Computer Network Vulnerability Assessment Based On Bayesian Attribute Attack Graph

Posted on: 2016-08-25
Degree: Master
Type: Thesis
Country: China
Candidate: B Sun
GTID: 2308330503950612
Subject: Computer Science and Technology

Abstract/Summary:
With the popularity of the Internet, information can be rapidly spread and shared, so people can work more conveniently, which promotes social progress. With the development of 3G, 4G and fiber-optic broadband, network speed has greatly increased. This helps companies raise their level of information technology and enhances the competitiveness of enterprises. The Internet does not only bring us convenience; it also brings many security risks, for example information disclosure, software vulnerabilities, hackers and so on, which cause huge economic losses. Therefore, an accurate assessment of network security and an effective security and defense policy have become urgent and necessary.

For network security assessment and defense, researchers have produced some mature solutions, for example IDS, IPS, firewalls and so on. But these solutions only address the problem from the attacker's perspective and focus on qualitative assessment. This paper analyzes the advantages and disadvantages of current network security assessment methods and gives a new method for assessing network vulnerability.

To predict potential network threats and assess network vulnerability quantitatively, we build a Bayesian network attribute attack graph model. For the attribute attack graph, this paper presents a new algorithm for eliminating attack loops to obtain a loop-free attack graph. Based on this graph, a method for converting an acyclic attribute attack graph into a Bayesian network is given, in order to construct a Bayesian attribute attack graph model. In this model, we take the network security status data as input to find all possible attack paths, and use the Bayesian formula to calculate the probability of every possible attack path. We can then assess network vulnerability quantitatively. According to the predicted result, the network administrator can draw up a network security reinforcement program.

In order to assess the network security situation from both the offensive and the defensive side, this paper establishes a game-theoretic vulnerability assessment framework based on the Bayesian network attribute attack graph and game theory. A new method of calculating the utility of both attacker and defender is given, based on the attribute node values for confidentiality, availability and integrity. We use two game matrices to represent the attacker's and the defender's income, and establish a multi-attribute attack and defense strategies double matrix model (MASDM). We use the game model to derive the mixed-strategy Nash equilibrium and give the best defense strategy.

Finally, the two models were tested in an experimental network environment to prove their usability and effectiveness. They can therefore provide a basis for a network administrator to design a network security reinforcement program.
Keywords/Search Tags: quantitative assessment, game theory, Bayesian networks, attribute attack graph, vulnerability assessment