CN110971565B - Source network load system vulnerability evaluation method and system based on malicious attack modeling - Google Patents

Info

Publication number
CN110971565B
Authority
CN
China
Prior art keywords
attack
model
network load
load system
source network
Prior art date
Legal status
Active
Application number
CN201811145596.9A
Other languages
Chinese (zh)
Other versions
CN110971565A (en)
Inventor
费稼轩
张涛
黄秀丽
范杰
石聪聪
张小建
章锐
高昇宇
朱红
韦磊
李维
葛永高
王伏亮
陈颢
王齐
Current Assignee
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Global Energy Interconnection Research Institute
Weifang Power Supply Co of State Grid Shandong Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Global Energy Interconnection Research Institute
Weifang Power Supply Co of State Grid Shandong Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, State Grid Jiangsu Electric Power Co Ltd, Global Energy Interconnection Research Institute, Weifang Power Supply Co of State Grid Shandong Electric Power Co Ltd
Priority to CN201811145596.9A
Publication of CN110971565A
Application granted
Publication of CN110971565B
Active legal status
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A vulnerability evaluation method and system of a source network load system based on malicious attack modeling comprises the following steps: adopting a simulation platform to attack a source network load system by a preset attack model; obtaining the attack success probability of the attack model on a source network load system; carrying out vulnerability assessment on a source network load system based on the attack success rate; the attack model comprises a key network security equipment attack model and a network security protection mechanism attack model. The technical scheme of the invention is based on the actual condition of the source network load system, analyzes the power communication characteristics and the security defense mechanism, is helpful for indicating the vulnerability of the source network load system and evaluating the possibility of the source network load system to be attacked by the network, and further helps to improve the security of the source network load system.

Description

Source network load system vulnerability evaluation method and system based on malicious attack modeling
Technical Field
The invention relates to the field of network security of power systems, in particular to a source network load system vulnerability evaluation method and system based on malicious attack modeling.
Background
The computing systems, communication networks and physical environment of the power system are integrated in a power cyber-physical system (CPS), forming a complex system that combines real-time sensing, dynamic control and information services. Compared with the traditional power system, the source network load system is characterized by its ability to rapidly and accurately control the three parts of the power grid, namely source, grid and load, in real time by means of intelligent network load interaction terminals, intelligent meters and an information communication network. At the same time, because of the higher dependence on information and control, the interaction behaviour of the source network load becomes more and more complex, and the security of the information system of the source network load system has a great influence on system function. Compared with a direct attack on the primary equipment of a power grid, a network attack on the information system has lower cost, more convenient operation and richer means, and an attack on the information network can also cause consequences in the physical system, such as equipment function failure, equipment misoperation and failure to operate. The possibility of network attack has rarely been considered in the security protection of traditional power systems; the source network load system has relatively weak capability to cope with organized, group-based, highly customized industrial control malicious attacks with complex attack mechanisms, high concealment and strong specialization, and a network attack is likely to cause failure of the source network load system, thereby becoming a new threat to its safe and stable operation.
At present, research on malicious attacks against electric power industrial control systems, including the source network load system, is still at a preliminary stage. Research on the process model of malicious attacks on the source network load system is of great significance for understanding the influence mechanism of network attacks, analyzing the vulnerability of the system, and carrying out subsequent risk assessment and defense decisions.
Disclosure of Invention
In order to solve the defects in the prior art, the invention provides a source network load system vulnerability evaluation method and system based on malicious attack modeling.
The technical scheme provided by the invention is as follows:
a vulnerability evaluation method of a source network load system based on malicious attack modeling comprises the following steps:
adopting a simulation platform to attack a source network load system by a preset attack model;
obtaining the attack success probability of the attack model on a source network load system;
carrying out vulnerability assessment on a source network load system based on the attack success rate;
the attack model comprises a key network security equipment attack model and a network security protection mechanism attack model.
Preferably, constructing the attack model includes:
modeling the key network security equipment based on a stochastic Petri net and a timed Petri net to obtain a key network security equipment model;
modeling the network security protection mechanism based on a stochastic Petri net and a timed Petri net to obtain a network security protection mechanism model;
and carrying out cascade modeling on the key network security equipment model and the network security protection mechanism model based on an attack mode to obtain an attack model.
Preferably, the key network security device model includes:
a firewall packet-filtering mechanism model and a terminal port management mechanism model;
the firewall packet-filtering mechanism model comprises: a substation access layer firewall and a master station layer firewall.
Preferably, the network security protection mechanism model comprises:
an intelligent network load interaction terminal identity authentication model and a meter encrypted command execution model.
Preferably, the cascade modeling is performed on the key network security equipment model and the network security protection mechanism model based on the attack mode to obtain an attack model, which includes:
cascading the substation access layer firewall, the master station layer firewall and the intelligent network load interaction terminal identity authentication model according to a false data injection attack mode to obtain a false data injection attack model of a production control area;
modeling a single terminal port management mechanism model according to a denial of service attack mode to obtain a production control area negative control terminal DoS attack model;
modeling a single meter encrypted command execution model according to the forged instruction attack mode to obtain a terminal meter forged instruction attack model;
the attack modes comprise: a false data injection attack mode, a denial of service attack mode and a forged instruction attack mode.
Preferably, obtaining the attack success probability of the attack model on the source network load system includes:
running the production control area false data injection attack model in the Yasper simulation tool, in which the attack starts from a terminal and intrudes into the production control area through the substation access layer firewall and the master station layer firewall, to obtain a first statistical probability of successfully attacking the source network load system;
running the production control area negative control terminal DoS attack model in the Yasper simulation tool, in which the control authority of the attack object is acquired directly so that the attack object denies service, to obtain a second statistical probability of successfully attacking the source network load system;
and running the terminal meter forged instruction attack model in the Yasper simulation tool, in which an instruction is forged directly at a communication channel or device entity interface to cause a false action, to obtain a third statistical probability of successfully attacking the source network load system.
Preferably, the vulnerability assessment of the source network load system based on the attack success rate includes:
obtaining the successful defense probability of the source network load system according to the first statistical probability, the second statistical probability and the third statistical probability;
if the successful defense probability is higher than a preset threshold, the source network load system has high defense performance; otherwise, the source network load system has low defense performance.
Compared with the closest prior art, the technical scheme provided by the invention has the following beneficial effects:
the technical scheme of the invention provides a vulnerability evaluation method of a source network load system based on malicious attack modeling, comprising the following steps: adopting a simulation platform to attack a source network load system with a preset attack model; obtaining the attack success probability of the attack model on the source network load system; carrying out vulnerability assessment on the source network load system based on the attack success rate; the attack model comprises a key network security equipment attack model and a network security protection mechanism attack model. The influence mechanism of network attacks and the vulnerability of the system are learned through the source network load system attack model, so that the possibility of a malicious attack on the source network load system can be evaluated; the method for modeling attacks on the source network load system analyzes the power communication characteristics and the security defense mechanism, has guiding significance for reinforcing the software and hardware protection mechanisms, and is beneficial to carrying out subsequent risk assessment and defense decisions.
Drawings
FIG. 1 is a flow chart of the source network load system attack model method of the present invention;
FIG. 2 is a schematic diagram of the communication network connection of an actual source network load system according to the present invention;
FIG. 3 is the Petri net model of the intelligent network load interaction terminal identity authentication module of the invention;
FIG. 4 is a diagram of the meter terminal encrypted message command execution model in accordance with the present invention;
FIG. 5 is the Petri net model of the firewall packet-filtering mechanism of the present invention;
FIG. 6 is the terminal port management mechanism model according to the present invention;
FIG. 7 is the Petri net model of the production control area false data injection attack of the present invention.
Detailed Description
For a better understanding of the present invention, reference is made to the following description, drawings and examples.
Embodiment one:
the invention provides a source network load system vulnerability assessment method and system based on malicious attack modeling. As shown in FIG. 1, the source network load system vulnerability assessment method based on malicious attack modeling comprises the following steps:
adopting a simulation platform to attack a source network load system by a preset attack model;
obtaining the attack success probability of the attack model on a source network load system;
carrying out vulnerability assessment on a source network load system based on the attack success rate;
the attack model comprises a key network security equipment attack model and a network security protection mechanism attack model.
The construction of the attack model comprises the following steps:
modeling the key network security equipment based on a stochastic Petri net and a timed Petri net to obtain a key network security equipment model;
modeling the network security protection mechanism based on a stochastic Petri net and a timed Petri net to obtain a network security protection mechanism model;
and carrying out cascade modeling on the key network security equipment model and the network security protection mechanism model based on an attack mode to obtain an attack model.
The key network security device model comprises:
a firewall packet-filtering mechanism model and a terminal port management mechanism model;
the firewall packet-filtering mechanism model comprises: a substation access layer firewall and a master station layer firewall.
The network security protection mechanism model comprises:
an intelligent network load interaction terminal identity authentication model and a meter encrypted command execution model.
The cascade modeling is carried out on the key network security equipment model and the network security protection mechanism model based on the attack mode to obtain an attack model, and the cascade modeling comprises the following steps:
cascading the substation access layer firewall, the master station layer firewall and the intelligent network load interaction terminal identity authentication model according to a false data injection attack mode to obtain a false data injection attack model of a production control area;
modeling a single terminal port management mechanism model according to a denial of service attack mode to obtain a production control area negative control terminal DoS attack model;
modeling a single meter encrypted command execution model according to the forged instruction attack mode to obtain a terminal meter forged instruction attack model;
the attack modes comprise: a false data injection attack mode, a denial of service attack mode and a forged instruction attack mode.
Obtaining the attack success probability of the attack model on the source network load system comprises the following steps:
running the production control area false data injection attack model in the Yasper simulation tool, in which the attack starts from a terminal and intrudes into the production control area through the substation access layer firewall and the master station layer firewall, to obtain a first statistical probability of successfully attacking the source network load system;
running the production control area negative control terminal DoS attack model in the Yasper simulation tool, in which the control authority of the attack object is acquired directly so that the attack object denies service, to obtain a second statistical probability of successfully attacking the source network load system;
and running the terminal meter forged instruction attack model in the Yasper simulation tool, in which an instruction is forged directly at a communication channel or device entity interface to cause a false action, to obtain a third statistical probability of successfully attacking the source network load system.
Vulnerability assessment is carried out on the source network load system based on the attack success rate, and the vulnerability assessment comprises the following steps:
obtaining the successful defense probability of the source network load system according to the first statistical probability, the second statistical probability and the third statistical probability;
if the successful defense probability is higher than a preset threshold, the source network load system has high defense performance; otherwise, the source network load system has low defense performance.
Embodiment two:
based on the same inventive concept, the invention also provides a source network load system vulnerability evaluation system based on malicious attack modeling, comprising:
a simulation module: adopting a simulation platform to attack a source network load system with a preset attack model;
a probability obtaining module: obtaining the attack success probability of the attack model on the source network load system;
an evaluation module: carrying out vulnerability assessment on the source network load system based on the attack success rate;
the attack model in the simulation module comprises a key network security equipment attack model and a network security protection mechanism attack model.
The simulation module comprises a building sub-module, wherein the building sub-module comprises:
a key network security device modeling unit: modeling the key network security equipment based on a stochastic Petri net and a timed Petri net to obtain a key network security equipment model;
a network security protection mechanism modeling unit: modeling the network security protection mechanism based on a stochastic Petri net and a timed Petri net to obtain a network security protection mechanism model;
a cascade unit: and carrying out cascade modeling on the key network security equipment model and the network security protection mechanism model based on an attack mode to obtain an attack model.
The key network security device model comprises:
a firewall packet-filtering mechanism model and a terminal port management mechanism model;
the firewall packet-filtering mechanism model comprises: a substation access layer firewall and a master station layer firewall.
The network security protection mechanism model comprises:
an intelligent network load interaction terminal identity authentication model and a meter encrypted command execution model.
The cascade unit includes:
a first cascade subunit: cascading the substation access layer firewall, the master station layer firewall and the intelligent network load interaction terminal identity authentication model according to a false data injection attack mode to obtain a false data injection attack model of a production control area;
a second cascade subunit: modeling a single terminal port management mechanism model according to a denial of service attack mode to obtain a production control area negative control terminal DoS attack model;
a third cascade subunit: modeling a single meter encrypted command execution model according to the forged instruction attack mode to obtain a terminal meter forged instruction attack model;
the attack modes in the cascade unit comprise: a false data injection attack mode, a denial of service attack mode and a forged instruction attack mode.
The probability obtaining module includes:
a first statistical probability acquisition sub-module: running the production control area false data injection attack model in the Yasper simulation tool, in which the attack starts from a terminal and intrudes into the production control area through the substation access layer firewall and the master station layer firewall, to obtain a first statistical probability of successfully attacking the source network load system;
a second statistical probability acquisition sub-module: running the production control area negative control terminal DoS attack model in the Yasper simulation tool, in which the control authority of the attack object is acquired directly so that the attack object denies service, to obtain a second statistical probability of successfully attacking the source network load system;
a third statistical probability acquisition sub-module: running the terminal meter forged instruction attack model in the Yasper simulation tool, in which an instruction is forged directly at a communication channel or device entity interface to cause a false action, to obtain a third statistical probability of successfully attacking the source network load system.
The evaluation module comprises:
an evaluation sub-module: obtaining the successful defense probability of the source network load system according to the first statistical probability, the second statistical probability and the third statistical probability;
a judging sub-module: if the successful defense probability is higher than a preset threshold, the source network load system has high defense performance; otherwise, the source network load system has low defense performance.
Embodiment III:
the invention relates to a Petri net based malicious attack modeling method for a source network load system, consisting of a key network security equipment model, a network security protection mechanism model and a system cascade modeling method for the source network load power system, so as to model malicious attacks in the source network load system. The method models the intelligent network load interaction terminals, power acquisition modules, system firewalls and other devices adopted by the source network load system using stochastic Petri nets and timed Petri nets, determines the propagation modes of attacks in the system by considering different attack modes, and cascades the independent devices to form a complete process model of a network attack. The method is based on the actual condition of the source network load system, analyzes the power communication characteristics and the security defense mechanism, helps to indicate the vulnerability of the source network load system and to evaluate the possibility of its being attacked over the network, and further helps to improve the security of the source network load system.
A schematic diagram of the communication network connection of the actual source network load system is shown in fig. 2.
A Petri net based malicious attack modeling method for a source network load system comprises the following steps:
1) Modeling the independent security protection equipment and security protection mechanisms;
security protection measures in the source network load system are modeled with stochastic Petri net and timed Petri net models: the steps and propagation process of an attack are described by time delays and stochastic transitions, and the probability that the attack successfully reaches its target is evaluated. The invention models respectively the principle of the terminal hardware encryption identity authentication module in the source network load system, the mechanism by which the meter terminal executes encrypted messages, the mechanism by which the firewall filters malicious packets, and the port management mechanism of the intelligent network load interaction terminal.
Specifically, the method establishes the following model elements:
1-1) Intelligent network load interaction terminal identity authentication model
The Petri net model of the intelligent network load interaction terminal identity authentication module is shown in FIG. 3.
Wherein $\lambda_a$ represents the time required to acquire the IP address of the network load interaction terminal, and $\lambda_f$ indicates the period with which the system changes its IP configuration. $\lambda_e$ represents the time to acquire the transmission protocol and authentication method by eavesdropping on and analyzing messages, $\lambda_h$ represents the time to acquire the transmission protocol and authentication method through human management loopholes and the like, $\lambda_r$ indicates the time to replace the authentication method or modify the message protocol, and $\lambda_c$ indicates the time for the upper-layer device to respond to the FDIA message.
1-2) Meter encrypted command execution model
The model of the meter terminal executing the encrypted message command is shown in FIG. 4.
Wherein $\lambda_{e,e}$ is the time required to eavesdrop the ciphertext of the switching-off command, and $\lambda_{f,e}$ is the period of replacing the ciphertext. $p_{np,a}$ is the success probability of directly inserting a new network cable into the meter to establish communication, $p_{wl,a}$ is the probability of successfully establishing communication by intrusion from the wireless public network, and $p_{f,a}$ is the probability of failing to establish a communication connection. After the switching-off command ciphertext has been obtained and communication with the meter is possible, an attacker can choose a moment to launch an attack to cut off the user's power supply. $\lambda_{gc}$ is the time interval from the successful acquisition of the rights to the issuing of the switch-off command.
1-3) Firewall packet-filtering mechanism model
The Petri net model of the mechanism by which the firewall filters packets is shown in FIG. 5.
Wherein the symbol given in the original only as an image (BDA0001816732340000081, not reproduced here) represents the probability of passing through firewall rule $j$, and $p_{fr}$ is the probability that the packet is rejected by the firewall.
The firewall execution speed $\lambda_f$ is the number of instructions executed per second and can be used to estimate the time to validate the rules and pass through the firewall. The average response speed $\lambda_{nr}$ depends on the network transmission conditions.
1-4) Terminal port management mechanism model
The management mechanism model of the terminal port is shown in FIG. 6.
Wherein $p_v$ indicates the probability that an idle port is not closed, $p_t$ indicates the probability that permission to use a normal working port of the intelligent network load interaction terminal is obtained and a malicious attack packet can be sent through that normal port, and $p_f$ represents the probability that the case in which the port management mechanism is exploited by an attacker does not occur.
By the four model units, different attack models under the source network load system can be formed.
2) Modeling an attack mode;
Because an attacker can adopt different attack modes to damage the system, and different attack modes have different targets, different security protection measures have to be broken through to acquire the corresponding control rights.
Specifically, the attack procedure of several attack modes is described as follows:
2-1) false data injection attack
The false data injection attack process for the production control area is as follows: initiating an intrusion from a data acquisition channel; acquiring the information transmission protocol format and authentication method adopted by the system; passing identity authentication; injecting false data into the system under a disguised identity; the false data passes through the substation access layer firewall and the master station layer firewall, finally enters the master station data processing module and is adopted by the system, causing misjudgment of the system state and misoperation, so that the attack purpose is achieved.
2-2) denial of service attacks
The process of carrying out a denial of service attack on the equipment comprises the following steps: scanning for unclosed idle ports of the equipment or obtaining the use authority of a normal port of the equipment; continuously sending useless information through the available ports; the processing resources of the attacked target equipment are exhausted by the large amount of useless information until it is paralysed, so that the attack aim is achieved.
2-3) forged instruction attack
The forged instruction attack proceeds as follows: obtain the message format of a control command; establish a communication connection by intruding into a communication channel or by accessing a device communication interface; send a control message that causes a misoperation, so that the attack goal is achieved.
3) Source network load system attack model
The malicious attack model of the source network load system takes into account the hierarchical, partitioned architecture of the system's communication network and the rights required by each attack mode, and is built as follows:
3-1) false data injection attack in production control area
Referring to the false data injection attack process of 2-1), the attack intrusion starts from a terminal. Messages between the terminal and the longitudinal encryption device are transmitted in plaintext, so the false data message must pass identity authentication; this security protection measure is represented by the intelligent network load interaction terminal identity authentication model of 1-1). When the data packet is transmitted to the upper layers it must pass the substation access layer firewall and the master station layer firewall; these two security protection measures are represented by the firewall packet filtering mechanism model of 1-3). A packet that passes both finally intrudes into the control system of the master station layer. The Petri net model of the production control area false data injection attack is therefore as shown in FIG. 7.
3-2) DoS attack of production control area negative control terminal
Referring to the DoS attack process of 2-2), a DoS attack on the negative control (load control) terminal only needs to obtain control authority over a single attack target: the malicious messages can be injected by scanning for an unclosed idle port of the terminal or by taking control of a normally working port. The attack is carried out at the terminal layer only, and the security measures of the other layers do not need to be broken through. The terminal port management mechanism model described in 1-4) can therefore represent the DoS attack process, and the negative control terminal DoS attack model is the same as FIG. 6.
3-3) terminal meter forged instruction attack
Referring to the forged instruction attack process of 2-3), the steps of the terminal meter forged instruction attack are: obtain the message format of a control command; establish a communication connection with the terminal meter by intruding into a terminal layer communication channel or by accessing the communication interface of the terminal device; send a control message that causes a misoperation. Because the forged instruction is injected directly from a communication channel or a device entity interface, the attack is carried out at the terminal layer only and the security measures of the other layers do not need to be broken through, so the forged instruction attack on the source network load system can be represented by the meter execution of encrypted command model of 1-2). The terminal meter forged instruction attack model is the same as FIG. 4.
After the malicious attack models of the source network load system have been established, a simulation tool can be used to evaluate the probability that each attack reaches each of its possible results, giving the probability that the source network load system is successfully attacked under each of the three attack models (the first, second and third statistical probabilities). The probability that the source network load system is successfully defended is obtained from these three statistical probabilities; if it is higher than a preset threshold, the defense performance of the source network load system is high, otherwise the defense performance is low.
The success probabilities of the different attack modes can be compared, and the degree to which each factor influences the attack success probability can be analyzed by modifying the parameters set in the model.
Embodiment four:
The source network load system attack models are built with Petri nets: each attack step is represented by a Petri net transition, and the Petri net states (markings) represent the states the attack can lead to. For the three source network load system attack models described in the embodiment above, simulation can be carried out with Yasper, a simulation tool dedicated to Petri nets. In the embodiment of the invention, a computer running the Yasper software is used to simulate the probability of a network attack reaching each result. The attack modes described above are simulated as follows.
1) False data injection attack in production control area
A test system is built in the Yasper simulation tool from the source network load system false data injection attack model of FIG. 7 to evaluate the success probability of the false data injection attack.
The system is simulated for 100000 attack attempts, with the following statistical result:
TABLE 1 Evaluation of the probability of a false data injection attack on the production control area of the source network load system (table not reproduced; its result is stated below)
That is, the model gives a probability of 0.006 that the control system of the source network load system production control area is successfully attacked by false data injection.
The modeling method can also evaluate how much a given link contributes to the attack success probability. For example, when the identity authentication link is removed and the simulation is run again, the probability that malicious data sent from the terminal reaches the master station rises to 0.0392.
2) Production control area DoS attack
The simulation model of FIG. 6 is built in the Yasper software, and the probability of a successful DoS attack is calculated to be 0.022.
3) Terminal meter forged instruction attack
The simulation model of FIG. 4 is built in the Yasper software, and the probability of a successful forged instruction attack is calculated to be 0.004994.
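The cascaded models of 3-1) to 3-3) and the repeated-attempt evaluation of this embodiment can be reproduced without Yasper with a small stochastic Petri net simulator. The following Python program is an added example, not code from the patent or from Yasper: every security protection measure is a conflict between a "pass" transition and a "blocked" transition, an attack model is the cascade of those measures, and the success probability is estimated by repeated token games and, because the nets are acyclic, also computed exactly for comparison. All per-step probabilities, the sequential structure assumed for the DoS port model (idle port first, then a normal working port, then the $p_f$ check), and the rule that combines the three statistical probabilities into a successful-defense probability are assumptions of this example; the patent publishes only the resulting probabilities, not the parameters behind them. The assumed values are chosen so that the false data injection chain lands at 0.006, in the range of Table 1, but they are not the patent's parameters.

```python
"""Stochastic Petri net evaluation of the three cascaded attack models.
Added example (not the patent's or Yasper's code). Each protection measure is a
'pass'/'blocked' conflict; all probabilities below are ASSUMED for illustration."""
import random
from collections import Counter, namedtuple
from functools import lru_cache

# inputs/outputs: tuples of place names; weight: relative firing weight among
# the transitions that are enabled at the same time (the conflict is resolved
# proportionally to weight, as in a stochastic Petri net with immediate transitions)
Transition = namedtuple("Transition", "name inputs outputs weight")


class StochasticPetriNet:
    def __init__(self, transitions, initial_places):
        self.transitions = tuple(transitions)
        self.initial = tuple(sorted(Counter(initial_places).items()))

    def _enabled(self, marking):
        m = dict(marking)
        return [t for t in self.transitions if all(m.get(p, 0) > 0 for p in t.inputs)]

    @staticmethod
    def _fire(marking, t):
        m = Counter(dict(marking))
        m.subtract(t.inputs)          # consume one token from each input place
        m.update(t.outputs)           # produce one token in each output place
        return tuple(sorted((p, n) for p, n in m.items() if n > 0))

    def simulate(self, rng):
        """One token game: resolve each conflict at random until the net is dead."""
        marking = self.initial
        enabled = self._enabled(marking)
        while enabled:
            t = rng.choices(enabled, weights=[x.weight for x in enabled])[0]
            marking = self._fire(marking, t)
            enabled = self._enabled(marking)
        return marking

    def estimate(self, success_place, attempts, rng):
        """Monte Carlo estimate of the probability that the attack reaches success_place."""
        hits = sum(dict(self.simulate(rng)).get(success_place, 0) > 0 for _ in range(attempts))
        return hits / attempts

    def exact(self, success_place):
        """Exact absorption probability; valid for acyclic nets such as these chains."""
        @lru_cache(maxsize=None)
        def reach(marking):
            enabled = self._enabled(marking)
            if not enabled:
                return float(dict(marking).get(success_place, 0) > 0)
            total = sum(t.weight for t in enabled)
            return sum(t.weight / total * reach(self._fire(marking, t)) for t in enabled)
        return reach(self.initial)


def step(name, src, dst, p_pass, blocked="blocked"):
    """One protection measure: the attacker passes with p_pass, otherwise is absorbed."""
    return [Transition(name + "_pass", (src,), (dst,), p_pass),
            Transition(name + "_blocked", (src,), (blocked,), 1 - p_pass)]


def fdi_model(p_auth=0.15, p_sub_fw=0.2, p_master_fw=0.2, with_auth=True):
    """3-1) false data injection: terminal -> identity authentication ->
    substation access layer firewall -> master station layer firewall."""
    t = (step("identity_auth", "terminal", "authenticated", p_auth) if with_auth
         else [Transition("no_auth", ("terminal",), ("authenticated",), 1.0)])
    t += step("substation_fw", "authenticated", "past_substation_fw", p_sub_fw)
    t += step("master_fw", "past_substation_fw", "master_compromised", p_master_fw)
    return StochasticPetriNet(t, ["terminal"])


def dos_model(p_v=0.01, p_t=0.02, p_f=0.8):
    """3-2) DoS on the negative control terminal with the p_v / p_t / p_f symbols of 1-4).
    Assumed structure: unclosed idle port, else take over a normal port, then p_f."""
    t = [Transition("idle_port_open", ("start",), ("port_available",), p_v),
         Transition("idle_port_closed", ("start",), ("try_normal_port",), 1 - p_v)]
    t += step("take_normal_port", "try_normal_port", "port_available", p_t)
    t += step("port_mgmt_misses", "port_available", "device_exhausted", p_f)
    return StochasticPetriNet(t, ["start"])


def forged_command_model(p_msg=0.5, p_channel=0.1, p_exec=0.1):
    """3-3) forged instruction at the terminal meter: learn the command format,
    reach the meter's communication interface, get the meter to execute it."""
    t = step("learn_command_format", "start", "have_format", p_msg)
    t += step("intrude_channel", "have_format", "connected", p_channel)
    t += step("meter_executes", "connected", "misoperation", p_exec)
    return StochasticPetriNet(t, ["start"])


def defense_probability(p_fdi, p_dos, p_forge):
    """Assumed aggregation: the system is defended only if all three attacks fail."""
    return (1 - p_fdi) * (1 - p_dos) * (1 - p_forge)


def evaluate(threshold=0.95, attempts=100_000, seed=1):
    """The patent's procedure: three statistical probabilities, then a threshold verdict."""
    rng = random.Random(seed)
    probs = {"fdi": fdi_model().estimate("master_compromised", attempts, rng),
             "dos": dos_model().estimate("device_exhausted", attempts, rng),
             "forge": forged_command_model().estimate("misoperation", attempts, rng)}
    p_def = defense_probability(*probs.values())
    return probs, p_def, "high" if p_def > threshold else "low"


if __name__ == "__main__":
    probs, p_def, verdict = evaluate()
    print(probs, round(p_def, 4), verdict)
    print("FDI without identity authentication:", fdi_model(with_auth=False).exact("master_compromised"))
```

Running the block plays 100000 token games per model, the same attempt count as Table 1, and prints the three estimated probabilities next to the threshold verdict; `fdi_model(with_auth=False)` reproduces the "remove one link and re-simulate" sensitivity check of the embodiment, and `exact()` gives the value the Monte Carlo estimate should converge to, which is the check a practitioner wants before trusting a simulated probability in the 0.005 range.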
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing embodiments are illustrative of the present invention and are not to be construed as limiting it; all modifications, equivalents and improvements made within the spirit and principle of the invention are intended to be included within the scope of the invention as defined by the appended claims.

Claims (4)

1. A vulnerability evaluation method for a source network load system based on malicious attack modeling, characterized by comprising the following steps:
attacking the source network load system with a preset attack model on a simulation platform;
obtaining the attack success probability of the attack model against the source network load system;
performing vulnerability assessment of the source network load system based on the attack success probability;
the attack model comprises a key network security equipment attack model and a network security protection mechanism attack model;
the construction of the attack model comprises the following steps:
modeling the key network security equipment based on stochastic Petri nets and timed Petri nets to obtain a key network security equipment model;
modeling the network security protection mechanism based on stochastic Petri nets and timed Petri nets to obtain a network security protection mechanism model;
performing cascade modeling of the key network security equipment model and the network security protection mechanism model according to an attack mode to obtain the attack model;
wherein performing cascade modeling of the key network security equipment model and the network security protection mechanism model according to an attack mode to obtain the attack model comprises:
cascading the substation access layer firewall, the master station layer firewall and the intelligent network load interaction terminal identity authentication model according to a false data injection attack mode to obtain a false data injection attack model of a production control area;
modeling a single terminal port management mechanism model according to a denial of service attack mode to obtain a production control area negative control terminal DoS attack model;
modeling a single meter execution of encrypted command model according to a forged instruction attack mode to obtain a terminal meter forged instruction attack model;
the attack modes comprising: a false data injection attack mode, a denial of service attack mode and a forged instruction attack mode;
the obtaining the attack success probability of the attack model to the source network load system comprises the following steps:
running, with the Yasper simulation tool, the production control area false data injection attack model, in which the attack starts from a terminal and intrudes into the production control area through the substation access layer firewall and the master station layer firewall, to obtain a first statistical probability that the attack on the source network load system succeeds;
running, with the Yasper simulation tool, the production control area negative control terminal DoS attack model, in which the attacker directly obtains control authority over the attack object so that the attack object denies service, to obtain a second statistical probability that the attack on the source network load system succeeds;
running, with the Yasper simulation tool, the terminal meter forged instruction attack model, in which a forged instruction is injected directly at a communication channel or a device entity interface and causes a misoperation, to obtain a third statistical probability that the attack on the source network load system succeeds;
wherein performing vulnerability assessment of the source network load system based on the attack success probability comprises:
obtaining the successful defense probability of the source network load system according to the first statistical probability, the second statistical probability and the third statistical probability;
if the successful defense probability is higher than a preset threshold, the source network load system has high defense performance; otherwise, the source network load system has low defending performance.
2. The vulnerability evaluation method for a source network load system based on malicious attack modeling according to claim 1, wherein the key network security equipment model comprises:
a firewall packet filtering mechanism model and a terminal port management mechanism model;
the firewall packet filtering mechanism model comprising: the substation access layer firewall and the master station layer firewall.
3. The vulnerability evaluation method for a source network load system based on malicious attack modeling according to claim 1, wherein the network security protection mechanism model comprises: the intelligent network load interaction terminal identity authentication model and the meter execution of encrypted command model.
4. A vulnerability evaluation system for a source network load system based on malicious attack modeling, characterized by comprising:
a simulation module, for attacking the source network load system with a preset attack model on a simulation platform;
a probability obtaining module, for obtaining the attack success probability of the attack model against the source network load system;
an evaluation module, for performing vulnerability assessment of the source network load system based on the attack success probability;
the attack model in the simulation module comprises a key network security equipment attack model and a network security protection mechanism attack model;
the simulation module comprises a construction sub-module;
the building sub-module comprises:
a key network security equipment modeling unit, for modeling the key network security equipment based on stochastic Petri nets and timed Petri nets to obtain a key network security equipment model;
a network security protection mechanism modeling unit, for modeling the network security protection mechanism based on stochastic Petri nets and timed Petri nets to obtain a network security protection mechanism model;
a cascade unit, for performing cascade modeling of the key network security equipment model and the network security protection mechanism model according to an attack mode to obtain the attack model;
the cascade unit includes:
a first cascade subunit: cascading the substation access layer firewall, the master station layer firewall and the intelligent network load interaction terminal identity authentication model according to a false data injection attack mode to obtain a false data injection attack model of a production control area;
a second cascade subunit, for modeling a single terminal port management mechanism model according to a denial of service attack mode to obtain a production control area negative control terminal DoS attack model;
a third cascade subunit, for modeling a single meter execution of encrypted command model according to a forged instruction attack mode to obtain a terminal meter forged instruction attack model;
the attack modes in the cascade unit comprising: a false data injection attack mode, a denial of service attack mode and a forged instruction attack mode;
the probability obtaining module comprises:
a first statistical probability acquisition sub-module, for running, with the Yasper simulation tool, the production control area false data injection attack model, in which the attack starts from a terminal and intrudes into the production control area through the substation access layer firewall and the master station layer firewall, to obtain a first statistical probability that the attack on the source network load system succeeds;
a second statistical probability acquisition sub-module, for running, with the Yasper simulation tool, the production control area negative control terminal DoS attack model, in which the attacker directly obtains control authority over the attack object so that the attack object denies service, to obtain a second statistical probability that the attack on the source network load system succeeds;
a third statistical probability acquisition sub-module, for running, with the Yasper simulation tool, the terminal meter forged instruction attack model, in which a forged instruction is injected directly at a communication channel or a device entity interface and causes a misoperation, to obtain a third statistical probability that the attack on the source network load system succeeds;
the evaluation module comprises:
an evaluation sub-module, for obtaining the successful defense probability of the source network load system according to the first statistical probability, the second statistical probability and the third statistical probability;
a judging sub-module, for judging that the source network load system has high defense performance if the successful defense probability is higher than a preset threshold, and otherwise that the source network load system has low defense performance.
CN201811145596.9A 2018-09-29 2018-09-29 Source network load system vulnerability evaluation method and system based on malicious attack modeling Active CN110971565B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811145596.9A CN110971565B (en) 2018-09-29 2018-09-29 Source network load system vulnerability evaluation method and system based on malicious attack modeling


Publications (2)

Publication Number Publication Date
CN110971565A CN110971565A (en) 2020-04-07
CN110971565B true CN110971565B (en) 2023-04-28

Family

ID=70027192


Country Status (1)

Country Link
CN (1) CN110971565B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111756687B (en) * 2020-05-15 2022-09-20 国电南瑞科技股份有限公司 Defense measure configuration method and system for coping with network attack
CN114363095B (en) * 2022-03-18 2022-07-12 深圳市永达电子信息股份有限公司 System vulnerability analysis method, system and medium based on petri net

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20080072770A (en) * 2007-01-31 2008-08-07 Sungkyunkwan University Research and Business Foundation (성균관대학교산학협력단) Cyber attack system for vulnerability assessment and method thereof
CN105429133A (en) * 2015-12-07 2016-03-23 国网智能电网研究院 Information network attack-oriented vulnerability node evaluation method for power grid
CN105763562A (en) * 2016-04-15 2016-07-13 全球能源互联网研究院 Electric power information network vulnerability threat evaluation model establishment method faced to electric power CPS risk evaluation and evaluation system based on the model
CN106100877A (en) * 2016-06-02 2016-11-09 东南大学 A kind of power system reply network attack vulnerability assessment method
CN107220775A (en) * 2017-06-01 2017-09-29 东北大学 A kind of active power distribution network various visual angles collaboration vulnerability assessment method for considering information system effect
CN107360133A (en) * 2017-06-08 2017-11-17 全球能源互联网研究院 A kind of network attack emulation mode and system towards electric network information physical system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10262143B2 (en) * 2016-09-13 2019-04-16 The Mitre Corporation System and method for modeling and analyzing the impact of cyber-security events on cyber-physical systems


Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Yang Guotai et al., "Vulnerability of the power CPS information network and its evaluation method" (电力CPS信息网络脆弱性及其评估方法), Electric Power (中国电力), 2018-01-05, No. 1, full text *
Xu Yi et al., "A survey of modeling and simulation research on power cyber-physical systems" (电力Cyber-Physical系统建模仿真研究综述), Computer Simulation (计算机仿真), 2012-11-15, No. 11, full text *
Guo Qinglai et al., "Cyber-physical fusion modeling and comprehensive security assessment of power systems: driving forces and research concepts" (电力系统信息物理融合建模与综合安全评估:驱动力与研究构想), Proceedings of the CSEE (中国电机工程学报), 2016-03-20, No. 6, full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant