Netinfo Security (信息网络安全) ›› 2021, Vol. 21 ›› Issue (4): 62-72. doi: 10.3969/j.issn.1671-1122.2021.04.007

• Technical Research •

Network Attack Path Analysis Method Based on Vulnerability Dynamic Availability

ZHANG Kai 1,2,3, LIU Jingju 1,3 (corresponding author)

  1. College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China
  2. Jiuquan Satellite Launch Center, Jiuquan 732750, China
  3. Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China
  • Received: 2020-08-11 Online: 2021-04-10 Published: 2021-05-14
  • Contact: LIU Jingju E-mail: jingjul@aliyun.com
  • About the authors: ZHANG Kai (born 1992), male, from Anhui, master's student; research interest: cyberspace security situation awareness. LIU Jingju (born 1974), female, from Hubei, professor, Ph.D.; research interests: cyberspace security situation awareness and security detection.
  • Funding: National Key R&D Program of China (2017YFB0802905)

Abstract:

Existing network attack path analysis methods do not account for the dynamic characteristics of vulnerabilities, and when describing the state transitions caused by vulnerability exploitation they ignore the case in which an exploit attempt fails. By modeling how vulnerability availability changes over time, this paper proposes an absorbing Markov chain model with an improved method for computing state transition probabilities. The method reflects real network attack and defense conditions, explicitly accounts for failed exploitation attempts, and computes the state transition probabilities accordingly. First, an attack graph is generated for the target network, and an absorbing Markov chain is constructed on the basis of the computed dynamic vulnerability availability probabilities. Then, using the properties of the state transition probability matrix, the node threat ranking, the expected attack path length and the path success probability are computed and analyzed along the time dimension. Experimental results show that the proposed method ranks node threats more accurately than existing methods, and that its computed expected attack path length and path success probability are more consistent with real network attack and defense conditions.
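As an added illustration of the pipeline the abstract describes (attack graph, absorbing Markov chain, node threat ranking, expected path length, path success probability), the following Python example is not the paper's code: the sample attack graph, the exponential decay used for dynamic availability, and the rule that a failed exploit attempt moves the chain into an absorbing "fail" state are constructed assumptions, not the authors' formulas.

```python
import math

# Constructed attack graph (not the paper's): (src, dst, base exploit prob, decay/day)
EDGES = [("start", "web", 0.9, 0.05),    # foothold -> web server
         ("start", "goal", 0.3, 0.20),   # foothold -> database directly
         ("web", "goal", 0.8, 0.10)]     # web server -> database
TRANSIENT = ["start", "web"]   # attacker can still move on from these
ABSORBING = ["goal", "fail"]   # goal reached / attempt failed: chain stops

def availability(p0, lam, t):
    return p0 * math.exp(-lam * t)  # assumed decay model for dynamic exploitability

def transition_matrix(t):
    """Rows of P(t) for transient states over columns TRANSIENT + ABSORBING.
    Assumed rule: each outgoing exploit is tried with equal chance; a failed attempt
    moves the chain to 'fail', so the failure case is kept and rows still sum to 1."""
    cols = TRANSIENT + ABSORBING
    P = [[0.0] * len(cols) for _ in TRANSIENT]
    for i, s in enumerate(TRANSIENT):
        out = [e for e in EDGES if e[0] == s]
        for _, tgt, p0, lam in out:
            p = availability(p0, lam, t) / len(out)
            P[i][cols.index(tgt)] += p
            P[i][cols.index("fail")] += 1.0 / len(out) - p
    return P

def invert(M):
    """Gauss-Jordan inverse with partial pivoting for a small dense matrix."""
    n = len(M)
    A = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[piv] = A[piv], A[c]
        A[c] = [x / A[c][c] for x in A[c]]
        for r in range(n):
            if r != c:
                A[r] = [x - A[r][c] * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def analyze(t):
    """Threat ranking, expected path length and success probability at time t."""
    k = len(TRANSIENT)
    P = transition_matrix(t)
    Q = [row[:k] for row in P]           # transient -> transient block
    R = [row[k:] for row in P]           # transient -> absorbing block
    N = invert([[float(i == j) - Q[i][j] for j in range(k)] for i in range(k)])
    visits = N[TRANSIENT.index("start")]  # expected visits from the foothold
    ranking = sorted(zip(TRANSIENT, visits), key=lambda kv: -kv[1])
    expected_length = sum(visits)          # E[steps before absorption]
    success = sum(v * R[j][ABSORBING.index("goal")] for j, v in enumerate(visits))
    return ranking, expected_length, success
```

Calling `analyze(0)`, `analyze(10)` and `analyze(30)` shows the success probability and node visit counts falling as the assumed availability decays, which is the time-dimension view the abstract refers to.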

Key words: absorbing Markov chain, attack path analysis, node threat ranking, expected length of attack path, path success probability