Loading [MathJax]/jax/output/HTML-CSS/jax.js
高级搜索

留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

基于属性攻击图的动态威胁跟踪与量化分析技术研究

杨英杰 冷强 潘瑞萱 胡浩

基于N分随机乘法模型的多重分形海杂波仿真[J]. 电子与信息学报, 2015, 37(6): 1470-1475. doi: 10.11999/JEIT141042
引用本文: 杨英杰, 冷强, 潘瑞萱, 胡浩. 基于属性攻击图的动态威胁跟踪与量化分析技术研究[J]. 电子与信息学报, 2019, 41(9): 2172-2179. doi: 10.11999/JEIT181117
Simulating Multifractal Sea Clutter by N-partitioned Random Multiplicative Process Model[J]. Journal of Electronics & Information Technology, 2015, 37(6): 1470-1475. doi: 10.11999/JEIT141042
Citation: Yingjie YANG, Qiang LENG, Ruixuan PAN, Hao HU. Research on Dynamic Threat Tracking and Quantitative Analysis Technology Based on Attribute Attack Graph[J]. Journal of Electronics & Information Technology, 2019, 41(9): 2172-2179. doi: 10.11999/JEIT181117

基于属性攻击图的动态威胁跟踪与量化分析技术研究

doi: 10.11999/JEIT181117
基金项目: 国家“863”高技术研究发展计划基金(2015AA016006),国家重点研发计划(2016YFF0204003),国家自然科学基金(61471344)
详细信息
    作者简介:

    杨英杰:男,1971年生,教授,研究方向为信息安全

    冷强:男,1993年生,硕士生,研究方向为信息安全风险评估

    潘瑞萱:女,1995年生,硕士生,研究方向为SDN网络协议安全

    胡浩:男,1989年生,讲师,研究方向为网络安全态势感知和图像秘密共享

    通讯作者:

    冷强 lqsly1993@163.com

  • 中图分类号: TP393

Research on Dynamic Threat Tracking and Quantitative Analysis Technology Based on Attribute Attack Graph

Funds: The National “863” High Technology Research and Development Program of China (2015AA016006), The National Key Research and Development Program of China (2016YFF0204003), The National Natural Science Foundation of China (61471344)
  • 摘要: 网络多告警信息融合处理是有效实施网络动态威胁分析的主要手段之一。基于此该文提出一种利用网络系统多告警信息进行动态威胁跟踪与量化分析的机制。该机制首先利用攻击图理论构建系统动态威胁属性攻击图;其次基于权限提升原则设计了前件推断算法(APA)、后件预测算法(CPA)和综合告警信息推断算法(CAIIA)进行多告警信息的融合与威胁分析,生成网络动态威胁跟踪图进行威胁变化态势的可视化展示。最后通过实验验证了该机制和算法的有效性。
  • 图  1  动态威胁跟踪机制图

    图  2  拓扑实例图

    图  3  前件推断图

    图  4  后件预测实例图

    图  5  多告警信息实例图

    图  6  实验图

    图  7  网络属性攻击图

    图  8  time1威胁状态图

    图  9  time2威胁状态图

    图  10  文献[17]time1威胁状态图

    图  11  文献[17]time2威胁状态图

    表  1  前件推断算法

     算法1:前件推断算法(APA)
     输入:DTAAG, all
     输出:DI
     (1) all=(timel,IPprol,IPpostl,classl)
     (2) if IPpostl=IPl, set dil=1
       //根据IP地址确定攻击图中产生告警信息的节点;
     (3) set l –1, l, l+1,···, l+m
       //按照攻击图中关于节点l 的路径的节点权限排序;
     (4) if IPprol=IPl1, set dil1=1
       //如果该告警信息的源IP在系统中,表示攻击者已经获得该 节点的前件节点的权限;
     (5) { if not only cl1cl
       //节点l–1的后置条件包含不止节点l
     (6) { set l1,l,l+1,···,l+n(nm1);
       //设置节点l-1的后件节点中非包含l节点路径的其余节点的顺 序;
     (7) dil1=dil1=1
     (8) DO { CPA(l1); // 对节点l1执行后件预测算法;
     (9) }}}
     (10) else
     (11) set dil1=0
       //该告警节点与其所处攻击图中的前件节点无关,因此设置 其前件节点推断强度为0;
     (12) return DI
    下载: 导出CSV

    表  2  后件预测算法

     算法2:后件预测算法(CPA)
     输入:DTAAG, all
     输出:DI
     (1) all=(timel,IPprol,IPpostl,classl)
     (2) if IPpostl=IPl, set dil=1
     (3) set l –1, l, l+1,···, l+m
     (4) for(i=1, dil+iλ&&im, i++)
     (5) {dil+i=ij=1pl+j×dil; }
     (6) when DIl+i={di1l+i,di2l+i,···,dinl+i}
       //从节点l到节点l+in条路径,DIl+i的元素都是由all推断;
     (7) DO {
     (8) dil+i=max(di1l+i,di2l+i,···,dinl+i); }
       //取单个告警不同路径中推断强度最大的值;
     (9) Return DI
    下载: 导出CSV

    表  3  综合告警信息推断算法

     算法3:综合告警信息推断算法(CAIIA)
     输入:DTAAG, AL
     输出:DI
     (1) AL; //告警信息不为空;
     (2) aliAL
     (3) for each
     (4) ali=(timei,IPproi,IPposti,classi)
     (5) if IPposti=IPi, set dii=1
     (6) DO { APA(i); // 对节点i 执行前件推断算法;
     (7) CPA(i) //对节点i执行后件预测算法 }
     (8) if IPjaliALIPposti
     (9) { dij=alkALdik
       //计算产生告警节点推断未产生告警的节点的推断强度;
     (10) if dij>1, let dij=1;}
       //表示将推强度大于1的值确定为1;
     (11) else
     (12) set dii=1
     (13) return DI
    下载: 导出CSV

    表  4  系统漏洞、协议关系表

    Host/ServerProtocol/VulnerabilityPort
    WebProtocol with H1&H2 /IIS445&80
    DataApache80
    H1Protocol with Web /HIDP445
    H2Protocol with Web/GUN Wget80
    H3NDproxy445
    下载: 导出CSV

    表  5  漏洞信息表

    Vul.CVE Num.Vul. Risklevel
    IISCVE-2015-75977.8
    ApacheCVE-2018-80157.5
    HIDPCVE-2018-81697.0
    GUN WgetCVE-2016-49718.8
    NDproxyCVE-2013-50657.2
    下载: 导出CSV

    表  6  关联分析

    文献攻击路径威胁转移概率前后件推断消解环路实时分析综合多路径权限提升存取访问关系
    文献[15]××××××
    文献[17]××××
    本文
    下载: 导出CSV
  • 韦勇. 网络安全态势评估模型研究[D]. [博士论文], 中国科学技术大学, 2009.

    WEI Yong. Research on network security situational awareness model[D]. [Ph.D. dissertation], University of Science and Technology of China, 2009.
    梅海彬, 龚俭, 张明华. 基于警报序列聚类的多步攻击模式发现研究[J]. 通信学报, 2011, 32(5): 63–69. doi: 10.3969/j.issn.1000-436X.2011.05.009

    MEI Haibin, GONG Jian, and ZHANG Minghua. Research on discovering multi-step attack patterns based on clustering IDS alert sequences[J]. Journal on Communications, 2011, 32(5): 63–69. doi: 10.3969/j.issn.1000-436X.2011.05.009
    PHILLIPS C and SWILER L P. A graph-based system for network-vulnerability analysis[C]. The 1998 Workshop on New Security Paradigms, Charlottesville, USA, 1998: 71–79.
    SWILER L P, PHILLIPS C, ELLIS D, et al. Computer-attack graph generation tool[C]. The 2nd DARPA Information Survivability Conference and Exposition, Anaheim, USA, 2001: 307–321.
    王会梅, 鲜明, 王国玉. 基于扩展网络攻击图的网络攻击策略生成算法[J]. 电子与信息学报, 2011, 33(12): 3015–3021. doi: 10.3724/SP.J.1146.2011.00414

    WANG Huimei, XIAN Ming, and WANG Guoyu. A network attack decision-making algorithm based on the extended attack graph[J]. Journal of Electronics &Information Technology, 2011, 33(12): 3015–3021. doi: 10.3724/SP.J.1146.2011.00414
    苏婷婷, 潘晓中, 肖海燕, 等. 基于属性邻接矩阵的攻击图表示方法研究[J]. 电子与信息学报, 2012, 34(7): 1744–1747. doi: 10.3724/SP.J.1146.2012.00261

    SU Tingting, PAN Xiaozhong, XIAO Haiyan, et al. Research on attack graph based on attributes adjacncy matrix[J]. Journal of Electronics &Information Technology, 2012, 34(7): 1744–1747. doi: 10.3724/SP.J.1146.2012.00261
    黄永洪, 吴一凡, 杨豪璞, 等. 基于攻击图的APT脆弱节点评估方法[J]. 重庆邮电大学学报: 自然科学版, 2017, 29(4): 535–541. doi: 10.3979/j.issn.1673-825X.2017.04.017

    HUANG Yonghong, WU Yifan, YANG Haopu, et al. Graph-based vulnerability assessment for APT attack[J]. Journal of Chongqing University of Posts and Telecommunications:Natural Science Edition, 2017, 29(4): 535–541. doi: 10.3979/j.issn.1673-825X.2017.04.017
    叶子维, 郭渊博, 王宸东, 等. 攻击图技术应用研究综述[J]. 通信学报, 2017, 38(11): 121–132. doi: 10.11959/j.issn.1000-436x.2017213

    YE Ziwei, GUO Yuanbo, WANG Chendong, et al. Survey on application of attack graph technology[J]. Journal on Communications, 2017, 38(11): 121–132. doi: 10.11959/j.issn.1000-436x.2017213
    HU Hao, LIU Yulin, ZHANG Hongqi, et al. Security metric methods for network multistep attacks using AMC and big data correlation analysis[J]. Security and Communication Networks, 2018, 2018: 5787102. doi: 10.1155/2018/5787102
    WANG Huan, CHEN Zhanfang, ZHAO Jianping, et al. A vulnerability assessment method in industrial internet of things based on attack graph and maximum flow[J]. IEEE Access, 2018, 6: 8599–8609. doi: 10.1109/ACCESS.2018.2805690
    胡浩, 叶润国, 张红旗, 等. 面向漏洞生命周期的安全风险度量方法[J]. 软件学报, 2018, 29(5): 1213–1229. doi: 10.13328/j.cnki.jos.005507

    HU Hao, YE Runguo, ZHANG Hongqi, et al. Vulnerability life cycle oriented security risk metric method[J]. Journal of Software, 2018, 29(5): 1213–1229. doi: 10.13328/j.cnki.jos.005507
    WANG Lingyu, LIU Anyi, and JAJODIA S. Using attack craphs for correlating, hypothesizing, and predicting intrusion alerts[J]. Computer Communications, 2006, 29(15): 2917–2933. doi: 10.1016/j.comcom.2006.04.001
    ROSCHKE S, CHENG F, and MEINEL C. A New Alert Correlation Algorithm Based on Attack Graph[M]. HERRERO Á, CORCHADO E. Computational Intelligence in Security for Information Systems. Berlin, Germany: Springer, 2011: 58–67.
    ROSCHKE S, CHENG F, and MEINEL C. High-quality attack graph-based IDS correlation[J]. Logic Journal of the IGPL, 2013, 21(4): 571–591. doi: 10.1093/jigpal/jzs034
    AHMADINEJAD S H, JALILI S, and ABADI M. A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs[J]. Computer Networks, 2011, 55(9): 2221–2240. doi: 10.1016/j.comnet.2011.03.005
    吕慧颖, 彭武, 王瑞梅, 等. 基于时空关联分析的网络实时威胁识别与评估[J]. 计算机研究与发展, 2014, 51(5): 1039–1049. doi: 10.7544/issn1000-1239.2014.20120816

    Huiying, PENG Wu, WANG Ruimei, et al. A real-time network threat recognition and assessment method based on association analysis of time and space[J]. Journal of Computer Research and Development, 2014, 51(5): 1039–1049. doi: 10.7544/issn1000-1239.2014.20120816
    刘威歆, 郑康锋, 武斌, 等. 基于攻击图的多源告警关联分析方法[J]. 通信学报, 2015, 36(9): 135–144. doi: 10.11959/j.issn.1000-436x.2015193

    LIU Weixin, ZHENG Kangfeng, WU Bin, et al. Alert processing based on attack graph and multi-source analyzing[J]. Journal on Communications, 2015, 36(9): 135–144. doi: 10.11959/j.issn.1000-436x.2015193
    王硕, 汤光明, 寇广, 等. 基于因果知识网络的攻击路径预测方法[J]. 通信学报, 2016, 37(10): 188–198. doi: 10.11959/j.issn.1000-436x.2016210

    WANG Shuo, TANG Guangming, KOU Guang, et al. Attack path prediction method based on causal knowledge net[J]. Journal on Communications, 2016, 37(10): 188–198. doi: 10.11959/j.issn.1000-436x.2016210
    LIANG Wei, CHEN Zuo, YAN Xiaolong, et al. Multiscale entropy-based weighted hidden Markov network security situation prediction model[C]. 2017 IEEE International Congress on Internet Of Things (ICIOT), Honolulu, USA 2017: 97–104.
    CVE. Common vulnerabilities and exposures[EB/OL]. http://cve.mitre.org/, 2018.
    NIST. National vulnerability database[EB/OL]. https://nvd.nist.gov/, 2018.
    CVSS v3.0: specification document[EB/OL].
  • 期刊类型引用(1)

    1. 左雷,金丹. 基于2分随机乘法模型的多重分形海杂波建模研究. 海军工程大学学报. 2019(04): 17-21 . 百度学术

    其他类型引用(3)

  • 加载中
图(11) / 表(6)
计量
  • 文章访问数:  2792
  • HTML全文浏览量:  1526
  • PDF下载量:  67
  • 被引次数: 4
出版历程
  • 收稿日期:  2018-12-04
  • 修回日期:  2019-04-05
  • 网络出版日期:  2019-04-22
  • 刊出日期:  2019-09-10

目录

    /

    返回文章
    返回