CN106559414A - Dynamic quantitative assessment method for network attack consequences based on regional situation information

Publication number
CN106559414A
Authority
CN (China)
Legal status
Granted, Active
Application number
CN201610929385.9A
Other languages
Chinese (zh)
Other versions
CN106559414B (en)
Inventor
周纯杰
朱钱详
秦元庆
印炜
Current Assignee
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Application filed by Huazhong University of Science and Technology
Priority to CN201610929385.9A
Publication of CN106559414A
Publication of CN106559414B

Classifications

    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/147: Network analysis or design for predicting network behaviour

Abstract

The invention discloses a dynamic quantitative assessment method for network attack consequences based on regional situation information. The method obtains and screens the operating information of the processes inside all stations of an industrial critical infrastructure, yielding the location of the anomalies caused by the network attack and the useful current operating-state information of the physical equipment. It calculates the abnormal material-flow information of each station's output using a multilevel flow model and establishes the station's input-output material-flow calculation model. From the abnormal output material flow caused by the network attack, the stations' input-output material-flow calculation models and the topology graph model of the transport network, it establishes a situation prediction model to predict the flow state of material throughout the industrial critical infrastructure transport network over a coming period. It then obtains the operator's revenue loss caused by abnormal production at all production stations and the loss caused by the consumers' material-demand shortfall resulting from transport-network anomalies. This achieves a dynamic, quantitative assessment of network attack consequences.

Description

Dynamic quantitative assessment method for network attack consequences based on regional situation information
Technical field
The invention belongs to the technical field of information security for industrial critical infrastructure, and more particularly relates to a dynamic quantitative assessment method for network attack consequences based on regional situation information.
Background
Industrial critical infrastructure supplies society and the public with continuous material and energy services and underpins the normal functioning of society. With the rapid development of informatization, industrial critical infrastructure depends ever more heavily on information technology. As more vulnerabilities are found in intelligent control devices and attack techniques advance, industrial critical infrastructure faces severe information security problems. Industrial critical infrastructure has the topological characteristics of a complex network and the flow characteristics of material and energy. The final goal of a network attack on industrial critical infrastructure is to interrupt material and energy services over a large area so that consumers cannot obtain them. The result of assessing network attack consequences can be used to identify the fragile parts of the industrial critical infrastructure and to obtain the current and future state of each station in the system, providing an important basis for security decisions.
Existing methods for assessing the consequences of network attacks on industrial critical infrastructure are mostly static analyses of outages of a specific object of study. The situation of industrial critical infrastructure changes in real time, and so does attack behaviour, so static analysis cannot accurately assess the consequences that a network attack causes to industrial critical infrastructure.
Summary of the invention
In view of the above shortcomings of, or needs for improvement in, the prior art, the invention provides a dynamic quantitative assessment method for network attack consequences based on regional situation information, whose purpose is to use situation information to assess dynamically and quantitatively the consequences caused by a network attack.
To achieve the above object, according to one aspect of the invention, a dynamic quantitative assessment method for network attack consequences based on regional situation information is provided, comprising the following steps:
(1) Establish a multilevel flow model of a station comprising multiple coupled material-flow and information-flow structures; screen the information inside the station using the features of the multilevel flow model to obtain the useful current operating-state information, and determine the object of the network attack;
(2) Calculate the abnormal material-flow information of the station output according to the multilevel flow model, and establish the station's input-output material-flow calculation model;
(3) Establish a multilayer graph model of the topology of the industrial critical infrastructure according to the abnormal output material-flow information caused by the network attack and the station's input-output material-flow calculation model; establish a situation prediction model according to the multilayer graph model and perform situation prediction;
(4) According to the situation prediction information, calculate the operator's revenue loss caused by abnormal production at all production stations and the loss caused by the consumers' material-demand shortfall resulting from transport-network anomalies, obtaining the quantitative assessment result.
Preferably, in the above method for assessing network attack consequences based on regional situation information, step (1) comprises the following sub-steps:
(1.1) Establish the multilevel flow model of the station, comprising the station-process relational model, the material-flow model of the process, the material flow-functional role relational model, the material-flow functional role model, the information flow-functional role relational model, and the information flow-material flow interaction model;
(1.2) Screen the information inside the station according to the station's multilevel flow model to obtain the data relevant to calculating the station's material service output, and determine whether an anomaly exists;
Probes of different types are deployed at different positions in each station, and the data they collect is large in volume and varied in kind. Using the features of the multilevel flow model, this step filters out the data relevant to calculating the station's material service output, which greatly reduces the amount of computation.
Preferably, in the above method for assessing network attack consequences based on regional situation information, step (1.1) comprises the following sub-steps:
(1.1.1) Establish the station-process relational model: the amount of material service that station i provides externally is $Serv_i(t) = Fs_i(prc_{i,1}(t), \ldots, prc_{i,m}(t))$;
where the system of station i is formed by coupling m processes; $prc_{i,j}(t)$ is the amount of material that process j provides for station i, $1 \le j \le m$; $Fs_i$ is a static function;
(1.1.2) Establish the material-flow model of the process: the amount of material provided by process j inside station i is $prc_{i,j}(t) = flow_{i,j}(t)$;
where $flow_{i,j}(t)$ is the output material amount of material flow $Mat\text{-}flow_{i,j}$;
(1.1.3) Establish the material flow-functional role relational model: the output material amount of material flow $Mat\text{-}flow_k$ is $flow_k(t) = Fm_k(Par_{k,1}(t), \ldots, Par_{k,s}(t))$;
where material flow $Mat\text{-}flow_k$ consists of s functional roles and $Par_{k,o}(t)$ is the parameter value of functional role o of material flow $Mat\text{-}flow_k$, with $1 \le o \le s$;
(1.1.4) Establish the material-flow functional role model $Fv_o(par_{o,1}(t), \ldots, par_{o,q}(t)) = 0$, where $Fv_o$ is a static function and $par_{o,q}(t)$ is the q-th parameter value of functional role o;
A functional role is the combination of one or more devices that realizes a certain function, and is represented by the triple $\langle Par, Fv, Dep \rangle$. Par is the operating parameter value of the functional role, the static function Fv describes the current behaviour of the functional role, and the static function Dep describes the dependency between the functional role and other functional roles. If a functional role o has q parameter values, then $Par_o(t) = \{par_{o,1}(t), \ldots, par_{o,q}(t)\}$; some of these parameters are acquired by sensors, and the others are calculated through the static function $Fv_o$, with $Fv_o(par_{o,1}(t), \ldots, par_{o,q}(t)) = 0$;
(1.1.5) Establish the information flow-functional role relational model:
The output of information flow u is $ctl_u(t) = Fw_u(Pir_{u,s}(t), Pir_{u,d}(t), Pir_{u,a}(t))$;
where $Pir_{u,s}(t)$ is the parameter value of the sensing functional role in information flow u, $Pir_{u,a}(t)$ is the parameter value of the actuating functional role, and $Pir_{u,d}(t)$ is the parameter value of the decision functional role; Fw is a static function;
A process is regarded as the coupling of an information flow and a material flow, and the attributes of the information flow are represented by the triple $\langle Irole, Fw, ctl \rangle$. Irole is the set of supporting functional roles of the information flow, the static function Fw describes the operation of the information flow, and the value set ctl(t) is the output of the information flow, expressed as the control value applied to the controlled functional role;
(1.1.6) Establish the information flow-material flow interaction model:
where material flow $Mat\text{-}flow_k$ has q supporting functional roles; the function $Fa_{u,k}$ represents the influence of the information-flow regulation parameter $ctl_u(t)$ on the parameter $Par_{k,o}(t)$ of the controllable functional role of the material flow; the function $Fs_{u,k}$ represents the influence of the material-flow functional role parameter $Par_{k,o}(t)$ on the information-flow sensing functional role parameter $Pir_{u,s}(t)$.
Preferably, in the above method for assessing network attack consequences based on regional situation information, step (1.2) comprises the following sub-steps:
(1.2.1) Enumerate all functional roles in the station's multilevel flow model, and discard from the station's internal information set all information unrelated to these functional roles, obtaining the data relevant to calculating the station's material service output;
(1.2.2) Determine where the anomaly occurs. From the above data relevant to calculating the station's material service output,
extract the functional role parameter values that do not satisfy the state description function $Fv_o(par_{o,1}(t), \ldots, par_{o,q}(t)) = 0$ of material-flow functional role o, or the association function $Dep_{o,p}(Par_o(t), Par_p(t)) = 0$ with an adjacent functional role p, obtaining the information of the material-flow functional roles in which an anomaly occurs;
From the same data, extract the information-flow functional role parameter values that do not satisfy the information flow-material flow interaction model
and do not satisfy the information flow-functional role relational model $ctl_u = Fw_u(Pir_{u,s}, Pir_{u,d}, Pir_{u,a})$, obtaining the information of the information-flow functional roles in which an anomaly occurs;
The station subjected to the network attack is determined from the information of the abnormal material-flow functional roles and the information of the abnormal information-flow functional roles.
Preferably, in the above method for assessing network attack consequences based on regional situation information, step (2) comprises the following sub-steps:
(2.1) Obtain, according to the multilevel flow model, the quantitative assessment value of the influence of the network attack on the output of the process;
Specifically, when the network attack makes a functional role $Irole_{i,k,j}$ in information flow $Inf\text{-}flow_i$ abnormal, so that a parameter value in its attributes is wrong, the abnormal control value $ctl_i(t)$ output by information flow $Inf\text{-}flow_i$ is obtained from the information flow-functional role relational model;
From the influence of the information-flow regulation parameter on the parameters of the controllable functional roles of the material flow, the parameter value $Par_{i,j}(t)$ of each functional role in material flow $Mat\text{-}flow_i$ is obtained;
From the material flow-functional role relational model and the station-process relational model, the output material amount $prc_i(t)$ of the process is obtained, which is the quantitative assessment value $prc_i(t)$ of the influence of the network attack on the output of process $Process_i$;
(2.2) From the above quantitative assessment value $prc_i(t)$ and the relational model between the station's material output and its processes, obtain the material output $Serv_i(t)$ of station i when station i is subjected to the network attack;
(2.3) From the material output $Serv_i(t)$ of each station i, calculate the material output of all stations in the industrial critical infrastructure;
An industrial critical infrastructure consists of multiple stations. In this step the multilevel flow model is used to obtain the output $Serv_i(t)$, $1 \le i \le n$, of all stations of the industrial critical infrastructure, including both non-abnormal and abnormal stations.
Preferably, in the above method for assessing network attack consequences based on regional situation information, step (3) comprises the following sub-steps:
(3.1) Establish the multilayer graph model of the topology of the industrial critical infrastructure, placing propagation processes that occur at the same time in the same layer;
(3.2) Establish the situation prediction model from the diffusion, within the multilayer graph model, of the station output anomaly caused by the network attack, and perform situation prediction.
Preferably, in the above method for assessing network attack consequences based on regional situation information, the multilayer graph modelling of step (3.1) comprises the following sub-steps:
(3.1.1) Establish the topology graph of the industrial critical infrastructure transport network;
The topology graph is a directed acyclic complex network $\langle G, E \rangle$, where G is the set of stations and E is the set of pipeline edges between stations. The station set G is divided into the production station set $G_g$, the transmission station set $G_t$ and the consumption station set $G_c$;
(3.1.2) Build trees with production stations as root nodes, transmission stations as intermediate nodes and consumption stations as leaf nodes, obtaining the set of paths from production stations to consumption stations;
Each production station in the production station set $G_g$ is taken as a root node, transmission stations as intermediate nodes and consumption stations as leaf nodes; l production stations yield l trees, and the time taken by the influence process between two adjacent nodes is identical in all of these trees;
(3.1.3) Merge the trees into a multilayer graph according to the path-segment rule, so that the edge set E of the acyclic complex network $\langle G, E \rangle$ is divided into several different sets, with the material-flow processes of the edges in one set lying in the same time period; edges of the same time period are assigned to the same layer of the multilayer graph, and the acyclic complex network $\langle G, E \rangle$ is thereby modelled as a multilayer graph.
Preferably, in the above method for assessing network attack consequences based on regional situation information, step (3.2) comprises the following sub-steps:
(3.2.1) From the propagation of the abnormal station output through the industrial critical infrastructure network, and from the multilevel flow model, calculate the material output of each station in a single step;
For an abnormal station $G_i$, its material output $Serv_i(t)$ is calculated by step 2, and the associated edge of $G_i$ is obtained by step 3.1, where $1 \le s \le k$, i.e. the edge belongs to layer s of the multilayer graph. The anomaly propagation process is analysed step by step in the order $E_s \to E_{s+1} \to \ldots \to E_k$, and the material output of each station in a single step is calculated according to the multilevel flow model;
(3.2.2) Calculate, according to the multilayer graph model, the material output state of each station of the industrial critical infrastructure in each period after the network attack occurs;
For a network attack that occurs at time t, the material outputs of each station in the following periods, according to the multilayer graph model, are $Serv_i(t - \Delta t), Serv_i(t), Serv_i(t + \Delta t), \ldots$, $1 \le i \le n$;
(3.2.3) Obtain, according to the multilevel flow model, the output of each station after the system has stabilized:
After an industrial critical infrastructure is subjected to a network attack, the material output of each of its stations fluctuates, but the system eventually settles into a stable state;
In that state: $Serv_i(t + h \times \Delta t) = Serv_i(t + (h+1) \times \Delta t)$.
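The layering of step (3.1) and the step-by-step propagation of step (3.2), as an added Python example that is not the patent's own code. The station sets are those of the embodiment; the pipeline edges, the production figures and the pass-through rule with an equal split across outgoing pipelines are assumptions standing in for Fig. 1 and the per-station multilevel flow models.

```python
from collections import defaultdict

# Station names follow the embodiment. The pipeline edges and all numbers are
# constructed for this example (Fig. 1 is not reproduced on the page).
PRODUCERS = ["G1", "G6"]
EDGES = [("G1", "G2"), ("G2", "G3"), ("G2", "G5"), ("G6", "G7"),
         ("G7", "G5"), ("G7", "G8"), ("G7", "G9"), ("G5", "G4")]
STATIONS = sorted({s for edge in EDGES for s in edge})


def successors(edges):
    """Adjacency list: station -> downstream stations."""
    out = defaultdict(list)
    for u, v in edges:
        out[u].append(v)
    return out


def build_layers(edges, producers):
    """Steps (3.1.2)-(3.1.3): walk the tree rooted at every production station
    and put an edge reached on hop d into layer d, so that edges whose material
    flow happens in the same time period share a layer."""
    out = successors(edges)
    layers = defaultdict(set)
    seen = set()
    frontier = [(p, 1) for p in producers]
    while frontier:
        node, depth = frontier.pop()
        if (node, depth) in seen:
            continue
        seen.add((node, depth))
        for nxt in out[node]:
            layers[depth].add((node, nxt))
            frontier.append((nxt, depth + 1))
    return [layers[d] for d in sorted(layers)]


def step(serv, edges, producers):
    """One interval Δt. Assumed station model: a non-producer outputs exactly
    what its upstream stations delivered in the previous interval, and every
    station splits its output equally across its outgoing pipelines."""
    out = successors(edges)
    inflow = defaultdict(float)
    for u, v in edges:
        inflow[v] += serv[u] / len(out[u])
    return {s: serv[s] if s in producers else inflow[s] for s in serv}


def predict(serv_before, producer_output, edges=EDGES, producers=PRODUCERS,
            tol=1e-9, max_steps=1000):
    """Step (3.2): return [Serv(t), Serv(t+Δt), ...] up to the first state for
    which Serv(t+hΔt) == Serv(t+(h+1)Δt), i.e. the stable state."""
    state = dict(serv_before)
    state.update(producer_output)      # output forced by the attack at time t
    history = [state]
    for _ in range(max_steps):
        nxt = step(history[-1], edges, producers)
        if all(abs(nxt[s] - history[-1][s]) <= tol for s in nxt):
            return history
        history.append(nxt)
    raise RuntimeError("no stable state reached")


def demo():
    """Attack on production station G1 cuts its output from 100 to 40 units."""
    empty = {s: 0.0 for s in STATIONS}
    nominal = predict(empty, {"G1": 100.0, "G6": 120.0})[-1]
    return nominal, predict(nominal, {"G1": 40.0})


if __name__ == "__main__":
    for i, layer in enumerate(build_layers(EDGES, PRODUCERS), start=1):
        print("layer", i, sorted(layer))
    nominal, history = demo()
    for h, state in enumerate(history):
        print("t+%d*dt" % h, {s: state[s] for s in ("G3", "G4", "G8", "G9")})
```

The shortfall reaches consumption station G3 two intervals after the attack and G4 one interval later, while G8 and G9, which are fed only from G6, are never affected.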
Preferably, in the above method for assessing network attack consequences based on regional situation information, step (4) comprises the following sub-steps:
(4.1) Obtain the revenue loss of the owner of the industrial critical infrastructure
Here, $\{Serv_{g,1}(t - \Delta t), \ldots, Serv_{g,l}(t - \Delta t)\}$ are the material outputs of all production stations of an industrial critical infrastructure with l production stations when it is not under network attack;
$\{Serv_{g,1}(t + h \times \Delta t), \ldots, Serv_{g,l}(t + h \times \Delta t)\}$ are the material outputs of all production stations of the industrial critical system after it has been subjected to the network attack and the system has stabilized; the time $t_n$ is the moment at which all damaged stations have been repaired, and Price is the unit price of the material produced by the stations;
(4.2) Calculate the loss to production and daily life of the consumers within the coverage area of the industrial critical infrastructure
where $\{Serv_{c,1}(t), \ldots, Serv_{c,m}(t)\}$ are the material amounts received by the consumption station set $G_c$; b is the number of consumption stations of the industrial critical infrastructure; $\{p_{i,1}, p_{i,2}, p_{i,3}\}$ are the proportions of the material service $Serv_{c,i}(t)$ received by consumption station $G_{c,i}$ that are supplied to industrial, commercial and residential use, with $p_{i,1} + p_{i,2} + p_{i,3} = 1$; $\{value_{i,1}, value_{i,2}, value_{i,3}\}$ are the socio-economic values that the industrial, commercial and residential sectors near consumption station $G_{c,i}$ can create per unit of material service; the time $t_n$ is the moment at which all damaged stations have been repaired;
After the network attack, the material amounts received by the consumption stations change from $\{Serv_{c,1}(t - \Delta t), \ldots, Serv_{c,b}(t - \Delta t)\}$ to $\{Serv_{c,1}(t + h \times \Delta t), \ldots, Serv_{c,b}(t + h \times \Delta t)\}$;
(4.3) From the loss values of the industrial critical infrastructure owner and of the consumers, obtain the total loss caused by the network attack, $Loss = Loss_1 + Loss_2$.
In general, compared with the prior art, the above technical solution conceived by the invention achieves the following beneficial effects:
(1) The dynamic quantitative assessment method for network attack consequences based on regional situation information provided by the invention proposes a multilevel flow model for acquiring and understanding the situation of the system. With this model the coupling between the system and its various flows can be modelled, and the dynamic flow processes of information flow and material flow can be described quantitatively, achieving quantitative and accurate situation acquisition and situation understanding for network attacks on industrial infrastructure;
(2) The method provided by the invention, drawing on the topological features of the industrial critical infrastructure transport network and analysing the flow process of the material flow, proposes a model for analysing how a station anomaly diffuses through the whole transport network: the multilayer graph model. The multilayer graph model is used to analyse the effect of a network attack on the whole transport network and to obtain the distribution of the material service of all stations in the transport network over a coming period, achieving dynamic situation prediction;
(3) The method provided by the invention achieves a unified quantification of all kinds of loss caused by a network attack. It can quantitatively assess not only the operator's loss of sales profit caused by reduced capacity at production stations, but also the loss to production and daily life suffered by the industrial, commercial and residential sectors within the area covered by the industrial critical infrastructure transport network when their demand for material service cannot be met, which improves the accuracy of the assessment.
Brief description of the drawings
Fig. 1 is a schematic diagram of the topology of the industrial critical infrastructure in the embodiment;
Fig. 2 is a schematic diagram of the system structure of station G1 of the industrial critical infrastructure in the embodiment;
Fig. 3 is a flow chart of the dynamic quantitative assessment method for network attack consequences provided by the embodiment;
Fig. 4 is a schematic diagram of the coupled information-flow and material-flow structure of a process in the embodiment;
Fig. 5 is the multilayer graph model of the topological network of the industrial critical infrastructure in the embodiment.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and do not limit it. In addition, the technical features involved in the embodiments described below can be combined with one another as long as they do not conflict.
The dynamic quantitative assessment method for network attack consequences based on regional situation information provided by the invention comprises situation acquisition, situation understanding, situation prediction and loss assessment. It is explained in detail below with reference to the industrial critical infrastructure shown in Fig. 1.
The industrial critical infrastructure shown in Fig. 1 is a transport network made up of a large number of stations and pipelines. The stations comprise production stations, transmission stations and consumption stations, connected to one another by pipelines. The industrial critical infrastructure network is defined as a directed acyclic complex network $\langle G, E \rangle$, where G is the set of stations and E is the set of pipeline edges between stations. The station set G is classified into the production station set $G_g = \{G1, G6\}$, the transmission station set $G_t = \{G2, G5, G7\}$ and the consumption station set $G_c = \{G3, G4, G8, G9\}$. Every station system is a combination of several processes.
The structure of station G1 is shown in Fig. 2 and comprises two processes, process 1 and process 2. The two processes are connected in series: the output material of process 1 is the input raw material of process 2.
For the above typical industrial critical infrastructure, the flow of the dynamic quantitative assessment method for network attack consequences based on regional situation information provided by the embodiment is shown in Fig. 3 and is as follows:
Situation acquisition: obtain the operating information of the processes inside all stations of the industrial critical infrastructure, including the operating information of the control process and of the physical process; screen this operating information to obtain the location at which the anomaly of the control devices caused by the network attack occurs, and the useful current operating-state information of the physical equipment;
Situation understanding: calculate the abnormal material-flow information of the station output using the multilevel flow model, and establish the station's input-output material-flow calculation model;
Situation prediction: from the abnormal output material-flow information caused by the network attack, the stations' input-output material-flow calculation models and the topology graph model of the transport network, establish the situation prediction model to predict the flow state of material throughout the industrial critical infrastructure transport network over a coming period;
Loss assessment: obtain the operator's revenue loss caused by abnormal production at all production stations, and the loss caused by the consumers' material-demand shortfall resulting from transport-network anomalies.
The dynamic quantitative assessment method is illustrated below, taking as an example a network attack on process 1 of production station G1 of the industrial critical infrastructure shown in Fig. 1:
Step 1, situation acquisition: obtain the situation of the attacked station G1 and of the other stations that are not attacked, comprising the following steps:
Step 1.1: Establish the multilevel flow model of station G1, comprising the following sub-steps:
(1.1.1) Model the structure of process 1:
The multilevel flow structure of process 1 is shown in Fig. 4. The physical equipment comprises raw material input equipment, raw material and product transfer equipment, raw material processing equipment and product receiving equipment, which correspond respectively to the source functional role sou1, the transfer functional roles tra1 and tra2, the reaction functional role con1 and the receiving functional role sin1. The sensor, actuator and controller correspond respectively to the sensing functional role sen1, the actuating functional role act1 and the decision functional role dec1;
The symbols used in this embodiment are defined in Table 5.1:
Table 5.1 Symbol definitions
The multilevel flow model of process 1 is established from the symbol definitions, as shown in formula (5.1):
(1.1.2) Establish the multilevel flow model of process 2 in G1 by the method of step (1.1.1). The two processes have the same structure. The output material $f_{process1}(t)$ of process 1 is the input material amount of process 2, so the input material value of the transfer function tra1 in process 2 is the output material $f_{process1}(t)$ of process 1. The output material $Sev_{G1}(t)$ of station G1 is $Sev_1(t) = f_{process2}(t)$.
Step 1.2: Screen the useful information and determine the object of the network attack. Table 5.1 lists the parameter types in the attributes of all functional roles in process 1, namely the material flow and information flow that pass through each functional role, and the flow-related values of the role itself;
Data of different types is obtained from the probes deployed at the station, and the data that does not match a parameter type in Table 5.1 is rejected. For the multilevel flow structure shown in Fig. 4, when an attacker tampers with the input data $i_{dec1,p}(t)$ of the decision role dec1, the dependency $i_{dec1,p}(t) = i_{sen1,o}(t)$ between the sensing role sen1 and the decision role dec1 indicates that dec1 may have been attacked. When an attacker tampers with the material-flow data collected by the sensing role sen1, for example by changing the parameters of the reaction role con1, the dependencies between the reaction role con1 and the transfer roles tra1 and tra2 indicate that the sensing role sen1 has been attacked.
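The screening and localization of step 1.2, applied to the process 1 roles, as an added Python example that is not part of the patent. Only the sen1/dec1 dependency comes from the text; the parameter names, the other constraint functions, the 0.8 yield and the readings are constructed assumptions, since formula (5.1) and Table 5.1 are not reproduced on this page.

```python
# Role names (sou1, tra1, con1, tra2, sin1, sen1, dec1) are the embodiment's.
# Parameter names such as "tra1.out" and every constraint except sen1 -> dec1
# are hypothetical stand-ins for formula (5.1).
TOL = 1e-6

# Parameters known to the multilevel flow model; anything else is screened out.
MODEL_PARAMS = {"sou1.out", "tra1.in", "tra1.out", "con1.in", "con1.out",
                "tra2.in", "tra2.out", "sin1.in", "sen1.out", "dec1.in"}

# State description functions Fv_o(par_o) = 0 (assumed: lossless transfer,
# reaction yield of 0.8).
STATE_FUNCS = {
    "tra1": lambda p: p["tra1.out"] - p["tra1.in"],
    "con1": lambda p: p["con1.out"] - 0.8 * p["con1.in"],
    "tra2": lambda p: p["tra2.out"] - p["tra2.in"],
}

# Dependency functions Dep_{o,p}(Par_o, Par_p) = 0 between adjacent roles.
DEPENDENCIES = {
    ("sou1", "tra1"): lambda p: p["tra1.in"] - p["sou1.out"],
    ("tra1", "con1"): lambda p: p["con1.in"] - p["tra1.out"],
    ("con1", "tra2"): lambda p: p["tra2.in"] - p["con1.out"],
    ("tra2", "sin1"): lambda p: p["sin1.in"] - p["tra2.out"],
    # From the page: i_dec1,p(t) = i_sen1,o(t)
    ("sen1", "dec1"): lambda p: p["dec1.in"] - p["sen1.out"],
}


def screen(readings):
    """Step (1.2.1): keep only probe data tied to a functional role parameter."""
    kept = {k: v for k, v in readings.items() if k in MODEL_PARAMS}
    missing = MODEL_PARAMS - kept.keys()
    if missing:
        raise ValueError("no reading for: " + ", ".join(sorted(missing)))
    return kept


def locate_anomalies(readings, tol=TOL):
    """Step (1.2.2): return (roles whose Fv is violated, role pairs whose Dep
    is violated). Both lists are empty when the station is consistent."""
    par = screen(readings)
    bad_roles = sorted(o for o, fv in STATE_FUNCS.items() if abs(fv(par)) > tol)
    bad_links = sorted(l for l, dep in DEPENDENCIES.items() if abs(dep(par)) > tol)
    return bad_roles, bad_links


# Constructed probe snapshots. The last two keys are unrelated to the model.
NORMAL = {"sou1.out": 10.0, "tra1.in": 10.0, "tra1.out": 10.0,
          "con1.in": 10.0, "con1.out": 8.0, "tra2.in": 8.0, "tra2.out": 8.0,
          "sin1.in": 8.0, "sen1.out": 8.0, "dec1.in": 8.0,
          "hvac.temp": 21.5, "door.badge_count": 3}

# Case 1 on the page: the input of decision role dec1 is tampered with.
DEC_INPUT_TAMPERED = dict(NORMAL, **{"dec1.in": 5.0})

# Case 2 on the page: the con1 value collected through sen1 is falsified and
# passed on unchanged to dec1, so it disagrees with the neighbouring flow.
SENSOR_DATA_TAMPERED = dict(NORMAL, **{"con1.out": 12.0, "sen1.out": 12.0,
                                       "dec1.in": 12.0})

if __name__ == "__main__":
    for name, snap in [("normal", NORMAL),
                       ("dec1 input tampered", DEC_INPUT_TAMPERED),
                       ("sen1 data tampered", SENSOR_DATA_TAMPERED)]:
        print(name, locate_anomalies(snap))
```

In the second tampered snapshot the sen1/dec1 dependency still holds, so only the con1 constraints expose the falsified sensing data, which is the case the text resolves through con1's dependencies on tra1 and tra2.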
Step 2, situation understanding: obtain the influence of the network attack on the output material amount $Sev_1(t)$ of station G1, and the output material amounts of the other stations that are not attacked. The system of station G1 comprises process 1 and process 2, whose multilevel flow structure is shown in Fig. 4; only the reaction inside the reaction equipment differs, which appears as a different action function of the reaction role con1 in the two processes. Step 2 comprises the following sub-steps:
Step 2.1: Obtain the influence of the network attack on the output of process 1. When the functional role sen1 is subjected to the network attack, the attacker tampers with its input data $i_{sen1,p}(t)$, changing it to $i_{sen1,p}(t)'$;
From the functional role attribute descriptions of the multilevel flow model given by formula (5.1), taken in the order sen1 → (sen1-dec1) → dec1 → ... → sin1, the received material amount $f_{sin1,p}(t)$ is obtained; it is the output material amount of process 1 and equals the amount of raw material input to process 2. Other types of attack on the other information-flow functional roles, such as DoS, man-in-the-middle and control-logic modification attacks, all end by changing the output parameter value of the attacked information-flow functional role, and are therefore equivalent to an information tampering attack.
Step 2.2: Obtain the output material amount of station G1. In the embodiment, process 1 and process 2 are in series, and process 1 provides the raw material for process 2. The input parameter $f_{tra1,p}(t)$ of the transfer role tra1 in process 2 equals the output $f_{process1}(t)$ of process 1;
From this input parameter $f_{tra1,p}(t)$ and the multilevel flow model, the parameters of the functional roles are calculated step by step in the order tra1 → (tra-con1) → con1 → ... → sin1 of formula (5.1), giving the output material amount $f_{process2}(t)$ of process 2, which is the output material amount $Sev_1(t)$ of station G1.
Step 2.3: Obtain, according to the multilevel flow model, the output material amounts $Sev_i(t)$, $2 \le i \le 9$, at the current time of the stations that are not attacked;
The input material amount of a consumption station in $G_c$ is the output material amount of the adjacent transmission station. At time t, the output material amount of the production station set $G_g$ is $Sev_g(t) = \{Sev_1(t), Sev_6(t)\}$; the output material amount of the transmission station set $G_t$ is $Sev_t(t) = \{Sev_2(t), Sev_5(t), Sev_7(t)\}$; and the received material amount of the consumption station set $G_c$ is $Sev_c(t) = \{Sev_3(t), Sev_4(t), Sev_8(t), Sev_9(t)\}$.
Step 3, situation prediction: the network attack makes the material quantity output by G1 abnormal, and G1 supplies material to all downstream transmission sites and consumption sites. Because the anomaly diffusion process has a time delay, situation prediction obtains the material quantities of all sites in each future time period. It comprises the following sub-steps:
Step 3.1, build a multilayer graph model of the industrial critical infrastructure network shown in Fig. 1. The structure shown in Fig. 1 is a directed acyclic graph $\langle G, E \rangle$, with site set $G = \{G_g, G_t, G_c\}$, production site set $G_g = \{G_1, G_6\}$, transmission site set $G_t = \{G_2, G_5, G_7\}$, consumption site set $G_c = \{G_3, G_4, G_8, G_9\}$, and edge set $E = \{E_{1,2}, E_{2,3}, E_{2,4}, E_{2,5}, E_{5,7}, E_{6,7}, E_{7,8}, E_{7,9}\}$; the material flows from $G_g$ through $G_t$ to $G_c$;
The two path trees, rooted at G1 and G6 respectively, are set up as follows:
$G_1 \to G_c = \langle \{G_1 \to G_2\}, \{G_2 \to G_3, G_2 \to G_4, G_2 \to G_5\}, \{G_5 \to G_7\}, \{G_7 \to G_8, G_7 \to G_9\} \rangle$; $G_6 \to G_c = \langle \{G_6 \to G_7\}, \{G_7 \to G_8, G_7 \to G_9\} \rangle$;
The two trees above are then merged. The merging principle is to check for repeated nodes: in the two trees above, site G7 is an intermediate node of both $G_1 \to G_c$ and $G_6 \to G_c$, so this part is merged, and the result is layered according to the time of the diffusion process, giving the multilayer graph model shown in Fig. 5. In this graph, all propagation processes in the same level take place in the same time period.
Step 3.2, calculate the diffusion of the abnormal material output of site G1 through the whole network. At time $t + \Delta t$, calculate the propagation process G1 → G2 in level $LV_0$; the output $Sev_1(t)$ of G1 is the input of G2;
This gives the output $Sev_2(t + \Delta t)$ of G2 at that time; and $Sev_1(t + \Delta t) = Sev_i(t)$;
At time $(t + 2 \times \Delta t)$, calculate the propagation processes G2 → G3, G2 → G4 and G2 → G5 in level $LV_1$; in the same way, the inputs and outputs of all sites at time $(t + 4 \times \Delta t)$ are obtained;
The output material quantity of the production site set $G_g$ is:
$Sev_g(t + 4 \times \Delta t) = \{Sev_1(t + 4 \times \Delta t), Sev_6(t + 4 \times \Delta t)\}$;
The output material quantity of the transmission site set $G_t$ is:
$Sev_t(t + 4 \times \Delta t) = \{Sev_2(t + 4 \times \Delta t), Sev_5(t + 4 \times \Delta t), Sev_7(t + 4 \times \Delta t)\}$;
The received material quantity of the consumption site set $G_c$ is:
$Sev_c(t + 4 \times \Delta t) = \{Sev_3(t + 4 \times \Delta t), Sev_4(t + 4 \times \Delta t), Sev_8(t + 4 \times \Delta t), Sev_9(t + 4 \times \Delta t)\}$.
Step 4, loss assessment: at time $(t - \Delta t)$, before the network attack occurs, the output material of each site is $Sev_i(t - \Delta t)$, $1 \le i \le 9$;
The network attack occurs at time $t$, and at time $(t + 4 \times \Delta t)$ the system has stabilized after the attack. Repair is completed at time $t_n$, when each site returns to its state before the attack. The loss caused by this network attack is calculated by the following steps;
Step 4.1, calculate the revenue loss of the operator of the industrial critical infrastructure: for material with a market price of pe per unit, the capacity loss value $Loss_1$ of $G_g = \{G_1, G_6\}$ is given by formula (5.2):
Step 4.2, calculate the production and livelihood loss of consumers. In the embodiment, the shares of the material service $Serv_i$ received by consumption site Gi that are supplied to industrial, commercial and civil use are $\{p_{i,1}, p_{i,2}, p_{i,3}\}$, with $p_{i,1} + p_{i,2} + p_{i,3} = 1$, and the social value created per unit of material service by industrial, commercial and civil users around site Gi is $\{value_{i,1}, value_{i,2}, value_{i,3}\}$, $i = 3, 4, 8, 9$;
The loss value $Loss_2$ of consumers is then given by formula (5.3):
The loss to the industrial critical infrastructure caused by this network attack is $Loss = Loss_1 + Loss_2$.
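The following added example (not part of the patent text) runs the embodiment's topology through steps 3 and 4: it layers the edges by hop distance from the attacked site, propagates the abnormal output one level per Δt, and evaluates the Loss1 and Loss2 sums as they are written in claim 9. The per-site model (each site passes on the sum of its inputs in equal shares), the layering rule and all numeric values are assumptions standing in for the multilevel flow models and Fig. 5, which the text does not reproduce.

```python
from collections import defaultdict, deque

# Topology of step 3.1 (site number i stands for Gi).
EDGES = [(1, 2), (2, 3), (2, 4), (2, 5), (5, 7), (6, 7), (7, 8), (7, 9)]
PRODUCERS, CONSUMERS = (1, 6), (3, 4, 8, 9)


def successors(edges):
    succ = defaultdict(list)
    for u, v in edges:
        succ[u].append(v)
    return succ


def layer_edges(edges, attacked):
    """Group edges into levels LV0, LV1, ... by the hop distance of each
    edge's source from the attacked site (assumed layering rule)."""
    succ, depth, queue = successors(edges), {attacked: 0}, deque([attacked])
    while queue:
        u = queue.popleft()
        for v in succ[u]:
            if v not in depth:
                depth[v] = depth[u] + 1
                queue.append(v)
    levels = defaultdict(list)
    for u, v in edges:
        if u in depth:  # edges not downstream of the attack carry no anomaly
            levels[depth[u]].append((u, v))
    return [levels[k] for k in sorted(levels)]


def site_value(site, sev, edges, succ):
    """Assumed stand-in for a site's multilevel flow model: the site passes on
    the sum of its inputs, and every sender splits its output equally."""
    return sum(sev[u] / len(succ[u]) for u, v in edges if v == site)


def settle(edges, producer_output):
    """Material quantity of every site for fixed producer outputs."""
    succ, sev = successors(edges), defaultdict(float, producer_output)
    for _ in range(len(edges)):  # enough passes for any DAG with these edges
        for _, v in edges:
            sev[v] = site_value(v, sev, edges, succ)
    return dict(sev)


def forecast(edges, baseline, attacked, abnormal_output):
    """Snapshots of all sites at t, t+dt, ..., t+h*dt (one level per dt)."""
    succ, sev = successors(edges), dict(baseline)
    sev[attacked] = abnormal_output
    timeline = [dict(sev)]
    for level in layer_edges(edges, attacked):
        targets = {v for _, v in level}
        sev.update({v: site_value(v, sev, edges, succ) for v in targets})
        timeline.append(dict(sev))
    return timeline


def losses(before, after, repair_time, price, profile):
    """Loss1, Loss2 and their sum; repair_time is (t_n - t) and profile[c]
    lists (value, share) pairs for industrial, commercial and civil use."""
    loss1 = sum((before[g] - after[g]) * repair_time * price for g in PRODUCERS)
    loss2 = sum((before[c] - after[c]) * repair_time
                * sum(value * share for value, share in profile[c])
                for c in CONSUMERS)
    return loss1, loss2, loss1 + loss2


def demo():
    # Constructed numbers: G1 normally outputs 90 units, G6 outputs 60;
    # the attack cuts G1 to 60 and repair takes 10 time units.
    baseline = settle(EDGES, {1: 90.0, 6: 60.0})
    timeline = forecast(EDGES, baseline, attacked=1, abnormal_output=60.0)
    profile = {c: [(4.0, 0.5), (2.0, 0.25), (2.0, 0.25)] for c in CONSUMERS}
    return timeline, losses(baseline, timeline[-1], 10.0, 2.0, profile)


if __name__ == "__main__":
    timeline, (loss1, loss2, total) = demo()
    for step, snapshot in enumerate(timeline):
        print(f"t+{step}dt", {f"G{i}": snapshot[i] for i in sorted(snapshot)})
    print("Loss1 =", loss1, "Loss2 =", loss2, "Loss =", total)
```

With an attack on G1 the layering yields four levels, so the forecast stabilizes at t+4×Δt as in the embodiment, and G6 keeps its normal output throughout.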
As those skilled in the art will readily appreciate, the foregoing is only a preferred embodiment of the present invention and is not intended to limit the invention; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (9)

1. A dynamic quantitative assessment method for network attack consequences based on regional situation information, characterized in that it comprises the following steps:
(1) establishing a multilevel flow model of a site that contains multiple coupled material-flow and information-flow structures; screening the site's internal information using the features of the multilevel flow model to obtain the currently useful running-state information, and determining the target of the network attack;
(2) obtaining the abnormal material-flow information output by the site according to the multilevel flow model, and establishing an input/output material-flow calculation model of the site;
(3) establishing a multilayer graph model of the topology of the industrial critical infrastructure according to the abnormal output material-flow information of the site caused by the network attack and the input/output material-flow calculation model of the site; establishing a situation prediction model according to the multilayer graph model and performing situation prediction;
(4) calculating, from the situation prediction information, the operator's revenue loss caused by abnormal production processes at all production sites and the loss caused by the shortfall in consumers' material demand due to the abnormal transport network, to obtain the quantitative assessment result.
2. The dynamic quantitative assessment method for network attack consequences as claimed in claim 1, characterized in that step (1) comprises the following sub-steps:
(1.1) establishing the multilevel flow model of the site, comprising the relational model between the site and its processes, the material-flow model of a process, the relational model between material flow and functional roles, the material-flow functional-role model, the relational model between information flow and functional roles, and the interaction model between information flow and material flow;
(1.2) screening the site's internal information according to the multilevel flow model of the site to obtain the data relevant to calculating the site's material-service output, and judging whether the site is abnormal.
3. The dynamic quantitative assessment method for network attack consequences as claimed in claim 2, characterized in that step (1.1) comprises the following sub-steps:
(1.1.1) establishing the relational model between the site and its processes: the quantity of material service that site i provides to the outside is $Serv_i(t) = Fs_i(prc_{i,1}(t), \ldots, prc_{i,m}(t))$;
where the system of site i is formed by coupling m processes; $prc_{i,j}(t)$ is the output material quantity of process j inside site i, $1 \le j \le m$; $Fs_i$ is the static function describing the association among the processes in site i;
(1.1.2) establishing the material-flow model of a process: the material quantity provided by process j inside site i is $prc_{i,j}(t) = flow_{i,j}(t)$;
where $flow_{i,j}(t)$ is the output material quantity of the material flow $Mat\text{-}flow_{i,j}$;
(1.1.3) establishing the relational model between material flow and functional roles: the material quantity output by the material flow $Mat\text{-}flow_k$ is $flow_k(t) = Fm_k(Par_{k,1}(t), \ldots, Par_{k,s}(t))$;
where material flow k consists of s functional roles, and $Par_{k,o}(t)$ is the parameter value of the o-th functional role in $Mat\text{-}flow_k$, with $1 \le o \le s$;
(1.1.4) establishing the material-flow functional-role model $Fv_o(par_{o,1}(t), \ldots, par_{o,q}(t)) = 0$;
where $Fv_o$ is the static function describing the running of the functional role, and $par_{o,q}(t)$ is the q-th parameter value of the o-th functional role;
(1.1.5) establishing the relational model between information flow and functional roles: the output of the information flow $Inf\text{-}flow_u$ is $ctl_u(t) = Fw_u(Pir_{u,s}(t), Pir_{u,d}(t), Pir_{u,a}(t))$;
where $ctl_u(t)$ is the control information output by the information flow $Inf\text{-}flow_u$ at time t, $Pir_{u,s}(t)$ is the parameter value of the sensing functional role, $Pir_{u,a}(t)$ is the parameter value of the actuating functional role, and $Pir_{u,d}(t)$ is the parameter value of the decision functional role; $Fw$ is the static function describing the information-flow process;
(1.1.6) establishing the interaction model between information flow and material flow:
$$\begin{cases} Fa_{u,k}\left(Par_{k,1}(t), \ldots, Par_{k,q}(t), ctl_u(t)\right) = 0 \\ Fs_{u,k}\left(Par_{k,1}(t), \ldots, Par_{k,q}(t), Pir_{u,s}(t)\right) = 0 \end{cases}$$
where the material flow has q supporting functional roles and the material flow $Mat\text{-}flow_k$ is coupled with the information flow $Inf\text{-}flow_u$; the function $Fa_{u,k}$ represents the effect of the information-flow regulation parameter $ctl_u(t)$ on the parameter $Par_{k,o}(t)$ of the controllable functional role of the material flow; the function $Fs_{u,k}$ represents the effect of the parameter $Par_{k,o}(t)$ of the material-flow functional role on the parameter $Pir_{u,s}(t)$ of the sensing functional role of the information flow.
4. The dynamic quantitative assessment method for network attack consequences as claimed in claim 3, characterized in that step (1.2) comprises the following sub-steps:
(1.2.1) enumerating all functional roles in the multilevel flow model of the site, discarding all information in the site's internal information set that is unrelated to the functional roles, and obtaining the data relevant to calculating the site's material-service output;
(1.2.2) from said data relevant to calculating the site's material-service output, extracting the functional-role parameter values that do not satisfy the state description function of material-flow functional role o and its association function with the adjacent functional role p, to obtain the information of the material-flow functional roles in which an anomaly has occurred;
from said data relevant to calculating the site's material-service output, extracting the information-flow functional-role parameter values that do not satisfy the interaction model between information flow and material flow and that do not satisfy the relational model between information flow and functional roles, to obtain the information of the information-flow functional roles in which an anomaly has occurred;
determining the site subject to the network attack according to the information of the abnormal material-flow functional roles and the information of the abnormal information-flow functional roles.
5. The dynamic quantitative assessment method for network attack consequences as claimed in claim 1 or 2, characterized in that step (2) comprises the following sub-steps:
(2.1) obtaining, according to the multilevel flow model, the quantitative assessment value of the impact of the network attack on the output of a process;
specifically, when the network attack makes a functional role $Irole_{u,i}$ in the information flow $Inf\text{-}flow_u$ abnormal, so that a parameter value in its attributes is wrong, the abnormal control value $ctl_u(t)$ output by the information flow $Inf\text{-}flow_u$ is obtained from the relational model between information flow and functional roles;
then, from the effect of the information-flow regulation parameter on the parameters of the controllable functional roles of the material flow, the parameter value $Par_{k,l}(t)$ of each functional role in the material flow $Mat\text{-}flow_k$ is obtained;
and, from the material-flow/information-flow coupling model of process $Process_i$, the output material quantity $prc_i(t)$ of process $Process_i$ is obtained, giving the quantitative assessment value of the impact of the network attack on the running of the process;
(2.2) according to said quantitative assessment value and the relational model between the site's material output and its processes, obtaining the material output $Serv_i(t)$ of site i when site i is subjected to the network attack;
(2.3) calculating, according to the multilevel flow models of the sites, the output material quantities of all sites, attacked and not attacked, at the moment the attack occurs.
6. The dynamic quantitative assessment method for network attack consequences as claimed in claim 1 or 2, characterized in that step (3) comprises the following sub-steps:
(3.1) establishing the multilayer graph model of the topology of the industrial critical infrastructure, placing the propagation processes that take place at the same moment in the same level;
(3.2) establishing a situation prediction model from the diffusion, in the multilayer graph model, of the abnormal site output caused by the network attack, and performing situation prediction.
7. The dynamic quantitative assessment method for network attack consequences as claimed in claim 6, characterized in that the method of establishing the multilayer graph model in step (3.1) comprises the following sub-steps:
(3.1.1) establishing the topology graph of the transport network of the industrial critical infrastructure;
the topology graph is a directed acyclic complex network $\langle G, E \rangle$; G is the set of sites and E is the set of pipeline edges between sites; the site set G is divided into the production site set $G_g$, the transmission site set $G_t$ and the consumption site set $G_c$;
(3.1.2) building trees with production sites as root nodes, transmission sites as intermediate nodes and consumption sites as leaf nodes, to obtain the set of paths from the production sites to the consumption sites;
a tree is built with each production site in the production site set $G_g$ as root node, transmission sites as intermediate nodes and consumption sites as leaf nodes; l production sites yield l trees;
(3.1.3) merging the l trees into a multilayer graph according to the rule of path segmentation, so that the edge set E of the acyclic complex network $\langle G, E \rangle$ is divided into multiple different sets, the edges in the same set being in the same time period of the material flow process; the edges of the same time period are assigned to the same level of the multilayer graph, giving the multilayer graph model of the topology network of the industrial critical infrastructure.
8. The dynamic quantitative assessment method for network attack consequences as claimed in claim 6 or 7, characterized in that step (3.2) comprises the following sub-steps:
(3.2.1) calculating the material throughput of each site for a single step, according to the propagation process of the abnormal site output material in the industrial critical infrastructure network and the multilevel flow model;
(3.2.2) calculating, according to the multilayer graph model, the material output state of each site of the industrial critical infrastructure in each period after the network attack occurs;
(3.2.3) obtaining, according to the multilevel flow model, the output of each site after the system has stabilized.
9. The dynamic quantitative assessment method for network attack consequences as claimed in claim 1 or 2, characterized in that step (4) comprises the following sub-steps:
(4.1) obtaining the revenue loss of the operator of the industrial critical infrastructure
$$Loss_1 = \sum_{i=1}^{l}\left[\left(Serv_{g,i}(t-\Delta t) - Serv_{g,i}(t+h\times\Delta t)\right)\times(t_n - t)\times price\right];$$
$\{Serv_{g,1}(t-\Delta t), \ldots, Serv_{g,l}(t-\Delta t)\}$ are the material outputs of all production sites of the industrial critical infrastructure, which has l production sites, when it is not under network attack;
$\{Serv_{g,1}(t+h\times\Delta t), \ldots, Serv_{g,l}(t+h\times\Delta t)\}$ are the material outputs of all production sites after the industrial critical system has been attacked and has stabilized; $t_n$ is the moment at which all damaged sites have been repaired, and $price$ is the unit price of the material produced by the sites;
(4.2) calculating the production and livelihood loss of consumers in the area covered by the industrial critical infrastructure
$$Loss_2 = \sum_{i=1}^{b}\left[\left(\left(Serv_{c,i}(t-\Delta t) - Serv_{c,i}(t+h\times\Delta t)\right)\times(t_n - t)\right)\times\sum_{j=1,2,3}\left(value_{i,j}\times p_{i,j}\right)\right];$$
where $\{Serv_{c,1}(t), \ldots, Serv_{c,b}(t)\}$ are the material quantities received by the consumption site set $G_c$; b is the number of consumption sites of the industrial critical infrastructure; $\{p_{i,1}, p_{i,2}, p_{i,3}\}$ are the shares of the material $Serv_{c,i}(t)$ obtained by consumption site $G_{c,i}$ that are supplied to industrial, commercial and civil use, with $p_{i,1} + p_{i,2} + p_{i,3} = 1$; $\{value_{i,1}, value_{i,2}, value_{i,3}\}$ are the social and economic values that the industrial, commercial and civil sectors near consumption site $G_{c,i}$ can create per unit of material service; $t_n$ is the moment at which all damaged sites have been repaired;
after the network attack, the material quantities received by the consumption sites change from $\{Serv_{c,1}(t-\Delta t), \ldots, Serv_{c,b}(t-\Delta t)\}$ to $\{Serv_{c,1}(t+h\times\Delta t), \ldots, Serv_{c,b}(t+h\times\Delta t)\}$;
(4.3) obtaining the total loss caused by the network attack from the loss values of the operator of the industrial critical infrastructure and of the consumers: $Loss = Loss_1 + Loss_2$.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610929385.9A CN106559414B (en) 2016-10-31 2016-10-31 Network attack consequence dynamic quantitative appraisal procedure based on region situation information


Publications (2)

Publication Number Publication Date
CN106559414A true CN106559414A (en) 2017-04-05
CN106559414B CN106559414B (en) 2018-02-27

Family

ID=58443166


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant