不确定性网络攻击场景下的多状态因果表示与推理模型

doi:10.3969/j.issn.1671-1122.2025.05.010

摘要/Abstract

摘要：

网络安全领域当前面临的挑战之一是对网络攻击的不确定性因素进行系统分析。为应对该挑战，攻击图工具被广泛应用于网络安全领域，旨在描述攻击者行为特征与构建攻击场景。然而，当前的攻击图工具，如属性攻击图、状态攻击图以及贝叶斯攻击图等，并没有全面且综合地考虑网络攻击中存在的不确定性因素，因而无法提供一个统一的网络不确定性因素描述框架。除此之外，当前攻击图中的计算节点风险概率的相关算法时间复杂度较高，难以应用实践。为解决上述问题，文章提出多状态-动态不确定性因果攻击图（M-DUCAG）模型与基于单向因果链的节点风险概率推理（One Side-CCRP）算法，以实现网络不确定性因素的表示与推理。M-DUCAG模型能够表示节点的多个状态，能够结合告警信息更加准确地描述网络攻击过程中的不确定性因素。One Side-CCRP算法通过展开节点上游因果链，有效提高推理的效率与准确性。实验结果表明，M-DUCAG模型在应对参数扰动方面具有鲁棒性，能够有效表示网络攻击过程中的不确定性因素。与变量消除法相比，One Side-CCRP算法在有限数量告警证据下具有更高的推理效率，能够满足现实推理应用需求。

关键词: 动态不确定性因果攻击图, 概率攻击图, 不确定性因素, 漏洞

Abstract:

One of the challenges in the field of cybersecurity is to conduct a systematic analysis of the uncertainties of cyber-attacks. To solve this challenge, attack graphs are widely used in network security, aiming to describe attacker behavior characteristics and construct attack scenarios. However, current attack graph tools, such as attribute attack graphs, state attack graphs, and Bayesian attack graphs, cannot comprehensively consider the uncertainty factors in network attacks and provide a unified framework for describing network uncertainties. In addition, the time complexity of the algorithm related to calculating the risk probability of nodes in the current attack graph is relatively high, which is difficult to apply in practice. To solve the above problems, this paper proposed a multi-state Dynamic Uncertain Causality Attack Graph (M-DUCAG) model and a node risk probabilistic inference algorithm based on one-side causal chains (One Side-CCRP) to represent and inference the uncertainty factors of the network. The M-DUCAG could represent multiple states of nodes and describe the uncertainties in the process of network attacks based on alarm information. The One Side-CCRP algorithm effectively improved the efficiency and accuracy of inference by expanding the upstream causal chains of the node. Experiments show that the M-DUCAG model is robust in dealing with parameter disturbances and can effectively represent the uncertainties in the process of network attacks. Compared with the variable elimination method, the One Side-CCRP algorithm has higher inference efficiency under limited number alarm evidence, which can satisfy the needs of real-world inference applications.

Key words: dynamic uncertain causality attack graph, probability attack graph, uncertainty factors, vulnerability

中图分类号:

TP309

董春玲, 冯宇, 范永开. 不确定性网络攻击场景下的多状态因果表示与推理模型[J]. 信息网络安全, 2025, 25(5): 778-793.

DONG Chunling, FENG Yu, FAN Yongkai. Multi-State Causal Representation and Inference Model in Uncertain Network Attack Scenarios[J]. Netinfo Security, 2025, 25(5): 778-793.

图/表 18

图1

图2

图3

图4

表1

表2

图5

图6

图7

表3

图8

表4

图9

表5

表6

图10

图11

表7

参考文献 29

[1]	PING Guolou, YE Xiaojun. A Survey of Research on Network Attack Model[J]. Journal of Information Security Research, 2020, 6(12): 1058-1067.
	平国楼, 叶晓俊. 网络攻击模型研究综述[J]. 信息安全研究, 2020, 6(12): 1058-1067.
[2]	KONSTA A-M, LAFUENTE A L, SPIGA B, et al. Survey: Automatic Generation of Attack Trees and Attack Graphs[J]. Computer Security, 2024, 137(C): 103660-103672.
[3]	GADYATSKAYA O. How to Generate Security Cameras: Towards Defence Generation for Socio-Technical Systems[C]// Springer. Proceedings of the Graphical Models for Security:Second International Workshop(GraMSec 2015). Heidelberg: Springer, 2016: 50-65.
[4]	IVANOVA M G, PROBST C W, HANSEN R R, et al. Transforming Graphical System Models to Graphical Attack Models[C]// Springer. Proceedings of the Graphical Models for Security:Second International Workshop(GraMSec 2015). Heidelberg: Springer, 2016: 82-96.
[5]	LIU Xuejiao. Research on Network Vulnerability Assessment and Intrusion Alert Analysis Technology[D]. WuHan: HuaZhong Nornal University, 2011.
	刘雪娇. 网络脆弱性评估及入侵报警分析技术研究[D]. 武汉: 华中师范大学, 2011.
[6]	ZHONG Shangqin, XU Guosheng, YAO Wenbin, et al. Network Security Analysis Based on Host-Security-Group[J]. Journal of Beijing University of Posts and Telecommunications, 2012, 35(1): 19-23. doi: 10.13190/jbupt.201201.19.zhongshq
	钟尚勤, 徐国胜, 姚文斌, 等. 基于主机安全组划分的网络安全性分析[J]. 北京邮电大学学报, 2012, 35(1): 19-23. doi: 10.13190/jbupt.201201.19.zhongshq
[7]	ZENITANI K. From Attack Graph Analysis to Attack Function Analysis[J]. Information Sciences, 2023, 650: 119703-119719.
[8]	MOHAMMADZAD M, KARIMPOUR J, MAHAN F. MAGD: Minimal Attack Graph Generation Dynamically in Cyber Security[J]. Computer Networks, 2023, 236: 110004-110019.
[9]	WANG Lingyu, YAO Chao, SINGHAL A, et al. Interactive Analysis of Attack Graphs Using Relational Queries[C]// Data and Applications Security XX. 20th Annual IFIP WG 113 Working Conference on Data and Applications Security. Heidelberg:Springer, 2006: 119-132.
[10]	WANG Shuo, TANG Guangming, KOU Guang, et al. An Attack Graph Generation Method Based on Heuristic Searching Strategy[C]// IEEE. Proceedings of the 2016 2nd IEEE International Conference on Computer and Communications (ICCC). New York: IEEE, 2016: 1180-1185.
[11]	KAYNAR K, SIVRIKAYA F. Distributed Attack Graph Generation[J]. IEEE Transactions on Dependable and Secure Computing, 2015, 13(5): 519-532.
[12]	PU Junyan, LI Yahui, ZHOU Chunjie. Cross-Domain Dynamic Security Risk Analysis Method of Industrial Control System Based on Probabilistic Attack Graph[J]. Netinfo Security, 2023, 23(9): 85-94.
	浦珺妍, 李亚辉, 周纯杰. 基于概率攻击图的工控系统跨域动态安全风险分析方法[J]. 信息网络安全, 2023, 23(9): 85-94.
[13]	POOLSAPPASIT N, DEWRI R, RAY I. Dynamic Security Risk Management Using Bayesian Attack Graphs[J]. IEEE Transactions on Dependable and Secure Computing, 2011, 9(1): 61-74.
[14]	ZHANG Kai, LIU Jingju. Network Attack Path Analysis Method Based on Vulnerability Dynamic Availability[J]. Netinfo Security, 2021, 21(4): 62-72.
	张凯, 刘京菊. 基于漏洞动态可利用性的网络入侵路径分析方法[J]. 信息网络安全, 2021, 21(4): 62-72.
[15]	WANG Yang, WU Jianying, HUANG Jinlei, et al. Network Intrusion Intention Recognition Method Based on Bayesian Attack Graph[J]. Computer Engineering and Applications, 2019, 55(22): 73-79. doi: 10.3778/j.issn.1002-8331.1809-0081
	王洋, 吴建英, 黄金垒, 等. 基于贝叶斯攻击图的网络入侵意图识别方法[J]. 计算机工程与应用, 2019, 55(22): 73-79. doi: 10.3778/j.issn.1002-8331.1809-0081
[16]	WANG Wenjuan, DU Xuehui, SHAN Dibin. Construction Method of Attack Scenario in Cloud Environment Based on Dynamic Probabilistic Attack Graph[J]. Journal on Communications, 2021, 42(1): 1-17. doi: 10.11959/j.issn.1000-436x.2021004
	王文娟, 杜学绘, 单棣斌. 基于动态概率攻击图的云环境攻击场景构建方法[J]. 通信学报, 2021, 42(1): 1-17. doi: 10.11959/j.issn.1000-436x.2021004
[17]	MA Chunguang, WANG Chenghong, ZHANG Donghong, et al. A Dynamic Network Risk Assessment Model Based on Attacker’s Inclination[J]. Journal of Computer Research and Development, 2015, 52(9): 2056-2068.
	马春光, 汪诚弘, 张东红, 等. 一种基于攻击意愿分析的网络风险动态评估模型[J]. 计算机研究与发展, 2015, 52(9): 2056-2068.
[18]	GAO Qingguan, ZHANG Bo, FU Anmin. An Advanced Persistent Threat Detection Method Based on Attack Graph[J]. Netinfo Security, 2023, 23(12): 59-68.
	高庆官, 张博, 付安民. 一种基于攻击图的高级持续威胁检测方法[J]. 信息网络安全, 2023, 23(12): 59-68.
[19]	XIE PENG, LI J H, OU Xinming, et al. Using Bayesian Networks for Cyber Security Analysis[C]// IEEE. Proceedings of the 2010 IEEE/IFIP. International Conference on Dependable Systems & Networks (DSN). New York: IEEE, 2010: 211-220.
[20]	CHEN Xiaojun, SHI Jinqiao, XU Fei, et al. Algorithm of Optimal Security Hardening Measures Against Insider Threat[J]. Journal of Computer Research and Development, 2014, 51(7): 1565-1577.
	陈小军, 时金桥, 徐菲, 等. 面向内部威胁的最优安全策略算法研究[J]. 计算机研究与发展, 2014, 51(7): 1565-1577.
[21]	WANG Hui, CHEN Fuwang, WANG Zhe. Research on Internal Network Attack Graph Based on Strength Coefficient[J]. Application Research of Computers, 2018, 35(2): 515-520.
	王辉, 陈甫旺, 王哲. 基于强度系数的内部网络攻击图研究[J]. 计算机应用研究, 2018, 35(2): 515-520.
[22]	LALLIE H S, DEBATTISTA K, BAL J. A Review of Attack Graph and Attack Tree Visual Syntax in Cyber Security[J]. Computer Science Review, 2020, 35: 100219-100260.
[23]	KEVIN P M. Dynamic Bayesian Networks:Representation, Inference and Learning[D]. Berkeley: University of California, 2002.
[24]	CAI Baoping, LIU Yu, XIE Min. A Dynamic-Bayesian-Network-Based Fault Diagnosis Methodology Considering Transient and Intermittent Faults[J]. IEEE Transactions on Automation Science and Engineering, 2017, 14(1): 276-285.
[25]	ZHANG Qin, DONG Chunling, CUI Yan, et al. Dynamic Uncertain Causality Graph for Knowledge Representation and Probabilistic Reasoning: Statistics Base, Matrix, and Application[J]. IEEE Transactions on Neural Networks & Learning Systems, 2014, 25(4): 645-663.
[26]	DONG Chunling, FENG Yu, SHANG Wenqian. A New Method of Dynamic Network Security Analysis Based on Dynamic Uncertain Causality Graph[J]. Journal of Cloud Computing, 2024, 13(1): 24-41.
[27]	DONG Chunling, ZHANG Qin. The Cubic Dynamic Uncertain Causality Graph: A Methodology for Temporal Process Modeling and Diagnostic Logic Inference[J]. IEEE Transactions on Neural Networks and Learning Systems, 2020, 31(10): 4239-4253.
[28]	DONG Chunling, ZHOU Zhenxu, ZHANG Qin. Cubic Dynamic Uncertain Causality Graph: A New Methodology for Modeling and Reasoning About Complex Faults with Negative Feedbacks[J]. IEEE Transactions on Reliability, 2018, 67(3): 920-932.
[29]	ISAAC M, JOHN M, SADEGH S, et al. Cyclic Bayesian Attack Graphs: A Systematic Computational Approach[C]// IEEE.Security and Privacy in Computing and Communications (TrustCom). New York: IEEE, 2020: 129-136.

指标	等级
AV	L：0.359；A：0.646；N：1.0
AC	H：0.35；M：0.61；L：0.71
Au	M：0.45；S：0.56；N：0.704

网络安全等级	A_S_;_V概率取值
薄弱	1
一般	0.9
严格	0.8

节点	D-CCRP因果链	Pr (X_v)	O-CCRP因果链	Pr (X_v)
S_1,1	—	—	—	—
S_1,2	(A_S1,2;V1,1+A_V3;S1,2·A_S3,1;V+ A_V4;S1,2·A_S4,1;V4)/3	0.73	A_S_1,2;_V_1,1	0.5
V_3,0	(A_S1,2;V1,1·A_V3,0;S1,2+A_S3,1;V3,0)/2	0.5	A_S_1,2;_V_1,1	0.1
V_3,1	(A_S1,2;V1,1·A_V3,1;S1,2+A_S3,1;V3,1)/2	0.65	A_S_1,2;_V_1,1·A_V_3,1;_S_1,2	0.4
V_4,0	(A_S1,2;V1,1·A_V4,0;S1,2+A_S4,1;V4,0)/2	0.6	A_S_1,2;_V_1,1·A_V_4,0;_S_1,2	0.4
V_4,1	(A_S1,2;V1,1·A_V4,1;S1,2+A_S4,1;V4,1)/2	0.45	A_S_1,2;_V_1,1·A_V_4,1;_S_1,2	0.1

ID	描述信息	IP地址	攻击行为节点	漏洞CVE编号	攻击发生概率
S₁	HOST1	192.168.9.35	V₃, V₁₀	CVE-2013-3940	0.86
			V₃, V₁₀	CVE-2012-0002	0.86
			V₁₃	零日漏洞攻击	0.80
S₂	HOST2	192.168.9.36	D₁	Inside Attack	1.00
S₃	SQL Server	192.168.10.72	V₄, V₆, V₇, V₁₂	CVE-2016-7253	0.80
S₄	FTP Server	192.168.10.73	V₈, V₁₁	CVE-2015-4108	0.86
S₄	FTP Server	192.168.10.73	V₈, V₁₁	CVE-2019-10009	0.80
S₅	Workstation	192.168.10.105	V₉	CVE-2019-5541	0.80
S₅	Workstation	192.168.10.105	V₉	CVE-2019-5524	0.80
S₆	Mail Server	192.168.11.15	V₂	CVE-2020-14066	0.80
S₆	Mail Server	192.168.11.15	V₅	零日漏洞攻击	0.80
S₇	Web Server	192.168.11.16	V₁	CVE-2017-12728	0.25

攻击序列	模拟攻击序列	攻击候选序列及其概率
1	B₁→V₁→S₇→ V₃→S₁→V₇→S₃	B₁(BX₁)→V_1,0→S_7,2→V_3,1→S_1,2→V_7,0→ S_3,2(0.2983) B₁(BX₁)→V_1,0→S_7,2→V_4,0→S_3,2(0.2983) BX₁→V_2,0→S_6,2→V_6,0→S_3,2(0.3055)
2	D₁→S₂→V₁₃→ S₁→V₈→S₄	D₁→S_2,2→V_13,0→S_1,2→V₈→S_4,2(0.4590) D₁→S_2,2→V_13,0→S_1,2→V_9,1→S_5,2→V₁₁→ S_4,2(0.1500) D₁→S_2,2→V_10,1→S_1,2→V₈→S_4,2(0.2870)
3	1）B₂→V₅→ S₆→V₆→S₃ 2）D₁→S₂→V₁₀→ S₁→V₈→S₄	B₂(BX₁)→V_2,0→S_6,2→V_6,0→S_3,2(0.3732) B₂(BX₁)→V_5,0→S_6,2→V_6,0→S_3,2(0.3732) D₁→S_2,2→V_10,1→S_1,2→V_8,0→S_4,2(0.3420) D₁→S_2,2→V_10,1→S_1,2→V_8,1→S_4,2(0.3690)