WO2020093201A1 - Security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory - Google Patents

Security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory

Info

Publication number: WO2020093201A1
Authority: WO, WIPO (PCT)
Prior art keywords: attack, attacker, node, probability, mimic
Application number: PCT/CN2018/113980
Other languages: English (en), French (fr)
Inventors: 李挥, 杨昕, 邬江兴, 伊鹏
Original Assignee: 北京大学深圳研究生院, 国家数字交换系统工程技术研究中心
Application filed by: 北京大学深圳研究生院, 国家数字交换系统工程技术研究中心
Priority to PCT/CN2018/113980 (WO2020093201A1)
Priority to CN201880092103.1A (CN112313915B)
Priority to US16/228,513 (US10440048B1)
Publication of WO2020093201A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1433 Vulnerability analysis
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G06N7/00 Computing arrangements based on specific mathematical models
    • G06N7/01 Probabilistic graphical models, e.g. probabilistic networks

Definitions

  • The invention belongs to the field of network attack and defense security measurement, and in particular relates to a security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory.
  • MTD: Moving Target Defense
  • Moving target defense periodically and actively migrates the network configuration to limit the exposure time of the same vulnerability, increase the attack surface and uncertainty, increase the attacker's attack difficulty, and reduce the probability of the system being captured.
  • Moving target defense actively changes the system configuration in exchange for improved system security, but the performance loss caused by frequent system configuration changes cannot be ignored.
  • CMD: Cyberspace Mimic Defense
  • Mimic defense aims to establish a relatively secure attack defense system that is dynamic, redundant and heterogeneous.
  • The present invention takes the classic implementation structure of mimic defense, the MDA (Mimic Defense Architecture) structure, as an example, analyzes the security of mimic defense, and then forms the final mimic defense network from multiple MDA structures.
  • MDA: Mimic Defense Architecture
  • The basic structure of MDA is shown in Figure 1.
  • The MDA structure is composed of an input agent, a heterogeneous pool of executors, an executor set, a feedback controller, and an output arbiter, which is a multi-mode voter.
  • Multiple functionally equivalent but differently implemented executors, that is, heterogeneous functional equivalents, constitute the heterogeneous executor pool of this structure.
  • The heterogeneous executors in the pool do not all need to be in a working state at the same time.
  • The input agent usually selects three executors to form the current working executor set, and the other executors are used as backups.
  • When the system receives a request message, the input agent issues instructions and assigns the same functional requirement to the current executor set; the executors in the working state carry out the task and, after a certain execution time, send their output vectors to the output arbiter as the execution result.
  • The output arbiter collects a sufficient number of results and makes a majority decision. If the collected output vectors are completely consistent, the multi-mode voter regards the result as correct and outputs it; otherwise, the output arbiter activates the defense mechanism.
  • Security measurement technology based on experimental simulation.
  • The main idea of the scheme is to use a simulation platform to simulate the attack process and conduct offensive and defensive experiments, so as to test the security of the network structure.
  • Colbaugh et al. (Colbaugh, Richard, Kristin, "Predictive Moving Target") used machine learning methods and a game model to describe the interaction between attack and defense, and analyzed the effectiveness of MTD defense in email applications.
  • Another common security measurement method is to use mathematical methods to calculate the effectiveness of defense methods.
  • The attack process is usually abstracted and transformed into an attack success probability problem under certain conditions.
  • Network security analysis is usually carried out with the help of powerful mathematical tools such as Petri nets, Markov chains, game theory, and stochastic processes.
  • The state of MTD nodes is divided into three categories: working, idle and trapping.
  • The stochastic Petri net is used to analyze the corresponding security of the system when the state residence time changes, and the relationship between the state transition frequency and the effectiveness of the system is explained qualitatively.
  • The main defect of existing mathematical models for calculating the security of a defense structure is their low degree of conformity with the actual system.
  • Mathematical modeling requires a certain abstraction of the actual system to reduce the difficulty of modeling, but the abstraction process also leads to a gap between the model and the actual system. It is difficult to measure the influence of different mathematical abstractions on the authenticity of the modeling results, which lowers the reliability of the modeling scheme.
  • A well-designed, extensible security analysis model should meet the following conditions: (1) it fits the actual system and is easy to adjust flexibly according to the actual situation; (2) the mathematical calculation difficulty is low, and the system is effectively abstracted; (3) it effectively quantifies the difficulty of attacks to facilitate the comparison of security between different defense systems; (4) it guides the parameter configuration of the actual system.
  • The purpose of the present invention is to provide a security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory, aiming to solve the above technical problems.
  • The security modeling and quantification method includes the following steps:
  • The attack and defense process of the distributed MDA with decision delay is abstracted, and the attack process is divided into single-node attacks and link attacks according to the attack granularity.
  • The total theoretical average attack time is obtained based on the expected number of successful steps of the link attack and the single-node attack time.
  • A further technical solution of the present invention is that the single-node attack treats an independent functional component in the attack process as a node, and when the node is attacked, the defender performs one of the following actions on the attacked executor according to the attack situation: eviction (D), false eviction (M), deactivation (S) and judgment (J).
  • In step S3, the GSPN theory is applied as follows: the attacker and the defender form a game in the actual system; their different actions have different effects on the output state of the single node, and a generalized stochastic Petri net (GSPN) model is established according to these effects.
  • The method for establishing the generalized stochastic Petri net (GSPN) model includes the following steps:
  • A further technical solution of the present invention is that the attack and defense behaviors of the attacker and the defender in the game put the system into the following different states according to different attack results: normal operation (A), non-specific perception (B), wear (C), attack proliferation (D) and attack escape (E);
  • Normal operation (A): the attacker has not launched an attack, or no attack is taking effect, so all executors operate normally;
  • Non-specific perception (B): the attacker successfully attacks fewer than half of the executors. When the majority decision is made, the system finds that the output of the attacked executors is inconsistent with that of the other executors, and the attacked executors are replaced by executors in the heterogeneous pool that have not been attacked, causing the attack to fail;
  • Wear (C): the attacker successfully attacks most of the executors but cannot make them produce the same erroneous output, or the attacker successfully attacks all the executors and their outputs are inconsistent. The system obtains multiple output results, none of which occurs in more than half of the outputs, so no judgment can be made; the system marks the executor set as suspicious and disables it;
  • Attack proliferation (D): the attacker successfully attacks most of the executors and produces the same erroneous output, which causes the system to evict the correct executor by mistake; or the attacker successfully attacks all the executors and more than half of them produce the same erroneous output, so the system evicts the compromised executors whose output is inconsistent.
  • In this case the system's eviction operation not only fails to clean the attacker out of the system, but also consumes resources in the heterogeneous pool, causing the attack to spread;
  • Attack escape (E): when the attacker's capability is strong enough and the attack is fast enough, all the executors are successfully attacked and all produce the same erroneous output before the mimic defense system makes a majority decision, so the attacker escapes successfully.
  • The arbiter judges that the output is correct and allows all the executors to continue to work.
  • A further technical solution of the present invention is that, through the attack and defense behaviors of the attacker and the defender in the game, the single-node defender makes the system switch between different states by means of mimic judgment during the attack and defense process.
  • P 2M J P ⁇ N (t a + ⁇ t a + ... + ⁇ i-1 t a ) -N (0) > 0 ⁇ ; the system carries out a mimic judgment (t (i, CJ) + t (2, D, J) )
  • N 1
  • N the number of working executives in the system
  • K is the threshold of the number of output of the same result, 0 ⁇ i ⁇ NK.
  • A further technical solution of the present invention is that the link attack takes the steady-state time of a single node as the attack cycle of the system.
  • The attacker advances along the attack chain. Each time a node is successfully attacked, the attacker takes a step down the attack chain, and it is determined whether a mimic random perturbation is encountered: if so, the attacker takes one step back along the attack chain; if not, the attacker continues to attack the next node.
  • A further technical solution of the present invention is that, in a link attack, the attacker has three different moves, retreating, advancing down the link, and staying in place, depending on whether it encounters a random perturbation and whether it attacks a single node successfully.
  • the probability of the attacker's success in attacking the next node is ⁇ , and the probability that the system does not randomly perturb the attack-related nodes in the transformation period is (1- ⁇ ), so the attacker successfully attacks the next node and no random disturbance occurs during the period
  • step S4 further includes the following steps:
  • is the probability that the attacker will successfully attack a single node
  • is the probability of encountering an active random disturbance at a single node
  • is the link length
  • ⁇ ( TE0 ) is the frequency of random disturbance actions
  • P(PE) is the probability of a single node being broken.
  • The beneficial effects of the present invention are: using the GSPN model keeps the modeling close to the actual system and ensures the rationality of the model; abstracting the actual situation ensures the efficiency of the modeling; quantifying the difficulty of the attack makes it possible to compare different security defense methods; and finding the relationship between different system configuration parameters and security improves the security of the system.
  • The biggest advantage of the present invention is that it designs a unified security analysis model for complex defense systems. The mathematical quantitative analysis is close to the actual system and shows good scalability for the actual system.
  • Through layered design, the invention takes both the mathematical abstraction and the actual system into account, and reduces the difficulty of mathematical analysis while keeping the model close to the actual system. The design of the first layer makes the model flexible and transferable: different systems can be analyzed by adjusting parameters, so that parameters can be tuned for a specific system and the parameter configuration of the actual system can be guided.
  • The invention realizes the quantitative assessment of security, which brings many beneficial effects: the security of different systems is easy to compare; users can flexibly choose the system configuration according to their own security needs; and the network defense industry can design a security rating based on the scores of specific systems and assign different security levels to different systems.
  • FIG. 1 is the overall function and structure of mimic defense.
  • FIG. 2 is a schematic diagram of the attacker's perspective in a GSPN network with attack and defense perspectives provided by an embodiment of the present invention.
  • FIG. 3 is a schematic diagram of the defender's perspective in a GSPN network with attack and defense perspectives provided by an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a simplified attack and defense GSPN network provided by an embodiment of the present invention.
  • FIG. 5 is an attack transfer diagram provided by an embodiment of the present invention.
  • FIG. 6 is a detail of the attacker attacking the vulnerabilities of executor 1 provided by an embodiment of the present invention.
  • FIG. 8 is a detail of the attacker attacking the vulnerabilities of executor 3 provided by an embodiment of the present invention.
  • FIG. 9 is a schematic diagram of the mimic node attack and defense GSPN network provided by an embodiment of the present invention.
  • FIG. 10 is a diagram of the correspondence between attack speed and attack escape probability provided by an embodiment of the present invention.
  • FIG. 11 is an overall view of the correspondence between random disturbance frequency and attack escape probability provided by an embodiment of the present invention.
  • FIG. 12 is a partially enlarged view of the correspondence between random disturbance frequency and attack escape probability provided by an embodiment of the present invention.
  • FIG. 19 is a flowchart of the security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory provided by an embodiment of the present invention.
  • The present invention abstracts the attack and defense process of the distributed MDA (Mimic Defense Architecture) with judgment delay, and divides the attack process of an attacker on a specific node in the network link into two levels according to the attack granularity: single-node attacks and link attacks, in which sequential single-node attacks on the same attack chain form a network link attack.
  • The invention adopts game theory and uses the generalized stochastic Petri net (GSPN), Markov chains and martingales to analyze the mimic defense model, from node to link, and finally analyzes the security performance of the entire system, including single-node attack success rate, average node attack time, link attack time, etc.
  • The present invention first considers the security of a single node, that is, the probability of the attacker successfully attacking the single node within a certain time, and then passes it to the link attack layer as an input attack strength parameter to further calculate the success probability of the link attack.
  • Node: the present invention regards an independent functional component in the attack process as a node.
  • A node may be a server, a host, a software function process, or a function cluster.
  • Eviction: when an executor sends an output vector that is inconsistent with those of the other executors, the system marks the executor as suspicious, stops its work tasks, cleans it, and puts it back in the heterogeneous pool. An executor in the pool that has not been used or is confirmed not to have been attacked is selected to continue the work. If the executor marked as suspicious is indeed an erroneous executor, this action is called eviction.
  • False eviction: when an executor's output vector is inconsistent with those of the other executors, but this is because the two other executors have been attacked and produce the same output vector, which differs from that of the normal executor, the system deactivates the normal executor as a suspicious executor. This is called false eviction. False eviction consumes resources in the mimic heterogeneous pool, but it does not have a negative impact on security.
  • Deactivation: when the results of the three executors all differ, the arbiter cannot output a result. The system then marks all three executors as suspicious and deactivates them, and selects three new executors from the heterogeneous pool to replace them.
  • The present invention defines five system states according to different attack results as follows:
  • Non-specific perception: the attacker successfully attacked an executor, but the system found that the output of this executor was inconsistent with that of the other executors when the majority decision was made, and replaced the compromised executor. The attack failed.
  • Attack diffusion: the attacker successfully attacked two executors and produced the same erroneous output, causing the system to evict the correct executor by mistake; or the attacker successfully attacked three executors, and only two of them produced the same erroneous output, in which case the system evicts the compromised executor whose output is inconsistent. In both cases, the eviction operation not only fails to clean the attacker out of the system, but also consumes additional resources in the heterogeneous pool, causing the attack to spread.
  • Attack escape: if the attacker's capability is strong enough and the attack is fast enough that, before the mimic defense system makes a majority decision, the three executors are successfully attacked and all produce the same erroneous output, then the attack escape succeeds; that is, the attacker gains control of the node without being discovered by the defender. The arbiter then judges that the output is correct and allows the three compromised executors to continue working.
  • Because the three executors that implement the function of a node each have their own vulnerabilities, an attacker who wants to attack the entire node must attack the three executors separately. That is, the attacker needs to use the vulnerabilities of each executor to launch a targeted attack and finally obtain control of the executor, so that it exhibits the effect the attacker desires.
  • Defenders can choose different configurations and adopt mimic defense methods to defend.
  • The attacker can detect the configuration information of a working executor, elevate its privileges, and launch more attacks until it obtains control of the executor.
  • The premise of gaining control of the node is to compromise most of its executors and make their running results consistent so as to pass the majority decision.
  • The present invention classifies the single-step attacks suffered by each executor into general attacks and special attacks.
  • On the one hand, the defender makes a majority decision on the output vectors, and marks and replaces the suspicious executor; on the other hand, in order to prevent high-frequency and high-intensity fast attacks, the defender adopts a low-frequency random disturbance mechanism.
  • Random perturbation refers to selecting an executor by random command to undergo offline pre-cleaning or strategic reconfiguration, after which it waits to be scheduled back into the current working set once it has recovered. Because of the random perturbation mechanism, even if the standby coordinated attack succeeds, it cannot maintain the escape state; that is, the attack cannot be sustained.
  • GSPN: generalized stochastic Petri net
  • A generalized stochastic Petri net is represented by a six-tuple:
  • a GSPN (S, T; F, W, M 0 , ⁇ ), where
  • F represents the connecting arcs between T and S; inhibitor arcs are allowed.
  • W represents the weight of each arc. That the number of tokens in the arc's place is more than this value is a necessary condition for the transition to fire.
  • M 0 represents the initial marking.
  • The present invention first establishes a GSPN model from the perspective of the attacker.
  • The attacker needs to sniff the configuration of the node's executors and specifically break through enough executors to obtain control of the node.
  • A single-node system has the following states: normal operation, one executor broken, two executors broken, and three executors broken (at which point the attacker can proceed to attack the next node).
  • The attacker's model includes the vulnerabilities that are overcome when an executor is attacked and the resulting privilege escalation, so it depends on the specific configuration of each executor and on the target of the attack.
  • Through the attack and defense behaviors of the attacker and the defender in the game, the single-node defender uses mimic judgment to make the system switch between the following states: normal operation; fewer than half of the executors broken; more than half of the executors broken; all of the executors broken; after judgment, more than half of the executors broken and more than half of the outputs being the same error vector; after judgment, more than half of the executors broken and outputting different error vectors, none of which accounts for more than half; after judgment, all of the executors broken and no error vector accounting for more than half; after judgment, all of the executors broken and one error vector accounting for more than half; and, after judgment, all of the executors broken and outputting exactly the same error vector.
  • From the defender's perspective, the single-node system has the following states: normal operation; one executor broken; two executors broken; three executors broken; after judgment, the two broken executors output the same error vector; after judgment, the two broken executors output different error vectors; after judgment, the three broken executors output error vectors that all differ from each other; after judgment, the three broken executors output two identical error vectors and one different error vector; and, after judgment, the three broken executors output exactly the same three error vectors.
  • The defender completes the system's transition between different states through a mimic judgment.
  • The GSPN model from the perspective of the defender is shown in Figure 3.
  • The present invention can thus obtain the final general attack GSPN network.
  • The attacker can launch an attack on several executors at the same time. Since the time required to break each executor is different, the executors that the attacker successfully attacked can be ordered by the time at which each attack completes. Taking three executors as an example, there are 6 possible orders of success.
  • The GSPN networks from the perspectives of the attacker and the defender are combined to obtain a complete schematic diagram of the GSPN network. To simplify the analysis, the present invention ignores the impact of different attack completion orders. Assuming that executors 1, 2, and 3 are broken in sequence, the simplified GSPN network structure is shown in Figure 4.
  • A place is represented by a circle, denoted P (i, x), where i is the count, which represents the number of compromised executors, and x is the status bit, which represents the overall status of the compromised executors.
  • P 0 indicates that the system is operating normally;
  • P 1, P 2, and P 3 indicate that 1, 2 or 3 of the executors, respectively, have been successfully attacked;
  • P (i, B) indicates the non-specific perception state, that is, i executors have been attacked.
  • The table of the defender's transitions in Figure 4 is shown in Table 2.2.2.
  • the square represents the defender's behavior, in which the black solid square represents the instantaneous transition, and the corresponding parameter is the transition probability p; the black hollow square represents the delay transition, and the corresponding parameter is the transition rate ⁇ .
  • The different behaviors of the attacker and the defender cause the system to transition between different states.
  • A transition is denoted T (i, j, x), where i and j represent the starting place and ending place of the transition, respectively. If the number of attacked executors indicated by the two places has changed, then i and j are the numbers before and after the change, respectively; if there is no change, the last position is the status bit.
  • x is the action position, indicating the main action of the attacking and defending sides, where D means drive, M means miss drive, S means stop, and J means judge.
  • T (2, 0, S) means that after two executors are attacked, the defender deactivates the suspicious executors and replaces the three suspicious executors with healthy executors taken from the heterogeneous pool, restoring the system to a state in which no executor has been attacked.
  • the attacking ability of general attacks is weak, and there is no cumulative effect, the present invention takes 1.2t w .
  • the probability that the normally working execution body has completed the output of the result is:
  • is the rate of the Poisson process, ⁇ > 0;
  • The present invention can set the parameters of each transition, so as to calculate the final single-node attack success rate.
  • A complete network link is composed of many nodes, so to attack a certain node in the link, the attacker needs to attack each node on the link in turn.
  • The invention takes the steady-state time of a single node as the attack cycle of the system. The attacker advances along the attack chain. Every time a node is successfully attacked, the attacker takes a step down the attack chain. If it encounters a random disturbance, it takes a step back along the attack chain. This setting, in which the state of the previous step and the range of the next attack are known and the position where the attack stops is sought, is consistent with the characteristics of a Markov chain. Therefore, it is proposed to use a Markov chain and martingale to model and solve this part.
  • the present invention constructs an attack transition matrix M ⁇ * ⁇ , and the element M i, j represents the probability of transition from the i-th node to the j-th node.
  • The attacker moves along the link. After compromising a node, the attacker obtains information about the successor node.
  • A single-node attack may succeed only if neither the attacked node nor the attack starting point is selected for disturbance. The attack therefore has three possible moves: retreating, advancing down the link, and staying in place.
  • The specific transition probabilities are as follows:
  • X 0 , X 1 , X 2 , ..., X n denote a series of random variables
  • Xi denote the node position where the attacker is at the beginning of the i-th time period
  • the M n sequence is about X 0 , X 1 , X 2 , ..., X n martingale.
  • A stopping time is defined as a random time with the property that it does not depend on the future.
  • Theorem 2.2.2 For an attack chain with a length of ⁇ nodes, if the probability of the attacker attacking a single node is ⁇ and the probability of encountering active random disturbance at a single node is ⁇ , then the attacker successfully attacks the target node (ie ⁇ Point)
  • the expected number of steps required is:
  • the steady-state probability of attack escape obtained by the operation is the downlink probability of the next part of the Markov chain
  • the random disturbance probability is the uplink probability of the Markov chain
  • The present invention takes an actual attack chain as an example, including each node in the attack and the executor structure of each node, for analysis.
  • The attack enters from an external network.
  • The target of the attack is to steal the files in the database of each node in a link and insert a backdoor.
  • There are 10 link nodes, that is, ⁇ 10.
  • the attacker attacks the node's operating system, server, and database separately until the data is stolen and the backdoor is successfully inserted.
  • the execution body takes the operating system * front-end language * database as an example.
  • the attacker determines the order of the attack execution body based on the scanned information.
  • the defender selects the replacement execution body based on the information of the failed execution body.
  • a game is formed between the two.
  • the present invention is described by a generalized random Petri network.
  • the present invention uses a very important database when designing the delay function: Common Vulnerability Scoring System (CVSS) [].
  • CVSS is an "industry open standard" designed to measure the severity of vulnerabilities and help determine the urgency and importance of the required response, generally along with public vulnerabilities and exposures (Common Vulnerabilities & Exposures, CVE) []
  • the National Vulnerability Database (NVD) [] is released.
  • the goal is to provide a severity rating for all software security vulnerabilities and establish a standard for measuring the severity of the vulnerabilities so that the severity of the vulnerabilities can be compared with each other to determine their treatment Priority.
  • the CVSS score is based on the measurement results in a series of dimensions, which are called metrics.
  • the final score of the vulnerability is 10 at the maximum and 0 at the minimum.
  • the CVSS system includes three types of scores: benchmark score, tense score, and environmental score. Each score measures the different attributes of this security hole.
  • the benchmark score specifically refers to a specified security hole, the benchmark score is unchanged, it is not specific to a customer's technical IT environment.
  • Basic scores and temporary scores are usually given by security product vendors and suppliers because they can understand the details of vulnerabilities more clearly; environmental scores are usually given by users because they can better evaluate this in their own use environment The potential impact of the vulnerability.
  • Attack vector (Access Vector, AV)
  • Attack complexity (Access Complexity, AC)
  • Privileges (Privileges Required, PR)
  • User cooperation (User Interaction, UI)
  • Scope (Scope, S)
  • Confidentiality (Confidentiality Impact, C)
  • Integrity (Integrity Impact, I)
  • Availability (Availability Impact, A)
  • Exploitability sub score (ES)
  • Impact sub score (ISC)
  • ES measures how easily the vulnerability can be found, and ISC indicates the impact of the vulnerability after it is exploited.
  • The calculation of the Base Score (BS), the assessment score of the vulnerability, is as follows:
  • ISC = 6.42 × {1 − [(1 − ImpactConf) × (1 − ImpactInteg) × (1 − ImpactAvail)]}
  • BS = Roundup(Minimum[(ISC + ES), 10]). For the detailed calculation, see [].
  • C = {(Linux, Go, MySQL), (Linux, Go, PostgreSQL), (Linux, Python, MySQL), (Linux, Python, PostgreSQL), (Windows 7, Go, MySQL), (Windows 7, Go, PostgreSQL), (Windows 7, Python, MySQL), (Windows 7, Python, PostgreSQL)}, a total of 8 valid configurations.
  • For operating systems, the invention only considers severe vulnerabilities exploitable from an adjacent network that require no authorization and no user interaction, of which there are 2 for Windows 7 and 1 for Linux.
  • For programming languages and databases, the invention considers vulnerabilities exploitable from the network that require no authorization and no interaction with other components.
  • The invention selects the executor configurations from the heterogeneous pool as follows: {(Linux, Go, MySQL), (Windows 7, Python, MySQL), (Linux, Python, PostgreSQL)}. Taking the first executor as an example, its vulnerabilities are shown in Table 5.
  • In the generalized stochastic Petri net, the defender can flexibly design the delay function according to their own security needs. For example, if the defender cares more about the impact of a vulnerability, the delay can be set to 1/ISC; if the defender wants to take both impact and detectability into account, the delay function can be designed as 1/BS; environmental and temporal influences can also be added as needed and tuned flexibly.
  • The attack success rate decreases as the attack speed decreases, but not by much. In other words, the increase in attack escape probability brought by a faster attack and a stronger learning ability is only a slight change within the same order of magnitude and does not change the order of magnitude of overall security.
  • This also shows that the enhancement of system security comes from the structure of the mimic system, and the slight differences caused by the earlier assumptions can be ignored.
  • The curves are shown in Figures 11 and 12, where the red line represents the special attack and the green line represents the general attack. Because the disturbance frequency values are very small and the sample points are dense, the corner in Figure 11 is very sharp; enlarging the corner gives Figure 12.
  • Under a general attack, the probability of falling into P_E reaches its steady-state value when execution reaches 40,000,000 seconds.
  • Under a special attack, the system reaches steady state in about 3.5 × 10^7 seconds.
  • P(P_E) changes with time as shown in Figure 18.
  • A negative value indicates that, in the attack chain, the attack's downlink probability is lower than the uplink probability. In theory the attack cannot descend along the attack chain; instead it is cleared out of the system by repeated random disturbances.
  • This example means that, for a 10-node attack chain, clearing the attacker out of the attack chain takes an attack cycle in which the attacker completes about 20,015 special attacks on a single node. Considering only attacks in which the system reaches the maximum attack success rate (P_E reaches its steady-state probability), the attacker cannot descend along the attack chain and will be removed from the attack chain after 1.6 × 10^8 seconds, about 5 years.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Artificial Intelligence (AREA)
  • Data Mining & Analysis (AREA)
  • Medical Informatics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Probability & Statistics with Applications (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Computational Mathematics (AREA)
  • Algebra (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

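The present invention provides a security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory, comprising: S1, in an actual system, dividing the attack process in the attack-defense process of a distributed MDA with decision delay into single-node attacks and link attacks according to attack granularity; S2, abstracting the configuration of the actual system to extract the single-node attack parameters of the mimic model; S3, using GSPN theory and mathematical tools to analyze and calculate, from the obtained single-node attack parameters, the single-node attack success probability and the single-node attack time; S4, using the single-node attack success probability as a parameter, calculating the expected average number of steps for a successful link attack with a Markov chain and martingale theory; S5, obtaining the total theoretical average attack time from the expected number of steps for a successful link attack and the single-node attack time. The GSPN model keeps the modeling close to the actual system and ensures that the model is reasonable; abstracting the actual situation ensures that the modeling is efficient.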

Description

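Security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory
Technical Field
The present invention belongs to the field of security measurement for network attack and defense, and in particular relates to a security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory.
Background
In recent years network security incidents have occurred frequently, and attention has gradually focused on the field of network security. In traditional networks, the attacker and the defender are in unequal positions. After the defender completes the initial configuration, the attacker can collect information about the defender at any time and continuously, choose a suitable moment to plan and launch an attack, and even remain in the system for a long time without being cleared after obtaining privileges. This greatly threatens the security of network systems. To change the unequal positions of the two sides in the security game, many new dynamic network architectures have been proposed in China and abroad.
In response to this situation the US Department of Homeland Security proposed Moving Target Defense (MTD), a typical application of the idea of dynamic defense that is regarded as a "game-changing" revolutionary defense technology. Because different configurations have different weak points, MTD periodically and actively migrates the network configuration to limit how long the same weakness is exposed, increases the attack surface and uncertainty, raises the difficulty of attack, and lowers the probability that the system is compromised. MTD trades active changes of system configuration for improved system security, but the performance loss caused by frequent configuration changes cannot be ignored.
To avoid frequent configuration changes, a new and effective security mechanism must be found. Produced under the guidance of China's national cyber security strategy, Cyberspace Mimic Defense (CMD) adopts the "toxic and germ-carrying" and "building on sand" approaches to aggregate insecure components into a reliable system. Mimic defense rests on two axioms: 1) the "relatively correct" axiom, that is, "everyone has one shortcoming or another, but it is extremely rare that, when completing the same task independently, most people make exactly the same mistake in the same place at the same time"; 2) "under given functional and performance conditions, there are often multiple implementation algorithms". The equivalent logical expressions of these two axioms are the heterogeneous redundancy mechanism and the multi-mode voting mechanism. Among them, the Dynamic Heterogeneous Redundancy (DHR) architecture is one of the important principled methods for realizing mimic defense (MD).
Mimic defense aims to build a relatively secure attack-defense system that is dynamic, redundant and heterogeneous. The invention takes the classic implementation structure of mimic defense, the MDA (Mimic Defense Architecture), as an example to analyze the security of mimic defense; multiple MDA structures then form the final mimic defense network. The basic structure of the MDA is shown in Figure 1.
The MDA structure consists of an input agent, a heterogeneous executor pool, an executor set, a feedback controller and an output arbiter, that is, a multi-mode voter. Multiple executors that are functionally equivalent but implemented differently, that is, heterogeneous functional equivalents, form the heterogeneous executor pool of the structure. The executors in the pool do not all need to be working continuously at the same time: the input agent usually selects three executors to form the currently working executor set, and the others serve as spares. When the system receives a request message, the input agent issues instructions that assign the same functional requirement to the current executor set; the working executors carry out the task and, after a certain execution time, each sends its output vector to the output arbiter as the execution result. After collecting a sufficient number of results, the output arbiter makes a majority decision. If the collected output vectors are completely consistent, the multi-mode voter regards the result as correct and outputs it; otherwise, the output arbiter activates the defense mechanism.
It is worth noting that both moving target defense and mimic security defense sacrifice some performance to meet the security requirements of the system. How to analyze their effectiveness qualitatively and quantitatively has become an urgent task. Current analysis work follows two approaches: simulating the attack process experimentally to test effectiveness; or modeling the attack-defense process with mathematical tools and calculating security indicators such as the attack success rate, mean time to failure (MTTF) and steady-state availability.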
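Security measurement based on experimental simulation. The main idea of this approach is to use a simulation platform to simulate the attack process and carry out attack-defense experiments, thereby testing the security of the network structure.
Zhuang et al. (R.Zhuang,S.Zhang,S.DeLoach,X.Ou,and A.Singhal,“Simulationbased Approaches to Studying Effectiveness of Moving-Target Network Defense,”in Proc.of National Symposium on Moving Target Research,2012.) first proposed an MTD system that actively changes the network configuration, and compared the effectiveness of a simple, randomly adapting MTD system with that of an intelligent MTD system based on attack detection.
Hong et al. (Hong J B,DongS K.“Assessing the Effectiveness of Moving Target Defenses Using Security Models[J].”IEEE Transactions on Dependable & Secure Computing,2016,13(2):163-177.) divided MTD techniques into three categories, shuffle, diversity and redundancy, and then used the Hierarchical Attack Representation Model (HARM) and Importance Measures (IMs) to improve the scalability of the system.
Colbaugh et al. (Colbaugh,Richard,Kristin,“Predictive Moving Target Defense.”) used machine learning and a game model to describe the interaction between attacker and defender, and analyzed the effectiveness of MTD defense in an e-mail application.
Measuring system security by simulation experiments has certain shortcomings. A. No quantification, hard to compare: simulation experiments generally end in Boolean data such as whether the attack succeeded, and lack a quantification of the effectiveness of the defense system, so two different defense structures are hard to compare directly. B. Low scalability: simulation experiments are generally designed around one specific system or one specific configuration and have a low level of abstraction. When the system structure changes, the experimental results are strongly affected, and the differences between systems are hard to simulate by dynamically adjusting some parameter.
Another common security measurement approach is to derive the effectiveness of a defense mathematically. In this line of research, the attack process is usually abstracted and turned into the problem of the attack success probability under certain conditions, and network security is analyzed with powerful mathematical tools such as Petri nets, Markov chains, game theory and stochastic processes.
Maleki et al. (Maleki,H.,Valizadeh,S.,Koch,W.,Bestavros,A.,& Dijk,M.V.,Markov Modeling of Moving Target Defense Games.ACM Workshop on Moving Target Defense,pp.81-92.) introduced an analysis framework based on a Markov model, derived the relationship between the probability that the attacker defeats an MTD system and the time cost spent by the defender, and showed how to use single-level MTD to analyze multi-level MTD strategies.
Mitchell et al. (Mitchell R,Chen I R.Modeling and Analysis of Attacks and Counter Defense Mechanisms for Cyber Physical Systems[J].IEEE Transactions on Reliability,2016,65(1):350-358.) divided the network state into five types of components, namely central controller, sensors, actuators, distributed management and network connection, and three attack states, namely attrition, pervasion and attack escape; they recorded the state transitions with a stochastic Petri net and calculated the relationship between network failure time and various configuration parameters.
Moody et al. (Moody,W.C.,Hu,H.,& Apon,A.,Defensive maneuver cyber platform modeling with Stochastic Petri Nets.IEEE International Conference on Collaborative Computing:Networking,Applications and Worksharing pp.531-538,2014.) divided MTD node states into three classes, working, idle and decoy, used a stochastic Petri net to analyze the security corresponding to changes in the state dwell time, and qualitatively described the relationship between state transition frequency and system effectiveness.
The main shortcoming of existing models that derive the security of a defense structure mathematically is their poor fit to the actual system. Mathematical modeling usually needs to abstract the actual system to some extent to make modeling easier, but abstraction also creates a gap between the model and the actual system. It is hard to measure how different mathematical abstractions affect the fidelity of the modeling results, which lowers the reliability of the modeling scheme.
Existing security analysis methods for dynamic heterogeneous redundant network defense generally find it hard to strike a good balance between fitting the actual system and keeping the modeling simple, which greatly reduces the reliability of the modeling. In addition, existing mathematical analysis models are hard to transfer to complex network structures, and differences between network structures are hard to accommodate with small adjustments to the model; existing experimental measurement models lack a quantitative expression of security, so different defense structures are hard to compare. A security analysis model with good scalability should therefore satisfy the following conditions: (1) it fits the actual system and is easy to adjust flexibly to the actual situation; (2) it is mathematically easy to compute and abstracts the system effectively; (3) it quantifies attack difficulty effectively, so that the security of different defense systems can be compared; (4) it provides guidance for configuring the parameters of the actual system.
In summary, the invention addresses four technical problems: (1) finding a suitable modeling tool so that the modeling is close to the actual system and the model is reasonable; (2) abstracting the actual situation so that the modeling is efficient; (3) analyzing attack difficulty quantitatively so that different security defense methods can be compared; (4) finding the relationship between different system configuration parameters and security to guide system design.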
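Summary of the Invention
The object of the present invention is to provide a security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory, aiming to solve the above technical problems.
The invention is realized as follows. The security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory comprises the following steps:
S1. In an actual system, divide the attack process in the attack-defense process of a distributed MDA with decision delay into single-node attacks and link attacks according to attack granularity;
S2. Abstract the configuration of the actual system to extract the single-node attack parameters of the mimic model;
S3. Using GSPN theory and mathematical tools, analyze and calculate the single-node attack success probability and the single-node attack time from the obtained single-node attack parameters;
S4. Using the single-node attack success probability as a parameter, calculate the expected average number of steps for a successful link attack with a Markov chain and martingale theory;
S5. Obtain the total theoretical average attack time from the expected number of steps for a successful link attack and the single-node attack time.
A further technical solution of the invention is: the single-node attack treats an independent functional component in the attack process as a node; when the node is attacked, the defender performs one of the actions eviction (D), mis-eviction (M), deactivation (S) and judgment (J) on the attacked executors according to how they were attacked.
A further technical solution of the invention is: in step S3, the GSPN theory is that the attacker and the defender form a game in the actual system; the different actions of the two sides affect the output state of a single node differently; game theory is used to characterize these effects on the output state of a single node, and a generalized stochastic Petri net (GSPN) model is built from the characterized effects. The method of building the GSPN model comprises the following steps:
S31. Extract the attacker's actions and their effects to build the generalized stochastic Petri net from the attacker's perspective;
S32. Extract the defender's actions and their effects to build the generalized stochastic Petri net from the defender's perspective;
S33. Merge the actions and states of the generalized stochastic Petri nets from the attacker's and the defender's perspectives to build the system generalized stochastic Petri net.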
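A further technical solution of the invention is: the attack-defense behavior of the attacker and the defender in the game puts the system into the following different states according to the attack results: normal operation (A), non-specific awareness (B), wear (C), attack diffusion (D) and attack escape (E);
Normal operation (A): the attacker has not launched an attack or no attack has taken effect, so all executors run normally;
Non-specific awareness (B): when the attacker has successfully attacked fewer than half of the executors, the system finds during the majority decision that the output of the attacked executors is inconsistent with that of the other executors and replaces the attacked executors with executors from the heterogeneous pool that have not been attacked, so the attack fails;
Wear (C): the attacker has successfully attacked most of the executors but cannot make them produce the same wrong output, or the attacker has successfully attacked all executors and their outputs are inconsistent; the system obtains several different output results, none of which occurs more than half of the time, so no decision can be made, and the system marks the executor set as suspicious and deactivates it;
Attack diffusion (D): the attacker has successfully attacked most of the executors and they produce the same wrong output, so the system mis-evicts the correct executor; or the attacker has successfully attacked all executors and more than half of them produce the same wrong output, so the system evicts the compromised executors whose output is inconsistent. The eviction not only fails to clear the attacker out of the system effectively but also consumes additional resources in the heterogeneous pool, causing attack diffusion;
Attack escape (E): when the attacker's capability is strong enough and the attack fast enough, all executors are successfully attacked before the mimic defense system makes its majority decision and all produce the same wrong output, so the attacker escapes successfully; the arbiter judges the output to be correct and allows all compromised executors to keep working.
A further technical solution of the invention is: through the defensive behavior of the two sides in the game, the defender uses mimic judgment to move the system of a single node between different states during the attack-defense process.
A further technical solution of the invention is: in the attack-defense process, after the attacker conquers one executor, the probability that a normally working executor has completed its result output is P_1w = P{N(t_a) − N(0) > 0}; for a general attack, after one executor has been attacked, the probability that the other normally working executors have completed K result outputs and the system carries out mimic judgment (t_(1,B,J)) is P_1M^J = (P_1M)^K; for a general attack, after i executors have been attacked, the probability that the other normally working executors have completed their result output is
P_2M^J = P{N(t_a + αt_a + ... + α^(i−1) t_a) − N(0) > 0}; the probability that the system carries out mimic judgment (t_(i,C,J) + t_(2,D,J)) is P_iM^J = (P_iM)^K; where N(t) is the number of result outputs by an executor in the time interval t from the start of task distribution, t_a is the time to attack one executor, α = 1 for a general attack and α = 0.5 for a special attack, N is the number of working executors in the system, K is the threshold on the number of identical result outputs, and 0 ≤ i ≤ N − K.
A further technical solution of the invention is: the link attack takes the steady-state time of a single node as the attack cycle of the system; the attacker advances along the attack chain, and each time a node is successfully attacked the attacker takes one step down the attack chain; it is then determined whether a mimic random disturbance is encountered: if so, the attacker takes one step back along the attack chain; if not, the attacker goes on to attack the next node.
A further technical solution of the invention is: in a link attack, the attacker has three different actions, retreating, descending and staying in place, depending on whether a mimic random disturbance is encountered and whether the single-node attack succeeds.
A further technical solution of the invention is: retreating means that, whether or not the attacker launches an attack, whenever the system's random disturbance changes the node where the attacker is located or the target node under attack, the attack cannot proceed and the attacker must retreat to the previously attacked node, with probability M_{i,i-1} = ω. Descending: the probability that the attacker successfully attacks the next node is μ, and the probability that the system does not randomly disturb the nodes involved in the attack within the change period is (1 − ω), so the probability that the attacker successfully attacks the next node with no random disturbance in the meantime is M_{i,i+1} = (1 − ω)μ. Staying in place means that the attack on the next node fails and the system happens not to disturb the nodes involved either, so the state of the system is unchanged, with probability M_{i,i} = (1 − ω)(1 − μ).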
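A further technical solution of the invention is: step S4 further comprises the following steps:
S41. Build a Markov chain from the action of finding where the attack stops, based on the current state and the attack range of the next step;
S42. Convert the Markov chain into a martingale sequence;
S43. Use the stopping time theorem for martingales to calculate the expected number of steps the attacker needs to successfully attack the target node:
Figure PCTCN2018113980-appb-000001
S44. Substitute the single-node attack success probability into the expected number of steps needed to successfully attack the target node to obtain, for an attack chain of length Θ, the expected number of steps the attacker needs to reach the target node:
Figure PCTCN2018113980-appb-000002
where μ is the probability that the attacker successfully attacks a single node, ω is the probability of encountering active random disturbance at a single node, θ is the link length, λ(T_E0) is the frequency of the random disturbance action, and P(PE) is the probability that a single node is compromised.
The beneficial effects of the invention are: the GSPN model keeps the modeling close to the actual system and ensures that the model is reasonable; abstracting the actual situation ensures that the modeling is efficient; attack difficulty is analyzed quantitatively, so that different security defense methods can be compared; and the relationship between different system configuration parameters and security is found, improving the security of the system. Compared with existing methods for analyzing the effectiveness of dynamic heterogeneous redundant network defense, whether experimental measurement or mathematical derivation, the greatest advantage of the invention is that it designs a unified security analysis model for complex defense systems that stays close to the actual system while performing quantitative mathematical analysis, and scales well to actual systems.
Through its layered design, the invention takes both mathematical abstraction and the actual system into account and reduces the difficulty of mathematical analysis while keeping the model close to the actual system. The design of the first layer makes the model flexible and transferable: different systems can be analyzed by adjusting parameters, so that each specific system gets its own parameter tuning, and the model guides the parameter configuration of the actual system. In addition, the design of the second layer achieves a quantitative evaluation of security, which brings many benefits: the security of different systems is easy to compare; users can flexibly choose the system configuration according to their own security needs; and the network defense industry can design security ratings from the scores of specific systems and assign different security levels to different systems.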
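Brief Description of the Drawings
Figure 1 shows the overall function and structure of mimic defense.
Figure 2 is a schematic diagram of the attacker's perspective in the attack-defense GSPN provided by an embodiment of the invention.
Figure 3 is a schematic diagram of the defender's perspective in the attack-defense GSPN provided by an embodiment of the invention.
Figure 4 is a schematic diagram of the simplified attack-defense GSPN provided by an embodiment of the invention.
Figure 5 is the attack transition diagram provided by an embodiment of the invention.
Figure 6 shows the vulnerability details of the attacker's attack on executor 1, provided by an embodiment of the invention.
Figure 7 shows the vulnerability details of the attacker's attack on executor 2, provided by an embodiment of the invention.
Figure 8 shows the vulnerability details of the attacker's attack on executor 3, provided by an embodiment of the invention.
Figure 9 is a schematic diagram of the attack-defense GSPN of a mimic node provided by an embodiment of the invention.
Figure 10 is the plot of attack speed against attack escape probability provided by an embodiment of the invention.
Figure 11 is the overall plot of random disturbance frequency against attack escape probability provided by an embodiment of the invention.
Figure 12 is a partial enlargement of the plot of random disturbance frequency against attack escape probability provided by an embodiment of the invention.
Figure 13 is the P_E probability plot under a general attack (ω = 0.0000001) provided by an embodiment of the invention.
Figure 14 is the P_E probability plot under a special attack (ω = 0.0000001) provided by an embodiment of the invention.
Figure 15 is the P_E probability plot under a general attack (ω = 0.00005) provided by an embodiment of the invention.
Figure 16 is the P_E probability plot under a special attack (ω = 0.00005) provided by an embodiment of the invention.
Figure 17 is the P_E probability plot (ω = 0.000001) provided by an embodiment of the invention.
Figure 18 is the P_E probability plot (ω = 0.0005) provided by an embodiment of the invention.
Figure 19 is the flowchart of the security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory provided by an embodiment of the invention.
Detailed Description
The invention abstracts the attack-defense process of a distributed MDA (Mimic Defense Architecture) with decision delay, and divides the attacker's attack on a specific node in a network link into two levels according to attack granularity: single-node attack and link attack, where sequential single-node attacks on the same attack chain make up a network link attack. Following the ideas of game theory, the invention uses the generalized stochastic Petri net (GSPN), Markov chains, martingales and other mathematical tools to analyze the mimic defense model, from node to link, and finally analyzes the security of the whole system, including the single-node attack success rate, the average node attack time and the link attack time. The invention first considers the security of a single node, that is, the probability that the attacker successfully attacks a single node within a certain time, and then passes this result to the link attack layer as the input attack strength parameter to calculate the probability of a successful link attack.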
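Single-node attack
1) Definitions
Node: the invention treats an independent functional component in the attack process as a node. A node may be a server, a host, a software functional process, or a functional cluster.
Eviction (D): when an executor sends an output vector inconsistent with those of the other executors, the system marks it as a suspicious executor, stops its task, cleans it and puts it back into the heterogeneous pool, and selects from the mimic heterogeneous pool an executor that has not been used or is confirmed not to have been attacked to continue the work. If the executor marked as suspicious is indeed the faulty one, the action is called eviction.
Mis-eviction (M): when an executor outputs a vector inconsistent with those of the other executors, but this is because two executors have been attacked and output the same vector, which differs from that of the normal executor, the system treats the normal executor as suspicious and deactivates it. This defensive action is called mis-eviction. Mis-eviction consumes resources in the mimic heterogeneous pool but has no negative effect on security. It is worth noting that if mis-eviction is performed twice in a row on the same heterogeneous component, that is, after the eviction the newly online executor agrees with the evicted executor and disagrees with the two original executors that share the same result, the system marks those two original executors as suspicious and evicts them.
Deactivation (S): when the results of the three executors all differ, the arbiter cannot output a result. The system then marks all three executors as suspicious, deactivates them, and selects three new executors from the heterogeneous pool to take over their work.
Judgment (J): when all three executors have finished the same task, the arbiter compares the three output vectors it has received. If they agree, it outputs the result directly; if two agree and one differs, it judges the two agreeing results to be true, marks the executor with the different result as suspicious, and evicts it.
Different attack-defense behaviors put the system into different states. According to the attack results the invention defines five system states as follows:
Normal operation (A): the attacker has not launched an attack or no attack has taken effect, and all executors run normally.
Non-specific awareness (B): the attacker successfully attacks one executor, but during the majority decision the system finds that its output is inconsistent with that of the other executors and replaces the compromised executor, so the attack fails.
Wear (C): the attacker successfully attacks two executors but cannot make them produce the same wrong output; or the attacker successfully attacks three executors but their outputs are pairwise inconsistent. The three outputs obtained by the system all differ and no decision can be made, so the executor set is marked as suspicious and deactivated. Entering this state has no negative effect on system security but consumes a large amount of resources in the heterogeneous pool.
Attack diffusion (D): the attacker successfully attacks two executors and they produce the same wrong output, so the system mis-evicts the correct executor; or the attacker successfully attacks three executors and exactly two of them produce the same wrong output, so the system evicts the compromised executor whose output is inconsistent. In both cases the eviction not only fails to clear the attacker out of the system effectively but also consumes additional resources in the heterogeneous pool, causing attack diffusion.
Attack escape (E): if the attacker's capability is strong enough and the attack fast enough that all three executors are successfully attacked before the mimic defense system makes its majority decision and all produce the same wrong output, the attacker escapes successfully, that is, gains control of the node without being discovered by the defender. The arbiter judges the output to be correct and allows the three compromised executors to keep working.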
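The definitions above, as an added example that is not part of the patent text: a three-executor majority arbiter and a classifier that maps each outcome to the states A to E and the actions D, M, S, J. It assumes that a compromised executor is one whose output differs from the correct value; the function names and sample outputs are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Verdict:
    state: str        # model state A..E (needs ground truth, analysis only)
    action: str       # defender action: J (output only), D, M or S
    released: object  # value the arbiter releases, or None if it cannot decide
    evicted: tuple    # indices of executors taken offline


def arbitrate(outputs):
    """What the arbiter can decide from the output vectors alone.

    Returns (released_value, evicted_indices). Without a strict majority
    nothing is released and every executor is deactivated.
    """
    value, votes = Counter(outputs).most_common(1)[0]
    if votes * 2 <= len(outputs):
        return None, tuple(range(len(outputs)))
    return value, tuple(i for i, out in enumerate(outputs) if out != value)


def classify(outputs, correct):
    """Map one voting round to the model state, using ground truth.

    Assumption of this example: an executor counts as compromised exactly
    when its output differs from `correct`.
    """
    released, evicted = arbitrate(outputs)
    compromised = [i for i, out in enumerate(outputs) if out != correct]
    if released is None:
        # Outputs disagree with no majority: whole set is stopped (wear).
        return Verdict("C", "S", None, evicted)
    if released == correct:
        if not compromised:
            return Verdict("A", "J", released, ())
        # Minority of wrong outputs is caught and replaced.
        return Verdict("B", "D", released, evicted)
    if not evicted:
        # Every executor agrees on the same wrong vector: the arbiter sees
        # exactly what it sees in state A and releases the wrong value.
        return Verdict("E", "J", released, ())
    # A wrong majority wins; the evicted minority is either the healthy
    # executor (mis-eviction) or an inconsistent compromised one.
    healthy_evicted = any(outputs[i] == correct for i in evicted)
    return Verdict("D", "M" if healthy_evicted else "D", released, evicted)


if __name__ == "__main__":
    # Constructed output vectors for a three-executor node.
    rounds = [
        ["ok", "ok", "ok"],     # A
        ["ok", "bad", "ok"],    # B
        ["x", "y", "ok"],       # C
        ["x", "x", "ok"],       # D with mis-eviction
        ["x", "x", "y"],        # D with eviction of a compromised executor
        ["x", "x", "x"],        # E
    ]
    for outs in rounds:
        print(outs, classify(outs, "ok"))
```

The arbiter's own view (`arbitrate`) is identical for states A and E, and for B and D, which is why the model needs random disturbance in addition to voting.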
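2) Building the GSPN (Generalized Stochastic Petri Net) model
Because the three executors that implement a node's function each have their own vulnerabilities, an attacker who wants to attack the whole node must attack the three executors separately. In other words, the attacker must exploit the vulnerabilities of each executor with a targeted attack and finally gain control of that executor, so that it behaves as the attacker wants.
On the one hand, the defender can choose different configurations and defend with mimic defense. On the other hand, the attacker can probe the configuration of the working executors, escalate privileges and launch further attacks until control of the executor is obtained. For a single node, the precondition for gaining control of the node is to conquer the majority of its executors and make their results agree so as to pass the majority decision.
In this step, according to attack capability, the invention divides the single-step attacks on each executor into general attacks and special attacks. The defender makes a majority decision on the output vectors and marks and replaces suspicious executors; in addition, to guard against fast, high-frequency, high-intensity attacks, the defender adopts a low-frequency random disturbance mechanism. Random disturbance means selecting an executor by random command, taking it offline for pre-cleaning or strategic reconstruction, and, after it recovers, letting it wait to be scheduled into the current working set. Because of the random disturbance mechanism, even a successful standby coordinated attack cannot maintain the escape state, that is, the attack cannot be sustained.
Attack and defense form a game at this level. The different actions of the two sides affect the output state of a single node differently, so the invention characterizes these effects with game theory, builds a generalized stochastic Petri net (GSPN) model, and calculates security evaluation parameters such as the probability of a successful single-node attack and the attack time.
A generalized stochastic Petri net is usually written as a six-tuple:
GSPN = (S, T; F, W, M_0, λ), where
1. S is the set of places of the net;
2. T is the set of transitions of the net, divided into two subsets: T = T_t ∪ T_i,
Figure PCTCN2018113980-appb-000003
T_t = {t_1, t_2, ..., t_k} and T_i = {t_{k+1}, ..., t_n} are the set of timed transitions and the set of immediate transitions respectively; the set of average firing rates associated with the timed transitions is λ = {λ_1, λ_2, ..., λ_k}.
3. F is the set of arcs between T and S; inhibitor arcs are allowed.
4. W gives the weight of each arc; the number of tokens in the arc's place exceeding this value is a necessary condition for the transition to fire.
5. M_0 is the initial marking.
The invention first builds the GSPN model from the attacker's perspective, as shown in Figure 2. The attacker needs to sniff the executor configuration of the node and break enough executors in a targeted way to gain control of the node. From the attacker's point of view, the single-node system has the following states: normal operation, one executor compromised, two executors compromised, three executors compromised (the attack on the next node can then begin). However, the attacker learns the result of the attack only from the output vector, after a round of attack ends. In addition, the attacker's model includes the vulnerabilities conquered while attacking an executor and the privilege escalation they bring, so it depends on the specific configuration of each executor and on the attack target.
Through the defensive behavior of the two sides in the game, the defender uses mimic judgment to move the system of a single node between the following states during the attack-defense process: normal operation; fewer than half of the executors compromised; more than half of the executors compromised; all executors compromised; after judgment, the compromised executors (more than half) agree on a wrong vector in more than half of the outputs; after judgment, the compromised executors (more than half) output different wrong vectors, none of which exceeds half; after judgment, none of the wrong vectors output by all the compromised executors exceeds half; after judgment, all compromised executors output wrong vectors and one of them exceeds half; and after judgment, all executors are compromised and output exactly the same wrong vector.
Taking three executors as an example, from the defender's perspective the single-node system has the following states: normal operation; one executor compromised; two executors compromised; three executors compromised; after judgment, the two compromised executors output the same wrong vector; after judgment, the two compromised executors output different wrong vectors; after judgment, the three compromised executors output pairwise different wrong vectors; after judgment, the three compromised executors output two identical wrong vectors and one different wrong vector; after judgment, the three executors output three identical wrong vectors. The defender moves the system between states through mimic judgment. The GSPN model from the defender's perspective is shown in Figure 3.
Combining the attacker's and the defender's perspectives gives the final GSPN for the general attack.
The attacker can attack several executors at the same time. Because the time needed to break each executor differs, the successfully attacked executors can be ordered by the time at which the attack completes. With three executors, there are 6 possible orders in which the attacks succeed. Taking the completion order into account and combining the GSPNs of the attacker's and the defender's perspectives gives the complete GSPN. To simplify the analysis, the invention ignores the effect of different completion orders. Assuming executors 1, 2 and 3 are broken in that order, the simplified GSPN structure is shown in Figure 4.
In the Petri net of Figure 4, places are drawn as circles and written P_(i,x), where i is the count position, the number of compromised executors, and x is the state position, the overall state shown by the compromised executors. P_0 means the system runs normally; P_1, P_2 and P_3 mean that 1, 2 or 3 executors have been successfully attacked; P_(i,B) is the non-specific awareness state, that is, i executors were attacked but after the majority decision the system found all the faulty executors; P_(i,C) is system wear, that is, i executors were attacked but their outputs are completely inconsistent, so the system cannot decide and marks all executors as attacked; P_(i,D) is attack diffusion, that is, after i executors were attacked, the attacker controlled most executors into producing wrong output, so the majority decision misjudged and the system marked as attacked the minority executors that were correct, or were also attacked but erred inconsistently; P_E means the attacker controls all executors and they output the same wrong vector, so the system cannot find the faulty executors by majority decision. The meaning of each place is given in Table 2.2.1.
Table 2.2.1. System places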
Figure PCTCN2018113980-appb-000004
Figure PCTCN2018113980-appb-000005
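The defender's transitions in Figure 4 are listed in Table 2.2.2. Squares represent the defender's behavior: solid black squares are immediate transitions, whose parameter is the transition probability p; hollow black squares are timed transitions, whose parameter is the transition rate λ. The different behaviors of attacker and defender move the system between states. A transition is written T_(i,j,x), where i and j are the start and end positions of the transition: if the number of attacked executors differs between the two places, i and j are the numbers before and after the change; if it does not change, the last position of the place, the state position, is used. x is the action position and represents the main action of attacker or defender, where D means drive out (drive), M means mistaken drive-out (miss drive), S means stop (stop) and J means judgment (judge). For example, T_(2,0,S) means that after two executors were attacked, the defender deactivated the suspicious executors and replaced all three with healthy executors taken from the heterogeneous pool, returning the system to the state in which no executor is attacked.
Table 2.2.2. System transitions
Figure PCTCN2018113980-appb-000006
For the defender, the delay of a transition depends on the number of executors involved. For example, mis-eviction and eviction generally act on a single executor, so the delay is 1, corresponding to λ = 1; deactivation generally applies when the three executors' output vectors all differ and the arbiter cannot output a result, so all three executors are treated as suspicious and deactivated, the delay is 3, and λ = 1/3. The invention takes the probability that two heterogeneous executors make the same error to be 0.0001.
While the attacker is attacking an executor, the other executors that have not been broken keep running normally and computing the correct output vector. The longer the attack takes, the higher the probability that the other executors output the correct vector; the more correct output vectors the arbiter collects, the higher the probability that enough have been collected for mimic arbitration. As the attack proceeds, the number of successfully attacked executors is also positively correlated with the attack time.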
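For an executor that is not attacked, if the task execution time is t_w, then in the period from receiving the task to outputting the result, the number of result outputs of each executor follows a Poisson distribution, but the process stops once a result has been output. Clearly the parameter is λ = 1/t_w. Let N(t) be the number of result outputs by an executor in the time interval t from the start of task distribution (stopping after 1 output). Different types of attack differ in operational complexity; Trojan attacks and injection attacks are triggered at a speed close to the execution time of normal operations, so the time to attack one executor is assumed to lie between 0.8t_w and 1.2t_w.
A general attack has weaker capability and no cumulative effect; the invention takes 1.2t_w. For a general attack, after the attacker has conquered one executor, the probability that a normally working executor has completed its result output is:
Figure PCTCN2018113980-appb-000007
So for a general attack, after one executor has been attacked, the probability that the other two normally working executors have both completed their result output, that is, that the system carries out mimic judgment (t_(1,B,J)), is: P_1M^J = P_1M × P_1M ≈ 0.4883  (2)
Similarly, for a general attack, after two executors have been attacked (taking 2.4t_w), the probability that the other normally working executor has completed its result output, that is,
that the system carries out mimic judgment (t_(2,C,J) + t_(2,D,J)), is:
Figure PCTCN2018113980-appb-000008
A special attack has stronger capability and a cumulative effect: when the same vulnerability is met again, the attack speeds up. During the attack, the probability that the executors not yet attacked output the correct result, and hence that the attacker runs into mimic judgment, is therefore lower than for a general attack. Assuming the attacker's speed doubles when attacking the second executor, the invention takes the times at which a special attack breaks the first and second executors to be 0.8t_w and 1.2t_w respectively. For a special attack, after the attacker has conquered one executor, the probability that a normally working executor has completed its result output is:
Figure PCTCN2018113980-appb-000009
So for a special attack, after one executor has been attacked, the probability that the other two normally working executors have both completed their result output, that is, that the system carries out mimic judgment (t_(1,B,J)), is: P_1M^Js = P_1M^s × P_1M^s ≈ 0.3032  (5)
Similarly, for a special attack, after two executors have been attacked (taking 1.2t_w), the probability that the other normally working executor has completed its result output, that is, that the system carries out mimic judgment (t_(2,C,J) + t_(2,D,J)), is:
Figure PCTCN2018113980-appb-000010
λ is the rate of the Poisson process, λ > 0.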
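A worked check of values (2) and (5), added here and not part of the patent text. It uses only what the passage states, a Poisson output process with rate λ = 1/t_w, for which P{N(t) − N(0) > 0} = 1 − e^(−t/t_w):

General attack, one executor broken at t = 1.2t_w: P_1M = 1 − e^(−1.2) ≈ 0.6988, so P_1M × P_1M ≈ 0.4883, which matches (2).
Special attack, one executor broken at t = 0.8t_w: P_1M^s = 1 − e^(−0.8) ≈ 0.5507, so P_1M^s × P_1M^s ≈ 0.3032, which matches (5).
Two executors broken: at t = 2.4t_w (general) 1 − e^(−2.4) ≈ 0.9093; at t = 1.2t_w (special) 1 − e^(−1.2) ≈ 0.6988.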
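Combined with the decision probabilities of the various cases, the parameters in Table 2.2.2 can be completed.
Once the complete GSPN model has been built, the parameters of each transition can be set and the final single-node attack success rate derived.
Link attack
A complete network link consists of many nodes, so to attack a given node in the link the attacker must first attack the nodes on the link one after another. The invention takes the steady-state time of a single node as the attack cycle of the system. The attacker advances along the attack chain: each time a node is successfully attacked the attacker takes one step down the attack chain, and if a mimic random disturbance is encountered the attacker takes one step back along the attack chain. Knowing the state of the previous step and the attack range of the next step in order to find where the attack stops matches the characteristics of a Markov chain, so a Markov chain and a martingale are used to model and solve this part.
Let the probability of successfully attacking a single node be μ, the total number of nodes in the attack chain be Θ, and the probability that the system selects the node for random disturbance at that moment be ω. Assuming that the attacker is currently at the k-th node, that is, k nodes have been successfully attacked, the attack transition diagram is as shown in Figure 5.
From the attack transition diagram the invention constructs the attack transition matrix M_{Θ×Θ}, whose element M_{i,j} is the probability of transition from the i-th node to the j-th node. During the attack the attacker moves forward along the link, and after conquering a node obtains information about the successor node. A single-node attack can succeed only if neither the attacked node nor the attack starting point is selected for disturbance. Clearly the attack has three directions: retreating, descending and staying in place. The specific transition probabilities are as follows:
1) Retreating
Whether or not the attacker launches an attack, whenever the system's random disturbance changes the node where the attacker is located or the target node under attack, the attack cannot proceed and the attacker must retreat to the previously attacked node, that is, M_{i,i-1} = ω. The attacker has to carry out the single-node attack on node i again, and can continue descending only if node i is captured before the next random disturbance.
2) Descending
The probability that the attacker successfully attacks the next node is μ, and the probability that the system does not randomly disturb the nodes involved in the attack within the change period is (1 − ω), so the probability that the attacker successfully attacks the next node with no random disturbance in the meantime is M_{i,i+1} = (1 − ω)μ.
3) Staying in place
The attack on the next node fails and the system happens not to disturb the nodes involved either, so the state of the system is unchanged: M_{i,i} = (1 − ω)(1 − μ).
Let X_0, X_1, X_2, ..., X_n be a sequence of random variables, where X_i is the node position of the attacker at the beginning of the i-th time period and takes values in [0, Θ], with X_0 = 0 meaning that the initial position of the attack is the entry to the attack chain. Given that the attacker is at position k at time n, the next position is: P{X_{n+1} = k+1 | X_n = k} = (1 − ω)μ  (7)
P{X_{n+1} = k | X_n = k} = (1 − ω)(1 − μ)  (8)
P{X_{n+1} = k−1 | X_n = k} = ω  (9)
That is,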
Figure PCTCN2018113980-appb-000011
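Theorem 2.2.1. Construct a random sequence M_0, M_1, M_2, ..., M_n, where M_i = X_i − [(1 − ω)μ − ω]·i
Then
M_n = X_n − [(1 − ω)μ − ω]·n  (11)
M_{n+1} = X_{n+1} − [(1 − ω)μ − ω]·(n+1)  (12)
and the sequence M_n is a martingale with respect to X_0, X_1, X_2, ..., X_n.
Proof:
Figure PCTCN2018113980-appb-000012
This completes the proof.
To find the number of steps for the attack to reach the target node Θ, the invention introduces the martingale stopping time theorem (Lemma 2.2.1). In a stochastic process, a stopping time is defined as a random moment with a property that does not depend on the future.
Lemma 2.2.1. If the time S is a stopping time and satisfies:
i.  P{S < ∞} = 1;
ii. E[|M_S|] < ∞;
iii. lim_{n→∞} E[|M_S| I_{S>n}] = 0;
then
E[M_S] = E[M_0]  (14)
Theorem 2.2.2. For an attack chain with a length of Θ nodes, if the probability that the attacker successfully attacks a single node is μ and the probability of encountering active random disturbance at a single node is ω, then the expected number of steps the attacker needs to successfully attack the target node (node Θ) is: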
Figure PCTCN2018113980-appb-000013
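Proof: from the above, the condition for reaching time S is X_S = Θ. Clearly whether n equals S can be determined from the results of the first n rounds, so S is a stopping time of the martingale. However, M_n is clearly not a bounded martingale, so conditions ii and iii do not follow immediately; but by the properties of Markov chains there exist C < ∞ and ρ < 1 such that
I{S>n} ≤ Cρ^n  (16)
Considering that
Figure PCTCN2018113980-appb-000014
E[|M_S|] ≤ θ + S ≤ ∞  (18)
E[|M_S| I_{S>n}] ≤ Cρ^n(θ + n)  (19)
lim_{n→∞} E[|M_S| I_{S>n}] ≤ lim_{n→∞} Cρ^n(θ + n) = 0  (20)
and since E[|M_S| I_{S>n}] ≥ 0, the conditions of the stopping time theorem are satisfied.
The expected number of steps to reach node Θ is now calculated. By the stopping time theorem,
E[M_S] = E[M_0] = E[X_0] = 0  (21)
Figure PCTCN2018113980-appb-000015
and since E[X_S] = Θ,
it follows that
θ − [(1 − ω)μ − ω]·E[S] = 0  (23)
Figure PCTCN2018113980-appb-000016
According to the analysis in the previous part, the steady-state probability of attack escape obtained there is the downlink probability of the Markov chain in this part, and the random disturbance probability is the uplink probability of the Markov chain, that is:
μ = P(P_E), ω = λ(T_E0)
If there is no random disturbance, then ω = λ(T_E0) = 0.
So, based on the results measured in the previous part, when the attack chain has length Θ, the expected number of steps the attacker needs to successfully reach the target node is: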
Figure PCTCN2018113980-appb-000017
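System analysis
In the next two sections the invention analyzes an actual attack chain as an example, including the nodes in the attack and the executors that make up each node.
Assume the following: the attack enters from an external network, and its goal is to steal the files in the database of each node in a link and plant a backdoor; there are 10 link nodes in total, that is, Θ = 10. For each link node, the attacker attacks the node's operating system, server and database separately until the data is stolen and the backdoor is successfully planted.
The executors are described as operating system × front-end language × database. The attacker determines the order in which to attack the executors from the scanned information, and the defender selects the replacement executor from the information about the failed executor; the two form a game. The invention describes this with a generalized stochastic Petri net. When designing the delay function the invention uses a very important database: the Common Vulnerability Scoring System (CVSS) []. CVSS is an "industry open standard" designed to measure the severity of vulnerabilities and help determine the urgency and importance of the required response. It is generally published together with Common Vulnerabilities & Exposures (CVE) [] by the National Vulnerability Database (NVD) []. The goal is to provide a severity rating for all software security vulnerabilities and to establish a standard for measuring severity, so that the severity of vulnerabilities can be compared and their handling priority determined.
The CVSS score is based on measurements along a series of dimensions, which are called metrics. The final score of a vulnerability is at most 10 and at least 0. The CVSS system includes three types of scores: base score, temporal score and environmental score. Each score measures different attributes of the vulnerability. The base score refers to a specified vulnerability; it does not change and is not specific to a customer's IT environment. Base scores and temporal scores are usually given by security product vendors and suppliers, because they understand the details of vulnerabilities more clearly; environmental scores are usually given by users, because they can better evaluate the potential impact of the vulnerability in their own environment.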
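The base score has several metrics: attack vector (Access Vector, AV), attack complexity (Access Complexity, AC), privileges (Privileges Required, PR), user cooperation (User Interaction, UI), scope (Scope, S), confidentiality (Confidentiality Impact, C), integrity (Integrity Impact, I) and availability (Availability Impact, A). From them two core values are calculated: the exploitability sub score (ES) and the impact sub score (ISC), where ES measures how easily the vulnerability can be found and ISC expresses the impact of the vulnerability after it is exploited. The Base Score (BS), the resulting assessment score of the vulnerability, is calculated as follows:
ES = 8.22 × AV × AC × PR × UI
ISC = 6.42 × {1 − [(1 − ImpactConf) × (1 − ImpactInteg) × (1 − ImpactAvail)]}
BS = Roundup(Minimum[(ISC + ES), 10]). For the detailed calculation, see [].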
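The invention now describes a mimic node whose heterogeneity has three levels, C1*C2*C3 = {{Redhat Linux 6.0, Windows 7} * {Go 1.6, Python 3.0} * {MySQL 5.1.7, PostgreSQL 9.6}}. That is, the node is heterogeneous at the operating system, language and database levels: the operating system is chosen between Redhat Linux 6.0 (Linux below) and Windows 7, the language between Go 1.6 and Python 3.0, and the database between MySQL 5.1.7 and PostgreSQL 9.6. The valid configurations in the whole heterogeneous pool can therefore be written C = {(Linux, Go, MySQL), (Linux, Go, PostgreSQL), (Linux, Python, MySQL), (Linux, Python, PostgreSQL), (Windows 7, Go, MySQL), (Windows 7, Go, PostgreSQL), (Windows 7, Python, MySQL), (Windows 7, Python, PostgreSQL)}, 8 valid configurations in total.
For operating systems, the invention only considers severe vulnerabilities exploitable from an adjacent network that require no authorization and no user interaction, of which there are 2 for Windows 7 and 1 for Linux. For programming languages and databases, the invention considers vulnerabilities exploitable from the network that require no authorization and no interaction with other components, of which there are 4 for Python 3.0, 6 for Go 1.6, 6 for PostgreSQL 9.6 and 2 for MySQL 5.1.7, as shown in Table 4.
Table 4. Vulnerability list
Figure PCTCN2018113980-appb-000018
Because the greater the structural difference between executors, the more secure the whole system [], the invention selects the executor configurations from the heterogeneous pool as follows: {(Linux, Go, MySQL), (Windows 7, Python, MySQL), (Linux, Python, PostgreSQL)}. Taking the first executor as an example, its vulnerabilities are shown in Table 5.
Table 5. Vulnerability list of executor 1
Figure PCTCN2018113980-appb-000019
From the attacker's perspective, when the three executors are attacked separately, the attack process is as shown in Figure 5. So, as above, ignoring the effect of different attack orders and assuming the attacks complete in the order executor 1, executor 2, executor 3, the invention obtains the attack-defense GSPN of the whole mimic node, as shown in Figure 9.
In the generalized stochastic Petri net, the defender can flexibly design the delay function according to their own security needs. For example, if the defender cares more about the impact of a vulnerability, the delay can be set to 1/ISC; if the defender wants to take both impact and detectability into account, the delay function can be designed as 1/BS; environmental and temporal influences can also be added as needed and tuned flexibly.
As mentioned in Section 3, attacks can be divided into general attacks and special attacks according to attack capability. For a general attack, an attack at time T has no coordinated cumulative effect on an attack at time T+X, so the invention sets the transition delay of a general attack to be inversely proportional only to the attack difficulty ES and independent of the attack stage; the parameter of the experimental transition here is therefore λ = 1/ES. For a special attack, because an attack at time T has a coordinated cumulative effect on an attack at time T+X, an attacker who meets the same vulnerability again draws on the previous experience, so the attack becomes faster and the success rate higher. The invention sets the experimental rate for a vulnerability met for the first time to λ_1 = 1/ES, and each further time the vulnerability is met the speed of breaking it doubles [], that is, λ_2 = 2/ES, λ_3 = 4/ES.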
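The scoring formulas and the rate rules above, as an added example that is not part of the patent text. The numeric metric weights are the CVSS v3.0 specification values for an unchanged scope and do not appear on this page; the two vector strings are constructed to match the vulnerability classes the text describes, and the function names are illustrative.

```python
import math

# CVSS v3.0 metric weights, scope unchanged (from the CVSS specification,
# not from the patent page).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

# Constructed vectors: network-reachable and adjacent-network vulnerabilities
# that need no privileges and no user interaction.
NETWORK_VULN = "AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H"
ADJACENT_VULN = "AV:A/AC:L/PR:N/UI:N/C:H/I:H/A:H"


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into a metric -> value dictionary."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    missing = {"AV", "AC", "PR", "UI", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics


def exploitability(vector):
    """ES = 8.22 x AV x AC x PR x UI."""
    m = parse_vector(vector)
    return 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[m["PR"]] * UI[m["UI"]]


def impact(vector):
    """ISC = 6.42 x {1 - [(1-C)(1-I)(1-A)]}."""
    m = parse_vector(vector)
    return 6.42 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))


def base_score(vector):
    """BS = Roundup(Minimum[(ISC + ES), 10]), rounded up to one decimal."""
    isc = impact(vector)
    if isc <= 0:
        return 0.0
    raw = min(isc + exploitability(vector), 10.0)
    return math.ceil(round(raw * 10, 6)) / 10


def attack_rates(vector, attack="general", encounters=3):
    """Attacker transition rates for repeated encounters of one vulnerability.

    General attack: 1/ES every time. Special attack: the rate doubles with
    each repeat encounter, giving 1/ES, 2/ES, 4/ES.
    """
    es = exploitability(vector)
    if attack not in ("general", "special"):
        raise ValueError("attack must be 'general' or 'special'")
    return [(2 ** n if attack == "special" else 1) / es for n in range(encounters)]


def defender_delay(vector, focus="impact"):
    """Defender delay: 1/ISC when only impact matters, 1/BS for both."""
    return 1 / impact(vector) if focus == "impact" else 1 / base_score(vector)


if __name__ == "__main__":
    for name, vec in (("network", NETWORK_VULN), ("adjacent", ADJACENT_VULN)):
        print(name, round(exploitability(vec), 3), round(impact(vec), 3),
              base_score(vec), attack_rates(vec, "special"))
```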
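Different attack strengths are discussed case by case below.
For the system place and transition tables see Table 1 and Table 2 above; for the complete tables see Appendix Table 1 and Appendix Table 2 respectively. The difference between general and special attacks lies mainly in the attack process, the attack speed and the probability of running into the system's result output; that is, general and special attacks affect the GSPN model through different structure and parameter settings. These parameters are compared in Appendix Table 2.
Experimental simulation and analysis of results
The open-source GSPN analysis tool Platform Independent Petri Net Editor (PIPE) [i,ii], assisted by the Stochastic Petri Net Package (SPNP), is used to simulate and analyze the above example.
In the next section we first take the general attack as an example and explore how the earlier assumptions affect the security of mimic defense, then examine how the random disturbance frequency affects the attack escape probability and the time for the system to reach stability under general and special attacks, and finally choose different attack scenarios to give recommendations for routine defense and for defense under attack.
Effect of attack time
The invention takes the random disturbance frequency ω = 0.0001 and samples the assumed attack time between 0.8t_w and 1.2t_w at intervals of 0.05t_w; the corresponding change in attack success rate is shown in Figure 10.
According to Figure 10, the attack success rate decreases as the attack speed decreases, but not by much. In other words, the increase in attack escape probability brought by a faster attack and a stronger learning ability is only a slight change within the same order of magnitude and does not change the order of magnitude of overall security. This also shows indirectly that the enhancement of system security comes from the structure of the mimic system, and the slight differences caused by the earlier assumptions can be ignored.
Effect of random disturbance frequency on general and special attacks
As long as no attack escape occurs, the defender can detect the attack and the attacker cannot lurk in the system unnoticed. We therefore vary the random disturbance frequency and explore the relationship between system security and the disturbance frequency, so that the defender can choose parameters flexibly according to different requirements for security and system performance. Some of the correspondences are listed in Table 6.
Table 6. Random disturbance frequency and attack escape probability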
Figure PCTCN2018113980-appb-000020
Figure PCTCN2018113980-appb-000021
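The curves are shown in Figures 11 and 12, where the red line represents the special attack and the green line represents the general attack. Because the disturbance frequency values are very small and the sample points are dense, the corner in Figure 11 is very sharp; enlarging the corner gives Figure 12.
From Figures 11 and 12 it is easy to see that, for the same random disturbance frequency, the special attack, thanks to its learning ability, is stronger and faster, so its attack escape probability is higher than that of the general attack. Overall, for both general and special attacks, the attack escape probability decreases as the random disturbance frequency increases.
Effect of random disturbance frequency on the time for the system to stabilize
We take different random disturbance frequencies and test the time for the system to reach stability under general and special attacks. As an experiment, the invention takes ω = 0.0000001. Under the above assumptions, with the second still the minimum clock unit of random disturbance, that is, every second the system performs a random disturbance with probability ω, the system then performs on average three active random disturbances per year, as shown in Figures 13 and 14.
Under a general attack, the probability of falling into P_E reaches its steady-state value when execution reaches 40,000,000 seconds. Under a special attack, the system reaches steady state in about 3.5 × 10^7 seconds.
Taking ω = 0.00005, that is, one active random disturbance every 5.56 hours, the steady-state probability of P_E is 9.61898862753E-07 under a general attack and 3.7266553E-06 under a special attack.
In this case, P(P_E) changes with time as shown in Figures 15 and 16.
From Figures 15 and 16 we can obtain the time for the system to reach the steady-state probability. In this example, under a general attack the system reaches a stable state after about 90000 seconds and falls into state P_E with probability 9.62E-07; under a special attack the system reaches a stable state after about 70000 seconds and falls into state P_E with probability 3.72E-06.
These two examples show that, at the same random disturbance frequency, a general attack has a lower attack escape probability than a special attack and the system takes longer to become stable.
With this pattern established, we analyze the random disturbance frequency for two cases: under attack and not under attack.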
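Recommendations for different attack scenarios
Routine defense
When the system is not under attack or is under low-frequency, low-intensity general attack, we choose a relatively low random disturbance frequency in exchange for ordinary security. Here we take a general attack with ω = 0.000001, that is, one change about every ten days; the corresponding attack downlink probability is P(P_E) = 0.000048. In this case, P(P_E) changes with time as shown in Figure 17.
After about 4000000 system clocks P_E reaches a stable state. That is, μ = 0.000048, ω = 0.000001; assuming an attack chain of length 10, then
Figure PCTCN2018113980-appb-000022
The expected time to successfully attack the target node is E[T] = 212766.17*4000000 = 8.51*10^12 seconds, about 26987 years.
In other words, for an attack chain 10 nodes long, an attacker who wants to successfully attack the target node must complete about 212766 general attacks on a single node, and while attacking a single node the attacker will also face many chances of being discovered and evicted by mimic judgment. Considering only attacks in which the system reaches the maximum attack success rate (P_E reaches its steady-state probability), and if the defender does not strengthen the defense and keeps changing with an active random disturbance probability of 0.0003, the attacker will take 8.51*10^12 seconds to successfully attack the target.
Crisis defense
When the system is under high-frequency special attack or otherwise needs stronger defense, we choose a relatively high random disturbance frequency in exchange for higher security. Here we take a special attack with ω = 0.0005, that is, one random disturbance every 0.55 hours; the attack downlink probability is then P(PE) = 0.00000037.
In this case, P(P_E) changes with time as shown in Figure 18. After about 8000 system clocks P_E reaches a stable state, that is, μ = 0.00000037, ω = 0.0005; assuming an attack chain of length 10, then
Figure PCTCN2018113980-appb-000023
The expected time to successfully attack the target node is E[T] = -20015*8000 = -1.6*10^8 seconds, about 5 years.
Here the number of steps is negative. A negative value indicates that, in the attack chain, the attack's downlink probability is lower than the uplink probability; in theory the attack cannot descend along the attack chain and is instead cleared out of the system by repeated random disturbances. This example means that, for an attack chain 10 nodes long, clearing the attacker out of the attack chain takes an attack cycle in which the attacker completes about 20015 special attacks on a single node. Considering only attacks in which the system reaches the maximum attack success rate (P_E reaches its steady-state probability), the attacker cannot descend along the attack chain and will be removed from the attack chain after 1.6*10^8 seconds, about 5 years.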
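Theorem 2.2.2 and the two scenarios above, as an added example that is not part of the patent text. It evaluates equation (23) for the page's parameters and, going beyond the text, compares it with the exact mean hitting time and a seeded Monte Carlo run of the same chain under one added assumption: an attacker at node 0 cannot retreat further.

```python
import math
import random

# Scenario parameters quoted on the page (attack chain of 10 nodes).
DAILY = {"theta": 10, "mu": 0.000048, "omega": 0.000001}     # routine defense
CRISIS = {"theta": 10, "mu": 0.00000037, "omega": 0.0005}    # crisis defense


def step_probs(mu, omega):
    """Per-period probabilities of descending, staying, retreating, eqs. (7)-(9)."""
    return (1 - omega) * mu, (1 - omega) * (1 - mu), omega


def expected_steps_martingale(theta, mu, omega):
    """Solve equation (23): theta - [(1-omega)mu - omega] * E[S] = 0."""
    drift = (1 - omega) * mu - omega
    if drift == 0:
        raise ValueError("zero drift: equation (23) has no solution")
    return theta / drift


def expected_steps_reflecting(theta, mu, omega):
    """Exact mean number of periods to reach node theta from node 0.

    Added assumption: a retreat at node 0 leaves the attacker at node 0.
    With h_k the mean time to go from node k to k+1, first-step analysis
    gives h_0 = 1/down and h_k = (1 + back * h_{k-1}) / down.
    """
    down, _, back = step_probs(mu, omega)
    if down == 0:
        return math.inf
    total = h = 0.0
    for _ in range(theta):
        h = (1.0 + back * h) / down
        total += h
    return total


def simulate_mean_steps(theta, mu, omega, trials=20000, seed=1):
    """Monte Carlo estimate for the reflecting chain (positive drift only)."""
    down, stay, back = step_probs(mu, omega)
    if down <= back:
        raise ValueError("simulation is only practical for positive drift")
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        pos = steps = 0
        while pos < theta:
            u = rng.random()
            if u < down:
                pos += 1
            elif u >= down + stay and pos > 0:
                pos -= 1
            steps += 1
        total += steps
    return total / trials


if __name__ == "__main__":
    for name, p in (("routine", DAILY), ("crisis", CRISIS)):
        print(name,
              "eq.(23):", round(expected_steps_martingale(**p), 2),
              "reflecting chain:", f"{expected_steps_reflecting(**p):.4g}")
    # Constructed moderate parameters so that the simulation finishes quickly.
    demo = {"theta": 10, "mu": 0.3, "omega": 0.05}
    print("demo", expected_steps_martingale(**demo),
          expected_steps_reflecting(**demo), simulate_mean_steps(**demo))
```

For the routine scenario the two calculations agree to within about 0.2 percent. For the crisis scenario equation (23) returns a negative number, while the reflecting chain gives a positive expectation above 10^30 periods, so the negative value is best read as "drift points out of the chain" rather than as a duration.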
Appendix Table 1: Complete meanings of the places
Figure PCTCN2018113980-appb-000024
Figure PCTCN2018113980-appb-000025
Appendix Table 2: Complete table of timed transition parameters
Figure PCTCN2018113980-appb-000026
Figure PCTCN2018113980-appb-000027
Figure PCTCN2018113980-appb-000028
Figure PCTCN2018113980-appb-000029
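The above is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.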

Claims (10)

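  1. A security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory, characterized in that the method comprises the following steps:
    S1. In an actual system, dividing the attack process in the attack-defense process of a distributed MDA with decision delay into single-node attacks and link attacks according to attack granularity;
    S2. Abstracting the configuration of the actual system to extract the single-node attack parameters of the mimic model;
    S3. Using GSPN theory and mathematical tools to analyze and calculate, from the obtained single-node attack parameters, the single-node attack success probability and the single-node attack time;
    S4. Using the single-node attack success probability as a parameter, calculating the expected average number of steps for a successful link attack with a Markov chain and martingale theory;
    S5. Obtaining the total theoretical average attack time from the expected number of steps for a successful link attack and the single-node attack time.
  2. The method according to claim 1, characterized in that the single-node attack treats an independent functional component in the attack process as a node, and when the node is attacked the defender performs one of the actions eviction (D), mis-eviction (M), deactivation (S) and judgment (J) on the attacked executors according to how they were attacked.
  3. The method according to claim 2, characterized in that in step S3 the GSPN theory is that the attacker and the defender form a game in the actual system, the different actions of the two sides affect the output state of a single node differently, game theory is used to characterize these effects on the output state of a single node, and a generalized stochastic Petri net (GSPN) model is built from the characterized effects, the method of building the GSPN model comprising the following steps:
    S31. Extracting the attacker's actions and their effects to build the generalized stochastic Petri net from the attacker's perspective;
    S32. Extracting the defender's actions and their effects to build the generalized stochastic Petri net from the defender's perspective;
    S33. Merging the actions and states of the generalized stochastic Petri nets from the attacker's and the defender's perspectives to build the system generalized stochastic Petri net.
  4. The method according to claim 3, characterized in that the attack-defense behavior of the attacker and the defender in the game puts the system into the following different states according to the attack results: normal operation (A), non-specific awareness (B), wear (C), attack diffusion (D) and attack escape (E);
    normal operation (A) being that the attacker has not launched an attack or no attack has taken effect, so all executors run normally;
    non-specific awareness (B) being that, when the attacker has successfully attacked fewer than half of the executors, the system finds during the majority decision that the output of the attacked executors is inconsistent with that of the other executors and replaces the attacked executors with executors from the heterogeneous pool that have not been attacked, so the attack fails;
    wear (C) being that the attacker has successfully attacked most of the executors but cannot make them produce the same wrong output, or the attacker has successfully attacked all executors and their outputs are inconsistent, the system obtains several different output results, none of which occurs more than half of the time, so no decision can be made, and the system marks the executor set as suspicious and deactivates it;
    attack diffusion (D) being that the attacker has successfully attacked most of the executors and they produce the same wrong output, so the system mis-evicts the correct executor; or the attacker has successfully attacked all executors and more than half of them produce the same wrong output, so the system evicts the compromised executors whose output is inconsistent, the eviction not only failing to clear the attacker out of the system effectively but also consuming additional resources in the heterogeneous pool, causing attack diffusion;
    attack escape (E) being that, when the attacker's capability is strong enough and the attack fast enough, all executors are successfully attacked before the mimic defense system makes its majority decision and all produce the same wrong output, so the attacker escapes successfully, and the arbiter judges the output to be correct and allows all compromised executors to keep working.
  5. The method according to claim 4, characterized in that, through the defensive behavior of the attacker and the defender in the game, the defender uses mimic judgment to move the system of a single node between different states during the attack-defense process.
  6. The method according to claim 6, characterized in that, in the attack-defense process, after the attacker conquers one executor, the probability that a normally working executor has completed its result output is P_1w = P{N(t_a) − N(0) > 0}; for a general attack, after one executor has been attacked, the probability that the other normally working executors have completed K result outputs and the system carries out mimic judgment (t_(1,B,J)) is P_1M^J = (P_1M)^K; for a general attack, after i executors have been attacked, the probability that the other normally working executors have completed their result output is P_2M^J = P{N(t_a + αt_a + … + α^(i−1) t_a) − N(0) > 0}; the probability that the system carries out mimic judgment (t_(i,C,J) + t_(i,D,J)) is P_iM^J = (P_iM)^K; where N(t) is the number of result outputs by an executor in the time interval t from the start of task distribution, t_a is the time to attack one executor, α = 1 for a general attack and α = 0.5 for a special attack, N is the number of working executors in the system, K is the threshold on the number of identical result outputs, and 0 ≤ i ≤ N − K.
  7. The method according to claim 6, characterized in that the link attack takes the steady-state time of a single node as the attack cycle of the system; the attacker advances along the attack chain, and each time a node is successfully attacked the attacker takes one step down the attack chain; it is then determined whether a mimic random disturbance is encountered: if so, the attacker takes one step back along the attack chain; if not, the attacker goes on to attack the next node.
  8. The method according to claim 7, characterized in that, in a link attack, the attacker has three different actions, retreating, descending and staying in place, depending on whether a mimic random disturbance is encountered and whether the single-node attack succeeds.
  9. The method according to claim 8, characterized in that retreating means that, whether or not the attacker launches an attack, whenever the system's random disturbance changes the node where the attacker is located or the target node under attack, the attack cannot proceed and the attacker must retreat to the previously attacked node, with probability M_{i,i-1} = ω; descending means that the probability that the attacker successfully attacks the next node is μ and the probability that the system does not randomly disturb the nodes involved in the attack within the change period is (1 − ω), so the probability that the attacker successfully attacks the next node with no random disturbance in the meantime is M_{i,i+1} = (1 − ω)μ; staying in place means that the attack on the next node fails and the system happens not to disturb the nodes involved either, so the state of the system is unchanged, with probability M_{i,i} = (1 − ω)(1 − μ).
  10. The method according to any one of claims 1-9, characterized in that step S4 further comprises the following steps:
    S41. Building a Markov chain from the action of finding where the attack stops, based on the current state and the attack range of the next step;
    S42. Converting the Markov chain into a martingale sequence;
    S43. Using the stopping time theorem for martingales to calculate the expected number of steps the attacker needs to successfully attack the target node:
    Figure PCTCN2018113980-appb-100001
    S44. Substituting the single-node attack success probability into the expected number of steps needed to successfully attack the target node to obtain, for an attack chain of length Θ, the expected number of steps the attacker needs to reach the target node:
    Figure PCTCN2018113980-appb-100002
    where μ is the probability that the attacker successfully attacks a single node, ω is the probability of encountering active random disturbance at a single node, θ is the link length, λ(T_E0) is the frequency of the random disturbance action, and P(PE) is the probability that a single node is compromised.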
PCT/CN2018/113980 2018-11-05 2018-11-05 Security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory WO2020093201A1 (zh)

Priority Applications (3)

Application Number Priority Date Filing Date Title
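PCT/CN2018/113980 WO2020093201A1 (zh) 2018-11-05 2018-11-05 Security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory
CN201880092103.1A CN112313915B (zh) 2018-11-05 2018-11-05 Security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory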
US16/228,513 US10440048B1 (en) 2018-11-05 2018-12-20 Anti-attacking modelling for CMD systems based on GSPN and Martingale theory

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/113980 WO2020093201A1 (zh) 2018-11-05 2018-11-05 Security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US16/228,513 Continuation US10440048B1 (en) 2018-11-05 2018-12-20 Anti-attacking modelling for CMD systems based on GSPN and Martingale theory

Publications (1)

Publication Number Publication Date
WO2020093201A1 true WO2020093201A1 (zh) 2020-05-14

Family

ID=68101656

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/113980 WO2020093201A1 (zh) 2018-11-05 2018-11-05 Security modeling and quantification method for cyberspace mimic defense based on GSPN and martingale theory

Country Status (3)

Country Link
US (1) US10440048B1 (zh)
CN (1) CN112313915B (zh)
WO (1) WO2020093201A1 (zh)

Also Published As

Publication number Publication date
US10440048B1 (en) 2019-10-08
CN112313915B (zh) 2021-08-31
CN112313915A (zh) 2021-02-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18939179

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18939179

Country of ref document: EP

Kind code of ref document: A1