WO2022127482A1 - Network security protection method and apparatus - Google Patents


Info

Publication number: WO2022127482A1
Authority: WO (WIPO (PCT))
Prior art keywords: attack, target, network, attack path, path
Application number: PCT/CN2021/131087
Other languages: French (fr), Chinese (zh)
Inventors: 杨冰涛, 莫楠, 桂照斌, 白琳
Original assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Publication of WO2022127482A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
            • H04L63/1433 Vulnerability analysis
            • H04L63/1441 Countermeasures against malicious traffic
                • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
        • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Definitions

  • the present application relates to the field of network security, and in particular, to a network security protection method and device.
  • the embodiments of the present application provide a network security protection method and device, which can effectively improve network security.
  • an embodiment of the present application provides a network security protection method, and the method can be executed by a control management entity.
  • the control and management entity may periodically obtain network information of the target network, and determine the target attack path of the target network in the current state according to the obtained network information.
  • the target attack path mentioned here is used to achieve the attack target. That is, the target attack path is an attack path that an attacker may take to reach the attack target.
  • a security protection policy may be dynamically deployed according to the target attack path.
  • the control and management entity can predict the attack methods that the attacker may take on the target network according to the network information of the target network, and dynamically deploy the corresponding security protection strategy, thereby effectively preventing network attacks.
  • the control and management entity can dynamically adjust the security protection policy of the honeypot in the target network, so as to guide the attacker to attack the honeypot, thereby reducing the attacker's attacks on the communication devices in the target network and improving the network security of the target network. Since the state information of the target network collected at different collection time points may differ, the target attack paths obtained from it also differ, and further, the deployed security protection strategies also differ. Therefore, by using this solution, a security protection strategy can be dynamically deployed based on the network information of the target network, thereby effectively protecting network security.
  • the network information of the target network may include vulnerability information of the target network and/or port information opened by the target network.
  • the control and management entity can determine the target attack path according to the acquired vulnerability information and the open port information.
  • the network information of the target network may include other information in addition to the aforementioned vulnerability information and/or the open port information.
  • the alarm information of the target network can also expose the vulnerability of the target network to a certain extent, and an attacker can use the alarm information to determine the attack behavior. Therefore, the network information of the target network may also include alarm information.
  • if the attacker obtains the topology information of the target network and the device configuration information of the target network, the attacker can also use the topology information and device configuration information to carry out precise attacks on the target network. Therefore, the network information of the target network may further include device configuration information and/or topology information of the target network.
  • the attacker may take more than one attack path. Therefore, after acquiring the network information of the target network, the control and management device can determine the first attack path set according to the acquired network information, and the first attack path set is a set of multiple attack paths capable of realizing the attack target. After the first attack path set is determined, the target attack path may be selected from the first attack path set. In one example, attack paths that can be implemented by an attacker may be traversed according to the network information to obtain the first set of attack paths. In yet another example, the first attack graph of the target network may be obtained according to the network information of the target network, and the first attack path set may be obtained further according to the first attack graph.
  • one or more attack paths may be randomly selected from the first attack path set as the target attack path.
  • the attack costs corresponding to each attack path may be different.
  • when attackers attack a network, they tend to achieve the attack target at a smaller attack cost. Therefore, one or more attack paths with lower attack cost may be selected from the first attack path set as the target attack path.
  • the target attack path may be the attack path with the smallest corresponding attack cost in the first attack path set.
  • the attack path with the smallest corresponding attack cost in the first attack path set may also be called the optimal attack path.
  • the security protection strategy is dynamically deployed according to the target attack path.
  • the security protection strategy of the honeypot in the target network may be dynamically adjusted according to the target attack path, so that the honeypot can lure more attack traffic, thereby achieving the purpose of protecting the target network.
  • a new honeypot may also be added to the target network. For example, if no honeypot was originally deployed in the target network, a new honeypot can be added to lure attack traffic; for another example, if a honeypot has already been deployed in the target network but the security protection strategy of the existing honeypot is not suitable for adjustment, a new honeypot can be added to lure attack traffic.
  • the control and management entity determines the target attack path according to the acquired network information. During specific implementation, it may first obtain the first attack graph of the target network according to the acquired network information.
  • the first attack graph may reflect the correlation between various vulnerabilities of the target network and the attack path that can reach the attack target. Therefore, after the first attack graph is obtained, the target attack path can be obtained by using the first attack graph.
  • a second attack graph of the target network may be obtained first according to the obtained network information, and then redundant information in the second attack graph is removed to obtain a first attack graph. It can be understood that, compared with the second attack graph, the first attack graph has a smaller amount of data, but the effective information in the second attack graph is retained. In this way, the calculation amount for calculating the target attack path can be effectively reduced.
  • the target attack path may be one or more attack paths whose corresponding attack cost is relatively small in the foregoing first attack path set.
  • the target attack path may be obtained by combining a specific algorithm or model and the first attack graph. The algorithm with the aforementioned characteristics can determine the attack cost of each attack path in the first attack path set.
  • the target attack path may be obtained by using a multi-armed bandit model and the first attack graph.
  • the multi-armed bandit model corresponds to the single-step reinforcement learning task in reinforcement learning.
  • the attack path with a lower corresponding attack cost can be determined.
  • in a specific implementation, the target attack path of the target network may be determined as follows: according to the current state of the target network (i.e. the first state), the state of the target network when the attack target is achieved (i.e. the second state) and the first attack graph, a first attack path set is obtained, where each attack path in the set can make the target network transition from the first state to the second state. Then, the multi-armed bandit model is used to calculate the reward of each attack path in the first attack path set, and the target attack path is selected from the first attack path set according to the reward of each attack path.
  • the target attack path is selected from the first attack path set.
  • the attack paths are ranked by reward from high to low, and the top N attack paths are determined as the target paths.
  • N mentioned here is an integer greater than or equal to 1.
  • the target path is actually the optimal attack path for realizing the attack target.
  • the present application provides a control management entity, including: a transceiver unit and a processing unit.
  • the transceiving unit is configured to perform the transceiving operations performed by the control management entity according to the first aspect or any implementation of the first aspect.
  • the processing unit is configured to perform the operations, other than the transceiving operations, performed by the control management entity according to the first aspect or any implementation of the first aspect.
  • the present application provides a control management entity, where the control management entity includes a memory and a processor; the memory is used to store program code; the processor is used to execute the instructions in the program code, so that the control management entity executes the method according to the first aspect or any implementation of the first aspect.
  • the present application provides a control management entity, where the control management entity includes a communication interface and a processor, and the communication interface is configured to perform the transceiving operations performed by the control management entity according to the first aspect or any implementation of the first aspect.
  • the processor is configured to perform the operations, other than the transceiving operations, performed by the control management entity according to the first aspect or any implementation of the first aspect.
  • the present application provides a computer-readable storage medium, wherein the computer-readable storage medium stores instructions, and when a processor executes the instructions, the method according to the first aspect or any implementation of the first aspect is implemented.
  • the present application provides a computer program product, including a computer program; when a processor runs the program, the method according to the first aspect or any implementation of the first aspect is implemented.
  • Figure 1 is a schematic diagram of a network system with honeypots deployed.
  • FIG. 2 is a schematic flowchart of a network security protection method provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a control management entity according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of a control management entity according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of a control management entity according to an embodiment of the present application.
  • the embodiments of the present application provide a network security protection method and device, which can effectively improve network security.
  • a defense system can be constructed based on the network architecture, and a variety of different defense measures can be combined to achieve network security defense.
  • the aforementioned defense systems may be, for example, firewalls, intrusion detection, security gateways, antivirus software, data encryption, access control, user authentication, etc., which are not listed and described here.
  • the construction of this defense system relies on prior knowledge of existing network attacks and is a passive defense technology. In other words, this defense system can only block known attacks, but cannot block unknown attacks. Therefore, this defense system cannot effectively prevent network attacks.
  • honeypot technology has emerged to meet this need.
  • honeypot technology induces attackers to attack decoy communication devices, thereby reducing the attacker's attack traffic on real communication devices and further protecting network security.
  • the attack on the decoy communication device can also be analyzed, the attacker's attack intention can be obtained, and corresponding countermeasures can be taken, so as to effectively delay or even prevent the network attack, so as to achieve the purpose of protecting network security.
  • the decoy communication device can also be called a honeypot.
  • Figure 1 is a schematic diagram of a network system with honeypots deployed.
  • the data collection, processing, and analysis module can collect attack information against the decoy communication device, and analyze the attack information to obtain the attacker's attack intention, and further corresponding countermeasures can be taken according to the attack intention to protect the real communication device.
  • honeypots can be deployed for the network to be protected, and honeypot technology can also be combined with the aforementioned defense system to protect network security.
  • the combination of honeypot technology and the aforementioned defense system can also be called honeynet technology.
  • in honeynet technology, in order to lure more attack traffic, the honeypot may deploy the same system as the communication devices in the network to be protected. For example, if the hosts in the network to be protected run a Windows system, the honeypot may also deploy a Windows system.
  • the defense strategy of the honeynet can be dynamically adjusted. For example, in the first communication cycle, ports 1 to 10 of the honeypot are opened, and in the second communication cycle, ports 11 to 20 of the honeypot are opened.
  • the current honeynet technology can only adjust the defense measures of the honeynet according to the attacks that have already been captured. It is understandable that when the defense strategy of the honeynet is adjusted only after an attack is detected, on the one hand, the attack has already occurred, and adjusting the defense strategy of the honeynet at this time cannot achieve complete and effective protection; on the other hand, there are many kinds of attacks in the network, and it is difficult to prevent high-risk and hidden attacks by adjusting the honeynet defense strategy only based on the captured attacks. In other words, the current honeynet technology cannot effectively protect network security.
  • the embodiments of the present application provide a network security protection method, which can predict the attack methods that an attacker may take according to the network information of the target network, and dynamically deploy a security protection strategy, thereby effectively preventing network attacks and improving network security.
  • the communication device mentioned in the embodiments of this application may be a network device such as a switch or a router, may be a part of the components on the network device, such as a single board or a line card on the network device, or may be a functional module on the network device; the functional modules are not specifically limited in the embodiments of the present application.
  • the communication apparatus may also be user equipment.
  • the communication devices can be directly connected through an Ethernet cable or an optical fiber cable.
  • FIG. 2 is a schematic flowchart of a network security protection method provided by an embodiment of the present application.
  • the network security protection method 100 shown in FIG. 2 may be executed by a control management entity.
  • the control management entity mentioned in the embodiments of the present application may be, for example, a device running a network management system (network management system, NMS), or may be a controller.
  • the control management entity may be a functional module that implements control and/or management functions, or a physical entity that runs related functional modules.
  • the physical entity may be, for example, a server installed with related software, a communication device, etc., used to implement the functions of the control management entity.
  • the embodiments of the present application do not make specific limitations.
  • the method 100 shown in FIG. 2 may include the following S101-S103.
  • S101 Periodically acquire network information of a target network.
  • the target network is a network to be protected, and the target network may include network equipment and/or user equipment.
  • the network devices in the target network may belong to the access network, may also belong to the aggregation network, and may also belong to the core network, which is not specifically limited here.
  • the status information of the target network is used to indicate the status of the target network.
  • Attackers can take corresponding attack behaviors by analyzing the network information of the target network.
  • the network information of the target network may be obtained first, and further, according to the obtained network information, the attack behavior that an attacker may take on the target network may be predicted.
  • the network information of the target network may include vulnerability information of the target network and/or information of ports opened by the target network.
  • the port information opened by the target network may be a protocol port number opened on the communication device in the target network.
  • the vulnerability analysis tool may be used to obtain the vulnerability information of the target network.
  • the port scanning tool may be used to obtain the open port information of the target network.
  • the network information of the target network may include other information in addition to the aforementioned vulnerability information and/or the open port information.
  • the alarm information of the target network can also expose the vulnerabilities of the target network to a certain extent, and the attacker can use the alarm information to determine the attack behavior. Therefore, the network information of the target network may also include the alarm information.
  • the attacker can also use the topology information and device configuration information to target the target network.
  • the network information of the target network may further include device configuration information and/or topology information of the target network.
  • the device configuration information of the target network may be the configuration information of the communication devices in the target network.
  • the configuration information of the communication device may include, for example, the communication protocols supported by the communication device, the port information opened by the communication device, the services provided by the communication device, etc.
  • S102 Determine a target attack path of the target network in the current state according to the acquired network information, where the target attack path is used to achieve an attack target.
  • the target attack path of the target network in the current state can be determined according to the obtained network information.
  • the target attack path refers to the attack path that the attacker may take to achieve the attack target.
  • the so-called attack path can be regarded as a collection of multiple attack behaviors performed by an attacker in a certain order. For example: the attacker exploits vulnerability A and compromises communication device A; then, from the compromised communication device A, exploits vulnerability B and compromises communication device B; finally, from the compromised communication device B, exploits vulnerability C to achieve the attack target.
  • the attack path adopted by the attacker includes three attack behaviors executed in order. The three attack behaviors are: exploiting vulnerability A to attack communication device A, exploiting vulnerability B to attack communication device B, and exploiting vulnerability C to achieve the attack target.
  • the attack target mentioned here may be to capture a certain communication device.
  • a first attack path set may be determined according to the acquired network information, where the first attack path set is a set of multiple attack paths capable of achieving the attack target. In other words, all attack paths in the first attack path set can achieve the attack target. It is precisely because all attack paths in the first attack path set can achieve the attack target, so when an attacker wishes to achieve the attack target, the attacker may use any one of the first attack path set or multiple attack paths to attack the target network. Therefore, after the first attack path set is determined, the target attack path can be selected from the first attack path set.
  • the attack paths that can be implemented by the attacker may be traversed according to the network information to obtain the first attack path set.
  • the first attack graph of the target network may be obtained according to the network information of the target network, and the first attack path set may be obtained further according to the first attack graph.
  • one or more attack paths may be randomly selected from the first attack path set as the target attack path.
  • the attack costs corresponding to each attack path may not be the same.
  • the first attack path set includes attack path 1 and attack path 2.
  • attack path 1 can achieve the attack target by using only one port, while attack path 2 needs to capture three communication devices to achieve the attack target.
  • the attack cost of attack path 1 is less than the attack cost of attack path 2.
  • one or more attack paths with lower attack cost may be selected from the first attack path set as the target attack path.
  • the attack paths in the first attack path set may be sorted by attack cost in ascending order, and a certain number of attack paths at the front of the order may be used as the target attack paths. It can be understood that, among the attack paths in the first attack path set, the attacker is most likely to attack the target network by using the attack path with the least attack cost. Therefore, in an example, the target attack path may be the attack path with the smallest corresponding attack cost in the first attack path set, which may also be called the optimal attack path.
  • S103 Dynamically deploy a security protection policy according to the target attack path.
  • a security protection policy can be dynamically deployed according to the target attack path. Since the target attack path is an attack method that an attacker may take, dynamically deploying a security protection policy according to the target attack path can effectively intercept attack traffic, thereby protecting the network security of the target network.
  • the security protection policy of the honeypot can be dynamically adjusted in the target network according to the target attack path, so that the honeypot can induce more attack traffic, thereby achieving the purpose of protecting the target network.
  • the security protection policy of the existing honeypot can be adjusted. For example, if the target attack path indicates that the attacker may realize the attack target based on the XX port, the XX port can be opened on the existing honeypot to achieve the purpose of attracting attack traffic. For another example, if the target attack path indicates that the attacker may achieve the attack target based on the existing vulnerability X, the vulnerability X can be deployed on the honeypot, so as to induce attack traffic and protect the real communication device.
  • a new honeypot may also be added to the target network. For example, if no honeypot was originally deployed in the target network, a new honeypot can be added to lure attack traffic; for another example, if a honeypot has already been deployed in the target network but the security protection strategy of the existing honeypot is not suitable for adjustment, a new honeypot can be added to lure attack traffic.
  • a protection policy for attack traffic corresponding to the target attack path may be deployed on the firewall.
  • the possible characteristics of the attack traffic can be analyzed according to the target attack path, and after the characteristics of the attack traffic are obtained, an interception strategy for the attack traffic can be deployed on the firewall.
  • the control and management entity can collect the attacks on the honeypot, analyze them, and deploy the corresponding protection policy on the firewall according to the analysis result. For example, if the honeypot receives a large amount of attack traffic targeting port XX, a traffic verification policy targeting port XX can be deployed on the firewall.
  • the control and management entity can predict the attack methods that the attacker may take on the target network according to the state information of the target network, and dynamically deploy the corresponding security protection strategy, so as to effectively prevent network attacks and improve the network security of the target network.
  • the state information of the target network collected at different collection time points may be different, so the target attack paths obtained from it are also different, and further, the deployed security protection strategies are also different.
  • a security protection strategy can be dynamically deployed based on the network information of the target network, thereby effectively protecting network security.
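One collection cycle of S101 to S103 worked through in code (an added illustration, not the patent's own implementation): a constructed attack graph built from vulnerability and open-port information, enumeration of the first attack path set, selection of the least-cost target attack path, and derivation of the honeypot and firewall policy from it. Host names, vulnerability labels, ports and costs are constructed sample values.

```python
"""Attack-graph based target attack path selection and policy derivation.
Added illustration, not code from the patent; the hosts, vulnerabilities,
ports and exploit costs below are constructed sample input."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exploit:
    """One edge of the attack graph: from a host the attacker already controls,
    exploit a vulnerability on another host over an open port, at some cost."""
    src: str      # host already under attacker control ("internet" = entry point)
    dst: str      # host compromised if the exploit succeeds
    vuln: str     # vulnerability identifier (constructed label)
    port: int     # port the exploit is delivered over
    cost: float   # attack cost; higher means harder for the attacker


# Constructed network information: what a vulnerability scan plus a port scan
# of the target network might yield, already joined into graph edges.
SAMPLE_EXPLOITS = [
    Exploit("internet", "web", "VULN-A", 443, 2.0),
    Exploit("internet", "vpn", "VULN-D", 1194, 5.0),
    Exploit("web", "app", "VULN-B", 8080, 3.0),
    Exploit("vpn", "app", "VULN-E", 8080, 1.0),
    Exploit("app", "db", "VULN-C", 3306, 4.0),
    Exploit("web", "db", "VULN-F", 3306, 9.0),
]


def build_attack_graph(exploits):
    """Adjacency list: controlled host -> exploits usable from that host."""
    graph = {}
    for e in exploits:
        graph.setdefault(e.src, []).append(e)
    return graph


def enumerate_attack_paths(graph, start, target):
    """First attack path set: every simple path (no host revisited) from the
    attacker's entry state to the attack target, found by depth-first search."""
    paths = []

    def dfs(host, visited, path):
        if host == target:
            paths.append(tuple(path))
            return
        for e in graph.get(host, []):
            if e.dst not in visited:
                dfs(e.dst, visited | {e.dst}, path + [e])

    dfs(start, {start}, [])
    return paths


def path_cost(path):
    """Attack cost of a path: the summed cost of its attack behaviours."""
    return sum(e.cost for e in path)


def select_target_paths(paths, n=1):
    """Sort the path set by ascending attack cost and keep the first n; with
    n=1 this is the optimal (least-cost) attack path the attacker most likely uses."""
    return sorted(paths, key=path_cost)[:n]


def derive_protection_policy(target_paths):
    """Security protection policy for the predicted paths: ports to open and
    vulnerabilities to emulate on the honeypot so it attracts that traffic,
    and firewall inspection rules for the same host/port pairs."""
    ports, vulns, rules = set(), set(), set()
    for path in target_paths:
        for e in path:
            ports.add(e.port)
            vulns.add(e.vuln)
            rules.add(("inspect", e.dst, e.port))
    return {"honeypot_open_ports": sorted(ports),
            "honeypot_emulated_vulns": sorted(vulns),
            "firewall_rules": sorted(rules)}


def protection_cycle(exploits, start, target, n=1):
    """S101-S103 for one collection cycle: network info -> path set ->
    target attack path(s) -> deployed policy. Returns all three for inspection."""
    paths = enumerate_attack_paths(build_attack_graph(exploits), start, target)
    selected = select_target_paths(paths, n)
    return paths, selected, derive_protection_policy(selected)


if __name__ == "__main__":
    all_paths, chosen, policy = protection_cycle(SAMPLE_EXPLOITS, "internet", "db")
    for p in all_paths:
        print(" -> ".join(e.dst for e in p), "cost", path_cost(p))
    print("target attack path:", " -> ".join(e.dst for e in chosen[0]))
    print("policy:", policy)
```

Re-running `protection_cycle` on each new scan is what makes the deployed policy track the network's current state rather than attacks already captured.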
  • S102 can be implemented through the following steps A and B.
  • Step A The control and management entity obtains the first attack graph of the target network according to the acquired network information.
  • the first attack graph mentioned here can reflect the relationship between various vulnerabilities of the target network and the attack path that can reach the attack target. It can be understood that the first attack graph can reflect potential high-risk threats of the target network to a certain extent.
  • the attack graph generation tool can output the first attack graph based on the network information of the target network. Therefore, the attack graph generation tool can be used to generate the first attack graph.
  • the embodiment of the present application does not specifically limit the attack graph generation tool, and the attack graph generation tool may be, for example, a multi-host multi-stage vulnerability analysis (MulVAL) tool.
  • the calculation amount of calculating the target attack path according to the attack graph is relatively large.
  • a second attack graph of the target network may be obtained first according to the obtained network information, and then redundant information in the second attack graph is removed to obtain a first attack graph.
  • the MulVAL tool can be used to generate the second attack graph, and an algorithm to refine the attack graph (ARAG) can be used to remove redundant information from the second attack graph and reconstruct the remaining information into the first attack graph. It can be understood that, compared with the second attack graph, the first attack graph has a smaller amount of data but retains the effective information in the second attack graph.
  • Step B The control management entity determines the target attack path according to the first attack graph.
  • the first attack graph can reflect the correlation between various vulnerabilities of the target network and the attack path that can reach the attack target. Therefore, the target attack path can be obtained by using the first attack graph.
  • the target attack path may be one or more attack paths in the first set of attack paths with relatively low attack costs.
  • in order to determine the target attack path, the target attack path may be obtained by combining a specific algorithm or model with the first attack graph. An algorithm with the aforementioned characteristics can determine the attack cost of each attack path in the first attack path set.
  • the target attack path can be obtained by using a hidden Markov model and the first attack graph.
  • the known vulnerabilities, open ports and protocols used in the target network may be taken as the observed states, and the state of the target network being attacked or having been compromised as the hidden states; the observed states and the hidden states of the target network are related with a certain probability.
  • with a hidden Markov model, the next state of the system can be predicted based on the values of the observed states.
  • the most likely attack sequence can be calculated to obtain the target attack path.
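The hidden-Markov-model step described above, as an added example that is not code from the patent: the Viterbi algorithm recovers the most likely sequence of hidden attack stages from a sequence of observed states. The attack stages, the observation alphabet (the dominant protocol or port activity seen in each interval, standing in for the vulnerabilities, open ports and protocols the description names as observed states) and all probabilities are constructed values; in practice they would be estimated from the target network's own history.

```python
import math

# Hidden states: the attack stage the target network is in (constructed).
STATES = ["normal", "recon", "exploit", "lateral"]
# Observed states: dominant protocol/port activity per interval (constructed).
START = {"normal": 0.7, "recon": 0.2, "exploit": 0.05, "lateral": 0.05}
TRANS = {
    "normal":  {"normal": 0.7,  "recon": 0.2,  "exploit": 0.05, "lateral": 0.05},
    "recon":   {"normal": 0.1,  "recon": 0.5,  "exploit": 0.35, "lateral": 0.05},
    "exploit": {"normal": 0.05, "recon": 0.1,  "exploit": 0.4,  "lateral": 0.45},
    "lateral": {"normal": 0.05, "recon": 0.05, "exploit": 0.2,  "lateral": 0.7},
}
EMIT = {
    "normal":  {"http": 0.8, "portscan": 0.1,  "exploit_sig": 0.05, "smb": 0.05},
    "recon":   {"http": 0.2, "portscan": 0.7,  "exploit_sig": 0.05, "smb": 0.05},
    "exploit": {"http": 0.2, "portscan": 0.1,  "exploit_sig": 0.6,  "smb": 0.1},
    "lateral": {"http": 0.1, "portscan": 0.05, "exploit_sig": 0.15, "smb": 0.7},
}


def viterbi(observations, states=STATES, start=START, trans=TRANS, emit=EMIT):
    """Most likely sequence of hidden attack stages for the observed sequence.
    Scores are kept in log space so long observation windows do not underflow."""
    if not observations:
        return []
    score = [{s: math.log(start[s]) + math.log(emit[s][observations[0]]) for s in states}]
    back = [{}]
    for t in range(1, len(observations)):
        score.append({})
        back.append({})
        for s in states:
            # best predecessor for state s at time t
            prev, best = max(
                ((p, score[t - 1][p] + math.log(trans[p][s])) for p in states),
                key=lambda item: item[1],
            )
            score[t][s] = best + math.log(emit[s][observations[t]])
            back[t][s] = prev
    # backtrack from the best final state
    last = max(states, key=lambda s: score[-1][s])
    path = [last]
    for t in range(len(observations) - 1, 0, -1):
        path.append(back[t][path[-1]])
    return path[::-1]


def attack_sequence(observations):
    """Collapse repeated stages so the result reads as the attack sequence
    (the target attack path), e.g. ['normal', 'recon', 'exploit', 'lateral']."""
    seq = []
    for stage in viterbi(observations):
        if not seq or seq[-1] != stage:
            seq.append(stage)
    return seq
```

The decoded stage sequence is what the control management entity would use as the target attack path; the honeypot or other protection is placed ahead of the next predicted stage rather than at the stage already observed.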
  • the target attack path can be obtained using a Bayesian network and the first attack graph.
  • a Bayesian network is a probabilistic graphical model that, starting from prior knowledge and combined with causal relationships, yields the probability of an unknown event.
  • a Bayesian-network-based attack graph can be obtained by using the Bayesian network and the first attack graph.
  • the Bayesian-network-based attack graph consists of a triple (nodes, connecting lines, probability matrix), where the nodes represent the known vulnerabilities, exposed ports and other information in the target network; the connecting lines represent the dependencies between nodes; and the probability matrix represents the conditional probability of a node being attacked.
  • the target attack path can then be solved for on the basis of Bayes' formula.
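The Bayesian-network-based attack graph described above, as an added example that is not part of the patent: a small constructed graph whose nodes are vulnerabilities and exposed ports, whose connecting lines are dependencies, and whose probability matrix is expressed as a per-edge conditional probability, is evaluated by exact enumeration to give the probability that each node is attacked. It goes one step beyond the text by recomputing the target's probability with each entry node closed, which is the defender's reading of the same graph (which fix lowers the target's exposure most). The noisy-OR combination of parents, the node names, the priors and the edge probabilities are all assumptions.

```python
from itertools import product

# Constructed first attack graph (assumption, not the patent's data):
# node -> its parent nodes, i.e. the conditions an attacker needs first.
PARENTS = {
    "open_ssh_port": [],                           # entry node (exposed port)
    "cve_webapp":    [],                           # entry node (known vulnerability)
    "web_shell":     ["cve_webapp"],
    "db_creds":      ["web_shell", "open_ssh_port"],
    "db_host":       ["db_creds"],                 # attack target
}
# Prior probability that an entry node is attacked (constructed values).
PRIOR = {"open_ssh_port": 0.9, "cve_webapp": 0.6}
# Probability matrix as per-edge conditionals: P(child attacked | parent attacked).
EDGE_PROB = {
    ("cve_webapp", "web_shell"): 0.8,
    ("web_shell", "db_creds"): 0.7,
    ("open_ssh_port", "db_creds"): 0.3,
    ("db_creds", "db_host"): 0.9,
}


def topo_order(parents):
    """Parents before children, so each node's conditional can be evaluated."""
    order, seen = [], set()

    def visit(node):
        if node in seen:
            return
        seen.add(node)
        for parent in parents[node]:
            visit(parent)
        order.append(node)

    for node in parents:
        visit(node)
    return order


def node_conditional(node, assignment, parents, prior, edge_prob):
    """P(node attacked | state of its parents). Entry nodes use the prior; other
    nodes combine their attacked parents with noisy-OR (an assumption here)."""
    if not parents[node]:
        return prior[node]
    survive = 1.0
    for parent in parents[node]:
        if assignment[parent]:
            survive *= 1.0 - edge_prob[(parent, node)]
    return 1.0 - survive


def attack_probabilities(parents=PARENTS, prior=PRIOR, edge_prob=EDGE_PROB):
    """Marginal P(attacked) for every node by exact enumeration of the joint
    distribution (2^n states), which is affordable for a reduced first attack graph."""
    nodes = topo_order(parents)
    marginal = {n: 0.0 for n in nodes}
    for bits in product((0, 1), repeat=len(nodes)):
        assignment = dict(zip(nodes, bits))
        joint = 1.0
        for node in nodes:
            p = node_conditional(node, assignment, parents, prior, edge_prob)
            joint *= p if assignment[node] else 1.0 - p
        for node in nodes:
            if assignment[node]:
                marginal[node] += joint
    return marginal


def best_entry_fix(target, parents=PARENTS, prior=PRIOR, edge_prob=EDGE_PROB):
    """Defender's view: which entry node, once closed (prior set to 0), lowers
    P(target attacked) the most. Returns (node, resulting probability)."""
    best = None
    for entry in prior:
        patched = dict(prior, **{entry: 0.0})
        p_target = attack_probabilities(parents, patched, edge_prob)[target]
        if best is None or p_target < best[1]:
            best = (entry, p_target)
    return best
```

Exact enumeration is only practical because the first attack graph has had its redundant information removed; on a full second attack graph the same marginals would be computed with a belief-propagation or sampling routine instead.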
  • the target attack path can be obtained using a multi-armed bandit (multi-arm gambling machine) model and the first attack graph.
  • the multi-armed bandit model corresponds to the single-step reinforcement learning task in reinforcement learning.
  • the multi-armed bandit model can determine the attack path with the lower attack cost, whereas the aforementioned hidden Markov model and Bayesian network can only solve for the attack paths that achieve the attack target and cannot determine which of those attack paths corresponds to the lower attack cost. Therefore, in a preferred implementation manner, when step B is implemented, the multi-armed bandit model and the first attack graph are used to determine the target attack path.
  • the multi-armed bandit problem can be described as follows: a gambling machine has multiple arms, only one arm can be pulled at a time, and pulling an arm yields a certain reward, but the reward corresponding to each arm is unknown.
  • the multi-armed bandit problem is then: at each decision moment, by what strategy should an arm be pulled so as to obtain the greatest reward? In other words, in what sequence should the arms be pulled to obtain the greatest reward.
  • applied to the target network, the problem can be summarized as: among the attack paths that can achieve the attack target, which attack paths correspond to the larger rewards, where the larger the reward, the lower the attack cost of the corresponding attack path.
  • an attack path may include multiple attack behaviors, and each attack behavior corresponds to an attack reward. For an attack path, for example a first attack path, the reward of the first attack path can be determined according to the rewards of the attack behaviors included in it.
  • when the multi-armed bandit model and the first attack graph are used to determine the target attack path of the target network, a first attack path set that can make the target network transition from the first state to the second state may be obtained according to the current state of the target network (hereinafter referred to as the first state), the state of the target network when the attack target is achieved (hereinafter referred to as the second state), and the first attack graph. It can be understood that any attack path in the first attack path set can make the target network transition from the first state to the second state.
  • then, the multi-armed bandit model is used to calculate the reward of each attack path in the first attack path set, and the target attack path is selected from the first attack path set according to the reward of each attack path.
  • the attack means that the attacker can take may constitute a second attack path set. Some attack paths in the second attack path set may cause the target network to transition from the first state to the second state, while other attack paths in the second attack path set may cause the target network to transition from the first state to other states, such as a third state. The attack paths that can cause the target network to transition from the first state to the second state constitute the first attack path set; therefore, the first attack path set is a subset of the second attack path set.
  • the first state may also indicate an attack goal that the current attacker has achieved.
  • the second state may indicate the attack goal that the attacker has achieved when the target network is in the second state.
  • the reward of the attack path can be determined by the following formula (1).
  • the value of l is greater than or equal to 1, and l indicates the number of attack behaviors included in the attack path: when l is equal to 1, the attack path includes only one attack behavior; when l is equal to 2, it includes two attack behaviors; when l is equal to 3, three attack behaviors; and so on;
  • the reward is used to indicate the attack cost of the attack path;
  • E denotes the expected-value operator;
  • the discount factor can be an empirical value, and the specific value is not limited here.
  • the current state of the target network is S(0), that is, the first state is S(0). After the first attack behavior is taken, the state of the target network transitions to S(1); after the next attack behavior is taken, the state of the target network transitions to S(2); and so on. After the whole of the aforementioned attack path has been executed, the state of the target network has transitioned to S(l), at which point the attack target is achieved. That is to say, the state S(l) indicates the attack target, and the state S(l) is the aforementioned second state.
  • the N attack paths with the highest corresponding rewards in the first attack path set are determined as the target paths, where N is an integer greater than or equal to 1. It can be understood that when the value of N is 1, the target path is in fact the optimal attack path for achieving the attack target.
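The first and second attack path sets and the reward-based top-N selection described above, as an added example that is not the patent's code: all attack paths from the first state are enumerated over a constructed first attack graph, those that reach the second state are kept, each is scored by an expected discounted reward, and the N highest are returned. Formula (1) is not reproduced on this page, so the reward used here (the discounted sum of each behavior's reward, weighted by the probability that the path has succeeded up to that step) is an assumption standing in for it; the states, attack behaviors, rewards, success probabilities and discount factor are constructed. The final helper goes slightly beyond the text by reporting the behaviors common to all selected paths, which is where a honeypot deployed according to the target attack path would intercept the most likely attacks.

```python
# Constructed first attack graph: state -> [(next_state, attack_behaviour)].
# S0 is the first (current) state, S5 the second state (attack target reached),
# S4 a "third state" an attacker may end in without reaching the target.
ATTACK_GRAPH = {
    "S0": [("S1", "scan_ssh"), ("S2", "exploit_web")],
    "S1": [("S3", "bruteforce_ssh"), ("S2", "pivot_webhost")],
    "S2": [("S3", "dump_creds"), ("S4", "deface")],
    "S3": [("S5", "access_db")],
    "S4": [],
    "S5": [],
}
# Per-behaviour (reward, probability of success); constructed values. A higher
# reward models a lower attack cost, as in the description.
BEHAVIOURS = {
    "scan_ssh": (1.0, 0.9),
    "exploit_web": (3.0, 0.6),
    "bruteforce_ssh": (2.0, 0.3),
    "pivot_webhost": (2.0, 0.5),
    "dump_creds": (4.0, 0.8),
    "deface": (1.0, 0.9),
    "access_db": (10.0, 0.9),
}


def all_attack_paths(graph, start):
    """Second attack path set: every simple path from `start` to a state with no
    further attack behaviours. Returns [(end_state, [behaviours...]), ...]."""
    paths = []

    def dfs(state, visited, behaviours):
        if not graph[state]:
            paths.append((state, list(behaviours)))
            return
        for nxt, beh in graph[state]:
            if nxt not in visited:  # simple paths only: never revisit a state
                dfs(nxt, visited | {nxt}, behaviours + [beh])

    dfs(start, {start}, [])
    return paths


def expected_discounted_reward(behaviours, gamma, table=BEHAVIOURS):
    """Assumed stand-in for formula (1): E[sum_t gamma^t * r_t], where the reward
    r_t of step t is collected only if every behaviour up to step t succeeded."""
    total, p_reached = 0.0, 1.0
    for t, name in enumerate(behaviours):
        reward, p_success = table[name]
        p_reached *= p_success
        total += (gamma ** t) * p_reached * reward
    return total


def target_attack_paths(graph, first_state, second_state, gamma=0.9, n=1):
    """First attack path set (paths reaching second_state), scored and cut to the
    N highest rewards. Returns [([behaviours...], reward), ...], descending."""
    first_set = [b for end, b in all_attack_paths(graph, first_state) if end == second_state]
    scored = [(b, expected_discounted_reward(b, gamma)) for b in first_set]
    scored.sort(key=lambda item: item[1], reverse=True)
    return scored[:n]


def shared_behaviours(top_paths):
    """Attack behaviours present in every selected target path: the choke point
    at which a honeypot or other protection covers all of them at once."""
    sets = [set(b) for b, _ in top_paths]
    return set.intersection(*sets) if sets else set()
```

With N = 1 the function returns the optimal attack path in the sense the description uses; raising N and intersecting the paths shows which single behavior a dynamically adjusted honeypot should be placed against when the top candidates disagree on their early steps.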
  • a Gittins index can be calculated for each attack behavior using the Gittins theorem and the state-elimination algorithm (SEA), and the target attack path is then obtained according to the Gittins indices of the attack behaviors.
  • FIG. 3 is a schematic structural diagram of a control management entity according to an embodiment of the present application.
  • the control management entity 300 includes a transceiver unit 301 and a processing unit 302 .
  • control management entity 300 may execute the method 100 in the above embodiments.
  • the control management entity 300 is equivalent to the control management entity in the method 100.
  • the transceiving unit 301 is configured to perform the transceiving operation performed by the control management entity in the method 100 .
  • the processing unit 302 is configured to perform operations other than the transceiving operations performed by the control management entity in the method 100 .
  • the transceiver unit 301 is configured to periodically acquire the network information of the target network; the processing unit 302 is configured to determine, according to the acquired network information, the target attack path of the target network in its current state, the target attack path being used to achieve the attack target, and to dynamically deploy the security protection strategy according to the target attack path.
  • FIG. 4 is a schematic structural diagram of a communication apparatus provided by an embodiment of the present application.
  • the control management entity 400 includes a communication interface 401 and a processor 402 connected to the communication interface 401 .
  • control management entity 400 may execute the method 100 in the above embodiments.
  • the control management entity 400 is equivalent to the control management entity in the method 100.
  • the communication interface 401 is used to perform the transceiving operation performed by the control management entity in the method 100 .
  • the processor 402 is configured to perform operations other than the transceiving operations performed by the control management entity in the method 100 .
  • the communication interface 401 is used to periodically acquire the network information of the target network; the processor 402 is used to determine, according to the acquired network information, the target attack path of the target network in its current state, the target attack path being used to achieve the attack target, and to dynamically deploy the security protection strategy according to the target attack path.
  • FIG. 5 is a schematic structural diagram of a communication apparatus provided by an embodiment of the present application.
  • the control management entity 500 can be used to execute the method 100 in the above embodiments.
  • the control management entity 500 may include a processor 510 , a memory 520 coupled to the processor 510 , and a transceiver 530 .
  • the transceiver 530 may be, for example, a communication interface, an optical module, or the like.
  • the processor 510 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP.
  • the processor may also be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • the above-mentioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof.
  • the processor 510 may refer to one processor, or may include multiple processors.
  • the memory 520 may include volatile memory, such as random-access memory (RAM); the memory may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 520 may also include a combination of the above-mentioned types of memory.
  • the memory 520 may refer to one memory, or may include multiple memories.
  • computer-readable instructions are stored in the memory 520 , and the computer-readable instructions include a plurality of software modules, such as a sending module 521 , a processing module 522 and a receiving module 523 .
  • the processor 510 can perform corresponding operations according to the instructions of each software module.
  • an operation performed by a software module actually refers to an operation performed by the processor 510 according to the instruction of the software module.
  • control management entity 500 may execute the method 100 in the above embodiments.
  • the control management entity 500 is equivalent to the control management entity in the method 100.
  • the transceiver 530 is configured to perform the transceiving operation performed by the control management entity in the method 100 .
  • the processor 510 is configured to perform operations other than the transceiving operations performed by the control management entity in the method 100 .
  • the transceiver 530 is configured to periodically acquire the network information of the target network; the processor 510 is configured to determine, according to the acquired network information, the target attack path of the target network in its current state, the target attack path being used to achieve the attack target, and to dynamically deploy the security protection strategy according to the target attack path.
  • the present application also provides a computer-readable storage medium in which instructions are stored; when executed on a computer, the instructions cause the computer to execute any one or more of the operations of the method (for example, method 100) described in the foregoing embodiments.
  • the present application also provides a computer program product, including a computer program that, when run on a computer, causes the computer to perform any one or more operations of the methods (eg, method 100 ) described in the foregoing embodiments.
  • the disclosed system, apparatus and method may be implemented in other manners.
  • the apparatus embodiments described above are only illustrative.
  • the division of units is only a logical business division. In actual implementation, there may be other division methods.
  • multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the shown or discussed mutual coupling or direct coupling or communication connection may be through some interfaces, indirect coupling or communication connection of devices or units, and may be in electrical, mechanical or other forms.
  • Units described as separate components may or may not be physically separated, and components shown as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution in this embodiment.
  • each service unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit may be implemented in the form of hardware, or may be implemented in the form of a software business unit.
  • the integrated unit if implemented as a software business unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium.
  • the technical solutions of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product; the computer software product is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the steps of the methods in the various embodiments of the present application.
  • the aforementioned storage medium includes a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.
  • the services described in the present invention may be implemented by hardware, software, firmware or any combination thereof.
  • the services may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
  • Computer-readable media include both computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another.
  • a storage medium can be any available medium that can be accessed by a general purpose or special purpose computer.

Abstract

Embodiments of the present application provide a network security protection method. The method may periodically obtain network information of a target network, predict, according to the network information of the target network, an attack means that an attacker may take, and dynamically deploy a security protection strategy. Because the acquired state information of the target network may be different at different acquisition time points, the corresponding obtained target attack means is also different, and furthermore, the deployed security protection strategy is also different. In other words, by using the present solution, a security protection strategy, such as a dynamic honeypot, can be dynamically deployed on the basis of network information of a target network, and thus the network security is effectively protected.

Description

A network security protection method and apparatus
This application claims priority to Chinese patent application No. 202011505798.7, entitled "A network security protection method and apparatus", filed with the China National Intellectual Property Administration on December 18, 2020, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of network security, and in particular to a network security protection method and apparatus.
Background
With the development of network technology, the Internet has interconnected hundreds of millions of hosts worldwide, and network services have penetrated every aspect of production and daily life. However, the accompanying network security problems have also become increasingly prominent: attackers such as network hackers can disrupt the normal operation of network services by attacking the network.
Therefore, how to ensure network security is an urgent problem to be solved.
Summary of the invention
The embodiments of the present application provide a network security protection method and apparatus, which can effectively improve network security.
In a first aspect, an embodiment of the present application provides a network security protection method, which may be executed by a control management entity. In one example, in order to improve the network security of a target network, the control management entity may periodically acquire network information of the target network and determine, according to the acquired network information, the target attack path of the target network in its current state. The target attack path mentioned here is used to achieve an attack target; that is, the target attack path is an attack path that an attacker may take to achieve the attack target. After determining the target attack path, the control management entity may dynamically deploy a security protection strategy according to the target attack path. It can be seen that, with the method of the embodiments of the present application, the control management entity can predict, according to the network information of the target network, the attack means that an attacker may take against the target network, and dynamically deploy the corresponding security protection strategy, thereby effectively preventing network attacks and improving the network security of the target network. As an example, the control management entity can dynamically adjust the security protection strategy of a honeypot in the target network so as to guide the attacker to attack the honeypot, thereby reducing attacks on the communication devices in the target network and improving its network security. Since the state information of the target network collected at different collection time points may differ, the target attack means obtained also differ, and further the deployed security protection strategies differ. Therefore, with this solution, a security protection strategy can be deployed dynamically on the basis of the network information of the target network, thereby effectively protecting network security.
In a possible implementation manner, it is considered that an attacker generally attacks a network by exploiting the network's vulnerabilities and/or the information about the ports the network has opened. Therefore, the network information of the target network may include vulnerability information of the target network and/or information about the ports opened by the target network. After acquiring the vulnerability information and the open port information, the control management entity may determine the target attack path according to the acquired vulnerability information and open port information.
In a possible implementation manner, it is considered that the more information about the target network an attacker can obtain, the easier it is for the attacker to analyze the target network and decide on an attack behavior. Therefore, in addition to the aforementioned vulnerability information and/or open port information, the network information of the target network may also include other information. On the one hand, the alarm information of the target network can also expose its weak points to a certain extent, and an attacker can use the alarm information to decide on an attack behavior; therefore, the network information of the target network may further include alarm information. On the other hand, if an attacker obtains the topology information and the device configuration information of the target network, the attacker can use them to launch precise, targeted attacks against the target network; therefore, the network information of the target network may further include device configuration information and/or topology information of the target network.
In a possible implementation manner, for the target network in its current state, there may be more than one attack path that an attacker can take to achieve the attack target. Therefore, after acquiring the network information of the target network, the control management device may determine a first attack path set according to the acquired network information, the first attack path set being a set of multiple attack paths capable of achieving the attack target. After the first attack path set is determined, the target attack path may be selected from it. In one example, the attack paths an attacker could carry out may be traversed according to the network information to obtain the first attack path set. In another example, a first attack graph of the target network may be obtained according to the network information of the target network, and the first attack path set may then be obtained from the first attack graph.
In a possible implementation manner, one or more attack paths may be selected at random from the first attack path set as the target attack path.
In a possible implementation manner, it is considered that although every attack path in the first attack path set can achieve the attack target, the attack costs of the individual attack paths may differ, and when attacking a network an attacker tends to prefer achieving the attack target at a lower attack cost. Therefore, one or more attack paths with lower attack costs may be selected from the first attack path set as the target attack path. It can be understood that, among the attack paths in the first attack path set, the attacker is most likely to attack the target network along the attack path with the lowest attack cost; therefore, in one example, the target attack path may be the attack path in the first attack path set with the lowest attack cost. The attack path with the lowest attack cost in the first attack path set may also be called the optimal attack path.
In a possible implementation manner, dynamically deploying the security protection strategy according to the target attack path may, in specific implementation, consist of dynamically adjusting the security protection strategy of a honeypot within the target network according to the target attack path, so that the honeypot can lure more attack traffic and thereby protect the target network.
In a possible implementation manner, if a honeypot has already been deployed in the target network, the security protection strategy of the existing honeypot may be adjusted. In other embodiments, a new honeypot may be added to the target network. For example, if no honeypot was deployed in the target network, a honeypot may be added to lure attack traffic; as another example, although a honeypot has already been deployed in the target network, the security protection strategy of the existing honeypot may not be suitable for adjustment, so a new honeypot may be added to lure attack traffic.
In a possible implementation manner, when the control management entity determines the target attack path according to the acquired network information, it may first obtain a first attack graph of the target network according to the acquired network information. The first attack graph can reflect the relationships between the individual vulnerabilities of the target network and the attack paths that can reach the attack target. Therefore, once the first attack graph is obtained, the target attack path can be obtained by using it.
In a possible implementation manner, it is considered that if the attack graph used to calculate the target attack path contains a large amount of information, the amount of computation needed to calculate the target attack path from that attack graph is large. To reduce that amount of computation, a second attack graph of the target network may first be obtained according to the acquired network information, and redundant information in the second attack graph is then removed to obtain the first attack graph. It can be understood that the first attack graph contains less data than the second attack graph but retains the effective information of the second attack graph. In this way, the computation needed to calculate the target attack path can be effectively reduced.
In a possible implementation manner, the target attack path may be one or more attack paths in the aforementioned first attack path set with relatively low attack costs. In one example, in order to determine the target attack path, a specific algorithm or model may be combined with the first attack graph to obtain the target attack path, where an algorithm with this characteristic can determine the attack cost of each attack path in the first attack path set.
In a possible implementation manner, the target attack path may be obtained using a multi-armed bandit (multi-arm gambling machine) model and the first attack graph. The multi-armed bandit model corresponds to the single-step reinforcement learning task in reinforcement learning, and an attack path with a lower attack cost can be determined on the basis of it. In one example, when the target attack path of the target network is determined according to the multi-armed bandit model and the first attack graph, a first attack path set that can make the target network transition from a first state to a second state may be obtained according to the current state of the target network (the first state), the state of the target network when the attack target is achieved (the second state), and the first attack graph. It can be understood that any attack path in the first attack path set can make the target network transition from the first state to the second state. The multi-armed bandit model is then used to calculate the reward of each attack path in the first attack path set, and the target attack path is selected from the first attack path set according to the reward of each attack path.
In a possible implementation manner, when the target attack path is selected from the first attack path set according to the reward of each attack path, the N attack paths ranked highest when the first attack path set is sorted by reward from high to low may be determined as the target paths. N here is an integer greater than or equal to 1. When the value of N is 1, the target path is in fact the optimal attack path for achieving the attack target.
第二方面,本申请提供了一种控制管理实体,包括:收发单元和处理单元。所述收发单元用于执行以上第一方面以及第一方面任意一项所述的控制管理实体执行的收发操作,所述处理单元用于执行以上第一方面以及第一方面任意一项所述的控制管理实体执行的除收发操作之外的其它操作。In a second aspect, the present application provides a control management entity, including: a transceiver unit and a processing unit. The transceiving unit is configured to perform the transceiving operation performed by the control management entity according to any one of the above first aspect and the first aspect, and the processing unit is configured to perform the above first aspect and any one of the first aspect. Controls other operations performed by the management entity in addition to sending and receiving operations.
In a third aspect, the present application provides a control management entity that includes a memory and a processor. The memory is configured to store program code, and the processor is configured to run the instructions in the program code so that the control management entity performs the method of the first aspect or any implementation of the first aspect.
In a fourth aspect, the present application provides a control management entity that includes a communication interface and a processor. The communication interface is configured to perform the transceiving operations performed by the control management entity in the first aspect or any implementation of the first aspect, and the processor is configured to perform the operations, other than transceiving operations, performed by the control management entity in the first aspect or any implementation of the first aspect.
In a fifth aspect, the present application provides a computer-readable storage medium that stores instructions which, when run by a processor, implement the method of the first aspect or any implementation of the first aspect.
In a sixth aspect, the present application provides a computer program product including a computer program which, when run by a processor, implements the method of the first aspect or any implementation of the first aspect.
Description of the drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Figure 1 is a schematic diagram of a network system in which honeypots are deployed;
Figure 2 is a schematic flowchart of a network security protection method provided by an embodiment of the present application;
Figure 3 is a schematic structural diagram of a control management entity provided by an embodiment of the present application;
Figure 4 is a schematic structural diagram of a control management entity provided by an embodiment of the present application;
Figure 5 is a schematic structural diagram of a control management entity provided by an embodiment of the present application.
Detailed description of embodiments
The embodiments of the present application provide a network security protection method and apparatus that can effectively improve network security.
For ease of understanding, background knowledge of network security protection and the possible application scenarios of the embodiments of the present application are introduced first.
With the development of network technology, network security problems have become increasingly prominent; attackers can disrupt the normal operation of network services by attacking the network.
At present, to ensure network security, a defense system can be built on the basis of the network architecture, combining a variety of different defense measures to achieve network security defense. Such a defense system may include, for example, firewalls, intrusion detection, security gateways, antivirus software, data encryption, access control, user authentication and so on, which are not enumerated one by one here. However, the construction of such a defense system relies on prior knowledge of existing network attacks; it is a passive defense technique. In other words, such a defense system can only block known attacks and cannot block unknown ones. Therefore, such a defense system cannot effectively prevent network attacks.
Because the defense system described above cannot effectively prevent network attacks, honeypot technology emerged. Honeypot technology deploys decoy communication devices that lure attackers into attacking the decoys, thereby reducing the attack traffic directed at real communication devices and further protecting network security. In addition, the attacks suffered by a decoy communication device can be analyzed to obtain the attacker's attack intention, and corresponding countermeasures can be taken, so as to effectively delay or even stop the network attack and thereby protect network security. A decoy communication device may also be called a honeypot.
Figure 1 is a schematic diagram of a network system in which honeypots are deployed. As shown in Figure 1, the data collection, processing and analysis module can collect attack information against the decoy communication devices and analyze that information to obtain the attacker's attack intention; according to the attack intention, corresponding countermeasures can then be taken to protect the real communication devices.
For a network to be protected, multiple honeypots can be deployed, and honeypot technology can also be combined with the defense system described above to protect network security. The combination of honeypot technology with the defense system described above may also be called honeynet technology. In honeynet technology, in order to lure more attack traffic, the honeypots may run the same systems as the communication devices in the network to be protected. For example, if the hosts in the network to be protected run Windows, the honeypots may also run Windows. Moreover, to reduce the deployment cost of honeynet technology, the honeynet's defense strategy can be adjusted dynamically. For example, in a first communication cycle, ports 1 to 10 of a honeypot are opened, and in a second communication cycle, ports 11 to 20 of the honeypot are opened.
However, current honeynet technology can only adjust the honeynet's defense measures according to attacks that have already been captured. It can be understood that adjusting the honeynet's defense strategy only after an attack has been detected has two problems: on the one hand, the attack has already occurred, and adjusting the honeynet's defense strategy at that point cannot provide complete and effective protection; on the other hand, the attacks present in a network are numerous, and adjusting the honeynet defense strategy solely on the basis of captured attacks makes it difficult to defend against high-risk, covert attacks. In other words, current honeynet technology also cannot effectively protect network security.
In view of this, the embodiments of the present application provide a network security protection method that can predict, from the network information of a target network, the attack means an attacker may adopt, and dynamically deploy a security protection policy accordingly, thereby effectively preventing network attacks and improving network security.
The communication device mentioned in the embodiments of the present application may be a network device such as a switch or a router, or may be a component of a network device, such as a board or a line card on the network device, or a functional module on the network device; the embodiments of the present application do not specifically limit this. The communication device may also be user equipment. Communication devices may, for example but not exclusively, be directly connected by Ethernet cable or optical cable.
Figure 2 is a schematic flowchart of a network security protection method provided by an embodiment of the present application. The network security protection method 100 shown in Figure 2 may be performed by a control management entity.
The control management entity mentioned in the embodiments of the present application may be, for example, a device running a network management system (NMS), or a controller. The control management entity may be a functional module that implements control and/or management functions, or a physical entity on which the relevant functional modules run; such a physical entity may be, for example, a server or a communication device on which the relevant software is installed, the relevant software being used to implement the functions of the control management entity. The embodiments of the present application do not specifically limit this.
The method 100 shown in Figure 2 may include, for example, the following S101 to S103.
S101: Periodically acquire network information of the target network.
In the embodiments of the present application, the target network is the network to be protected, and it may include network devices and/or user equipment. The network devices in the target network may belong to the access network, the aggregation network or the core network, which is not specifically limited here.
The state information of the target network indicates the state of the target network. An attacker can analyze the network information of the target network and take corresponding attack actions. In the embodiments of the present application, in order to effectively protect the network security of the target network, the network information of the target network may first be acquired, and then the attack actions the attacker may take against the target network are predicted from the acquired network information.
In some embodiments, it is considered that an attacker generally attacks a network by using the network's vulnerabilities and/or the ports the network has open. Therefore, in one example, the network information of the target network may include vulnerability information of the target network and/or information about ports open on the target network. The open port information of the target network may be the protocol port numbers open on the communication devices in the target network. In the embodiments of the present application, a vulnerability analysis tool may be used to obtain the vulnerability information of the target network, and a port scanning tool may be used to obtain the open port information of the target network. The vulnerability analysis tool and the port scanning tool are not limited here.
In some embodiments, it is considered that the more information about the target network an attacker can obtain, the easier it is for the attacker to analyze the target network and decide on attack actions. Therefore, in addition to the aforementioned vulnerability information and/or open port information, the network information of the target network may include other information. As one example, since the alarm information of the target network can to some extent also expose weak points of the target network, and an attacker can use alarm information to decide on attack actions, the network information of the target network may also include alarm information. As another example, if an attacker obtains the topology information and the device configuration information of the target network, the attacker can use that topology and device configuration information to carry out a targeted, precise attack on the target network; therefore, the network information of the target network may also include device configuration information and/or topology information of the target network. The device configuration information of the target network may be the configuration information of the communication devices in the target network, and the configuration information of a communication device may include, for example, the communication protocols the device supports, the ports it has open, and the services it provides.
S102: Determine, according to the acquired network information, a target attack path of the target network in its current state, where the target attack path is used to achieve an attack target.
After the network information of the target network is obtained, the target attack path of the target network in its current state can be determined from it. The target attack path is an attack path the attacker may take in order to achieve the attack target. An attack path can be regarded as a set of attack actions the attacker performs in a certain order. For example: the attacker exploits vulnerability A to compromise communication device A; then, from the compromised device A, exploits vulnerability B to compromise communication device B; and finally, from the compromised device B, exploits vulnerability C to achieve the attack target. In this case, the attacker's attack path consists of three attack actions performed in sequence: exploiting vulnerability A to attack communication device A, exploiting vulnerability B to attack communication device B, and exploiting vulnerability C to achieve the attack target. The attack target mentioned here may be, for example, compromising a particular communication device.
It can be understood that, for the target network in its current state, there may be more than one attack path by which the attacker can achieve the attack target. In one example, S102 may be implemented by determining a first attack path set from the acquired network information, where the first attack path set is the set of multiple attack paths that can achieve the attack target. In other words, every attack path in the first attack path set can achieve the attack target. Precisely because every attack path in the first attack path set can achieve the attack target, an attacker who wishes to achieve it may use any one or more of the attack paths in the first attack path set to attack the target network. Therefore, after the first attack path set is determined, the target attack path can be selected from it.
In one example, determining the first attack path set from the acquired network information may be implemented by traversing, according to the network information, the attack paths the attacker could carry out, to obtain the first attack path set. In another example, a first attack graph of the target network may be obtained from the network information of the target network, and the first attack path set is then obtained from the first attack graph. For the first attack graph and the specific way the first attack path set is obtained from it, refer to the relevant description below; it is not detailed here.
In one example, one or more attack paths may be selected at random from the first attack path set as the target attack path.
In another example, it is considered that although every attack path in the first attack path set can achieve the attack target, the attack cost of each path may differ. For example, suppose the first attack path set includes attack path 1 and attack path 2, where attack path 1 achieves the attack target by using only one port, while attack path 2 must compromise three communication devices to achieve it; clearly, the attack cost of attack path 1 is lower than that of attack path 2. When attacking a network, attackers tend to prefer achieving the attack target at a lower attack cost. Therefore, in one implementation, one or more attack paths with a relatively low attack cost may be selected from the first attack path set as the target attack path. For example, the attack paths in the first attack path set may be sorted by attack cost from low to high, and a certain number of the highest-ranked paths taken as the target attack paths. It can be understood that, among the attack paths in the first attack path set, the attacker is most likely to attack the target network by the path with the lowest attack cost; therefore, in one example, the target attack path may be the attack path in the first attack path set with the lowest attack cost. The attack path in the first attack path set with the lowest attack cost may also be called the optimal attack path.
S103: Dynamically deploy a security protection policy according to the target attack path.
After the target attack path is obtained, a security protection policy can be dynamically deployed according to it. Since the target attack path is an attack means the attacker may adopt, dynamically deploying a security protection policy according to the target attack path can effectively intercept attack traffic and thereby protect the network security of the target network.
In one implementation of S103, the security protection policy of the honeypots in the target network can be adjusted dynamically according to the target attack path, so that the honeypots lure more attack traffic and thereby protect the target network. In some embodiments, if a honeypot is already deployed in the target network, the security protection policy of that existing honeypot can be adjusted. For example, if the target attack path indicates that the attacker may achieve the attack target through port XX, port XX can be opened on the existing honeypot to lure the attack traffic. As another example, if the target attack path indicates that the attacker may achieve the attack target through an existing vulnerability X, vulnerability X can be deployed on the honeypot, so as to lure the attack traffic and protect the real communication devices. In other embodiments, a new honeypot may be added to the target network. For example, if no honeypot was originally deployed in the target network, a honeypot can be added to lure the attack traffic; or, although a honeypot is already deployed in the target network, its security protection policy is not suitable for adjustment, in which case a new honeypot can be added to lure the attack traffic.
In another implementation of S103, a protection policy against the attack traffic corresponding to the target attack path may be deployed on the firewall. In one example, the characteristics the attack traffic is likely to have can be analyzed from the target attack path, and once these characteristics are obtained an interception policy for that attack traffic can be deployed on the firewall. In another example, after the honeypots' security protection policy has been dynamically adjusted in the target network on the basis of the target attack path, the control management entity can collect the attacks the honeypots receive, analyze them, and deploy a corresponding protection policy on the firewall according to the analysis result. For example, if a honeypot receives a large amount of attack traffic aimed at port XX, a traffic inspection policy for port XX can be deployed on the firewall.
It can be seen from the above description that, with the method 100, the control management entity can predict from the state information of the target network the attack means the attacker may adopt against it, and dynamically deploy the corresponding security protection policy, thereby effectively preventing network attacks and improving the network security of the target network. Moreover, the state information of the target network collected at different collection times may differ, the target attack means obtained from it differ accordingly, and consequently the deployed security protection policy differs as well. In other words, with this solution a security protection policy can be deployed dynamically on the basis of the network information of the target network, thereby effectively protecting network security.
A possible implementation of S102 is introduced next.
In one example, S102 can be implemented through the following step A and step B.
Step A: The control management entity obtains a first attack graph of the target network from the acquired network information.
First, a brief introduction to attack graphs.
A network always contains some security vulnerabilities, and there may be relationships between them: once one vulnerability has been successfully exploited, it may create favorable conditions for exploiting another. For example, after vulnerability A has been exploited to compromise communication device A, vulnerability B can be exploited to compromise communication device B. To find all such relationships completely, the attacker's attack process against the vulnerable network can be simulated to find every attack path that reaches the attack target, and these paths are then represented in the form of a graph; such a graph is an attack graph.
The first attack graph mentioned here can represent the relationships between the vulnerabilities of the target network and the attack paths that can reach the attack target. It can be understood that the first attack graph can, to a certain extent, reveal the potential high-risk threats to the target network.
In one example, an attack graph generation tool can output the first attack graph from the network information of the target network, so the attack graph generation tool may be used to generate the first attack graph. The embodiments of the present application do not specifically limit the attack graph generation tool; it may be, for example, the multi-host, multi-stage vulnerability analysis (MulVAL) tool.
In one example, it is considered that the attack graphs generated by some attack graph generation tools may contain a large amount of information, making the computation of the target attack path from such a graph expensive. To reduce the computation needed for the target attack path, a second attack graph of the target network may first be obtained from the acquired network information, and the redundant information in the second attack graph is then removed to obtain the first attack graph. For example, the MulVAL tool can be used to generate the second attack graph, and the algorithm to refine attack graph (ARAG) can be used to refine the second attack graph, removing its redundant information to obtain the first attack graph. It can be understood that the first attack graph contains less data than the second attack graph while retaining the effective information of the second attack graph.
Step B: The control management entity determines the target attack path according to the first attack graph.
As described above, the first attack graph can represent the relationships between the vulnerabilities of the target network and the attack paths that can reach the attack target. Therefore, the target attack path can be obtained from the first attack graph.
As is clear from the description of the target attack path above, the target attack path may be one or more attack paths in the first attack path set with a relatively low attack cost. In one example, to determine the target attack path, a specific algorithm or model may be combined with the first attack graph to obtain the target attack path, where that algorithm can determine the attack cost of each attack path in the first attack path set.
In one example, the target attack path can be obtained by using a hidden Markov model together with the first attack graph. For example, the known vulnerabilities, open ports and protocols in use in the target network can be taken as the observed states, the states of the target network under attack as the hidden states, and the observed and hidden states of the target network are related by certain probabilities. With the hidden Markov model, the next state of the system can be predicted from the values of the observed states. Finally, on the basis of vulnerability scores and defense costs, the Viterbi algorithm can be used to compute the most probable attack sequence, which yields the target attack path.
In another example, the target attack path can be obtained by using a Bayesian network together with the first attack graph. A Bayesian network is a probabilistic graphical network that derives the probability of an unknown event from prior knowledge combined with causal relationships. A Bayesian-network-based attack graph can be obtained from the Bayesian network and the first attack graph. The Bayesian-network-based attack graph consists of a triple {nodes, edges, probability matrix}, where the nodes represent the known vulnerabilities, exposed ports and similar information in the target network, the edges represent the dependencies between nodes, and the probability matrix represents the conditional probability of each node being attacked. Finally, the target attack path can be solved for with Bayes' formula.
在另一个示例中,可以利用多臂赌博机模型和所述第一攻击图得到所述目标攻击路径。考虑到多臂赌博机模型对应的是强化学习中的单步强化学习任务,基于多臂赌博机模型能够确定对应攻击代价较小的攻击路径,而前述隐马尔可夫模型和贝叶斯网络只能求解得到能够实现攻击目标的攻击路径,不能确定实现攻击目标且对应攻击代价较小的攻击路径。 因此,在一个优选的实现方式中,步骤B在实现时,可以利用多臂赌博机模型和所述第一攻击图,确定所述目标攻击路径。In another example, the target attack path can be obtained using a multi-armed slot machine model and the first attack graph. Considering that the multi-armed gambling machine model corresponds to the single-step reinforcement learning task in reinforcement learning, the multi-armed gambling machine model can determine the corresponding attack path with less attack cost, while the aforementioned hidden Markov model and Bayesian network only The attack path that can achieve the attack target can be solved, and the attack path that achieves the attack target and corresponds to the lower attack cost cannot be determined. Therefore, in a preferred implementation manner, when step B is implemented, the multi-arm gambling machine model and the first attack graph can be used to determine the target attack path.
First, a brief introduction to the multi-armed bandit model.
The multi-armed bandit model corresponds to the single-step reinforcement learning task in reinforcement learning. The multi-armed bandit problem can be described as follows: a slot machine has several arms; only one arm can be pulled at a time, and each pull yields some reward, but the reward associated with each arm is unknown. The multi-armed bandit problem asks which strategy for pulling the arms at each decision point maximizes the total reward obtained; in other words, which sequence of pulls of the machine's arms yields the maximum reward.
When the multi-armed bandit model is applied to the scenario of determining the target attack path, the problem can be summarized as follows: among the attack paths that can achieve the attack target, which ones have the larger reward, where the larger the reward of an attack path, the smaller the attack cost of that path.
An attack path may include multiple attack behaviors, and each attack behavior has a corresponding attack reward. For a given attack path, for example the first attack path, the reward of the first attack path can be determined from the rewards of the individual attack behaviors that the first attack path includes.
In one example, determining the target attack path of the target network from the multi-armed bandit model and the first attack graph is implemented as follows. From the current state of the target network (hereinafter the first state), the state of the target network when the attack target is achieved (hereinafter the second state), and the first attack graph, a first attack path set is obtained whose paths move the target network from the first state to the second state. It will be understood that any attack path in the first attack path set moves the target network from the first state to the second state. Then, the multi-armed bandit model is used to compute the reward of each attack path in the first attack path set, and the target attack path is selected from the first attack path set according to those rewards.
Regarding the first state and the second state, it should be noted that, in one example, when the target network is in the first state, the attack means available to the attacker form a second attack path set. Some attack paths in the second attack path set move the target network from the first state to the second state, and other attack paths in the second attack path set move the target network from the first state to some other state, for example a third state. As described above, the attack paths that move the target network from the first state to the second state form the first attack path set, so the first attack path set is a subset of the second attack path set. The first state may also indicate the attack goals the attacker has already achieved; similarly, the second state may indicate the attack goals the attacker has achieved when the target network is in the second state. In one example, the reward of an attack path can be determined by the following formula (1).
[Formula (1): Figure PCTCN2021131087-appb-000001, not reproduced on this page]
In formula (1):
[Figure PCTCN2021131087-appb-000002] constitutes an attack path, and [Figure PCTCN2021131087-appb-000003] denotes the (n+1)th attack behavior in that attack path, where n takes values between 0 and (l-1);
here l is greater than or equal to 1 and denotes the number of attack behaviors included in the attack path: when l equals 1, the attack path includes only the single attack behavior [Figure PCTCN2021131087-appb-000004]; when l equals 2, the attack path includes the attack behaviors [Figure PCTCN2021131087-appb-000005]; when l equals 3, the attack path includes the attack behaviors [Figure PCTCN2021131087-appb-000006]; when l equals 4, the attack path includes the attack behaviors [Figure PCTCN2021131087-appb-000007]; and so on;
[Figure PCTCN2021131087-appb-000008] is the reward of the attack path [Figure PCTCN2021131087-appb-000009], which indicates the attack cost of that attack path; E is the expectation operator;
[Figure PCTCN2021131087-appb-000010] denotes that, when the state of the target network is S(n), taking the attack behavior [Figure PCTCN2021131087-appb-000011] moves the state of the target network to S(n+1);
[Figure PCTCN2021131087-appb-000012] is the reward obtained by taking the attack behavior [Figure PCTCN2021131087-appb-000013] so that the state of the target network moves from S(n) to S(n+1);
β_n is the discount factor of [Figure PCTCN2021131087-appb-000014]; the discount factor may be an empirical value, and its specific value is not limited here.
It will be understood that the current state of the target network is S(0), i.e. the first state is S(0). After the attack behavior [Figure PCTCN2021131087-appb-000015] is taken, the state of the target network can move to S(1); after the attack behavior [Figure PCTCN2021131087-appb-000016] is then taken, the state of the target network can move to S(2); and so on. After the attack path [Figure PCTCN2021131087-appb-000017] has been executed in full, the state of the target network moves to S(l), at which point the attack target is achieved. That is, the state S(l) indicates the attack target, and the state S(l) is the second state described above.
It follows from formula (1) that determining the target attack path amounts to determining the N attack paths in the first path set with the highest rewards. In other words, the N attack paths in the first path set with the highest rewards are determined as the target paths. It will be understood that when N is 1, the target path is the optimal attack path for achieving the attack target. N is an integer greater than or equal to 1.
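The path ranking described above, as an added example that is not part of the patent: a constructed toy attack graph is searched for every path from the first state to the second state, each path is scored by the discounted expected sum of its behaviours' rewards (the formula image is not reproduced on this page, so the discount β_n = β^n and the "path ends at the first failed step" expectation are assumptions), the top N paths are selected, and the intermediate states on them are reported as the places where the control management entity would add a honeypot or firewall rule. All graph nodes, probabilities and rewards are constructed.

```python
# Added example (not from the patent): rank the attack paths of a toy
# attack graph by discounted expected reward, then list the states a
# defender would cover. The graph, probabilities and rewards below are
# constructed; the discount beta_n = beta**n is an assumption, since
# the formula (1) image is not reproduced on the page.
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class AttackBehavior:
    """One edge of the first attack graph: taking it in state `src` moves
    the target network to `dst` with probability `p_success` and, if it
    succeeds, yields `reward` (larger reward = smaller attack cost)."""
    name: str
    src: str
    dst: str
    p_success: float
    reward: float


# Constructed first attack graph. S0 is the first (current) state and
# S_db, where the database is reached, is the second state.
ATTACK_GRAPH: List[AttackBehavior] = [
    AttackBehavior("exploit_web_vuln", "S0", "S_web", 0.8, 3.0),
    AttackBehavior("phish_user", "S0", "S_user", 0.5, 2.0),
    AttackBehavior("pivot_web_to_db", "S_web", "S_db", 0.6, 5.0),
    AttackBehavior("escalate_user", "S_user", "S_admin", 0.7, 4.0),
    AttackBehavior("admin_to_db", "S_admin", "S_db", 0.9, 5.0),
    AttackBehavior("db_direct_guess", "S0", "S_db", 0.1, 8.0),
]

Path = Tuple[AttackBehavior, ...]


def first_attack_path_set(graph: List[AttackBehavior], first_state: str,
                          second_state: str, max_len: int = 8) -> List[Path]:
    """Every simple path that moves the network from first_state to
    second_state: the 'first attack path set' of the text."""
    paths: List[Path] = []

    def dfs(state: str, path: List[AttackBehavior], visited: Set[str]) -> None:
        if state == second_state:
            paths.append(tuple(path))
            return
        if len(path) >= max_len:
            return
        for b in graph:
            if b.src == state and b.dst not in visited:
                dfs(b.dst, path + [b], visited | {b.dst})

    dfs(first_state, [], {first_state})
    return paths


def path_reward(path: Path, beta: float = 0.9) -> float:
    """Expected discounted reward of a path: the n-th behaviour's reward
    is weighted by beta**n and by the probability that every behaviour
    up to and including it succeeded (a failed step ends the path)."""
    total, p_reached = 0.0, 1.0
    for n, b in enumerate(path):
        p_reached *= b.p_success          # P(S(n+1) reached from S(0))
        total += (beta ** n) * p_reached * b.reward
    return total


def target_attack_paths(graph: List[AttackBehavior], first_state: str,
                        second_state: str, n: int = 1,
                        beta: float = 0.9) -> List[Tuple[float, Path]]:
    """The N highest-reward paths of the first attack path set."""
    scored = [(path_reward(p, beta), p)
              for p in first_attack_path_set(graph, first_state, second_state)]
    scored.sort(key=lambda item: item[0], reverse=True)
    return scored[:n]


def defense_points(target_paths: List[Tuple[float, Path]]) -> Set[str]:
    """Intermediate states on the target paths: where the control
    management entity would add a honeypot or a firewall rule."""
    points: Set[str] = set()
    for _, path in target_paths:
        for b in path[:-1]:
            points.add(b.dst)
    return points


if __name__ == "__main__":
    top = target_attack_paths(ATTACK_GRAPH, "S0", "S_db", n=2)
    for reward, path in top:
        print(f"{reward:.3f}  " + " -> ".join(b.name for b in path))
    print("defend at:", sorted(defense_points(top)))
```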
In one example, the Gittins index of each attack behavior, for example [Figure PCTCN2021131087-appb-000018], can be computed using the Gittins theorem and the state-elimination algorithm (SEA), and the target attack path is then obtained from the Gittins indices of the individual attack behaviors. Since the Gittins theorem and SEA are mature algorithms, they are not described in detail here.
In addition, an embodiment of the present application further provides a control management entity 300, as shown in FIG. 3. FIG. 3 is a schematic structural diagram of a control management entity according to an embodiment of the present application. The control management entity 300 includes a transceiver unit 301 and a processing unit 302.
In one example, the control management entity 300 can perform the method 100 of the above embodiments; when the control management entity 300 is used to perform the method 100, it corresponds to the control management entity in the method 100. The transceiver unit 301 is configured to perform the transmitting and receiving operations that the control management entity performs in the method 100, and the processing unit 302 is configured to perform the operations other than transmitting and receiving that the control management entity performs in the method 100. For example, the transceiver unit 301 is configured to periodically acquire the network information of the target network, and the processing unit 302 is configured to determine, according to the acquired network information, the target attack path of the target network in its current state, the target attack path being used to achieve the attack target, and to dynamically deploy a security protection policy according to the target attack path.
In addition, an embodiment of the present application further provides a control management entity 400, as shown in FIG. 4. FIG. 4 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application. The control management entity 400 includes a communication interface 401 and a processor 402 connected to the communication interface 401.
In one example, the control management entity 400 can perform the method 100 of the above embodiments; when the control management entity 400 is used to perform the method 100, it corresponds to the control management entity in the method 100. The communication interface 401 is configured to perform the transmitting and receiving operations that the control management entity performs in the method 100, and the processor 402 is configured to perform the operations other than transmitting and receiving that the control management entity performs in the method 100. For example, the communication interface 401 is configured to periodically acquire the network information of the target network, and the processor 402 is configured to determine, according to the acquired network information, the target attack path of the target network in its current state, the target attack path being used to achieve the attack target, and to dynamically deploy a security protection policy according to the target attack path.
In addition, an embodiment of the present application further provides a control management entity 500, as shown in FIG. 5. FIG. 5 is a schematic structural diagram of a communication apparatus according to an embodiment of the present application.
The control management entity 500 can be used to perform the method 100 of the above embodiments.
As shown in FIG. 5, the control management entity 500 may include a processor 510, a memory 520 coupled to the processor 510, and a transceiver 530. The transceiver 530 may be, for example, a communication interface or an optical module. The processor 510 may be a central processing unit (CPU), a network processor (NP), or a combination of a CPU and an NP. The processor may also be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination of them. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination of them. The processor 510 may be a single processor or may include multiple processors. The memory 520 may include volatile memory, such as random-access memory (RAM); it may also include non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory 520 may also include a combination of these kinds of memory. The memory 520 may be a single memory or may include multiple memories. In one embodiment, the memory 520 stores computer-readable instructions that include a plurality of software modules, for example a sending module 521, a processing module 522 and a receiving module 523. After executing each software module, the processor 510 can perform the corresponding operations as instructed by that module. In this embodiment, an operation performed by a software module refers to an operation performed by the processor 510 according to the instructions of that software module.
In one example, the control management entity 500 can perform the method 100 of the above embodiments; when the control management entity 500 is used to perform the method 100, it corresponds to the control management entity in the method 100. The transceiver 530 is configured to perform the transmitting and receiving operations that the control management entity performs in the method 100, and the processor 510 is configured to perform the operations other than transmitting and receiving that the control management entity performs in the method 100. For example, the transceiver 530 is configured to periodically acquire the network information of the target network, and the processor 510 is configured to determine, according to the acquired network information, the target attack path of the target network in its current state, the target attack path being used to achieve the attack target, and to dynamically deploy a security protection policy according to the target attack path.
The present application further provides a computer-readable storage medium storing instructions which, when run on a computer, cause the computer to perform any one or more operations of the methods described in the foregoing embodiments (for example, the method 100).
The present application further provides a computer program product including a computer program which, when run on a computer, causes the computer to perform any one or more operations of the methods described in the foregoing embodiments (for example, the method 100).
The terms "first", "second", "third", "fourth" and the like (if any) in the description, claims and drawings of the present application are used to distinguish similar objects and need not describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can be practised in orders other than those illustrated or described here. Furthermore, the terms "comprise" and "have" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to such a process, method, product or device.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatuses and units described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, apparatuses and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into units is only a logical division of functions, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of another form.
Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or in whole or in part, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of the present application. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc.
Those skilled in the art will appreciate that, in one or more of the examples above, the functions described in the present invention may be implemented in hardware, software, firmware or any combination of them. When implemented in software, these functions may be stored on, or transmitted as one or more instructions or code over, a computer-readable medium. Computer-readable media include computer storage media and communication media, the latter including any medium that facilitates transfer of a computer program from one place to another. A storage medium may be any available medium that can be accessed by a general-purpose or special-purpose computer.
The specific embodiments above describe the objectives, technical solutions and beneficial effects of the present invention in further detail; it should be understood that they are merely specific embodiments of the present invention.
The above embodiments are only intended to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.

Claims (27)

  1. 一种网络安全防护方法,其特征在于,由控制管理实体执行,所述方法包括:A network security protection method, characterized in that it is executed by a control management entity, the method comprising:
    周期性的获取目标网络的网络信息;Periodically obtain the network information of the target network;
    根据获取到的所述网络信息确定所述目标网络在当前状态下的目标攻击路径,所述目标攻击路径用于实现攻击目标;Determine the target attack path of the target network in the current state according to the acquired network information, and the target attack path is used to realize the attack target;
    根据所述目标攻击路径动态部署安全防护策略。The security protection strategy is dynamically deployed according to the target attack path.
  2. 根据权利要求1所述的方法,其特征在于,所述目标网络的网络信息,包括以下一项或者多项:The method according to claim 1, wherein the network information of the target network includes one or more of the following:
    漏洞信息和开放的端口信息。Vulnerability information and open port information.
  3. 根据权利要求2所述的方法,其特征在于,所述目标网络的网络信息,还包括以下任意一项或者多项:The method according to claim 2, wherein the network information of the target network further includes any one or more of the following:
    告警信息、设备配置信息和拓扑信息。Alarm information, device configuration information, and topology information.
  4. 根据权利要求1-3任意一项所述的方法,其特征在于,所述目标攻击路径为实现攻击目标的最优攻击路径。The method according to any one of claims 1-3, wherein the target attack path is an optimal attack path for realizing the attack target.
  5. 根据权利要求1-4任意一项所述的方法,其特征在于,所述根据所述目标攻击路径动态部署安全防护策略,包括:The method according to any one of claims 1-4, wherein the dynamically deploying a security protection policy according to the target attack path comprises:
    根据所述目标攻击路径,在目标网络内动态调整蜜罐的安全防护策略。According to the target attack path, the security protection strategy of the honeypot is dynamically adjusted in the target network.
  6. 根据权利要求5所述的方法,其特征在于,所述在目标网络内动态调整蜜罐的安全防护策略,包括:The method according to claim 5, wherein the dynamically adjusting the security protection policy of the honeypot in the target network comprises:
    在所述目标网络中新增蜜罐,或者,Add a honeypot to the target network, or,
    对所述目标网络中已有的蜜罐的安全防护策略进行调整。Adjust the security protection strategy of the existing honeypot in the target network.
  7. 根据权利要求1-4任意一项所述的方法,其特征在于,根据所述目标攻击路径动态部署安全防护策略,包括:The method according to any one of claims 1-4, wherein dynamically deploying a security protection strategy according to the target attack path, comprising:
    在防火墙上部署针对所述目标攻击路径对应的攻击流量的防护策略。A protection policy for attack traffic corresponding to the target attack path is deployed on the firewall.
  8. 根据权利要求1-7任意一项所述的方法,其特征在于,所述根据获取到的所述网络信息确定所述目标网络在当前状态下的目标攻击路径,包括:The method according to any one of claims 1-7, wherein the determining the target attack path of the target network in the current state according to the acquired network information comprises:
    根据所述网络信息,确定第一攻击路径集合,所述第一攻击路径集合中的所有攻击路径均能达到所述攻击目标;determining a first attack path set according to the network information, and all attack paths in the first attack path set can reach the attack target;
    从所述第一攻击路径集合中选择所述目标攻击路径。The target attack path is selected from the first set of attack paths.
  9. 根据权利要求1-7任意一项所述的方法,其特征在于,根据获取到的所述网络信息确定所述目标网络在当前状态下的目标攻击路径,包括:The method according to any one of claims 1-7, wherein determining the target attack path of the target network in the current state according to the acquired network information, comprising:
    根据获取到的所述网络信息,得到所述目标网络的第一攻击图;obtaining a first attack graph of the target network according to the obtained network information;
    根据所述第一攻击图确定所述目标攻击路径。The target attack path is determined according to the first attack graph.
  10. 根据权利要求9所述的方法,其特征在于,所述根据所述第一攻击图确定所述目标攻击路径,包括:The method according to claim 9, wherein the determining the target attack path according to the first attack graph comprises:
    根据多臂赌博机模型和所述第一攻击图,确定所述目标攻击路径。The target attack path is determined according to the multi-armed gambling machine model and the first attack graph.
  11. 根据权利要求10所述的方法,其特征在于,所述根据多臂赌博机模型和所述第一攻击图,确定所述目标网络的目标攻击路径,包括:The method according to claim 10, wherein the determining the target attack path of the target network according to the multi-arm gambling machine model and the first attack graph comprises:
    根据所述第一攻击图确定使得所述目标网络由第一状态转移到第二状态的第一攻击路径集合,所述第一状态为所述目标网络的当前状态,所述第二状态为达成所述攻击目标时所述目标网络的状态,所述第一攻击集合中的各个攻击路径均能够使得所述目标网络由所述第一状态转移为所述第二状态;A first attack path set that causes the target network to transition from a first state to a second state is determined according to the first attack graph, where the first state is the current state of the target network, and the second state is achieved the state of the target network when the target is attacked, and each attack path in the first attack set can make the target network transition from the first state to the second state;
    根据所述多臂赌博机模型确定所述第一攻击路径集合中各个攻击路径分别对应的报酬;Determine the reward corresponding to each attack path in the first attack path set according to the multi-arm gambling machine model;
    根据所述第一攻击路径集合中各个攻击路径分别对应的报酬,从所述第一攻击路径中选择所述目标攻击路径。The target attack path is selected from the first attack paths according to the respective rewards corresponding to each attack path in the first attack path set.
  12. 根据权利要求11所述的方法,其特征在于,所述根据所述第一攻击路径集合中各个攻击路径分别对应的报酬,从所述第一攻击路径中选择所述目标攻击路径,包括:The method according to claim 11, wherein the selecting the target attack path from the first attack paths according to the rewards corresponding to each attack path in the first attack path set comprises:
    将所述第一路径集合中的对应报酬由高到底排序靠前的N个攻击路径,确定为所述目标路径,所述N为大于或者等于1的整数。Determining the top N attack paths in the first path set with corresponding rewards sorted from high to bottom as the target path, where N is an integer greater than or equal to 1.
  13. A control and management entity, wherein the control and management entity comprises a memory and a processor;
    the memory is configured to store instructions; and
    the processor is configured to run the instructions so that the control and management entity performs the method according to any one of claims 1 to 12.
  14. A computer-readable storage medium, wherein the computer-readable storage medium stores instructions which, when run by a processor, implement the method according to any one of claims 1 to 12.
  15. A computer program product, comprising a computer program which, when run by a processor, implements the method according to any one of claims 1 to 12.
  16. A network security protection apparatus, applied to a control and management entity, the apparatus comprising:
    an acquisition unit, configured to periodically acquire network information of a target network;
    a determining unit, configured to determine, according to the acquired network information, a target attack path of the target network in its current state, the target attack path being a path by which an attack target can be achieved; and
    a deployment unit, configured to dynamically deploy a security protection policy according to the target attack path.
  17. The apparatus according to claim 16, wherein the network information of the target network comprises one or more of the following:
    vulnerability information and open port information.
  18. The apparatus according to claim 17, wherein the network information of the target network further comprises any one or more of the following:
    alarm information, device configuration information and topology information.
  19. The apparatus according to any one of claims 16 to 18, wherein the target attack path is the optimal attack path for achieving the attack target.
  20. The apparatus according to any one of claims 16 to 19, wherein the deployment unit is configured to:
    dynamically adjust the honeypot security protection policy within the target network according to the target attack path.
  21. The apparatus according to claim 20, wherein the deployment unit is configured to:
    add a new honeypot to the target network according to the target attack path, or
    adjust the security protection policy of an existing honeypot in the target network according to the target attack path.
  22. The apparatus according to any one of claims 16 to 19, wherein the deployment unit is configured to:
    deploy, on a firewall, a protection policy directed at the attack traffic corresponding to the target attack path.
  23. The apparatus according to any one of claims 16 to 22, wherein the determining unit is configured to:
    determine a first attack path set according to the network information, every attack path in the first attack path set being able to reach the attack target; and
    select the target attack path from the first attack path set.
  24. The apparatus according to any one of claims 16 to 22, wherein the determining unit is configured to:
    obtain a first attack graph of the target network according to the acquired network information; and
    determine the target attack path according to the first attack graph.
  25. The apparatus according to claim 24, wherein determining the target attack path according to the first attack graph comprises:
    determining the target attack path according to a multi-armed bandit model and the first attack graph.
  26. The apparatus according to claim 25, wherein determining the target attack path of the target network according to the multi-armed bandit model and the first attack graph comprises:
    determining, according to the first attack graph, a first attack path set that causes the target network to transition from a first state to a second state, where the first state is the current state of the target network, the second state is the state of the target network when the attack target has been achieved, and each attack path in the first attack path set is able to move the target network from the first state to the second state;
    determining, according to the multi-armed bandit model, the reward corresponding to each attack path in the first attack path set; and
    selecting the target attack path from the first attack path set according to the rewards corresponding to the respective attack paths in the first attack path set.
  27. The apparatus according to claim 26, wherein selecting the target attack path from the first attack path set according to the rewards corresponding to the respective attack paths in the set comprises:
    determining, as the target attack path, the N attack paths in the first attack path set that rank highest when sorted by corresponding reward from high to low, where N is an integer greater than or equal to 1.
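The method claims (11 and 12) and the apparatus claims (16 to 27) describe one procedure: periodically acquire vulnerability, port, alarm and topology information, build an attack graph, enumerate the paths that take the network from its current state to the attack target, score each path with a multi-armed bandit, keep the top N, and place honeypots and firewall rules along them. The Python below is an added worked example of that cycle written for this page; it is not code from the patent or from Huawei. Everything in it is a constructed assumption: the hosts and reachability edges, the intruder's routes across eight periods, UCB1 as the bandit, the reward as the fraction of a defended path's hops whose decoys fired during the period (the claims do not specify how the reward is obtained), and the honeypot and firewall record format.

```python
"""Attack-graph path ranking with a multi-armed bandit, then policy deployment.
Added example for this page, not code from patent WO2022127482A1.  Hosts,
reachability, attacker routes, the UCB1 reward and the policy records are all
constructed assumptions."""
from __future__ import annotations

import math

Edge = tuple[str, str, int]   # (src host, dst host, dst port): one attack step
Path = tuple[Edge, ...]

# Constructed network information: every listed service is assumed exploitable.
NETWORK_INFO = {
    "entry": "internet",   # first state: the attacker's current foothold
    "target": "db",        # second state: the attack target has been reached
    "edges": [("internet", "web", 443), ("internet", "vpn", 1194), ("web", "app", 8080),
              ("vpn", "app", 8080), ("vpn", "db", 5432), ("app", "db", 5432)],
}

def build_attack_graph(info: dict) -> dict[str, list[Edge]]:
    """Adjacency list keyed by source host (the 'first attack graph')."""
    graph: dict[str, list[Edge]] = {}
    for src, dst, port in info["edges"]:
        graph.setdefault(src, []).append((src, dst, port))
    return graph

def enumerate_attack_paths(graph: dict[str, list[Edge]], entry: str, target: str) -> list[Path]:
    """All simple paths from first state to second state: the 'first attack path set'."""
    paths: list[Path] = []
    def dfs(node: str, visited: frozenset[str], trail: list[Edge]) -> None:
        if node == target:
            paths.append(tuple(trail))
            return
        for edge in graph.get(node, []):
            if edge[1] not in visited:          # visited set blocks cycles
                dfs(edge[1], visited | {edge[1]}, trail + [edge])
    dfs(entry, frozenset({entry}), [])
    return sorted(paths)                        # deterministic arm order

def honeypot_hits(defended: Path, attacker_path: Path) -> float:
    """Period reward for a defended path: fraction of its hops whose decoys fired
    (stand-in for claim 18's alarm feed; undefended paths report nothing)."""
    return len(set(defended) & set(attacker_path)) / len(defended)

class PathBandit:
    """UCB1 over attack paths: an arm pull = defending that path for one period."""
    def __init__(self, paths: list[Path]) -> None:
        self.paths, self.rounds = paths, 0
        self.pulls = [0] * len(paths)
        self.total_reward = [0.0] * len(paths)

    def scores(self) -> list[float]:
        """Mean reward + exploration bonus; untried paths get +inf so each is probed once."""
        t = max(self.rounds, 1)
        return [math.inf if n == 0 else r / n + math.sqrt(2 * math.log(t) / n)
                for n, r in zip(self.pulls, self.total_reward)]

    def select_top_n(self, n: int) -> list[int]:
        """Claims 12/27: the N paths ranked by reward, highest first (ties by index)."""
        s = self.scores()
        return sorted(range(len(self.paths)), key=lambda i: (-s[i], i))[:n]

    def update(self, selected: list[int], attacker_path: Path) -> None:
        """Feed back one period of telemetry, for the defended paths only."""
        self.rounds += 1
        for i in selected:
            self.pulls[i] += 1
            self.total_reward[i] += honeypot_hits(self.paths[i], attacker_path)

def deploy_policies(paths: list[Path], selected: list[int]) -> list[dict]:
    """Claims 21/22: a decoy plus a firewall rule per hop of each selected path, deduplicated
    because paths share hops.  Constructed format; 'alert' rather than 'deny' because the
    same port also carries legitimate flows, so blocking needs human review."""
    out: dict[tuple, dict] = {}
    for i in selected:
        for src, dst, port in paths[i]:
            out[("honeypot", src, dst, port)] = {"type": "honeypot", "decoy_of": dst,
                                                 "port": port, "reachable_from": src}
            out[("firewall", src, dst, port)] = {"type": "firewall", "action": "alert",
                                                 "src": src, "dst": dst, "port": port}
    return list(out.values())

def run_periods(info: dict, attacker_paths: list[Path], n: int = 1):
    """One defender cycle per period (claim 16): acquire -> graph -> paths -> rewards ->
    top-N -> deploy.  `attacker_paths` is constructed ground truth that the defender only
    sees through hits on the paths it chose to defend."""
    paths = enumerate_attack_paths(build_attack_graph(info), info["entry"], info["target"])
    bandit, history = PathBandit(paths), []
    for used in attacker_paths:
        chosen = bandit.select_top_n(n)
        history.append(chosen)
        bandit.update(chosen, used)
    final = bandit.select_top_n(n)
    return paths, bandit, history, final, deploy_policies(paths, final)

# Constructed intruder behaviour: mostly the direct VPN -> db route, twice via web.
VPN_DIRECT: Path = (("internet", "vpn", 1194), ("vpn", "db", 5432))
VIA_WEB: Path = (("internet", "web", 443), ("web", "app", 8080), ("app", "db", 5432))
ATTACKER_SEQUENCE = [VPN_DIRECT] * 2 + [VIA_WEB] + [VPN_DIRECT] * 3 + [VIA_WEB, VPN_DIRECT]

if __name__ == "__main__":
    print(run_periods(NETWORK_INFO, ATTACKER_SEQUENCE)[2:])
```

Running `run_periods(NETWORK_INFO, ATTACKER_SEQUENCE)` with N = 1 probes each of the three paths once, then converges on the direct VPN route the intruder actually favours, while the path that shares the app-to-db hop keeps a non-zero estimate because its decoy on that hop fires when the intruder comes in via the web server. A bandit rather than plain counting fits the claimed setting because feedback only exists for the paths on which decoys were deployed; the exploration bonus is what keeps an initially unlucky path from being dropped for good. Note the operational caveat encoded in `deploy_policies`: a rule keyed on a hop's port also matches legitimate traffic on shared hops, so the example emits alert rules and leaves enforcement to review.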
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202011505798.7 2020-12-18
CN202011505798.7A CN114726557A (en) 2020-12-18 2020-12-18 Network security protection method and device

Publications (1)

Publication Number Publication Date
WO2022127482A1 true WO2022127482A1 (en) 2022-06-23

Family

ID=82058915

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/131087 WO2022127482A1 (en) 2020-12-18 2021-11-17 Network security protection method and apparatus

Country Status (2)

Country Link
CN (1) CN114726557A (en)
WO (1) WO2022127482A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115391780B (en) * 2022-09-02 2024-02-02 中国电信股份有限公司 Security reinforcement method, system, equipment and storage medium for application code

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105827450A (en) * 2016-04-11 2016-08-03 全球能源互联网研究院 Bug restoration strategy generation method
CN107528850A (en) * 2017-09-05 2017-12-29 西北大学 A kind of optimal prevention policies analysis system and method based on improvement ant group algorithm
US20200137104A1 (en) * 2018-10-26 2020-04-30 Accenture Global Solutions Limited Criticality analysis of attack graphs
CN111683080A (en) * 2020-06-03 2020-09-18 西安电子科技大学 System and method for dynamically predicting and repairing high-risk attack path

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115242467A (en) * 2022-07-05 2022-10-25 北京华顺信安科技有限公司 Network data identification method and system
CN115242467B (en) * 2022-07-05 2024-02-06 北京华顺信安科技有限公司 Network data identification method and system
CN115034694A (en) * 2022-08-11 2022-09-09 成都数之联科技股份有限公司 Power grid vulnerability assessment method and device, electronic equipment and storage medium
CN116132090A (en) * 2022-11-09 2023-05-16 中国电子科技集团公司第三十研究所 Spoofing defending system for Web security protection
CN116132090B (en) * 2022-11-09 2024-04-02 中国电子科技集团公司第三十研究所 Spoofing defending system for Web security protection

Also Published As

Publication number Publication date
CN114726557A (en) 2022-07-08

Legal Events

Date Code Title Description
NENP Non-entry into the national phase; Ref country code: DE
122 Ep: pct application non-entry in european phase; Ref document number: 21905411; Country of ref document: EP; Kind code of ref document: A1