Network Attack and Defense Modeling and System Security Analysis: A Novel Approach Using Stochastic Evolutionary Game Petri Net

At present, most network security analysis theory assumes that the players are completely rational. However, this is not consistent with the actual situation. In this paper, based on the effectiveness constraints on both sides with network attack and defense, with the help of stochastic Petri net and evolutionary game theory, the Petri net model of network attack and defense stochastic evolutionary game is reconstructed, the specific definition of the model is given, and the modeling method is given through the network connection relationship and attack and defense strategy set. Using this model, a quantitative analysis of network attack events is carried out to solve a series of indicators related to system security, namely, attack success rate, average attack time, and average system repair time. Finally, the proposed model and analysis method are applied to a classic network attack and defense process for experimental analysis, and the results verify the rationality and accuracy of the model and analysis method.


Introduction
In recent years, the rapid development of information technology has provided great convenience for the country's scientific and technological development and the people's living needs. However, the increasing complexity of network scale also brings growing security problems since malicious entity behaviors are turning to be more threatening, such as the loss of private data, attacks against the network, and detection of these attacks [1,2]. It is particularly important to note that the threat behavior of malicious users poses a great threat to the security of the network system [3]. For example, in a network session, when a malicious user pretends to be a normal user to access the system and conducts unsafe behavior, the network system will be misled by fraudulent behavior. If an entity in the network threatens the security of the system, the network administrator should exercise certain control over it.
However, the traditional passive security defense strategy has been unable to meet the actual needs of network development. It is urgent to analyze and predict the network attack events and then implement the new technology of active security defense [4,5]. In network attack events, the basic characteristics of game theory are target opposition, strategic dependence, and noncooperation. Therefore, game theory has become a popular method for theoretical analysis and modeling of network security proposed in recent years [6,7]. Roy et al. [8] summarize the application results of existing game theory in solving network security problems and classify the solutions according to the applicability of the method. Anderson [9] applied game theory to the problem of network security offense and defense based on the opposition between the two parties in the game and the interdependence of the two parties' strategy selection. Shamma [10] proposed two-person zero-sum games and noncooperative intrusion detection system models and introduced the application of game theory in decision systems. Wu et al. [11] proposed a two-stage game model to provide the optimal security detection strategy for heterogeneous network systems; Li et al. [12] proposed a Stackelberg game model to solve the problem of interactive decision-making between attackers and defenders in network control systems. Liu et al. [13] proposed a network attack and defense game model based on Bayes Nash equilibrium, solved the attack and defense problem through the utility maximization problem, and focused on the attack and defense game problem of insecure information network based on risk aversion. In Zhang et al. [14], in order to more accurately describe the timely response of network confrontation combining with the theory of differential game, the game model of attack and defense differential game is established. Guan et al. [15] believed that the effectiveness of network attack and defense depends on some network performance indicators, which are defined to evaluate the performance of the whole network system. They propose a networked colonial bottom game for the attack defense strategy, which enables attackers and defenders to reasonably allocate limited network resources on each node. In addition, this paper also proposes a coevolution algorithm to obtain the actual behavior set and finally realizes the Nash equilibrium of the mixed strategy. Tan et al. [16] used game theory to analyze the continuous network attack defense process based on the dynamic spatiotemporal confrontation characteristics of network attack and defense, established a FlipIt-based moving target defense and temporospatial strategies model, and gave the quantitative calculation method for the utility of the attacker and the defender. Gao et al. [17] focused on the research of offensive and defensive games between multiple groups of terminals in wireless networks and proposed an optimal strategy selection algorithm based on differential game between multiple attackers and multiple defenders. Finally, through simulation experiments, we demonstrated the evolution trajectory of the optimal strategy.
In summary, in the early research work of network security game models, most researchers pay more attention to preventing attacks in network systems. Later research focuses on designing the system's security mechanism, which is the system's active defense function of network security by detecting and preventing malicious attacks.
Although the above methods provide a lot of research ideas for network security analysis, these methods also have some limitations [18]. Firstly, in a cyber security incident, the actions of both offensive and defensive parties influence each other, and both parties are in a state of ebb and flow. Pure game theory does not have enough modeling ability to completely describe complex network attack events. Secondly, as far as we know, almost all of the existing modeling methods based on game theory set the players in the game as completely rational, but such assumptions are often inconsistent with the actual situation. As a qualitative experimental simulation, sometimes, we can consider this assumption to be reasonable. However, in practical applications, we doubt the rationality of this assumption. In the real network environment, network attack is a kind of man-made behavior. The fundamental reason for its formation is closely related to human interests. The behavior of both sides of the network attack and defense cannot be a completely rational behavior; they show more effective rational behavior. Therefore, if we regard both sides of the game as completely rational players for modeling and analysis, the results will deviate from the actual situation. Similarly, this assumption will greatly weaken the accuracy and guiding significance of the results obtained by the model.
In view of the limitations of the above methods, we transform and upgrade the traditional modeling methods. We find that Petri net is a tool with parallel processing ability and graphical problem description [19]. In addition, in the actual process of network attack and defense, the choice of attack and defense strategies, the change of system environment, and the interference of external factors all have a certain randomness.
There are many references [20,21], which have applied the analysis method based on stochastic model to network security evaluation. However, the stochastic Petri net is formed on the basis of the Petri net. In addition to the basic characteristics of the Petri net, it also has the ability to dynamically analyze the concurrency, asynchrony, and uncertainty of the network system [22]. It can be conveniently used to model and analyze complex systems, such as system performance analysis and reliability evaluation. In addition, stochastic Petri nets have good expansibility [23], and new constructions can be added easily. Therefore, we believe that stochastic Petri nets are more suitable for modeling and security analysis of network systems.
Bounded rationality and repeated games, the two characteristics of network confrontation games [24], are the premise of evolutionary game theory, and evolutionary game theory abandons the defect of traditional game theory that players are completely rational. Therefore, evolutionary game theory can be better used to describe the influence of human factors on the development of network attack and defense and is more suitable for the modeling and analysis of network attack and defense confrontation behavior [25]. Therefore, in order to improve the rationality and accuracy of the model, this paper will take the attack and defense sides of the network under the condition of bounded rationality as the problem object, with the help of evolutionary game theory and stochastic Petri net, construct a network attack and defense model based on stochastic evolutionary game Petri net, and analyze the security of the attacked network system. The contributions of this paper are threefold:
(1) We first analyzed the strategies that the offensive and defensive parties can adopt in a cyber attack event, provided an evaluation program closer to the real world, enabled the research community to conduct systematically, and evaluated a trust model.
(2) We propose to apply stochastic Petri net and evolutionary game theory in the evaluation process of network trust model and discuss the detailed simulation scenarios of modeling.
(3) We apply our stochastic evolutionary game Petri net model to an example classic attack event. The evaluation results suggest that our model can describe in detail the complete process of an attack event. Since the evolutionary game theory is used in the model, after many games, the malicious entity will converge to a final state, which is also the best state. Therefore, the method we propose is more scientific and accurate for the trust evaluation results of network entities.
The rest of the paper is organized as follows. First, we introduce the basic definition and related attributes of stochastic evolutionary game Petri net model in Section 2. Then, we introduce the specific methods of modeling in Section 3. In Section 4, through an example, the proposed model is applied to the actual network attack and defense events. In Section 5, we analyze the experimental results. Finally, we summarize our paper with future work in Section 6.

Petri Net Model of Stochastic Evolutionary Game for Network Attack and Defense
The traditional network attack and defense game model is based on the complete rationality of both sides of the game. In practice, the behavior of both sides of the network attack and defense is a kind of limited rationality. Based on evolutionary game and stochastic Petri net, this paper constructs a Petri net model of network attack defense stochastic evolutionary game.
Definition 1. A Petri net model of stochastic evolutionary game of network attack and defense can be represented by a 9-tuple:
(1) $N = \{N_a, N_d\}$ denotes the set of players; $N_a$ is the attacker, and $N_d$ is the defender.
(2) $P = \{P_1, P_2, \ldots, P_n\}$ is a finite set of places; $P_i$ represents the state of the system after the attack event.
represents the player's behavior strategy. For example, a represents the set of strategies that the defender can adopt. 1] represents the probability that the transition is selected, that is, the probability that the player chooses a certain behavior strategy.
(6) $\lambda = \{\lambda_1, \lambda_2, \ldots, \lambda_n\}$ is a collection of transition implementation rates.
(7) $\Delta = \{\delta_{N_a}, \delta_{N_d}\}$ is the set of random interference intensity coefficients; $\delta_{N_a}$ is the influence intensity coefficient of random interference on the attacker; $\delta_{N_d}$ is the influence intensity coefficient of random interference on the defender.
For the AD-SEGPN model, the behavior choice and implementation of each player depend on their own state and the state and potential behavior of other players. Therefore, it is necessary to build an appropriate model and set the rules of transition according to the specific situation. This paper is based on the trigger rule of transition in classical Petri nets. A token is used to mark the state of the players. If there is a mark in $P_i$, it means that the player is in this position. Any transition may lead to the change of the player's state, which is graphically displayed in the model by the flow of markers.
is the probability that the attacker chooses to implement behavior $t_i$; the defender's strategy is expressed as is the probability that the defender chooses to carry out the action $t_j$.

Modeling Method.
The Petri net model of stochastic evolutionary game inherits the basic elements of stochastic Petri net, such as position, transition, and arc. At the same time, it absorbs the return, utility, strategy, and other elements of player's behavior in evolutionary game theory, so as to realize the modeling and analysis of game process visualization. The specific modeling steps are as follows:
(1) Determine the players in the game and analyze the types of the game.
behavior, that is, triggering the occurrence of changes, will make the state of the whole system change, that is, from one state to another, and connect them by using arcs, so as to form a complete system model.
(5) Determine the utility R. In the AD-SEGPN model, utility R is the income that the actor can obtain after the implementation of transition T, which is recorded as $R: T \to (r_1, r_2, \ldots, r_n)$, $r_i \in (-\infty, +\infty)$. If $r_i < 0$, it means that the actor has paid the price. Utility can be expressed by letters or a utility function. The variables of the function can be associated with their own state parameters and can also be associated with the state parameters of other players in the game.
(6) Evolutionary equilibrium solution. Under the condition of bounded rationality, both sides of evolutionary game will conduct dynamic repeated game through the process of "imitation-learning-strategy adjustment" and finally reach the stable equilibrium state of the game [26]. Refer to Section 3.2 for the specific method of solving evolutionary equilibrium.
(7) Take the equilibrium strategy obtained in (6) as the probability of transition being selected in the model; then, given the transition rate, further calculate the important results related to network security analysis according to the calculation method of stochastic Petri net.

Evolutionary Equilibrium Solution.
In network attack, attacker $N_a$ and defender $N_d$ have a variety of strategies to choose from. Suppose that the attacker $N_a$ can choose $T_{N_a} = \{a_1, a_2, \ldots, a_n\}$ and the defender where $m, n \in N$ and $m, n \geq 2$. Because a network attack event can be regarded as a multistage game process, attackers and defenders will choose strategies with different probabilities in different stages, and the probabilities will change with the passage of time under the effect of the learning mechanism, so that the selection of attack and defense strategies will form a dynamic change process. Finally, the attack and defense sides will find their own equilibrium stable strategy (ESS) [27].
Definition 3. Equilibrium stable strategy in offensive and defensive events. In a network attack and defense event, there is a strategy; if all members of the attacker or defender adopt it, then any mutation strategy will not invade the population under the influence of natural selection. The condition for a strategy x to be ESS of the offensive and defensive events is that for any strategy $y \neq x$.
where $\mu(x, y)$ is the payoff of the attacker's strategy x when interacting with the defender's strategy y.
Let $p_i$ be the probability that the attacker chooses the attack strategy $a_i$, and let $q_j$ be the probability that the defender chooses the defense strategy $d_j$, $i \in n$, $j \in m$:
$$\sum_{i=1}^{n} p_i = 1, \qquad \sum_{j=1}^{m} q_j = 1. \quad (3)$$
$U^{ij}_{N_a}$ and $U^{ij}_{N_d}$ are the respective gains of the attacker and the defender when they take $a_i$ and $d_j$, respectively. In the attack event, the two sides of the game adopt different strategies, which will produce the corresponding income value. The benefits obtained by the attacker and the defender after choosing strategies with different probabilities at a certain stage of the game are shown in Figure 1.
Furthermore, we can calculate the expected return and average return of different strategies chosen by both sides of the game: (1) The expected revenue $U^i_{N_a}$ and average revenue $\bar{U}_{N_a}$ of the attacker are as follows: (2) The expected return $U^j_{N_d}$ and average return $\bar{U}_{N_d}$ of the defender are as follows: In the evolutionary game of network attack and defense, when the attacker chooses a strategy that leads to low profit, he will adjust the current strategy to improve his own profit; the same holds for the defender. Therefore, for both sides of the game, the probability of the behavior strategy available for them to choose is a time function, which can be expressed by $p_i(t)$ and $q_j(t)$, and its dynamic change rate can be expressed by the replicator dynamic equation: By combining formulas (6) and (7), let
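The strategy-adjustment process described in this section, as an added example that is not code from the paper: it integrates the standard deterministic replicator equations $dp_i/dt = p_i (U^i_{N_a} - \bar{U}_{N_a})$ and $dq_j/dt = q_j (U^j_{N_d} - \bar{U}_{N_d})$ for a 2x2 game. The payoff matrices, strategy labels, step size and starting probabilities are constructed for illustration, and the random interference term $\Delta$ of the stochastic model is left out.

```python
"""Added example: deterministic replicator dynamics for a 2x2 attack/defense game."""

# Constructed payoffs (not from the paper). Rows: attacker strategies a_i,
# columns: defender strategies d_j.
ATTACK = ["a1: exploit web server", "a2: stay idle"]
DEFENSE = ["d1: IDS + trap machine", "d2: no action"]
U_A = [[3.0, 5.0],    # attacker payoff U^{ij}_{N_a}
       [0.0, 0.0]]
U_D = [[-1.0, -5.0],  # defender payoff U^{ij}_{N_d}
       [-2.0, 0.0]]


def expected_payoffs(p, q, u_a=U_A, u_d=U_D):
    """Return (U^i_{N_a}, average U_{N_a}, U^j_{N_d}, average U_{N_d})."""
    n, m = len(p), len(q)
    ua_i = [sum(q[j] * u_a[i][j] for j in range(m)) for i in range(n)]
    ud_j = [sum(p[i] * u_d[i][j] for i in range(n)) for j in range(m)]
    ua_avg = sum(p[i] * ua_i[i] for i in range(n))
    ud_avg = sum(q[j] * ud_j[j] for j in range(m))
    return ua_i, ua_avg, ud_j, ud_avg


def replicator_step(p, q, dt, u_a=U_A, u_d=U_D):
    """One explicit-Euler step of dp_i/dt = p_i (U^i - average U), same for q_j."""
    ua_i, ua_avg, ud_j, ud_avg = expected_payoffs(p, q, u_a, u_d)
    p_new = [pi + dt * pi * (ui - ua_avg) for pi, ui in zip(p, ua_i)]
    q_new = [qj + dt * qj * (uj - ud_avg) for qj, uj in zip(q, ud_j)]
    # Renormalise to remove floating-point drift; the exact step keeps the sum at 1.
    sp, sq = sum(p_new), sum(q_new)
    return [x / sp for x in p_new], [x / sq for x in q_new]


def evolve(p0, q0, t_end=40.0, dt=0.01, u_a=U_A, u_d=U_D):
    """Integrate the dynamics; return the trajectory as a list of (t, p, q)."""
    p, q = list(p0), list(q0)
    traj = [(0.0, list(p), list(q))]
    for k in range(1, int(round(t_end / dt)) + 1):
        p, q = replicator_step(p, q, dt, u_a, u_d)
        traj.append((k * dt, p, q))
    return traj


def is_strict_nash(i, j, u_a=U_A, u_d=U_D):
    """True if the pure pair (a_i, d_j) is a strict Nash equilibrium.

    In a two-population game a strict Nash pair is evolutionarily stable.
    """
    best_a = all(u_a[i][j] > u_a[k][j] for k in range(len(u_a)) if k != i)
    best_d = all(u_d[i][j] > u_d[i][l] for l in range(len(u_d[0])) if l != j)
    return best_a and best_d


if __name__ == "__main__":
    for t, p, q in evolve([0.2, 0.8], [0.3, 0.7])[::500]:
        print(f"t={t:5.1f}  p(a1)={p[0]:.4f}  q(d1)={q[0]:.4f}")
    print("strict Nash pairs:",
          [(i, j) for i in range(2) for j in range(2) if is_strict_nash(i, j)])
```

With these payoffs the defender's probability of d1 first falls while attacks are rare and then rises to 1 once the attacker population has shifted to a1; the limiting probabilities are the values that step (7) of the modeling method feeds into the Petri net as transition selection probabilities.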

Experimental Simulation
In this section, we will analyze the rationality and accuracy of our scheme by experimental evaluation. Figure 2 shows a typical network topology, which consists of Internet and intranet. Among them, intranet includes web server, information center, and some private PCs, which are usually chosen by attackers as the target of stealing confidential information. In addition, in the basic network system, IDS is often used to build the basic security control defense system. In practical applications, attackers will steal the confidential information in the system by installing sniffers. The responsibility of network administrators is to obtain the attacker's evidence and relevant information as much as possible and organize the occurrence of attacks.

Attack and Defense Information.
When attackers and defenders choose different behavior strategies with different probabilities, the system will transfer from one state to another in a probabilistic way. According to the network topology shown in Figure 2, we can describe the attack and defense process as follows.

Attack Process
(i) The attacker scans the port of the web server in the target network and analyzes the network services provided by the target server
(ii) The attacker takes advantage of the vulnerability of the web server to obtain the login account and password
(iii) The attacker successfully logs into the system and obtains the root operation permission
(iv) The attacker uses the root privilege to install sniffer on the web server to steal the confidential information on the terminal host

Defense Process
(i) IDS detects the attack and reports it to the server
(ii) According to the reported dangerous behavior information, the server notifies the firewall and trap machine for further observation and tracking
(iii) The trap machine induces the attacker to continue to visit the server, records the attack behavior, and obtains the attack evidence of the attacker
(iv) The server blocks the attacker's IP and clears the sniffer
Based on the above attack and defense process, we can get the behavior set of attack and defense in AD-SEGPN model, as shown in Table 1. Table 2.

Parameter Setting.
According to the model diagram of Figure 3, the parameter information needed in the AD-SEGPN model is given in Table 3, where λ represents the behavior ability of transition and π represents the probability of behavior being selected. The exact value of λ can be assumed according to the difficulty in the actual attack process, and the exact value of π is the calculation result of evolutionary equilibrium strategy in Section 3.2.

Network System Security Analysis
After modeling the network system based on the model proposed above, we use the pipe software to calculate and analyze the AD-SEGPN model shown in Figure 3. Next, we analyze the security of the network system from two aspects. Firstly, we discussed the typical evaluation factors of network system security; then, we made an overall evaluation of network system security from two aspects.

Attack Success Rate.
Attack success rate is the probability that an attacker can attack a target successfully. In our model, the initial position $P_0$ contains a token, which represents the normal state of the system at the beginning. With the attack, the token begins to flow. When the token flows to the location $P_i$, it means that the attacker has successfully invaded a part of the system. Therefore, the attack success rate of the attacker to the system component i can be expressed as
$$P_{N_a \to P_i} = P\{m(P_i) = 1\} = 1 - P\{m(P_i) = 0\}, \quad (8)$$
where $P\{m(P_i) = 1\}$ is the probability that the location $P_i$ contains a token. The calculation results are obtained by the software package pipe. In Figure 4, we get the change of attack success rate with system time under different attack rates.
It can be seen from the figure that, with the increase of attack rate, the probability of successful attack also increases. However, after a period of time, the time required for successful attack becomes longer. This is because the higher the attack rate is, the more frequent the attack occurs, and the easier it is to be detected by the defender. At the same time, when the attack rate is greater than 10, and the system time tends to be stable, the attack success rate is no longer affected by the attack rate.
This is an important result. According to this result, in this case, the defense mechanism of the system only needs to care about the attacker's attack ability and expected benefits and need not consider the attacker's attack rate.
Places and transitions of the model:
P0: The normal state of the system
T0: Vulnerability scan of network system
P1: The vulnerability of the web server was discovered
T1: Obtain user login information
P2: Get normal operation permission
T2: Enhance the operating permission
P3: Get root operation authority
T3: Install sniffer software to invade the host
P4: Implant sniffer
T4: Steal system confidential data resources
P5: System confidential data resources was stolen
T5, T6, T7, T8, T9: IDS_scan
P6: Admin_know
T10: Blockade_IP
P7: Attack_terminated
T11: Remove_sniffer
P8: Sniffer_removed

Average Time of Successful Intrusion.
Because the whole attack process is a progressive process, the attacker intrudes into the system components step by step and ultimately achieves the goal of stealing system confidential data. Therefore, the average time $T_a$ of an attacker's successful intrusion can be calculated as follows.
First of all, the response time of an attacker to complete an attack on a subtarget is $T^i_a = 1/TH_a$, where $TH_a$ is the throughput of transition in the model.
Secondly, $TH_a = \sum_{M \in H} P[M]\,\lambda_a$, where H is the marker set of attack transition, and $\lambda_a$ is the rate of attack transition. Finally, $T_a = \sum_{i=1}^{n} T^i_a / n$, where n refers to the number of subattack targets protected in the whole attack process.
We find that the attack time of attackers increases with time under different attack rates. Moreover, the higher the attack rate is, the more attack time is needed. This is because the higher the attack rate is, the easier the attack behavior is to be found. On the contrary, the smaller the attack rate is, the less likely it is to be found. Therefore, less time is needed for the successful attack. This result is completely in line with the actual situation.

Mean Time to Repair (MTTR) of the System.
System repair time refers to the time from system failure to normal operation. If the location of the token in the model is regarded as a queue, the average repair time of the system can be understood as the average time of the token starting from $P_1$ and returning to $P_0$. Therefore, we define the average repair time of the system as follows: $\mathrm{MTTR} = N/\lambda^*$, where N is the average length of the queue and $\lambda^*$ is the average rate of arrival of the queue. Figure 6 shows the average system repair time versus system time under different attack rates.
As shown in Figure 6, the average repair time of the system increases first and then decreases. This is because, in the initial stage of system attack, the system needs to spend a certain amount of time to find the intrusion point and then repair it. Moreover, we also found that the higher the attack rate, the longer the average repair time of the system. This is because higher intrusion frequency will bring more difficulties to the repair of the system.
In addition, through the analysis of the above experiments, we should note that, in the initial stage of the attack, the lower the frequency of the attack, the smaller the intrusion time, ultimately making the average repair time of the system not lower than that of the high-frequency attack, which is an important conclusion that is easy to be ignored. From this result, we conclude that low-frequency attack behaviors will also have a serious impact on the security of the system, and sometimes even more destructive than high-frequency behaviors, because it occurs at the beginning of the attack event.
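The three indicators defined above (attack success rate $P\{m(P_i) = 1\}$, average intrusion time $T_a$ from transition throughput, and $\mathrm{MTTR} = N/\lambda^*$) computed directly from a small net, as an added example that is not the paper's model or the pipe tool. Place and transition names follow the page; the arcs, the closing transition T12, all rates and selection probabilities, and the use of $\lambda \cdot \pi$ as the effective firing rate are assumptions made for illustration.

```python
import math

# Constructed net: place and transition names follow the page's table; the arcs,
# the closing transition T12, every rate (lambda) and every selection
# probability (pi) are assumptions made for this example.
def build_net(attack_rate=2.0):
    pi_attack, pi_detect = 0.8, 0.6            # stand-ins for equilibrium strategies
    net = [("T0", "P0", "P1", attack_rate, 1.0)]
    for k in range(1, 5):                      # T1..T4: attacker advances P_k -> P_k+1
        net.append((f"T{k}", f"P{k}", f"P{k + 1}", attack_rate, pi_attack))
    for k in range(1, 6):                      # T5..T9: IDS_scan, P1..P5 -> P6
        net.append((f"T{k + 4}", f"P{k}", "P6", 1.5, pi_detect))
    net += [("T10", "P6", "P7", 3.0, 1.0),     # Blockade_IP
            ("T11", "P7", "P8", 2.0, 1.0),     # Remove_sniffer
            ("T12", "P8", "P0", 4.0, 1.0)]     # hypothetical return to normal
    return net


def generator(net):
    """One token, so each place is a CTMC state; effective rate = lambda * pi."""
    places = sorted({p for _, src, dst, _, _ in net for p in (src, dst)})
    idx = {p: i for i, p in enumerate(places)}
    q = [[0.0] * len(places) for _ in places]
    for _, src, dst, lam, sel in net:
        q[idx[src]][idx[dst]] += lam * sel
        q[idx[src]][idx[src]] -= lam * sel
    return places, q


def uniformize(q):
    """Embed the CTMC in a DTMC: P = I + Q / big, with big >= every exit rate."""
    n = len(q)
    big = 2.0 * max(-q[i][i] for i in range(n))
    p = [[(i == j) + q[i][j] / big for j in range(n)] for i in range(n)]
    return p, big


def step(vec, p):
    return [sum(vec[i] * p[i][j] for i in range(len(vec))) for j in range(len(vec))]


def transient(net, start, t):
    """P{m(P_i) = 1} for every place at time t, token initially in `start`."""
    places, q = generator(net)
    p, big = uniformize(q)
    vec = [1.0 if name == start else 0.0 for name in places]
    weight = math.exp(-big * t)                # Poisson(big * t) weight for k = 0
    out, acc, k = [weight * v for v in vec], weight, 0
    while acc < 1.0 - 1e-12 and k < 100000:
        k += 1
        vec = step(vec, p)
        weight *= big * t / k
        acc += weight
        out = [o + weight * v for o, v in zip(out, vec)]
    return dict(zip(places, out))


def steady_state(net, iters=20000):
    places, q = generator(net)
    p, _ = uniformize(q)
    vec = [1.0 / len(places)] * len(places)
    for _ in range(iters):                     # power iteration on the DTMC
        vec = step(vec, p)
    return dict(zip(places, vec))


def metrics(net, normal="P0", attack=("T0", "T1", "T2", "T3", "T4")):
    """Throughput TH, mean intrusion time T_a and MTTR = N / lambda*."""
    pi = steady_state(net)
    th = {name: pi[src] * lam * sel for name, src, _, lam, sel in net}
    t_a = sum(1.0 / th[name] for name in attack) / len(attack)
    arrivals = sum(th[name] for name, src, _, _, _ in net if src == normal)
    mttr = (1.0 - pi[normal]) / arrivals       # Little's law with N = 1 - pi[P0]
    return {"throughput": th, "T_a": t_a, "MTTR": mttr}


if __name__ == "__main__":
    for rate in (2.0, 5.0, 10.0):
        net = build_net(rate)
        m = metrics(net)
        print(rate, round(transient(net, "P0", 1.0)["P5"], 4),
              round(m["T_a"], 3), round(m["MTTR"], 3))
```

Because the net carries a single token, each transition is enabled in exactly one marking, so the sum over $M \in H$ in $TH_a$ reduces to one term per transition.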

Reliability.
Reliability refers to the probability that the network system will continue to provide a certain network service within a certain period of time, and it reflects the continuity of the network system's safe operation [28]. Therefore, in the security research of the network system, we are concerned about the ability of the network system to provide certain network services normally and continuously.
If $S_R$ is the state set when the system provides a certain normal network service, and $X(t)$ represents the state of the system at time t, the mathematical expression of the instantaneous reliability $A_{\text{reliability}}(t)$ of the system in time [0, t] is as follows.
Suppose $X(0) \in S_R$, $\tau = \inf\{t : X(t) \notin S_R\}$, and then $A_{\text{reliability}}(t) = P\{\tau > t\}$. When performing quantitative calculations, we generally use MTTF to describe the steady-state reliability of the system, also known as the inherent reliability of the system, which can express mathematical expectations:

Availability.
Availability refers to the ability to complete the specified functions in a repairable network system in a specified manner of use and maintenance, and within a given time [29]. In the security research of the network system, we are concerned about the steady-state availability of the repairable system, which is mainly used to reflect the specific performance of the process of alternate changes (normal↔failure) between the state of the network system. Suppose that $X(u)$ represents the state of the system at time u, $S_A$ is the set of the system in a normal operating state, and $\pi_i$ is the steady-state probability of the system at time i. Then, the mathematical expression of the steady-state availability $A_{\text{availability}}$ of the network system in time [0, t] is
According to the above formula and the parameter settings in Section 4, we can obtain the changes of reliability and availability with system time, as shown in Figure 7.
From the figure, we can clearly find that the change trend of reliability and availability is that it will gradually decrease at the beginning and then slowly rise to a certain value over time. This performance result is fully in line with the development trend of network attack events. Therefore, for network system administrators, attack behavior should be detected as early as possible, or the attack behavior can be predicted in advance, which is very important to the security of the network system.

Conclusion
This paper presents a novel modeling method for analyzing network attack events (AD-SEGPN), which can deal with the dynamic game problems in network attack and defense environment.
This model not only inherits the game framework of evolutionary game theory, but also fully absorbs the advantages of stochastic Petri net, which can be used to model flexibly.
Through a series of experimental analysis, we can conclude that when the system is in a stable state, the success rate of the attacker's attack has little to do with the rate of attack behavior, which is an important conclusion. According to this conclusion, for a network system, if the system has established a defense mechanism, then the administrator of the system should focus on the attacker's attack ability and his expected return, regardless of the attacker's attack frequency. In addition, we also calculate the trend of intrusion success rate, average intrusion time, and average system repair time with system time under different attack rates. The results show that, for a repairable network system, the lower the attack frequency, the greater the damage to the network, which requires the administrator of the network system to pay attention to the low-frequency detection and prevention of frequent attacks. In the future, our work will focus on optimizing models to meet the needs of more complex network environments and multiple types of network systems [30].

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.

Security and Communication Networks