Computer Science, 2022, Vol. 49, Issue 9: 306-311. doi: 10.11896/jsjkx.210600171

• Information Security •

Network Security Risk Assessment Framework Based on Tactical Correlation

柳杰灵1, 凌晓波2, 张蕾3, 王博1, 王之梁1, 李子木1, 张辉1, 杨家海1, 吴程楠4   

  1 Institute for Network Science and Cyberspace & Beijing National Research Center for Information Science and Technology (BNRist), Tsinghua University, Beijing 100084
    2 State Grid Shanghai Electric Power Company, Shanghai 200122
    3 State Grid Shanghai Electric Power Research Institute, Shanghai 200437
    4 State Grid Shanghai Songjiang Power Supply Company, Shanghai 201699
  • Received: 2021-06-22 Revised: 2021-12-27 Online: 2022-09-15 Published: 2022-09-09
  • Corresponding author: YANG Jia-hai (yang@cernet.edu.cn)
  • About author: (liu-jl18@tsinghua.org.cn)
  • Supported by:
    National Key Research and Development Program of China (2017YFB0803004)

Network Security Risk Assessment Framework Based on Tactical Correlation

LIU Jie-ling1, LING Xiao-bo2, ZHANG Lei3, WANG Bo1, WANG Zhi-liang1, LI Zi-mu1, ZHANG Hui1, YANG Jia-hai1, WU Cheng-nan4   

  1 Institute for Network Science and Cyberspace & BNRist, Tsinghua University, Beijing 100084, China
    2 State Grid Shanghai Electric Power Company, Shanghai 200122, China
    3 State Grid Shanghai Electric Power Research Institute, Shanghai 200437, China
    4 Songjiang Power Supply Company of State Grid Shanghai Municipal Electric Power Company, Shanghai 201699, China
  • Received: 2021-06-22 Revised: 2021-12-27 Online: 2022-09-15 Published: 2022-09-09
  • About author: LIU Jie-ling, born in 1995, holds a master's degree. His main research interests include advanced persistent threats and game theory.
    YANG Jia-hai, born in 1966, professor, Ph.D. supervisor, is a member of China Computer Federation. His main research interests include network management, network measurement and security, cloud computing and network functions virtualization.
  • Supported by:
    National Key Research and Development Program of China (2017YFB0803004).

Abstract (translated from the Chinese): Power system networks are among the important targets of cyber attacks. To ensure the safe operation of the power system, network administrators need to assess the network security risk that the power system network faces. Existing network security risk assessment frameworks usually evaluate only a single scenario and cannot pick out, from a large volume of security alerts, strategic attackers who combine several techniques to reach their goal. To address this challenge, this paper designs a network security risk assessment framework based on tactical correlation. The framework draws on mature network security knowledge bases and consolidates repeated indicators so as to keep the user's input as small as possible, and it correlates the alerts produced by multiple network security systems at the tactical level, so that attacks which coordinate several techniques can be discovered. An advanced persistent threat (APT) attack case is assessed; the comparison shows that, relative to the existing Lightweight Information Security Risk Assessment (LiSRA) framework, the proposed method discovers high-threat risks more effectively and is more robust than existing methods.

Keywords (translated from the Chinese): network security, advanced persistent threat (APT), risk assessment, tactical correlation, risk management

Abstract: Power system networks are among the important targets of cyber attack. To ensure the safe operation of the power system, network managers need to evaluate its network security risk. Existing network security risk assessment frameworks usually address only a single scenario, and cannot find, among large quantities of network security alerts, strategic attackers who use a variety of low-risk methods to achieve high-risk threat targets. To meet this challenge, this paper proposes a network security risk assessment method based on tactical correlation. In this method, the alerts generated on various network security detection devices while an attacker carries out a multi-step attack are correlated to form an attack chain, and the security risk of the organization's intranet is evaluated by calculating the threat, vulnerability and impact score of each node in the attack chain and the risk score of the whole attack chain. To verify the effectiveness and robustness of the proposed method, this paper selects a representative example to illustrate the concrete process of applying the method to network security risk assessment in an organizational intranet. The example shows that the network security risk assessment framework based on tactical correlation correctly assesses the harm of a multi-step attack in which low-risk alerts combine to reach a high-risk target, and is more robust than the traditional single-scenario analysis method, so it gives an organization's decision-makers a better basis for decisions in network security risk management.
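As an added illustration of the idea in the abstract (this is not the paper's code, and it uses an assumed scoring model, since the page gives no formulas): alerts from several sensors are grouped at the tactic level into a chain, each node gets a threat, vulnerability and impact score, and the chain's score is compared with the best single-alert score. The ATT&CK tactic ordering, the per-node product and the chain aggregation are all assumptions of this example.

```python
from dataclasses import dataclass
from math import prod

# ATT&CK tactic names used as the correlation axis; the ordering is this example's
# assumption, since the paper's own tactic model is not given on this page.
TACTIC_ORDER = ["initial-access", "execution", "persistence", "privilege-escalation",
                "lateral-movement", "collection", "exfiltration"]

@dataclass
class Alert:
    sensor: str           # which detection device raised the alert
    host: str
    tactic: str
    threat: float         # 0..1 likelihood the alert is real adversary activity
    vulnerability: float  # 0..1 exposure of the asset to the technique seen
    impact: float         # 0..1 harm if this stage succeeds on this asset

def node_risk(a: Alert) -> float:
    """Single-scenario score: what a per-alert assessment reports for one alert."""
    return round(a.threat * a.vulnerability * a.impact, 3)

def correlate(alerts):
    """Group alerts by host (a real deployment would also key on time window and
    lateral-movement links), order each group by tactic, and keep groups that span
    two or more tactics: those are the candidate multi-step attack chains."""
    chains = []
    for host in sorted({a.host for a in alerts}):
        chain = sorted((a for a in alerts if a.host == host),
                       key=lambda a: TACTIC_ORDER.index(a.tactic))
        if len({a.tactic for a in chain}) >= 2:
            chains.append(chain)
    return chains

def chain_risk(chain) -> float:
    """Assumed chain score: sensors corroborating one intrusion raise confidence that
    it is real (1 - prod(1 - threat_i)); harm is taken from the deepest stage reached."""
    confidence = 1 - prod(1 - a.threat for a in chain)
    deepest = chain[-1]
    return round(confidence * deepest.vulnerability * deepest.impact, 3)

# Constructed alerts: each is low-risk alone; together they reach exfiltration on ws-17.
SAMPLE = [
    Alert("ids",     "ws-17", "initial-access",   0.30, 0.70, 0.20),
    Alert("edr",     "ws-17", "execution",        0.30, 0.60, 0.30),
    Alert("edr",     "ws-17", "persistence",      0.30, 0.60, 0.30),
    Alert("netflow", "ws-17", "lateral-movement", 0.40, 0.80, 0.50),
    Alert("proxy",   "ws-17", "exfiltration",     0.35, 0.80, 0.90),
    Alert("ids",     "ws-02", "execution",        0.30, 0.50, 0.30),  # lone alert
]
```

On the constructed sample the best single alert scores 0.252 while the correlated chain scores 0.624, which is the gap a single-scenario assessment misses.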

Key words: Network security, Advanced persistent threat (APT), Risk assessment, Tactical correlation, Risk management

CLC number: TP309