ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development (计算机研究与发展) ›› 2018, Vol. 55, Issue (4): 831-845. doi: 10.7544/issn1000-1239.2018.20170087

• Information Security •

Route Prediction Method for Network Intrusion Using Absorbing Markov Chain

Hu Hao1,3, Liu Yuling2, Zhang Hongqi1,3, Yang Yingjie1,3, Ye Runguo4

  1. PLA Information Engineering University, Zhengzhou 450001; 2. Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190; 3. Henan Key Laboratory of Information Security, Zhengzhou 450001; 4. China Electronics Standardization Institute, Beijing 100007 (wjjhh_908@163.com)
  • Online: 2018-04-01
  • Funding: National Key Research and Development Program of China (2016YFF0204002, 2016YFF0204003); "13th Five-Year Plan" Equipment Pre-Research Field Fund (6140002020115); CCF-Venustech "Hongyan" Research Program Fund (2017003); Zhengzhou Science and Technology Leading Talents Project (131PLJRC644)

Abstract: Predicting intrusion intent and attack paths helps security administrators understand in depth the threat behaviours an attacker may carry out. Existing work focuses mainly on path prediction under ideal attack scenarios, but the ideal attack paths are not always the real paths an intruder takes. To predict the path information of a network intrusion accurately and comprehensively, this paper proposes a multi-step attack path prediction method based on an absorbing Markov chain (AMC). First, a normalization algorithm for node state transition probabilities is designed using the memoryless (Markov) and absorption properties of the AMC, and it is proved that a complete attack graph (AG) can be mapped to an AMC. A state transition probability metric based on the Common Vulnerability Scoring System (CVSS) is then given. Finally, the steps for predicting the expected number of visits to each attack state and the expected attack path length are presented. Case analysis shows that the method can quantify the probability distribution of attack paths of different lengths, compute the expected path length, predict the number of atomic attacks needed to reach a given attack goal, and rank nodes by threat, thereby providing more guidance for timely network security protection against attack threats.

Key words: intrusion route prediction, attack graph (AG), absorbing Markov chain (AMC), expected route length, node threat ranking
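As an added illustration of the method described in the abstract (not code from the paper), the following Python script builds a small constructed attack graph, normalizes per-node CVSS exploitability scores into transition probabilities, maps the graph to an absorbing Markov chain with the attack goal as the absorbing state, and computes the fundamental matrix N = (I - Q)^-1, from which the expected number of visits to each state, the expected route length t = N·1 and a node threat ranking follow. The edge scores, state numbering and function names are assumptions made for this example.

```python
# Constructed attack graph for illustration (scores are not from the paper):
# transient state -> {next state: CVSS exploitability score}; state 4 is the
# attacker's goal and is absorbing.
ATTACK_GRAPH = {0: {1: 8.6, 2: 3.9}, 1: {3: 8.0, 2: 2.2}, 2: {3: 6.8}, 3: {4: 10.0}}
GOAL = 4

def transition_matrix(graph, goal):
    """Normalize outgoing scores per node into row-stochastic P; goal absorbs."""
    n = goal + 1
    P = [[0.0] * n for _ in range(n)]
    for state, edges in graph.items():
        total = sum(edges.values())
        for nxt, score in edges.items():
            P[state][nxt] = score / total
    P[goal][goal] = 1.0
    return P

def invert(M):
    """Gauss-Jordan inverse with partial pivoting (pure Python, no numpy)."""
    n = len(M)
    A = [row[:] + [float(i == j) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(A[r][c]))
        A[c], A[piv] = A[piv], A[c]
        f = A[c][c]
        A[c] = [x / f for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0.0:
                g = A[r][c]
                A[r] = [x - g * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def fundamental_matrix(P, transient):
    """N = (I - Q)^-1, Q = P restricted to transient states;
    N[i][j] = expected number of visits to state j starting from state i."""
    k = len(transient)
    I_minus_Q = [[float(i == j) - P[transient[i]][transient[j]] for j in range(k)]
                 for i in range(k)]
    return invert(I_minus_Q)

def expected_route_length(N):
    """t = N * 1: expected number of atomic attacks before absorption."""
    return [sum(row) for row in N]

def threat_ranking(N, transient, start):
    """Rank the other transient nodes by expected visits from the start state."""
    row = N[transient.index(start)]
    visits = {s: row[j] for j, s in enumerate(transient) if s != start}
    return sorted(visits, key=visits.get, reverse=True)
```

Calling `fundamental_matrix(transition_matrix(ATTACK_GRAPH, GOAL), sorted(ATTACK_GRAPH))` and then `expected_route_length` on the result gives the expected number of atomic attacks from each start state; for this constructed graph the expectation from state 0 is about 3.15, and state 3 ranks highest because every route to the goal passes through it.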
