CN116961985A - Multi-category risk element attack planning model construction method, equipment and medium - Google Patents

Multi-category risk element attack planning model construction method, equipment and medium Download PDF

Info

Publication number
CN116961985A
CN116961985A
Authority
CN
China
Prior art keywords
attack
asset
elements
class
risk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310424105.9A
Other languages
Chinese (zh)
Inventor
鲁辉
田志宏
梁儒烽
张曼
陈可
陈俊翰
张浩楠
苏申
孙彦斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou University
Original Assignee
Guangzhou University
Application filed by Guangzhou University
Priority to CN202310424105.9A
Publication of CN116961985A

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a method, device and medium for constructing a multi-category risk element attack planning model, comprising the following steps: acquiring multi-category risk elements and establishing an attack planning knowledge graph; selecting risk elements from the attack planning knowledge graph according to the physical characteristics of the target asset to form an attack element chain; loading the attack element chain into an attack planning model to attack the target asset; and optimizing the attack planning model with the feedback information the target asset produces after the attack. The knowledge graph is constructed from the attacker's viewpoint and the entity elements of a penetration test scenario are taken into account when the ontology is built, so multi-category risk elements can be integrated effectively and evaluated and modeled in an uncertain environment. The application can also fold the feedback information generated during an attack back into the attack planning model and use the attack and defense elements of the scenario to carry out autonomous attack reasoning, so that the feedback informs the next attack planning decision.

Description

Multi-category risk element attack planning model construction method, equipment and medium
Technical field
The application relates to the technical field of network security, in particular to a method, equipment and medium for constructing a multi-category risk element attack planning model.
Background
In today's information society the security threats facing the Internet keep growing, and advanced persistent threats have made the security of cyberspace more serious still: attackers compromise the information systems of enterprises and organizations by a variety of means to steal sensitive information, causing them major losses, so safeguarding information security has become an important task for modern enterprises and organizations.
The security of an information system is usually tested by penetration testing. A penetration test simulates the means a hacker would use: an attack planning model is built to attack the target information system in order to test its protective capability and uncover the vulnerabilities it may have.
In a black-box environment, some existing attack planning models cannot perceive an uncertain environment effectively; attack planning models suited to a white-box environment, such as Markov decision process models, readily settle into a local optimum and cannot examine a system's vulnerabilities comprehensively. On the other hand, in a dynamic and complex cyberspace environment the security-related information sources are numerous and change quickly, and existing methods of constructing attack planning models lack an effective way to integrate multiple categories of risk elements. The prior art therefore lacks an attack planning model that can integrate multiple categories of risk elements and is suited to uncertain environments.
Disclosure of Invention
In view of this, the embodiment of the application provides a method, a device and a medium for constructing a multi-category risk element attack planning model.
The first aspect of the present application provides a method for constructing a multi-category risk element attack planning model, comprising the following steps:
acquiring multi-category risk elements and establishing an attack planning knowledge graph;
selecting risk elements from the attack planning knowledge graph according to the physical characteristics of the target asset to form an attack element chain;
loading the attack element chain in an attack planning model to attack the target asset;
and optimizing the attack planning model through feedback information of the target asset after attack.
Further, acquiring the multi-category risk elements combines automatic acquisition with manual labeling: a crawler script is applied to an open-source data set to crawl attribute data automatically as risk element entities, and after the risk elements have been acquired the relationships between them are labeled manually.
Further, the entities of the risk elements comprise vulnerability elements, attack elements, tool elements, static asset elements and dynamic asset elements;
the relationship of the risk factors includes:
the dynamic asset class element is associated with the static asset class element;
the static asset class element carries the vulnerability class element;
the attack class element is associated with the tool class element;
the tool class element acts on the dynamic asset class element by utilizing the vulnerability class element;
the dynamic asset class element implements the attack class element.
Further, the selecting risk elements from the attack planning knowledge graph according to the physical characteristics of the target asset specifically includes the following steps:
analyzing the protection intensity of each dimension of the target asset; wherein the dimensions of the target asset include an asset dimension, a configuration dimension, and a protection dimension;
and evaluating the target asset dimension with the lowest protection intensity by using a priority algorithm, and extracting corresponding risk elements from the knowledge graph aiming at the target asset dimension with the lowest protection intensity to form an attack element chain.
Further, the formed attack element chain comprises a dynamic asset element, an attack element related to the dynamic asset element, a tool element related to the attack element, a vulnerability element related to the tool element and a static asset element related to the vulnerability element.
Further, the attack on the target asset specifically includes the following steps:
initializing dynamic asset elements to form a network topology;
inquiring a static asset element associated with the dynamic asset element to acquire an attack element executable by the dynamic asset element;
querying a tool class element associated with an attack class element according to the attack class element executable by the dynamic asset class element;
querying whether the tool class element has associated sub-tools and, if so, further querying the tool class elements of those sub-tools;
and attacking the target asset by using the tool elements.
Further, the method optimizes the attack planning model through feedback information of the target asset after attack, and specifically comprises the following steps:
collecting feedback information generated after the attack planning model attacks the target asset;
when the feedback information is the vulnerability of the target asset, inquiring the static asset element with the vulnerability element, and updating the vulnerability element on the dynamic asset element in the attack element chain;
and when the feedback information is the attribute information of the target asset, directly updating the attribute information of the target asset on the dynamic asset elements in the attack element chain.
Further, after the attack planning model attacks the target asset, when no new feedback information is generated, the attack operation is ended, and the optimization of the attack planning model is completed.
In a second aspect, the application discloses an electronic device comprising a processor and a memory;
the memory is used for storing programs;
and executing the program by the processor to realize a multi-category risk element attack planning model construction method.
A third aspect of the present application discloses a computer-readable storage medium storing a program that is executed by a processor to implement a multi-category risk element attack planning model construction method.
The embodiment of the application has the following beneficial effects: according to the method, the equipment and the medium for constructing the multi-category risk element attack planning model, the knowledge graph is constructed from an attack perspective, and the entity elements in a penetration test scene are fully considered during ontology construction, so that the multi-category risk elements can be effectively integrated, and the multi-category risk elements in an uncertain environment are effectively evaluated and modeled. The application can also integrate the effective feedback information generated in the attack process into the attack planning model, and utilize the network security attack and defense elements in the scene to carry out autonomous attack reasoning so as to bring the feedback information into the next attack planning decision.
Additional aspects and advantages of the application will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a basic implementation flow chart of a multi-category risk element attack planning model construction method, apparatus and medium of the present application;
FIG. 2 is a flow chart of knowledge graph construction of a method, equipment and medium for constructing a multi-category risk element attack planning model;
FIG. 3 is a schematic diagram of the internal relationship of the knowledge graph of the method, the device and the medium for constructing the multi-category risk element attack planning model;
FIG. 4 is a schematic diagram of a network topology of a method, apparatus and medium for constructing a multi-class risk element attack planning model according to the present application;
FIG. 5 is a schematic view of an attack element chain of a method, apparatus and medium for constructing a multi-class risk element attack planning model according to the present application;
fig. 6 is an attack planning flow chart of a method, apparatus and medium for constructing a multi-category risk element attack planning model according to the present application.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
As stated above, existing penetration-testing techniques cannot perceive an uncertain environment effectively in a black-box environment; attack planning models suited to a white-box environment, such as Markov decision process models, readily settle into a local optimum and cannot examine a system's vulnerabilities comprehensively. On the other hand, in a dynamic and complex cyberspace environment the security-related information sources are numerous and change quickly, and existing methods of constructing attack planning models lack an effective way to integrate multiple categories of risk elements. The prior art therefore lacks an attack planning model that can integrate multiple categories of risk elements and is suited to uncertain environments.
Therefore, the embodiment of the application provides a multi-category risk element attack planning model construction method, which aims to solve the following problems:
(1) under the black box environment, effectively evaluating and modeling the multi-category risk elements under the uncertain environment;
(2) the effective feedback information generated in the attack process is fused into an attack planning model;
(3) processing the knowledge and experience that experts accumulate in manual attack planning so that an attack planning knowledge base can be constructed automatically;
(4) an attack planning model is effectively linked with an actual asset system framework.
The embodiment of the application provides a multi-category risk element attack planning model construction method, as shown in fig. 1, comprising the following steps:
s100, acquiring multi-category risk elements and establishing an attack planning knowledge graph;
s200, selecting risk elements from the attack planning knowledge graph according to physical characteristics of the target asset to form an attack element chain;
s300, loading the attack element chain into an attack planning model, and attacking the target asset;
s400, optimizing the attack planning model through feedback information of the target asset after attack.
The following specifically discusses the implementation flow of each step in the embodiment of the present application:
s100, acquiring multi-category risk elements and establishing an attack planning knowledge graph.
This embodiment adopts a top-down construction approach: a network security ontology model from the attacker's viewpoint is built from the security elements involved in an attack scenario, such as attack techniques and tactics, exploited vulnerabilities, attack tools, target asset configuration information and topology information; knowledge extraction and relationship construction are then carried out from open-source data sets; finally, after quality evaluation, the knowledge graph is stored in a graph database.
As shown in fig. 2, acquiring the multi-category risk elements in step S100 combines automatic acquisition with manual labeling. Automatic acquisition applies a crawler script to open-source data sets and crawls attribute data as risk element entities; after the elements have been acquired, the relationships between them are labeled manually. The open-source data sets from which the multi-category risk elements are acquired include the Common Platform Enumeration (CPE), the Common Vulnerabilities and Exposures (CVE) database and the ATT&CK knowledge base; the various risk elements are crawled automatically with a crawler framework such as Scrapy, and the relationships between them are standardized manually on the basis of expert experience.
As shown in fig. 3, the entities of the risk element include five categories of vulnerability element, attack element, tool element, static asset element, and dynamic asset element.
The relationship of the risk factors includes:
the dynamic asset class element is associated with the static asset class element; the static asset class element carries the vulnerability class element; the attack class element is associated with the tool class element; the tool class element uses the vulnerability class element to act on the dynamic asset class element; and the dynamic asset class element implements the attack class element.
The attribute information of the entities of various risk factors is specifically described below.
The properties of the vulnerability class element include vulnerability name, vulnerability impact level, associated attack class element name list and additional description of vulnerability. Each vulnerability component entity in the vulnerability class component has the four attributes.
Specifically, the "vulnerability name" identifies the vulnerability by the number it carries in the vulnerability data set, such as a CVE identifier, and is the value used in the associated-vulnerability name lists of other elements;
the "vulnerability impact level" characterizes the severity of the vulnerability element entity, follows the Common Vulnerability Scoring System (CVSS) standard, and is used by the subsequent priority evaluation algorithm;
the 'associated attack class element name list' is composed of an 'attack name' attribute set of attack class elements and is used for associating attack class element entities;
the 'extra description of the vulnerability' is used for describing the specific meaning of the vulnerability factor entity, and is convenient for an expert to manually analyze.
The attributes of the attack class elements include the attack name, the associated tool class element name list, the associated vulnerability class element name list, the associated dynamic asset class element list, and additional description of the attack. Each attack element entity in the attack class element has these five attributes.
Specifically, the "attack name" is used to identify the attack technique;
the 'associated tool element name list' is composed of a tool name attribute set of tool elements and is used for associating tool element entities;
the 'associated vulnerability class element name list' is composed of 'vulnerability name' attribute sets of vulnerability class elements and is used for associating vulnerability element entities;
the 'associated dynamic asset element name list' is composed of an 'asset IP' attribute set of dynamic asset elements and is used for associating dynamic asset element entities;
the 'additional description of attack' is used for describing the specific meaning of an attack element entity, and is convenient for an expert to manually analyze.
The attributes of the tool class elements include the tool name, tool type, tool usage, associated sub-tool name list, attack tool result type, attack result, and additional description of the attack tool. Each tool element entity in the tool class element includes these seven attributes.
In particular, a "tool name" is used to identify a particular attack tool;
the "tool type" takes one of two values, "tool attack" and "association attack": a tool attack means the tool element entity can complete the attack on its own and has no associated sub-tools, whereas an association attack means the associated sub-tools must also be queried when the tool entity is queried;
the "tool usage" is a standardized Metasploit-based invocation command used to call the attack tool;
the 'associated sub-tool name list' is composed of 'tool names' of tool class elements and is used for associating sub-tools;
the "attack tool result type" takes one of two values, asset and vulnerability: for asset, the attack result is used to update the dynamic asset element entity; for vulnerability, the attack result is used to query the vulnerability element entity;
the attack result is used for storing the actual execution result of the attack tool;
the "additional description of the attack tool" is used to describe the specific meaning of the tool entity, facilitating manual analysis by the expert.
The attributes of the static asset class element include asset name, asset type, vendor name, product name, version number, vulnerability name list associated with the host asset, update package information, version information, additional description of the asset. Each static asset element entity in the static asset class element includes these nine attributes.
Static asset class attributes are mostly information used to characterize the target asset, such as vendor name, version number, etc. In particular, the "vulnerability name list associated with a host asset" is composed of "vulnerability names" of vulnerability class elements.
Attributes of the dynamic asset class element include asset IP, associated asset IP list, domain name, open port, configuration information, safeguards, asset type, product name, version number. Each dynamic asset element entity in the dynamic asset class element includes these nine attributes.
Specifically, "asset IP" is used to identify the IP address of the target asset obtained during the attack;
the "associated asset IP list" is the set of asset IPs reachable from this asset. As shown in fig. 4, this attribute lets dynamic asset element entities be linked in the graph by their network reachability, so the network topology of the controlled targets is mapped automatically as new dynamic asset element entities are generated, including whether a host can reach outside its network (in the figure, for example, the controlled first-layer intranet hosts 192.168.1.2 and 192.168.1.3 are each marked by whether they have outbound network access), which benefits the subsequent attack planning reasoning;
the domain name is used for identifying a domain name address corresponding to the target asset;
the open port is formed by a port number set obtained in the process of scanning the host;
"configuration information" is used to identify improper configuration information for the target asset, such as leaked user credentials, etc.;
"protective measures" are protective information used to identify the target asset, such as WAF model number, etc.;
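The five entity classes and their association rules described above, together with the query chain of steps S302-S304, are shown below as an added example that is not code from the patent. The class and attribute names follow the patent's description (a few attributes are omitted for brevity); the graph container, the sample hosts, software versions and tool names are constructed for illustration, and the two CVE identifiers are used only as well-known labels.

```python
# Added example (not code from the patent): a minimal in-memory form of the
# five-class attack-planning ontology and the query chain of steps S302-S304.
# Class and attribute names follow the patent's description (a few attributes are
# omitted for brevity); every sample entity below (hosts, versions, tools) is constructed.
from dataclasses import dataclass, field


@dataclass
class Vulnerability:            # vulnerability class element
    name: str                   # CVE identifier
    impact: float               # CVSS-style score used by priority evaluation
    attacks: list               # associated attack class element names

@dataclass
class Attack:                   # attack class element
    name: str
    tools: list                 # associated tool class element names
    vulns: list                 # associated vulnerability names

@dataclass
class Tool:                     # tool class element
    name: str
    tool_type: str              # "tool attack" (stand-alone) or "association attack"
    usage: str                  # standardized Metasploit-style call string
    sub_tools: list = field(default_factory=list)
    result_type: str = "asset"  # "asset" or "vulnerability"

@dataclass
class StaticAsset:              # static asset class element
    name: str
    vendor: str
    product: str
    version: str
    vulns: list                 # vulnerability names carried by this host asset

@dataclass
class DynamicAsset:             # dynamic asset class element
    ip: str
    static_assets: list         # names of associated static asset elements
    open_ports: list = field(default_factory=list)
    protections: list = field(default_factory=list)


class AttackGraph:
    """Knowledge graph: one index per entity class, keyed by name (IP for dynamic assets)."""

    def __init__(self):
        self.vulns, self.attacks, self.tools, self.static, self.dynamic = {}, {}, {}, {}, {}

    def add(self, e):
        table = {Vulnerability: self.vulns, Attack: self.attacks, Tool: self.tools,
                 StaticAsset: self.static, DynamicAsset: self.dynamic}[type(e)]
        table[e.ip if isinstance(e, DynamicAsset) else e.name] = e

    def expand_tools(self, names, seen):
        """S304: follow associated sub-tools recursively; `seen` keeps order and breaks cycles."""
        for n in names:
            if n in seen or n not in self.tools:
                continue
            seen.append(n)
            self.expand_tools(self.tools[n].sub_tools, seen)
        return seen

    def attack_chain(self, ip):
        """S302-S304: dynamic asset -> static assets -> vulnerabilities -> attacks -> tools."""
        chain = {"dynamic_asset": ip, "static_assets": [], "vulnerabilities": [],
                 "attacks": [], "tools": []}
        for sname in self.dynamic[ip].static_assets:
            sa = self.static.get(sname)
            if sa is None:                  # dangling association: skip rather than crash
                continue
            chain["static_assets"].append(sname)
            for vname in sa.vulns:
                v = self.vulns.get(vname)
                if v is None:
                    continue
                chain["vulnerabilities"].append(vname)
                for aname in v.attacks:
                    if aname in self.attacks and aname not in chain["attacks"]:
                        chain["attacks"].append(aname)
                        self.expand_tools(self.attacks[aname].tools, chain["tools"])
        return chain


def sample_graph():
    """Constructed sample: two hosts, each carrying one well-known vulnerability."""
    g = AttackGraph()
    g.add(Vulnerability("CVE-2021-44228", 10.0, ["JNDI injection"]))   # Log4Shell
    g.add(Vulnerability("CVE-2017-5638", 10.0, ["OGNL injection"]))    # Struts2 RCE
    g.add(Attack("JNDI injection", ["log4shell_rce"], ["CVE-2021-44228"]))
    g.add(Attack("OGNL injection", ["struts2_ognl_rce"], ["CVE-2017-5638"]))
    g.add(Tool("log4shell_rce", "association attack",
               "use exploit/multi/http/log4shell_header_injection", sub_tools=["handler"]))
    g.add(Tool("handler", "tool attack", "use exploit/multi/handler"))
    g.add(Tool("struts2_ognl_rce", "tool attack",
               "use exploit/multi/http/struts2_content_type_ognl"))
    g.add(StaticAsset("log4j-2.14", "Apache", "Log4j", "2.14.1", ["CVE-2021-44228"]))
    g.add(StaticAsset("struts-2.3", "Apache", "Struts", "2.3.31", ["CVE-2017-5638"]))
    g.add(DynamicAsset("192.168.1.2", ["log4j-2.14"], open_ports=[8080]))
    g.add(DynamicAsset("192.168.1.3", ["struts-2.3"], open_ports=[80], protections=["WAF"]))
    return g
```

Calling `sample_graph().attack_chain("192.168.1.2")` walks the associations in the order the patent's relationship rules prescribe and returns the five-node chain for that host; the `seen` list in `expand_tools` is what keeps an "association attack" tool whose sub-tool refers back to it from recursing forever, a check the patent's step S304 does not spell out.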
s200, selecting risk elements from the attack planning knowledge graph according to physical characteristics of the target asset to form an attack element chain;
s300, loading the attack element chain into an attack planning model, and attacking the target asset;
the overall attack plan implementation framework of steps S200-300 is shown in fig. 6. The risk factors are selected from the attack planning knowledge graph according to the physical characteristics of the target asset, and the method specifically comprises the following steps:
s201, analyzing the protection intensity of each dimension of the target asset; the dimension of the target asset comprises an asset dimension, a configuration dimension and a protection dimension;
s202, evaluating and obtaining the target asset dimension with the lowest protection intensity by using a priority algorithm, and extracting corresponding risk elements from the knowledge graph aiming at the target asset dimension with the lowest protection intensity to form an attack element chain.
In this embodiment, to address the excessive number of target asset dimensions in attack planning, the weakest-link ("barrel") effect of the target asset's security protection is exploited: a priority evaluation algorithm finds the target asset's weak points across the asset, configuration and protection dimensions, providing quantitative support for constructing the attack element chain.
In this embodiment, the asset dimension covers, for example, assets with many historical vulnerabilities such as Shiro, WebLogic, WordPress and open-source CMSes, or assets with a high attack payoff such as firewalls, VPNs and privilege-concentrating devices; the configuration dimension refers to the amount of improper configuration information on the target asset, such as error messages returned for different payloads, sensitive back-end paths and source code leakage; the protection dimension refers to the degree of protection of the target asset, such as whether it sits behind a WAF and whether antivirus software is running.
During dynamic querying of the knowledge graph, step S200 of this embodiment first evaluates all dynamic asset entities with the priority evaluation algorithm and preferentially queries attack entities for the assets with more weak points, lower protection and higher attack payoff, then constructs the attack element chain of fig. 6. The attack element chain consists of the five entity nodes of the knowledge graph, namely dynamic asset, static asset, attack, tool and vulnerability, joined according to the association rules.
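The patent names the three dimensions and the weakest-link idea but does not give the priority evaluation algorithm itself. The following is an added example, not the patent's algorithm: a hypothetical scoring in which each dimension contributes an exposure score, the dimension scoring highest is the one with the lowest protection intensity (S202), and a weighted sum ranks the dynamic assets for querying. The weights, the per-dimension rules, the product list and the sample assets are all assumptions.

```python
# Added example (not the patent's algorithm, which the text does not specify): a
# hypothetical weakest-link scoring over the asset, configuration and protection
# dimensions of S201/S202. Each dynamic asset is a dict using the attribute names
# from the patent; the weights, rules and sample assets are assumptions.

# Asset dimension, as the patent describes it: products with many historical
# vulnerabilities or a high attack payoff (assumed list).
HIGH_VALUE_PRODUCTS = {"shiro", "weblogic", "wordpress", "firewall", "vpn"}
PROTECTIONS_COUNTED = {"waf", "antivirus"}


def asset_score(a):
    """Asset dimension: historical vulnerabilities plus a bonus for high-payoff products."""
    score = a.get("historical_vulns", 0)
    if a.get("product", "").lower() in HIGH_VALUE_PRODUCTS:
        score += 2
    return score


def config_score(a):
    """Configuration dimension: one point per improper-configuration finding."""
    return len(a.get("config", {}))


def protection_score(a):
    """Protection dimension: exposure rises as safeguards are missing (2 = none present)."""
    present = {p.lower() for p in a.get("protections", [])} & PROTECTIONS_COUNTED
    return len(PROTECTIONS_COUNTED) - len(present)


def weakest_dimension(a):
    """S202: the dimension with the lowest protection intensity is the one scoring highest."""
    scores = {"asset": asset_score(a), "configuration": config_score(a),
              "protection": protection_score(a)}
    return max(scores, key=scores.get), scores


def rank_assets(assets, weights=(1.0, 1.0, 1.5)):
    """Priority order for querying the graph: most exposed dynamic asset first."""
    def exposure(a):
        return (weights[0] * asset_score(a) + weights[1] * config_score(a)
                + weights[2] * protection_score(a))
    return [a["ip"] for a in sorted(assets, key=exposure, reverse=True)]


# Constructed sample dynamic assets (not real hosts).
SAMPLE_ASSETS = [
    {"ip": "10.0.0.5", "product": "WordPress", "historical_vulns": 3,
     "config": {"debug_page": True, "backup_archive_exposed": True}, "protections": []},
    {"ip": "10.0.0.6", "product": "nginx", "historical_vulns": 0,
     "config": {}, "protections": ["WAF", "antivirus"]},
    {"ip": "10.0.0.7", "product": "Tomcat", "historical_vulns": 1,
     "config": {"default_credentials": True}, "protections": []},
]
```

With these samples `rank_assets(SAMPLE_ASSETS)` puts the unprotected WordPress host first and the WAF-plus-antivirus nginx host last, and `weakest_dimension` reports "asset" for the WordPress host but "protection" for the Tomcat host, which is the signal the text says drives which risk elements are pulled from the graph first. The protection weight is set above the others on purpose, since a missing safeguard affects every attack path, but any real deployment would calibrate these weights against its own asset inventory.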
Step S300 attacks the target asset, specifically comprising the steps of:
s301, initializing dynamic asset elements to form a network topology;
s302, inquiring a static asset element associated with the dynamic asset element to acquire an attack element executable by the dynamic asset element;
s303, inquiring tool class elements associated with the attack class elements according to the attack class elements executable by the dynamic asset class elements;
s304, inquiring the sub-tools associated with the tool class elements, and if yes, further inquiring the tool class elements of the sub-tools;
s305, attacking the target asset by using the tool elements.
In step S300 of this embodiment, a dynamic asset element entity is initialized at the start of the attack and initially contains only the attacking node. As privileges on target hosts are obtained, new dynamic asset element entities are added dynamically and form a network topology; when several attack paths exist, the priority evaluation algorithm is invoked to select the best one. The attack strategies executable on the current dynamic asset element entity are then obtained by querying its associated attack element entities, and for each strategy the associated tool element entities are queried and applied to attack the target asset.
S400, optimizing the attack planning model through feedback information of the target asset after attack.
In this embodiment, step S400 optimizes the attack planning model through feedback information of the target asset after attack, and specifically includes the following steps:
s401, collecting feedback information generated after the attack planning model attacks the target asset;
s402, inquiring a static asset element with a vulnerability element when feedback information is a vulnerability of a target asset, and updating the vulnerability element on a dynamic asset element in an attack element chain;
s403, when the feedback information is the attribute information of the target asset, the attribute information of the target asset is directly updated on the dynamic asset elements in the attack element chain.
After an attack is executed on the target asset, the target asset produces feedback information that reflects the effect of the attack and similar content; it falls into two kinds, vulnerability-type and asset-type. Vulnerability-type feedback expresses a vulnerability element entity of the target asset: the attack planning model queries that vulnerability element entity and the related static asset element entities, and records the specific vulnerability element entity on the dynamic asset element entity. Asset-type feedback expresses a problem of the target asset in privilege granting, resource allocation or the like, and the attack planning model updates the dynamic asset element entity directly.
When the attack no longer produces new feedback information, the attack is regarded as finished, generation of new attack schemes stops, and the optimization of the attack planning model is complete.
In this embodiment, the attack planning model is developed on the open-source Python library pymetasploit3 by standardizing the functions of each module of the Metasploit penetration framework. The embodiment invokes the framework remotely over RPC and can operate the exploit modules, payload modules, auxiliary modules and encoder modules of the attack planning model without entering the console. The parameters of the tools involved are stored as tool entity attributes in the knowledge graph and updated in the graph in real time as the tools are called.
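The two feedback branches of S402/S403 and the stopping rule above, as an added example that is not code from the patent: one dynamic asset element is updated round by round from a feedback stream and the loop ends after the first round that records nothing new. The static-asset table, the feedback records and the dict layout of the dynamic asset are constructed for illustration.

```python
# Added example (not code from the patent): the two feedback branches of S402/S403
# applied to one dynamic asset element, repeated until a round yields nothing new
# (the stopping rule above). The static-asset table and feedback records are
# constructed; the dict layout of the dynamic asset is an assumption.

# Static asset element name -> vulnerability names it carries (constructed).
STATIC_ASSET_VULNS = {
    "log4j-2.14": {"CVE-2021-44228"},
    "struts-2.3": {"CVE-2017-5638"},
}


def static_assets_with(vuln):
    """S402: the static asset elements that carry this vulnerability element."""
    return {name for name, vs in STATIC_ASSET_VULNS.items() if vuln in vs}


def apply_feedback(dyn, fb):
    """Fold one feedback record into the dynamic asset; True if anything new was recorded."""
    if fb["type"] == "vulnerability":                       # S402
        hosts = static_assets_with(fb["vuln"])
        if not hosts:                                       # unknown to the graph: ignore
            return False
        is_new = fb["vuln"] not in dyn["vulns"] or not hosts <= dyn["static_assets"]
        dyn["vulns"].add(fb["vuln"])
        dyn["static_assets"] |= hosts
        return is_new
    if fb["type"] == "asset":                               # S403
        is_new = any(dyn["attrs"].get(k) != v for k, v in fb["attrs"].items())
        dyn["attrs"].update(fb["attrs"])
        return is_new
    raise ValueError("unknown feedback type: %r" % fb["type"])


def optimize(dyn, feedback_rounds):
    """Apply feedback round by round; stop after the first round that adds nothing."""
    rounds = 0
    for batch in feedback_rounds:
        rounds += 1
        changed = [apply_feedback(dyn, fb) for fb in batch]   # list, so every record is applied
        if not any(changed):
            break
    return rounds


# Constructed feedback stream: round 1 learns things, round 2 repeats them, round 3 is never reached.
FEEDBACK = [
    [{"type": "asset", "attrs": {"open_ports": [8080], "product": "Log4j"}},
     {"type": "vulnerability", "vuln": "CVE-2021-44228"}],
    [{"type": "asset", "attrs": {"product": "Log4j"}},
     {"type": "vulnerability", "vuln": "CVE-2021-44228"}],
    [{"type": "vulnerability", "vuln": "CVE-2017-5638"}],
]


def run():
    dyn = {"ip": "192.168.1.2", "attrs": {}, "vulns": set(), "static_assets": set()}
    rounds = optimize(dyn, FEEDBACK)
    return dyn, rounds
```

`run()` stops after two rounds: the second round only repeats what the first already recorded, so by the rule in the text no new attack scheme is generated and the third batch is never consumed. Note that a vulnerability the graph has no static asset for is deliberately treated as "nothing new" rather than attached blindly, since the chain has no static asset node to hang it on.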
embodiments of the present application also disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions may be read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, to cause the computer device to perform the method shown in fig. 1.
This embodiment implements a network security ontology model oriented to attack planning that models the cyberspace elements involved in penetration testing effectively and integrates multi-category risk elements; it standardizes Metasploit-based tool interfaces so that attack tools can be linked to the knowledge graph effectively and the feedback information produced during a penetration test is fully collected; and, by constructing an attack element chain and applying a priority evaluation algorithm, its knowledge-graph-based attack planning algorithm achieves global attack-and-defense reasoning over the network.
In some alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flowcharts of the present application are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed, and in which sub-operations described as part of a larger operation are performed independently.
Furthermore, while the application is described in the context of functional modules, it should be appreciated that, unless otherwise indicated, one or more of the described functions and/or features may be integrated in a single physical device and/or software module or one or more functions and/or features may be implemented in separate physical devices or software modules. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary to an understanding of the present application. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be apparent to those skilled in the art from consideration of their attributes, functions and internal relationships. Accordingly, one of ordinary skill in the art can implement the application as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative and are not intended to be limiting upon the scope of the application, which is to be defined in the appended claims and their full scope of equivalents.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially, or in the part contributing to the prior art, or in part, in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present application have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the spirit and principles of the application, the scope of which is defined by the claims and their equivalents.
While the preferred embodiment of the present application has been described in detail, the present application is not limited to the embodiments described above, and those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of the present application, and these equivalent modifications or substitutions are included in the scope of the present application as defined in the appended claims.

Claims (10)

1. A method for constructing a multi-category risk element attack planning model, characterized in that it comprises the following steps:
acquiring multi-category risk elements and establishing an attack planning knowledge graph;
selecting risk elements from the attack planning knowledge graph according to the physical characteristics of the target asset to form an attack element chain;
loading the attack element chain in an attack planning model to attack the target asset;
and optimizing the attack planning model through feedback information of the target asset after attack.
2. The method for constructing a multi-category risk element attack planning model according to claim 1, wherein the step of acquiring the multi-category risk elements comprises automatic acquisition of the multi-category risk elements combined with manual labeling; the automatic acquisition is realized by applying a crawler script to an open-source data set to crawl attribute data as risk element entities, and the relationships between the risk elements are labeled manually after the risk elements have been acquired.
3. The method for constructing a multi-category risk element attack planning model according to claim 2, wherein the entities of the risk elements include vulnerability class elements, attack class elements, tool class elements, static asset class elements and dynamic asset class elements;
the relationships between the risk elements include:
the dynamic asset class element is associated with the static asset class element;
the static asset class element is provided with the vulnerability class element;
the attack class element is associated with the tool class element;
the tool class element acts on the dynamic asset class element by utilizing the vulnerability class element;
the dynamic asset class element implements the attack class element.
4. The method for constructing a multi-category risk element attack planning model according to claim 3, wherein selecting risk elements from the attack planning knowledge graph according to the physical characteristics of the target asset specifically comprises the following steps:
analyzing the protection intensity of each dimension of the target asset; wherein the dimensions of the target asset include an asset dimension, a configuration dimension, and a protection dimension;
and evaluating the target asset dimension with the lowest protection intensity by using a priority algorithm, and extracting corresponding risk elements from the knowledge graph aiming at the target asset dimension with the lowest protection intensity to form an attack element chain.
5. The method according to claim 4, wherein the formed attack element chain includes a dynamic asset class element, an attack class element associated with the dynamic asset class element, a tool class element associated with the attack class element, a vulnerability class element associated with the tool class element, and a static asset class element associated with the vulnerability class element.
6. The method for constructing a multi-category risk element attack planning model according to claim 4, wherein attacking the target asset specifically comprises the following steps:
initializing the dynamic asset class elements to form a network topology;
querying the static asset class element associated with a dynamic asset class element to acquire the attack class elements executable by that dynamic asset class element;
querying the tool class element associated with each attack class element executable by the dynamic asset class element;
querying whether the tool class element has associated sub-tools and, if so, further querying the tool class elements of those sub-tools;
and attacking the target asset by using the tool class elements.
7. The method for constructing a multi-category risk element attack planning model according to claim 6, wherein optimizing the attack planning model through feedback information of the target asset after attack specifically comprises the following steps:
collecting the feedback information generated after the attack planning model attacks the target asset;
when the feedback information is a vulnerability of the target asset, querying the static asset class element that carries the vulnerability class element, and updating the vulnerability class element on the dynamic asset class element in the attack element chain;
and when the feedback information is attribute information of the target asset, directly updating the attribute information of the target asset on the dynamic asset class element in the attack element chain.
8. The method for constructing a multi-category risk element attack planning model according to claim 7, wherein when no new feedback information is generated after the attack planning model attacks the target asset, the attack operation is ended and the optimization of the attack planning model is complete.
9. An electronic device comprising a processor and a memory;
the memory is used for storing programs;
the processor executes the program to implement the method of any one of claims 1-8.
10. A computer readable storage medium, characterized in that the storage medium stores a program, which is executed by a processor to implement the method of any one of claims 1-8.
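The ontology and procedure in claims 3 to 8 can be read as a typed graph plus a traversal. The following is an added example, not code from the patent or its applicant: it keeps the five entity classes and the relations of claim 3 in an in-memory graph, walks it in the claim 5 order (dynamic asset, attack, tool, vulnerability, static asset) restricted to the dimension of lowest protection intensity from claim 4, expands sub-tools as in claim 6, and folds the two kinds of feedback from claim 7 back into the chain until a round yields none (claim 8). The relation names, the `dimension` tag on vulnerability entities, and every asset, tool, attack and vulnerability name are constructed placeholders; the patent does not specify them. The example stops at producing and updating the chain as a risk model; it executes nothing against any asset.

```python
"""In-memory version of the attack planning knowledge graph (claims 3-8).
Entity classes, relation names, dimension tags and sample data are this
example's own constructions, not taken from the patent."""
from collections import defaultdict

# Relation labels following claim 3 (names chosen for this example).
ASSOCIATED = "associated_with"   # dynamic asset -> static asset; attack -> tool
HAS_VULN = "has_vulnerability"   # static asset -> vulnerability
USES = "uses"                    # tool -> vulnerability it acts through
IMPLEMENTS = "implements"        # dynamic asset -> attack
SUB_TOOL = "sub_tool"            # tool -> sub-tool


class KnowledgeGraph:
    """Typed nodes with attributes, plus directed labelled edges."""

    def __init__(self):
        self.nodes = {}                 # name -> {"class": str, "attrs": dict}
        self.edges = defaultdict(set)   # (src, relation) -> {dst, ...}

    def add(self, name, cls, **attrs):
        self.nodes[name] = {"class": cls, "attrs": dict(attrs)}

    def relate(self, src, relation, dst):
        self.edges[(src, relation)].add(dst)

    def query(self, src, relation):
        return sorted(self.edges.get((src, relation), ()))

    def of_class(self, cls):
        return sorted(n for n, v in self.nodes.items() if v["class"] == cls)


def lowest_protection_dimension(intensity):
    """Claim 4: the target-asset dimension with the lowest protection intensity."""
    return min(intensity, key=intensity.get)


def expand_tools(kg, tool):
    """Claim 6: a tool followed, recursively, by the sub-tools associated with it."""
    tools = [tool]
    for sub in kg.query(tool, SUB_TOOL):
        tools.extend(expand_tools(kg, sub))
    return tools


def form_attack_element_chain(kg, dyn_asset, dimension):
    """Claims 5/6: dynamic asset -> static asset -> vulnerability -> tool -> attack,
    emitting one chain per consistent path whose vulnerability lies in `dimension`."""
    chains = []
    for static in kg.query(dyn_asset, ASSOCIATED):
        for vuln in kg.query(static, HAS_VULN):
            if kg.nodes[vuln]["attrs"].get("dimension") != dimension:
                continue                                   # not the weakest dimension
            for tool in kg.of_class("tool"):
                if vuln not in kg.query(tool, USES):
                    continue                               # tool cannot act via this vuln
                for attack in kg.query(dyn_asset, IMPLEMENTS):
                    if tool in kg.query(attack, ASSOCIATED):
                        chains.append({"dynamic": dyn_asset, "attack": attack,
                                       "tools": expand_tools(kg, tool),
                                       "vuln": vuln, "static": static})
    return chains


def apply_feedback(kg, chain, feedback):
    """Claim 7: fold one (kind, value) feedback item into the chain's dynamic asset."""
    kind, value = feedback
    dyn = kg.nodes[chain["dynamic"]]
    if kind == "vulnerability":
        # Locate the static asset(s) carrying the reported vulnerability, then record
        # the vulnerability on the dynamic asset element of the chain.
        carriers = [s for s in kg.of_class("static_asset") if value in kg.query(s, HAS_VULN)]
        dyn["attrs"].setdefault("vulns", []).append(value)
        chain.setdefault("observed", []).append((value, carriers))
    elif kind == "attribute":
        key, val = value                                  # attribute info: update directly
        dyn["attrs"][key] = val
    return chain


def optimize(kg, chain, feedback_rounds):
    """Claim 8: apply feedback round by round; stop at the first round with none."""
    applied = 0
    for batch in feedback_rounds:
        if not batch:
            break
        for item in batch:
            apply_feedback(kg, chain, item)
        applied += 1
    return applied


def build_sample_graph():
    """Constructed sample graph: one dynamic asset over one static asset."""
    kg = KnowledgeGraph()
    kg.add("host-A", "dynamic_asset", os="placeholder-os")
    kg.add("service-X", "static_asset")
    kg.add("VULN-PLACEHOLDER-1", "vulnerability", dimension="configuration")
    kg.add("VULN-PLACEHOLDER-2", "vulnerability", dimension="protection")
    for t in ("tool-A", "tool-A-helper", "tool-B"):
        kg.add(t, "tool")
    kg.add("attack-1", "attack")
    kg.add("attack-2", "attack")
    kg.relate("host-A", ASSOCIATED, "service-X")
    kg.relate("service-X", HAS_VULN, "VULN-PLACEHOLDER-1")
    kg.relate("service-X", HAS_VULN, "VULN-PLACEHOLDER-2")
    kg.relate("tool-A", USES, "VULN-PLACEHOLDER-1")
    kg.relate("tool-B", USES, "VULN-PLACEHOLDER-2")
    kg.relate("tool-A", SUB_TOOL, "tool-A-helper")
    kg.relate("attack-1", ASSOCIATED, "tool-A")
    kg.relate("attack-2", ASSOCIATED, "tool-B")
    kg.relate("host-A", IMPLEMENTS, "attack-1")
    kg.relate("host-A", IMPLEMENTS, "attack-2")
    return kg
```

With the sample graph, protection intensities `{"asset": 0.9, "configuration": 0.3, "protection": 0.6}` select the configuration dimension, so only the path through `VULN-PLACEHOLDER-1`, `tool-A` (with its sub-tool) and `attack-1` becomes a chain, while the second vulnerability is left out until feedback reports it. Keeping the filter on the vulnerability's dimension rather than on the asset makes the claim 4 "lowest protection intensity" choice visible in the resulting chain.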

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310424105.9A CN116961985A (en) 2023-04-19 2023-04-19 Multi-category risk element attack planning model construction method, equipment and medium

Publications (1)

Publication Number Publication Date
CN116961985A true CN116961985A (en) 2023-10-27

Family

ID=88448138

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310424105.9A Pending CN116961985A (en) 2023-04-19 2023-04-19 Multi-category risk element attack planning model construction method, equipment and medium

Country Status (1)

Country Link
CN (1) CN116961985A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117171366A (en) * 2023-11-03 2023-12-05 国网信息通信产业集团有限公司 Knowledge graph construction method and system for power grid dispatching operation situation
CN117171366B (en) * 2023-11-03 2024-01-30 国网信息通信产业集团有限公司 Knowledge graph construction method and system for power grid dispatching operation situation

Similar Documents

Publication Publication Date Title
Kaynar A taxonomy for attack graph generation and usage in network security
EP3216193B1 (en) Recombinant threat modeling
US8095984B2 (en) Systems and methods of associating security vulnerabilities and assets
US8392997B2 (en) Value-adaptive security threat modeling and vulnerability ranking
Kotenko et al. Attack modeling and security evaluation in SIEM systems
Speicher et al. Towards automated network mitigation analysis
CN112904817B (en) Global safety detection system for intelligent manufacturing production line and working method thereof
CN116961985A (en) Multi-category risk element attack planning model construction method, equipment and medium
Kijsanayothin et al. Analytical approach to attack graph analysis for network security
Kotenko et al. Network security evaluation based on simulation of malefactor's behavior
Noel et al. Big-data graph knowledge bases for cyber resilience
Li et al. An approach to model network exploitations using exploitation graphs
Lohmann et al. Systematic Literature Review of Threat Modeling Concepts
Krishnan A hybrid approach to threat modelling
US20230379356A1 (en) Analytical attack graph abstraction for resource-efficiencies
Kerzhner et al. Analyzing cyber security threats on cyber-physical systems using Model-Based Systems Engineering
CN115333806A (en) Penetration test attack path planning method and device, electronic equipment and storage medium
Kiesling et al. Evolving secure information systems through attack simulation
Kotenko et al. Analyzing network security using malefactor action graphs
Goh Toward Automated Penetration Testing Intelligently with Reinforcement Learning
Aouad et al. Defender-centric Conceptual Cyber Exposure Ontology for Adaptive Cyber Risk Assessment
Ruiz et al. Automating threat modeling through the software development life-cycle
Hersén Measuring Coverage of Attack Simulations on MAL Attack Graphs
Speicher et al. Towards Automated Network Mitigation Analysis (extended)
Vergara-Vargas et al. Sarch-knows: A knowledge graph for modeling security scenarios at the software architecture level

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination