Computer Engineering and Applications ›› 2019, Vol. 55 ›› Issue (22): 73-79. DOI: 10.3778/j.issn.1002-8331.1809-0081

• Network, Communication and Security •

Network Intrusion Intention Recognition Method Based on Bayesian Attack Graph

WANG Yang, WU Jianying, HUANG Jinlei, HU Hao, LIU Yuling

  1. The Third Institute, Information Engineering University, Zhengzhou 450001, China
  2. Cyber Security Guard, Beijing Public Security Bureau, Beijing 100010, China
  3. Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences, Beijing 100190, China
  4. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 101408, China
  • Online: 2019-11-15 Published: 2019-11-13

Abstract: Existing intrusion intention recognition methods do not consider the validity of alert evidence, which reduces recognition accuracy. To address this, an intrusion intention recognition method based on a Bayesian attack graph is proposed. First, a Bayesian attack graph model is constructed; then, by defining the confidence of each alert and the correlation strength between alerts, isolated alerts with low confidence are removed. Bayesian posterior inference is then performed on the extracted valid alert evidence to dynamically update the probability that each state node in the attack graph has been attacked, identifying both attacks that have already occurred and potential attacks in the network. Experimental results show that the proposed method effectively extracts alert evidence and improves the accuracy of network intrusion prediction.

Key words: intention recognition, Bayesian attack graph, vulnerability exploitation, alert confidence level, alert correlation strength