1. School of Cyberspace Security, Guangzhou University, Guangzhou, Guangdong 510006, China
2. School of Cyberspace Security, Sun Yat-sen University, Shenzhen, Guangdong 519082, China
QIU Jing, female, born May 1983 in Shijiazhuang, Hebei Province. Professor and doctoral supervisor at the School of Cyberspace Security, Guangzhou University. Main research interests: network security, artificial intelligence, and big data security. Chinese Institute of Electronics member number: E190035636M. E-mail: qiujing@gzhu.edu.cn
NONG Lichen, female, born August 2002 in Baise, Guangxi Zhuang Autonomous Region. Master's student at the School of Cyberspace Security, Guangzhou University. Main research interests: attack-graph risk assessment and attack prediction. E-mail: 2112433038@e.gzhu.edu.cn
SUN Yifei, male, born May 1996 in Ma'anshan, Anhui Province. Postdoctoral researcher at the School of Cyberspace Security, Guangzhou University; received a PhD in Computer Science and Technology from Guangdong University of Technology in 2024. Main research interests: edge computing, Internet of Vehicles, and edge intelligence. E-mail: asunyifei@gzhu.edu.cn
CAO Xiaochun, male, born March 1980 in Anqing, Anhui Province. Dean of the School of Cyberspace Security, Sun Yat-sen University, member of the university Academic Committee, and professor. Main research interests: fundamental research in artificial intelligence and applied research in cyberspace content security. Chinese Institute of Electronics member number: E190013018F. E-mail: caoxiaochun@mail.sysu.edu.cn
CHEN Ximing, male, born November 1996 in Yingkou, Liaoning Province. PhD student at the School of Cyberspace Security, Guangzhou University. Main research interests: threat prediction and risk assessment. E-mail: 2112019039@e.gzhu.edu.cn
ZHANG Ruizhi, male, born September 2001 in Tai'an, Shandong Province. Master's student at the School of Cyberspace Security, Guangzhou University. Main research interest: attack-graph-based security analysis. E-mail: 2112433184@e.gzhu.edu.cn
Received: 2025-08-04
Accepted: 2026-01-07
Published in print: 2026-01-25
Citation: QIU Jing, NONG Lichen, SUN Yifei, et al. A Personalized Risk Assessment Approach for Two-Layer Association Modeling of Attack Techniques and Tactics[J]. Acta Electronica Sinica, 2026, 54(01): 1-18. DOI:10.12263/DZXB.20250681
Guided by the MITRE ATT&CK framework, modeling and assessing cybersecurity risk through attack graphs that capture attackers' tactical objectives and technical methods has become one of the key approaches to countering complex multi-step attack threats. However, as attack scenarios and attack chains grow increasingly intricate, existing ATT&CK-based attack path modeling and risk assessment methods exhibit certain limitations. On the one hand, current attack path modeling only considers direct transition relationships between attack techniques within the ATT&CK framework, overlooking tactical-level attack semantics and weakening the ability to impose high-level semantic constraints on complex multi-stage attack paths. On the other hand, attack-graph-based risk quantification methods that rely on generic vulnerability characteristics overlook differences in how organizations prioritize critical assets, so the assessment outcomes lack personalized asset adaptation. To address these challenges, this paper proposes a personalized risk assessment method based on dual-layer association modeling of attack techniques and tactics. First, a dual-layer association model is constructed to capture potential relationships between techniques and tactics; combined with the Viterbi algorithm, it infers the evolution path of attack tactic stages, introducing tactical-level stage constraints during path inference. Subsequently, a customized threat quantification model is developed by integrating attack behavior attributes with asset-specific characteristics; through a forward algorithm, state transition probabilities are coupled with threat quantification metrics to achieve holistic network security risk assessment. Experimental results demonstrate that, in real-world network environments, the proposed method outperforms existing mainstream assessment models in both path modeling and risk evaluation capability. Compared with competing approaches, it achieves an average improvement of 48.95% in comprehensive risk assessment accuracy, validating its effectiveness and practical value in complex attack scenarios.
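The dual-layer model, the Viterbi stage-path inference and the forward-algorithm risk coupling described in the abstract, as an added toy illustration in Python (not the paper's code): tactics are hidden states, techniques are observations, the transition matrix is constrained so that a tactic stage never regresses, and the forward posterior is weighted by constructed per-tactic impact and asset-criticality values; the ATT&CK technique IDs are real, but their tactic mapping and every number here are assumed for illustration.

```python
# Added illustration (not the paper's code): ATT&CK tactics as hidden stages of an HMM,
# techniques as observations. All probabilities, weights and the mapping are constructed.
TACTICS = ["initial-access", "execution", "persistence", "exfiltration"]
TECHNIQUES = ["T1566", "T1059", "T1053", "T1041"]   # ATT&CK technique IDs, toy mapping
N = len(TACTICS)

def stage_constrained(raw):
    """Tactic-layer constraint: a stage may persist or advance, never regress."""
    rows = []
    for i, row in enumerate(raw):
        kept = [p if j >= i else 0.0 for j, p in enumerate(row)]  # mask backward moves
        rows.append([p / sum(kept) for p in kept])                 # renormalise the row
    return rows

A = stage_constrained([[0.4, 0.4, 0.1, 0.1], [0.2, 0.3, 0.4, 0.1],
                       [0.1, 0.2, 0.4, 0.3], [0.1, 0.1, 0.1, 0.7]])
B = [[0.85, 0.05, 0.05, 0.05], [0.05, 0.70, 0.20, 0.05],   # P(technique | tactic)
     [0.05, 0.15, 0.75, 0.05], [0.05, 0.05, 0.05, 0.85]]
PI = [0.7, 0.1, 0.1, 0.1]                                  # initial tactic distribution
THREAT = [0.2, 0.4, 0.6, 1.0]                              # per-tactic impact weight
ASSET_CRITICALITY = {"web-server": 0.5, "db-server": 1.0}  # organisation-specific weights

def viterbi(techniques):
    """Most probable tactic-stage path (indices into TACTICS) for a technique sequence."""
    obs = [TECHNIQUES.index(t) for t in techniques]
    delta, back = [[PI[i] * B[i][obs[0]] for i in range(N)]], []
    for o in obs[1:]:
        prev = delta[-1]
        ptr = [max(range(N), key=lambda i: prev[i] * A[i][j]) for j in range(N)]
        delta.append([prev[ptr[j]] * A[ptr[j]][j] * B[j][o] for j in range(N)])
        back.append(ptr)
    path = [max(range(N), key=lambda i: delta[-1][i])]
    for ptr in reversed(back):          # follow back-pointers from the best final stage
        path.append(ptr[path[-1]])
    return path[::-1]

def forward_risk(techniques, asset):
    """Forward algorithm coupled with threat weights: (likelihood, risk in [0, 1])."""
    obs = [TECHNIQUES.index(t) for t in techniques]
    alpha = [PI[i] * B[i][obs[0]] for i in range(N)]
    expected_threat = []
    for step, o in enumerate(obs):
        if step > 0:  # alpha_t(j) = sum_i alpha_{t-1}(i) * A[i][j] * B[j][o_t]
            alpha = [sum(alpha[i] * A[i][j] for i in range(N)) * B[j][o] for j in range(N)]
        norm = sum(alpha)  # filtering posterior over tactics, weighted by impact
        expected_threat.append(sum(alpha[i] / norm * THREAT[i] for i in range(N)))
    risk = ASSET_CRITICALITY[asset] * sum(expected_threat) / len(expected_threat)
    return sum(alpha), risk
```

Because the stage constraint zeroes backward transitions, a technique sequence that looks out of order is still decoded to a non-decreasing tactic path, and the same sequence yields a higher risk figure on an asset the organisation marks as more critical.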