CN115225338B - Knowledge graph-based vulnerability association graph generation method and storage medium - Google Patents


Info

Publication number
CN115225338B
CN115225338B
Authority
CN
China
Prior art keywords
vulnerability
graph
node
data
nodes
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210742246.0A
Other languages
Chinese (zh)
Other versions
CN115225338A (en)
Inventor
谭小彬
程进燕
彭闯
姜晓枫
施钱宝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Artificial Intelligence of Hefei Comprehensive National Science Center
Original Assignee
Institute of Artificial Intelligence of Hefei Comprehensive National Science Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Artificial Intelligence of Hefei Comprehensive National Science Center
Priority to CN202210742246.0A
Publication of CN115225338A
Application granted
Publication of CN115225338B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1433 Vulnerability analysis
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/12 Discovery or management of network topologies
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/14 Network analysis or design > H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to a knowledge-graph-based vulnerability association graph generation method and a storage medium. The method comprises: acquiring original vulnerability information and actual network data and performing data preprocessing; constructing a vulnerability knowledge graph according to a pre-designed vulnerability knowledge graph ontology model; and generating a vulnerability association graph according to a preset vulnerability association graph generation algorithm, the vulnerability association graph being used for subsequent vulnerability association evaluation, vulnerability repair and vulnerability management. The method uses a knowledge graph to organize and store the data; the graphical storage of the knowledge graph displays the association relationships between vulnerabilities intuitively and addresses the poor visualization and poor readability of a vulnerability database. The entities and relationships of the knowledge graph organize the data through the relationships between attacks, between attacks and vulnerabilities, and between vulnerabilities, yielding the association relationships of vulnerabilities in the ideal state and thereby enabling efficient organization of and reasoning over vulnerability-related data.

Description

Knowledge graph-based vulnerability association graph generation method and storage medium
Technical Field
The application relates to the technical field of network security, in particular to a vulnerability association graph generation method based on a knowledge graph and a storage medium.
Background
Research on how to better manage and repair vulnerabilities has become a focus of the security field. Evaluating how harmful different vulnerabilities are, so that an enterprise can prioritize vulnerability repair and put its limited resources into fixing the high-harm vulnerabilities that are easier to attack and that cause more serious consequences and losses once attacked, is the pain point of research and repair work.
The Common Vulnerability Scoring System (CVSS) from the United States is the vulnerability assessment system commonly used in the industry at present, but it assesses the harmfulness of a single vulnerability only from the technical level and does not consider the association relationships among vulnerabilities.
It is therefore necessary to study the association evaluation of vulnerabilities when evaluating how dangerous a vulnerability is. With the improvement of network defense capability, an intrusion objective can hardly be achieved by a single-step attack alone, and multi-step attacks have become the main means of network attack. A multi-step attack is usually composed of a series of typical single-step attack means, and it exploits the association relationships among different vulnerabilities in the course of the attack.
Before research on the association evaluation of vulnerabilities, the association relationship between vulnerabilities (i.e., the utilization sequence relationship of vulnerabilities in multi-step attacks) needs to be obtained. The vulnerability association graph can establish a relatively complete vulnerability attack model, and can reflect association relations of all vulnerability nodes in the system on an attack path.
The current mainstream vulnerability association graph generation method is to generate an attack graph with a traditional attack graph generation algorithm and then simplify the attack graph into a vulnerability association graph according to vulnerability association rules. The common vulnerability association rule is a privilege escalation rule, i.e. the privileges the attacker holds on the victim host are compared before and after exploiting the vulnerability.
The quality of a vulnerability association graph generated this way depends not only on the quality of the attack graph generation algorithm but also on the defined vulnerability association rules, so more errors are introduced. Moreover, the association rules among vulnerabilities are defined manually, so the association relationships among vulnerabilities have poor interpretability, and the process of simplifying the attack graph into the vulnerability association graph wastes resources.
Traditional vulnerability association evaluation data are stored in a vulnerability database, where vulnerabilities, vulnerability attributes and the association relationships among vulnerabilities are expressed as text. The information is poorly visualized and hard to read, potential correlations among vulnerabilities are hard to express intuitively, the accuracy of a generated vulnerability association graph is hard to judge, and the vulnerability evaluation process is poorly interpretable.
The United States National Vulnerability Database (NVD), shown in fig. 1, associates vulnerabilities (CVE entries) with the weaknesses (CWE entries) they instantiate, and the Common Attack Pattern Enumeration and Classification (CAPEC), shown in fig. 2, associates attack patterns with the weaknesses they can exploit. First, the Relationships field of the CAPEC data set is used to associate attacks with one another, giving the attack sequence of a multi-step attack; the Related Weaknesses field of the CAPEC data set is used to associate attacks with weaknesses, giving the weaknesses exploited in the multi-step attack; then the vulnerability-to-weakness relationship in the NVD data set is used to associate weaknesses with vulnerabilities, giving the exploitation order of vulnerabilities in the multi-step attack, i.e. the vulnerability association relationship in the ideal state.
Disclosure of Invention
The knowledge-graph-based vulnerability association graph generation method provided by the application addresses the technical problems described above.
In order to achieve the above purpose, the present application adopts the following technical scheme:
a knowledge-graph-based vulnerability association graph generation method, which comprises the following steps:
S1, acquiring original vulnerability information, acquiring actual network data of the network to be evaluated, extracting the data required by the evaluation scheme, and performing data preprocessing;
S2, constructing a vulnerability knowledge graph based on the data obtained in step S1 and according to a pre-designed vulnerability knowledge graph ontology model;
S3, based on the vulnerability knowledge graph constructed in step S2, generating a vulnerability association graph according to a preset vulnerability association graph generation algorithm, the vulnerability association graph being used for subsequent vulnerability association evaluation, vulnerability repair and vulnerability management.
Further, in step S1, the original vulnerability information includes the raw data of the United States National Vulnerability Database (NVD) data set in json format, the Common Attack Pattern Enumeration and Classification (CAPEC) data set in csv format, and the China National Information Security Vulnerability Sharing Platform (CNVD) data set in xml format;
the actual network data comprises a network topology structure, network node vulnerability scanning information and network node asset importance information.
Further, the data preprocessing includes preprocessing the collected raw data of the NVD data set (json), the CAPEC data set (csv) and the CNVD data set (xml), extracting the data required for evaluation, including the vulnerability CVE number, the vulnerability CWE number, the attack pattern number, Related Relationships, Related Weaknesses and the like, and generating the corresponding csv files, so that the construction algorithm can import the data into the graph database conveniently;
the data preprocessing also preprocesses the acquired actual network data to obtain the network node relation matrix, the network node vulnerability relationships and the network node asset importance information, and generates a csv file of the network nodes and their corresponding vulnerabilities, so that the construction algorithm can import the data into the graph database conveniently.
Further, the constructing the vulnerability knowledge graph includes:
The first step: design the vulnerability knowledge graph ontology model. The ontology comprises four classes: assets, vulnerabilities, weaknesses and attacks. The relationships comprise five classes: affects (vulnerability pointing to asset), related (vulnerability pointing to its weakness), utilize (attack pointing to weakness), childOf (the previous step of a multi-step attack pointing to the next step) and peerOf (attack pointing to a peer attack). The properties of the asset (the node on which a vulnerability is located) include the price of the asset and the role the asset plays in the network (client/server); both properties reflect the importance of the asset;
and a second step of: selecting a graph database;
The third step: design the vulnerability knowledge graph construction algorithm, which organizes the vulnerability data set data, the network node set, the network node vulnerability relation matrix and the network node asset importance attributes produced by the data preprocessing module according to the vulnerability knowledge graph ontology model. The construction algorithm of the vulnerability knowledge graph construction module uses the Python Py2Neo library to operate Neo4j and so constructs and stores the vulnerability knowledge graph.
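The following is an added example, not code from the patent, showing how the related/utilize/childOf relations of the ontology above can be populated from NVD json and CAPEC csv records and then used for the ideal-state inference described in the background (attack sequence from CAPEC relationships, weaknesses from Related Weaknesses, vulnerabilities from the NVD CWE link). It builds the graph in memory instead of loading it into Neo4j through Py2Neo as the construction module does. The sample records, the csv column formats, and every CVE/CWE/CAPEC identifier are constructed for the example.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed NVD-feed-style item (trimmed): each CVE carries its CWE ids
# under problemtype.  The identifiers are placeholders, not real entries.
NVD_JSON = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"},
             "problemtype": {"problemtype_data": [
                 {"description": [{"value": "CWE-79"}]}]}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"},
             "problemtype": {"problemtype_data": [
                 {"description": [{"value": "CWE-20"}]}]}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"},
             "problemtype": {"problemtype_data": [
                 {"description": [{"value": "CWE-79"}, {"value": "CWE-20"}]}]}}},
]})

# Constructed CAPEC csv rows.  The '::'-delimited list format of the two
# "Related ..." columns is an assumption of this example.
CAPEC_CSV = """ID,Name,Related Attack Patterns,Related Weaknesses
1,Pattern A,::NATURE:CanPrecede:CAPEC ID:2::,::79::
2,Pattern B,::NATURE:CanFollow:CAPEC ID:3::,::20::
3,Pattern C,,::79::
"""


def parse_nvd(text):
    """CVE id -> list of CWE ids, read from the feed's problemtype block."""
    out = {}
    for item in json.loads(text)["CVE_Items"]:
        cve = item["cve"]
        cwes = [d["value"]
                for pt in cve["problemtype"]["problemtype_data"]
                for d in pt["description"]]
        out[cve["CVE_data_meta"]["ID"]] = cwes
    return out


def _split_list(field):
    return [x for x in field.split("::") if x]


def parse_capec(text):
    """CAPEC id -> ([(nature, other CAPEC id)], [CWE ids])."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        rels = []
        for entry in _split_list(row["Related Attack Patterns"]):
            parts = entry.split(":")      # NATURE:<nature>:CAPEC ID:<id>
            rels.append((parts[1], "CAPEC-" + parts[3]))
        cwes = ["CWE-" + w for w in _split_list(row["Related Weaknesses"])]
        out["CAPEC-" + row["ID"]] = (rels, cwes)
    return out


def build_edges(nvd, capec):
    """Typed triples following the ontology: related, utilize, childOf."""
    edges = []
    for cve, cwes in nvd.items():
        edges += [(cve, "related", cwe) for cwe in cwes]
    for pattern, (rels, cwes) in capec.items():
        edges += [(pattern, "utilize", cwe) for cwe in cwes]
        for nature, other in rels:
            if nature == "CanPrecede":    # pattern is the step before other
                edges.append((pattern, "childOf", other))
            elif nature == "CanFollow":   # other is the step before pattern
                edges.append((other, "childOf", pattern))
    return edges


def infer_ideal_associations(edges):
    """Ideal-state (earlier CVE, later CVE) pairs obtained by chaining
    childOf (attack -> next attack) -> utilize (attack -> CWE) -> related (CVE -> CWE)."""
    by_rel = defaultdict(lambda: defaultdict(set))
    for src, rel, dst in edges:
        by_rel[rel][src].add(dst)
    cves_of_cwe = defaultdict(set)
    for cve, cwes in by_rel["related"].items():
        for cwe in cwes:
            cves_of_cwe[cwe].add(cve)
    pairs = set()
    for first, nexts in by_rel["childOf"].items():
        for second in nexts:
            for cwe_a in by_rel["utilize"][first]:
                for cwe_b in by_rel["utilize"][second]:
                    for va in cves_of_cwe[cwe_a]:
                        for vb in cves_of_cwe[cwe_b]:
                            if va != vb:
                                pairs.add((va, vb))
    return pairs


if __name__ == "__main__":
    graph = build_edges(parse_nvd(NVD_JSON), parse_capec(CAPEC_CSV))
    for pair in sorted(infer_ideal_associations(graph)):
        print("%s is exploited before %s" % pair)
```

The inferred pairs are the "ideal state" relation the description speaks of: they say only that a CWE-level attack sequence exists between the two CVEs, with no regard to whether the hosts carrying them are reachable from one another; the network topology is applied later, by the association graph generation algorithm.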
Further, the generating of the vulnerability association graph includes:
the vulnerability association graph is generated from the vulnerability knowledge graph, the adjacency matrix of the actual network nodes and the network node vulnerability relationships, using the designed vulnerability association graph generation algorithm;
the vulnerability association graph generation algorithm obtains the relationships between nodes and between nodes and vulnerabilities from the actual network data, traverses the nodes and the vulnerabilities on them, queries the node relationship data to decide whether the nodes carrying two vulnerabilities are associated, and queries the vulnerability knowledge graph to decide whether an attack step relationship exists between the two vulnerabilities, thereby generating the vulnerability association graph.
Further, the generating of the vulnerability association graph includes:
The first step: acquire the node set, vulnerability set, network node adjacency matrix and network node vulnerability relation matrix produced by the data preprocessing module. From the actual network topology the network node set Nodes is obtained: [host1, host2, host3, host4, host5], together with the network node adjacency matrix Nodes_Adjacent of the network: Nodes_Adjacent[i][j] = 1 means that the (i+1)-th node and the (j+1)-th node in Nodes are adjacent, and Nodes_Adjacent[i][j] = 0 means that they are not adjacent. When the node vulnerability scanning information shows that vulnerability vul1 exists on host1, vulnerabilities vul1 and vul2 exist on host2, vulnerability vul3 exists on host3, vulnerability vul4 exists on host4 and vulnerability vul4 exists on host5, the vulnerability set Vuls is obtained: [vul1, vul2, vul3, vul4], and the network node vulnerability relation matrix Nodes_Vuls (rows host1 to host5, columns vul1 to vul4) is:
[[1, 0, 0, 0],
 [1, 1, 0, 0],
 [0, 0, 1, 0],
 [0, 0, 0, 1],
 [0, 0, 0, 1]]
Nodes_Vuls[i][j] = 1 means that the (j+1)-th vulnerability in Vuls exists on the (i+1)-th node in Nodes;
The second step: generate the host:vulnerability vertices. Traverse the network node set Nodes and the vulnerability set Vuls, query the network node vulnerability relation matrix Nodes_Vuls to decide whether the j-th vulnerability exists on the i-th network node, and if so generate the vertex Nodes[i]:Vuls[j];
The third step: create the association edges between the host:vulnerability vertices (n is the number of nodes, m the number of vulnerabilities):
(1) Traverse the rows of the node adjacency matrix Nodes_Adjacent; the i-th row/column corresponds to the i-th node of the node set;
(2) For the i-th row, if i = n, the traversal is finished and the vulnerability association graph is output; otherwise traverse the columns j >= i of the node adjacency matrix, starting from j = i;
(3) Traverse the vulnerability set from i_vul = 0 for the i-th node; if i_vul < m, the traversal is not finished, execute step (4); otherwise j+1 and jump to step (7);
(4) Traverse the vulnerability set from j_vul = 0 for the j-th node; if j_vul < m, the traversal is not finished, execute step (5); otherwise i_vul+1 and jump to step (3);
(5) Query the node vulnerability relation matrix Nodes_Vuls; if the i_vul-th vulnerability exists on the i-th node and the j_vul-th vulnerability exists on the j-th node at the same time, execute step (6); otherwise j_vul+1 and jump to step (4);
(6) Query the vulnerability knowledge graph; if vulnerability Vuls[i_vul] and vulnerability Vuls[j_vul] have an attack step relationship in the vulnerability knowledge graph, connect a directed edge between the vertices Nodes[i]:Vuls[i_vul] and Nodes[j]:Vuls[j_vul] in the vulnerability association graph, the direction of the edge being the direction between the attack patterns a1 and a2 associated in the knowledge graph with Vuls[i_vul] and Vuls[j_vul] respectively, then j_vul+1 and jump to step (4); otherwise j_vul+1 directly and jump to step (4);
(7) If j < n, query the node adjacency matrix, and if the i-th node is adjacent to the j-th node jump to step (3), otherwise j+1 and jump to step (7); if j = n, i+1 and jump to step (2).
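An added example, not code from the patent, implementing the third-step traversal above in plain Python for the five-host, four-vulnerability case the description uses. Nodes_Vuls is exactly what the description states; the adjacency matrix (which the page gives only in a figure), the ideal-state attack-step relation that stands in for the knowledge-graph query, and the asset importance values are all assumed for this example. The edge weight follows the description's later definition (the average of the importance of the two assets carrying the connected vulnerabilities), and the loop is read as considering j = i unconditionally and j > i only when the two nodes are adjacent.

```python
NODES = ["host1", "host2", "host3", "host4", "host5"]
VULS = ["vul1", "vul2", "vul3", "vul4"]

NODES_VULS = [           # rows = NODES, columns = VULS (as stated in the description)
    [1, 0, 0, 0],        # host1: vul1
    [1, 1, 0, 0],        # host2: vul1, vul2
    [0, 0, 1, 0],        # host3: vul3
    [0, 0, 0, 1],        # host4: vul4
    [0, 0, 0, 1],        # host5: vul4
]

NODES_ADJACENT = [       # assumed topology: host1-host2-host3, host3-host4, host3-host5
    [1, 1, 0, 0, 0],
    [1, 1, 1, 0, 0],
    [0, 1, 1, 1, 1],
    [0, 0, 1, 1, 0],
    [0, 0, 1, 0, 1],
]

# Assumed ideal-state relation taken from the knowledge graph: (a, b) means the
# attack pattern exploiting a is the step before the one exploiting b.
ATTACK_STEP = {("vul1", "vul2"), ("vul2", "vul3"), ("vul3", "vul4")}

# Assumed asset importance per host (the page derives it from price and role).
IMPORTANCE = {"host1": 0.2, "host2": 0.5, "host3": 0.8, "host4": 1.0, "host5": 0.6}


def kg_attack_step(va, vb, steps=ATTACK_STEP):
    """Stand-in for the knowledge-graph query of step (6): the ordered pair
    (earlier, later) if va and vb are consecutive attack steps, else None."""
    if (va, vb) in steps:
        return va, vb
    if (vb, va) in steps:
        return vb, va
    return None


def generate_vertices(nodes=NODES, vuls=VULS, nodes_vuls=NODES_VULS):
    """Second step: one host:vulnerability vertex per 1 in Nodes_Vuls."""
    return ["%s:%s" % (nodes[i], vuls[j])
            for i in range(len(nodes)) for j in range(len(vuls))
            if nodes_vuls[i][j]]


def generate_association_graph(nodes=NODES, vuls=VULS, adjacent=NODES_ADJACENT,
                               nodes_vuls=NODES_VULS, steps=ATTACK_STEP,
                               importance=IMPORTANCE):
    """Third step: directed edges keyed (source vertex, target vertex) with
    weight = mean importance of the two assets."""
    n, m = len(nodes), len(vuls)
    edges = {}
    for i in range(n):                                  # steps (1)/(2): rows
        for j in range(i, n):                           # columns j >= i
            if j != i and not adjacent[i][j]:           # step (7): adjacency check
                continue
            for i_vul in range(m):                      # step (3)
                for j_vul in range(m):                  # step (4)
                    if not (nodes_vuls[i][i_vul] and nodes_vuls[j][j_vul]):
                        continue                        # step (5): both must exist
                    order = kg_attack_step(vuls[i_vul], vuls[j_vul], steps)
                    if order is None:
                        continue                        # step (6): no relation
                    # Orient the edge the way the attack patterns are ordered.
                    src, dst = (nodes[i], vuls[i_vul]), (nodes[j], vuls[j_vul])
                    if order[0] != vuls[i_vul]:
                        src, dst = dst, src
                    weight = (importance[src[0]] + importance[dst[0]]) / 2
                    edges[("%s:%s" % src, "%s:%s" % dst)] = weight
    return edges


if __name__ == "__main__":
    print("vertices:", generate_vertices())
    for (src, dst), w in sorted(generate_association_graph().items()):
        print("%s -> %s  weight %.2f" % (src, dst, w))
```

Keying the edges by (source, target) collapses the duplicate that the j = i case would otherwise produce, since the same host pair is visited with i_vul and j_vul swapped; a reviewer checking the output against the knowledge graph can confirm each edge by looking up the single attack-step pair that produced it.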
In another aspect, the application also discloses a computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the method as described above.
According to the technical scheme, a vulnerability association graph generation method based on a vulnerability knowledge graph is provided: the vulnerabilities of the NVD data set, the weaknesses and attacks of the CAPEC data set, and the relationships among them are organized in a vulnerability knowledge graph and stored visually, so that the association relationships of vulnerabilities in the ideal state are obtained. Asset information and vulnerability information of the actual network nodes are then combined, using the asset entities and vulnerability entities of the vulnerability knowledge graph, to associate vulnerabilities with nodes (assets). Finally, the node adjacency matrix and node vulnerability relation matrix obtained from the actual network topology and vulnerability scanning data are traversed, and the vulnerability knowledge graph is queried for attack step relationships among vulnerabilities, to generate the vulnerability association graph corresponding to the actual network. This lays the foundation for the subsequent association evaluation of vulnerabilities.
The knowledge-graph-based vulnerability association graph generation method uses a knowledge graph to organize and store the data; the graphical storage of the knowledge graph displays the association relationships among vulnerabilities intuitively and addresses the poor visualization and poor readability of a vulnerability database. The entities and relationships of the knowledge graph organize the data through the relationships between attacks, between attacks and vulnerabilities, and between vulnerabilities, yielding the association relationships of vulnerabilities in the ideal state and thereby enabling efficient organization of and reasoning over vulnerability-related data.
When the knowledge graph is constructed, a vulnerability knowledge graph is first built from the structured knowledge acquired from the NVD, CNVD and CAPEC data sets; then asset (node) entities are generated from the node information, asset information and information on the security protection measures installed and deployed in the network system, completing the vulnerability knowledge graph. The association relationships among vulnerabilities inferred from the data sets are the vulnerability association relationships in the ideal state, which assumes that the system is infinitely large and the vulnerabilities are infinitely many. Finally, based on the ideal-state vulnerability association relationships in the knowledge graph and combined with the actual network topology, the vulnerability association graph corresponding to the actual network is generated.
In general, the application uses the knowledge graph to fully mine the relationships among the existing typical databases on the basis of the NVD and CAPEC data sets, obtains the vulnerability association relationships in the ideal state, and generates the vulnerability association graph directly by combining the actual network topology and the vulnerability scanning data. It does not need a conventional attack graph generation algorithm or vulnerability association rules, and so reduces the errors and resource waste introduced by the conventional vulnerability association graph generation process. Moreover, the vulnerability knowledge graph displays the association relationships of vulnerabilities visually, so whether an association exists between adjacent vulnerabilities in the generated vulnerability association graph can be verified in the knowledge graph, and how the adjacent vulnerabilities are associated can be seen clearly, improving the quality of the vulnerability association graph generation algorithm and the interpretability of the association graph.
Drawings
FIG. 1 is an example from the National Vulnerability Database (NVD), where CVE_data_meta is the CVE number identifying the vulnerability and problemtype is the weakness (CWE) related to the vulnerability;
FIG. 2 is a Common Attack Pattern Enumeration and Classification (CAPEC) example, where Relationships lists the other attack patterns related to this attack pattern; the relationships between attack patterns include ChildOf (CanFollow), ParentOf (CanPrecede) and PeerOf (CanAlsoBe, a similar attack pattern); Related Weaknesses lists the weaknesses associated with the attack pattern;
FIG. 3 is an overall frame diagram of the present application;
FIG. 4 is an example of a vulnerability knowledge graph ontology model in an embodiment of the present application;
FIG. 5 is an example of a constructed vulnerability knowledge graph screenshot of an embodiment of the present application;
FIG. 6 is an example vulnerability correlation graph of an embodiment of the present application;
FIG. 7 is a flowchart of a vulnerability correlation graph generation algorithm of an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more apparent, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments of the present application.
The embodiment of the application organizes vulnerabilities, weaknesses, attacks, the relationships between vulnerabilities and weaknesses, and the relationships between weaknesses and attacks in the constructed vulnerability knowledge graph, and obtains the association relationships among vulnerabilities using the reasoning capability of the knowledge graph; finally, it combines the actual network topology and the vulnerability information on the nodes to generate the vulnerability association graph. Knowledge graphs have great potential in the field of network security. First, with the strong data organization capability of the knowledge graph, network security data from different sources can be organized, stored and managed uniformly according to the construction scheme designed by the application. Second, with the strong reasoning capability of the knowledge graph, the association relationships among vulnerabilities in the ideal state can be inferred from existing data, making full use of the existing vulnerability database NVD and attack database CAPEC. Finally, the high visualization capability of the knowledge graph improves the interpretability of the relationships among vulnerabilities in the generated vulnerability association graph. The method addresses the large error, poor interpretability and resource waste of the traditional vulnerability association graph generation method.
As shown in fig. 3, the method for generating a vulnerability association graph based on a knowledge graph according to the embodiment includes the following steps:
S1, acquire reliable original vulnerability information, such as the NVD (National Vulnerability Database) data set in json format, the CAPEC (Common Attack Pattern Enumeration and Classification) data set in csv format and the CNVD (China National Information Security Vulnerability Sharing Platform) data set in xml format, and acquire the actual network data of the network to be evaluated, such as the network topology, network node vulnerability scanning information and network node asset importance information. Extract the data required by the evaluation scheme, then clean and arrange it so that the vulnerability knowledge graph can be constructed from it later.
S2, construct the vulnerability knowledge graph based on the data obtained in S1 and according to the vulnerability knowledge graph ontology model designed by the scheme, so that the vulnerability association graph can be generated from it.
S3, generate the vulnerability association graph according to the designed vulnerability association graph generation algorithm, based on the vulnerability knowledge graph constructed in S2 and the network node association relationships and node vulnerability relationships obtained from the preprocessing in S1. The vulnerability association graph can be used for subsequent vulnerability association evaluation, vulnerability repair, vulnerability management and other work.
Each part is described below:
Overall framework
As shown in FIG. 3, the method mainly comprises a data preprocessing module, a vulnerability knowledge graph construction module and a vulnerability association graph generation module. The data sources for constructing the vulnerability knowledge graph fall into two parts: the acquired NVD data set (json), CAPEC data set (csv) and CNVD data set (xml) on one side, and the actual network data on the other. The raw data pass through the data preprocessing module for data cleaning, data extraction and similar operations; the preprocessed data are input into the vulnerability knowledge graph construction module to construct the vulnerability knowledge graph; finally, the vulnerability knowledge graph together with the node adjacency matrix, node set and node vulnerability relation matrix obtained by preprocessing the actual network information are input into the vulnerability association graph generation module, which calls the vulnerability association graph generation algorithm to generate the vulnerability association graph. The vulnerability association degree (an important factor in the association evaluation of vulnerabilities) is computed from the generated vulnerability association graph, laying the foundation for the subsequent vulnerability association evaluation.
Data preprocessing module
The data preprocessing module preprocesses the collected NVD data set (json), CAPEC data set (csv) and CNVD data set (xml), extracts the vulnerability data set data required for evaluation (such as the vulnerability CVE number, vulnerability CWE number, attack pattern number, Related Relationships, Related Weaknesses and the like) and generates the corresponding csv files, so that the construction algorithm can later import the data into the graph database.
The data preprocessing module also preprocesses the acquired actual network data to obtain the network node set, network node asset importance attributes, vulnerability set and network node vulnerability relation matrix, and generates a csv file of the network nodes and their corresponding vulnerabilities, so that the construction algorithm can later import the data into the graph database; it also obtains the network node adjacency matrix, so that the vulnerability association graph generation algorithm can generate the vulnerability association graph conveniently.
Vulnerability knowledge graph construction module
The vulnerability knowledge graph construction module organizes a data structure based on the designed vulnerability knowledge graph ontology model and the selected graph database, writes a construction algorithm and generates a vulnerability knowledge graph.
The first step: and designing a vulnerability knowledge graph ontology model. The vulnerability knowledge graph ontology model shown in fig. 4 is designed, wherein the ontology comprises four major classes of assets, vulnerabilities and attacks, and the relationship comprises five major classes of affect (vulnerability pointing to asset), related (vulnerability pointing to vulnerability), utize (attack pointing to vulnerability), childOf (the last step of attack pointing to the next step of attack in multi-step attack), peerOf (attack pointing to the same class attack). Wherein the properties of the asset (node where the vulnerability is located) include price of the asset (price) and role the asset plays in the network (client/server), both of which reflect the importance of the asset to some extent.
And a second step of: a graph database is selected. The graph database Neo4j is selected for use.
And a third step of: and designing a vulnerability knowledge graph construction algorithm. Organizing vulnerability data set data, a network node set, a network node vulnerability relation matrix and network node asset importance attributes (node price, role and the like) obtained by a data preprocessing module according to a vulnerability knowledge graph ontology model; the knowledge graph construction algorithm for constructing the vulnerability knowledge graph module calls Py2Neo library operation Neo4j provided by Python to construct and store the vulnerability knowledge graph shown in FIG. 5.
Vulnerability association graph generation module
The vulnerability association graph generation module generates a vulnerability association graph with the designed vulnerability association graph generation algorithm, based on the vulnerability knowledge graph, the actual network node adjacency matrix and the network node vulnerability relation matrix. Taking fig. 6 as an example, when the actual network topology is the one shown in the left graph, the vulnerability association graph shown in the right graph can be generated by calling the vulnerability association graph generation algorithm of fig. 7 on the data obtained by preprocessing the actual network information together with the vulnerability knowledge graph.
The directed arrows in the generated vulnerability association graph point from the vulnerability utilized by the previous attack step to the vulnerability utilized by the next attack step of a multi-step attack. Each directed edge is labelled with the importance of the assets (network nodes) on which the two vulnerabilities it connects are located. The weight of a directed edge is the average of the importance of the assets where the two connected vulnerabilities are located. The reasoning is that an attacker tends to attack more important vulnerabilities: when the same vulnerability points to several different vulnerabilities, the higher the importance of the target vulnerability, the more likely the attacker is to choose it as the next attack target, and the importance of the asset on which a vulnerability is located reflects the importance of the vulnerability to a certain extent.
The idea of the vulnerability association graph generation algorithm is to obtain the relationships between nodes, and between nodes and vulnerabilities, from the actual network data, traverse the nodes and the vulnerabilities on the nodes (depth first), and query the vulnerability knowledge graph for whether an attack predecessor-successor relationship exists between two vulnerabilities, so as to generate the vulnerability association graph. The flow chart of the vulnerability association graph generation algorithm is shown in fig. 7.
The first step: acquire the node set, vulnerability set, network node adjacency matrix and network node vulnerability relation matrix obtained by the data preprocessing module. Based on the actual network topology in the figure, the network node set Nodes is obtained: [host1, host2, host3, host4, host5], together with the network node adjacency matrix Nodes_Adjacent corresponding to the network: Nodes_Adjacent[i][j] = 1 represents that the (i+1)-th node and the (j+1)-th node in the network node set Nodes are adjacent, and Nodes_Adjacent[i][j] = 0 represents that the (i+1)-th node and the (j+1)-th node in Nodes are not adjacent. When the node vulnerability scanning information shows that vulnerability vul1 exists on host1, vulnerabilities vul1 and vul2 exist on host2, vulnerability vul3 exists on host3, vulnerability vul4 exists on host4 and vulnerability vul4 exists on host5, the vulnerability set Vuls can be obtained: [vul1, vul2, vul3, vul4], together with the network node vulnerability relation matrix Nodes_Vuls: Nodes_Vuls[i][j] = 1 represents that the (j+1)-th vulnerability in the vulnerability set Vuls exists on the (i+1)-th node in the network node set Nodes.
The second step: generate the (host: vulnerability) vertices. Traverse the network node set Nodes and the vulnerability set Vuls, query the network node vulnerability relation matrix Nodes_Vuls to judge whether the j-th vulnerability exists on the i-th network node, and if so, generate the vertex (Nodes[i]: Vuls[j]).
The third step: create the association edges between the (host: vulnerability) vertices.
(1) Traverse the rows of the node adjacency matrix Nodes_Adjacent (the i-th column/row corresponds to the i-th node in the node set).
(2) For the i-th row, if i = n, finish the traversal and output the vulnerability association graph; otherwise, traverse the columns j >= i of the node adjacency matrix, starting from j = i.
(3) Traverse the vulnerability set from 0 for the i-th node; if i_vul < m, the traversal is not complete, so execute step (4); otherwise j+1 and jump to step (7).
(4) Traverse the vulnerability set from 0 for the j-th node; if j_vul < m, the traversal is not complete, so execute step (5); otherwise i_vul+1 and jump to step (3).
(5) Query the node vulnerability relation matrix Nodes_Vuls; if the i_vul-th vulnerability on the i-th node and the j_vul-th vulnerability on the j-th node both exist, execute step (6); otherwise j_vul+1 and jump to step (4).
(6) Query the vulnerability knowledge graph; if vulnerability Vuls[i_vul] and vulnerability Vuls[j_vul] have an attack predecessor-successor relationship in the vulnerability knowledge graph, connect a directed edge between the vertices (Nodes[i]: Vuls[i_vul]) and (Nodes[j]: Vuls[j_vul]) in the vulnerability association graph, the direction of the directed edge being the same as the direction between the attack patterns a1 and a2 respectively associated with Vuls[i_vul] and Vuls[j_vul] in the knowledge graph, then j_vul+1 and jump to step (4); otherwise, directly j_vul+1 and jump to step (4).
(7) If j < n, query the node adjacency matrix; if the i-th node is adjacent to the j-th node, jump to step (3); otherwise j+1 and jump to step (7). If j = n, i+1 and jump to step (2).
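As an added illustration, not the patent's own code, the following Python program implements the third-step traversal above over the five-host example of the first step, carrying on each edge the attack-pattern pair that justifies it, which is what makes an edge verifiable against the knowledge graph. The adjacency matrix, the asset importance scores, the attack pattern names and the in-memory stand-in for the Neo4j knowledge graph query are all assumptions; the patent queries Neo4j through Py2Neo.

```python
"""Vulnerability association graph generation over a constructed example."""
from itertools import product

# Constructed network data following the worked example in the text: five
# hosts and four vulnerabilities. The adjacency matrix is an assumption (the
# source only shows it as a figure); a chain host1-host2-host3-host4-host5.
NODES = ["host1", "host2", "host3", "host4", "host5"]
VULS = ["vul1", "vul2", "vul3", "vul4"]
NODES_ADJACENT = [
    [0, 1, 0, 0, 0],
    [1, 0, 1, 0, 0],
    [0, 1, 0, 1, 0],
    [0, 0, 1, 0, 1],
    [0, 0, 0, 1, 0],
]
# NODES_VULS[i][j] == 1 means VULS[j] is present on NODES[i] (scan data of the text).
NODES_VULS = [
    [1, 0, 0, 0],
    [1, 1, 0, 0],
    [0, 0, 1, 0],
    [0, 0, 0, 1],
    [0, 0, 0, 1],
]
# Constructed asset importance per host (price and role collapsed into one score).
IMPORTANCE = {"host1": 1.0, "host2": 2.0, "host3": 4.0, "host4": 8.0, "host5": 3.0}

# In-memory stand-in for the Neo4j knowledge graph: attack -utilize-> vulnerability
# and previous attack step -childOf-> next attack step. Attack names are placeholders.
UTILIZE = {"a1": "vul1", "a2": "vul2", "a3": "vul3", "a4": "vul4"}
CHILD_OF = {("a1", "a2"), ("a2", "a3"), ("a3", "a4")}


def kg_attack_order(vul_a, vul_b):
    """Return (a_prev, a_next) if the attacks utilizing vul_a and vul_b are
    linked by a childOf edge in that order, else None (no attack relation)."""
    attacks_a = [a for a, v in UTILIZE.items() if v == vul_a]
    attacks_b = [a for a, v in UTILIZE.items() if v == vul_b]
    for a, b in product(attacks_a, attacks_b):
        if (a, b) in CHILD_OF:
            return a, b
    return None


def generate_association_graph(nodes, vuls, adjacent, node_vuls, importance):
    """Steps 2 and 3 of the text: (host, vul) vertices, then directed edges
    whose direction follows the childOf direction in the knowledge graph and
    whose weight is the mean importance of the two assets."""
    n, m = len(nodes), len(vuls)
    vertices = [(nodes[i], vuls[j]) for i in range(n) for j in range(m)
                if node_vuls[i][j]]
    edges = {}  # (src_vertex, dst_vertex) -> (weight, (a_prev, a_next))
    for i in range(n):
        for j in range(i, n):
            # j == i pairs vulnerabilities on the same host; other columns are
            # only visited when the two hosts are adjacent (step 7).
            if j != i and not adjacent[i][j]:
                continue
            for i_vul in range(m):
                for j_vul in range(m):
                    if not (node_vuls[i][i_vul] and node_vuls[j][j_vul]):
                        continue  # step 5: both vulnerabilities must exist
                    va, vb = (nodes[i], vuls[i_vul]), (nodes[j], vuls[j_vul])
                    if va == vb:
                        continue
                    weight = (importance[nodes[i]] + importance[nodes[j]]) / 2
                    # Step 6: each unordered pair is visited once (j >= i), so
                    # query the knowledge graph in both directions.
                    order = kg_attack_order(vuls[i_vul], vuls[j_vul])
                    if order:
                        edges[(va, vb)] = (weight, order)
                    order = kg_attack_order(vuls[j_vul], vuls[i_vul])
                    if order:
                        edges[(vb, va)] = (weight, order)
    return vertices, edges


if __name__ == "__main__":
    verts, es = generate_association_graph(NODES, VULS, NODES_ADJACENT, NODES_VULS, IMPORTANCE)
    print("vertices:", verts)
    for (src, dst), (w, why) in es.items():
        print(f"{src} -> {dst}  weight={w}  justified by childOf{why}")
```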
In general, the application fully mines the relationships among existing typical databases by using a knowledge graph built on the NVD and CAPEC data sets, obtains the vulnerability association relationships in the ideal state, and directly generates the vulnerability association graph by combining the actual network topology with the vulnerability scanning data; it does not need to handle a conventional attack graph generation algorithm or vulnerability association rules, which alleviates the many errors and the resource waste introduced when an association graph is generated with conventional vulnerability association graph generation methods. Moreover, the vulnerability knowledge graph can visually display the association relationships of vulnerabilities: whether an association relationship exists between adjacent vulnerabilities in the generated vulnerability association graph can be verified in the knowledge graph, and how the adjacent vulnerabilities are associated can be clearly ascertained, so that the quality of the vulnerability association graph generation algorithm and the interpretability of the association graph are improved.
In yet another aspect, the application also discloses a computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of any of the methods described above.
In yet another aspect, the application also discloses a computer device comprising a memory and a processor, the memory storing a computer program which, when executed by the processor, causes the processor to perform the steps of any of the methods described above.
In a further embodiment of the present application, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform the steps of any of the methods of the above embodiments.
It may be understood that the system provided by the embodiment of the present application corresponds to the method provided by the embodiment of the present application; for explanations, examples and beneficial effects of the related content, refer to the corresponding parts of the above method.
Those skilled in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware, where the program may be stored in a non-volatile computer readable storage medium, and where the program, when executed, may include the processes of the method embodiments described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. The non-volatile memory can include Read Only Memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDRSDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
The technical features of the above embodiments may be combined arbitrarily; for brevity of description, not all possible combinations of the technical features in the above embodiments are described, but as long as there is no contradiction between the combinations of the technical features, they should be considered within the scope of this description.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (6)

1. A knowledge-graph-based vulnerability association graph generation method, characterized by comprising the following steps:
S1, acquiring original vulnerability information and the actual network data of the network to be evaluated, extracting the data required by the evaluation scheme, and performing data preprocessing;
S2, constructing a vulnerability knowledge graph based on the data obtained in step S1 and according to a pre-designed vulnerability knowledge graph ontology model;
S3, based on the vulnerability knowledge graph constructed in step S2, generating a vulnerability association graph according to a preset vulnerability association graph generation algorithm, wherein the vulnerability association graph is used for subsequent vulnerability association evaluation, vulnerability repair and vulnerability management;
the vulnerability association graph generation comprises the following steps:
the first step: acquiring the node set, vulnerability set, network node adjacency matrix and network node vulnerability relation matrix obtained by the data preprocessing module; the network node set Nodes is obtained based on the actual network topology: [host1, host2, host3, host4, host5], together with the network node adjacency matrix Nodes_Adjacent corresponding to the network: Nodes_Adjacent[i][j] = 1 represents that the (i+1)-th node and the (j+1)-th node in the network node set Nodes are adjacent, and Nodes_Adjacent[i][j] = 0 represents that the (i+1)-th node and the (j+1)-th node in the network node set Nodes are not adjacent; when the node vulnerability scanning information shows that vulnerability vul1 exists on host1, vulnerabilities vul1 and vul2 exist on host2, vulnerability vul3 exists on host3, vulnerability vul4 exists on host4 and vulnerability vul4 exists on host5, the vulnerability set Vuls can be obtained: [vul1, vul2, vul3, vul4], together with the network node vulnerability relation matrix Nodes_Vuls: Nodes_Vuls[i][j] = 1 represents that the (j+1)-th vulnerability in the vulnerability set Vuls exists on the (i+1)-th node in the network node set Nodes;
the second step: generating the (host: vulnerability) vertices; traversing the network node set Nodes and the vulnerability set Vuls, querying the network node vulnerability relation matrix Nodes_Vuls to judge whether the j-th vulnerability exists on the i-th network node, and if so, generating the vertex (Nodes[i]: Vuls[j]);
the third step: creating the association edges between the (host: vulnerability) vertices;
(1) traversing the rows of the node adjacency matrix Nodes_Adjacent, where the i-th column/row corresponds to the i-th node in the node set;
(2) for the i-th row, if i = n, finishing the traversal and outputting the vulnerability association graph; otherwise, traversing the columns j >= i of the node adjacency matrix starting from j = i;
(3) traversing the vulnerability set from 0 for the i-th node; if i_vul < m, the traversal is not complete, so executing step (4); otherwise j+1 and jumping to step (7);
(4) traversing the vulnerability set from 0 for the j-th node; if j_vul < m, the traversal is not complete, so executing step (5); otherwise i_vul+1 and jumping to step (3);
(5) querying the node vulnerability relation matrix Nodes_Vuls; if the i_vul-th vulnerability on the i-th node and the j_vul-th vulnerability on the j-th node both exist, executing step (6); otherwise j_vul+1 and jumping to step (4);
(6) querying the vulnerability knowledge graph; if vulnerability Vuls[i_vul] and vulnerability Vuls[j_vul] have an attack predecessor-successor relationship in the vulnerability knowledge graph, connecting a directed edge between the vertices (Nodes[i]: Vuls[i_vul]) and (Nodes[j]: Vuls[j_vul]) in the vulnerability association graph, the direction of the directed edge being the same as the direction between the attack patterns a1 and a2 respectively associated with Vuls[i_vul] and Vuls[j_vul] in the knowledge graph, then j_vul+1 and jumping to step (4); otherwise, directly j_vul+1 and jumping to step (4);
(7) if j < n, querying the node adjacency matrix; if the i-th node is adjacent to the j-th node, jumping to step (3); otherwise j+1 and jumping to step (7); if j = n, i+1 and jumping to step (2).
2. The knowledge-graph-based vulnerability association graph generation method of claim 1, characterized in that:
the original vulnerability information in step S1 comprises the raw data of the NVD data set of the USA national vulnerability library in json format, the attack pattern enumeration CAPEC data set in csv format, and the CNVD data set of the China national information security sharing platform in xml format;
the actual network data comprises the network topology, the network node vulnerability scanning information and the network node asset importance information.
3. The knowledge-graph-based vulnerability association graph generation method of claim 2, characterized in that: the data preprocessing comprises preprocessing the collected json-format NVD data set of the U.S. national vulnerability library, the csv-format attack pattern enumeration CAPEC data set and the xml-format CNVD data set of the China national information security sharing platform, extracting the data required for evaluation, including the vulnerability CVE number, vulnerability CWE number, attack pattern number, related classes and Related Weaknesses, and generating a corresponding csv file so that the data can be conveniently imported into the graph database by the construction algorithm;
the data preprocessing also preprocesses the acquired actual network data to obtain the network node relation matrix, the network node vulnerability relation and the network node asset importance information, and generates a csv file of the network nodes and their corresponding vulnerabilities, so that the data can be conveniently imported into the graph database by the construction algorithm.
4. The knowledge-graph-based vulnerability association graph generation method of claim 1, characterized in that constructing the vulnerability knowledge graph comprises the following steps:
the first step: designing a vulnerability knowledge graph ontology model, wherein the ontology comprises four major classes, including assets, vulnerabilities and attacks, and the relationships comprise five major classes: affect (vulnerability pointing to asset), related (vulnerability pointing to vulnerability), utilize (attack pointing to vulnerability), childOf (in a multi-step attack, the previous attack step pointing to the next attack step) and peerOf (attack pointing to an attack of the same class); the properties of an asset, namely the node where a vulnerability is located, comprise the price of the asset and the role the asset plays in the network, namely client/server, and these two properties reflect the importance of the asset;
the second step: selecting a graph database;
the third step: designing a vulnerability knowledge graph construction algorithm, and organizing the vulnerability data set data, network node set, network node vulnerability relation matrix and network node asset importance attributes obtained by the data preprocessing module according to the vulnerability knowledge graph ontology model; the knowledge graph construction algorithm of the vulnerability knowledge graph construction module calls the Py2Neo library provided for Python to operate Neo4j, constructing and storing the vulnerability knowledge graph.
5. The knowledge-graph-based vulnerability association graph generation method of claim 1, characterized in that the vulnerability association graph generation comprises the following steps:
the vulnerability association graph generation generates a vulnerability association graph with the designed vulnerability association graph generation algorithm, based on the vulnerability knowledge graph, the actual network node adjacency matrix and the network node vulnerability relation;
the vulnerability association graph generation algorithm obtains the relationships between nodes, and between nodes and vulnerabilities, from the actual network data, traverses the nodes and the vulnerabilities on the nodes, queries the node relation data for whether the nodes where two vulnerabilities are located are associated, and queries the vulnerability knowledge graph for whether an attack predecessor-successor relationship exists between the two vulnerabilities, so as to generate the vulnerability association graph.
6. A computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to perform the steps of the method of any one of claims 1 to 5.
CN202210742246.0A 2022-06-28 2022-06-28 Knowledge graph-based vulnerability association graph generation method and storage medium Active CN115225338B (en)

Publications (2)

Publication Number Publication Date
CN115225338A CN115225338A (en) 2022-10-21
CN115225338B true CN115225338B (en) 2023-12-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant