[1] Liu Gang, Zhang Hong, Li Qianmu. Network security optimal attack and defense decision-making method based on game model [J]. Journal of Nanjing University of Science and Technology, 2014, 38(01): 12-21.

Network security optimal attack and defense decision-making method based on game model

Journal of Nanjing University of Science and Technology (Natural Science Edition) [ISSN:1005-9830/CN:32-1397/N]

Volume: 38
Issue: 2014, No. 01
Pages: 12-21
Column:
Publication date: 2014-02-28

Article Info

Title:
Network security optimal attack and defense decision-making method based on game model
Author(s):
Liu Gang, Zhang Hong, Li Qianmu
School of Computer Science and Engineering, Nanjing University of Science and Technology (NUST), Nanjing, Jiangsu 210094, China
Keywords:
network security; risk management; state attack-defense graph; game theory; optimal decision-making
Classification number:
TP309
Abstract:
To implement network security risk management effectively and reduce security risk losses, this paper uses game theory to analyze the interactions between the attacker and the defender and designs a network security optimal attack and defense decision-making method. From the network's topology information, the reachability relationships between nodes and the vulnerability information, the method first generates the network's state attack-defense graph (SADG). It calculates the success probability and hazard index of each atomic attack in the SADG, and from these obtains the success probability and hazard index of every possible attack path. It then calculates the utility matrix of the different strategies taken by the attacker and the defender in the different network security states. Based on the SADG and a non-cooperative non-zero-sum game model, the paper proposes an optimal attack and defense decision-making algorithm and, combined with the prevention and control measures for the vulnerabilities, generates the optimal attack and defense strategies. The application of the method to network security risk management is analyzed through a typical network example. The experimental results show that the method can effectively generate the optimal attack and defense decision.

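Memo:
Received: 2013-02-05; Revised: 2013-04-25
Funding: National Natural Science Foundation of China (60903027); Jiangsu Province Natural Science Major Research Project (BK2011023); Natural Science Foundation of Jiangsu Province (BK2011370); Aerospace Innovation Fund (CALT201102); Lianyungang Industrial Key Science and Technology Project (CG1124); China Postdoctoral Science Foundation (2012M521089)
About the authors: Liu Gang (1985-), male, PhD candidate, main research interests: network and information security, E-mail: liugang_nj@163.com; corresponding author: Zhang Hong (1956-), male, professor, doctoral supervisor, main research interests: network security, trusted computing, E-mail: zhhong@njust.edu.cn.
Citation format: Liu Gang, Zhang Hong, Li Qianmu. Network security optimal attack and defense decision-making method based on game model [J]. Journal of Nanjing University of Science and Technology, 2014, 38(1): 12-21.
Submission website: http://njlgdxxb.paperonce.org
Last Update: 2014-02-28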