CN117009974A - Vulnerability discovery method, system, storage medium and terminal equipment based on Bayesian network - Google Patents


Info

Publication number
CN117009974A
Authority
CN
China
Prior art keywords
vulnerability
bayesian network
tested
test
degree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310783504.4A
Other languages
Chinese (zh)
Inventor
傅涛
冯驰宇
郭超
郭金辉
王超
景向学
胡燕
冷静
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bozhi Safety Technology Co ltd
Original Assignee
Bozhi Safety Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Bozhi Safety Technology Co ltd
Priority to CN202310783504.4A
Publication of CN117009974A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/04 Inference or reasoning models
    • G06N5/042 Backward inferencing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N7/00 Computing arrangements based on specific mathematical models
    • G06N7/01 Probabilistic graphical models, e.g. probabilistic networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Artificial Intelligence (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Computational Linguistics (AREA)
  • Probability & Statistics with Applications (AREA)
  • Algebra (AREA)
  • Computational Mathematics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Pure & Applied Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a vulnerability discovery method based on a Bayesian network. It comprises extracting target information, constructing a fault tree, deriving the Bayesian network topology from the fault tree, constructing the Bayesian network, setting feature weights, calculating a vulnerability suspicion score, performing backward (reverse) reasoning, feeding the reasoning result back into the test and optimizing the test until a vulnerability is found. The method handles the uncertainty and the complex causal relationships involved in reasoning about unknown vulnerabilities, automatically adjusts the test strategy according to the features observed on the device under test, finds unknown vulnerabilities more accurately and purposefully, and markedly improves vulnerability discovery efficiency.

Description

Vulnerability discovery method, system, storage medium and terminal equipment based on Bayesian network
Technical Field
The application relates to a vulnerability discovery method, system, storage medium and terminal device based on a Bayesian network, and belongs to the technical field of network security.
Background
In recent years, how to effectively ensure the security of industrial control equipment has become a real challenge for the industrial control security operators of enterprises. Detection of unknown vulnerabilities in industrial control equipment and industrial control protocols currently relies mainly on fuzz testing: mutated messages generated from fuzz test cases are sent to the device under test. As long as the test case can continue to execute, changes in the weaker features of the device under test are usually ignored, so hidden unknown vulnerabilities are not found. How to predict and infer from those weaker feature changes of the device under test, and to amplify the features through subsequent, more targeted tests so as to improve the accuracy and efficiency of vulnerability discovery, is therefore a pressing problem to be solved.
Disclosure of Invention
To address the difficulty of reasoning about the uncertainty and the complex causal relationships of unknown vulnerabilities, and the problems common to existing vulnerability discovery methods (large uncertainty about unknown vulnerabilities, high demands on the tester, low accuracy and low efficiency), the application provides a Bayesian-network-based vulnerability discovery method that performs predictive reasoning from changes in the weak features of the device under test and amplifies those features through subsequent, more targeted tests, so that unknown vulnerabilities are found.
The method comprises the following steps:
S1: analyzing and tallying PoC samples of known industrial control vulnerabilities, applying the PoC samples to the target device for verification, and extracting target information, where the target information comprises target features of the target device;
the known vulnerability information collected should cover the current mainstream industrial control equipment manufacturers, equipment models and industrial control protocols; the known vulnerability samples are verified and analyzed manually to obtain the triggering condition of each sample's vulnerability, from which the corresponding vulnerability types are derived.
S2: constructing a fault tree model and constructing the Bayesian network topology from the fault tree model.
S3: constructing the Bayesian network.
S4: setting weights according to the degree of association between each target feature and vulnerabilities.
S5: calculating a vulnerability suspicion score from the weights and the features to be tested of the device under test.
S6: judging according to the vulnerability suspicion score, substituting the features to be tested into the Bayesian network for reasoning, and reasoning backward from the current features to the more probable vulnerability types and vulnerability triggering conditions.
S7: optimizing the mutation direction and the mutation degree of the test according to the reasoning result until a vulnerability is found.
Optionally, the target information further includes triggering conditions and vulnerability types;
the target features are associated with the vulnerability types and the triggering conditions.
Optionally, constructing the Bayesian network topology in S2 specifically includes:
following the causal logic by which a vulnerability leads to a device fault, taking the initial cause of the fault (the vulnerability triggering condition) as the basic event;
taking the vulnerability type as the intermediate event: it is the result of a basic event and in turn the cause of an abnormal state of the target under test;
taking the target features as the top events, and building the fault tree model from these events;
the basic events, intermediate events and top events correspond respectively to the parent (root) nodes, intermediate nodes and child (leaf) nodes of the Bayesian network;
the input-output relationships between events in the fault tree model correspond to the parent-child causal relationships in the Bayesian network.
Optionally, constructing the Bayesian network in S3 specifically includes:
calculating the prior probability and the conditional probability of each node according to fuzzy set theory, which completes the Bayesian network model;
before the network parameters have been learned, the initial conditional probability of each node is defined from prior knowledge;
N experienced experts are selected to judge the probability of occurrence of each abnormal state of the industrial control target. Each judgement is a 7-grade rating with scores 1 to 7, the grades corresponding to the probability terms {Very Low (VL), Low (L), Fairly Low (FL), Medium (M), Fairly High (FH), High (H), Very High (VH)}, and a triangular/trapezoidal fuzzy number F = (a, b, c, d) represents the membership function of each grade, where a and d are the lower and upper limits of the support and [b, c] is the region with membership 1;
the seven fuzzy numbers are (the triangular grades L, M and H are written with three parameters, i.e. b = c):
f(VL) = (0, 0, 0.1, 0.2);
f(L) = (0.1, 0.2, 0.3);
f(FL) = (0.2, 0.3, 0.4, 0.5);
f(M) = (0.4, 0.5, 0.6);
f(FH) = (0.5, 0.6, 0.7, 0.8);
f(H) = (0.7, 0.8, 0.9);
f(VH) = (0.8, 0.9, 1, 1);
where F_ji denotes the semantic judgement of the j-th expert (j = 1, 2, ..., N) on the i-th preset abnormal state; the comprehensive judgement of the event is obtained by averaging the N experts' judgements, which can be expressed as follows:
where p_i, the comprehensive judgement result for the event, is still a fuzzy number;
p_i then has to be defuzzified: a weighted-average algorithm commonly used in industrial control systems is applied to obtain a single crisp probability value, which is used as the prior probability of the node in the Bayesian network;
the prior probabilities and conditional probabilities of the other nodes are calculated in the same way.
Optionally, setting the weights in S4 specifically includes:
the less a target feature is affected by accidental factors, the larger its weight, so different features carry different weights. For example, the DO (digital output) and AO (analog output) of industrial control equipment are highly stable and little affected by accidental factors, so these features receive a higher weight, whereas ICMP delay and ARP delay are strongly affected by accidental factors in the network of the test environment, so these features receive a lower weight.
Optionally, S6 includes:
setting up a monitoring unit that monitors the device under test in real time during the vulnerability discovery test and acquires the target features in real time.
Optionally, S7 further includes:
setting a moderate interval for the vulnerability suspicion score, used to adjust the subsequent test strategy and/or to judge whether a vulnerability has been found.
Optionally, setting the moderate interval specifically includes:
setting a vulnerability suspicion score interval [P1, P2];
if the vulnerability suspicion score of the device under test is below P1, the test of the next time period resumes execution of the initial test cases;
if the vulnerability suspicion score of the device under test is above P2, a vulnerability is judged to have been found, the PoC script formed by the sub-tests of the current stage is output, and the most probable vulnerability type is calculated from the Bayesian network;
if the vulnerability suspicion score of the device under test lies within the interval, the features to be tested are again substituted into the Bayesian network for reasoning, and the test is optimized according to the reasoning result until a vulnerability is found.
Optionally, S7 specifically includes:
S7-1: calculating the probability of each vulnerability triggering condition with Bayes' formula and selecting the vulnerability triggering condition with the highest probability;
S7-2: according to that vulnerability triggering condition, selecting the related test messages acquired in time period T_n, selecting the corresponding abnormal fields or abnormal message structures to cover, and increasing the number of mutation tests or strengthening the mutation degree; the test of the next time period T_{n+1} then reinforces the trend toward vulnerability occurrence;
S7-3: if the vulnerability suspicion has not increased noticeably after the test of the next time period T_{n+1}, restoring the default baseline test cases and continuing the test;
if the vulnerability suspicion has increased noticeably after the test of the next time period, substituting the device feature values into the Bayesian network again for reasoning and obtaining a new vulnerability triggering condition from the new reasoning result;
S7-4: further adjusting and optimizing the mutation direction and mutation degree of the test cases according to the new vulnerability triggering condition until a vulnerability is found.
Optionally, the mutation degree is controlled by increasing the dispersion of the mutated values of the corresponding field;
the mutation degree comprises the number of mutated messages and the boundary-value coverage of the corresponding message field.
Optionally, the triggering condition includes at least one of the following:
abnormal length field, illegal parameter, abnormal packet checksum, connection exhaustion, abnormal heartbeat packet and illegal boundary.
Optionally, the vulnerability type includes at least one of the following:
denial of service, buffer overflow, SQL injection, information leakage.
Optionally, the target features comprise at least one of the following: memory, CPU, process, analog output (AO) voltage value, digital output (DO) voltage value, port state, Internet protocol response delay, register state, coil state.
The application also provides a vulnerability discovery system based on the Bayesian network, comprising:
a monitoring module for monitoring the features to be tested of the device under test during the test;
a computing module for computing the conditional probability and posterior probability of each node in the Bayesian network, and for computing the vulnerability suspicion score from the features to be tested and the preset weights;
a strategy module for adjusting and optimizing the mutation strategy according to the vulnerability triggering condition with the highest probability;
the system implements the Bayesian-network-based vulnerability discovery method described above.
The application also provides a storage medium storing instructions which, when executed by a processor, implement the above method.
The application also provides a terminal device comprising a processor and a memory, the memory storing instructions that cause the terminal device to execute the method.
In the application, the PoCs of known industrial control vulnerabilities are analyzed, the target features shown by the target device when the corresponding vulnerability is triggered are extracted, the Bayesian network topology is constructed through a fault tree model, the prior probability and conditional probability of each node are calculated according to fuzzy set theory, and the Bayesian network is generated;
during the test, the features to be tested of the device under test are monitored and substituted into the Bayesian network to infer the vulnerability triggering condition backward, and the test engine adjusts the mutation strategy for the subsequent tests according to the reasoning result together with the vulnerability suspicion score, which effectively improves vulnerability discovery efficiency.
The beneficial effects of the application are:
1) the method automatically adjusts the strategy based on the features to be tested, finds unknown vulnerabilities more accurately and in a more targeted manner, and markedly improves vulnerability discovery efficiency;
2) the application effectively handles the uncertainty of unknown vulnerabilities and the reasoning over complex causal relationships.
Drawings
Fig. 1 is a flowchart illustrating steps of a vulnerability discovery method based on bayesian network according to an embodiment of the present application.
Detailed Description
The present application is described in detail below with reference to examples, but the present application is not limited to these examples.
The vulnerability discovery method can be executed by any terminal device;
according to an embodiment of the present application, a vulnerability discovery method based on a Bayesian network is provided, comprising the following steps:
S1: analyzing and tallying PoC samples of known industrial control vulnerabilities, applying the PoC samples to the target device for verification, and extracting target information, where the target information comprises target features, triggering conditions and vulnerability types of the target device, and the target features are associated with the vulnerability types and the triggering conditions;
the triggering conditions include, but are not limited to, abnormal length field, illegal parameter, abnormal packet checksum, connection exhaustion, abnormal heartbeat packet and illegal boundary;
the vulnerability types include, but are not limited to, denial of service, buffer overflow, SQL injection and information leakage;
the target features include, but are not limited to: memory, CPU, process, analog output (AO) voltage value, digital output (DO) voltage value, port state, Internet protocol response delay, register state and coil state.
S2: constructing a fault tree model, and constructing the Bayesian network topology from the fault tree model:
following the causal logic by which a vulnerability leads to a device fault, the initial cause of the fault (the vulnerability triggering condition) is taken as the basic event;
the vulnerability type is taken as the intermediate event: it is the result of a basic event and in turn the cause of an abnormal state of the target under test;
the target features are taken as the top events, and the fault tree model is built from these events;
the basic events, intermediate events and top events correspond respectively to the parent (root) nodes, intermediate nodes and child (leaf) nodes of the Bayesian network;
the input-output relationships between events in the fault tree model correspond to the parent-child causal relationships in the Bayesian network.
S3: constructing the Bayesian network: the prior probability and the conditional probability of each node are calculated according to fuzzy set theory, which completes the Bayesian network model;
before the network parameters have been learned, the initial conditional probability of each node is defined from prior knowledge;
N experienced experts are selected to judge the probability of occurrence of each abnormal state of the industrial control target. Each judgement is a 7-grade rating with scores 1 to 7, the grades corresponding to the probability terms {Very Low (VL), Low (L), Fairly Low (FL), Medium (M), Fairly High (FH), High (H), Very High (VH)}, and a triangular/trapezoidal fuzzy number F = (a, b, c, d) represents the membership function of each grade, where a and d are the lower and upper limits of the support and [b, c] is the region with membership 1;
the seven fuzzy numbers are (the triangular grades L, M and H are written with three parameters, i.e. b = c):
f(VL) = (0, 0, 0.1, 0.2);
f(L) = (0.1, 0.2, 0.3);
f(FL) = (0.2, 0.3, 0.4, 0.5);
f(M) = (0.4, 0.5, 0.6);
f(FH) = (0.5, 0.6, 0.7, 0.8);
f(H) = (0.7, 0.8, 0.9);
f(VH) = (0.8, 0.9, 1, 1);
where F_ji denotes the semantic judgement of the j-th expert (j = 1, 2, ..., N) on the i-th preset abnormal state; the comprehensive judgement of the event is obtained by averaging the N experts' judgements, which can be expressed as follows:
where p_i, the comprehensive judgement result for the event, is still a fuzzy number;
p_i then has to be defuzzified: a weighted-average calculation commonly used in industrial control systems is applied to obtain a single crisp probability value, which is used as the prior probability of the node in the Bayesian network;
the prior probabilities and conditional probabilities of the other nodes are calculated in the same way.
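As an added worked example (not code from the patent), the following Python turns the seven-grade judgements of N experts into a crisp node prior as S3 describes. The page does not print its averaging or defuzzification equations, so the component-wise mean of the experts' fuzzy numbers, the (a + 2b + 2c + d)/6 weighted-average defuzzification and the final normalisation across the states of a node are assumptions made here; the grade table itself is the one given above, with the triangular grades written as four-parameter trapezoids (b = c).

```python
"""Fuzzy elicitation of a Bayesian-network prior (constructed example)."""

# (a, b, c, d): a/d bound the support, [b, c] is the core with membership 1.
# The triangular grades L, M and H are the special case b == c.
GRADES = {
    "VL": (0.0, 0.0, 0.1, 0.2),
    "L":  (0.1, 0.2, 0.2, 0.3),
    "FL": (0.2, 0.3, 0.4, 0.5),
    "M":  (0.4, 0.5, 0.5, 0.6),
    "FH": (0.5, 0.6, 0.7, 0.8),
    "H":  (0.7, 0.8, 0.8, 0.9),
    "VH": (0.8, 0.9, 1.0, 1.0),
}


def membership(fz, x):
    """Membership of probability x in trapezoid fz (sanity check for the table)."""
    a, b, c, d = fz
    if x < a or x > d:
        return 0.0
    if b <= x <= c:
        return 1.0
    if x < b:
        return (x - a) / (b - a)
    return (d - x) / (d - c)


def aggregate(judgements, expert_weights=None):
    """p_i: component-wise (weighted) mean of the experts' fuzzy numbers F_ji.
    Equal weights reproduce the plain average the patent describes; per-expert
    weights are an assumed extension."""
    n = len(judgements)
    w = expert_weights or [1.0] * n
    total = sum(w)
    fzs = [GRADES[j] for j in judgements]
    return tuple(sum(wi * fz[k] for wi, fz in zip(w, fzs)) / total for k in range(4))


def defuzzify(fz):
    """Weighted-average defuzzification (assumed form): the core counts twice."""
    a, b, c, d = fz
    return (a + 2 * b + 2 * c + d) / 6


def elicit_prior(judgements, expert_weights=None):
    """Crisp prior P(abnormal state occurs) for one node."""
    return defuzzify(aggregate(judgements, expert_weights))


def elicit_distribution(state_judgements):
    """One crisp value per mutually exclusive state of a node, normalised to
    sum to 1. Assumption: defuzzified values of separate states need not add
    up to 1, and the page does not say how that is handled."""
    raw = {state: elicit_prior(j) for state, j in state_judgements.items()}
    z = sum(raw.values())
    return {state: v / z for state, v in raw.items()}


if __name__ == "__main__":
    # Constructed judgements of three experts on one abnormal state.
    print(aggregate(["L", "FL", "M"]), elicit_prior(["L", "FL", "M"]))
    print(elicit_distribution({"normal": ["H", "H"], "abnormal": ["L", "VL"]}))
```

The crisp values of the seven grades come out monotonically increasing (VL about 0.07 up to VH about 0.93), which is the first thing to check after changing the grade table: a non-monotonic scale silently corrupts every prior derived from it.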
S4: setting weight according to the association degree of the target feature and the vulnerability, wherein the smaller the target feature is affected by accidental factors, the larger the weight is occupied;
s4-1: executing an initial fuzzy test case, wherein the initial case can be selected in a self-defined manner according to a protocol;
s4-2: after the test execution time period T, the to-be-tested characteristics of the current to-be-tested equipment are obtained, namely the hit characteristic number M of the to-be-tested equipment at the current moment.
S5: and calculating the vulnerability suspicious score by combining the weight with the to-be-detected characteristics of the to-be-detected equipment.
S6: judging according to the suspicious scores of the loopholes, wherein the higher the scores are, the greater the suspicious degree of the loopholes is, namely the probability of the loopholes or the probability of the loopholes to occur in the future is greater;
s6-1: and setting a vulnerability suspicious score interval [ P1, P2].
S6-2: if the vulnerability suspicion score of the device to be tested is smaller than P1, the vulnerability suspicion degree at the current moment is considered to be lower and negligible, the initial test case execution is restored in the test of the next time period, namely, the execution is continued to return to S4-1;
s6-3: if the suspicious score of the vulnerability of the device to be tested is larger than P2, judging that the vulnerability is excavated, outputting POC scripts formed by sub-tests at the current stage, and simultaneously calculating the type of the vulnerability with the highest probability of the vulnerability according to a Bayesian network, and ending the vulnerability excavation test;
s6-4: if the vulnerability suspicion score of the device to be tested is located in the interval, judging that the vulnerability suspicion degree at the current moment is moderate, and continuing to execute S6-5;
s6-5: substituting the feature to be detected into the Bayesian network for reasoning, and reversely reasoning out the vulnerability type and the vulnerability triggering condition with larger probability based on the current feature.
S7: optimizing the mutation testing direction and the mutation degree according to the reasoning result until the loopholes are mined;
s7-1: and calculating the probability of each vulnerability triggering condition according to a Bayesian formula, and selecting the vulnerability triggering condition with the maximum probability.
S7-2: selecting related test messages in the acquired Tn time period according to the vulnerability triggering condition, selecting a corresponding abnormal field or abnormal message structure to cover, increasing the number of variant subtest or enhancing the variant degree, and controlling the variant degree by increasing the discrete degree of the variant value of the corresponding field;
then, the next time period Tn+1 is tested, and the vulnerability occurrence trend is enhanced.
For example, in S7-1, the vulnerability triggering condition with the highest probability inferred based on the current hit feature is an illegal boundary, and then the number of variant sub-tests related to the illegal boundary needs to be increased in the next time period to cover the illegal boundaries of all string type fields in the test message.
S7-3: if the vulnerability suspicious degree is not obviously increased after the next time period Tn+1 is tested, the test is continued after the default reference test case is restored;
if the suspicious degree of the vulnerability is obviously increased after the next time period is tested, the device characteristic value is brought into the Bayesian network again for reasoning, and a new vulnerability triggering condition is obtained according to a new reasoning result.
S7-4: and further adjusting and optimizing the variation direction and variation degree of the test case according to the new vulnerability triggering condition until vulnerabilities are excavated.
The application also provides a vulnerability discovery system based on the Bayesian network, comprising:
a monitoring module for monitoring the features to be tested of the device under test during the test;
a computing module for computing the conditional probability and posterior probability of each node in the Bayesian network, and for computing the vulnerability suspicion score from the features to be tested and the preset weights;
a strategy module for adjusting and optimizing the mutation strategy according to the vulnerability triggering condition with the highest probability;
the system implements the Bayesian-network-based vulnerability discovery method described above.
The application also provides a storage medium storing instructions which, when executed by a processor, implement the above method.
The application also provides a terminal device comprising a processor and a memory, the memory storing instructions that cause the terminal device to execute the method.
It should be noted that, for simplicity of description, the foregoing method embodiments are described as a series of combined actions; those skilled in the art will understand that the present disclosure is not limited by the order of the actions described, since some steps may be performed in another order or simultaneously in accordance with the present disclosure;
further, those skilled in the art will appreciate that the embodiments described in the specification are all alternative embodiments, and that the actions and modules involved are not necessarily required by the present disclosure;
while the application has been described in terms of preferred embodiments, those skilled in the art will understand that various changes and modifications can be made without departing from its scope, and it is intended that the principles of the application as defined in the appended claims are covered.

Claims (10)

1. A vulnerability discovery method based on a Bayesian network, characterized by comprising the following steps:
S1: analyzing and tallying PoC samples of known industrial control vulnerabilities, applying the PoC samples to a target device for verification, and extracting target information, where the target information comprises target features of the target device;
S2: constructing a fault tree model and constructing a Bayesian network topology from the fault tree model;
S3: constructing the Bayesian network;
S4: setting weights according to the degree of association between each target feature and vulnerabilities;
S5: calculating a vulnerability suspicion score from the weights and the features to be tested of a device under test;
S6: judging according to the vulnerability suspicion score, and substituting the features to be tested into the Bayesian network for reasoning;
S7: optimizing the mutation direction and the mutation degree of the test according to the reasoning result until a vulnerability is found.
2. The Bayesian-network-based vulnerability discovery method of claim 1, characterized in that the target information further comprises triggering conditions and vulnerability types;
the target features are associated with the vulnerability types and the triggering conditions;
preferably, constructing the Bayesian network topology in S2 specifically comprises:
following the causal logic by which a vulnerability leads to a device fault, taking the vulnerability triggering condition as the basic event, the vulnerability type as the intermediate event and the target feature as the top event to construct the fault tree model;
the basic events, intermediate events and top events correspond respectively to the parent nodes, intermediate nodes and child nodes of the Bayesian network;
the input-output relationships between events in the fault tree model correspond to the parent-child causal relationships in the Bayesian network;
preferably, constructing the Bayesian network in S3 specifically comprises:
calculating the prior probability and the conditional probability of each node according to fuzzy set theory, which completes the Bayesian network model;
preferably, setting the weights in S4 specifically comprises:
the less a target feature is affected by accidental factors, the larger its weight;
preferably, S6 comprises:
setting up a monitoring unit that monitors the device under test in real time during the vulnerability discovery test and acquires the target features in real time.
3. The Bayesian-network-based vulnerability discovery method of claim 1, characterized in that S7 further comprises:
setting a moderate interval for the vulnerability suspicion score, used to adjust the subsequent test strategy and/or to judge whether a vulnerability has been found;
preferably, setting the moderate interval specifically comprises:
setting a vulnerability suspicion score interval [P1, P2];
if the vulnerability suspicion score of the device under test is below P1, the test of the next time period resumes execution of the initial test cases;
if the vulnerability suspicion score of the device under test is above P2, judging that a vulnerability has been found, outputting the PoC script formed by the sub-tests of the current stage, and calculating the most probable vulnerability type from the Bayesian network;
if the vulnerability suspicion score of the device under test lies within the interval, continuing to substitute the features to be tested into the Bayesian network for reasoning and optimizing according to the reasoning result until a vulnerability is found.
4. The Bayesian-network-based vulnerability discovery method of claim 2, characterized in that S7 specifically comprises:
S7-1: calculating the probability of each vulnerability triggering condition with Bayes' formula and selecting the vulnerability triggering condition with the highest probability;
S7-2: according to that vulnerability triggering condition, selecting the related test messages acquired in time period T_n, selecting the corresponding abnormal fields or abnormal message structures to cover, and increasing the number of mutation tests or strengthening the mutation degree, the test of the next time period T_{n+1} then reinforcing the trend toward vulnerability occurrence;
S7-3: if the vulnerability suspicion has not increased noticeably after the test of the next time period T_{n+1}, restoring the default baseline test cases and continuing the test;
if the vulnerability suspicion has increased noticeably after the test of the next time period, substituting the device feature values into the Bayesian network again for reasoning and obtaining a new vulnerability triggering condition from the new reasoning result;
S7-4: further adjusting and optimizing the mutation direction and mutation degree of the test cases according to the new vulnerability triggering condition until a vulnerability is found;
preferably, the mutation degree is controlled by increasing the dispersion of the mutated values of the corresponding field;
the mutation degree comprises the number of mutated messages and the boundary-value coverage of the corresponding message field.
5. The bayesian network based vulnerability discovery method of claim 2, wherein the triggering condition comprises at least one of the following conditions:
abnormal length field, illegal parameters, abnormal data packet verification, connection exhaustion, abnormal heartbeat packet and illegal boundary.
6. The Bayesian-network-based vulnerability discovery method of claim 2, wherein the trigger type comprises at least one of the following types:
denial of service vulnerabilities, buffer overflows, SQL injection, information leakage.
7. The bayesian network based vulnerability discovery method of claim 2, wherein the target features comprise at least one of the following features: memory, CPU, process, voltage analog output value, voltage digital output value, port state, internet protocol response delay time, register state, coil state.
8. A bayesian network-based vulnerability discovery system, the system comprising:
the monitoring module is used for monitoring the characteristics to be tested of the equipment to be tested in the test process;
the computing module is used for computing the conditional probability and posterior probability of each node in the Bayesian network and computing the vulnerability suspicious score according to the feature to be tested and the preset weight;
the strategy module is used for adjusting and optimizing the mutation strategy according to the vulnerability triggering condition with the maximum probability;
the system can implement the bayesian network-based vulnerability discovery method of any one of claims 1-7.
9. A storage medium storing instructions for implementing the bayesian network based vulnerability discovery method of any one of claims 1-7 when executed by a processor.
10. A terminal device, comprising a processor and a memory, wherein the memory stores instructions for causing the terminal device to perform the bayesian network-based vulnerability discovery method according to any one of claims 1-7.
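The decision step of claims 3 and 4, as an added Python example that is not part of the patent: a naive-Bayes posterior over the trigger conditions of claim 5 given which target features of claim 7 deviate from baseline, the weighted suspicious score of S4, and the [P1, P2] branching of claim 3. All priors, conditional probabilities, weights, thresholds and observations are constructed placeholders, not values from the patent.

```python
# Added example, not the patent's code: one decision step of the feedback loop in
# claims 3 and 4. Every number below is a constructed placeholder.
TRIGGERS = ["abnormal_length", "illegal_params", "connection_exhaustion"]
PRIOR = {"abnormal_length": 0.4, "illegal_params": 0.35, "connection_exhaustion": 0.25}
# P(feature deviates from baseline | trigger condition); constructed.
COND = {
    "abnormal_length":       {"memory": 0.8, "cpu": 0.5, "response_delay": 0.3},
    "illegal_params":        {"memory": 0.3, "cpu": 0.7, "response_delay": 0.4},
    "connection_exhaustion": {"memory": 0.4, "cpu": 0.6, "response_delay": 0.9},
}
# P(vulnerability type | trigger condition); constructed.
TYPE_GIVEN_TRIGGER = {
    "abnormal_length":       {"buffer_overflow": 0.7, "denial_of_service": 0.3},
    "illegal_params":        {"sql_injection": 0.6, "information_leak": 0.4},
    "connection_exhaustion": {"denial_of_service": 1.0},
}
# Claim 2: features less affected by accidental factors get larger weights.
WEIGHT = {"memory": 0.5, "cpu": 0.2, "response_delay": 0.3}
P1, P2 = 0.3, 0.7  # moderate interval [P1, P2] of claim 3

def posterior(evidence):
    """Bayes' rule over trigger conditions given binary feature deviations (S7-1)."""
    joint = {}
    for t in TRIGGERS:
        p = PRIOR[t]
        for f, deviates in evidence.items():
            lik = COND[t][f]
            p *= lik if deviates else 1.0 - lik
        joint[t] = p
    z = sum(joint.values())
    return {t: p / z for t, p in joint.items()}

def suspicious_score(evidence):
    """Weighted sum of the deviating features (claim 1, S4)."""
    return sum(WEIGHT[f] for f, deviates in evidence.items() if deviates)

def likely_type(post):
    """Marginalise the trigger posterior into the most probable vulnerability type."""
    types = {}
    for t, p in post.items():
        for v, q in TYPE_GIVEN_TRIGGER[t].items():
            types[v] = types.get(v, 0.0) + p * q
    return max(types, key=types.get)

def next_action(evidence):
    """Claim 3 decision on the score; the max-probability trigger steers mutation."""
    score, post = suspicious_score(evidence), posterior(evidence)
    best = max(post, key=post.get)
    if score < P1:
        return ("reset_to_baseline", best, None)
    if score > P2:
        return ("vulnerability_found", best, likely_type(post))
    return ("intensify_mutation", best, None)
```

In the middle branch the returned trigger condition is what S7-2 uses to choose which message fields to mutate more heavily in T_{n+1}.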
CN202310783504.4A, priority date 2023-06-28, filed 2023-06-28: Vulnerability discovery method, system, storage medium and terminal equipment based on Bayesian network. Status: Pending. Publication CN117009974A (en)

Publications (1)

Publication Number Publication Date
CN117009974A true CN117009974A (en) 2023-11-07

Family

ID=88566364

Country Status (1)

Country Link
CN (1) CN117009974A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050160324A1 (en) * 2003-12-24 2005-07-21 The Boeing Company, A Delaware Corporation Automatic generation of baysian diagnostics from fault trees
CN114647566A (en) * 2020-12-18 2022-06-21 南京泛函智能技术研究院有限公司 Vulnerability mining technology based on reinforcement learning
CN114756471A (en) * 2022-04-25 2022-07-15 尚蝉(浙江)科技有限公司 Vulnerability type oriented fuzzy test method and system based on byte sensitive energy distribution

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
赵战民; 岳永哲: "网络信息交互过程安全漏洞检测仿真" (Simulation of security vulnerability detection in the network information interaction process), 计算机仿真 (Computer Simulation), no. 11, 15 November 2017 (2017-11-15) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117610027A (en) * 2024-01-23 2024-02-27 上海齐同信息科技有限公司 Private protocol vulnerability detection method and system
CN117610027B (en) * 2024-01-23 2024-03-29 上海齐同信息科技有限公司 Private protocol vulnerability detection method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination