Authors: SUN Cheng; HU Hao [1]; YANG Yingjie [1]; ZHANG Hongqi [1] (Information Engineering University, Zhengzhou 450001, China)
Affiliation: [1] Information Engineering University, Zhengzhou 450001, Henan, China
Source: Chinese Journal of Network and Information Security, 2022, No. 1, pp. 151-166 (16 pages)
Funding: National Natural Science Foundation of China (61902427).
Abstract: To address the difficulty of detecting attacks that arises from the unknown nature of 0day vulnerabilities, a 0day attack path prediction method based on a knowledge graph is proposed. Concepts and entities related to "attack" are extracted from existing research on ontologies in the network security domain and from network security databases to construct a cyber defense knowledge graph, which refines discrete security data such as threats, vulnerabilities and assets into interrelated security knowledge. On this basis, relying on the knowledge integrated by the knowledge graph, the unknown attributes of 0day vulnerabilities, namely their existence, exploitability and harmfulness, are assumed and constrained, and the concept of "attack" is modeled as a relation between attacker entities and device entities in the knowledge graph, so that the attack prediction problem is transformed into a link prediction problem on the knowledge graph. A knowledge graph reasoning method based on the path ranking algorithm is then used to mine the 0day attacks that may occur in the target system and to generate a 0day attack graph. The prediction scores output by the classifier are reused as the occurrence probabilities of single-step attacks, and 0day attack paths are predicted and analyzed by computing and comparing the occurrence probabilities of different attack paths. Experiments show that, relying on the knowledge system provided by the knowledge graph, the proposed method offers more comprehensive knowledge support for attack prediction, reduces the dependence of prediction analysis on expert models, largely overcomes the adverse effect that the unknown nature of 0day vulnerabilities has on prediction analysis, and improves the accuracy of 0day attack prediction. Moreover, because the path ranking algorithm reasons over the explicit feature of graph structure, the reasons behind the inference results can be traced back effectively, which improves the explainability of the attack prediction results to a certain extent.
Classification code: TP393.08 [Automation and Computer Technology — Computer Application Technology]