CN110658796A - Method for identifying industrial control network key component - Google Patents


Publication number
CN110658796A
Authority
CN
China
Prior art keywords
node
graph
industrial control
formula
key components
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910960811.9A
Other languages
Chinese (zh)
Other versions
CN110658796B (en)
Inventor
袁键
陈夏裕
徐乐晨
施靖萱
章明飞
孙杨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Original Assignee
Jiangsu Hengtong Industrial Control Safety Research Institute Co Ltd
Classifications

    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00: Programme-control systems
    • G05B19/02: Programme-control systems electric
    • G05B19/418: Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
    • G05B19/4185: Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM] characterised by the network communication
    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00: Program-control systems
    • G05B2219/30: Nc systems
    • G05B2219/33: Director till display
    • G05B2219/33139: Design of industrial communication system with expert system
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention relates to a method for identifying key components in an industrial control network system, which comprises the following steps: representing the dependency relationships among the nodes and components in the industrial control system environment in the form of an AND-OR graph; converting the AND-OR graph into an equivalent logic formula that is true when the target node can operate normally, and negating that formula to express that an attacker makes the target node unable to operate normally; converting the negation of the equivalent logic formula into conjunctive normal form and constructing a weighted partial MaxSAT (maximum satisfiability) problem; and performing a minimum weighted node cut on the AND-OR graph, where the cut represents a group of key components and the lowest attack cost for an attacker. The method can effectively analyze the dependency relationships among all the components in the industrial control network system, analyze the security situation of the whole industrial control network system, and identify the key components in the industrial control system environment, so that technical personnel can focus monitoring and protection on those key components, and it does not cause any adverse effect on network performance.

Description

Method for identifying industrial control network key component
Technical Field
The invention relates to a method for identifying key components in an industrial control network system, belonging to the technical field of industrial control safety.
Background
Industrial control systems, which combine data acquisition systems, distributed control systems, programmable logic controllers and the like, are responsible for operating and monitoring national critical industrial infrastructure. They play an important role as supervisors and controllers in the infrastructure of the nuclear, electrical, water conservancy and other industries. As industrialization and informatization become ever more tightly combined, industrial infrastructure is also gradually becoming networked, and most industrial control systems currently in operation face a growing likelihood of malicious intrusion and external threats in an open network environment. This can even seriously affect the normal operation of national key infrastructure, and will restrict the convergence of industrialization and the development of Industry 4.0. Therefore, the monitoring and protection of key components in the industrial control network system are very important.
Existing network scanning tools can only find the vulnerabilities of a single component in a target network. They cannot analyze the mutual dependencies and vulnerabilities of the components in the target network, cannot focus on security situation analysis of the whole network system, and in particular cannot highlight the key components in an industrial control network system. In addition, such tools may have some impact on the performance of the network during the scanning process.
Disclosure of Invention
In view of the above problems in the prior art, an object of the present invention is to provide a method for identifying key components in an industrial control network system, which can effectively analyze the dependency relationships among the components in a target network and identify the key components in the industrial control system environment.
To achieve this object, the invention is realized by the following technical scheme:
a method for identifying key components in an industrial control network system comprises the following steps:
step 1, representing the dependency relationships among the nodes and components in the industrial control system environment in the form of an AND-OR graph;
step 2, converting the AND-OR graph into an equivalent logic formula that is true when the target node can operate normally, and negating the equivalent logic formula to express that an attacker makes the target node unable to operate normally;
step 3, converting the negation of the equivalent logic formula into conjunctive normal form, and constructing a weighted partial MaxSAT (maximum satisfiability) problem;
step 4, performing a minimum weighted node cut on the AND-OR graph with respect to the target node, where the cut represents a group of key components and the lowest attack cost for an attacker.
Advantageous effects: compared with the prior art, the dependency relationships among all components in the industrial control network system are effectively analyzed based on the AND-OR graph model, the security situation of the whole industrial control network system is analyzed, key components in the industrial control system environment are identified, and technicians can conveniently focus monitoring and protection on the key components. The method provided by the invention does not actively scan the industrial control network, so network performance is not affected.
Drawings
FIG. 1 is a flow chart of the present invention.
FIG. 2 is a schematic diagram of an example of the AND-OR graph of the present invention.
FIG. 3 is a diagram illustrating a specific process of identifying key components according to the present invention.
FIG. 4 is a diagram illustrating the results of identifying key components of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, the present invention discloses a method for identifying key components in an industrial control network system, which comprises the following steps:
step 1, representing the dependency relationships among the nodes and components in the industrial control system environment in the form of an AND-OR graph.
In step 1, a directed graph model is established in the form of an AND-OR graph from an actual industrial control network scenario, and is denoted G = (V, E). The nodes of the AND-OR graph comprise three types of basic node and two types of artificial node. A basic node is denoted v and represents a component type in the industrial control network system; an artificial node is denoted p and represents a logical dependency relationship among components in the industrial control network system.
The three basic node types in the AND-OR graph are the sensor node s, the software agent node d and the target node t; the two artificial node types in the AND-OR graph are AND nodes and OR nodes.
The dependency relationship among the components in the industrial control network system means that if a certain component in the industrial control network system cannot work normally, the operation of the other components that depend on it is affected.
The conversion and negation of the equivalent logic formula in step 2 comprise the following specific steps:
step 2.1, traversing the nodes of the AND-OR graph until all nodes in the AND-OR graph have been included;
step 2.2, converting the dependency relationship of each node in the AND-OR graph into an equivalent logic formula, denoted f_G(t). If the Boolean value of this formula is 1 (i.e., true), denoted f_G(t) = true, the target node can operate normally; if the Boolean value of this formula is 0 (i.e., false), denoted f_G(t) = false, the attacker has made the target node unable to operate normally;
step 2.3, negating the equivalent logic formula and recording it as
If the Boolean value of this formula is 1 (i.e., true), it is recorded as
Figure BDA0002228538040000032
indicating that the target node cannot operate normally.
In step 3, the negation of the equivalent logic formula is converted into conjunctive normal form and a weighted partial MaxSAT (maximum satisfiability) problem is constructed. The specific steps are as follows:
step 3.1, converting the negation of the equivalent logic formula into an equivalent Conjunctive Normal Form (CNF) by using logical equivalences, De Morgan's laws and the Tseitin transformation, and recording the conjunctive normal form as
Figure BDA0002228538040000033
i.e. h(v) = (v_1i ∨ … ∨ v_1j) ∧ … ∧ (v_hi ∨ … ∨ v_hj), where each clause of the conjunctive normal form also carries a weight.
The weight of a clause is calculated by a cost function, which assigns the corresponding weight to each basic node in the AND-OR graph; the cost function represents the cost required by an attacker to destroy the node v and is recorded as
The weight assigned to each basic node is recorded as
Figure BDA0002228538040000035
step 3.2, constructing the weighted partial MaxSAT problem.
The weighted partial MaxSAT problem is an optimization form of the satisfiability problem.
Solving the weighted partial MaxSAT problem is equivalent to searching for the minimum total weight needed to destroy the target node and the weighted nodes that make up that minimum total weight.
In step 4, the process of performing the minimum weighted node cut on the AND-OR graph with respect to the target node is as follows:
performing the minimum weighted node cut on the AND-OR graph with respect to the target node means solving the weighted partial MaxSAT problem, searching for the minimum total weight needed to destroy the target node and the weighted nodes that make up that minimum total weight, and performing the cutting operation on those weighted nodes. This process yields a group of key components, which represents the lowest attack cost for an attacker: if these components are damaged by the attacker, the network cannot operate normally.
The definition of the weighted partial MaxSAT problem and its solution are shown in equation 1 and equation 2:
Figure BDA0002228538040000041
in said equation 1, μ(G, t) is the objective function; the objective is to calculate the minimum total weight needed to damage the target node and to identify the set of nodes X = {m_1, m_2, …, m_h} with the minimum attack cost for the attacker. If the nodes in this set are damaged, the target node t cannot work normally, and the network cannot operate normally;
ωcc(σ(G,X))≥2∨X={t} (2)
in formula 2, ωcc(G) is the constraint: it computes the number of weakly connected components in the graph G, that is, the number of connected components obtained when all directed edges in the directed graph are replaced with undirected edges, so as to ensure that the target node t is disconnected from a non-empty set of nodes on which it directly or indirectly depends; σ(G, X) is the node cutting operation, meaning that the nodes X and the nodes having logical dependencies with them are removed from graph G and a new graph is generated.
As shown in fig. 2, the present invention provides a schematic diagram of an AND-OR graph example for an industrial control network system scenario, obtained by establishing a directed graph model in the form of an AND-OR graph from an actual industrial control network scenario. It includes two sensor nodes, a and c, two software agent nodes, b and d, and a target node c1. It also includes two AND nodes and one OR node. Each component in the industrial control network system has a corresponding weight value that represents its attack cost; in particular, inf represents infinity.
As shown in fig. 3, the present invention provides a diagram of the specific process for identifying key components in the example industrial control network system scenario. The process is as follows:
establishing the directed graph model shown in fig. 2 in the form of an AND-OR graph from the actual industrial control network scenario;
traversing the nodes of the AND-OR graph until all nodes in the AND-OR graph have been included, and converting the dependency relationship of each node in the AND-OR graph into an equivalent logic formula that is true when the target node can operate normally, denoted f_G(c1) = c1 ∧ (d ∧ ((a ∧ b) ∨ (b ∧ c))). If f_G(c1) = true, the target node c1 can operate normally. Because the attacker's goal is that the target node cannot operate normally, the negation of the formula is taken and recorded as
Figure BDA0002228538040000051
If
Figure BDA0002228538040000052
the target node cannot operate normally, so the attacker's goal is reached;
converting the negation of the equivalent logic formula into an equivalent Conjunctive Normal Form (CNF) by using logical equivalences, De Morgan's laws and the Tseitin transformation, and recording it as
Figure BDA0002228538040000054
Each clause of the conjunctive normal form also carries a weight, which is assigned by the cost function
Figure BDA0002228538040000055
Each basic node is assigned a weight, recorded as
Figure BDA0002228538040000056
namely (a, 2), (b, 5), (c, 2), (d, 10), (c1, inf), and the weighted partial MaxSAT problem is constructed.
The weighted partial MaxSAT problem is solved, searching for the minimum total weight needed to destroy the target node and the weighted nodes that make up that minimum total weight. The result is that the minimum total weight μ(G, c1) is 4, and the weighted nodes forming the minimum total weight are node a and node c.
The cutting operation is carried out on the nodes with the minimum weight, and its result is { (c, 2), (a, 2) }. The cutting process yields a group of key components, which represents the lowest attack cost for an attacker: if these components are damaged by the attacker, the network cannot operate normally.
As shown in FIG. 4, the present invention provides a schematic diagram of the result of identifying key components in the example industrial control network system scenario. The diagram marks the group of key components, namely (c, 2) and (a, 2).
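The Fig. 2 scenario can be reproduced end to end in a few lines. The following is an added example, not code from the patent: it encodes the dependency formula c1 ∧ d ∧ ((a ∧ b) ∨ (b ∧ c)) as a nested tuple, applies the Tseitin transformation, asserts the negated root as a hard clause, and solves the resulting weighted partial MaxSAT instance. The tuple encoding, all function names, the exhaustive search standing in for a real MaxSAT solver, and the treatment of an infinite cost as a hard clause are assumptions made for illustration.

```python
import math
from itertools import product

# Constructed sample input: the Fig. 2 scenario (sensors a, c; agents b, d; target c1).
COST = {"a": 2, "b": 5, "c": 2, "d": 10, "c1": math.inf}
# f_G(c1) = c1 AND d AND ((a AND b) OR (b AND c)), written as a nested AND-OR tree.
TREE = ("AND", "c1", "d", ("OR", ("AND", "a", "b"), ("AND", "b", "c")))


def operational(tree, down=()):
    """Evaluate f_G(t): can the target run when the nodes in `down` have failed?"""
    if isinstance(tree, str):
        return tree not in down
    op, *kids = tree
    vals = [operational(k, down) for k in kids]
    return all(vals) if op == "AND" else any(vals)


def tseitin(tree, clauses, names):
    """Return the variable standing for `tree`, appending its defining clauses.

    A literal is a (variable, polarity) pair; gate variables are named _g0, _g1, ...
    """
    if isinstance(tree, str):
        names.add(tree)
        return tree
    op, *kids = tree
    ins = [tseitin(k, clauses, names) for k in kids]
    g = f"_g{sum(n.startswith('_g') for n in names)}"
    names.add(g)
    if op == "AND":   # g <-> x1 AND ... AND xn
        clauses += [[(g, False), (x, True)] for x in ins]
        clauses.append([(g, True)] + [(x, False) for x in ins])
    else:             # g <-> x1 OR ... OR xn
        clauses += [[(x, False), (g, True)] for x in ins]
        clauses.append([(g, False)] + [(x, True) for x in ins])
    return g


def build_wpmaxsat(tree, cost):
    """Hard clauses: CNF of the negated formula. Soft clauses: each node stays up."""
    hard, names = [], set()
    root = tseitin(tree, hard, names)
    hard.append([(root, False)])                 # negation: the target must fail
    soft = []
    for v in sorted(n for n in names if not n.startswith("_g")):
        if math.isinf(cost[v]):
            hard.append([(v, True)])             # assumption: inf cost = cannot be cut
        else:
            soft.append(([(v, True)], cost[v]))  # falsifying this clause costs cost[v]
    return hard, soft, sorted(names)


def satisfied(clause, model):
    return any(model[v] == pol for v, pol in clause)


def solve(hard, soft, names):
    """Exhaustive search: minimise the total weight of falsified soft clauses."""
    best = None
    for bits in product([True, False], repeat=len(names)):
        model = dict(zip(names, bits))
        if not all(satisfied(c, model) for c in hard):
            continue
        cut = sorted(c[0][0] for c, _ in soft if not satisfied(c, model))
        weight = sum(w for c, w in soft if not satisfied(c, model))
        if best is None or weight < best[0]:
            best = (weight, cut)
    return best  # None if no finite-cost cut exists


def critical_components(tree, cost):
    return solve(*build_wpmaxsat(tree, cost))


if __name__ == "__main__":
    weight, cut = critical_components(TREE, COST)
    print(f"minimum total weight = {weight}, key components = {cut}")
    print("target still operational after cut:", operational(TREE, cut))
```

The components returned are the ones to prioritise for monitoring and hardening; raising the cost of a node in the cut (for example by adding redundancy) and re-running shows where the next weakest set lies.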
The technical solutions provided by the embodiments of the present invention are described in detail above, and the principles and embodiments implemented by the present invention are explained in the present document by using specific examples, and the descriptions of the above examples are only used to help understanding the principles implemented by the present invention; meanwhile, for a person skilled in the art, the embodiment of the present invention may be changed in the specific implementation manner and the application scope, and in summary, the content of the present description should not be construed as limiting the present invention.

Claims (5)

1. A method for identifying key components in an industrial control network system, characterized by comprising the following steps:
step 1, representing the dependency relationships among the nodes and components in the industrial control system environment in the form of an AND-OR graph;
step 2, converting the AND-OR graph into an equivalent logic formula that is true when the target node can operate normally, and negating the equivalent logic formula to express that an attacker makes the target node unable to operate normally;
step 3, converting the negation of the equivalent logic formula into conjunctive normal form, and constructing a weighted partial MaxSAT (maximum satisfiability) problem;
step 4, performing a minimum weighted node cut on the AND-OR graph with respect to the target node, where the cut represents a group of key components and the lowest attack cost for an attacker.
2. The method for identifying key components in the industrial control network system according to claim 1, wherein step 1 establishes a directed graph model, denoted G = (V, E), that represents the dependency relationships among the nodes and components in the industrial control system environment in the form of an AND-OR graph.
3. The method for identifying key components in the industrial control network system according to claim 1, wherein the step 2 comprises the following steps:
step 2.1, traversing the nodes of the AND-OR graph until all nodes in the AND-OR graph have been included;
step 2.2, converting the dependency relationship of each node in the AND-OR graph into an equivalent logic formula, denoted f_G(t); if the Boolean value of this formula is 1 (i.e., true), denoted f_G(t) = true, the target node can operate normally;
step 2.3, negating the equivalent logic formula and recording it as
Figure FDA0002228538030000011
If the Boolean value of this formula is 1 (i.e., true), it is recorded as
indicating that the target node cannot operate normally.
4. The method for identifying key components in an industrial control network system according to claim 1, wherein the step 3 comprises the following steps:
step 3.1, converting the negation of the equivalent logic formula into an equivalent Conjunctive Normal Form (CNF) by using logical equivalences, De Morgan's laws and the Tseitin transformation, which is recorded as
Figure FDA0002228538030000013
i.e. h(v) = (v_1i ∨ … ∨ v_1j) ∧ … ∧ (v_hi ∨ … ∨ v_hj), where each clause of the conjunctive normal form also carries a weight, and the weight corresponding to a clause is assigned by the cost function
Figure FDA0002228538030000014
The weight assigned to each basic node is denoted
Figure FDA0002228538030000015
step 3.2, constructing the weighted partial MaxSAT problem.
5. The method of claim 1, wherein the step 4 is a minimum weighted node cut on the AND-OR graph with respect to the target node.
The minimum weighted node cut on the AND-OR graph with respect to the target node represents the solution of the weighted partial MaxSAT problem; the definition of the weighted partial MaxSAT problem and its solution are shown in formula 1 and formula 2:
Figure FDA0002228538030000021
the purpose of said formula 1 is to find the minimum total weight needed to destroy the target node and the weighted nodes that constitute the minimum total weight;
ωcc(σ(G,X))≥2∨X={t} (2)
the purpose of said formula 2 is to perform the cutting operation on the nodes with the smallest weight; this process yields a group of key components, which represents the lowest attack cost for an attacker, and if these components are damaged by the attacker, the network cannot operate normally.
CN201910960811.9A 2019-10-10 2019-10-10 Method for identifying industrial control network key component Active CN110658796B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910960811.9A CN110658796B (en) 2019-10-10 2019-10-10 Method for identifying industrial control network key component

Publications (2)

Publication Number Publication Date
CN110658796A true CN110658796A (en) 2020-01-07
CN110658796B CN110658796B (en) 2020-11-17

Family

ID=69040470


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant