CN111262829A - Virus of industrial control network and propagation model system thereof - Google Patents
- Publication number: CN111262829A
- Application number: CN201911416757.8A
- Authority
- CN
- China
- Prior art keywords
- virus
- layer
- module
- network
- industrial
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L63/00—Network architectures or network communication protocols for network security (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
  - H04L63/14—for detecting or protecting against malicious traffic
    - H04L63/1408—by monitoring network traffic
      - H04L63/1416—Event detection, e.g. attack signature detection
    - H04L63/1433—Vulnerability analysis
    - H04L63/1441—Countermeasures against malicious traffic
      - H04L63/145—the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
  - H04L63/20—for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a virus of an industrial control network and a propagation model system thereof, which is characterized in that the system comprises a demand layer, a model layer, a stability analysis layer and a result layer; the demand layer comprises an information security module, a PLC and SCADA module, a key industrial network module and a dynamic module for virus propagation; the model layer comprises a graphic representation module and a mathematical representation module; the stability analysis layer is responsible for stability analysis of the virus and a propagation model thereof in a national key infrastructure industrial network; the result layer is responsible for numerical solution of a differential equation set; the mathematical representation module describes Stuxnet virus and a propagation model thereof in a national key infrastructure industrial network. The invention can deal with the security threat to the national key infrastructure industrial network caused by using the USB to transmit the virus.
Description
Technical Field
The invention relates to the technical field of industrial control computers, network security, computer viruses, network management and automatic control, in particular to a virus of an industrial control network and a propagation model system thereof.
Background
The key industrial network is used for the security management, operation and maintenance of national key infrastructure, and the security of the national key infrastructure industry is a matter of national importance. However, the network security of today's national key infrastructure industry still relies on proprietary communication protocols designed at an early date and on isolation from the Internet.
Disclosure of Invention
In order to solve the above technical problems, the present invention provides a virus of an industrial control network and a propagation model system thereof. The modelled virus is one designed specifically for industrial control networks, such as the APT virus named Stuxnet, which is propagated through a removable storage medium (USB) to computers or industrial control computers connected to a key infrastructure industrial network (composed of industrial controllers) that is isolated from the Internet, thereby posing a security threat to the national key infrastructure industrial network.
The system is characterized by comprising a demand layer, a model layer, a stability analysis layer and a result layer;
the demand layer comprises an information security module, a PLC and SCADA module, a key industrial network module and a dynamic module for virus propagation;
the model layer comprises a graphic representation module and a mathematical representation module;
the stability analysis layer is responsible for stability analysis of the virus and a propagation model thereof in a national key infrastructure industrial network;
the result layer is responsible for numerical solution of a differential equation set;
further, the mathematical representation module describes a model of Stuxnet virus and its propagation in the national key infrastructure industrial network, and comprises the following differential equation system:
the relevant initial conditions are as follows:
The technical effects of the invention are as follows:
the invention provides a virus of an industrial control network and a propagation model system thereof, which is characterized by comprising a demand layer, a model layer, a stability analysis layer and a result layer; the demand layer comprises an information security module, a PLC and SCADA module, a key industrial network module and a dynamic module for virus propagation; the model layer comprises a graphic representation module and a mathematical representation module; the stability analysis layer is responsible for stability analysis of the virus and a propagation model thereof in a national key infrastructure industrial network; the result layer is responsible for numerical solution of a differential equation set; the mathematical representation module describes Stuxnet virus and a propagation model thereof in a national key infrastructure industrial network. The invention can deal with the security threat to the national key infrastructure industrial network caused by using the USB to transmit the virus.
Drawings
FIG. 1 is a schematic diagram of an architecture of a virus and its propagation model system of an industrial control network;
FIG. 2 is a Stuxnet transmission diagram of a virus and its transmission model system for an industrial control network;
FIG. 3 is a schematic diagram of the Stuxnet components of a virus and its propagation model system for an industrial control network;
FIG. 4 is a schematic diagram of a method for Stuxnet attack targeting of viruses and their transmission model system for an industrial control network;
FIG. 5 is a schematic diagram of a mathematical representation of a system of viruses and their propagation models for an industrial control network and their locations in the system;
FIG. 6 is a diagrammatic representation of a virus and its propagation model system for an industrial control network.
Detailed Description
The invention is described in further detail below with reference to the figures and examples:
FIG. 1 is a schematic diagram of an architecture of a virus and its propagation model system of an industrial control network, the virus model system of the industrial control network is characterized in that the system comprises a demand layer, a model layer, a stability analysis layer and a result layer;
the demand layer comprises an information security module, a PLC and SCADA module, a key industrial network module and a dynamic module for virus propagation;
the model layer comprises a graphic representation module and a mathematical representation module;
the stability analysis layer is responsible for stability analysis of the virus and a propagation model thereof in a national key infrastructure industrial network;
the result layer is responsible for numerical solution of a differential equation set;
further, the requirement layer, that is, the requirements of the virus and its propagation model in the national key infrastructure industrial network, relates to multiple aspects of information security, PLC and SCADA, key industrial network and virus propagation:
In recent years, cyber threats in the form of viruses, malware, trojan horses, information theft, hacking of customer accounts and the like have occurred increasingly often and in a variety of complex, technically sophisticated ways. Countries and individuals are accumulating network resources and protecting the security of industrial networks by issuing new policies and developing new products. Because industrial and economic processes are automated, the world economy and its security depend on the secure connection of the Internet and intranets. Frequent international conflicts pose a serious threat to the system security, financial markets, critical information and critical assets of competitors. Networks have now become the target of well-designed attacks, particularly events that disrupt internal system security and spy on critical information, often through internal system vulnerabilities and the exploitation of "zero-day" vulnerabilities in software or hardware. A "zero-day" vulnerability is one in any software or hardware that can be exploited in the real world before it is disclosed and before any patch is provided. With Industry 4.0, the level of industrial automation has risen, all kinds of devices are required to have automation functions, and the use of software has greatly increased; the requirement for reliable software code has therefore risen as well. Poor software programming methods and weak software testing methods fail to detect bugs in the code, which may compromise the entire system and make it easy prey for hackers. The price of developing a valuable "zero-day" exploit is estimated at more than $100,000. It is very common to find new bugs in known software; for example, between 2009 and 2012 over 400 bugs were found in the Firefox browser and about 800 bugs in the Chrome browser.
The rapidly growing 'zero-day' development market requires deep and detailed system design and understanding of the malicious code propagation mechanism;
In the early 1990s, the process control mechanisms designed for managing national key infrastructure systems such as power grids, power plants, ferrous metallurgy, petroleum machinery, radar and water monitoring mostly adopted special-purpose hardware and protocols, which kept the whole process simple but also left the systems vulnerable to hackers. In March 2007, the Idaho National Laboratory in the United States carried out the Aurora vulnerability test, in which an attacker remotely controlled a high-voltage circuit breaker and destroyed a generator by rapidly opening and closing the breaker. On 25 January 2003 at 12:30 am US Eastern Standard Time, the malicious program Slammer began exploiting a vulnerability in Microsoft SQL Server; in as little as 10 minutes it infected approximately 7500 servers worldwide and caused a half-day interruption of the Internet in Korea. Operators of industrial process control systems consider their systems less vulnerable to virus attacks, firstly because the systems are isolated from the Internet and secondly because proprietary communication protocols are used. However, telecommunications carriers have begun replacing outdated hardware with new hardware that implements open protocols, and in the process few control systems remain unconnected to the Internet, which leaves them vulnerable to hackers;
Removable storage media such as USB (Universal Serial Bus) devices play an important role in bridging the gap between isolated national critical infrastructure networks and commercial networks. Their ease of use and connectivity enhance the role of removable storage media in transferring data, and viruses, to computers connected to critical infrastructure networks (comprised of industrial controllers) that are isolated from the Internet. Stuxnet is a 500 kbyte worm, the most complex virus written mainly for industrial control systems; it can spread through multiple vectors, but is most notorious for spreading through USB devices. The internal design of Stuxnet is characterized by strong concealment and high complexity;
The behavior of such malicious code is described by epidemiological models of virus transmission. Implementing control policies against this complex malicious code is very difficult because of capabilities such as locating a legitimate system process, obtaining administrative privileges, injecting infectious code into a system dynamic link library and eliminating traces;
Stuxnet virus possesses all the attributes of a complex computer virus and can attack victims through "zero-day" vulnerabilities. Advances in Internet technology have posed a significant threat and challenge to the security of the national critical infrastructure that lives with these vulnerabilities. It is therefore desirable to analyze the dynamic behavior of this malicious code in detail and to develop effective control strategies to overcome its damage. Mathematical modeling of malicious code provides a platform for a deep understanding of the problem and a flexible, stable, robust approach to control strategies. In this regard, mathematicians, biologists and computer scientists have introduced models for critically analyzing the behavior of different malicious epidemic viruses, including malware propagation models for mobile computing devices, random behavior analysis models, theoretical evaluation methods for virus models, discontinuous anti-virus strategies in computer virus models, network topology models, and so on;
A mathematical model is designed to analyze the behavior of Stuxnet-type viruses. The Stuxnet-type virus is a very elaborate piece of code, called in the news the first digital weapon, and has become notorious for its industrial network attack on national key infrastructure. The application focuses on designing a mathematical model describing the propagation and attack of Stuxnet in an industrial network environment and its impact on national key infrastructure managed by industrial personal computers. Stuxnet is an APT (advanced persistent threat) type network attack that uses unusual methods to attack resources in order to access critical information without being discovered, and has special control and clean-up arrangements. A typical APT-type attack establishes several connection points to attack the victim and ensures that, when the attack fails at any point, the evidence of the APT's presence is removed without removing the re-entry path, so that the attacker can continue and control of the target system can easily be regained. The virus model described herein takes into account several attack vectors, such as infection propagation through infected hosts and infected removable storage media, which are in turn infected through other vectors such as email, the network, files, application bugs, infected media, supply chain compromise, or human intelligence and deception. Mitigating the resources of APT organizations is therefore a challenging area of network security. Few studies have observed the effect of removable USB media on worm propagation, and the existing studies use simplified models whose behavior is verified theoretically without real data; moreover, these models have not been linked to a standard industrial computer scenario.
Stuxnet is a complex computer virus aimed mainly at industrial control network systems; it attacks using four "zero-day" vulnerabilities and is able to hide itself from anti-virus programs. In one embodiment, as shown in FIG. 2, Stuxnet uses two stolen digital certificates to present itself as a legitimate program, giving it deep insight into systems such as the targeted Siemens Supervisory Control And Data Acquisition (SCADA) system. Stuxnet was discovered in June 2010 and was used to attack the Iranian nuclear enrichment facility at Natanz. The Natanz facility includes centrifuges arranged in a cascade, where the output of one centrifuge is piped into the input of the next, and so on. Stuxnet has several malicious modules built into it, making it a complex network weapon. The virus uses four "zero-day" vulnerabilities to modify a system library, attacks the SCADA system of Siemens (Germany), installs a signed driver and hides its existence, clears logs, runs a Remote Procedure Call (RPC) server, communicates with its control center and updates its version.
The components of the virus are shown in FIG. 3. In one embodiment, the Stuxnet virus spreads across the national critical infrastructure industrial network through an infected USB device connected to a system and, after infecting the first computer, attacks the network further by exploiting different vulnerabilities. The ultimate goal of the virus is a machine connected to the centrifuges, which is managed by a Programmable Logic Controller (PLC), a special-purpose computer. Typically these computers are not connected to the Internet and operate in a standalone industrial environment. Stuxnet therefore relies on transmission through USB rather than the Internet to reach the target computer.
USB-borne infections are common; for example, in 2009, 26% of infections in our country were caused by USB malware exploiting the Windows auto-run function. Different Stuxnet versions exploit different vulnerabilities; the latest version uses the Windows LNK vulnerability. Using the autorun .inf file vulnerability, Stuxnet searches for the target Siemens WinCC (an interface for controlling the SCADA system) by connecting to its SQL database with a hard-coded password, and uploads an infected version, as shown in FIG. 4. Stuxnet then propagates through the network via network shares, the Windows print spooler MS10-061 "zero-day" vulnerability, the Server Message Block (SMB) file-sharing MS08-067 "zero-day" vulnerability, and so on. Stuxnet infects programs in Siemens Simatic SCADA projects opened on infected computers. Stuxnet updates older versions on the local network using a built-in peer-to-peer (P2P) network: each replica starts the RPC service and listens for connections, and all connected nodes update themselves. Stuxnet also attempts to contact its command and control server by sending data in encrypted form. Stuxnet is not really harmful to the average user; it targets one specific agent, the Siemens PLC. The virus hides itself from the operator by installing rootkits on infected computers and programmable logic controllers. The Stuxnet attack destroyed 1000 of the 5000 centrifuges in the Natanz plant. Over the years, similar cyber attacks have been adopted as weapons by criminal and terrorist entities and by nation states, and they can be used not only to collect information but also to destroy national critical infrastructure;
Further, the mathematical representation module, as shown in FIG. 5, gives the necessary description of the mathematical model of the industrial network virus. The total nodes N(t) are divided into susceptible, infected and damaged nodes, denoted S(t), I(t) and P(t) respectively. The removable media susceptible to infection and the infected removable media are denoted by  and  respectively, with N = S + I + P and U =  + . In this configuration, all non-infected computers (networked or standalone) fall within the scope of susceptible computers. An infected computer is one infected through a network share or by connecting a removable storage device (i.e. USB). Damaged computers are those temporarily unable to perform their intended function, which are therefore removed from the installation. Susceptible removable storage media are those that are virus-free but may become infected if connected to an infected node. Because of the weak firmware security and plug-and-play functionality of USB devices, infected removable storage media are a major source of infection in networks. Let  denote the arrival rate of new computers,  the arrival rate of removable storage devices,  the rate of damage caused by viral infection to a computer connected to a programmable logic controller, and  and  respectively the infection transfer rates from an infected computer to a susceptible computer on the network and from an infected removable device to a susceptible computer; the natural removal (death/aging) rates of computers and removable devices from the network are denoted by  and  respectively. In the Internet Protocol version 4 (IPv4) scheme, the probability of finding a vulnerable computer on the network is S ≦  (the total number of computers in IPv4 is ).
Removable storage devices are a major source of virus spread in the isolated national key infrastructure industrial network; they bridge the isolation and give predators an environment in which to reach their prey;
the present application models computer viruses and their transmission, particularly Stuxnet viruses in national critical infrastructure industrial networks through removable storage media and infected computers.
Further, the graphical representation module, as shown in fig. 6, gives a flow chart of Stuxnet virus and its data in the national key infrastructure industrial network propagation model;
further, the mathematical representation module describes a model of Stuxnet virus and its propagation in the national key infrastructure industrial network, and comprises the following differential equation system:
the relevant initial conditions are as follows:
wherein the arrival rate of new nodes is denoted by , the mortality rate by , the arrival rate of new removable storage devices by , and their removal rate by . Thus the net rates of change of the total nodes are  =  and  = , where the latter may be positive, zero or negative. Solving equation set (2) yields:
equation (1) can be simplified as follows:
wherein:
Substituting equation (3) into system (4) gives the limiting system:
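As an added worked example (not code from the patent), the following Python script numerically integrates a compartmental model built from the compartments described above: S, I, P for susceptible, infected and damaged computers, and U_s, U_i for susceptible and infected removable media. Because the patent's equation system is not reproduced on the page, the right-hand sides are an assumed mass-action form chosen so that the totals satisfy the stated relations N' = Λ − μN and U' = Λ_u − μ_u U; the script checks N(t) against its closed form and compares the infection peak with USB transmission against the peak when removable-media channels are blocked, which is the defender's control policy of interest.

```python
"""Numerical solution of an S-I-P + removable-media model (added example).

The compartments follow the page: S, I, P are susceptible, infected and
damaged computers; U_s and U_i are susceptible and infected removable media.
The right-hand sides are an ASSUMED mass-action form, not the patent's own
equations (which are not reproduced on the page); they are chosen so that
N = S + I + P and U = U_s + U_i satisfy N' = lam - mu*N and U' = lam_u - mu_u*U.
All parameter values and initial conditions are constructed for illustration.
"""
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Params:
    lam: float     # arrival rate of new computers
    lam_u: float   # arrival rate of new removable media
    mu: float      # natural removal (death/aging) rate of computers
    mu_u: float    # natural removal rate of removable media
    beta: float    # transfer rate: infected computer -> susceptible computer (network)
    beta_u: float  # transfer rate: infected media -> susceptible computer
    beta_s: float  # transfer rate: infected computer -> susceptible media
    delta: float   # rate at which infected PLC-connected computers become damaged


def rhs(y, p):
    """Assumed right-hand side; y = (S, I, P, U_s, U_i)."""
    s, i, dmg, us, ui = y
    new_inf = p.beta * s * i + p.beta_u * s * ui   # network + USB infections
    new_media_inf = p.beta_s * us * i               # clean media plugged into infected hosts
    return (
        p.lam - new_inf - p.mu * s,
        new_inf - p.delta * i - p.mu * i,
        p.delta * i - p.mu * dmg,
        p.lam_u - new_media_inf - p.mu_u * us,
        new_media_inf - p.mu_u * ui,
    )


def rk4_step(y, p, h):
    """One classical fourth-order Runge-Kutta step of size h."""
    def shift(base, k, c):
        return tuple(b + c * kk for b, kk in zip(base, k))
    k1 = rhs(y, p)
    k2 = rhs(shift(y, k1, h / 2), p)
    k3 = rhs(shift(y, k2, h / 2), p)
    k4 = rhs(shift(y, k3, h), p)
    return tuple(yi + h / 6 * (a + 2 * b + 2 * c + d)
                 for yi, a, b, c, d in zip(y, k1, k2, k3, k4))


def simulate(y0, p, t_end, h=0.1):
    """Integrate from t = 0 to t_end; returns a list of (t, state) pairs."""
    y = tuple(float(v) for v in y0)
    traj = [(0.0, y)]
    for k in range(1, int(round(t_end / h)) + 1):
        y = rk4_step(y, p, h)
        traj.append((k * h, y))
    return traj


def total_nodes_closed_form(n0, p, t):
    """Closed-form N(t) of N' = lam - mu*N, the relation stated on the page."""
    return p.lam / p.mu + (n0 - p.lam / p.mu) * math.exp(-p.mu * t)


def peak_infected(traj):
    return max(state[1] for _, state in traj)


# Constructed illustrative values: 1000 computers, 205 removable media.
BASELINE = Params(lam=1.5, lam_u=0.2, mu=0.001, mu_u=0.001,
                  beta=2e-4, beta_u=5e-4, beta_s=3e-4, delta=0.05)
Y0 = (990.0, 10.0, 0.0, 200.0, 5.0)


def usb_control_comparison(t_end=200.0):
    """Peak infections with USB transmission vs. with USB channels blocked."""
    base = simulate(Y0, BASELINE, t_end)
    blocked = replace(BASELINE, beta_u=0.0, beta_s=0.0)  # removable-media controls
    ctrl = simulate(Y0, blocked, t_end)
    return {
        "baseline_peak_I": peak_infected(base),
        "usb_blocked_peak_I": peak_infected(ctrl),
        "baseline_final_N": sum(base[-1][1][:3]),
    }


if __name__ == "__main__":
    r = usb_control_comparison()
    print(f"peak infected, baseline:    {r['baseline_peak_I']:.1f}")
    print(f"peak infected, USB blocked: {r['usb_blocked_peak_I']:.1f}")
    print(f"N(200) numeric {r['baseline_final_N']:.4f} vs closed form "
          f"{total_nodes_closed_form(1000.0, BASELINE, 200.0):.4f}")
```

Because the infection and damage terms cancel in the sum S + I + P, the numerical N(t) must match the closed form to floating-point precision; any discrepancy indicates a mistyped right-hand side.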
the above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention; all equivalent changes and modifications made according to the present invention are considered to be covered by the scope of the present invention.
Claims (2)
1. The virus model system of the industrial control network is characterized by comprising a demand layer, a model layer, a stability analysis layer and a result layer;
the demand layer comprises an information security module, a PLC and SCADA module, a key industrial network module and a dynamic module for virus propagation;
the model layer comprises a graphic representation module and a mathematical representation module;
the stability analysis layer is responsible for stability analysis of the virus and a propagation model thereof in a national key infrastructure industrial network;
the result layer is responsible for numerical solution of a differential equation set;
the mathematical expression module describes Stuxnet virus and a propagation model thereof in a national key infrastructure industrial network, and comprises the following differential equation sets:
the relevant initial conditions are as follows:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911416757.8A CN111262829A (en) | 2019-12-31 | 2019-12-31 | Virus of industrial control network and propagation model system thereof |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201911416757.8A CN111262829A (en) | 2019-12-31 | 2019-12-31 | Virus of industrial control network and propagation model system thereof |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111262829A true CN111262829A (en) | 2020-06-09 |
Family
ID=70953937
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201911416757.8A Pending CN111262829A (en) | 2019-12-31 | 2019-12-31 | Virus of industrial control network and propagation model system thereof |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111262829A (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103036886A (en) * | 2012-12-19 | 2013-04-10 | 珠海市鸿瑞软件技术有限公司 | Industrial controlling network safety protecting method |
CN109543301A (en) * | 2018-11-22 | 2019-03-29 | 苏州健雄职业技术学院 | A kind of network security attacks prototype modeling method based on Industry Control |
Application Events
- 2019-12-31: CN CN201911416757.8A, publication CN111262829A (en), active, Pending
Non-Patent Citations (1)
Title |
---|
ZAHEER MASOOD et al.: "Design of a mathematical model for the Stuxnet virus in a network of critical control infrastructure", Computers & Security * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20200609 |