[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN104394177A - Calculating method of attack target accessibility based on global attack graph - Google Patents

Calculating method of attack target accessibility based on global attack graph Download PDF

Info

Publication number
CN104394177A
CN104394177A CN201410782322.6A CN201410782322A CN104394177A CN 104394177 A CN104394177 A CN 104394177A CN 201410782322 A CN201410782322 A CN 201410782322A CN 104394177 A CN104394177 A CN 104394177A
Authority
CN
China
Prior art keywords
attack
network
state
probability
target
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410782322.6A
Other languages
Chinese (zh)
Inventor
刘宇明
田丰
刘彤
何林宏
李辉
苏进
李晓耕
李朝广
韩熙媛
程涛
陈龙
陈文�
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
YUNNAN ELECTRIC POWER DISPATCH CONTROL CENTER
Original Assignee
YUNNAN ELECTRIC POWER DISPATCH CONTROL CENTER
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by YUNNAN ELECTRIC POWER DISPATCH CONTROL CENTER filed Critical YUNNAN ELECTRIC POWER DISPATCH CONTROL CENTER
Priority to CN201410782322.6A priority Critical patent/CN104394177A/en
Publication of CN104394177A publication Critical patent/CN104394177A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a calculating method of attack target accessibility based on a global attack graph. The calculating method comprises the following steps: generating the global network attack graph, wherein the attack graph contains all network target states; supposing that an attacker as an intelligent agent has a profound understanding of network vulnerability, selecting a next attack target according to the attack complexity of each vulnerability and further calculating the accessibility probability of the attack target. The calculating method has the benefits that the vulnerability exiting in a network can be analyzed from a global perspective; when the accessibility of the attack target is calculated, the behavior characteristics of the attacker are considered, so that analysis results are more objective and more accurate.

Description

A kind of computational methods of the target of attack accessibility based on global attack figure
Technical field
The present invention relates to a kind of computational methods of the target of attack accessibility based on global attack figure.
Background technology
Because network attack means present complicated and diversified trend, can find to cause the attack sequence of network state transition to become the key link of network security assessment work.At present, the generation method of attack graph model can be divided into two classes.First kind method adopts model inspection or programming in logic technology to generate attack graph.These class methods use a model detector or the programming in logic systems axiol-ogy attack path for a certain target of attack.Equations of The Second Kind method adopts the thought based on graph theory to generate attack graph.The people such as Ammann are from network initial state, and all paths that can arrive target of attack of forward lookup, then oppositely export attack path from target of attack.Zhang Tao and Sun Liang obtains the dependence between network state by search assailant utilizable main frame weakness under current network state, if arrive objective network state, then search procedure stops, and exports attack path.Although researcher proposes various attacks figure modeling method, these methods are all towards simple target.In addition, about the analytical method of attack graph model, especially quantitative analysis method is also less, existing attack graph analytical method just tries to achieve the attack complexity product of each weakness on attack path simply when calculating destination node reachable probability, these class methods have ignored such fact: assailant is as intelligent agent, the weakness that often prioritizing selection complexity is low is attacked, thus causes analysis result not accurate enough.In order to solve the problem, this section proposes a kind of network vulnerability quantified analysis method based on attack graph.First outline has been carried out to global attack graph model, be then described by the behavioural characteristic of transition probability to assailant, given a kind of computational methods of new attack target reachable probability.Finally, illustrate the application of the method in network vulnerability analysis with example, and by with the comparing and analysis of traditional analytical method, demonstrate correctness and the validity of this analytical method.
For understanding the state of development of prior art, existing paper and patent being carried out to retrieval, have compared and analyze, has filtered out the technical information that following degree related to the present invention is higher:
Technical scheme 1: the patent No. is " identifying that fragility utilizes security threat and determines the method in correlation attack path " patent of CN102638458A, relate to technical field of network information safety, be specifically related to a kind ofly identify that fragility utilizes security threat and determines the method in correlation attack path, complete mainly through three steps: first, obtain causality attack graph according to the network configuration of operation system and vulnerability information, described causality attack graph is converted to the network attack map based on Colored Petri Nets;
The second, identify various fragility in operation system according to predefined operation system Security Target and utilize security threat target; 3rd, the described network attack map based on Colored Petri Nets is decomposed into sub-attack graph, obtains the attack path that described various fragility utilizes security threat target.
Technical scheme 2: the patent No. is " a kind of network risk analysis method " patent of CN101162993B, relate to a kind of network security assessment technology, particularly a kind of quantitative evaluation technology for network risks, complete mainly through five steps: first, collect topology, weakness, the information on services of current network, tectonic network attack graph; The second, according to network attack map, calculate the probability that each weakness victim successfully utilizes; 3rd, each weakness is combined with the impact of these weakness on host services, data by the probability successfully utilized, calculates the risk of each weakness to host availability, confidentiality and integrality; 4th, consider the demand for security of each main frame, calculate the integrated risk of each main frame; 5th, according to the integrated risk of each main frame, computing network integrated risk.
Technical scheme 3: the patent No. is " a kind of attack drawing generating method of depth-first " patent of CN101222317A, relate to a kind of network safety protective method, complete mainly through five steps: the first, collect whole security factors of current network, form initial network state; The second, use prolog systematic search assailant before arriving dbjective state the network state of likely process; 3rd, according to the dependence between the network state searched, structure attack path; 4th, when constructing attack path, reduced the scale of attack graph by the possibility and attack step number judging arrival destination node; 5th, the attack path of structure is combined into network attack map.
Traditional causality attack graph is converted to the network attack map based on Colored Petri Nets by method described in technical scheme 1.Each atomic strike in network attack map can independently perform, and the successful implementation of each atomic strike may change whole network system situation.Therefore, be relatively applicable to utilizing Colored Petri Nets be described network attack map and analyze.The described method of this invention is based on security threat targets all in system safety target identification services system, and adopt the decomposition of Colored Petri Nets the Realization of Simulation network attack map, disposablely can obtain the sub-attack graph of all security threat targets, i.e. attack path, efficiency is very high.But its algorithm is complicated, brings a large amount of resource overheads.
Technical scheme 2 collects topology, weakness, the information on services of current network by Nessus and OVALScanner scanner, and by the method generating network attack graph based on graph theory; According to network attack map, take the reachable probability of each state node in the method computing network attack graph of breadth First, each state node be mapped with weakness, calculate weakness by the probability successfully utilized; Provide each weakness on service and data impact quantitative criteria prerequisite under, in conjunction with weakness by the probability successfully utilized, calculate the risk that each weakness is brought to host services, data, finally, try to achieve the risk of host availability, confidentiality and integrality; According to the demand to availability, confidentiality and integrality of main frame, be assigned to three kinds of demand for security importance degree weights, then according to weights, the risk of computation host confidentiality, integrality and availability; The value-at-risk of each main frame is added up, tries to achieve the integrated risk of network.This technical scheme only mentions the method generating network attack graph by graph theory, and follow-up is computational methods about network synthesis risk on the basis of network attack map, does not illustrate how generating network attack graph.
The attack drawing generating method of technical scheme 3 depth-first, after the dependence finding overall network state node by prolog system, with the principle of depth-first, structure attack path; When constructing attack path, judge the length of destination node reachable probability and attack path; When destination node reachable probability is less than given threshold value, delete this path; Be greater than given threshold value when attack path and arrive destination node not yet, deleting path.This technical scheme considers this factor of destination node reachable probability, but the attack graph formed is only for simple target node, does not possess the feature of the overall situation.
Summary of the invention
The object of the invention is to generate global attack graph model, make keeper can from the fragility of the angle analysis network of the overall situation, the general safety situation of awareness network, analysis result be more objective.
Traditional attack graph analytical method, when calculating the reachable probability of dbjective state and target of attack, have ignored assailant and carries out the such fact of attack as the intelligent agent weakness that often prioritizing selection complexity is low, cause analysis result objective not.For this reason, transition probability is introduced attacking in the analysis of accessibility of target by the present invention.
Only comprise a kind of dbjective state in tradition attack graph model, but in reality, network manager not only needs to know that assailant may from a main frame which path invasion network, and also should understand assailant can which main frame in attacking network.This just requires must to comprise in attack graph model the overall network state that assailant can arrive.For this reason, propose a kind of global attack drawing generating method in previous work, profit can obtain the attack graph comprising target complete state in this way.
Based on computational methods for the target of attack accessibility of global attack figure, the present invention is characterised in that, comprises the following steps:
One, generating network global attack figure, this attack graph comprises network target complete state, comprises the steps:
1) collection network weakness, service, topology information;
2) information collected is formed initial network safe condition as Network security factor, add state queue;
3) utilize rule according to network vulnerability information and weakness, structure attacks node queue;
4) for each state in state queue, traversal once attacks node queue, adds in queue by the new state of generation;
5) network attack map is built according to the incidence relation between network state;
Two, hypothesize attack person is as the understanding of intelligent agent to network vulnerability own profound, and the attack complexity always according to each weakness is selected next step target of attack and then calculated the reachable probability of target of attack;
Sub-goal select probability: for any one the state si in attack graph, the attack complexity of the weakness of its correspondence is aci; If after assailant arrives state si, the sub-goal state set attacked can be selected to be SUB_S, then according to hypothesis 2, assailant's selection mode sj ∈ SUB_S is as the possibility λ of next step target of attack i, jcalculated by formula (1);
λ i , j = ac j / Σ sk ∈ SUB _ S ac k - - - ( 1 )
Attack path select probability: establish the attack path set L=(l1 that can arrive a certain dbjective state in attack graph, l2, ln), for in L any attack path li=(s0, s1 ... sn), the possibility ci that assailant selects this paths to carry out attacking is calculated by formula (2);
c i = Π j = 0 n - 1 λ j , j + 1 - - - ( 2 )
The attack path probability of success: establish the attack path set L=(l1 that can arrive a certain dbjective state in attack graph, l2, ln), for in L any attack path li=(s0, s1 ... sn), the Probability p i that assailant utilizes this paths successfully to arrive dbjective state is calculated by formula (3);
p i = c i × Π j = 1 n ac i - - - ( 3 )
Dbjective state reachable probability: establish can arrive a certain dbjective state sgoal in attack graph attack path set L=(l1, l2 ..., ln), then the probability P sgoal that assailant can arrive dbjective state is obtained by formula (4);
P sgoal = Σ i = 1 n P i - - - ( 4 )
Target of attack reachable probability: the dbjective state set of setting a certain target of attack in attack graph to comprise as S_GOAL={s1 ..., sn}, then assailant is obtained by formula (5) the probability of success Pgoal of this target of attack offensive attack;
P goal = Σ i = 1 n P si - - - ( 5 ) .
In general, assailant needs to implement multiple attack to reach its attack object.Weakness involved by these attacks may be different, but there is causality each other, and occur according to certain logical order.A free-revving engine of structure attack graph is exactly, according to the causality between attack, find out infiltration type attack sequence potential in network, finds the high-rise attack strategies of invader, helps administrative staff to understand the safe condition of network better.Regard successful attack action each time the transition of primary network state as herein, thus, show that attack graph and attack path are defined as follows.
Define 1 attack graph.Attack graph is a state transition system T=(S, t, s0, SG).Wherein, S is the set of network state, be the set of State Transferring relation, s0 ∈ S is network initial state, it is the set of dbjective state.
Define 2 attack paths.For a dbjective state sn ∈ SG, if from initial condition s0, there is one group of status switch s1, s2 ... sn-1, makes (si, si+1) ∈ t, 0<i<n-1, then claim status switch s0, s1 ..., sn is an attack path.
Define 3 attack actions.The following tlv triple of attack action represents (src_host, dst_host, vid).Wherein src_host is the main frame id of offensive attack, dst_host is that the main frame id attacked, vid this time attack the weakness number utilized.
Complexity is attacked in definition 4.The attack complexity of weakness is used to weigh assailant and successfully utilizes the one of the complexity of this weakness to measure.The attack complexity of weakness, by the impact of many factors, is difficult to quantize accurately it, can only gives expression to the difference of attacking complexity between different weakness approx.The people such as Wang Lidong have carried out analysis and comparison to the Application way of hundreds of kind weakness and instrument, give the quantitative criteria of attacking complexity, in table 1.
The quantitative criteria of complexity attacked by table 1
SG in tradition attack graph model only comprises a kind of dbjective state, but in reality, and network manager not only needs to know that assailant may from a main frame which path invasion network, and also should understand assailant can which main frame in attacking network.This overall network state just requiring the SG in attack graph model must comprise assailant to arrive.For this reason, propose a kind of global attack drawing generating method in previous work, profit can obtain the attack graph comprising target complete state in this way, and its basic step is as Fig. 1.
Traditional attack graph analytical method, when calculating the reachable probability of dbjective state and target of attack, have ignored assailant and carries out the such fact of attack as the intelligent agent weakness that often prioritizing selection complexity is low, cause analysis result objective not., herein transition probability is introduced attacking in the analysis of accessibility of target for this reason, and propose following hypothesis.
Hypothesize attack person is as the understanding of intelligent agent to system vulnerability own profound, and he always selects next step target of attack according to the attack complexity of each weakness.
Sub-goal select probability: for any one the state si in attack graph, the attack complexity of the weakness of its correspondence is aci.If after assailant arrives state si, the sub-goal state set attacked can be selected to be SUB_S, then according to hypothesis 2, assailant's selection mode sj ∈ SUB_S is as the possibility λ of next step target of attack i, jcalculated by formula (1).
&lambda; i , j = ac j / &Sigma; sk &Element; SUB _ S ac k - - - ( 1 )
Attack path select probability: establish the attack path set L=(l1 that can arrive a certain dbjective state in attack graph, l2, ln), for in L any attack path li=(s0, s1 ... sn), the possibility ci that assailant selects this paths to carry out attacking is calculated by formula (2).
c i = &Pi; j = 0 n - 1 &lambda; j , j + 1 - - - ( 2 )
The attack path probability of success: establish the attack path set L=(l1 that can arrive a certain dbjective state in attack graph, l2, ln), for in L any attack path li=(s0, s1 ... sn), the Probability p i that assailant utilizes this paths successfully to arrive dbjective state is calculated by formula (3).
p i = c i &times; &Pi; j = 1 n ac i - - - ( 3 )
Dbjective state reachable probability: establish can arrive a certain dbjective state sgoal in attack graph attack path set L=(l1, l2 ..., ln), then the probability P sgoal that assailant can arrive dbjective state is obtained by formula (4).
P sgoal = &Sigma; i = 1 n P i - - - ( 4 )
Target of attack reachable probability: the dbjective state set of setting a certain target of attack in attack graph to comprise as S_GOAL={s1 ..., sn}, then assailant is obtained by formula (5) the probability of success Pgoal of this target of attack offensive attack.
P goal = &Sigma; i = 1 n P si - - - ( 5 )
Key point of the present invention
Key problem in technology point of the present invention is:
1. transition probability is introduced attacking in the analysis of accessibility of target;
2. in attack graph model, comprise the overall network state that assailant can arrive.
Effect of the present invention
The present invention proposes a kind of computational methods of the target of attack accessibility based on global attack figure, and its advantage is:
This technology is in order to improve the accuracy of network vulnerability analysis result, set up global attack graph model, on this basis, a kind of computational methods of the target of attack accessibility based on global attack figure are proposed, and illustrate the application of the method in network vulnerability analysis with an example, demonstrate the validity of the method.Compared with legacy network vulnerability analysis method, the method that this section proposes has the following advantages:
(1) fragility that can exist from overall angle analysis network;
(2) consider the behavioural characteristic of assailant when calculating the accessibility of target of attack, analysis result is more objective, more accurate.
Accompanying drawing explanation
Fig. 1 is attack graph product process figure of the present invention;
Fig. 2 is Experimental Network attack graph of the present invention.
Embodiment
Based on computational methods for the target of attack accessibility of global attack figure, the present invention is characterised in that, comprises the following steps:
One, generating network global attack figure, this attack graph comprises network target complete state, comprises the steps:
1) collection network weakness, service, topology information;
2) information collected is formed initial network safe condition as Network security factor, add state queue;
3) utilize rule according to network vulnerability information and weakness, structure attacks node queue;
4) for each state in state queue, traversal once attacks node queue, adds in queue by the new state of generation;
5) network attack map is built according to the incidence relation between network state;
Two, hypothesize attack person is as the understanding of intelligent agent to network vulnerability own profound, and the attack complexity always according to each weakness is selected next step target of attack and then calculated the reachable probability of target of attack;
Sub-goal select probability: for any one the state si in attack graph, the attack complexity of the weakness of its correspondence is aci; If after assailant arrives state si, the sub-goal state set attacked can be selected to be SUB_S, then according to hypothesis 2, assailant's selection mode sj ∈ SUB_S is as the possibility λ of next step target of attack i, jcalculated by formula (1);
&lambda; i , j = ac j / &Sigma; sk &Element; SUB _ S ac k - - - ( 1 )
Attack path select probability: establish the attack path set L=(l1 that can arrive a certain dbjective state in attack graph, l2, ln), for in L any attack path li=(s0, s1 ... sn), the possibility ci that assailant selects this paths to carry out attacking is calculated by formula (2);
c i = &Pi; j = 0 n - 1 &lambda; j , j + 1 - - - ( 2 )
The attack path probability of success: establish the attack path set L=(l1 that can arrive a certain dbjective state in attack graph, l2, ln), for in L any attack path li=(s0, s1 ... sn), the Probability p i that assailant utilizes this paths successfully to arrive dbjective state is calculated by formula (3);
p i = c i &times; &Pi; j = 1 n ac i - - - ( 3 )
Dbjective state reachable probability: establish can arrive a certain dbjective state sgoal in attack graph attack path set L=(l1, l2 ..., ln), then the probability P sgoal that assailant can arrive dbjective state is obtained by formula (4);
P sgoal = &Sigma; i = 1 n P i - - - ( 4 )
Target of attack reachable probability: the dbjective state set of setting a certain target of attack in attack graph to comprise as S_GOAL={s1 ..., sn}, then assailant is obtained by formula (5) the probability of success Pgoal of this target of attack offensive attack;
P goal = &Sigma; i = 1 n P si - - - ( 5 ) .
Illustrate below in conjunction with example:
In order to verify correctness and the validity of the method that this problem proposes, construct an Experimental Network environment.Experimental situation is switching network, has 4 main frames.The open Telnet service of IP1, IP2 is ftp server, and IP3 upper operation Mysql database and HTTP service, IP4 is database server.The Telnet that fire compartment wall only allows external host to access on host ip 1 serves, and other external reference is all prevented from, and the mutual access between internal host does not limit.In order to without loss of generality, in Experimental Network, add confidentiality class weakness and local elevation of privilege class weakness.In Experimental Network, the information of each main frame and weakness thereof is as shown in the table.
(1) host information
Table 2 host information
Hostid Service Vulnerability
IP1 {Telnet} {12815}
IP2 {FTP} {9904,13454}
IP3 {FTP,HTTP} {7974,9691}
IP4 {Oracle} {14312}
(2) vulnerability information
Table 3 vulnerability information
Vid Range Type Service Conprivilege Comlexity
12815 remote privescalation Telnet Root 0.7
9904 remote privescalation Ftp User 0.5
13454 remote privescalation Ftp User 0.7
7974 remote privescalation Ftp User 0.7
9691 local privescalation Kernel Root 0.3
14312 remote confidentiality Oracle Access 0.9
According to the global attack figure modeling method proposed, associate the fragility in Experimental Network, the attack graph automatically generated by drawing tool graphviz as shown in Figure 2.Identical with the attack graph method for expressing of Swiler, the directed edge in figure represents attack action, the network state after node on behalf attack action success, and 1,8, No. 9 node on behalf assailants are by attacking the root authority obtaining certain main frame.Known by analysis chart, owing to there is relevance between weakness, the host ip 2 of script protected by firewall, IP3 and IP4 now all have the possibility of being attacked by network hacker.The qualitative analysis of network vulnerability sees the following form 4.
Table 4
Host Vulnerability Statenumber Result Patamount Shortestpath
IP1 {12815} {1} Privescalation(root) 1 0→1
IP2 {9904,13454} {2,7,11} Privescalation(root) 6 0→1→2
IP3 {7974} {3,5} Privescalation(root) 3 0→1→3
IP3 {9691} {8,9} Privescalation(root) 3 0→1→3→8
IP4 {14312} {4,6,10,12} Accessviolation 7 0→1→4
Because global attack graph model contains overall network state that assailant may arrive and the attack path for these network states, this just makes keeper can from the fragility of the angle analysis network of the overall situation, the general safety situation of awareness network.Table 5 gives each main frame in network and is attacked the consequence of rear generation and the probability of success of these attacks, and wherein P1 is the probability of success calculated after adding transition probability, and P2 does not add the probability of success that transition probability tries to achieve.From P2, for host ip 2, IP3 and IP4, the attack that the probability of success is greater than 1 likely occurs, and this is obviously irrational, and can avoid the generation of this situation add transition probability in analysis after.
The consequence of table 5 success attack and probability
For attack path l1:0 → 1 → 2 (13454) → 6 and l2:0 → 1 → 3 → 6, the probability that assailant utilizes these two attack paths successfully to arrive state 6 is can be calculated identical by conventional method, and after adding transition probability, can obtain the probability that assailant arrives state 6 by l 1 is 0.062, the probability being arrived state 6 by l2 is 0.041, illustrates that path l 1 is more dangerous than path l2.Cause the reason of this species diversity be due to: after assailant arrives state 3, can select to carry out next step sub-goal attacked more, thus reduce and select the possibility that on host ip 4, No. 13454 leaks carry out attacking.And traditional computational methods have ignored this behavioural characteristic of assailant, cause analysis result not accurate enough.

Claims (1)

1., based on computational methods for the target of attack accessibility of global attack figure, it is characterized in that, comprise the following steps:
One, generating network global attack figure, this attack graph comprises network target complete state, comprises the steps:
1) collection network weakness, service, topology information;
2) information collected is formed initial network safe condition as Network security factor, add state queue;
3) utilize rule according to network vulnerability information and weakness, structure attacks node queue;
4) for each state in state queue, traversal once attacks node queue, adds in queue by the new state of generation;
5) network attack map is built according to the incidence relation between network state;
Two, hypothesize attack person is as the understanding of intelligent agent to network vulnerability own profound, and the attack complexity always according to each weakness is selected next step target of attack and then calculated the reachable probability of target of attack;
Sub-goal select probability: for any one the state si in attack graph, the attack complexity of the weakness of its correspondence is aci; If after assailant arrives state si, the sub-goal state set attacked can be selected to be SUB_S, then according to hypothesis 2, assailant's selection mode sj ∈ SUB_S is as the possibility λ of next step target of attack i, jcalculated by formula (1);
&lambda; i , j = ac j / &Sigma; sk &Element; SUB _ S ac k - - - ( 1 )
Attack path select probability: establish the attack path set L=(l1 that can arrive a certain dbjective state in attack graph, l2, ln), for in L any attack path li=(s0, s1 ... sn), the possibility ci that assailant selects this paths to carry out attacking is calculated by formula (2);
c i = &Pi; j = 0 n - 1 &lambda; j , j + 1 - - - ( 2 )
The attack path probability of success: establish the attack path set L=(l1 that can arrive a certain dbjective state in attack graph, l2, ln), for in L any attack path li=(s0, s1 ... sn), the Probability p i that assailant utilizes this paths successfully to arrive dbjective state is calculated by formula (3);
p i = c i &times; &Pi; j = 1 n ac i - - - ( 3 )
Dbjective state reachable probability: establish can arrive a certain dbjective state sgoal in attack graph attack path set L=(l1, l2 ..., ln), then the probability P sgoal that assailant can arrive dbjective state is obtained by formula (4);
P sgoal = &Sigma; i = 1 n P i - - - ( 4 )
Target of attack reachable probability: the dbjective state set of setting a certain target of attack in attack graph to comprise as S_GOAL={s1 ..., sn}, then assailant is obtained by formula (5) the probability of success Pgoal of this target of attack offensive attack;
P goal = &Sigma; i = 1 n P si - - - ( 5 ) .
CN201410782322.6A 2014-12-16 2014-12-16 Calculating method of attack target accessibility based on global attack graph Pending CN104394177A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410782322.6A CN104394177A (en) 2014-12-16 2014-12-16 Calculating method of attack target accessibility based on global attack graph

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410782322.6A CN104394177A (en) 2014-12-16 2014-12-16 Calculating method of attack target accessibility based on global attack graph

Publications (1)

Publication Number Publication Date
CN104394177A true CN104394177A (en) 2015-03-04

Family

ID=52612012

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410782322.6A Pending CN104394177A (en) 2014-12-16 2014-12-16 Calculating method of attack target accessibility based on global attack graph

Country Status (1)

Country Link
CN (1) CN104394177A (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104883356A (en) * 2015-04-24 2015-09-02 北京邮电大学 Target model-based network attack detection method
CN105871882A (en) * 2016-05-10 2016-08-17 国家电网公司 Network-security-risk analysis method based on network node vulnerability and attack information
CN105991639A (en) * 2015-07-08 2016-10-05 北京匡恩网络科技有限责任公司 Network attack path analysis method
CN106411576A (en) * 2016-08-30 2017-02-15 河南理工大学 Method for generating attack graphs based on status transition network attack model
CN106850607A (en) * 2017-01-20 2017-06-13 北京理工大学 The quantitative estimation method of the network safety situation based on attack graph
CN106850265A (en) * 2016-12-29 2017-06-13 中国科学院信息工程研究所 A kind of power system network Attack Prediction method
CN106941502A (en) * 2017-05-02 2017-07-11 北京理工大学 A kind of security measure method and apparatus of internal network
CN107888588A (en) * 2017-11-09 2018-04-06 上海海事大学 A kind of K maximum probability attack path method for solving of specified destination node set
CN110138762A (en) * 2019-05-09 2019-08-16 南京邮电大学 Tender spots detection system, method and storage medium based on attack graph network
CN110138764A (en) * 2019-05-10 2019-08-16 中北大学 A kind of attack path analysis method based on level attack graph
CN110868384A (en) * 2018-12-24 2020-03-06 北京安天网络安全技术有限公司 Method and device for determining vulnerable assets in network environment and electronic equipment
CN115913640A (en) * 2022-10-19 2023-04-04 南京南瑞信息通信科技有限公司 Large-scale network attack deduction and risk early warning method based on attack graph

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101162993A (en) * 2007-11-29 2008-04-16 哈尔滨工程大学 Network risk analysis method
US7603715B2 (en) * 2004-07-21 2009-10-13 Microsoft Corporation Containment of worms
CN103139220A (en) * 2013-03-07 2013-06-05 南京理工大学常熟研究院有限公司 Network security attack defense method using state attack and defense graph model
CN103152345A (en) * 2013-03-07 2013-06-12 南京理工大学常熟研究院有限公司 Network safety optimum attacking and defending decision method for attacking and defending game

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7603715B2 (en) * 2004-07-21 2009-10-13 Microsoft Corporation Containment of worms
CN101162993A (en) * 2007-11-29 2008-04-16 哈尔滨工程大学 Network risk analysis method
CN103139220A (en) * 2013-03-07 2013-06-05 南京理工大学常熟研究院有限公司 Network security attack defense method using state attack and defense graph model
CN103152345A (en) * 2013-03-07 2013-06-12 南京理工大学常熟研究院有限公司 Network safety optimum attacking and defending decision method for attacking and defending game

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王宁宁: "计算机网络拓扑结构脆弱性的分析与评估技术研究", 《中国优秀硕士学位论文全文数据库》 *
苘大鹏; 杨武; 杨永田: "基于攻击图的网络脆弱性分析方法", 《南京理工大学学报》 *

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104883356A (en) * 2015-04-24 2015-09-02 北京邮电大学 Target model-based network attack detection method
CN105991639A (en) * 2015-07-08 2016-10-05 北京匡恩网络科技有限责任公司 Network attack path analysis method
CN105871882A (en) * 2016-05-10 2016-08-17 国家电网公司 Network-security-risk analysis method based on network node vulnerability and attack information
CN105871882B (en) * 2016-05-10 2019-02-19 国家电网公司 Network security risk analysis method based on network node fragility and attack information
CN106411576A (en) * 2016-08-30 2017-02-15 河南理工大学 Method for generating attack graphs based on status transition network attack model
CN106411576B (en) * 2016-08-30 2019-10-22 河南理工大学 Attack drawing generating method based on state transition network network challenge model
CN106850265A (en) * 2016-12-29 2017-06-13 中国科学院信息工程研究所 A kind of power system network Attack Prediction method
CN106850265B (en) * 2016-12-29 2019-10-22 中国科学院信息工程研究所 A kind of power system network Attack Prediction method
CN106850607B (en) * 2017-01-20 2019-09-20 北京理工大学 The quantitative estimation method of network safety situation based on attack graph
CN106850607A (en) * 2017-01-20 2017-06-13 北京理工大学 The quantitative estimation method of the network safety situation based on attack graph
CN106941502A (en) * 2017-05-02 2017-07-11 北京理工大学 A kind of security measure method and apparatus of internal network
CN106941502B (en) * 2017-05-02 2020-10-20 北京理工大学 Safety measurement method and device for internal network
CN107888588A (en) * 2017-11-09 2018-04-06 上海海事大学 A kind of K maximum probability attack path method for solving of specified destination node set
CN110868384B (en) * 2018-12-24 2022-03-29 北京安天网络安全技术有限公司 Method and device for determining vulnerable assets in network environment and electronic equipment
CN110868384A (en) * 2018-12-24 2020-03-06 北京安天网络安全技术有限公司 Method and device for determining vulnerable assets in network environment and electronic equipment
CN110138762B (en) * 2019-05-09 2020-08-11 南京邮电大学 Vulnerability detection system and method based on attack graph network and storage medium
CN110138762A (en) * 2019-05-09 2019-08-16 南京邮电大学 Tender spots detection system, method and storage medium based on attack graph network
CN110138764A (en) * 2019-05-10 2019-08-16 中北大学 A kind of attack path analysis method based on level attack graph
CN110138764B (en) * 2019-05-10 2021-04-09 中北大学 Attack path analysis method based on hierarchical attack graph
CN115913640A (en) * 2022-10-19 2023-04-04 南京南瑞信息通信科技有限公司 Large-scale network attack deduction and risk early warning method based on attack graph
CN115913640B (en) * 2022-10-19 2023-09-05 南京南瑞信息通信科技有限公司 Large-scale network attack deduction and risk early warning method based on attack graph

Similar Documents

Publication Publication Date Title
CN104394177A (en) Calculating method of attack target accessibility based on global attack graph
CN106341414B (en) A kind of multi-step attack safety situation evaluation method based on Bayesian network
Abraham et al. Cyber security analytics: a stochastic model for security quantification using absorbing markov chains
Zhao et al. Study on network security situation awareness based on particle swarm optimization algorithm
CN105871882A (en) Network-security-risk analysis method based on network node vulnerability and attack information
CN104348652A (en) Method and device for evaluating system security based on correlation analysis
Ioannou et al. A Markov multi-phase transferable belief model for cyber situational awareness
CN114547415A (en) Attack simulation method based on network threat information in industrial Internet of things
CN114039758A (en) Network security threat identification method based on event detection mode
He et al. Robust control for a class of cyber-physical systems with multi-uncertainties
Kim et al. Cost-effective valuable data detection based on the reliability of artificial intelligence
Kumar et al. Unsupervised outlier detection technique for intrusion detection in cloud computing
CN105162752A (en) Method for predicting propagation path of network threat
Abaeian et al. Intrusion detection forecasting using time series for improving cyber defence
Almajed et al. Using machine learning algorithm for detection of cyber-attacks in cyber physical systems
Harbola et al. Improved intrusion detection in DDoS applying feature selection using rank & score of attributes in KDD-99 data set
Angelini et al. An attack graph-based on-line multi-step attack detector
Peng et al. Sensing network security prevention measures of BIM smart operation and maintenance system
Fan et al. A hierarchical method for assessing cyber security situation based on ontology and fuzzy cognitive maps
Fan et al. An improved integrated prediction method of cyber security situation based on spatial-time analysis
Bian et al. Network security situational assessment model based on improved AHP_FCE
Qi et al. Iterative anomaly detection algorithm based on time series analysis
CN117134943A (en) Attack mode prediction method based on fuzzy Bayesian network
Arifin et al. Oversampling and undersampling for intrusion detection system in the supervisory control and data acquisition IEC 60870‐5‐104
Lin et al. Evaluation of Network Security Grade Protection Combined With Deep Learning for Intrusion Detection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150304

RJ01 Rejection of invention patent application after publication