Research of Vulnerability Assessment and Risk Probability Base on General Attack Tree

doi:10.3969/j.issn.1671-1122.2022.10.006

Abstract

Abstract:

The proposed general network attack tree model takes each branch node as a unit to perform hierarchical analysis on network security vulnerability and calculate the risk probability. The identification information of vulnerability assessment and elements of each attack node are discussed with a proposed attack tree model. A novel calculation method for the analysis of risk probability is introduced. Combined with a practical case, the vulnerability assessment and risk probability of this model in network attack events are illustrated and analyzed.

Key words: attack tree, vulnerability assessment, risk assessment, risk probability

CLC Number:

TP309

HUANG Bo, QIN Yuhai, LIU Yang, JI Duo. Research of Vulnerability Assessment and Risk Probability Base on General Attack Tree[J]. Netinfo Security, 2022, 22(10): 39-44.

Figures/Tables 4

References 16

[1]	WANG Guoliang, LU Zhiyong. Information Network Security Testing and Evaluation[M]. Beijing: National Defense Industry Press, 2015.
	王国良, 鲁智勇. 信息网络安全测试与评估[M]. 北京: 国防工业出版社, 2015.
[2]	WANG Saie, LIU Caixia, LIU Shuxin, et al. A Method of 4G Network Security Risk Assessment Based on Attack Tree[J]. Computer Engineering, 2021, 47(3): 139-146, 154.
	王赛娥, 刘彩霞, 刘树新, 等. 一种基于攻击树的4G网络安全风险评估方法[J]. 计算机工程, 2021, 47(3):139-146,154.
[3]	ZHAO Qing, LIU Zhaohui, CHEN Zhi. Information Security Vulnerability Analysis of DCS System in Nuclear Power Plant Based on Attack Tree[J]. Journal of University of South China(Science and Technology), 2018, 32(3): 54-59.
	赵庆, 刘朝晖, 陈智. 基于攻击树的核电厂DCS系统信息安全脆弱性分析[J]. 南华大学学报:自然科学版, 2018, 32(3):54-59.
[4]	REN Qiujie, PAN Gang, BAI Yongqiang, et al. Security Risk Assessment of information System based on FAHP and Attack Tree[J]. Computer Technology and Its Applications, 2018, 44(8): 113-117.
	任秋洁, 潘刚, 白永强, 等. 基于FAHP和攻击树的信息系统安全风险评估[J]. 电子技术应用, 2018, 44(8):113-117.
[5]	SUN Zhuo, LIU Dong, XIAO Anhong, et al. Information Security Analysis of Digital Control System Based on Attack Tree Model[J]. Journal of Shanghai Jiao Tong University, 2019, 53(S1): 68-73.
	孙卓, 刘东, 肖安洪, 等. 基于攻击树模型的数字化控制系统信息安全分析[J]. 上海交通大学学报, 2019, 53(S1):68-73.
[6]	LALLIE H S, DEBATTISTA K, BAL J. A Review of Attack Graph and Attack Tree Visual Syntax in Cyber Security[J]. Computer Science Review, 2020, 35: 1-46.
[7]	WANG Zuoguang, WEI Qiang, LIU Wenwen. Quantitative Risk Assessment of Industrial Control Systems Based on Attack-Tree and CVSS[J]. Application Research of Computers, 2016, 33(12): 3785-3790.
	王作广, 魏强, 刘雯雯. 基于攻击树与CVSS的工业控制系统风险量化评估[J]. 计算机应用研究, 2016, 33(12):3785-3790.
[8]	BARDHAN S. A Multi-Objective Approach for Security Hardening and Probabilistic Vulnerability Assessment on Attack Graphs[C]// IEEE. 2022 IEEE 46th Annual Computers, Software, and Applications Conference(COMPSAC). New York: IEEE, 2022: 726-735.
[9]	KIM H, LEE J, LEE E, et al. Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane[C]// IEEE. 2019 IEEE Symposium on Security and Privacy(SP). New York: IEEE, 2019: 1153-1168.
[10]	LYU Zongping, QI Wei, GU Zhaojun. Attack Tree Model Based on Fuzzy Analytical Hierarchy Process[J]. Computer Engineering and Design, 2018, 39(6): 1501-1505, 1515.
	吕宗平, 戚威, 顾兆军. 基于模糊层次分析法的攻击树模型[J]. 计算机工程与设计, 2018, 39(6):1501-1505,1515.
[11]	ZANG Tianlei, GAO Shibin, HUANG Tao, et al. Complex Network-Based Transmission Network Vulnerability Assessment Using Adjacent Graphs[J]. IEEE Systems Journal, 2020, 14(1): 572-581.
[12]	BOUDERMINE A, KHATOUN R, CHOYER J. Attack Graph-Based Solution for Vulnerabilities Impact Assessment in Dynamic Environment[C]// IEEE. 5th Conference on Cloud and Internet of Things(CIoT). New York: IEEE, 2020: 24-31.
[13]	SPRING J, HATLEBACK E, HOUSEHOLDER A, et al. Time to Change the CVSS?[J]. IEEE Security & Privacy, 2021, 19(2): 74-78.
[14]	CHEN Yanhong, OU Yuyi, LING Jie. An Improved Trojans Detection Method Based on Extended Attack Tree Model[J]. Computer Applications and Software, 2016, 33(8): 308-311, 333.
	陈燕红, 欧毓毅, 凌捷. 一种改进的基于扩展攻击树模型的木马检测方法[J]. 计算机应用与软件, 2016, 33(8):308-311,333.
[15]	CHEN Fucai, HU Hongchao, LIU Wenyan, et al. Active Defense Technology in Cyberspace[M]. Beijing: Science Press, 2018.
	陈福才, 扈红超, 刘文彦, 等. 网络空间主动防御技术[M]. 北京: 科学出版社, 2018.
[16]	TANG Zanyu, LIU Hong. Study on Evaluation Method of Network Security Situation Under Multi-Stage Large-Scale Network Attack[J]. Computer Science, 2018, 45(1): 245-2 48.
	唐赞玉, 刘宏. 多阶段大规模网络攻击下的网络安全态势评估方法研究[J]. 计算机科学, 2018, 45(1):245-248.

节点	任务	节点	任务	节点	任务	节点	任务
M1	信息收集	N1	IP资源信息	N6	网站关键信息	N11	渗透代理
M2	边界渗透	N2	域名信息	N7	漏洞利用	N12	内网攻击
M3	权限获取	N3	服务器信息	N8	绕过防护	N13	后渗透
M4	内网渗透	N4	漏洞信息	N9	权限提升	N14	系统日志清除
M5	痕迹清除	N5	人力资源信息	N10	权限维持	N15	应用日志清除
S1	真实IP 获取	S2	旁站信息	S3	主机信息	S4	子域名信息
S5	域名发现	S6	服务器端口	S7	服务器系统	S8	漏洞研究
S9	漏洞扫描	S10	Whois 信息	S11	社会工程学	S12	网站指纹识别
S13	敏感路径	S14	互联网信息	S15	操作系统漏洞	S16	应用系统漏洞
S17	框架漏洞	S18	CMS漏洞	S19	WAF识别	S20	WAF绕过
S21	绕过IDS/IPS	S22	操作系统提权	S23	DBMS 提权	S24	第三方提权
S25	系统权限维持	S26	框架权限维持	S27	后门维持	S28	反正向代理
S29	端口映射	S30	隐秘隧道	S31	信息收集	S32	漏洞及利用
S33	钓鱼攻击	S34	无线攻击	S35	域渗透	S36	后渗透维持
S37	操作系统日志清除	S38	DBMS系统日志清除	S39	中间件日志清除	S40	边界设备日志清除

攻击难度评价
要素	可选值	分值标准
AV	物理/本地/相邻网络/远程	0.2/0.4/0.6/0.8
AC	很低/低/高/很高	0.9/0.7/0.5/0.2
AP	无权限/低权限/高权限	0.9/0.5/0.2
UI	不需要/需要	0.9/0.45
攻击特性影响评价
要素	可选值	分值标准
C	低影响/部分影响/完全影响	0.3/0.6/0.9
I	低影响/部分影响/完全影响	0.3/0.6/0.9
A	低影响/部分影响/完全影响	0.3/0.6/0.9