Complete Attack Graph Automatic Generation Method  Based on Attack Pattern

doi:10.3969/j.issn.1000-3428.2013.10.027

Computer Engineering

Previous Articles Next Articles

Complete Attack Graph Automatic Generation Method Based on Attack Pattern

LIU Long^a, CHEN Xiu-zhen ^a, LI Jian-hua^b

(a. School of Information Security Engineering; b. School of Electronic Information and Electrical Engineering, Shanghai Jiaotong University, Shanghai 200240, China)

Received:2012-09-19 Online:2013-10-15 Published:2013-10-14

基于攻击模式的完备攻击图自动生成方法

刘龙^a，陈秀真^a，李建华^b

(上海交通大学 a. 信息安全工程学院；b. 电子信息与电气工程学院，上海 200240)

作者简介:刘龙(1988－)，男，硕士研究生，主研方向：网络安全；陈秀真(通讯作者)，副教授、博士；李建华，教授、博士
基金资助:
国家“973”计划基金资助项目(2010CB731403,2010CB731406)；国家自然科学基金资助项目(61071152,61271316)； “十二五”国家科技支撑计划基金资助项目(2012BAH38B04)；西安交通大学制造系统工程国家重点实验室开放课题基金资助项目(sklms2012005)

Abstract

Abstract: As the generation of attack graph without loops leads to missing of attack paths, this paper puts forward the concept of complete attack graph and builds its automatic generation method. It obtains the network connectivity automatically by analyzing the firewall configuration files, to get rid of tedious manual input. Then the attack patterns are enriched to cover almost all network attack types and based on them, an efficient approach to complete attack graph generation is built. In the end, a model to generate complete attack graph automatically using the algorithm is built. Experimental result shows that this method has less time consumption, high degree of automation, and it can be applied to large networks.

Key words: network security, vulnerability, attack graph, network connectivity, firewall, attack pattern

摘要： 无圈攻击图结构简单，但在构建过程中会导致部分路径缺失。为此，给出完备攻击图的概念，提出基于攻击模式的完备攻击图自动生成方法。通过分析网络防火墙的配置文件，自动获取网络连通性。完善攻击模式知识库以优化攻击者能力建模，并在此基础上设计广度优先前向搜索的攻击图生成算法，实现自动生成完备攻击图的原型。实验结果表明，该方法的自动化程度高、时间消耗少，可应用于大型网络。

关键词: 网络安全, 脆弱性, 攻击图, 网络连通性, 防火墙, 攻击模式

CLC Number:

TP309.2

LIU Long, CHEN Xiu-zhen, LI Jian-hua. Complete Attack Graph Automatic Generation Method Based on Attack Pattern[J]. Computer Engineering.

刘龙，陈秀真，李建华. 基于攻击模式的完备攻击图自动生成方法[J]. 计算机工程.

/ Recommend / Download Citations

URL:

https://www.ecice06.com/EN/Y2013/V39/I10/127

References

参考文献 [1] Swiler L P, Phillips C, Ellis D, et al. Computer-attack Graph Generation Tool[C]//Proc. of the 2nd DARPA Information Survivability Conference and Exposition. Los Alamitos, USA: IEEE Computer Society Press, 2001: 307-321. [2] Lippmann R P, Ingols K W. An Annotated Review of Past Papers on Attack Graphs[R]. Technical Report: ESC-TR-2005- 054, MIT Lincoln Laboratory, 2005. [3] Ritchey R, Ammann P. Using Model Checking to Analyze Network Vulnerabilities[C]//Proc. of 2000 IEEE Symp. on Security and Privacy. Oakland, USA: IEEE Computer Society Press, 2000: 156-165. [4] Jha S, Sheyner O, Wing J. Two Formal Analyses of Attack Graphs[C]//Proc. of the 15th IEEE Computer Security Foundations Workshop. Cape Breton, Canada: IEEE Computer Society Press, 2002: 49-63. [5] 陈锋, 张怡, 苏金树, 等. 攻击图的两种形式化分析[J]. 软件学报, 2010, 21(4): 838-848. [6] Jajodia S, Noel S, O’Beny B. Topological Analysis of Network Attack Vulnerability[C]//Proc. of Managing Cyber Threats: Issues, Approaches and Challenges. Boston, USA: Kluwer Academic Publisher, 2003: 3-4. [7] Ou Xinming, Boyer W F, McQueen M A. A Scalable Approach to Attack Graph Generation[C]//Proc of the 13th ACM Conference on Computer and Communications Security. New York, USA: ACM Press, 2006: 336-345. [8] Danforth M. Models for Threat Assessment in Networks[D]. Davis, USA: University of California, 2006. [9] Zhong Shangqin, Yan Danfeng, Liu Chen. Automatic Genera- tion of Host-based Network Attack Graph[C]//Proc. of WRI World Congress on Computer Science and Information Engineering. Los Angeles, USA: IEEE Computer Society Press, 2009: 93-98. [10] 赵豹. 基于攻击图的网络脆弱性分析技术研究[D]. 长沙: 国防科学技术大学, 2009. [11] Ingols K, Lippmann R, Piwowarski K. Practical Attack Graph Generation for Network Defense[C]//Proc. of the 22nd Annual Computer Security Applications Conference. Miami Beach, USA: IEEE Computer Society Press, 2006: 121-130. [12] Li Wei. An Approach to Graph-based Modeling of Network Ex- ploitations[D]. Starkville, USA: Mississippi State University, 2005. [13] 赵豹, 张怡, 孟源. 基于攻击模式的反向搜索攻击图生成算法[J]. 计算机工程与科学, 2011, 33(7): 18-24. 编辑金胡考

[1]	LIU Zhuang, GU Kangzheng, TAN Xin, ZHANG Yuan. Automatic Generation of Code for Heap Spraying Object Manipulation Targeting Kernel Vulnerability Exploitation [J]. Computer Engineering, 2025, 51(4): 178-187.
[2]	Qiong SHI, Hui DUAN, Zhibin SHI. Trusted Task Offloading Scheme Based on Deep Reinforcement Learning [J]. Computer Engineering, 2024, 50(8): 142-152.
[3]	GAO Shan, WANG Chengyu, BI Chengming, ZHU Tieying. Smart Contract Reentrancy Vulnerability Detection Based on Symbolic Execution [J]. Computer Engineering, 2024, 50(10): 196-204.
[4]	Sha ZHOU, Guowei SHEN, Chun GUO. Vulnerability Information Completion Based on Security Knowledge Graph and Reverse Features [J]. Computer Engineering, 2024, 50(1): 145-155.
[5]	Changhong YU, Ya LU, Haixin WANG, Ming GAO. Traffic Classification Algorithm for IoT Device Based on Sliding Time Window [J]. Computer Engineering, 2023, 49(7): 259-268.
[6]	ZHANG Liqun, PAN Zulie, HUANG Hui, WANG Ruipeng, LI Yang. Research on Automatic Verification Method of Tcache Poisoning Heap Vulnerability Based on Symbolic Execution [J]. Computer Engineering, 2023, 49(6): 24-33.
[7]	GU Yunjie, WU Changhe, WU Qing, ZHANG Wei, Lü Tianhang, HU Qi, SONG Xiaobin, YAN Jiyu. Cascade Vulnerability Scanning Engine Deployment Strategy for Delay Optimization [J]. Computer Engineering, 2023, 49(3): 161-167,176.
[8]	Huayu LIU, Shuitao GAN, Xiaokang YIN, Xiaolong LIU, Shengli LIU, Hongliang LI. A Gray-box Test Technology Based on Intelligent Inference of Protocol Format [J]. Computer Engineering, 2023, 49(12): 129-135, 145.
[9]	Peng ZHENG, Letian SHA. Java Deserialization Vulnerability Detection Method Based on Hybrid Analysis [J]. Computer Engineering, 2023, 49(12): 136-145.
[10]	CUI Jingyang, CHEN Zhenguo, TIAN Liqin, ZHANG Guanghua. Overview of User and Entity Behavior Analytics Technology Based on Machine Learning [J]. Computer Engineering, 2022, 48(2): 10-24.
[11]	ZHU Simeng, DU Ruiying, CHEN Jing, HE Kun. Web Application Firewall Reinforcement Scheme Based on Recurrent Neural Network [J]. Computer Engineering, 2022, 48(11): 120-126.
[12]	SUN Pengyu, ZHANG Hengwei, TAN Jinglei, LI Chenwei, MA Junqiang, WANG Jindong. Network Security Defense Decision Method Based on Time Game [J]. Computer Engineering, 2022, 48(11): 145-151.
[13]	NI Siyuan, HU Hongchao, LIU Wenyan, LIANG Hao. Heterogeneous Cloud Resource Allocation Algorithm Based on Rotation Strategy [J]. Computer Engineering, 2021, 47(6): 44-51,67.
[14]	YANG Yanli, SONG Lipeng. Attack Graph Generation Method Integrating Social Network Threats [J]. Computer Engineering, 2021, 47(5): 104-116.
[15]	LI Minglei, LU Yuliang, HUANG Hui, ZHU Kailong. Guided Grey-Box Fuzzing Test Method Combining Distance and Weight [J]. Computer Engineering, 2021, 47(3): 147-154.

Please choose a citation manager

Content to export

Complete Attack Graph Automatic Generation Method Based on Attack Pattern

基于攻击模式的完备攻击图自动生成方法

PDF

Knowledge

Cited

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments

模态框（Modal）标题

Please choose a citation manager

Content to export

Complete Attack Graph Automatic Generation Method Based on Attack Pattern

基于攻击模式的完备攻击图自动生成方法

PDF

Knowledge

Cited

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Comments