
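Research on Optimal Security Policy Algorithms for Insider Threats
Cite this article: Chen Xiaojun, Shi Jinqiao, Xu Fei, Pu Yiguo, Guo Li. Research on Optimal Security Policy Algorithms for Insider Threats [J]. Journal of Computer Research and Development, 2014, 51(7): 1565-1577.
Authors: Chen Xiaojun  Shi Jinqiao  Xu Fei  Pu Yiguo  Guo Li
Affiliations: 1. Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190; Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093; School of Information Science and Engineering, University of Chinese Academy of Sciences, Beijing 100049
2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
Funding: National High Technology Research and Development Program of China (863 Program); Strategic Priority Research Program of the Chinese Academy of Sciences
Abstract: Insider attacks are highly disguised, which makes detection results uncertain. Attack graph models are often used to describe the causal relationships among the multiple steps of an attack, but when computing the optimal security strategy they rarely take into account the uncertainty of the currently observed events, nor do they characterize, in probabilistic terms, the effect that deploying security hardening measures has on the probability of attack success. Building on earlier work on probabilistic attack graph models, this paper proposes for the first time a measures probability attack graph (MPAG) for insider threats. The model gives a fairly complete treatment of three kinds of uncertainty in insider attacks and introduces security hardening measure nodes together with their effect on the probability of attack success. On the basis of this model, computing the optimal security hardening strategy is proved to be an NP-hard problem, and a greedy algorithm is proposed to solve it; the algorithm dynamically computes an approximately optimal set of security hardening measures in polynomial time. Finally, an instance of a probabilistic attack graph for a real insider-threat network environment is given, showing that the model and the corresponding greedy algorithm can compute, from the current observed events and their confidence probabilities, an approximately optimal set of security hardening measures that satisfies a given cost constraint.

Keywords: probability attack graph  optimal security hardening measures  insider attack  risk assessment  greedy algorithm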

Algorithm of Optimal Security Hardening Measures Against Insider Threat
Chen Xiaojun, Shi Jinqiao, Xu Fei, Pu Yiguo, Guo Li. Algorithm of Optimal Security Hardening Measures Against Insider Threat [J]. Journal of Computer Research and Development, 2014, 51(7): 1565-1577.
Authors:Chen Xiaojun  Shi Jinqiao  Xu Fei  Pu Yiguo  Guo Li
Abstract: Attacks from insiders usually disguise themselves as normal behavior, which makes the results of anomaly detection models uncertain. The attack graph model is frequently used to describe the causal relationships among the steps of a multi-step attack, yet the uncertainty of the events represented by the current observations is rarely considered when calculating the optimal security hardening measures, nor is the effect of implementing security measures on the probability of attack success described in probabilistic terms. In this paper, we discuss completely three kinds of uncertainty in the attack graph, add security hardening nodes to the probability attack graph model based on previous studies, and clarify how security hardening measures influence the transition probability. For the first time, we put forward the measures probability attack graph (MPAG) and apply it to the calculation of the optimal security hardening measures for insider threat risk analysis and mitigation. Based on this model, we prove that calculating the optimal security hardening measures is an NP-hard problem; furthermore, we propose a greedy algorithm to dynamically calculate the approximate optimal set of security hardening measures. Finally, the paper demonstrates in a real network environment that the algorithm can calculate the approximate optimal set of security hardening measures under certain cost constraints, given the current sequence of observables and the corresponding confidence probability.
Keywords:probability attack graph  optimal security hardening measures  insider attack  risk analysis  greedy algorithm
This article is indexed in CNKI and other databases.