
CN116436701A - Method, device, equipment and storage medium for predicting network attacks - Google Patents


Info

Publication number
CN116436701A
Authority
CN
China
Prior art keywords
attack
target
potential
probability
potential attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202310690622.0A
Other languages
Chinese (zh)
Other versions
CN116436701B (en)
Inventor
张文琴
李震宇
黄凯
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Mingshi Technology Co ltd
Original Assignee
Hangzhou Mingshi Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Mingshi Technology Co ltd
Priority to CN202310690622.0A
Publication of CN116436701A
Application granted
Publication of CN116436701B
Legal status: Active

Classifications

    • H04L63/1441 Countermeasures against malicious traffic (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Detecting or protecting against malicious traffic)
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/14 Network analysis or design)
    • H04L41/147 Network analysis or design for predicting network behaviour (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/14 Network analysis or design)
    • H04L9/40 Network security protocols (H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The present disclosure discloses a method, device, equipment and storage medium for predicting network attacks. The method includes: determining the current attack means and a plurality of potential attack targets according to the current attack target; processing the current attack means with an attack prediction model to obtain the potential attack means and their occurrence probabilities; obtaining the static detection result of each potential attack target; calculating the attack risk value of each potential attack target under the potential attack means according to the potential attack means and their occurrence probabilities, the static detection result of each potential attack target and the conditional probability of the attack means under the static detection result; and determining the potential attack target with the largest attack risk value as the predicted attack target. The method of the disclosed embodiments uses the attack risk value to screen out the predicted attack target most likely to be attacked, completes the prediction of the next-stage attack target efficiently and accurately, and improves prediction accuracy.


Description

Method, device, equipment and storage medium for predicting network attack
Technical Field
The present disclosure relates generally to the field of network security technology. More particularly, the present disclosure relates to a method, apparatus, electronic device, and computer readable storage medium for predicting network attacks.
Background
Network security technologies generally predict the network security situation so that the security state of the network is known before a network attack event occurs and corresponding protective measures can be taken in time to avoid unnecessary attacks and losses.
Among known cyber attack threats there is a class of attacks known as advanced persistent threats (APT), which pose a significant threat to important information systems in finance, energy, transportation, government, military and telecommunications because they are organized, targeted and extremely long in duration. The attack channels of an APT are diverse, its dwell time is long, and its attack characteristics are difficult to extract, so the next attack means in the attack chain is difficult to predict, which causes a great security threat.
The network attack prediction method provided by the prior art determines a plurality of attack chains from publicly disclosed network attack events, determines the current attack stage from the network attack the target host is currently suffering, and predicts the next attack stage by referring to the order of the attack stages on the attack chains; however, it cannot predict the attack target and therefore cannot provide more accurate prediction information for the network security situation prediction process.
In view of this, it is desirable to provide a network attack prediction scheme, so as to efficiently and accurately predict the attack target of the next stage, and improve the prediction accuracy.
Disclosure of Invention
To address at least one or more of the technical problems mentioned above, the present disclosure proposes a network attack prediction scheme in various aspects.
In a first aspect, the present disclosure provides a method for predicting a network attack comprising: determining a current attack means and a plurality of potential attack targets according to the current attack targets; processing the current attack means by utilizing the attack prediction model to obtain potential attack means and occurrence probability thereof; acquiring a static detection result of each potential attack target; calculating an attack risk value of each potential attack target under the potential attack means according to the potential attack means and the occurrence probability thereof, the static detection result of each potential attack target and the conditional probability of the attack means under the static detection result; and determining the potential attack target with the largest attacked risk value as the predicted attack target.
In some embodiments, wherein calculating the risk of attack value for each potential attack target comprises: calculating the attack probability of each potential attack target by the potential attack means according to the potential attack means and the occurrence probability thereof, the static detection result of each potential attack target and the conditional probability of the attack means under the static detection result; determining a preset target value of each potential attack target; and taking the product of the attack probability of each potential attack target and the preset target value as the attack risk value of each potential attack target.
In some embodiments, after determining the predicted attack target, the method further comprises: for the predicted attack target, calculating the attack probability of each potential attack means according to the potential attack means and their occurrence probabilities, the static detection result of the predicted attack target and the conditional probability of the occurrence of the attack means under the static detection result; and determining the potential attack means with the largest attack probability as the predicted attack means.
In some embodiments, the static detection result of each potential attack target includes a security feature that the potential attack target has, wherein calculating the probability of being attacked for each potential attack target includes: generating a Has function of each potential attack target aiming at each security feature according to the static detection result of each potential attack target; generating a probability function of each potential attack means for each security feature according to the conditional probability of the attack means under the static detection result; and calculating the attack probability of each potential attack target according to the Has function, the probability function and the occurrence probability of each potential attack means.
In some embodiments, calculating the probability of being attacked for each potential attack target from the Has function, the probability function and the occurrence probability of each potential attack means comprises: calculating the attack probability P(b) of the potential attack target b according to the formula shown in the original [formula image SMS_1, not reproduced on this page]; wherein P(b) represents the probability that potential attack target b is attacked, T represents the set of potential attack means, t_i represents a potential attack means, f represents a security feature of potential attack target b, F represents the set of security features of potential attack target b, P(t_i) represents the occurrence probability of potential attack means t_i, rel(t_i, f) represents the probability function of each potential attack means t_i for each security feature f, and Has(b, f) represents the Has function of each potential attack target b for each security feature f.
In some embodiments, calculating the attack probability of each potential attack means for the predicted attack target comprises: for the predicted attack target b, calculating the attack probability of each potential attack means t_i according to the formula shown in the original [formula image SMS_9, not reproduced on this page]; wherein the attack probability indicates the probability that the predicted attack target b is attacked by potential attack means t_i, f represents a security feature possessed by the potential attack target b, F represents the set of security features possessed by the potential attack target b, P(t_i) represents the occurrence probability of potential attack means t_i, rel(t_i, f) represents the probability function of each potential attack means t_i with respect to each security feature f and reflects the conditional probability of the occurrence of potential attack means t_i under the static detection result, and Has(b, f) represents the Has function of each potential attack target for each security feature and reflects the static detection result of potential attack target b.
In some embodiments, wherein generating a Has function for each security feature for each potential attack target comprises: if the potential attack target b Has the security feature f, the value of the Has function Has (b, f) of the potential attack target b aiming at the security feature f is 1; and if the potential attack target b does not have the security feature f, the value of the Has function Has (b, f) of the potential attack target b aiming at the security feature f is 0.
In some embodiments, generating a probability function for each potential attack means for each security feature comprises: carrying out numerical statistics on the historical static detection results and the associated historical attack means to obtain a probability function rel(t, f) of each attack means for each security feature; and deriving the probability function rel(t_i, f) of each potential attack means t_i for each security feature from rel(t, f) and the potential attack means t_i; wherein rel(t, f) ∈ [0, 1], t represents an attack means, rel(t_i, f) ∈ [0, 1], t_i represents a potential attack means, and f represents a security feature.
In some embodiments, after determining the predicted attack means, the method further comprises: applying, to the predicted attack target, a mitigation measure aimed at the predicted attack means.
In some embodiments, wherein determining the current attack means based on the current attack target comprises: dynamically monitoring a current attack target to obtain a dynamic monitoring log of the current attack target; processing the dynamic monitoring log according to a preset rule to generate a safety alarm; and determining the current attack means of the current attack target according to the security alarm.
In some embodiments, wherein determining potential attack targets from current attack targets comprises: collecting local network topology structure and network connectivity information; taking the target meeting the preset condition and the current attack target as potential attack targets; the preset condition includes that the target and the current attack target are in the same link in the local network topology structure, and the network connectivity information of the link is connected.
In some embodiments, wherein prior to processing the current attack means using the attack prediction model, the method further comprises: acquiring historical attack data; intercepting a historical attack chain according to the historical attack data; extracting features of the historical attack chain to obtain a training sample; and training the model by using the training sample to obtain an attack prediction model.
In some embodiments, the historical attack data is an ordered sequence formed by a historical attack means, and the historical attack chain is a subsequence of the ordered sequence.
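The model-training path above (acquire historical attack data, intercept attack chains, extract training samples, train) carried through on constructed data, as an added example that is not the patent's code. The page fixes only the data shape (an ordered sequence of attack means, with chains as sub-sequences) and the output format (one score slot per technique); the technique vocabulary, the incident histories and the transition-count model below are assumptions standing in for whatever model the patent trains.

```python
"""Added example, not the patent's code: build training samples from historical
attack chains and fit a simple next-technique predictor that emits the score
vector format described in the disclosure (one slot per technique).

Assumptions: the technique vocabulary, the incident histories and the
transition-count model are constructed for illustration; the patent does not
specify its model type.
"""

# Constructed technique vocabulary; the index fixes each technique's slot.
TECHNIQUES = ["tA", "tB", "tC", "tD", "tE", "tF", "tG"]
INDEX = {t: i for i, t in enumerate(TECHNIQUES)}

# Constructed historical attack data: each incident is an ordered sequence of
# attack stages, each stage being the set of techniques used at that stage.
HISTORY = [
    [{"tA"}, {"tA", "tC"}, {"tB", "tD"}, {"tF"}, {"tG"}],
    [{"tA", "tC"}, {"tD"}, {"tG"}],
    [{"tA"}, {"tC"}, {"tF"}],
]


def multi_hot(stage):
    """Encode a set of techniques as the multi-hot vector used on the page
    (current means {tA, tC} -> <1,0,1,0,0,0,0>)."""
    vec = [0] * len(TECHNIQUES)
    for t in stage:
        vec[INDEX[t]] = 1
    return vec


def intercept_chains(history, window=2):
    """Cut every incident into sub-sequences of `window` consecutive stages;
    each sub-sequence is one historical attack chain (here: current -> next)."""
    chains = []
    for incident in history:
        for i in range(len(incident) - window + 1):
            chains.append(tuple(incident[i:i + window]))
    return chains


def extract_samples(chains):
    """Feature extraction: (current-stage vector, next-stage vector) pairs."""
    return [(multi_hot(chain[0]), multi_hot(chain[-1])) for chain in chains]


class TransitionModel:
    """Assumed model: counts how often technique j appears in the stage that
    follows technique i and scores each slot with that conditional frequency."""

    def __init__(self):
        n = len(TECHNIQUES)
        self.counts = [[0] * n for _ in range(n)]

    def fit(self, samples):
        for cur, nxt in samples:
            for i, used in enumerate(cur):
                if not used:
                    continue
                for j, follows in enumerate(nxt):
                    self.counts[i][j] += follows
        return self

    def predict(self, current):
        """Score vector for a multi-hot current-means vector: slot j gets the
        highest conditional frequency of j following any active technique i.
        Slots for techniques never seen to follow the current ones stay 0."""
        n = len(TECHNIQUES)
        scores = [0.0] * n
        for i, used in enumerate(current):
            total = sum(self.counts[i])
            if not used or total == 0:
                continue
            for j in range(n):
                scores[j] = max(scores[j], self.counts[i][j] / total)
        return scores


def train(history):
    """Acquire -> intercept chains -> extract samples -> fit."""
    return TransitionModel().fit(extract_samples(intercept_chains(history)))


if __name__ == "__main__":
    model = train(HISTORY)
    print(dict(zip(TECHNIQUES, model.predict(multi_hot({"tA", "tC"})))))
```

With the constructed history, the current means {tA, tC} yield a score vector whose non-zero slots (tA, tB, tC, tD) are the potential attack means; normalising that vector is the next step of the method and is not repeated here.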
In a second aspect, the present disclosure provides an apparatus for predicting a network attack comprising: the static detection module is used for carrying out static detection on potential attack targets; and an attack prediction module communicatively coupled to the static detection module and operative in concert to perform the method of the first aspect.
In some embodiments, the apparatus further comprises: the network information acquisition module is used for acquiring the local network topological structure and the network connectivity information so as to enable the attack prediction module to determine potential attack targets; and the dynamic monitoring module is used for dynamically monitoring the current attack target so as to ensure that the attack prediction module determines the current attack means.
In a third aspect, the present disclosure provides an electronic device comprising: a processor; and a memory having executable code stored thereon that, when executed by the processor, causes the processor to perform the method of the first aspect.
In a fourth aspect, the present disclosure provides a non-transitory computer-readable storage medium having executable code stored thereon, which when executed by a processor of an electronic device, causes the processor to perform the method of the first aspect.
With the attack prediction method provided by the embodiments of the disclosure, potential attack means and potential attack targets can be determined from the current attack target, and the attack risk value of each potential attack target under the potential attack means is calculated by combining the static detection result of the potential attack target, the occurrence probability of the potential attack means and the conditional probability of the attack means occurring under the static detection result. The attack risk value is then used to judge which of the potential attack targets is at the highest risk from the potential attack means, so that the attack target of the next stage is accurately predicted, more accurate prediction information is provided for the network security situation prediction process, and efficient and accurate security control can be applied to the predicted attack target.
Drawings
The above, as well as additional purposes, features, and advantages of exemplary embodiments of the present disclosure will become readily apparent from the following detailed description when read in conjunction with the accompanying drawings. Several embodiments of the present disclosure are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar or corresponding parts and in which:
FIG. 1 illustrates an exemplary flow chart of a network attack prediction method 100 of some embodiments of the present disclosure;
FIG. 2 illustrates an exemplary flow chart of a method 200 of computing a risk of attack value in accordance with some embodiments of the present disclosure;
FIG. 3 illustrates an exemplary flow chart of a method 300 of computing probability of attack for some embodiments of the present disclosure;
FIG. 4 illustrates an exemplary flow chart of a network attack prediction method 400 of further embodiments of the present disclosure;
FIG. 5 illustrates an exemplary flowchart of an attack means determination method 500 of some embodiments of the present disclosure;
FIG. 6 illustrates an exemplary flow chart of a model training method 600 of some embodiments of the present disclosure;
FIG. 7 illustrates an exemplary block diagram of a network attack prediction device 700 in accordance with some embodiments of the present disclosure;
FIG. 8 illustrates an exemplary block diagram of an electronic device 800 of an embodiment of the disclosure.
Detailed Description
The following description of the embodiments of the present disclosure will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the disclosure. Based on the embodiments in this disclosure, all other embodiments that may be made by those skilled in the art without the inventive effort are within the scope of the present disclosure.
It should be understood that the terms "comprises" and "comprising," when used in this specification and the claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the present disclosure is for the purpose of describing particular embodiments only, and is not intended to be limiting of the disclosure. As used in the specification and claims of this disclosure, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should be further understood that the term "and/or" as used in the present disclosure and claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the claims, the term "if" may be interpreted as "when..once" or "in response to a determination" or "in response to detection" depending on the context. Similarly, the phrase "if a determination" or "if a [ described condition or event ] is detected" may be interpreted in the context of meaning "upon determination" or "in response to determination" or "upon detection of a [ described condition or event ]" or "in response to detection of a [ described condition or event ]".
Specific embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
Exemplary application scenarios
APT generally refers to a group of attackers who use relatively complex and highly targeted attack means to intrude on a particular target repeatedly in order to steal sensitive information or take control of systems, and such a threat can persist for a long period. Compared with other forms of attack, an APT poses a greater threat to network security because of its greater stealth, persistence and harmfulness.
The cyber security knowledge base ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), maintained by MITRE, describes the tactics and techniques an attacker may use as well as the specific procedures an attacker may follow. ATT&CK standardises the description of malicious network attack behaviour and subdivides the various attack behaviours corresponding to attack behaviour data. The framework organises this information in a structured model that helps security professionals better understand and handle attacks by threat actors.
The network attack prediction scheme provided by the disclosure can comprehensively judge by combining static detection results and other information of each target under an ATT & CK framework, and can efficiently and accurately predict the attack which has specific targets and is difficult to extract attack characteristics aiming at APT, so that the attack targets of the next stage of an attack chain are locked.
The existing scheme for predicting network attack based on the attack chain can only predict the next attack stage, cannot accurately lock an attack target, and cannot provide more accurate prediction information for a network security situation prediction process.
Exemplary embodiment
In view of this, the embodiments of the present disclosure provide a network attack prediction scheme, which calculates an attacked risk value of each potential attack target by a potential attack means according to a static detection result of the potential attack target, an occurrence probability of the potential attack means, and a conditional probability of the occurrence of the attack means under the static detection result, and screens out a predicted attack target most likely to be attacked by the attack risk value, so that prediction of the attack target in the next stage can be efficiently and accurately completed.
Fig. 1 illustrates an exemplary flow chart of a network attack prediction method 100 of some embodiments of the present disclosure.
As shown in fig. 1, in step S101, a current attack means and a plurality of potential attack targets are determined according to a current attack target.
In this embodiment, the target currently under network attack is called a; since the current attack target a has already been subjected to a network attack, the current attack means of the attacker can be obtained by detecting the state of the current attack target a.
It should be noted that when the method is executed under the ATT&CK framework, the attack means here may be regarded as an attack technique in ATT&CK, such as Drive-by Compromise. In addition, an attacker may attack the current attack target a using a single attack means or several, i.e. the number of current attack means may be one or more, and several current attack means may together constitute an attack tactic as shown in ATT&CK.
In this embodiment, a potential attack target is a target the attacker may attack in the next attack stage; it must at least satisfy the condition of being within the attacker's attack scope. Based on this condition, the attacker may choose in the next attack stage to continue attacking the current attack target a, or to attack a target q directly connected to the current attack target a.
Further, potential attack targets may be determined by analyzing the network topology. Taking multiple hosts under the same network as an example, the network topology can be represented by a directed graph G = <V, E>, where V is the set of all hosts in the network and E the set of directed edges between hosts; the attack scope of an attacker can then be expressed as {a} ∪ {q | <a, q> ∈ E, q ∈ V}, that is, the attack scope includes the current attack target a and every target q directly reachable from it.
In practical application, a network information acquisition module can acquire a local network topology structure and network connectivity, and a potential attack target is determined through the following steps:
collecting local network topology structure and network connectivity information;
and taking the target meeting the preset condition and the current attack target as potential attack targets.
Wherein the preset conditions include: in the local network topology structure, the target and the current attack target are in the same link, and the network connectivity information of the link is connected.
The network topology is the physical layout of the connections among transmission media such as network cables; using the two most basic geometric elements, points and lines, it represents the network configuration and the connections among network servers, workstations and network devices.
Taking a plurality of hosts under the same network as an example, one node in the local network topology structure is a host, one line is a link, the nodes at two ends of the link are directly connected, and the network connectivity information reflects whether the link is in a connected state or a disconnected state.
When the target is in the same link with the current attack target and the link is communicated, the attacker can directly reach the target from the current attack target, so that the target is in the attack range of the attacker.
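The potential-target rule above (the current target itself, plus every host on a directed edge out of it whose link is currently connected) as an added example that is not the patent's code. The hosts, the directed topology G = <V, E> and the link states are constructed for this example; the network information acquisition module that would supply them in practice is not modelled.

```python
"""Added example, not the patent's code: determine potential attack targets
from a local network topology and link connectivity. A target q is potential
when <a, q> is a directed edge from the current attack target a and that link
is connected; a itself is always a potential target.

Assumptions: the topology, link states and host names are constructed.
"""

# Constructed directed topology G = <V, E>: V is the host set, E the directed
# edges (src, dst) meaning dst is directly reachable from src.
V = {"web01", "app01", "db01", "jump01", "mail01"}
E = {
    ("web01", "app01"),
    ("web01", "jump01"),
    ("app01", "db01"),
    ("jump01", "db01"),
    ("mail01", "web01"),  # reverse direction only: web01 cannot reach mail01
}

# Constructed link connectivity as a network information acquisition module
# might report it: True = link connected, False = link currently down.
LINK_STATE = {
    ("web01", "app01"): True,
    ("web01", "jump01"): False,  # link disconnected right now
    ("app01", "db01"): True,
    ("jump01", "db01"): True,
    ("mail01", "web01"): True,
}


def attack_scope(a, hosts, edges):
    """Static attack scope {a} ∪ {q | <a, q> ∈ E, q ∈ V}, ignoring link state."""
    if a not in hosts:
        raise ValueError(f"unknown host {a!r}")
    return {a} | {q for (src, q) in edges if src == a and q in hosts}


def potential_targets(a, hosts, edges, link_state):
    """Hosts on a connected link out of a, plus a itself. A link with no
    reported state is treated as disconnected (fail closed)."""
    scope = attack_scope(a, hosts, edges)
    return {q for q in scope if q == a or link_state.get((a, q), False)}


if __name__ == "__main__":
    print("scope:", sorted(attack_scope("web01", V, E)))
    print("potential targets:", sorted(potential_targets("web01", V, E, LINK_STATE)))
```

For the current target web01 the static scope is {web01, app01, jump01}, but jump01 drops out because its link is down, and mail01 is never in scope because its only edge points towards web01, not away from it.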
In step S102, the current attack means is processed by using the attack prediction model to obtain potential attack means and occurrence probability thereof.
In this embodiment, the current attack means is input into the attack prediction model, so that the attack means possibly adopted by the attacker in the next attack stage, which is also called as potential attack means, can be obtained.
After the current attack means is input into the attack prediction model, the attack prediction model outputs the set T = {t_1, t_2, …, t_i} of attack means that an attacker may adopt in the next attack stage and, further, the set of occurrence probabilities {P(t_i) | t_i ∈ T, 0 ≤ P(t_i) ≤ 1}.
It should be noted that the number of potential attack means output by the attack prediction model may be one or more. Assume that the attack means available to the attacker include t_A, t_B, t_C, t_D, t_E, t_F and t_G, 7 kinds in total. If the current attack means are t_A and t_C, the corresponding feature vector can be expressed as <1, 0, 1, 0, 0, 0, 0>. After processing by the attack prediction model, the output has the form <0, 0.2, 0, 0.4, 0, 0.6, 0.7>, which shows that the potential attack means include t_B, t_D, t_F and t_G.
The output feature vector is normalized to obtain the occurrence probability of each potential attack means. Taking the prediction <0, 0.2, 0, 0.4, 0, 0.6, 0.7> as an example, the occurrence probability of potential attack means t_B is P(t_B) = 0.2 / (0.2 + 0.4 + 0.6 + 0.7) × 100% = 10.5%, the occurrence probability of t_D is P(t_D) = 0.4 / (0.2 + 0.4 + 0.6 + 0.7) × 100% = 21.1%, and so on: P(t_F) = 0.6 / (0.2 + 0.4 + 0.6 + 0.7) × 100% = 31.6% and P(t_G) = 0.7 / (0.2 + 0.4 + 0.6 + 0.7) × 100% = 36.8%.
It should be noted that the above feature vector of the input attack prediction model and the output prediction result are only one example given in the present embodiment, and do not constitute a unique limitation to the attack prediction model.
In step S103, a static detection result of each potential attack target is acquired.
In practical application, the static detection module carries out a security "physical examination" of the target to obtain its static detection result. The main items of static detection include baseline checking, weak-password detection, vulnerability detection, malicious program/virus detection, rootkit detection and the like. Whether the detected target has a weak password, for example, is a security feature of that target, so based on the items of static detection each target can construct a security feature set F that represents its security condition; the security features can include whether the target has a weak password, whether a specific application is installed, whether an SSH port is open, and so on, and the static detection result of each potential attack target includes the security features f of that potential attack target.
It should be further noted that, in this embodiment, the execution timing of step S102 and step S103 is not strictly required, and in practical application, step S103 may be executed prior to step S102 or may be executed in parallel with step S102.
In step S104, an attack risk value for each potential attack target is calculated.
Specifically, in step S104, the attack risk value of each potential attack target for the potential attack means is calculated according to the potential attack means and the occurrence probability thereof, the static detection result of each potential attack target, and the conditional probability of the occurrence of the attack means under the static detection result.
It should be noted that in ATT&CK an attack technique and a security feature have an association relationship: when a target has a certain security feature, a certain attack technique may be applicable, easy to apply, or likely to succeed, so the degree of association between that security feature and that attack technique is high, and when another target has the same security feature it is considered to have a high conditional probability of being attacked with that technique. For example, under the tactic Credential Access there is the technique Brute Force with the sub-technique Password Guessing, which only succeeds easily when the target has a weak password. Likewise, under the tactic Lateral Movement there is the technique Remote Services with the sub-technique SSH, which can only succeed if the SSH service on the target allows remote login.
In view of this, the security features of each potential attack target can be determined from its static detection result, the conditional probability of a certain attack means under each security feature can be obtained from the conditional probability of the attack means under the static detection result, and then, combined with the occurrence probability of each potential attack means, the attack risk value of a potential attack target under the potential attack means can be calculated.
In step S105, it is determined that the potential attack target with the largest risk value under attack is the predicted attack target.
Step S104 yields an attack risk value for each potential attack target; a higher attack risk value indicates that the potential attack target is more likely to be attacked, and the potential attack target with the highest attack risk value is the final predicted attack target.
Further, the attack risk value may combine quantized data in two dimensions, one being a preset target value and the other the probability of the target being attacked. The preset target value is a value set for each target in advance; it reflects the value of the data assets on the target, and the quantized data of this dimension is essentially used to evaluate the loss caused if the target is attacked. The attack probability reflects the likelihood that the target is attacked, and the quantized data of this dimension is essentially used to evaluate that likelihood.
The two dimensions are combined for the following reasons. When the attack probabilities of the potential attack targets differ greatly, the potential attack target with the larger attack probability is preferentially taken as the predicted attack target, so that the subsequent attack can be intercepted successfully. However, when the difference between the attack probabilities of two potential attack targets is small, if the one with the smaller attack probability holds data assets of higher value, the loss caused by an attack on it would be hard to bear, so it still needs to be regarded as the predicted attack target and protected.
Still further, in some embodiments, the present disclosure provides a method of calculating the attack risk value. Fig. 2 illustrates an exemplary flow chart of a method 200 of computing the attack risk value in accordance with some embodiments of the present disclosure. It will be appreciated that this attack risk value calculation method is a specific implementation of step S104 described above, and thus the features described above in connection with fig. 1 may be similarly applied thereto.
As shown in fig. 2, in step S201, the probability of being attacked by each potential attack target is calculated.
Specifically, in step S201, the attack probability may be calculated according to the potential attack means and the occurrence probability thereof, the static detection result of each potential attack target, and the conditional probability of occurrence of the attack means under the static detection result.
Further, the present embodiment provides the following calculation formula for the probability of being attacked:

$$P(b)=\sum_{t\in T}\sum_{f\in F} p(t)\,\mathrm{rel}(t,f)\,\mathrm{has}(b,f)$$

where $p(t)$ represents the occurrence probability of potential attack means $t$, $\mathrm{rel}(t,f)$ represents the probability function of each potential attack means $t$ for each security feature $f$, and $\mathrm{has}(b,f)$ represents the Has function of each potential attack target $b$ for each security feature $f$.
According to the description in the foregoing embodiment, an attack technique has an association relation with a security feature: when the target has a certain security feature, a certain attack technique may be applicable. This association can be represented by the probability function rel(t, f), which gives the conditional probability that a target is attacked by attack means t when the target has security feature f. Thus rel(t, f) essentially reflects the conditional probability that potential attack means t occurs under the static detection result.
The Has function determines whether an object has a certain attribute or method, so whether the potential attack target b has the security feature f can be read from the value of has(b, f); that is, has(b, f) reflects the static detection result of potential attack target b.
In addition, P(b) represents the probability of potential attack target b being attacked, T represents the set of potential attack means, t represents a potential attack means, f represents a security feature possessed by potential attack target b, and F represents the set of security features possessed by potential attack target b.
In step S202, a preset target value for each potential attack target is determined.
Since different targets have different data assets, the value of the different data assets is different, so that corresponding value differences exist among the targets, and in order to reflect the value differences, a preset target value can be set for each target.
What has been described above is that the data assets have different values, and in practice, the reasons for the difference in value may also include other factors, such as equipment costs, and the like.
In step S203, the product of the attack probability of each potential attack target and the preset target value is taken as the attack risk value of each potential attack target.
Assuming that the preset target value of potential attack target b is Value(b), the attack risk value may be expressed as Value(b)·P(b), and the process of determining the predicted attack target can be regarded as screening for the maximum value of Value(b)·P(b).
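The following is an added worked example, not code from the patent: it implements the attack probability P(b) as the double sum of occurrence probability, probability function and Has function, the attack risk value Value(b)·P(b) of step S203, and the selection of the predicted attack target in step S105. The attack means, security feature names, occurrence probabilities, rel(t, f) values and preset target values are constructed for illustration; in particular the inputs are chosen so that a target with a lower attack probability but a higher preset value wins, which is the case the text describes.

```python
# Added example (not the patent's own code): attack risk value Value(b) * P(b)
# and selection of the predicted attack target (steps S201-S203 / S104-S105).
from typing import Dict, Set, Tuple

# ---- constructed sample inputs (all values are assumptions) ---------------------
# Potential attack means and their occurrence probability p(t), as an attack
# prediction model would output them for the next attack stage.
POTENTIAL_MEANS: Dict[str, float] = {
    "Brute Force / Password Guessing": 0.6,
    "Remote Services / SSH": 0.4,
}

# rel(t, f): conditional probability that a target with security feature f is
# attacked with means t (constructed, not derived from any dataset).
REL: Dict[Tuple[str, str], float] = {
    ("Brute Force / Password Guessing", "weak_password"): 0.5,
    ("Brute Force / Password Guessing", "ssh_remote_login"): 0.1,
    ("Remote Services / SSH", "ssh_remote_login"): 0.6,
    ("Remote Services / SSH", "weak_password"): 0.1,
}

# Static detection results: the security features found on each potential target b.
STATIC_RESULTS: Dict[str, Set[str]] = {
    "host-A": {"weak_password", "ssh_remote_login"},
    "host-B": {"ssh_remote_login"},
    "host-C": set(),
}

# Preset target value Value(b): relative worth of the data assets on each target.
TARGET_VALUE: Dict[str, float] = {"host-A": 1.0, "host-B": 5.0, "host-C": 10.0}


def has(b: str, f: str, static_results: Dict[str, Set[str]]) -> int:
    """Has function: 1 if target b has security feature f, otherwise 0 (step S301)."""
    return 1 if f in static_results.get(b, set()) else 0


def rel(t: str, f: str, rel_table: Dict[Tuple[str, str], float]) -> float:
    """Probability function rel(t, f); pairs with no recorded relation contribute 0."""
    return rel_table.get((t, f), 0.0)


def attack_probability(b: str, means: Dict[str, float],
                       rel_table: Dict[Tuple[str, str], float],
                       static_results: Dict[str, Set[str]]) -> float:
    """P(b) = sum over t in T, sum over f in F of p(t) * rel(t, f) * has(b, f).

    F is taken as every security feature the static detection reports on;
    has(b, f) zeroes the terms for features that b lacks, so attack means that
    cannot apply to b never raise its attack probability.
    """
    all_features = {f for (_, f) in rel_table}
    return sum(p_t * rel(t, f, rel_table) * has(b, f, static_results)
               for t, p_t in means.items()
               for f in all_features)


def attack_risk(b: str, means, rel_table, static_results, target_value) -> float:
    """Attack risk value Value(b) * P(b) (step S203)."""
    return target_value[b] * attack_probability(b, means, rel_table, static_results)


def predict_attack_target(means, rel_table, static_results, target_value) -> Tuple[str, float]:
    """Step S105: the potential target with the largest attack risk value."""
    risks = {b: attack_risk(b, means, rel_table, static_results, target_value)
             for b in static_results}
    best = max(risks, key=risks.get)
    return best, risks[best]


if __name__ == "__main__":
    for target in STATIC_RESULTS:
        print(target,
              "P(b)=%.3f" % attack_probability(target, POTENTIAL_MEANS, REL, STATIC_RESULTS),
              "risk=%.3f" % attack_risk(target, POTENTIAL_MEANS, REL, STATIC_RESULTS, TARGET_VALUE))
    print("predicted attack target:",
          predict_attack_target(POTENTIAL_MEANS, REL, STATIC_RESULTS, TARGET_VALUE))
```

With these inputs host-A has the higher attack probability (0.64 versus 0.30 for host-B), but host-B's preset value of 5.0 lifts its risk value to 1.5, so host-B becomes the predicted attack target; host-C has no matching security feature and therefore a risk value of zero regardless of its value.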
To improve the accuracy of predictions, the present disclosure provides a method of calculating probability of attack that is applicable to any of the previous embodiments. Fig. 3 illustrates an exemplary flow chart of a method 300 of computing probability of attack for some embodiments of the present disclosure. It will be appreciated that the method of calculating the probability of attack is a specific implementation of step S201 described above, and so the features described above in connection with fig. 2 may be similarly applied thereto.
As shown in fig. 3, in step S301, a Has function of each potential attack target for each security feature is generated according to the static detection result of each potential attack target.
Illustratively, the execution of step S301 is as follows:
if the potential attack target b Has the security feature f, the value of the Has function Has (b, f) of the potential attack target b aiming at the security feature f is 1;
if the potential attack target b does not have the security feature f, the value of the Has function Has (b, f) of the potential attack target b for the security feature f is 0.
Taking the attack tactic Lateral Movement as an example, the attack technique Remote Services with the sub-technique SSH can only succeed if the SSH service on the target allows remote login. Assuming that the potential attack target b has the security feature f "SSH service allows remote login", the Has function of b for that feature is has(b, f) = 1.
In step S302, a probability function for each security feature for each potential attack means is generated from the conditional probabilities of the attack means occurring under the static detection result.
In this embodiment, numerical statistics may first be performed on the historical static detection results and their associated historical attack means to obtain a distribution ratio, which may be regarded as the probability function rel(t, f) of each attack means t for each security feature f; substituting each potential attack means for t in rel(t, f) then gives the probability function of each potential attack means for each security feature. Here rel(t, f) ∈ [0, 1], and the probability function of each potential attack means likewise lies in [0, 1].
It should be noted that, in the present embodiment, the execution timing of step S301 and step S302 is not strictly required, and in practical application, step S302 may be executed prior to step S301 or parallel to step S301, which is not limited only herein.
In step S303, the probability of being attacked by each potential attack target is calculated according to the Has function, the probability function, and the occurrence probability of each potential attack means.
Specifically, the products of the Has function, the probability function and the occurrence probability of each potential attack means are doubly summed, over the potential attack means and over the security features, to obtain the attack probability of each potential attack target. The specific calculation formula of this process is

$$P(b)=\sum_{t\in T}\sum_{f\in F} p(t)\,\mathrm{rel}(t,f)\,\mathrm{has}(b,f)$$

where $p(t)$ is the occurrence probability of potential attack means $t$.
Taking the attack tactic Lateral Movement as an example, with the attack technique Remote Services and its sub-technique SSH as the potential attack means: when the potential attack target does not have the corresponding security feature, the value of the has(b, f) term is 0, so whatever the occurrence probability of Remote Services / SSH, it cannot increase the attack probability of potential attack target b.
Introducing the Has function thus eliminates the interference of attack means that cannot apply to the current potential attack target, which ensures the accuracy of the attack probability and in turn the accuracy of the prediction.
In the network attack prediction process, after the predicted attack target is locked, the attack means possibly adopted by an attacker in the next attack stage can be further determined, namely, the predicted attack means is determined, so that a targeted protection measure is implemented on the predicted attack target aiming at the predicted attack means.
Fig. 4 illustrates an exemplary flow chart of a network attack prediction method 400 of further embodiments of the present disclosure.
As shown in fig. 4, in step S401, a predicted attack target is determined according to the current attack target.
It should be noted that the specific implementation of step S401 has been described in detail in the foregoing embodiments and will not be repeated here.
In step S402, attack probabilities for each potential attack means are calculated for the predicted attack targets.
In this embodiment, the attack probability of each potential attack means is calculated according to the potential attack means and the occurrence probability thereof, the static detection result of the predicted attack target, and the conditional probability of the occurrence of the attack means under the static detection result.
Specifically, for the predicted attack target b, the attack probability of each potential attack means t is calculated from the same quantities as before. The attack probability of potential attack means t represents the probability that the predicted attack target b is attacked by t; f represents a security feature of b and F the set of security features of b; p(t) represents the occurrence probability of potential attack means t; rel(t, f) represents the probability function of each potential attack means t with respect to each security feature f and, according to the description in the previous embodiment, reflects the conditional probability of the attack means occurring under the static detection result; and has(b, f) represents the Has function of each potential attack target for each security feature and, according to the description in the previous embodiment, reflects the static detection result of potential attack target b.

In this embodiment, rel(t, f) may be generated in the manner of step S302 in the previous embodiment, and has(b, f) in the manner of step S301 in the previous embodiment, which are not described here again.
In step S403, the potential attack means with the greatest attack probability is determined as the predicted attack means.
For the predicted attack target, the attack probability of each potential attack means represents the possibility that an attacker adopts the potential attack means for the predicted attack target, so that the potential attack means with the highest attack probability is the attack means with the highest possibility that the attacker adopts for the predicted attack target, namely the predicted attack means.
Further, after determining the predicted attack means, an attack mitigation means for the predicted attack means may also be employed for the predicted attack target.
ATT&CK describes not only the various tactics and attack techniques an attacker may use, but also targeted mitigation means, so that a user can conveniently formulate a corresponding security risk reduction strategy. Using the correspondence between attack techniques and mitigations in ATT&CK, the mitigation means for the predicted attack means can be looked up, and network security control applied to the predicted attack target on that basis.
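The following is an added example, not code from the patent, covering two of the steps above: estimating the probability function rel(t, f) from historical static detection results as in step S302, and then computing the per-means attack probability for the locked target and picking the predicted attack means as in steps S402 and S403, followed by a mitigation lookup. The history records, occurrence probabilities and the target's features are constructed. Two readings are assumptions of mine rather than statements of the patent: rel(t, f) is estimated as the share of historical incidents on targets having feature f in which means t was used, and the per-means attack probability is taken as the P(b) summation restricted to a single means t (the inner sum over f), which is consistent with P(b) being the double sum. The mitigation table is a constructed excerpt in the spirit of ATT&CK's technique-to-mitigation mapping, not a copy of it.

```python
# Added example (not the patent's own code): rel(t, f) from historical statistics
# (step S302), per-means attack probability for the predicted target and the
# predicted attack means (steps S402-S403), then a mitigation lookup.
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed history: (security features the victim had at the time, attack means used).
HISTORY: List[Tuple[Set[str], str]] = [
    ({"weak_password", "ssh_remote_login"}, "Brute Force / Password Guessing"),
    ({"weak_password"}, "Brute Force / Password Guessing"),
    ({"weak_password", "ssh_remote_login"}, "Remote Services / SSH"),
    ({"ssh_remote_login"}, "Remote Services / SSH"),
    ({"ssh_remote_login"}, "Remote Services / SSH"),
]

# Occurrence probabilities p(t) of the potential attack means (constructed).
POTENTIAL_MEANS: Dict[str, float] = {
    "Brute Force / Password Guessing": 0.6,
    "Remote Services / SSH": 0.4,
}

# Static detection result of the predicted attack target b (constructed).
PREDICTED_TARGET_FEATURES: Set[str] = {"ssh_remote_login"}

# Constructed excerpt of a means -> mitigation table (illustrative names only).
MITIGATIONS: Dict[str, List[str]] = {
    "Brute Force / Password Guessing": ["password policies", "account lockout policies",
                                        "multi-factor authentication"],
    "Remote Services / SSH": ["network segmentation", "restrict remote access to the service",
                              "multi-factor authentication"],
}


def estimate_rel(history: List[Tuple[Set[str], str]]) -> Dict[Tuple[str, str], float]:
    """rel(t, f) = (#incidents using t on a target with f) / (#incidents on a target with f).

    Assumption: this ratio is one concrete form of the 'distribution ratio' obtained by
    numerical statistics in step S302.
    """
    with_feature: Counter = Counter()
    means_and_feature: Counter = Counter()
    for features, means in history:
        for f in features:
            with_feature[f] += 1
            means_and_feature[(means, f)] += 1
    return {(t, f): n / with_feature[f] for (t, f), n in means_and_feature.items()}


def means_attack_probabilities(target_features: Set[str], potential_means: Dict[str, float],
                               rel_table: Dict[Tuple[str, str], float]) -> Dict[str, float]:
    """Per-means attack probability for the predicted target (step S402).

    Assumption: p(t) * sum over f of rel(t, f) * has(b, f), i.e. the P(b) summation
    for a single fixed means t. has(b, f) is 1 when the target has feature f.
    """
    all_features = {f for (_, f) in rel_table}
    return {
        t: p_t * sum(rel_table.get((t, f), 0.0) * (1 if f in target_features else 0)
                     for f in all_features)
        for t, p_t in potential_means.items()
    }


def predict_attack_means(target_features, potential_means, rel_table) -> Tuple[str, float]:
    """Step S403: the potential attack means with the largest attack probability."""
    probs = means_attack_probabilities(target_features, potential_means, rel_table)
    best = max(probs, key=probs.get)
    return best, probs[best]


def mitigations_for(means: str) -> List[str]:
    """Mitigation means for the predicted attack means, from the constructed table."""
    return MITIGATIONS.get(means, [])


if __name__ == "__main__":
    rel_table = estimate_rel(HISTORY)
    for key, value in sorted(rel_table.items()):
        print("rel%s = %.3f" % (key, value))
    means, prob = predict_attack_means(PREDICTED_TARGET_FEATURES, POTENTIAL_MEANS, rel_table)
    print("predicted attack means:", means, "with attack probability %.3f" % prob)
    print("mitigations:", mitigations_for(means))
```

On the constructed history the estimate gives rel(Brute Force, weak_password) = 2/3 and rel(Remote Services / SSH, ssh_remote_login) = 3/4; for a target whose only detected feature is remote SSH login, Remote Services / SSH is predicted (0.4 × 0.75 = 0.30) over brute force (0.6 × 0.25 = 0.15), even though brute force has the higher occurrence probability, because the has(b, f) term removes the weak-password contribution.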
In order to determine the current attack means during the execution of any of the network attack prediction methods described in the foregoing embodiments, the present disclosure provides a method as shown in fig. 5, which can determine the current attack means through the dynamic monitoring result of the current attack target. Fig. 5 illustrates an exemplary flowchart of an attack means determination method 500 of some embodiments of the present disclosure.
As shown in fig. 5, in step S501, the current attack target is dynamically monitored to obtain a dynamic monitoring log of the current attack target.
In practical application, the dynamic monitoring module is a module for collecting dynamic monitoring logs reported by various targets and generating safety alarms according to preset rules. The dynamic monitoring module can dynamically monitor the target and record abnormal behaviors in the running process.
In step S502, the dynamic monitoring log is processed according to a preset rule to generate a security alarm.
According to preset rules and abnormal behavior records, the dynamic monitoring module generates security alarms such as abnormal IP login, abnormal time login, hidden processes, account number addition, account number change and the like.
In step S503, the current attack means of the current attack target is determined according to the security alarm.
Because different security alarms have different causes, the attack means used against the current attack target can be inferred from the security alarms. For example, when the security alarm is "multiple login attempts", the corresponding attack technique may be taken to be brute force.
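The following is an added example, not code from the patent, of steps S501 to S503 end to end: parsing constructed dynamic monitoring log lines, generating security alarms from preset rules (repeated login failures, login from an IP outside an allow-list, login outside working hours) and inferring the current attack means from the alarms. The log format, the thresholds, the allow-list and the working-hours window are assumptions; the only alarm-to-technique mapping filled in is the one the text gives (multiple login attempts to brute force), and other alarm types are deliberately left unmapped.

```python
# Added example (not the patent's own code): dynamic monitoring log -> security
# alarms (preset rules) -> current attack means (steps S501-S503).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log (TEST-NET addresses); format is an assumption.
SAMPLE_LOG: List[str] = [
    "2024-01-01T03:15:00 host-A sshd: Accepted password for alice from 198.51.100.7",
    "2024-01-01T10:00:01 host-A sshd: Failed password for root from 203.0.113.5",
    "2024-01-01T10:00:05 host-A sshd: Failed password for root from 203.0.113.5",
    "2024-01-01T10:00:09 host-A sshd: Failed password for root from 203.0.113.5",
    "2024-01-01T10:00:12 host-A sshd: Accepted password for root from 203.0.113.5",
    "this line does not match the expected format and is skipped",
]

# Preset rules (assumed values): known source addresses and the working-hours window.
KNOWN_IPS = {"198.51.100.7"}
WORK_HOURS = (8, 20)          # logins at hours outside [8, 20) raise "abnormal time login"
FAIL_THRESHOLD = 3            # failures per (host, user) inside WINDOW -> "multiple login attempts"
WINDOW = timedelta(seconds=60)

# Alarm -> attack means. Only the mapping given in the text is filled in; the rest
# is left unmapped on purpose rather than guessed.
ALARM_TO_MEANS: Dict[str, str] = {"multiple login attempts": "Brute Force"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
                    r"for (?P<user>\S+) from (?P<ip>\S+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one monitoring log line; lines that do not match the format are ignored."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def generate_alarms(lines: List[str]) -> List[dict]:
    """Step S502: apply the preset rules to the log and emit security alarms in order."""
    alarms: List[dict] = []
    recent_failures = defaultdict(deque)   # (host, user) -> timestamps inside WINDOW
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        base = {"host": ev["host"], "user": ev["user"], "ip": ev["ip"], "ts": ev["ts"]}
        if ev["result"] == "Failed":
            q = recent_failures[(ev["host"], ev["user"])]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:      # fire once when the threshold is reached
                alarms.append({"alarm": "multiple login attempts", **base})
        else:
            if ev["ip"] not in KNOWN_IPS:
                alarms.append({"alarm": "abnormal IP login", **base})
            if not WORK_HOURS[0] <= ev["ts"].hour < WORK_HOURS[1]:
                alarms.append({"alarm": "abnormal time login", **base})
    return alarms


def current_attack_means(alarms: List[dict]) -> List[str]:
    """Step S503: attack means inferred from the alarms (unmapped alarm types are skipped)."""
    return sorted({ALARM_TO_MEANS[a["alarm"]] for a in alarms if a["alarm"] in ALARM_TO_MEANS})


if __name__ == "__main__":
    found = generate_alarms(SAMPLE_LOG)
    for a in found:
        print(a["ts"].isoformat(), a["host"], a["user"], a["ip"], "->", a["alarm"])
    print("current attack means:", current_attack_means(found))
```

The sliding window is keyed per host and user so that a burst of failures against one account is what triggers the alarm, and the alarm fires exactly once when the threshold is reached rather than on every further failure in the same burst.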
Some embodiments of the present disclosure combine static detection techniques and dynamic monitoring techniques to monitor the abnormal behavior of a current attack target to obtain information of the current attack means, and detect the security condition of a potential attack target to obtain the calculation parameters of the attack risk value of the potential attack target.
In addition, an attack prediction model is introduced to efficiently and quickly generate potential attack means so as to facilitate the follow-up completion of the locking of the predicted attack targets and/or the screening of the predicted attack means.
Before the current attack means is processed by using the attack prediction model to obtain the potential attack means, the model needs to be trained to improve the accuracy of the attack prediction model.
FIG. 6 illustrates an exemplary flow chart of a model training method 600 of some embodiments of the present disclosure.
As shown in fig. 6, in step S601, history attack data is acquired.
The historical attack data can be data extracted from network attack cases disclosed by the Internet, and can be obtained by analyzing and extracting target groups according to historical network attack events.
In this embodiment, the historical attack data are sorted to form an ordered sequence of < s1, s2, …, sn >, where s1, s2, and sn represent the historical attack means used in the historical attack, which may be all attack techniques in ATT & CK, i.e. the historical attack data is an ordered sequence formed by the historical attack means.
In step S602, a history attack chain is intercepted according to history attack data.
According to the ordered sequence in step S601, the attack behaviour may be intercepted in the form of several attack chains. Taking an ordered sequence containing four attack means <t_A, t_B, t_C, t_D> as an example, the following three attack chains may be intercepted: <t_A, t_B, t_C> → <t_D>, <t_A, t_B> → <t_C> and <t_A> → <t_B>. Each historical attack chain can be regarded as a subsequence of the ordered sequence in step S601.
In step S603, feature extraction is performed on the history attack chain to obtain a training sample.
In the present embodiment, the attack chain <t_A, t_B, t_C> → <t_D> intercepted in step S602 can be converted into feature vector form by feature extraction; the feature vector obtained after conversion is <1,1,1,0,0,0,0> → <0,0,0,1,0,0,0>. Likewise, the attack chain <t_A, t_B> → <t_C> corresponds to the feature vector <1,1,0,0,0,0,0> → <0,0,1,0,0,0,0>, and the attack chain <t_A> → <t_B> to the feature vector <1,0,0,0,0,0,0> → <0,1,0,0,0,0,0>.
It should be noted that the attack means here are t_A, t_B, t_C, t_D, t_E, t_F and t_G, seven in total.
In step S604, model training is performed using the training samples to obtain an attack prediction model.
And (3) taking the historical attack chain in the feature vector form obtained in the step (S603) as a training sample to carry out model training, and thus obtaining an attack prediction model.
In this process, a machine learning model may be trained as the initial model; the specific machine learning technique may be a multi-layer perceptron (MLP), logistic regression (LR), naive Bayes, a support vector machine (SVM) or the like, or model training may be performed with a decision tree algorithm, which is not limited herein.
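The following is an added example, not code from the patent, of the training pipeline in steps S602 to S604: intercepting every historical attack chain from an ordered sequence, converting prefix and next means into the multi-hot feature vectors shown above, and fitting a model that outputs the occurrence probability of each potential next attack means. The historical sequences are constructed over the seven placeholder means t_A to t_G. The model is an assumption of mine: a simple count-based voting model in which each means present in the current chain votes for the next means in proportion to how often it preceded it in training; it stands in for the MLP, LR, naive Bayes, SVM or decision tree the text lists and is there to keep the example dependency-free.

```python
# Added example (not the patent's own code): attack chain interception (S602),
# feature extraction (S603) and a simple count-based attack prediction model (S604).
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Seven attack means, as in the text's example; names are placeholders for ATT&CK techniques.
MEANS_VOCAB: List[str] = ["t_A", "t_B", "t_C", "t_D", "t_E", "t_F", "t_G"]
INDEX: Dict[str, int] = {t: i for i, t in enumerate(MEANS_VOCAB)}

# Constructed historical attack data: ordered sequences of attack means.
HISTORICAL_SEQUENCES: List[List[str]] = [
    ["t_A", "t_B", "t_C", "t_D"],
    ["t_A", "t_B", "t_E"],
    ["t_A", "t_F", "t_G"],
]


def intercept_chains(sequence: Sequence[str]) -> List[Tuple[List[str], str]]:
    """Step S602: <t1..tk> -> <t(k+1)> for every prefix length k >= 1, longest first."""
    return [(list(sequence[:k]), sequence[k]) for k in range(len(sequence) - 1, 0, -1)]


def to_feature_vector(chain: Sequence[str]) -> List[int]:
    """Step S603: multi-hot vector over MEANS_VOCAB (1 where the means is present)."""
    vec = [0] * len(MEANS_VOCAB)
    for t in chain:
        vec[INDEX[t]] = 1
    return vec


def build_training_samples(sequences: List[List[str]]) -> List[Tuple[List[int], List[int]]]:
    """Training samples as (prefix vector, next-means vector) pairs."""
    samples = []
    for seq in sequences:
        for prefix, nxt in intercept_chains(seq):
            samples.append((to_feature_vector(prefix), to_feature_vector([nxt])))
    return samples


class CountNextMeansModel:
    """Assumed stand-in for the trained classifier: every means present in the
    current chain votes for the next means in proportion to how often it preceded
    that means in the training samples; votes are normalised to a distribution."""

    def __init__(self) -> None:
        # counts[i][j] = number of samples with means i in the prefix and means j next
        self.counts = defaultdict(lambda: [0] * len(MEANS_VOCAB))

    def fit(self, samples: List[Tuple[List[int], List[int]]]) -> "CountNextMeansModel":
        for x, y in samples:
            nxt = y.index(1)
            for i, present in enumerate(x):
                if present:
                    self.counts[i][nxt] += 1
        return self

    def predict_proba(self, current_chain: Sequence[str]) -> Dict[str, float]:
        """Occurrence probability of each potential next attack means."""
        scores = [0.0] * len(MEANS_VOCAB)
        for t in current_chain:
            row = self.counts.get(INDEX[t])   # .get does not create a default row
            if not row or sum(row) == 0:
                continue
            total = sum(row)
            for j, c in enumerate(row):
                scores[j] += c / total
        z = sum(scores)
        if z == 0:   # no history for any means in the chain: fall back to uniform
            return {t: 1 / len(MEANS_VOCAB) for t in MEANS_VOCAB}
        return {t: scores[j] / z for j, t in enumerate(MEANS_VOCAB)}


if __name__ == "__main__":
    training = build_training_samples(HISTORICAL_SEQUENCES)
    print("%d training samples, e.g. %s -> %s" % (len(training), *training[0]))
    model = CountNextMeansModel().fit(training)
    for means, p in sorted(model.predict_proba(["t_A", "t_B"]).items(), key=lambda kv: -kv[1]):
        print("%s: %.3f" % (means, p))
```

The four-means sequence yields the same three chains as in the text, so the three constructed sequences give seven samples in total. For the current chain <t_A, t_B> the model returns a tie between t_C, t_D and t_E (5/21 each), which is what the constructed history supports; a chain containing only means never seen in a prefix falls back to a uniform distribution instead of failing.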
In summary, by the attack prediction method provided by the above embodiment, the potential attack means and the occurrence probability thereof in the next stage can be predicted by using the attack prediction model, and the static detection result of the target and the association relationship between the attack technique and the static detection result are combined, so that before the attack occurs, the target most likely to be attacked by the attacker in the next attack stage is locked, thereby facilitating the risk reduction of the predicted attack target by the user.
In addition, the attack means adopted in the next attack stage can be further predicted, and the method is more accurate than simple history attack chain matching, so that symptomatic risk reduction is realized.
The embodiment of the disclosure also provides a device for predicting the network attack. Fig. 7 illustrates an exemplary block diagram of a network attack prediction device 700 in accordance with some embodiments of the present disclosure.
As shown in fig. 7, the network attack prediction apparatus includes:
the static detection module 701 is configured to perform static detection on a potential attack target, and specifically, the static detection module 701 is configured to perform item detection including baseline detection, weak password detection, vulnerability detection, malicious program/virus detection, and rootkit detection on the potential attack target, so as to obtain information of a security feature of the potential attack target;
an attack prediction module 702 communicatively coupled to the static detection module 701 and operative in conjunction therewith for performing the method as illustrated in any of the preceding embodiments.
Further, the network attack prediction apparatus 700 may further include:
a network information collection module 703 communicatively coupled to and cooperating with the attack prediction module 702 for collecting local network topology and network connectivity information for the attack prediction module 702 to determine potential attack targets;
And a dynamic monitoring module 704, which is communicatively connected to and cooperates with the attack prediction module 702, for dynamically monitoring a current attack target for the attack prediction module 702 to determine a current attack means.
Corresponding to the foregoing functional embodiments, an electronic device as shown in fig. 8 is also provided in the embodiment of the present invention. Fig. 8 shows an exemplary block diagram of an electronic device 800 of an embodiment of the disclosure.
An electronic device 800 shown in fig. 8, comprising: a processor 810; and a memory 820, the memory 820 having stored thereon executable program instructions which, when executed by the processor 810, cause the electronic device to implement any of the methods as described above.
In the electronic apparatus 800 of fig. 8, only constituent elements related to the present embodiment are shown. Thus, it will be apparent to those of ordinary skill in the art that: the electronic device 800 may also include common constituent elements that are different from those shown in fig. 8.
The processor 810 may control the operation of the electronic device 800. For example, the processor 810 controls the operation of the electronic device 800 by executing programs stored in the memory 820 on the electronic device 800. The processor 810 may be implemented by a Central Processing Unit (CPU), an Application Processor (AP), an artificial intelligence processor chip (IPU), etc., provided in the electronic device 800. However, the present disclosure is not limited thereto. In this embodiment, the processor 810 may be implemented in any suitable manner. For example, the processor 810 may take the form of, for example, a microprocessor or processor, and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro) processor, logic gates, switches, an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a programmable logic controller, and an embedded microcontroller, among others.
The memory 820 is hardware used to store the various data and instructions processed in the electronic device 800. For example, the memory 820 may store processed data and data to be processed in the electronic device 800. Memory 820 may store data sets that have been processed or are to be processed by processor 810. Further, the memory 820 may store applications, drivers, and the like to be driven by the electronic device 800. For example, the memory 820 may store various programs related to task type recognition, operator type recognition, and the like to be performed by the processor 810. The memory 820 may be a DRAM, but the present disclosure is not limited thereto. The memory 820 may include at least one of volatile memory or nonvolatile memory. The nonvolatile memory may include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), flash memory, Phase Change RAM (PRAM), Magnetic RAM (MRAM), Resistive RAM (RRAM), Ferroelectric RAM (FRAM), and the like. Volatile memory can include Dynamic RAM (DRAM), Static RAM (SRAM), Synchronous DRAM (SDRAM), PRAM, MRAM, RRAM, Ferroelectric RAM (FeRAM), and the like. In an embodiment, the memory 820 may include at least one of a Hard Disk Drive (HDD), a Solid State Drive (SSD), a CompactFlash (CF) card, a Secure Digital (SD) card, a Micro-SD card, a Mini-SD card, an extreme digital (xD) card, a cache, or a memory stick.
In summary, specific functions implemented by the memory 820 and the processor 810 of the electronic device 800 provided in the embodiment of the present disclosure may be explained in comparison with the foregoing embodiments in the present disclosure, and may achieve the technical effects of the foregoing embodiments, which will not be repeated herein.
Alternatively, the present disclosure may also be implemented as a non-transitory machine-readable storage medium (or computer-readable storage medium, or machine-readable storage medium) having stored thereon computer program instructions (or computer programs, or computer instruction codes) which, when executed by a processor of an electronic device (or electronic device, server, etc.), cause the processor to perform part or all of the steps of the above-described methods according to the present disclosure.
While various embodiments of the present disclosure have been shown and described herein, it will be obvious to those skilled in the art that such embodiments are provided by way of example only. Numerous modifications, changes, and substitutions will occur to those skilled in the art without departing from the spirit and scope of the present disclosure. It should be understood that various alternatives to the embodiments of the disclosure described herein may be employed in practicing the disclosure. The appended claims are intended to define the scope of the disclosure and are therefore to cover all equivalents or alternatives falling within the scope of these claims.

Claims (17)

1. A method for predicting network attacks, characterized in that it comprises:
determining a current attack means and a plurality of potential attack targets according to a current attack target;
processing the current attack means with an attack prediction model to obtain potential attack means and their occurrence probabilities;
obtaining a static detection result of each potential attack target;
calculating, according to the potential attack means and their occurrence probabilities, the static detection result of each potential attack target, and the conditional probability of an attack means occurring under the static detection result, an attack risk value of each potential attack target with respect to the potential attack means; and
determining the potential attack target with the largest attack risk value as the predicted attack target.

2. The method according to claim 1, wherein calculating the attack risk value of each potential attack target comprises:
calculating, according to the potential attack means and their occurrence probabilities, the static detection result of each potential attack target, and the conditional probability of an attack means occurring under the static detection result, the probability of each potential attack target being attacked by the potential attack means;
determining a preset target value of each potential attack target; and
taking the product of the attack probability of each potential attack target and its preset target value as the attack risk value of that potential attack target.

3. The method according to claim 1, wherein, after determining the predicted attack target, the method further comprises:
for the predicted attack target, calculating the attack probability of each potential attack means according to the potential attack means and their occurrence probabilities, the static detection result of the predicted attack target, and the conditional probability of an attack means occurring under the static detection result; and
determining the potential attack means with the largest attack probability as the predicted attack means.

4. The method according to claim 2, wherein the static detection result of each potential attack target includes the security features possessed by that potential attack target, and calculating the attack probability of each potential attack target comprises:
generating, according to the static detection result of each potential attack target, a Has function of each potential attack target for each security feature;
generating, according to the conditional probability of an attack means occurring under the static detection result, a probability function of each potential attack means for each security feature; and
calculating the attack probability of each potential attack target according to the Has function, the probability function and the occurrence probability of each potential attack means.

5. The method according to claim 4, wherein calculating the attack probability of each potential attack target according to the Has function, the probability function and the occurrence probability of each potential attack means comprises:
calculating the attack probability of a potential attack target according to

$$P(b)=\sum_{t\in T}\sum_{f\in F} p(t)\,\mathrm{rel}(t,f)\,\mathrm{has}(b,f)$$

where P(b) represents the probability of potential attack target b being attacked, T represents the set of potential attack means, t represents a potential attack means, f represents a security feature possessed by potential attack target b, F represents the set of security features possessed by potential attack target b, p(t) represents the occurrence probability of potential attack means t, rel(t, f) represents the probability function of each potential attack means t for each security feature f, and has(b, f) represents the Has function of each potential attack target for each security feature.

6. The method according to claim 3, wherein, for the predicted attack target, calculating the attack probability of each potential attack means comprises:
for the predicted attack target b, calculating the attack probability of each potential attack means t from the occurrence probability p(t), the probability function rel(t, f) and the Has function has(b, f);
where the attack probability represents the probability that the predicted attack target b is attacked by potential attack means t, f represents a security feature possessed by potential attack target b, F represents the set of security features possessed by potential attack target b, p(t) represents the occurrence probability of potential attack means t, rel(t, f) represents the probability function of each potential attack means t relative to each security feature f and reflects the conditional probability of potential attack means t occurring under the static detection result, and has(b, f) represents the Has function of each potential attack target for each security feature and reflects the static detection result of potential attack target b.

7. The method according to claim 4 or 5, wherein generating the Has function of each potential attack target for each security feature comprises:
if potential attack target b has security feature f, the value of the Has function has(b, f) of potential attack target b for security feature f is 1; and
if potential attack target b does not have security feature f, the value of the Has function has(b, f) of potential attack target b for security feature f is 0.

8. The method according to claim 4 or 5, wherein generating the probability function of each potential attack means for each security feature comprises:
performing numerical statistics on historical static detection results and their associated historical attack means to obtain a probability function rel(t, f) of each attack means for each security feature; and
obtaining, based on the probability function rel(t, f) and the potential attack means, the probability function of each potential attack means for each security feature
Figure QLYQS_17
Based on the probability function rel(t,f) and the potential attack methods, the probability function of each potential attack method for each security feature is obtained.
Figure QLYQS_17
;
其中,rel(t,f)∈[0,1],t表示攻击手段,
Figure QLYQS_18
∈[0,1],
Figure QLYQS_19
表示攻击手段,f表示安全特征。
Where rel(t,f)∈[0,1], t represents the attack method.
Figure QLYQS_18
∈[0,1],
Figure QLYQS_19
'f' represents the attack method, and 'f' represents the security feature.
9.根据权利要求3或6所述的方法,其特征在于,其中在确定预测攻击手段之后,所述方法还包括:9. The method according to claim 3 or 6, characterized in that, after determining the predicted attack method, the method further includes: 对所述预测攻击目标采用针对所述预测攻击手段的攻击消减手段。Attack mitigation measures are applied to the predicted attack targets in response to the predicted attack methods. 10.根据权利要求1所述的方法,其特征在于,其中根据当前攻击目标确定当前攻击手段包括:10. The method according to claim 1, wherein determining the current attack method based on the current attack target includes: 对当前攻击目标进行动态监测,以得到当前攻击目标的动态监测日志;Dynamically monitor the current attack target to obtain dynamic monitoring logs of the current attack target; 根据预设规则处理所述动态监测日志,以生成安全告警;以及The dynamic monitoring logs are processed according to preset rules to generate security alerts; and 根据所述安全告警确定当前攻击目标的当前攻击手段。The current attack method of the current target is determined based on the security alert. 11.根据权利要求1所述的方法,其特征在于,其中根据当前攻击目标确定潜在攻击目标包括:11. The method according to claim 1, wherein determining potential attack targets based on current attack targets includes: 采集本地网络拓扑结构和网络连通性信息;以及Collect local network topology and network connectivity information; and 将满足预设条件的目标和当前攻击目标作为潜在攻击目标;所述预设条件包括在所述本地网络拓扑结构中,目标与当前攻击目标处于同一链路,且所述链路的网络连通性信息为连通。Targets that meet preset conditions and the current attack target are considered as potential attack targets; the preset conditions include that, in the local network topology, the target and the current attack target are on the same link, and the network connectivity information of the link is connected. 12.根据权利要求1所述的方法,其特征在于,其中在利用攻击预测模型处理当前攻击手段之前,所述方法还包括:12. 
The method according to claim 1, characterized in that, before processing the current attack method using the attack prediction model, the method further includes: 获取历史攻击数据;Obtain historical attack data; 根据所述历史攻击数据截取历史攻击链;Extract the historical attack chain based on the historical attack data; 对所述历史攻击链进行特征提取,以得到训练样本;以及Feature extraction is performed on the historical attack chain to obtain training samples; and 利用所述训练样本进行模型训练,以得到所述攻击预测模型。The attack prediction model is obtained by training the model using the training samples. 13.根据权利要求12所述的方法,其特征在于,所述历史攻击数据为历史攻击手段所构成的有序序列,所述历史攻击链为所述有序序列的子序列。13. The method according to claim 12, wherein the historical attack data is an ordered sequence of historical attack methods, and the historical attack chain is a subsequence of the ordered sequence. 14.一种用于对网络攻击进行预测的装置,其特征在于,包括:14. An apparatus for predicting network attacks, characterized in that it comprises: 静态检测模块,其用于对潜在攻击目标进行静态检测;以及A static detection module is used to perform static detection on potential attack targets; and 攻击预测模块,其与所述静态检测模块通信连接并且配合操作,以用于执行如权利要求1-13中任一项所述的方法。An attack prediction module, which is communicatively connected to and operates in conjunction with the static detection module, is used to perform the method as described in any one of claims 1-13. 15.根据权利要求14所述的装置,其特征在于,还包括:15. The apparatus according to claim 14, characterized in that it further comprises: 网络信息采集模块,其用于采集本地网络拓扑结构和网络连通性信息,以供所述攻击预测模块确定潜在攻击目标;以及A network information acquisition module is used to collect local network topology and network connectivity information for the attack prediction module to determine potential attack targets; and 动态监测模块,其用于对当前攻击目标进行动态监测,以供所述攻击预测模块确定当前攻击手段。The dynamic monitoring module is used to dynamically monitor the current attack target so that the attack prediction module can determine the current attack method. 16.一种电子设备,其特征在于,包括:16. 
An electronic device, characterized in that it comprises: 处理器;以及Processor; and 存储器,其上存储有可执行代码,当所述可执行代码被所述处理器执行时,使所述处理器执行如权利要求1-13中任一项所述的方法。A memory having executable code stored thereon, which, when executed by the processor, causes the processor to perform the method as described in any one of claims 1-13. 17.一种非暂时性计算机可读存储介质,其上存储有可执行代码,当所述可执行代码被电子设备的处理器执行时,使所述处理器执行如权利要求1-13中任一项所述的方法。17. A non-transitory computer-readable storage medium having executable code stored thereon, which, when executed by a processor of an electronic device, causes the processor to perform the method as described in any one of claims 1-13.
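The scoring structure of claims 4 to 8 (Has function, probability function rel(t,f), occurrence probabilities) and the target selection of claim 11, as an added Python example; this is not the patent's own code. The patent's formulas (Figures QLYQS_1 and QLYQS_7) are images that are not reproduced on this page, so the way P(t), rel(t,f) and has(b,f) are combined below (a weighted sum per target, then normalisation over attack methods for the chosen target) is an assumption, as are all host names, feature names, link names and numeric values.

```python
"""Toy attack-target / attack-method prediction in the style of claims 4-8 and 11.

Added example, not the patent's code.  The combination of P(t), rel(t,f) and
has(b,f) is assumed; the patent's exact formulas are images not shown on the page.
"""
from typing import Dict, Set, Tuple

# --- Constructed sample inputs ------------------------------------------------

# Occurrence probability P(t) of each potential attack method (what the attack
# prediction model of claim 1 would output for the next step).  Made-up values.
ATTACK_OCCURRENCE: Dict[str, float] = {"brute_force": 0.5, "sqli": 0.3, "rce": 0.2}

# rel(t, f) in [0, 1]: association between attack method t and security feature f,
# obtained in claim 8 from statistics over historical static detection results.
REL: Dict[str, Dict[str, float]] = {
    "brute_force": {"weak_password": 0.9, "open_ssh": 0.7, "unpatched_web": 0.1},
    "sqli":        {"weak_password": 0.2, "open_ssh": 0.0, "unpatched_web": 0.8},
    "rce":         {"weak_password": 0.1, "open_ssh": 0.3, "unpatched_web": 0.6},
}

# Static detection result per host: the set of security features the host has.
STATIC: Dict[str, Set[str]] = {
    "hostX": {"open_ssh"},                                   # the host currently under attack
    "hostA": {"weak_password", "open_ssh"},
    "hostB": {"unpatched_web", "open_ssh"},
    "hostC": {"weak_password", "unpatched_web", "open_ssh"},  # worst posture, but unreachable
}

# Local topology as links (hosts sharing a link) plus per-link connectivity (claim 11).
LINKS: Dict[str, Set[str]] = {"link1": {"hostX", "hostA", "hostB"}, "link2": {"hostX", "hostC"}}
CONNECTED: Dict[str, bool] = {"link1": True, "link2": False}


def has(b: str, f: str, static: Dict[str, Set[str]] = STATIC) -> int:
    """Claim 7: Has function, 1 if target b has security feature f, else 0."""
    return 1 if f in static.get(b, set()) else 0


def potential_targets(current: str, links=LINKS, connected=CONNECTED) -> Set[str]:
    """Claim 11: the current target plus every host on a connected link it shares."""
    targets = {current}
    for link_id, hosts in links.items():
        if current in hosts and connected.get(link_id, False):
            targets |= hosts
    return targets


def method_weight(b: str, t: str, occurrence=ATTACK_OCCURRENCE, rel=REL, static=STATIC) -> float:
    """Assumed combination: P(t) * sum_f rel(t, f) * has(b, f)."""
    return occurrence[t] * sum(rel[t][f] * has(b, f, static) for f in rel[t])


def target_attack_probability(b: str, occurrence=ATTACK_OCCURRENCE, rel=REL, static=STATIC) -> float:
    """Claim 5 analogue: score of target b summed over all potential attack methods."""
    return sum(method_weight(b, t, occurrence, rel, static) for t in occurrence)


def method_attack_probabilities(b: str, occurrence=ATTACK_OCCURRENCE, rel=REL, static=STATIC) -> Dict[str, float]:
    """Claim 6 analogue: per-method weights for target b, normalised to sum to 1."""
    weights = {t: method_weight(b, t, occurrence, rel, static) for t in occurrence}
    total = sum(weights.values())
    if total == 0.0:
        # No feature of b is associated with any method: nothing to rank.
        return {t: 0.0 for t in weights}
    return {t: w / total for t, w in weights.items()}


def predict(current: str) -> Tuple[str, str, Dict[str, float], Dict[str, float]]:
    """Claims 2 and 3: pick the highest-scoring reachable target, then its most likely method."""
    scores = {b: target_attack_probability(b) for b in potential_targets(current)}
    predicted_target = max(scores, key=scores.get)
    methods = method_attack_probabilities(predicted_target)
    predicted_method = max(methods, key=methods.get)
    return predicted_target, predicted_method, scores, methods


if __name__ == "__main__":
    target, method, scores, methods = predict("hostX")
    print("reachable target scores:", scores)
    print(f"predicted target: {target}, predicted method: {method} ({methods[method]:.2f})")
```

With the constructed inputs, hostC would score highest on posture alone but is excluded because its link to hostX is not connected; among the reachable hosts hostA is selected and brute force is its most likely method. Mitigation for that method on that host (claim 9) is the natural consumer of the output.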
CN202310690622.0A 2023-06-12 2023-06-12 Method, device, equipment and storage medium for predicting network attacks Active CN116436701B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310690622.0A CN116436701B (en) 2023-06-12 2023-06-12 Method, device, equipment and storage medium for predicting network attacks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310690622.0A CN116436701B (en) 2023-06-12 2023-06-12 Method, device, equipment and storage medium for predicting network attacks

Publications (2)

Publication Number Publication Date
CN116436701A true CN116436701A (en) 2023-07-14
CN116436701B CN116436701B (en) 2023-08-18

Family

ID=87087562

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310690622.0A Active CN116436701B (en) 2023-06-12 2023-06-12 Method, device, equipment and storage medium for predicting network attacks

Country Status (1)

Country Link
CN (1) CN116436701B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119854045A (en) * 2025-03-20 2025-04-18 北京航空航天大学 Universal complex network attack inference method based on Bayesian ATT & CK network

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150381649A1 (en) * 2014-06-30 2015-12-31 Neo Prime, LLC Probabilistic Model For Cyber Risk Forecasting
CN108769051A (en) * 2018-06-11 2018-11-06 中国人民解放军战略支援部队信息工程大学 A kind of network intrusions situation intention appraisal procedure based on alert correlation
CN108833186A (en) * 2018-06-29 2018-11-16 北京奇虎科技有限公司 A network attack prediction method and device
CN112187773A (en) * 2020-09-23 2021-01-05 支付宝(杭州)信息技术有限公司 Method and device for mining network security vulnerability
CN114095270A (en) * 2021-11-29 2022-02-25 北京天融信网络安全技术有限公司 Network attack prediction method and device
CN115203692A (en) * 2022-05-23 2022-10-18 东南大学 Multi-dimensional Android platform application behavior safety assessment method integrating user subjective evaluation


Also Published As

Publication number Publication date
CN116436701B (en) 2023-08-18


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant