Disclosure of Invention
The invention aims to provide a network security situation assessment method based on an attack graph model, addressing the problems in the prior art. Compared with the traditional network situation assessment method, the method improves the accuracy of attack path prediction and the accuracy of network security situation assessment to a great extent, and can provide theoretical support and a scientific basis for network security management personnel to put protection in place in advance.
The technical scheme of the invention is as follows:
The network security situation assessment method based on the attack graph model comprises the following steps:
S1, combining the space-time characteristics of network security attack events with multi-source alarm data to construct network attack behavior characteristics;
S2, mapping the attack nodes of network attack behaviors based on the alarm information, and acquiring multi-step attack paths;
S3, constructing an attack graph, and deducing the most probable attack path of an attacker by combining the attack transition probabilities;
S4, carrying out a security situation assessment on each attack node of the most probable attack path, and then assessing the security situation of the whole network based on the security situation of each attack node.
Specifically, step S1 includes the following steps:
S11, reconstructing the multi-source alarm data of network attack behaviors by adopting a sliding window method;
S12, carrying out space-time feature extraction and pooling on the reconstructed multi-source alarm data by adopting a convolutional neural network to finally form a feature map, realizing feature-level fusion of the alarm information and obtaining the network attack behavior characteristics.
Specifically, step S2 includes the following implementation steps:
S21, inputting the network attack behavior characteristics into a three-layer BP neural network, obtaining the attack probability of each network node, and taking the node with the maximum attack probability as the confirmed network attack node, wherein the network attack nodes comprise attack behavior nodes a_i and resource nodes r_i;
S22, after the attack operation of attack behavior node a_i, the attacker arrives at resource node r_i; attack node a_i and resource node r_i are connected in the topological order of the attack behaviors to obtain the multi-step attack path of each attack behavior, and the attack path is expressed as:
Path = {<a_i, r_i>, <r_i, a_j>}.
Specifically, step S3 includes the following implementation steps:
S31, based on historical attack behaviors, counting the node transfer sequences of the attack behaviors, acquiring the probability of an attack behavior transferring from the current attack node to the next attack node, and forming an attack probability transfer table;
S32, based on the attack behavior transition probabilities, defining a network attack graph based on transition probability, and quantifying the possibility of an attack behavior transferring from the current attack node to the next attack node;
S33, accumulating the transition probabilities of each possible attack path, and taking the path with the maximum probability as the most probable attack path of the attacker.
Specifically, step S4 includes the following implementation steps:
S41, calculating the security situation evaluation value of each attack node of the most probable attack path:
S_i = (V_i, T_i, W_i) * (w_iv, w_iT, w_iw);
wherein V_i represents the vulnerability situation value of node i, T_i the threat situation value of node i, W_i the running state situation value of node i, w_iv the vulnerability weight of node i, w_iT the threat weight of node i, and w_iw the running state weight of node i;
S42, accumulating the security situation evaluation values of all attack nodes of the most probable attack path to obtain the security situation evaluation value of the whole network:
Specifically, the three-layer BP neural network comprises an input layer, a hidden layer and an output layer, and adjacent layers are interconnected by modifiable weights w.
Specifically, the value range of the vulnerability situation value is 1-4, wherein 1 represents low risk; 2 represents a medium risk; 3 represents a mid-upper risk; 4 represents a high risk; the value range of the threat situation value is 1-4, wherein: 1 represents safety; 2 represents a mild threat; 3 represents a moderate threat; 4 represents a high threat; the value range of the running state situation value is 1-4, wherein: 1 indicates normal operation; 2 represents a mild threat; 3 represents a threat; 4 represents a high threat.
The beneficial effects of the invention are as follows: compared with the prior art, the invention reconstructs the alarm data with a sliding window method and extracts the space-time characteristics of the alarm data; maps attack nodes with a three-layer BP neural network and acquires multi-step attack paths; on the basis of the network attack graph, infers the intention of the attacker by combining the transition probabilities, forms a dynamic evolution mechanism of network security driven by multi-step attack through the method of accumulating probabilities, and dynamically reflects changes in the network security situation. Compared with the traditional network situation assessment method, the method disclosed by the invention improves the attack path prediction accuracy and the network security situation assessment accuracy to a great extent, and can provide theoretical support and a scientific basis for network security management personnel to put protection in place in advance.
Detailed Description
The technical scheme of the invention is described in detail below with reference to the accompanying drawings and the specific embodiments.
The network security situation assessment method based on the attack graph model comprises the following steps:
S1, combining the space-time characteristics of network security attack events with multi-source alarm data to construct network attack behavior characteristics;
S2, mapping the attack nodes of network attack behaviors based on the alarm information, and acquiring multi-step attack paths;
S3, constructing an attack graph, and deducing the most probable attack path of an attacker by combining the attack transition probabilities;
S4, carrying out a security situation assessment on each attack node of the most probable attack path, and then assessing the security situation of the whole network based on the security situation of each attack node.
Example 1
Against current network security attack behaviors, enterprises generally deploy various network security detection devices to detect attack behaviors. Thus, once a network attack occurs, the various security detection devices generate alarm logs in different formats and forms, and the huge amount of redundant alarm information makes attack behavior analysis very inconvenient for network security administrators. For this situation, this embodiment provides a multi-source alarm data fusion method based on semantic feature similarity, and obtains more accurate network attack behavior features from the fused data and the alarm semantic information. Considering that different security detection devices react to an attack behavior inconsistently, the alarm times of the same attack behavior may also be inconsistent. Therefore, in this embodiment a sliding window method is used to reconstruct the multi-source alarm data of a network attack; the method for reconstructing multi-source alarm data is shown in fig. 1.
Then, a convolutional neural network is adopted to extract and pool the space-time characteristics of the reconstructed multi-source alarm data to finally form a feature map, feature-level fusion of the alarm information is realized, and the network attack behavior characteristics are obtained; the specific process is shown in fig. 2.
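The sliding-window reconstruction of step S11 can be shown concretely. The block below is an added example and not code from the patent: it groups alarms that describe the same attack step but were emitted at slightly different times by different devices, and derives a small numeric feature vector per reconstructed event for the later CNN stage. The sensors, hosts, alarm types, the 10-second window and the type encoding are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed multi-source alarm records (hypothetical sensors, hosts and types).
# Each record: (timestamp, sensor, source_ip, destination_ip, alarm_type)
ALARMS = [
    ("2024-01-01 10:00:00", "ids_a", "10.0.0.5", "10.0.1.10", "portscan"),
    ("2024-01-01 10:00:04", "ids_b", "10.0.0.5", "10.0.1.10", "portscan"),
    ("2024-01-01 10:00:07", "fw",    "10.0.0.5", "10.0.1.10", "portscan"),
    ("2024-01-01 10:01:30", "ids_a", "10.0.0.5", "10.0.1.10", "exploit"),
    ("2024-01-01 10:01:33", "ids_b", "10.0.0.5", "10.0.1.10", "exploit"),
    ("2024-01-01 10:05:00", "fw",    "10.0.0.9", "10.0.1.20", "dos"),
]

TYPE_IDS = {"portscan": 1, "exploit": 2, "dos": 3}   # hypothetical encoding


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def reconstruct(alarms, window=timedelta(seconds=10)):
    """Group alarms by (src, dst, type); inside a group a record joins the
    open window while it lies within `window` of that window's first alarm,
    otherwise a new window (a new attack step) is opened."""
    groups = defaultdict(list)
    for ts, sensor, src, dst, kind in sorted(alarms, key=lambda r: _parse(r[0])):
        groups[(src, dst, kind)].append((_parse(ts), sensor))

    events = []
    for (src, dst, kind), records in groups.items():
        current = None
        for t, sensor in records:
            if current is None or t - current["start"] > window:
                current = {"src": src, "dst": dst, "type": kind,
                           "start": t, "end": t, "sensors": []}
                events.append(current)
            current["end"] = t
            current["sensors"].append(sensor)
    events.sort(key=lambda e: e["start"])
    return events


def feature_vector(event):
    """Per-event numeric features for the later pooling/CNN stage: alarm count,
    number of distinct sensors that agree, spread of alarm times in seconds,
    and the encoded alarm type."""
    return [
        len(event["sensors"]),
        len(set(event["sensors"])),
        (event["end"] - event["start"]).total_seconds(),
        TYPE_IDS[event["type"]],
    ]


if __name__ == "__main__":
    for ev in reconstruct(ALARMS):
        print(ev["start"], ev["src"], "->", ev["dst"], ev["type"], feature_vector(ev))
```

With the constructed input the six raw alarms collapse to three events; the port-scan step is confirmed by all three sensors within 7 seconds, which is exactly the redundancy the window is meant to absorb.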
Example 2
Existing network attacks generally follow a roundabout path: the attacker obtains root privileges on a certain computer through a vulnerability of that computer, and then uses that computer as a springboard to attack a server or a cluster. Therefore, under this "detour" attack model, a network attack must adopt a multi-step attack method in order to reach its given target. Based on this idea, in this embodiment the attack node of a network attack behavior (which can be understood as the IP of an attacked computer) is mapped from the fused alarm information characteristics, and the transfer sequence of the attack behavior from the current attack node to the next attack node is then associated to acquire a multi-step attack path; the specific operation is as follows:
The network attack behavior characteristics are input into a three-layer BP neural network, the attack probability of each network node is obtained, and the node with the maximum attack probability is taken as the confirmed network attack node. As shown in fig. 3, the 6-3-1 neural network is a three-layer network composed of an input layer, a hidden layer and an output layer, with adjacent layers interconnected by modifiable weights w. The input layer contains six nodes, the hidden layer contains 3 nodes, and the output layer contains 1 node. The neuron of the output layer of the three-layer BP neural network outputs the attack node for the reconstructed alarm information characteristics, and the attack nodes are associated in time order to form the multi-step attack path of each attack behavior.
The network attack nodes comprise attack behavior nodes a_i and resource nodes r_i. After the attack operation of attack behavior node a_i, the attacker arrives at resource node r_i; attack node a_i and resource node r_i are connected in topological order to obtain the multi-step attack path of each attack behavior, and the attack paths are expressed as follows:
Path = {<a_i, r_i>, <r_i, a_j>}.
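The 6-3-1 BP network of this example can be written out in plain Python without any machine-learning library. The block below is an added example, not the patent's own implementation: it trains a 6-input, 3-hidden, 1-output sigmoid network by ordinary back-propagation on squared error, then scores a set of candidate nodes and confirms the one with the maximum attack probability. The pooled feature vectors, their scaling, the node IPs and the training hyper-parameters are constructed assumptions.

```python
import math
import random


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class BPNet631:
    """Three-layer 6-3-1 BP network; every weight is modifiable and updated
    by per-sample gradient descent on the squared output error."""

    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.w1 = [[rng.uniform(-0.5, 0.5) for _ in range(6)] for _ in range(3)]
        self.b1 = [0.0] * 3
        self.w2 = [rng.uniform(-0.5, 0.5) for _ in range(3)]
        self.b2 = 0.0

    def forward(self, x):
        h = [sigmoid(sum(w * xi for w, xi in zip(row, x)) + b)
             for row, b in zip(self.w1, self.b1)]
        o = sigmoid(sum(w * hi for w, hi in zip(self.w2, h)) + self.b2)
        return h, o

    def train(self, samples, epochs=3000, lr=0.5):
        for _ in range(epochs):
            for x, y in samples:
                h, o = self.forward(x)
                delta_o = (o - y) * o * (1 - o)                 # output error signal
                delta_h = [delta_o * w * hi * (1 - hi)          # back-propagated to hidden
                           for w, hi in zip(self.w2, h)]
                for j in range(3):
                    self.w2[j] -= lr * delta_o * h[j]
                self.b2 -= lr * delta_o
                for j in range(3):
                    for i in range(6):
                        self.w1[j][i] -= lr * delta_h[j] * x[i]
                    self.b1[j] -= lr * delta_h[j]

    def attack_probability(self, x):
        return self.forward(x)[1]


# Constructed pooled 6-dimensional space-time features (hypothetical scaling to
# [0, 1]): [alarm rate, sensor agreement, max severity, burst duration,
# repeat flag, exposure]; label 1.0 = node was attacked, 0.0 = normal.
TRAIN = [
    ([0.80, 1.00, 0.75, 0.50, 1.0, 0.60], 1.0),
    ([0.90, 0.67, 1.00, 0.70, 1.0, 0.80], 1.0),
    ([0.70, 1.00, 0.75, 0.40, 1.0, 0.50], 1.0),
    ([0.85, 0.67, 0.75, 0.60, 1.0, 0.70], 1.0),
    ([0.10, 0.33, 0.25, 0.05, 0.0, 0.60], 0.0),
    ([0.05, 0.33, 0.25, 0.00, 0.0, 0.20], 0.0),
    ([0.20, 0.33, 0.50, 0.10, 0.0, 0.50], 0.0),
    ([0.15, 0.67, 0.25, 0.05, 0.0, 0.30], 0.0),
]

# Candidate nodes in the current time window (hypothetical IPs and features).
CANDIDATES = {
    "10.0.1.10": [0.82, 1.00, 0.75, 0.55, 1.0, 0.60],
    "10.0.1.20": [0.12, 0.33, 0.25, 0.05, 0.0, 0.40],
    "10.0.1.30": [0.30, 0.33, 0.50, 0.10, 0.0, 0.70],
}


def confirm_attack_node(net, candidates):
    """Score every candidate node and take the maximum probability as the
    confirmed attack node, as step S21 describes."""
    probs = {node: net.attack_probability(x) for node, x in candidates.items()}
    return max(probs, key=probs.get), probs


def trained_net():
    net = BPNet631(seed=0)
    net.train(TRAIN)
    return net


if __name__ == "__main__":
    node, probs = confirm_attack_node(trained_net(), CANDIDATES)
    print("confirmed attack node:", node, {k: round(v, 3) for k, v in probs.items()})
```

Confirmed nodes from successive windows are then chained in time order to form the multi-step path; that chaining is the step the transition-probability graph of Example 3 builds on.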
example 3
The network attack graph comprises attack behavior nodes, resource nodes, and edges between the two kinds of node representing attack directions. The edges between nodes have two connection relations, AND and OR: AND indicates that the previous node can reach the next node only when all the specified conditions are met; OR indicates that the previous node reaches the next node when any one of the conditions is satisfied. An exemplary attack graph is shown in fig. 4.
In fig. 4, the network attack graph assumes that a_1, a_2 and a_3 are the nodes initiating the network attack behavior; after attacking through a_1, a_2 and a_3, the attacker occupies resource node r_1; the attacker then attacks attack node a_4 and occupies resource node r_3; finally, network attack behavior node a_7 can be reached through this process.
Considering the characteristics of each node, the selection of an attack path is related to the vulnerability and protection of the node itself. To measure the sequence transition probability of an attack path more scientifically, the node transfer sequences of attack behaviors are counted based on historical attack behaviors, the probability of an attack behavior transferring from the current attack node to the next attack node is obtained, and an attack probability transfer table is formed; the transition probabilities of some attacks are shown in Table 1.
TABLE 1
Then, based on the attack behavior transition probabilities, a network attack graph based on transition probability is defined, quantifying the possibility of an attack behavior transferring from the current attack node to the next attack node; the network attack graph based on transition probabilities is shown in fig. 5.
When a network administrator observes the alarms of some attack behaviors, this embodiment uses a deep learning method to acquire the space-time characteristics of the alarms, uses the three-layer BP neural network to confirm the attack nodes, and then associates the attack nodes in time order to form the multi-step attack path of the current attack behavior. Then, combining the transition-probability network attack graph, the potential attack intention of the attacker is judged from the current network attack path. For example, after a network attacker has attacked through a_1, a_2 and a_3 and occupied resource node r_1, we predict that the attacker's next attack intention is to attack node a_4 or a_6. To resolve this choice, this embodiment accumulates the transition probability of each possible attack path and takes the path with the maximum probability as the potential attack path. The transition probability attack graph is defined as follows:
U(a_1, a_2, r_1) denotes the AND operation over the transition probabilities of all edges pointing to node r_1, and its calculation formula is as follows:
The corresponding term for r_3 denotes the OR operation over the transition probabilities of all edges pointing to node r_3, and its calculation formula is as follows:
r3 ’|U( r1,a6 ,;
wherein p_{a_i r_i} represents the transition probability of moving from attack node a_i to resource node r_i. The following analysis focuses on the set of possible paths by which the attacker reaches a_7 after r_1 has been attacked.
(1) Path1 = {<r_1, a_4>, <a_4, r_3>, <r_3, a_7>}, whose cumulative probability is:
(2) Path2 = {<r_1, a_6>, <a_6, r_3>, <r_3, a_7>}, whose cumulative probability is:
(3) Path3 = {<r_1, a_6>, <a_6, r_4>, <r_4, a_7>}, whose cumulative probability is:
Based on the cumulative probability analysis of each attack path above, the probability that the attacker selects Path1 is the highest.
Therefore, the most likely attack path is selected for calculating the network security situation assessment.
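The path enumeration and probability accumulation of steps S31 to S33, applied to the graph of fig. 4, can be made concrete. The block below is an added example and not the patent's code. Since Table 1 and the formulas for U are not reproduced on the page, the edge probabilities are constructed, and two readings are stated as assumptions: the cumulative probability of a path is the product of its edge probabilities, the AND combination at a resource node is the product of all incoming edge probabilities, and the OR combination is the noisy-OR 1 - prod(1 - p). The node names follow the figure; the logic annotation of r_4 is assumed.

```python
import math

# Constructed attack transition probabilities for the fig. 4 graph
# (Table 1 is not on the page, so these values are hypothetical).
TRANSITIONS = {
    ("a1", "r1"): 0.9, ("a2", "r1"): 0.8, ("a3", "r1"): 0.7,
    ("r1", "a4"): 0.6, ("r1", "a6"): 0.4,
    ("a4", "r3"): 0.8, ("a6", "r3"): 0.5, ("a6", "r4"): 0.5,
    ("r3", "a7"): 0.7, ("r4", "a7"): 0.6,
}

# Connection relation of the edges entering each resource node:
# r1 needs a1, a2 and a3 (AND); r3 is reached from a4 or a6 (OR); r4 assumed OR.
NODE_LOGIC = {"r1": "AND", "r3": "OR", "r4": "OR"}


def resource_reach_probability(node):
    """U(...) for a resource node. Assumption: AND = product of all incoming
    edge probabilities (every condition must hold); OR = noisy-OR."""
    incoming = [p for (u, v), p in TRANSITIONS.items() if v == node]
    if NODE_LOGIC.get(node) == "AND":
        return math.prod(incoming)
    return 1.0 - math.prod(1.0 - p for p in incoming)


def successors(node):
    return [v for (u, v) in TRANSITIONS if u == node]


def enumerate_paths(start, goal):
    """All simple paths from `start` to `goal` following edge directions."""
    paths = []

    def walk(node, path):
        if node == goal:
            paths.append(path)
            return
        for nxt in successors(node):
            if nxt not in path:            # no revisits: keep paths simple
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


def cumulative_probability(path):
    """Accumulate the transition probabilities along a path (assumed: product)."""
    p = 1.0
    for u, v in zip(path, path[1:]):
        p *= TRANSITIONS[(u, v)]
    return p


def most_probable_path(start, goal):
    """Step S33: score every possible path and keep the maximum."""
    scored = {tuple(p): cumulative_probability(p) for p in enumerate_paths(start, goal)}
    best = max(scored, key=scored.get)
    return list(best), scored


if __name__ == "__main__":
    best, scored = most_probable_path("r1", "a7")
    for path, prob in scored.items():
        print(" -> ".join(path), round(prob, 4))
    print("most probable:", " -> ".join(best))
    print("P(reach r1) =", round(resource_reach_probability("r1"), 4))
```

With the constructed values the three paths of the text come out at 0.336, 0.140 and 0.120, so Path1 (r_1, a_4, r_3, a_7) is selected, matching the conclusion above; changing a single entry of TRANSITIONS is enough to see the predicted intention move to another path.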
Example 4
For step S4 of the method, this embodiment discusses in detail how the security situation evaluation is performed on each attack node of the most probable attack path, and how the security situation of the whole network is then evaluated based on the security situation of each attack node.
Calculating security situation evaluation values of all attack nodes of the most probable attack path:
S_i = (V_i, T_i, W_i) * (w_iv, w_iT, w_iw);
wherein V_i represents the vulnerability situation value of node i, T_i the threat situation value of node i, W_i the running state situation value of node i, w_iv the vulnerability weight of node i, w_iT the threat weight of node i, and w_iw the running state weight of node i. The value range of the vulnerability situation value is 1-4, wherein 1 = low risk; 2 = medium risk; 3 = upper-middle risk; 4 = high risk. The value range of the threat situation value is 1-4, wherein 1 = secure; 2 = mild threat; 3 = moderate threat; 4 = high threat. The value range of the running state situation value is 1-4, wherein 1 = functioning properly; 2 = mild threat; 3 = threat; 4 = high threat.
The network security situation assessment algorithm uses the network security information of each server node in the network (including intrusion information, network node topology information, vulnerability information, performance information, service information and log information) to acquire the vulnerability situation, threat situation and system operation situation of each node; determines the influence degree of these situations in different nodes in combination with the distribution of the nodes in the network cluster; and accumulates the security situation assessment values of all attack nodes of the most probable attack path to obtain the security situation assessment value of the whole network:
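The node-level evaluation S_i and its accumulation over the selected path can be written out directly. The block below is an added example, not the patent's implementation: it computes S_i as the dot product of (V_i, T_i, W_i) with (w_iv, w_iT, w_iw), rejects situation values outside the 1-4 ranges stated above, and accumulates the node values along the most probable path. Because the page gives no accumulation formula, a plain sum is assumed, with an optional per-node importance factor (default 1) standing in for the "influence degree" of a node in the cluster; the situation values, weights and importance factors for the nodes of Path1 are constructed.

```python
RANGES = {"V": (1, 4), "T": (1, 4), "W": (1, 4)}   # value ranges from the text


def node_situation(V, T, W, w_v, w_T, w_W):
    """S_i = (V_i, T_i, W_i) . (w_iv, w_iT, w_iw); situation values are
    validated against the 1-4 ranges before weighting."""
    for name, value in (("V", V), ("T", T), ("W", W)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            raise ValueError(f"{name} situation value {value} outside {lo}-{hi}")
    return V * w_v + T * w_T + W * w_W


def network_situation(path, node_data, importance=None):
    """Accumulate S_i over the attack nodes of the most probable path.
    Assumption: accumulation is a sum, each node scaled by an importance
    factor (default 1.0) reflecting its role in the cluster."""
    importance = importance or {}
    total = 0.0
    per_node = {}
    for node in path:
        s = node_situation(**node_data[node])
        per_node[node] = s
        total += importance.get(node, 1.0) * s
    return total, per_node


# Constructed situation values and weights for the nodes of Path1 (fig. 4).
NODE_DATA = {
    "r1": dict(V=3, T=4, W=3, w_v=0.4, w_T=0.4, w_W=0.2),
    "a4": dict(V=2, T=3, W=2, w_v=0.5, w_T=0.3, w_W=0.2),
    "r3": dict(V=4, T=3, W=4, w_v=0.3, w_T=0.4, w_W=0.3),
    "a7": dict(V=1, T=2, W=1, w_v=0.4, w_T=0.4, w_W=0.2),
}
PATH1 = ["r1", "a4", "r3", "a7"]
IMPORTANCE = {"r3": 1.5}          # hypothetical: r3 is a cluster-critical resource


if __name__ == "__main__":
    total, per_node = network_situation(PATH1, NODE_DATA, IMPORTANCE)
    for node, s in per_node.items():
        print(node, round(s, 2))
    print("network security situation value:", round(total, 2))
```

Per-node values of 3.4, 2.3, 3.6 and 1.4 sum to 10.7 with unit importance, and to 12.5 once r_3 is weighted 1.5; a node value above 4 or below 1 cannot arise because the inputs are range-checked.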
example 5
In order to verify the feasibility of the above embodiment, the present embodiment provides the following experimental verification.
Experimental verification was carried out on a test network by simulating network attack behaviors with methods such as denial-of-service attacks, vulnerability attacks and forged-message attacks. During the attack process, 593 alarm events were extracted and the relevant attack behaviors were labelled. The experiment included simulating 2 normal network behaviors and 3 different combinations of attack behaviors. After space-time feature fusion of the alarm data, the alarm information was mapped through a three-layer neural network to obtain the attack nodes (network structure 6-3-1: the input layer comprises six nodes, the hidden layer 3 nodes and the output layer 1 node; the input is the space-time feature of the alarm data, whose N-dimensional space-time feature is compressed into 6 feature values by pooling and fed to the input layer; correlation between feature values is computed through the modifiable weights w interconnecting the layers; and finally the suspicious attack nodes based on the space-time features of the alarm information are output), and a multi-step attack path was formed in combination with the time sequence. Transition probabilities were then introduced into the attack graph to deduce the most probable attack intention of the attacker. Finally, the potential attack path was combined to realize the security situation assessment of the high-probability attack nodes, and the security situation assessment value of the whole network was calculated according to the importance of each node in the cluster.
The experiment compares the traditional network situation assessment method with the method of this embodiment; the attack path prediction accuracy and the deviation rate of the network security situation assessment predicted value for both methods are shown in Table 2.
TABLE 2
Compared with the traditional network situation assessment method, the method of this embodiment improves the attack path prediction accuracy and the accuracy of network security situation assessment to a great extent. Because the method extracts the space-time characteristics of the alarm data it can extract attack behaviors accurately, and by combining the current attack path with the attack probability transition table it infers the attacker's attack intention, so it analyzes attack behaviors from multiple dimensions and reduces the interference of false alarm events on attack behavior judgment. In addition, the method predicts the most likely attack path using the accumulated probability of the attack path on the basis of the existing attack stage, forming a dynamic evolution mechanism of network security driven by multi-step attack, so that changes in the network security situation are reflected dynamically and the accuracy of the algorithm is ensured.
In conclusion, compared with the traditional network situation assessment method, the method disclosed by the invention improves the attack path prediction accuracy and the network security situation assessment accuracy to a great extent, and can provide theoretical support and a scientific basis for network security management personnel to put protection in place in advance.
Finally, it should be noted that the above-mentioned embodiments only illustrate the technical scheme of the present invention and do not limit it. Although the invention has been described in detail with reference to the preferred embodiments, those skilled in the art will appreciate that modifications may be made to the specific embodiments of the present invention, or equivalents may be substituted for part of its technical features, without departing from the spirit of the invention, and such modifications are intended to fall within the scope of the invention as claimed.