
Research On Network Security Situation Awareness Methods Based On Attack Graph

Posted on: 2019-04-02
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H Hu
Full Text: PDF
GTID: 1368330596959412
Subject: Computer Science and Technology
Abstract/Summary:
As an active defense technology, network security situation awareness (NSSA) has gradually become a focus of research. It analyzes and predicts the security status of the whole network by acquiring network security elements and then analyzing and understanding them. In view of the large-scale, coordinated and multi-stage characteristics of network attack threats in recent years, this dissertation studies NSSA methods for multistep attacks by using the flexibility of the attack graph (AG), which can show the whole security state transition process as well as reflect its local parts. By combing through the current research in this field, the main existing problems are analyzed and summarized, a framework of NSSA based on the AG model is designed, and a suite of NSSA methods is proposed that can effectively support the decision-making of security administrators. The following research results have been achieved.

1. The NSSA framework based on the attack graph model is designed. To address the lack of a standard framework for security situation awareness of multistep attacks, the multistep attack process is analyzed to describe the security attributes related to it, and a general definition of the attack graph model is given. Based on this, the NSSA framework for multistep attacks is constructed, and a closed-loop feedback mechanism between awareness results and decision-making is designed. The proposed framework solves the problem of the lack of a uniform standard description framework in current research.

2. Life-cycle-oriented security vulnerability situation analysis methods are proposed. To address the problem that existing research does not consider the whole life cycle of a vulnerability, a vulnerability life cycle time model is constructed by modeling the vulnerability state transitions on the time axis of the life cycle. Prior historical vulnerability information is used as the model input to quantitatively describe the occurrence probability of each vulnerability life cycle state in the time dimension. The proposed methods can accurately reflect the universal law of situation evolution for vulnerability exploitation in the real world, and solve the difficult problem of dynamic and quantitative measurement of the vulnerability exploit rate in each stage.

3. Attack path situation analysis methods based on the absorbing Markov chain attack graph (AMCAG) are proposed. To address the analysis deviation that the attack "monotonicity" hypothesis introduces into the attack path situation, we analyze the nonlinear and uncertain characteristics of the attacker's state transitions. The absorbing Markov chain (AMC) is used to transform the AG, and the AMCAG model is constructed to correct the measurement deviation generated by the "circle" paths in the AG. The proposed methods can infer the expected success probability of the attack intention, the expected length of the attack path and the expected number of visits to path nodes, so as to achieve an accurate depiction of the multi-dimensional attack path situation.

4. A network security risk situation prediction method based on the Dynamic Bayesian attack graph (DBAG) is proposed. To address the lack of a description of the dynamic relationships among attackers, defenders and network environment situation elements in the space-time dimension, the DBAG model is constructed to deduce the multistep attack process and quantify the uncertainty and correlation of situation elements in the space-time dimension. Furthermore, the multistep attack interactions are used as the endogenous driving force for the security situation change of the network system. In addition, by fusing asset, threat and vulnerability information, the underlying attack behavior prediction results are mapped to a quantifiable security risk situation value. The proposed methods can intuitively show the trend of network security changes and improve the effectiveness and accuracy of situation early warning.

5. NSSA-based network optimal defense strategy selection methods are proposed. To address the problem that existing research has no method for depicting the decision-making interaction and behavior evolution of security attack and defense, first, the set of attack-defense strategies is extracted from the attack path situation analysis results, and the security risk situation prediction results are used to quantify the risk-benefits of the strategies. Second, a game model describing the strategy interaction and behavior evolution of both the attack and defense sides is constructed from the bounded rationality perspective. Finally, for two typical application scenarios, one with complete situation information and one with incomplete situation information, optimal defense strategy selection methods are designed respectively. In the meantime, the feedback of strategy selection is provided to situation awareness. By depicting the evolutionary track of the optimal defense strategy, the hard problem of selecting security measures in dynamic, complex and time-varying network scenarios is solved.

The research results of this dissertation help security managers to grasp the network security status in time and prevent the multistep attack threats that may occur in the future, and they provide theoretical support and a methodological guarantee for winning the network security attack-defense time war and implementing active defense.
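
The three path metrics named in result 3 are the standard quantities of an absorbing Markov chain. The following added example (not code from the dissertation) computes them for a constructed three-host attack graph that contains "circle" edges. The host names and transition probabilities are assumptions, and the fundamental-matrix formulas N = (I - Q)^-1 and B = NR are textbook AMC theory, not the dissertation's confirmed procedure.

```python
from fractions import Fraction as F

# Constructed 3-host attack graph; names and probabilities are assumptions.
TRANSIENT = ["web", "db", "file"]   # nodes the attacker can still move from
ABSORBING = ["goal", "blocked"]     # attack intention reached / attack stopped

# Q: transient -> transient, R: transient -> absorbing; each row of [Q|R] sums to 1.
# db -> web and file -> web are "circle" edges back to an earlier node.
Q = [[F(0), F(1, 2), F(1, 4)],
     [F(1, 4), F(0), F(0)],
     [F(1, 4), F(1, 2), F(0)]]
R = [[F(0), F(1, 4)],
     [F(1, 2), F(1, 4)],
     [F(0), F(1, 4)]]

def inverse(m):
    """Gauss-Jordan inverse with exact fractions."""
    n = len(m)
    a = [row[:] + [F(int(i == j)) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = next(r for r in range(c, n) if a[r][c] != 0)  # pivot row
        a[c], a[p] = a[p], a[c]
        a[c] = [x / a[c][c] for x in a[c]]
        for r in range(n):
            if r != c and a[r][c] != 0:
                a[r] = [x - a[r][c] * y for x, y in zip(a[r], a[c])]
    return [row[n:] for row in a]

def analyse(Q, R, start=0):
    """Return (expected visits, expected path length, absorption probabilities)."""
    n = len(Q)
    if any(sum(Q[i]) + sum(R[i]) != 1 for i in range(n)):
        raise ValueError("each row of [Q|R] must sum to 1")
    N = inverse([[F(int(i == j)) - Q[i][j] for j in range(n)] for i in range(n)])
    visits = dict(zip(TRANSIENT, N[start]))   # row of fundamental matrix N
    steps = sum(N[start])                     # expected steps before absorption
    absorb = {s: sum(N[start][j] * R[j][k] for j in range(n))
              for k, s in enumerate(ABSORBING)}   # row of B = N R
    return visits, steps, absorb

if __name__ == "__main__":
    visits, steps, absorb = analyse(Q, R)
    print("expected visits:", {k: str(v) for k, v in visits.items()})
    print("expected path length:", steps)
    print("P(goal), P(blocked):", absorb["goal"], absorb["blocked"])
```

In this constructed graph the entry node is visited 32/25 times on average, more than the single visit a monotonic model would assume, which is the kind of deviation the circle paths introduce.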
Keywords/Search Tags: Network Security Situation Awareness, Multistep Attacks, Security Vulnerability Situation, Attack Path Situation, Security Risk Situation, Analysis and Prediction, Optimal Defense Strategy, Attack Graph