基于有限理性的网络防御策略智能规划方法

doi:10.11959/j.issn.1000-436x.2023091

摘要/Abstract

摘要：

考虑到网络防御主体通常具有资源受限等特点，基于智能化攻防对抗的理念研究了有限理性条件下的网络防御策略智能规划与自主实施。首先，融合攻击图、通用与领域专有知识构建网络防御安全本体；在此基础上，利用知识推理推荐安全防御策略，以更好地适应受保护网络信息资产的安全需求及当前所面临的攻击威胁；最后，结合有限理性的智能规划方法，实现网络安全防御资源受限、网络信息资产动态变化等约束条件下的防御策略自主规划与实施。实例表明，动态攻击下所提方法具有稳健性。将所提方法与现有基于博弈论及攻击图方法进行对比，实验结果表明在对抗一次典型的APT攻击时所提方法的防御有效性提高了5.6%～26.12%。

关键词: 网络防御, 防御策略推荐, 智能规划, 有限理性, 安全本体

Abstract:

Considering that network defense subjects were usually resource-constrained, an intelligent planning and au-tonomous implementation of network defense strategies under bounded rationality was studied considering the concept of intelligent confrontation.First, attack graph, general knowledge and domain-specific knowledge were fused to construct a network defense security ontology.On that basis, knowledge reasoning was utilized to recommend security defense strategies to better adapt to the security needs of protected network information assets and current attack threats.Finally, an autonomous planning and implementation of defense strategies was achieved under the constraints of limited network security defense resources and dynamic changes of network information assets with the help of bounded rationality.The example shows that the proposed method is robust under dynamic attacks.The experiments show that the defense effec-tiveness is improved by 5.6%～26.12% compared with existing game theory and attack graph-based methods against a typical APT attack.

Key words: cyber defense, defense strategy recommendation, intelligent planning, bounded rationality, security ontology

中图分类号:

TN92

刘盈泽, 郭渊博, 方晨, 李勇飞, 陈庆礼. 基于有限理性的网络防御策略智能规划方法[J]. 通信学报, 2023, 44(5): 52-63.

Yingze LIU, Yuanbo GUO, Chen FANG, Yongfei LI, Qingli CHEN. Intelligent planning method for cyber defense strategies based on bounded rationality[J]. Journal on Communications, 2023, 44(5): 52-63.

图/表 15

图1

图2

表1

表2

图3

图4

图6

图5

表3

表4

图7

图8

图9

表5

表6

参考文献 34

[1]	YUAN X Y , HE P , ZHU Q L ,et al. Adversarial examples:attacks and defenses for deep learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2019,30(9): 2805-2824.
[2]	LAKHDHAR Y , REKHIS S . Active,reactive and proactive visibility-based cyber defense for defending against attacks on critical systems[C]// Proceedings of International Wireless Communications and Mobile Computing. Piscataway:IEEE Press, 2020: 439-444.
[3]	JIANG F , FU Y S , GUPTA B B ,et al. Deep learning based multi-channel intelligent attack detection for data security[J]. IEEE Transactions on Sustainable Computing, 2020,5(2): 204-212.
[4]	SYED Z , PADIA A , MATHEWS M L ,et al. UCO:a unified cybersecurity ontology[C]// AAAI Workshop:Artificial Intelligence for Cyber Security. Palo Alto:AAAI Press, 2016: 195-202.
[5]	ZHANG K , LIU J J . Ontology construction for security analysis of network nodes[C]// Proceedings of International Conference on Communications,Information System and Computer Engineering. Piscataway:IEEE Press, 2020: 292-297.
[6]	PUJARA J , MIAO H , GETOOR L ,et al. Ontology-aware partitioning for knowledge graph identification[C]// Proceedings of the 2013 workshop on Automated knowledge base construction. New York:ACM Press, 2013: 19-24.
[7]	BEITOLLAHI H , DECONINCK G . Analyzing well-known countermeasures against distributed denial of service attacks[J]. Computer Communications, 2012,35(11): 1312-1332.
[8]	THERON P , KOTT A . When autonomous intelligent goodware will fight autonomous intelligent malware:a possible future of cyber defense[C]// Proceedings of IEEE Military Communications Conference. Piscataway:IEEE Press, 2020: 1-7.
[9]	ZHOU Z , KUANG X H , SUN L M ,et al. Endogenous security defense against deductive attack:when artificial intelligence meets active defense for online service[J]. IEEE Communications Magazine, 2020,58(6): 58-64.
[10]	BASALLO Y A , SENTI V E , SANCHEZ N M . Artificial intelligence techniques for information security risk assessment[J]. IEEE Latin America Transactions, 2018,16(3): 897-901.
[11]	CHEN J , ZHU Q . Interdependent strategic security risk management with bounded rationality in the internet of things[J]. IEEE Transactions on Information Forensics and Security, 2019,14(11): 2958-2971.
[12]	LI X H , ZHU M Y , YANG L T ,et al. Sustainable ensemble learning driving intrusion detection model[J]. IEEE Transactions on Dependable and Secure Computing, 2021,18(4): 1591-1604.
[13]	雷程, 马多贺, 张红旗 ,等. 基于网络攻击面自适应转换的移动目标防御技术[J]. 计算机学报, 2018,41(5): 1109-1131.
	LEI C , MA D H , ZHANG H Q ,et al. Moving target defense technique based on network attack surface self-adaptive mutation[J]. Chinese Journal of Computers, 2018,41(5): 1109-1131.
[14]	张红霞, 王琪, 王登岳 ,等. 基于深度学习的区块链蜜罐陷阱合约检测[J]. 通信学报, 2022,43(1): 194-202.
	ZHANG H X , WANG Q , WANG D Y ,et al. Honeypot contract detection of blockchain based on deep learning[J]. Journal on Communications, 2022,43(1): 194-202.
[15]	KIM H , BEN-OTHMAN J . Toward integrated virtual emotion system with AI applicability for secure CPS-enabled smart cities:AI-based research challenges and security issues[J]. IEEE Network, 2020,34(3): 30-36.
[16]	VAST R , SAWANT S , THORBOLE A ,et al. Artificial intelligence based security orchestration,automation and response system[C]// Proceedings of 2021 6th International Conference for Convergence in Technology. Piscataway:IEEE Press, 2021: 1-5.
[17]	YAN B J , YAO P C , WANG J M ,et al. Game theoretical dynamic cybersecurity defense strategy for electrical cyber physical systems[C]// Proceedings of 2021 IEEE 5th Conference on Energy Internet and Energy System Integration. Piscataway:IEEE Press, 2022: 2392-2397.
[18]	JIANG Y , CEDER A A . Incorporating personalization and bounded rationality into stochastic transit assignment model[J]. Transportation Research Part C:Emerging Technologies, 2021,127: 1-26.
[19]	ZHENG H J , WANG Y C , HAN C ,et al. Learning and applying ontology for machine learning in cyber attack detection[C]// Proceedings of 17th IEEE International Conference on Trust,Security and Privacy in Computing and Communications/ 12th IEEE International Conference on Big Data Science and Engineering. Piscataway:IEEE Press, 2018: 1309-1315.
[20]	WOTAWA F , BOZIC J , LI Y H . Ontology-based testing:an emerging paradigm for modeling and testing systems and software[C]// Proceedings of 2020 IEEE International Conference on Software Testing,Verification and Validation Workshops. Piscataway:IEEE Press, 2020: 14-17.
[21]	KIM M , DEY S , LEE S W . Ontology-driven security requirements recommendation for APT attack[C]// Proceedings of 2019 IEEE 27th International Requirements Engineering Conference Workshops. Piscataway:IEEE Press, 2019: 150-156.
[22]	KIM B J , LEE S W . Understanding and recommending security requirements from problem domain ontology:a cognitive three-layered approach[J]. Journal of Systems and Software, 2020,169:110695.
[23]	MOHAMMADI S , MIRVAZIRI H , GHAZIZADEH-AHSAEE M , ,et al. Cyber intrusion detection by combined feature selection algorithm[J]. Journal of Information Security and Applications, 2019,44: 80-88.
[24]	AZWAR H , MURTAZ M , SIDDIQUE M ,et al. Intrusion detection in secure network for cybersecurity systems using machine learning and data mining[C]// Proceedings of IEEE 5th International Conference on Engineering Technologies and Applied Sciences. Piscataway:IEEE Press, 2019: 1-9.
[25]	INJADAT M , MOUBAYED A , NASSIF A B ,et al. Multi-stage optimized machine learning framework for network intrusion detection[J]. IEEE Transactions on Network and Service Management, 2021,18(2): 1803-1816.
[26]	GAJDEROWICZ B . Artificial intelligence planning techniques for emulating agents with application in social services[D]. Toronto:University of Toronto, 2019.
[27]	HARRISON L , SPAHN R , IANNACONE M ,et al. NV:Nessus vulnerability visualization for the Web[C]// Proceedings of the Ninth International Symposium on Visualization for Cyber Security. New York:ACM Press, 2012: 25-32.
[28]	ALFORD R , LAWRENCE D , KOUREMETIS M . CALDERA:a red-blue cyber operations automation platform[C]// Proceedings of the 32nd International Conference on Automated Planning and Scheduling. Palo Alto:AAAI Press, 2022: 375-376.
[29]	STROM B E , APPLEBAUM A , MILLER D P ,et al. MITRE ATT＆CK:design and philosophy[R]. 2018.
[30]	PANFILI M , GIUSEPPI A , FIASCHETTI A ,et al. A game-theoretical approach to cyber-security of critical infrastructures based on multi-agent reinforcement learning[C]// Proceedings of 26th Mediterranean Conference on Control and Automation. Piscataway:IEEE Press, 2018: 460-465.
[31]	ASVIJA B , ESWARI R , BIJOY M B . Bayesian attack graphs for platform virtualized infrastructures in clouds[J]. Journal of Information Security and Applications, 2020,51:102455.
[32]	杨宏宇, 袁海航, 张良 . 基于攻击图的主机安全评估方法[J]. 通信学报, 2022,43(2): 89-99.
	YANG H Y , YUAN H H , ZHANG L . Host security assessment method based on attack graph[J]. Journal on Communications, 2022,43(2): 89-99.
[33]	SANDOVAL J E , HASSELL S P . Measurement,identification and calculation of cyber defense metrics[C]// Proceedings of 2010 Military Communications Conference. Piscataway:IEEE Press, 2011: 2174-2179.
[34]	ZHENG L , PERL Y , ELHANAN G ,et al. Summarizing an ontology:a big knowledge coverage approach[J]. Studies in Health Technology and Informatics, 2017,245: 978-982.

安全属性	恶意目标	防御策略类型			资产所需安全手段
安全属性	恶意目标	预防(P)	监测(D)	恢复(R)	资产所需安全手段
Co	E	C	N	N	P
In	M	C	C	C	PDR
Av	Dt	N	C	C	DR
Au	F	N	C	N	D

术语	说明
BR-A(T)	对攻击的反应时间T有限，它限制了规划生成和实施期间用于构造和评估搜索树的搜索空间中状态的数量
BR-A(C)	规划生成和实施过程中对攻防双方的认知有限，它限制了代理的搜索树深度
BR-A(I)	在规划生成和实施期间，自身防御资源有限
S-BR	代理在其认知范围内了解的资产状态
G-BR	代理希望为真的一组目标命题
CM-BR	代理在规划生成期间，使用有限内存知道的防御策略
P^x	STRIPS-BR规划器为代理制定的规划方案，即一系列待执行防御策略序列
	时间步t=i和t=j之间的部分规划，是P^x的子序列
O^x	P ^x执行的结果
rank(s_i)	实际执行的防御策略顺序
	规划方案P^x顺序执行的第k个防御策略
	分配给P^x的第k个防御策略的权重值
	P ^x中从开始到第k个防御策略的累计规划效用

所在位置	漏洞ID	FIM	VA	SLD
主机1	CVE-2017-0143	0.2	0.5	0.6
主机2	CVE-2017-0267	0.3	0.6	0.8
主机3	CVE-2021-1074	0.2	0.5	0.6

漏洞ID	CVSS评分	FIM	VA	SLD
CVE-2017-0143	8.1	1.62	4.05	4.86
CVE-2017-0267	5.9	1.77	3.54	4.72
CVE-2021-1074	7.3	1.46	3.65	4.38

方法	网络安全防御资源的有限性	防御策略选择基准		时效性		防御有效性
方法	网络安全防御资源的有限性	CVSS/攻击概率	攻击特性	预先分析	实时更新	防御有效性
文献[30]方法	√	×	√	√	×	38.70
文献[31]方法	×	√	×	√	×	43.51
文献[32]方法	×	√	×	√	×	49.43
本文方法	√	√	√	√	√	52.38