CN110971565A - Source network load system vulnerability evaluation method and system based on malicious attack modeling - Google Patents


Info

Publication number: CN110971565A
Authority: CN (China)
Prior art keywords: attack, model, load system, network, modeling
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN201811145596.9A
Other languages: Chinese (zh)
Other versions: CN110971565B (en)
Inventors: 费稼轩, 张涛, 黄秀丽, 范杰, 石聪聪, 张小建, 章锐, 高昇宇, 朱红, 韦磊, 李维, 葛永高, 王伏亮, 陈颢, 王齐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): State Grid Corp of China SGCC; State Grid Jiangsu Electric Power Co Ltd; Global Energy Interconnection Research Institute; Weifang Power Supply Co of State Grid Shandong Electric Power Co Ltd
Original Assignee: State Grid Corp of China SGCC; State Grid Jiangsu Electric Power Co Ltd; Global Energy Interconnection Research Institute; Weifang Power Supply Co of State Grid Shandong Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Jiangsu Electric Power Co Ltd, Global Energy Interconnection Research Institute, Weifang Power Supply Co of State Grid Shandong Electric Power Co Ltd
Priority to CN201811145596.9A
Publication of CN110971565A
Application granted
Publication of CN110971565B
Status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A vulnerability evaluation method and system for a source network load system, based on malicious attack modeling. The method comprises the following steps: attacking the source network load system with a preset attack model on a simulation platform; obtaining the attack success probability of the attack model against the source network load system; and performing vulnerability assessment on the source network load system based on the attack success rate. The attack model comprises a key network security equipment attack model and a network security protection mechanism attack model. The technical scheme of the invention is based on the actual situation of the source network load system and analyzes its electric power communication characteristics and security defense mechanisms; it helps to identify the vulnerabilities of the source network load system and to evaluate how likely the system is to suffer a network attack, which in turn helps to improve the security of the source network load system.

Description

Source network load system vulnerability evaluation method and system based on malicious attack modeling
Technical Field
The invention relates to the field of network security of a power system, in particular to a source network load system vulnerability evaluation method and system based on malicious attack modeling.
Background
In a power cyber-physical system (CPS), the computing system, the communication network and the physical environment of the power system are fused into a whole, forming a complex system that integrates real-time perception, dynamic control and information services. The source network load system is one implementation form of the electric power CPS. Compared with the traditional electric power system, its important characteristic is that it can control the power sources, the power network and the power loads quickly, accurately and in real time by means of intelligent network charge interactive terminals, intelligent meters and an information communication network. At the same time, because the dependency on information and control is higher, the interaction behavior of source, network and load becomes more and more complex, and the security of the information system of the source network load system has a larger influence on the system function. Compared with directly attacking the primary equipment of the power grid, a network attack on the information system costs less, is more convenient to carry out and has more means available, and an attack on the information network can also have consequences in the physical system, such as equipment function failure, equipment misoperation and refusal to operate. Traditional power system security protection rarely considers the possibility of network attack, and the source network load system is relatively weak at dealing with industrial control malicious attacks that are organized, group-based and highly customized, with complex attack mechanisms, high concealment and strong specialization. A network attack may cause the source network load system to break down, and has thereby become a new threat to the safe and stable operation of the source network load system.
At present, the research on malicious attacks on the electric power engineering system including the source network load system is still in a preliminary stage. The research on the process model of the source network load system malicious attack is of great significance to the understanding of the influence mechanism of the network attack, the analysis of the vulnerability of the system, the next risk assessment and the defense decision.
Disclosure of Invention
In order to solve the defects in the prior art, the invention provides a source network load system vulnerability evaluation method and system based on malicious attack modeling.
The technical scheme provided by the invention is as follows:
the source network load system vulnerability evaluation method based on malicious attack modeling comprises the following steps:
attacking a source network load system by a preset attack model by adopting a simulation platform;
obtaining the attack success probability of the attack model to the source network load system;
performing vulnerability assessment on the source network load system based on the attack success rate;
the attack model comprises a key network security equipment attack model and a network security protection mechanism attack model.
Preferably, the constructing of the attack model includes:
modeling the key network safety equipment based on a stochastic Petri network and a time Petri network to obtain a key network safety equipment model;
modeling a network security protection mechanism based on a stochastic Petri network and a time Petri network to obtain a network security protection mechanism model;
and performing cascade modeling on the key network security equipment model and the network security protection mechanism model based on an attack mode to obtain an attack model.
Preferably, the key network security device model includes:
a firewall data packet filtering mechanism model and a terminal port management mechanism model;
the firewall filtering data packet mechanism model comprises: the transformer substation access layer firewall and the master station layer firewall.
Preferably, the key network security device model includes:
the network security protection mechanism model comprises: the intelligent network charge interactive terminal identity authentication model and the meter encrypted command execution model.
Preferably, the performing cascade modeling on the key network security device model and the network security protection mechanism model based on the attack mode to obtain an attack model includes:
according to a false data injection attack mode, cascading a transformer substation access layer firewall, a main station layer firewall and an intelligent network charge interactive terminal identity authentication model to obtain a production control area false data injection attack model;
according to a denial of service attack mode, modeling a single terminal port management mechanism model to obtain a production control area negative control terminal DoS attack model;
according to a forged instruction attack mode, modeling the encrypted command execution of a single meter to obtain a terminal meter forged instruction attack model;
the attack mode comprises the following steps: a false data injection attack mode, a denial of service attack mode and a forged instruction attack mode.
Preferably, the obtaining of the attack success probability of the attack model on the source network load system includes:
running the production control area false data injection attack model in the Yasper simulation tool, with the attack starting from a terminal and intruding into the production control area through the transformer substation access layer firewall and the master station layer firewall, to obtain a first statistical probability of successfully attacking the source network load system;
running the production control area negative control terminal DoS attack model in the Yasper simulation tool, in which the control authority of the attack object is acquired directly so that the attack object refuses service, to obtain a second statistical probability of successfully attacking the source network load system;
and running the terminal meter forged instruction attack model in the Yasper simulation tool, in which the instruction is forged directly at the communication channel or the physical interface of the equipment to cause a false action, to obtain a third statistical probability of successfully attacking the source network load system.
Preferably, the vulnerability assessment of the source network load system based on the attack success rate includes:
obtaining the successful defense probability of the source network load system according to the first statistical probability, the second statistical probability and the third statistical probability;
if the successful defense probability is higher than a preset threshold value, the source network load system has high defense performance; otherwise, the source network load system has low defense performance.
Compared with the closest prior art, the technical scheme provided by the invention has the following beneficial effects:
the technical scheme of the invention provides a source network load system vulnerability evaluation method based on malicious attack modeling, comprising the following steps: attacking a source network load system with a preset attack model on a simulation platform; obtaining the attack success probability of the attack model against the source network load system; performing vulnerability assessment on the source network load system based on the attack success rate; wherein the attack model comprises a key network security equipment attack model and a network security protection mechanism attack model. The source network load system attack model makes the influence mechanism of network attacks and the vulnerability of the system understood, so that the possibility of the source network load system suffering a malicious attack can be evaluated. The attack modeling method analyzes the electric power communication characteristics and the security defense mechanisms, offers guidance for strengthening the software and hardware protection mechanisms, and facilitates the subsequent risk assessment and defense decisions.
Drawings
FIG. 1 is a flow chart of a method of a source net load system attack model of the present invention;
FIG. 2 is a schematic diagram of the communication network connections of an actual source network load system of the present invention;
FIG. 3 is a Petri network model of the intelligent network charge interactive terminal identity authentication module according to the present invention;
FIG. 4 is a diagram of a meter terminal executing an encrypt message command model in accordance with the present invention;
FIG. 5 is a Petri Net model of a firewall filter packet mechanism of the present invention;
FIG. 6 is a model of the management mechanism of the terminal port of the present invention;
FIG. 7 is a Petri net model of the false data injection attack of the production control area.
Detailed Description
For a better understanding of the present invention, reference is made to the following description taken in conjunction with the accompanying drawings and examples.
The first embodiment is as follows:
the invention provides a source network load system vulnerability evaluation method and system based on malicious attack modeling, as shown in figure 1, the source network load system vulnerability evaluation method based on the malicious attack modeling comprises the following steps:
attacking a source network load system by a preset attack model by adopting a simulation platform;
obtaining the attack success probability of the attack model to the source network load system;
performing vulnerability assessment on the source network load system based on the attack success rate;
the attack model comprises a key network security equipment attack model and a network security protection mechanism attack model.
The construction of the attack model comprises the following steps:
modeling the key network safety equipment based on a stochastic Petri network and a time Petri network to obtain a key network safety equipment model;
modeling a network security protection mechanism based on a stochastic Petri network and a time Petri network to obtain a network security protection mechanism model;
and performing cascade modeling on the key network security equipment model and the network security protection mechanism model based on an attack mode to obtain an attack model.
The critical network security device model comprises:
a firewall data packet filtering mechanism model and a terminal port management mechanism model;
the firewall filtering data packet mechanism model comprises: the transformer substation access layer firewall and the master station layer firewall.
The critical network security device model comprises:
the network security protection mechanism model comprises: the intelligent network charge interactive terminal identity authentication model and the meter encrypted command execution model.
The method for performing cascade modeling on the key network security equipment model and the network security protection mechanism model based on the attack mode to obtain an attack model comprises the following steps:
according to a false data injection attack mode, cascading a transformer substation access layer firewall, a main station layer firewall and an intelligent network charge interactive terminal identity authentication model to obtain a production control area false data injection attack model;
according to a denial of service attack mode, modeling a single terminal port management mechanism model to obtain a production control area negative control terminal DoS attack model;
according to a forged instruction attack mode, modeling the encrypted command execution of a single meter to obtain a terminal meter forged instruction attack model;
the attack mode comprises the following steps: a false data injection attack mode, a denial of service attack mode and a forged instruction attack mode.
The obtaining of the attack success probability of the attack model to the source network load system includes:
running the production control area false data injection attack model in the Yasper simulation tool, with the attack starting from a terminal and intruding into the production control area through the transformer substation access layer firewall and the master station layer firewall, to obtain a first statistical probability of successfully attacking the source network load system;
running the production control area negative control terminal DoS attack model in the Yasper simulation tool, in which the control authority of the attack object is acquired directly so that the attack object refuses service, to obtain a second statistical probability of successfully attacking the source network load system;
and running the terminal meter forged instruction attack model in the Yasper simulation tool, in which the instruction is forged directly at the communication channel or the physical interface of the equipment to cause a false action, to obtain a third statistical probability of successfully attacking the source network load system.
And performing vulnerability assessment on the source network load system based on the attack success rate, wherein the vulnerability assessment comprises the following steps:
obtaining the successful defense probability of the source network load system according to the first statistical probability, the second statistical probability and the third statistical probability;
if the successful defense probability is higher than a preset threshold value, the source network load system has high defense performance; otherwise, the source network load system has low defense performance.
Example two:
based on the same inventive concept, the invention also provides a source network load system vulnerability evaluation system based on malicious attack modeling, comprising:
a simulation module: attacking a source network load system by a preset attack model by adopting a simulation platform;
a probability obtaining module: obtaining the attack success probability of the attack model to the source network load system;
an evaluation module: performing vulnerability assessment on the source network load system based on the attack success rate;
the attack model in the simulation module comprises a key network security equipment attack model and a network security protection mechanism attack model.
The simulation module comprises a construction submodule, and the construction submodule comprises:
the key network safety equipment modeling unit: modeling the key network safety equipment based on a stochastic Petri network and a time Petri network to obtain a key network safety equipment model;
a network security protection mechanism modeling unit: modeling a network security protection mechanism based on a stochastic Petri network and a time Petri network to obtain a network security protection mechanism model;
a cascade unit: and performing cascade modeling on the key network security equipment model and the network security protection mechanism model based on an attack mode to obtain an attack model.
The critical network security device model comprises:
a firewall data packet filtering mechanism model and a terminal port management mechanism model;
the firewall filtering data packet mechanism model comprises: the transformer substation access layer firewall and the master station layer firewall.
The critical network security device model comprises:
the network security protection mechanism model comprises: the intelligent network charge interactive terminal identity authentication model and the meter encrypted command execution model.
The cascade unit includes:
a first cascade subunit: according to a false data injection attack mode, cascading a transformer substation access layer firewall, a main station layer firewall and an intelligent network charge interactive terminal identity authentication model to obtain a production control area false data injection attack model;
a second cascade subunit: according to a denial of service attack mode, modeling a single terminal port management mechanism model to obtain a production control area negative control terminal DoS attack model;
a third cascade subunit: according to a forged instruction attack mode, modeling the encrypted command execution of a single meter to obtain a terminal meter forged instruction attack model;
the attack mode in the cascade unit comprises the following steps: a false data injection attack mode, a denial of service attack mode and a forged instruction attack mode.
The probability obtaining module includes:
a first statistical probability obtaining submodule: running the production control area false data injection attack model in the Yasper simulation tool, with the attack starting from a terminal and intruding into the production control area through the transformer substation access layer firewall and the master station layer firewall, to obtain a first statistical probability of successfully attacking the source network load system;
a second statistical probability obtaining submodule: running the production control area negative control terminal DoS attack model in the Yasper simulation tool, in which the control authority of the attack object is acquired directly so that the attack object refuses service, to obtain a second statistical probability of successfully attacking the source network load system;
a third statistical probability obtaining submodule: running the terminal meter forged instruction attack model in the Yasper simulation tool, in which the instruction is forged directly at the communication channel or the physical interface of the equipment to cause a false action, to obtain a third statistical probability of successfully attacking the source network load system.
The evaluation module comprises:
an evaluation submodule: obtaining the successful defense probability of the source network load system according to the first statistical probability, the second statistical probability and the third statistical probability;
a judgment submodule: if the successful defense probability is higher than a preset threshold value, the source network load system has high defense performance; otherwise, the source network load system has low defense performance.
Example three:
the invention relates to a Petri-network-based method for modeling malicious attacks on a source network load system. It consists of key network security equipment models of the source network load power system, network security protection mechanism models and a system-level cascade modeling method, and is used to model malicious attacks in the source network load system. A stochastic Petri network and a time Petri network are used to model the intelligent network charge interactive terminals, electricity utilization acquisition modules, system firewalls and other devices adopted by the source network load system; different attack modes are considered to determine how an attack propagates in the system; and the independent devices are cascaded to form a complete process model of the network attack. The method is based on the actual situation of the source network load system and analyzes its electric power communication characteristics and security defense mechanisms; it helps to identify the vulnerabilities of the source network load system and to evaluate how likely the system is to suffer a network attack, which in turn helps to improve the security of the source network load system.
A schematic diagram of the communication network connection of an actual source network load system is shown in FIG. 2.
The source network load system malicious attack modeling method based on the Petri network comprises the following steps:
1) modeling an independent safety protection device and a safety protection mechanism;
The safety protection measures in the source network load system are modeled with stochastic Petri network and time Petri network models; the attack steps and the propagation process are described by time delays and stochastic transitions, and the probability that the attack successfully reaches its target is evaluated. The invention separately models the principle of the terminal hardware encryption identity authentication module, the mechanism by which the meter terminal executes encrypted messages, the firewall malicious packet filtering mechanism and the port management mechanism of the intelligent network load interaction terminal in the source network load system.
Specifically, the method establishes the following model units:
1-1) intelligent network charge interactive terminal identity authentication model
The Petri network model of the intelligent network charge interactive terminal identity authentication module is shown in FIG. 3.
Wherein $\lambda_a$ indicates the time required to acquire the IP address of the network load interactive terminal, and $\lambda_f$ indicates the period at which the system replaces its IP configuration. $\lambda_e$ indicates the time to acquire the transmission protocol and the authentication method by eavesdropping on and analyzing messages, $\lambda_h$ indicates the time to acquire the transmission protocol and the authentication method through human management loopholes and the like, $\lambda_r$ indicates the time for changing the authentication method or modifying the message protocol, and $\lambda_c$ indicates the time for the upper-layer equipment to respond to the FDIA message.
1-2) Meter encrypted command execution model
The model of the meter terminal executing encrypted message commands is shown in FIG. 4.
Wherein $\lambda_{(e,e)}$ is the time required to eavesdrop on the ciphertext of the switching-off command, and $\lambda_{(f,e)}$ is the period at which the ciphertext changes. $p_{(np,a)}$ is the probability of successfully establishing communication by plugging a new network line directly into the meter, $p_{(wl,a)}$ is the probability of successfully establishing communication by intruding from the wireless public network, and $p_{(f,a)}$ is the probability of failing to establish a communication connection. Once the switching-off command ciphertext has been obtained and communication with the meter is possible, an attacker can choose a moment to attack and cut off the user's power supply. $\lambda_{gc}$ is the time interval from successfully acquiring the authority to issuing the switching-off command.
1-3) Firewall data packet filtering mechanism model
The Petri net model of the mechanism by which the firewall filters data packets is shown in FIG. 5.
Wherein the symbol shown in the original as Figure BDA0001816732340000081 indicates the probability of passing the firewall rule j, and $p_{fr}$ is the probability that the packet is rejected by the firewall.
The firewall execution speed $\lambda_f$ is the number of instructions executed per second, which can be used to estimate the time to validate the rules and pass through the firewall. The average response speed $\lambda_{nr}$ depends on the network transmission conditions.
1-4) Terminal port management mechanism model
The management mechanism model of the terminal port is shown in FIG. 6.
Wherein $p_v$ indicates the probability that an idle port is not closed, $p_t$ indicates the probability that the use authority of a normal working port of the intelligent network charge interactive terminal is obtained, so that malicious attack packets can be sent through the normal port, and $p_f$ indicates the probability that the port management mechanism has no vulnerability that an attacker can exploit.
Different attack models under the source network load system can be formed by the four model units.
2) Modeling an attack mode;
Because an attacker can damage the system in different attack modes, and different attack modes have different targets, different safety protection measures must be broken through to obtain the corresponding control permissions.
Specifically, the attack process of several attack modes is described as follows:
2-1) false data injection attacks
The process of carrying out a false data injection attack on the production control area is: initiating an intrusion from the data acquisition channel; acquiring the information transmission protocol format and the authentication method adopted by the system; passing identity authentication; and injecting false data into the system under a masqueraded identity. The false data finally enters the data processing module of the master station through the transformer substation access layer firewall and the master station layer firewall; once the system adopts the false data, it misjudges the state and misoperates, and the purpose of the attack is achieved.
2-2) denial of service attacks
The process of performing denial of service attacks on the device is as follows: scanning an unclosed idle port of the equipment, or obtaining the use authority of a normal port of the equipment; continuously sending garbage through the available ports; a large amount of useless information exhausts the processing resources of the attack target equipment to lead the attack target equipment to be paralyzed, thereby achieving the purpose of attack.
2-3) forged instruction attacks
The attack process of the forged instruction attack comprises the following steps: obtaining a message of a control command; establishing communication connection by invading communication channel or accessing communication interface of device; and sending a control message to cause misoperation and achieve the purpose of attack.
3) Source network load system attack model
The source network load system malicious attack model considers the hierarchical partition architecture of the source network load system communication network and the authority required by different attack modes, and the modeling is as follows:
3-1) false data injection attack in production control area
Following the false data injection attack process of 2-1), the intrusion starts from the terminal. Messages between the terminal and the longitudinal encryption device are transmitted in plaintext, and a false data message must pass authentication, so the 1-1) intelligent network charge interactive terminal identity authentication model represents this security protection measure. When the data is transmitted to the upper layer, it passes through the substation access-layer firewall and the master-station-layer firewall; the 1-3) firewall data packet filtering model represents these two security protection measures, after which the attack finally intrudes into the master-station-layer control system. The Petri net model for a production control area false data injection attack is therefore as shown in FIG. 7.
3-2) production control area load control terminal DoS attack
Following the DoS attack process of 2-2), a DoS attack on the load control terminal only needs to obtain control authority over a single attack target. Malicious messages can be injected by scanning for an unclosed idle port of the terminal or by controlling a normal working port; the attack takes place only at the terminal layer, and the security measures of other layers need not be broken through. In summary, the terminal port management mechanism model in 1-4) can represent the DoS attack process, and the load control terminal DoS attack model is the same as that in FIG. 6.
3-3) terminal meter forged instruction attack
Following the forged instruction attack process of 2-3), the steps of a forged instruction attack on the terminal meter are: obtain a control command message; establish a communication connection with the terminal meter by accessing a communication channel of the terminal layer or a communication interface of the terminal equipment; send control messages that cause malfunctions. Because the forged instruction is injected directly from the communication channel or the device's physical interface, the attack takes place only at the terminal layer and does not need to break through the security measures of other layers, so the source network load system forged instruction attack can be represented by the 1-2) meter execution encryption command model. The terminal meter forged instruction attack model is the same as FIG. 4.
After the source network load system malicious attack models are established, a simulation tool can use them to evaluate the probability of the various consequences of an attack. This gives the probabilities that the three attack models succeed against the source network load system: the first statistical probability, the second statistical probability and the third statistical probability. The successful defense probability of the source network load system is obtained from these three statistical probabilities. If the successful defense probability is higher than a preset threshold value, the source network load system has high defense performance; otherwise, the source network load system has low defense performance.
The success probability of the different attack modes can thus be analyzed, and the degree to which different factors influence the attack success probability can be analyzed by modifying the parameters set in the model.
Example four:
The source network load system attack model is built on a Petri net model: the transitions of the Petri net represent attack steps, and the states of the Petri net represent the states that an attack can cause. The three source network load system attack models described in the detailed description can be simulated with Yasper, a simulation tool dedicated to Petri nets. In this embodiment of the invention, a computer with the Yasper software installed is used to simulate the probability of a network attack reaching each consequence. The attack modes above are simulated as follows.
1) Production control area false data injection attack
According to the source network load system false data injection attack model of FIG. 7, a test system is built in the Yasper simulation tool to evaluate the success probability of the false data injection attack.
The system is simulated for 100000 attack attempts, and the results are tallied as follows:
TABLE 1 evaluation of false data injection attack probability in production control area of source network load system
Figure BDA0001816732340000111
That is, the model gives a probability of 0.006 that the control system of the source network load system production control area is successfully attacked by false data injection.
The modeling method can also evaluate how much a given step influences the attack success probability. For example, when the identity authentication step is not adopted and the simulation is run again, the probability that malicious data is transmitted from the terminal to the master station is 0.0392.
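The evaluation above (many simulated attempts through the cascaded authentication and firewall stages, then a re-run with the identity authentication step removed) can be reproduced with a small token-game simulator. The Python below is an added example, not code from the patent or from Yasper: it uses only weighted immediate transitions and ignores the timed parameters λ_f and λ_nr, the place and transition names are hypothetical, and the per-stage pass probabilities are constructed values chosen so that their product is the 0.006 reported above.

```python
import random

# Constructed per-stage pass probabilities (assumption, not the patent's parameters).
FULL = [("auth", 0.15), ("fw_access", 0.2), ("fw_master", 0.2)]
NO_AUTH = FULL[1:]  # same cascade with the identity authentication stage removed
SUCCESS = "master_station_compromised"


def build_fdi_net(stage_probs):
    """Cascade the stages into a Petri net.

    Each stage contributes two conflicting transitions leaving the same place:
    '<stage>_pass' (weight p) and '<stage>_block' (weight 1 - p).
    Returns (initial marking, list of (name, inputs, outputs, weight)).
    """
    transitions = []
    place = "attack_started"
    for i, (name, p_pass) in enumerate(stage_probs):
        last = i == len(stage_probs) - 1
        nxt = SUCCESS if last else f"passed_{name}"
        transitions.append((f"{name}_pass", [place], [nxt], p_pass))
        transitions.append((f"{name}_block", [place], [f"blocked_at_{name}"], 1.0 - p_pass))
        place = nxt
    return {"attack_started": 1}, transitions


def run_once(marking, transitions, rng):
    """Play the token game until no transition is enabled; return the final marking."""
    marking = dict(marking)
    while True:
        enabled = [t for t in transitions
                   if all(marking.get(p, 0) > 0 for p in t[1])]
        if not enabled:
            return marking
        # Conflict between enabled transitions is resolved by their weights.
        _, inputs, outputs, _ = rng.choices(enabled, weights=[t[3] for t in enabled])[0]
        for p in inputs:
            marking[p] -= 1
        for p in outputs:
            marking[p] = marking.get(p, 0) + 1


def estimate(stage_probs, trials=100_000, seed=1):
    """Monte Carlo estimate of the probability of ending in each absorbing place."""
    rng = random.Random(seed)
    marking0, transitions = build_fdi_net(stage_probs)
    counts = {}
    for _ in range(trials):
        final = run_once(marking0, transitions, rng)
        end_place = next(p for p, n in final.items() if n > 0)
        counts[end_place] = counts.get(end_place, 0) + 1
    return {place: n / trials for place, n in counts.items()}


def analytic_success(stage_probs):
    """Closed-form check: independent stages in series multiply."""
    prob = 1.0
    for _, p_pass in stage_probs:
        prob *= p_pass
    return prob


if __name__ == "__main__":
    for label, stages in (("with authentication", FULL), ("without authentication", NO_AUTH)):
        result = estimate(stages)
        print(label, "simulated:", result.get(SUCCESS, 0.0),
              "analytic:", round(analytic_success(stages), 6))
        for place, freq in sorted(result.items()):
            print("   ", place, freq)
```

The per-place frequencies show where attempts are stopped, which is the information a defender needs to decide which stage to strengthen.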
2) Production control area DoS attacks
A simulation model of FIG. 6 is built in the Yasper software, and the calculated probability of a successful DoS attack is 0.022.
3) Terminal meter forged instruction attack
A simulation model of FIG. 4 is built in the Yasper software, and the calculated probability of a successful forged instruction attack is 0.004994.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The present invention is not limited to the above embodiments, and any modifications, equivalent replacements, improvements, etc. made within the spirit and principle of the present invention are included in the scope of the claims of the present invention which are filed as the application.

Claims (10)

1. The source network load system vulnerability evaluation method based on malicious attack modeling is characterized by comprising the following steps:
attacking a source network load system by adopting a simulation platform through a preset attack model;
obtaining the attack success probability of the attack model to the source network load system;
performing vulnerability assessment on the source network load system based on the attack success rate;
the attack model comprises a key network security equipment attack model and a network security protection mechanism attack model.
2. The source network load system vulnerability assessment method based on malicious attack modeling according to claim 1, wherein the construction of the attack model comprises:
modeling the key network safety equipment based on a stochastic Petri network and a time Petri network to obtain a key network safety equipment model;
modeling a network security protection mechanism based on a stochastic Petri network and a time Petri network to obtain a network security protection mechanism model;
and performing cascade modeling on the key network security equipment model and the network security protection mechanism model based on an attack mode to obtain an attack model.
3. The method for evaluating vulnerability of source network load system based on malicious attack modeling according to claim 2, wherein the key network security device model comprises:
a firewall data packet filtering mechanism model and a terminal port management mechanism model;
the firewall filtering data packet mechanism model comprises: the transformer substation access layer firewall and the master station layer firewall.
4. The method for evaluating vulnerability of source network load system based on malicious attack modeling according to claim 2, wherein the key network security device model comprises:
the network security protection mechanism model comprises: the intelligent network charge interactive terminal identity authentication model and the meter execution encryption command model.
5. The method for evaluating the vulnerability of the source network load system based on the malicious attack modeling as claimed in claim 2, wherein the step of performing the cascade modeling on the key network security device model and the network security protection mechanism model based on the attack mode to obtain the attack model comprises:
according to a false data injection attack mode, cascading a transformer substation access layer firewall, a main station layer firewall and an intelligent network charge interactive terminal identity authentication model to obtain a production control area false data injection attack model;
modeling a single terminal port management mechanism model according to a denial of service attack mode to obtain a production control area load control terminal DoS attack model;
modeling a single meter execution encryption command model according to a forged instruction attack mode to obtain a terminal meter forged instruction attack model;
the attack mode comprises the following steps: a false data injection attack mode, a denial of service attack mode and a fake instruction attack mode.
6. The method for evaluating the vulnerability of the source network load system based on the malicious attack modeling according to claim 5, wherein the obtaining the attack success probability of the attack model to the source network load system comprises:
using the production control area false data injection attack model in the Yasper simulation tool, starting the attack from a terminal and intruding into the production control area through the substation access-layer firewall and the master-station-layer firewall, to obtain a first statistical probability of a successful attack on the source network load system;
using the production control area load control terminal DoS attack model in the Yasper simulation tool, directly acquiring the control authority of the attack target so that the attack target denies service, to obtain a second statistical probability of a successful attack on the source network load system;
using the terminal meter forged instruction attack model in the Yasper simulation tool, directly forging an instruction at the communication channel or the device's physical interface to cause a malfunction, to obtain a third statistical probability of a successful attack on the source network load system.
7. The method of claim 6, wherein the performing vulnerability assessment on the source network load system based on the attack success rate comprises:
obtaining the successful defense probability of the source network load system according to the first statistical probability, the second statistical probability and the third statistical probability;
if the successful defense probability is higher than a preset threshold value, the source network load system has high defense performance; otherwise, the source net load system has low defense performance.
8. A source network load system vulnerability evaluation system based on malicious attack modeling, characterized by comprising:
a simulation module: attacking a source network load system by a preset attack model by adopting a simulation platform;
a probability obtaining module: obtaining the attack success probability of the attack model to the source network load system;
an evaluation module: and performing vulnerability assessment on the source network load system based on the attack success rate.
9. The source-network-load system vulnerability assessment system based on malicious attack modeling, according to claim 8, wherein the attack models in the simulation module include a key network security device attack model and a network security protection mechanism attack model;
the simulation module comprises a construction submodule.
10. The malicious attack modeling-based source-grid-load system vulnerability assessment system of claim 9, wherein the construction sub-module comprises:
the key network safety equipment modeling unit: modeling the key network safety equipment based on a stochastic Petri network and a time Petri network to obtain a key network safety equipment model;
a network security protection mechanism modeling unit: modeling a network security protection mechanism based on a stochastic Petri network and a time Petri network to obtain a network security protection mechanism model;
a cascade unit: and performing cascade modeling on the key network security equipment model and the network security protection mechanism model based on an attack mode to obtain an attack model.
CN201811145596.9A 2018-09-29 2018-09-29 Source network load system vulnerability evaluation method and system based on malicious attack modeling Active CN110971565B (en)


Publications (2)

Publication Number Publication Date
CN110971565A (en) 2020-04-07
CN110971565B (en) 2023-04-28

Family

ID=70027192

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant