Computer Science ›› 2023, Vol. 50 ›› Issue (12): 349-358. doi: 10.11896/jsjkx.221000019

• Information Security •

Network Asset Security Assessment Model Based on Bayesian Attack Graph

ZENG Kunlun, ZHANG Ni, LI Weihao, QIN Yuanyuan   

1. National Computer System Engineering Research Institute of China, Beijing 100083, China
• Received: 2022-10-07  Revised: 2023-03-16  Online: 2023-12-15  Published: 2023-12-07
• About author: ZENG Kunlun, born in 1998, postgraduate. His main research interest is network security assessment.
  LI Weihao, born in 1990, Ph.D. Her main research interests include social network security, privacy preservation, cloud computing and network security assessment.

Abstract: Existing attack graph models do not account for the reuse of vulnerabilities, and their calculation of risk probability is neither comprehensive nor accurate. To address these shortcomings and assess the security of a network asset environment accurately, a network asset security assessment model based on a Bayesian attack graph is proposed. First, the success probability of each atomic attack is calculated from the vulnerability's exploitability, the host's protection strength, the vulnerability's time-dependent exploitability and the vulnerability's source, and the attack graph is quantified as a Bayesian network. Second, the success probabilities of some atomic attacks, together with the corresponding prior reachable probabilities, are revised to account for vulnerability reuse, which yields a static assessment of the security risk of network assets. Third, the reachable probabilities of the affected nodes are updated dynamically according to real-time attack events, giving a dynamic assessment of network asset security risk. Finally, the proposed model is analysed and its effectiveness verified through simulation experiments and comparison with existing work.
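The abstract describes a four-stage pipeline (score atomic attacks, quantify the graph as a Bayesian network, revise for vulnerability reuse, update on live attack events). The following is an added example written for this page, not the authors' code, and it does not reproduce the paper's formulas: the product weighting in `atomic_attack_probability`, the reuse gain of 0.5, the four-host topology and the vulnerability labels V1 to V3 are all assumptions chosen so the arithmetic can be checked by hand. Inference is exact enumeration over all host states with a noisy-OR conditional per host, which is exactly what a Bayesian attack graph of this size needs and which makes the prior (static) and posterior (dynamic) reachable probabilities come from the same routine.

```python
"""Toy Bayesian attack graph (added example, not the paper's code):
(1) score atomic attacks, (2) raise the score of repeat use of the same
vulnerability, (3) prior reachability by exact enumeration, and
(4) posterior reachability once an attack event has been observed."""
from itertools import product


def atomic_attack_probability(exploitability, protection, time_factor, source_factor):
    """Success probability of one atomic attack.
    Illustrative product weighting (assumption, not the paper's formula):
      exploitability  CVSS v3.1 Exploitability sub-score, 0..3.9
      protection      host protection strength in [0, 1]; 1 = fully mitigated
      time_factor     exploit maturity in (0, 1]; 1 = public exploit available
      source_factor   vulnerability source in (0, 1]; 1 = directly reachable service
    """
    if not (0.0 <= exploitability <= 3.9 and 0.0 <= protection <= 1.0):
        raise ValueError("exploitability must be 0..3.9 and protection 0..1")
    return round(exploitability / 3.9 * (1.0 - protection) * time_factor * source_factor, 4)


def apply_vulnerability_reuse(edges, gain=0.5):
    """Edges are (src, dst, vuln_id, p) listed in attack order. Every repeat of a
    vuln_id already exploited on an earlier edge gets p + (1 - p) * gain: the
    attacker has already built and tested that exploit once (assumed gain)."""
    seen, adjusted = set(), []
    for src, dst, vid, p in edges:
        if vid in seen:
            p = p + (1.0 - p) * gain
        seen.add(vid)
        adjusted.append((src, dst, vid, p))
    return adjusted


def conditional(edges, node, state):
    """P(node compromised | parent states): noisy-OR over incoming atomic attacks
    whose source host is compromised in this state."""
    fail = 1.0
    for src, dst, _vid, p in edges:
        if dst == node and state[src]:
            fail *= 1.0 - p
    return 1.0 - fail


def joint(nodes, root, edges, state):
    """Joint probability of one full assignment of compromised/not per host."""
    if not state[root]:  # the attacker's starting foothold is certain
        return 0.0
    prob = 1.0
    for node in nodes:
        if node == root:
            continue
        p_true = conditional(edges, node, state)
        prob *= p_true if state[node] else 1.0 - p_true
    return prob


def reach_probability(nodes, root, edges, query, evidence=None):
    """Exact P(query compromised | evidence) by enumerating all 2^n states.
    evidence={} gives the prior (static) reachability; evidence such as
    {"app": 1} from a real-time attack event gives the posterior (dynamic) one."""
    evidence = evidence or {}
    numerator = normaliser = 0.0
    for bits in product((0, 1), repeat=len(nodes)):
        state = dict(zip(nodes, bits))
        if any(state[k] != v for k, v in evidence.items()):
            continue
        p = joint(nodes, root, edges, state)
        normaliser += p
        if state[query]:
            numerator += p
    return numerator / normaliser


# Constructed sample network: assumed hosts and made-up vulnerability labels.
NODES = ["attacker", "web", "app", "db"]  # topological order
ROOT = "attacker"
RAW_EDGES = [
    ("attacker", "web", "V1", atomic_attack_probability(3.9, 0.2, 1.0, 1.0)),  # 0.8
    ("web",      "app", "V2", atomic_attack_probability(3.9, 0.5, 1.0, 1.0)),  # 0.5
    ("app",      "db",  "V2", atomic_attack_probability(3.9, 0.5, 1.0, 1.0)),  # 0.5, V2 reused
    ("web",      "db",  "V3", atomic_attack_probability(3.9, 0.0, 0.2, 1.0)),  # 0.2
]
EDGES = apply_vulnerability_reuse(RAW_EDGES)  # app->db via V2 is raised to 0.75


def assess():
    """Static prior per host, the effect of ignoring reuse on db, and the
    posterior for every host after an alert reports that app was compromised."""
    prior = {n: reach_probability(NODES, ROOT, EDGES, n) for n in NODES[1:]}
    db_without_reuse = reach_probability(NODES, ROOT, RAW_EDGES, "db")
    posterior = {n: reach_probability(NODES, ROOT, EDGES, n, {"app": 1}) for n in NODES[1:]}
    return {"prior": prior, "db_without_reuse": db_without_reuse,
            "posterior_after_app_event": posterior}


if __name__ == "__main__":
    for key, value in assess().items():
        print(key, value)
```

With these assumed inputs the static assessment gives web 0.8, app 0.4 and db 0.4; without the reuse revision db would be scored 0.32, so ignoring that V2 is present on two hosts understates the risk to the database. Once an event confirms app is compromised, the posterior for db rises to 0.8 and for web to 1.0 (app is only reachable through web), which is the dynamic update the abstract describes. Enumeration is 2^n in the number of hosts, so for graphs beyond a few dozen nodes a belief-propagation or sampling engine should replace `reach_probability`; the scoring and reuse functions do not change.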

Key words: Bayesian attack graph, Attack event, Security assessment, Posterior probability, Risk probability

CLC Number: TP393