基于动态概率攻击图的云环境攻击场景构建方法

doi:10.11959/j.issn.1000-436x.2021004

Abstract

Abstract:

Aiming at the problem of complex multi-step attack detection, the method of attack scenario construction oriented to cloud computing environment was studied.Firstly, a dynamic probabilistic attack graph model was constructed, and a probabilistic attack graph updating algorithm was designed to make it update periodically with the passage of time and space, so as to adapt to the elastic and dynamic cloud computing environment.Secondly, an attack intention inference algorithm and a maximum probability attack path inference algorithm were designed to solve the uncertain problems such as error and fracture of attack scenarios caused by false positive or false negative, and ensure the accuracy of attack scenario.Meanwhile, the attack scenario was dynamically evolved along with the dynamic probability attack graph to ensure the completeness and freshness of the attack scenario.Experimental results show that the proposed method can adapt to the elastic and dynamic cloud environment, restore the penetration process of attacker’s and reconstruct high-level attack scenario, and so provide certain references for building supervised and accountable cloud environment.

Key words: cloud computing, attack scenario, dynamic probabilistic attack graph, attack intention, maximum probability attack path

CLC Number:

TP309.5

Wenjuan WANG, Xuehui DU, Dibin SHAN. Construction method of attack scenario in cloud environment based on dynamic probabilistic attack graph[J]. Journal on Communications, 2021, 42(1): 1-17.

Figures/Tables 17

References 18

[1]	PETER M M , TIMOTHY G . SP 800-145.The NIST definition of cloud computing[M]. National Institute of Standards ＆ Technology, 2011.
[2]	PENG N , YUN C , REEVES D S ,et al. Constructing attack scenarios through correlation of intrusion alerts[C]// ACM Symposium on Computer and Communications Security. New York:ACM Press, 2002: 245-254.
[3]	WANG L , GHORBANI A , LI Y ,et al. Automatic multi-step attack pattern discovering[J]. International Journal of Network Security, 2010,10(2): 142-152.
[4]	梅海彬, 龚俭, 张明华 ,等. 基于警报序列聚类的多步攻击模式发现研究[J]. 通信学报, 2011,32(5): 63-69.
	MEI H B , GONG J , ZHANG M H ,et al. Research on discovering multi-step attack patterns based on clustering IDS alert sequences[J]. Journal on Communications, 2011,32(5): 63-69.
[5]	葛琳, 季新生, 江涛 ,等. 基于关联规则的网络信息内容安全事件发现及其 Map-Reduce 实现[J]. 电子与信息学报, 2014,36(8): 1831-1837.
	GE L , JI X S , JIANG T ,et al. Association rules and its implementation in Map-Reduce[J]. Journal of Electronics ＆ Information Technology, 2014,36(8): 1831-1837.
[6]	鲁显光, 杜学绘, 王文娟 ,等. 基于改进FP growth的告警关联算法[J]. 计算机科学, 2019,46(8): 64-70.
	LU X G , DU X H , WANG W J ,et al. Alert correlation algorithm based on improved FP growth[J]. Computer Science, 2019,46(8): 64-70.
[7]	WANG S , TANG G , KOU G ,et al. An attack graph generation method based on heuristic searching strategy[C]// IEEE International Conference on Computer and Communications. Piscataway:IEEE Press, 2016: 1180-1185.
[8]	KAYNAR K , SIVRIKAYA F . Distributed attack graph generation[J]. IEEE Transactions on Dependable and Secure Computing, 2016,13(5): 519-532.
[9]	吕慧颖, 彭武, 王瑞梅 ,等. 基于时空关联分析的网络实时威胁识别与评估[J]. 计算机研究与发展, 2014,51(5): 1039-1049.
	LYU H Y , PENG W , WANG R M ,et al. A real-time network threat recognition and assessment method based on association analysis of time and space[J]. Journal of Computer Research and Development, 2014,51(5): 1039-1049.
[10]	刘威歆, 郑康锋, 武斌 ,等. 基于攻击图的多源告警关联分析方法[J]. 通信学报, 2015,36(9): 135-144.
	LIU W X , ZENG K F , WU B ,et al. Alert processing based on attack graph and multi-source analyzing[J]. Journal on Communications, 2015,36(9): 135-144.
[11]	陈小军, 方滨兴, 谭庆丰 ,等. 基于概率攻击图的内部攻击意图推断算法研究[J]. 计算机学报, 2014,37(1): 62-72.
	CHEN X J , FANG B X , TAN Q F ,et al. Inferring attack intent of malicious insider based on probabilistic attack graph[J]. Journal of Computers, 2014,37(1): 62-72.
[12]	王硕, 汤光明, 王建华 ,等. 基于因果知识网络的攻击场景构建方法[J]. 计算机研究与发展, 2018,55(12): 2620-2636.
	WANG S , TANG G M , WANG J H ,et al. Attack scenario construction method based on causal knowledge net[J]. Journal of Computer Research and Development, 2018,55(12): 2620-2636.
[13]	许嘉, 张千桢, 赵翔 ,等. 动态图模式匹配技术综述[J]. 软件学报, 2018,29(3): 663-688.
	XU J , ZHANG Q Z , ZHAO X ,et al. Survey on dynamic graph pattern matching technologies[J]. Journal of Software, 2018,29(3): 663-688.
[14]	OU X , GOVINDAVAJHALA S , APPEL A W ,et al. MulVAL:a logic-based network security analyzer[C]// 14th USENIX Security. Berkeley:USENIX Association, 2005: 1-16.
[15]	JAJODIA S , NOEL S . Topological vulnerability analysis:a powerful new approach for network attack prevention,detection,and response[J]. Algorithms,Architectures and Information Systems Security, 2005: 285-305.
[16]	LIPPMANN R , INGOLS K , SCOTT C ,et al. Validating and restoring defense in depth using attack graphs[C]// Milcom 2006 Military Communications Conference.[S.n.:s.l.], 2006: 1-10.
[17]	SCARFONE K , MELL P . An analysis of CVSS version 2 vulnerability scoring[C]// International Symposium on Empirical Software Engineering ＆ Measurement. Piscataway:IEEE Press, 2009.
[18]	冯学伟, 王东霞, 黄敏桓 ,等. 一种基于马尔可夫性质的因果知识挖掘方法[J]. 计算机研究与发展, 2014,51(11): 2493-2504.
	FENG X W , WANG D X , HUANG M H ,et al. A mining approach for causal knowledge in alert correlating based on the Markov property[J]. Journal of Computer Research and Development, 2014,51(11): 2493-2504.

Metrics

Recommended 0

No Suggested Reading articles found!

方法	优点	缺点
基于相似度的方法	计算开销小，依赖专家知识少	需定义阈值，只能发现统计上的关联
基于数据挖掘的方法	能够发现未知攻击	准确度较低、实用性较弱
基于属性攻击图的方法	直观展示攻击步骤间因果关系	没有考虑攻击步骤间的不确定关系，静态攻击图
基于概率攻击图的方法	攻击图和不确定性相结合，定性与定量分析，准确度较高	静态攻击图

指标		等级评分（频率）	Δ_s
漏洞利用难度	AV	本地L：0.359；邻近A：0.646；远程N：1.0	2AV × AC× Au
	AC	高H：0.35；中M：0.61；低L：0.71
	Au	多次M：0.45；单次S：0.56；不需要N：0.704
		近一周<5次	0.1
发生次数		近一周<20次	0.5
		近一周>20次	0.8

攻击类型		Δ_a
漏洞利用		1.0
	容易	0.9
其他	一般	0.5
	难	0.1

软硬件	版本
CPU	2颗 Intel E5-2620v3 (2.4 GHz/6c) 8GT/15ML3
内存、硬盘	96 GB、900 GB
虚拟化系统	Xen 4.6.0, Ubuntu 16.04

主机	版本	漏洞	描述	AV/AC/Au
WS	Apache 2.0	CVE-2006-3747	execute code, dos	N/H/N
WS	IE 9	CVE-2019-1367	overflow, execute code	N/H/N
FS	NFS 1.0	CVE-2004-0946	execute code, overflow	N/L/N
VM₁	Win7 SP1	CVE-2017-0146	execute code	N/M/N
PM₃	Hadoop 2.6	CVE-2016-3086	obtain information	N/L/N
PM₄	Spark 2.1	CVE-2018-8024	obtain infotmation	N/M/S
VMM	Xen 4.6	CVE-2017-2620	dos, gain privileges	L/M/N

Construction method of attack scenario in cloud environment based on dynamic probabilistic attack graph

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 17

References 18

Related Articles 15

Metrics

Recommended 0

有向边	权值	有向边	权值	有向边	权值	有向边	权值
(s₀, a₁)	0.49	(s₃, a₄)	0.86	(s₀, a₇)	1.0	(s₇, a₁₀)	0.68
(a₁, s₁)	1.0	(a₄, s₄)	1.0	(a₇, s₃)	1.0	(a₁₀, s₈)	1.0
(s₁, a₂)	0.5	(s₄, a₅)	1.0	(s₃, a₈)	0.5	(s₁, a₁₁)	0.49
(a₂, s₂)	0.9	(a₅, s₅)	1.0	(a₈, s₆)	0.9	(a₁₁, s₇)	1.0
(s₂, a₃)	0.5	(s₁, a₆)	0.49	(s₆, a₉)	0.5	(s₈, a₁₂)	0.34
(a₃, s₃)	0.9	(a₆, s₄)	1.0	(a₉, s₇)	0.9	(a₁₂, s₉)	1.0

时刻	更新操作	编号	观察事件序列	攻击意图g_MAP	最大概率攻击路径h_MAP
t₀	—	O₀	{null}	s₅	{s₀, a₇, s₃, a₄, s₄, a₅, s₅}
t₁	?	O₁	{o₁:0.81, o₂:0.6, o₃:0.38}	s₅	{s₀, a₁, s₁, a₂, s₂, a₃, s₃, a₄, s₄, a₅, s₅}
t₂	{D, a₅, s₅}	O₂	{ o₁₁:0.59, o₁₀:0.62}	s₈	{s₀, a₁, s₁, a₁₁, s₇, a₁₀, s₈}
t₃	{I, a₁₂, s₉}	O₃	{ o₁₂:0.54}	s₉	{s₀, a₁, s₁, a₁₁, s₇, a₁₂, s₉}

方法	攻击意图推断	攻击路径推断	误报漏报处理	有效报警识别	动态演化
文献[10]方法	√	√	√	—	—
文献[12]方法	√	√	—	√	—
文献[13]方法	√	√	√	—	—
本文方法	√	√	√	√	√

[1]	Ling MA, Qiliang FAN, Ting XU, Guanchen GUO, Shenglin ZHANG, Yongqian SUN, Yuzhi ZHANG. Scheduling framework based on reinforcement learning in online-offline colocated cloud environment [J]. Journal on Communications, 2023, 44(6): 90-102.
[2]	Huaqun WANG, Zhe LIU, Debiao HE, Jiguo LI. Identity-based provable data possession scheme for multi-source IoT terminal data in public cloud [J]. Journal on Communications, 2021, 42(7): 52-60.
[3]	Jianhong ZHANG, Menglong WU, Jing WANG, Pei LIU, Zhengtao JIANG, Changgen PENG. Secure and verifiable multi-keyword searchable encryption scheme in cloud [J]. Journal on Communications, 2021, 42(4): 139-149.
[4]	Ruiqi LI, Chunfu JIA, Yafei WANG. Multi-key homomorphic proxy re-encryption scheme based on NTRU and its application [J]. Journal on Communications, 2021, 42(3): 11-22.
[5]	Jiawei ZHANG, Jianfeng MA, Zhuo MA, Teng LI. Time-based and privacy protection revocable and traceable data sharing scheme in cloud computing [J]. Journal on Communications, 2021, 42(10): 81-94.
[6]	Youliang TIAN,Qin LUO. Verifiable multi-keyword search scheme based on improved Merkle-Tree authentication method [J]. Journal on Communications, 2020, 41(9): 118-129.
[7]	Na WANG,Kun ZHENG,Junsong FU,Jian LI. Method of ciphertext retrieval in mobile edge computing based on block segmentation [J]. Journal on Communications, 2020, 41(7): 95-102.
[8]	Lindong ZHAO,Wenqin ZHUANG,Jianxin CHEN,Liang ZHOU. Hierarchical task offloading in heterogeneous cellular network:modeling and optimization [J]. Journal on Communications, 2020, 41(4): 34-44.
[9]	Bing LIANG,Wen JI. Multiuser computation offloading for edge-cloud collaboration using submodular optimization [J]. Journal on Communications, 2020, 41(10): 25-36.
[10]	SU Mingfeng,WANG Guojun,LI Renfa. Multidimensional QoS cloud computing resource scheduling method based on stakeholder perspective [J]. Journal on Communications, 2019, 40(6): 102-115.
[11]	CHEN Xingshu,HUA Qiang,WANG Yitong,GE Long,ZHU Yi. Research on low-rate DDoS attack of SDN network in cloud environment [J]. Journal on Communications, 2019, 40(6): 210-222.
[12]	Wanliang WANG, Zelin ZANG, Guoqi CHEN, Hangyao TU, Yule WANG, Linyan LU. Research on optimal two element exchange algorithm for large scale cloud computing server scheduling problem [J]. Journal on Communications, 2019, 40(5): 180-191.
[13]	Tian WANG,Xuewei SHEN,Hao LUO,Baisheng CHEN,Guojun WANG,Weijia JIA. Research progress of trusted sensor-cloud based on fog computing [J]. Journal on Communications, 2019, 40(3): 170-181.
[14]	Xinfeng HE,Junfeng TIAN,Fanming LIU. Survey on trusted cloud platform technology [J]. Journal on Communications, 2019, 40(2): 154-163.
[15]	Zhiqiang ZHU,Renhao LIN,Cuiyun HU. Openstack authentication protocol based on digital certificate [J]. Journal on Communications, 2019, 40(2): 188-196.