
CN111786947B - Attack graph generation method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN111786947B
Authority: CN (China)
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202010420219.2A
Other languages: Chinese (zh)
Other versions: CN111786947A
Inventors: 徐国爱, 郭燕慧, 薛红飞, 王浩宇, 张淼, 徐国胜
Current assignee: Beijing University of Posts and Telecommunications (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing University of Posts and Telecommunications

Classifications

    • H04L 63/1416: Event detection, e.g. attack signature detection (within H04L 63/14, network architectures or protocols for detecting or protecting against malicious traffic, and H04L 63/1408, detection by monitoring network traffic)
    • H04L 63/1433: Vulnerability analysis (within H04L 63/14)
    • G06F 21/577: Assessing vulnerabilities and evaluating computer system security (within G06F 21/57, certifying or maintaining trusted computer platforms, and G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms)

Abstract

The invention provides a method and a device for generating an attack graph, electronic equipment and a storage medium. The method comprises the following steps: scanning a target network to obtain network characteristic information and first vulnerability information; determining a host and a port which are running in the target network according to the network characteristic information; scanning the running host and the running port to obtain second vulnerability information; merging the first vulnerability information and the second vulnerability information; and generating an attack graph of the target network according to the network characteristic information and the combined vulnerability information. The embodiment of the invention can improve the scanning efficiency and accuracy, and further improve the accuracy of the attack graph.

Description

Attack graph generation method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network space security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for generating an attack graph.
Background
The number of attack paths that may be used to breach an organization's network is now very large: an attacker may invade the target network by exploiting a series of vulnerabilities on various network hosts, gaining certain privileges at each step. The attack graph risk assessment method can represent the possible attack modes of an attacker and can be used for network security index calculation, network hardening, near-real-time security analysis and the like.
In the prior art, an OVAL (Open Vulnerability Assessment Language) scanning tool is mainly used to scan a target network to collect machine configuration information, and to compare that configuration information with formal advisories to assess whether a vulnerability exists on a system. However, whenever OVAL receives a new scanning definition, the scan must be repeated on each host, which results in low scanning efficiency; and vulnerability scanning with a single tool may have low accuracy, which in turn results in low accuracy of the attack graph.
Disclosure of Invention
In view of this, the present invention provides a method, an apparatus, a device and a storage medium for generating an attack graph, so as to solve the problem of low accuracy of the attack graph due to low scanning efficiency and accuracy in the prior art.
Based on the above purpose, the present invention provides a method for generating an attack graph, which comprises:
scanning a target network to obtain network characteristic information and first vulnerability information;
determining a host and a port which are running in the target network according to the network characteristic information;
scanning the running host and the running port to obtain second vulnerability information;
merging the first vulnerability information and the second vulnerability information;
and generating an attack graph of the target network according to the network characteristic information and the combined vulnerability information.
Further, the scanning the target network to obtain the network characteristic information and the first vulnerability information specifically includes:
setting a bandwidth consumption requirement and a scanning time requirement;
determining a scanning strategy according to the bandwidth consumption requirement and the scanning time requirement;
and scanning the target network according to the scanning strategy to obtain network characteristic information and first vulnerability information.
Further, the determining a scanning policy according to the bandwidth consumption requirement and the scanning time requirement specifically includes:
taking each scanning parameter among a plurality of pre-stored scanning parameters in turn as the target scanning parameter, and measuring the bandwidth consumed when various host sets are scanned with the target scanning parameter, the various host sets differing in the number of hosts;
determining the scanning parameter whose bandwidth consumption meets the bandwidth consumption requirement;
taking each time option among a plurality of pre-stored time options in turn as the target time option, and measuring the scanning time when the various host sets are scanned with the target time option;
determining the time option whose scanning time meets the scanning time requirement;
and determining the scanning strategy according to the determined scanning parameter and time option.
Further, the first vulnerability information and the second vulnerability information both comprise at least one vulnerability;
before the merging the first vulnerability information and the second vulnerability information, the method further includes:
performing an initial scoring of each vulnerability in the first vulnerability information and the second vulnerability information respectively;
and removing, from the first vulnerability information and the second vulnerability information, the vulnerabilities whose initial scores are lower than a preset threshold value.
Further, the first vulnerability information and the second vulnerability information both comprise at least one vulnerability and a vulnerability type of each vulnerability;
the method further comprises the following steps:
performing an initial scoring of each vulnerability in the first vulnerability information and the second vulnerability information respectively;
determining the weight of each vulnerability according to the vulnerability type of each vulnerability;
and determining the score of each vulnerability according to the initial score and the weight of each vulnerability.
Further, the method further comprises:
determining a system to which each vulnerability belongs;
and determining the integral vulnerability score of the corresponding system according to the scores of all the vulnerabilities belonging to the same system.
Further, the data formats of the first vulnerability information and the second vulnerability information are different;
the merging of the first vulnerability information and the second vulnerability information includes:
respectively converting the data formats of the first vulnerability information and the second vulnerability information into preset formats;
and merging the first vulnerability information and the second vulnerability information which are converted into the preset format.
The invention also provides a device for generating the attack graph, which comprises the following components:
the first scanning module is used for scanning a target network to obtain network characteristic information and first vulnerability information;
a determining module, configured to determine, according to the network feature information, a host and a port that are running in the target network;
the second scanning module is used for scanning the running host and the running port to obtain second vulnerability information;
the merging module is used for merging the first vulnerability information and the second vulnerability information; and
and the generating module is used for generating the attack graph of the target network according to the network characteristic information and the combined vulnerability information.
The invention also provides electronic equipment which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor realizes the generation method of the attack graph when executing the program.
The present invention also provides a non-transitory computer-readable storage medium storing computer instructions for causing the computer to execute the above-described attack graph generation method.
From the above, it can be seen that the method, apparatus, device and storage medium for generating an attack graph provided by the present invention first scan a target network to obtain network characteristic information and first vulnerability information, then determine the running hosts and ports in the target network according to the network characteristic information and perform a second scan aimed at the running hosts and ports to obtain second vulnerability information, then merge the first vulnerability information and the second vulnerability information, and generate an attack graph of the target network according to the network characteristic information and the merged vulnerability information. Scanning multiple times improves the accuracy of vulnerability scanning, and aiming the second scan only at the running hosts and ports improves scanning efficiency; the configuration information used to generate the attack graph is therefore more effective, accurate and comprehensive, so a more accurate attack graph is generated.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a method for generating an attack graph according to an embodiment of the present invention;
fig. 2 is another schematic flow chart of a method for generating an attack graph according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a network switching apparatus in an indoor environment according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
It is to be noted that technical terms or scientific terms used in the embodiments of the present invention should have the ordinary meanings as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar terms in this disclosure is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
Referring to fig. 1, a schematic flow chart of a method for generating an attack graph according to an embodiment of the present invention is provided. The generation method of the attack graph comprises the following steps of 101 to 105:
101. Scanning the target network to obtain network characteristic information and first vulnerability information.
In the embodiment of the present invention, the first scan of the target network may use the NMAP (Network Mapper, a network scanning and sniffing toolkit under Linux) scanning tool. Because NMAP is open source, a user may implement its rich functions by writing scripts: determining the open or closed state of each host or port in the entire subnet, detecting whether probes are filtered by intermediate equipment such as a firewall, vulnerability detection, network topology visualization and the like.
When NMAP is used for scanning, the topological structure of the target network is determined first and then scanned to obtain the network characteristic information, which comprises host configuration information (including open ports, the services running on those ports, existing vulnerabilities and the like), network configuration information, network user principals and the like. Then the target network is scanned for vulnerabilities to obtain the first vulnerability information, which includes at least one vulnerability and can be displayed in the form of CVE (Common Vulnerabilities and Exposures) entries.
Since NMAP is a very noisy tool that generates a lot of network traffic and sometimes consumes a lot of bandwidth (e.g., a scan of one host generates about 4M of network traffic), the present invention proposes to optimize NMAP scanning.
Specifically, the scanning the target network in step 101 to obtain network feature information and first vulnerability information includes:
setting a bandwidth consumption requirement and a scanning time requirement;
determining a scanning strategy according to the bandwidth consumption requirement and the scanning time requirement;
and scanning the target network according to the scanning strategy to obtain network characteristic information and first vulnerability information.
It should be noted that, during scanning, according to actual requirements, bandwidth consumption requirements and scanning time requirements are set to determine a scanning strategy, and then scanning is optimized according to the scanning strategy. Since the NMAP can provide a variety of scan parameters and a variety of time options, the scan strategy can be determined by setting different scan parameters and time options of the NMAP.
Specifically, the determining a scanning policy according to the bandwidth consumption requirement and the scanning time requirement includes:
taking each scanning parameter among a plurality of pre-stored scanning parameters in turn as the target scanning parameter, and measuring the bandwidth consumed when various host sets are scanned with the target scanning parameter, the various host sets differing in the number of hosts;
determining the scanning parameter whose bandwidth consumption meets the bandwidth consumption requirement;
taking each time option among a plurality of pre-stored time options in turn as the target time option, and measuring the scanning time when the various host sets are scanned with the target time option;
determining the time option whose scanning time meets the scanning time requirement;
and determining the scanning strategy according to the determined scanning parameter and time option.
It should be noted that the scanning parameters of NMAP may include the -A parameter (OS probe, version probe, script scan, traceroute, etc.), the -sn parameter (probing the hosts in the network using ICMP packets), an IP scan parameter, a 65535-TCP-port scan parameter, etc. The time options include the default option and the T3, T4 and T5 options. The host sets include a single host, a class C host set (250 hosts) and a class B host set (65000 hosts).
Bandwidth consumption measured for each host set under each scanning parameter:
    • -A parameter: a single host consumes 47852 bytes; the class C host set consumes 250 × 47852 bytes = 11.963 MB; the class B host set consumes 65000 × 47852 bytes = 4782278116 bytes = 3110.510 MB.
    • -sn parameter: a single host consumes 74 bytes; the class C host set consumes 250 × 74 bytes = 0.0185 MB; the class B host set consumes 65000 × 74 bytes = 4.810 MB.
    • IP scan parameter: a single host consumes 47852 bytes; the class C host set consumes 250 × 47852 bytes = 11.963 MB; the class B host set consumes 65000 × 47852 bytes = 4782278116 bytes = 3110.510 MB.
    • 65535-TCP-port scan parameter: a single host consumes 3331 KB; the class C host set consumes 250 × 3331 KB = 832.750 MB; the class B host set consumes 65000 × 3331 KB = 216515 MB.
Scanning time measured for each host set under each time option:
    • default option: a single host takes 25.73 seconds; the class C host set takes 250 × 25.73 = 6432.5 seconds; the class B host set takes 65000 × 25.73 = 1672450 seconds.
    • T3 option: a single host takes 17.92 seconds; the class C host set takes 250 × 17.92 = 4480 seconds; the class B host set takes 65000 × 17.92 = 1164800 seconds.
    • T4 option: a single host takes 20.61 seconds; the class C host set takes 250 × 20.61 = 5152.5 seconds; the class B host set takes 65000 × 20.61 = 1339650 seconds.
    • T5 option: a single host takes 14.72 seconds; the class C host set takes 250 × 14.72 = 3680 seconds; the class B host set takes 65000 × 14.72 = 956800 seconds.
After the bandwidth consumption of the various hosts using each scanning parameter and the scanning time using each time option are obtained, the scanning result can be displayed in a bar graph form, namely the bandwidth consumption and the scanning time corresponding to different host numbers, different time options and different scanning parameters can be visually seen through the bar graph. During actual scanning, scanning parameters and time options are selected according to specific requirements to determine a scanning strategy of the NMAP, scanning is optimized according to the determined scanning strategy, and waste of network resources and time caused by blind scanning is avoided.
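As an added example (not code from the patent), the following Python carries out the strategy selection described above against the measurements reported for each host set: it scales the per-host figures by the host count, keeps the scanning parameters and time options that meet the bandwidth and time requirements, and picks one of each. The ordering of parameters by informativeness, reading the 3331 k figure as 3331000 bytes, and preferring the slowest fitting time option are assumptions.

```python
"""Scan-strategy selection: pick the NMAP scanning parameter and time option
whose measured cost, scaled by the number of hosts, meets the bandwidth and
time requirements (added example; figures are those reported above)."""
from dataclasses import dataclass

# Measured bandwidth per scanned host, in bytes, for each scanning parameter.
# Dict order lists the parameters from most to least informative (assumption).
# 3331 k for the full TCP port scan is taken as 3331000 bytes (assumption).
BANDWIDTH_PER_HOST = {
    "-A": 47852,
    "ip-scan": 47852,
    "65535-tcp-ports": 3331 * 1000,
    "-sn": 74,
}

# Measured scan time per host, in seconds, for each time option.
TIME_PER_HOST = {
    "default": 25.73,
    "T3": 17.92,
    "T4": 20.61,
    "T5": 14.72,
}

# Host-set sizes used in the measurements above.
HOST_SETS = {"single": 1, "class-C": 250, "class-B": 65000}


@dataclass(frozen=True)
class ScanStrategy:
    parameter: str
    time_option: str
    bandwidth_bytes: int
    scan_time_s: float


def bandwidth_for(parameter, host_count):
    """Bandwidth the whole scan consumes: per-host figure times host count."""
    return BANDWIDTH_PER_HOST[parameter] * host_count


def scan_time_for(time_option, host_count):
    """Total scan time: per-host figure times host count (sequential scan)."""
    return TIME_PER_HOST[time_option] * host_count


def choose_strategy(host_count, max_bandwidth_bytes, max_time_s):
    """Step order follows the description: first the parameters that satisfy the
    bandwidth requirement, then the time options that satisfy the time
    requirement, then the strategy from the two. Among fitting parameters the
    most informative is chosen; among fitting time options the slowest one,
    assumed to be the most thorough (assumption). Returns None if nothing fits."""
    fitting_params = [p for p in BANDWIDTH_PER_HOST
                      if bandwidth_for(p, host_count) <= max_bandwidth_bytes]
    fitting_options = [o for o in TIME_PER_HOST
                       if scan_time_for(o, host_count) <= max_time_s]
    if not fitting_params or not fitting_options:
        return None
    parameter = fitting_params[0]
    time_option = max(fitting_options, key=TIME_PER_HOST.get)
    return ScanStrategy(parameter, time_option,
                        bandwidth_for(parameter, host_count),
                        scan_time_for(time_option, host_count))


def strategy_for_set(set_name, max_bandwidth_bytes, max_time_s):
    """Convenience wrapper using the named host sets from the description."""
    return choose_strategy(HOST_SETS[set_name], max_bandwidth_bytes, max_time_s)


if __name__ == "__main__":
    # Example: a class C subnet with a 1 MB budget and a 5000 s window.
    print(strategy_for_set("class-C", 1_000_000, 5000))
```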
102. Determining the running hosts and ports in the target network according to the network characteristic information.
In the embodiment of the present invention, the network characteristic information may include status information of each host and port, and the host and port that are running, that is, the active host and port, are selected from the network characteristic information.
103. Scanning the running hosts and ports to obtain second vulnerability information.
In the embodiment of the invention, the second scan may use the NESSUS scanning tool, and the second scan performs vulnerability scanning only. The running hosts and ports found by NMAP are input to NESSUS, so that NESSUS scans only the running hosts and ports instead of the whole target network, which effectively improves scanning efficiency.
The second vulnerability information output by NESSUS comprises at least one vulnerability and its corresponding vulnerability grade; the grades may be danger, high, medium and low, and the second vulnerability information can be displayed as a pie chart.
After the first vulnerability information and the second vulnerability information are obtained, the vulnerabilities in each can be evaluated and screened respectively based on the Common Vulnerability Scoring System (CVSS).
Specifically, the method further comprises:
performing an initial scoring of each vulnerability in the first vulnerability information and the second vulnerability information respectively;
and removing, from the first vulnerability information and the second vulnerability information, the vulnerabilities whose initial scores are lower than a preset threshold value.
Specifically, CVSS is used to give each vulnerability an initial score. If the initial score is between 7 and 10, the vulnerability level is judged to be serious; if it is between 4 and 6.9, the level is judged to be medium; and if it is between 0 and 3.9, the level is judged to be low. The low-level vulnerabilities in the first vulnerability information and the second vulnerability information are then removed; equivalently, a preset threshold of 4 on the initial score is used, so that a vulnerability with an initial score greater than or equal to 4 is retained and one with an initial score less than 4 is removed. Because vulnerabilities with a low score or low level carry lower risk and do not form a threat, they are discarded, that is, they are not used as configuration information for the attack graph, which improves the generation efficiency of the attack graph and reduces its complexity.
Because the initial score of the CVSS does not concern the type of the vulnerability, the initial score effect of the CVSS is not ideal, and therefore the score of each vulnerability is determined by combining the vulnerability type of each vulnerability in the first vulnerability information and the second vulnerability information on the basis of the initial score of the CVSS.
Specifically, the method further comprises:
performing an initial scoring of each vulnerability in the first vulnerability information and the second vulnerability information respectively;
determining the weight of each vulnerability according to the vulnerability type of each vulnerability;
and determining the score of each vulnerability according to the initial score and the weight of each vulnerability.
It should be noted that different weights are set for different types of vulnerabilities. For example, if a listening application has an active vulnerability, the weight of this type of vulnerability may be set to 1. If the application is running but is not listening on an open port, the computer must first be penetrated before the vulnerability can be exploited, because the application cannot be reached directly, so the weight of this type of vulnerability may be set to 0.8 to reduce the CVSS initial score. A passive vulnerability in an unused application must be activated by launching that application: an attacker must infiltrate the system and launch the application before benefiting from the vulnerability, so the weight of this type of vulnerability may be set to 0.5.
After the weight of each vulnerability is determined, multiplying the initial score of each vulnerability by the corresponding weight to obtain the final score of each vulnerability. According to the method, the final score of the vulnerability is obtained by combining the CVSS initial score and the vulnerability type, and the accuracy of the score of a single vulnerability is effectively improved.
It is clearly unreasonable to look at each vulnerability in isolation: a system with a single vulnerability scored 10 would then be rated higher overall than a system with 20 vulnerabilities each scored 8. Therefore the scores of the vulnerabilities currently present need to be combined per system.
Specifically, the method further comprises:
determining a system to which each vulnerability belongs;
and determining the integral vulnerability score of the corresponding system according to the scores of all the vulnerabilities belonging to the same system.
It should be noted that the scores of all vulnerabilities belonging to the same system are combined, and the combination may be done in various ways, such as addition, multiplication or a logarithm. Preferably the logarithm is used, which keeps the overall vulnerability score of the system at a proper scale: it reflects the number of vulnerabilities in the system as clearly as possible while ensuring that the overall score does not grow explosively.
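As an added example (not the patent's code), the following Python carries the screening, type weighting and per-system aggregation described above through the comparison made in the text: one system with a single score-10 vulnerability against one with twenty score-8 vulnerabilities. The threshold of 4 and the weights 1, 0.8 and 0.5 are the values stated; the type names, the sample CVE ids (constructed placeholders) and the concrete logarithmic formula, log2(1 + sum of scores), are assumptions.

```python
"""Vulnerability screening, type-weighted scoring and per-system aggregation
(added example). Threshold and weights are the values stated above; the type
names, sample CVE ids and the exact logarithmic formula are assumptions."""
import math
from dataclasses import dataclass

SCORE_THRESHOLD = 4.0   # initial scores below this are discarded

# Weight per vulnerability type, following the three cases described above.
TYPE_WEIGHT = {
    "active_listening": 1.0,       # active vulnerability in a listening application
    "running_not_listening": 0.8,  # application running but not listening on an open port
    "passive_unused": 0.5,         # unused application that would first have to be launched
}


@dataclass(frozen=True)
class Vuln:
    cve: str
    system: str
    vuln_type: str
    initial_score: float  # CVSS initial (base) score, 0.0 to 10.0


def severity_level(initial_score):
    """Level bands stated above: 7-10 serious, 4-6.9 medium, 0-3.9 low."""
    if initial_score >= 7.0:
        return "serious"
    if initial_score >= 4.0:
        return "medium"
    return "low"


def screen(vulns, threshold=SCORE_THRESHOLD):
    """Keep only vulnerabilities whose initial score reaches the threshold."""
    return [v for v in vulns if v.initial_score >= threshold]


def final_score(v):
    """Initial score multiplied by the weight of the vulnerability's type."""
    return round(v.initial_score * TYPE_WEIGHT[v.vuln_type], 2)


def system_scores(vulns, combine="log"):
    """Combine the final scores of all vulnerabilities belonging to the same
    system. 'sum' adds them; 'log' damps growth with log2(1 + sum), an assumed
    concrete form of the logarithmic combination preferred above."""
    totals = {}
    for v in vulns:
        totals[v.system] = totals.get(v.system, 0.0) + final_score(v)
    if combine == "sum":
        return totals
    return {s: round(math.log2(1.0 + t), 3) for s, t in totals.items()}


# Constructed sample (placeholder CVE ids): system A has one score-10 and one
# score-3.9 vulnerability; system B has twenty score-8 vulnerabilities.
SAMPLE = [
    Vuln("CVE-0000-0001", "A", "active_listening", 10.0),
    Vuln("CVE-0000-0002", "A", "passive_unused", 3.9),
] + [Vuln(f"CVE-0000-{100 + i:04d}", "B", "running_not_listening", 8.0)
     for i in range(20)]


def rank_systems(vulns=SAMPLE, combine="log"):
    """Screen, score and aggregate; returns {system: overall score}."""
    return system_scores(screen(vulns), combine)


if __name__ == "__main__":
    print(rank_systems())  # B's twenty weighted 6.4s outrank A's single 10
```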
104. Merging the first vulnerability information and the second vulnerability information.
In the embodiment of the invention, because different scanning tools are used for the two vulnerability scans, the data formats of the first vulnerability information and the second vulnerability information obtained from the two scans are different, so a generic data model is adopted to combine the first vulnerability information and the second vulnerability information before generating the attack graph.
Specifically, merging the first vulnerability information and the second vulnerability information in this step includes:
respectively converting the data formats of the first vulnerability information and the second vulnerability information into preset formats;
and merging the first vulnerability information and the second vulnerability information which are converted into the preset format.
It should be noted that the generic data model should be easy to understand and easy to interpret by a computer, and should be suitable for formal representation of vulnerability information in order to be provided to the attack graph construction tool later.
For example, NMAP provides a data model for holding its own scan results. However, because that model is tailored strictly to the functionality of NMAP's port scanning procedure, it is difficult to include other types of scan results in it. The NESSUS vulnerability scanner also provides a data format to represent the information it discloses, but it focuses more on the analysis and prediction of vulnerabilities. Therefore, the first vulnerability information and the second vulnerability information, which are in different data formats, need to be converted into a preset format, such as a custom XML file format.
The generic data model is divided into three top-level branches, covering various aspects of integrated scanning. One branch contains combined scan results of multiple scan tools; the other branch contains an abstract configuration for integrated scanning; the last branch retains a copy of all the individual scan results produced by the scan tool (which may also be called a sub-scan in order to determine the source of particular information in the combined scan results).
Both the combined scan result and the sub-scan result have similar formats. This format focuses only on one scan result, very close to the single result format of NMAP. The host can be considered a core element of this format. Each host then has a set of open ports and running services.
Adapters are the key components that convert the specific output of each scanner into sub-scans of the generic data model. For NMAP, only a few minor changes are needed. One example is the normalization and unification of information in the NMAP output: the time and date information is converted to a universal date format, and product names are unified by means of Common Platform Enumeration (CPE).
In NESSUS, the XML-based .nessus v1 format has the problem that its content is hard for a program to interpret, because it is plain text: each security issue reported by Nessus is inserted into a single XML data tag. Therefore, the output has to be made interpretable through extensive use of regular expressions. Tenable introduced a new output format named .nessus v2 at the end of 2009, which solved the problem of providing only textual data. Another problem that complicates the interpretation of Nessus output is the plug-in structure of Nessus itself: each aspect of the scan is handled by a plug-in. For example, one plug-in lists the open ports, another provides the host name of the target host, and another checks whether a particular vulnerability is present on the target, so the information has to be collected from the outputs of multiple plug-ins.
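As an added example (not the patent's or the tools' code), the following Python shows the adapter-and-merge step with the three-branch layout described above: one adapter per scanner produces a host-centric sub-scan, the sub-scans are merged into a combined result that remembers which sub-scan found each vulnerability, and the model is serialized to a custom XML format. The field names, the two sample scan results and the CVE ids are constructed stand-ins, not real NMAP or NESSUS output, and normalizing dates to ISO form plus lower-casing product names are simple stand-ins for the CPE-based unification.

```python
"""Generic data model for integrated scanning (added example). All input
records below are constructed, not real tool output."""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a parsed NMAP result (first vulnerability information).
NMAP_SAMPLE = {
    "scan_date": "18/05/2020 10:03",  # day/month/year form, normalized by the adapter
    "hosts": [{
        "addr": "10.0.0.5",
        "ports": [
            {"port": 22, "proto": "tcp", "state": "open", "service": "ssh",
             "product": "OpenSSH 7.4", "script_cves": ["CVE-0000-0001"]},
            {"port": 23, "proto": "tcp", "state": "closed", "service": "telnet",
             "product": "", "script_cves": []},
        ],
    }],
}

# Constructed stand-in for Nessus v1-style findings: one opaque text blob each.
NESSUS_SAMPLE = [
    {"host": "10.0.0.5", "port": "22/tcp", "severity": "High",
     "data": "Constructed plugin output ... CVE : CVE-0000-0001 ..."},
    {"host": "10.0.0.5", "port": "80/tcp", "severity": "Medium",
     "data": "Constructed plugin output ... CVE : CVE-0000-0002 ..."},
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def new_host(addr):
    return {"addr": addr, "ports": {}, "vulns": {}}


def add_vuln(host, cve, source, severity=None):
    """Record a vulnerability on a host, remembering every sub-scan that found it."""
    v = host["vulns"].setdefault(cve, {"cve": cve, "sources": [], "severity": severity})
    if source not in v["sources"]:
        v["sources"].append(source)
    if severity and not v["severity"]:
        v["severity"] = severity


def nmap_adapter(result):
    """NMAP adapter: keep open ports, normalize the date and product names."""
    day, month, rest = result["scan_date"].split("/")
    year, clock = rest.split(" ")
    hosts = {}
    for h in result["hosts"]:
        host = hosts.setdefault(h["addr"], new_host(h["addr"]))
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            key = f'{p["port"]}/{p["proto"]}'
            host["ports"][key] = {"service": p["service"],
                                  "product": p["product"].split(" ")[0].lower()}
            for cve in p["script_cves"]:
                add_vuln(host, cve, "nmap")
    return {"source": "nmap", "date": f"{year}-{month}-{day}T{clock}", "hosts": hosts}


def nessus_adapter(findings):
    """Nessus adapter: CVE ids are pulled out of the text blobs with a regex."""
    hosts = {}
    for f in findings:
        host = hosts.setdefault(f["host"], new_host(f["host"]))
        host["ports"].setdefault(f["port"], {"service": "", "product": ""})
        for cve in CVE_RE.findall(f["data"]):
            add_vuln(host, cve, "nessus", f["severity"].lower())
    return {"source": "nessus", "date": None, "hosts": hosts}


def merge(subscans, config):
    """Build the three branches: combined result, scan configuration, sub-scan copies."""
    combined = {}
    for scan in subscans:
        for addr, h in scan["hosts"].items():
            target = combined.setdefault(addr, new_host(addr))
            for key, port in h["ports"].items():
                tgt = target["ports"].setdefault(key, {"service": "", "product": ""})
                for field in ("service", "product"):
                    tgt[field] = tgt[field] or port[field]
            for v in h["vulns"].values():
                for src in v["sources"]:
                    add_vuln(target, v["cve"], src, v["severity"])
    return {"combined": combined, "config": config, "subscans": subscans}


def to_xml(model):
    """Serialize the model to the preset (custom XML) format."""
    root = ET.Element("integrated-scan")
    ET.SubElement(root, "config", model["config"])
    combined = ET.SubElement(root, "combined")
    for h in model["combined"].values():
        he = ET.SubElement(combined, "host", addr=h["addr"])
        for key, port in h["ports"].items():
            ET.SubElement(he, "port", id=key, service=port["service"], product=port["product"])
        for v in h["vulns"].values():
            ET.SubElement(he, "vuln", cve=v["cve"], severity=v["severity"] or "",
                          sources=",".join(v["sources"]))
    subs = ET.SubElement(root, "subscans")
    for s in model["subscans"]:
        ET.SubElement(subs, "subscan", source=s["source"], hosts=str(len(s["hosts"])))
    return ET.tostring(root, encoding="unicode")


def build_model():
    """Run both adapters over the constructed samples and merge them."""
    return merge([nmap_adapter(NMAP_SAMPLE), nessus_adapter(NESSUS_SAMPLE)],
                 {"target": "10.0.0.0/24"})
```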
105. Generating an attack graph of the target network according to the network characteristic information and the merged vulnerability information.
In the embodiment of the invention, MulVAL can be used as the attack graph construction tool; MulVAL has an extensible framework and is open source. The inputs to MulVAL are the network characteristic information and the merged vulnerability information, such as reported vulnerabilities or advisories, host configurations, network users or principals, access levels and security policies. The modeling language used by MulVAL is Datalog, which provides declarative specifications for the inference logic, making the inference engine easier to inspect and extend when necessary. The MulVAL framework consists of five parts, including interaction rules, the logic inference engine, security policies, databases (analytics), attack paths and unauthorized access. MulVAL's inference engine scales with network size and can analyze networks of thousands of computers: the scanning programs can be executed in parallel on multiple computers, and the analysis engine operates on the data collected from all hosts.
According to the attack graph generation method provided by the invention, the target network is first scanned to obtain the network characteristic information and the first vulnerability information; the running hosts and ports in the target network are then determined from the network characteristic information; the running hosts and ports are scanned a second time to obtain the second vulnerability information; the first and second vulnerability information are merged; and the attack graph of the target network is generated from the network characteristic information and the merged vulnerability information. Scanning multiple times improves the accuracy of vulnerability scanning, restricting the second scan to the running hosts and ports improves scanning efficiency, and the configuration information used to generate the attack graph becomes more effective, accurate and comprehensive, so that a more accurate attack graph is generated.
Referring to fig. 2, a schematic flow chart of a method for generating an attack graph according to an embodiment of the present invention is provided. The method comprises the following steps 201 to 206:
201. Scanning the target network with the Nmap scanning tool to obtain network characteristic information and first vulnerability information.
The topological structure of the target network is input into the Nmap scanning tool; Nmap performs a topology scan to obtain the network characteristic information and, at the same time, performs vulnerability scanning through vulscan to obtain the first vulnerability information.
202. Determining the running hosts and ports according to the network characteristic information.
Here the information about the running hosts and ports is derived from the network characteristic information.
203. Scanning the running hosts and ports with the Nessus scanning tool to obtain second vulnerability information.
The information about the running hosts and ports is input into the Nessus scanning tool, which performs vulnerability scanning to obtain the second vulnerability information.
204. Grading the vulnerabilities in the first vulnerability information and the second vulnerability information, and removing the low-grade vulnerabilities.
Specifically, for each vulnerability in the first and second vulnerability information, the weight of the vulnerability is set according to its vulnerability type, and the score of each vulnerability is calculated in combination with the CVSS vulnerability assessment method.
205. Merging the retained first vulnerability information and second vulnerability information using the generic data model.
206. Inputting the network characteristic information and the merged vulnerability information into the MulVAL tool to generate the attack graph of the target network.
The embodiment of the invention integrates the Nmap and Nessus scanning tools and uses multiple vulnerability databases and a better vulnerability assessment method, which effectively improves the quality of the input to the MulVAL tool and improves the generated attack graph.
It should be noted that the method of the embodiment of the present invention may be executed by a single device, such as a computer or a server. The method of the embodiment can also be applied to a distributed scene and completed by the mutual cooperation of a plurality of devices. In the case of such a distributed scenario, one of the multiple devices may only perform one or more steps of the method according to the embodiment of the present invention, and the multiple devices interact with each other to complete the method.
Referring to fig. 3, a device for generating an attack graph provided in an embodiment of the present invention includes:
the first scanning module 10 is configured to scan a target network to obtain network characteristic information and first vulnerability information;
a determining module 20, configured to determine a host and a port that are running in the target network according to the network feature information;
the second scanning module 30 is configured to scan the running host and the running port to obtain second vulnerability information;
a merging module 40, configured to merge the first vulnerability information and the second vulnerability information; and
and a generating module 50, configured to generate an attack graph of the target network according to the network feature information and the combined vulnerability information.
The apparatus of the foregoing embodiment is used to implement the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Fig. 4 shows a schematic diagram of a specific hardware structure of an electronic device provided in this embodiment, where the device may include: a processor 1010, a memory 1020, an input/output interface 1030, a communication interface 1040, and a bus 1050. Wherein the processor 1010, memory 1020, input/output interface 1030, and communication interface 1040 are communicatively coupled to each other within the device via bus 1050.
The processor 1010 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present disclosure.
The Memory 1020 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1020 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1020 and called to be executed by the processor 1010.
The input/output interface 1030 is used for connecting an input/output module to input and output information. The i/o module may be configured as a component in a device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1040 is used for connecting a communication module (not shown in the drawings) to implement communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1050 includes a path that transfers information between various components of the device, such as processor 1010, memory 1020, input/output interface 1030, and communication interface 1040.
It should be noted that although the above-mentioned device only shows the processor 1010, the memory 1020, the input/output interface 1030, the communication interface 1040 and the bus 1050, in a specific implementation, the device may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
The embodiment of the invention provides a non-transitory computer readable storage medium, wherein a plurality of instructions are stored, and the instructions can be loaded by a processor to execute the steps in any one of the attack graph generation methods provided by the embodiment of the invention.
The non-transitory computer readable media of the present embodiments, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is meant to be exemplary only, and is not intended to imply that the scope of the disclosure, including the claims, is limited to these examples; within the idea of the invention, features in the above embodiments or in different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity.
In addition, well known power/ground connections to Integrated Circuit (IC) chips and other components may or may not be shown within the provided figures for simplicity of illustration and discussion, and so as not to obscure the invention. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the invention, and also in view of the fact that specifics with respect to implementation of such block diagram devices are highly dependent upon the platform within which the present invention is to be implemented (i.e., specifics should be well within purview of one skilled in the art). Where specific details (e.g., circuits) are set forth in order to describe example embodiments of the invention, it should be apparent to one skilled in the art that the invention can be practiced without, or with variation of, these specific details. Accordingly, the description is to be regarded as illustrative instead of restrictive.
While the present invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. For example, other memory architectures (e.g., dynamic RAM (DRAM)) may use the discussed embodiments.
The embodiments of the invention are intended to embrace all such alternatives, modifications and variances that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements and the like that may be made without departing from the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (8)

1. A method for generating an attack graph is characterized by comprising the following steps:
scanning a target network to obtain network characteristic information and first vulnerability information;
determining a host and a port which are running in the target network according to the network characteristic information;
scanning the running host and the running port to obtain second vulnerability information;
merging the first vulnerability information and the second vulnerability information;
generating an attack graph of the target network according to the network characteristic information and the combined vulnerability information;
the scanning of the target network to obtain the network characteristic information and the first vulnerability information specifically comprises:
setting a bandwidth consumption requirement and a scanning time requirement;
determining a scanning strategy according to the bandwidth consumption requirement and the scanning time requirement;
scanning the target network according to the scanning strategy to obtain network characteristic information and first vulnerability information;
the determining a scanning strategy according to the bandwidth consumption requirement and the scanning time requirement specifically includes:
respectively taking each scanning parameter in a plurality of prestored scanning parameters as a target scanning parameter, and detecting the bandwidth consumption of various hosts for scanning based on the target scanning parameter; the number of the various hosts is different;
determining scanning parameters corresponding to the bandwidth consumption meeting the bandwidth consumption requirement;
respectively taking each time option in a plurality of pre-stored time options as a target time option, and detecting scanning time of scanning by a plurality of hosts based on the target time option;
determining a time option corresponding to the scanning time meeting the scanning time requirement;
and determining a scanning strategy according to the determined scanning parameters and the time options.
2. The method for generating the attack graph according to claim 1, wherein the first vulnerability information and the second vulnerability information each include at least one vulnerability;
before the merging the first vulnerability information and the second vulnerability information, the method further includes:
respectively carrying out primary scoring on each vulnerability in the first vulnerability information and the second vulnerability information;
and removing the vulnerabilities in the first vulnerability information and the second vulnerability information whose primary scores are lower than a preset threshold value.
3. The method for generating the attack graph according to claim 1, wherein the first vulnerability information and the second vulnerability information each include at least one vulnerability and a vulnerability type of each vulnerability;
the method further comprises the following steps:
respectively carrying out primary scoring on each vulnerability in the first vulnerability information and the second vulnerability information;
determining the weight of each vulnerability according to the vulnerability type of each vulnerability;
and determining the score of each vulnerability according to the initial score and the weight of each vulnerability.
4. The method for generating the attack graph according to claim 3, the method further comprising:
determining a system to which each vulnerability belongs;
and determining the integral vulnerability score of the corresponding system according to the scores of all the vulnerabilities belonging to the same system.
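The grading of step 204 and claims 2 to 4, as an added example (not the patent's code): the type weights, the threshold and the per-system aggregation rule are assumptions, since the patent fixes none of them, and the findings are constructed.

```python
from dataclasses import dataclass

# Assumed per-type weights: the patent fixes no values, so these only show
# the mechanism of claim 3.
TYPE_WEIGHTS = {
    "remote-code-execution": 1.0,
    "privilege-escalation": 0.9,
    "information-disclosure": 0.6,
    "denial-of-service": 0.5,
    "misconfiguration": 0.4,
}
DEFAULT_WEIGHT = 0.5
PRIMARY_THRESHOLD = 4.0  # assumed preset threshold of claim 2 (CVSS base)


@dataclass
class Finding:
    host: str          # the system the vulnerability belongs to (claim 4)
    name: str
    vuln_type: str
    cvss_base: float   # CVSS base score reported by the scanner
    source: str        # "nmap" (first scan) or "nessus" (second scan)


def primary_score(f):
    """Claims 2 and 3: the primary score is the CVSS base score, clamped to 0..10."""
    return max(0.0, min(10.0, f.cvss_base))

def weight_for(f):
    """Claim 3: the weight is chosen by vulnerability type."""
    return TYPE_WEIGHTS.get(f.vuln_type, DEFAULT_WEIGHT)

def final_score(f):
    """Claim 3: score = primary score x type weight."""
    return round(primary_score(f) * weight_for(f), 2)

def filter_low_grade(findings, threshold=PRIMARY_THRESHOLD):
    """Claim 2 / step 204: drop findings whose primary score is below the threshold."""
    return [f for f in findings if primary_score(f) >= threshold]

def system_scores(findings):
    """Claim 4: overall vulnerability score per system.

    Aggregation rule (assumed; the patent does not fix one): the highest
    single score plus 10% of the sum of the rest, capped at 10, so one
    critical finding dominates but many medium ones still raise the score.
    """
    per_system = {}
    for f in findings:
        per_system.setdefault(f.host, []).append(final_score(f))
    result = {}
    for host, scores in per_system.items():
        scores.sort(reverse=True)
        result[host] = round(min(10.0, scores[0] + 0.1 * sum(scores[1:])), 2)
    return result


# Constructed sample findings as they would look after both scans.
SAMPLE = [
    Finding("10.0.0.5", "outdated httpd", "remote-code-execution", 9.0, "nessus"),
    Finding("10.0.0.5", "weak SSH MAC", "misconfiguration", 2.6, "nessus"),
    Finding("10.0.0.5", "banner leak", "information-disclosure", 5.3, "nmap"),
    Finding("10.0.0.7", "slow-request DoS", "denial-of-service", 7.5, "nessus"),
]

def run(findings=SAMPLE):
    """Grade, prune, then aggregate; returns (kept findings, per-system scores)."""
    kept = filter_low_grade(findings)
    return kept, system_scores(kept)
```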
5. The method for generating the attack graph according to claim 1, wherein the first vulnerability information and the second vulnerability information have different data formats;
the merging the first vulnerability information and the second vulnerability information specifically comprises:
respectively converting the data formats of the first vulnerability information and the second vulnerability information into preset formats;
and merging the first vulnerability information and the second vulnerability information which are converted into the preset format.
6. An apparatus for generating an attack graph, the apparatus comprising:
the first scanning module is used for scanning a target network to obtain network characteristic information and first vulnerability information;
a determining module, configured to determine, according to the network feature information, a host and a port that are running in the target network;
the second scanning module is used for scanning the running host and the running port to obtain second vulnerability information;
the merging module is used for merging the first vulnerability information and the second vulnerability information; and
the generating module is used for generating an attack graph of the target network according to the network characteristic information and the combined vulnerability information;
the first scanning module is specifically configured to:
setting a bandwidth consumption requirement and a scanning time requirement;
determining a scanning strategy according to the bandwidth consumption requirement and the scanning time requirement;
scanning the target network according to the scanning strategy to obtain network characteristic information and first vulnerability information;
the first scanning module is further configured to:
respectively taking each scanning parameter in a plurality of prestored scanning parameters as a target scanning parameter, and detecting the bandwidth consumption of various hosts for scanning based on the target scanning parameter; the number of the various hosts is different;
determining scanning parameters corresponding to the bandwidth consumption meeting the bandwidth consumption requirement;
respectively taking each time option in a plurality of pre-stored time options as a target time option, and detecting scanning time of scanning by a plurality of hosts based on the target time option;
determining a time option corresponding to the scanning time meeting the scanning time requirement;
and determining a scanning strategy according to the determined scanning parameters and the time options.
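The scanning-strategy selection of claims 1 and 6, as an added example (not the patent's code): the bandwidth and scan-time tables are constructed stand-ins for the detection steps, and the parameter names, the Nmap -T timing options and the tie-break rules are assumptions.

```python
# Assumed scan parameter sets and the bandwidth each consumed, in kbit/s,
# when trial-scanning host sets of 10, 50 and 200 hosts (constructed values).
BANDWIDTH_KBPS = {
    "top-100-ports":  {10: 40,  50: 180,  200: 700},
    "top-1000-ports": {10: 150, 50: 650,  200: 2400},
    "all-ports":      {10: 900, 50: 4200, 200: 16000},
}

# Assumed timing options (named after Nmap's -T templates) and the measured
# scan time in seconds for the same host sets (constructed values).
SCAN_TIME_S = {
    "T2": {10: 900, 50: 4300, 200: 17000},
    "T3": {10: 240, 50: 1100, 200: 4400},
    "T4": {10: 90,  50: 420,  200: 1700},
}


def params_meeting_bandwidth(measured, max_kbps):
    """Scan parameters whose consumption stays within the limit at every host-set size."""
    return [p for p, by_size in measured.items()
            if all(v <= max_kbps for v in by_size.values())]

def options_meeting_time(measured, max_seconds, host_count):
    """Timing options that finish the expected host count within the time limit."""
    return [t for t, by_size in measured.items()
            if by_size[host_count] <= max_seconds]

def choose_strategy(max_kbps, max_seconds, host_count,
                    bandwidth=BANDWIDTH_KBPS, times=SCAN_TIME_S):
    """Combine the two selections into one strategy.

    Assumed tie-break: the tables are ordered from least to most thorough
    (parameters) and from slowest to fastest (timing), so take the most
    thorough parameter set and the slowest timing option that still fit.
    """
    params = params_meeting_bandwidth(bandwidth, max_kbps)
    opts = options_meeting_time(times, max_seconds, host_count)
    if not params or not opts:
        return None  # both requirements cannot be met; one must be relaxed
    return {"scan_parameters": params[-1], "time_option": opts[0]}
```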
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method for generating an attack graph according to any one of claims 1 to 5 when executing the program.
8. A non-transitory computer-readable storage medium storing computer instructions for causing a computer to execute a method of generating an attack graph according to any one of claims 1 to 5.
CN202010420219.2A 2020-05-18 2020-05-18 Attack graph generation method and device, electronic equipment and storage medium Active CN111786947B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010420219.2A CN111786947B (en) 2020-05-18 2020-05-18 Attack graph generation method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111786947A CN111786947A (en) 2020-10-16
CN111786947B true CN111786947B (en) 2021-10-29

Family

ID=72754113

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant