KR20170091989A - System and method for managing and evaluating security in industry control network - Google Patents


Info

Publication number
KR20170091989A
Authority
KR
South Korea
Prior art keywords
traffic
attack
network
control network
scenario
Application number
KR1020160012967A
Other languages
Korean (ko)
Inventor
이동휘
김윤희
박우빈
최경호
Original Assignee
동신대학교산학협력단
Application filed by 동신대학교산학협력단
Priority to KR1020160012967A
Publication of KR20170091989A

Classifications

    • H04L 43/50 Testing arrangements (under H04L 43/00 Arrangements for monitoring or testing data switching networks)
    • H04L 12/22 Arrangements for preventing the taking of data from a data transmission channel without authorisation (under H04L 12/00 Data switching networks)
    • H04L 63/1408 Network security: detecting or protecting against malicious traffic by monitoring network traffic (under H04L 63/14)
    • H04L 63/30 Network security: supporting lawful interception, monitoring or retaining of communications or communication related information

Abstract

The present invention relates to a system and method for managing and evaluating security in an industry control network. The system may include a normal traffic generation part for generating at least one normal traffic; an attack traffic generation part for generating at least one attack traffic; an evaluation data set generation part for generating a performance evaluation data set by combining at least one normal traffic generated in the normal traffic generation part and at least one attack traffic generated in the attack traffic generation part; a traffic detection part for detecting traffic generated by the performance evaluation data set in a control network; and a traffic analysis part for analyzing the traffic detected by the traffic detection part. It is possible to effectively detect cyber threats.

Description

Technical Field

[0001] The present invention relates to a system and a method for evaluating security control in an industrial control network.

The present invention relates to an industrial control network, and more particularly, to a security control evaluation system and method in an industrial control network for controlling and evaluating security for events occurring in an industrial control network.

Recent cyber attacks are evolving into persistent and intelligent threats known as APT (Advanced Persistent Threat). APT attacks serve various purposes, such as targeted attacks on specific companies, cyber-espionage aimed at stealing confidential national data, and hacktivism, that is, hacking for political and social ends. These threats are carried out over a long period of time through attack stages such as reconnaissance, weaponization, delivery, exploitation and installation, and command and control, and they are well prepared to avoid detection by existing security systems such as anti-virus software ("vaccines") and intrusion detection systems. Even for a company, detecting and responding to such attacks in real time is not easy.

Traditional cyber threats of the 1990s, such as social engineering attacks, packet spoofing, session hijacking and automated scanning, had evolved into targeted attacks by 2010: continuous and intelligent cyber threats, commonly known as APT, such as client software attacks, attacks targeting control systems, continuous malware penetration, and supply chain attacks. Since 2010 they have been expected to develop further into such threats.

The weakness of existing security control systems in industrial control networks against such attacks is that the signatures or profiles used to detect a security incident are defined without first considering the incident's priority, its frequency of occurrence, the severity of the damage, the applicable policies and procedures, or the type of platform or data source. As a result, such systems cannot respond appropriately to new types of intrusive behaviour from internal and external sources, and they are likely to show a high false positive rate for new types of normal use.

In recent years, the trend in industrial control network security control has shifted from traditional rule-based control using signatures toward intelligent control-network security control using artificial intelligence or machine learning methods. Despite these various attempts, such systems are rarely put to practical use because of the technical limitations of machine learning methods. In addition, the state of security control in current industrial control networks is not well understood.

Korean Patent Registration No. 10-1538709 (entitled "Abnormal Activity Detection System and Method for Industrial Control Network", registered July 16, 2015)

An object of the present invention is to provide a system and method for security management evaluation in an industrial control network that can effectively detect and respond to evolving cyber threats, by identifying the limitations of conventional security management methods for responding to cyber threats and proposing a new security management model.

Another object of the present invention is to provide a security management evaluation system and method in an industrial control network that can adapt to changes in normal and abnormal usage patterns as the industrial control network environment changes, by generating normal events and abnormal events suited to the security control of the industrial control network.

A further object of the present invention is to provide a security management evaluation system and method in an industrial control network that verifies and improves a continuously protected industrial control network security environment, by testing that environment with a data set built from combinations of abnormal-symptom scenarios produced by an event generator for the industrial control network.

In order to achieve the above-described object of the present invention and to achieve the specific effects of the present invention described below, the characteristic structure of the present invention is as follows.

According to an aspect of the present invention, there is provided a security management evaluation system in an industrial control network, comprising: a normal traffic generation unit generating at least one normal traffic; an attack traffic generating unit for generating at least one attack traffic; an evaluation data set generation unit for generating a performance evaluation data set by combining at least one normal traffic generated in the normal traffic generation unit and at least one attack traffic generated in the attack traffic generation unit; a traffic detection unit for detecting traffic generated by the performance evaluation data set in the control network; and a traffic analyzer for analyzing the traffic detected by the traffic detector.

The normal traffic generation unit may generate normal traffic based on at least one scenario configured according to the model of the control network.

The normal traffic generator may generate normal traffic based on at least one of an IP (internet protocol), a UDP (user datagram protocol), and a TCP (transmission control protocol).

The attack traffic generating unit may generate attack traffic based on at least one attack scenario configured according to the model of the control network.

Preferably, the attack traffic generating unit may generate attack traffic based on an attack scenario classified by an attacker, an attack purpose, an attackable area, a vulnerability, an action, and a goal.

The system may further include an evaluation result calculation unit for calculating an evaluation result for the control network based on the data analyzed by the traffic analysis unit.

Preferably, the traffic analyzing unit may assign a predetermined weight according to the risk of the detected traffic and analyze the weighted value.

According to another aspect of the present invention, there is provided a method for security management evaluation in an industrial control network, the method comprising: generating at least one normal traffic; generating at least one attack traffic; generating a performance evaluation data set by combining the at least one normal traffic and the at least one attack traffic; detecting traffic generated by the performance evaluation data set in a control network; and analyzing the detected traffic.

The generating of the normal traffic may generate normal traffic based on at least one scenario configured according to the model of the control network.

The generating of the normal traffic may generate normal traffic based on at least one of IP (internet protocol), UDP (user datagram protocol), and TCP (transmission control protocol).

The generating of the attack traffic may generate attack traffic based on at least one attack scenario configured according to the model of the control network.

Advantageously, the step of generating the attack traffic may generate attack traffic based on an attack scenario classified by an attacker, an attack purpose, an attackable area, a vulnerability, an action, and a goal.

The method may further include the step of numerically calculating an evaluation result of the control network based on the analyzed data of the detected traffic.

Preferably, the analyzing of the traffic may be performed by applying predetermined weights according to the risk of the detected traffic.

Meanwhile, the information for performing the security control evaluation method in an industrial control network may be stored in a recording medium readable by a server computer. Such a recording medium includes all kinds of recording media on which programs and data are stored so that they can be read by a computer system. Examples include ROM (read-only memory), RAM (random access memory), CD (compact disk), DVD-ROM (digital video disk), magnetic tape, floppy disk and optical data storage devices, as well as media that carry the information in transmission (for example, transmission over the Internet). Such a recording medium may also be distributed over networked computer systems so that computer-readable code is stored and executed in a distributed manner.

As described above, according to the present invention, it is possible to provide a technical basis for early detection and response, evidence preservation, and cause analysis through rapid analysis of security incidents specific to industrial control networks. In addition, technical countermeasures suited to new intelligent attacks can be prepared quickly.

Further, according to the present invention, the applicability and scalability of the security control system of an industrial control network can be verified, securing advanced intelligent detection technology founded on the evaluation system. The improved selection of appropriate signatures and profiles enabled by the evaluation system, together with the development of feature selection algorithms, can also contribute greatly to the real-time performance, high accuracy and low false positive rate of intelligent detection systems.

FIG. 1 is a diagram showing the configuration of an industrial control network to which the present invention is applied.
FIGS. 2 and 3 are diagrams showing the configuration of a system according to an embodiment of the present invention.
FIG. 4 is a block diagram illustrating the detailed structure of a security control apparatus according to an embodiment of the present invention.
FIG. 5 is a signal flow diagram illustrating a security management evaluation procedure in an industrial control network according to an embodiment of the present invention.
FIG. 6 is a diagram illustrating an attack classification in a control network according to an embodiment of the present invention.
FIG. 7 is a graph showing the results of measurement of symptoms and risk during infection according to an embodiment of the present invention.
FIGS. 8A and 8B are diagrams showing calculation criteria for symptoms upon infection according to an embodiment of the present invention.

The following detailed description of the invention refers to the accompanying drawings, which illustrate, by way of illustration, specific embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention. It should be understood that the various embodiments of the present invention are different, but need not be mutually exclusive. For example, certain features, structures, and characteristics described herein may be implemented in other embodiments without departing from the spirit and scope of the invention in connection with one embodiment. It is also to be understood that the position or arrangement of the individual components within each disclosed embodiment may be varied without departing from the spirit and scope of the invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is to be limited only by the appended claims, along with the full scope of equivalents to which the claims are entitled, if properly explained. In the drawings, like reference numerals refer to the same or similar functions throughout the several views.

Various embodiments of the present invention provide an efficient security management evaluation system and method in an industrial control network by constructing events that express normal and abnormal behaviour, generating them, and verifying whether the generated events are detected by security control in the industrial control network.

In addition, according to various embodiments of the present invention, the detected event can be quantified and evaluated, and an optimum profile and signature of the corresponding industrial control network can be found based on the evaluation system value.

To this end, in various embodiments of the present invention, in order to evaluate the occurrence of a specific event in an industrial control network (a closed network), a normal or abnormal event (e.g., a malicious event) is generated.

Further, in various embodiments of the present invention, the generated event combination may or may not be detected by the security control system, and the count of events weighted by their importance can be compared with the evaluated value, so that anomaly signatures, misuse, and the like can be assessed to evaluate the security status of the system. In addition, the event combination can be generated repeatedly for each day of the week and each time of day to perform a more efficient analysis.

Further, in various embodiments of the present invention, events can be re-evaluated for false positives and missed detections, and such false or missed detections can be suspended and corrected. In this way, the evaluation can be quantified by analyzing the generated event combination against the number of events detected by the security control system.

An Intrusion Detection System (IDS) is a device or application that monitors network or system activity for attacks and reports them to a management station; it is divided into two types, network-based and host-based. A Network Intrusion Detection System (NIDS) detects intrusions by connecting to a network hub or switch configured for port mirroring, or to a network tap, so that it constantly monitors network traffic. A NIDS captures all network traffic and uses sensors to examine the nature of each packet in order to determine whether it is normal or an attack. An example of a NIDS is Snort.

A host-based intrusion detection system (HIDS) monitors processes within a host and analyzes host activity and status, such as system calls, application logs, and changes to the file system such as binary or password files. An example of a HIDS is OSSEC.

IDS detection schemes include signature-based detection and anomaly detection. Signature-based detection is accurate because a pattern of known intrusion behaviour is defined and an event is considered an intrusion only if it matches; however, it is hard to make effective in a network environment where new types of attack occur frequently. Anomaly detection can detect new types of attack because it treats any deviation from the user's normal pattern as a potential attack; before it can be used in practice, however, the weakness that normal operation is mistaken for an intrusion must be resolved.

A typical attack on a network is a series of exploits that take advantage of vulnerabilities in IT systems to compromise security. Each exploit satisfies the preconditions of the following exploits, which establishes a causal relationship between them. Such a set of exploits constitutes an attack path, and an attack graph, which can be regarded as the set of possible attack paths, is used to predict the risks to the IT system and to infer its most vulnerable resources. Isolated vulnerabilities can be identified with vulnerability scanners, but identifying network-wide risk requires a logical formalism for, and correlation of, vulnerabilities spanning one or more hosts. Therefore an IDS based on symptom detection is required over the entire traffic, which reflects the change before and after an attack.

In the present invention, a data set is generated in order to evaluate the performance of a network-based abnormal event monitoring system. To do this, the control network is first modeled to form a normal traffic scenario, and an arbitrary attack scenario is reconstructed from an attack template composed of a corresponding series of unit attacks. According to the present invention, a data generation tool is used to generate an IDS performance evaluation data set in which normal traffic and attack are combined according to the scenario.

In order to evaluate the anomalous-symptom monitoring system in the control network, evaluation methods and procedures are proposed based on per-item weights for the individual risks of detection and non-detection. To verify the validity of the proposed evaluation methods, case studies were conducted, the weights were verified using the AHP (Analytic Hierarchy Process) statistical technique, and the results were compared with those of an experimental system in an experimental network; the final evaluation criteria are presented after this calibration and verification process.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings, so that those skilled in the art can easily carry out the present invention.

First, the structure of a system and an apparatus according to an embodiment of the present invention will be described with reference to FIGS. 1 to 4, and then a procedure according to an embodiment of the present invention will be described in detail with reference to FIG. 5.

FIG. 1 is a diagram showing the configuration of an industrial control network to which the present invention is applied. Referring to FIG. 1, an industrial control network includes an internal business network 110 directly connected to the Internet 130, and a plurality of control networks 120 connected to the internal business network 110.

Hereinafter, the detailed configuration of the internal business network 110 and the control network 120 will be described in detail, and the description of the general technology will be omitted.

Referring to FIG. 1, in the control network connection model the control network 120 is not connected to the Internet and exchanges data with the internal business network 110, which is connected to the Internet, through a Unified Threat Management (UTM) device. A UTM combines router and firewall functions with security functions such as anti-virus (AV) and intrusion prevention (IPS). The main devices that make up the control system are as follows.

- HMI (Human Machine Interface): Provides the various control screens, alarm displays and report output from the information processed by the host.

- Host1: Manages all nodes and the DB of the control network; performs real-time processing of the data and alarms acquired from each node.

- Host2: Backup system synchronized in real time with Host1 for rapid replacement when Host1 fails.

- Engineering Workstation: Calibration and data analysis of field instrument operation at remote field sites.

- DB Server: Records all processing information in the control network (data historian).

- Operational information delivery server / client: Clients located in the control network periodically transmit data to the server in the business network so that the control network can be monitored from the business network. The client also downloads control network system modification / upgrade information from the server.

- System Management Server: Periodically collects system status information and manages hardware / software upgrades of the system. It runs its own database (mysql) and works with the DB Server (mssql).

- FEP (Front End Processor): Performs message transmission and reception and packet assembly and disassembly between the communication lines connected to the RTUs and the host, which is the main control device; supports various communication methods such as DNP3 and TCP/IP.

- RTU (Remote Terminal Unit): Collects data at a remote location and sends it to the FEP.

- PLC (Programmable Logic Controller): An integrated device that controls the functions of various relays, timers and counters through a microprocessor program.

In the embodiment of the present invention, it is possible to judge whether an event is detected or not by evaluating a combination of normal traffic and attack traffic generated according to a preset scenario through the control network 120.

Hereinafter, a packet movement path in the control network model shown in FIG. 1 will be described.

In the control network model of FIG. 1, the flow of packets between terminals can be unidirectional, bidirectional, or via another terminal. Since the control network 120 is not connected to the Internet, device upgrades and external commands are performed through the internal business network 110 or a mobile device (laptop, USB, etc.). Communication between the internal business network 110 and the control network 120 is configured to allow only data exchange between a specific server and client and with the security control server.

Because the actual data of the control network 120 is security-sensitive, the data set used to evaluate the control network IDS according to the embodiment of the present invention is built by combining attack data with background data. One important consideration in creating such a data set is that the structure used to generate the data is reflected in the data itself, and the generated data can have a lasting effect on how the IDS is constructed. If the performance of the IDS on the data set does not match its performance in real-world situations, there is a risk that the system will be unrealistically biased with respect to true detections and false alarms. Careful configuration and verification are therefore required to ensure that the content and structure of the data set do not bias the system developed with the test data. Details of this verification and evaluation are described later.

The data set created for the IDS evaluation is a combination of background data, which contains no attacks at all, and attack data that constructs the attack scenarios. The data generation equipment generates both components at the same time, and the network traffic captured for evaluation consists of the generated background data, the embedded attacks, and the responses of the systems that are part of the test framework. If background data and its responses are regarded as noise, and attack data and its responses as signal, the IDS problem can be characterized as detecting a signal in noise.

In the various embodiments of the present invention, a process of generating background data and attack data using information extracted from normal traffic scenarios and attack traffic scenarios based on the control network model will be described.

For example, according to the control network model, a plurality of (for example, twelve) scenarios can be conceived and normal traffic can be generated based on the IP, UDP, and TCP protocols as follows.

<Example of normal traffic scenarios>

(1) In the business network, K accesses the company site through his PC browser and receives e-mail from the company web mail. He uploads the control information management document attached to the e-mail to the operational information delivery server.

(2) In the business network, P accesses the operational information delivery server from his own PC and downloads files related to control network operation. Some of these files are attached to mail and sent to the relevant authorities.

(3) A network security control server collects security events from agents residing in each server every minute.

(4) The control network manager accesses the operational information delivery server located in the business network from the operational information delivery client to check whether the control network system needs modification or upgrade. Fix information is downloaded to the PLC and the upgrade is applied through the system management server and the host.

(5) Data collected from the field instruments PLC1 / PLC2 by the RTU is transmitted to Host1 every 10 seconds via the FEP.

(6) Information processed in Host1 is periodically transmitted to the DB Server, HMI1 / HMI2, and the Engineering Workstation.

(7) L, who has remote log-in authority on the host, connects to the RPC (Remote Procedure Call) service on a business network PC and copies real-time information on the field state.

(8) The B network security control server collects security events from agents residing in each system every 5 minutes.

(9) The administrator changes the configuration of Host1, FEP, RTU, PLC1 and PLC2 irregularly through the Engineering Workstation.

(10) If there is a change in Host1, Host2 is synchronized in real time through the rsync service.

(11) The operational information delivery client periodically transmits data to the operational information delivery server every 5 minutes.

(12) The system management server periodically receives system status information from Host1, Host2, and the FEP every five minutes.

FIGS. 2 and 3 are diagrams showing the configuration of a system according to an embodiment of the present invention. Referring to FIG. 2, a security control device 200 is provided between the control network 120 and the business network 110 to analyze traffic.

If the flow of packets associated with the control network 120 is classified by intrusion path, it can be divided into traffic within the business network 110, within the control network 120, between the business network and the control network, and between the control network and the remote field sites connected in series through its FEP. Traffic inside the business network does not need to be collected when the classification is limited to the control network. As shown in FIG. 2, the flow of packets can be observed at each traffic analysis point, and the generated normal traffic becomes the background data of the data set for the IDS performance evaluation.

Referring to FIG. 3, the evaluation data set combining normal traffic and attack traffic may instead be generated in a separate traffic generation apparatus 300, and the traffic data exchanged between the separate security control apparatus 200 and the traffic generation apparatus 300 may be detected and evaluated. In the embodiment of the present invention described below, the evaluation data set is generated in a single security control apparatus 200, which also analyzes the traffic detected when the generated data set is executed; however, the present invention is not limited to this arrangement.

FIG. 4 is a block diagram illustrating the detailed structure of a security control apparatus according to an embodiment of the present invention. Referring to FIG. 4, the security control apparatus 200 according to the embodiment of the present invention includes a normal traffic generation unit 410, an attack traffic generation unit 420, an evaluation data set generation unit 430, a traffic detection unit 440, a traffic analysis unit 450 and an evaluation result calculation unit 460.

The normal traffic generation unit 410 generates at least one normal traffic according to a preset scenario. The attack traffic generation unit 420 generates at least one attack traffic according to a preset scenario.

According to an embodiment of the present invention, the evaluation data set generator 430 generates the performance evaluation data set by combining at least one normal traffic generated in the normal traffic generator 410 with at least one attack traffic generated in the attack traffic generator 420. The performance evaluation data set generated by the evaluation data set generator 430 may be executed through the control network 120.

The traffic detection unit 440 can detect traffic generated by the performance evaluation data set executed through the control network 120. The traffic analyzing unit 450 may analyze the traffic detected by the traffic detecting unit 440. The evaluation result calculation unit 460 may calculate and output the result analyzed by the traffic analysis unit 450.

Specific implementations of the respective functional blocks of the security control device 200 will be described later.

In the meantime, the respective components of the apparatus are separately shown in the drawings to show that they can be functionally and logically separated, and do not necessarily mean physically separate components or separate codes.

In this specification, each functional unit (or module) may mean a functional and structural combination of hardware for carrying out the technical idea of the present invention and software for driving that hardware. For example, each functional unit may refer to a logical unit of predetermined code and the hardware resources for executing that code; it does not necessarily mean physically connected code or a single kind of hardware, as can be readily inferred by those of ordinary skill in the field of the invention.

In the foregoing, the structure of the system and the apparatus according to the embodiment of the present invention has been described with reference to the figures. Hereinafter, a procedure according to an embodiment of the present invention will be described in detail with reference to FIG. 5.

FIG. 5 is a signal flow diagram illustrating a security management evaluation procedure in an industrial control network according to an embodiment of the present invention. Referring to FIG. 5, at least one normal traffic may be generated (502) and at least one attack traffic may be generated (504).

Next, the performance evaluation data set may be generated (506) by combining the at least one normal traffic and the at least one attack traffic.

Next, in the control network, traffic generated by the performance evaluation data set may be detected (508), and the detected traffic may be analyzed (510). Lastly, the analysis result may be expressed numerically to calculate the evaluation result (512).

At least one of the operations shown in FIG. 5 may be omitted, and at least one other operation may be added between the operations. The operations shown in FIG. 5 may be processed in the order shown, or the execution order of at least one operation may be changed relative to the other operations. In addition, the operations shown in FIG. 5 may be performed in the electronic device, or may be performed in the server. Further, at least one of the operations shown in FIG. 5 may be performed in the electronic device, and the remaining operations may be implemented in the server.

Meanwhile, the method according to an embodiment of the present invention may be implemented in the form of program instructions which can be executed through various computer means and recorded in a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, and the like, alone or in combination. The program instructions recorded on the medium may be those specially designed and configured for the present invention or may be known and available to those skilled in the art of computer software. Examples of computer-readable media include magnetic media such as hard disks, floppy disks and magnetic tape; optical media such as CD-ROMs and DVDs; magneto-optical media such as floptical disks; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, flash memory, and the like. Examples of program instructions include machine language code such as that produced by a compiler, as well as high-level language code that can be executed by a computer using an interpreter or the like. The hardware devices described above may be configured to operate as one or more software modules to perform the operations of the present invention, and vice versa.

On the other hand, the traffic generated according to the normal traffic scenario can be classified into the four routes described below by extracting the {src_IP, src_Port, dst_IP, dst_Port, Protocol (TCP / UDP)} information of each packet. The extracted packet information can be used by the data generation tool to generate a data set.

First, the traffic between the business network and the control network can be generated as shown in Table 1 below.

Figure pat00001

Next, traffic inside the business network can be generated as shown in Table 2 below.

Figure pat00002

Also, the traffic inside the control network can be generated as shown in Table 3 below.

Figure pat00003

Also, the traffic between the control network and the field site can be generated as shown in Table 4 below.

Figure pat00004

The impact of risk or relative severity can be determined proportionally by the value of the damage to the asset, the value of the loss and the expected frequency of the threat. Here, attack traffic refers to an activity that causes cyber danger.

Hereinafter, classification of attack traffic will be described.

In order to evaluate the anomalous state monitoring system in the control network, as shown in FIG. 6, the embodiment of the present invention can display results in the order Attacker → Purpose → attackable area → vulnerability → behavior.

Hereinafter, detailed attack classification will be described in detail.

(1) attack using system and service configuration vulnerability

Attacks using system and service configuration vulnerabilities exploit weaknesses in the settings of the system and its services, and their level is not very high. Vulnerabilities present in the system can be found with general system analysis tools. Such attacks are relatively easy because they do not require advanced techniques such as writing special source code; if system commands can be used, the attack is even easier.

Classified in detail, these attack techniques include using write-access vulnerabilities in the file system, using SUID program management problems, and using environment variables. An example of abusing the file permissions (rwxs-rwx-rwx) commonly used in Unix systems, a method that can easily be applied to an attack if system commands can be used and system settings can be checked, is as follows.

a. Attack using write permission vulnerability

Multi-user operating systems prohibit users from reading each other's files or writing other contents to them for security reasons. This mechanism is called permissions and is used to prevent other users' files from being accessed at will. Permissions consist of three rights: read, write, and execute. In other words, by granting each access right to a file or directory, only the authorized user (or group) can access and execute the file, so that the file or directory can be shared securely with others or kept for personal use only.

Permissions are divided into the owner, the group to which the owner belongs, and other users. If the administrator gives wrong permissions to a file or directory, an unauthorized person can perform a malicious action by executing a specific file.

b. Attacks using Suid program management issues

Generally, a file runs with the permissions of the user who executed it, but if Suid is set, it runs with the permissions of the file's owner. For example, the password file requires administrator privileges; in this case, Suid allows the user to temporarily acquire administrative privileges and modify the password. Therefore, if the Suid privilege is given incorrectly when a file is created, an attacker can execute the program and carry out a cyber attack with the administrator's authority without any restriction.

(2) Attack using program vulnerability

Attack techniques that exploit program vulnerabilities rely on vulnerabilities resulting from security errors in programming and from security errors in program operation. In the latter case, the problem may occur in a single program, but in some cases problems occur only when several programs are executed at the same time. A problem caused by an error in program operation is published as an advisory for the specific program and can be patched.

The technique of using program errors is the core of hacking: CGI / JAVA script vulnerabilities, ASP and PHP script vulnerability attacks, buffer overflow attacks, heap overflow attacks, race condition attacks, format string attacks, etc. Exploiting the vulnerabilities of the various scripting languages basically requires the ability to read the various source files. In general, the vulnerabilities of such scripts are mostly used in combination with other hacking techniques rather than for hacking by the script problem alone.

a. Buffer Overflow Attack

Buffer overflow refers to the phenomenon in which data (mainly strings) stored in the memory space allocated to an array spill beyond the allocated space into other storage, that is, an array boundary violation at runtime. Depending on the programming language, array bounds may or may not be enforced at runtime, and C / C++ is one of the more typical languages that allow boundary violations. Buffer overflow can be a tool for security breaches because most buffers (array space) can be allocated in the stack area, and control information such as the return address that determines program flow exists next to the buffer. That is, if data overflows the buffer and overwrites the control information, and the overwritten address points to where malicious code exists, the program no longer executes according to its original purpose and the attacker's intended function is performed instead.

Buffer is a kind of temporary storage space for temporarily storing data. There are two types of buffers: Stack and Heap. Therefore, buffer overflow attacks are classified into stack-based buffer overflow and heap-based buffer overflow.

b. Format string attack

A format string is a symbol used in the C language to accept or output data variables in a certain form in input / output statements. An attacker exploits an incorrectly used output statement to target an actual memory address and change it to a desired value, or to steal system administrator privileges.

(3) Attack using protocol vulnerability

In the case of an attack technique using a protocol vulnerability, the hacker must understand the various protocols themselves; therefore, its level is higher than that of other hacking techniques. In general, hacking using protocol vulnerabilities is mostly done with a pre-written hacking program.

The TCP / IP protocol, which is a typical Internet protocol, was initiated by the DoD (Department of Defense) of the United States in the 1960s as a communication technology business and was completed in 1975 by the ARPANET IFIP (International Federation of Information Processing Work Group 6.1). The TCP / IP protocol consists of multiple layers for data communication. The TCP protocol is a protocol for sending and receiving data. It is very vulnerable to cyber attacks because it focuses on the usability rather than the security aspect. Currently, the Internet is based on TCP / IP, and hackers are still performing cyber attacks using TCP / IP protocol vulnerabilities.

Vulnerabilities in the protocol include not only TCP / IP but also design weaknesses of various Internet protocols (ICMP, ARP, RARP, UDP, etc.).

a. DoS attack

An attack in which many computers distributed over the network send packets to specific computer equipment (servers, etc.) at once, flooding the network and exhausting the availability of that equipment. The computer users have no intention of attacking, but their computers have been compromised by a hacker and attack unwittingly. A hacker compromises a number of computers regardless of the attack target, installs an attack program (trojan horse), and sends an attack command to the zombie PCs. It is difficult to find the actual attacker because the targeted server is attacked from the computers where the Trojan horse is installed.

DDoS attacks are divided into flooding attacks, connection attacks and application attacks. In recent years, methods that destroy the hard disk (HDD) have also become increasingly sophisticated. A DDoS attack must first secure zombie PCs, then attack the victim system all at once by attack command. DDoS attacks are mainly performed by specialized hacking organizations, for example to cause national confusion or to damage a corporate image by attacking game companies or financial institutions.

b. Sniffing Attack

The word "sniffing" literally means smelling or sniffing around. True to its dictionary meaning, this attack is the act of listening in on the other party's Internet communication on the network. Simply put, the process of eavesdropping on network traffic is called "sniffing." Sniffing attacks are difficult to block, and detection is not easy. A program that performs sniffing is called a "sniffer", and installing a sniffer is similar to placing a wiretap on a telephone.

Sniffing is an attack method that damages confidentiality, one of the basic elements of security, and it can capture communication contents passing over the Internet. To cope with such an attack, data must be encrypted in transit.

Sniffing on a LAN works in promiscuous mode. A LAN card has a configured IP address and unique MAC (Media Access Control) information; it checks the IP address and MAC information of incoming frames according to the protocol type and accepts into its buffer only those addressed to itself. A sniffer, however, accepts all the other network traffic it should not receive. Promiscuous mode is a state in which the card accepts all packets regardless of its own network information (IP, MAC). Typical attack techniques include switch jamming, ARP redirect attacks, ARP spoofing attacks, and ICMP redirect attacks.

(4) Attacks using social engineering

a. Phishing

Phishing is a type of social engineering that uses email or instant messenger to pretend to be a message sent by a trusted person or company and to steal passwords, credit card numbers, and other confidential information. The term 'phishing' comes from the use of increasingly complex baits to 'catch' users' financial information and passwords.

Unlike ordinary hackers, Internet scammers (phishers) are not interested in publicizing the hardware and software they have compromised or their own names, and are only interested in monetary gain through financial fraud.

Phish attackers are constantly developing and improving technologies that can anonymously and cost-effectively extract valuable information through more effective means.

Some of the most common types of phishing include domain spoofing, impersonation of trusted official agencies, fabricated social news articles, and fake sites.

b. Mail attack

A mail attack means sending e-mails or newsgroup articles for a specific purpose to an unspecified number of people on the Internet regardless of the recipients' intentions. Most spam consists of unwanted, uninteresting messages, or articles unrelated to the discussion topic of a newsgroup, and is used to advertise products to a large number of people or to send out e-mails intended to defame a particular product or business.

(5) Attack by malware

Malicious code attacks use viruses, trojans, and backdoor worms. In particular, backdoor worms are the most commonly used because they hack the system and copy themselves. Trojans and backdoor worms come in a wide variety of forms, and in recent years there have also been programs with easy-to-use interfaces that allow them to be used by non-experts. Attacks using backdoor worms require an understanding of vulnerabilities in the operating system or application programs and the ability to produce programs. The types of malicious code are as follows.

a. virus

A virus is code or a program that infiltrates a computer system and destroys computer systems and files by inserting itself into, or transforming, a host program or executable file and infecting others. A virus performs malicious actions such as causing abnormal operation of the computer, deleting data, degrading computer performance, and slowing Internet speed.

b. Worm

A worm is a self-replicating piece of program that runs independently without a host program or file, replicating itself and moving between programs or between computers, and propagating in the form of code or an executable. A worm performs malicious actions such as copying itself, sending e-mails without the user's knowledge, and inserting new code into normal files that were not distributed by the program or developer. Viruses and worms both self-replicate, but they differ in how they propagate: a virus spreads by being inserted into a file or similar, whereas a worm propagates itself through the network independently of any file.

c. Trojan Horse

A Trojan Horse is a program that masquerades as a normal program but contains malicious routines. A Trojan Horse is embedded in another program without the user's knowledge and cannot copy itself. It differs from a program bug because an attacker deliberately inserts it, and differs from a worm or virus because it cannot replicate itself. Major malicious activities of a Trojan Horse include backdoor installation, DDoS attacks, and collection of IDs and passwords through key logging. A Trojan Horse cannot self-replicate or infect other files; the user runs it, and the damage follows. A virus, by contrast, propagates by infecting normal boot areas and files.

d. Bot

Bot is a program that allows an attacker to take control of a user's computer. It infects the user's computer in various ways and operates according to the instructions of the Bot Master. Bot Master can not only control bot infected computer but also collect information stored in computer, so it can be used for attacking other systems. The case where these bots form a network is called a botnet.

e. Key-logger

Key-logger is a malicious code that monitors the input from the keyboard and sends it to the attacker. The key-logger performs malicious actions that can steal all data such as ID, password, social security number, account number, credit card number, etc. entered by the user of the infected computer through the keyboard.

Hereinafter, various attack scenarios based on the attack method will be described.

The attack subject is a worm or bot planted by an external hacker, or an insider, attacking the control network. The attack route is intrusion or infection from inside or outside the control network, or infection via USB on a control network system.

The attacker's goals on the control network are abnormal operation of the control network through information leakage, control system suspension, monitoring changes, malicious control command transmission, and malicious code propagation.

To acquire information for attack, internal information is acquired by using Port scan, IP scan, and Function scan.

The attack scenarios are as follows. Unlike the attack methods, the scenario numbers can be assigned as separate serial numbers for the test.

1. Attack using a worm

(1) Stuxnet (Dropper.Stuxnet.611840)

Stuxnet is introduced into the B network (control network) through an infected USB device. It self-replicates using the autorun function of removable storage media and the LNK auto-execution vulnerability of MS Windows shortcut files, updates itself by a P2P method on the LAN, attempts to evade existing anti-virus software, and carries a Windows rootkit.

Looking briefly at the Stuxnet attack scenario, the attacker first obtains the design documents of the control system. The design documents are obtained through internal staff or through early versions of Stuxnet and other malicious binaries. The control network is then attacked based on the obtained design documents.

The test method models the Stuxnet attack method against the target control system.

When the test is completed, direct infection is attempted with the access authority of the infected person. All functions for destroying the target control system are already implemented in the Stuxnet executable; after changing the PLC code from the infected computer, the PLC system is destroyed and the code changes are hidden.

The scenario by the Stuxnet can be expressed as shown in Table 5 below.

No. | Outgoing address (port) | Receiving address (port) | Attack | Other
1 | Control network 192.168.109.151 (HMI2), port 44808 | Control network 192.168.109.1 ~ 192.168.109.255 (Operational Information Delivery Server), port 5000 or RANDOM | Dropper.Stuxnet.611840 | USB and networks
2 | Control network 192.168.109.53 (FEP) | Control network 192.168.109.103 (RTU) | Dropper.Stuxnet.611840 |
3 | Control network 192.168.109.103 (RTU) | Control network 192.168.109.102 (PLC) | Dropper.Stuxnet.611840 |

The results of the control network risk analysis by the Stuxnet are shown in Table 6 below.

Item | Score
Acquisition of infection target (maximum 20 points) | 18
Infection path (maximum 15 points) | 15
Symptoms of infection (maximum 25 points) | 25
Defense measure difficulty (maximum 5 points) | 5
Expected assets (maximum 10 points) | 10
Risk total score (maximum 75 points) | 73

Other attacking examples to be described below may be explained as shown in Table 5 and Table 6, but detailed embodiments thereof will be omitted.

(2) Duqu (W.32 Duqu)

The insider infects the HMI of the B network with W.32 Duqu via USB, and keyboard input and system information are stored in the DB server of the B network. From the operational information delivery server of the A network, the DB server is accessed to obtain the logged information. The captured data can be used for future attacks.

(3) Slammer (Worm.SQL.Slammer)

While Worm.SQL.Slammer propagates from the A network web server through the A network operational information delivery server into the B network, the FEP is infected with the Slammer worm and stops under the resulting DDoS load. As a result, the information of the field devices cannot be confirmed in the control network.

2. Mail + worm virus

(4) LovGate.worm.155648 is delivered to the mail server of the A network by targeted spam mail from outside and propagates throughout the A network. The worm replicates across the B network through the operational information delivery server, opens port 20168, and infects files with the *.EXE extension.

(5) A crawler bot is planted while e-mail sent by an external botnet is being checked on a personal PC of network A, so that the crawler bot spreads throughout the A network and forms a malicious network of zombies. The botnet of network A then penetrates the B network and turns the entire B network into a malicious network, issuing malicious control commands to the field devices.

(6) Spam e-mail infects a PC with malicious code called DNS changer, which connects to a DNS server operated by the attacker rather than the DNS server configured on the PC. The PC is then infected with MyDoom.worm.32768, port 3127 is opened, and remote control is performed by accessing it from outside without access authority. The attacker infects the HMI of the B network with MyDoom.worm.32768 through the operational information delivery server from the personal network of the A network, and sends malicious control commands by remote control to overload the PLC.

3. Hacking

(7) A personal computer user of the A network downloads from an external website an attachment in which the hacker has hidden a keylogger program. When the attachment is executed, the keylogger is installed on the A network system and propagates to the HMI and Engineering Workstation in the B network. The keylogger installed on the HMI and Engineering Workstation then transmits the logged information to the Internet.

(8) The insider installs the keylogger on the system management server of the B network via the operational information delivery server through the personal PC of the A network. The keylogger then transmits the information to the Internet.

(9) The insider connects to the B network HMI via the operation information delivery server through the personal PC of network A and sends the dangerous control command to FEP → RTU → PLC to stop the PLC.

(10) A hacker, from a personal PC, goes through the operational information delivery server and manipulates the data transmitted from the B network host to the HMI in a Man-in-the-Middle attack, thereby providing erroneous data to the HMI.

(11) A hacker spreads a malicious bot from his PC to another system; the infected PC can then be remotely controlled by the hacker, who accesses the HMI of the B network through the operational information delivery server.

4. Insiders

(12) Insider infects Witty.Worm on DB server of B network via USB and damages data, and network traffic increases from UDP port 4000 to HMI.

(13) The insider of the D network transmits an abnormal control command to the HMI in the B network.

(14) The insider of E network infects Trojan.Win32.Agent.500224.B to DB server in B network. DB information and user information can be leaked to the outside.

(15) The insider infects the HMI of the B network with Trojan.Win32.S.Agent.881848 via USB, and the information of the PLC infected with the malicious code is stored through the FEP and the RTU in the DB server of the B network. DB information and user information can be leaked to the outside.

(16) The insider transfers operating information via USB. Malicious code on the infected client sends internal information to the E network (or D network) through the host.

(17) An executable file downloaded from P2P is saved to USB and transferred to the operational information delivery client, where it is executed. Warpigs.worm.67104 infects the whole B network, opens port 113, and sends packets to the operational information delivery server.

(18) After collecting information on the network by port scan and IP scan from the HMI of the B network via USB, Bugbear.B infects the Engineering Workstation and host in the B network and infects executable files.

(19) After Trojan.Win32.Bymer is introduced into the HMI of the B network through USB, it propagates to the Engineering Workstation and host in the B network without first collecting information on the network.

(20) Dropper.S.Agent.138949.A, introduced into the operational information delivery client via USB, sends internal information through the A network to the Internet.

5. Additional attacks in attack scenarios

(21) Add an overflow attack to scenario 15 to leak DB Data to the outside.

(22) Add a sniffing attack in scenario # 6 to overload the PLC and stop it.

6. Multiple concurrent attacks

(23) Attacking scenario 4, 6, 9, and 14 at the same time to infect files that can be extended with * .EXE throughout B network, DOWN the field device PLC and leak DB data to the outside.

Each attack scenario described above can be classified into tools, vulnerabilities, behaviors, and targets, and scenarios for each detailed attack classification can be applied.

Next, an example of an abnormal symptom detection method using normal traffic and abnormal traffic will be described according to an embodiment of the present invention.

Referring to FIGS. 1 and 2, in the network configuration, the control network 120 is not connected to the Internet; it is connected through Unified Threat Management (UTM) to the internal business network 110, which is connected to the Internet.

The control network abnormality monitoring system (security control apparatus 200) can be installed in the control network 120 through the mirroring port of the switch.

For example, the security control apparatus 200 can detect all traffic other than the normal traffic in the control network (B network) by loading only the normal traffic, derived from the normal traffic scenario and the background data, into the Snort-based N-IDS. Also, according to the embodiment of the present invention, testing can be performed as shown in Table 7 using the above-described attack scenarios (1) to (23). Attack scenarios may utilize the traffic generating device 300 of FIG. 3 (e.g., BPS-10K equipment).

Scenario | Abnormal history | Detection history | Not detected
Worm virus | 30 | 30 | 0
Scenario 1 | 3 | 2 | 1
Scenario 2 | 5 | 3 | 2
Scenario 3 | 2 | 2 | 0
Scenario 4 | 1 | 1 | 0
Scenario 5 | 1 | 1 | 0
Scenario 6 | 2 | 1 | 1
Scenario 7 | 2 | 2 | 0
Scenario 8 | 2 | 2 | 0
Scenario 9 | 3 | 3 | 0
Scenario 10 | 2 | 2 | 0
Scenario 11 | 2 | 2 | 0
Scenario 12 | 1 | 1 | 0
Scenario 13 | 1 | 1 | 0
Scenario 14 | 1 | 1 | 0
Scenario 15 | 2 | 2 | 0
Scenario 16 | 2 | 2 | 0
Scenario 17 | 2 | 2 | 0
Scenario 18 | 2 | 2 | 0
Scenario 19 | 2 | 2 | 0
Scenario 20 | 1 | 1 | 0
Scenario 21 | 2 | 2 | 0
Scenario 22 | 4 | 4 | 0
Scenario 23 | 10 | 10 | 0
Total | 85 | 81 | 4
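The two steps above, extracting the 5-tuple to sort flows into the four normal-traffic routes and then flagging everything the Snort-style N-IDS has not seen in the normal dataset, as an added example that is not part of the patent or of any product it names. The A network and field site subnets, the host roles, the ports and every flow are constructed assumptions (only the 192.168.109.0/24 B network comes from Table 5); the attack flows were chosen so that Scenario 1 reproduces the 3 / 2 / 1 row of Table 7, which also shows why an attack riding a whitelisted channel goes undetected.

```python
"""Added example: 5-tuple route classification plus a whitelist detector learned
from normal-scenario traffic, tallied per attack scenario like Table 7.
All subnets, hosts, ports and flows are constructed for the example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed address plan: the B (control) network range is the one in Table 5,
# the A (business) network and field site ranges are constructed.
ZONES = {
    "business": ip_network("10.10.0.0/16"),
    "control": ip_network("192.168.109.0/24"),
    "field": ip_network("192.168.200.0/24"),
}
# The four routes of Tables 1 to 4, keyed by the set of zones a flow touches.
ROUTES = {
    frozenset({"business", "control"}): "business-control",
    frozenset({"business"}): "business",
    frozenset({"control"}): "control",
    frozenset({"control", "field"}): "control-field",
}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def flow_key(pkt: dict) -> tuple:
    """The {src_IP, src_Port, dst_IP, dst_Port, Protocol} key extracted per packet."""
    return (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])


def classify_route(pkt: dict) -> str:
    """Map a packet to one of the four routes, or 'other' if it leaves the plan."""
    ends = frozenset({zone_of(pkt["src_ip"]), zone_of(pkt["dst_ip"])})
    return ROUTES.get(ends, "other")


def build_whitelist(normal_pkts) -> set:
    """Learn allowed (route, dst_ip, dst_port, proto) services from normal traffic.
    The ephemeral source port is dropped so client flows generalise."""
    allowed = set()
    for p in normal_pkts:
        _src, _sport, dst, dport, proto = flow_key(p)
        allowed.add((classify_route(p), dst, dport, proto))
    return allowed


def is_alert(pkt: dict, whitelist: set) -> bool:
    """Whitelist N-IDS: any flow absent from the normal dataset raises an alert."""
    return (classify_route(pkt), pkt["dst_ip"], pkt["dst_port"], pkt["proto"]) not in whitelist


def evaluate(test_pkts, whitelist: set):
    """Per scenario: abnormal flows, detected, not detected. Flows labelled None are
    normal background; alerts on them are counted as false positives."""
    tally = defaultdict(lambda: {"abnormal": 0, "detected": 0, "not_detected": 0})
    false_positives = 0
    for label, pkt in test_pkts:
        alert = is_alert(pkt, whitelist)
        if label is None:
            false_positives += int(alert)
            continue
        tally[label]["abnormal"] += 1
        tally[label]["detected" if alert else "not_detected"] += 1
    return dict(tally), false_positives


def P(src, sport, dst, dport, proto):
    return {"src_ip": src, "src_port": sport, "dst_ip": dst, "dst_port": dport, "proto": proto}


# Constructed normal-scenario dataset, covering each of the four routes.
NORMAL = [
    P("10.10.1.20", 51000, "192.168.109.10", 5000, "TCP"),       # A network -> operational info server
    P("10.10.1.20", 51001, "10.10.0.5", 53, "UDP"),              # inside A network (DNS)
    P("192.168.109.151", 40100, "192.168.109.10", 5000, "TCP"),  # HMI2 -> operational info server
    P("192.168.109.151", 40101, "192.168.109.53", 502, "TCP"),   # HMI2 -> FEP
    P("192.168.109.53", 40200, "192.168.200.7", 502, "TCP"),     # FEP -> field device
]

# Constructed test dataset: normal background (None) mixed with attack flows
# labelled by the scenario numbers used in the text.
TEST = [
    (None, P("192.168.109.151", 40300, "192.168.109.53", 502, "TCP")),
    (None, P("10.10.1.21", 51500, "192.168.109.10", 5000, "TCP")),
    # Scenario 1 (Stuxnet, Table 5): HMI2 -> server on the normal port is missed
    (1, P("192.168.109.151", 44808, "192.168.109.10", 5000, "TCP")),
    (1, P("192.168.109.53", 44809, "192.168.109.103", 49152, "TCP")),   # FEP -> RTU
    (1, P("192.168.109.103", 44810, "192.168.109.102", 49153, "TCP")),  # RTU -> PLC
    # Scenario 4 (LovGate): port 20168 opened inside the B network
    (4, P("192.168.109.77", 3300, "192.168.109.151", 20168, "TCP")),
    # Scenario 12 (Witty): UDP port 4000 traffic toward the HMI
    (12, P("192.168.109.60", 4000, "192.168.109.151", 4000, "UDP")),
]


def run():
    return evaluate(TEST, build_whitelist(NORMAL))


if __name__ == "__main__":
    tally, fps = run()
    for scenario, row in sorted(tally.items()):
        print(f"Scenario {scenario}: {row}")
    print("false positives on normal traffic:", fps)
```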

Next, a method and a procedure for evaluating an abnormal symptom monitoring system using a data set according to various embodiments of the present invention will be described in detail.

In various embodiments of the present invention, an evaluation method and procedure are proposed for the anomalous symptom monitoring system in the control network, based on per-item weighting of the individual risk of detection and non-detection. To verify the validity of the proposed evaluation method, calibration was carried out using a case study, verification was performed using the AHP statistical technique, and a comparative analysis was made against the experimental system in the experimental network.

<Evaluation Items>

1. Scenario Attack

(1) Detection of sequential scenario attacks (Scenarios 1 to 20)

(2) Whether or not detection is performed when another attack is used in the same scenario (Scenario 21-22)

(3) Detection in simultaneous multiple attack (scenario 23)

2. Alarm control

(1) Whether normal scenario alarm control

- In the control network, if the anomaly monitoring system is asked to alarm on the traffic related to the normal scenario, check whether the requested feature can be detected. (yes / no)

(2) Whether the alarm information is detailed when an attack is detected

- In the control network, when attack traffic is detected, check whether the attack information, the attack level, the detailed attack description, and the resolution method are listed in the alarm information. (yes / no)

(3) Separate alarms for multiple simultaneous attacks

- In the control network, when two or more attack scenarios are run and multiple attacks are performed, check whether the alarms are raised separately for each attack's traffic. (yes / no)

(4) The degree of whitelist expression

- Check whether the abnormal symptom monitoring system raises an attack detection in the normal situation in the control network. (yes / no)

<Evaluation method>

The evaluation criteria for the control network abnormality monitoring system using datasets are calculated by adding the weighting variables based on the evaluation items described above.

The evaluation score R for calculating the evaluation of the anomalous symptom monitoring system based on the above method can be expressed as Equation (1) below.

Figure pat00005

In the above equation (1), λ is an alarm control, i and j are variable items, x is a scenario attack detection, and α and b are weighting variables.

The evaluation of the scenario attack according to the characteristics of the control network can be classified into the acquisition of the detection target, the infection path at the time of acquisition failure, symptoms at the time of infection, difficulty of defensive measures, and the like. Defensive Action Difficulty is a criterion that must be included in the evaluation because it is important from a reactive point of view.

There are two broad categories of additional considerations. In case of detection failure, the first should take into account the weight of the specific asset when it becomes the object of infection, and second, the state of the weight of the failure of each system should be integrated and reflected.

As a result of the above scenarios, 20 scenario attacks and attacks with the worm viruses known to date can be run. By adding weights for attacks that go undetected, the symptoms and risk at the time of infection can be measured.

The symptoms at the time of infection are largely classified into network symptoms and system symptoms, and the risk calculation items can be shown in FIG.

Hereinafter, each of the above items will be described in detail.

(1) network physical failure

Network physical failures include the inability to use network equipment, slowing down the network to which the infected system belongs, and slowing down the network between infected systems and specific systems.

(2) Network service failure

Network service failures cause problems such as DNS becoming unreachable, a specific web server becoming inaccessible, or a session being hijacked when a specific web server is accessed.

(3) Network potential failure

Network potential failures are actions carried out for purposes beyond what the worm virus itself performs. A backdoor may be installed or a backdoor port opened to stage a secondary attack; a Trojan or backdoor may be downloaded by connecting to a specific site; or a denial-of-service attack may be mounted by sending a large volume of packets to a specific site.

(4) System physical failure

System physical failures include system devices becoming unusable, hard disk formatting, an unbootable OS, OS shutdown or reboot, corruption of critical system files, information leakage, file tampering and deletion, and theft of user passwords through keylogging. Physical failures of the system represent high risk because information is both leaked and destroyed.

(5) System service failure

System service failures are those that interfere with services, such as forcibly terminating running security-related processes or preventing anti-virus programs from executing.

(6) System potential failure

Recent attacks on the control network may be delivered via USB media, social engineering, or exploitation of vulnerabilities, but they also propagate latently by copying themselves into the shared folders used by each application.

<Calculation of score by scenario>

In the control network, the anomaly monitoring system can be tested scenario by scenario by mixing the attack dataset with the normal dataset, and the result can be calculated as follows.

The criteria for calculating the symptoms at the time of infection can be set as shown in FIGS. 8A and 8B.
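The mixing step and the per-scenario bookkeeping behind it, as an added example that is not the patent's own code: constructed normal flows (modelled here as cyclic Modbus/TCP polling on port 502, an assumption about the control-network model) are interleaved with attack flows tagged by scenario, and the monitor's alarms are matched back to that ground truth by (src, dst, dport) within a time window, which is this example's matching rule. The output is the detected / not-detected count per scenario plus the number of alarms raised on normal traffic, which is the "normal situation" check from the evaluation items above. Flow records, scenario names, hosts and alarms are all constructed sample data.

```python
"""Mix normal and attack traffic into one evaluation dataset and match the
monitor's alarms back to the dataset's ground truth (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    t: float                         # seconds from start of the capture
    src: str
    dst: str
    dport: int
    scenario: Optional[str] = None   # None = normal traffic, else attack scenario


@dataclass(frozen=True)
class Alarm:
    t: float
    src: str
    dst: str
    dport: int


def normal_traffic(n: int) -> List[Flow]:
    """Constructed normal traffic: the HMI polls three PLCs once a second (assumed model)."""
    plcs = ["10.0.1.11", "10.0.1.12", "10.0.1.13"]
    return [Flow(t=float(i), src="10.0.1.2", dst=plcs[i % 3], dport=502) for i in range(n)]


def attack_traffic() -> List[Flow]:
    """Constructed attack traffic, each flow tagged with the scenario that produced it."""
    return [
        Flow(12.5, "10.0.1.50", "10.0.1.11", 502, "scenario_1"),  # unauthorised host writes to a PLC
        Flow(13.0, "10.0.1.50", "10.0.1.11", 502, "scenario_1"),
        Flow(40.0, "10.0.1.50", "10.0.1.12", 22, "scenario_2"),   # SSH attempt against a PLC
        Flow(70.0, "10.0.1.50", "10.0.1.12", 502, "scenario_3"),  # sweep of PLCs on port 502
        Flow(70.5, "10.0.1.50", "10.0.1.13", 502, "scenario_3"),
    ]


def build_dataset(normal: List[Flow], attacks: List[Flow]) -> List[Flow]:
    """Performance evaluation dataset: attack flows interleaved into normal traffic in time order."""
    return sorted(normal + attacks, key=lambda f: f.t)


def sample_alarms() -> List[Alarm]:
    """Constructed output of the monitoring system under test."""
    return [
        Alarm(12.6, "10.0.1.50", "10.0.1.11", 502),   # hits scenario_1
        Alarm(13.1, "10.0.1.50", "10.0.1.11", 502),   # hits scenario_1
        Alarm(70.1, "10.0.1.50", "10.0.1.12", 502),   # hits one of the two scenario_3 flows
        Alarm(5.2, "10.0.1.2", "10.0.1.13", 502),     # fires on normal polling: false alarm
    ]


def match_alarms(dataset: List[Flow], alarms: List[Alarm], window: float = 1.0
                 ) -> Tuple[Dict[str, Dict[str, int]], int]:
    """Return per-scenario {attacks, detected} counts and the number of alarms
    that matched normal traffic or no flow at all (alarms in the normal situation)."""
    per_scenario: Dict[str, Dict[str, int]] = {}
    for f in dataset:
        if f.scenario is not None:
            row = per_scenario.setdefault(f.scenario, {"attacks": 0, "detected": 0})
            row["attacks"] += 1
    hit = set()
    false_alarms = 0
    for a in alarms:
        cands = [f for f in dataset
                 if (f.src, f.dst, f.dport) == (a.src, a.dst, a.dport)
                 and abs(f.t - a.t) <= window]
        if not cands:
            false_alarms += 1
            continue
        f = min(cands, key=lambda c: abs(c.t - a.t))   # nearest flow in time
        if f.scenario is None:
            false_alarms += 1          # alarm raised on normal traffic
        elif f not in hit:
            hit.add(f)                 # count each attack flow at most once
            per_scenario[f.scenario]["detected"] += 1
    return per_scenario, false_alarms


if __name__ == "__main__":
    ds = build_dataset(normal_traffic(60), attack_traffic())
    counts, fa = match_alarms(ds, sample_alarms())
    for name, row in sorted(counts.items()):
        print(name, row["attacks"], row["detected"], row["attacks"] - row["detected"])
    print("alarms on normal traffic:", fa)
```

Counting each attack flow at most once matters: a monitor that emits several alarms for one injected flow must not be credited with several detections, and an alarm whose nearest matching flow is normal traffic is recorded against the "normal situation" item rather than silently dropped.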

<Weight verification>

The risk of worm viruses that have been major threats since 2003 was calculated according to the degree of risk, and the resulting alert level was compared with the alert level issued by the National Cyber Safety Center. The point in time at which the risk is applied is when the worm virus was most active. Table 8 below shows the results of the risk evaluation for the selected worm viruses.

Item | Revacc (Peep) No. 15 | Netsky No. 12 | MyDoom No. 8 | Santy No. 17 | Agobot No. 7
Risk score | 52 | 52 | 55 | 61 | 42
Government alarm issued | Caution (4-level system) | Forecast | Forecast | Caution (5-level system) | -

According to the results in Table 8, the Revacc variant was given a "caution" alert under the 4-level alarm system in 2004, whereas this study produced the "interest" rating, one level below "caution". This difference is presumed to be due to the Revacc variant having spread to national institutions, with a higher alarm level issued because of the surge in leakage of important information.

For the MyDoom worm, the "interest" rating, which is higher than the actual "forecast"

Overall, the results were similar to the alert levels issued by the National Cyber Safety Center. In some cases, such as Revacc and MyDoom, the computed alarm level was one level higher or lower than the alarm level actually issued.

<Evaluation result of the control network anomaly monitoring system>

In the evaluation of the control network anomaly monitoring system, an individual risk is calculated according to the detection or non-detection of the attack traffic of 30 kinds of worm viruses and the attack scenarios, and a weight value is calculated according to the symptoms and risk of each scenario. The evaluation result is then the grade of the score obtained by adding the evaluation of the system functions.

Table 9 shows the result of the scenario attack detection evaluation, with the weight values calculated as follows.

Item | Attacks (abnormal history) | Detected | Not detected | Weight score | Weight | Total score | Weighted score | Evaluation score
Worm virus | 30 | 30 | 0 | 45 | 1.00 | 30.00 | 30.00 | 100.0
Scenario 1 | 3 | 2 | 1 | 73 | 1.62 | 4.87 | 1.62 | 33.3
Scenario 2 | 5 | 3 | 2 | 74 | 1.01 | 5.07 | 1.01 | 20.0
Scenario 3 | 2 | 2 | 0 | 53 | 0.72 | 1.43 | 1.43 | 100.0
Scenario 4 | 1 | 1 | 0 | 46 | 0.87 | 0.87 | 0.87 | 100.0
Scenario 5 | 1 | 1 | 0 | 59 | 1.28 | 1.28 | 1.28 | 100.0
Scenario 6 | 2 | 1 | 1 | 60 | 1.02 | 2.03 | 0.00 | 0.0
Scenario 7 | 2 | 2 | 0 | 58 | 0.97 | 1.93 | 1.93 | 100.0
Scenario 8 | 2 | 2 | 0 | 45 | 0.78 | 1.55 | 1.55 | 100.0
Scenario 9 | 3 | 3 | 0 | 59 | 1.31 | 3.93 | 3.93 | 100.0
Scenario 10 | 2 | 2 | 0 | 51 | 0.86 | 1.73 | 1.73 | 100.0
Scenario 11 | 2 | 2 | 0 | 48 | 0.94 | 1.88 | 1.88 | 100.0
Scenario 12 | 1 | 1 | 0 | 49 | 1.02 | 1.02 | 1.02 | 100.0
Scenario 13 | 1 | 1 | 0 | 60 | 1.22 | 1.22 | 1.22 | 100.0
Scenario 14 | 1 | 1 | 0 | 49 | 0.82 | 0.82 | 0.82 | 100.0
Scenario 15 | 2 | 2 | 0 | 54 | 1.10 | 2.20 | 2.20 | 100.0
Scenario 16 | 2 | 2 | 0 | 46 | 0.85 | 1.70 | 1.70 | 100.0
Scenario 17 | 2 | 2 | 0 | 48 | 1.04 | 2.09 | 2.09 | 100.0
Scenario 18 | 2 | 2 | 0 | 50 | 1.04 | 2.08 | 2.08 | 100.0
Scenario 19 | 2 | 2 | 0 | 52 | 1.04 | 2.08 | 2.08 | 100.0
Scenario 20 | 1 | 1 | 0 | 48 | 0.92 | 0.92 | 0.92 | 100.0
Scenario 21 | 2 | 2 | 0 | 60 | 1.25 | 2.50 | 2.50 | 100.0
Scenario 22 | 4 | 4 | 0 | 57 | 0.95 | 3.80 | 3.80 | 100.0
Scenario 23 | 10 | 10 | 0 | 63 | 1.11 | 11.05 | 11.05 | 100.0
System | 85 | 81 | 4 | - | - | 88.08 | 78.74 | 89.4

For the alarm control part, the evaluation result can be expressed as shown in Table 10 below.

Alarm control item | Positive / Negative
Whether the normal scenario is alarm-controlled | Positive
Whether the alarm information is detailed when an attack is detected | Positive
Whether separate alarms are raised for multiple simultaneous attacks | Positive
Whether a whitelist is represented | Positive

In the control network, the evaluation criteria for the anomaly monitoring system are applied to the threat evaluation table together with the other evaluation results, and appropriate criteria are set.

Table 9 shows the evaluation level obtained by applying the method to various control networks. In the alarm control evaluation of Table 10, if one of the four evaluation results is 'Negative', the level is lowered by one level, and if two to four results are 'Negative', the level is lowered accordingly.

As a result, when there is no 'Negative' result, 59 points or less is rated 'insufficient', 60 to 69 points 'lacking', 70 to 89 points 'ordinary', and above that 'excellent', which gives the evaluation level.
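The scoring and grading step, as an added example that is not the patent's own code. The inputs are the attack counts, detected counts and weights printed in Table 9. The scoring rules are not quoted verbatim by the text and are inferred here from the table's own rows: total score = attacks × weight; weighted score = (detected − not detected) × weight, so an undetected attack forfeits its credit and is subtracted again (Scenario 6, with 1 of 2 detected, scores 0.00); evaluation score = weighted / total × 100; the System row is the column sum. The grade bands (below 60, 60 to 69, 70 to 89, 90 and above) and the rule of one level per 'Negative' alarm-control item are assumptions read from the text above.

```python
"""Scenario-detection scoring and grading of a control-network anomaly
monitor from Table 9 / Table 10 inputs (added example, rules inferred)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ScenarioRow:
    name: str
    attacks: int      # attack samples in the scenario (abnormal history)
    detected: int     # samples the monitor alarmed on
    weight: float     # symptom/risk weight of the scenario, taken as given

    @property
    def undetected(self) -> int:
        return self.attacks - self.detected

    @property
    def total_score(self) -> float:
        return self.attacks * self.weight            # inferred from Table 9

    @property
    def weighted_score(self) -> float:
        # (detected - undetected) x weight: a miss forfeits its credit and is
        # subtracted again, which reproduces Scenario 6 = 0.00 (inferred)
        return (self.detected - self.undetected) * self.weight

    @property
    def evaluation_score(self) -> float:
        return 100.0 * self.weighted_score / self.total_score if self.attacks else 0.0


# (name, attacks, detected, weight) as printed in Table 9
TABLE_9: List[ScenarioRow] = [ScenarioRow(*r) for r in [
    ("Worm virus", 30, 30, 1.00), ("Scenario 1", 3, 2, 1.62), ("Scenario 2", 5, 3, 1.01),
    ("Scenario 3", 2, 2, 0.72), ("Scenario 4", 1, 1, 0.87), ("Scenario 5", 1, 1, 1.28),
    ("Scenario 6", 2, 1, 1.02), ("Scenario 7", 2, 2, 0.97), ("Scenario 8", 2, 2, 0.78),
    ("Scenario 9", 3, 3, 1.31), ("Scenario 10", 2, 2, 0.86), ("Scenario 11", 2, 2, 0.94),
    ("Scenario 12", 1, 1, 1.02), ("Scenario 13", 1, 1, 1.22), ("Scenario 14", 1, 1, 0.82),
    ("Scenario 15", 2, 2, 1.10), ("Scenario 16", 2, 2, 0.85), ("Scenario 17", 2, 2, 1.04),
    ("Scenario 18", 2, 2, 1.04), ("Scenario 19", 2, 2, 1.04), ("Scenario 20", 1, 1, 0.92),
    ("Scenario 21", 2, 2, 1.25), ("Scenario 22", 4, 4, 0.95), ("Scenario 23", 10, 10, 1.11),
]]

# Table 10 items, True = Positive, False = Negative
TABLE_10: Dict[str, bool] = {
    "normal scenario alarm-controlled": True,
    "detailed alarm information on attack": True,
    "separate alarms for simultaneous attacks": True,
    "whitelist represented": True,
}

GRADES = ["insufficient", "lacking", "ordinary", "excellent"]


def system_totals(rows: List[ScenarioRow]) -> Dict[str, float]:
    """The 'System' row of Table 9: column sums and the overall evaluation score."""
    attacks = sum(r.attacks for r in rows)
    detected = sum(r.detected for r in rows)
    total = sum(r.total_score for r in rows)
    weighted = sum(r.weighted_score for r in rows)
    return {"attacks": attacks, "detected": detected, "undetected": attacks - detected,
            "total_score": total, "weighted_score": weighted,
            "evaluation_score": 100.0 * weighted / total}


def base_level(score: float) -> int:
    """Assumed bands: <60 insufficient, 60-69 lacking, 70-89 ordinary, 90+ excellent."""
    if score < 60:
        return 0
    if score < 70:
        return 1
    if score < 90:
        return 2
    return 3


def final_grade(score: float, alarm_control: Dict[str, bool]) -> str:
    """Assumption: each Negative alarm-control item lowers the grade one level (floor at lowest)."""
    negatives = sum(1 for positive in alarm_control.values() if not positive)
    return GRADES[max(0, base_level(score) - negatives)]


if __name__ == "__main__":
    for r in TABLE_9:
        print(f"{r.name:12} {r.attacks:3} {r.detected:3} {r.undetected:3} "
              f"{r.total_score:6.2f} {r.weighted_score:6.2f} {r.evaluation_score:6.1f}")
    t = system_totals(TABLE_9)
    print("System", t)
    print("grade:", final_grade(t["evaluation_score"], TABLE_10))
```

Recomputing from the two-decimal weights printed in the table reproduces the System row to within rounding (88.05 versus 88.08 total, 78.71 versus 78.74 weighted, 89.4 evaluation score); the small gaps come from the weights having been rounded before printing. Note the asymmetry the inferred rule creates: a scenario with 3 of 5 attacks detected is scored 20.0, not 60.0, because each miss is charged twice.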

The invention has been described above in terms of method steps illustrating the performance of certain functions and their relationships. The boundaries and order of these functional components and method steps have been defined arbitrarily herein for convenience of description. Alternative boundaries and sequences may be defined as long as the specified functions and relationships are properly performed, and any such alternative boundaries and sequences are therefore within the scope and spirit of the claimed invention. Likewise, the boundaries of the functional components have been defined arbitrarily for ease of illustration, and alternative boundaries may be defined as long as the significant functions are properly performed. The flow diagram blocks may likewise have been defined arbitrarily to represent significant functionality, and their boundaries and order may be defined differently while still performing that functionality. Alternative definitions of the functional components, flowchart blocks and sequences are therefore within the scope and spirit of the claimed invention.

The invention may also be described, at least in part, in terms of one or more embodiments. Embodiments are used herein to describe the invention, its aspects, features, concepts, and/or examples. A physical embodiment of an apparatus, article of manufacture, machine, and/or process for implementing the invention may include one or more of the aspects, features, concepts, examples, etc. described with reference to one or more of the embodiments herein. Moreover, throughout the drawings, embodiments may incorporate functions, steps, modules, etc. with the same or similar names, which may use the same or different reference numerals, and these may be the same or similar functions, steps, modules, etc.

As described above, the present invention has been described with reference to particular embodiments, such as specific elements, specific embodiments and drawings. However, the present invention is not limited to the embodiments described above, and various modifications and changes may be made by those skilled in the art to which the present invention pertains.

Accordingly, the spirit of the present invention should not be construed as being limited to the embodiments described; the following claims and all equivalents thereof belong to the scope of the present invention.

110: internal business network 120: control network
130: Internet 200: Security control device
300: traffic generation unit 410: normal traffic generation unit
420: attack traffic generation unit 430: evaluation data set generation unit
440: traffic detection unit 450: traffic analysis unit
460: Evaluation result calculating section

Claims (4)

1. A security control evaluation system in an industrial control network, comprising:
a normal traffic generating unit for generating at least one normal traffic;
an attack traffic generating unit for generating at least one attack traffic;
an evaluation data set generating unit for generating a performance evaluation data set by combining the at least one normal traffic generated by the normal traffic generating unit and the at least one attack traffic generated by the attack traffic generating unit;
a traffic detecting unit for detecting traffic generated from the performance evaluation data set in the control network; and
a traffic analyzing unit for analyzing the traffic detected by the traffic detecting unit.
2. The system of claim 1, wherein the normal traffic generating unit generates the normal traffic based on at least one scenario configured according to a model of the control network.
3. A method for security control evaluation in an industrial control network, comprising:
generating at least one normal traffic;
generating at least one attack traffic;
generating a performance evaluation data set by combining the at least one normal traffic and the at least one attack traffic;
detecting traffic generated from the performance evaluation data set in the control network; and
analyzing the detected traffic.
4. The method of claim 3, wherein generating the normal traffic comprises generating the normal traffic based on at least one scenario configured according to a model of the control network.
KR1020160012967A 2016-02-02 2016-02-02 System and method for managing and evaluating security in industry control network KR20170091989A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020160012967A KR20170091989A (en) 2016-02-02 2016-02-02 System and method for managing and evaluating security in industry control network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020160012967A KR20170091989A (en) 2016-02-02 2016-02-02 System and method for managing and evaluating security in industry control network

Publications (1)

Publication Number Publication Date
KR20170091989A true KR20170091989A (en) 2017-08-10

Family

ID=59652188

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020160012967A KR20170091989A (en) 2016-02-02 2016-02-02 System and method for managing and evaluating security in industry control network

Country Status (1)

Country Link
KR (1) KR20170091989A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20210087854A (en) * 2020-01-02 2021-07-13 인스티튜트 포 인포메이션 인더스트리 Device, method and non-transitory tangible machine-readable medium for testing a cyber defense mechanism of a device under test
US11245712B2 (en) 2018-11-28 2022-02-08 Korea Internet & Security Agency Method and apparatus for generating virtual malicious traffic template for terminal group including device infected with malicious code
KR102391921B1 (en) * 2021-09-15 2022-04-29 한화시스템 주식회사 Interactive analysis visualization apparatus and method for bgp anomaly detection
KR20230000376A (en) 2021-06-24 2023-01-02 국민대학교산학협력단 Security monitoring intrusion detection alarm processing device and method using artificial intelligence
KR20230050869A (en) * 2021-10-08 2023-04-17 엘에스일렉트릭(주) Vulnerability testing method and apparatus for serial communication apparaus

Similar Documents

Publication Publication Date Title
Panchal et al. Security issues in IIoT: A comprehensive survey of attacks on IIoT and its countermeasures
Cazorla et al. Cyber stealth attacks in critical information infrastructures
CN113660224B (en) Situation awareness defense method, device and system based on network vulnerability scanning
CN108369541B (en) System and method for threat risk scoring of security threats
KR20170091989A (en) System and method for managing and evaluating security in industry control network
Gupta et al. Taxonomy of cloud security
US20210194915A1 (en) Identification of potential network vulnerability and security responses in light of real-time network risk assessment
US11611572B2 (en) System and method of processing information security events to detect cyberattacks
US20240045954A1 (en) Analysis of historical network traffic to identify network vulnerabilities
Yaacoub et al. A survey on ethical hacking: issues and challenges
Newman Cybercrime, identity theft, and fraud: practicing safe internet-network security threats and vulnerabilities
Miloslavskaya et al. Taxonomy for unsecure big data processing in security operations centers
CN113660222A (en) Situation awareness defense method and system based on mandatory access control
Adeleke Intrusion detection: issues, problems and solutions
Le et al. A threat computation model using a Markov Chain and common vulnerability scoring system and its application to cloud security
Cagalaban et al. Improving SCADA control systems security with software vulnerability analysis
Zhao et al. Network security model based on active defense and passive defense hybrid strategy
Georgina et al. Deception Based Techniques Against Ransomwares: a Systematic Review
Chen et al. A proactive approach to intrusion detection and malware collection
Bendiab et al. IoT Security Frameworks and Countermeasures
Maciel et al. Impact assessment of multi-threats in computer systems using attack tree modeling
Virvilis-Kollitiris Detecting advanced persistent threats through deception techniques
Kumar et al. A review on 0-day vulnerability testing in web application
Alhasawi ICSrank: A Security Assessment Framework for Industrial Control Systems (ICS)
Larkin A Stochastic Game Theoretical Model for Cyber Security

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application