CN109302380A - A kind of safety protection equipment linkage defense strategy Intelligent Decision-making Method and system - Google Patents

Info

Publication number
CN109302380A
Authority
CN
China
Prior art keywords
loophole
linkage defense
defense strategy
attack
defence policies
Legal status
Granted
Application number
CN201810927065.9A
Other languages
Chinese (zh)
Other versions
CN109302380B (en)
Inventor
张波
张涛
马媛媛
管小娟
邵志鹏
黄秀丽
费稼轩
周诚
陈秀真
陈璐艺
华晔
陈璐
李妮格
郭骞
张明扬
周晟
傅慧斌
Current Assignee
State Grid Corp of China SGCC
Global Energy Interconnection Research Institute
Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Global Energy Interconnection Research Institute
Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, Global Energy Interconnection Research Institute, Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Priority to CN201810927065.9A
Publication of CN109302380A
Application granted
Publication of CN109302380B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/14 Network analysis or design
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Abstract

The present invention provides a safety protection equipment linkage defense strategy intelligent decision-making method and system. When alarm information is received, the corresponding defense policy trigger condition is selected from predefined defense policy trigger conditions according to the alarm type, and a network attack graph is constructed from the vulnerabilities associated with the alarm information; according to the selected trigger condition, the corresponding linkage defense strategies are determined in a pre-established defense policy template library, generating a candidate linkage defense strategy set; the system security risk value obtained when each strategy in the set is applied to the network attack graph is calculated one by one; and the final linkage defense strategy is determined according to the system security risk value. Through this scheme, the collection of IT resource events, deep data mining and event correlation analysis in the network security domain realize the monitoring and management of all kinds of security incidents, and decision services are provided for the secure operation of the information system on the basis of the overall information security posture, ensuring the security of network assets and the normal operation of the network.

Description

A kind of safety protection equipment linkage defense strategy Intelligent Decision-making Method and system
Technical field
The invention belongs to the field of transmission line design load calculation methods, and in particular relates to a safety protection equipment linkage defense strategy intelligent decision-making method and system.
Background technique
With the continuous expansion of network scale, the growth of user demand and the constant addition of new services, network systems exhibit large scale, diversified services and distributed management, which brings challenges to the assessment, operation and security maintenance of such systems. In recent years the rate at which vulnerabilities are discovered in computer network systems has kept accelerating, and large-scale worms, viruses and denial-of-service attacks break out continuously, so the security situation does not permit optimism. How to ensure the security of large-scale networks has become a pressing problem.
Traditionally, network security is protected with tools such as firewalls, IDS and scanners. A firewall restricts network connections by enforcing access control rules, but generally lacks application-layer protection; an IDS finds security problems by detecting attack signatures and abnormal behaviour, but generally lacks the ability to detect stealthier attacks; a scanner is generally aimed at a single host, ignores network topology and cannot identify the more harmful composite and coordinated attacks. Each of these conventional security tools forms an information island, with no sharing or unification of information between devices.
To correlate the information of conventional security devices, the network security industry has developed integrated information security management platforms, such as the Tai He information security operation centre of Venus InfoTech and Topsec's security management system. Through centralized and comprehensive collection of IT resource events, deep data mining and event correlation analysis across the network-wide security domain, these platforms realize the monitoring, analysis and management of all kinds of enterprise security incidents, track the enterprise's overall information security posture, and provide decision services and O&M workflow management for the secure operation of the whole information system.
However, neither existing conventional security devices nor integrated information security management platforms implement linkage of security policies. Faced with the mass alarm information from security devices and the evolution curve of the security posture, administrators often have no way to choose a reasonable, feasible coordinated response strategy.
Summary of the invention
To solve the problems in the prior art, the present invention provides a security fragility assessment method and system based on linkage defense strategies. For the linkage defense strategies triggered by a security incident, it analyses their effect on the overall security fragility of the system and uses this as the basis for linkage defense strategy selection, so as to ensure the security of network assets and the normal operation of the network. Compared with expressing a strategy as a segment of computer program, the technical solution proposed by the present invention is easier to analyse.
To achieve the above object, the present invention adopts the following technical scheme:
The present invention provides a safety protection equipment linkage defense strategy intelligent decision-making method, the method comprising:
when alarm information is received, selecting the corresponding defense policy trigger condition from predefined defense policy trigger conditions according to the alarm type, and constructing a network attack graph from the vulnerabilities associated with the alarm information;
according to the selected defense policy trigger condition, determining the corresponding linkage defense strategies in a pre-established defense policy template library and generating a candidate linkage defense strategy set;
calculating, one by one, the system security risk value obtained when each linkage defense strategy in the candidate set is applied to the network attack graph;
determining the final linkage defense strategy according to the system security risk value.
Preferably, the establishment of the defense policy template library comprises:
defining historical alarm information and fault type data as defense policy trigger conditions;
instantiating the configured security policy knowledge according to the defense policy trigger conditions to generate linkage defense strategies.
Preferably, constructing the network attack graph from the vulnerabilities associated with the alarm information comprises:
obtaining the vulnerabilities of the host nodes with scanning tools;
inputting the vulnerabilities into a security analyser, which outputs the network attack graph G; wherein
the network attack graph G comprises n attack chains L1, L2, ..., Ln, and any attack chain Li is composed of m vulnerabilities V1, V2, ..., Vm.
Further, calculating one by one the system security risk value obtained when each linkage defense strategy in the candidate set is applied to the network attack graph comprises:
defining the predetermined popularity, ease and impact as the risk factors of a vulnerability;
calculating the risk value of each attack chain according to the relative risk given by the risk factors;
determining the system security risk value according to the risk value of each attack chain.
Further, the system security risk value is determined by the following formula:
$R(G) = R(L_1) + R(L_2) + \cdots + R(L_n)$
where $R(G)$ is the system security risk value and $R(L_i)$ is the risk value of the attack chain $L_i = (V_1, V_2, \ldots, V_m)$ composed of m vulnerabilities, $i = 1, 2, \ldots, n$; i denotes the i-th attack chain and n is the number of attack chains.
Further, the risk value of an attack chain $L_i$ composed of m vulnerabilities is determined by the following formula:
$R(L_i) = R(V_1) \times R(V_2) \times \cdots \times R(V_m)$
where $R(V_m)$ is the relative risk of the m-th vulnerability $V_m$.
Further, the relative risk of vulnerability $V_m$ is determined by the following formula:
$R(V_m) = (P_p \times P_d \times P_e) / 3$
where $P_p$, $P_d$ and $P_e$ denote the popularity, ease and impact of vulnerability $V_m$ respectively.
Further, the popularity of a vulnerability is the frequency with which attacks are carried out using that vulnerability;
the ease of a vulnerability is the complexity of an attack through that vulnerability;
the impact of a vulnerability is the potential damage caused by an attack through that vulnerability.
Preferably, the linkage defense strategies include: access control restriction, patch installation, application software upgrade, modification of the default user name and password, and Trojan removal.
A safety protection equipment linkage defense strategy intelligent decision system, the system comprising:
a linkage defense strategy decision engine for, when alarm information is received, selecting the corresponding defense policy trigger condition from predefined defense policy trigger conditions according to the alarm type, and constructing a network attack graph from the vulnerabilities associated with the alarm information;
a generation module for determining, according to the selected defense policy trigger condition, the corresponding linkage defense strategies in the pre-established defense policy template library and generating a candidate linkage defense strategy set;
a computing module for calculating one by one the system security risk value obtained when each linkage defense strategy in the candidate set is applied to the network attack graph;
a decision module for determining the final linkage defense strategy according to the system security risk value.
Compared with the closest prior art, the invention has the following beneficial effects:
The safety protection equipment linkage defense strategy intelligent decision-making method and system proposed by the present invention select the corresponding defense policy trigger condition from the predefined trigger conditions according to the alarm type and construct a network attack graph from the vulnerabilities associated with the alarm information; according to the selected trigger condition they determine the corresponding linkage defense strategies in the pre-established defense policy template library and generate a candidate linkage defense strategy set; for the linkage defense strategies triggered by a security incident they analyse the effect on the overall security fragility of the system and use it as the basis for strategy selection; and they calculate one by one the system security risk value obtained when each candidate strategy is applied to the network attack graph. Through the technical scheme of the present invention, the collection of IT resource events, deep data mining and event correlation analysis in the network security domain realize the monitoring, analysis and management of all kinds of security incidents, and decision services are provided for the secure operation of the information system on the basis of the overall information security posture.
Finally, the final linkage defense strategy is determined according to the system security risk value, thereby ensuring the security of network assets and the normal operation of the network, improving the response accuracy for security incidents, and enhancing applicability in real production environments.
Detailed description of the invention
Fig. 1 is the flow chart of the method provided by the specific embodiment of the invention;
Fig. 2 is a schematic diagram of the linkage defense strategy intelligent decision model provided by the specific embodiment of the invention;
Fig. 3 is a schematic diagram of the strategy decision engine model provided by the specific embodiment of the invention;
Fig. 4 is the network topology of the implementation environment provided by the specific embodiment of the invention;
Fig. 5 shows the two attack chains in the network attack graph provided by the specific embodiment of the invention.
Specific embodiment
The present invention is described in further detail below in conjunction with the accompanying drawings.
The description of strategies and the lookup of strategies are the key points and difficulties of a linkage defense strategy system. Of the existing ways to describe strategies in industry, one is to use natural language; this is the best way for the person entering the strategy, but it requires natural-language processing using artificial intelligence, which increases algorithm difficulty. The other is to express the strategy as a program that a computer can process. According to the IETF definition, a strategy can be expressed as a series of conditions and actions, i.e. "if condition then action"; compared with expressing the strategy as a segment of computer program, this form is easier to analyse. Industry has further proposed performing strategy lookup by heuristic optimal path-finding over a directed acyclic graph, replacing semantics-based strategy lookup.
The technical solution of the present invention targets the set of linkage defense strategies triggered by a security incident, analyses their effect on the overall security fragility of the system, and uses this as the basis for linkage defense strategy selection, so as to ensure the security of network assets and the normal operation of the network. A linkage defense strategy intelligent decision model can be constructed on the basis of the proposed method; as shown in Fig. 2, it consists mainly of five components: defense policy trigger conditions, the defense policy template library, the strategy decision engine, the man-machine interface and the policy enforcement point.
The defense policy trigger conditions comprise alarms from security devices and vulnerabilities discovered by scanners.
The defense policy template library stores security policy knowledge, classified by trigger condition type, and provides the input for the strategy decision engine.
The strategy decision engine is the heart of the entire linkage defense strategy intelligent decision model. According to the trigger condition it calls and instantiates the strategy knowledge in the defense policy template library, applies the security linkage defense strategies and their combinations one by one to the attack graph, calculates the corresponding system security fragility value, and finally outputs the security linkage defense strategy to the security administrator.
The man-machine interface has two main functions: 1) analysing and confirming the feasibility of security strategies, mainly on the basis of the effect that implementing a linkage defense strategy has on system security fragility and of the feasibility of the strategy; 2) adding to and modifying the knowledge in the defense policy template library as required. The policy enforcement point is responsible for implementing the generated linkage defense security strategies and mainly refers to network security protection devices such as firewalls and security isolation devices.
To realize safety protection equipment linkage defense on the basis of the linkage defense strategy intelligent decision model, the present invention provides a safety protection equipment linkage defense strategy intelligent decision-making method which, as shown in Fig. 1, comprises the following steps:
S1: when alarm information is received, select the corresponding defense policy trigger condition from the predefined defense policy trigger conditions according to the alarm type, and construct a network attack graph from the vulnerabilities associated with the alarm information;
S2: according to the selected defense policy trigger condition, determine the corresponding linkage defense strategies in the pre-established defense policy template library and generate a candidate linkage defense strategy set;
S3: calculate one by one the system security risk value obtained when each linkage defense strategy in the candidate set is applied to the network attack graph;
S4: determine the final linkage defense strategy according to the system security risk value.
In step S1, the predefined defense policy trigger conditions are: real-time alarms from intrusion detection devices, vulnerabilities output by scanners, threat information provided by network security authorities and websites, together with the grid topology and service operation requirements. Implementing reasonable, optimized security management measures on this basis, so as to improve the security defense capability of the information system, is an important part of secure information system operation and maintenance.
Using IDS alarms and vulnerabilities as the set of strategy trigger conditions, the following types are mainly supported:
(1) IDS alarms
With reference to the alarm classification information in the Snort user manual 2.9.9, the designed linkage defense strategy decision model covers the following alarm types:
Login attempt with the default user name and password
Network scan
Denial-of-service attack
Obtaining administrator privileges
Obtaining normal user privileges
Trojan activity
(2) Security vulnerabilities
With reference to the vulnerability type classification of China's national information security vulnerability database, the security vulnerability trigger conditions proposed for the model mainly comprise:
Buffer overflow
SQL injection
Path traversal
Cross-site scripting
Configuration error
Information leakage
Boundary condition error
Format string
The establishment of the defense policy template library comprises:
defining historical alarm information and fault type data as defense policy trigger conditions;
instantiating the configured security policy knowledge according to the defense policy trigger conditions to generate linkage defense strategies. The linkage defense strategies are stored according to the type of defense policy trigger condition and constitute the predefined defense policy template library. All linkage defense strategies corresponding to a given trigger condition can be found in the template library by that trigger condition.
The strategies in the template library can be formulated in Extensible Markup Language. XML is a structured, self-describing and extensible description language based on the SGML standard; its strict structure avoids semantic ambiguity and provides a guarantee for the definition and exchange of data and for its automatic processing by programs. Since the self-describing nature and extensibility of XML suffice to express all kinds of data, it is well suited to describing security incident response and task initiation. The present invention therefore proposes describing user-oriented high-level strategies in XML, defining the fields policy-id, classification, description and action, which give respectively the linkage defense strategy number, the response event type, the strategy description, and the action name and parameters. The classification field may correspond to several event types, and the parameters of the action field are name (Name), host (Host) and port (Port). The XML description of the strategy Deny(Src, Dst, Src_Port, Dst_Port) is given below:
Forbid the source host from accessing the service port Dst_Port of the destination host.
For the supported IDS alarms and trigger conditions, the corresponding set of linkage defense policy actions is defined. Five typical linkage defense policy actions are given below:
Access control restriction: Deny(Src, Dst, Src_Port, Dst_Port)
Patch installation: Patch(Host, Patch_Name)
Application software upgrade: Upgrade(Host, AppSoft_Name)
Modify default user name and password: Modify(Host, DefaultUser, DefaultPwd)
Trojan removal: KillTrojan(Host, Trojan_Name)
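As an added example (not the patent's own code or XML), the following Python shows how the template library described above could be stored in XML and instantiated for an alarm in step S2. The fields policy-id, classification, description and action and the five action names come from the text; the element layout, the alarm field names and the sample entries are constructed assumptions of this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample template library. The field names (policy-id, classification,
# description, action) are the ones the patent lists; the element layout, in which
# the action carries its Name and an ordered list of parameters, is an assumption.
TEMPLATE_LIBRARY_XML = """<policies>
  <policy policy-id="1">
    <classification>default-credential-login</classification>
    <classification>trojan-activity</classification>
    <description>Forbid the source host from accessing the service port of the destination host</description>
    <action Name="Deny">
      <param>Src</param><param>Dst</param><param>Src_Port</param><param>Dst_Port</param>
    </action>
  </policy>
  <policy policy-id="2">
    <classification>default-credential-login</classification>
    <description>Replace the default user name and password on the attacked host</description>
    <action Name="Modify">
      <param>Host</param><param>DefaultUser</param><param>DefaultPwd</param>
    </action>
  </policy>
  <policy policy-id="3">
    <classification>trojan-activity</classification>
    <description>Remove the detected Trojan from the attacked host</description>
    <action Name="KillTrojan">
      <param>Host</param><param>Trojan_Name</param>
    </action>
  </policy>
</policies>
"""

# Constructed IDS alarm, already normalised to the trigger-condition vocabulary.
SAMPLE_ALARM = {
    "type": "default-credential-login",
    "Src": "10.0.0.5", "Dst": "10.0.0.9",
    "Src_Port": "51234", "Dst_Port": "22",
    "Host": "10.0.0.9", "DefaultUser": "admin",
}


@dataclass(frozen=True)
class PolicyTemplate:
    policy_id: str
    classifications: Tuple[str, ...]
    description: str
    action: str
    params: Tuple[str, ...]


def load_template_library(xml_text: str) -> List[PolicyTemplate]:
    """Parse the XML template library. A policy without an action is rejected,
    because it could never be instantiated into an enforceable strategy."""
    templates = []
    for pol in ET.fromstring(xml_text).findall("policy"):
        action = pol.find("action")
        if action is None or not action.get("Name"):
            raise ValueError(f"policy {pol.get('policy-id')} has no action")
        templates.append(PolicyTemplate(
            policy_id=pol.get("policy-id", ""),
            classifications=tuple((c.text or "").strip() for c in pol.findall("classification")),
            description=(pol.findtext("description") or "").strip(),
            action=action.get("Name"),
            params=tuple((p.text or "").strip() for p in action.findall("param")),
        ))
    return templates


def instantiate(templates: List[PolicyTemplate], alarm: Dict[str, str]) -> List[Tuple[str, str]]:
    """Step S2: select the templates whose classification matches the alarm type and
    bind the action parameters from the alarm fields. A parameter the alarm cannot
    supply (e.g. the new password for Modify) is left as a <placeholder> for the
    administrator to fill in through the man-machine interface."""
    candidates = []
    for t in templates:
        if alarm.get("type") not in t.classifications:
            continue
        args = [alarm.get(p, f"<{p}>") for p in t.params]
        candidates.append((t.policy_id, f"{t.action}({', '.join(args)})"))
    return candidates


def candidate_actions(xml_text: str, alarm: Dict[str, str]) -> List[Tuple[str, str]]:
    """Library text + alarm -> candidate (policy-id, bound action) list."""
    return instantiate(load_template_library(xml_text), alarm)


if __name__ == "__main__":
    for policy_id, action in candidate_actions(TEMPLATE_LIBRARY_XML, SAMPLE_ALARM):
        print(policy_id, action)
```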
Step S1 further describes constructing the network attack graph from the vulnerabilities associated with the alarm information, comprising:
obtaining the vulnerabilities of the host nodes with scanning tools; inputting the vulnerabilities into a security analyser, which outputs a network attack graph G composed of n attack chains; wherein
the network attack graph G comprises n attack chains L1, L2, ..., Ln; any attack chain Li is composed of m vulnerabilities V1, V2, ..., Vm; S0 denotes the initial state of an attack chain and Sg denotes its terminal state.
The present invention introduces the enterprise network security analyser MulVAL, developed by the research team led by the American scholar Xinming (Simon) Ou, to generate the network attack graph and help the system administrator better control system risk. Taking network system vulnerabilities, network configuration and connectivity, system configuration, security advisories and linkage defense policy information as input, it models the input elements in the Datalog language and automatically constructs, by a series of inference rules, the network attack graph that endangers the security goal, i.e. it discovers the security problems brought about by combining vulnerabilities on the same host or on different hosts. The network attack graph takes the interaction between vulnerabilities into account and reflects well the risk that multi-stage attacks bring to the system. The risk value of the whole network depends on the risk value of every attack chain, and the risk value of every attack chain depends on the relative risk of each vulnerability; the specific risk calculation method is recorded in step S3.
The effect of implementing a linkage defense strategy is embodied in the improvement of the system's security defense capability, i.e. the reduction of overall system security risk. For this purpose the present invention designs a linkage defense strategy decision engine based on the security fragility situation, with the effect of a linkage defense strategy on the global security of the system as the decision basis. The engine takes the set of linkage defense strategies corresponding to a trigger condition as input; for the current security configuration and vulnerability information of the system, and under the assumption that a given linkage defense strategy is implemented, it constructs the attack graph (Attack Graph), further calculates the system security risk value, and outputs to the security administrator each linkage defense strategy with its corresponding system security risk value; finally the administrator selects the linkage defense strategy with low system security risk and good feasibility. The strategy decision engine model is shown in Fig. 3.
Step S3, calculating one by one the system security risk value obtained when each linkage defense strategy in the candidate set is applied to the network attack graph, comprises:
a. Defining the predetermined popularity, ease and impact as the risk factors of a vulnerability. Here the popularity, ease and impact information of a vulnerability is obtained mainly by questionnaire survey, by expert assessment based on historical data, and from the Common Vulnerability Scoring System CVSS; the concepts and values are defined as follows:
Popularity: how frequently a vulnerability is used to attack real targets in practice. The value 0.1 means rarely used, 0.5 commonly used and 1 widely used.
Ease: the skill required to carry out an attack using the vulnerability. The value 0.1 means little or no skill is needed, 0.5 an ordinary security programmer and 1 an experienced security programmer.
Impact: the potential damage caused after an attack using the vulnerability succeeds. The value 0.1 means unimportant information on the target, 0.5 an ordinary user account or denial of service, and 1 a superuser account or equivalent information.
b. Calculating the risk value of each attack chain according to the relative risk given by the risk factors;
c. Determining the system security risk value according to the risk value of each attack chain.
The system security risk value is determined by the following formula:
$R(G) = R(L_1) + R(L_2) + \cdots + R(L_n)$
where $R(G)$ is the system security risk value and $R(L_i)$ is the risk value of the attack chain $L_i = (V_1, V_2, \ldots, V_m)$ composed of m vulnerabilities, $i = 1, 2, \ldots, n$; i denotes the i-th attack chain and n is the number of attack chains.
The risk value of an attack chain $L_i$ composed of m vulnerabilities is determined by the following formula:
$R(L_i) = R(V_1) \times R(V_2) \times \cdots \times R(V_m)$
where $R(V_m)$ is the relative risk of the m-th vulnerability $V_m$.
The relative risk of vulnerability $V_m$ is determined by the following formula:
$R(V_m) = (P_p \times P_d \times P_e) / 3$
where $P_p$, $P_d$ and $P_e$ denote the popularity, ease and impact of vulnerability $V_m$ respectively.
In step S4, after the system security risk values have been determined, the security risk values and their linkage defense strategies are supplied to technical personnel, who finally determine the final linkage defense strategy.
To illustrate the implementation of the proposed scheme, the network environment shown in Fig. 4 is first set up. The operating system of host A is Sun Solaris 9.0; the system has an ordinary user usrA and a superuser root, is allowed to access the MySQL of host C, and can access host B as an ordinary user. The operating system of host B is Windows 2000; it provides the remote login service SSH, has an administrator account AdministratorB, and may access the MySQL of C. The operating system of host C is Windows 2000; it has an administrator account AdministratorC, provides the MySQL database service, and may access and change MySQL.
The three host nodes in the network are scanned with host-based and network-based scanning tools, and the vulnerability information obtained is shown in the table below.
Inputting the host vulnerabilities, system configuration and access control policy information of the experimental network into the security analyser MulVAL, the output attack graph contains two attack chains, as shown in Fig. 5.
Fig. 5 fully shows how one vulnerability is associated with another; the core idea is the exploitation precondition and consequence of each vulnerability, mainly:
1) Vulnerability V1 on host A is associated with V2; the association condition is the existence of a local non-privileged user, and the association result is obtaining root privileges on host A.
2) Vulnerability V1 is associated with vulnerability V3; the association condition is that host B runs the SSH service with the corresponding port open and users of host A may access the SSH service of host B, and the association result is obtaining root privileges on host B.
3) Vulnerability V2 is associated with vulnerability V4; the association condition is that host C runs MySQL and allows users of host A to access the MySQL of host C, and the association result is access to and modification of the database on host C.
4) Vulnerability V3 is associated with vulnerability V4; the association condition is that host C runs MySQL and allows users of host B to access the MySQL of host C, and the association result is access to and modification of the database on host C.
Based on the given popularity, ease of exploitation and impact, the risk values of the four vulnerabilities V1, V2, V3 and V4 are computed as 0.2, 0.867, 0.9 and 0.93 respectively. The risk values of the two attack chains and of the network as a whole then follow:
R(L_1) = R(V_1) × R(V_2) × R(V_4) = 0.161
R(L_2) = R(V_1) × R(V_3) × R(V_4) = 0.167
R(G) = R(L_1) + R(L_2) = 0.328
When the linkage defense strategy decision engine receives an alarm that the MySQL database of host C has been modified without authorization, it reads the linkage defense strategies corresponding to the alarm type from the defense strategy template library and, from the attack graph of the associated vulnerabilities, generates the set of candidate linkage defense strategies:
P1: upgrade MySQL
P2: change the default configuration and close the permission on the MySQL user configuration file
P3: change the weak password (V1)
P4: upgrade the Newgrp application software
The decision engine then assumes, in turn, that P1, P2, P3 and P4 are implemented, and obtains total network risk values of 0, 0, 0 and 0.167 respectively: P4 removes only V2, which breaks chain L1 but leaves L2 (V1, V3, V4) intact, whereas each of the other three removes a vulnerability shared by both chains. Strategy P1, upgrading MySQL, may affect the operation of the business system, and the stability of the new MySQL version still has to be tested; so, judging the remaining strategies by their feasibility, the administrator finally selects P2 or P3, i.e. closing the permission on the MySQL user configuration file of host C or changing the weak password on host A.
Based on the same inventive concept, the application also proposes an intelligent decision system for the linkage defense strategy of security protection equipment, the system comprising:
a linkage defense strategy decision engine, which, on receipt of an alarm, selects the defense strategy trigger condition corresponding to the alarm type from the predefined defense strategy trigger conditions and constructs a network attack graph from the vulnerabilities associated with the alarm;
a generation module, which determines the linkage defense strategies corresponding to the selected trigger condition in the pre-established defense strategy template library and generates the set of candidate linkage defense strategies;
a computing module, which computes, one by one, the system security risk value that results when each candidate linkage defense strategy is applied to the network attack graph;
a decision module, which determines the final linkage defense strategy from the system security risk values.
Those skilled in the art will appreciate that embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) containing computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to its embodiments. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Claims (10)

1. An intelligent decision-making method for the linkage defense strategy of security protection equipment, characterized in that the method comprises:
when an alarm is received, selecting the defense strategy trigger condition corresponding to the alarm type from predefined defense strategy trigger conditions, and constructing a network attack graph from the vulnerabilities associated with the alarm;
determining, according to the selected defense strategy trigger condition, the corresponding linkage defense strategies in a pre-established defense strategy template library, and generating a set of candidate linkage defense strategies;
computing, one by one, the system security risk value that results when each linkage defense strategy in the candidate set is applied to the network attack graph;
determining the final linkage defense strategy from the system security risk values.
2. The method according to claim 1, characterized in that establishing the defense strategy template library comprises:
defining defense strategy trigger conditions from historical alarm information and fault type data;
instantiating the configured security strategy knowledge according to the defense strategy trigger conditions to generate linkage defense strategies.
3. The method according to claim 1, characterized in that constructing the network attack graph from the vulnerabilities associated with the alarm comprises:
obtaining the vulnerabilities of the host nodes with scanning tools;
feeding the vulnerabilities to a security analyzer, which outputs the network attack graph G; wherein
the network attack graph G contains n attack chains L1, L2, ..., Ln, and any attack chain Li consists of m vulnerabilities V1, V2, ..., Vm.
4. The method according to claim 3, characterized in that computing, one by one, the system security risk value that results when each linkage defense strategy in the candidate set is applied to the network attack graph comprises:
defining the predefined popularity, ease of exploitation and impact as the risk factors of a vulnerability;
computing the risk value of each attack chain from the relative risk given by those risk factors;
determining the system security risk value from the risk values of the attack chains.
5. The method according to claim 4, characterized in that the system security risk value is determined by the following formula:
R(G) = R(L_1) + R(L_2) + ... + R(L_n)
where R(G) is the system security risk value and R(L_i), i = 1, 2, ..., n, is the risk value of attack chain L_i, which consists of m vulnerabilities V_1, V_2, ..., V_m; i indexes the i-th attack chain and n is the number of attack chains.
6. The method according to claim 5, characterized in that the risk value of an attack chain L_i consisting of m vulnerabilities is determined by the following formula:
R(L_i) = R(V_1) × R(V_2) × ... × R(V_m)
where R(V_m) is the relative risk of the m-th vulnerability V_m.
7. The method according to claim 6, characterized in that the relative risk of vulnerability V_m is determined by the following formula:
R(V_m) = (P_p × P_d × P_e)/3
where P_p, P_d and P_e denote the popularity, ease of exploitation and impact of vulnerability V_m respectively.
8. The method according to claim 3, characterized in that:
the popularity of a vulnerability is the frequency with which attacks are carried out using that vulnerability;
the ease of exploitation of a vulnerability is the complexity of attacking it;
the impact of a vulnerability is the potential damage an attack on it can cause.
9. The method according to claim 1, characterized in that the linkage defense strategies comprise: access control restriction, patching, application software upgrade, changing default usernames and passwords, and Trojan scanning and removal.
10. An intelligent decision system for the linkage defense strategy of security protection equipment, characterized in that the system comprises:
a linkage defense strategy decision engine, which, on receipt of an alarm, selects the defense strategy trigger condition corresponding to the alarm type from the predefined defense strategy trigger conditions and constructs a network attack graph from the vulnerabilities associated with the alarm;
a generation module, which determines the linkage defense strategies corresponding to the selected defense strategy trigger condition in the pre-established defense strategy template library and generates the set of candidate linkage defense strategies;
a computing module, which computes, one by one, the system security risk value that results when each linkage defense strategy in the candidate set is applied to the network attack graph;
a decision module, which determines the final linkage defense strategy from the system security risk values.
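Claims 5 to 7 and the worked example of the description (risk values 0.2, 0.867, 0.9 and 0.93, chains L1 and L2, candidate strategies P1 to P4), implemented as an added example that is not the patent's own code. The mapping from each strategy to the vulnerability it removes (P1 and P2 to V4, P3 to V1, P4 to V2) and the feasibility flag that rules out P1 are assumptions read from the narrative; the factor triple used to exercise vuln_risk is constructed, since the page gives only the resulting risk values. One caveat a practitioner should notice: claim 7 prints the vulnerability risk as (P_p × P_d × P_e)/3, but a product of three factors in [0, 1] divided by 3 can never exceed 1/3, whereas the example reports 0.867, 0.9 and 0.93; those values are reproduced by the arithmetic mean of the three factors, which is what the function below computes and labels as an assumption.

```python
"""Risk-driven selection among candidate linkage defense strategies.

Added example (not the patent's own code): it implements the formulas of
claims 5-7 over the two attack chains of the worked example and re-evaluates
the total risk R(G) under each candidate strategy P1..P4. The strategy ->
fixed-vulnerability mapping and the feasibility flags are assumptions drawn
from the description's narrative; the factor triple is constructed.
"""
from math import prod
from typing import Dict, FrozenSet, List, Sequence, Tuple

Chain = Tuple[str, ...]


def vuln_risk(pp: float, pd: float, pe: float) -> float:
    """R(V) from popularity, ease of exploitation and impact, each in [0, 1].

    Assumption: the arithmetic mean is used. Claim 7 prints (Pp x Pd x Pe)/3,
    which cannot exceed 1/3 for factors in [0, 1], yet the worked example
    reports risks of 0.867, 0.9 and 0.93; the mean reproduces those values.
    """
    for factor in (pp, pd, pe):
        if not 0.0 <= factor <= 1.0:
            raise ValueError("risk factors must lie in [0, 1]")
    return (pp + pd + pe) / 3


def chain_risk(chain: Chain, risk: Dict[str, float]) -> float:
    """Claim 6: R(L_i) is the product of R(V) over the chain's vulnerabilities."""
    return prod(risk[v] for v in chain)


def total_risk(chains: Sequence[Chain], risk: Dict[str, float],
               patched: FrozenSet[str] = frozenset()) -> float:
    """Claim 5: R(G) is the sum of R(L_i) over the chains that still survive.

    A chain containing any patched vulnerability is broken and contributes 0.
    """
    return sum(chain_risk(c, risk) for c in chains if not patched & set(c))


def evaluate_strategies(chains: Sequence[Chain], risk: Dict[str, float],
                        strategies: Dict[str, FrozenSet[str]]) -> Dict[str, float]:
    """Residual R(G) after hypothetically applying each candidate strategy."""
    return {name: total_risk(chains, risk, fixed) for name, fixed in strategies.items()}


def choose(residual: Dict[str, float], feasible: Dict[str, bool]) -> List[str]:
    """Strategies with the lowest residual risk among those the administrator
    considers feasible to apply (ties are all returned, sorted by name)."""
    candidates = [p for p, ok in feasible.items() if ok and p in residual]
    if not candidates:
        return []
    best = min(residual[p] for p in candidates)
    return sorted(p for p in candidates if abs(residual[p] - best) < 1e-9)


# Data from the worked example of the description.
CHAINS: List[Chain] = [("V1", "V2", "V4"), ("V1", "V3", "V4")]
RISK: Dict[str, float] = {"V1": 0.2, "V2": 0.867, "V3": 0.9, "V4": 0.93}

# Assumed: which vulnerability each candidate strategy removes.
STRATEGIES: Dict[str, FrozenSet[str]] = {
    "P1": frozenset({"V4"}),  # upgrade MySQL on host C
    "P2": frozenset({"V4"}),  # close permission on the MySQL user config file
    "P3": frozenset({"V1"}),  # change the weak password on host A
    "P4": frozenset({"V2"}),  # upgrade Newgrp on host A
}
# Assumed: P1 is ruled out because the upgrade is untested and may disrupt
# the business system, as the description argues.
FEASIBLE: Dict[str, bool] = {"P1": False, "P2": True, "P3": True, "P4": True}


if __name__ == "__main__":
    print("R(G) before any strategy:", round(total_risk(CHAINS, RISK), 3))
    residual = evaluate_strategies(CHAINS, RISK, STRATEGIES)
    for name, value in residual.items():
        print(f"{name}: residual R(G) = {value:.3f}")
    print("selected:", choose(residual, FEASIBLE))
```

Feasibility is deliberately a separate input rather than folded into the risk number: the engine ranks by residual R(G), and the administrator's operational constraints only break ties among equally effective strategies, which is exactly how the description arrives at P2 or P3 rather than P1. Note that the page's 0.328 is the sum of the already rounded chain values; the exact sum is 0.3287.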
CN201810927065.9A 2018-08-15 2018-08-15 Intelligent decision-making method and system for linkage defense strategy of safety protection equipment Active CN109302380B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810927065.9A CN109302380B (en) 2018-08-15 2018-08-15 Intelligent decision-making method and system for linkage defense strategy of safety protection equipment

Publications (2)

Publication Number Publication Date
CN109302380A true CN109302380A (en) 2019-02-01
CN109302380B CN109302380B (en) 2022-10-25

Family

ID=65165085

Country Status (1)

Country Link
CN (1) CN109302380B (en)

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109861865A (en) * 2019-02-14 2019-06-07 上海鹏越惊虹信息技术发展有限公司 An alarm linkage method, device, system, computer equipment and storage medium
CN110266676A (en) * 2019-06-12 2019-09-20 深圳前海微众银行股份有限公司 A method and device for preventing malicious attacks
CN110852761A (en) * 2019-10-11 2020-02-28 支付宝(杭州)信息技术有限公司 Method and device for formulating anti-cheating strategy and electronic equipment
CN110909362A (en) * 2019-11-12 2020-03-24 中国科学院微电子研究所 System detection method, device, electronic equipment and storage medium
CN111027075A (en) * 2019-12-06 2020-04-17 吉林亿联银行股份有限公司 Vulnerability protection method and device and electronic equipment
CN111510428A (en) * 2020-03-09 2020-08-07 联通(广东)产业互联网有限公司 Security resource operation and maintenance platform system and control method
CN111614696A (en) * 2020-06-02 2020-09-01 深圳供电局有限公司 Network security emergency response method and system based on knowledge graph
CN111881456A (en) * 2020-07-29 2020-11-03 江苏云从曦和人工智能有限公司 Security risk management and control method, device, equipment and medium
CN111966714A (en) * 2020-08-07 2020-11-20 苏州唐云信息技术有限公司 Application management container system based on cloud computing foundation
CN112632555A (en) * 2020-12-15 2021-04-09 国网河北省电力有限公司电力科学研究院 Node vulnerability scanning method and device and computer equipment
CN112839045A (en) * 2021-01-14 2021-05-25 中盈优创资讯科技有限公司 Implementation method and device for arranging strategies
CN113037713A (en) * 2021-02-07 2021-06-25 深信服科技股份有限公司 Network attack resisting method, device, equipment and storage medium
CN113228713A (en) * 2021-03-31 2021-08-06 华为技术有限公司 Method and device for determining protection scheme of attack path
CN113228594A (en) * 2021-03-31 2021-08-06 华为技术有限公司 Method, device and equipment for determining protection scheme and computer readable storage medium
CN113315666A (en) * 2021-07-02 2021-08-27 天津嘉恒达科技有限公司 Defense control method and system for information network security
CN113422776A (en) * 2021-06-23 2021-09-21 孙勐 Active defense method and system for information network security
WO2021217616A1 (en) * 2020-04-30 2021-11-04 新华三技术有限公司 Device protection method, and devices
CN113709132A (en) * 2021-08-23 2021-11-26 深圳市托奇科技有限公司 Security detection method and system for reducing cloud computing requirements
CN113810418A (en) * 2021-09-18 2021-12-17 土巴兔集团股份有限公司 Method for defending cross-site scripting attack and related equipment thereof
CN114070608A (en) * 2021-11-12 2022-02-18 北京天融信网络安全技术有限公司 Asset optimization method and device based on flow analysis
CN114401113A (en) * 2021-12-16 2022-04-26 中国人民解放军战略支援部队信息工程大学 Network security protection strategy AI autonomous defense method and system based on security ontology modeling
CN114785538A (en) * 2022-03-02 2022-07-22 南方电网数字电网研究院有限公司 Data association analysis method and device, computer equipment and storage medium
CN115396314A (en) * 2022-08-26 2022-11-25 湖北天融信网络安全技术有限公司 Method, device, system and medium for obtaining protection strategy set and message detection
CN115426196A (en) * 2022-10-31 2022-12-02 杭州安恒信息技术股份有限公司 Security defense task generation method, device, equipment and medium
CN115622796A (en) * 2022-11-16 2023-01-17 南京南瑞信息通信科技有限公司 Network security linkage response combat map generation method, system, device and medium
WO2024131643A1 (en) * 2022-12-20 2024-06-27 中移(苏州)软件技术有限公司 Security protection method, cloud security platform and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7552480B1 (en) * 2002-04-23 2009-06-23 Citibank, N.A. Method and system of assessing risk using a one-dimensional risk assessment model
CN106411562A (en) * 2016-06-17 2017-02-15 全球能源互联网研究院 Electric power information network safety linkage defense method and system

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
Bo Zhang et al., "The Proactive Defense of Energy Internet Terminals Edge-Access Using the Network Topology Autoassociation", IEEE Journal on Emerging and Selected Topics in Circuits and Systems *
张书钦 et al., "Research on vulnerability analysis technology for industrial control network security", Journal of Zhongyuan University of Technology (中原工学院学报) *
张波 et al., "Simulation research on an efficient detection model for network attack node paths", Computer Simulation (计算机仿真) *
陈璐 et al., "A graph-based extensible security assessment model for mobile applications", Computer Engineering (计算机工程) *
陈靖 et al., "Real-time network security assessment based on dynamic attack graphs", Computer Science (计算机科学) *

Cited By (38)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109861865A (en) * 2019-02-14 2019-06-07 上海鹏越惊虹信息技术发展有限公司 An alarm linkage method, device, system, computer equipment and storage medium
CN110266676A (en) * 2019-06-12 2019-09-20 深圳前海微众银行股份有限公司 A method and device for preventing malicious attacks
CN110266676B (en) * 2019-06-12 2023-05-12 深圳前海微众银行股份有限公司 Method and device for preventing malicious attack
CN110852761A (en) * 2019-10-11 2020-02-28 支付宝(杭州)信息技术有限公司 Method and device for formulating anti-cheating strategy and electronic equipment
CN110909362A (en) * 2019-11-12 2020-03-24 中国科学院微电子研究所 System detection method, device, electronic equipment and storage medium
CN111027075A (en) * 2019-12-06 2020-04-17 吉林亿联银行股份有限公司 Vulnerability protection method and device and electronic equipment
CN111510428A (en) * 2020-03-09 2020-08-07 联通(广东)产业互联网有限公司 Security resource operation and maintenance platform system and control method
CN111510428B (en) * 2020-03-09 2022-08-05 联通(广东)产业互联网有限公司 Security resource operation and maintenance platform system and control method
WO2021217616A1 (en) * 2020-04-30 2021-11-04 新华三技术有限公司 Device protection method, and devices
CN111614696A (en) * 2020-06-02 2020-09-01 深圳供电局有限公司 Network security emergency response method and system based on knowledge graph
CN111614696B (en) * 2020-06-02 2022-11-18 深圳供电局有限公司 Network security emergency response method and system based on knowledge graph
CN111881456A (en) * 2020-07-29 2020-11-03 江苏云从曦和人工智能有限公司 Security risk management and control method, device, equipment and medium
CN111966714A (en) * 2020-08-07 2020-11-20 苏州唐云信息技术有限公司 Application management container system based on cloud computing foundation
CN112632555A (en) * 2020-12-15 2021-04-09 国网河北省电力有限公司电力科学研究院 Node vulnerability scanning method and device and computer equipment
CN112839045B (en) * 2021-01-14 2023-05-30 中盈优创资讯科技有限公司 Implementation method and device for arranging policies
CN112839045A (en) * 2021-01-14 2021-05-25 中盈优创资讯科技有限公司 Implementation method and device for arranging strategies
CN113037713A (en) * 2021-02-07 2021-06-25 深信服科技股份有限公司 Network attack resisting method, device, equipment and storage medium
CN113228594A (en) * 2021-03-31 2021-08-06 华为技术有限公司 Method, device and equipment for determining protection scheme and computer readable storage medium
CN113228713A (en) * 2021-03-31 2021-08-06 华为技术有限公司 Method and device for determining protection scheme of attack path
WO2022205132A1 (en) * 2021-03-31 2022-10-06 华为技术有限公司 Method and apparatus for determining protection plan of attack path
CN113228713B (en) * 2021-03-31 2022-09-16 华为技术有限公司 Method and device for determining protection scheme of attack path
WO2022205122A1 (en) * 2021-03-31 2022-10-06 华为技术有限公司 Method and apparatus for determining defense scheme, device, and computer-readable storage medium
CN113422776A (en) * 2021-06-23 2021-09-21 孙勐 Active defense method and system for information network security
CN113315666A (en) * 2021-07-02 2021-08-27 天津嘉恒达科技有限公司 Defense control method and system for information network security
CN113709132A (en) * 2021-08-23 2021-11-26 深圳市托奇科技有限公司 Security detection method and system for reducing cloud computing requirements
CN113810418A (en) * 2021-09-18 2021-12-17 土巴兔集团股份有限公司 Method for defending cross-site scripting attack and related equipment thereof
CN113810418B (en) * 2021-09-18 2023-12-26 土巴兔集团股份有限公司 Method for defending cross-site scripting attack and related equipment thereof
CN114070608A (en) * 2021-11-12 2022-02-18 北京天融信网络安全技术有限公司 Asset optimization method and device based on flow analysis
CN114401113A (en) * 2021-12-16 2022-04-26 中国人民解放军战略支援部队信息工程大学 Network security protection strategy AI autonomous defense method and system based on security ontology modeling
CN114401113B (en) * 2021-12-16 2023-06-27 中国人民解放军战略支援部队信息工程大学 Network security policy AI autonomous defense method and system based on security ontology modeling
CN114785538A (en) * 2022-03-02 2022-07-22 南方电网数字电网研究院有限公司 Data association analysis method and device, computer equipment and storage medium
CN114785538B (en) * 2022-03-02 2023-11-28 南方电网数字电网研究院有限公司 Data association analysis method and device, computer equipment and storage medium
CN115396314A (en) * 2022-08-26 2022-11-25 湖北天融信网络安全技术有限公司 Method, device, system and medium for obtaining protection strategy set and message detection
CN115396314B (en) * 2022-08-26 2024-04-26 湖北天融信网络安全技术有限公司 Method, device, system and medium for obtaining protection policy set and message detection
CN115426196A (en) * 2022-10-31 2022-12-02 杭州安恒信息技术股份有限公司 Security defense task generation method, device, equipment and medium
CN115426196B (en) * 2022-10-31 2023-03-24 杭州安恒信息技术股份有限公司 Security defense task generation method, device, equipment and medium
CN115622796A (en) * 2022-11-16 2023-01-17 南京南瑞信息通信科技有限公司 Network security linkage response combat map generation method, system, device and medium
WO2024131643A1 (en) * 2022-12-20 2024-06-27 中移(苏州)软件技术有限公司 Security protection method, cloud security platform and storage medium

Similar Documents

Publication Publication Date Title
CN109302380A (en) Intelligent decision-making method and system for the linkage defense strategy of security protection equipment
Li et al. Analysis framework of network security situational awareness and comparison of implementation methods
Manoharan et al. Revolutionizing Cybersecurity: Unleashing the Power of Artificial Intelligence and Machine Learning for Next-Generation Threat Detection
Kotenko et al. The ontology of metrics for security evaluation and decision support in SIEM systems
Kotenko et al. Common framework for attack modeling and security evaluation in SIEM systems
Tidwell et al. Modeling internet attacks
Kotenko et al. Attack modeling and security evaluation in SIEM systems
Ji et al. Attack-defense trees based cyber security analysis for CPSs
Ali et al. Attributed multi-objective comprehensive learning particle swarm optimization for optimal security of networks
CN111881451A (en) Vulnerability association mining method for industrial control system
CN114422224A (en) Attack tracing-oriented threat information intelligent analysis method and system
Li et al. Research on Multi‐Target Network Security Assessment with Attack Graph Expert System Model
Nadiammai et al. A comprehensive analysis and study in intrusion detection system using data mining techniques
Li et al. Network security situation assessment method based on Markov game model
Kotenko et al. Network security evaluation based on simulation of malfactor's behavior
Vidalis et al. Using vulnerability trees for decision making in threat assessment
Li et al. Research on information security risk analysis and prevention technology of network communication based on cloud computing algorithm
CN115186136A (en) Knowledge graph structure for network attack and defense confrontation
Zheng [Retracted] Information System Security Evaluation Algorithm Based on PSO‐BP Neural Network
Ye et al. Zero-day vulnerability risk assessment and attack path analysis using security metric
Codetta-Raiteri et al. Decision networks for security risk assessment of critical infrastructures
Nikolskaia et al. The relationship between cybersecurity and artificial intelligence
Akbarzadeh Dependency based risk analysis in Cyber-Physical Systems
Sung et al. Using system dynamics to investigate the effect of the information medium contact policy on the information security management
Liu et al. SEAG: A novel dynamic security risk assessment method for industrial control systems with consideration of social engineering

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant