CN110417733B - Attack prediction method, device and system based on QBD attack and defense random evolution game model

Publication number: CN110417733B
Authority: CN (China)
Prior art keywords: attack, defense, qbd, strategy, random
Legal status: Active
Application number: CN201910549015.6A
Other languages: Chinese (zh)
Other versions: CN110417733A (en)
Inventors: 谭晶磊, 金辉, 张红旗, 杨英杰, 刘小虎, 雷程
Current Assignee: PLA Information Engineering University
Original Assignee: PLA Information Engineering University

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N5/00 Computing arrangements using knowledge-based models
    • G06N5/04 Inference or reasoning models
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Physics & Mathematics (AREA)
  • Evolutionary Computation (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Artificial Intelligence (AREA)
  • Medical Informatics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Computational Linguistics (AREA)
  • Computer Hardware Design (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the technical field of network security, and in particular relates to an attack prediction method, device and system based on a QBD attack-defense random evolutionary game model. The method comprises: abstracting the attack-defense evolution process as a quasi-birth-and-death (QBD) process, introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the attack-defense participants' strategy learning and adjustment under random disturbance, and constructing the QBD attack-defense random evolutionary game model; establishing the balance equation of the quasi-birth-and-death attack-defense confrontation process according to the QBD attack-defense random evolutionary game model; solving the balance equation to obtain the strategy equilibrium probability distribution of the quasi-birth-and-death attack-defense confrontation process; and obtaining the most threatening attack strategy from the strategy equilibrium probability distribution. The invention is closer to actual attack-defense confrontation scenarios, considers the influence of random disturbance in the attack-defense evolution process, and proposes a quasi-birth-and-death attack-defense random evolutionary game model that strengthens the ability to predict attack behavior and improves the accuracy of attack prediction and the validity of the model, which has important guiding significance for the development of network security technology.

Figure 201910549015

Description

Attack prediction method, device and system based on QBD attack-defense random evolutionary game model

Technical Field

The invention belongs to the technical field of network security, and in particular relates to an attack prediction method, device and system based on a QBD attack-defense random evolutionary game model.

Background

In the field of network security, attackers use a variety of attack methods against a defended system to obtain more valuable information resources, while defenders adopt different defensive measures, according to the attacker's intent, to protect the system and prevent information resources from being stolen. To defend an information system effectively, the defender needs to predict attack behavior accurately in advance so that information resources do not suffer heavy losses. The opposing goals, interdependent strategies and non-cooperative relationship that the two sides exhibit in network attack-defense confrontation fit the basic characteristics of game theory closely. The study and application of game theory in network security has therefore become a focus of research for experts and scholars in recent years.

At present, research results on game theory in network security are all based on the assumption of complete rationality: the attacking and defending players are assumed to know the opponent's available strategies and payoff structure fully, and the optimal response strategy is obtained by solving for the Nash equilibrium. These results do not take into account the bounded rationality of real attack-defense participants: their security knowledge, skill level and the game information they can obtain are limited, their reasoning when making decisions is not always correct, and they cannot respond optimally to every change in the decision environment. The idealized assumption of complete rationality does not match actual network attack and defense, and its practical effect is poor. With the study and application of evolutionary game theory in network security, analyzing attack behavior prediction and defense strategy selection with evolutionary game ideas based on bounded rationality fits the network attack-defense confrontation scenario better.

An evolutionary game takes the bounded rationality of the attack-defense participants into account. Through continual learning and adjustment of strategies, the participants gradually learn the decision environment, the opponent's information and the payoff differences produced by different strategies, and the system finally evolves dynamically to a stable equilibrium state. In existing research: starting from attack and defense costs in information security, an evolutionary game model of information security attack-defense confrontation was established, and the evolutionarily stable strategy was derived from the replicator dynamics of the attack and defense populations; an attack-defense evolutionary game model was built by combining evolutionary games with system dynamics and was tested for system boundary, validity and parameter sensitivity, showing that the model is objective, scientific and practical; the defense strategy selection problem was studied from the perspective of the participants' bounded rationality, an attack-defense evolutionary game model was constructed, and a method for solving the evolutionarily stable strategy using the replicator dynamics learning mechanism was proposed and analyzed; and a multi-stage attack-defense evolutionary game model for the Internet of Things was established, the payoffs and costs of the attack and defense strategies were quantified, and the optimal defense strategy was determined using the replicator dynamics learning mechanism.

However, all of the above research is based on the replicator dynamics learning mechanism, a deterministic, mutation-free natural-selection learning model that always selects the strategy whose expected payoff is higher than the average payoff. In a real attack-defense confrontation, under random disturbances such as uncertain attack behavior and intent and changes in the decision environment, a deterministic replicator dynamics mechanism can hardly estimate and predict the dynamic evolution of attack and defense accurately.

Summary of the Invention

To this end, the invention provides an attack prediction method, device and system based on the QBD attack-defense random evolutionary game model, which is closer to actual attack-defense confrontation scenarios, strengthens the ability to predict attack behavior, improves the accuracy and effectiveness of attack prediction, and has strong application prospects.

According to the design scheme provided by the invention, an attack prediction method based on the QBD attack-defense random evolutionary game model comprises the following:

Abstract the attack-defense evolution process as a quasi-birth-and-death (QBD) process, introduce a learning degree and a noise factor to describe the dynamic evolution trajectory of the participants' strategy learning and adjustment under random disturbance, and construct the QBD attack-defense random evolutionary game model;

Establish the balance equation of the quasi-birth-and-death attack-defense confrontation process according to the QBD attack-defense random evolutionary game model;

Solve the balance equation to obtain the strategy equilibrium probability distribution of the quasi-birth-and-death attack-defense confrontation process; from the strategy equilibrium probability distribution, obtain the most threatening attack strategy.

As described above, the QBD attack-defense random evolutionary game model is represented by a seven-tuple: QBD-ADSEGM = (Γ, N, S, χ(t), α, β, U), where Γ denotes the attack-defense game populations, N the number of attack-defense participants, S the participants' strategy space, χ(t) the attack-defense state space at time t, α the set of the participants' learning degrees, β the participants' noise factor, and U the set of payoff functions of the two sides.

As described above, the set of learning degrees contains a learning parameter describing how well the attacker grasps the attack-defense information and a learning parameter describing how well the defender grasps it; the noise factor describes random disturbance in the attack-defense process and is set to be greater than 0.

As described above, according to the QBD attack-defense random evolutionary game model, the corresponding quasi-birth-and-death process is constructed, its state space is obtained, and the balance equation is established.

As described above, the balance equation is established as follows: first, the transition probabilities of the attacker's and the defender's strategy selection are defined; from the transition probability matrix, the quasi-birth-and-death attack-defense evolution process is constructed, and the balance equation of the attack-defense evolution process is obtained.

As described above, in solving for the equilibrium state, elementary transformations are first applied to the balance equation and it is solved; the stationary probability distribution of the QBD attack-defense evolution process is obtained from the positive recurrence condition, which gives the stationary probability distribution of the attack-defense random evolutionary game.

Preferably, in view of the balance equation's nature as a nonlinear homogeneous system of equations, Gaussian elimination is used to apply elementary transformations to the balance equation.

Preferably, in solving the balance equation, game information is obtained by analyzing the confrontation between the game populations and their mutual learning, the payoffs produced by the different strategies are computed, and the transition probability is determined by the expected payoff, the learning degree and the noise factor.

Further, the invention also provides an attack prediction device based on the QBD attack-defense random evolutionary game model, comprising a model building module, an equation building module and an analysis and solving module, wherein:

The model building module is used to abstract the attack-defense evolution process as a quasi-birth-and-death (QBD) process, introduce a learning degree and a noise factor to describe the dynamic evolution trajectory of the participants' strategy learning and adjustment under random disturbance, and construct the QBD attack-defense random evolutionary game model;

The equation building module is used to establish the balance equation of the quasi-birth-and-death attack-defense confrontation process according to the QBD attack-defense random evolutionary game model;

The analysis and solving module is used to solve the balance equation and obtain the strategy stationary probability distribution of the quasi-birth-and-death attack-defense confrontation process; from the strategy stationary probability distribution, the most threatening attack strategy is obtained.

Further, the invention also provides a network security system comprising the above attack prediction device based on the QBD attack-defense random evolutionary game model.

Beneficial effects of the invention:

The invention introduces a learning degree parameter and a noise factor to describe the dynamic evolution trajectory of the participants' strategy learning and adjustment under random disturbance; by establishing the balance equation of the quasi-birth-and-death attack-defense confrontation process and solving for the strategy stationary probability distribution of the evolution process, it gives the most threatening attack strategy. Because the attack and defense populations are affected by random disturbance during the game, the attack-defense random evolutionary game is modeled on a quasi-birth-and-death process with the learning degree parameter and noise factor introduced, and the balance equation of the constructed process is solved to obtain the stationary probability distribution of strategies in the limit for the two populations, from which the most threatening attack strategy is known, achieving attack prediction. The model is closer to actual attack-defense confrontation scenarios and considers the influence of random disturbance in the attack-defense evolution; the proposed quasi-birth-and-death attack-defense random evolutionary game model strengthens the ability to predict attack behavior, the accuracy of the attack prediction and the validity of the model are verified by simulation experiments, and it has important guiding significance for the development of network security technology.

Description of the drawings:

Fig. 1 is a schematic flowchart of the attack prediction method in the embodiment;

Fig. 2 is a schematic diagram of the attack prediction device in the embodiment;

Fig. 3 is the topology diagram of the network information experiment system in the embodiment;

Fig. 4 is the stationary probability distribution of the attack population when α=0.1 in the embodiment;

Fig. 5 is the stationary probability distribution of the defense population when α=0.1 in the embodiment;

Fig. 6 is the stationary probability distribution of using attack strategy A_1 under different values of α in the embodiment;

Fig. 7 is the stationary probability distribution of using defense strategy D_1 under different values of α in the embodiment;

Fig. 8 is the stationary probability distribution of the attack population when β takes different values in the embodiment;

Fig. 9 is the stationary probability distribution of the defense population when β takes different values in the embodiment.

Detailed Description:

To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and technical solutions.

In an existing real attack-defense confrontation, under random disturbances such as uncertain attack behavior and intent and changes in the decision environment, a deterministic replicator dynamics mechanism can hardly estimate and predict the dynamic evolution of attack and defense accurately. For this situation, an embodiment of the invention, shown in Fig. 1, provides an attack prediction method based on the QBD attack-defense random evolutionary game model, comprising the following:

S101. Abstract the attack-defense evolution process as a quasi-birth-and-death (QBD) process, introduce a learning degree and a noise factor to describe the dynamic evolution trajectory of the participants' strategy learning and adjustment under random disturbance, and construct the QBD attack-defense random evolutionary game model;

S102. Establish the balance equation of the quasi-birth-and-death attack-defense confrontation process according to the QBD attack-defense random evolutionary game model;

S103. Solve the balance equation to obtain the strategy equilibrium probability distribution of the quasi-birth-and-death attack-defense confrontation process; from the strategy equilibrium probability distribution, obtain the most threatening attack strategy.

The quasi-birth-and-death process defines its state by the two-dimensional random variable χ(t) = (χ_A(t), χ_D(t)), which describes the number of participants in the attack and defense populations using a given strategy of their own; the state transition process is characterized by the change (increase, decrease or no change) in the number of participants using that strategy. In game t+1, the participants obtain game information, directly or indirectly, from the confrontation analysis between populations and the mutual learning within populations in game t, compute the payoffs produced by the different strategies, and randomly select a high-payoff strategy with a transition probability determined by the expected payoff, the learning degree and the noise factor, so that the number of participants using high-payoff strategies increases. The learning degree describes how well the participants grasp the decision environment, the opponent's information and the payoff differences produced by different strategies; the noise factor characterizes random disturbance in the attack-defense process. After many rounds, as the participants' learning degree rises, under the strategy learning and adjustment mechanism the strategy probability distribution over the state space tends to stability; this stationary probability distribution is the realization of the Nash equilibrium in the sense of population behavior. Over time, through playing, learning and improving strategies, the proportion of each strategy selected in the population finally reaches a steady state; the larger a strategy's probability, the greater the acceptance of that evolutionarily stable strategy in the population.

Further, in this embodiment of the invention, the QBD attack-defense random evolutionary game model is represented by a seven-tuple: QBD-ADSEGM = (Γ, N, S, χ(t), α, β, U), where:

1) Γ = (attackers, defenders) denotes the populations taking part in the game; attackers denotes the attack population and defenders the defense population;

2) N = (N_A, N_D) denotes the number of game participants; N_A is the number of attackers in the attack population and N_D the number of defenders in the defense population;

3) S = (S_A, S_D) denotes the participants' strategy space, where the attack strategy set S_A = {A_1, A_2, …, A_m} and the defense strategy set S_D = {D_1, D_2, …, D_n}; m and n are the numbers of attack and defense strategies, with m, n ∈ Z and m, n ≥ 2;

4) [Figure GDA0002108748360000051] denotes the state space of the attack-defense evolution at time t and is a two-dimensional random variable, where [Figure GDA0002108748360000052] denotes the number of attackers in the attack population who choose strategy A_i, satisfying [Figure GDA00021087483600000611] and [Figure GDA0002108748360000061]; [Figure GDA0002108748360000062] denotes the number of defenders in the defense population who choose strategy D_j, satisfying [Figure GDA0002108748360000063] and [Figure GDA0002108748360000064]. The size of the state space χ(t) is (N_A+1)(N_D+1);

5) α = (α_1, α_2) denotes the set of the participants' learning degrees, which describes how well the participants grasp the decision environment, the opponent's information and the payoff differences produced by different strategies, where α_1 is the attacker's learning degree and α_2 the defender's learning degree, with α_1 ∈ [0,2] and α_2 ∈ [0,2];

6) β denotes the participants' noise factor, which describes random disturbance in the attack-defense process, with β > 0;

7) U = (U_A, U_D) is the set of payoff functions of the two sides; it is determined jointly by the strategies of both sides, and different combinations of attack and defense strategies yield different payoffs.

When the attacker adopts strategy A_i and the defender adopts strategy D_j, the strategy payoffs of the attacker and the defender are denoted a_ij and d_ij respectively. It follows that the expected payoff of the attacker using strategy A_i in the game is [Figure GDA0002108748360000065] and the expected payoff of the defender using strategy D_j in the game is [Figure GDA0002108748360000066]:

Figure GDA0002108748360000067

Figure GDA0002108748360000068

Moreover, when the participants are uncertain about the opponent's game information, they take part in the game with strategies ψ_A(t), ψ_D(t), that is:

Figure GDA0002108748360000069

Figure GDA00021087483600000610

Further, in this embodiment of the invention, according to the QBD attack-defense random evolutionary game model, the corresponding quasi-birth-and-death process is constructed, its state space is obtained, and the balance equation is established.

According to the QBD attack-defense random evolutionary game model, the corresponding quasi-birth-and-death process is constructed, denoted {x(t), t≥0, [Figure GDA0002108748360000071]. The state space of this quasi-birth-and-death process is therefore: Θ = {(0,0),(0,1),…,(0,N_D); (1,0),(1,1),…,(1,N_D); …; (N_A,0),(N_A,1),…,(N_A,N_D)}.

Further, in this embodiment of the invention, the balance equation is established as follows: first, the transition probabilities of the attacker's and the defender's strategy selection are defined; from the transition probability matrix, the quasi-birth-and-death attack-defense evolution process is constructed, and the balance equation of the attack-defense evolution process is obtained.

First, define the transition probability of the attacker's strategy selection [Figure GDA0002108748360000072]:

Figure GDA0002108748360000073

Figure GDA0002108748360000074

Here A_{-i} = (A_1, …, A_{i-1}, A_{i+1}, …, A_m) denotes the vector of all attack strategies other than i; [Figure GDA0002108748360000075] denotes the maximum of the expected payoffs of the strategies other than A_i; [Figure GDA0002108748360000076] denotes the probability that an attacker who chose strategy A_{-i} changes strategy and switches to strategy A_i; and [Figure GDA0002108748360000077] denotes the probability that an attacker who chose strategy A_i changes strategy and switches to strategy A_{-i}.

Similarly, the transition probability of the defender's strategy selection
Figure GDA0002108748360000078

Figure GDA0002108748360000079

Figure GDA00021087483600000710

Here,
Figure GDA00021087483600000711
denotes the probability that a defender who selected strategy D_j will change strategy and select strategy D_{-j} instead, and
Figure GDA00021087483600000712
denotes the probability that a defender who selected strategy D_{-j} will change strategy and select strategy D_j instead.

Then the transition probability matrix of the quasi-birth-death attack-defense evolution process
Figure GDA00021087483600000713
is:

Figure GDA0002108748360000081

In the above matrix,
Figure GDA0002108748360000082
denotes the submatrix on the main diagonal of the matrix Q_β, written as:

Figure GDA0002108748360000083

When k = 0, write:

Figure GDA0002108748360000084

When 1 ≤ k ≤ N_A − 1, write:

Figure GDA0002108748360000085

When k = N_A, write:

Figure GDA0002108748360000086

In addition,
Figure GDA0002108748360000087
is the submatrix on the upper-right secondary diagonal (superdiagonal) of the matrix Q_β, written as:

Figure GDA0002108748360000091

Figure GDA0002108748360000092
denotes the submatrix on the lower-left secondary diagonal (subdiagonal) of the matrix Q_β, written as:

Figure GDA0002108748360000093

Further, in the embodiment of the present invention, when solving for the equilibrium state, the balance equation is first subjected to elementary transformation and solved, and the stationary probability distribution of the QBD attack-defense evolution process is obtained from the positive-recurrence condition, which gives the equilibrium probability distribution of the attack-defense random evolutionary game. Preferably, given that the balance equation has the character of a nonlinear homogeneous system of equations, Gaussian elimination is used to perform the elementary transformation on the balance equation. Preferably, in solving the balance equation, game information is obtained through confrontation analysis between the game groups and mutual learning within each group, the payoffs produced by the game under different strategies are calculated, and the transition probability is determined by the expected payoff, the learning degree and the noise factor.

Let
Figure GDA0002108748360000094
denote the stationary probability distribution of the QBD, where
Figure GDA0002108748360000095
Assuming that the QBD process is positive recurrent, the balance equations are P(β)Q_β = 0 and P(β)e = 1, and it follows that
Figure GDA0002108748360000096
For ease of understanding, let
Figure GDA0002108748360000097
Then the balance equations are equivalent to

Figure GDA0002108748360000098

The balance equation constructed in the embodiment of the present invention is in fact a nonlinear homogeneous system of equations. Using block-matrix-based Gaussian elimination, elementary transformations are applied to the balance equation and the QBD balance equation is solved. From the positive-recurrence condition, P(β) is the QBD stationary probability distribution, which gives the long-term stable equilibrium of the attack-defense random evolutionary game.
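The solving step described above, as an added Python sketch that is not code from the patent: it builds the block-tridiagonal generator over the states (i, j), solves PQ = 0, Pe = 1 by Gaussian elimination, and reads off the marginal distributions and the predicted attack strategy. The switching-rate form, the payoff values and all function names are assumptions constructed for this example (the patent's transition formulas and Table 1 are not reproduced on this page), so the output does not reproduce the patent's tables; the defaults N_A = 8, N_D = 10, β = 0.5 are the values of the patent's experiment.

```python
# Added illustration: finite QBD attack-defense chain solved by Gaussian elimination.
# Payoffs are constructed sample values, not the patent's Table 1.
# UA[k][l]: attacker payoff for attack A(k+1) against defense D(l+1).
# UD[k][l]: defender payoff for defense D(l+1) against attack A(k+1).
UA = [[6.0, 8.0], [3.0, 4.0]]
UD = [[5.0, 2.0], [4.0, 3.0]]


def build_generator(n_a, n_d, alpha, beta):
    """Generator Q over states (i, j): i attackers on A1, j defenders on D1.

    Assumed switching rate (not the patent's formula): a player leaves its
    strategy at rate beta (noise) + alpha * (expected payoff gain, if positive).
    """
    if beta <= 0:
        raise ValueError("noise factor must be > 0 so that the chain is irreducible")
    width = n_d + 1                       # phases per level
    size = (n_a + 1) * width
    q = [[0.0] * size for _ in range(size)]
    for i in range(n_a + 1):              # level: attackers on A1
        for j in range(n_d + 1):          # phase: defenders on D1
            x, y = j / n_d, i / n_a       # share of defenders on D1, attackers on A1
            # Expected payoff advantage of A1 over A2, and of D1 over D2.
            gain_a = x * (UA[0][0] - UA[1][0]) + (1 - x) * (UA[0][1] - UA[1][1])
            gain_d = y * (UD[0][0] - UD[0][1]) + (1 - y) * (UD[1][0] - UD[1][1])
            moves = {
                (i + 1, j): (n_a - i) * (beta + alpha * max(gain_a, 0.0)),  # A2 -> A1
                (i - 1, j): i * (beta + alpha * max(-gain_a, 0.0)),         # A1 -> A2
                (i, j + 1): (n_d - j) * (beta + alpha * max(gain_d, 0.0)),  # D2 -> D1
                (i, j - 1): j * (beta + alpha * max(-gain_d, 0.0)),         # D1 -> D2
            }
            row = q[i * width + j]
            for (ni, nj), rate in moves.items():
                if 0 <= ni <= n_a and 0 <= nj <= n_d and rate > 0:
                    row[ni * width + nj] = rate
            row[i * width + j] = -sum(row)  # generator rows sum to zero
    return q


def stationary(q):
    """Solve pi Q = 0, pi e = 1 by Gaussian elimination with partial pivoting."""
    n = len(q)
    # Rows of `a` are the balance equations (columns of Q) with a zero right-hand
    # side; the last, redundant one is replaced by the normalisation sum(pi) = 1.
    a = [[q[r][c] for r in range(n)] + [0.0] for c in range(n)]
    a[n - 1] = [1.0] * n + [1.0]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv] = a[piv], a[col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            if f:
                for c in range(col, n + 1):
                    a[r][c] -= f * a[col][c]
    pi = [0.0] * n
    for r in range(n - 1, -1, -1):        # back substitution
        pi[r] = (a[r][n] - sum(a[r][c] * pi[c] for c in range(r + 1, n))) / a[r][r]
    return pi


def marginals(pi, n_a, n_d):
    """Marginal laws of i (attackers on A1) and of j (defenders on D1)."""
    w = n_d + 1
    p_att = [sum(pi[i * w + j] for j in range(w)) for i in range(n_a + 1)]
    p_def = [sum(pi[i * w + j] for i in range(n_a + 1)) for j in range(w)]
    return p_att, p_def


def predict(n_a=8, n_d=10, alpha=0.1, beta=0.5):
    """Return (predicted attack strategy, P(all attackers on A1), P(all defenders on D1))."""
    pi = stationary(build_generator(n_a, n_d, alpha, beta))
    p_att, p_def = marginals(pi, n_a, n_d)
    mean_share_a1 = sum(i * p for i, p in enumerate(p_att)) / n_a
    return ("A1" if mean_share_a1 >= 0.5 else "A2"), p_att[n_a], p_def[n_d]


if __name__ == "__main__":
    for alpha in (0.1, 0.5, 1.0, 2.0):    # learning degrees used in the experiment
        print(alpha, predict(alpha=alpha))
```

With these constructed payoffs A1 and D1 are dominant, so raising the learning degree concentrates the stationary mass on the state where every attacker plays A1, which is the qualitative behaviour the description reports.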

Further, an embodiment of the present invention also provides an attack prediction device based on the QBD attack-defense random evolutionary game model which, as shown in FIG. 2, comprises a model building module 101, an equation building module 102 and an analysis and solving module 103, wherein:

the model building module 101 is used to abstract the attack-defense evolution process as a quasi-birth-death process (QBD), introduce a learning degree and a noise factor to describe the dynamic evolution trajectory of the attack and defense participants' strategy learning and adjustment under random disturbance, and construct the QBD attack-defense random evolutionary game model;

the equation building module 102 is used to establish the balance equation of the quasi-birth-death attack-defense confrontation process according to the QBD attack-defense random evolutionary game model;

the analysis and solving module 103 is used to solve the balance equation to obtain the strategy equilibrium probability distribution of the quasi-birth-death attack-defense confrontation process, and to obtain the most threatening attack strategy from the strategy equilibrium probability distribution.

Further, an embodiment of the present invention also provides a network security system comprising the attack prediction device based on the QBD attack-defense random evolutionary game model of the above embodiment, used to predict and analyze attack behavior in a network system.

To verify the validity of the QBD random evolutionary game model proposed in the embodiment of the present invention and the accuracy of its attack prediction, an experiment was carried out in a specific network information system environment. As shown in FIG. 3, the network environment consists mainly of an external-network attack group, a DMZ and an intranet; the network security devices are a firewall, an intrusion prevention device and a bastion host, which protect the intranet database server and prevent data resources from being stolen. The system environment was scanned with Nessus and, with reference to MIT's attack-defense behavior database and the information in the National Information Security Vulnerability Database (CNNVD), the attack-defense strategy sets used in the experiment were designed: the attack strategies are A_1 (database listening) and A_2 (port-scanning attack), and the defense strategies are D_1 (database upgrade) and D_2 (closing idle port services).

Based on the established QBD random evolutionary game model, and considering the bounded rationality of the attack and defense participants, each side maximizes its own payoff while seeking a balance between information-security risk and investment. Accordingly, with reference to payoff quantification methods and the characteristics of the quasi-birth-death process, the payoffs produced by the game under the different attack and defense strategies are calculated, giving the attack-defense strategy payoff matrix of Table 1.

Table 1. Attack-defense strategy payoff matrix

Figure GDA0002108748360000101

It is further assumed that the number of attackers is N_A = 8 and the number of defenders is N_D = 10.

Considering that the attack-defense confrontation is subject to some random disturbance, the noise factor is assumed to be β = 0.5. In this simulation scenario, the learning degree parameter α_i (i = 1, 2) is varied to observe how an increase in the learning degree of both sides affects attack prediction; that is, the evolution of the game between the two sides is studied for α_1 = α_2 = α = 0.1, 0.5, 1.0, 2.0.

The stationary probability distribution of this group of QBD attack-defense random evolutionary game models is solved. For α = 0.1, the computed P matrix of the stationary probability distribution is:

Figure GDA0002108748360000111

Let:

Figure GDA0002108748360000112

where
Figure GDA0002108748360000113
denotes the stationary probability that the number of attackers adopting strategy A_1 in the attack group is i while the number of defenders selecting strategy D_1 in the defense group is j;
Figure GDA0002108748360000114
denotes the stationary probability that, after many rounds of the game, the number of attackers adopting strategy A_1 in the attack group is i;
Figure GDA0002108748360000115
denotes the stationary probability that, after many rounds of the game, the number of defenders adopting strategy D_1 in the defense group is j. The resulting stationary probability distributions of the strategies in the attack-defense group evolutionary game are shown in FIGS. 4 and 5, where FIG. 4 is the stationary probability distribution of the attack group for α = 0.1 and FIG. 5 is the stationary probability distribution of the defense group for α = 0.1.

In the stationary probability distribution of the attack group in FIG. 4, the abscissa is the number of attackers, i.e. the number of attackers choosing strategy A_1 or A_2, and the ordinate is the stationary probability of strategy A_1. For α = 0.1, the probability that all attackers in the attack group choose strategy A_1 is only 58.79%; that is to say, the probability that 7 attackers select strategy A_1 and 1 attacker selects strategy A_2 is 24.44%, and the probability that 6 attackers select strategy A_1 and 2 attackers select strategy A_2 is 10.07%. The numerical results therefore show a marked divergence in attack strategy selection. Similarly, FIG. 5 shows that the probability that all defenders choose strategy D_1 is only 65.39%, while the probability that 1 defender selects strategy D_2 is 22.61%; strategy selection is clearly inconsistent.

Similarly, for α = α_1 = α_2 = 0.1, 0.5, 1.0, 2.0, the stationary probability distributions of the attack-defense group evolutionary game under the different learning degree parameters are given in Tables 2 and 3, where
Figure GDA0002108748360000121
indicates that the number of attackers selecting strategy A_1 in the attack group is i, and
Figure GDA0002108748360000122
indicates that the number of defenders selecting strategy D_1 in the defense group is j.

Table 2. Stationary probability distribution of the attack group evolutionary game under different learning degree parameters

Figure GDA0002108748360000123

Table 3. Stationary probability distribution of the defense group evolutionary game under different learning degree parameters

Figure GDA0002108748360000124

Simulation in Matlab 2016b yields the stationary probability distributions of the attack and defense group evolution under different learning degree parameters shown in FIGS. 6 and 7, which allow the two sets of numerical results in Tables 2 and 3 to be analyzed and compared visually.

As the learning degree α varies over the interval [0, 2], FIGS. 6 and 7 show the trends of the stationary probability distributions corresponding to selecting attack strategy A_1 and defense strategy D_1 in the attack and defense groups. As α tends to 2, attack strategy selection converges to the optimal strategy A_1 and defense strategy selection converges to the optimal strategy D_1: the probability that all attackers in the attack group select strategy A_1 is 96.94% (error less than 5%), and the probability that all defenders in the defense group select strategy D_1 is 96.61% (error less than 5%).

The following conclusions can be drawn from the above numerical results. Through confrontation analysis between groups and mutual learning within the same group, game information is collected and analyzed, which gradually improves the attack and defense participants' understanding of the opponent's behavior and intent and of the decision environment. As the learning degree α increases, selection of the optimal attack strategy A_1 stabilizes, so attack strategy A_1 is the predicted most threatening attack strategy. A small value of α indicates that the participants lack understanding of the game outcome and the decision environment; if there is marked randomness in the attack-defense decision process, the stationary probability distribution of the evolutionary game does not necessarily converge to a particular strategy.

Assume the learning degree is the fixed constant α_1 = α_2 = 0.7 and β = 0.2, 1.2, 2.2, 5.0. In this simulation scenario, the influence of different noise factors β on the evolution of the game between the two sides is observed. Solving for the stationary probability distribution of the quasi-birth-death process corresponding to this group of models gives the internal evolutionary game results of the attack and defense groups under different noise factors, shown in Tables 4 and 5.

Table 4. Stationary probability distribution of the attack group evolutionary game under different noise factors

Figure GDA0002108748360000131

Table 5. Stationary probability distribution of the defense group evolutionary game under different noise factors

Figure GDA0002108748360000132

FIGS. 8 and 9 show the internal evolution of the attack and defense groups directly. When β = 0.2, the behavior of the attackers (defenders) is only slightly affected by random disturbance and strategy selection is highly consistent: the probability that all attackers in the attack group choose strategy A_1 is 96.53%, and the probability that all defenders in the defense group select D_1 is 96.15%. However, as β increases, at β = 5.0 the effect of random disturbance is pronounced and the attackers in the group diverge in strategy selection. The probability that all attackers in the attack group choose A_1 is only 49.39%, the probability that 1 attacker chooses strategy A_2 is 25.41%, and the probability that 2 attackers choose A_2 is 12.96%. Likewise, the data for the defense group show that at β = 5.0 the probability that all defenders adopt strategy D_1 is only 59.51%, while the probability that 1 defender in the group chooses strategy D_2 is 24.01%; strategy selection is clearly inconsistent.

The present invention addresses the effect of random disturbance on the attack and defense groups during the game. By introducing a learning degree parameter and a noise factor, the attack-defense random evolutionary game is modeled on the basis of a quasi-birth-death process, and Gaussian elimination is used to solve the balance equation of the constructed attack-defense game quasi-birth-death process. This gives the stationary probability distribution of the strategies of the attack and defense groups in the limit, from which the most threatening attack strategy is identified and attack prediction is achieved. The results show that as the attack-defense evolution proceeds, the groups collect information on the opponent's game characteristics, gradually deepen their understanding of the decision environment and of the opponent, and their learning degree keeps increasing; no marked divergence appears in the participants' strategy choices, and all participants tend to choose the evolutionarily stable strategy. As random disturbance increases, however, the game system tends toward instability, the game outcome is determined mainly by the random disturbance, and the attack and defense groups diverge markedly in strategy selection. In real attack-defense scenarios random factors are unavoidable, but reducing their influence as far as possible and increasing the learning degree is of guiding significance for actual network attack prediction.

Unless specifically stated otherwise, the relative steps, numerical expressions and numerical values of the components and steps set forth in these embodiments do not limit the scope of the invention.

Based on the above method, an embodiment of the present invention further provides a server, comprising: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the above method.

Based on the above method, an embodiment of the present invention further provides a computer-readable medium on which a computer program is stored, wherein the program implements the above method when executed by a processor.

The implementation principle and technical effects of the device provided by the embodiment of the present invention are the same as those of the foregoing method embodiment. For brevity, where the device embodiment does not mention something, reference may be made to the corresponding content of the foregoing method embodiment.

Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the system and device described above may be found in the corresponding processes of the foregoing method embodiments and are not repeated here.

If the functions are implemented as software functional units and sold or used as a stand-alone product, they may be stored in a processor-executable non-volatile computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes over the prior art, or a part of the technical solution, may be embodied as a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.

Finally, it should be noted that the above embodiments are only specific implementations of the present invention, intended to illustrate its technical solutions and not to limit them, and the scope of protection of the present invention is not limited to them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that anyone familiar with the technical field may, within the technical scope disclosed by the present invention, still modify the technical solutions described in the foregoing embodiments, readily conceive of changes to them, or make equivalent replacements of some of their technical features. Such modifications, changes or replacements do not take the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be determined by the scope of protection of the claims.

Claims (7)

1. An attack prediction method based on a QBD attack-defense random evolutionary game model, characterized by comprising the following:
abstracting the attack-defense evolution process as a quasi-birth-death process (QBD), introducing a learning degree and a noise factor to describe the dynamic evolution trajectory of the attack and defense participants' strategy learning and adjustment under random disturbance, and constructing the QBD attack-defense random evolutionary game model;
establishing a balance equation of the quasi-birth-death attack-defense confrontation process according to the QBD attack-defense random evolutionary game model;
solving the balance equation to obtain the strategy equilibrium probability distribution of the quasi-birth-death attack-defense confrontation process; and obtaining the most threatening attack strategy according to the strategy equilibrium probability distribution;
constructing the corresponding quasi-birth-death process according to the QBD attack-defense random evolutionary game model, obtaining the state space of the quasi-birth-death process, and establishing the balance equation;
the balance equation being established as follows: first, defining the transition probabilities of the strategy selection of the attacker and the defender; then constructing the quasi-birth-death attack-defense evolution process according to the transition probability matrix to obtain the balance equation of the attack-defense evolution process;
the QBD attack-defense random evolutionary game model being represented by a seven-tuple: QBD-ADSEGM (gamma, N, S, chi(t), alpha, beta, U), wherein gamma represents the attack-defense game groups, N represents the number of attack and defense participants, S represents the strategy space of the attack and defense participants, chi(t) represents the attack-defense state space at time t, alpha represents the set of learning degrees of the attack and defense participants, beta represents the noise factor of the attack and defense participants, and U represents the set of payoff functions of the attacking and defending sides.
2. The attack prediction method based on the QBD attack-defense random evolutionary game model, characterized in that the set of learning degrees of the attack and defense participants comprises a learning parameter describing the attacker's degree of mastery of the attack-defense information and a learning parameter describing the defender's degree of mastery of the attack-defense information; and the noise factor of the attack and defense participants describes the random disturbance in the attack-defense process and is set to be greater than 0.
3. The attack prediction method based on the QBD attack-defense random evolutionary game model according to claim 1, characterized in that, when solving for the equilibrium state, the balance equation is first subjected to elementary transformation and solved, and the stationary probability distribution of the QBD attack-defense evolution process is obtained from the positive-recurrence condition, so that the stationary probability distribution of the attack-defense random evolutionary game is obtained.
4. The attack prediction method based on the QBD attack-defense random evolutionary game model, characterized in that, given that the balance equation has the character of a nonlinear homogeneous system of equations, Gaussian elimination is used to perform the elementary transformation on the balance equation.
5. The attack prediction method based on the QBD attack-defense random evolutionary game model, characterized in that, in solving the balance equation, game information is obtained through confrontation analysis between the game groups and mutual learning, the payoffs produced by the game under different strategies are calculated, and the transition probability is determined by the expected payoff, the learning degree and the noise factor.
6. An attack prediction device based on a QBD attack-defense random evolutionary game model, characterized by comprising a model building module, an equation building module and an analysis and solving module, wherein:
the model building module is used to abstract the attack-defense evolution process as a quasi-birth-death process (QBD), introduce a learning degree and a noise factor to describe the dynamic evolution trajectory of the attack and defense participants' strategy learning and adjustment under random disturbance, and construct the QBD attack-defense random evolutionary game model;
the equation building module is used to establish a balance equation of the quasi-birth-death attack-defense confrontation process according to the QBD attack-defense random evolutionary game model;
the analysis and solving module is used to solve the balance equation to obtain the strategy stationary probability distribution of the quasi-birth-death attack-defense confrontation process, and to obtain the most threatening attack strategy according to the strategy stationary probability distribution;
the corresponding quasi-birth-death process is constructed according to the QBD attack-defense random evolutionary game model, the state space of the quasi-birth-death process is obtained, and the balance equation is established;
the balance equation is established as follows: first, the transition probabilities of the strategy selection of the attacker and the defender are defined; then the quasi-birth-death attack-defense evolution process is constructed according to the transition probability matrix to obtain the balance equation of the attack-defense evolution process;
the QBD attack-defense random evolutionary game model is represented by a seven-tuple: QBD-ADSEGM (gamma, N, S, chi(t), alpha, beta, U), wherein gamma represents the attack-defense game groups, N represents the number of attack and defense participants, S represents the strategy space of the attack and defense participants, chi(t) represents the attack-defense state space at time t, alpha represents the set of learning degrees of the attack and defense participants, beta represents the noise factor of the attack and defense participants, and U represents the set of payoff functions of the attacking and defending sides.
7. A network security system, characterized by comprising the attack prediction device based on the QBD attack-defense random evolutionary game model according to claim 6.
CN201910549015.6A 2019-06-24 2019-06-24 Attack prediction method, device and system based on QBD attack and defense random evolution game model Active CN110417733B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910549015.6A CN110417733B (en) 2019-06-24 2019-06-24 Attack prediction method, device and system based on QBD attack and defense random evolution game model

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910549015.6A CN110417733B (en) 2019-06-24 2019-06-24 Attack prediction method, device and system based on QBD attack and defense random evolution game model

Publications (2)

Publication Number Publication Date
CN110417733A CN110417733A (en) 2019-11-05
CN110417733B true CN110417733B (en) 2021-09-10

Family

ID=68359709

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910549015.6A Active CN110417733B (en) 2019-06-24 2019-06-24 Attack prediction method, device and system based on QBD attack and defense random evolution game model

Country Status (1)

Country Link
CN (1) CN110417733B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112261016A (en) * 2020-10-12 2021-01-22 国网甘肃省电力公司电力科学研究院 Power grid protection method in attack scene
CN112417751B (en) * 2020-10-28 2024-03-29 清华大学 Anti-interference fusion method and device based on graph evolution game theory
CN112434922B (en) * 2020-11-13 2021-08-24 北方工业大学 Urban power grid system security control method and device based on zero sum game
CN114024738A (en) * 2021-11-03 2022-02-08 哈尔滨理工大学 Network defense method based on multi-stage attack and defense signals
CN115001855A (en) * 2022-07-18 2022-09-02 南京理工大学 Deep reinforcement learning intelligent agent selection attack method based on track approximation
CN115277250B (en) * 2022-09-23 2023-02-21 中国汽车技术研究中心有限公司 Method, device and storage medium for vehicle-end attack path identification

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9471777B1 (en) * 2012-02-24 2016-10-18 Emc Corporation Scheduling of defensive security actions in information processing systems
CN106446674A (en) * 2016-07-27 2017-02-22 长春理工大学 Attack prediction-based virtual machine monitoring resource allocation method in cloud computing environment
CN107070956A (en) * 2017-06-16 2017-08-18 福建中信网安信息科技有限公司 APT Attack Prediction methods based on dynamic bayesian game

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8863293B2 (en) * 2012-05-23 2014-10-14 International Business Machines Corporation Predicting attacks based on probabilistic game-theory

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A performance analysis method for an intrusion prevention system; 刘伟 et al.; 《信息网络安全》; 20150930 (No. 9); full text *

Also Published As

Publication number Publication date
CN110417733A (en) 2019-11-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant