CN116684135B - Weapon equipment network attack surface evaluation method based on improved SGA - Google Patents

Abstract

The invention discloses a weapon equipment network attack surface assessment method based on an improved SGA, which improves the traditional Bayesian network resource map method, and establishes a Bayesian network model based on an attack efficiency-cost ratio function, so that assessment data is closer to a practical scene and is more reasonable. And mapping the evaluation data into a population chromosome structural space, constructing an fitness function by adopting a minimum variance method, selecting operators by adopting a roulette selection method, performing cross operation on the selected chromosomes by adopting a single-point consistent cross method based on the probability of time attenuation, and performing mutation by adopting a reverse operation method and combining a pseudo-random number method, so that the evaluation data is further optimized by adopting iterative evolution, and is more similar to an actual network attack surface metric value. In the process, a multi-convergence condition judgment mechanism based on similarity is introduced to solve the problem of local optimization.

Description

Weapon equipment network attack surface evaluation method based on improved SGA

Technical Field

The invention relates to the field of weapon equipment network attack surface evaluation, in particular to a weapon equipment network attack surface evaluation method based on an improved SGA.

Background

At present, local warfare under new situation takes the countermeasure of high and new technical equipment which is informationized and organized as main characteristics as a main mode, and network cooperative interaction among weaponry is an important premise and guarantee for playing the system efficiency of the weaponry. With the rapid development of network technology and information technology, the network security risks faced by weaponry are also increased, and the types of threats faced by the weaponry are also increasingly complex. The degree of dependence of weapon equipment on computer and network technology is higher and higher, and equipment network security also gradually becomes the key factor that influences equipment war technical index, combat task completion ability. In order to cope with the increasingly severe network security situation of the weaponry, 2021, xie Weipeng and the like initially put forward a brand-new network security test identification thought of the weaponry, but related works are just started, and a great deal of research work still needs to be carried out on a specific technical method. The evaluation method of the equipment network security attack surface is an important support for discovering network security problems of the weapon equipment and carrying out network security identification test on the weapon equipment through a scientific method.

The evaluation method of the network attack surface aiming at the current literature is mainly a Bayesian network resource diagram method, and no evaluation research of the equipment network attack surface based on a genetic algorithm (Simple Genetic Algorithm, SGA) has been developed.

The Bayesian network resource graph method comprises the steps of establishing a Bayesian network graph through the relation among resources in a network, endowing an initial probability by adopting a certain general standard, and calculating the conditional probability distribution of each node under attack according to the vulnerability precondition or post-conditional relation between each node and a father node set in the network graph, so as to obtain the size or score of the whole attack surface, thereby representing the threat severity degree faced by the network. The Bayesian network resource graph formalizes and patterns all network resources, characterizes causal relations among the resources, and can predict and evaluate potential attack paths in the network. Therefore, most students currently adopt a Bayesian network-based method to conduct research on the vulnerability severity degree of resource nodes, the probability of attack probability of the nodes and the probability of attack path occurrence in the network. However, the bayesian network decision is based on a certain hypothesis to calculate the network attack probability, that is, a certain universality metric standard or the initial probability of a hypothesis model must be adopted, only a local optimal result can be obtained, the universality metric standard is difficult to show higher matching degree when the actual personalized problem is solved, the deviation of the evaluation result influenced by artificial subjective factors is larger, and the accuracy of practical application is not high.

Because the network security test identification and research work of the weaponry is just started, the related technical method provides less, so that the network attack surface evaluation method of the weaponry based on the improved SGA breaks through the traditional interpretable network security evaluation mode, solves the problem of low practical application precision of the traditional method, and has very important significance for the subsequent practical application in the network security test identification of the weaponry.

Disclosure of Invention

In view of the above, in order to solve the problems that the network attack surface evaluation is highly dependent on the initial probability, the accuracy is not high and the like when the traditional Bayesian network graph method is adopted for large-scale networking of equipment, so that the practical application problem of the network attack surface evaluation of the weaponry cannot be solved, the invention provides an improved SGA (generalized algorithm architecture) -based weaponry network attack surface evaluation method.

In order to achieve the above purpose, the present invention adopts the following technical scheme:

the invention provides a weapon equipment network attack surface evaluation method based on an improved SGA, which comprises the following steps:

s1, according to target equipment E and related network resource Res, network attack is performedFace definition triples (M ^Res ,C ^Res ,I ^Res ) The method comprises the steps of carrying out a first treatment on the surface of the Establishing a Bayesian network resource diagram, and calculating the node vulnerability severity degree under the prior condition; establishing a Bayesian network model based on the attack efficiency-cost ratio function, and obtaining a network attack surface metric value;

s2, networking the target equipment E for a plurality of times to obtain an initial network attack surface metric value of the Bayesian network model, performing iterative evolution by adopting an improved SGA, and initializing a population;

s3, selecting a coding strategy, and converting the population individual set into a chromosome structure space to form an initial population;

s4, constructing fitness functions by combining a Bayesian network model by adopting a minimum variance method, and calculating group fitness values;

s5, selecting operators by adopting a roulette selection method according to a genetic strategy, and selecting chromosomes in a population;

s6, directly forming a next generation population for the selected chromosome crossover operator when no variation occurs;

s7, when mutation occurs after crossing operators, further selecting mutation operators to act on the population, and forming a mutated population as the next generation population;

s8, adopting a multi-convergence condition judgment mechanism based on similarity, taking the next generation population in the step S6 or the step S7 as a current population, judging the similarity of the current population, realizing continuous iterative evolution, continuously optimizing the population until iteration is terminated, and meeting convergence conditions;

and S9, after the population evolution is completed, the obtained data set is a target equipment E network attack surface measurement value set based on the improved SGA, the adaptive value of the population individuals after decoding is calculated, the chromosome is evolved until the individual with the highest adaptive value is selected, and the solved maximum value is the closest actual network attack surface measurement value.

In one embodiment, in the step S1, a bayesian network resource map is established, and the node vulnerability severity under the prior condition is calculated; comprising the following steps:

s11, establishing a Bayesian network resource diagram, wherein each node in the network represents a port M, a protocol C and untrusted data I contained in equipment in the network, and a numerical value below each node represents the initial vulnerability severity degree of the node, namely the conditional probability distribution of each node in the network;

setting P as a parameter representing probability distribution relation among nodes in the Bayesian network, namely the initial probability of being attacked; any node X in a Bayesian network _i ，i∈(M ^Res ,C ^Res ,I ^Res ) At its parent node pa (X _i ) Under the given condition of the value, determining the dependency degree of each child node on the father node, namely the vulnerability severity degree of the child node relative to the father node;

and S12, using a Bayesian network model to carry out reasoning, and calculating the node vulnerability severity degree under the prior condition.

In one embodiment, in the step S1, a bayesian network model is established based on an attack efficiency-cost ratio function, and a network attack surface metric value is obtained; comprising the following steps:

s13, establishing a Bayesian network model based on an attack efficiency-cost ratio function, setting the vulnerability severity degree of a port m as p' (m), and setting the network attack efficiency-cost ratio as der _m (m)，m∈M ^Res The method comprises the steps of carrying out a first treatment on the surface of the The vulnerability severity of protocol c is p' (c), and the network attack efficiency-cost ratio is der _c (c)，c∈C ^Res The method comprises the steps of carrying out a first treatment on the surface of the The vulnerability severity of the untrusted data d is p' (d), and the network attack efficiency-cost ratio is der _d (d)，d∈I ^Res The method comprises the steps of carrying out a first treatment on the surface of the The network attack surface metric value of the target equipment E is a triplet:

wherein,

dl _i ac as index of damage degree of network attack to resource _i An attack cost size indicator paid for an attacker to attack a resource,the higher the obtained measurement value is for the number of the resource types i, the larger the network attack surface is;

obtaining a network attack surface measurement value: p' (i) Σder _i (i)，i∈(M ^Res ,C ^Res ,I ^Res )。

In one embodiment, the step S2 specifically includes:

mapping a Bayesian network attack surface measurement value triplet set obtained by multiple networking calculation of the target equipment into each individual in a population S, wherein each individual in the population corresponds to a group of network attack surface measurement values, and setting the population scale as N, wherein N is more than or equal to 1, namely performing N networking and penetration tests; the number of network resource nodes of each networking is as follows:

wherein i is E M ^Res ，j∈C ^Res ，k∈I ^Res 。

In one embodiment, the step S4 specifically includes:

s41, according to the fact that the values of attack accessibility of each network node in different network attack modes are fixed, average attack accessibility of each node in all different network attack modes is obtained, and the sum of average attack accessibility of each node of each type of resources of a port M, a protocol C and untrusted data I is obtained respectively;

s42, setting the attack accessibility of each node as omega, and setting the average attack accessibility of each node under all network attack modes as omegaConstructing fitness function by combining minimum variance method with Bayesian network method as

u is E [1, N ], N represents population scale, u represents population individuals in the population scale; and calculating the fitness of each individual in each generation of population, and carrying out genetic operation on the chromosome until the individual with the highest fitness is selected, and solving the largest value, namely the closest value of the actual network attack surface metric.

In one embodiment, the step S5 specifically includes:

selecting operators according to genetic strategy by adopting a roulette selection method, wherein for a population S with a scale of N, each chromosome x _i The probability of selection P (x) _i ) The determined chance of being selected by attack is divided into N times, N chromosomes are randomly selected from S, and are duplicated, and probability P (x _i ) The calculation formula of (2) is as follows:

f(x _i ) Represents the probability of selection, f (x _j ) Representing the accumulation probability;

in wheel selection, the larger the fitness value of an individual is, the larger the corresponding sector area is, namely the larger the selected probability is.

In one embodiment, the step S6 specifically includes:

cross probability P based on the characteristics of biological population evolution _c Gradually decreasing with time according to a certain rule; introducing a time attenuation function P (t) during the crossover operation, so that the crossover operation is more reasonable;

let t be the time difference between the current population evolution time and the initial population generation time, attenuation factorT represents a half-life factor; crossover probability P _c The decay function of (2) is: p (P) _c ′(t)＝P _c ·e ^-λ·t ；

According to the crossover probability P of the current time t _c ' (t), selecting a crossing position, i.e. crossing point, by a single point uniform crossing method, and crossing two individualsThe part after the point is exchanged.

In one embodiment, the step S7 specifically includes:

the basis of the variation is according to the variation probability P _m Replacing some of the gene values in the individual code string with other gene values, thereby forming a new individual; cross probability P based on the characteristics of biological population evolution _m Attenuation should be performed with time according to a certain rule;

establishing a mutation probability P _m The decay function of (2) is: p (P) _m ′(t)＝P _m ·e ^-λ·t

Probability of variation P in dependence on the current time t _m ' (t) altering a gene at one or more positions on a chromosome using a reverse manipulation; the two numbers i 'and j' are randomly selected using a pseudo-random number method, exchanging genes between the i 'and j' positions of the chromosome.

In one embodiment, the step S8 specifically includes:

the traditional genetic algorithm is improved, population individuals are judged in sequence according to known boundary conditions, fitness values are calculated, whether the new population performance meets a first threshold value of a convergence condition is judged, whether a second threshold value of the convergence condition is met is further judged, iteration is continued until the second threshold value of the convergence condition is met, and iteration is terminated;

(1) The first reconvergence condition is set as the judgment of the similarity of the generation; the similarity is calculated by the similarity of the chromosome codes of individuals in the population, and the generation similarity judgment is completed by pairwise comparison of the chromosome parity codes of the individuals in the current population; when the same bit number codes are different, the similarity is false; the similarity is true when the same bit number codes are identical; the set with true similarity is the overall similarity, when the overall similarity is larger than a first threshold value, iterative evolution is returned, and otherwise, the next re-judgment is carried out;

(2) The second-degree similarity judgment is set as parent similarity judgment; judging the similarity of the individuals of the new population relative to the parent population, namely comparing each individual of the new population with the chromosome binary codes of the individuals corresponding to the parent population one by one; if the codes of the same bit number are the same, the similarity is true; the same number of bits is encoded differently, then the similarity is false; and if the similarity is true, returning to iterative evolution when the overall similarity is larger than a second threshold value, otherwise decoding, and outputting a result to be the population after the iterative evolution in the population is terminated, wherein the individual with the largest fitness value is the optimal individual.

Compared with the prior art, the invention discloses a weapon equipment network attack surface evaluation method based on an improved SGA, improves the traditional Bayesian network resource map method, establishes a Bayesian network model based on an attack efficiency-cost ratio function, and enables evaluation data to be closer to a practical scene and more reasonable. And mapping the evaluation data into a population chromosome structural space, constructing an fitness function by adopting a minimum variance method, selecting operators by adopting a roulette selection method, performing cross operation on the selected chromosomes by adopting a single-point consistent cross method based on the probability of time attenuation, performing mutation after crossing the operators, and performing mutation processing by adopting a reverse operation method and a pseudo-random number method, thereby realizing further optimization of the evaluation data by iterative evolution, and enabling the evaluation data to be more similar to an actual network attack surface metric value. In the process, a multi-convergence condition judgment mechanism based on similarity is introduced to solve the problem of local optimization.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.

FIG. 1 is a flow chart of the network security attack surface evaluation of the weapon equipment based on the improved SGA of the present invention;

FIG. 2 is a Bayesian network resource diagram of simple networking of the weaponry of the present invention;

FIG. 3 is a Bayesian network resource diagram of the complex networking of the weapon equipment of the present invention;

FIG. 4 is a population evolution roulette operator selection based on an improved SGA of the present invention;

FIG. 5 is a population evolution crossover operator based on an improved SGA of the present invention;

FIG. 6 is a population mutation operator based on an improved SGA of the present invention.

Detailed Description

The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

The embodiment of the invention discloses a weapon equipment network attack surface evaluation method based on an improved SGA, which comprises the following steps:

1) For a given equipment E and its associated network resources Res, the network attack plane of the equipment E may be defined as a triplet (M ^Res ,C ^Res ,I ^Res )。

2) And establishing a Bayesian network resource diagram, wherein each node in the network represents resources such as a port (M), a protocol (C), untrusted data (I) and the like contained in equipment in the network, and a numerical value below each node represents the initial vulnerability severity of the node, namely the conditional probability distribution of each node in the network. The root nodes of the Bayesian network are independent in condition, the conditional probability of any other node depends on the conditional probability of the father node, and P is set as a parameter representing the probability distribution relation among the nodes in the Bayesian network, namely the initial probability of being attacked. Any node X in a Bayesian network _i ，i∈(M ^Res ,C ^Res ,I ^Res ) At its parent node pa (X _i ) Given a value, the dependency degree of each child node on the father node, that is, the vulnerability severity degree of the child node relative to the father node, may be determined, and the joint probability density distribution P (X) between the bayesian network nodes is:

3) After determining the severity of the initial vulnerability of the node and the structure of the Bayesian network, the Bayesian network model is used for reasoning, and finally the severity of the vulnerability of the node P' (x) under the prior condition is calculated.

4) Establishing a Bayesian network model based on an attack efficiency-cost ratio function, setting the vulnerability severity degree of a port m as p' (m), and setting the network attack efficiency-cost ratio as der _m (m)，m∈M ^Res The method comprises the steps of carrying out a first treatment on the surface of the The vulnerability severity of protocol c is p' (c), and the network attack efficiency-cost ratio is der _c (c)，c∈C ^Res The method comprises the steps of carrying out a first treatment on the surface of the The vulnerability severity of the untrusted data d is p' (d), and the network attack efficiency-cost ratio is der _d (d)，d∈I ^Res The network attack surface metric value of equipment E is a triplet

Wherein,

dl _i ac as index of damage degree of network attack to resource _i An attack cost size indicator paid for an attacker to attack a resource,for the number of resource types i, i ε (M ^Res ,C ^Res ,I ^Res ) The higher the derived metric, the larger the network attack surface.

5) Based on the initial network attack surface metric value of the Bayesian network, adopting an improved SGA to carry out iterative evolution, and initializing a population. And preprocessing the Bayesian network attack surface measurement value of the equipment for multiple networking to ensure that the Bayesian network attack surface measurement value is suitable for the evolution of a genetic algorithm. Firstly, mapping a Bayesian network attack surface measurement value triplet set obtained by repeated networking calculation of equipment E into each individual in a population S, wherein each individual in the population corresponds to a group of network attack surface measurement values, setting the population scale as N (N is more than or equal to 1), and performing N networking and penetration tests. The number of network resource nodes of each networking is

Wherein i is E M ^Res ，j∈C ^Res ，k∈I ^Res 。

6) Selecting a coding strategy, and converting a population individual set into a chromosome structure space to form an initial population; chromosome is encoded by 9-bit binary number, weapon equipment network attack surface triplets are respectively represented by 3-bit binary code, if the network attack surface measurement value triplets of equipment E ith networking are (4,7,6), then s _i = 100111110. Therefore, the traditional network attack surface probability calculation problem is converted into the genetic algorithm iterative evolution problem, and the obtained population chromosomes are used as data preparation for improving the SGA.

7) And constructing a fitness function, and calculating a population fitness value.

In the measurement of the equipment network attack surface, the individual closest to the actual attack surface measurement value of the population individual is optimal, and the measurement corresponds to two points with the nearest Euclidean distance in the set. While the actual attack surface metrics are unknown, for a given equipment E, its attack surface metrics, i.e. vulnerability severity, are highly correlated with the average attack reachability, which is generally considered an important reference basis before obtaining the attack surface metrics in the equipment qualification test. Because the values of the attack accessibility rates of different network attack modes are fixed for each network node, the average attack accessibility rates of all nodes in different network attack modes can be obtained, and the sum of the average attack accessibility rates of all nodes of each type of resources of the port (M), the protocol (C) and the untrusted data (I) can be obtained respectively. Therefore, the attack accessibility of each node is omega, and the average attack accessibility of each node under all network attack modes is omegaCombining Bayesian network parties by adopting a minimum variance methodConstructing fitness function by method as

u is E [1, N ], N represents population scale, u represents population individuals in the population scale; and calculating the fitness of each individual in each generation of population, and carrying out genetic operation on the chromosome until the individual with the highest fitness is selected, and solving the largest value, namely the closest value of the actual network attack surface metric.

8) Selecting operators according to genetic strategy by adopting a roulette selection method, wherein for a population S with a scale of N, each chromosome x _i The probability of selection P (x) _i ) The determined chance of being selected by attack is divided into N times, N chromosomes are randomly selected from S, and are duplicated, and probability P (x _i ) The calculation formula of (2) is as follows:

f(x _i ) Represents the probability of selection, f (x _j ) Representing the accumulation probability;

then, in the wheel selection, the larger the fitness value of the individual, the larger the corresponding sector area, i.e., the greater the probability of being selected, similar to the wheel used in the wheel shooting game.

9) For the selected chromosome crossover operator, when no variation occurs, the next generation population is directly formed. The single point coincidence crossing method is adopted, the position of one crossing, namely the crossing point is selected, and the parts behind the two individual crossing points are exchanged. Cross probability P based on the characteristics of biological population evolution _c Should gradually decrease with time according to a certain rule. Therefore, a time attenuation function P (t) is introduced during the re-interleaving operation, so that the interleaving operation is more reasonable. Let t be the time difference between the current population evolution time and the initial population generation time, decayFactors ofT represents a half-life factor; namely P _c The time required from start to decay to half.

Thus, the crossover probability P _c The decay function of (2) is:

P _c ′(t)＝P _c ·e ^-λ·t

according to the crossover probability P of the current time t _c ' t. A single point coincidence crossing method is used to select the position of a crossing, i.e. the crossing point, and then the parts following the two individual crossing points are swapped.

10 When mutation occurs after crossing operators, further selecting mutation operators to act on the population, and forming a mutated population as the next generation population. The basis of the variation is according to the variation probability P _m Certain gene values in the individual code string are replaced with other gene values, thereby forming a new individual. Also, according to the characteristics of the evolution of the biological population, the crossover probability P _m The decay should be performed with time according to a certain law. Thus, a variation probability P is established _m The decay function of (2) is:

P _m ′(t)＝P _m ·e ^-λ·t

probability of variation P in dependence on the current time t _m ' (t) altering a gene at one or more positions on a chromosome using a reverse manipulation. The two numbers i 'and j' are randomly selected using a pseudo-random number method, exchanging genes between the i 'and j' positions of the chromosome.

11 In order to output globally optimal individuals through fewer population numbers, the traditional genetic algorithm needs to be improved, namely population individuals are judged in sequence according to known boundary conditions, fitness values are calculated, whether new population performance meets a first threshold of a convergence condition or not is judged, whether a second threshold of the convergence condition is met or not is further judged if the new population performance meets the first threshold of the convergence condition, and iteration is continued until the second threshold of the convergence condition is met, if the new population performance does not meet the second threshold of the convergence condition, iteration is terminated.

(1) The first reconvergence condition is set as the present generation similarity determination. The similarity is calculated by the similarity of the chromosome codes of individuals in the population, and the generation similarity judgment is completed by pairwise comparison of the chromosome parity codes of the individuals in the current population. When the same bit number codes are different, the similarity is false, namely 0; when the same bit number codes are identical, the similarity is true, namely 1. And returning to iterative evolution when the overall similarity is larger than a threshold value, otherwise, entering the next re-judgment.

For the current population s=s ₁ ，s ₂ ，…，s _i ，…，s _n Let one of 9-bit chromosome codes of population individuals be x _ir 、x _jr I and j are random numbers of individuals in the population, r is the number of encoding bits of the chromosome of the individuals, n is the population scale, eta is a threshold value, and then the current population generation similarity objective function can be expressed as

Wherein i, j is [1, N ], (N is N), and i is not equal to j, r is [1,9]

Then when F (x _ijr )>Returning to iterate evolution when eta is reached; when F (x) _ijr )<And eta, satisfying the first re-convergence condition and entering the second re-judgment.

(2) The second duplicate similarity determination is set as a parent similarity determination. The similarity of the individuals of the new population relative to the parent population is judged by comparing each individual of the new population with the chromosome binary codes of the individuals corresponding to the parent (previous generation) population one by one. If the codes of the same bit number are the same, the similarity is true, namely 1; the same number of bits is encoded differently, then the similarity is false, i.e., 0. And returning to iterative evolution when the overall similarity is larger than a threshold value, otherwise, entering the next re-judgment.

For the current population s=s1, S2, …, S _i …, sn, one of the 9-position chromosomal codes of the population is set to be x _irk I is the random number of population individuals, r is the chromosome number, k is the population evolution algebra, and n is the population scaleXi is a threshold value, and the similarity objective function of the new population individuals and the parent individuals can be expressed as

Wherein i ε [1, N ], (N ε N), m+.gtoreq.1, and i+.j, r ε [1,9]

Then when F (x _irk )>Returning to iterate and evolve again when xi; when F (x) _irk )<And xi, satisfying a second convergence condition, decoding, and outputting a result to be the population after the iteration evolution in the population is terminated, wherein the individual with the largest fitness value is the optimal individual.

The steps 8), 9), 10) and 11) respectively adopt a minimum variance method to combine with a Bayesian network model to construct an fitness function, and the combination of a genetic algorithm and the Bayesian network method increases the interpretability of the algorithm; selecting operators by adopting a roulette selection method; then, performing crossover operation on the selected chromosome by adopting an attenuation function and a single-point consistent crossover method, so that the crossover operation has higher rationality and applicability; and for the situation of mutation after crossing operators, the attenuation function is combined with the inversion operation method and the pseudo-random number method to carry out mutation, so that the genetic mutation is more reasonable and applicable.

12 After the population evolution is completed, calculating an adaptive value of the population individuals after decoding, and evolving chromosomes until the individuals with the highest adaptive values are selected, wherein the maximum value obtained by solving is the closest actual network attack surface metric value.

And judging the similarity of the current population by introducing a multiple convergence condition judging mechanism based on the similarity, realizing continuous iterative evolution, continuously optimizing the population until iteration is terminated, and meeting the convergence condition. The network attack surface metric value of the equipment E obtained after decoding is closer to the actual value, and the problem of local optimization of the evolution result is avoided.

The invention is further described below with reference to the accompanying drawings and specific examples.

The invention provides a weapon equipment network attack surface evaluation method based on improved SGA. In the method, in the evaluation of the network attack surface of the weapon equipment, on the basis of the traditional network attack surface probability calculation method, a genetic algorithm and a Bayesian network method are combined to construct a fitness function, so that the interpretability of the algorithm is improved, the genetic algorithm is adopted to perform an optimization process, and a multi-convergence condition judgment mechanism based on similarity is added, and a flow chart of the method is shown in figure 1.

In the implementation process, a weapon equipment is adopted to identify a certain ground assault equipment E of a test object for networking, and the networking is used as an experimental environment. According to the traditional Bayesian network graph method, calculating a network attack surface metric value, synchronously performing penetration test attack through multiple networking, generating an actual attack surface metric value through a situation awareness platform, and acquiring a large amount of data of multiple experiments. Based on the background and the condition, an improved SGA algorithm is adopted to optimize the network attack surface measurement value, and a simulation system is used for simulation analysis. The specific implementation steps are as follows:

(1) The equipment E establishes a Bayesian resource diagram through multiple networking respectively according to the method of the traditional Bayesian network diagram in the steps 1) -2), and the Bayesian resource diagram is shown in fig. 2 and 3; and (3) establishing a model according to the steps 3) to 4), and generating a plurality of groups of initial measurement values of the equipment E network attack surface to serve as data preparation for improving SGA.

(2) And (3) synchronously performing penetration test attack when the equipment E is networked for many times, performing penetration test attack through the whole network killing chain process of target investigation, network attack weapon construction, load delivery, vulnerability utilization, installation implantation, command control, target achievement and the like, wherein each time, different attack modes are adopted for the network nodes, and the penetration test method is shown in table 1.

Table 1 weapon equipment penetration test attack method table

(3) And collecting and calculating an attack surface measurement value when networking penetration test attacks are performed each time by using a situation awareness platform deployed in the network, and taking the attack surface measurement value as verification data for improving the SGA.

(4) Preprocessing the Bayesian network attack surface measurement values of the equipment for multiple networking according to the method in the step 5), so that the Bayesian network attack surface measurement values are suitable for the evolution of a genetic algorithm, namely mapping a plurality of groups of attack surface measurement value sets of the equipment E into each individual of the population S. The operating parameters may be set at this point:

n: the population size is 10, namely, the initial population size is 10 after 10 networking;

t: the final evolution algebra of the genetic operation is 500;

P _c : the crossover probability is 0.3;

P _m : the probability of variation was 0.01.

The ratio of the number of chromosomes to the total number of chromosomes participating in the crossover operation is denoted as P _c . Since crossover of chromosomes occurs with a certain probability during biological reproduction, there is a certain proportion of chromosomes participating in crossover operations.

The mutation rate is the ratio of the number of mutated gene bits to the number of gene bits of the whole chromosome, and is designated as P _m . Because the mutation also occurs with a certain probability in the process of the reproduction and evolution of the organism, the probability of occurrence is generally very small.

(5) According to the method of the step 5) to the step 10), the population individual set is converted into a chromosome structure space by adopting a coding strategy. Then, the fitness function is built by combining a minimum variance method with a Bayesian network model, and operators are selected by adopting a roulette selection method, as shown in fig. 4. Then based on the crossover probability P for the selected chromosome _c Performing cross operation by adopting a single-point consistent cross method; when mutation occurs after crossing operators, see fig. 5. Based on the variation probability P _m The variation was performed by a reverse operation method in combination with a pseudo-random number method, as shown in fig. 6. And (3) carrying out numerical calculation by using a simulation system to realize rapid iterative evolution.

(6) According to the method in the step 11), a multi-convergence condition judgment mechanism based on similarity is adopted to judge the similarity of the current population, so that continuous iterative evolution is realized, the population is continuously optimized until iteration is terminated, and the convergence condition is met.

(7) After the population evolution is completed, the obtained data set is the weapon equipment network attack surface measurement value set based on the improved SGA, the adaptive value of the population individual after decoding is calculated, and the individual with the highest adaptive value is selected from the adaptive value to be the optimized network attack surface measurement value.

(8) And comparing and analyzing a plurality of groups of initial metric values of the traditional Bayesian network of the equipment E, a plurality of groups of metric values optimized by adopting the improved SGA and the corresponding situation awareness platform attack surface metric values of the penetration test to obtain a test conclusion, namely, the weapon equipment network attack surface metric values based on the improved SGA are closer to the actual metric values of the penetration test.

The invention provides a weapon equipment network attack surface evaluation method based on an improved SGA (serving gateway architecture), which aims at the original Bayesian network resource diagram method and provides the weapon equipment network attack surface evaluation method based on the improved SGA.

The traditional equipment network security assessment method depends on the assumption of initial probability, is greatly influenced by human subjective factors, can only obtain a local optimal result, and has insufficient accuracy and practicality, so that the potential network security risk problem of the weapon equipment cannot be effectively solved. Therefore, a weapon equipment network attack surface assessment method based on improved SGA is provided. And adopting the improved SGA to iteratively evolve the initial network attack surface metric value of the Bayesian network. The minimum variance method is adopted in the SGA to combine with the Bayesian network model to construct the fitness function, and the combination of the genetic algorithm and the Bayesian network method increases the interpretation of the algorithm. The crossover operator adopts an attenuation function and a single-point consistent crossover method, and the mutation operator adopts an attenuation function and a reverse operation method and a pseudo-random number method, so that crossover and mutation operations are more reasonable and applicable. In the evolution process, iterative evolution is carried out based on initial network attack surface measurement values of the Bayesian network by introducing a multi-convergence condition judgment mechanism based on similarity, so that the problem of local optimization of an evolution result is avoided. And comparing the evaluation result of the network security attack surface of the improved SGA applied to the certain ground assault equipment E with the evaluation result of the traditional Bayesian network. Simulation experiments show that the network security attack surface evaluation result based on the improved SGA is closer to the penetration test result, so that the problem of low accuracy of the traditional network security attack surface evaluation method is effectively solved, the calculation accuracy is improved, and verification and analysis of the effectiveness and the practicability of the network attack surface evaluation method of the improved SGA weapon equipment are realized.

In the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, and identical and similar parts between the embodiments are all enough to refer to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.

The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (8)

1. The weapon equipment network attack surface evaluation method based on the improved SGA is characterized by comprising the following steps of:

s1, defining a triplet (M ^Res ,C ^Res ,I ^Res ) The method comprises the steps of carrying out a first treatment on the surface of the Establishing a Bayesian network resource diagram, and calculating the node vulnerability severity degree under the prior condition; establishing a Bayesian network model based on the attack efficiency-cost ratio function, and obtaining a network attack surface metric value;

s2, networking the target equipment E for a plurality of times to obtain an initial network attack surface metric value of the Bayesian network model, performing iterative evolution by adopting an improved SGA, and initializing a population;

s3, selecting a coding strategy, and converting the population individual set into a chromosome structure space to form an initial population;

s4, constructing fitness functions by combining a Bayesian network model by adopting a minimum variance method, and calculating group fitness values;

s5, selecting operators by adopting a roulette selection method according to a genetic strategy, and selecting chromosomes in a population;

s6, directly forming a next generation population for the selected chromosome crossover operator when no variation occurs;

s7, when mutation occurs after crossing operators, further selecting mutation operators to act on the population, and forming a mutated population as the next generation population;

s8, adopting a multi-convergence condition judgment mechanism based on similarity, taking the next generation population in the step S6 or the step S7 as a current population, judging the similarity of the current population, realizing continuous iterative evolution, continuously optimizing the population until iteration is terminated, and meeting convergence conditions;

s9, after the population evolution is completed, the obtained data set is a target equipment E network attack surface measurement value set based on an improved SGA, the adaptive value of the population individuals after decoding is calculated, the chromosome is evolved until the individual with the highest adaptive value is selected, and the solved maximum value is the closest actual network attack surface measurement value;

the step S2 specifically includes:

mapping a Bayesian network attack surface measurement value triplet set obtained by multiple networking calculation of the target equipment into each individual in a population S, wherein each individual in the population corresponds to a group of network attack surface measurement values, and setting the population scale as N, wherein N is more than or equal to 1, namely performing N networking and penetration tests; the number of network resource nodes of each networking is as follows:

wherein i is E M ^Res ，j∈C ^Res ，k∈I ^Res 。

2. The method for evaluating the network attack surface of the weapon equipment based on the improved SGA as claimed in claim 1, wherein in the step S1, a Bayesian network resource diagram is established, and the node vulnerability severity degree under the prior condition is calculated; comprising the following steps:

s11, establishing a Bayesian network resource diagram, wherein each node in the network represents a port M, a protocol C and untrusted data I contained in equipment in the network, and a numerical value below each node represents the initial vulnerability severity degree of the node, namely the conditional probability distribution of each node in the network;

setting P as a parameter representing probability distribution relation among nodes in the Bayesian network, namely the initial probability of being attacked; any node X in a Bayesian network _i ，i∈(M ^Res ,C ^Res ,I ^Res ) At its parent node pa (X _i ) Under the given condition of the value, determining the dependency degree of each child node on the father node, namely the vulnerability severity degree of the child node relative to the father node;

and S12, using a Bayesian network model to carry out reasoning, and calculating the node vulnerability severity degree under the prior condition.

3. The method for evaluating the network attack surface of the weapon equipment based on the improved SGA according to claim 2, wherein in the step S1, a Bayesian network model is established based on an attack efficiency-cost ratio function to obtain a network attack surface metric value; comprising the following steps:

s13, establishing a Bayesian network model based on an attack efficiency-cost ratio function, setting the vulnerability severity degree of a port m as p' (m), and setting the network attack efficiency-cost ratio as der _m (m)，m∈M ^Res The method comprises the steps of carrying out a first treatment on the surface of the The vulnerability severity of protocol c is p' (c), and the network attack efficiency-cost ratio is der _c (c)，c∈C ^Res The method comprises the steps of carrying out a first treatment on the surface of the The vulnerability severity of the untrusted data d is p' (d), and the network attack efficiency-cost ratio is der _d (d)，d∈I ^Res The method comprises the steps of carrying out a first treatment on the surface of the The network attack surface metric value of the target equipment E is a triplet:

wherein,

dl _i ac as index of damage degree of network attack to resource _i An attack cost size indicator paid for an attacker to attack a resource,the higher the obtained measurement value is for the number of the resource types i, the larger the network attack surface is;

obtaining a network attack surface measurement value: p' (i) Σder _i (i)，i∈(M ^Res ,C ^Res ,I ^Res )。

4. The method for evaluating the network attack surface of the weapon equipment based on the improved SGA according to claim 1, wherein the step S4 specifically includes:

s41, according to the fact that the values of attack accessibility of each network node in different network attack modes are fixed, average attack accessibility of each node in all different network attack modes is obtained, and the sum of average attack accessibility of each node of each type of resources of a port M, a protocol C and untrusted data I is obtained respectively;

s42, setting the attack accessibility of each node as omega, and setting the average attack accessibility of each node under all network attack modes as omegaConstructing fitness function by combining minimum variance method with Bayesian network method as

u is E [1, N ], N represents population scale, u represents population individuals in the population scale; and calculating the fitness of each individual in each generation of population, and carrying out genetic operation on the chromosome until the individual with the highest fitness is selected, and solving the largest value, namely the closest value of the actual network attack surface metric.

5. The method for evaluating the network attack surface of the weapon equipment based on the improved SGA according to claim 1, wherein the step S5 specifically includes:

selecting operators according to genetic strategy by adopting a roulette selection method, wherein for a population S with a scale of N, each chromosome x _i The probability of selection P (x) _i ) The determined chance of being selected by attack is divided into N times, N chromosomes are randomly selected from S, and are duplicated, and probability P (x _i ) The calculation formula of (2) is as follows:

f(x _i ) Represents the probability of selection, f (x _j ) Representing the accumulation probability;

in wheel selection, the larger the fitness value of an individual is, the larger the corresponding sector area is, namely the larger the selected probability is.

6. The method for evaluating the network attack surface of the weapon equipment based on the improved SGA according to claim 1, wherein the step S6 specifically includes:

cross probability P based on the characteristics of biological population evolution _c Gradually decreasing with time according to a certain rule; introducing a time attenuation function P (t) during the crossover operation, so that the crossover operation is more reasonable;

let t be the time difference between the current population evolution time and the initial population generation time, attenuation factorT represents a half-life factor; crossover probability P _c The decay function of (2) is: p (P) _c ′(t)＝P _c ·e ^-λ·t ；

According to the crossover probability P of the current time t _c ' t. A single point coincidence crossing method is used to select the position of a crossing, i.e. the crossing point, and then the parts following the two individual crossing points are swapped.

7. The method for evaluating the network attack surface of the weapon equipment based on the improved SGA according to claim 1, wherein the step S7 specifically includes:

the basis of the variation is according to the variation probability P _m Replacing some of the gene values in the individual code string with other gene values, thereby forming a new individual; cross probability P based on the characteristics of biological population evolution _m Attenuation should be performed with time according to a certain rule;

establishing a mutation probability P _m The decay function of (2) is: p (P) _m ′(t)＝P _m ·e ^-λ·t

Probability of variation P in dependence on the current time t _m ' (t) altering a gene at one or more positions on a chromosome using a reverse manipulation; the two numbers i 'and j' are randomly selected using a pseudo-random number method, exchanging genes between the i 'and j' positions of the chromosome.

8. The method for evaluating the network attack surface of the weapon equipment based on the improved SGA according to claim 1, wherein the step S8 specifically includes:

the traditional genetic algorithm is improved, population individuals are judged in sequence according to known boundary conditions, fitness values are calculated, whether the new population performance meets a first threshold value of a convergence condition is judged, whether a second threshold value of the convergence condition is met is further judged, iteration is continued until the second threshold value of the convergence condition is met, and iteration is terminated;

(1) The first reconvergence condition is set as the judgment of the similarity of the generation; the similarity is calculated by the similarity of the chromosome codes of individuals in the population, and the generation similarity judgment is completed by pairwise comparison of the chromosome parity codes of the individuals in the current population; when the same bit number codes are different, the similarity is false; the similarity is true when the same bit number codes are identical; the set with true similarity is the overall similarity, when the overall similarity is larger than a first threshold value, iterative evolution is returned, and otherwise, the next re-judgment is carried out;

(2) The second-degree similarity judgment is set as parent similarity judgment; judging the similarity of the individuals of the new population relative to the parent population, namely comparing each individual of the new population with the chromosome binary codes of the individuals corresponding to the parent population one by one; if the codes of the same bit number are the same, the similarity is true; the same number of bits is encoded differently, then the similarity is false; and if the similarity is true, returning to iterative evolution when the overall similarity is larger than a second threshold value, otherwise decoding, and outputting a result to be the population after the iterative evolution in the population is terminated, wherein the individual with the largest fitness value is the optimal individual.