基于贪心策略的多目标攻击图生成方法

为解决网络脆弱性分析中攻击图生成方法存在的状态组合爆炸问题,使生成的攻击图能用于网络中多个目标主机的脆弱性分析,本文提出了一种基于贪心策略的多目标攻击图生成方法。该方法引入节点关联关系,采用贪心策略精简漏洞集,从所有攻击路径中选取使攻击者以最大概率获取网络节点权限的攻击路径,生成由这些攻击路径所构成的攻击图。算法分析和实验结果表明,该方法的时间和空间复杂度都是网络节点数和节点关联关系数的多项式级别,较好地解决了状态组合爆炸的问题,生成的攻击图覆盖了攻击可达的所有节点,能够用于网络中多个目标主机的脆弱性分析。

A Method of Generating the Multi-Targets Attack Graphs Based on Greedy Policies

In order to avoid the combination of states occurred in the generation of attack graphs while analyzing network vulnerabilities and to make the attack graphs available for analyzing the multi targets’ vulnerabilities, a new method of generating attack graphs based on greedy policies is proposed. The method introduces the  network node correlations, uses greedy policies to reduce the amount of vulnerabilities, chooses the attack routes that allow attackers to gain network node priority with the greatest potential and generate the attack graphs with those attack routes. The algorithm analysis and the experimental results show that the cost of time and space of the method is the polynomial level of the network node number and the network node correlation number, which means it has solved the problem of the great combination of states effectively. The attack graph it generates covers all network nodes that attackers can access, so the method can be used to analyze the multi targets’ vulnerabilities.