Performance Evaluation Method Of Multi-level Cyber Space Deception Defense Technology

Posted on: 2022-10-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y Gu
Full Text: PDF
GTID: 2518306740494414
Subject: Cyberspace security

Abstract/Summary:
After decades of development, the Internet has penetrated every aspect of people's lives. It has brought many conveniences to daily life, but also many security threats. Current network attack and defense show a trend of "easy to defend but difficult to attack". The attacker can attack continuously based on the information obtained from network detection. Targeting this characteristic, cyber deception misleads or disturbs the attacker's cognition so that the attacker takes, or refrains from taking, actions in favor of the defense. Network security assessment can significantly improve the protection ability of active defense technology, which is of great help in solving security problems. However, a cyber deception effectiveness evaluation system has not yet been formed. Most existing evaluation methods take whether system resources are discovered, or the results of deceiving the system, as the evaluation basis. They are limited to a single deception method and cannot cover all the deception application scenarios in a business system. They also ignore factors such as deception and concealment. Therefore, establishing an effective evaluation model to analyze and evaluate the performance of cyber deception is of great significance. To solve the above problems, this thesis proposes a performance evaluation method for multi-level cyberspace deception defense, which mainly includes the following research contents:

(1) This thesis proposes a method for deception scheme concealment analysis based on a network node cognitive model. The method introduces a knowledge model of network nodes that includes the information the attacker obtains through scanning and detection tools. This information generalizes the relevant factors of multiple types of deception scenarios, such as network, terminal, and data, which form the false network view from the attacker's perspective. We analyze the concealment of the deception scheme by comparing the similarity between the cognitive models of resource nodes and bait nodes under the false network view and the genuine network view. Concealment is measured on the network, terminal, data, and other aspects. The method takes the scan detection results as input and builds the cognitive model of network nodes from all available detection information. The experimental results show that the proposed method for deception scheme concealment analysis is feasible and scalable.

(2) This thesis proposes a method to evaluate the effectiveness of network deception based on the dynamic Bayesian attack graph. Combined with information about the network state, we calculate the probability of the attacker reaching each state from the known vulnerability information in the network and generate the state transition diagram. The attack graph is then dynamically transformed during the continuous attack and defense process: the occurrence of attack events and the feedback from node monitoring change the state attributes of nodes in the attack graph. Finally, we enumerate the state information of each node to determine the attack phase and extract the attack path. The effectiveness of deception defense depends on the attacker's stay at the decoy nodes deployed on this path. We verify the feasibility and effectiveness of the network deception evaluation method based on the dynamic Bayesian attack graph by simulation experiment.

(3) We designed and implemented a prototype system for cyber deception effectiveness evaluation based on the above methods. The system includes an information collection module, a concealment analysis module, and an effectiveness evaluation module. The information collection module collects data from the network, systems, and events to acquire the status data generated in each stage of network deception defense. The concealment analysis module carries out concealment analysis on the deception scheme developed by the security personnel. It takes the basic host information collected by the information collection module as input and measures the concealment of the multi-level deception environment, such as network, terminal, and data. The effectiveness evaluation module generates attack graphs, sets up local vulnerability databases, and evaluates the effectiveness of the defense, among other functions. It can reflect the current network security situation and produce quantitative situation evaluation results. The system performs the concealment analysis and effectiveness evaluation of the cyber deception by means of instruction calls and status monitoring, and the results are written to standard output and stored in a specified file. Users can integrate it with a cyber deception management and control system and extend it.
Keywords/Search Tags: cyber deception, concealment analysis, dynamic Bayesian attack graph, effectiveness evaluation