CN118802353A - A method for constructing a honey array model based on dynamic perception attack graph - Google Patents
A method for constructing a honey array model based on dynamic perception attack graph Download PDFInfo
- Publication number
- CN118802353A CN118802353A CN202410992909.3A CN202410992909A CN118802353A CN 118802353 A CN118802353 A CN 118802353A CN 202410992909 A CN202410992909 A CN 202410992909A CN 118802353 A CN118802353 A CN 118802353A
- Authority
- CN
- China
- Prior art keywords
- honey
- attack
- dynamic
- attack graph
- attribute
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 235000012907 honey Nutrition 0.000 title claims abstract description 283
- 230000008447 perception Effects 0.000 title claims abstract description 102
- 238000000034 method Methods 0.000 title claims abstract description 35
- 230000007123 defense Effects 0.000 claims abstract description 145
- 238000004458 analytical method Methods 0.000 claims abstract description 122
- 230000003068 static effect Effects 0.000 claims abstract description 84
- 238000010276 construction Methods 0.000 claims abstract description 25
- 238000012544 monitoring process Methods 0.000 claims abstract description 5
- 230000006399 behavior Effects 0.000 claims description 23
- 238000013461 design Methods 0.000 claims description 15
- 238000004590 computer program Methods 0.000 claims description 11
- 238000013480 data collection Methods 0.000 claims description 11
- 238000011002 quantification Methods 0.000 claims description 8
- 238000004422 calculation algorithm Methods 0.000 abstract description 8
- 230000008859 change Effects 0.000 abstract description 3
- 235000009508 confectionery Nutrition 0.000 description 9
- 238000010586 diagram Methods 0.000 description 7
- 238000012502 risk assessment Methods 0.000 description 7
- 238000004364 calculation method Methods 0.000 description 5
- 230000000875 corresponding effect Effects 0.000 description 4
- 238000001514 detection method Methods 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 238000004445 quantitative analysis Methods 0.000 description 3
- 230000004044 response Effects 0.000 description 3
- 101001121408 Homo sapiens L-amino-acid oxidase Proteins 0.000 description 2
- 102100026388 L-amino-acid oxidase Human genes 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 2
- 230000001364 causal effect Effects 0.000 description 2
- 230000008878 coupling Effects 0.000 description 2
- 238000010168 coupling process Methods 0.000 description 2
- 238000005859 coupling reaction Methods 0.000 description 2
- 230000000694 effects Effects 0.000 description 2
- 230000006870 function Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 101000827703 Homo sapiens Polyphosphoinositide phosphatase Proteins 0.000 description 1
- 102100023591 Polyphosphoinositide phosphatase Human genes 0.000 description 1
- 101100012902 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) FIG2 gene Proteins 0.000 description 1
- 101100233916 Saccharomyces cerevisiae (strain ATCC 204508 / S288c) KAR5 gene Proteins 0.000 description 1
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000009471 action Effects 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000002596 correlated effect Effects 0.000 description 1
- 230000008260 defense mechanism Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 239000000284 extract Substances 0.000 description 1
- 238000011835 investigation Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000005070 sampling Methods 0.000 description 1
- 238000012216 screening Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
技术领域Technical Field
本发明涉及网络安全技术领域,尤其涉及一种基于动态感知攻击图的蜜阵模型构建方法。The present invention relates to the field of network security technology, and in particular to a method for constructing a honey array model based on a dynamic perception attack graph.
背景技术Background Art
欺骗设陷网络是一种先进的防御网络系统,它使用蜜点对虚拟网络或资产进行布置,吸引攻击者对其进行攻击,从而在攻击者与企业的真实资产之间设立一道防线。当攻击者被诱入陷阱时,企业的真实资产便得到了保护,避免了潜在的损害。Deception trap network is an advanced defense network system that uses honeypots to deploy virtual networks or assets to attract attackers to attack them, thereby setting up a line of defense between attackers and the company's real assets. When attackers are lured into the trap, the company's real assets are protected and potential damage is avoided.
经过调研了解到,针对复杂多变的欺骗设陷网络,目前已有的相关研究较少从动态定量安全方面进行分析。然而,面对现实的复杂多变网络环境,攻击手段和策略不断演变,静态的安全分析方法往往难以及时反映,从而导致防御策略的滞后。此外,欺骗设陷网络需要不断调整和优化蜜点,以保持对攻击者的吸引力和迷惑性,但缺乏动态定量分析工具意味着这些调整无法基于科学的量化数据进行优化,从而可能降低防御效果。After investigation, we learned that there are few existing studies on complex and changeable deception trap networks from the perspective of dynamic quantitative security. However, in the face of the complex and changeable network environment, attack methods and strategies are constantly evolving, and static security analysis methods are often difficult to reflect in a timely manner, resulting in a lag in defense strategies. In addition, deception trap networks need to constantly adjust and optimize honey spots to maintain their attractiveness and confusion to attackers, but the lack of dynamic quantitative analysis tools means that these adjustments cannot be optimized based on scientific quantitative data, which may reduce the effectiveness of defense.
因此,有必要提供一种能够进行动态定量分析以监控和评估网络安全态势,提高对复杂攻击的响应效率的欺骗设陷网络的防御构建方法。Therefore, it is necessary to provide a defense construction method for deceiving and trapping networks that can perform dynamic quantitative analysis to monitor and evaluate network security situation and improve the efficiency of responding to complex attacks.
发明内容Summary of the invention
本发明的目的在于提供一种基于动态感知攻击图的蜜阵模型构建方法,用以提供一种能够实时感知和分析攻击者的行为路径、动态调整蜜阵结构的蜜阵模型构建方法,以增强欺骗设陷网络的防御效果。The purpose of the present invention is to provide a honey array model construction method based on dynamic perception attack graph, so as to provide a honey array model construction method that can perceive and analyze the attacker's behavior path in real time and dynamically adjust the honey array structure to enhance the defense effect of deceiving and trapping the network.
第一方面,本发明提供的基于动态感知攻击图的蜜阵模型构建方法包括:进行数据采集以获取网络攻击和网络防御的相关数据构建原始数据集;根据原始数据集进行分析以提取安全事件、行为模式生成警报信息,基于原始数据集和警报信息构建动态感知攻击图;根据动态感知攻击图,设计静态风险协同分析用于识别和评估已知风险,设计动态风险协同分析用于对实时获取的数据进行监控和调整,构建基于动态感知攻击图的蜜阵模型。In the first aspect, the method for constructing a honey array model based on a dynamic perception attack graph provided by the present invention includes: collecting data to obtain relevant data on network attacks and network defenses to construct an original data set; analyzing the original data set to extract security events and behavior patterns to generate alarm information, and constructing a dynamic perception attack graph based on the original data set and the alarm information; based on the dynamic perception attack graph, designing a static risk collaborative analysis for identifying and evaluating known risks, and designing a dynamic risk collaborative analysis for monitoring and adjusting the data acquired in real time, and constructing a honey array model based on the dynamic perception attack graph.
本发明提供的基于动态感知攻击图的蜜阵模型构建方法的有益效果在于:引入量化方案构建动态感知攻击图能够实现量化网络的动态不确定性以及攻击图中的关键参数,为网络安全防御人员提供一个科学、定量的参考策略,帮助其更好理解和应对网络中的安全威胁。以欺骗设陷为核心目标,通过静态及动态防御风险协同分析算法使蜜阵模型能够有效适应网络结构和流量模式的动态变化,以实现对网络弹性演化的实时响应。这些算法不仅能够在网络静态状态下评估安全风险,还能够在网络动态变化过程中,持续监测和分析潜在的安全威胁,从而为网络安全提供更为灵活和适应性强的防御手段。The beneficial effect of the method for constructing a honey array model based on a dynamic perception attack graph provided by the present invention is that the introduction of a quantitative scheme to construct a dynamic perception attack graph can quantify the dynamic uncertainty of the network and the key parameters in the attack graph, providing a scientific and quantitative reference strategy for network security defense personnel to help them better understand and respond to security threats in the network. With deception and trapping as the core goal, the honey array model can effectively adapt to the dynamic changes of network structure and traffic patterns through static and dynamic defense risk collaborative analysis algorithms to achieve real-time response to the evolution of network elasticity. These algorithms can not only evaluate security risks in the static state of the network, but also continuously monitor and analyze potential security threats during the dynamic changes of the network, thereby providing a more flexible and adaptable defense method for network security.
一种可能的实施例中,进行数据采集以获取网络攻击和网络防御的相关数据构建原始数据集,包括:从入侵规则库,安全情报,攻击诱捕系统资产,多方威胁数据日志和漏洞数据库进行数据采集,以获取关于攻击模式和防御策略、潜在威胁、攻击行为、威胁情报和安全漏洞的网络攻击和网络防御的相关数据;整合网络攻击和网络防御的相关数据构建形成原始数据集。In one possible embodiment, data collection is performed to obtain relevant data on network attacks and network defense to construct an original data set, including: collecting data from an intrusion rule library, security intelligence, attack trapping system assets, multi-party threat data logs and vulnerability databases to obtain relevant data on network attacks and network defense regarding attack patterns and defense strategies, potential threats, attack behaviors, threat intelligence and security vulnerabilities; integrating relevant data on network attacks and network defense to construct an original data set.
另一种可能的实施例中,基于原始数据集和警报信息构建动态感知攻击图,包括:定义属性蜜点和原子攻击蜜点,根据属性蜜点的状态、原子攻击蜜点的状态、属性蜜点与其根蜜点之间的关系、属性蜜点与原子攻击蜜点之间的关系,以及属性蜜点与警报信息之间的关系构建动态感知攻击图的结构;量化动态感知攻击图的结构中的参数,包括:根据原子攻击蜜点的欺骗设陷成功率和NCR-index计算原子攻击蜜点的概率,根据属性蜜点的条件概率计算局部条件的概率,根据属性蜜点的条件概率计算属性蜜点的先验概率,根据属性蜜点与警报信息之间的关系计算属性蜜点的后验概率;根据动态感知攻击图的结构和参数的量化结果,完成动态感知攻击图的构建。In another possible embodiment, a dynamic perception attack graph is constructed based on the original data set and the alarm information, including: defining attribute honey points and atomic attack honey points, and constructing the structure of the dynamic perception attack graph according to the state of the attribute honey points, the state of the atomic attack honey points, the relationship between the attribute honey points and their root honey points, the relationship between the attribute honey points and the atomic attack honey points, and the relationship between the attribute honey points and the alarm information; quantifying the parameters in the structure of the dynamic perception attack graph, including: calculating the probability of the atomic attack honey points according to the deception trap success rate and NCR-index of the atomic attack honey points, calculating the probability of the local conditions according to the conditional probability of the attribute honey points, calculating the prior probability of the attribute honey points according to the conditional probability of the attribute honey points, and calculating the posterior probability of the attribute honey points according to the relationship between the attribute honey points and the alarm information; and completing the construction of the dynamic perception attack graph according to the structure of the dynamic perception attack graph and the quantification results of the parameters.
其它可能的实施例中,设计静态风险协同分析包括设计静态防御风险协同分析的感知攻击图,具体包括:初始化静态防御风险协同分析的攻击图;获取对当前欺骗设陷的赋值用于计算静态防御风险协同分析攻击图中的原子攻击蜜点的概率;获取初始属性蜜点的静态可达概率赋值,计算静态防御风险协同分析攻击图中的局部条件概率和属性蜜点的先验概率;更新静态防御风险协同分析攻击图的参数得到静态防御风险协同分析的感知攻击图。In other possible embodiments, designing a static risk collaborative analysis includes designing a perceptual attack graph for a static defense risk collaborative analysis, specifically including: initializing the attack graph for the static defense risk collaborative analysis; obtaining an assignment for a current deception trap for calculating the probability of an atomic attack honey point in the static defense risk collaborative analysis attack graph; obtaining a static reachable probability assignment for an initial attribute honey point, calculating the local conditional probability and the prior probability of the attribute honey point in the static defense risk collaborative analysis attack graph; and updating the parameters of the static defense risk collaborative analysis attack graph to obtain the perceptual attack graph for the static defense risk collaborative analysis.
设计动态风险协同分析包括设计动态防御风险协同分析的感知攻击图,具体包括:初始化动态防御风险协同分析攻击图;获取当前欺骗设陷网络的NCR-index用于更新所述静态防御风险协同分析的感知攻击图中的属性蜜点的先验概率;获取警报信息用于计算动态防御风险协同分析攻击图中属性蜜点的后验概率;更新动态防御风险协同分析攻击图的参数得到动态防御风险协同分析的感知攻击图。Designing dynamic risk collaborative analysis includes designing a perceptual attack graph for dynamic defense risk collaborative analysis, specifically including: initializing the dynamic defense risk collaborative analysis attack graph; obtaining the NCR-index of the current deception trap network for updating the prior probability of attribute honey points in the perceptual attack graph of the static defense risk collaborative analysis; obtaining alarm information for calculating the posterior probability of attribute honey points in the dynamic defense risk collaborative analysis attack graph; updating the parameters of the dynamic defense risk collaborative analysis attack graph to obtain the perceptual attack graph of the dynamic defense risk collaborative analysis.
第二方面,本发明还提供了一种基于动态感知攻击图的蜜阵模型构建装置,包括:数据采集单元,用于进行数据采集以获取网络攻击和网络防御的相关数据构建原始数据集;动态感知攻击图构建单元,用于根据原始数据集进行分析以提取安全事件、行为模式生成警报信息,基于原始数据集和警报信息构建动态感知攻击图;蜜阵模型构建单元,用于根据动态感知攻击图,设计静态风险协同分析用于识别和评估已知风险,设计动态风险协同分析用于对实时获取的数据进行监控和调整,构建基于动态感知攻击图的蜜阵模型。In the second aspect, the present invention also provides a honey array model construction device based on a dynamic perception attack graph, including: a data acquisition unit, used to perform data acquisition to obtain relevant data on network attacks and network defenses to construct an original data set; a dynamic perception attack graph construction unit, used to analyze the original data set to extract security events and behavior patterns to generate alarm information, and construct a dynamic perception attack graph based on the original data set and the alarm information; a honey array model construction unit, used to design a static risk collaborative analysis for identifying and evaluating known risks according to the dynamic perception attack graph, and design a dynamic risk collaborative analysis for monitoring and adjusting the data acquired in real time, and construct a honey array model based on the dynamic perception attack graph.
其中,数据采集单元进行数据采集以获取网络攻击和网络防御的相关数据构建原始数据集,包括:从入侵规则库,安全情报,攻击诱捕系统资产,多方威胁数据日志和漏洞数据库进行数据采集,以获取关于攻击模式和防御策略、潜在威胁、攻击行为、威胁情报和安全漏洞的网络攻击和网络防御的相关数据;整合网络攻击和网络防御的相关数据构建形成原始数据集。Among them, the data collection unit collects data to obtain relevant data of network attacks and network defense to construct the original data set, including: collecting data from the intrusion rule library, security intelligence, attack trapping system assets, multi-party threat data logs and vulnerability database to obtain relevant data of network attacks and network defense about attack patterns and defense strategies, potential threats, attack behaviors, threat intelligence and security vulnerabilities; integrating the relevant data of network attacks and network defense to construct the original data set.
动态感知攻击图构建单元基于原始数据集和警报信息构建动态感知攻击图,包括:定义属性蜜点和原子攻击蜜点,根据属性蜜点的状态、原子攻击蜜点的状态、属性蜜点与其根蜜点之间的关系、属性蜜点与原子攻击蜜点之间的关系,以及属性蜜点与警报信息之间的关系构建动态感知攻击图的结构;量化动态感知攻击图的结构中的参数,包括:根据原子攻击蜜点的欺骗设陷成功率和NCR-index计算原子攻击蜜点的概率,根据属性蜜点的条件概率计算局部条件的概率,根据属性蜜点的条件概率计算属性蜜点的先验概率,根据属性蜜点与警报信息之间的关系计算属性蜜点的后验概率;根据动态感知攻击图的结构和参数的量化结果,完成动态感知攻击图的构建。The dynamic perception attack graph construction unit constructs a dynamic perception attack graph based on the original data set and the alarm information, including: defining attribute honey points and atomic attack honey points, and constructing the structure of the dynamic perception attack graph according to the state of the attribute honey points, the state of the atomic attack honey points, the relationship between the attribute honey points and their root honey points, the relationship between the attribute honey points and the atomic attack honey points, and the relationship between the attribute honey points and the alarm information; quantifying the parameters in the structure of the dynamic perception attack graph, including: calculating the probability of the atomic attack honey points according to the deception trap success rate and NCR-index of the atomic attack honey points, calculating the probability of the local conditions according to the conditional probability of the attribute honey points, calculating the prior probability of the attribute honey points according to the conditional probability of the attribute honey points, and calculating the posterior probability of the attribute honey points according to the relationship between the attribute honey points and the alarm information; according to the structure of the dynamic perception attack graph and the quantification results of the parameters, the construction of the dynamic perception attack graph is completed.
蜜阵模型构建单元设计静态风险协同分析包括设计静态防御风险协同分析的感知攻击图,具体包括:初始化静态防御风险协同分析的攻击图;获取对当前欺骗设陷的赋值用于计算静态防御风险协同分析攻击图中的原子攻击蜜点的概率;获取初始属性蜜点的静态可达概率赋值,计算静态防御风险协同分析攻击图中的局部条件概率和属性蜜点的先验概率;更新静态防御风险协同分析攻击图的参数得到静态防御风险协同分析的感知攻击图。The honey array model construction unit designs static risk collaborative analysis, including designing a perceived attack graph for static defense risk collaborative analysis, specifically including: initializing the attack graph for static defense risk collaborative analysis; obtaining the assignment of the current deception trap to calculate the probability of atomic attack honey points in the static defense risk collaborative analysis attack graph; obtaining the static reachable probability assignment of the initial attribute honey points, calculating the local conditional probability and the prior probability of the attribute honey points in the static defense risk collaborative analysis attack graph; updating the parameters of the static defense risk collaborative analysis attack graph to obtain the perceived attack graph for static defense risk collaborative analysis.
蜜阵模型构建单元设计动态风险协同分析包括设计动态防御风险协同分析的感知攻击图,具体包括:初始化动态防御风险协同分析攻击图;获取当前欺骗设陷网络的NCR-index用于更新所述静态防御风险协同分析的感知攻击图中的属性蜜点的先验概率;获取警报信息用于计算动态防御风险协同分析攻击图中属性蜜点的后验概率;更新动态防御风险协同分析攻击图的参数得到动态防御风险协同分析的感知攻击图。The honey array model construction unit designs dynamic risk collaborative analysis, including designing a perception attack graph for dynamic defense risk collaborative analysis, specifically including: initializing the dynamic defense risk collaborative analysis attack graph; obtaining the NCR-index of the current deception trap network for updating the prior probability of attribute honey points in the perception attack graph of the static defense risk collaborative analysis; obtaining alarm information for calculating the posterior probability of attribute honey points in the dynamic defense risk collaborative analysis attack graph; updating the parameters of the dynamic defense risk collaborative analysis attack graph to obtain the perception attack graph for the dynamic defense risk collaborative analysis.
第三方面,本发明还提供了一种计算机可读存储介质,所述计算机可读存储介质上存储有计算机程序,所述计算机程序被处理器执行时实现上述基于动态感知攻击图的蜜阵模型构建方法。In a third aspect, the present invention further provides a computer-readable storage medium having a computer program stored thereon, and when the computer program is executed by a processor, the method for constructing a honey array model based on a dynamic perception attack graph is implemented.
第四方面,本发明还提供了一种电子设备,包括:处理器及存储器;所述存储器用于存储计算机程序;所述处理器用于执行所述存储器存储的计算机程序,以使所述电子设备执行上述基于动态感知攻击图的蜜阵模型构建方法。In a fourth aspect, the present invention also provides an electronic device, comprising: a processor and a memory; the memory is used to store a computer program; the processor is used to execute the computer program stored in the memory, so that the electronic device executes the above-mentioned method for constructing a honey array model based on a dynamic perception attack graph.
关于上述第二方面至第四方面的有益效果可以参见上述第一方面的描述。For the beneficial effects of the second to fourth aspects, reference may be made to the description of the first aspect.
附图说明BRIEF DESCRIPTION OF THE DRAWINGS
图1为本发明实施例提供的一种基于动态感知攻击图的蜜阵模型构建方法的流程示意图;FIG1 is a schematic diagram of a flow chart of a method for constructing a honey array model based on a dynamic perception attack graph provided by an embodiment of the present invention;
图2为本发明实施例提供的基于动态感知攻击图的蜜阵模型构建方法进行蜜阵模型构建与部署的一种示例情况示意图;FIG2 is a schematic diagram of an example of a situation in which a honey array model is constructed and deployed according to a honey array model construction method based on a dynamic perception attack graph provided by an embodiment of the present invention;
图3为本发明实施例提供的动态感知攻击图的示例结构示意图;FIG3 is a schematic diagram of an example structure of a dynamic perception attack graph provided by an embodiment of the present invention;
图4为本发明实施例提供的电网系统的蜜阵实例化部署示意图;FIG4 is a schematic diagram of an instantiation deployment of a honey array of a power grid system provided by an embodiment of the present invention;
图5为本发明实施例提供的一种基于动态感知攻击图的蜜阵模型构建装置的示意图;5 is a schematic diagram of a honey array model construction device based on a dynamic perception attack graph provided by an embodiment of the present invention;
图6为本发明实施例提供的一种电子设备结构示意图。FIG. 6 is a schematic diagram of the structure of an electronic device provided by an embodiment of the present invention.
具体实施方式DETAILED DESCRIPTION
为使本发明的目的、技术方案和优点更加清楚,下面将结合本发明的附图,对本发明实施例中的技术方案进行清楚、完整地描述,显然,所描述的实施例是本发明的一部分实施例,而不是全部的实施例。基于本发明中的实施例,本领域普通技术人员在没有作出创造性劳动前提下所获得的所有其他实施例,都属于本发明保护的范围。除非另外定义,此处使用的技术术语或者科学术语应当为本发明所属领域内具有一般技能的人士所理解的通常意义。本文中使用的“包括”等类似的词语意指出现该词前面的元件或者物件涵盖出现在该词后面列举的元件或者物件及其等同,而不排除其他元件或者物件。In order to make the purpose, technical solutions and advantages of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the drawings of the present invention. Obviously, the described embodiments are part of the embodiments of the present invention, rather than all of the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by ordinary technicians in this field without creative work are within the scope of protection of the present invention. Unless otherwise defined, the technical terms or scientific terms used herein should be understood by people with general skills in the field to which the present invention belongs. "Including" and similar words used in this article mean that the elements or objects appearing before the word include the elements or objects listed after the word and their equivalents, without excluding other elements or objects.
针对现有技术存在的问题,本发明的实施例提供了一种基于动态感知攻击图的蜜阵模型构建方法。In view of the problems existing in the prior art, an embodiment of the present invention provides a method for constructing a honey array model based on a dynamic perception attack graph.
本实施例提供了一种基于动态感知攻击图的蜜阵模型构建方法。参见图1至图4,该方法包括:This embodiment provides a method for constructing a honey array model based on a dynamic perception attack graph. Referring to Figures 1 to 4, the method includes:
S101:进行数据采集以获取网络攻击和网络防御的相关数据构建原始数据集。S101: Conduct data collection to obtain relevant data on network attacks and network defense to build an original data set.
在S101中,一种可能的实施例中,进行数据采集以获取网络攻击和网络防御的相关数据构建原始数据集,包括:从入侵规则库,安全情报,攻击诱捕系统资产,多方威胁数据日志和漏洞数据库进行数据采集,以获取关于攻击模式和防御策略、潜在威胁、攻击行为、威胁情报和安全漏洞的网络攻击和网络防御的相关数据;整合网络攻击和网络防御的相关数据构建形成原始数据集。In S101, in a possible embodiment, data collection is performed to obtain relevant data of network attacks and network defense to construct an original data set, including: collecting data from an intrusion rule library, security intelligence, attack trapping system assets, multi-party threat data logs and a vulnerability database to obtain relevant data of network attacks and network defense about attack patterns and defense strategies, potential threats, attack behaviors, threat intelligence and security vulnerabilities; integrating relevant data of network attacks and network defense to construct an original data set.
示例性地,进行数据采集时,从入侵规则库,安全情报,攻击诱捕系统资产,多方威胁数据日志,漏洞数据库这五个角度对数据进行采集。据上述五个角度采集以获取到的网络攻击和网络防御的相关数据包括:入侵规则库提供最新的攻击模式和防御策略,安全情报帮助识别和预防潜在威胁,攻击诱捕系统资产记录分析攻击行为,多方威胁数据日志整合不同来源的威胁情报,漏洞数据库及时发现并修补安全漏洞。根据上述网络攻击和网络防御的相关数据,能够整合构建一个动态、全面的安全防护体系。Exemplarily, when collecting data, data is collected from five perspectives: intrusion rule base, security intelligence, attack trapping system assets, multi-party threat data logs, and vulnerability databases. The relevant data on network attacks and network defense obtained from the above five perspectives include: the intrusion rule base provides the latest attack patterns and defense strategies, security intelligence helps identify and prevent potential threats, attack trapping system assets record and analyze attack behaviors, multi-party threat data logs integrate threat intelligence from different sources, and vulnerability databases discover and patch security vulnerabilities in a timely manner. Based on the above-mentioned network attack and network defense related data, a dynamic and comprehensive security protection system can be integrated and constructed.
通过概率攻击图定义动态感知攻击图DAA-graph,进而构造DAA-graph结构,能够刻画攻击步骤间的因果耦合关系和概率推理关系。量化动态感知攻击图中的参数能够为后续构建的基于动态感知攻击图的蜜阵模型提供一种新的分析工具,使其能够更准确地模拟和预测攻击者的行为模式。进而使蜜阵模型能够实时监测网络中的异常活动,评估攻击的潜在影响,并动态调整防御机制以应对不断变化的网络威胁。The dynamic perception attack graph DAA-graph is defined through the probabilistic attack graph, and then the DAA-graph structure is constructed, which can characterize the causal coupling relationship and probabilistic reasoning relationship between the attack steps. Quantifying the parameters in the dynamic perception attack graph can provide a new analysis tool for the honey array model based on the dynamic perception attack graph, so that it can more accurately simulate and predict the behavior pattern of attackers. In turn, the honey array model can monitor abnormal activities in the network in real time, evaluate the potential impact of attacks, and dynamically adjust the defense mechanism to cope with the ever-changing network threats.
S102:根据原始数据集进行分析以提取安全事件、行为模式生成警报信息,基于原始数据集和警报信息构建动态感知攻击图。S102: Analyze the original data set to extract security events and behavior patterns to generate alarm information, and build a dynamic perception attack graph based on the original data set and the alarm information.
在S102中,一种可能的实施例中,基于原始数据集和警报信息构建动态感知攻击图,包括:定义属性蜜点和原子攻击蜜点,根据属性蜜点的状态、原子攻击蜜点的状态、属性蜜点与其根蜜点之间的关系、属性蜜点与原子攻击蜜点之间的关系,以及属性蜜点与警报信息之间的关系构建动态感知攻击图的结构;量化动态感知攻击图的结构中的参数,包括:根据原子攻击蜜点的欺骗设陷成功率和NCR-index计算原子攻击蜜点的概率,根据属性蜜点的条件概率计算局部条件的概率,根据属性蜜点的条件概率计算属性蜜点的先验概率,根据属性蜜点与警报信息之间的关系计算属性蜜点的后验概率;根据动态感知攻击图的结构和参数的量化结果,完成动态感知攻击图的构建。In S102, in a possible embodiment, a dynamic-perceived attack graph is constructed based on the original data set and the alarm information, including: defining attribute honey points and atomic attack honey points, and constructing the structure of the dynamic-perceived attack graph according to the state of the attribute honey points, the state of the atomic attack honey points, the relationship between the attribute honey points and their root honey points, the relationship between the attribute honey points and the atomic attack honey points, and the relationship between the attribute honey points and the alarm information; quantifying the parameters in the structure of the dynamic-perceived attack graph, including: calculating the probability of the atomic attack honey points according to the deception trap success rate and NCR-index of the atomic attack honey points, calculating the probability of the local conditions according to the conditional probability of the attribute honey points, calculating the prior probability of the attribute honey points according to the conditional probability of the attribute honey points, and calculating the posterior probability of the attribute honey points according to the relationship between the attribute honey points and the alarm information; and completing the construction of the dynamic-perceived attack graph according to the structure of the dynamic-perceived attack graph and the quantification results of the parameters.
在一种可能的实施例中,通过对原始数据集进行分析和加工,能够提取出关键的安全事件和行为模式并进一步生成详细的警报信息。警报信息不仅提供了实时的威胁预警,还还包含了有关攻击来源、路径和潜在影响的具体细节。In one possible embodiment, by analyzing and processing the original data set, key security events and behavior patterns can be extracted and further generated into detailed alarm information, which not only provides real-time threat warnings, but also contains specific details about the attack source, path, and potential impact.
本发明所述的动态感知攻击图(Dynamic Awareness Attack Graph,DAA-graph)是基于动态图构建的。其中动态图是指随着状态变换而进行动态更新的图,又记作图序列或者图流。The Dynamic Awareness Attack Graph (DAA-graph) of the present invention is constructed based on a dynamic graph, wherein a dynamic graph refers to a graph that is dynamically updated as the state changes, and is also referred to as a graph sequence or a graph flow.
在一个具体的实施例中,通过针对概率攻击图引入NCR-index的方式生成动态感知攻击图。在本实施例中,对动态感知攻击图的定义包括:In a specific embodiment, a dynamic perception attack graph is generated by introducing NCR-index into the probability attack graph. In this embodiment, the definition of the dynamic perception attack graph includes:
定义1:将属性蜜点定义为表示欺骗设陷网络中用于吸引和感知网络的入侵行为的蜜点,对蜜点进行0-1赋权。若属性蜜点的权值为1,表示蜜点(Honeypot,Hi)被攻击者入侵的概率P(Hi)=1;若属性蜜点的权值为0,则表示蜜点Hi未被攻击者入侵的概率且 Definition 1: Define the attribute honeypot as the honeypot that represents the intrusion behavior used to attract and sense the network in the deception trap network, and assign a weight of 0-1 to the honeypot. If the weight of the attribute honeypot is 1, it means that the probability of the honeypot (Honeypot, Hi ) being invaded by the attacker is P(H i ) = 1; if the weight of the attribute honeypot is 0, it means that the probability of the honeypot Hi not being invaded by the attacker is and
定义2:将原子攻击蜜点Xi定义为由前提条件属性蜜点Hpre转化为后继条件的属性蜜点Hpost所依托的欺骗设陷网络原子攻击,且Hpre不等于Hpost。从Hpre到Hpost的原子攻击蜜点的概率记作P(Xi),常定义为网络攻击所依托漏洞的利用成功概率进行量化,显然,P(Xi)≥0。Definition 2: The atomic attack honey point Xi is defined as the deceptive trap network atomic attack based on the transformation of the precondition attribute honey point Hpre into the subsequent condition attribute honey point Hpost , and Hpre is not equal to Hpost . The probability of the atomic attack honey point from Hpre to Hpost is denoted as P( Xi ), which is often defined as the probability of successful exploitation of the vulnerability relied on by the network attack to quantify. Obviously, P( Xi )≥0.
定义3:警报蜜点Ai定义为入侵检测系统是否观测到属性蜜点Hi被攻击者成功占有。当警报蜜点的状态为1时代表检测到属性蜜点被成功入侵,否则,警报蜜点的状态为0,表示没有检测到属性蜜点被攻击者占有。当检测到攻击事件时,动态感知攻击图呈现警报蜜点以明确标识报警的具体位置;否则,警报蜜点被隐藏以减小动态感知攻击图的展示规模,进而提升可读性。Definition 3: The alarm sweet spot Ai is defined as whether the intrusion detection system observes that the attribute sweet spot Hi is successfully occupied by the attacker. When the state of the alarm sweet spot is 1, it means that the attribute sweet spot is detected to be successfully invaded. Otherwise, the state of the alarm sweet spot is 0, indicating that the attribute sweet spot is not detected to be occupied by the attacker. When an attack event is detected, the dynamic perception attack graph presents the alarm sweet spot to clearly identify the specific location of the alarm; otherwise, the alarm sweet spot is hidden to reduce the display scale of the dynamic perception attack graph, thereby improving readability.
定义4:动态感知攻击图是蜜点集合和边集构成的五元组DAA(G)={V(G),E(G),W(G),R(G),T(G)},其中:Definition 4: The dynamic-aware attack graph is a five-tuple consisting of a honeypoint set and an edge set DAA(G) = {V(G), E(G), W(G), R(G), T(G)}, where:
(1)V(G)表示蜜点的集合,包括属性蜜点、原子攻击蜜点、警报蜜点,即v(G)={H∪X∪A}。其中,H={Hi|i∈[n]}={Hs}∪{Ht}∪{He},是由属性蜜点Hi组成的集合。攻击初始阶段,Hs表示攻击者初始属性蜜点构成的集合;攻击过程中,Ht表示攻击过程中的被访问的中间属性蜜点构成的集合;He表示攻击者到达目标属性蜜点的集合;X={Xi|i∈[m]},是由原子攻击蜜点Xi构成的集合;A={Ai|i∈[m]},是由警报蜜点Ai构成的集合。(1) V(G) represents the set of honey points, including attribute honey points, atomic attack honey points, and alarm honey points, that is, v(G) = {H∪X∪A}. Among them, H = {H i |i∈[n]} = {H s }∪{H t }∪{H e }, which is the set composed of attribute honey points Hi . At the initial stage of the attack, H s represents the set of the attacker's initial attribute honey points; during the attack, H t represents the set of the intermediate attribute honey points visited during the attack; He represents the set of the attacker's target attribute honey points; X = {X i |i∈[m]}, which is the set composed of atomic attack honey points Xi ; A = {A i |i∈[m]}, which is the set composed of alarm honey points Ai .
(2)E(G)表示有向边的集合,E(G)={E1(G)∪E2(G)∪E3(G)}。其中,表示攻击者占有某些资源或者权限后,选用某种原子蜜点攻击Ai;表示发动攻击时所依靠欺骗设陷网络连接的可靠性;表示入侵检测系统检测到攻击事件发出的警报。(2) E(G) represents the set of directed edges, E(G) = {E 1 (G) ∪ E 2 (G) ∪ E 3 (G)}. It means that after the attacker has certain resources or permissions, he chooses a certain atomic honey spot to attack Ai ; Indicates the reliability of the spoofed network connection used to launch the attack; Indicates an alarm issued by an intrusion detection system when it detects an attack.
(3)W(G)表示有向边赋权值的集合,即W(G)=(P(X),N,P(A))。其中,P(X)表示有向边E1(G)的权值,代表以状态Hpre到Hpost的原子攻击Xi的成功概率;N表示NCR-index,即描述欺骗设陷网络的不确定性对攻击结果的影响。P(A)表示对有向边E3进行赋值,代表攻击行为已经发生并且报警的概率。(3) W(G) represents the set of weighted values of directed edges, i.e., W(G) = (P(X), N, P(A)). Where, P(X) represents the weight of directed edge E 1 (G), representing the success probability of atomic attack Xi from state H pre to H post ; N represents NCR-index, which describes the impact of the uncertainty of the deceptive trap network on the attack result. P(A) represents the assignment of a value to directed edge E 3 , representing the probability that the attack behavior has occurred and an alarm has been issued.
(4)R(G)表示属性蜜点集合与根蜜点集合之间的关系,即二元组(Hj,Dj),其中,Dj{or,and},当Dj取or时,定义为欺骗设陷网络“并联或”,代表仅有一个根蜜点为真,即能到达状态属性蜜点Hj,当Dj取and时,定义为欺骗设陷网络的“并联与”,代表仅有根蜜点为真时才能到达状态属性蜜点Hj。其中,根蜜点表示蜜点的根点。(4) R(G) represents the relationship between the attribute honey point set and the root honey point set, that is, the binary (H j ,D j ), where D j {or, and}, when D j takes or, it is defined as the "parallel or" of the deceptive trap network, which means that only one root honey point is true, that is, the state attribute honey point H j can be reached. When D j takes and, it is defined as the "parallel and" of the deceptive trap network, which means that only when the root honey point is true can the state attribute honey point H j be reached. The root honey point represents the root point of the honey point.
(5)T(G)表示局部条件的概率分布(Local Conditional ProbabilityDistribution,LC-PD)。P={ρi∈[m]}表示欺骗设陷网络的蜜点及其根蜜点概率关联关系。如果蜜点Vi没有根蜜点,则其概率值根据先验知识得到,否则ρi=P(Vi|Pre(Vi)),其中,Pre(Vi)表示蜜点Vi的根蜜点的集合。(5) T(G) represents the local conditional probability distribution (LC-PD). P = {ρ i ∈ [m]} represents the probability association relationship between the honey points and their root honey points of the deceptive trap network. If the honey point V i has no root honey point, its probability value is obtained according to the prior knowledge, otherwise ρ i = P(V i | Pre(V i )), where Pre(V i ) represents the set of root honey points of the honey point V i .
示例性地,借鉴概率攻击图及贝叶斯攻击图的构造方式用以构造动态感知攻击图,具体地:根据定义的属性蜜点和原子攻击蜜点构造动态感知攻击图,构造完成的动态感知攻击图包括属性蜜点的状态、原子攻击蜜点的状态、属性蜜点与其根蜜点之间的关系、属性蜜点与原子攻击蜜点之间的关系。然后为属性蜜点增加警报蜜点,警报蜜点用于描述攻击行为的警报信息。图3为构造完成的动态感知攻击图的示例结构,or、and其中表示属性蜜点与其根蜜点之间的逻辑关系,箭头表示边的集合E(G)。然后,量化构造完成的动态感知攻击图的相关参数,具体包括:计算原子攻击蜜点的概率、计算局部条件的概率、计算属性蜜点的先验概率和计算属性蜜点的后验概率。Exemplarily, the construction methods of probabilistic attack graphs and Bayesian attack graphs are used to construct dynamic perception attack graphs. Specifically, the dynamic perception attack graph is constructed according to the defined attribute honey points and atomic attack honey points. The constructed dynamic perception attack graph includes the state of the attribute honey points, the state of the atomic attack honey points, the relationship between the attribute honey points and their root honey points, and the relationship between the attribute honey points and the atomic attack honey points. Then, alarm honey points are added to the attribute honey points, and the alarm honey points are used to describe the alarm information of the attack behavior. Figure 3 is an example structure of the constructed dynamic perception attack graph, where or and and represent the logical relationship between the attribute honey points and their root honey points, and the arrows represent the set of edges E(G). Then, the relevant parameters of the constructed dynamic perception attack graph are quantified, specifically including: calculating the probability of atomic attack honey points, calculating the probability of local conditions, calculating the prior probability of attribute honey points, and calculating the posterior probability of attribute honey points.
在一个具体的实施例中,根据原子攻击蜜点的欺骗设陷成功率和NCR-index计算原子攻击蜜点的概率满足如下公式:P(Xi)=Ni*P(X′i),其中,P(Xi)表示原子攻击蜜点的概率,P(X′i)=(Sv/10)×(Sc/10)×(Su/10)×100%,Ni表示NCR-index,NCR-index定义为网络攻击时所依赖网络的确定性程度,其取值范围为[0,1]。当NCR-index为0时,表示网络中断或者被物理隔离,当NCR-index为1时,表示网络联通稳定。P(X′i)表示欺骗设陷成功概率,Sv、Sc、Su根据CVSS标准进行赋值量化,具体的赋值标准如下表所示:In a specific embodiment, the probability of calculating the atomic attack honey spot based on the success rate of deception trapping of the atomic attack honey spot and the NCR-index satisfies the following formula: P(Xi)=Ni*P(X′ i ), where P(Xi) represents the probability of the atomic attack honey spot, P(X′ i )=(S v /10)×(S c /10)×(S u /10)×100%, Ni represents NCR-index, and NCR-index is defined as the degree of certainty of the network relied on during the network attack, and its value range is [0, 1]. When NCR-index is 0, it means that the network is interrupted or physically isolated, and when NCR-index is 1, it means that the network connection is stable. P(X′ i ) represents the probability of success of deception trapping, S v , S c , and Su are assigned and quantified according to the CVSS standard, and the specific assignment standards are shown in the following table:
CVSS基本属性的等级和评分值CVSS basic attribute levels and scoring values
动态感知攻击图中的属性蜜点之间需要考虑到根蜜点的相关性影响,因此属性蜜点间的关系具有相关性。属性蜜点Hi的条件概率为P(Hi|Pre(Hi)),基于不同的Dj,具体计算方式不同。根据属性蜜点的条件概率计算局部条件的概率满足如下公式:当Dj取and时,当Dj取or时,警报蜜点Ai的根蜜点为单个的蜜点Xi,检出率和误报率分别用r和f表示,表示警报蜜点Ai的局部条件的概率分布。The correlation between the attribute honey points in the dynamic perception attack graph needs to take into account the influence of the root honey points, so the relationship between the attribute honey points is correlated. The conditional probability of the attribute honey point Hi is P( Hi |Pre( Hi )), and the specific calculation method is different based on different Dj . The probability of calculating the local condition based on the conditional probability of the attribute honey point satisfies the following formula: When Dj takes and, When D j takes or, The root honey point of the alarm honey point Ai is a single honey point Xi . The detection rate and false alarm rate are represented by r and f respectively. Represents the probability distribution of the local conditions of the alarm sweet spot Ai .
静态欺骗设陷的安全风险协同分析的主要技术之一是属性蜜点Hi的先验概率。根据贝叶斯网络的性质可以得知,每个蜜点的先验概率是当前蜜点与其所有相关根蜜点的联合概率。根据属性蜜点的条件概率计算属性蜜点的先验概率满足如下公式:其中,P1(Hi)表示属性蜜点Hi的先验概率。One of the main techniques for collaborative analysis of security risks of static deception traps is the prior probability of attribute honey points Hi . According to the properties of Bayesian networks, the prior probability of each honey point is the joint probability of the current honey point and all its related root honey points. The prior probability of the attribute honey point calculated based on the conditional probability of the attribute honey point satisfies the following formula: Where P 1 (H i ) represents the prior probability of attribute honeypoint H i .
根据属性蜜点与警报信息之间的关系计算属性蜜点的后验概率具体包括:在真实的欺骗设陷网络场景中NCR-index是不断变化的。网络安全领域不断出现新的威胁事件,这些事件持续影响网络安全态势。为应对这些挑战,需要持续更新安全标准,并运用后验概率方法,进行动态的风险评估与分析。A={Ai|i∈[m]}表示相互独立的报警时间集合,假设忽略误警、虚警、漏警等情况入侵行为全部被发现则根据警报蜜点Ai的局部条件概率计算公式P(Ai|Hi)=1;否则P(Ai|Hi)=0。根据Ai与Hi的对应关系,得到被成功入侵的证据集合Hevi,需要更新的状态集合Hupdate=H-Hevi。对于任意Hk∈Hupdate,Hm∈Hevi,根据公式更新Hk的可达概率以得到属性蜜点的后验概率,其中,P(Hevi)=ΠkP(Hk=1),P2(Hk|Hevi)表示属性蜜点的后验概率,P(Hevi|Hk)表示有属性蜜点前提下,证据集合被入侵的概率,P(Hk)表示属性蜜点Hk的概率,P(Hevi)表示证据集合被入侵的概率。可达概率指从网络中的一个属性蜜点到另一个属性蜜点的可达性的概率。The posterior probability of the attribute honey point is calculated based on the relationship between the attribute honey point and the alarm information. Specifically, the NCR-index is constantly changing in the real deception trap network scenario. New threat events continue to emerge in the field of network security, and these events continue to affect the network security situation. In order to meet these challenges, it is necessary to continuously update security standards and use posterior probability methods to conduct dynamic risk assessment and analysis. A = {A i |i∈[m]} represents a set of independent alarm times. Assuming that false alarms, false alarms, missed alarms, etc. are ignored, all intrusion behaviors are discovered. According to the local conditional probability calculation formula of the alarm honey point A i P(A i |H i )=1; otherwise P(A i |H i )=0. According to the corresponding relationship between A i and H i , the evidence set He evi of successful intrusion is obtained, and the state set to be updated H update= HH evi . For any H k ∈Hupdate, H m ∈H evi , according to the formula Update the reachability probability of H k to get the posterior probability of the attribute honey point, where P(H evi ) = Π k P(H k = 1), P 2 (H k |H evi ) represents the posterior probability of the attribute honey point, P(H evi |H k ) represents the probability of the evidence set being invaded under the premise of the attribute honey point, P(H k ) represents the probability of the attribute honey point H k , and P(H evi ) represents the probability of the evidence set being invaded. The reachability probability refers to the probability of reachability from one attribute honey point in the network to another attribute honey point.
S103:根据动态感知攻击图,设计静态风险协同分析用于识别和评估已知风险,设计动态风险协同分析用于对实时获取的数据进行监控和调整,构建基于动态感知攻击图的蜜阵模型。S103: According to the dynamic perception attack graph, static risk collaborative analysis is designed to identify and evaluate known risks, dynamic risk collaborative analysis is designed to monitor and adjust the data obtained in real time, and a honey array model based on the dynamic perception attack graph is constructed.
在S103中,一种可能的实施例中,设计静态风险协同分析包括设计静态防御风险协同分析的感知攻击图,具体包括:初始化静态防御风险协同分析攻击图;获取对当前欺骗设陷的赋值用于计算静态防御风险协同分析攻击图中的原子攻击蜜点的概率;获取初始属性蜜点的静态可达概率赋值,计算静态防御风险协同分析攻击图中的局部条件概率和属性蜜点的先验概率;更新静态防御风险协同分析攻击图的参数得到静态防御风险协同分析的感知攻击图。In S103, in a possible embodiment, designing a static risk collaborative analysis includes designing a perceptual attack graph for a static defense risk collaborative analysis, specifically including: initializing the static defense risk collaborative analysis attack graph; obtaining an assignment for a current deception trap for calculating the probability of an atomic attack honey point in the static defense risk collaborative analysis attack graph; obtaining a static reachable probability assignment for an initial attribute honey point, calculating the local conditional probability and the prior probability of the attribute honey point in the static defense risk collaborative analysis attack graph; and updating the parameters of the static defense risk collaborative analysis attack graph to obtain the perceptual attack graph for the static defense risk collaborative analysis.
示例性地,设计静态防御风险协同分析的感知攻击图为:根据攻击图DAA(G)={V,E,W,R,T},初始属性蜜点H0的静态可达概率P(H0)及当前欺骗设陷的根据专家经验赋值,进行设计用于进行静态防御风险分析的攻击图Static_DAG={V,E,W,R,T,P1},其中,P1表示属性蜜点的先验概率。具体过程包括:初始化静态防御风险协同分析攻击图Static_DAG的参数,将DAA(G)的蜜点集合,边集合,赋权值的集合,相关关系等复制到Static_DAG。获取对当前欺骗设陷的赋值,根据公式P(Xi)=Ni*P(X′i)计算静态防御风险协同分析攻击图中的原子攻击蜜点的概率。获取初始属性蜜点的静态可达概率赋值,静态防御风险协同分析攻击图中的其余属性蜜点的可达概率可以通过计算得到,具体为根据公式和公式计算属性蜜点的可达概率,即得到局部条件概率。根据公式计算得到每个属性蜜点的先验概率P1(Hi),将P1(Hi)复制到静态防御风险协同分析攻击图中的参数P1。根据上述获取的赋值和计算结果,更新静态防御风险协同分析攻击图的参数得到静态防御风险协同分析的感知攻击图。Exemplarily, the perceptual attack graph for the static defense risk collaborative analysis is designed as follows: according to the attack graph DAA(G)={V, E, W, R, T}, the static reachability probability P(H 0 ) of the initial attribute honey point H 0 and the current deception trap assigned according to expert experience, an attack graph Static_DAG={V, E, W, R, T, P 1 } for static defense risk analysis is designed, wherein P 1 represents the prior probability of the attribute honey point. The specific process includes: initializing the parameters of the static defense risk collaborative analysis attack graph Static_DAG, and copying the honey point set, edge set, weighted value set, and related relationships of DAA(G) to Static_DAG. Obtaining the assignment of the current deception trap, and calculating the probability of the atomic attack honey point in the static defense risk collaborative analysis attack graph according to the formula P(Xi)=Ni*P(X′ i ). Obtaining the static reachability probability assignment of the initial attribute honey point, the reachability probabilities of the remaining attribute honey points in the static defense risk collaborative analysis attack graph can be obtained by calculation, specifically according to the formula and formula Calculate the reachability probability of the attribute honey point, that is, get the local conditional probability. According to the formula The prior probability P 1 (H i ) of each attribute honey point is calculated, and P 1 (H i ) is copied to the parameter P 1 in the static defense risk collaborative analysis attack graph. According to the assignment and calculation results obtained above, the parameters of the static defense risk collaborative analysis attack graph are updated to obtain the perception attack graph of the static defense risk collaborative analysis.
在一种可能的实施例中,设计动态风险协同分析包括设计动态防御风险协同分析的感知攻击图,具体包括:初始化动态防御风险协同分析攻击图;获取当前欺骗设陷网络的NCR-index用于更新静态防御风险协同分析的感知攻击图中的属性蜜点的先验概率;获取警报信息用于计算动态防御风险协同分析攻击图中属性蜜点的后验概率;更新动态防御风险协同分析攻击图的参数得到动态防御风险协同分析的感知攻击图。In a possible embodiment, designing a dynamic risk collaborative analysis includes designing a perceptual attack graph for a dynamic defense risk collaborative analysis, specifically including: initializing the dynamic defense risk collaborative analysis attack graph; obtaining the NCR-index of the current deception trap network for updating the prior probability of attribute honey points in the perceptual attack graph for the static defense risk collaborative analysis; obtaining alarm information for calculating the posterior probability of attribute honey points in the dynamic defense risk collaborative analysis attack graph; and updating the parameters of the dynamic defense risk collaborative analysis attack graph to obtain the perceptual attack graph for the dynamic defense risk collaborative analysis.
示例性地,设计动态防御风险协同分析的感知攻击图为:根据静态防御风险分析的感知攻击图Static_DAG、当前欺骗设陷网络的NCR-index和警报信息,进行设计用于进行静态防御风险分析的攻击图Dynamic_DAG(V,E,W,R,T,P1,P2),其中,P2表示属性蜜点的后验概率。具体过程包括:初始化动态防御风险协同分析攻击图Dynamic_DAG的参数,将静态防御风险协同分析的感知攻击图Static_DAG的属性蜜点、攻击蜜点、边集合及相关关系等应用到Dynamic_DAG。获取当前欺骗设陷网络的NCR-index的值N用于将静态防御风险协同分析的感知攻击图中的属性蜜点的先验概率P1进行更新。获取警报信息得到警报蜜点,根据公式计算属性蜜点的后验概率P2(Hi),将P2(Hi)复制到动态防御风险协同分析攻击图中的参数P2。根据上述获取的赋值和计算结果,更新动态防御风险协同分析攻击图的参数得到动态防御风险协同分析的感知攻击图。Exemplarily, the perceptual attack graph for dynamic defense risk collaborative analysis is designed as follows: based on the perceptual attack graph Static_DAG for static defense risk analysis, the NCR-index of the current deception trap network, and the alarm information, an attack graph Dynamic_DAG (V, E, W, R, T, P 1 , P 2 ) for static defense risk analysis is designed, wherein P 2 represents the posterior probability of the attribute honey point. The specific process includes: initializing the parameters of the dynamic defense risk collaborative analysis attack graph Dynamic_DAG, and applying the attribute honey points, attack honey points, edge sets, and related relationships of the perceptual attack graph Static_DAG for static defense risk collaborative analysis to Dynamic_DAG. Obtaining the value N of the NCR-index of the current deception trap network is used to update the prior probability P 1 of the attribute honey points in the perceptual attack graph for static defense risk collaborative analysis. Obtaining the alarm information to obtain the alarm honey point, according to the formula Calculate the posterior probability P 2 (H i ) of the attribute honey point, and copy P 2 (H i ) to the parameter P 2 in the dynamic defense risk collaborative analysis attack graph. According to the assignment and calculation results obtained above, update the parameters of the dynamic defense risk collaborative analysis attack graph to obtain the perception attack graph of the dynamic defense risk collaborative analysis.
本发明的基于动态感知攻击图的蜜阵模型构建方法设计静态及动态防御风险协同算法,使蜜阵模型能够随着攻防态势的变化而变化,从而适应欺骗设陷网络的动态弹性演化,以保障欺骗设陷网络的完备准确性和新鲜实效性。针对尚未投入使用的欺骗设陷网络系统,采用静态防御风险协同算法,能够基于属性蜜点的先验概率进行风险评估,实现已知风险的识别和评估,使得在系统部署之前就能够对潜在的安全威胁进行分析和预测。基于属性蜜点的先验概率是指在没有任何额外信息的情况下,攻击者被特定属性蜜点吸引并发起攻击的可能性,基于收集的数据估计攻击者被特定属性吸引的先验概率。结合先验概率和潜在影响,根据计算每个属性蜜点的风险值。从而,根据风险评估结果,能够确定需要优先保护的属性蜜点,合理分配安全资源,以保护最有可能遭受攻击的属性蜜点。持续监控属性蜜点的活动,并制定快速响应计划以应对潜在攻击。The method for constructing a honey array model based on a dynamic perception attack graph of the present invention designs a static and dynamic defense risk collaborative algorithm, so that the honey array model can change with the change of the attack and defense situation, so as to adapt to the dynamic elastic evolution of the deception trap network, so as to ensure the complete accuracy and freshness and effectiveness of the deception trap network. For the deception trap network system that has not yet been put into use, a static defense risk collaborative algorithm is adopted, which can perform risk assessment based on the prior probability of attribute honey points, realize the identification and assessment of known risks, and enable the analysis and prediction of potential security threats before the system is deployed. The prior probability based on the attribute honey point refers to the possibility that an attacker is attracted by a specific attribute honey point and launches an attack without any additional information, and the prior probability of an attacker being attracted by a specific attribute is estimated based on the collected data. Combined with the prior probability and the potential impact, the risk value of each attribute honey point is calculated. Therefore, according to the risk assessment results, the attribute honey points that need to be protected first can be determined, and security resources can be reasonably allocated to protect the attribute honey points that are most likely to be attacked. The activities of the attribute honey points are continuously monitored, and a rapid response plan is formulated to deal with potential attacks.
针对真实的欺骗设陷网络场景,网络连接状态呈现出高度的复杂性,新的警报信息持续涌现或消失。为更加精确地分析网络中的安全风险,动态防御风险协同算法在先验概率的基础上,不断更新警报蜜点的动态信息作为新的考量条件并据此计算后验概率,实现对实时获取的数据进行监控和调整。In the real deception trap network scenario, the network connection status presents a high degree of complexity, and new alarm information continues to emerge or disappear. In order to more accurately analyze the security risks in the network, the dynamic defense risk collaborative algorithm continuously updates the dynamic information of the alarm honey spot as a new consideration condition based on the prior probability and calculates the posterior probability accordingly, so as to monitor and adjust the data obtained in real time.
将本发明构建的基于动态感知攻击图的蜜阵模型部署到新型电力网络系统,能够保障新型电力系统各层次设备的安全性以及蜜点的动态性、诱捕性和鲁棒性。示例性地,参见说明书附图4,基于动态感知攻击图的蜜阵模型实现的电网系统的蜜阵实例化部署包括:首先,根据新型电力系统内部网络的安全需求,明确安全目标。其次,针对主要安全目标和被保护系统,结合新型电力网络多层次下的系统设备和网络协议,分层次分网段设计动态感知的蜜阵阵图,确保每个关键区域都有足够的诱捕节点来检测和防御潜在攻击。在电网系统的不同位置部署多个蜜点,包括网络蜜点、主机蜜点、服务蜜点等,以迷惑攻击者并收集攻击行为数据。蜜阵实时监测电网系统中的流量和行为,通过分析流量信息、流量采样、特征筛选等手段,识别和提取恶意流量特征。根据检测结果,进行攻防博弈分析,评估攻击的威胁程度和防御措施的有效性。然后,使用阵图变换引擎根据攻防博弈分析的结果进行蜜阵的动态调整,优化防御策略和蜜点的部署方案。最后,针对新型电力网络中常见环境和特定环境进行通用化和定制化阵图设计,丰富电力网络场景下的诱捕节点布防策略。The honey array model based on the dynamic perception attack graph constructed by the present invention is deployed to the new power network system, which can ensure the security of the equipment at all levels of the new power system and the dynamic, entrapment and robustness of the honey points. For example, referring to Figure 4 of the specification, the instantiation deployment of the honey array of the power grid system implemented by the honey array model based on the dynamic perception attack graph includes: first, according to the security requirements of the internal network of the new power system, the security goals are clarified. Secondly, for the main security goals and protected systems, combined with the system equipment and network protocols under the multi-level of the new power network, the honey array diagram of dynamic perception is designed in layers and segments to ensure that each key area has enough entrapment nodes to detect and defend potential attacks. Multiple honey points are deployed at different locations of the power grid system, including network honey points, host honey points, service honey points, etc., to confuse attackers and collect attack behavior data. The honey array monitors the traffic and behavior in the power grid system in real time, and identifies and extracts malicious traffic features by analyzing traffic information, traffic sampling, feature screening and other means. According to the detection results, an attack and defense game analysis is performed to evaluate the threat level of the attack and the effectiveness of the defense measures. Then, the array transformation engine is used to dynamically adjust the honey array according to the results of the attack and defense game analysis, optimizing the defense strategy and the deployment plan of the honey points. Finally, general and customized array designs are carried out for common and specific environments in the new power network to enrich the trapping node deployment strategy in the power network scenario.
实例结果表明本发明提出的蜜阵模型可以构建动态演化的欺骗设陷网络场景,增加警报信息等条件的动态定量分析,可以更加精确的反映欺骗设陷网络的实时安全风险状态,及时发现攻击行动,并将其作为新的判断条件,以适用新型电力系统不断增长的网络安全定量分析的需求,为网络安全防御人员提供定量的决策性参考。The example results show that the honey array model proposed in the present invention can construct a dynamically evolving deception trap network scenario, add dynamic quantitative analysis of conditions such as alarm information, and more accurately reflect the real-time security risk status of the deception trap network, timely discover attack actions, and use them as new judgment conditions to meet the growing demand for quantitative network security analysis of new power systems, and provide quantitative decision-making references for network security defense personnel.
综上所述,本发明提出的基于动态感知攻击图的蜜阵模型引入量化方案构建动态感知攻击图DAA-graph,实现量化网络的动态不确定性以及攻击图中的关键参数。这种量化方法能够为网络安全防御人员提供一个科学、定量的参考策略,帮助其更好理解和应对网络中的安全威胁。In summary, the honey array model based on the dynamic perception attack graph proposed in the present invention introduces a quantification scheme to construct a dynamic perception attack graph DAA-graph, which can quantify the dynamic uncertainty of the network and the key parameters in the attack graph. This quantification method can provide a scientific and quantitative reference strategy for network security defense personnel to help them better understand and respond to security threats in the network.
其次,本发明的技术方案以欺骗设陷为核心目标,设计一套支持网络动态演化的机制。通过提出静态及动态防御风险协同分析算法,使蜜阵模型能够有效适应网络结构和流量模式的动态变化,以实现对网络弹性演化的实时响应。这些算法不仅能够在网络静态状态下评估安全风险,还能够在网络动态变化过程中,持续监测和分析潜在的安全威胁,从而为网络安全提供了更为灵活和适应性强的防御手段。Secondly, the technical solution of the present invention takes deception and trapping as the core goal and designs a set of mechanisms to support the dynamic evolution of the network. By proposing static and dynamic defense risk collaborative analysis algorithms, the honey array model can effectively adapt to the dynamic changes of network structure and traffic patterns to achieve real-time response to the elastic evolution of the network. These algorithms can not only evaluate security risks in the static state of the network, but also continuously monitor and analyze potential security threats during the dynamic changes of the network, thereby providing a more flexible and adaptable defense method for network security.
此外,蜜阵模型强调了对网络攻击步骤间因果耦合关系和概率推理关系的刻画,通过概率攻击图的形式,增强了对攻击路径和攻击者行为模式的识别能力。这使得蜜阵模型不仅能够识别已知的攻击模式,还能够预测和防御新兴的、未知的攻击手段。In addition, the honey array model emphasizes the description of the causal coupling relationship and probabilistic reasoning relationship between network attack steps, and enhances the ability to identify attack paths and attacker behavior patterns in the form of probabilistic attack graphs. This enables the honey array model to not only identify known attack patterns, but also predict and defend against emerging and unknown attack methods.
参见说明书附图5,本实施例还提供了一种基于动态感知攻击图的蜜阵模型构建装置,该装置用于实现上述方法实施例。该装置包括:Referring to Figure 5 of the specification, this embodiment also provides a device for constructing a honey array model based on a dynamic perception attack graph, which is used to implement the above method embodiment. The device includes:
数据采集单元201,用于进行数据采集以获取网络攻击和网络防御的相关数据构建原始数据集。The data collection unit 201 is used to collect data to obtain relevant data of network attacks and network defenses to construct an original data set.
动态感知攻击图构建单元202,用于根据原始数据集进行分析以提取安全事件、行为模式生成警报信息,基于原始数据集和警报信息构建动态感知攻击图。The dynamic perception attack graph construction unit 202 is used to analyze the original data set to extract security events and behavior patterns to generate alarm information, and to construct a dynamic perception attack graph based on the original data set and the alarm information.
蜜阵模型构建单元203,用于根据动态感知攻击图,设计静态风险协同分析用于识别和评估已知风险,设计动态风险协同分析用于对实时获取的数据进行监控和调整,构建基于动态感知攻击图的蜜阵模型。The honey array model building unit 203 is used to design static risk collaborative analysis for identifying and evaluating known risks according to the dynamic perception attack graph, design dynamic risk collaborative analysis for monitoring and adjusting the data obtained in real time, and build a honey array model based on the dynamic perception attack graph.
其中,数据采集单元201进行数据采集以获取网络攻击和网络防御的相关数据构建原始数据集,包括:从入侵规则库,安全情报,攻击诱捕系统资产,多方威胁数据日志和漏洞数据库进行数据采集,以获取关于攻击模式和防御策略、潜在威胁、攻击行为、威胁情报和安全漏洞的网络攻击和网络防御的相关数据;整合网络攻击和网络防御的相关数据构建形成原始数据集。Among them, the data collection unit 201 performs data collection to obtain relevant data of network attacks and network defense to construct an original data set, including: collecting data from an intrusion rule library, security intelligence, attack trapping system assets, multi-party threat data logs and vulnerability databases to obtain relevant data of network attacks and network defense about attack patterns and defense strategies, potential threats, attack behaviors, threat intelligence and security vulnerabilities; integrating relevant data of network attacks and network defense to construct an original data set.
动态感知攻击图构建单元202基于原始数据集和警报信息构建动态感知攻击图,包括:定义属性蜜点和原子攻击蜜点,根据属性蜜点的状态、原子攻击蜜点的状态、属性蜜点与其根蜜点之间的关系、属性蜜点与原子攻击蜜点之间的关系,以及属性蜜点与警报信息之间的关系构建动态感知攻击图的结构;量化动态感知攻击图的结构中的参数,包括:根据原子攻击蜜点的欺骗设陷成功率和NCR-index计算原子攻击蜜点的概率,根据属性蜜点的条件概率计算局部条件的概率,根据属性蜜点的条件概率计算属性蜜点的先验概率,根据属性蜜点与警报信息之间的关系计算属性蜜点的后验概率;根据动态感知攻击图的结构和参数的量化结果,完成动态感知攻击图的构建。The dynamic perception attack graph construction unit 202 constructs a dynamic perception attack graph based on the original data set and the alarm information, including: defining attribute honey points and atomic attack honey points, and constructing the structure of the dynamic perception attack graph according to the state of the attribute honey points, the state of the atomic attack honey points, the relationship between the attribute honey points and their root honey points, the relationship between the attribute honey points and the atomic attack honey points, and the relationship between the attribute honey points and the alarm information; quantifying the parameters in the structure of the dynamic perception attack graph, including: calculating the probability of the atomic attack honey points according to the deception trap success rate and NCR-index of the atomic attack honey points, calculating the probability of the local conditions according to the conditional probability of the attribute honey points, calculating the prior probability of the attribute honey points according to the conditional probability of the attribute honey points, and calculating the posterior probability of the attribute honey points according to the relationship between the attribute honey points and the alarm information; completing the construction of the dynamic perception attack graph according to the structure of the dynamic perception attack graph and the quantification results of the parameters.
蜜阵模型构建单元203设计静态风险协同分析包括设计静态防御风险协同分析的感知攻击图,具体包括:初始化静态防御风险协同分析的攻击图;获取对当前欺骗设陷的赋值用于计算静态防御风险协同分析攻击图中的原子攻击蜜点的概率;获取初始属性蜜点的静态可达概率赋值,计算静态防御风险协同分析攻击图中的局部条件概率和属性蜜点的先验概率;更新静态防御风险协同分析攻击图的参数得到静态防御风险协同分析的感知攻击图。The honey array model construction unit 203 designs static risk collaborative analysis, including designing a perceived attack graph for static defense risk collaborative analysis, specifically including: initializing the attack graph for static defense risk collaborative analysis; obtaining the assignment of the current deception trap to calculate the probability of atomic attack honey points in the static defense risk collaborative analysis attack graph; obtaining the static reachable probability assignment of the initial attribute honey points, calculating the local conditional probability and the prior probability of the attribute honey points in the static defense risk collaborative analysis attack graph; updating the parameters of the static defense risk collaborative analysis attack graph to obtain the perceived attack graph for the static defense risk collaborative analysis.
蜜阵模型构建单元203设计动态风险协同分析包括设计动态防御风险协同分析的感知攻击图,具体包括:初始化动态防御风险协同分析攻击图;获取当前欺骗设陷网络的NCR-index用于更新所述静态防御风险协同分析的感知攻击图中的属性蜜点的先验概率;获取警报信息用于计算动态防御风险协同分析攻击图中属性蜜点的后验概率;更新动态防御风险协同分析攻击图的参数得到动态防御风险协同分析的感知攻击图。The honey array model construction unit 203 designs dynamic risk collaborative analysis, including designing a perceptual attack graph for dynamic defense risk collaborative analysis, specifically including: initializing the dynamic defense risk collaborative analysis attack graph; obtaining the NCR-index of the current deception trap network for updating the prior probability of attribute honey points in the perceptual attack graph for the static defense risk collaborative analysis; obtaining alarm information for calculating the posterior probability of attribute honey points in the dynamic defense risk collaborative analysis attack graph; updating the parameters of the dynamic defense risk collaborative analysis attack graph to obtain the perceptual attack graph for the dynamic defense risk collaborative analysis.
上述方法实施例涉及的各步骤的所有相关内容均可以援引到对应功能模块的功能描述,在此不再赘述。All relevant contents of each step involved in the above method embodiment can be referred to the functional description of the corresponding functional module, and will not be repeated here.
在本申请的另一些实施例中,本申请实施例公开了一种电子设备,如图6所示,该电子设备300可以包括:一个或多个处理器301;存储器302;显示器303;一个或多个应用程序(未示出);以及一个或多个计算机程序304,上述各器件可以通过一个或多个通信总线305连接。其中该一个或多个计算机程序304被存储在上述存储器中并被配置为被该一个或多个处理器301执行,该一个或多个计算机程序304包括指令,上述指令可以用于执行如图1、图5及相应实施例中的各个步骤。In other embodiments of the present application, an electronic device is disclosed in an embodiment of the present application. As shown in FIG6 , the electronic device 300 may include: one or more processors 301; a memory 302; a display 303; one or more applications (not shown); and one or more computer programs 304. The above components may be connected via one or more communication buses 305. The one or more computer programs 304 are stored in the above memory and configured to be executed by the one or more processors 301. The one or more computer programs 304 include instructions, which may be used to execute the steps in FIG1 , FIG5 and the corresponding embodiments.
通过以上的实施方式的描述,所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将装置的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。Through the description of the above implementation methods, technicians in the relevant field can clearly understand that for the convenience and simplicity of description, only the division of the above functional modules is used as an example. In actual applications, the above functions can be assigned to different functional modules as needed, that is, the internal structure of the device is divided into different functional modules to complete all or part of the functions described above. The specific working process of the system, device and unit described above can refer to the corresponding process in the aforementioned method embodiment, and will not be repeated here.
在本申请实施例各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。Each functional unit in each embodiment of the present application can be integrated into a processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of software functional units.
所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请实施例的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)或处理器执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:快闪存储器、移动硬盘、只读存储器、随机存取存储器、磁碟或者光盘等各种可以存储程序代码的介质。If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the embodiment of the present application is essentially or the part that contributes to the prior art or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium, including a number of instructions to enable a computer device (which can be a personal computer, a server, or a network device, etc.) or a processor to perform all or part of the steps of the method described in each embodiment of the present application. The aforementioned storage medium includes: various media that can store program codes, such as flash memory, mobile hard disk, read-only memory, random access memory, disk or optical disk.
以上所述,仅为本申请实施例的具体实施方式,但本申请实施例的保护范围并不局限于此,任何在本申请实施例揭露的技术范围内的变化或替换,都应涵盖在本申请实施例的保护范围之内。因此,本申请实施例的保护范围应以所述权利要求的保护范围为准。The above is only a specific implementation of the embodiment of the present application, but the protection scope of the embodiment of the present application is not limited thereto, and any changes or replacements within the technical scope disclosed in the embodiment of the present application should be included in the protection scope of the embodiment of the present application. Therefore, the protection scope of the embodiment of the present application should be based on the protection scope of the claims.
Claims (12)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410992909.3A CN118802353A (en) | 2024-07-23 | 2024-07-23 | A method for constructing a honey array model based on dynamic perception attack graph |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410992909.3A CN118802353A (en) | 2024-07-23 | 2024-07-23 | A method for constructing a honey array model based on dynamic perception attack graph |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118802353A true CN118802353A (en) | 2024-10-18 |
Family
ID=93029565
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410992909.3A Pending CN118802353A (en) | 2024-07-23 | 2024-07-23 | A method for constructing a honey array model based on dynamic perception attack graph |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118802353A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20240297892A1 (en) * | 2023-03-03 | 2024-09-05 | Applied Research Associates, Inc. | Modeling cyberspace operations and operation effectiveness |
| CN119520086A (en) * | 2024-11-18 | 2025-02-25 | 郑州大学 | A quantitative analysis method for the four core capabilities of network resilience |
-
2024
- 2024-07-23 CN CN202410992909.3A patent/CN118802353A/en active Pending
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20240297892A1 (en) * | 2023-03-03 | 2024-09-05 | Applied Research Associates, Inc. | Modeling cyberspace operations and operation effectiveness |
| US12381903B2 (en) * | 2023-03-03 | 2025-08-05 | Applied Research Associates, Inc. | Modeling cyberspace operations and operation effectiveness |
| CN119520086A (en) * | 2024-11-18 | 2025-02-25 | 郑州大学 | A quantitative analysis method for the four core capabilities of network resilience |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108494810B (en) | Attack-oriented network security situation prediction method, device and system | |
| US20230351027A1 (en) | Intelligent adversary simulator | |
| US20230336581A1 (en) | Intelligent prioritization of assessment and remediation of common vulnerabilities and exposures for network nodes | |
| AU2022307535A1 (en) | Intelligent prioritization of assessment and remediation of common vulnerabilities and exposures for network nodes | |
| Sendi et al. | Real time intrusion prediction based on optimized alerts with hidden Markov model | |
| Khosravi et al. | Alerts correlation and causal analysis for APT based cyber attack detection | |
| US10637884B2 (en) | Artificial intelligence system and method for threat anticipation | |
| JP6557774B2 (en) | Graph-based intrusion detection using process trace | |
| Alheeti et al. | Hybrid intrusion detection in connected self-driving vehicles | |
| CN118802353A (en) | A method for constructing a honey array model based on dynamic perception attack graph | |
| CN117375997A (en) | Malicious traffic attack security knowledge plane construction method based on honey points | |
| Srilatha et al. | DDoSNet: A deep learning model for detecting network attacks in cloud computing | |
| CN118264443A (en) | An adaptive intrusion response game system and method for data services under intrusion attacks | |
| CN119051990A (en) | Enterprise network security test evaluation method and system | |
| Gill et al. | A systematic review on game-theoretic models and different types of security requirements in cloud environment: Challenges and opportunities | |
| CN118487824A (en) | Method, device, readable storage medium and program product for counter-mapping of cyberspace | |
| CN119254507A (en) | Cyberspace counter-mapping method, device, computer equipment and storage medium | |
| Lin et al. | A hypergraph-based machine learning ensemble network intrusion detection system | |
| Mohammadzad et al. | MAGD: Minimal attack graph generation dynamically in cyber security | |
| CN120106569A (en) | A dynamic risk visualization management method for asset and risk management | |
| Fang et al. | Predicting poaching for wildlife protection | |
| Li et al. | Few-shot multi-domain knowledge rearming for context-aware defence against advanced persistent threats | |
| Outkin et al. | Defender policy evaluation and resource allocation using MITRE ATT&CK evaluations data | |
| Dong et al. | A new method of dynamic network security analysis based on dynamic uncertain causality graph | |
| Kayacik et al. | Using self-organizing maps to build an attack map for forensic analysis |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |