基于期望收益率攻击图的网络风险评估研究

doi:10.11959/j.issn.2096-109x.2022047

Abstract

Abstract:

As Internet applications and services become more and more extensive, the endless network attacks lead to great risks and challenges to the security of information systems.As a model-based network security risk analysis technology, attack graph is helpful to find the vulnerability between network nodes and the harm of being attacked.It has been proved to be an effective method to find and prevent network security risks.Attack graph is mainly divided into state-based attack graph and attribute-based attack graph.Due to the problem of state explosion in state-based attack graph, most researchers prefer the attribute-based attack graph for network risk assessment.In view of the existing researches on attribute-based attack graph, they excessively rely on the vulnerability of network nodes and the essential attributes of atomic attack.However, they ignore that rational attackers usually choose specific attack paths by maximizing attack benefits.Then, a network risk assessment framework and a quantification method of attack benefits-rate based on expected benefits-rate attack graph were proposed.The network risk assessment framework took the open vulnerability resource database, the new vulnerabilities found by the vulnerability mining system and the big data related to network attack and defense as the basic data source.The network risk assessment framework also took the open source big data platform as the analysis tool to mine and calculate the elements related to attack cost and attack benefit.Using the concepts of cost, benefit and benefit-rate in economics, the calculation model of expected benefit-rate of atomic attack was constructed.By constructing the attribute-based attack graph of the target network, the expected benefit-rate of atomic attack on the attack path was calculated, and the expected benefit-rate list of all possible attack paths was generated.Furthermore, taking the expected goal as the starting point, the search was carried out according to the specific optimization strategy (backtracking method, greedy algorithm, dynamic programming).And the complete attack path with the maximum benefit-rate was obtained, which provided the basis for network risk assessment.The simulation results show the effectiveness and rationality of the proposed expected benefit-rate attack graph network risk assessment method, which can provide support for discovering and preventing network security problems.

Key words: attack graph, risk assessment, attack path, expected benefits-rate, attack graph of benefits-rate

CLC Number:

TP309.1

Wenfu LIU, Jianmin PANG, Xin ZHOU, Nan LI, Feng YUE. Research on network risk assessment based on attack graph of expected benefits-rate[J]. Chinese Journal of Network and Information Security, 2022, 8(4): 87-97.

Figures/Tables 17

References 19

[1]	吴迪, 冯登国, 连一峰 ,等. 一种给定脆弱性环境下的安全措施效用评估模型[J]. 软件学报, 2012,23(7): 1880-1898.
	WU D , FENG D G , LIAN Y F ,et al. Efficiency evaluation model of system security measures in the given vulnerabilities set[J]. Journal of Software. 2012,23(7): 1880-1898.
[2]	MAIO F D , MASCHERONA Z E . Risk analysis of cyber-physical systems by GTST-MLD[J]. IEEE Systems Journal, 2020,14(1): 1333-1340.
[3]	LEE J , MOON D , KIM I ,et al. A semantic approach to improving machine readability of a large-scale attack graph[J]. The Journal of Supercomputing, 2018.
[4]	SCARFONE K , MELL P . An analysis of CVSS version 2 vulnerability scoring[J]. IEEE Computer Society, 2009.
[5]	KERAMATI M , AKBARI A . CVSS-based security metrics for quantitative analysis of attack graphs[C]// 2013 3th International Conference on Computer and Knowledge Engineering (ICCKE). 2013.
[6]	KHOUZANI M , LIU Z , MALACARIA P . Scalable min-max multi-objective cyber-security optimisation over probabilistic attack graphs[J]. European Journal of Operational Research, 2019.
[7]	LIU X G . A network attack path prediction method using attack graph[J]. Journal of Ambient Intelligence and Humanized Computing, 2020,(1): 1-8.
[8]	ZANG T , GAO S , LIU B ,et al. Integrated fault propagation model based vulnerability assessment of the electrical cyber-physical system under cyber attacks[J]. Reliability Engineering ＆ System Safety, 2019,189(SEP.): 232-241.
[9]	OBERT J , CHAVEZ A . Graph theory and classifying security events in grid security gateways[J]. International Journal of Semantic Computing, 2020,14(1): 93-105.
[10]	陈锋, 张怡, 苏金树 ,等. 攻击图的两种形式化分析[J]. 软件学报, 2010,21(4): 838-848.
	CHEN F , ZHANG Y , SU J S ,et al. Two formal analyses of attack graphs[J]. Journal of Software, 2010,21(4): 838-848.
[11]	SHEYNER O , HAINES J , JHA S ,et al. Automated generation and analysis of attack graphs[C]// IEEE Symposium on Security ＆ Privacy. 2002.
[12]	INGOLSK , CHU M , LIPPMANN R ,et al. Modeling modern network attacks and countermeasures using attack graphs[R]. 2009.
[13]	马春光, 汪诚弘, 张东红 ,等. 一种基于攻击意愿分析的网络风险动态评估模型[J]. 计算机研究与发展, 2015,52(9): 2056-2068.
	MA C G , WANG C H , ZHANG D H ,et al. A dynamic network risk assessment model based on attacker’s inclination[J]. Journal of Computer Research and Development. 2015,52(9): 2056-2068.
[14]	闫峰 . 基于攻击图的网络安全风险评估技术研究[D]. 长春:吉林大学, 2014.
	YAN F . The technology research of network security risk assessment based on attacks graphs[D]. Changchun:Jilin University, 2014.
[15]	ZHANG S , SONG S . A novel attack graph posterior inference model based on bayesian network[J]. Journal of Information Security, 2011,2(1): 8-27.
[16]	WANG L , LIU A , JAJODIA S . Using attack graphs for correlating,hypothesizing,and predicting intrusion alerts[J]. Computer Communications, 2006,29(15): 2917-2933.
[17]	周余阳, 程光, 郭春生 . 基于贝叶斯攻击图的网络攻击面风险评估方法[J]. 网络与信息安全学报, 2018,4(6): 11-22.
	ZHOU Y Y , CHENG G , GUO C S . Risk assessment method for network attack surface based on Bayesian attack graph[J]. Chinese Journal of Network and Information Security, 2018,4(6): 11-22.
[18]	LALLIE H S , DEBATTISTAK , BAL J . Evaluating practitioner cyber-security attack graph configuration preferences[J]. Computers ＆ Security, 2018,79: 117-131.
[19]	LIN P , CHEN Y . Dynamic network security situation prediction based on bayesian attack graph and big data[C]// 2018 IEEE 4th Information Technology and Mechatronics Engineering Conference (ITOEC). 2018.

Metrics

Recommended 0

No Suggested Reading articles found!

分类	要素	可选值	分值
AFC	SI	Complete Code/Function Code/Null	0.3/0.5/0.7
	SP	Common/Special/Particular	0.3/0.5/0.7
	LF	Reuse/Modify/Disposable	0.2/0.6/1.0
AVC	OR	Tool/Script/Corporation	0.3/0.5//0.8
	IR	Regular Information/Configuration/Critical Information	0.3/0.5/0.8
ATC	AT	Short/Normal/Long	0.2/0.5/0.7

分类	要素	可选值	分数
	RR	/	0.55
APB	CB	/	0.75
	LA	/	0.85
	FA	/	1.0
	CV	Normal/Medium/High	0.2/0.5//0.7
AVB	IV	Normal/Medium/High	0.2/0.5//0.7
	AV	Normal/Medium/High	0.2/0.5/0.7
AEB	EB	Low/Medium/High	0.2/0.4/0.6
注：“/”表示不适用。

要素	可选值	分数
Attack Vector(AV)	Local/Network	0.7/1.0
Attack Complexity(AC)	High/Medium/Low	0.6/0.8/1.0
Authentication(AU)	Required/Null	0.6/1.0

变量名	变量名缩写	收益率
B(S₁S₂-S₆,A₁)	B(A₁)	65%
B(S₂S₃-S₆,A₂)	B(A₂)	55%
B(S₃-S₇,A₃)	B(A₃)	40%
B(S₄-S₇,A₃)	B(A₃₀)	60%
B(S₅-S₇,A₄)	B(A₄)	30%
B(S₆S₇-S₈,A₅)	B(A₅)	50%

Research on network risk assessment based on attack graph of expected benefits-rate

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 17

References 19

Related Articles 9

Metrics

Recommended 0

[1]	Lijun ZU, Yalin CAO, Xiaohua MEN, Zhihui LYU, Jiawei YE, Hongyi LI, Liang ZHANG. Adaptive selection method of desensitization algorithm based on privacy risk assessment [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 49-59.
[2]	Cheng SUN, Hao HU, Yingjie YANG, Hongqi ZHANG. Prediction method of 0day attack path based on cyber defense knowledge graph [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 151-166.
[3]	Haiyang YU, Xiuzhen CHEN, Jin MA, Zhihong ZHOU, Shuning HOU. Information security vulnerability scoring model for intelligent vehicles [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 167-179.
[4]	Yaofang ZHANG, Zheyu ZHANG, Haikuo QU, Ge ZHANG, Zibo WANG, Bailing WANG. Key path analysis method for large-scale industrial control network [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 31-43.
[5]	Fan CHAO, Zhi YANG, Xuehui DU, Bing HAN. Classified risk assessment method of Android application based on multi-factor clustering selection [J]. Chinese Journal of Network and Information Security, 2021, 7(2): 161-173.
[6]	Biao WANG,Xingyang LIU,Ka XU,Wangyang LIU,Kenan WANG,Yuqing XIA. Research on national security risk assessment model of open government data [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 80-87.
[7]	Qiang LENG,Yingjie YANG,Dexian CHANG,Ruixuan PAN,Ying CAI,Hao HU. Dynamic defense decision method for network real-time confrontation [J]. Chinese Journal of Network and Information Security, 2019, 5(6): 58-66.
[8]	Hao HU, Yuling LIU, Yuchen ZHANG, Hongqi ZHANG. Survey of attack graph based network security metric [J]. Chinese Journal of Network and Information Security, 2018, 4(9): 1-16.
[9]	Yuyang ZHOU, Guang CHENG, Chunsheng GUO. Risk assessment method for network attack surface based on Bayesian attack graph [J]. Chinese Journal of Network and Information Security, 2018, 4(6): 11-22.