网络与信息安全学报 (Chinese Journal of Network and Information Security) ›› 2022, Vol. 8 ›› Issue (1): 151-166. doi: 10.11959/j.issn.2096-109x.2021101

Special topic: Knowledge graph

• Academic paper •

Prediction method of 0day attack path based on cyber defense knowledge graph

Cheng SUN, Hao HU, Yingjie YANG, Hongqi ZHANG

  1. Information Engineering University, Zhengzhou 450001, Henan, China
  • Revised: 2021-03-06  Online: 2022-02-15  Published: 2022-02-01
  • About the authors: SUN Cheng (born 1991), male, from Changzhou, Jiangsu; master's student at Information Engineering University; main research interest: APT detection and tracking
    HU Hao (born 1989), male, from Chizhou, Anhui; Ph.D., lecturer at Information Engineering University; main research interest: network situation awareness
    YANG Yingjie (born 1971), male, from Zhengzhou, Henan; Ph.D., professor at Information Engineering University; main research interest: information security
    ZHANG Hongqi (born 1962), male, from Zunhua, Hebei; Ph.D., professor and doctoral supervisor at Information Engineering University; main research interests: network security, moving target defense, classified protection of cybersecurity (等级保护), and information security management
  • Supported by:
    The National Natural Science Foundation of China (61902427)

Abstract:

To address the difficulty of detecting attacks that exploit 0day vulnerabilities, whose properties are unknown, a knowledge-graph-based method for predicting 0day attack paths is proposed. A cyber defense knowledge graph is constructed by extracting attack-related concepts and entities from existing research on cybersecurity ontologies and from cybersecurity databases, distilling discrete security data such as threats, vulnerabilities and assets into interrelated security knowledge. On this basis, drawing on the knowledge integrated in the graph, the unknown attributes of 0day vulnerabilities (their existence, availability and harmfulness) are hypothesized and constrained, and the concept of "attack" is modeled as a relation between attacker entities and device entities in the knowledge graph, which turns the attack prediction problem into a link prediction problem on the knowledge graph. A knowledge graph reasoning method based on the path ranking algorithm is then used to mine the 0day attacks that may occur in the target system and to generate a 0day attack graph. The prediction scores output by the classifier are reused as the occurrence probabilities of single-step attacks, and 0day attack paths are predicted and analyzed by computing and comparing the occurrence probabilities of different attack paths. Experiments show that the proposed method can draw on the knowledge system provided by the knowledge graph to give attack prediction more comprehensive knowledge support, reduce the dependence of prediction analysis on expert models, largely overcome the adverse effect that the unknown nature of 0day vulnerabilities has on prediction analysis, and improve the accuracy of 0day attack prediction. In addition, because the path ranking algorithm reasons over graph structure, an explicit feature, the causes of an inference result can be traced back effectively, which improves the explainability of the attack prediction results to a certain extent.

Key words: knowledge graph, 0day attack, attack path prediction
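The pipeline the abstract describes, shown end to end on a toy graph as an added example in Python (this is not the authors' code and does not use their knowledge graph or dataset): random-walk relation-path features in the style of the path ranking algorithm, a classifier that scores an "attack" link from a foothold entity to a device entity, attack-path probability as the product of the single-step scores along a chain of devices, and a per-relation-path breakdown that traces a score back to the graph structure that produced it. Everything below is an assumption made for illustration: the triples (a constructed "historical incident" used for training and a constructed target system to predict on), the three relation-path feature templates, the labeled training pairs, and the plain logistic-regression classifier trained by gradient descent. Hypothesized 0day vulnerabilities are represented only by their existence (a `has_0day` edge); the availability and harmfulness constraints the abstract mentions are not modeled.

```python
"""Added example, not the paper's code: PRA-style link prediction for an
"attack" relation on a toy cyber defense knowledge graph, followed by attack
path ranking by the product of single-step scores. All triples, relation
paths, labels and the classifier below are constructed assumptions."""
import math
from collections import defaultdict


def build_graph(triples):
    """Adjacency lists keyed by relation; every relation r also gets an inverse ~r."""
    graph = defaultdict(lambda: defaultdict(list))
    for head, rel, tail in triples:
        graph[head][rel].append(tail)
        graph[tail]["~" + rel].append(head)
    return graph


def walk(graph, start, rel_path):
    """Distribution of a random walk that follows rel_path from start (the PRA feature)."""
    dist = {start: 1.0}
    for rel in rel_path:
        nxt = defaultdict(float)
        for node, p in dist.items():
            nbrs = graph[node].get(rel, [])
            for n in nbrs:  # uniform choice among neighbours reached via rel
                nxt[n] += p / len(nbrs)
        dist = nxt
    return dist


# Assumed feature templates: relation paths from a source foothold to a target device.
# The two longer paths only keep probability mass on a target whose software carries
# the given kind of vulnerability node, so they encode "adjacent and exploitable".
REL_PATHS = {
    "adjacent": ("connects_to",),
    "adjacent_known_vuln": ("connects_to", "runs", "has_vuln", "~has_vuln", "~runs"),
    "adjacent_hypothetical_0day": ("connects_to", "runs", "has_0day", "~has_0day", "~runs"),
}


def features(graph, src, dst):
    return [walk(graph, src, path).get(dst, 0.0) for path in REL_PATHS.values()]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def train(graph, examples, epochs=3000, lr=1.0):
    """Logistic regression over PRA features, full-batch gradient descent (assumed classifier)."""
    rows = [(features(graph, s, t), y) for s, t, y in examples]
    w, b = [0.0] * len(REL_PATHS), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, y in rows:
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            gw = [g + err * xi for g, xi in zip(gw, x)]
            gb += err
        w = [wi - lr * g / len(rows) for wi, g in zip(w, gw)]
        b -= lr * gb / len(rows)
    return w, b


def score(graph, model, src, dst):
    """Classifier score, reused as the probability of the single-step attack src -> dst."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features(graph, src, dst))) + b)


def explain(graph, model, src, dst):
    """Contribution w_i * f_i of each relation path, so a prediction can be traced back."""
    w, _ = model
    return dict(zip(REL_PATHS, (wi * xi for wi, xi in zip(w, features(graph, src, dst)))))


def rank_attack_paths(graph, model, attacker, target):
    """Enumerate simple connects_to chains attacker -> ... -> target; P(path) = product of step scores."""
    results = []

    def dfs(path, prob):
        node = path[-1]
        if node == target:
            results.append((tuple(path), prob))
            return
        for nxt in graph[node].get("connects_to", []):
            if nxt not in path:
                dfs(path + [nxt], prob * score(graph, model, node, nxt))

    dfs([attacker], 1.0)
    return sorted(results, key=lambda r: r[1], reverse=True)


TRIPLES = [  # constructed data: a past incident (t_*) for training and a target system to predict on
    ("apt", "connects_to", "t_web"), ("t_web", "connects_to", "t_app"),
    ("t_web", "connects_to", "t_mail"), ("t_app", "connects_to", "t_db"),
    ("t_web", "runs", "sw_web"), ("sw_web", "has_vuln", "v_web"),
    ("t_app", "runs", "sw_app"), ("sw_app", "has_0day", "z_app"),
    ("t_mail", "runs", "sw_mail"),                      # patched host, nothing known
    ("t_db", "runs", "sw_db"), ("sw_db", "has_vuln", "v_db"),
    ("attacker", "connects_to", "web01"), ("web01", "connects_to", "app01"),
    ("web01", "connects_to", "fs01"), ("app01", "connects_to", "db01"),
    ("fs01", "connects_to", "db01"),
    ("web01", "runs", "nginx"), ("nginx", "has_vuln", "v_nginx"),
    ("app01", "runs", "tomcat"), ("tomcat", "has_0day", "z_tomcat"),  # hypothesized 0day
    ("fs01", "runs", "samba"),                                        # patched host
    ("db01", "runs", "mysql"), ("mysql", "has_vuln", "v_mysql"),
]
EXAMPLES = [  # constructed labels from the past incident: (foothold, device, attacked?)
    ("apt", "t_web", 1), ("t_web", "t_app", 1), ("t_app", "t_db", 1),
    ("apt", "t_app", 0), ("t_web", "t_mail", 0), ("apt", "t_db", 0), ("t_web", "t_db", 0),
]
GRAPH = build_graph(TRIPLES)
MODEL = train(GRAPH, EXAMPLES)

if __name__ == "__main__":
    for path, prob in rank_attack_paths(GRAPH, MODEL, "attacker", "db01"):
        print(" -> ".join(path), round(prob, 3))
    print(explain(GRAPH, MODEL, "web01", "app01"))
```

Running it ranks the chain through app01 (hypothesized 0day) above the chain through the patched fs01, and the `explain` output shows that the web01 -> app01 score comes from the `adjacent` and `adjacent_hypothetical_0day` paths while the known-vulnerability path contributes nothing, which is the kind of back-tracing the abstract attributes to reasoning over graph structure.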

