Attack path prediction based on Bayesian game model

Current network risk assessment models often ignore the impact of attack cost and intrusion intention on network security. In order to better solve the problem of information security defense strategy selection and to assess the risk of the target network accurately, this paper proposes an attack path prediction method based on a game model. The atomic attack probability is calculated from the vulnerability value, the attack cost and the attack benefit. A static risk assessment model is established by combining a Bayesian belief network with a quantified attack graph, and a dynamic update model of intrusion intention is used to predict attack actions effectively under the rationality assumption, which provides the basis for dynamic defense measures on the attack surface. The experimental results verify the feasibility and effectiveness of the model and method.

(1) Considering the complex factors that affect the attacker's behavior, the atomic attack probability is calculated from three aspects, vulnerability value, attack cost and attack profit, which better reflects how the vulnerability is exploited in the actual network.
(2) Combining the Bayesian belief network and the attack graph, a static risk assessment model for attack intention is established. The model is designed for complex networks whose security elements change constantly, so as to improve the accuracy of risk assessment.
(3) The attack path is generated and the total reachability probability of the path is calculated to predict the attack path, which avoids letting the vulnerability of a single network node dominate the path selection and improves the accuracy of the prediction.

Bayesian attack graph establishment
Attack graphs can be divided into state attack graphs and attribute attack graphs. The state attack graph cannot cope with the rapid growth of state nodes, and its structure is not intuitive enough, so it is not suitable for large-scale networks. Each attribute vertex in the attribute attack graph is an independent security element, which avoids the state-explosion problem of the state attack graph. Therefore, the attribute attack graph adapts better to complex large-scale networks. In order to calculate the reachability probability of each vertex in the attack process and the possible attack paths, a Bayesian belief network is used to describe the causal relationship between attacks. Combined with the graph structure of the attack graph, a Bayesian attack graph is created to evaluate the risk of the target network.

Bayesian attack graph definition
The BAG (Bayesian attack graph) is a directed acyclic graph, which can be expressed as , and the specific definition is as follows.
(1) R is the collection of attribute nodes, divided into three categories, namely . Among them, AND means that the attack can only be completed when the states of all parent nodes are true; OR means that the attack can be completed as long as the state of any one parent node is true.
(5) p is the static reachability probability of the attribute node in the attack graph.

Bayesian attack graph structure establishment
The structure of the Bayesian attack graph is similar to that of a general attack graph. This article uses a modeling method to generate the main structure of the attack graph. An example is shown in Figure 1. In Figure 1, R_0 is the initiating node of the attack, and R_1 and R_2 are process attribute nodes, which are the target network nodes of the attacker. S_1 to S_5, and S_6, are atomic attacks. AND means that the attack is realized only if both the atomic attack and the reached attack state are true; OR means that the attack is realized as long as either of them is true, that is, completing either one of the two attack paths shown in Figure 1 is enough to compromise the target node.
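The following is an added example (not code from the paper) that computes the static reachability probability p of each attribute node in a small Bayesian attack graph with AND/OR nodes, built loosely after the description of Figure 1. The graph, the atomic attack probabilities and the AND/OR semantics (an atomic attack succeeds independently with its probability; an AND node needs every incoming attack to succeed from a reached parent, an OR node needs at least one) are assumptions of this example. It also contrasts exact inference over the joint outcomes with the closed-form product/noisy-OR shortcut, which goes wrong when parents share an ancestor.

```python
from itertools import product
from math import prod

# Constructed example graph (loosely after the Figure 1 description): R0 is the
# initiating node, R1/R2 are process attribute nodes, R3 is the target, and
# S1..S6 are atomic attacks with assumed, independent success probabilities.
ATOMIC = {"S1": 0.8, "S2": 0.6, "S3": 0.7, "S4": 0.5, "S5": 0.9, "S6": 0.4}
NODES = {  # node -> (type, [(parent, atomic attack), ...]), in topological order
    "R0": ("ROOT", []),
    "R1": ("OR", [("R0", "S1"), ("R0", "S2")]),
    "R2": ("AND", [("R0", "S3"), ("R1", "S4")]),
    "R3": ("OR", [("R1", "S5"), ("R2", "S6")]),
}

def reached(outcome):
    """Deterministic AND/OR propagation for one joint outcome of the atomic attacks."""
    state = {}
    for node, (kind, edges) in NODES.items():
        if kind == "ROOT":
            state[node] = True
            continue
        hits = [state[parent] and outcome[atk] for parent, atk in edges]
        state[node] = all(hits) if kind == "AND" else any(hits)
    return state

def exact_reachability():
    """Exact static reachability: sum the probability of every joint outcome
    (2^n of them) in which the node ends up reached."""
    names = list(ATOMIC)
    probs = {node: 0.0 for node in NODES}
    for bits in product([False, True], repeat=len(names)):
        outcome = dict(zip(names, bits))
        weight = prod(ATOMIC[a] if ok else 1 - ATOMIC[a] for a, ok in outcome.items())
        for node, on in reached(outcome).items():
            probs[node] += weight if on else 0.0
    return probs

def local_reachability():
    """Closed-form shortcut: AND = product of parent terms, OR = noisy-OR of
    parent terms, treating parents as independent. It is exact only when the
    parents share no ancestors (R3's parents R1 and R2 both depend on R1)."""
    probs = {}
    for node, (kind, edges) in NODES.items():
        if kind == "ROOT":
            probs[node] = 1.0
            continue
        terms = [probs[parent] * ATOMIC[atk] for parent, atk in edges]
        probs[node] = prod(terms) if kind == "AND" else 1 - prod(1 - t for t in terms)
    return probs
```

For R1 and R2 both methods agree (0.92 and 0.322), but for the target R3 the exact value is 0.84088 while the local shortcut gives 0.85015, because R2 already implies R1.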

Bayesian attack graph quantification
The value of a vulnerability is related to the complexity and impact of the attribute node's vulnerability, which is usually quantified using the Common Vulnerability Scoring System (CVSS) [6] provided by the National Vulnerability Database (NVD) of the United States. In this paper, according to the CVSS quantitative standard, a vulnerability is quantified by three indicators: availability, impact and scope. If the attacker exploits the vulnerability, its value is assessed according to the existence and impact of the vulnerability. Therefore, in order to quantify the vulnerability value, we first need to calculate the vulnerability estimation value that represents it, and its formula is:

Basic assumptions of the model
In the actual information security attack and defense game, attackers are usually the originators of the game, and the defenders respond according to their existing strategies. Neither party can observe the other party's action before acting, so both sides can be regarded as moving simultaneously. The attack-defense game model rests on the following three basic assumptions.
Assumption 1 (rationality assumption) The attacker and the defender are completely rational: each chooses strategies according to the principle of maximizing its own benefit.
Assumption 2 (benefit assumption) The game payoffs are evaluated based on the economic value of the information assets.
Assumption 3 (type assumption) The defender has a priori judgment on the probability distribution of the attacker type, and the defender type is common knowledge of the attacker and the defender [7].

Model definition
Generally speaking, the components of an attack-defense game are the players, the strategies and the payoff functions. The effect of executing a strategy is related not only to one's own strategy but also to the opponent's strategy. This is the principle of "strategic dependence" and the basic characteristic of the game process [8].
Definition 2 ADG (attack-defense game) The information security attack-defense game can be described by the quintuple ADG = (N, T, H, P, U), and its specific meaning is as follows:
(1) N represents the set of players participating in the attack-defense game. In the network attack-defense game, the participants are the subjects of strategy selection and the strategy makers. In most network attack-defense games, the two sides can be regarded as a two-player game between the attacker A_a and the defender A_d.
(2) T represents the type space of the attacker A_a and the defender A_d. Based on the possible actions and benefits of the attacker, and on the defender's understanding of the attacker, this article divides attackers into adventurous attackers A_a^h and conservative attackers A_a^l. Adventurous attackers are willing to pay more for more frequent and longer attacks in order to obtain a higher attack success rate, but the probability that the defender collects relevant information and evidence and then pursues legal accountability or counterattacks is also higher. Conservative attackers tend to attack at a lower cost, and their attack success rate is relatively low, but the probability of being held accountable by law or being counterattacked is also low.
and losses of the participants, and the use of different strategies in the game will lead to different game results, so the benefits will also differ. Among them, u_a is the payoff function of the attacker, and u_d is the payoff function of the defender.

Income quantification and calculation method
Quantifying the benefits of both attacker and defender is the basis for quantitative calculation and game analysis, and as the input to the attack-defense game model it directly affects the outcome of the game. Carrying out network attack and defense actions on the intermediary nodes according to the confrontation strategy consumes resources such as manpower, material and computation, but at the same time it generates corresponding security returns, so it has economic characteristics. For the defender, the choice of defense strategy must strike a balance between cost and reward in order to achieve the overall optimum. The related symbols and their descriptions are shown in Table 1. Based on the above definitions, an attack-defense game scenario is established. In the following, we study how to calculate the benefits of both sides for the game between adventurous attackers, conservative attackers and the defender.
① For adventurous attackers, the expected payoffs of the attacker and the defender are obtained as: guidance of this principle, each participant will eventually reach an equilibrium, called the Bayesian Nash equilibrium. Specifically, a Bayesian Nash equilibrium is a combination of the strategies and beliefs of all participants. It satisfies the following condition: given the probability distribution of its own type and of the other players' types, the expected utility of each participant is maximized, that is, no participant has an incentive to choose another strategy [9]. Therefore, the attack strategy under this equilibrium is the attacker's optimal choice, and the defender should choose the defense strategy corresponding to this attack strategy as the optimal defense strategy.
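The following added example (not from the paper) shows the Bayesian Nash equilibrium condition above on a two-type game: the attacker knows whether it is adventurous (h) or conservative (l), the defender knows only a prior over the two types, and a profile is an equilibrium when every attacker type best-responds to the defender's action and the defender best-responds in expectation over the prior. The attacker and defender actions, the payoff tables u_a and u_d and the priors are constructed values, not the paper's Table 1 quantities.

```python
from itertools import product

# Constructed two-type attack-defense game. Attacker types: "h" (adventurous),
# "l" (conservative). The attacker knows its type; the defender knows only the
# prior over types. All payoff numbers below are illustrative assumptions.
TYPES = ("h", "l")
A_ACTIONS = ("heavy", "light")      # attacker strategies
D_ACTIONS = ("harden", "monitor")   # defender strategies

# u_a[type][attacker action][defender action]: attacker payoff (constructed)
U_A = {
    "h": {"heavy": {"harden": 20, "monitor": 60}, "light": {"harden": 15, "monitor": 25}},
    "l": {"heavy": {"harden": -10, "monitor": 30}, "light": {"harden": 10, "monitor": 20}},
}
# u_d[type][attacker action][defender action]: defender payoff (constructed)
U_D = {
    "h": {"heavy": {"harden": -30, "monitor": -80}, "light": {"harden": -35, "monitor": -20}},
    "l": {"heavy": {"harden": -30, "monitor": -70}, "light": {"harden": -35, "monitor": -20}},
}

def defender_expected_utility(prior, attacker_plan, d_action):
    """Expected defender payoff when each attacker type t plays attacker_plan[t]."""
    return sum(prior[t] * U_D[t][attacker_plan[t]][d_action] for t in TYPES)

def pure_bne(prior):
    """Enumerate type-contingent attacker plans x defender actions and keep the
    profiles from which neither any attacker type nor the defender can gain by
    deviating unilaterally (pure-strategy Bayesian Nash equilibria)."""
    equilibria = []
    for plan_actions in product(A_ACTIONS, repeat=len(TYPES)):
        plan = dict(zip(TYPES, plan_actions))
        for d in D_ACTIONS:
            # each attacker type must best-respond to d, knowing its own type
            attacker_ok = all(
                U_A[t][plan[t]][d] >= max(U_A[t][a][d] for a in A_ACTIONS) for t in TYPES)
            # the defender must best-respond in expectation over the type prior
            best_d = max(defender_expected_utility(prior, plan, x) for x in D_ACTIONS)
            defender_ok = defender_expected_utility(prior, plan, d) >= best_d
            if attacker_ok and defender_ok:
                equilibria.append((plan, d))
    return equilibria
```

With a prior of 0.3 on the adventurous type the unique pure equilibrium is (h: heavy, l: light, defender: harden), so hardening is the optimal defense; with a prior of 0.05 no pure-strategy equilibrium exists, which is why the defender's belief about the attacker type matters.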
The strategy portfolio  