基于动态概率攻击图的云环境攻击场景构建方法

doi:10.11959/j.issn.1000-436x.2021004

摘要/Abstract

摘要：

针对复杂多步攻击检测问题，研究面向云计算环境的攻击场景构建方法。首先，构建了动态概率攻击图模型，设计了概率攻击图更新算法，使之能够随着时空的推移而周期性更新，从而适应弹性、动态性的云计算环境。其次，设计了攻击意图推断算法和最大概率攻击路径推断算法，解决了误报、漏报导致的攻击场景错误、断裂等不确定性问题，保证了攻击场景的准确性。同时将攻击场景随动态概率攻击图动态演化，保证了攻击场景的完备性和新鲜性。实验结果表明，所提方法能够适应弹性、动态的云计算环境，还原出攻击者完整的攻击渗透过程，重构出高层次的攻击场景，为构建可监管可追责的云环境提供了一定的依据和参考。

关键词: 云计算, 攻击场景, 动态概率攻击图, 攻击意图, 最大概率攻击路径

Abstract:

Aiming at the problem of complex multi-step attack detection, the method of attack scenario construction oriented to cloud computing environment was studied.Firstly, a dynamic probabilistic attack graph model was constructed, and a probabilistic attack graph updating algorithm was designed to make it update periodically with the passage of time and space, so as to adapt to the elastic and dynamic cloud computing environment.Secondly, an attack intention inference algorithm and a maximum probability attack path inference algorithm were designed to solve the uncertain problems such as error and fracture of attack scenarios caused by false positive or false negative, and ensure the accuracy of attack scenario.Meanwhile, the attack scenario was dynamically evolved along with the dynamic probability attack graph to ensure the completeness and freshness of the attack scenario.Experimental results show that the proposed method can adapt to the elastic and dynamic cloud environment, restore the penetration process of attacker’s and reconstruct high-level attack scenario, and so provide certain references for building supervised and accountable cloud environment.

Key words: cloud computing, attack scenario, dynamic probabilistic attack graph, attack intention, maximum probability attack path

中图分类号:

TP309.5

王文娟, 杜学绘, 单棣斌. 基于动态概率攻击图的云环境攻击场景构建方法[J]. 通信学报, 2021, 42(1): 1-17.

Wenjuan WANG, Xuehui DU, Dibin SHAN. Construction method of attack scenario in cloud environment based on dynamic probabilistic attack graph[J]. Journal on Communications, 2021, 42(1): 1-17.

图/表 17

图1

表1

表2

表3

图2

图3

图4

图5

表4

图6

图7

表5

图8

表6

表7

图9

表8

参考文献 18

[1]	PETER M M , TIMOTHY G . SP 800-145.The NIST definition of cloud computing[M]. National Institute of Standards ＆ Technology, 2011.
[2]	PENG N , YUN C , REEVES D S ,et al. Constructing attack scenarios through correlation of intrusion alerts[C]// ACM Symposium on Computer and Communications Security. New York:ACM Press, 2002: 245-254.
[3]	WANG L , GHORBANI A , LI Y ,et al. Automatic multi-step attack pattern discovering[J]. International Journal of Network Security, 2010,10(2): 142-152.
[4]	梅海彬, 龚俭, 张明华 ,等. 基于警报序列聚类的多步攻击模式发现研究[J]. 通信学报, 2011,32(5): 63-69.
	MEI H B , GONG J , ZHANG M H ,et al. Research on discovering multi-step attack patterns based on clustering IDS alert sequences[J]. Journal on Communications, 2011,32(5): 63-69.
[5]	葛琳, 季新生, 江涛 ,等. 基于关联规则的网络信息内容安全事件发现及其 Map-Reduce 实现[J]. 电子与信息学报, 2014,36(8): 1831-1837.
	GE L , JI X S , JIANG T ,et al. Association rules and its implementation in Map-Reduce[J]. Journal of Electronics ＆ Information Technology, 2014,36(8): 1831-1837.
[6]	鲁显光, 杜学绘, 王文娟 ,等. 基于改进FP growth的告警关联算法[J]. 计算机科学, 2019,46(8): 64-70.
	LU X G , DU X H , WANG W J ,et al. Alert correlation algorithm based on improved FP growth[J]. Computer Science, 2019,46(8): 64-70.
[7]	WANG S , TANG G , KOU G ,et al. An attack graph generation method based on heuristic searching strategy[C]// IEEE International Conference on Computer and Communications. Piscataway:IEEE Press, 2016: 1180-1185.
[8]	KAYNAR K , SIVRIKAYA F . Distributed attack graph generation[J]. IEEE Transactions on Dependable and Secure Computing, 2016,13(5): 519-532.
[9]	吕慧颖, 彭武, 王瑞梅 ,等. 基于时空关联分析的网络实时威胁识别与评估[J]. 计算机研究与发展, 2014,51(5): 1039-1049.
	LYU H Y , PENG W , WANG R M ,et al. A real-time network threat recognition and assessment method based on association analysis of time and space[J]. Journal of Computer Research and Development, 2014,51(5): 1039-1049.
[10]	刘威歆, 郑康锋, 武斌 ,等. 基于攻击图的多源告警关联分析方法[J]. 通信学报, 2015,36(9): 135-144.
	LIU W X , ZENG K F , WU B ,et al. Alert processing based on attack graph and multi-source analyzing[J]. Journal on Communications, 2015,36(9): 135-144.
[11]	陈小军, 方滨兴, 谭庆丰 ,等. 基于概率攻击图的内部攻击意图推断算法研究[J]. 计算机学报, 2014,37(1): 62-72.
	CHEN X J , FANG B X , TAN Q F ,et al. Inferring attack intent of malicious insider based on probabilistic attack graph[J]. Journal of Computers, 2014,37(1): 62-72.
[12]	王硕, 汤光明, 王建华 ,等. 基于因果知识网络的攻击场景构建方法[J]. 计算机研究与发展, 2018,55(12): 2620-2636.
	WANG S , TANG G M , WANG J H ,et al. Attack scenario construction method based on causal knowledge net[J]. Journal of Computer Research and Development, 2018,55(12): 2620-2636.
[13]	许嘉, 张千桢, 赵翔 ,等. 动态图模式匹配技术综述[J]. 软件学报, 2018,29(3): 663-688.
	XU J , ZHANG Q Z , ZHAO X ,et al. Survey on dynamic graph pattern matching technologies[J]. Journal of Software, 2018,29(3): 663-688.
[14]	OU X , GOVINDAVAJHALA S , APPEL A W ,et al. MulVAL:a logic-based network security analyzer[C]// 14th USENIX Security. Berkeley:USENIX Association, 2005: 1-16.
[15]	JAJODIA S , NOEL S . Topological vulnerability analysis:a powerful new approach for network attack prevention,detection,and response[J]. Algorithms,Architectures and Information Systems Security, 2005: 285-305.
[16]	LIPPMANN R , INGOLS K , SCOTT C ,et al. Validating and restoring defense in depth using attack graphs[C]// Milcom 2006 Military Communications Conference.[S.n.:s.l.], 2006: 1-10.
[17]	SCARFONE K , MELL P . An analysis of CVSS version 2 vulnerability scoring[C]// International Symposium on Empirical Software Engineering ＆ Measurement. Piscataway:IEEE Press, 2009.
[18]	冯学伟, 王东霞, 黄敏桓 ,等. 一种基于马尔可夫性质的因果知识挖掘方法[J]. 计算机研究与发展, 2014,51(11): 2493-2504.
	FENG X W , WANG D X , HUANG M H ,et al. A mining approach for causal knowledge in alert correlating based on the Markov property[J]. Journal of Computer Research and Development, 2014,51(11): 2493-2504.

方法	优点	缺点
基于相似度的方法	计算开销小，依赖专家知识少	需定义阈值，只能发现统计上的关联
基于数据挖掘的方法	能够发现未知攻击	准确度较低、实用性较弱
基于属性攻击图的方法	直观展示攻击步骤间因果关系	没有考虑攻击步骤间的不确定关系，静态攻击图
基于概率攻击图的方法	攻击图和不确定性相结合，定性与定量分析，准确度较高	静态攻击图

指标		等级评分（频率）	Δ_s
漏洞利用难度	AV	本地L：0.359；邻近A：0.646；远程N：1.0	2AV × AC× Au
	AC	高H：0.35；中M：0.61；低L：0.71
	Au	多次M：0.45；单次S：0.56；不需要N：0.704
		近一周<5次	0.1
发生次数		近一周<20次	0.5
		近一周>20次	0.8

攻击类型		Δ_a
漏洞利用		1.0
	容易	0.9
其他	一般	0.5
	难	0.1

软硬件	版本
CPU	2颗 Intel E5-2620v3 (2.4 GHz/6c) 8GT/15ML3
内存、硬盘	96 GB、900 GB
虚拟化系统	Xen 4.6.0, Ubuntu 16.04

主机	版本	漏洞	描述	AV/AC/Au
WS	Apache 2.0	CVE-2006-3747	execute code, dos	N/H/N
WS	IE 9	CVE-2019-1367	overflow, execute code	N/H/N
FS	NFS 1.0	CVE-2004-0946	execute code, overflow	N/L/N
VM₁	Win7 SP1	CVE-2017-0146	execute code	N/M/N
PM₃	Hadoop 2.6	CVE-2016-3086	obtain information	N/L/N
PM₄	Spark 2.1	CVE-2018-8024	obtain infotmation	N/M/S
VMM	Xen 4.6	CVE-2017-2620	dos, gain privileges	L/M/N