基于贝叶斯攻击图的SDN安全预测方法

doi:10.11959/j.issn.1000-0801.2021212

电信科学 ›› 2021, Vol. 37 ›› Issue (11): 75-85.doi: 10.11959/j.issn.1000-0801.2021212

基于贝叶斯攻击图的SDN安全预测方法

尹彦尚, 索同鹏, 董黎刚, 蒋献

浙江工商大学信息与电子工程学院（萨塞克斯人工智能学院），浙江杭州 310018

修回日期:2021-09-11 出版日期:2021-11-20 发布日期:2021-11-01
作者简介:尹彦尚（1998− ），女，浙江工商大学硕士生，主要研究方向为软件定义网络
索同鹏（1995− ），男，浙江工商大学硕士生，主要研究方向为软件定义网络
董黎刚（1973− ），男，博士，浙江工商大学信息与电子工程学院院长、教授、硕士生导师，中国电子学会高级会员，浙江省计算机学会理事，主要研究方向为新一代网络和分布式系统
蒋献（1988− ），男，浙江工商大学实验师，主要研究方向为数字电路和模拟电路
基金资助:
浙江省重点研发计划项目(2020C01079);浙江省重点研发计划项目(2021C01036);国家自然科学基金资助项目(61871468);浙江省自然科学基金资助项目(LY18F010006);浙江省新型网络标准与应用技术重点实验室基金资助项目(2013E10012);大学生科技成果推广项目(1120KZN0220031G)

SDN security prediction method based on bayesian attack graph

Yanshang YIN, Tongpeng SUO, Ligang DONG, Xian JIANG

School of Information and Electronic Engineering (Sussex Artificial Intelligence Institute), Zhejiang Gongshang University, Hangzhou 310018, China

Revised:2021-09-11 Online:2021-11-20 Published:2021-11-01
Supported by:
Zhejiang Province Key Research and Development Program(2020C01079);Zhejiang Province Key Research and Development Program(2021C01036);The Natural Science Foundation of China(61871468);Zhejiang Provincial Natural Science Foundation of China(LY18F010006);Zhejiang Provincial Key Laboratory of New Network Standards and Application Technology(2013E10012);University Students' Scientific and Technological Achievements Promotion Project(1120KZN0220031G)

摘要/Abstract

摘要：

现有研究者采用威胁建模和安全分析系统的方法评估和预测软件定义网络（software defined network， SDN）安全威胁，但该方法未考虑SDN控制器的漏洞利用概率以及设备在网络中的位置，安全评估不准确。针对以上问题，根据设备漏洞利用概率和设备关键度结合PageRank算法，设计了一种计算SDN中各设备重要性的算法；根据SDN攻击图和贝叶斯理论设计了一种度量设备被攻击成功概率的方法。在此基础上设计了一种基于贝叶斯攻击图的SDN安全预测算法，预测攻击者的攻击路径。实验结果显示，该方法能够准确预测攻击者的攻击路径，为安全防御提供更准确的依据。

关键词: SDN安全预测, 漏洞利用概率, 攻击图, PR算法

Abstract:

Existing researchers use threat modeling and security analysis system to evaluate and predict SDN (software defined network) security threats, but this method does not consider the vulnerability utilization of SDN controller and the location of devices in the network, so the security evaluation is not accurate.In order to solve the above problems, according to the probability of device vulnerability utilization and device criticality, combined with PageRank algorithm, a algorithm to calculate the importance of each device in SDN was designed; according to SDN attack graph and Bayesian theory, a method to measure the success probability of device being attacked was designed.On this basis, a SDN security prediction method based on Bayesian attack graph was proposed to predict the attacker's attack path.Experimental results show that this method can accurately predict the attacker's attack path and provide more accurate basis for security defense.

Key words: SDN security prediction, vulnerability utilization probability, attack graph, PR algorithm

中图分类号:

TP393.0

尹彦尚, 索同鹏, 董黎刚, 蒋献. 基于贝叶斯攻击图的SDN安全预测方法[J]. 电信科学, 2021, 37(11): 75-85.

Yanshang YIN, Tongpeng SUO, Ligang DONG, Xian JIANG. SDN security prediction method based on bayesian attack graph[J]. Telecommunications Science, 2021, 37(11): 75-85.

图/表 10

图1

表1

图2

表2

表3

表4

表5

图3

图4

图5

参考文献 22

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[2]	SCHEHLMANN L , ABT S , BAIER H . Blessing or curse? Revisiting security aspects of Software-Defined Networking[C]// 10th International Conference on Network and Service Management (CNSM) and Workshop. Piscataway:IEEE Press, 2014: 382-387.
[3]	SCOTT-HAYWARD S , NATARAJAN S , SEZER S . A survey of security in software defined networks[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 623-654.
[4]	KREUTZ D , RAMOS F M V , VERISSIMO P . Towards secure and dependable software-defined networks[C]// Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking - HotSDN '13. New York:ACM Press, 2013: 55-60.
[5]	LEE S , YOON C , SHIN S . The smaller,the shrewder:a simple malicious application can kill an entire SDN environment[C]// Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtualization. New York:ACM Press, 2016: 23-28.
[6]	FERNANDES E L . Dpctl documentationcpqd/ofsoftswitch13 wiki github[EB]. 2018.
[7]	ANTIKAINEN M , AURA T , S?REL? M , . Spook in your network:attacking an SDN with a compromised OpenFlow switch[C]// Secure IT Systems. Piscataway:Springer Press, 2014: 229-244.
[8]	任晓龙 . 网络节点重要性排序算法及其应用研究[D]. 杭州:杭州师范大学, 2015.
	REN X L . The study of ranking algorithm of the important node in networks and its applications[D]. Hangzhou:Hangzhou Normal University, 2015.
[9]	游梦娜 . 基于攻击图的网络脆弱性评估技术研究与实现[D]. 北京:北京邮电大学, 2018.
	YOU M N . Research and implementation of network vulnerability assessment technology based on attack graph[D]. Beijing:Beijing University of Posts and Telecommunications, 2018.
[10]	朱禹铭 . 基于贝叶斯的动态网络攻击行为预测方法研究[D]. 秦皇岛:燕山大学, 2019.
	ZHU Y M . Research on dynamic network attack behavior prediction method based on Bayesian[D]. Qinhuangdao:Yanshan University, 2019.
[11]	EOM T , HONG J B , AN S ,et al. A framework for real-time intrusion response in software defined networking using precomputed graphical security models[J]. Security and Communication Networks, 2020: 1-15.
[12]	EOM T , HONG J B , AN S ,et al. A systematic approach to threat modeling and security analysis for software defined networking[J]. IEEE Access, 2019,7: 137432-137445.
[13]	LUO S , DONG M , OTA K ,et al. A security assessment mechanism for software-defined networking-based mobile networks[J]. Sensors (Basel,Switzerland), 2015,15(12): 31843-31858.
[14]	YOON S , CHO J H , KIM D S ,et al. Attack graph-based moving target defense in software-defined networks[J]. IEEE Transactions on Network and Service Management, 2020,17(3): 1653-1668.
[15]	LIU Y , MAN H . Network vulnerability assessment using Bayesian networks[C]// Defense and Security.Proc SPIE 5812,Data Mining,Intrusion Detection,Information Assurance,and Data Networks Security 2005. Piscataway:Society of Photo-Optical Instrumentation Engineers (SPIE) Press,2005, 5812: 61-71.
[16]	ZIMBA A , CHEN H S , WANG Z S . Bayesian network based weighted APT attack paths modeling in cloud computing[J]. Future Generation Computer Systems, 2019,96: 525-537.
[17]	Information security risk assessment[EB]. 2019.
[18]	Definition - what does risk analysismean?[EB]. 2019.
[19]	JOHNSON P , LAGERSTR?M R , EKSTEDT M ,et al. Can the common vulnerability scoring system be trusted? A Bayesian analysis[J]. IEEE Transactions on Dependable and Secure Computing, 2018,15(6): 1002-1015.
[20]	POOLSAPPASIT N , DEWRI R , RAY I . Dynamic security risk management using Bayesian attack graphs[J]. IEEE Transactions on Dependable and Secure Computing, 2012,9(1): 61-74.
[21]	Information Technology Labortory. National vulnerability database version 2.5[S]. 2018.
[22]	OU X , GOVINDAVAJHALA S , APPEL A W . MulVAL:alogic-based network security analyzer[C]// USENIX Security Symposium. Piscataway:USENIX Press, 2005: 113-128.

Host	主机配置	服务	CvE ID	CVSS	Impact
VM₃	Windows Server 2008	apache	CVE-2014-0098	7	2.9
VM₄	RedHat Linux	Linux	CVE-2014-0038	7	10.0
VM₅	MySQL Server 2003	postgresql	CVE-2014-0063	6.5	6.4
VM₆	RedHat Enterprise Linux	Linux	CVE-2015-4002	9	8.5
S₁	OpenFlow Spec 1.3.0	Open vSwitch	CVE-2016-2074	7.5	6.4
S₂	OpenFlow Spec 1.3.0	Open vSwitch	CVE-2017-9265	7.5	6.4
S₃	OpenFlow Spec 1.3.0	Open vSwitch	CVE-2017-9263	3.3	2.9
VM₁	RedHat Linux	Linux	CVE-2014-0098	0.73	2.9
C₁	RedHat Linux	ONOS	CVE-2018-1000616	7.5	6.4
C2	RedHat Linux	ONOS	CVE-2018-1000615	5.0	2.9
C₃	RedHat Linux	ONOS	CVE-2018-1000614	7.5	6.4

攻击图中的节点	SDN设备名称
H₁	VM₁主机
H₂	C₁控制器
H₃	C₁控制器
H₄	S₁交换机
H₅	C₁控制器
H₆	C₂控制器
H₇	C₃控制器

状态转移	CVE#	转移概率
a₁	CVE 2014-0098	0.73
a₂	CVE-2018-1000616	0.75
a₃	CVE-2018-1000615	0.5
a₄	CVE-2017-9265	0.75
a₅	CVE-2018-1000614	0.75
a₆	CVE-2018-12691	0.43
a₇	CVE-2018-1000614	0.75
a₈	CVE-2017-13762	0.43
a₁₀	CVE-2018-1000616	0.75

路径编号	攻击路径
1	H₀→H₁→H₂→H₇
2	H₀→H₁→H₃→H₆→H₇
3	H₀→H₁→H₃→H₇
4	H₀→H₁→H₄→H₅→H₇

攻击图中的节点	SDN设备权重值W	关键度
H₁	0.179 404 8	4
H₂	0.910 372 5	9
H₃	0.910 372 5	9
H₄	1.318 03	7
H₅	0.910 372 5	9
H₆	0.691 12	8
H₇	1.166 265	9

基于贝叶斯攻击图的SDN安全预测方法

SDN security prediction method based on bayesian attack graph

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 22

相关文章 9

Metrics

推荐阅读 0

[1]	杨伟伟, 王思宁, 郑贵德, 宋亚琼. 基于知识库的制造业能耗优化平台技术研究[J]. 电信科学, 2022, 38(8): 178-185.
[2]	陈伟雄, 杨晓晨, 春增军, 李若兰, 张华. 电力企业网络安全威胁情报管理体系的研究与实践[J]. 电信科学, 2022, 38(7): 184-189.
[3]	王峰, 于青民, 黄颖, 段世惠. 工业互联网网络关键技术与发展研究[J]. 电信科学, 2022, 38(7): 106-113.
[4]	陈哲,蒋胜,王闯. 面向智能工业物联的灵活地址可信协议架构[J]. 电信科学, 2020, 36(7): 26-33.
[5]	李丽君,张福泉,刘鸿飞. 基于功率损耗均衡化控制机制的移动无线传感网数据传输算法[J]. 电信科学, 2018, 34(11): 1-9.
[6]	李川,李学俊. 一种基于散列函数的RFID安全认证方法[J]. 电信科学, 2017, 33(6): 129-137.
[7]	汪来富,金华敏,刘东鑫,王帅. 面向网络大数据的安全分析技术应用[J]. 电信科学, 2017, 33(3): 112-118.
[8]	章谦骅,章坚武. 基于云安全技术的智慧政务云解决方案[J]. 电信科学, 2017, 33(3): 107-111.
[9]	王静,高昆仑,张波. 基于网络隔离与安全数据交换的发电集团双网体系研究与设计[J]. 电信科学, 2017, 33(2): 163-176.