174 results about "Attack graph" patented technology

A computer system analysis tool and method that will allow for qualitative and quantitative assessment of security attributes and vulnerabilities in systems including computer networks. The invention is based on generation of attack graphs wherein each node represents a possible attack state and each edge represents a change in state caused by a single action taken by an attacker or unwitting assistant. Edges are weighted using metrics such as attacker effort, likelihood of attack success, or time to succeed. Generation of an attack graph is accomplished by matching information about attack requirements (specified in “attack templates”) to information about computer system configuration (contained in a configuration file that can be updated to reflect system changes occurring during the course of an attack) and assumed attacker capabilities (reflected in “attacker profiles”). High risk attack paths, which correspond to those considered suited to application of attack countermeasures given limited resources for applying countermeasures, are identified by finding “epsilon optimal paths.”

A method of generating graphical models for providing security analysis in computer networks that in one embodiment includes the steps of generating a type abstract graph independent of particular networks that models abstract dependency relationships among attributes and exploits; generating network-specific attack graphs by combining the type abstract graph with specific network information; monitoring an intruder alert; and generating a real-time attack graph by correlating the intruder alert with the network-specific attack graph. The real-time attack graph can be generated using reachability checking, bridging, and exploit prediction based on consequence alerts and may further include the step of calculating the likelihood of queries using a Bayesian network model. The method may also include the steps of inferring unobserved attacks that may have been missed by intrusion detection sensors, and projecting on which hosts and using what exploits additional intruder attacks may occur. The method may further include the step of comparing alternate actions by computation, wherein the alternate actions include the step of patching some vulnerabilities, and wherein the specific network information includes network topology. The specific network information may also include firewall rules.

An improved method for analyzing computer network security has been developed. The method first establishes multiple nodes, where each node represents an actor, an event, a condition, or an attribute related to the network security. Next, an estimate is created for each node that reflects the ease of realizing the event, condition, or attribute of the node. Attack paths are identified that represent a linkage of nodes that reach a condition of compromise of network security. Next, edge probabilities are calculated for the attack paths. The edge probabilities are based on the estimates for each node along the attack path. Next, an attack graph is generated that identifies the easiest conditions of compromise of network security and the attack paths to achieving those conditions. Finally, attacks are detected with physical sensors on the network, that predict the events and conditions. When an attack is detected, security alerts are generated in response to the attacks.

A method for analyzing computer network security has been developed. The method first establishes multiple nodes, where each node represents an actor, an event, a condition, or an attribute related to the network security. Next, an estimate is created for each node that reflects the case of realizing the event, condition, or attribute of the node. Attack paths are identified that represent a linkage of nodes that reach a condition of compromise of network security. Next, edge probabilities are calculated for the attack paths. The edge probabilities are based on the estimates for each node along the attack path. Finally, an attack graph is generated that identifies the easiest conditions of compromise of network security and the attack paths to achieving those conditions.

The invention belongs to the technical field of network security and particularly relates to an attack-oriented network security situation prediction method, device and system. The method comprises the following steps: detecting and collecting alarm data and network environment operation and maintenance information in a network countermeasure environment, obtaining an element set required by network security situation prediction, wherein the element set comprises three types of information of an attacker, a defense party and a network environment; evaluating the attacker capability and the level of the defense party, establishing a dynamic Bayesian attack graph, and calculating an attack phase number and an attack state occurrence probability vector; and combining a vulnerability scoring standard and network asset information, and performing time-space dimension quantification on the network security situation value. According to the method, dynamic association of the situation elements of the defense party, the attacker, the environment information and the like is achieved, the actual environment of the network is better conformed to, the future situation and the attack occurrencetime can be accurately predicted, higher prediction efficiency is achieved, and storage scale and timeliness of network security situation awareness are optimized, so as to provide more effective guidance for network protection.

The invention relates to a network security situation assessment method, in particular, a Bayesian network-based multi-step attack security situation assessment method. The method includes the following steps that: multi-step attack generating patterns are mined through association analysis, so that an attack graph can be constructed; a Bayesian network is established according to the multi-step attack graph, attack wills, probability of success of attacks and the accuracy of event monitoring are defined as the probability attributes of the Bayesian network; based on the event monitoring, a multi-step attack risk is calculated according to the posterior reasoning and cumulative probability of the Bayesian network; and the security situations of a host and the whole network are quantitatively assessed according to a hierarchical quantitative assessment method. With the method of the invention adopted, the problem of lack of correlation analysis in a network security situation assessment process can be solved. According to the method of the invention, monitoring events are taken into risk assessment, and a network security situation assessment model is accurately established, and therefore, the effectiveness and real-time performance of the method of the invention can be enhanced.

In one aspect, a method to generate an attack graph includes determining if a potential node provides a first precondition equivalent to one of preconditions provided by a group of preexisting nodes on the attack graph. The group of preexisting nodes includes a first state node, a first vulnerability instance node, a first prerequisite node, and a second state node. The method also includes, if the first precondition is equivalent to one of the preconditions provided by the group of preexisting nodes, coupling a current node to a preexisting node providing the precondition equivalent to the first precondition using a first edge and if the first precondition is not equivalent to one of the preconditions provided by the group of preexisting nodes, generating the potential node as a new node on the attack graph and coupling the new node to the current node using a second edge.

The invention discloses a network security situation awareness model and method based on an attack graph. The model comprises a data preprocessing module, an attack feature library construction module, an attack state identification module, a security situation evaluation module and a security situation prediction module. The method comprises: firstly, collecting data sets of different sources, and obtaining asset vulnerability threat data and asset attack threat data after preprocessing; further analyzing and training by utilizing the asset attack threat data and the principal component dataof the attack information, and establishing an attack feature library; matching the attack portrait, and determining the attack state of the current equipment; then, calculating a security situation value of the whole network by utilizing the asset attack threat data; and finally, predicting the next attack state through the attack and defense game matrix of the attack state diagram so as to predict the network security situation. A good situation awareness effect and a network security situation evaluation and prediction function are realized, and the model and the method have relatively goodpracticability, high efficiency and expansibility.

The invention discloses a method and a device for evaluating system security based on correlation analysis. The method comprises the following steps of using an attack graph model to perform the correlation analysis on the network security condition, adopting an attack graph generation algorithm based on breadth-first search, introducing a PageRank calculation model to quantize the weights of state nodes of the attack graph, utilizing the difference of the weights to judge the critical attack nodes of the attack graph, utilizing a depth-first search algorithm to find the critical attack path in the attack graph, finally providing the network security amount based on the attack graph, quantizing the risk value of the critical attack path of the attack graph, and quantizing the security of the whole network.

The invention provides a network security evaluation device based on an attack graph adjacent matrix. The network security evaluation device comprises an information collection device, an atom attack graph generation device, a matrix calculation device, a network safety analyzing device and a result appearing device, wherein the information collection device is used for collecting all information in a network; the atom attack graph generation device is used for generating an initial atom attack graph between a main engine pair needed for carrying out subsequent analysis on network safety; the matrix calculation device is used for converting the generated atom attack graph into the corresponding adjacent matrix and is also used for calculating a corresponding iteration matrix of the adjacent matrix through setting iteration times; the network safety analyzing device is used for obtaining information including a key main engine, a key path and the like on the basis of the finally-generated iteration matrix; the result appearing device is used for visually appearing the found key main engine and key path and a network vulnerability index. The network security evaluation device disclosed by the invention is high in efficiency and is suitable for large-scale and high-speed networks. The network security evaluation device can improve the instantaneity of evaluating a target network. The evaluation accuracy rate is high, and the key path and the key main engine can be accurately recognized. The visualization degree is high so that the network security evaluation device is convenient for a manager to check, analyze and maintain.

The invention discloses a network security situation evaluating method, and belongs to the technical field of network security. The method comprises the following steps of: 1) performing correlation analysis on input alarm information to obtain a host attack graph; 2) performing association analysis on the host attack graph according to input host vulnerability information to obtain a host expectation state graph; 3) calculating a host threat value by utilizing intrusive expectant threat and the host expectation state graph; 4) calculating a host comprehensive security situation by utilizing weight information of services provided by hosts and threat values of the hosts; 5) calculating a network component comprehensive security situation by utilizing network component performance information and weight values of network components; and 6) performing weighted calculation by utilizing the host comprehensive security situation and the network component comprehensive security situation to obtain a network security situation. The method can more accurately analyze the actual influence of attacks on the network hosts and the network components, analyzes threat caused by unknown attacks, and reflects the network security situation more accurately compared with the traditional method.

The invention belongs to the technical field of network security, and discloses an attack path analysis method based on a hierarchical attack graph. Firstly, dividing an original network into a plurality of logic subnets through a community discovery algorithm, wherein the logic subnets and connection relations thereof form a network logic structure; generating two layers of attack graphs based onthe network logic structure and the network basic information; and finally, reducing an attack path on the two layers of attack graphs by utilizing monotonicity of attack behaviors. The method comprises the following specific steps: (1) realizing community discovery; (2) establishing a hierarchical attack graph model; (3) generating an attack path; (4) analyzing the attack path to provide a defense strategy. According to the attack path analysis method, unreasonable attack path generation is avoided from the perspective of attackers, the real-time performance of attack path analysis is effectively improved, and the problem that an existing attack path analysis method is poor in real-time performance when the network scale is large and the vulnerability is high is solved.

An attack graph generation system facing to network security alarm association in the field of computer network, in the present invention, the network initial configuration information module receives the network topological structure, gateway filtering rule input by the users; OVAL vulnerability scanning report collecting module collects the vulnerabilities in all the apparatuses in the network; the network connectivity analyzing module transmits connectivity between ant two apparatuses to the attack graph generation module; the data structure establishing model respectively establishes a kind of data to describe aiming at the attacker state, apparatus state, implantation vulnerability behavior, atom attack action, system state in the network; the knowledge base stores the network topological structure, gateway filtering rule, vulnerability to transfer by the attack graph generation module; the attack graph generation module transfers the information in the knowledge base, generates the network attack graph and transmits the generated attack graph to the attack graph displaying module to visually display to the user; the system work complexity of the present invention is O(N<5>) and is easy to realize the project.

The invention provides a depth-first attack graph generation method. The steps are as follows: (1) the entire safety factors of the current network are collected to form an initial network state; (2) a prolog system is used to search the entire network states that an attacker is possible to pass through before a target state is reached; (3) attack routes are constructed according to the searched dependency relations among the network states; (4) the constructed attack routes are combined into a network attack graph. The invention has the advantages that: the depth-first generation algorithm decreases the scale of the attack graph, and can ensure that no non-target leaf node exists in the attack graph.

The invention discloses a network attacker behavior analyzing method based on an attack graph. The method comprises the steps of establishing a network attacker behavior analyzing model and attracting attacks of attackers; carrying out comprehensive capturing on attack data through a data capturing mechanism; and generating an attack state transfer graph through combination of a finite-state machine and analyzing behaviors of the attackers according to possibility indexes of attack behaviors, skill level indexes of the attackers and destination indexes of the attackers. According to the network attacker behavior analyzing method based on the attack graph provided by the invention, the good foundation can be laid for design of an active defense system, the network attacks can be defended, the attacks can be prevented before the network attacks occur, one part of the attacks are screened, a cybercrime can be effectively prevented, the defense efficiency is improved, and the defense cost is reduced.

A storage unit of a computer includes: a product configuration information holding unit; a component-vulnerability correspondence holding unit indicating security holes; an asset information holding unit that stores asset values of the respective component of the product; a security countermeasure classification holding unit that stores defense target components for the respective security countermeasures and coefficients of countermeasure effects; and an attack map holding unit that stores attack maps indicating attack paths. A processing unit executes a program, to form: an information collection processing unit; an attack map creation processing unit that creates an attack map for each product; and a vulnerability evaluation processing unit that calculates priority order among countermeasures from threat levels of security holes of the respective components on the basis of the asset values.

The invention discloses a network spoofing defense efficiency evaluation method based on a dynamic Bayesian attack graph, and belongs to the field of network space security. The method comprises the following steps: speculating attacker ability by analyzing vulnerability elements in a current network, and constructing a dynamic Bayesian attack graph model; aiming at the defense characteristics ofnetwork spoofing and counterfeiting real assets, the consistency of real nodes and bait nodes in the aspects of network characteristics, equipment fingerprints, file attributes and the like is comprehensively compared, so that a spoofing scheme is subjected to concealment analysis, and whether a defense strategy can achieve an expected effect or not is judged; and updating the attack graph model according to the analysis result and the attack and defense confrontation information, and giving a quantitative index to evaluate the effectiveness of deception defense. The method can be integrated on a server serving as a control center, other nodes in the network do not need to be modified, and the method has good applicability.

The invention relates to a quantitative evaluation method of a network security situation based on an attack graph, and belongs to the field of information security technology. The method specifically comprises the following steps: step 1, generating the attack graph; step 2, evaluating the importance of nodes in the attack graph G; step 3, on the operation basis of step 1, calculating the maximum probability that the nodes in the attack graph G are successfully permeated; and step 4, obtaining an evaluation value of the network security situation. Compared with the prior art, the method provided by the invention has the following advantages: (1) by adoption of the evaluation method based on the attack graph, the intention of multi-step attacks of an attacker using the loopholes in the network can be reflected. (2) The data used in the evaluation method are easy to collect and are operable. (3) The protection conditions of the nodes in the network obtained in the evaluation process reflect the protection conditions of the nodes in the network. (4) In the evaluation method, the topological information of the network, loophole association information and the attack intention of the attacker are comprehensively considered, and thus the precision of the evaluation result is high.

The invention provides a network security posture assessment method. The method comprises the following steps: producing a vulnerability list, an atomic attack list and an attack evidence list according to the acquired vulnerability information, network attack information and attack evidence; creating a bayesian network; acquiring atomic attack posterior probability; detecting the authenticity of the causal relationship between the atomic attack and the attack evidence in the bayesian network; building a network attack system framework and producing a bayesian attack graph; acquiring node attack probability of atomic attack; acquiring vulnerability threat degree and dividing into three levels, namely, Root authority level, User authority level and None authority level; displaying the overall assessment result of the network security posture according to the three levels of the vulnerability thread degree and early warning values corresponding to the three levels; performing early warning when the vulnerability thread degree exceeds the early warning levels corresponding to the three levels. The network security posture assessment method has the characteristics of being simple in model, accurate in assessment result and wide in applicable scope, and can be widely applied to the field of network security.

The invention disclose a network security analytical method for solving a K maximum probability attack graph. The method specially includes: step (1) typing in system information and inputting the value of a parameter K; step (2) initializing a system; step (3) counting nodes which can be attacked by an attacker currently; step (4) judging whether a loophole table is empty, entering the step (5) if the loophole table is empty, taking out head-of-line nodes of an available loophole table otherwise for loophole using, judging whether the number of existing attack paths of the nodes is smaller than K, updating loophole using information and the position of the attacker and entering the step (3) for executing if the number of existing attack paths of the nodes is smaller than K, and entering the beginning position of the step (4) for continuing executing otherwise; and step (5) generating front K paths with the maximum probability of all attack nodes and finishing operation. By storing and accumulating the front K attack paths with the maximum probability at the nodes, the problem of the front K attack paths with the maximum probability at the attack nodes is solved.

The invention belongs to the technical field of the network security, and especially relates to a network intrusion situation intention evaluation method based on alarm integration. The method comprises the following steps: collecting network environment information, generating a Bayes attack graph model, wherein the network environment information at least comprises network connectivity, networkservice loopholes, host network configuration and access policy information, and the Bayes attack graph model comprises an attack state node, an atom attack node and an alarm evidence node; setting alarm confidence and association strength through the Bayes attack graph model, extracting effective alarm evidence; respectively computing the alarm confidence of the effective alarm evidence for eachattack state node; and evaluating the intruded probability of the effective node, and outputting the threaten order of all situation intention nodes. The method disclosed by the invention is low in computation complexity, not overly dependent on the historic data, simple and convenient for operation, capable of improving the node attack probability prediction accuracy, thereby providing reliable and effective data reference for defense decision and providing reliable guidance for the safety defense decision of the auxiliary network.