Journal on Communications ›› 2017, Vol. 38 ›› Issue (11): 121-132. doi: 10.11959/j.issn.1000-436x.2017213
Zi-wei YE1,2, Yuan-bo GUO1,2, Chen-dong WANG1,2, An-kang JU1,2
Revised:
2017-11-06
Online:
2017-11-01
Published:
2017-12-13
About the authors:
YE Zi-wei (1990-), male, born in Tonghua, Jilin; Ph.D. candidate at PLA Information Engineering University; main research interests: network security, situational awareness.
GUO Yuan-bo (1975-), male, born in Zhouzhi, Shaanxi; professor and doctoral supervisor at PLA Information Engineering University; main research interests: big data security, situational awareness.
WANG Chen-dong (1992-), male, born in Fuzhou, Jiangxi; master's student at PLA Information Engineering University; main research interest: network security.
JU An-kang (1995-), male, born in Xinxiang, Henan; Ph.D. candidate at PLA Information Engineering University; main research interests: multi-step network attack detection, threat intelligence.
Abstract:
An attack graph is a technique that anticipates the ways and processes by which an attacker may launch attacks against a target network, guides the defender in taking targeted defensive measures on the network's nodes, and thereby improves network security. This survey first introduces the basic components of attack graphs and lists several types of attack graph together with their respective advantages and disadvantages; it then reviews the current applications of attack graph technology in risk assessment and network hardening, intrusion detection and alert correlation, and describes several existing tools for attack graph generation and analysis; finally, it points out the challenges facing attack graph technology and possible future research directions.
Zi-wei YE, Yuan-bo GUO, Chen-dong WANG, An-kang JU. Survey on application of attack graph technology[J]. Journal on Communications, 2017, 38(11): 121-132.