CN109639670B - Knowledge graph-based industrial control network security situation quantitative evaluation method - Google Patents


Info

Publication number: CN109639670B
Authority: CN (China)
Prior art keywords: vulnerability, host, score, attack, knowledge graph
Legal status: Active
Application number: CN201811504551.6A
Other languages: Chinese (zh)
Other versions: CN109639670A
Inventor: 石凌志
Current assignee: Datang Dalian New Energy Co ltd; Faku Branch Of Liaoning Datang International New Energy Co ltd; Liaoning Datang International Changtu Wind Power Co ltd; Liaoning Datang International Fuxin Wind Power Co ltd; Liaoning Datang International New Energy Co ltd; Beijing Winicssec Technologies Co Ltd
Original assignee: Beijing Winicssec Technologies Co Ltd
Events: application filed by Beijing Winicssec Technologies Co Ltd; priority to CN201811504551.6A; publication of CN109639670A; application granted; publication of CN109639670B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis

Abstract

The invention relates to the field of industrial control network security, in particular to a knowledge-graph-based method for quantitatively evaluating the security situation of an industrial control network. The method uses knowledge graph technology, supports fast graph computation on a graph database, calculates the indirect threats brought by attack events through breadth traversal and depth traversal, evaluates risk more comprehensively, and facilitates early warning of threats that have not yet occurred.

Description

Knowledge graph-based industrial control network security situation quantitative evaluation method
Technical Field
The invention relates to the field of industrial control network security, in particular to an industrial control network security situation quantitative evaluation method based on a knowledge graph.
Background
Quantitative evaluation of the network security situation is an important function of a security situation awareness system, and also one of its technical difficulties.
The traditional quantitative scoring method for network security situation assessment generally first performs a security assessment on each single asset and then computes a weighted sum of the asset scores according to the importance of each asset to obtain the security situation score of the network. When a single asset is evaluated, a vulnerability score is generally produced from the vulnerabilities of the asset, and some vulnerabilities are evaluated in combination with attack information.
Existing algorithms cannot effectively combine attacks, vulnerabilities and network topology into one comprehensive evaluation, so the evaluation of threats is not accurate enough. Some attacks are only effective against a single machine and cannot spread in the network; their threat index is smaller. Other attacks can effectively exploit existing vulnerabilities to spread in the network, using one machine as a springboard to possibly affect a number of hosts; their threat index is larger.
For example, Chinese patent application CN201710234882.1 discloses a network security dynamic early warning method based on a knowledge graph. That patent constructs a knowledge graph for the network security data and domain knowledge of a complex heterogeneous environment, extracts target information with a graph query method oriented to the network security domain, and obtains an accurate description of the target information by sorting and analysing the security data. Its key point is to quickly query attack events and determine the targets related to them. The knowledge graph mainly stores information related to the attack source IP (region and enterprise), information related to the attack destination IP (region and enterprise) and the attack type. The structure of that knowledge graph is shown in fig. 1; clearly, that patent does not address threat risk analysis or security situation assessment.
As another example, Chinese patent application CN201810036765.9 discloses a distributed security event correlation analysis method based on a knowledge graph. That patent constructs a network security knowledge graph with five dimensions, namely a basic dimension (assets), a vulnerability dimension, a threat dimension, an alarm event dimension and an attack rule dimension, and performs multi-way correlation analysis on security events, so that false alarms can be reduced and alarm aggregation and accurate identification can be achieved. The distributed architecture of the system is also emphasised. Its architecture is shown in fig. 2; clearly, that patent focuses on the correlation analysis of multiple alarm events and does not address network topology information, attack prediction or security situation assessment of the whole network.
As a further example, Chinese patent application CN201710050255.2 discloses a quantitative evaluation method for the network security situation based on an attack graph, in the technical field of information security. The method specifically comprises: step one, generating an attack graph; step two, evaluating the importance of the nodes in the attack graph G; step three, on the basis of step one, calculating the maximum probability of successful penetration of the nodes in the attack graph G; step four, obtaining the evaluation value of the network security situation. That patent uses network topology knowledge to evaluate the security situation comprehensively (its technical architecture is shown in fig. 3), but it does not use knowledge graph technology, and its attack graph model is a relatively complex theoretical one: the attack graph is G = (C0 ∪ Cd ∪ T, E), where C0 represents the initial node set, Cd the intermediate node set, T the target node set, and E the set of phased arcs connecting the nodes. This model is much more complex and harder to implement than a knowledge graph. When evaluating the importance of an attacked node the method uses the PageRank algorithm, a web page scoring standard, which is not suited to industrial control networks and cannot reflect the importance of a node to industrial control production. In addition, because the graph model is complex, the algorithm for calculating the attack penetration success rate is also complex and difficult to implement in a product.
In view of the incompleteness of the traditional security situation assessment scheme and of the schemes in the related patents, this patent proposes a knowledge graph technique that fuses knowledge of the network topology, asset information, the vulnerability library, the attack model and so on into a complete network security knowledge graph, performs a complete quantitative assessment of the security situation of the whole network on the basis of that graph, and gives early warning of attack diffusion.
Some of the technical terms of the inventive solution are explained:
Attack patterns are classified into 4 broad categories in this patent, with reference to the definitions of KDD 99:
1) DoS (Denial-of-Service): denial of service attacks such as ping-of-death, smurf, etc.;
2) R2L (Unauthorized Access from a Remote Machine to a Local Machine): unauthorized access from a remote host, such as guessing a password;
3) U2R (Unauthorized Access to Local Superuser Privileges by a Local Unprivileged User): unauthorized access to local superuser privileges, such as buffer overflow attacks;
4) PROBING (Surveillance and Other Probing): port monitoring or scanning, such as port-scan, ping-scan, etc.
Adopting the KDD99 broad classes of attack is relatively simple and makes the patent's solution easier to define in this document. In actual use the attack categories can be refined so that the effect of an attack can be analysed more accurately.
KDD is short for Knowledge Discovery and Data Mining, and the KDD99 dataset is the dataset used in the KDD competition held in 1999. Although old, the KDD99 dataset remains the de facto basis for the field of network intrusion detection.
This patent preferably uses Neo4j to construct and store the knowledge graph. Neo4j is a high-performance graph database engine that models data as a graph, expressing domain data in a node space. The whole data space consists of three elements, nodes, attributes and relationships; nodes and relationships can each have several attributes, and an attribute is a Key-Value pair. Neo4j addresses the performance degradation that occurs with large association queries in a conventional RDBMS: because the data is modelled around the graph, Neo4j traverses nodes and edges at nearly the same speed regardless of the amount of data that makes up the graph.
Direct threat index HRS: the security threat created by an attack event that occurs directly on the host.
Indirect threat index NRS: the security threat that attack events occurring at other nodes in the network may bring to this node.
Disclosure of Invention
The invention aims to provide a knowledge-graph-based method for quantitatively evaluating the security situation of an industrial control network, which evaluates the network security situation comprehensively and accurately and addresses the defects of the prior art.
The knowledge-graph-based method for quantitatively evaluating the security situation of an industrial control network comprises the following steps:
step 1, defining and constructing a network security knowledge graph:
1) defining the knowledge graph as KG, where KG = {E, R}; E represents the set of all nodes in the network security knowledge graph and comprises hosts and vulnerabilities; R represents the set of relationships between nodes in the network security knowledge graph,
[formula image]
including having, communicating and associating;
2) specific specifications and definitions are set for E and R in the network security knowledge graph:
the nodes in E are divided into 2 types: Host and Vulnerability;
a host has the following attributes: Name, IP (IP address), MAC (MAC address), OS (operating system), Version, and Weights (service weight);
a vulnerability has the following attributes: ID (CVE identifier, unique identification), Name, Description, Type (vulnerability type), Score (CVSS score), Soft (affected software information), Patch (patch information), AV (attack vector), AC (attack complexity), PR (privileges required), UI (user interaction), Scope (scope of influence), Confidentiality, Integrity, and Availability;
R comprises the relationships between hosts and the relationships between hosts and vulnerabilities. The relationship between hosts is labelled Connection, representing a network connection from one host to another, with attributes Direction (flow direction) and Bandwidth; the value range of Direction is In (receiving), Out (sending), All (bidirectional) and Unknown;
the relationship between a host and a vulnerability is labelled Has, marking that the host has a certain vulnerability;
step 2, defining the service weight of the nodes in the network security knowledge graph:
the service weight of a node is denoted Weights and represents the importance of the node to the industrial control service; its range is defined as 1-10, and the higher the score, the higher the weight;
step 3, calculating the threat index from the attack events:
1) attack events are classified into 4 categories: DoS (denial of service), R2L (remote unauthorized access), U2R (unauthorized local superuser access) and PROBING (scanning);
2) calculating the direct threat index HRS of the attacked host:
the direct threat index of a single host is evaluated by combining the service weight of the attack target, the vulnerability score and the degree of match between the attack event and the vulnerability;
the score of a vulnerability is denoted Score, with a value range of 0-10;
define VS = {Score_1, Score_2, Score_3, ..., Score_m}, where m is the number of vulnerabilities;
the degree of match between an attack event and a vulnerability is denoted Match, with a value range of 0-10; the match score is evaluated comprehensively from the attack type and the CVSS score of the vulnerability;
define VM = {Match_1, Match_2, Match_3, ..., Match_m}, where m is the number of vulnerabilities;
a single host may have several vulnerabilities, and when several attack events occur, the direct threat index HRS takes the maximum of the products of the score of each attack event and the score of the vulnerability it matches;
the direct threat index HRS of an attacked single host is calculated as follows:
[formula image]
where 0 ≤ HRS ≤ 100;
3) calculating the indirect threat index NRS of a host:
the indirect threat index NRS is determined by the spread of attack events, i.e. the follow-on attacks that may be caused after the node where an attack event occurs has been compromised;
the spread index of an attack event is denoted Spread, with a value range of 0-10;
the depth of the depth traversal is denoted Depth; the depth of a node adjacent to the attacked node is 1, and it increases by one per hop;
the indirect threat index NRS_ONE of a single attacked node on an adjacent node is calculated by the formula:
NRS_ONE = Max{Score | Score ∈ VS} × Spread × 0.8^Depth, Depth ≤ 8, 0 ≤ NRS_ONE ≤ 100;
the influence of several attacked nodes is superposed, and the indirect threat index NRS of the adjacent node is calculated as follows:
[formula image]
0 ≤ NRS ≤ 100;
4) calculating the complete threat index RS of a host:
the complete threat index RS of a host is the maximum of the direct threat index and the indirect threat index:
RS = Max{HRS, NRS}, 0 ≤ RS ≤ 100;
5) calculating the threat index NetworkRS of the whole network:
the threat index NetworkRS of the whole network is calculated from the threat indices and weights of all hosts by a weighted mean, as follows:
[formula image]
0 ≤ NetworkRS ≤ 100, where k is the number of hosts.
Further, in step 1, the vulnerabilities contained in E are obtained by scanning the whole network with a vulnerability scanning tool.
Further, in step 1, the association relationships between hosts and vulnerabilities in R are obtained by scanning with a vulnerability scanning tool.
Further, in step 3, the vulnerability score value is proportional to the severity of the vulnerability, and the match value is proportional to the degree to which the attack event matches the vulnerability.
Further, in step 3, the value of the spread index Spread of an attack event increases with the degree of spread propagation; at the same time, Spread attenuates as the path deepens, each path layer retaining 80 percent of the previous one; for a DoS attack the initial value of Spread is set to 0, and for other attacks it is set to 10.
Further, the service weight Weights, the vulnerability score Score, the match degree Match between attack event and vulnerability, the spread index Spread of the attack event and the Depth of the depth traversal are adjusted according to the real-time evaluation conditions of the industrial control network.
Compared with the prior art, the knowledge-graph-based method for quantitatively evaluating the security situation of an industrial control network has the following beneficial effects:
1. It uses knowledge graph technology and supports rapid graph computation on a graph database.
2. It combines attack and vulnerability information, and so evaluates the threats brought by attack events more accurately.
3. It is combined with the network graph, calculates the indirect threats brought by attack events through breadth traversal and depth traversal, evaluates risk more comprehensively, and facilitates early warning of threats that have not yet occurred.
4. It incorporates the service weight of each node, so the calculated threat index is more meaningful.
Drawings
FIG. 1 is the knowledge graph of Chinese patent application CN201710234882.1;
FIG. 2 is the technical architecture diagram of Chinese patent application CN201810036765.9;
FIG. 3 is the technical architecture diagram of Chinese patent application CN201710050255.2;
FIG. 4 is the system flow chart of the knowledge-graph-based method for quantitatively evaluating the security situation of an industrial control network;
FIG. 5 is an example knowledge graph for the knowledge-graph-based method for quantitatively evaluating the security situation of an industrial control network.
Detailed Description
The invention is further described below with reference to the drawings and specific embodiments.
As shown in fig. 4, the knowledge-graph-based method for quantitatively evaluating the security situation of an industrial control network comprises the following steps:
step 1, defining and constructing a network security knowledge graph:
1) defining the knowledge graph as KG, where KG = {E, R}; E represents the set of all nodes in the network security knowledge graph and comprises hosts and vulnerabilities; R represents the set of relationships between nodes in the network security knowledge graph,
[formula image]
including having, communicating, associating, etc.; both E and R may have one or more attributes, i.e. Key-Value pairs.
2) specific specifications and definitions are set for E and R in the network security knowledge graph:
the nodes in E are divided into 2 types: Host and Vulnerability;
a host has the following attributes (Key: Value):
Name: name, unique identifier
IP: IP address
MAC: MAC address
OS: operating system
Version: version number
Weights: weight, degree of service importance
a vulnerability has the following attributes:
[attribute table image]
R comprises the relationships between hosts and the relationships between hosts and vulnerabilities; the association between a host and a vulnerability is obtained by scanning with a vulnerability scanning tool. The relationship between hosts is labelled Connection, representing a network connection from one host to another, with the following attributes:
[attribute table image]
the relationship between a host and a vulnerability is labelled Has, marking that the host has a certain vulnerability;
step 2, defining the service weight of the network nodes:
the service weight of an asset is denoted Weights and represents the importance of the node to the industrial control service; its range, 1-10, is defined manually by the administrator, and the higher the score, the higher the weight;
step 3, calculating the threat index from the attack events:
1) attack events are classified into 4 categories: DoS (denial of service), R2L (remote unauthorized access), U2R (unauthorized local superuser access) and PROBING (scanning);
2) calculating the direct threat index HRS of the attacked host:
the direct threat index of a single host is evaluated by combining the service weight of the attack target, the vulnerability score and the degree of match between the attack event and the vulnerability;
the vulnerability score is denoted Score, with a value range of 0-10; the value of the vulnerability score is proportional to the severity of the vulnerability;
define VS = {Score_1, Score_2, Score_3, ..., Score_m}, where m is the number of vulnerabilities;
the degree of match between an attack event and a vulnerability is denoted Match, with a value range of 0-10; the match score is evaluated comprehensively with reference to the attack type and the CVSS score of the vulnerability, and its value is proportional to how well the attack event matches the vulnerability;
define VM = {Match_1, Match_2, Match_3, ..., Match_m}, where m is the number of vulnerabilities;
a single host may have several vulnerabilities, and when several attack events occur, the direct threat index HRS takes the maximum of the products of the score of each attack event and the score of the vulnerability it matches;
the direct threat index HRS of an attacked single host is calculated as follows:
[formula image]
where 0 ≤ HRS ≤ 100;
3) calculating the indirect threat index NRS of a host:
the indirect threat index NRS is determined by the spread of the attack event, i.e. the follow-on attacks that may be caused after the node where the attack event occurs has been compromised. Starting from the attacked target and using the graph computation capability of the network security knowledge graph, a breadth traversal is performed first and then a depth traversal: the reachable adjacent nodes of the attacked node are traversed first, and the traversal then advances in depth from those adjacent nodes. By calculating the diffusion range of the attack event in the network graph, the indirect threat index NRS of each possibly affected host node is obtained.
Whether an attack event on one host can spread across the network into a network attack is decided mainly by the attack type and the vulnerability types of the adjacent nodes. Per the definition above, attack types fall into 4 categories; a DoS attack mainly threatens a single node and the attacked node is not used as a springboard to spread across the network, while the other attacks may spread across the network.
The spread index of an attack event is denoted Spread, with a value range of 0-10; the value of Spread increases with the degree of spread propagation; at the same time, Spread attenuates as the path deepens, each path layer retaining 80 percent of the previous one; for a DoS attack the initial value of Spread is set to 0, and for other attacks it is set to 10;
the depth of the depth traversal is denoted Depth; the depth of a node adjacent to the attacked node is 1, and it increases by one per hop;
the indirect threat index NRS_ONE of a single attacked node on an adjacent node is calculated by the formula:
NRS_ONE = Max{Score | Score ∈ VS} × Spread × 0.8^Depth, Depth ≤ 8, 0 ≤ NRS_ONE ≤ 100;
the influence of several attacked nodes is superposed, and the indirect threat index NRS of the adjacent node is calculated as follows:
[formula image]
0 ≤ NRS ≤ 100;
4) calculating the complete threat index RS of a host:
the complete threat index RS of a host is the maximum of the direct threat index and the indirect threat index:
RS = Max{HRS, NRS}, 0 ≤ RS ≤ 100;
5) calculating the threat index NetworkRS of the whole network:
the threat index NetworkRS of the whole network is calculated from the threat indices and weights of all hosts by a weighted mean, as follows:
[formula image]
0 ≤ NetworkRS ≤ 100;
further, the service weight Weights, the vulnerability score Score, the match degree Match between attack event and vulnerability, the spread index Spread of the attack event and the Depth of the depth traversal are adjusted according to the real-time evaluation conditions of the industrial control network.
For example, combining data produced by asset scanning, vulnerability scanning, topology generation and similar technologies, a network security knowledge graph is constructed as shown in fig. 5, and the corresponding host service weights and vulnerability scores are set as follows:
host-1: has vulnerability-1 and vulnerability-2, service weight 5, a general service host.
host-2: has vulnerability-2, service weight 10, an important service host.
host-3: has no vulnerabilities, service weight 10, an important service host.
host-4: has vulnerability-2, service weight 5, a general service host.
host-5: has vulnerability-1, service weight 5, a general service host.
host-6: has vulnerability-2, service weight 5, a general service host.
vulnerability-1: vulnerability Score 10, a high-risk vulnerability, triggered over the network.
vulnerability-2: vulnerability Score 5, a general vulnerability, triggered over the network.
Assume a remote attack of type R2L is encountered whose target is host-1. The direct threat index of host-1 is HRS = 5 × (10 × 10 / 10) = 50; since there is only this one attack event, the threat index of host-1 is RS = 50.
The other hosts are not under direct attack but are under indirect threat. Traversing from host-1, host-2 is reached first.
The indirect threat index of host-2 from this attack is NRS_ONE = 5 × 10 × 0.8 = 40; because there is only this one attack event, the indirect threat index of host-2 is NRS = 10 × (40 / 10) = 40.
Finally, the threat index of host-2 is RS = 40.
From host-2 the traversal reaches host-3 and host-4. host-3 has no vulnerabilities, so its threat index is 0; for host-4, NRS_ONE = 5 × 10 × 0.8 × 0.8 = 32, NRS = 5 × (32 / 10) = 16, and RS = 16.
There is no connection from host-4 to host-5 and host-6, so this attack has no effect on host-5 and host-6, and their threat index is 0.
Finally, the threat index of the whole network is calculated as:
NetworkRS = (50 + 40 + 16) / (5 + 10 + 10 + 5 + 5 + 5) × 10 = 26.5.
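The fig. 5 walkthrough above, as an added Python implementation of steps 1 to 3 (example code, not the patent's own): it holds the knowledge graph in plain dictionaries in place of Neo4j, computes HRS, NRS, RS and NetworkRS, and reproduces NetworkRS = 26.5. The NRS_ONE formula is the one stated in claim 1; the HRS, NRS and NetworkRS formulas are assumptions inferred from the worked numbers, since their formula images are not reproduced on this page, and the event's Match values and the Connection directions are constructed.

```python
# Added example, not the patent's own code. NRS_ONE follows claim 1; the HRS, NRS and
# NetworkRS formulas (whose images are not reproduced here) are assumed from the fig. 5
# numbers: HRS = Weights*max(Score*Match)/10, NRS = Weights*sum(NRS_ONE)/10,
# NetworkRS = sum(RS)/sum(Weights)*10.
from collections import deque
from dataclasses import dataclass

SPREAD_INITIAL = {"DoS": 0, "R2L": 10, "U2R": 10, "PROBING": 10}  # DoS does not pivot
DECAY = 0.8      # Spread keeps 80 percent per hop: Spread * 0.8 ** Depth
MAX_DEPTH = 8    # claim 1: Depth <= 8


@dataclass
class Host:
    weight: int    # Weights, 1-10, set by the administrator
    vulns: list    # ids of the vulnerabilities this host Has


@dataclass
class KnowledgeGraph:
    hosts: dict         # host name -> Host
    vuln_scores: dict   # vulnerability id -> Score (0-10, CVSS based)
    connections: dict   # Connection relations: src host -> set of hosts reachable from it


def clamp(x):
    """Every index in the method is defined on 0-100."""
    return max(0.0, min(100.0, x))


def direct_threat(kg, host, events):
    """HRS: Weights * max(Score * Match) / 10 over events aimed at this host."""
    best = 0.0
    for ev in events:
        if ev["target"] == host:
            for v in kg.hosts[host].vulns:
                best = max(best, kg.vuln_scores[v] * ev["match"].get(v, 0))
    return clamp(kg.hosts[host].weight * best / 10)


def spread_depths(kg, source):
    """Breadth-first traversal from the attacked node: host -> Depth (neighbours are 1)."""
    depths, queue, seen = {}, deque([(source, 0)]), {source}
    while queue:
        node, d = queue.popleft()
        if d >= MAX_DEPTH:
            continue
        for nxt in kg.connections.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                depths[nxt] = d + 1
                queue.append((nxt, d + 1))
    return depths


def indirect_threat(kg, events):
    """NRS: sum over attacked nodes of NRS_ONE = max Score of the reached host's own
    vulnerabilities * Spread * 0.8 ** Depth, then * Weights / 10."""
    nrs_one = {h: 0.0 for h in kg.hosts}
    for ev in events:
        spread = SPREAD_INITIAL[ev["type"]]
        if spread == 0:    # DoS stays on the attacked node
            continue
        for h, depth in spread_depths(kg, ev["target"]).items():
            scores = [kg.vuln_scores[v] for v in kg.hosts[h].vulns]
            nrs_one[h] += max(scores, default=0) * spread * DECAY ** depth
    return {h: clamp(kg.hosts[h].weight * s / 10) for h, s in nrs_one.items()}


def evaluate(kg, events):
    """Returns (HRS, NRS, RS) per host and NetworkRS for a list of attack events."""
    hrs = {h: direct_threat(kg, h, events) for h in kg.hosts}
    nrs = indirect_threat(kg, events)
    rs = {h: max(hrs[h], nrs[h]) for h in kg.hosts}
    total_weight = sum(h.weight for h in kg.hosts.values())
    return hrs, nrs, rs, round(clamp(sum(rs.values()) / total_weight * 10), 2)


def fig5_example():
    """Constructed input reproducing the fig. 5 walkthrough: one R2L event against host-1."""
    kg = KnowledgeGraph(
        hosts={
            "host-1": Host(5, ["vulnerability-1", "vulnerability-2"]),
            "host-2": Host(10, ["vulnerability-2"]),
            "host-3": Host(10, []),
            "host-4": Host(5, ["vulnerability-2"]),
            "host-5": Host(5, ["vulnerability-1"]),
            "host-6": Host(5, ["vulnerability-2"]),
        },
        vuln_scores={"vulnerability-1": 10, "vulnerability-2": 5},
        # host-1 -> host-2 -> {host-3, host-4}; nothing reaches host-5 or host-6
        connections={"host-1": {"host-2"}, "host-2": {"host-3", "host-4"}},
    )
    events = [{"type": "R2L", "target": "host-1", "match": {"vulnerability-1": 10}}]
    return evaluate(kg, events)   # NetworkRS = 26.5, as in the patent's walkthrough
```

Because a DoS event has Spread 0, it never enters the traversal, so only the attacked host's RS moves; every other category spreads until 0.8^Depth has decayed it or Depth reaches 8.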
the above description is only a preferred embodiment of the present invention, and all equivalent changes and modifications made in accordance with the claims of the present invention are included in the scope of the present invention.

Claims (6)

1. A knowledge-graph-based method for quantitatively evaluating the security situation of an industrial control network, characterised by comprising the following steps:
step 1, defining and constructing a network security knowledge graph:
1) defining the knowledge graph as KG, where KG = {E, R}; E represents the set of all nodes in the network security knowledge graph and comprises hosts and vulnerabilities; R represents the set of relationships between nodes in the network security knowledge graph,
[formula image]
including having, communicating and associating;
2) specific specifications and definitions are set for E, R in the network security knowledge graph:
E comprises the following nodes: host and vulnerability;
a host has the following attributes: Name, IP, MAC, OS, Version, and Weights;
a vulnerability has the following attributes: ID, Name, Description, Type, Score, Soft, Patch, AV, AC, PR, UI, Scope, Confidentiality, Integrity, and Availability;
R comprises the relationships between hosts and the relationships between hosts and vulnerabilities; the relationship between hosts is labelled Connection, representing a network connection from one host to another, with attributes Direction and Bandwidth; the value range of Direction is In, Out, All and Unknown;
the relationship between a host and a vulnerability is labelled Has, marking that the host has a certain vulnerability;
step 2, defining the service weight of the nodes in the network security knowledge graph:
the service weight of a node is denoted Weights and represents the importance of the node to the industrial control service; its range is defined as 1-10, and the higher the score, the higher the weight;
step 3, calculating a threat index according to the attack event:
1) attack events are classified into 4 categories: DoS, R2L, U2R, and PROBING;
2) calculating the direct threat index HRS of the attacked host:
the direct threat index of a single host is evaluated by combining the service weight of the attack target, the vulnerability score and the degree of match between the attack event and the vulnerability;
the score of a vulnerability is denoted Score, with a value range of 0-10;
define VS = {Score_1, Score_2, Score_3, ..., Score_m}, where m is the number of vulnerabilities;
the degree of match between an attack event and a vulnerability is denoted Match, with a value range of 0-10; the match score is evaluated comprehensively from the attack type and the CVSS score of the vulnerability;
define VM = {Match_1, Match_2, Match_3, ..., Match_m}, where m is the number of vulnerabilities;
a single host may have several vulnerabilities, and when several attack events occur, the direct threat index HRS takes the maximum of the products of the score of each attack event and the score of the vulnerability it matches;
the direct threat index HRS of an attacked single host is calculated as follows:
[formula image]
where 0 ≤ HRS ≤ 100;
3) calculating the indirect threat index NRS of a host:
NRS is influenced by the spread of an attack event; the spread index of the attack event is denoted Spread and has a value range of 0-10;
the depth of the depth traversal is denoted Depth; a node adjacent to the attacked node has Depth 1, and Depth increases by one per hop;
the indirect threat index NRS_ONE of a single attacked node on a neighbouring node is calculated by the formula:
NRS_ONE = Max{Score | Score ∈ VS} * Spread * 0.8^Depth,
Depth ≤ 8, 0 ≤ NRS_ONE ≤ 100;
the influences of several attacked nodes are superposed, and the indirect threat index NRS of a neighbouring node is calculated as follows:
(NRS formula given as an equation image, FDA0002954346740000022, not reproduced here)
0 ≤ NRS ≤ 100;
4) calculating the complete threat index RS of the host:
the complete threat index RS of the host takes the maximum value of the direct threat index and the indirect threat index as follows:
RS = Max{HRS, NRS}, 0 ≤ RS ≤ 100;
5) calculating the threat index NetworkRS of the whole network:
the threat index NetworkRS of the whole network is calculated by a weighted mean over the threat indices and the weights of all hosts, with the formula:
(NetworkRS formula given as an equation image, FDA0002954346740000023, not reproduced here)
where 0 ≤ NetworkRS ≤ 100 and k is the number of hosts.
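The following is an added example, not part of the patent, that runs claim 1's step 3 over a small constructed knowledge graph. The HRS, NRS-superposition and NetworkRS formulas are only images on this page, so the forms used here are assumptions (marked in comments): HRS = max(Score*Match) scaled by Weights/10, indirect influences summed and capped at 100, and NetworkRS as the Weights-weighted mean of RS. The host names, vulnerability scores and Match values are constructed sample data.

```python
# Added example (not from the patent): threat indices of claim 1, step 3.
from collections import deque

# Constructed sample graph: host -> (Weights 1-10, {vuln_id: Score 0-10})
HOSTS = {
    "HMI": (8, {"V1": 9.8, "V2": 5.0}),
    "PLC": (10, {"V3": 7.5}),
    "HIST": (4, {}),
    "ENG": (6, {"V4": 6.1}),
}
# Connection edges, treated as Direction=All (reachable both ways)
CONNECTIONS = [("HMI", "PLC"), ("HMI", "HIST"), ("HIST", "ENG")]
# Claim 5: initial Spread is 0 for DoS and 10 for the other categories
SPREAD = {"DoS": 0, "R2L": 10, "U2R": 10, "PROBING": 10}

def neighbours(host):
    return [b if a == host else a for a, b in CONNECTIONS if host in (a, b)]

def hrs(host, events):
    """Direct threat index. events: [(attack_type, vuln_id, Match 0-10), ...].
    ASSUMED form: max(Score*Match) * Weights/10, capped so 0 <= HRS <= 100."""
    weight, vulns = HOSTS[host]
    products = [vulns[v] * match for _, v, match in events if v in vulns]
    return min(100.0, max(products, default=0.0) * weight / 10)

def nrs_one(src_host, spread, max_depth=8):
    """NRS_ONE = Max{Score in VS} * Spread * 0.8**Depth for each node reached by
    breadth-first traversal from src_host (Depth 1 = adjacent, Depth <= 8)."""
    _, vulns = HOSTS[src_host]
    base = max(vulns.values(), default=0.0) * spread
    result, seen, queue = {}, {src_host}, deque([(src_host, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:          # do not expand beyond Depth 8
            continue
        for nb in neighbours(node):
            if nb not in seen:
                seen.add(nb)
                result[nb] = min(100.0, base * 0.8 ** (depth + 1))
                queue.append((nb, depth + 1))
    return result

def evaluate(attacks):
    """attacks: {host: [(attack_type, vuln_id, Match), ...]} -> (RS per host, NetworkRS).
    ASSUMED: NRS sums the NRS_ONE of all attacked nodes (cap 100); NetworkRS is the
    Weights-weighted mean of RS over the k hosts."""
    direct = {h: hrs(h, ev) for h, ev in attacks.items()}
    indirect = {h: 0.0 for h in HOSTS}
    for h, ev in attacks.items():
        spread = max(SPREAD[t] for t, _, _ in ev)   # strongest event on this host
        for nb, val in nrs_one(h, spread).items():
            indirect[nb] = min(100.0, indirect[nb] + val)
    rs = {h: max(direct.get(h, 0.0), indirect[h]) for h in HOSTS}   # RS = Max{HRS, NRS}
    total_w = sum(w for w, _ in HOSTS.values())
    return rs, sum(rs[h] * HOSTS[h][0] for h in HOSTS) / total_w
```

With one R2L and one PROBING event on HMI and a DoS event on PLC, the DoS event spreads nothing (Spread 0) while HMI's events raise PLC's indirect index above its direct one.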
2. The knowledge graph-based industrial control network security situation quantitative evaluation method as claimed in claim 1, wherein in step 1 the vulnerabilities contained in E are obtained by scanning the whole network with a vulnerability scanning tool.
3. The knowledge graph-based industrial control network security situation quantitative evaluation method as claimed in claim 1, wherein in step 1 the association relationship between hosts and vulnerabilities in R is obtained by scanning with a vulnerability scanning tool.
4. The knowledge graph-based industrial control network security situation quantitative evaluation method as claimed in claim 1, wherein in step 3 the score value of a vulnerability is proportional to the severity of the vulnerability, and the match value of an attack event and a vulnerability is proportional to the degree to which the attack event matches the vulnerability.
5. The knowledge graph-based industrial control network security situation quantitative evaluation method as claimed in claim 1, wherein in step 3 the value of the spread index Spread of an attack event increases with the degree of propagation of the attack event; at the same time the value of Spread attenuates as the path deepens, the attenuation per layer of the path being 80 percent; for a DoS attack the initial value of Spread is set to 0, and for other attacks the initial value of Spread is set to 10.
6. The knowledge graph-based industrial control network security situation quantitative evaluation method as claimed in claim 1, wherein the service weight Weights in step 2, the vulnerability Score in step 3 item 2), the match degree Match between a vulnerability attack event and a vulnerability in step 3 item 2), the spread index Spread of the attack event in step 3 and the depth Depth of the depth traversal in step 3 are adjusted according to the real-time evaluation conditions of the industrial control network.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811504551.6A CN109639670B (en) 2018-12-10 2018-12-10 Knowledge graph-based industrial control network security situation quantitative evaluation method

Publications (2)

Publication Number Publication Date
CN109639670A CN109639670A (en) 2019-04-16
CN109639670B true CN109639670B (en) 2021-04-16

Family

ID=66072562

Country Status (1)

Country Link
CN (1) CN109639670B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102340485A (en) * 2010-07-19 2012-02-01 Institute of Computing Technology, Chinese Academy of Sciences Network security situation awareness system and method based on information correlation
CN106897273A (en) * 2017-04-12 2017-06-27 Fuzhou University Network security dynamic early-warning method based on knowledge graph
CN108090703A (en) * 2018-01-17 2018-05-29 许军营 Analysis and assessment system for power distribution operation risk based on big data
CN108270785A (en) * 2018-01-15 2018-07-10 National University of Defense Technology, Chinese People's Liberation Army Knowledge graph-based distributed security event correlation analysis method
CN108594769A (en) * 2018-03-08 2018-09-28 上海洺淀智能科技有限公司 Industrial control system core network security device against external intrusion and security evaluation device
CN108810034A (en) * 2018-08-20 2018-11-13 杭州安恒信息技术股份有限公司 Safety protection method for industrial control system information assets

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10536472B2 (en) * 2016-08-15 2020-01-14 International Business Machines Corporation Cognitive analysis of security data with signal flow-based graph exploration

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20211119

Address after: 907, 9 / F, block F, No. 9, Shangdi 3rd Street, Haidian District, Beijing 100085

Patentee after: BEIJING WINICSSEC TECHNOLOGIES CO.,LTD.

Patentee after: LIAONING DATANG INTERNATIONAL NEW ENERGY Co.,Ltd.

Patentee after: LIAONING DATANG INTERNATIONAL CHANGTU WIND POWER Co.,Ltd.

Patentee after: Liaoning Datang International Fuxin Wind Power Co.,Ltd.

Patentee after: Datang (Dalian) new energy Co.,Ltd.

Patentee after: Faku branch of Liaoning Datang International New Energy Co.,Ltd.

Address before: 907, 9 / F, block F, No. 9, Shangdi 3rd Street, Haidian District, Beijing 100085

Patentee before: BEIJING WINICSSEC TECHNOLOGIES CO.,LTD.