
Research On Threat Assessment And Defense Mechanism Of Multi-Steps Attack

Posted on: 2020-08-24
Degree: Master
Type: Thesis
Country: China
Candidate: Y Yu
Full Text: PDF
GTID: 2428330575998439
Subject: Information security
Abstract/Summary:
With the rapid development of network technology, network attack methods are emerging one after another, leading to more and more network attacks, especially multi-step attacks. There is therefore a strong need to emphasize network security evaluation and defense, and to make defense decisions dynamically during a multi-step attack. Moving target defense (MTD) introduces dynamics and diversity into the network and defends against APT attacks by eliminating the advantage an attacker gains from accumulating attack resources over time. However, existing dynamic MTD platforms are mostly based on simple randomization methods such as rotation reset, which provide only limited dynamic security. In addition, existing optimal decision-making methods for MTD systems mostly consist of simple defense measures such as disabling services and shutting down hosts. Although these studies achieve a dynamic decision process against attacks, the existing systems do not take dynamic defense methods into account. In response to these problems, this thesis carries out the following research:

(1) First, this thesis proposes a multi-dimensional evaluation method in the field of multi-information fusion threat assessment. It combines performance degradation, vulnerability assessment and log analysis, and evaluates along the three security dimensions of confidentiality, integrity and availability. This method lowers the false positive rate compared with analysis based on logs alone.

(2) Second, this thesis uses a Bayesian attack graph to evaluate the threat to core assets under MTD. Considering the defense cost and what the system can afford, it also proposes a reset policy controlled by a cut threshold. Our experiments show that the method can effectively evaluate the security threats and trends of APT attacks, and that dynamic defense policies based on simple randomness offer only limited security as the attacker's capability improves.

(3) Third, this thesis proposes the System Dependency Graph, on which two diversity-extension defense mechanisms are built: the Random Derivation Algorithm and the Genetic Algorithm. The System Dependency Graph describes the operating system, applications and configuration in a system image, together with the dependency relationships among them and their strength, providing theoretical support and a practical basis for the "system-application" aspect of dynamics. The Random Derivation Algorithm extends diversity by randomly combining the operating system with each application, while the Genetic Algorithm does so by reorganizing the application configuration. Our experiments show that the Random Derivation Algorithm is efficient and stable but limited in diversity, whereas the Genetic Algorithm yields high diversity and can select for and evolve the safety of individuals, although it is slightly less efficient and less stable.

(4) Fourth, this thesis proposes an optimal defense decision method based on a belief-MDP that accounts for the dynamic nature of the MTD system. Due to the defender's limited ability, the real-time gain value is estimated by the threat assessment methods, and a Q-learning algorithm is implemented by evaluating simulated interactions of the systems. The experiment shows that our method obtains stable rewards and is suited to scenarios in which dynamic defense policies themselves change the environment.

Finally, this thesis implements the above defense mechanisms on top of Dockerfiles and builds a complete adaptive defense system. It makes up for the shortcomings of existing platforms in diversity extension and, by weighing defense effect against cost, uses the belief-MDP to solve the optimal decision problem of dynamic defense and realize dynamic decisions against attacks.
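The Bayesian attack graph evaluation and the threshold-controlled reset policy of item (2) can be illustrated with a small worked example. The code below is an added example, not the thesis's own code: it uses a constructed five-node attack graph with AND/OR preconditions, computes the exact compromise probability of the core asset by marginalizing over all joint states (so paths that share an ancestor are not treated as independent), models the attacker's accumulated attempts since the last reset as repeated tries, and then compares a cut-threshold reset with a fixed-period rotation. The node names, step probabilities, accumulation model and threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Node:
    """One condition in the attack graph.

    gate: "ROOT" (attacker's starting point), "OR" (any parent suffices)
          or "AND" (every parent is required).
    p:    probability that the exploit step succeeds in a single attempt
          once its preconditions hold (assumed values, for illustration).
    """
    gate: str
    parents: Tuple[str, ...]
    p: float


# Constructed example graph, listed in topological order (parents before
# children). The values are illustrative assumptions, not measured data.
EXAMPLE_GRAPH: Dict[str, Node] = {
    "internet":     Node("ROOT", (), 1.0),
    "web_exploit":  Node("OR",  ("internet",), 0.6),
    "creds_stolen": Node("OR",  ("web_exploit",), 0.5),
    "lateral_move": Node("AND", ("web_exploit", "creds_stolen"), 0.7),
    "core_asset":   Node("OR",  ("lateral_move", "creds_stolen"), 0.8),
}


def step_probability(p: float, attempts: int) -> float:
    """Probability that at least one of `attempts` independent tries succeeds.

    This is the accumulation an MTD reset is meant to cut off: without a
    reset the attacker keeps retrying and the effective probability climbs
    towards 1 (assumed model).
    """
    return 1.0 - (1.0 - p) ** attempts


def local_probability(node: Node, parents_true: List[bool], attempts: int) -> float:
    """P(node compromised | state of its parents)."""
    if node.gate == "ROOT":
        return node.p
    preconditions_met = all(parents_true) if node.gate == "AND" else any(parents_true)
    return step_probability(node.p, attempts) if preconditions_met else 0.0


def compromise_probability(graph: Dict[str, Node], target: str, attempts: int = 1) -> float:
    """Exact P(target compromised), summing the joint over all 2^n states.

    Enumeration keeps the result exact when paths share ancestors (here both
    inputs of core_asset depend on creds_stolen); assuming the parents are
    independent would overestimate the threat. Fine for graphs of a few
    dozen nodes; larger graphs need proper Bayesian-network inference.
    """
    names = list(graph)  # relies on the dict being in topological order
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        state = dict(zip(names, states))
        joint = 1.0
        for name in names:
            node = graph[name]
            p_true = local_probability(node, [state[q] for q in node.parents], attempts)
            joint *= p_true if state[name] else 1.0 - p_true
            if joint == 0.0:
                break
        if state[target]:
            total += joint
    return total


def threshold_reset_policy(graph: Dict[str, Node], target: str,
                           threshold: float, horizon: int):
    """Cut-threshold reset: rotate the platform as soon as the core-asset
    threat reaches `threshold`; a reset discards the attacker's accumulated
    attempts. Returns the per-step threat series and the steps at which
    resets were issued (each reset costs something, so fewer is cheaper)."""
    attempts_since_reset = 0
    threats, resets = [], []
    for t in range(1, horizon + 1):
        attempts_since_reset += 1
        threat = compromise_probability(graph, target, attempts_since_reset)
        threats.append(threat)
        if threat >= threshold:
            resets.append(t)
            attempts_since_reset = 0
    return threats, resets


def periodic_peak_threat(graph: Dict[str, Node], target: str, period: int) -> float:
    """Peak threat under a fixed-period rotation: the attacker gets `period`
    uninterrupted attempts before each reset."""
    return compromise_probability(graph, target, period)


if __name__ == "__main__":
    threats, resets = threshold_reset_policy(EXAMPLE_GRAPH, "core_asset", 0.5, 6)
    print("threshold policy: peak threat %.4f, resets at steps %s" % (max(threats), resets))
    print("fixed rotation every 3 steps: peak threat %.4f"
          % periodic_peak_threat(EXAMPLE_GRAPH, "core_asset", 3))
```

With the constructed values the single-attempt threat to the core asset is 0.24, the threshold policy resets at every second step and caps the threat at about 0.60, while a fixed three-step rotation lets it climb to about 0.81 before each reset. Lowering the threshold reduces the peak threat but raises the number of resets, which is the cost trade-off a threshold-controlled policy has to balance.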
Keywords/Search Tags:APT Attack, Moving Target Defense, Bayesian Attack Graph, System Dependency Graph, Belief-MDP