With the development of information technology, network applications have become deeply integrated into people's lives, and today's society is gradually developing into an information society with the network as its underlying foundation. While people enjoy the convenience the network brings, network attacks also threaten their security. In the current field of network security protection, a major task is to analyze the security situation of the network environment. An attack graph is a network penetration model built from network vulnerability information combined with a variety of knowledge bases; it allows network security professionals to find the vulnerable points of the network environment and reinforce key equipment, or to use real-time information together with the model to predict the attacker's next direction of intrusion. In the past, the information used to build attack graph models was mainly the permissions and attack locations required to exploit a vulnerability. However, with the frequent occurrence of APT and other highly covert and targeted attacks carried out through the cooperation of multiple vulnerabilities, the current attack graph model can no longer accurately cope with intrusion processes composed of multiple categories of atomic attacks, and in the subsequent vulnerability assessment process the traditional Common Vulnerability Scoring System (CVSS) leads to a biased risk assessment because of its low scoring diversity and its failure to incorporate the attack process. To address these two problems, this paper carries out a series of works to build a complete automated cyber risk assessment system. The main innovations and contributions are as follows.

First, an atomic attack graph model based on attack phases is proposed, and the logical relationship between multiple types of atomic attacks is handled correctly by introducing the concept of attack phases. To solve the problem that attack graphs cannot be generated automatically, a framework for generating attribute attack graphs based on attack phases is proposed: a standard library of 393 attack types is established; crawled vulnerability description information is used to compute word and phrase similarity, from which a short-text similarity is derived to obtain the attack pattern corresponding to each vulnerability, laying the foundation for automated generation; and, using the similarity between the attack pattern and the attack phase, a mapping and gain inference algorithm is proposed that further identifies the attack phase of the vulnerability and the attack gain, so that the attack phase and the vulnerability's missing information are generated automatically. Finally, to solve the problem that the traditional attribute attack graph cannot correctly handle multiple types of vulnerabilities, an attack graph generation algorithm based on attack phases is proposed that simulates the attacker's intrusion operations accurately and intuitively.

Second, on the basis of the attack-phase-based attack graph, a method for evaluating the atomic attacks in the graph is studied. The CVSS scoring dimensions and formula principles are studied first, showing that the traditional scoring has low diversity and cannot distinguish the subtle differences between individual atomic attacks. Next, the correlation between attack patterns and CVSS, and the principle of its effect, are analyzed through the formula and data. Then, through historical data and curve fitting, a new assessment formula is proposed to solve the problem of low diversity of the original CVSS scores and small differences between vulnerabilities. After that, combined with the concept of attack phase, a node reachability metric formula is proposed to address the problem of low cost estimation in past approaches; a node hazard metric formula is proposed to solve the problem that multiple threats from a single vulnerability were not separated in the past; and a node follow-up threat metric formula is proposed to assess the dynamic threat of nodes. Combining these three considerations, a node risk assessment formula is proposed, and recommendations are made for security reinforcement.

Finally, we build a simulated experimental environment, set up a three-layer network model consisting of a DMZ zone, an OADC domain and a SCADA domain, and place constraints on network connectivity to verify the attack graph generation framework and node risk assessment techniques described above. We compare them with the traditional attack graph model, analyze the problems of the original model and how the attack graph model proposed in this paper solves them, and compare the traditional vulnerability scoring system with the improved assessment method to corroborate the advantages of the new risk assessment algorithm.
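As an added illustration that is not code from the thesis, the toy model below shows how an attack-phase constraint changes attribute attack graph generation over a constructed three-layer DMZ/OADC/SCADA topology with connectivity constraints. The phase ordering, privilege levels, placeholder vulnerability ids (VULN-n) and hosts are all assumptions made for this example, not the thesis's own taxonomy or data.

```python
from dataclasses import dataclass

# Assumed phase ordering (constructed for this example): a path may stay in a phase or advance, never go back.
PHASES = ["initial_access", "privilege_escalation", "lateral_movement", "impact"]
RANK = {p: i for i, p in enumerate(PHASES)}
PRIV = {"none": 0, "user": 1, "root": 2}

@dataclass(frozen=True)
class Vuln:
    host: str
    vid: str      # placeholder id, not a real CVE number
    phase: str
    require: str  # privilege the attacker needs on the current foothold
    gain: str     # privilege obtained on the target host

# Constructed topology with connectivity constraints: internet -> DMZ -> OADC -> SCADA.
REACH = {"internet": {"dmz_web"}, "dmz_web": {"oadc_hmi"},
         "oadc_hmi": {"scada_plc"}, "scada_plc": set()}

# Constructed atomic attacks, each already annotated with its phase and gain.
VULNS = [
    Vuln("dmz_web", "VULN-1", "initial_access", "none", "user"),
    Vuln("dmz_web", "VULN-2", "privilege_escalation", "user", "root"),
    Vuln("oadc_hmi", "VULN-3", "lateral_movement", "root", "user"),
    Vuln("scada_plc", "VULN-4", "impact", "user", "root"),
    Vuln("scada_plc", "VULN-5", "initial_access", "none", "user"),  # phase already passed once in SCADA
]

def usable(v, host, priv, last_rank, phase_aware):
    """Atomic attack applies if the target is the foothold or adjacent, privilege suffices,
    and (when phase-aware) the attack phase does not move backwards along the path."""
    adjacent = v.host == host or v.host in REACH[host]
    phase_ok = (not phase_aware) or RANK[v.phase] >= last_rank
    return adjacent and PRIV[priv] >= PRIV[v.require] and phase_ok

def attack_paths(goal_host, goal_priv, phase_aware=True):
    """Enumerate attack paths from the internet to the goal state (host, privilege)."""
    paths = []
    def dfs(host, priv, last_rank, used, path):
        if host == goal_host and PRIV[priv] >= PRIV[goal_priv]:
            paths.append(path)
            return
        for v in VULNS:
            if v.vid not in used and usable(v, host, priv, last_rank, phase_aware):
                dfs(v.host, v.gain, RANK[v.phase], used | {v.vid}, path + [v.vid])
    dfs("internet", "none", 0, frozenset(), [])
    return paths

def attack_graph_edges(paths):
    """Collapse the enumerated paths into the directed edges of an attribute attack graph."""
    return sorted({(a, b) for p in paths for a, b in zip(p, p[1:])})
```

Without the phase constraint the generator also emits a path that re-enters the initial-access phase on the SCADA host after lateral movement, which is the kind of implausible multi-vulnerability chain the text says traditional attribute attack graphs cannot rule out.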