Computer Science, 2023, Vol. 50, Issue (12): 349-358. doi: 10.11896/jsjkx.221000019

• Information Security •

Network Asset Security Assessment Model Based on Bayesian Attack Graph

Zeng Kunlun, Zhang Ni, Li Weihao, Qin Yuanyuan

  1. National Computer System Engineering Research Institute of China, Beijing 100083
  • Received: 2022-10-07 Revised: 2023-03-16 Online: 2023-12-15 Published: 2023-12-07
  • Corresponding author: LI Weihao (weihaoli99@163.com)
  • About author: (1184982609@qq.com)

Network Asset Security Assessment Model Based on Bayesian Attack Graph

ZENG Kunlun, ZHANG Ni, LI Weihao, QIN Yuanyuan   

  1. National Computer System Engineering Research Institute of China, Beijing 100083, China
  • Received: 2022-10-07 Revised: 2023-03-16 Online: 2023-12-15 Published: 2023-12-07
  • About author: ZENG Kunlun, born in 1998, postgraduate. His main research interest is network security assessment.
    LI Weihao, born in 1990, Ph.D. Her main research interests include social network security, privacy preservation, cloud computing and network security assessment.

Abstract: Current attack graph models do not consider the reuse of vulnerabilities, and their risk probability calculation is neither comprehensive nor accurate. To assess the security of a network asset environment accurately, a network asset security assessment model based on a Bayesian attack graph is proposed. First, the success probability of each atomic attack is computed from vulnerability exploitability, host protection strength, the time-dependent exploitability of the vulnerability and the vulnerability source, and the attack graph is quantified with a Bayesian network. Second, according to how vulnerabilities are reused, the success probabilities of some atomic attacks and the corresponding prior reachable probabilities are corrected, which serves as the static security risk assessment of the network assets. Third, according to attack events that occur in real time, the reachable probabilities of the related nodes are updated dynamically, realizing dynamic assessment of network asset security risk. Finally, the proposed model is analyzed and validated through experimental simulation and comparison with existing work.

Keywords: Bayesian attack graph, attack event, security assessment, posterior probability, risk probability

Abstract: Current attack graph models do not consider the reuse of vulnerabilities, and their calculation of risk probability is neither comprehensive nor accurate. To overcome these difficulties and evaluate the security of a network asset environment accurately, a network asset security assessment model based on a Bayesian attack graph is proposed. Firstly, the success probabilities of atomic attacks are calculated according to vulnerability exploitability, host protection strength, vulnerability time exploitability and vulnerability source, and the attack graph is quantified by a Bayesian network. Secondly, the success probabilities of some atomic attacks and the corresponding prior reachable probabilities are modified according to the reuse of vulnerabilities, to evaluate the static security risk of network assets. Thirdly, the reachable probabilities of related nodes are updated dynamically according to real-time attack events, to realize dynamic assessment of network asset security risk. Finally, the proposed model is analyzed and verified through experimental simulation and comparison with existing works.

Key words: Bayesian attack graph, Attack event, Security assessment, Posterior probability, Risk probability
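The abstract describes prior reachable probabilities computed over a Bayesian attack graph and their posterior update when an attack event is observed. The following is an added illustration of that idea, not the paper's code: the toy graph, the atomic-attack success probabilities and the combination rules (noisy-OR for OR nodes, product for AND nodes) are all my assumptions, since the page gives no formulas; inference is exact by enumerating node states, which is affordable for a graph this small.

```python
from itertools import product

# Constructed toy Bayesian attack graph (example data, not from the paper).
# node -> (kind, [(parent, success probability of the atomic attack from parent)])
# OR : compromise via any one parent suffices (noisy-OR combination)
# AND: every parent exploit must succeed (product combination)
GRAPH = {
    "attacker": ("ROOT", []),
    "web":      ("OR",  [("attacker", 0.8)]),
    "ftp":      ("OR",  [("attacker", 0.5)]),
    "db":       ("OR",  [("web", 0.6), ("ftp", 0.3)]),
    "admin":    ("AND", [("db", 0.7), ("ftp", 0.9)]),
}

def cond_prob(node, state):
    """P(node compromised = 1 | parent states), per the assumed rules."""
    kind, parents = GRAPH[node]
    if kind == "ROOT":
        return 1.0                      # attacker's entry point is always present
    if kind == "OR":
        miss = 1.0
        for parent, q in parents:
            if state[parent]:           # only compromised parents can launch the attack
                miss *= 1.0 - q
        return 1.0 - miss
    prob = 1.0                          # AND node
    for parent, q in parents:
        prob *= q if state[parent] else 0.0
    return prob

def joint(state):
    """Joint probability of one full assignment of node states."""
    prob = 1.0
    for node in GRAPH:
        p1 = cond_prob(node, state)
        prob *= p1 if state[node] else 1.0 - p1
    return prob

def reachable_probs(evidence=None):
    """Marginal P(node = 1 | evidence); evidence maps node -> observed 0/1.
    With no evidence this is the prior reachable probability; with an observed
    attack event it is the posterior the abstract refers to."""
    evidence = evidence or {}
    nodes = list(GRAPH)
    norm, marg = 0.0, {n: 0.0 for n in nodes}
    for bits in product((0, 1), repeat=len(nodes)):
        state = dict(zip(nodes, bits))
        if any(state[n] != v for n, v in evidence.items()):
            continue                    # inconsistent with what was observed
        w = joint(state)
        norm += w
        for n in nodes:
            if state[n]:
                marg[n] += w
    return {n: marg[n] / norm for n in nodes}

if __name__ == "__main__":
    prior = reachable_probs()
    post = reachable_probs({"db": 1})   # constructed event: db host confirmed compromised
    for n in GRAPH:
        print(f"{n:9s} prior={prior[n]:.4f} posterior={post[n]:.4f}")
```

Observing the event on db raises both the upstream estimate for web (the likeliest path into db) and the downstream risk for admin, which is the dynamic re-assessment the abstract describes.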

CLC number: TP393