Research on Network Dynamic Threat Analysis Technology Based on Attribute Attack Graph
doi: 10.11999/JEIT181025
-
Information Engineering University, Zhengzhou 450001, China
-
Abstract: This paper first uses attribute attack graph theory to build a network Dynamic Threat Attribute Attack Graph (DT-AAG) analysis model. On the basis of a comprehensive description of the threat transfer relationships caused by system vulnerabilities and network services, the model combines the Common Vulnerability Scoring System (CVSS) with a Bayesian probability transfer calculation method to design a threat transfer probability measurement algorithm. Second, based on the constructed DT-AAG model, a Dynamic Threat Attribute Attack Graph generation Algorithm (DT-AAG-A) is designed using the association relationships between threats, vulnerabilities and services, and a loop resolution mechanism is designed for the threat transfer loop problem present in the generated attribute attack graphs. Finally, the effectiveness of the model and algorithms is verified by experiments.
-
關(guān)鍵詞:
- 屬性攻擊圖 /
- 威脅轉(zhuǎn)移 /
- 通用漏洞評(píng)分標(biāo)準(zhǔn) /
- 傳遞環(huán)路
Table 1 The DT-AAG-A generation algorithm
Input: DT-AAG-PL; Output: DT-AAG
(1) DT-AAG-PL $\ne \varnothing$; /* the DT-AAG-PL database is not empty */
(2) DT-AAG $= \varnothing$; /* initialise DT-AAG to the empty set */
(3) $t, i \in$ DT-AAG-PL
(4) For each $t = [{\rm ID}_t, {\rm IPpreCon}_t, {\rm IPpostCon}_t]$
(5) DO { /* take any one element of DT-AAG-PL */
(6) SearchIDIPpre (DT-AAG-PL) }
(7) For rest $j \in$ DT-AAG-PL DO { /* search and match the remaining elements of DT-AAG-PL */
(8) SearchIDIPpre (DT-AAG-PL, DT-AAG); /* the search range is DT-AAG-PL and DT-AAG */ }
(9) If DT-AAG-PL $= \varnothing$ { /* once every element of DT-AAG-PL has been moved */
(10) Return DT-AAG; }
(11) SearchIDIPpre (DT-AAG-PL) {
(12) If ${\rm ID}_t = {\rm ID}_i \;\&\&\; {\rm IPpostCon}_t = {\rm IPpostCon}_i$; /* match on ID and IP */
(13) {$a = t \to i$; Put $a$ to DT-AAG;} /* move the matched element to DT-AAG */
(14) else
(15) {$a = t$; Put $a$ to DT-AAG;} /* move the unmatched element to DT-AAG */ }
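The following Python is an added example, not code from the paper: it builds a DT-AAG from a constructed DT-AAG-PL following steps (4) to (15) of Table 1, then locates the threat transfer loops that the loop resolution mechanism in the abstract is meant to remove. The match rule (same ID, and the post-condition host of t is the pre-condition host of i), the DFS-based loop detection and the names PLElement, build_dt_aag and find_transfer_loops are assumptions of this example, not the paper's definitions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PLElement:
    """One DT-AAG-PL entry [ID_t, IPpreCon_t, IPpostCon_t] of Table 1 (class name is ours)."""
    threat_id: str  # ID_t: identifier of the threat/vulnerability
    ip_pre: str     # IPpreCon_t: host the attacker must already hold
    ip_post: str    # IPpostCon_t: host reached when the threat transfers

Edge = tuple[PLElement, PLElement]

def build_dt_aag(pl: list[PLElement]) -> tuple[set[PLElement], set[Edge]]:
    """Steps (4)-(15) of Table 1. Assumed match rule for t -> i: same ID and
    IPpostCon_t == IPpreCon_i (the printed table compares the two post-conditions)."""
    edges: set[Edge] = set()
    for t in pl:
        for i in pl:
            if i is not t and t.threat_id == i.threat_id and t.ip_post == i.ip_pre:
                edges.add((t, i))  # step (13): a = t -> i
    return set(pl), edges          # step (15): unmatched elements still enter DT-AAG

def find_transfer_loops(pl: list[PLElement], edges: set[Edge]) -> set[Edge]:
    """DFS back edges, each closing a threat transfer loop; DFS follows list order so the
    edge re-entering an already reached host is reported. Dropping it is our assumed fix."""
    succ: dict[PLElement, list[PLElement]] = {n: [] for n in pl}
    for t, i in sorted(edges, key=repr):  # deterministic successor order
        succ[t].append(i)
    state = {n: "new" for n in pl}
    back: set[Edge] = set()
    def dfs(u: PLElement) -> None:
        state[u] = "open"
        for v in succ[u]:
            if state[v] == "open":
                back.add((u, v))  # v is still on the DFS stack: u -> v closes a cycle
            elif state[v] == "new":
                dfs(v)
        state[u] = "done"
    for n in pl:
        if state[n] == "new":
            dfs(n)
    return back

# Constructed sample DT-AAG-PL: host names borrowed from Table 2, the transfers are invented.
SAMPLE_PL = [
    PLElement("T1", "attacker", "user3"),
    PLElement("T1", "user3", "FileServer"),
    PLElement("T1", "FileServer", "MainServer"),
    PLElement("T1", "MainServer", "user3"),  # re-enters user3: a threat transfer loop
    PLElement("T2", "attacker", "user4"),    # different ID, never linked to the T1 chain
]
```

Dropping the returned back edge leaves the chain attacker → user3 → FileServer → MainServer intact and removes only the re-entry into user3.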
Table 2 Vulnerability and protocol information of hosts and servers

| Host/Server | Protocol/Vulnerability | Port |
| --- | --- | --- |
| user1 | – | 80/445 |
| user2 | HIDP | 80 |
| user3 | GNU Wget | 80 |
| user4 | NDproxy | 445 |
| WebServer | IIS | 80 |
| FileServer | Protocol with user3/Apache | 80 |
| DataServer | Protocol with user4 | 445 |
| MainServer | Protocol with user2&user3&user4 | 80&445 |
Table 3 Vulnerability information

| Vulnerability | ExpSco+ImpSco | CVE number |
| --- | --- | --- |
| HIDP | 7.0 | CVE-2018-8169 |
| GNU Wget | 8.8 | CVE-2016-4971 |
| NDproxy | 7.2 | CVE-2013-5065 |
| IIS | 7.8 | CVE-2015-7597 |
| Apache | 7.5 | CVE-2018-8015 |
Table 4 Attack paths and threat transfer probabilities

| Attack path | Transfer probability |
| --- | --- |
| $a \to d \to i$ | 0.38 |
| $a \to d \to j$ | 0.30 |
| $a \to d \to k$ | 0.49 |
| $a \to d \to l$ | 0.49 |
| $a \to e$ | 0.44 |
| $a \to f$ | 0.34 |
| $a \to g$ | 0.56 |
| $b \to j$ | 0.53 |
| $b \to k$ | 0.88 |
| $b \to l$ | 0.88 |
| $c \to m$ | 0.58 |
| $c \to n$ | 0.58 |
-