Network combined-attack modeling analysis

Network modeling and analysis of combined attacks (multi-step attacks that may exist in a network and are analyzed as a whole)

This post is based on the paper "Advances in network modeling methods for combined attacks" by Mao Handong, Zhang Weiming, Chen Feng and Zhu Cheng, Computer Science 2007, Vol. 34, No. 11.

Below I work through the text of "Advances in network modeling methods for combined attacks" (Computer Science 2007, Vol. 34, No. 11), analyzing and interpreting it; I hope this helps everyone learn together.

1. What is combined network attack modeling

Combined network attack modeling is a fairly abstract idea. It analyzes the relationships between the vulnerabilities in a network from the attacker's point of view, depicts the attack paths an attacker could follow through the network, and thereby supports an effective assessment of the direct and indirect impact of attacks on the network. In other words, it identifies the possible attack paths; combined with IDS alerts, it can also be used to predict the attacker's target.

2. Basic model framework

2.1 Modeling the attacked network

Set of network hosts H

Each host in H is described by: a unique host identifier; the network application services running on the host, with the name of each service and its listening port; a list of other installed software; the operating system type and version; and the host's vulnerabilities, which include software vulnerabilities, misconfiguration vulnerabilities and management vulnerabilities.

Reachability (connection) relationship between hosts C

C(h1,h2,p) means host h1 can reach port p on host h2. Connectivity attributes can be added at the network layer, the transport layer and the application layer.

Trust relationship between hosts T

T(h1,h2) means h1 may access h2 without needing to authenticate.

2.2 Network defense modeling

IDS (intrusion detection) model

Describes which attacker actions the intrusion detection system is able to detect.

2.3 Threat modeling

Intruder capability I

The usernames and passwords the intruder knows, and the intruder's privilege level on each host.

Atomic attacks the intruder may carry out A

Memory overflow attacks, exploitation of software vulnerabilities, remote login.

2.4 Atomic attack pattern library

Premise set:
the set of conditions that must hold before a threat agent can exploit a vulnerability; only when the premise set is satisfied can the threat agent successfully exploit that vulnerability.
Result set:
the consequences of successfully exploiting the vulnerability, including elevated privileges, new connectivity relationships, and loss of data security or of security services.
For example, the premise set of one attack pattern might require:
operating system: Windows, version 7 or lower; architecture unrestricted; kernel unrestricted
application: HTTP, version 1.0 or lower
access requirements: remote access, root privileges
port 80 open; running program unrestricted
and its result set would be:
confidentiality: files on the host become readable
integrity: the intruder can modify files
availability: the intruder can paralyze the network
security: root privileges obtained

3. Combined network attack model generation algorithm

Forward search algorithm: searches for paths from the initial state forward to the target state.
The initial state consists of:

the intruder's network access;
the state of the network itself: host configuration information, network connection information, and trust relationships between hosts;
the state of defensive measures such as the IDS.

Target state:
the target state may be a set of states, because a network attack is a path, and when the attack has reached different steps the network state and the defense state may differ.
Search process:
using breadth-first or depth-first search, each attack pattern in the atomic attack pattern library is matched against the current state; if the attack succeeds, the resulting next state is matched against further attack patterns. The computation is heavy and the search space is relatively large.
Backward search algorithm: searches from the target state back toward the initial state; states that cannot lead to the target state are never generated.
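To make sections 2.1 through 3 concrete, here is an added example (my own code, not the paper's or the post's) of a forward breadth-first search over a small constructed network. The host set, reachability relation C, trust relation T, IDS detection set and the three atomic attack patterns are all hypothetical; the "http_overflow" pattern mirrors the premise/result example from section 2.4. A state is the intruder's privilege on each host, a pattern fires only when its premise set is satisfied and it raises privilege, and the search stops at the first state where the goal privilege is held on the goal host.

```python
from collections import deque

# Constructed sample network for illustration (hypothetical hosts, ports and
# vulnerability names; none of this is data from the paper or the post).
# Section 2.1 host model: OS (type, version), services {port: (app, version)},
# and the vulnerabilities present on the host.
HOSTS = {
    "attacker": {"os": ("linux", 5), "services": {}, "vulns": set()},
    "web": {"os": ("windows", 7), "services": {80: ("http", 1.0)}, "vulns": {"http-overflow"}},
    "db": {"os": ("linux", 4), "services": {22: ("ssh", 7.4)}, "vulns": {"sudo-misconfig"}},
}
REACH = {("attacker", "web", 80), ("web", "db", 22)}  # C(h1,h2,p): h1 reaches port p on h2
TRUST = {("web", "db")}                                # T(h1,h2): h1 needs no credentials on h2
IDS_DETECTS = {"http_overflow"}                        # section 2.2: actions the IDS can detect
RANK = {"none": 0, "user": 1, "root": 2}               # intruder privilege levels (section 2.3)

# Section 2.4 atomic attack pattern library. Each entry is a premise set
# (declarative fields, None = unrestricted) plus the result: the privilege
# the intruder gains on the target host.
PATTERNS = {
    "http_overflow": dict(local=False, os="windows", max_os=7, port=80, app="http",
                          max_app=1.0, vuln="http-overflow", src_priv="user",
                          trust=False, result="root"),
    "trusted_remote_login": dict(local=False, os=None, max_os=None, port=22, app="ssh",
                                 max_app=None, vuln=None, src_priv="user",
                                 trust=True, result="user"),
    "sudo_misconfig": dict(local=True, os=None, max_os=None, port=None, app=None,
                           max_app=None, vuln="sudo-misconfig", src_priv="user",
                           trust=False, result="root"),
}

def priv(state, host):
    """Intruder's privilege on host in a state (frozenset of (host, priv))."""
    return dict(state).get(host, "none")

def matches(pat, state, src, dst):
    """Premise-set check: can pattern pat be launched from src against dst?"""
    if pat["local"] != (src == dst):
        return False
    if RANK[priv(state, src)] < RANK[pat["src_priv"]]:
        return False
    h = HOSTS[dst]
    if pat["os"] and h["os"][0] != pat["os"]:
        return False
    if pat["max_os"] is not None and h["os"][1] > pat["max_os"]:
        return False
    if pat["vuln"] and pat["vuln"] not in h["vulns"]:
        return False
    if pat["port"] is not None:
        if (src, dst, pat["port"]) not in REACH:
            return False
        app, ver = h["services"].get(pat["port"], (None, None))
        if app != pat["app"] or (pat["max_app"] is not None and ver > pat["max_app"]):
            return False
    if pat["trust"] and (src, dst) not in TRUST:
        return False
    # monotonic model: an attack only counts if it raises privilege on dst
    return RANK[pat["result"]] > RANK[priv(state, dst)]

def apply_result(pat, state, dst):
    """Result set: replace the intruder's privilege on dst."""
    return frozenset((h, p) for h, p in state if h != dst) | {(dst, pat["result"])}

def forward_search(initial, goal_host, goal_priv="root"):
    """Section 3 forward search (breadth-first) from the initial state to the
    first state where the intruder holds goal_priv on goal_host. Returns the
    attack path as a list of (pattern, src, dst, ids_detected) steps and the
    number of states explored; the explored states and their transitions are
    the state-based attack graph of section 4.2.1."""
    start = frozenset(initial.items())
    parent = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if RANK[priv(state, goal_host)] >= RANK[goal_priv]:
            path = []
            while parent[state] is not None:
                state, step = parent[state]
                path.append(step)
            return path[::-1], len(parent)
        for name, pat in PATTERNS.items():
            for src in HOSTS:
                for dst in HOSTS:
                    if matches(pat, state, src, dst):
                        nxt = apply_result(pat, state, dst)
                        if nxt not in parent:
                            parent[nxt] = (state, (name, src, dst, name in IDS_DETECTS))
                            queue.append(nxt)
    return None, len(parent)

if __name__ == "__main__":
    path, explored = forward_search({"attacker": "root"}, "db")
    for name, src, dst, seen in path:
        print(f"{name}: {src} -> {dst}" + ("  [IDS alert]" if seen else ""))
    print(f"{explored} states explored")
```

On this network the search finds the three-step path attacker -> web (overflow), web -> db (trusted login), db -> db (local misconfiguration), and only the first step is visible to the IDS, which is exactly the kind of coverage gap the model is meant to expose. Because every state is a frozenset and revisited states are pruned, the search space stays bounded even though the paper notes it can grow large.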

4. Attack model data structures

4.1 Attack tree structure

The figure shows an attack tree; the scenario is an attack on a piece of software, and the tree is read from the bottom up. Nodes are combined with two kinds of structure, "or" and "and", and each measure is annotated with the cost in dollars ($) of carrying it out.
[Figure: example attack tree (image not included)]
Attack tree advantages: (1) expert brainstorming results can be collected and integrated into the tree. (2) It supports cost-benefit analysis and probabilistic analysis. (3) It can model very complex attack scenarios.
Attack tree disadvantages: (1) Because of the inherent limitations of a tree, it cannot model attacks that involve multiple attempts, or time-dependent access control scenarios. (2) It cannot model recurring events. (3) For realistic large-scale networks, the attack tree becomes very complicated to handle.
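As an added example of the cost-benefit and probabilistic analysis the text credits attack trees with (my own code, not from the paper or the post), the block below builds a small constructed tree with "or" and "and" nodes, computes the cheapest set of leaf measures that achieves the root goal, and estimates the probability of success under an independence assumption. All labels, costs and probabilities are hypothetical. The `mitigated` parameter is the defender's view: marking a leaf as blocked shows how the cheapest path shifts after a countermeasure.

```python
import math
from dataclasses import dataclass, field
from typing import List

@dataclass
class Node:
    """Attack tree node: an 'or' / 'and' inner node, or a leaf measure."""
    label: str
    kind: str = "leaf"
    cost: float = 0.0      # leaf: cost in $ of carrying out the measure
    prob: float = 1.0      # leaf: assumed probability the measure succeeds
    children: List["Node"] = field(default_factory=list)

def leaf(label, cost, prob):
    return Node(label, "leaf", cost, prob)

# Constructed example tree (hypothetical labels, costs and probabilities).
TREE = Node("Gain root on server", "or", children=[
    Node("Exploit a vulnerable service", "and", children=[
        leaf("Locate vulnerable service", 100, 0.9),
        leaf("Develop working exploit", 5000, 0.5),
    ]),
    Node("Obtain administrator credentials", "or", children=[
        leaf("Phish administrator", 500, 0.3),
        leaf("Bribe insider", 20000, 0.6),
    ]),
])

def min_cost(node, mitigated=frozenset()):
    """Cheapest way to achieve node: (total cost, leaf labels used).
    Leaves in `mitigated` are treated as infeasible (infinite cost), so a
    defender can see which path becomes cheapest after a countermeasure."""
    if node.kind == "leaf":
        if node.label in mitigated:
            return math.inf, []
        return node.cost, [node.label]
    sub = [min_cost(c, mitigated) for c in node.children]
    if node.kind == "and":                       # every child is required
        return sum(c for c, _ in sub), [l for _, ls in sub for l in ls]
    return min(sub, key=lambda t: t[0])          # "or": pick the cheapest child

def success_prob(node):
    """Probability the goal is reached, assuming leaves are independent:
    AND = product of children, OR = 1 - product of (1 - child)."""
    if node.kind == "leaf":
        return node.prob
    ps = [success_prob(c) for c in node.children]
    if node.kind == "and":
        return math.prod(ps)
    return 1 - math.prod(1 - p for p in ps)

if __name__ == "__main__":
    print("cheapest:", min_cost(TREE))
    print("after blocking phishing:", min_cost(TREE, {"Phish administrator"}))
    print("success probability: %.3f" % success_prob(TREE))
```

The independence assumption in `success_prob` is a modeling simplification; the inability of a tree to express repeated attempts or time-ordered steps, which the text lists as a disadvantage, is visible here in that a leaf can only be "done" or "not done".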

4.2 Attack graph structure

4.2.1 State-based attack graph
Each node represents a state of the system, and each edge represents the attack that moves the system from one state to the next.
4.2.2 Exploit-based attack graph
The graph evolves from the initial state; nodes represent exploits (penetration means) and edges represent state changes.
The paper finds that the exploit-based attack graph has lower space complexity.


Source: blog.csdn.net/weixin_38551640/article/details/104253426