基于网络防御知识图谱的0day攻击路径预测方法

doi:10.11959/j.issn.2096-109x.2021101

Abstract

Abstract:

To solve the difficulty of attack detection caused by the 0day vulnerability, a prediction method of 0day attack path based on cyber defense knowledge graph was proposed.The cyber defense knowledge graph was constructed to refine the discrete security data such as threat, vulnerability and asset into the complete and high-related knowledge format by extracting concepts and entities related to network attack from cyber security ontology research finds and databases.Based on the knowledge integrated by the knowledge graph, assumed and restricted the unknown attributes such as the existence, availability and harmfulness of 0day vulnerabilities, and model the concept of ＆quot;attack＆quot; as a relationship between attacker entities and device entities in the knowledge graph to transform the attack prediction to the link prediction of knowledge graph.According to this, apply path ranking algorithm was applied to mine the potential 0day attack in the target system and construct the 0day attack graph.Predicted the 0day attack path by utilizing the scores output by classifiers as the occurrence probabilities of single step attack and computing the occurrence probabilities of different attack paths.The experimental result shows that with the help of complete knowledge system provided by knowledge graph, the proposed method can reduce the dependence of prediction analysis on expert model and overcome the bad influence of 0day vulnerability to improve the accuracy of 0day attack prediction.And utilizing the characteristic that path ranking algorithm reasons based on the structure of graph can also help to backtrack the reasons of predicting results so as to improve the explainability of predicting.

Key words: knowledge graph, 0day attack, attack path prediction

CLC Number:

TP393.08

Cheng SUN, Hao HU, Yingjie YANG, Hongqi ZHANG. Prediction method of 0day attack path based on cyber defense knowledge graph[J]. Chinese Journal of Network and Information Security, 2022, 8(1): 151-166.

Figures/Tables 18

名称	关系路径
rp1	$Adversary \underset{\to}{h a s A c q u i r e d} Privilege \underset{\to}{{possess}^{- 1}} Device$
rp2	$Adversary \underset{\to}{bring} Threat \underset{\to}{riskFor} (Asset \underset{\to}{is- a^{- 1}} Function) \underset{\to}{{load}^{- 1}} Device$
rp3	$Adversary \underset{\to}{bring} Threat \underset{\to}{riskFor} (Asset \underset{\to}{is- a^{- 1}} D a t a) \underset{\to}{{store}^{- 1}} Device$
rp4	$Adversary \underset{\to}{bring} Threat \underset{\to}{r i s k F o r} (Asset \underset{\to}{is- a^{- 1}} Service) \underset{\to}{{supply}^{- 1}} Device$
rp5	$Adversary \underset{\to}{apply} AttackMode \underset{\to}{exploit} (Vulnerability \underset{\to}{is- a^{- 1}} Known) \underset{\to}{{exist}^{- 1}} Component \underset{\to}{{consist}^{- 1}} Device$
rp6	$Adversary \underset{\to}{apply} AttackMode \underset{\to}{exploit} (Vulnerability \underset{\to}{is- a^{- 1}} 0 day) \underset{\to}{P - {exist}^{- 1}} Component \underset{\to}{{consist}^{- 1}} Device$
rp7	$A dversary \underset{\to}{apply} AttackMode \underset{\to}{exploit} (Vulnerability \underset{\to}{is- a^{- 1}} Human) \underset{\to}{{have}^{- 1}} Stuff \underset{\to}{operate} Device$
rp8	$Adversary \underset{\to}{apply} AttackMode \underset{\to}{exploit} Vulnerability \underset{\to}{cause} Consequence \underset{\to}{compromise} (Asset \underset{\to}{{is-a}^{- 1}} F u n c t i o n) \underset{\to}{{load}^{- 1}} Device$
rp 9	$Adversary \underset{\to}{a p p l y} A t t a c k M o d e \underset{\to}{e x p l o i t} V u l n e r a b i l i t y \underset{\to}{c a u s e} C o n s e q u e n c e \underset{\to}{c o m p r o m i s e} (A s s e t \underset{\to}{is- a^{- 1}} data) \underset{\to}{{store}^{- 1}} Device$
rp 10	$Adversary \underset{\to}{apply} AttackMode \underset{\to}{exploit} Vulnerability \underset{\to}{cause} Consequence \underset{\to}{compromise} (Asset \underset{\to}{is- a^{- 1}} Service) \underset{\to}{{supply}^{- 1}} Device$
rp11	$Adversary \underset{\to}{hasAcquired} Privilege \underset{\to}{trigger} (Vulnerability \underset{\to}{is- a^{- 1}} Known) \underset{\to}{{exist}^{- 1}} Component \underset{\to}{{consist}^{- 1}} Device$
rp12	$Adversary \underset{\to}{hasAcquired} Privilege \underset{\to}{trigger} (Vulnerability \underset{\to}{is- a^{- 1}} 0 day) \underset{\to}{P {-exist}^{- 1}} Component \underset{\to}{{consist}^{- 1}} Device$
rp13	$Adversary \underset{\to}{hasAcquired} Privilege \underset{\to}{trigger} (Vulnerability \underset{\to}{is- a^{- 1}} Human) \underset{\to}{{have}^{- 1}} Stuff \underset{\to}{operate} Device$
rp14	$Adversary \underset{\to}{apply} AttackMode \underset{\to}{exploit} Vulnerability \underset{\to}{cause} Consequence \underset{\to}{satisfy} Threat \underset{\to}{riskFor} (Asset \underset{\to}{is- a^{- 1}} Function) \underset{\to}{{load}^{- 1}} Device$
rp15	$Adversary \underset{\to}{apply} AttackMode \underset{\to}{exploit} Vulnerability \underset{\to}{cause} Consequence \underset{\to}{satisfy} Threat \underset{\to}{riskFor} (Asset \underset{\to}{is- a^{- 1}} data) \underset{\to}{{store}^{- 1}} Device$
rp16	$Adversary \underset{\to}{apply} AttackMode \underset{\to}{exploit} Vulnerability \underset{\to}{cause} Consequence \underset{\to}{satisfy} Threat \underset{\to}{riskFor} (Asset \underset{\to}{is - a^{- 1}} Service) \underset{\to}{{supply}^{- 1}} Device$
注：r^-1为r的逆关系，is-a表示的父子类关系仅用于标识父类实体的不同种类，不计入路径长度，不参与特征计算。

References 23

[1]	MCQUEEN M A , MCQUEEN T A , BOYER W F ,et al. Empirical estimates and observations of 0day vulnerabilities[C]// 2009 42nd Hawaii International Conference on System Sciences. 2009.
[2]	ZHANG S , CARAGEA D , OU X . An empirical study on using the national vulnerability database to predict software vulnerabilities[C]// Database and Expert Systems Applications-22nd International Conference, 2011.
[3]	WANG L , JAJODIA S , SINGHAL A ,et al. k-zero day safety:measuring the security risk of networks against unknown attacks[J]. Lecture Notes in Computer Science, 2010,11(1): 573-587.
[4]	WANG L , JAJODIA S , SINGHAL A ,et al. k-zero day safety:a network security metric for measuring the risk of unknown vulnerabilities[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2014,11(1): 30-44.
[5]	ALBANESE M , JAJODIA S , SINGHAL A ,et al. An efficient framework for evaluating the risk of zero-day vulnerabilities[C]// International Conference on E-Business and Telecommunications. 2013.
[6]	YANG Y U , XIA C H , XIAO-YUN H U , ,et al. An augmented 0-day attack graph generation method[J]. DEStech Transaction on Computer Science and Engineering, 2016(aice-ncs).
[7]	叶子维 . 基于漏洞与攻击图的网络脆弱性分析关键技术研究[D]. 郑州:信息工程大学, 2019.
	YE Z W . Research on key technology of network weakness analysis based on vulnerability and attack graph[D]. Zhengzhou:Information Engineering University, 2019.
[8]	AHMADINEJAD S H , JALILI S , ABADI M . A hybrid model for correlating alerts of known and unknown attack scenarios and updating attack graphs[J]. Computer Networks, 2011,55(9): 2221-2240.
[9]	SUN X , DAI J , LIU P ,et al. Towards probabilistic identification of zero-day attack paths[C]// 2016 IEEE Conference on Communications and Network Security (CNS). 2016.
[10]	SUN X , DAI J , LIU P ,et al. Using bayesian networks for probabilistic identification of zero-day attack paths[J]. IEEE Transactions on Information Forensics and Security, 2018: 1-10.
[11]	SUN X , DAI J , LIU P ,et al. Using bayesian networks to fuse intrusion evidences and detect zero-day attack paths[M]. Network Security Metrics. 2017.
[12]	SINGH U K , JOSHI C , KANELLOPOULOS D . A framework for zero-day vulnerabilities detection and prioritization[J]. Journal of Information Security and Applications, 2019,46: 164-172.
[13]	杨峻楠, 张红旗, 张传富 . 基于不完全信息随机博弈的防御决策方法[J]. 网络与信息安全学报, 2018,4(8): 12-20.
	YANG J N , ZHANG H Q , ZHANG C F . Defense decision-making method based on incomplete information stochastic game[J]. Chinese Journal of Network and Information Security, 2018,4(8): 12-20.
[14]	冷强, 杨英杰, 常德显 ,等. 面向网络实时对抗的动态防御决策方法[J]. 网络与信息安全学报, 2019,5(6): 58-66.
	LENG Q , YAGN Y J , CHANG D X ,et al. Dynamic defense decision method for network real-time confrontation[J]. Chinese Journal of Network and Information Security, 2019,5(6): 58-66.
[15]	LAO N , COHEN W W . Relational retrieval using a combination of path-constrained random walks[J]. Machine Learning, 2010,81(1): 53-67.
[16]	AMIT S . Introducing the knowledge graph:things,not strings[EB].
[17]	LI A . A practical approach to constructing a knowledge graph for cybersecurity[J]. Engineering, 2018,4(1): 53-60.
[18]	尚怀军 . 面向漏洞库的网安知识库构建技术的研究与实现[D]. 长沙:国防科技大学, 2018.
	SHANG H J . Research and implementation oftechniqueonconstructionofcybersecurityknowledgebaseforvulnerabilitydatabase[D]. Chagnsha:National University of Defense Technology, 2018.
[19]	谢敏容 . 网络防御知识图谱构建技术研究与实现[D]. 成都:电子科技大学, 2020.
	XIE M R . Research and implementation of cybersecurity knowledge graph construction technology[D]. Chengdu:University of Electronic Science and Technology of China, 2020.
[20]	SAHOO S S , HALB W , HELLAMNN S ,et al. A survey of current approaches for mapping of relational databases to RDF[R]. W3C RDB2RDF Incubator Group Report,2009, 1: 113-130.
[21]	LIN Y , SHEN S , LIU Z ,et al. Neural relation extraction with selective attention over instances[C]// Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics. 2016.
[22]	司成 . 基于本体的网络威胁态势推演与评估技术研究[D]. 郑州:信息工程大学, 2015.
	SI C . Research onnetworkthreatsituationdeductionandevaluationtechnologybasedonontology[D]. Zhengzhou:Information Engineering University, 2015.
[23]	LAO N , MITCHELL T M , COHEN W W . Random walk inference and learning in alarge scale knowledge base[C]// Conference on Empirical Methods in Natural Language Processing. DBLP, 2011.

Metrics

Recommended 0

No Suggested Reading articles found!

符号	描述	符号	描述
CKG	网络防御知识图谱	vul	单步攻击利用的漏洞
CSO	网络安全本体	rp	关系路径
zap	0day攻击路径	c	本体中的类
ZAG	0day攻击图	r	本体中的关系类型
A	单步攻击集	Domain(r)	关系类型的定义域
a	单步攻击	Range(r)	关系类型的值域
Priv	节点权限集	s	源实体
L	单步攻击与权限间的有向链接集	d	目标实体
E	攻击路径中单步攻击间的有向边集	h	关系路径特征值
Prob	单步攻击发生概率集	H	关系路径特征向量
host	发生攻击的设备	θ	关系路径权重向量

各占比厂商	硬件	操作系统	应用	合计
HPV	0.02	0.26	0.27	0.55
MPV	0.01	0.17	0.18	0.36
LPV	0	0.04	0.05	0.09
合计	0.03	0.47	0.5	1.0

类别	数据
	nationality → cityLocatedinCountry
	classmate → bornInCity
关系路径	classmate^-1→ bornInCity
	classmate^-1→ livedInCity
正例	(Tom, Paris)、(Bob, Paris)
负例	(Tom, Lyon)、(Bob, Lyon)
正样本	((1,1,0,0),1)、((0,0,1,0),1)
负样本	((1,0,0,0),0)、((0,0,0,1),0)

	Attacker	Firewall1	Web server	Email server	Firewall 2	Host 1	Host 2	File Server	Firewall 3	App server
Attacker	—	Access	Access	—	—	—	—	—	—	—
Firewall 1	Access	—	Access	Access	—	—	—	—	—	—
Web server	Access	Access	—	—	—	—	—	—	Access	Access
Email server	—	Access	—	—	Access	Access	—	—	—	—
Firewall 2	—	—	—	Access	—	Access	Access	—	—	—
Host 1	—	—	—	Access	Access	—	—	Access	—	—
Host 2	—	—	—	—	Access	—	—	User	—	—
File Server	—	—	—	—	—	Access	Access	—	—	—
Firewall 3	—	—	Access	—	—	—	—	—	—	Access
App server	—	—	Access	—	—	—	—	—	Access	—

设备	训练场景10（测试）					实验场景
设备	漏洞	E	C	I	A	漏洞	E	C	I	A
firewall_1	CVE-2016-6367	1.8	high	high	high	CVE-2019-1934	2.8	high	high	high
firewall_2	CVE-2017-17152	2.2	none	none	high	CVE-2017-17156	3.9	none	none	high
firewall_3	CVE-2017-17312	3.9	none	none	high	CVE-2014-9136	2.8	high	high	high
Web_Server	CVE-2017-15720	2.8	high	high	high	-	-	-	-	-
Email_Server	CVE-2018-18772	2.2	none	high	high	CVE-2018-18772	2.2	none	high	high
File_Server	CVE-2018-8206	3.9	none	none	high	CVE-2018-8169	2.2	high	high	high
Host_1	CVE-2017-18379	3.9	high	high	high	CVE-2018-12714	2.2	none	high	high
Host_2	CVE-2018-1013	2.2	high	high	high	CVE-2018-8472	2.2	high	none	none
App_Server	CVE-2017-8527	2.8	high	high	high	CVE-2017-8527	2.8	high	high	high
注：E为漏洞在CVSS3.1标准下的可用性评分，C、I、A分别为漏洞利用对机密性、完整性、可用性的影响程度。

Prediction method of 0day attack path based on cyber defense knowledge graph

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 18

References 23

Related Articles 3

Metrics

Recommended 0

代号	单步攻击	攻击发生概率
a₁	(Firewall_1, 0day-001)	0.51 654 167
a₂	(Email_Server,CVE-2018-18772)	0.77 063 776
a₃	(Host_1, CVE-2018-12714)	0.78 201 273
a₄	(File_Server, 0day-003)	0.58 126 107
a₅	(Firewall_2,CVE-2017-17156)	0.76 765 838
a₆	(Host_2, 0day-005)	0.77 269 441
a₇	(File_Server, CVE-2018-8169)	0.9 277 641

方法	准确性	便捷性	适用性	知识全面性	可解释性
文献[6]提出的方法	较低	较低	较高	较低	不支持
文献[7]提出的方法	较高	较低	较低	较低	不支持
本文方法	较高	较高	较高	较高	支持

[1]	Xiaochen SHEN, Yinhui GE, Bo CHEN, Ling YU. Research on construction technology of artificial intelligence security knowledge graph [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 164-174.
[2]	Yi XIA, Mingjng LAN, Xiaohui CHEN, Junyong LUO, Gang ZHOU, Peng HE. Survey on explainable knowledge graph reasoning methods [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 1-25.
[3]	Yuehang DING, Hongtao YU, Ruiyang HUANG, Yingle LI. Ontology summarization technology survey [J]. Chinese Journal of Network and Information Security, 2018, 4(10): 12-21.