CN114615066A - Target path determination method and device - Google Patents


Info

Publication number
CN114615066A
Authority
CN
China
Prior art keywords
target
asset
node
path
asset node
Prior art date
Legal status
Pending
Application number
CN202210265392.9A
Other languages
Chinese (zh)
Inventor
李恒
Current Assignee
Zhejiang eCommerce Bank Co Ltd
Original Assignee
Zhejiang eCommerce Bank Co Ltd
Application filed by Zhejiang eCommerce Bank Co Ltd
Priority to CN202210265392.9A
Publication of CN114615066A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiments of this specification provide a target path determining method and device. The method comprises the following steps: acquiring attribute information of at least two asset nodes in a target network, and determining interaction information between the at least two asset nodes based on the attribute information, wherein the interaction information comprises network interaction information, physical interaction information and/or resource interaction information; constructing a path topology graph between the at least two asset nodes of the target network based on the interaction information; and, once a starting asset node and a target asset node are determined in the path topology graph, calculating all target paths between the starting asset node and the target asset node with a traversal algorithm. In this way no potential network attack path is omitted, the obtained set of network attack paths is comprehensive, and subsequent defence against network attacks can be improved.

Description

Target path determination method and device
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to a target path determining method.
Background
With the development of the internet, network security problems have become increasingly prominent. To guarantee network security, internet enterprises need to move from passive defence to active prediction and defence: by simulating attacks in advance, executable attack paths are found before an attack event occurs and the relevant repair and defence work is done beforehand, so how to accurately predict all attack paths that can be covered has become an urgent problem. Most existing network attack path prediction methods derive attack paths from historical attack cases and attack experience; such methods find it difficult to comprehensively enumerate all possible attack paths in a network, so the defence against network attacks is poor.
Disclosure of Invention
In view of this, the embodiments of the present specification provide a target path determining method. One or more embodiments of the present specification also relate to a target path determining apparatus, a computing device, a computer-readable storage medium, and a computer program, so as to solve the technical problems in the prior art.
According to a first aspect of embodiments of the present specification, there is provided a target path determining method including:
acquiring attribute information of at least two asset nodes in a target network, and determining interaction information between the at least two asset nodes based on the attribute information, wherein the interaction information comprises network interaction information, physical interaction information and/or resource interaction information;
constructing a path topology graph between the at least two asset nodes of the target network based on the interaction information;
and under the condition that a starting asset node and a target asset node are determined in the path topological graph, calculating all target paths between the starting asset node and the target asset node by using a traversal algorithm.
According to a second aspect of embodiments herein, there is provided a target path determination apparatus including:
an interaction information determining module, configured to acquire attribute information of at least two asset nodes in a target network and determine interaction information between the at least two asset nodes based on the attribute information, wherein the interaction information comprises network interaction information, physical interaction information and resource interaction information;
a topology graph construction module configured to construct a path topology graph between the at least two asset nodes of the target network based on the interaction information;
a path determination module configured to calculate all target paths between a starting asset node and a target asset node using a traversal algorithm if the starting asset node and the target asset node are determined in the path topology map.
According to a third aspect of embodiments herein, there is provided a computing device comprising:
a memory and a processor;
the memory is configured to store computer-executable instructions and the processor is configured to execute the computer-executable instructions, which when executed by the processor, implement the steps of the target path determination method described above.
According to a fourth aspect of embodiments herein, there is provided a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of the above-described target path determination method.
According to a fifth aspect of embodiments herein, there is provided a computer program, wherein when the computer program is executed in a computer, the computer is caused to execute the steps of the above-mentioned target path determination method.
One embodiment of the present specification provides a target path determining method, which includes acquiring attribute information of at least two asset nodes in a target network, and determining interaction information between the at least two asset nodes based on the attribute information, wherein the interaction information includes network interaction information, physical interaction information, and/or resource interaction information; constructing a path topology graph between the at least two asset nodes of the target network based on the interaction information; and under the condition that a starting asset node and a target asset node are determined in the path topological graph, calculating all target paths between the starting asset node and the target asset node by using a traversal algorithm.
Specifically, the attribute information of the asset nodes in the target network is obtained directly, the interaction information between every two asset nodes is determined from it, and a path topology graph is constructed; after a starting asset node and a target asset node are determined in the path topology graph, the target paths between them are calculated with a traversal algorithm. In this way the possible attack relations between asset nodes are determined and all attack paths between any two asset nodes are calculated, which avoids the shortcomings of determining network attack paths from historical attack cases and experience: no potential network attack path is omitted, the obtained network attack paths are comprehensive, and subsequent defence against network attacks is improved.
Drawings
Fig. 1 is a schematic view of an application scenario of a target path determining method provided in an embodiment of the present specification;
Fig. 2 is a flowchart of a target path determining method provided in an embodiment of the present specification;
Fig. 3 is a schematic diagram of constructing a path topology diagram of a target path determination method according to an embodiment of the present specification;
Fig. 4 is a processing diagram of a target path determining method according to an embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of a target path determining apparatus according to an embodiment of the present disclosure;
Fig. 6 is a block diagram of a computing device according to an embodiment of the present disclosure.
Detailed Description
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present description. This description may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein, as those skilled in the art will be able to make and use the present disclosure without departing from the spirit and scope of the present disclosure.
The terminology used in the description of the one or more embodiments is for the purpose of describing the particular embodiments only and is not intended to be limiting of the description of the one or more embodiments. As used in one or more embodiments of the present specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used in one or more embodiments of the present specification refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It will be understood that, although the terms first, second, etc. may be used herein in one or more embodiments to describe various information, these information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, a first can also be referred to as a second and, similarly, a second can also be referred to as a first without departing from the scope of one or more embodiments of the present description. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
First, the terms used in one or more embodiments of the present specification are explained.
Attack path: the route along which a network intruder attacks and compromises normally running devices or application programs in the network.
IT asset: refers to the equipment assets related to computers, communication and related technologies, including hardware equipment and software equipment.
Topology diagram: can be understood as a network topology diagram, that is, a network structure diagram composed of network node devices and communication media.
Traversal: visiting each node in the topology graph once and only once, in sequence along a certain search route; the operation performed when a node is visited depends on the specific application problem.
Fortress machine (bastion host): in a specific network environment, to ensure that the network and its data are not intruded upon or damaged by external or internal users, various technical means are used to monitor and record the operations that operation and maintenance personnel perform on the servers, network devices, security devices, databases and other devices in the network, so that these operations can be centrally monitored, handled in time, audited and attributed to the responsible person.
Domain control: a domain controller is a server in Windows (an operating system) that is responsible for functions such as authentication and management in "domain" mode.
Mail service: a mail server.
In the process of evaluating the security level of a network, one needs to know which attack paths a hacker could use, and those possible attack paths are then exercised in a live simulated attack to check whether the network is capable of defending against network attacks. At present, defence systems against hacker attacks are deployed on the basis of historical cases and attack experience, and it is difficult to enumerate all possible attack paths comprehensively; current attack path determination methods collect asset information through active or passive scanning, so the topology graphs they determine are all incomplete, or the topology graph is built from collected network asset information and known network vulnerability information, which likewise leaves the topology graph incomplete, so the output of these methods cannot cover all attack paths available to a hacker. For this reason, the target path determining method provided by the embodiments of the present specification ensures the comprehensiveness of the assets by acquiring the asset nodes, including networked devices and non-networked devices, directly from the IT system; at the same time, vulnerability information is not relied on when building the topology graph, so the topology graph of the network is built completely, and all paths a hacker could possibly attack along can subsequently be determined from this complete topology graph.
In the present specification, a target path determining method is provided, and the present specification relates to a target path determining apparatus, a computing device, and a computer-readable storage medium, which are described in detail one by one in the following embodiments.
It should be noted that the target path determining method provided in the embodiments of the present specification takes a hacker attacking asset nodes in a network as its example and provides a scheme for determining a comprehensive set of attack paths; the type of the target network attacked by the hacker is not limited in any way herein.
Referring to fig. 1, fig. 1 shows an application scenario illustration of a target path determination method according to an embodiment of the specification.
Fig. 1 includes a server A, a target network B, a hacker C, and an attack path topology graph. In practice, to prevent hacker C from attacking and damaging asset nodes in target network B, server A confirms in advance the attack paths among all asset nodes in target network B along which hacker C could do damage. To do so, server A acquires the attribute information of all asset nodes in target network B, determines the interaction information among the asset nodes from the attribute information, and constructs an attack path topology graph (shown on the right side of Fig. 1) from the interaction information. Once the initial attack node and the target attack node are determined in the attack path topology graph, all attack paths that could be used between the two asset nodes can be calculated with a traversal algorithm; further, server A can determine all attack paths between asset nodes in the attack path topology graph.
In the target path determining method provided in the embodiments of the present description, by determining attribute information of each asset node in a target network, interaction information between the asset nodes is further determined, and a corresponding attack path topological graph is constructed, so that all possible attack paths of a hacker attack are obtained.
Referring to fig. 2, fig. 2 is a flowchart illustrating a target path determining method according to an embodiment of the present disclosure, which specifically includes the following steps.
Step 202: the method comprises the steps of obtaining attribute information of at least two asset nodes in a target network, and determining interaction information between the at least two asset nodes based on the attribute information.
The interaction information comprises network interaction information, physical interaction information and/or resource interaction information.
The target network may be understood as a network system of any application, and is not specifically limited herein; asset nodes may be understood as various entities in the target network including application nodes, database nodes, VPN nodes, management platform nodes, etc.
The network interaction information may be understood as information that asset nodes in the target network transmit over the network, for example, asset node A transmits data to asset node B over HTTP (employees access an internal website from their computers), or asset node A transmits data to asset node B over UDP (a video conference between employees carries its data over UDP); the physical interaction information may be understood as physical device interactions that occur between asset nodes, for example, a USB flash drive, mouse, keyboard, data cable or similar device is plugged into a computer, a Bluetooth device connects to the Bluetooth receiver of a computer terminal, or a radio interacts with a vehicle barrier-gate lifting system; the resource interaction information may be understood as historical connection information between asset nodes, and the specific connection manner of the resource interaction information is not limited in any way.
In practical application, after acquiring attribute information of each asset node of a target network, a server may determine interaction information between every two asset nodes based on the attribute information, where the attribute information of an asset node may be understood as a device type, configuration attribute information, connection state information in a network, and the like of the asset node, and further determine interaction information connected to the asset node or having an interaction relationship according to the attribute information of each asset node, where the interaction information may include network interaction information, physical interaction information, and/or resource interaction information; it should be noted that, in the embodiments of the present specification, only the three types described above are taken as examples of specific interaction information, and no limitation is made.
In order to avoid incomplete asset nodes acquired in the subsequent topological graph establishment and resulting in incomplete paths which may be attacked by hackers, the target path determination method provided by the embodiment of the specification can directly determine asset nodes from an asset library of a network to establish a more complete path topological graph; specifically, the obtaining of the attribute information of at least two asset nodes in the target network includes:
at least two asset nodes are determined from an asset library of the target network, and the attribute information of each asset node is acquired, wherein the asset nodes comprise networked devices and non-networked devices of the target network.
The asset library of the target network may be understood as an asset library of the IT devices stored in the target network, and may include networked devices and non-networked devices in the current network.
In practical application, the server may determine all asset nodes from an asset library of the target network, including networked devices and non-networked devices in the target network, and further acquire attribute information corresponding to each asset node (device), for example, acquire type information of processing data of a transaction management background (asset node), background operating state information, background configuration attribute information, current network state information, and the like.
The embodiment of the specification provides a target path determining method, and for the combing mode of asset nodes, the method directly obtains the networked devices and non-networked devices of a target network from an IT system to ensure the comprehensiveness of the asset nodes and lay a foundation for subsequently constructing a comprehensive path topological graph.
Further, the determining interaction information between the at least two asset nodes based on the attribute information includes:
determining network status information of each asset node based on the attribute information, and determining network interaction information between the at least two asset nodes based on the network status information;
acquiring physical connection information of each asset node from a preset information base based on the attribute information, and determining physical interaction information between the at least two asset nodes based on the physical connection information; and/or
determining historical resource connection information of each asset node from a preset information base based on the attribute information, and determining resource interaction information between the at least two asset nodes based on the historical resource connection information.
In practice, the network interaction information between any two asset nodes can be determined from the network state information in each asset node's own attribute information, such as the network protocol used for data transmission and the network connection state between the two asset nodes; for the physical interaction information and the resource interaction information, the server can use connection states between asset nodes that are pre-stored in a preset information base, such as the connection state between a data cable and the server, or the historical connection states between developers and the database server.
It should be noted that the relationship between the network interaction information, the physical interaction information, and the resource interaction information may be understood as an and/or relationship, the server constructs corresponding path topology diagrams according to the obtained specific content of the interaction information between the asset nodes, and the constructed path topology diagrams may be different according to the difference of the obtained interaction information.
In the method for determining the target path provided in the embodiment of the present specification, the interaction information between asset nodes is determined according to the attribute information of each asset node, and then a path topology map is constructed according to the interaction information.
Step 204: constructing a path topology graph between the at least two asset nodes of the target network based on the interaction information.
The path topology graph may be understood as a network topology graph, and corresponding links in the topology graph may represent paths between asset nodes, that is, attack paths.
In practical application, after determining the interaction information among the asset nodes in the target network, the server may further construct a path topology graph of the target network according to the interaction information among the asset nodes, where the path topology graph includes the asset nodes and links generated by the asset nodes according to the interaction information.
Referring to fig. 3, fig. 3 is a schematic diagram illustrating a path topology diagram of a target path determination method provided by an embodiment of the present specification.
Fig. 3 includes two parts, part (a) and part (b), and each part includes asset node A, asset node B, asset node C, asset node D, asset node E, and asset node F.
In practice, after the server determines the attribute information of each asset node, a path topology graph is constructed from the interaction information determined between the asset nodes. It should be noted that the path topology graph may be a directed graph with directed relationships (for example, as shown in (a)) or a topology graph with only connection relationships (for example, as shown in (b)). Taking (a) in Fig. 3 as an example, a directed graph between the asset nodes is established, so that all target paths between any two asset nodes, that is, the attack paths a hacker could use, can subsequently be calculated on the basis of that directed graph.
Further, the path topology map is updated in real time according to the interaction information determined in real time from the target network.
In practice, the path topology graph of the target network generated by the server is not fixed: the interaction information among the asset nodes changes as the asset nodes of the target network change dynamically, so the path topology graph of the target network generated by the server can be updated in real time.
Step 206: and under the condition that a starting asset node and a target asset node are determined in the path topological graph, calculating all target paths between the starting asset node and the target asset node by using a traversal algorithm.
The starting asset node may be understood as a starting asset node attacked by a hacker in a target network, the target asset node may be understood as a terminating asset node attacked by the hacker in the target network, and it should be noted that the starting asset node and the target asset node may be any two of all asset nodes in the target network, which is not limited herein.
In practical application, under the condition that a starting asset node and a target asset node are determined in a path topological graph, a server can calculate all target paths between the starting asset node and the target asset node by using a traversal algorithm in the path topological graph, and further can ensure the comprehensiveness of possible attack paths between any two asset nodes on the basis of ensuring that the asset nodes in the path topological graph are relatively comprehensive.
The embodiment of the present specification provides a first target path determining method, which determines all target paths between any two asset nodes through association relationships between asset nodes in each topological graph; specifically, when a starting asset node and a target asset node are determined in the path topology map, all target paths between the starting asset node and the target asset node are calculated by using a traversal algorithm, including:
determining at least one path node from the path topology map associated with a starting asset node and a target asset node if the starting asset node and the target asset node are determined in the path topology map;
calculating all target paths between the starting asset node and the target asset node by using a traversal algorithm based on the association relation between each path node and the other nodes,
wherein the other nodes include other path nodes except each path node, a start asset node, and a target asset node.
In practice, taking a path topology graph with only association relations as an example, once the server has determined the starting asset node and the target asset node in the constructed path topology graph, it can directly determine at least one path node associated with them; the path nodes associated with the starting asset node and the target asset node may be understood as at least one asset node that has a link relation with the starting asset node and at least one asset node that has a link relation with the target asset node in the path topology graph. The server can then calculate all target paths between the starting asset node and the target asset node with a traversal algorithm based on the association relation between each path node and the other nodes; it should be noted that the other nodes mentioned above are the other path nodes besides each path node, the starting asset node and the target asset node.
For example, referring to the path topology graph of Fig. 3(b), asset node A is the starting asset node and asset node F is the target asset node; in the path topology graph, the path nodes associated with asset node A are determined to be asset node B and asset node D, and the path nodes associated with asset node F are asset node B, asset node C and asset node E. The association relations between asset node B and asset nodes E, D and C are then determined, and all target paths between asset node A and asset node F are calculated with a traversal algorithm: A-B-E-F, A-B-F, A-B-C-F and A-D-C-F.
The target path determining method provided by the embodiments of the present specification may determine an association relationship between path nodes by determining path nodes associated with the starting asset node and the target asset node, and then calculate all target paths between the starting asset node and the target asset node by using a traversal algorithm, and ensure that all attack paths that a hacker can attack are covered by using a path topological graph.
The embodiment of the present specification provides a second target path determining method, which determines all target paths between any two asset nodes through a directed relationship between asset nodes in each topological graph; specifically, when a starting asset node and a target asset node are determined in the path topology map, all target paths between the starting asset node and the target asset node are calculated by using a traversal algorithm, including:
determining at least one path node from the path topology map associated with a starting asset node and a target asset node if the starting asset node and the target asset node are determined in the path topology map;
establishing an adjacent node storage table among the starting asset node, the target asset node and the at least one path node based on the directed relationship between each path node and other nodes, wherein the other nodes comprise other path nodes except each path node, the starting asset node and the target asset node;
calculating all target paths between the starting asset node and the target asset node through a traversal algorithm based on the adjacent node storage table.
Here, the adjacent node storage table may be understood as a table of adjacent nodes generated from the path topology graph, in which the connection paths between nodes that have a directed relationship are recorded.
In practical application, take the path topology graph that includes directed relationships between asset nodes as an example. The server can determine not only the starting asset node and the target asset node in the constructed path topology graph, but also at least one path node associated with the starting asset node and the target asset node, and can then establish an adjacent node storage table among the starting asset node, the target asset node and the at least one path node based on the directed relationship between each path node and the other nodes. Taking the path topology graph in fig. 3 (A) as an example, the adjacent node storage table may contain the entries of the following table 1:
TABLE 1
Adjacent node sequence (fig. 3 (A), starting from asset node A)
A B
A B C
A B C F
A B E
A B E F
A D
A D C
A D C F
It should be noted that the other nodes mentioned in this embodiment include the path nodes other than the path node in question, the starting asset node and the target asset node. The server then calculates all target paths between the starting asset node and the target asset node through a traversal algorithm based on the adjacent node storage table.
The target path determining method provided in the embodiment of the present specification can thus also calculate all target paths between any two asset nodes by using the directed relationships between asset nodes in the path topology graph, so that, in a path topology graph with directed relationships, every possible attack path of a hacker is determined.
Further, said calculating all target paths between said starting asset node and said target asset node by a traversal algorithm based on said neighbor node storage table comprises:
determining at least one connection path between the starting asset node and the target asset node based on the incidence relation among the starting asset node, the target asset node and the at least one path node in the adjacent node storage table;
determining the at least one connection path from the starting asset node to the target asset node as all target paths between the starting asset node and the target asset node.
In practical application, the server can read the association relationships among the starting asset node, the target asset node and the at least one path node from the determined adjacent node storage table, and can thereby determine at least one connection path from the starting asset node to the target asset node. Continuing the above example, querying the adjacent node storage table with asset node A as the starting asset node and asset node F as the target asset node yields the connection paths A-B-C-F, A-B-E-F and A-D-C-F; these three connection paths are then determined as all target paths between starting asset node A and target asset node F. It should be noted that the traversal algorithm mentioned in this embodiment may be a depth-first traversal algorithm for directed graphs.
The target path determining method provided in the embodiment of the present specification establishes the corresponding adjacent node storage table from a path topology graph with directed relationships, determines at least one connection path between the starting asset node and the target asset node from it, and thereby determines all target paths that a hacker might attack along.
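The traversal described in this and the preceding embodiments (path nodes, adjacent node storage table, depth-first enumeration of all target paths), as an added Python example that is not part of the patent and not the applicant's code. The directed graph below is an assumption standing in for fig. 3 (A), chosen so that it reproduces the rows of table 1 and the three target paths A-B-C-F, A-B-E-F and A-D-C-F named in the text. The example goes one step beyond the text by re-running the same traversal on the association-only (undirected) version of the graph, which shows that dropping link direction adds paths the directed graph excludes.

```python
"""Enumerate all target paths between two asset nodes in a path topology graph.

Added illustration, not the patent's own code. The graph is a constructed
stand-in for fig. 3 (A): the figure itself is not reproduced on the page.
"""
from typing import Dict, List

# Constructed path topology graph with a directed relationship: node -> successors.
PATH_TOPOLOGY: Dict[str, List[str]] = {
    "A": ["B", "D"],
    "B": ["C", "E"],
    "C": ["F"],
    "D": ["C"],
    "E": ["F"],
    "F": [],
}


def path_nodes(graph: Dict[str, List[str]], start: str, target: str) -> set:
    """Path nodes associated with the start and target nodes: the direct
    successors of `start` plus the direct predecessors of `target`."""
    successors = set(graph.get(start, []))
    predecessors = {n for n, outs in graph.items() if target in outs}
    return successors | predecessors


def adjacent_node_storage_table(graph: Dict[str, List[str]], start: str,
                                target: str) -> List[List[str]]:
    """Depth-first traversal from `start`; every node sequence reached becomes a
    row, which is exactly how table 1 is laid out (A B, A B C, A B C F, ...)."""
    rows: List[List[str]] = []

    def dfs(path: List[str]) -> None:
        node = path[-1]
        if node == target:          # a row ending at the target is a complete path
            return
        for nxt in graph.get(node, []):
            if nxt in path:         # cycle guard: never revisit a node on the path
                continue
            rows.append(path + [nxt])
            dfs(path + [nxt])

    dfs([start])
    return rows


def all_target_paths(table: List[List[str]], start: str, target: str) -> List[str]:
    """Read the target paths off the storage table: rows from `start` to `target`."""
    return ["-".join(r) for r in table if r[0] == start and r[-1] == target]


def symmetrize(graph: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Turn a directed graph into an association-only graph (every link both ways)."""
    und: Dict[str, List[str]] = {n: [] for n in graph}
    for n, outs in graph.items():
        for m in outs:
            und.setdefault(m, [])
            if m not in und[n]:
                und[n].append(m)
            if n not in und[m]:
                und[m].append(n)
    return und


if __name__ == "__main__":
    table = adjacent_node_storage_table(PATH_TOPOLOGY, "A", "F")
    for row in table:
        print(" ".join(row))
    print("directed target paths:", all_target_paths(table, "A", "F"))
    und_table = adjacent_node_storage_table(symmetrize(PATH_TOPOLOGY), "A", "F")
    print("association-only target paths:", all_target_paths(und_table, "A", "F"))
```

The cycle guard (`nxt in path`) is what keeps the traversal finite on the association-only graph, where every link can be walked back; without it the undirected case would recurse forever. Note that the undirected run returns a fourth path, A-D-C-B-E-F, which the directed graph rules out because C has no link back to B.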
In addition, after determining all target paths between the starting asset node and the target asset node in the target network, the server can also perform sensitivity detection on all the target paths to determine whether the two asset nodes are able to defend against attacks; specifically, after the step of calculating all target paths between the starting asset node and the target asset node by using the traversal algorithm, the method further includes:
acquiring attribute information of each asset node in each target path;
determining a path detection strategy based on the attribute information of each asset node, and carrying out sensitive detection on each target path based on the path detection strategy;
and generating a sensitive detection report of all target paths between the starting asset node and the target asset node in the target network based on a sensitive detection result.
The path detection strategy may be understood as a detection scheme for the connection paths between the asset nodes; different anti-attack detection strategies are chosen according to attribute information such as the connection mode between asset nodes and the asset node type.
In practical application, after the server has determined all target paths between the starting asset node and the target asset node by the method of the above embodiments, it can acquire the attribute information of each asset node on each target path and thereby determine a path detection strategy for each target path. In order to protect each target path against network attacks more effectively, the server performs sensitivity detection on each target path according to its path detection strategy to assess the defensive capability along that path, derives the sensitivity detection result for each target path from the defensive capability found, and then generates, from these results, the sensitivity detection report for all target paths between the starting asset node and the target asset node in the target network.
It should be noted that the server may apply subsequent defensive measures to the different target paths according to the generated sensitivity detection report in order to address the security defense of the target network; the specific way in which defensive capability is improved is not limited in this embodiment.
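How a path detection strategy can be derived from node attributes and turned into a sensitivity detection report, as an added Python example that is not part of the patent and not the applicant's code. The node attributes, the mapping from connection mode to checks, the controls assumed to be in place, and the three target paths are all constructed inputs; the page leaves the concrete strategy open, so the checks below are illustrative names, not a prescribed scheme.

```python
"""Path detection strategy and sensitivity detection report for target paths.

Added illustration, not the patent's own code. Every table below is constructed.
"""
from typing import Dict, List

# Constructed attribute information: node type and the connection mode used by
# the link that leaves the node (the attributes the strategy is chosen from).
NODE_ATTRIBUTES: Dict[str, Dict[str, str]] = {
    "A": {"type": "workstation", "connection": "network"},
    "B": {"type": "vpn_gateway", "connection": "network"},
    "C": {"type": "bastion_host", "connection": "resource"},
    "D": {"type": "removable_media", "connection": "physical"},
    "E": {"type": "app_server", "connection": "network"},
    "F": {"type": "database", "connection": "network"},
}

# Assumed policy: which anti-attack checks a hop requires, by connection mode.
DETECTION_POLICY: Dict[str, List[str]] = {
    "network": ["firewall-rule-review", "ids-signature-coverage"],
    "physical": ["removable-media-control", "port-security"],
    "resource": ["credential-vault-audit", "privileged-session-logging"],
}

# Constructed detection findings: controls actually present at each source node.
CONTROLS_IN_PLACE: Dict[str, set] = {
    "A": {"firewall-rule-review", "ids-signature-coverage"},
    "B": {"firewall-rule-review", "ids-signature-coverage"},
    "C": {"credential-vault-audit", "privileged-session-logging"},
    "D": set(),
    "E": {"firewall-rule-review", "ids-signature-coverage"},
}

# The target paths found by the traversal step (constructed, matching fig. 3 (A)).
TARGET_PATHS = ["A-B-C-F", "A-B-E-F", "A-D-C-F"]


def path_detection_strategy(path: str) -> List[tuple]:
    """Per hop, pick the checks required by the source node's connection mode."""
    nodes = path.split("-")
    strategy = []
    for src, dst in zip(nodes, nodes[1:]):
        mode = NODE_ATTRIBUTES[src]["connection"]
        strategy.append((f"{src}->{dst}", mode, DETECTION_POLICY[mode]))
    return strategy


def detect_path(path: str) -> dict:
    """Run the strategy: a hop fails when a required check has no matching control."""
    hops = []
    for hop, mode, required in path_detection_strategy(path):
        src = hop.split("->")[0]
        missing = sorted(set(required) - CONTROLS_IN_PLACE.get(src, set()))
        hops.append({"hop": hop, "mode": mode, "missing": missing})
    return {"path": path, "defended": all(not h["missing"] for h in hops), "hops": hops}


def sensitivity_report(paths: List[str]) -> dict:
    """Aggregate the per-path results into the report for start/target pair."""
    results = [detect_path(p) for p in paths]
    return {
        "start": paths[0].split("-")[0],
        "target": paths[0].split("-")[-1],
        "paths": results,
        "undefended_paths": [r["path"] for r in results if not r["defended"]],
    }


if __name__ == "__main__":
    report = sensitivity_report(TARGET_PATHS)
    for r in report["paths"]:
        print(r["path"], "defended" if r["defended"] else "UNDEFENDED", r["hops"])
    print("undefended:", report["undefended_paths"])
```

Keying the strategy on the source node's connection mode is the design choice worth noting: the physical hop A-D then D-C is judged by removable-media and port controls rather than by network rules, which is what makes the non-networked device D show up as the weak point in the report.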
In summary, the target path determining method provided in the embodiments of the present description can ensure the completeness of the asset inventory by acquiring the asset nodes, including networked devices and non-networked devices, directly from the IT system; at the same time, building the topology graph does not rely on vulnerability information, so the topology graph of the network is built completely, and every path that a hacker might attack along can subsequently be covered in this complete topology graph.
The target path determining method is further described below, with reference to fig. 4, by taking its application to a network attack scenario as an example. Fig. 4 is a schematic diagram of the processing procedure of a target path determining method according to an embodiment of the present disclosure.
Fig. 4 includes a plurality of asset nodes, which are hacker, customer service, operation and maintenance staff, developer, bastion machine, domain control, postal service, VPN, application 1, application 2, application 3, application 4, application 5, application 6, application 7, application 9, automation release platform, configuration management platform, transaction management background, database-customer information, and database backup server, respectively; and the system also comprises a connecting link between the asset nodes, wherein the connecting link carries the directed relationship.
In practical application, the server may obtain the asset nodes directly from the asset library of the target network and determine the attribute information of each asset node in order to construct the path topology graph with directed relationships shown in fig. 4. When the hacker asset node is determined to be the starting asset node and the database-customer information node to be the target asset node, an adjacent node storage table can be established from the directed relationships in the path topology graph, and all possible target paths between the hacker and the database-customer information can be determined from the adjacent node storage table with a traversal algorithm; these target paths are all the attack paths the hacker could use.
Further, the server can also run attack simulation exercises over all the determined attack paths to check whether the defensive and detection capabilities can cope with the hacker's attack; the output of this approach covers every possible attack path of the hacker.
The target path determining method provided in the embodiments of the present description guarantees the comprehensiveness of asset nodes in a target network by directly obtaining attribute information of each asset node, and further calculates all attack paths between an initial asset node and a target asset node by using a traversal algorithm through a directed relationship between asset nodes in a path topology graph, so as to obtain the comprehensiveness of the attack paths.
Corresponding to the above method embodiment, the present specification further provides an embodiment of a target path determining apparatus, and fig. 5 shows a schematic structural diagram of a target path determining apparatus provided in an embodiment of the present specification. As shown in fig. 5, the apparatus includes:
an interaction information determining module 502 configured to obtain attribute information of at least two asset nodes in a target network, and determine interaction information between the at least two asset nodes based on the attribute information, wherein the interaction information includes network interaction information, physical interaction information, and resource interaction information;
a topology graph construction module 504 configured to construct a path topology graph between the at least two asset nodes of the target network based on the interaction information;
a path determination module 506 configured to calculate all target paths between a starting asset node and a target asset node using a traversal algorithm if the starting asset node and the target asset node are determined in the path topology graph.
Optionally, the interaction information determining module 502 is further configured to:
determining network status information of each asset node based on the attribute information, and determining network interaction information between the at least two asset nodes based on the network status information;
acquiring physical connection information of each asset node from a preset information base based on the attribute information, and determining physical interaction information between the at least two asset nodes based on the physical connection information; and/or
and determining historical resource connection information of each asset node from a preset information base based on the attribute information, and determining resource interaction information between the at least two asset nodes based on the historical resource connection information.
Optionally, the interaction information determining module 502 is further configured to:
at least two asset nodes are determined from an asset library of a target network, and attribute information of each asset node is acquired, wherein the asset nodes comprise networking devices and non-networking devices of the target network.
Optionally, the apparatus further includes an update control module:
the updating control module is configured to control the path topology map to update in real time according to the interaction information determined in real time from the target network.
Optionally, the path determining module 506 is further configured to:
determining at least one path node from the path topology map associated with a starting asset node and a target asset node if the starting asset node and the target asset node are determined in the path topology map;
calculating all target paths between the starting asset node and the target asset node by using a traversal algorithm based on the incidence relation between each path node and other nodes,
wherein the other nodes include other path nodes except each path node, a start asset node, and a target asset node.
Optionally, the path determining module 506 is further configured to:
determining at least one path node from the path topology map associated with a starting asset node and a target asset node if the starting asset node and the target asset node are determined in the path topology map;
establishing an adjacent node storage table among the starting asset node, the target asset node and the at least one path node based on directed relationships between each path node and other nodes, wherein the other nodes comprise other path nodes except each path node, the starting asset node and the target asset node;
calculating all target paths between the starting asset node and the target asset node through a traversal algorithm based on the adjacent node storage table.
Optionally, the path determining module 506 is further configured to:
determining at least one connection path between the starting asset node and the target asset node based on the incidence relation among the starting asset node, the target asset node and the at least one path node in the adjacent node storage table;
determining the at least one connection path from the starting asset node to the target asset node as all target paths between the starting asset node and the target asset node.
Optionally, the apparatus further comprises:
the path detection module is configured to acquire attribute information of each asset node in each target path;
determining a path detection strategy based on the attribute information of each asset node, and carrying out sensitive detection on each target path based on the path detection strategy;
and generating a sensitive detection report of all target paths between the starting asset node and the target asset node in the target network based on a sensitive detection result.
The target path determining device provided in the embodiments of the present description directly obtains attribute information of asset nodes in a target network, thereby determining interaction information between every two asset nodes and constructing a path topology map; after a starting asset node and a target asset node are determined in a path topological graph, a target path between the starting asset node and the target asset node is calculated by using a traversal algorithm, through the method, the possible attack relation between the asset nodes is determined, and all attack paths between any two asset nodes are calculated, so that the defects caused by determining a network attack path by using a historical attack case and experience are avoided, and the potential network attack path can be ensured not to be omitted, so that the obtained network attack path has comprehensiveness, and the subsequent network attack defense effect is improved.
The foregoing is an illustrative scheme of a target path determining apparatus according to this embodiment. It should be noted that the technical solution of the target path determining apparatus and the technical solution of the target path determining method belong to the same concept, and for details not described in the technical solution of the target path determining apparatus, reference may be made to the description of the technical solution of the target path determining method.
FIG. 6 illustrates a block diagram of a computing device 600 provided in accordance with one embodiment of the present description. The components of the computing device 600 include, but are not limited to, a memory 610 and a processor 620. The processor 620 is coupled to the memory 610 via a bus 630 and a database 650 is used to store data.
Computing device 600 also includes access device 640, which enables computing device 600 to communicate via one or more networks 660. Examples of such networks include the Public Switched Telephone Network (PSTN), a Local Area Network (LAN), a Wide Area Network (WAN), a Personal Area Network (PAN), or a combination of communication networks such as the Internet. Access device 640 may include one or more of any type of network interface (e.g., a Network Interface Card (NIC)), whether wired or wireless, such as an IEEE 802.11 Wireless Local Area Network (WLAN) wireless interface, a Worldwide Interoperability for Microwave Access (WiMAX) interface, an Ethernet interface, a Universal Serial Bus (USB) interface, a cellular network interface, a Bluetooth interface, a Near Field Communication (NFC) interface, and so forth.
In one embodiment of the present description, the above-described components of computing device 600, as well as other components not shown in FIG. 6, may also be connected to each other, such as by a bus. It should be understood that the block diagram of the computing device architecture shown in FIG. 6 is for purposes of example only and is not limiting as to the scope of the present description. Those skilled in the art may add or replace other components as desired.
Computing device 600 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., tablet, personal digital assistant, laptop, notebook, netbook, etc.), mobile phone (e.g., smartphone), wearable computing device (e.g., smartwatch, smartglasses, etc.), or other type of mobile device, or a stationary computing device such as a desktop computer or PC. Computing device 600 may also be a mobile or stationary server.
The processor 620 is configured to execute computer-executable instructions that, when executed by the processor, implement the steps of the target path determination method described above.
The above is an illustrative scheme of a computing device of the present embodiment. It should be noted that the technical solution of the computing device and the technical solution of the target path determining method belong to the same concept, and details that are not described in detail in the technical solution of the computing device can be referred to the description of the technical solution of the target path determining method.
An embodiment of the present specification also provides a computer-readable storage medium storing computer-executable instructions that, when executed by a processor, implement the steps of the above-described target path determination method.
The above is an illustrative scheme of a computer-readable storage medium of the present embodiment. It should be noted that the technical solution of the storage medium belongs to the same concept as the technical solution of the target path determining method, and for details that are not described in detail in the technical solution of the storage medium, reference may be made to the description of the technical solution of the target path determining method.
An embodiment of the present specification further provides a computer program, wherein when the computer program is executed in a computer, the computer is caused to execute the steps of the target path determining method.
The above is an illustrative scheme of a computer program of the present embodiment. It should be noted that the technical solution of the computer program and the technical solution of the target path determining method belong to the same concept, and details that are not described in detail in the technical solution of the computer program can be referred to the description of the technical solution of the target path determining method.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The computer instructions comprise computer program code, which may be in the form of source code, object code, an executable file, some intermediate form, or the like. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB disk, a removable hard disk, a magnetic disk, an optical disk, computer memory, Read-Only Memory (ROM), Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, a software distribution medium, and the like. It should be noted that the content of the computer-readable medium may be added to or reduced as required by legislation and patent practice in a given jurisdiction; for example, in some jurisdictions, computer-readable media may not include electrical carrier signals or telecommunication signals in accordance with legislation and patent practice.
It should be noted that, for the sake of simplicity, the foregoing method embodiments are described as a series of acts, but those skilled in the art should understand that the present embodiment is not limited by the described acts, because some steps may be performed in other sequences or simultaneously according to the present embodiment. Furthermore, those skilled in the art will appreciate that the embodiments described in this specification are presently preferred and that no acts or modules are required in the implementations of the disclosure.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
The preferred embodiments of the present specification disclosed above are intended only to aid in the description of the specification. Alternative embodiments are not exhaustive and do not limit the invention to the precise embodiments described. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the embodiments and the practical application, to thereby enable others skilled in the art to best understand and utilize the embodiments. The specification is limited only by the claims and their full scope and equivalents.

Claims (11)

1. A target path determination method, comprising:
acquiring attribute information of at least two asset nodes in a target network, and determining interaction information between the at least two asset nodes based on the attribute information, wherein the interaction information comprises network interaction information, physical interaction information and/or resource interaction information;
constructing a path topology graph between the at least two asset nodes of the target network based on the interaction information;
and under the condition that a starting asset node and a target asset node are determined in the path topological graph, calculating all target paths between the starting asset node and the target asset node by using a traversal algorithm.
2. The target path determination method of claim 1, the determining interaction information between the at least two asset nodes based on the attribute information, comprising:
determining network status information of each asset node based on the attribute information, and determining network interaction information between the at least two asset nodes based on the network status information;
acquiring physical connection information of each asset node from a preset information base based on the attribute information, and determining physical interaction information between the at least two asset nodes based on the physical connection information; and/or
and determining historical resource connection information of each asset node from a preset information base based on the attribute information, and determining resource interaction information between the at least two asset nodes based on the historical resource connection information.
3. The target path determination method according to claim 1 or 2, wherein the obtaining attribute information of at least two asset nodes in the target network comprises:
at least two asset nodes are determined from an asset library of a target network, and attribute information of each asset node is acquired, wherein the asset nodes comprise networking devices and non-networking devices of the target network.
4. The method of claim 1, wherein the path topology map is updated in real time based on interaction information determined in real time from the target network.
5. The target path determination method of claim 1, wherein in the case of determining a starting asset node and a target asset node in the path topology graph, calculating all target paths between the starting asset node and the target asset node using a traversal algorithm comprises:
determining at least one path node from the path topology map associated with a starting asset node and a target asset node if the starting asset node and the target asset node are determined in the path topology map;
calculating all target paths between the starting asset node and the target asset node by using a traversal algorithm based on the incidence relation between each path node and other nodes,
wherein the other nodes include other path nodes except each path node, a start asset node, and a target asset node.
6. The target path determination method of claim 1, wherein in the case of determining a starting asset node and a target asset node in the path topology graph, calculating all target paths between the starting asset node and the target asset node using a traversal algorithm comprises:
determining at least one path node from the path topology map associated with a starting asset node and a target asset node if the starting asset node and the target asset node are determined in the path topology map;
establishing an adjacent node storage table among the starting asset node, the target asset node and the at least one path node based on directed relationships between each path node and other nodes, wherein the other nodes comprise other path nodes except each path node, the starting asset node and the target asset node;
calculating all target paths between the starting asset node and the target asset node through a traversal algorithm based on the adjacent node storage table.
7. The target path determination method of claim 6, the calculating all target paths between the starting asset node and the target asset node by a traversal algorithm based on the adjacency node storage table, comprising:
determining at least one connection path between the starting asset node and the target asset node based on the incidence relation among the starting asset node, the target asset node and the at least one path node in the adjacent node storage table;
determining the at least one connection path from the starting asset node to the target asset node as all target paths between the starting asset node and the target asset node.
8. The target path determination method of claim 1, after calculating all target paths between the starting asset node and the target asset node using a traversal algorithm, further comprising:
acquiring attribute information of each asset node in each target path;
determining a path detection strategy based on the attribute information of each asset node, and carrying out sensitive detection on each target path based on the path detection strategy;
and generating a sensitive detection report of all target paths between the starting asset node and the target asset node in the target network based on a sensitive detection result.
9. A target path determination apparatus comprising:
the system comprises an interaction information determining module, a resource interaction determining module and a resource interaction determining module, wherein the interaction information determining module is configured to acquire attribute information of at least two asset nodes in a target network and determine interaction information between the at least two asset nodes based on the attribute information, and the interaction information comprises network interaction information, physical interaction information and resource interaction information;
a topology graph construction module configured to construct a path topology graph between the at least two asset nodes of the target network based on the interaction information;
a path determination module configured to calculate all target paths between a starting asset node and a target asset node using a traversal algorithm if the starting asset node and the target asset node are determined in the path topology map.
10. A computing device, comprising:
a memory and a processor;
the memory is for storing computer-executable instructions, and the processor is for executing the computer-executable instructions, which when executed by the processor, perform the steps of the target path determination method of any one of claims 1 to 8.
11. A computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the steps of the target path determination method of any one of claims 1 to 8.
CN202210265392.9A 2022-03-17 2022-03-17 Target path determination method and device Pending CN114615066A (en)

Publications (1)

Publication Number Publication Date
CN114615066A (en) 2022-06-10

Family

ID=81865891

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210265392.9A Pending CN114615066A (en) 2022-03-17 2022-03-17 Target path determination method and device

Country Status (1)

Country Link
CN (1) CN114615066A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210234832A1 (en) * 2014-05-12 2021-07-29 Tocmail Inc Computer Security System and Method Based on User-Intended Final Destination
CN115865783A (en) * 2022-11-22 2023-03-28 中国联合网络通信集团有限公司 Method and device for determining target node and computer readable storage medium

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102185706A (en) * 2011-04-13 2011-09-14 北京航空航天大学 Method for generating IEEE1394 (Institute of Electrical and Electronics Engineers 1394) network topological graph
KR20140115574A (en) * 2013-03-21 2014-10-01 전자부품연구원 Wireless Sensor Network Security Method with Security Attack Detection and Security System using the same
US20150381649A1 (en) * 2014-06-30 2015-12-31 Neo Prime, LLC Probabilistic Model For Cyber Risk Forecasting
CN105871882A (en) * 2016-05-10 2016-08-17 国家电网公司 Network-security-risk analysis method based on network node vulnerability and attack information
CN107040552A (en) * 2017-06-13 2017-08-11 上海斗象信息科技有限公司 Network attack path Forecasting Methodology
US20170359222A1 (en) * 2016-06-09 2017-12-14 Honeywell International Inc. Automation network topology determination for c&i systems
CN108462587A (en) * 2017-02-20 2018-08-28 中兴通讯股份有限公司 A kind of network topology treating method and apparatus
US20190215266A1 (en) * 2018-01-09 2019-07-11 Cisco Technology, Inc. Segment-routing multiprotocol label switching end-to-end dataplane continuity
CN112039703A (en) * 2020-08-28 2020-12-04 迈普通信技术股份有限公司 Path determining method, device, equipment and readable storage medium
KR20210074891A (en) * 2019-12-12 2021-06-22 국방과학연구소 Method and apparatus for predicting attack target based on attack graph
CN113067728A (en) * 2021-03-17 2021-07-02 中国人民解放军海军工程大学 Network security attack and defense test platform
CN113452561A (en) * 2021-06-25 2021-09-28 深信服科技股份有限公司 Topology generation method, device and equipment and readable storage medium
CN113824680A (en) * 2021-07-26 2021-12-21 北京墨云科技有限公司 Network security analysis method and device, computer equipment and storage medium
WO2022021860A1 (en) * 2020-07-29 2022-02-03 山东英信计算机技术有限公司 Multi-node network topology management method and apparatus, and electronic device and storage medium
US20220046048A1 (en) * 2020-08-06 2022-02-10 Electronics And Telecommunications Research Institute Method and apparatus for predicting attack vulnerability of computer network

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20210234832A1 (en) * 2014-05-12 2021-07-29 Tocmail Inc Computer Security System and Method Based on User-Intended Final Destination
CN115865783A (en) * 2022-11-22 2023-03-28 中国联合网络通信集团有限公司 Method and device for determining target node and computer readable storage medium
CN115865783B (en) * 2022-11-22 2024-04-09 中国联合网络通信集团有限公司 Method and device for determining target node and computer readable storage medium

Similar Documents

Publication Publication Date Title
Wu et al. A hierarchical security framework for defending against sophisticated attacks on wireless sensor networks in smart cities
Gonzalez-Granadillo et al. Dynamic risk management response system to handle cyber threats
CN114615066A (en) Target path determination method and device
US8825838B2 (en) Identification of business process application service groups
Cintuglu et al. Secure distributed state estimation for networked microgrids
CN102724208B (en) For controlling the system and method for the access to Internet resources
Chu et al. Penetration testing for internet of things and its automation
Jajodia et al. An integrated framework for cyber situation awareness
CN111935167A (en) Illegal external connection detection method, device, equipment and storage medium for industrial control
CN112769797A (en) Safety defense system and method for closed-source power engineering control system
Sen et al. On using contextual correlation to detect multi-stage cyber attacks in smart grids
Arat et al. Attack path detection for IIoT enabled cyber physical systems: Revisited
CN111614659B (en) Distributed detection method for unknown network flow
Madhu et al. IoT Network Attack Severity Classification
Lee et al. AI-based network security enhancement for 5G industrial Internet of things environments
Kumar et al. Detection and prevention of profile cloning in online social networks
Grottke et al. On the efficiency of sampling and countermeasures to critical-infrastructure-targeted malware campaigns
Yermalovich et al. Formalization of attack prediction problem
CN116208416A (en) Attack link mining method and system for industrial Internet
Sakr et al. Mechanisms of system penetration
Liatifis et al. Dynamic risk assessment and certification in the power grid: a collaborative approach
Sen et al. On holistic multi-step cyberattack detection via a graph-based correlation approach
CN111031068B (en) DNS analysis method based on complex network
Rishu et al. Enhancing exfiltration path analysis using reinforcement learning
Mlot et al. Towards a testbed for critical industrial systems: SunSpec protocol on DER systems as a case study

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination