基于贝叶斯攻击图的SDN安全预测方法

doi:10.11959/j.issn.1000-0801.2021212

Abstract

Abstract:

Existing researchers use threat modeling and security analysis system to evaluate and predict SDN (software defined network) security threats, but this method does not consider the vulnerability utilization of SDN controller and the location of devices in the network, so the security evaluation is not accurate.In order to solve the above problems, according to the probability of device vulnerability utilization and device criticality, combined with PageRank algorithm, a algorithm to calculate the importance of each device in SDN was designed; according to SDN attack graph and Bayesian theory, a method to measure the success probability of device being attacked was designed.On this basis, a SDN security prediction method based on Bayesian attack graph was proposed to predict the attacker's attack path.Experimental results show that this method can accurately predict the attacker's attack path and provide more accurate basis for security defense.

Key words: SDN security prediction, vulnerability utilization probability, attack graph, PR algorithm

CLC Number:

TP393.0

Yanshang YIN, Tongpeng SUO, Ligang DONG, Xian JIANG. SDN security prediction method based on bayesian attack graph[J]. Telecommunications Science, 2021, 37(11): 75-85.

Figures/Tables 10

References 22

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow:enabling innovation in campus networks[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[2]	SCHEHLMANN L , ABT S , BAIER H . Blessing or curse? Revisiting security aspects of Software-Defined Networking[C]// 10th International Conference on Network and Service Management (CNSM) and Workshop. Piscataway:IEEE Press, 2014: 382-387.
[3]	SCOTT-HAYWARD S , NATARAJAN S , SEZER S . A survey of security in software defined networks[J]. IEEE Communications Surveys ＆ Tutorials, 2016,18(1): 623-654.
[4]	KREUTZ D , RAMOS F M V , VERISSIMO P . Towards secure and dependable software-defined networks[C]// Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking - HotSDN '13. New York:ACM Press, 2013: 55-60.
[5]	LEE S , YOON C , SHIN S . The smaller,the shrewder:a simple malicious application can kill an entire SDN environment[C]// Proceedings of the 2016 ACM International Workshop on Security in Software Defined Networks ＆ Network Function Virtualization. New York:ACM Press, 2016: 23-28.
[6]	FERNANDES E L . Dpctl documentationcpqd/ofsoftswitch13 wiki github[EB]. 2018.
[7]	ANTIKAINEN M , AURA T , S?REL? M , . Spook in your network:attacking an SDN with a compromised OpenFlow switch[C]// Secure IT Systems. Piscataway:Springer Press, 2014: 229-244.
[8]	任晓龙 . 网络节点重要性排序算法及其应用研究[D]. 杭州:杭州师范大学, 2015.
	REN X L . The study of ranking algorithm of the important node in networks and its applications[D]. Hangzhou:Hangzhou Normal University, 2015.
[9]	游梦娜 . 基于攻击图的网络脆弱性评估技术研究与实现[D]. 北京:北京邮电大学, 2018.
	YOU M N . Research and implementation of network vulnerability assessment technology based on attack graph[D]. Beijing:Beijing University of Posts and Telecommunications, 2018.
[10]	朱禹铭 . 基于贝叶斯的动态网络攻击行为预测方法研究[D]. 秦皇岛:燕山大学, 2019.
	ZHU Y M . Research on dynamic network attack behavior prediction method based on Bayesian[D]. Qinhuangdao:Yanshan University, 2019.
[11]	EOM T , HONG J B , AN S ,et al. A framework for real-time intrusion response in software defined networking using precomputed graphical security models[J]. Security and Communication Networks, 2020: 1-15.
[12]	EOM T , HONG J B , AN S ,et al. A systematic approach to threat modeling and security analysis for software defined networking[J]. IEEE Access, 2019,7: 137432-137445.
[13]	LUO S , DONG M , OTA K ,et al. A security assessment mechanism for software-defined networking-based mobile networks[J]. Sensors (Basel,Switzerland), 2015,15(12): 31843-31858.
[14]	YOON S , CHO J H , KIM D S ,et al. Attack graph-based moving target defense in software-defined networks[J]. IEEE Transactions on Network and Service Management, 2020,17(3): 1653-1668.
[15]	LIU Y , MAN H . Network vulnerability assessment using Bayesian networks[C]// Defense and Security.Proc SPIE 5812,Data Mining,Intrusion Detection,Information Assurance,and Data Networks Security 2005. Piscataway:Society of Photo-Optical Instrumentation Engineers (SPIE) Press,2005, 5812: 61-71.
[16]	ZIMBA A , CHEN H S , WANG Z S . Bayesian network based weighted APT attack paths modeling in cloud computing[J]. Future Generation Computer Systems, 2019,96: 525-537.
[17]	Information security risk assessment[EB]. 2019.
[18]	Definition - what does risk analysismean?[EB]. 2019.
[19]	JOHNSON P , LAGERSTR?M R , EKSTEDT M ,et al. Can the common vulnerability scoring system be trusted? A Bayesian analysis[J]. IEEE Transactions on Dependable and Secure Computing, 2018,15(6): 1002-1015.
[20]	POOLSAPPASIT N , DEWRI R , RAY I . Dynamic security risk management using Bayesian attack graphs[J]. IEEE Transactions on Dependable and Secure Computing, 2012,9(1): 61-74.
[21]	Information Technology Labortory. National vulnerability database version 2.5[S]. 2018.
[22]	OU X , GOVINDAVAJHALA S , APPEL A W . MulVAL:alogic-based network security analyzer[C]// USENIX Security Symposium. Piscataway:USENIX Press, 2005: 113-128.

Metrics

Recommended 0

No Suggested Reading articles found!

Host	主机配置	服务	CvE ID	CVSS	Impact
VM₃	Windows Server 2008	apache	CVE-2014-0098	7	2.9
VM₄	RedHat Linux	Linux	CVE-2014-0038	7	10.0
VM₅	MySQL Server 2003	postgresql	CVE-2014-0063	6.5	6.4
VM₆	RedHat Enterprise Linux	Linux	CVE-2015-4002	9	8.5
S₁	OpenFlow Spec 1.3.0	Open vSwitch	CVE-2016-2074	7.5	6.4
S₂	OpenFlow Spec 1.3.0	Open vSwitch	CVE-2017-9265	7.5	6.4
S₃	OpenFlow Spec 1.3.0	Open vSwitch	CVE-2017-9263	3.3	2.9
VM₁	RedHat Linux	Linux	CVE-2014-0098	0.73	2.9
C₁	RedHat Linux	ONOS	CVE-2018-1000616	7.5	6.4
C2	RedHat Linux	ONOS	CVE-2018-1000615	5.0	2.9
C₃	RedHat Linux	ONOS	CVE-2018-1000614	7.5	6.4

攻击图中的节点	SDN设备名称
H₁	VM₁主机
H₂	C₁控制器
H₃	C₁控制器
H₄	S₁交换机
H₅	C₁控制器
H₆	C₂控制器
H₇	C₃控制器

状态转移	CVE#	转移概率
a₁	CVE 2014-0098	0.73
a₂	CVE-2018-1000616	0.75
a₃	CVE-2018-1000615	0.5
a₄	CVE-2017-9265	0.75
a₅	CVE-2018-1000614	0.75
a₆	CVE-2018-12691	0.43
a₇	CVE-2018-1000614	0.75
a₈	CVE-2017-13762	0.43
a₁₀	CVE-2018-1000616	0.75

路径编号	攻击路径
1	H₀→H₁→H₂→H₇
2	H₀→H₁→H₃→H₆→H₇
3	H₀→H₁→H₃→H₇
4	H₀→H₁→H₄→H₅→H₇

攻击图中的节点	SDN设备权重值W	关键度
H₁	0.179 404 8	4
H₂	0.910 372 5	9
H₃	0.910 372 5	9
H₄	1.318 03	7
H₅	0.910 372 5	9
H₆	0.691 12	8
H₇	1.166 265	9

SDN security prediction method based on bayesian attack graph

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 10

References 22

Related Articles 9

Metrics

Recommended 0

[1]	Weiwei YANG, Sining WANG, Guide ZHENG, Yaqiong SONG. Research on manufacturing energy consumption optimization platform technology based on knowledge-base [J]. Telecommunications Science, 2022, 38(8): 178-185.
[2]	Weixiong CHEN, Xiaochen YANG, Zengjun CHUN, Ruolan LI, Hua ZHANG. Research and practice of network security threat intelligence management system for power enterprise [J]. Telecommunications Science, 2022, 38(7): 184-189.
[3]	Feng WANG, Qingmin YU, Ying HUANG, Shihui Duan. Research on key technology and development of industrial Internet network [J]. Telecommunications Science, 2022, 38(7): 106-113.
[4]	Zhe CHEN,Sheng JIANG,Chuang WANG. A flexible and secure protocol framework for industrial internet of smart things [J]. Telecommunications Science, 2020, 36(7): 26-33.
[5]	Lijun LI,Fuquan ZHANG,Hongfei LIU. Data transmission algorithm for mobile wireless sensor network based on power loss equalization control mechanism [J]. Telecommunications Science, 2018, 34(11): 1-9.
[6]	Chuan LI,Xuejun LI. A secure authentication method based on hash function for RFID system [J]. Telecommunications Science, 2017, 33(6): 129-137.
[7]	Laifu WANG,Huamin JIN,Dongxin LIU,Shuai WANG. Application of security analysis technology for network big data [J]. Telecommunications Science, 2017, 33(3): 112-118.
[8]	Qianhua ZHANG,Jianwu ZHANG. Solution for smart government cloud based on cloud security technology [J]. Telecommunications Science, 2017, 33(3): 107-111.
[9]	Jing WANG,Kunlun GAO,Bo ZHANG. Research and design in dual network scheme of power corporation based on network isolation and secure data exchange [J]. Telecommunications Science, 2017, 33(2): 163-176.