CN110572409B - Industrial Internet security risk prediction method, device, equipment and storage medium - Google Patents


Info

Publication number
CN110572409B
Authority
CN
China
Prior art keywords
vulnerability
attack
host
predicted
current
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910870521.5A
Other languages
Chinese (zh)
Other versions
CN110572409A (en)
Inventor
王进
时忆杰
杨诗曼
何跃鹰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing University of Posts and Telecommunications
National Computer Network and Information Security Management Center
Original Assignee
Beijing University of Posts and Telecommunications
National Computer Network and Information Security Management Center
Application filed by Beijing University of Posts and Telecommunications and National Computer Network and Information Security Management Center
Priority to CN201910870521.5A
Publication of CN110572409A
Application granted
Publication of CN110572409B
Legal status: active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1433 Vulnerability analysis

Abstract

The embodiment of the invention provides a method and a device for predicting the security risk of an industrial internet, electronic equipment and a storage medium, wherein the method comprises the following steps: generating a host probing list based on a preset host probing method; searching an existing vulnerability library for the vulnerabilities and vulnerability description information of the service and/or communication protocol running on each host; based on the vulnerabilities existing in each host, acquiring the corresponding vulnerability basic scores from an existing vulnerability scoring system; establishing an attack rule base; taking the vulnerability to be predicted corresponding to an important host as the initial vulnerability attack node and reversely generating an attack graph; and acquiring the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability according to the basic attack probability of each vulnerability and the attack graph. Therefore, by applying the embodiment of the invention, unlike the prior art in which a traditional vulnerability scanning tool is used for vulnerability detection of equipment in the internet, the security risk of the industrial internet can be predicted without affecting network operation.

Description

Industrial Internet security risk prediction method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of network security, in particular to a method, a device, equipment and a storage medium for predicting security risk of an industrial internet.
Background
The industrial internet is the result of the convergence of industrial systems with advanced computing, analytics, sensing technologies and internet connectivity. It facilitates the exchange of information between users and industrial devices, but at the same time exposes the industrial internet to many security issues. The number of vulnerabilities associated with the industrial internet increases year by year; they are easily exploited by attackers, endanger the security of the industrial internet, damage industrial equipment and paralyse industrial control systems, affecting people's lives.
At present, in the related art, a traditional vulnerability scanning tool is generally used for vulnerability detection of devices in the internet, and the security risk of the network devices is predicted from the result. However, industrial equipment in an industrial internet system is usually required to run continuously, and this method is not suitable for an industrial internet system because the equipment may not operate normally while vulnerability detection is being performed on it.
Therefore, there is an urgent need for a method for predicting the security risk of the industrial internet, so as to predict the security risk of the industrial internet without affecting the operation of the network, thereby improving the security of the industrial internet.
Disclosure of Invention
The embodiment of the invention aims to provide a method, a device, equipment and a storage medium for predicting the security risk of an industrial internet, so as to predict the security risk of the industrial internet on the basis of not influencing network operation. The specific technical scheme is as follows:
in a first aspect, the present invention provides a method for predicting security risks of an industrial internet, the method comprising:
generating a host exploration list of each host in the industrial Internet to be predicted based on a preset host exploration method, and determining important hosts and non-important hosts according to preset importance weight values of the hosts; the host probe list includes: each host and the service and/or the corresponding communication protocol which are correspondingly operated on each host;
based on the host probing list, searching for vulnerabilities and vulnerability description information existing in the service and/or communication protocol of each host in an existing vulnerability library; the vulnerability description information includes: the precondition that each vulnerability is utilized and the result generated after each vulnerability is utilized; the precondition that the vulnerability is utilized comprises: the vulnerability is utilized, and the user operation authority of the host where the vulnerability is located is required; the result generated after the vulnerability is exploited includes: the vulnerability is utilized to obtain the user operation authority of the attacked target host; the target host is the same as or different from the host where the vulnerability is located;
based on the vulnerabilities existing in each host, acquiring the corresponding vulnerability basic scores from an existing vulnerability scoring system;
storing the host with the vulnerability, the corresponding service and/or communication protocol and the corresponding vulnerability as the vulnerability to be predicted into a host threat list;
acquiring network connection relations among all hosts to be predicted and user operation permissions of all hosts before attack;
establishing an attack rule base based on the host probing list, the host threat list, the network connection relation and the user operation authority of each host before attack; the attack rule base comprises: the vulnerabilities to be predicted existing in each host in the industrial internet, the precondition for each vulnerability to be predicted to be utilized, and the result generated after each vulnerability to be predicted is utilized;
according to a preset reverse attack graph generation algorithm, based on the host threat list and the attack rule base, taking a vulnerability to be predicted corresponding to an important host as an initial vulnerability attack node, and reversely generating an attack graph containing vulnerability attack nodes, state nodes and directed edges; each state node in the attack graph respectively represents a precondition that the vulnerability to be predicted is utilized or a result generated after the vulnerability to be predicted is utilized, and each directed edge in the attack graph represents attack relations between different vulnerability attack nodes and state nodes formed according to the attack rules;
calculating the basic attack probability of each vulnerability attack node in the attack graph based on the vulnerability basic scores;
and calculating the cumulative attack probability of each vulnerability attack node based on the importance weight value of the corresponding host and the attack probability of each attack path according to the basic attack probability of each vulnerability and the attack graph, and acquiring the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability.
In a second aspect, the present invention provides an apparatus for security risk prediction of an industrial internet, the apparatus comprising:
the host computer exploration list generating unit is used for generating a host computer exploration list of each host computer in the industrial Internet to be predicted based on a preset host computer exploration method, and determining important host computers and non-important host computers according to preset importance weight values of the host computers; the host probe list includes: each host and the service and/or the corresponding communication protocol which are correspondingly operated on each host;
the vulnerability and vulnerability description information searching unit is used for searching the vulnerability and vulnerability description information existing in the service and/or communication protocol of each host in the existing vulnerability library based on the host probing list; the vulnerability description information includes: the precondition that each vulnerability is utilized and the result generated after each vulnerability is utilized; the precondition that the vulnerability is utilized comprises: the vulnerability is utilized, and the user operation authority of the host where the vulnerability is located is required; the result generated after the vulnerability is exploited includes: the vulnerability is utilized to obtain the user operation authority of the attacked target host; the target host is the same as or different from the host where the vulnerability is located;
a vulnerability basic score obtaining unit, configured to obtain, based on vulnerabilities existing in the hosts, corresponding vulnerability basic scores in an existing vulnerability scoring system;
the storing unit is used for storing the host with the vulnerability, the corresponding service and/or communication protocol and the corresponding vulnerability as the vulnerability to be predicted into a host threat list;
the system comprises an acquisition unit, a prediction unit and a prediction unit, wherein the acquisition unit is used for acquiring the network connection relation among all hosts to be predicted and the user operation authority before attack of all hosts;
an attack rule base establishing unit, configured to establish an attack rule base based on the host probing list, the host threat list, the network connection relationship, and the pre-attack user operation permissions of the hosts; the attack rule base comprises: the method comprises the following steps that holes to be predicted exist in each host in the industrial internet, preconditions of each hole to be predicted being utilized and results generated after each hole to be predicted is utilized;
the attack graph generating unit is used for generating an attack graph comprising vulnerability attack nodes, state nodes and directed edges in a reverse direction by taking a vulnerability to be predicted corresponding to an important host as an initial vulnerability attack node based on the host threat list and the attack rule base according to a preset reverse attack graph generating algorithm; each state node in the attack graph respectively represents a precondition that the vulnerability to be predicted is utilized or a result generated after the vulnerability to be predicted is utilized, and each directed edge in the attack graph represents attack relations between different vulnerability attack nodes and state nodes formed according to the attack rules;
the basic attack probability calculation unit is used for calculating the basic attack probability of each vulnerability attack node in the attack graph based on the vulnerability basic score;
and a maximum-probability acquiring unit, configured to calculate the cumulative attack probability of each vulnerability attack node based on the importance weight value of the corresponding host and the attack probability of each attack path according to the basic attack probability of each vulnerability and the attack graph, and to acquire the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability.
In a third aspect, the present invention provides an electronic device, including a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
a memory for storing a computer program;
and the processor is used for realizing the steps of any one of the methods for predicting the security risk of the industrial Internet when the processor executes the program stored in the memory.
In a fourth aspect, the present invention provides a computer-readable storage medium having a computer program stored therein, where the computer program is executed by a processor to perform any one of the above-mentioned steps of the method for predicting a security risk of the industrial internet.
In a fifth aspect, an embodiment of the present invention further provides a computer program product containing instructions, which when run on a computer, causes the computer to execute any one of the above-mentioned methods for predicting a security risk of an industrial internet.
According to the method, the device, the electronic equipment and the storage medium for predicting the security risk of the industrial internet, the host probing list of each host in the industrial internet to be predicted can be generated firstly, the vulnerability to be predicted corresponding to the important host is taken as the initial vulnerability attack node to reversely generate the attack graph based on the host probing list, and then the vulnerability attack node with the maximum accumulated attack probability and the attack path with the maximum attack probability are calculated and obtained according to the attack graph, unlike the prior art that a traditional vulnerability scanning tool is used for carrying out vulnerability detection on equipment in the internet, so that the security risk of the industrial internet is predicted on the basis of not influencing network operation by applying the embodiment of the invention.
Of course, not all of the advantages described above need to be achieved at the same time in the practice of any one product or method of the invention.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a method for predicting security risk of the industrial internet according to an embodiment of the present invention;
fig. 2 is a specific flowchart of generating an attack graph in step S107 in fig. 1 according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for optimizing an attack graph according to an embodiment of the present invention;
FIG. 4 is an example of an attack graph provided by an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an apparatus for predicting a security risk of an industrial internet according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to predict the security risk of the industrial internet on the basis of not influencing network operation, the embodiment of the invention provides a method, a device, equipment and a storage medium for predicting the security risk of the industrial internet.
The method for predicting the security risk of the industrial internet provided by the embodiment of the invention can be applied to any electronic equipment that needs to predict the security risk of the industrial internet, such as a computer or a mobile terminal, which is not limited herein. For convenience of description, such equipment is hereinafter referred to simply as the electronic device.
Referring to fig. 1, a method for predicting security risk of an industrial internet according to an embodiment of the present invention is shown in fig. 1, and a specific processing flow of the method may include:
step S101, generating a host exploration list of each host in the industrial Internet to be predicted based on a preset host exploration method, and determining important hosts and non-important hosts according to preset importance weight values of each host; the host probe list includes: each host and the corresponding service and/or the corresponding communication protocol running on each host.
In an implementation manner, the host probing tool nmap can be used to send messages to each host to be predicted in the industrial internet to be predicted; each host to be predicted returns a message to the electronic device that is communicatively connected with it; the electronic device extracts a target field from the returned message and compares it with a host probing library to generate the host probing list.
The method can be implemented, and the host probing information of each host in the industrial internet to be predicted can be generated based on a preset host probing method; acquiring host information which is artificially supplemented and is not detected in the industrial Internet to be predicted; generating a host probing list according to the host probing information and the undetected host information; and determining important hosts and non-important hosts in the host exploration list according to preset importance weight values of all the hosts.
The importance weight value is set by the user according to which hosts in the industrial internet to be predicted the user wants to protect as a priority and how many vulnerabilities those hosts contain. For example, a host whose data is more important, or a host that contains more vulnerabilities, may be protected as a priority and be given a larger importance weight value; the value range of the importance weight value is between 0 and 1.
Step S102, based on the host computer exploration list, searching vulnerabilities and vulnerability description information existing in the service and/or communication protocol of each host computer in an existing vulnerability library; the vulnerability description information includes: the preconditions of each exploit and the results of each exploit.
The precondition that the vulnerability is utilized comprises: the vulnerability is utilized, and the user operation authority of the host where the vulnerability is located is required; the result generated after the vulnerability is exploited includes: the vulnerability is utilized to obtain the user operation authority of the attacked target host; the target host is the same as or different from the host where the vulnerability is located.
In an implementation manner, the model number, version number, service and/or communication protocol of the host in the host exploration list may be used as a keyword, the keyword is searched in an existing vulnerability library by using a fuzzy matching method, and corresponding vulnerabilities and vulnerability description information are respectively obtained to obtain vulnerabilities existing in each host and corresponding vulnerability description information.
And step S103, acquiring corresponding basic scores of the vulnerabilities from an existing vulnerability scoring system based on the vulnerabilities existing in the hosts.
In an implementation manner, for each vulnerability, the Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR) and User Interaction (UI) metrics are obtained from an existing vulnerability scoring system and serve as the basic score of the vulnerability.
And step S104, storing the host with the vulnerability, the corresponding service and/or communication protocol and the corresponding vulnerability as the vulnerability to be predicted to a host threat list.
In an implementation manner, the host entry may include the model number of the host and the version number of the host.
It may be implemented that the host threat list may further include a host number, a vulnerability number, and information on whether the host is an important host.
In an implementation manner, an example of a host threat list may be as shown in Table 1:
Table 1
(Table 1 appears in the original as an image and is not reproduced here.)
In Table 1, the host with model 1 and version number 1 is numbered PLC1, corresponds to service and/or communication protocol 1, has no vulnerability to be predicted and no vulnerability number, and is an important host; the host with model 2 and version number 2 is numbered PLC2, corresponds to service and/or communication protocol 2, has no vulnerability to be predicted and no vulnerability number, and is not an important host; the host with model 3 and version number 3 is numbered IP1, corresponds to service and/or communication protocol 3, contains vulnerability 1, vulnerability 2 and vulnerability 3 to be predicted, numbered v1, v2 and v3 respectively, and is an important host. The meanings of the other rows are analogous and are not described in detail here.
And step S105, acquiring the network connection relation among all the hosts to be predicted and the user operation authority of all the hosts before attack.
Step S106, establishing an attack rule base based on the host probing list, the host threat list, the network connection relation and the user operation authority of each host before attack; the attack rule base comprises: the vulnerabilities to be predicted existing in each host in the industrial internet, the precondition for each vulnerability to be predicted to be utilized, and the result generated after each vulnerability to be predicted is utilized.
In an implementation manner, corresponding to Table 1 above, an example of an attack rule base table may be as shown in Table 2:
Table 2

Precondition for exploiting the vulnerability | Vulnerability | Result generated after the vulnerability is exploited
Obtaining authority 2 of IP1                  | v1            | Obtaining authority 1 of PLC2
Obtaining authority 3 of IP1                  | v2            | Obtaining authority 2 of IP1
Obtaining authority 4 of IP1                  | v3            | Obtaining authority 3 of IP1
Obtaining authority 4 of IP1                  | v4            | Obtaining authority 4 of IP3
Obtaining authority 4 of IP3                  | v5            | Obtaining authority 7 of IP1
Obtaining authority 4 of IP3                  | v6            | Obtaining authority 5 of IP4

As shown in Table 2: the precondition for exploiting vulnerability v1 is obtaining authority 2 of IP1, and the result after exploitation is obtaining authority 1 of PLC2; the precondition for exploiting v2 is obtaining authority 3 of IP1, and the result is obtaining authority 2 of IP1; the precondition for exploiting v3 is obtaining authority 4 of IP1, and the result is obtaining authority 3 of IP1; the precondition for exploiting v4 is obtaining authority 4 of IP1, and the result is obtaining authority 4 of IP3; the precondition for exploiting v5 is obtaining authority 4 of IP3, and the result is obtaining authority 7 of IP1; the precondition for exploiting v6 is obtaining authority 4 of IP3, and the result is obtaining authority 5 of IP4.
And S107, reversely generating an attack graph comprising vulnerability attack nodes, state nodes and directed edges by taking a vulnerability to be predicted corresponding to an important host as an initial vulnerability attack node based on the host threat list and the attack rule base according to a preset reverse attack graph generation algorithm.
Each state node in the attack graph respectively represents a precondition that the vulnerability to be predicted is utilized or a result generated after the vulnerability to be predicted is utilized, and each directed edge in the attack graph represents attack relations between different vulnerability attack nodes and state nodes formed according to the attack rules.
And S108, calculating the basic attack probability of each vulnerability attack node in the attack graph based on the vulnerability basic scores.
The Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR) and User Interaction (UI) values may be multiplied, and the product used as the basic attack probability of each vulnerability attack node in the attack graph.
In an implementation manner, after the basic attack probability is calculated, the method of optimizing the attack graph can be used to obtain an attack graph containing no loop.
Step S109, according to the basic attack probability of each bug and the attack graph, calculating the cumulative attack probability of each bug attack node based on the importance weight value of the corresponding host and the attack probability of each attack path, and obtaining the bug attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability.
In an implementation manner, the basic attack probability of each vulnerability can be calculated according to the following formula:
$P_{ij} = AV \times AC \times PR \times UI$; where $P_{ij}$ is the basic attack probability of the vulnerability, AV is the attack vector in the basic score of the vulnerability, AC is the attack complexity in the basic score of the vulnerability, PR is the privileges required in the basic score of the vulnerability, and UI is the user interaction in the basic score of the vulnerability;
the step of calculating the cumulative attack probability of each vulnerability attack node based on the importance weight value of the corresponding host and the attack probability of each attack path according to the basic attack probability of each vulnerability and the attack graph, and acquiring the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability, comprises the following steps:
and acquiring the attack path with the maximum attack probability based on the basic attack probability of each vulnerability and the attack graph and the attack probability of each attack path according to the following formula:
(The formula appears in the original as an image and is not reproduced here.)
where $i$ is an attack path, $j$ is a vulnerability attack node, $k$ is the number of attack paths, $k_i$ is the number of hosts on attack path $i$, $l_{ij}$ is the importance weight of the host, and $P_i$ is the attack probability of attack path $i$;
calculating the cumulative attack probability of each vulnerability attack node based on the importance weight value of the corresponding host according to the following formula, and acquiring the vulnerability attack node with the maximum cumulative attack probability:
(The formula appears in the original as an image and is not reproduced here.)
where $i$ is an attack path, $j$ is a vulnerability attack node, $m$ is the number of vulnerability attack nodes, $m_j$ is the number of attack paths passing through vulnerability attack node $j$, $l_{ij}$ is the importance weight of the host, and $Q_j$ is the cumulative attack probability of vulnerability attack node $j$ based on the importance weight value of the corresponding host.
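The attack rule base of Table 2, the reverse attack graph generation of steps S201 to S204, the basic attack probability of step S108 and the path and node scoring of step S109, worked through in Python as an added example that is not part of the patent. The rule v7, the metric values and the host weights are constructed; because the path and cumulative probability formulas appear on this page only as images, the aggregation used here (product of node probabilities along a path, importance-weighted sum over the paths through a node) is an assumption, not the patent's formula.

```python
"""Added example (not the patent's own code): reverse attack-graph generation and
path/node scoring over the attack rule base of Table 2."""
from functools import reduce
from operator import mul

# Attack rule base reproducing Table 2: (precondition state, vulnerability, result
# state), where a state is (host, authority level). The last rule, v7, is a constructed
# addition so that two distinct attack paths reach v1.
RULES = [
    (("IP1", 2), "v1", ("PLC2", 1)),
    (("IP1", 3), "v2", ("IP1", 2)),
    (("IP1", 4), "v3", ("IP1", 3)),
    (("IP1", 4), "v4", ("IP3", 4)),
    (("IP3", 4), "v5", ("IP1", 7)),
    (("IP3", 4), "v6", ("IP4", 5)),
    (("IP3", 4), "v7", ("IP1", 2)),  # constructed, not in Table 2
]

# Constructed per-vulnerability base metrics (AV, AC, PR, UI), each scaled to 0..1,
# standing in for the basic scores pulled from an existing vulnerability scoring system.
METRICS = {
    "v1": (0.85, 0.77, 0.62, 0.85),
    "v2": (0.62, 0.77, 0.85, 0.62),
    "v3": (0.85, 0.44, 0.85, 0.85),
    "v4": (0.85, 0.77, 0.85, 0.85),
    "v5": (0.55, 0.77, 0.62, 0.85),
    "v6": (0.85, 0.77, 0.85, 0.62),
    "v7": (0.55, 0.44, 0.62, 0.62),
}

# Constructed importance weights (0..1) per host; IP1 is an important host in Table 1.
WEIGHTS = {"PLC2": 0.3, "IP1": 0.9, "IP3": 0.4, "IP4": 0.2}


def rule_for(vuln, rules=RULES):
    """Return (precondition, result) of the single rule recorded for `vuln`."""
    for pre, v, res in rules:
        if v == vuln:
            return pre, res
    raise KeyError(vuln)


def host_of(vuln, rules=RULES):
    """The host where a vulnerability is located is the host of its precondition state."""
    return rule_for(vuln, rules)[0][0]


def base_probability(vuln):
    """Step S108: basic attack probability P_ij = AV x AC x PR x UI."""
    return reduce(mul, METRICS[vuln], 1.0)


def reverse_attack_graph(initial_vuln, rules=RULES):
    """Steps S201-S204 run backwards from the vulnerability to be predicted on an
    important host: add the edges attack-node -> result-state and precondition-state ->
    attack-node, then expand every rule whose result equals the current precondition.
    The visited set keeps the expansion finite on a cyclic rule base."""
    edges, visited, stack = set(), set(), [initial_vuln]
    while stack:
        v = stack.pop()
        if v in visited:
            continue
        visited.add(v)
        pre, res = rule_for(v, rules)
        edges.add((v, res))
        edges.add((pre, v))
        stack.extend(v2 for _, v2, res2 in rules if res2 == pre)
    return edges


def attack_paths(target_vuln, rules=RULES, _seen=frozenset()):
    """Enumerate loop-free attack paths (ordered vulnerability lists) ending at target."""
    seen = _seen | {target_vuln}
    pre, _ = rule_for(target_vuln, rules)
    preds = [v for _, v, res in rules if res == pre and v not in seen]
    if not preds:
        return [[target_vuln]]
    return [p + [target_vuln] for v in preds for p in attack_paths(v, rules, seen)]


def path_probability(path):
    """Attack probability of one path, assumed here to be the product of the base
    probabilities of the vulnerability attack nodes on it."""
    return reduce(mul, (base_probability(v) for v in path), 1.0)


def score(initial_vuln, rules=RULES):
    """Return (best_path, best_path_prob, node_with_max_cumulative, cumulative_dict)."""
    paths = attack_paths(initial_vuln, rules)
    probs = {tuple(p): path_probability(p) for p in paths}
    best_path = max(probs, key=probs.get)
    # Cumulative probability of a node: importance-weighted sum of the probabilities of
    # all paths passing through it (assumed aggregation, see the note above).
    cumulative = {}
    for path, p in probs.items():
        for v in path:
            cumulative[v] = cumulative.get(v, 0.0) + WEIGHTS[host_of(v, rules)] * p
    best_node = max(cumulative, key=cumulative.get)
    return list(best_path), probs[best_path], best_node, cumulative


if __name__ == "__main__":
    path, p, node, cum = score("v1")
    print("edges:", sorted(reverse_attack_graph("v1"), key=str))
    print("max-probability path:", path, round(p, 4))
    print("max-cumulative node:", node, round(cum[node], 4))
```

Starting from v1 the only candidate roots are the rules whose precondition (authority 4 of IP1) no rule produces, which is the pre-attack permission state of step S105.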
Therefore, by applying the embodiment of the invention, the host probing list of each host in the industrial internet to be predicted can be generated first, the attack graph is generated reversely by taking the vulnerability to be predicted corresponding to an important host as the initial vulnerability attack node based on the host probing list, and then the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability are calculated from the attack graph. Unlike the prior art, in which a traditional vulnerability scanning tool is used for vulnerability detection of equipment in the internet, the security risk of the industrial internet is predicted without affecting network operation.
In addition, in this embodiment, an important host and a non-important host are determined according to preset importance weight values of the hosts, a vulnerability to be predicted corresponding to one important host is taken as an initial vulnerability attack node, an attack graph including vulnerability attack nodes, state nodes and directed edges is generated reversely, and the speed of generating the attack graph is high. Meanwhile, the accumulated attack probability of each vulnerability attack node and the attack probability of each attack path are calculated based on the importance weight value of the corresponding host, and the more important the host is, the more vulnerabilities are contained in the host, the larger the importance weight value of the host is, so that the importance weight value is introduced to calculate more objectively.
Specifically, referring to fig. 2, a specific implementation of step S107 in the embodiment shown in fig. 1 is given; fig. 2 is a flowchart of generating the attack graph in step S107 of the embodiment shown in fig. 1, and comprises:
Step S201, acquiring, from the host threat list, a current vulnerability to be predicted corresponding to an important host as the current vulnerability attack node.
Step S202, judging whether a service and/or communication protocol in the host threat list meets the result, stored in the attack rule base, that is generated after the current vulnerability to be predicted is exploited.
In one implementation, if a plurality of results are generated after the current vulnerability to be predicted is exploited, it is judged separately for each such result whether a service and/or communication protocol in the host threat list meets that result as stored in the attack rule base.
If the judgment result is yes, that is, a service and/or communication protocol in the host threat list meets the result generated after the current vulnerability to be predicted is exploited as stored in the attack rule base, step S203 is executed; if the judgment result is no, that is, no service and/or communication protocol in the host threat list meets that result, step S208 is executed.
Step S203, taking the current vulnerability to be predicted as the current first attack node, taking the result generated after the current vulnerability to be predicted is exploited as the current first state node, and generating an edge from the current first attack node to the current first state node.
In one implementation, each result generated after the current vulnerability to be predicted is exploited is taken as a current first state node, and an edge from the current first attack node to each current first state node is generated respectively.
Step S204, judging whether a service and/or communication protocol in the host threat list meets the precondition, stored in the attack rule base, for exploiting the current vulnerability to be predicted.
In one implementation, if the attack rule base stores a plurality of preconditions for exploiting the current vulnerability to be predicted, it is judged separately for each precondition whether a service and/or communication protocol in the host threat list meets it.
If the judgment result is yes, that is, a service and/or communication protocol in the host threat list meets the precondition for exploiting the current vulnerability to be predicted as stored in the attack rule base, step S205 is executed; if the judgment result is no, that is, no service and/or communication protocol in the host threat list meets that precondition, step S208 is executed.
Step S205, taking the precondition for exploiting the current vulnerability to be predicted as the current second state node, and generating an edge from the current second state node to the current first attack node.
In one implementation, each precondition for exploiting the current vulnerability to be predicted is taken as a current second state node, and an edge from each current second state node to the current first attack node is generated respectively.
Step S206, judging whether there is another vulnerability to be predicted whose result generated after it is exploited equals the precondition for exploiting the current vulnerability to be predicted.
In one implementation, if the current vulnerability to be predicted is exploited under a plurality of preconditions, it is judged separately for each precondition whether a service and/or communication protocol in the host threat list meets that precondition for exploiting the current vulnerability to be predicted as stored in the attack rule base.
If the judgment result is yes, that is, the result generated after another vulnerability to be predicted is exploited equals the precondition for exploiting the current vulnerability to be predicted, step S207 is executed; if the judgment result is no, that is, no other vulnerability to be predicted has a result that equals that precondition, step S208 is executed.
Step S207, taking the other vulnerability to be predicted as the current first attack node, generating an edge from the current first attack node to the current second state node, and taking the other vulnerability to be predicted as the current vulnerability to be predicted. The process then returns to step S204.
In one implementation, each such other vulnerability to be predicted is taken as a current first attack node, an edge from each current first attack node to the corresponding current second state node is generated respectively, and each such other vulnerability to be predicted is taken as a current vulnerability to be predicted.
Step S208, judging whether the host threat list contains a vulnerability to be predicted, corresponding to an important host, that has not yet been acquired.
If the judgment result is yes, that is, the host threat list contains a vulnerability to be predicted corresponding to an important host that has not yet been acquired, the process returns to step S201; if the judgment result is no, that is, the host threat list contains no such vulnerability, step S209 is executed.
Step S209, judging whether the host threat list contains a vulnerability to be predicted, corresponding to a non-important host, that has not yet been acquired.
If the judgment result is yes, that is, the host threat list contains a vulnerability to be predicted corresponding to a non-important host that has not yet been acquired, step S210 is executed; if the judgment result is no, that is, the host threat list contains no such vulnerability, step S211 is executed.
Step S210, acquiring, from the host threat list, a vulnerability to be predicted corresponding to a non-important host as the current vulnerability to be predicted. The process then returns to step S202.
Step S211, determining that the generation of the attack graph is completed.
In this embodiment, a vulnerability to be predicted corresponding to an important host is taken as an initial vulnerability attack node, and an attack graph including vulnerability attack nodes, state nodes and directed edges is generated reversely.
In one implementation, after the attack graph is generated according to the flow of fig. 2, a method for optimizing the attack graph may be performed to obtain an attack graph without loops. Specifically, referring to fig. 3, which is a flowchart of the method for optimizing the attack graph, the method may include:
Step S301, judging whether a loop exists in the attack graph; a loop is the situation in which the result generated after the current vulnerability to be predicted is exploited serves as a precondition for exploiting other vulnerabilities, and the result of exploiting those other vulnerabilities in turn serves as the precondition for exploiting the current vulnerability to be predicted.
In one implementation, loops are found by pushing nodes onto a stack. The entry nodes of the attack graph are added to a root node array, where an entry node is a node that only has edges pointing to other nodes and has no edge pointing to it.
Taking an entry node as the root node, a depth-first traversal is performed from the root node, continually visiting child nodes, marking each visited child node and pushing it onto the stack, until no child node exists or the visited child node is already in the stack. When the child node is already in the stack, the stack holds a loop; the basic attack probability P is calculated for each vulnerability attack node in the loop, and the vulnerability attack node with the minimum basic attack probability in the loop is taken as the target node of the loop; the directed edge from the target node to the state node in the loop is deleted.
During the traversal, when no child node exists, backtracking is performed: the nodes in the stack are popped, a new unvisited child node is sought, and the depth-first traversal is repeated. When the traversal starting from the current entry root node is complete, the traversal is started again from the next new entry node in the same manner. Once all entry root nodes have been traversed, a loop-free attack graph is obtained.
If the judgment result is yes, that is, a loop exists in the attack graph, executing step S302; if the result of the judgment is no, that is, no loop exists in the attack graph, step S305 is executed.
Step S302, each loop in the attack graph is obtained.
Step S303, acquiring the vulnerability attack node with the minimum basic attack probability in each loop as the target node of the loop.
In one implementation, the vulnerability attack node with the minimum basic attack probability in a loop is calculated and taken as the target node of that loop; when a plurality of loops exist, the target node of each loop is obtained.
Step S304, deleting the directed edge from the target node to the state node in the loop.
In one implementation, for each loop, the directed edge from the target node of that loop to the state node in the loop is deleted.
Step S305, obtaining the optimized attack graph.
In this embodiment, loops in the attack graph are eliminated, so that the calculation result is more accurate when the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability are obtained.
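As an added illustration (not the patent's own code), the following Python implements the reverse generation flow of fig. 2 (steps S201 to S211) and the loop elimination of fig. 3 (steps S301 to S305) over a constructed host threat list and attack rule base. The hosts HMI-1, PLC-2 and ENG-3, the authorities such as user@HMI-1 and the vulnerabilities vA to vE are placeholders, and "a service and/or communication protocol meets a precondition or result" is modelled as membership in a constructed set of grantable authorities.

```python
"""Reverse attack-graph generation (fig. 2, S201-S211) and loop elimination
(fig. 3, S301-S305). Added illustration: hosts, authorities and the
vulnerabilities vA-vE below are constructed placeholders, not the patent's tables."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One entry of the attack rule base for a vulnerability to be predicted."""
    vuln: str         # vulnerability attack node id
    host: str         # host where the vulnerability is located
    pre: str          # precondition: user authority required to exploit it
    post: str         # result: user authority obtained on the target host
    base_prob: float  # basic attack probability P derived from the base score


# Constructed host threat list: (host, is_important, vulnerability id).
THREAT_LIST = [
    ("HMI-1", True, "vB"), ("HMI-1", True, "vE"),
    ("PLC-2", True, "vA"),
    ("ENG-3", False, "vC"), ("ENG-3", False, "vD"),
]

# Constructed attack rule base; the loop vA -> vC -> vB -> vA is deliberate.
RULES = {r.vuln: r for r in [
    Rule("vA", "PLC-2", "user@HMI-1", "root@PLC-2", 0.6),
    Rule("vB", "HMI-1", "user@ENG-3", "user@HMI-1", 0.5),
    Rule("vC", "ENG-3", "root@PLC-2", "user@ENG-3", 0.3),
    Rule("vD", "ENG-3", "net@ENG-3", "user@ENG-3", 0.4),
    Rule("vE", "HMI-1", "user@HMI-1", "root@HMI-1", 0.7),
]}

# Authorities that some service/protocol in the threat list can grant; this is
# how "a service and/or communication protocol meets the precondition/result"
# is modelled here (constructed). root@HMI-1 is absent, so vE yields no edges.
SATISFIABLE = {"user@HMI-1", "root@PLC-2", "user@ENG-3", "net@ENG-3"}


def generate_attack_graph(threat_list, rules, satisfiable):
    """Return the directed edges (attack node -> state node, state node -> attack node).

    Vulnerabilities of important hosts are taken first (S201/S208), then those of
    non-important hosts (S209/S210); each in turn is the initial attack node."""
    edges, expanded = set(), set()

    def expand(vuln):                      # S204 - S207, re-entered via S207's return
        if vuln in expanded:               # added guard: stop revisiting inside a loop
            return
        expanded.add(vuln)
        pre = rules[vuln].pre
        if pre not in satisfiable:         # S204 "no" -> S208
            return
        edges.add((pre, vuln))             # S205: second state node -> first attack node
        for other, rule in rules.items():  # S206: another vuln whose result == pre
            if other != vuln and rule.post == pre:
                edges.add((other, pre))    # S207: new first attack node -> second state
                expand(other)              # back to S204 with the new current vuln

    ordered = ([v for _, imp, v in threat_list if imp]
               + [v for _, imp, v in threat_list if not imp])
    for vuln in ordered:                   # S201 / S210
        post = rules[vuln].post
        if post not in satisfiable:        # S202 "no" -> S208
            continue
        edges.add((vuln, post))            # S203: first attack node -> first state node
        expand(vuln)
    return edges                           # S211


def eliminate_loops(edges, rules):
    """Fig. 3: depth-first traversal from the entry nodes with a stack; for every
    loop found, delete the edge from its lowest-P attack node to the state node."""
    edges = set(edges)
    succ, indeg, nodes = {}, {}, set()
    for a, b in edges:
        succ.setdefault(a, []).append(b)
        indeg[b] = indeg.get(b, 0) + 1
        nodes |= {a, b}
    entries = sorted(n for n in nodes if indeg.get(n, 0) == 0)  # root node array
    stack, visited, removed = [], set(), []

    def dfs(node):
        stack.append(node)
        visited.add(node)
        for child in succ.get(node, []):
            if (node, child) not in edges:         # edge already deleted
                continue
            if child in stack:                     # child on the stack: a loop
                loop = stack[stack.index(child):]
                attack_nodes = [n for n in loop if n in rules]
                target = min(attack_nodes, key=lambda n: rules[n].base_prob)
                state = loop[(loop.index(target) + 1) % len(loop)]
                edges.discard((target, state))     # S304
                removed.append((target, state))
            elif child not in visited:
                dfs(child)
        stack.pop()                                # backtrack

    for entry in entries:
        if entry not in visited:
            dfs(entry)
    # Caveat: a graph consisting only of loops has no entry node; fig. 3 does not cover it.
    return edges, removed
```
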
An example of generating the attack graph corresponding to the above table one and table two according to the attack graph generation method of fig. 2 is shown in fig. 4 and proceeds as follows:
A current vulnerability to be predicted v1 corresponding to any important host is acquired from the host threat list, and v1 is taken as the current vulnerability attack node. It is judged whether a service and/or communication protocol in the host threat list meets the post-result generated after v1 is exploited, namely obtaining authority 1 of PLC2; a service and/or communication protocol does, so a directed edge from v1 to "obtain authority 1 of PLC2" is generated. It is judged whether a service and/or communication protocol meets the precondition for exploiting v1, namely obtaining authority 2 of IP1; a service and/or communication protocol does, so a directed edge from "obtain authority 2 of IP1" to v1 is generated. It is judged whether the result generated after another vulnerability to be predicted is exploited equals the precondition for exploiting v1; v2 satisfies this, so a directed edge from v2 to "obtain authority 2 of IP1" is generated.
It is judged whether a service and/or communication protocol meets the precondition for exploiting v2, namely obtaining authority 3 of IP1; a service and/or communication protocol does, so a directed edge from "obtain authority 3 of IP1" to v2 is generated. It is judged whether the result generated after another vulnerability to be predicted is exploited equals the precondition for exploiting v2; v3 satisfies this, so a directed edge from v3 to "obtain authority 3 of IP1" is generated. It is judged whether a service and/or communication protocol meets the precondition for exploiting v3, namely obtaining authority 4 of IP1; no service and/or communication protocol does, so it is judged whether the host threat list contains a vulnerability to be predicted corresponding to an important host that has not yet been acquired; it does, so any such vulnerability to be predicted v4 is taken, and v4 is taken as the current attack node.
It is judged whether a service and/or communication protocol in the host threat list meets the post-result generated after v4 is exploited, namely obtaining authority 4 of IP3; a service and/or communication protocol does, so a directed edge from v4 to "obtain authority 4 of IP3" is generated. It is judged whether a service and/or communication protocol meets the precondition for exploiting v4, namely obtaining authority 4 of IP1; a service and/or communication protocol does, so a directed edge from "obtain authority 4 of IP1" to v4 is generated. It is judged whether the result generated after another vulnerability to be predicted is exploited equals the precondition for exploiting v4; none does, so it is judged whether the host threat list contains a vulnerability to be predicted corresponding to an important host that has not yet been acquired; it contains v5, so v5 is taken as the current vulnerability attack node.
It is judged whether a service and/or communication protocol in the host threat list meets the post-result generated after v5 is exploited, namely obtaining authority 7 of IP1; a service and/or communication protocol does, so a directed edge from v5 to "obtain authority 7 of IP1" is generated. It is judged whether a service and/or communication protocol meets the precondition for exploiting v5, namely obtaining authority 4 of IP3; a service and/or communication protocol does, so a directed edge from "obtain authority 4 of IP3" to v5 is generated. It is judged whether the result generated after another vulnerability to be predicted is exploited equals the precondition for exploiting v5; none does, so it is judged whether the host threat list contains a vulnerability to be predicted corresponding to an important host that has not yet been acquired; v6 has not yet been acquired, so v6 is taken as the current vulnerability attack node.
It is judged whether a service and/or communication protocol in the host threat list meets the post-result generated after v6 is exploited, namely obtaining authority 5 of IP4; a service and/or communication protocol does, so a directed edge from v6 to "obtain authority 5 of IP4" is generated. It is judged whether a service and/or communication protocol meets the precondition for exploiting v6, namely obtaining authority 4 of IP3; a service and/or communication protocol does, so a directed edge from "obtain authority 4 of IP3" to v6 is generated. It is judged whether the host threat list contains a vulnerability to be predicted corresponding to a non-important host that has not yet been acquired; there is none, so the generation of the attack graph is determined to be complete.
Therefore, by applying this embodiment, the vulnerability to be predicted corresponding to any important host can be used as the initial vulnerability attack node, and an attack graph containing vulnerability attack nodes, state nodes and directed edges is generated reversely; the attack graph is generated quickly, the position from which an attacker launches the attack need not be fixed as in the related art, and the method is closer to the actual situation.
Fig. 5 is a schematic structural diagram of the device for predicting the security risk of the industrial internet according to an embodiment of the present invention, which includes:
a host probing list generating unit 501, configured to generate a host probing list of each host in the industrial internet to be predicted based on a preset host probing method, and determine an important host and a non-important host according to a preset importance weight value of each host; the host probe list includes: each host and the service and/or the corresponding communication protocol which are correspondingly operated on each host;
a vulnerability and vulnerability description information searching unit 502, configured to search, in an existing vulnerability library, vulnerabilities and vulnerability description information existing in a service and/or communication protocol of each host based on the host probing list; the vulnerability description information includes: the precondition that each vulnerability is utilized and the result generated after each vulnerability is utilized; the precondition that the vulnerability is utilized comprises: the vulnerability is utilized, and the user operation authority of the host where the vulnerability is located is required; the result generated after the vulnerability is exploited includes: the vulnerability is utilized to obtain the user operation authority of the attacked target host; the target host is the same as or different from the host where the vulnerability is located;
a vulnerability basic score obtaining unit 503, configured to obtain, based on vulnerabilities existing in the hosts, corresponding vulnerability basic scores in an existing vulnerability scoring system;
a storing unit 504, configured to store the host with the bug, the corresponding service and/or communication protocol, and the corresponding bug as a to-be-predicted bug in a host threat list;
an obtaining unit 505, configured to obtain a network connection relationship between hosts to be predicted and a pre-attack user operation authority of each host;
an attack rule base establishing unit 506, configured to establish an attack rule base based on the host probe list, the host threat list, the network connection relationship, and the pre-attack user operation permission of each host; the attack rule base comprises: the vulnerabilities to be predicted that exist in each host in the industrial internet, the preconditions for exploiting each vulnerability to be predicted, and the results generated after each vulnerability to be predicted is exploited;
an attack graph generation unit 507, configured to generate an attack graph including vulnerability attack nodes, state nodes, and directed edges in a reverse direction based on the host threat list and the attack rule base and using a vulnerability to be predicted corresponding to an important host as an initial vulnerability attack node according to a preset reverse attack graph generation algorithm; each state node in the attack graph respectively represents a precondition that the vulnerability to be predicted is utilized or a result generated after the vulnerability to be predicted is utilized, and each directed edge in the attack graph represents attack relations between different vulnerability attack nodes and state nodes formed according to the attack rules;
a basic attack probability calculation unit 508, configured to calculate a basic attack probability of each vulnerability attack node in the attack graph based on the vulnerability basic score;
and an attack path obtaining unit 509, configured to calculate, according to the basic attack probability of each vulnerability and the attack graph, the cumulative attack probability of each vulnerability attack node based on the importance weight value of the corresponding host and the attack probability of each attack path, and to obtain the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability.
Therefore, by applying the embodiment of the invention, the host probing list of each host in the industrial internet to be predicted is generated first; based on the host probing list, the attack graph is generated reversely, taking the vulnerability to be predicted corresponding to an important host as the initial vulnerability attack node; and the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability are then calculated from the attack graph. Unlike the prior art, in which a traditional vulnerability scanning tool performs vulnerability detection on equipment in the internet, the security risk of the industrial internet is thus predicted without affecting network operation.
An embodiment of the present invention further provides an electronic device, as shown in fig. 6, including a processor 601, a communication interface 602, a memory 603, and a communication bus 604, where the processor 601, the communication interface 602, and the memory 603 complete mutual communication through the communication bus 604,
a memory 603 for storing a computer program;
the processor 601 is configured to implement the following steps when executing the program stored in the memory 603:
generating a host exploration list of each host in the industrial Internet to be predicted based on a preset host exploration method, and determining important hosts and non-important hosts according to preset importance weight values of the hosts; the host probe list includes: each host and the service and/or the corresponding communication protocol which are correspondingly operated on each host; based on the host probing list, searching for vulnerabilities and vulnerability description information existing in the service and/or communication protocol of each host in an existing vulnerability library; the vulnerability description information includes: the precondition that each vulnerability is utilized and the result generated after each vulnerability is utilized; the precondition that the vulnerability is utilized comprises: the vulnerability is utilized, and the user operation authority of the host where the vulnerability is located is required; the result generated after the vulnerability is exploited includes: the vulnerability is utilized to obtain the user operation authority of the attacked target host; the target host is the same as or different from the host where the vulnerability is located; based on the vulnerabilities existing in each host, acquiring corresponding vulnerability basic scores from an existing vulnerability scoring system; storing the host with the vulnerability, the corresponding service and/or communication protocol and the corresponding vulnerability as the vulnerability to be predicted into a host threat list; acquiring network connection relations among all hosts to be predicted and user operation permissions of all hosts before attack; establishing an attack rule base based on the host probing list, the host threat list, the network connection relation and the user operation authority before attack of each host; the attack rule base comprises: the vulnerabilities to be predicted that exist in each host in the industrial internet, the preconditions for exploiting each vulnerability to be predicted, and the results generated after each vulnerability to be predicted is exploited; according to a preset reverse attack graph generation algorithm, based on the host threat list and the attack rule base, taking a vulnerability to be predicted corresponding to an important host as an initial vulnerability attack node, and reversely generating an attack graph containing vulnerability attack nodes, state nodes and directed edges; each state node in the attack graph respectively represents a precondition that the vulnerability to be predicted is utilized or a result generated after the vulnerability to be predicted is utilized, and each directed edge in the attack graph represents attack relations between different vulnerability attack nodes and state nodes formed according to the attack rules; calculating the basic attack probability of each vulnerability attack node in the attack graph based on the vulnerability basic scores; and calculating the cumulative attack probability of each vulnerability attack node based on the importance weight value of the corresponding host and the attack probability of each attack path according to the basic attack probability of each vulnerability and the attack graph, and acquiring the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In still another embodiment of the present invention, there is further provided a computer-readable storage medium having a computer program stored therein, where the computer program is executed by a processor to implement the steps of any one of the above-mentioned industrial internet security risk prediction methods.
In still another embodiment of the present invention, there is further provided a computer program product containing instructions which, when run on a computer, causes the computer to execute the method for predicting a security risk of the industrial internet according to any one of the above embodiments.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for embodiments such as the apparatus, the electronic device, the computer-readable storage medium, and the computer program product, since they are substantially similar to the method embodiments, the description is simple, and for relevant points, reference may be made to part of the description of the method embodiments.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (9)

1. A method for predicting security risks of industrial Internet, which is applied to an electronic device in communication connection with each host to be predicted in the industrial Internet to be predicted, and comprises the following steps:
generating a host exploration list of each host in the industrial Internet to be predicted based on a preset host exploration method, and determining important hosts and non-important hosts according to preset importance weight values of the hosts; the host probe list includes: each host and the service and/or the corresponding communication protocol which are correspondingly operated on each host;
based on the host probing list, searching for vulnerabilities and vulnerability description information existing in the service and/or communication protocol of each host in an existing vulnerability library; the vulnerability description information includes: the precondition that each vulnerability is utilized and the result generated after each vulnerability is utilized; the precondition that the vulnerability is utilized comprises: the vulnerability is utilized, and the user operation authority of the host where the vulnerability is located is required; the result generated after the vulnerability is exploited includes: the vulnerability is utilized to obtain the user operation authority of the attacked target host; the target host is the same as or different from the host where the vulnerability is located;
based on the loopholes existing in each host, acquiring corresponding loophole basic scores from an existing loophole scoring system;
storing the host with the vulnerability, the corresponding service and/or communication protocol and the corresponding vulnerability as the vulnerability to be predicted into a host threat list;
acquiring network connection relations among all hosts to be predicted and user operation permissions of all hosts before attack;
establishing an attack rule base based on the host probing list, the host threat list, the network connection relations and the user operation authority of each host before attack; the attack rule base comprises: the vulnerabilities to be predicted existing in each host in the industrial Internet, the precondition for each vulnerability to be predicted to be utilized, and the result generated after each vulnerability to be predicted is utilized;
acquiring a current vulnerability to be predicted corresponding to an important host from the host threat list as a current vulnerability attack node; judging whether a service and/or communication protocol in the host threat list meets the result generated after the current vulnerability to be predicted stored in the attack rule base is utilized; if no service and/or communication protocol meets the result generated after the current vulnerability to be predicted stored in the attack rule base is utilized, judging whether the host threat list contains a vulnerability to be predicted corresponding to an important host which has not been obtained; if the host threat list contains a vulnerability to be predicted corresponding to an important host which has not been obtained, executing the step of obtaining a current vulnerability to be predicted corresponding to an important host from the host threat list as a current vulnerability attack node; if the host threat list does not contain a vulnerability to be predicted corresponding to an important host which has not been obtained, judging whether the host threat list contains a vulnerability to be predicted corresponding to a non-important host which has not been obtained; if the host threat list does not contain a vulnerability to be predicted corresponding to a non-important host which has not been obtained, determining that the generation of the attack graph is finished; if the host threat list contains a vulnerability to be predicted corresponding to a non-important host which has not been obtained, obtaining a vulnerability to be predicted corresponding to a non-important host from the host threat list as the current vulnerability to be predicted, and executing the step of judging whether a service and/or communication protocol in the host threat list meets the result generated after the current vulnerability to be predicted stored in the attack rule base is utilized; if a service and/or communication protocol meets the result generated after the current vulnerability to be predicted is utilized, taking the current vulnerability to be predicted as a current first attack node, taking the result generated after the current vulnerability to be predicted is utilized as a current first state node, and generating an edge pointing from the current first attack node to the current first state node; judging whether a service and/or communication protocol in the host threat list meets the precondition that the current vulnerability to be predicted stored in the attack rule base is utilized; if no service and/or communication protocol meets the precondition that the current vulnerability to be predicted stored in the attack rule base is utilized, returning to execute the step of judging whether the host threat list contains a vulnerability to be predicted corresponding to an important host which has not been obtained; if a service and/or communication protocol meets the precondition, stored in the attack rule base, for the current vulnerability to be predicted to be utilized, taking that precondition as a current second state node, and generating an edge pointing from the current second state node to the current first attack node; judging whether the result generated after another vulnerability to be predicted is utilized is equal to the precondition for the current vulnerability to be predicted to be utilized; if the result generated after the other vulnerability to be predicted is utilized is equal to the precondition for the current vulnerability to be predicted to be utilized, taking the other vulnerability to be predicted as the current first attack node, and generating an edge pointing from the current first attack node to the current second state node; taking the other vulnerability to be predicted as the current vulnerability to be predicted, and returning to execute the step of judging whether a service and/or communication protocol in the host threat list meets the precondition that the current vulnerability to be predicted stored in the attack rule base is utilized; if no result generated after another vulnerability to be predicted is utilized is equal to the precondition for the current vulnerability to be predicted to be utilized, returning to execute the step of judging whether the host threat list contains a vulnerability to be predicted corresponding to an important host which has not been obtained; each state node in the attack graph respectively represents a precondition for a vulnerability to be predicted to be utilized or a result generated after a vulnerability to be predicted is utilized, and each directed edge in the attack graph represents an attack relation, formed according to the attack rules, between a vulnerability attack node and a state node;
calculating the basic attack probability of each vulnerability attack node in the attack graph based on the vulnerability basic scores;
and calculating the cumulative attack probability of each vulnerability attack node based on the importance weight value of the corresponding host and the attack probability of each attack path according to the basic attack probability of each vulnerability and the attack graph, and acquiring the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability.
2. The method according to claim 1, wherein the step of generating a host computer exploration list of the object to be evaluated based on a preset host computer exploration method, and determining important host computers and non-important host computers according to preset importance weight values of the respective host computers comprises:
generating host computer exploration information of each host computer in the industrial Internet to be predicted based on a preset host computer exploration method;
acquiring host information which is artificially supplemented and is not detected in the industrial Internet to be predicted;
generating a host probing list according to the host probing information and the undetected host information;
and determining important hosts and non-important hosts in the host exploration list according to preset importance weight values of all the hosts.
3. The method of claim 1,
the step of searching the vulnerability existing in the service and/or communication protocol of each host and vulnerability description information in the existing vulnerability library based on the host probing list comprises the following steps:
and taking the model number of the host, the version number of the host, the service and/or the communication protocol in the host exploration list as keywords, searching the keywords in the existing vulnerability library by adopting a fuzzy matching method, respectively acquiring corresponding vulnerabilities and vulnerability description information, and acquiring vulnerabilities existing in the hosts and corresponding vulnerability description information.
4. The method according to claim 1, wherein the step of obtaining a corresponding vulnerability basic score in an existing vulnerability scoring system based on vulnerabilities existing in the respective hosts comprises:
based on each vulnerability, acquiring the Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR) and User Interaction (UI) of the vulnerability from an existing vulnerability scoring system as the basic scores of the vulnerability;
the step of calculating the basic attack probability of each vulnerability attack node in the attack graph based on the vulnerability basic scores comprises the following steps:
and multiplying the Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR) and User Interaction (UI), and taking the result of the multiplication as the basic attack probability of each vulnerability attack node in the attack graph.
5. The method according to claim 4, wherein after the step of multiplying the Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR) and User Interaction (UI), and taking the result of the multiplication as the basic attack probability of each vulnerability attack node in the attack graph, the method further comprises:
judging whether a loop exists in the attack graph; a loop is the situation in which the result generated after the current vulnerability to be predicted is utilized serves as the precondition for utilizing other vulnerabilities, and the result of utilizing those other vulnerabilities in turn serves as the precondition for utilizing the current vulnerability to be predicted;
if yes, acquiring each loop in the attack graph;
acquiring a vulnerability attack node with the minimum basic attack probability in each loop as a target node of the loop;
deleting the directed edge of the target node in the loop that points to the state node in the loop.
6. The method according to claim 4, wherein the step of multiplying the Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR) and User Interaction (UI), and taking the result of the multiplication as the basic attack probability of each vulnerability attack node in the attack graph comprises:
calculating the basic attack probability of each vulnerability according to the following formula:
$P_{ij} = AV \times AC \times PR \times UI$; wherein $P_{ij}$ is the basic attack probability of the vulnerability, AV is the attack vector in the basic score of the vulnerability, AC is the attack complexity in the basic score of the vulnerability, PR is the privileges required in the basic score of the vulnerability, and UI is the user interaction in the basic score of the vulnerability;
the step of calculating the attack probability of each attack node based on the importance weight value of the corresponding host and the attack probability of each attack path according to the basic attack probability of each vulnerability and the attack graph, and acquiring the attack node with the maximum attack probability and the attack path with the maximum attack probability comprises the following steps:
and acquiring the attack path with the maximum attack probability based on the basic attack probability of each vulnerability and the attack graph and the attack probability of each attack path according to the following formula:
Figure FDA0003142087600000041
wherein $i$ is an attack path, $j$ is a vulnerability attack node, $k$ represents that there are $k$ attack paths, $k_i$ represents that there are $k_i$ hosts on each attack path, $l_{ij}$ is the importance weight of the host, and $P_i$ is the attack probability of each attack path;
calculating the cumulative attack probability of each vulnerability attack node based on the importance weight value of the corresponding host according to the following formula, and acquiring the vulnerability attack node with the maximum cumulative attack probability:
Figure FDA0003142087600000042
wherein $i$ is an attack path, $j$ is a vulnerability attack node, $m$ represents that there are $m$ vulnerability attack nodes, $m_j$ represents that $m_j$ attack paths pass through each vulnerability attack node, $l_{ij}$ is the importance weight of the host, and $Q_j$ is the cumulative attack probability of each vulnerability attack node based on the importance weight value of the corresponding host.
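The claims state the procedure in words and leave the claim-6 path and cumulative formulas to figures that are not reproduced on this page. The Python below is an added illustration, not code from the patent or its assignees: it runs the pipeline on a constructed three-host plant (engineering workstation, HMI, PLC1) with made-up vulnerability ids, covering reverse attack-graph generation (claim 1), $P_{ij} = AV \times AC \times PR \times UI$ with the published CVSS v3 metric weights (claims 4 and 6) and loop removal at the lowest-probability node (claim 5); the path probability and cumulative node probability it uses are assumed forms standing in for the missing figures.

```python
from collections import defaultdict
from dataclasses import dataclass

# CVSS v3.x base-metric numeric weights as published in the CVSS v3 specification
# (PR uses the scope-unchanged values).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}


@dataclass(frozen=True)
class Vuln:
    """One vulnerability to be predicted from the host threat list (constructed, not a real CVE)."""
    vid: str       # attack-node id
    host: str      # host on which the vulnerability lives
    service: str   # service or protocol carrying it
    pre: str       # precondition: privilege the attacker must already hold, e.g. "user@ENG"
    post: str      # result: privilege obtained on the target host, e.g. "root@PLC1"
    metrics: str   # CVSS letters in AV, AC, PR, UI order, e.g. "NLNN"


def basic_probability(v):
    """Claims 4 and 6: P_ij = AV x AC x PR x UI."""
    return AV[v.metrics[0]] * AC[v.metrics[1]] * PR[v.metrics[2]] * UI[v.metrics[3]]


def build_attack_graph(threats, hosts, important):
    """Claim 1: reverse attack-graph generation. Attack nodes are vulnerability ids, state
    nodes are privilege strings; an edge (a, b) means a leads to b. Returns a set of edges.
    A state is 'met by a service' here when the host it names is in the probed host set."""
    satisfied = lambda state: state.split("@")[1] in hosts
    by_post = defaultdict(list)
    for v in threats:
        by_post[v.post].append(v)
    edges, visited = set(), set()

    def expand(v):                        # v is the current vulnerability to be predicted
        if v.vid in visited:
            return
        visited.add(v.vid)
        if not satisfied(v.post):         # no service meets its result: move on
            return
        edges.add((v.vid, v.post))        # first attack node -> first state node (result)
        if not satisfied(v.pre):          # precondition unreachable: move on
            return
        edges.add((v.pre, v.vid))         # second state node (precondition) -> attack node
        for other in by_post[v.pre]:      # another vulnerability whose result equals the precondition
            edges.add((other.vid, v.pre))
            expand(other)                 # it becomes the current vulnerability

    for v in sorted(threats, key=lambda v: v.host not in important):  # important hosts first
        expand(v)
    return edges


def find_loops(edges):
    """Claim 5: enumerate simple cycles, each listed once starting from its smallest node."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)
    loops = set()

    def dfs(start, node, path):
        for nxt in succ[node]:
            if nxt == start:
                loops.add(tuple(path))
            elif nxt not in path and nxt > start:
                dfs(start, nxt, path + [nxt])

    for n in sorted(succ):
        dfs(n, n, [n])
    return [list(l) for l in loops]


def break_loops(edges, threats):
    """Claim 5: in each loop, delete the edge from the attack node with the smallest basic
    attack probability to the state node that follows it inside the loop."""
    prob = {v.vid: basic_probability(v) for v in threats}
    edges = set(edges)
    for loop in find_loops(edges):
        target = min((n for n in loop if n in prob), key=prob.__getitem__)
        edges.discard((target, loop[(loop.index(target) + 1) % len(loop)]))
    return edges


def attack_paths(edges, goals):
    """Paths from a state node with no incoming edge to a goal state (result on an important host)."""
    succ, has_in = defaultdict(list), {b for _, b in edges}
    for a, b in edges:
        succ[a].append(b)
    paths = []

    def walk(node, path):
        if node in goals:
            paths.append(path)
            return
        for nxt in succ[node]:
            if nxt not in path:
                walk(nxt, path + [nxt])

    for s in [n for n in succ if n not in has_in]:
        walk(s, [s])
    return paths


def rank(edges, threats, weights, goals):
    """ASSUMED scoring (the claim-6 formulas are only figures on the page):
    P_i = product of P_ij over attack nodes on path i; Q_j = sum over paths through j of l_j * P_i."""
    prob = {v.vid: basic_probability(v) for v in threats}
    host = {v.vid: v.host for v in threats}
    path_prob, node_prob = {}, defaultdict(float)
    for path in attack_paths(edges, goals):
        p = 1.0
        for n in path:
            p *= prob.get(n, 1.0)
        path_prob[tuple(path)] = p
        for n in path:
            if n in prob:
                node_prob[n] += weights[host[n]] * p
    if not path_prob:
        return [], 0.0, None, {}
    best = max(path_prob, key=path_prob.get)
    return list(best), path_prob[best], max(node_prob, key=node_prob.get), dict(node_prob)


# Constructed sample plant: PLC1 is the important host; V3 closes a loop with V2.
HOSTS = {"ENG", "HMI", "PLC1"}
WEIGHTS = {"ENG": 0.2, "HMI": 0.5, "PLC1": 1.0}
THREATS = [
    Vuln("V1", "HMI", "VNC", "user@ENG", "root@HMI", "NLNN"),
    Vuln("V2", "PLC1", "Modbus", "root@HMI", "root@PLC1", "ALNN"),
    Vuln("V3", "HMI", "SMB", "root@PLC1", "root@HMI", "AHLN"),
]


def predict(threats=THREATS, hosts=HOSTS, weights=WEIGHTS, important=("PLC1",)):
    graph = build_attack_graph(threats, hosts, important)
    loops = find_loops(graph)
    graph = break_loops(graph, threats)
    goals = {v.post for v in threats if v.host in important}
    return loops, graph, rank(graph, threats, weights, goals)


if __name__ == "__main__":
    loops, graph, (path, p, node, q) = predict()
    print("loops removed:", loops)
    print("most probable path:", " -> ".join(path), round(p, 4))
    print("highest cumulative node:", node, {k: round(v, 4) for k, v in q.items()})
```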
7. An apparatus for predicting security risk of industrial internet, applied to an electronic device communicatively connected to each host to be predicted in the industrial internet to be predicted, the apparatus comprising:
the host computer exploration list generating unit is used for generating a host computer exploration list of each host computer in the industrial Internet to be predicted based on a preset host computer exploration method, and determining important host computers and non-important host computers according to preset importance weight values of the host computers; the host probe list includes: each host and the service and/or the corresponding communication protocol which are correspondingly operated on each host;
a vulnerability and vulnerability description information searching unit, configured to search an existing vulnerability library, based on the host probing list, for the vulnerabilities and vulnerability description information existing in the service and/or communication protocol of each host; the vulnerability description information includes: the precondition for each vulnerability to be utilized and the result generated after each vulnerability is utilized; the precondition for a vulnerability to be utilized comprises: the user operation authority on the host where the vulnerability is located that is required for the vulnerability to be utilized; the result generated after a vulnerability is utilized comprises: the user operation authority on the attacked target host that is obtained by utilizing the vulnerability; the target host is the same as or different from the host where the vulnerability is located;
a vulnerability basic score obtaining unit, configured to obtain, based on vulnerabilities existing in the hosts, corresponding vulnerability basic scores in an existing vulnerability scoring system;
the storing unit is used for storing the host with the vulnerability, the corresponding service and/or communication protocol and the corresponding vulnerability as the vulnerability to be predicted into a host threat list;
an acquisition unit, configured to acquire the network connection relations among the hosts to be predicted and the user operation authority of each host before attack;
an attack rule base establishing unit, configured to establish an attack rule base based on the host probing list, the host threat list, the network connection relations, and the pre-attack user operation authority of each host; the attack rule base comprises: the vulnerabilities to be predicted existing in each host in the industrial Internet, the precondition for each vulnerability to be predicted to be utilized, and the result generated after each vulnerability to be predicted is utilized;
the attack graph generating unit is used for generating an attack graph comprising vulnerability attack nodes, state nodes and directed edges in a reverse direction by taking a vulnerability to be predicted corresponding to an important host as an initial vulnerability attack node based on the host threat list and the attack rule base according to a preset reverse attack graph generating algorithm; each state node in the attack graph respectively represents a precondition that the vulnerability to be predicted is utilized or a result generated after the vulnerability to be predicted is utilized, and each directed edge in the attack graph represents attack relations between different vulnerability attack nodes and state nodes formed according to the attack rules;
the basic attack probability calculation unit is used for calculating the basic attack probability of each vulnerability attack node in the attack graph based on the vulnerability basic score;
a maximum-cumulative-attack-probability vulnerability attack node and maximum-attack-probability attack path obtaining unit, configured to calculate, according to the basic attack probability of each vulnerability and the attack graph, the cumulative attack probability of each vulnerability attack node based on the importance weight value of the corresponding host and the attack probability of each attack path, and to obtain the vulnerability attack node with the maximum cumulative attack probability and the attack path with the maximum attack probability;
the attack graph generation unit is specifically configured to: acquire a current vulnerability to be predicted corresponding to an important host from the host threat list as a current vulnerability attack node; judge whether a service and/or communication protocol in the host threat list meets the result generated after the current vulnerability to be predicted stored in the attack rule base is utilized; if no service and/or communication protocol meets the result generated after the current vulnerability to be predicted stored in the attack rule base is utilized, judge whether the host threat list contains a vulnerability to be predicted corresponding to an important host which has not been obtained; if the host threat list contains a vulnerability to be predicted corresponding to an important host which has not been obtained, execute the step of obtaining a current vulnerability to be predicted corresponding to an important host from the host threat list as a current vulnerability attack node; if the host threat list does not contain a vulnerability to be predicted corresponding to an important host which has not been obtained, judge whether the host threat list contains a vulnerability to be predicted corresponding to a non-important host which has not been obtained; if the host threat list does not contain a vulnerability to be predicted corresponding to a non-important host which has not been obtained, determine that the generation of the attack graph is finished; if the host threat list contains a vulnerability to be predicted corresponding to a non-important host which has not been obtained, obtain a vulnerability to be predicted corresponding to a non-important host from the host threat list as the current vulnerability to be predicted, and execute the step of judging whether a service and/or communication protocol in the host threat list meets the result generated after the current vulnerability to be predicted stored in the attack rule base is utilized; if a service and/or communication protocol meets the result generated after the current vulnerability to be predicted is utilized, take the current vulnerability to be predicted as a current first attack node, take the result generated after the current vulnerability to be predicted is utilized as a current first state node, and generate an edge pointing from the current first attack node to the current first state node; judge whether a service and/or communication protocol in the host threat list meets the precondition that the current vulnerability to be predicted stored in the attack rule base is utilized; if no service and/or communication protocol meets the precondition that the current vulnerability to be predicted stored in the attack rule base is utilized, return to execute the step of judging whether the host threat list contains a vulnerability to be predicted corresponding to an important host which has not been obtained; if a service and/or communication protocol meets the precondition, stored in the attack rule base, for the current vulnerability to be predicted to be utilized, take that precondition as a current second state node, and generate an edge pointing from the current second state node to the current first attack node; judge whether the result generated after another vulnerability to be predicted is utilized is equal to the precondition for the current vulnerability to be predicted to be utilized; if the result generated after the other vulnerability to be predicted is utilized is equal to the precondition for the current vulnerability to be predicted to be utilized, take the other vulnerability to be predicted as the current first attack node, and generate an edge pointing from the current first attack node to the current second state node; take the other vulnerability to be predicted as the current vulnerability to be predicted, and return to execute the step of judging whether a service and/or communication protocol in the host threat list meets the precondition that the current vulnerability to be predicted stored in the attack rule base is utilized; and if no result generated after another vulnerability to be predicted is utilized is equal to the precondition for the current vulnerability to be predicted to be utilized, return to execute the step of judging whether the host threat list contains a vulnerability to be predicted corresponding to an important host which has not been obtained.
8. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1-6 when executing a program stored in the memory.
9. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 6.
CN201910870521.5A 2019-09-16 2019-09-16 Industrial Internet security risk prediction method, device, equipment and storage medium Active CN110572409B (en)


Publications (2)

Publication Number Publication Date
CN110572409A CN110572409A (en) 2019-12-13
CN110572409B true CN110572409B (en) 2021-10-12

Family

ID=68780353




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant