
The Research On Network Vulnerabilities Assessment Methods Using Bayesian Network-based Attack Graphs

Posted on: 2016-04-15
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Zhai
GTID: 2348330536967475
Subject: Computer Science and Technology
Abstract/Summary:
As informatization accelerates, the security of network information systems becomes increasingly important. The main threat to network security today is that attacks have become advanced and persistent, and traditional passive protection can no longer cope with them effectively. Vulnerability assessment looks at the network from the attacker's perspective to find its potential security weaknesses; analysing the vulnerabilities in a networked system then guides its security protection. In this thesis, building on existing attack-graph-based assessment methods, we extend the network security element model and add uncertainty factors to the Bayesian network attack graph. We design and implement an attack probability calculation algorithm for attack graphs, a Bayesian attack graph generation algorithm, and a Gibbs inference algorithm based on the Bayesian attack graph. Finally, we compute attack probabilities on the attack graph and use an attack graph split-weighted method to assess the vulnerability of the target network.

The main work of the thesis is as follows.

First, we analyse the factors of the attack model and the network security model that bear on vulnerability assessment, classify the factors that influence the network security model, and describe the model in detail level by level. Because attack uncertainty, time and environmental factors are missing from attack probability calculation, we extend the Bayesian attack graph model and establish an intelligent-planning-oriented method for generating attack graphs, which provides the input required by the subsequent intelligent planning step that generates the attack graph.

Second, we propose an attack probability calculation method that is combined with the Common Vulnerability Scoring System (CVSS) and considers factors such as attacker ability and the difficulty of exploiting a vulnerability. By combining the CVSS parameter vector with attack graph analysis of the actual attack process, we dynamically adjust the prior probability parameters of the Bayesian attack graph and obtain an objective attack probability calculation that reflects the actual scenario, giving the probability of network attacks against specific goals.

Third, we implement approximate inference by Gibbs sampling on the Bayesian attack graph, which effectively reduces the complexity of the probability computation. As probabilities are selected from the Bayesian attack graph and the attack probabilities are fed back into the attack graph probability calculation, the process reaches Markov equilibrium and yields attack probability values that account for multiple network security parameters and uncertainty factors.

Finally, we propose vulnerability assessment based on cumulative attack probability, together with an atomic attack analysis algorithm based on the split-weighted attack graph. We use the attack probability values to quantify the path with the highest attack probability, and, based on split weighting of the Bayesian attack graph, we propose an attack split-weighted method and an attack probability calculation that takes repair measures into account. Using these quantitative parameters, we analyse the selection of the attack repair set quantitatively, and the results guide network security assessment and repair.
Keywords/Search Tags:attack graphs, Bayesian Network, CVSS, attack probability, Gibbs-sampling