基于因果知识网络的攻击路径预测方法

doi:10.11959/j.issn.1000-436x.2016210

摘要/Abstract

摘要：

针对现有攻击路径预测方法无法准确反映攻击者攻击能力对后续攻击路径的影响，提出了基于因果知识网络的攻击路径预测方法。借助因果知识网络，首先通过告警映射识别已发生的攻击行为；然后分析推断攻击者能力等级，进而根据攻击者能力等级动态调整概率知识分布；最后利用改进的Dijkstra算法计算出最有可能的攻击路径。实验结果表明，该方法符合网络对抗实际环境，且能提高攻击路径预测的准确度。

关键词: 攻击路径预测, 因果知识网络, 攻击者能力, 概率知识分布, Dijkstra算法

Abstract:

The existing attack path prediction methods can not accurately reflect the variation of the following attack path caused by the capability of the attacker.Accordingly an attack path prediction method based on causal knowledge net was presented.The proposed method detected the current attack actions by mapping the alarm sets to the causal knowledge net.By analyzing the attack actions,the capability grade of the attacker was inferred,according to which adjust the probability knowledge distribution dynamically.With the improved Dijkstra algorithm,the most possible attack path was computed.The experiments results indicate that the proposed method is suitable for a real network confrontation environment.Besides,the method can enhance the accuracy of attack path prediction.

Key words: attack path prediction, causal knowledge net, attacker capability, probability knowledge distribution, Dijkstra algorithm

王硕,汤光明,寇广,宋海涛. 基于因果知识网络的攻击路径预测方法[J]. 通信学报, 2016, 37(10): 188-198.

Shuo WANG,Guang-ming TANG,Guang KOU,Hai-tao SONG. Attack path prediction method based on causal knowledge net[J]. Journal on Communications, 2016, 37(10): 188-198.

图/表 11

表1

表2

不同攻击行为结果推断攻击者能力等级的概率分布"

x			P(Cap=x\|Res=y)
x	y= L_fail	y= L_suc	y= M_fail	y= M_suc	y= H_fail	y= H_suc
x=low	$\frac{5}{9}$	$\frac{5}{21}$	$\frac{7}{15}$	$\frac{3}{15}$	$\frac{9}{21}$	$\frac{1}{9}$
x=mid	$\frac{3}{9}$	$\frac{7}{21}$	$\frac{5}{15}$	$\frac{5}{15}$	$\frac{7}{21}$	$\frac{3}{9}$
x=high	$\frac{1}{9}$	$\frac{9}{21}$	$\frac{3}{15}$	$\frac{7}{15}$	$\frac{5}{21}$	$\frac{5}{9}$

表2

图1

图2

图3

表3

表4

表5

图4

图5

表6

参考文献 15

[1]	SHAH C . Zeus crime ware toolkit[EB/OL]. .
[2]	QIN X , LEE W . Statistical causality of INFOSEC alert data[C]// Recent Advances in Intrusion Detection 2003. Berlin, 2003: 73-93.
[3]	梅海彬, 龚俭, 张明华 . 基于警报序列聚类的多步攻击模式发现研究[J]. 通信学报, 2011,32(5): 63-69. MEI H B , GONG J , ZHANG M H . Research on discovering multi-step attack patterns based on clustering IDS alert sequences[J]. Journal on Communications, 2011,32(5): 63-69.
[4]	VALEUR F , VIGNA G , KRUEGEL C ,et al. A comprehensive approach to intrusion detection alert correlation[J]. IEEE Trans.Dependable and Secure Computing, 2004,1(3): 146-169.
[5]	JAJODIA S , NOEL S , KALAPA P ,et al. Cauldron:mission-centric cyber situational awareness with defense in depth[C]// The Military Communications Conference. Baltimore, 2011: 1339-1344.
[6]	YU D , FRINCKE D . Improving the quality of alerts and predicting intruder’s next goal with hidden colored petri-net[J]. Computer Networks, 2007,51(3): 632-654.
[7]	WANG L , ISLAM T , LONG T ,et al. An attack graph-based probabilistic security metric[C]// Data and Applications Security XXII. Berlin Heidelberg, 2008: 283-296.
[8]	苏婷婷, 潘晓中, 肖海燕 . 基于属性邻接矩阵的攻击图表示方法研究[J]. 电子与信息学报, 2012,34(7): 1744-1747. SU T T , PAN X Z , XIAO H Y . Research on attack graph based on attributes adjacncy matrix[J]. Journal of Electronics ＆ Information Technology, 2012,34(7): 1744-1747.
[9]	陈小军, 方滨兴, 谭庆丰 . 基于概率攻击图的内部攻击意图推断算法研究[J]. 计算机学报, 2014,37(1): 62-72. CHEN X J , FANG B X , TAN Q F . Inferring attack intent of malicious insider based on probabilistic attack graph model[J]. Chinese Journal of Computers, 2014,37(1): 62-72.
[10]	吕慧颖, 彭武, 王瑞梅 . 基于时空关联分析的网络实时威胁识别与评估[J]. 计算机研究与发展, 2014,51(5): 1039-1049. LV H Y , PENG W , WANG R M . A real-time network threat recognition and assessment method based on association analysis of time and space[J]. Journal of Computer Research and Development, 2014,51(5): 1039-1049.
[11]	XIE P , LI J H , OU X M ,et al. Using Bayesian networks for cyber security analysis[C]// The 40th IEEE/IFIP International Conference on Dependable Systems and Networks(DSN). Chicago, 2010: 211-220.
[12]	张少俊, 李建华, 宋珊珊 . 贝叶斯推理在攻击图节点置信度计算中的应用[J]. 软件学报, 2010,21(9): 2376-2386. ZHANG S J , LI J H , SONG S S . Using Bayesian inference for computing attack graph node beliefs[J]. Journal of Software, 2010,21(9): 2376-2386.
[13]	ABRAHAM S , NAIR S . A predictive framework for cyber security analytics using attack graphs[J]. International Journal of Computer Networks ＆ Communications, 2015,7(1): 1-17.
[14]	FREDJ O B . A realistic graph-based alert correlation system[J]. Security and Communication Network, 2015,8(15): 2477-2493.
[15]	冯学伟, 王东霞, 黄敏桓 . 一种基于马尔可夫性质的因果知识挖掘方法[J]. 计算机研究与发展, 2014,51(11): 2493-2504. FENG X W , WANG D X , HANG M H . A mining approach for causal knowledge in alert correlating based on the Markov property[J]. Journal of Computer Research and Development, 2014,51(11): 2493-2504.

Cpx		P(Cpx,Cap)
Cpx	Cap=low	Cap=mid	Cap=high
Cpx=low	0.5	0.7	0.9
Cpx=mid	0.3	0.5	0.7
Cpx=high	0.1	0.3	0.5

主机编号	主机信息	漏洞编号	CVE编号	漏洞描述	漏洞利用攻击编号
		V₁	CVE-2013-2249	模块安全漏洞	a₁
H₁	Web服务器，Apache	V₂	CVE-2013-3940	图形设备接口整数溢出漏洞	a₆，a₇
		V₃	CVE-2013-5065	内核中的漏洞允许特权提升	a₁₁
		V₄	CVE-2012-0002	远程桌面协议代码执行漏洞	a₁₂
H₂	主机1，Microsoft Windows XP SP2	V₅	CVE-2013-1727	Mozilla Firefox安全绕过漏洞	a₅
		V₆	CVE-2007-6473	基于堆的缓冲区溢出漏洞	a₁₀
H₃	主机2，Microsoft Windows 7 SP2	V₇	CVE-2011-0638	USB数据任意程序执行漏洞	a₂
H₄	主机3，Red Hat	V₈	CVE-2014-6271	GNU Bash远程代码执行漏洞	a₁₃
		V₉	CVE-2012-6137	SSL证书验证安全绕过漏洞	a₉
H₅	文件服务器，Windows 2000,HFS	V₁₀	CVE-2014-6287	HFS代码注入漏洞	a₃
H₆	工作站2，Windows 2000,Funk Proxy v3.0	V₁₁	CVE-2002-0065	Funk软件代理弱密码存储漏洞	a₈
H₇	数据库服务器，Windows Server 2003	V₁₂	CVE-2004-0119	远程缓冲区溢出漏洞	a₄

漏洞利用攻击编号	前提条件	后置结果	利用的漏洞（CVE编号）	攻击行为复杂度
a₁	外部用户	(H₁,root)	CVE-2013-2249	低
a₂	外部用户	(H₃,root)	CVE-2011-0638	高
a₃	(H₁,root)	(H₅,root)	CVE-2014-6287	低
a₄	(H₁,root)	(H₇,root)	CVE-2004-0119	低
a₅	(H₁,root)	(H₂,root)	CVE-2013-1727	高
a₆	(H₅,root)	(H₂,user)	CVE-2013-3940	中
a₇	(H₇,root)	(H₂,user)	CVE-2013-3940	中
a₈	(H₇,root)	(H₆,root)	CVE-2002-0065	低
a₉	(H₁,root),(H₃,root)	(H₄,root)	CVE-2012-6137	低
a₁₀	(H₇,root)	(H₂,root)	CVE-2007-6473	中
a₁₁	(H₂,user)	(H₂,root)	CVE-2013-5065	低
a₁₂	(H₆,root)	(H₂,root)	CVE-2012-0002	低
a₁₃	(H₂,root)	(H₄,root)	CVE-2014-6271	中

编号	T时刻的告警迹	攻击者能力等级	最大可能后续攻击路径
		low	s₁→a₁→s₂→a₄→s₅→a₁₀→s₈→a₁₃→s₉
1	Alarm_T=null	mid	s₁→a₁→s₂→a₄→s₅→a₁₀→s₈→a₁₃→s₉
		high	s₁→a₁→s₂→a₄→s₅→a₈→s₇→a₁₂→s₈→a₁₃→s₉
2	Alarm_T=(as₂,ae₂,ae₅)	mid	s₂→a₄→s₅→a₁₀→s₈→a₁₃→s₉
3	Alarm_T=(as₂,as₅,ae₁,ae₄,ae₁₀)	high	s₅→a₈→s₇→a₁₂→s₈→a₁₃→s₉

攻击者能力			攻击成功概率
攻击者能力	path1	path2	path3	path4	path5	path6
low	(0.015，0)	(0.011，0)	(0.011，0.111)	(0.019，0)	(0.023，0.111)	(0.013，0)
mid	(0.105，0.108)	(0.086，0.081)	(0.086，0.081)	(0.120，0.108)	(0.123，0.135)	(0.103，0.108)
high	(0.315，0.25)	(0.357，0.25)	(0.357，0.25)	(0.459，0.50)	(0.397，0.25)	(0.365，0.25)