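1. School of Cyberspace Security, PLA Information Engineering University, Zhengzhou, Henan 450001
2. State Key Laboratory of Mathematical Engineering and Advanced Computing, Wuxi, Jiangsu 214000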
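Zi-wei YE (born 1990), male, from Tonghua, Jilin. Ph.D. candidate at PLA Information Engineering University. Main research interests: network security and situational awareness.
Yuan-bo GUO (born 1975), male, from Zhouzhi, Shaanxi. Professor and doctoral supervisor at PLA Information Engineering University. Main research interests: big data security and situational awareness.
Chen-dong WANG (born 1992), male, from Fuzhou, Jiangxi. Master's student at PLA Information Engineering University. Main research interest: network security.
An-kang JU (born 1995), male, from Xinxiang, Henan. Ph.D. candidate at PLA Information Engineering University. Main research interests: multi-step network attack detection and threat intelligence.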
Online publication date: 2017-11
Print publication date: 2017-11-25
Zi-wei YE, Yuan-bo GUO, Chen-dong WANG, et al. Survey on application of attack graph technology[J]. Journal on Communications, 2017, 38(11): 121-132. DOI: 10.11959/j.issn.1000-436x.2017213.
Attack graph technology predicts the methods and process by which an attacker may compromise a target network, guiding defenders to apply targeted defensive measures to network nodes and improve network security. This survey first introduces the basic components of attack graphs and lists several types of attack graph with their respective advantages and disadvantages. It then reviews the current application of attack graph technology in risk assessment and network hardening, intrusion detection and alert correlation, and other areas, and presents several existing attack graph generation and analysis tools. Finally, it identifies the challenges facing attack graph technology and possible directions for future research.