基于贝叶斯攻击图的SDN入侵意图识别算法的研究

doi:10.11959/j.issn.1000-436x.2023073

摘要/Abstract

摘要：

针对目前已有的软件定义网络（SDN）安全预测方法中未考虑攻击代价以及控制器漏洞对 SDN 安全所产生的影响，提出了一种基于贝叶斯攻击图的SDN入侵意图识别算法。利用PageRank算法求出设备关键度，并与漏洞价值、攻击成本、攻击收益以及攻击偏好相结合构建攻击图，建立风险评估模型，对入侵路径进行预测。通过实验对比可以看出，所提模型能更准确地预测入侵路径，有效地保证安全预测的准确性，并为 SDN 的防御提供依据。

关键词: SDN安全预测, 入侵意图, 攻击图, PageRank算法

Abstract:

Since the existing software defined network (SDN) security prediction methods do not consider the attack cost and the impact of controller vulnerabilities on SDN security, a Bayesian attack graph-based algorithm to assessing SDN intrusion intent was proposed.The PageRank algorithm was used to obtain the criticality of the device, and combining with the vulnerability value, attack cost, attack benefit and attack preference, an attack graph was constructed, and a risk assessment model was established to predict the intrusion path.Through experimental comparison, it is obvious that the proposed model can more accurately predict the intrusion path, effectively ensure the accuracy of security prediction, and provide a basis for SDN defense.

Key words: SDN security prediction, intrusion intention, attack graph, PageRank algorithm

中图分类号:

TP393.4

罗智勇, 张玉, 王青, 宋伟伟. 基于贝叶斯攻击图的SDN入侵意图识别算法的研究[J]. 通信学报, 2023, 44(4): 216-225.

Zhiyong LUO, Yu ZHANG, Qing WANG, Weiwei SONG. Study of SDN intrusion intent identification algorithm based on Bayesian attack graph[J]. Journal on Communications, 2023, 44(4): 216-225.

图/表 11

表1

表2

表3

图1

表4

图2

表5

图3

表6

图4

图5

参考文献 20

[1]	MCKEOWN N , ANDERSON T , BALAKRISHNAN H ,et al. OpenFlow[J]. ACM SIGCOMM Computer Communication Review, 2008,38(2): 69-74.
[2]	CHICA J C C , IMBACHI J C , BOTERO J F . Security in SDN:a comprehensive survey[J]. Journal of Network and Computer Applications, 2020, 159:102595.1-102595.23.
[3]	周启钊, 于俊清, 李冬 . SDN控制层泛洪防御机制研究:检测与缓解[J]. 通信学报, 2021,42(11): 41-53.
	ZHOU Q Z , YU J Q , LI D . Research on flood defense mechanism of SDN control layer:detection and mitigation[J]. Journal on Communications, 2021,42(11): 41-53.
[4]	王涛, 陈鸿昶 . 基于多维异构特征与反馈感知调度的 SDN 内生安全控制平面[J]. 电子学报, 2021,49(6): 1117-1124.
	WANG T , CHEN H C . An SDN endogenous security control plane based on multi-dimensional heterogeneous features and feedback-aware scheduling strategy[J]. Acta Electronica Sinica, 2021,49(6): 1117-1124.
[5]	VARADHARAJAN V , TUPAKULA U . Counteracting attacks from malicious end hosts in software defined networks[J]. IEEE Transactions on Network and Service Management, 2020,17(1): 160-174.
[6]	YANG S , CUI L Z , CHEN Z T ,et al. An efficient approach to robust SDN controller placement for security[J]. IEEE Transactions on Network and Service Management, 2020,17(3): 1669-1682.
[7]	陆以勤, 毛中书, 程喆 ,等. SDN 拓扑攻击及其防御[J]. 华南理工大学学报(自然科学版), 2020,48(11): 114-122.
	LU Y Q , MAO Z S , CHENG Z ,et al. Research on SDN topology attack and its defense mechanism[J]. Journal of South China University of Technology (Natural Science Edition), 2020,48(11): 114-122.
[8]	PAGE L , BRIN S , MOTWANI R ,et al. The PageRank citation ranking:bringing order to the Web[R]. 1999.
[9]	罗智勇, 杨旭, 孙广路 ,等. 基于马尔可夫的有限自动机入侵容忍系统模型[J]. 通信学报, 2019,40(10): 79-89.
	LUO Z Y , YANG X , SUN G L ,et al. Finite automaton intrusion tolerance system model based on Markov[J]. Journal on Communications, 2019,40(10): 79-89.
[10]	CHEN Y Y , XU B , LONG J ,et al. Information security assessment of wireless sensor networks based on Bayesian attack graphs[J]. Journal of Intelligent ＆ Fuzzy Systems:Applications in Engineering and Technology, 2021,41(3): 4511-4517.
[11]	HUSáK M , KOMáRKOVá J , BOU-HARB E ,et al. Survey of attack projection,prediction,and forecasting in cyber security[J]. IEEE Communications Surveys ＆ Tutorials, 2019,21(1): 640-660.
[12]	MUNOZ-GONZALEZ L , SGANDURRA D , BARRERE M ,et al. Exact inference techniques for the analysis of Bayesian attack graphs[J]. IEEE Transactions on Dependable and Secure Computing, 2017,16(2): 231-244.
[13]	ZENG J P , WU S , CHEN Y Y ,et al. Survey of attack graph analysis methods from the perspective of data and knowledge processing[J]. Security and Communication Networks, 2019,2019: 1-16.
[14]	POKHREL N R , TSOKOS C P . Cybersecurity:a stochastic predictive model to determine overall network security risk using Markovian process[J]. Journal of Information Security, 2017,8(2): 91-105.
[15]	SUN X Y , DAI J , LIU P ,et al. Using Bayesian networks for probabilistic identification of zero-day attack paths[J]. IEEE Transactions on Information Forensics and Security, 2018,13(10): 2506-2521.
[16]	王辉, 张娟, 赵雅 ,等. 一种新型贝叶斯模型的网络风险评估方法[J]. 小型微型计算机系统, 2020,41(9): 1898-1904.
	WANG H , ZHANG J , ZHAO Y ,et al. Network risk assessment method of a new type of Bayesian model[J]. Journal of Chinese Computer Systems, 2020,41(9): 1898-1904.
[17]	RUOHONEN J . A look at the time delays in CVSS vulnerability scoring[J]. Applied Computing and Informatics, 2019,15(2): 129-135.
[18]	肖云鹏, 卢星宇, 许明 ,等. 机器学习经典算法实践[M]. 北京: 清华大学出版社, 2018.
	XIAO Y P , LU X Y , XU M ,et al. Classical algorithm practice of machine learning[M]. Beijing: Tsinghua University Press, 2018.
[19]	马春光, 汪诚弘, 张东红 ,等. 一种基于攻击意愿分析的网络风险动态评估模型[J]. 计算机研究与发展, 2015,52(9): 2056-2068.
	MA C G , WANG C H , ZHANG D H ,et al. A dynamic network risk assessment model based on attacker’s inclination[J]. Journal of Computer Research and Development, 2015,52(9): 2056-2068.
[20]	王洋, 吴建英, 黄金垒 ,等. 基于贝叶斯攻击图的网络入侵意图识别方法[J]. 计算机工程与应用, 2019,55(22): 73-79.
	WANG Y , WU J Y , HUANG J L ,et al. Network intrusion intention recognition method based on Bayesian attack graph[J]. Computer Engineering and Applications, 2019,55(22): 73-79.

指标	属性度量值	因素评分
	网络关系(N)	0.85
AV	相邻设备(A)	0.62
	本地设备(L)	0.55
	物理(P)	0.20
	低复杂度(L)	0.71
AC	中复杂度(M)	0.61
	高复杂度(H)	0.35
	无权限要求(N)	0.85
PR	权限要求较低(L)	0.64
	权限要求较高(H)	0.33
	无(N)	0
C, I, A	低(L)	0.22
	高(H)	0.56

编号	经验值	经验信息描述
A₁	0.1	攻击者内部信息没有对该设备以往的攻击记录，但可能会找到该设备漏洞
A₂	0.2	攻击者内部信息没有对该设备以往的攻击记录，但知道其漏洞，不知道攻击方法
A₃	0.3	攻击者内部信息没有对该设备以往的攻击记录，但会参考可能用到的攻击方法
A₄	0.4	攻击者内部信息有粗略的攻击方法
A₅	0.5	有大概的攻击步骤，但没有攻击工具
A₆	0.6	有详细的攻击步骤，但没有攻击工具
A₇	0.7	有攻击代码和详细的工具步骤，但没有攻击工具
A₈	0.8	有攻击代码、详细的工具步骤以及攻击工具
A₉	0.9	所有都具备，且都已准备好

收益水平	衡量信息	收益值
PL₁	内部信息泄露	0.30～0.55
PL₂	远程登录设备	0.55～0.70
PL₃	认证绕过	0.70～0.85
PL₄	临时访问	0.85～0.95
PL₅	获取Root权限	1.00

设备名	设备ID	操作系统或程序	漏洞描述	漏洞编号	CVE编号	worth(v_i)
虚拟机H₁	H₁	LINUX (Ubantu16.04)	缓冲区溢出	v₁	CVE-2014-1443	0.41
		LINUX (Ubantu16.04)	执行任意代码	v₂	CVE-2015-1635	0.43
虚拟机H₂	H₂	LINUX (Ubantu16.04)	访问限制绕过	v₃	CVE-2015-8467	0.35
		LINUX (Ubantu16.04)	跨站脚本	v₄	CVE-2015-8622	0.39
VPN服务器	T₁	WebVPN	授权后堆溢出漏洞	v₅	CVE-2018-13383	0.43
FTP服务器	T₂	Titan FTP Server6.0.3	任意命令执行漏洞	v₆	CVE-2014-8517	0.43
SSH服务器	T₃	LINUX (Ubantu16.04)	登录验证绕过漏洞	v₇	CVE-2018-10933	0.57
Web服务器	T₄	LINUX (Ubantu16.04)	漏洞复现	v₈	CVE-2018-8715	0.39
数据库服务器	T₅	Postgre SQL (postgresql-11)	SQL注入	v₉	CVE-2020-7471	0.52
		Postgre SQL (postgresql-11)	缓冲区溢出	v₁₀	CVE-2014-1669	0.41
交换机W₁	W₁	Open vSwitch2.13	资源管理错误	v₁₁	CVE-2017-14970	0.55
交换机W₂	W₂	Open vSwitch2.13	用户安全漏洞	v₁₂	CVE-2020-27827	0.62
交换机W₃	W₃	Open vSwitch2.13	输入验证漏洞	v₁₃	CVE-2018-17205	0.57
交换机W₄	W₄	Open vSwitch2.13	缓冲区溢出	v₁₄	CVE-2016-2074	0.41
交换机W₅	W₅	Open vSwitch2.13	用户安全漏洞	v₁₅	CVE-2020-35498	0.62
交换机W₆	W₆	Open vSwitch2.13	缓冲区溢出	v₁₆	CVE-2017-9265	0.41
控制器S₁	S₁	NGINX1.21.0	其他	v₁₇	CVE-2021-23019	0.37
控制器S₂	S₂	NGINX1.21.0	安全特征问题	v₁₈	CVE-2021-23020	0.52
控制器S₃	S₃	ONAP SDNC	操作系统命令注入	v₁₉	CVE-2019-12113	0.55

路径编号	入侵路径	入侵设备数
IV₁	<H₁, W₂, W₃, S₃, S₁, W₁, T₅>	7
IV₂	<H₁, W₂, W₃, S₃, W₅, W₁, T₅>	7
IV₃	<H₁, W₂, S₂, S₃, S₁, W₁, T₅>	7
IV₄	<H₁, W₂, S₂, S₁, W₁, T₅>	6
IV₅	<H₁, W₂, S₂, S₃, W₅, W₁, T₅>	7
IV₆	<H₁, W₂, W₄, S₃, W₅, W₁, T₅>	7
IV₇	<H₁, W₂, W₄, S₃, S₁, W₁, T₅>	7