CN112114579A - Industrial control system safety measurement method based on attack graph - Google Patents

Info

Publication number
CN112114579A
Authority
CN
China
Prior art keywords
node
vulnerability
equipment
attack
information
Legal status
Granted
Application number
CN202011043060.3A
Other languages
Chinese (zh)
Other versions
CN112114579B (en)
Inventor
张耀方
王佰玲
孙云霄
王巍
黄俊恒
辛国栋
Current Assignee
Harbin Institute of Technology Weihai
Original Assignee
Harbin Institute of Technology Weihai

Classifications

    • G: PHYSICS
    • G05: CONTROLLING; REGULATING
    • G05B: CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00: Testing or monitoring of control systems or parts thereof
    • G05B23/02: Electric testing or monitoring
    • G05B23/0205: Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259: Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults, characterized by the response to fault detection
    • G05B23/0275: Fault isolation and identification, e.g. classify fault; estimate cause or root of failure
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention relates to an attack graph-based industrial control system security measurement method comprising the following steps: acquiring the topological structure information of an industrial control network, detecting the devices of a specific industrial control system, collecting the device information in the industrial control network, and analyzing the association between devices; collecting device vulnerability information for the devices detected in the industrial control network; storing the topological structure and the device vulnerability information in a graph database and representing the graph structure with nodes and relationships to generate a system attack graph; and, according to the generated system attack graph, performing network security measurement of the specific industrial control system at three levels, namely vulnerability node measurement, device node measurement and system security measurement, and analyzing attack paths. The method finds potential threats to the greatest extent, greatly shortens the analysis period of industrial control system security measurement, improves measurement efficiency, and lays a foundation for the protection of industrial control systems.

Description

Industrial control system safety measurement method based on attack graph
Technical Field
The invention relates to an industrial control system security measurement method based on an attack graph, and belongs to the technical field of network security.
Background
In recent years, industrial control systems have gradually become more information-based, which not only introduces the diverse methods of the internet but also brings various attack threats to industrial control systems. Highly information-based industrial control systems must face changes in the network environment as well as the potential impact of network components on the system. To address the complicated operating environment and diversified attack modes of industrial control systems, an attack graph-based security measurement method for industrial control systems is provided: by integrating vulnerability and topology information it displays the potential attack paths of the industrial control system, visualizes the security measurement process, provides data support for subsequent system security analysis, and protects key task assets from being damaged by potential threat sources.
For example, Chinese patent document CN110533754A provides an interactive attack graph display system and display method based on a large-scale industrial control network, where the display system includes a JSON file construction module, a network topology generation module, a scene roaming processing module, an attack graph generation module and an interactive event processing module; the method starts from an attack target and generates the attack graph in reverse, thereby greatly reducing the complexity of the attack graph and improving its usability. The attack graph display system is interactive: it allows a user to switch attack targets by clicking and generates a real-time key attack path for the chosen target, which greatly improves the visual management of the attack graph. It facilitates network security analysis and evaluation by security operation and maintenance personnel and security analysts, and can effectively help network security incident handlers identify network attack paths and defend key points as early as possible. Chinese patent document CN108156114A provides a method and an apparatus for determining the key nodes of a network attack graph of a power cyber-physical system, where the method includes: acquiring at least one characteristic value for every node in the attack graph; determining the weight of each characteristic value; and determining key nodes among all nodes according to the characteristic values and their weights.
By acquiring at least one characteristic value for every node in the attack graph, the importance of each node can be quantified; by determining the weight of each characteristic value, the characteristic values can be weighed against each other; and finally, key nodes are determined among all nodes according to the characteristic values and their corresponding weights, with all nodes considered comprehensively, so that the key nodes of the system attack graph are identified from multiple aspects and multiple dimensions and the problem of an uncertain protection focus in the attack graph is solved. Chinese patent document CN108629474A discloses a process security assessment method based on an attack graph model, which includes the following steps: designing security nodes according to the security attributes of the security control system; forming a process scheme from the designed nodes according to the business process logic, the process scheme being designed by building a tree diagram; evaluating and modeling the designed process scheme, and calculating an evaluation conclusion. The process scheme evaluation comprises building a process security evaluation system, a reliability evaluation system and an operation efficiency evaluation system, and producing a comprehensive system evaluation result through a comprehensive scoring model based on the index values of the three evaluation systems; and an optimization strategy for the current process scheme is given according to the importance, realizability and complexity of the weak security nodes. The method removes the uncertainty caused by human intervention and improves the accuracy, reliability and efficiency of the security evaluation result.
At present there are few security measurement methods for industrial control systems, a measurement scheme covering the whole system is lacking, and the vulnerability relationships between system devices are not taken into account. Because the topological structure of an industrial control system is complex and the selection and quantification of security indexes in the measurement are difficult, current security measurement schemes are mainly qualitative. Therefore, in order to quantify the security of an industrial control system globally, a security measurement method with a global measure of the industrial control system needs to be designed.
Disclosure of Invention
To address the defects of the prior art, the invention provides an attack graph-based security measurement method for industrial control systems. The attack graph represents in a graph structure the detailed information of how the industrial control system is attacked; the method comprehensively considers the special hierarchical structure of industrial control system devices together with their vulnerabilities and dependency relationships, establishes an association model between devices and vulnerabilities and between devices, displays the possible attack paths, and finally combines the attack paths with the indexes in the attack graph to realize global security measurement of the industrial control system.
Interpretation of terms:
1. CVE-NVD (Common Vulnerabilities and Exposures, National Vulnerability Database): the CVE list together with the NVD vulnerability database.
2. CNNVD (China National Vulnerability Database of Information Security).
3. ICS (industrial control system) vulnerability database.
4. CWE (Common Weakness Enumeration).
5. CAPEC (Common Attack Pattern Enumeration and Classification): enumeration and classification of attack patterns.
6. Availability: the probability that the vulnerability is successfully exploited to achieve the effect of the attack.
7. Vulnerability damage (hazard): the severity of the impact brought by successful exploitation of the vulnerability.
The technical scheme of the invention is as follows:
an industrial control system security measurement method based on an attack graph comprises the following steps:
step one, acquiring the topological structure information of the industrial control network, detecting the devices of the specific industrial control system, collecting the device information in the industrial control network, and analyzing the association between devices;
step two, collecting device vulnerability information for the devices detected in the industrial control network;
step three, storing the topological structure and the device vulnerability information in a graph database, representing the graph structure with nodes and relationships, and generating the system attack graph;
and step four, according to the generated system attack graph, performing network security measurement of the specific industrial control system at three levels, namely vulnerability node measurement, device node measurement and system security measurement, and analyzing attack paths.
Preferably, in step one, the GRASSMARLIN tool is used to obtain the industrial control network topology information.
Preferably, in step one, the obtained industrial control network topology information includes the topology planning, system configuration and access control rules of the security devices in the system design document; the connection relationships between system devices are read and extracted from the system design document and the access control rules of the security devices so as to restore the topological structure of the system.
Preferably, in step one, detecting the devices of the specific industrial control system means that the GRASSMARLIN tool is used to monitor the topology of the industrial control system in real time so as to detect devices newly added to it; GRASSMARLIN uses a passive detection mode to collect information about the detected system, so that the influence of the detection process on the working state of the devices in the industrial control system is reduced.
Preferably, in step one, collecting the device information in the industrial control network means reading the device information in the system design document and the system configuration files and extracting the device type, device model and system version, which serve as the data basis for the subsequent acquisition of device vulnerability information.
Preferably, in step one, analyzing the association between devices means formatting the association relationships between devices according to the system topology information obtained from the system design document, the system configuration files and the access control rules of the security devices. The connection relationship between devices is uniformly defined as link: A link B indicates that device A has a link to device B, i.e. A can access B; link is a directed relationship.
Preferably, while the GRASSMARLIN tool monitors the industrial control system topology in real time, its detection results are stored in XML format and read periodically at low frequency; the relationships of updated devices are extracted, newly added devices are added to the system, the system devices that interact with the new devices are updated, the connection relationships between source IP and target IP in the same group are simplified, and redundant data is removed, so that the system topology is acquired dynamically; meanwhile, the topology data, both original and updated, is ordered according to the detection sequence.
Preferably, in step two, collecting device vulnerability information comprises building a vulnerability information base and acquiring device vulnerabilities;
building the vulnerability information base means acquiring vulnerability information and processing it. A security knowledge base is constructed with the CVE-NVD vulnerability database as the main body, the CNNVD and ICS vulnerability databases as extended security bases, and CWE and CAPEC as vulnerability association information bases, and the collected vulnerability information is stored in a MySQL database. Vulnerability information processing takes the CNNVD and CVE vulnerability knowledge bases as the main body, matches and associates all vulnerability information imported into the MySQL database, introduces CWE as the basis for vulnerability description, vulnerability classification and availability judgement, and combines CAPEC to describe the prerequisites, required technical skills, mode and consequences of attacks that exploit the vulnerabilities;
acquiring device vulnerabilities means scanning the vulnerabilities of the system devices with a scanning tool, which is configured according to the acquired system device information to complete the scan of device vulnerability information; then, according to the device vulnerability information obtained by scanning, devices and vulnerabilities are associated and represented, where one device can be associated with one or more vulnerabilities; the connection relationship between a device and a vulnerability is defined as has_VUL_at, and DEVICE1 has_VUL_at VUL1 indicates that device 1 has the vulnerability numbered VUL1. The device vulnerability information is matched against the vulnerability information base, so that each vulnerability yields an atomic attack template of the form CNNVD description - CVE vulnerability number - CWE vulnerability report - CAPEC attack method - CVSS score, which provides the input data for the subsequent attack graph generation.
Preferably, in step three, the nodes in the attack graph include device nodes and vulnerability nodes;
the device node information comprises the service information, open port information and IP information of the device carrying the vulnerability; it is used as the attributes of the device node and is described by a quintuple, namely device IP, device name, vulnerable service, service protocol and service port;
the vulnerability node information comprises the CVE/CNNVD number, CWE classification, privilege-escalation capability flag and CVSS score from the atomic attack rule; it is attached as node attributes to a vulnerability node identified by the vulnerability ID and is described by a four-tuple, namely vulnerability ID, vulnerability number, vulnerability type and vulnerability score;
and the data is preprocessed according to the results of the network topology analysis and the vulnerability information collection and summarized into a device information table, a vulnerability information table and a device relation table, which serve as the input of the attack graph generation algorithm.
Preferably, in step three, generating the system attack graph means generating the attack graph on the basis of the Neo4j graph database, storing and managing the data according to the property graph model, where nodes in the attack graph represent entities and relationships represent the connections between entities; the node attributes of the attack graph are filled from the device information table and the vulnerability information table, the node relationships are filled from the device relation table, a start node and a target node are selected, and the attack graph is generated through multiple traversals.
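As an added illustration of step three (example code, not part of the patent or its implementation): an in-memory Python stand-in for the Neo4j property graph, filled from the three input tables and traversed from a start device to a target device. The class and function names, the sample topology, the placeholder CVE numbers and the rule that only devices carrying a vulnerability can be stepped through are assumptions of this example.

```python
# Added example (not the patent's own code): an in-memory stand-in for the
# Neo4j property graph of step three. Device and vulnerability nodes carry the
# attributes listed in the description, "link" and "has_VUL_at" are directed
# relationships, and attack paths are produced by traversal from a start
# device to a target device.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class DeviceNode:
    """Device node attributes: the quintuple from the description."""
    ip: str
    name: str
    service: str      # service carrying the vulnerability
    protocol: str
    port: int
    vulns: List[str] = field(default_factory=list)   # has_VUL_at targets


@dataclass
class VulnNode:
    """Vulnerability node attributes: the four-tuple from the description."""
    vid: str          # vulnerability ID used as the node identifier
    number: str       # CVE/CNNVD number
    vtype: str        # CWE classification
    score: float      # CVSS score


class AttackGraph:
    def __init__(self) -> None:
        self.devices: Dict[str, DeviceNode] = {}
        self.vulns: Dict[str, VulnNode] = {}
        self.links: Dict[str, Set[str]] = {}   # "A link B": A can access B

    @classmethod
    def from_tables(cls, device_rows, vuln_rows, relation_rows) -> "AttackGraph":
        """Fill node attributes from the device and vulnerability tables and
        relationships from the device relation table, as step three does."""
        g = cls()
        for ip, name, service, protocol, port in device_rows:
            g.devices[ip] = DeviceNode(ip, name, service, protocol, port)
        for vid, number, vtype, score in vuln_rows:
            g.vulns[vid] = VulnNode(vid, number, vtype, score)
        for src, rel, dst in relation_rows:
            if rel == "link":
                g.links.setdefault(src, set()).add(dst)
            elif rel == "has_VUL_at":
                g.devices[src].vulns.append(dst)
            else:
                raise ValueError(f"unknown relationship {rel!r}")
        return g

    def attack_paths(self, start: str, target: str) -> List[List[str]]:
        """Enumerate simple device paths from start to target.
        Assumption (not stated in the patent): the start node is already under
        the attacker's control, and every other device on a path must carry at
        least one vulnerability, otherwise it cannot be taken over and used as
        a pivot."""
        paths: List[List[str]] = []

        def walk(node: str, visited: List[str]) -> None:
            if node == target:
                paths.append(list(visited))
                return
            for nxt in sorted(self.links.get(node, ())):
                if nxt in visited or not self.devices[nxt].vulns:
                    continue
                walk(nxt, visited + [nxt])

        walk(start, [start])
        return paths


def build_sample_graph() -> AttackGraph:
    """Constructed sample tables for a small ICS network (not real data)."""
    device_rows = [
        ("10.0.0.5", "EWS", "rdp", "tcp", 3389),        # engineering workstation
        ("10.0.1.10", "HMI", "http", "tcp", 80),
        ("10.0.1.11", "Historian", "sql", "tcp", 1433),
        ("10.0.2.20", "PLC", "modbus", "tcp", 502),
    ]
    vuln_rows = [                                       # placeholder CVE numbers
        ("VUL1", "CVE-XXXX-0001", "CWE-79", 7.5),
        ("VUL2", "CVE-XXXX-0002", "CWE-306", 9.8),
    ]
    relation_rows = [
        ("10.0.0.5", "link", "10.0.1.10"),
        ("10.0.0.5", "link", "10.0.1.11"),
        ("10.0.0.5", "link", "10.0.2.20"),
        ("10.0.1.10", "link", "10.0.2.20"),
        ("10.0.1.11", "link", "10.0.2.20"),
        ("10.0.1.10", "has_VUL_at", "VUL1"),
        ("10.0.2.20", "has_VUL_at", "VUL2"),
    ]
    return AttackGraph.from_tables(device_rows, vuln_rows, relation_rows)


if __name__ == "__main__":
    g = build_sample_graph()
    for path in g.attack_paths("10.0.0.5", "10.0.2.20"):
        print(" -> ".join(g.devices[ip].name for ip in path))
```

In the sample the historian carries no vulnerability, so the path through it is dropped and only the direct path and the path through the HMI remain.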
Preferably, in step four, the vulnerability node measurement quantifies the availability and the hazard of each vulnerability node according to the scanned device vulnerability information. The availability of a vulnerability node is defined by the 'attack possibility' (likelihood of attack) field of the CAPEC library: the {low, medium, high} likelihood of attack is quantified as {0.3, 0.6, 0.9}, where a low score represents a low likelihood of attack and a high score a high likelihood. The hazard score of a vulnerability node is its CVSS (Common Vulnerability Scoring System) assessment score out of a full score of 10: the higher the score, the greater the vulnerability hazard, and the lower the score, the smaller the hazard.
Preferably, in step four, the device node measurement is quantified according to the attacked probability of the device node and the risk score of the device node;
a. attacked probability of a device node
For the vulnerability nodes connected to each device node, the attacked probability of the device node is calculated from their availability, as shown in formula I:
[Formula I: image not reproduced]
where $U_{self}$ represents the attacked probability of the device node, $u_i$ represents the availability of the i-th vulnerability node connected to the device node, and $k$ represents the number of vulnerability nodes connected to the device node; the more vulnerability nodes are connected to a device node, the higher its attacked probability;
b. device node risk score
A weighted hazard calculation is performed over the connected vulnerability nodes according to their availability to obtain the risk score of the device node, as shown in formula II:
[Formula II: image not reproduced]
where $R_{self}$ represents the risk score of the device node, $u_i$ and $u_j$ represent the availability of the i-th and j-th vulnerability nodes connected to the device node, and $r_i$ represents the vulnerability hazard of the i-th vulnerability node connected to the device node.
Preferably, in step four, the system security metric includes a start node metric and a non-start node metric;
a. start node metric
Since the start node is where the attacker has already acquired authority and is not itself attacked, the attacked probability of the start device node defaults to 1, representing that all authority over the device has been acquired; and since the start node has no predecessor node and its in-degree is 0, the risk score of the start node equals the node's own risk score;
b. non-start node metric
A non-start node considers the vulnerability nodes connected to it and, in combination with the attacked probability and device risk score of the upper-layer device nodes, calculates the accumulated attacked probability and device risk score of the upper-layer and current-layer device nodes; the system security metric is then calculated from the risk scores accumulated over multiple layers of device nodes;
the attacked probability of a non-start node is calculated as in formula III:
[Formula III: image not reproduced]
where $d_i$ represents the in-degree of the node and $U_m$ represents the attacked probability of the m-th upper-layer node connected to the device node; the measurement takes into account both the in-degree of the node and the influence of the attacked probability of the upper-layer nodes on the node of the current layer: the higher the in-degree of the node, the higher its attacked probability, and the higher the attacked probability of the upper-layer nodes, the higher the attacked probability of the node at the current layer;
the risk score of a non-start node is calculated as in formula IV:
[Formula IV: image not reproduced]
where $U_m$ and $U_n$ represent the attacked probability of the m-th and n-th upper-layer nodes connected to the device node, and $R_m$ represents the risk score of the m-th upper-layer node connected to the device node;
the risk score of a non-start node takes into account the influence of the attacked probability of the upper-layer nodes on the node of the current layer and accumulates the risk scores of the upper-layer nodes: the greater the in-degree of the node, the greater its risk score; the higher the attacked probability of the upper-layer nodes, the higher the risk score of the node at the current layer; and the larger the risk score of the upper-layer nodes, the larger the risk score of the node at the current layer. The risk score $R_{dest}$ of the final target node is calculated cumulatively over the multi-layer attack path.
Preferably, in step four, the attack paths include nested paths and parallel paths. The key attack path is analyzed quantitatively in combination with the system security metric values, and an asset value index is introduced in the analysis. The asset value is determined jointly by the access degree of the node and the asset importance: the asset importance index grades assets on ten levels from 1 to 10, where 10 is very important and 1 is very unimportant; meanwhile, according to the access degrees of the nodes appearing in the current attack graph, the highest access degree is taken as the reference and the remaining access degrees are normalized against it, while the access degrees of the start node and the target node default to 1 and are not down-weighted. Finally, the asset value is the product of the asset importance and the access degree, as given in formula V:
$P_{value} = P_{significance} \cdot d_{io}$ (V)
where $P_{value}$ represents the asset value, $P_{significance}$ represents the asset importance, and $d_{io}$ represents the node access degree after normalization;
a. nested path analysis
The nodes in the path set of nested paths do not include the common start node, and the key path in this case is selected as follows:
[Formula VI: image not reproduced]
where $Path_{sign}$ is the path criticality index, $U_j$ represents the attacked probability of the j-th device node in the path set, $R_i$ represents the risk score of the i-th device node in the path set, and $P_{value_i}$ represents the asset value of the i-th device node in the path set; the key path among nested paths takes the number of attack hops as the main basis of calculation: in general the path with fewer attack hops is the key path, and a path with more attack hops can be the key path only when both the attacked probability and the risk score of its intermediate-hop nodes are larger;
b. parallel path analysis
The path set of parallel attack paths is represented by N parallel nodes, excluding the common start node and the common end node, and the key path in this case is selected and calculated as follows:
$Path_{sign} = \max\{U_i \cdot R_i \cdot P_{value_i}\},\ i = 1, 2, \ldots, k$ (VII)
where $U_i$ represents the attacked probability of the i-th device node in the path set, $R_i$ represents the risk score of the i-th device node in the path set, and $P_{value_i}$ represents the asset value of the i-th device node in the path set; finally, the key path is obtained by comparing the key indexes of the N parallel paths;
the analysis results of the nested and parallel paths are combined, and the importance of the multiple paths is calculated through the quantitative indexes to obtain the key attack path.
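As an added illustration of the step-four quantities that are spelled out on this page (example code, not the patent's own): the CAPEC likelihood mapping, the asset value of formula V with normalized access degree, and the parallel-path key index of formula VII. The device-level attacked probabilities $U_i$ and risk scores $R_i$ come from formulas I to IV, whose images are not reproduced here, so the example takes them as given inputs; the sample network, the importance grades and the reading of access degree as total (in plus out) degree are assumptions.

```python
# Added example (not the patent's own code): the quantities step four defines
# explicitly on this page. U_i and R_i are assumed to have been computed by
# formulas I to IV (not shown here) and are passed in as plain numbers.
from typing import Dict, List, Tuple

# CAPEC 'attack possibility' (likelihood of attack) quantized as on this page
AVAILABILITY = {"low": 0.3, "medium": 0.6, "high": 0.9}


def vulnerability_node_metric(capec_likelihood: str, cvss_score: float) -> Tuple[float, float]:
    """(availability, hazard) of one vulnerability node."""
    if not 0.0 <= cvss_score <= 10.0:
        raise ValueError("CVSS score must lie in [0, 10]")
    key = capec_likelihood.lower()
    if key not in AVAILABILITY:
        raise ValueError(f"unknown CAPEC likelihood {capec_likelihood!r}")
    return AVAILABILITY[key], cvss_score


def normalised_access_degree(edges: List[Tuple[str, str]], start: str, target: str) -> Dict[str, float]:
    """d_io per node: the node's degree divided by the largest degree in the
    graph, with the start and target nodes fixed at 1 (no down-weighting).
    Assumption: access degree means the total (in + out) degree."""
    degree: Dict[str, int] = {}
    for src, dst in edges:
        degree[src] = degree.get(src, 0) + 1
        degree[dst] = degree.get(dst, 0) + 1
    d_max = max(degree.values())
    dio = {node: d / d_max for node, d in degree.items()}
    dio[start] = 1.0
    dio[target] = 1.0
    return dio


def asset_value(significance: int, dio: float) -> float:
    """Formula V: P_value = P_significance * d_io, importance graded 1..10."""
    if not 1 <= significance <= 10:
        raise ValueError("asset importance is graded from 1 to 10")
    return significance * dio


def key_parallel_path(candidates: List[Tuple[str, float, float, float]]) -> Tuple[str, float]:
    """Formula VII over N parallel intermediate nodes. Each candidate is
    (node, U_i, R_i, P_value_i); the key path is the one through the node with
    the largest U_i * R_i * P_value_i. Returns (node, Path_sign)."""
    scored = [(node, u * r * p) for node, u, r, p in candidates]
    return max(scored, key=lambda item: item[1])


def sample_analysis() -> dict:
    """Constructed example (not real data): EWS is the start node, the PLC is
    the target, and the HMI and the historian are two parallel hops between
    them; an OPC server also reaches the HMI, which raises the HMI's degree."""
    edges = [("EWS", "HMI"), ("EWS", "Historian"), ("OPC", "HMI"),
             ("HMI", "PLC"), ("Historian", "PLC")]
    dio = normalised_access_degree(edges, start="EWS", target="PLC")
    importance = {"HMI": 8, "Historian": 6}               # graded 1..10
    # (U_i, R_i) per parallel node, assumed output of formulas I-IV
    device_metrics = {"HMI": (0.81, 6.0), "Historian": (0.60, 7.5)}
    candidates = [(node, u, r, asset_value(importance[node], dio[node]))
                  for node, (u, r) in device_metrics.items()]
    node, sign = key_parallel_path(candidates)
    return {"dio": dio, "candidates": candidates, "key_node": node, "path_sign": sign}


if __name__ == "__main__":
    result = sample_analysis()
    print("normalised access degrees:", result["dio"])
    print("key parallel path runs through", result["key_node"],
          "with Path_sign =", round(result["path_sign"], 2))
```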
A server, comprising:
one or more processors;
a storage device having one or more programs stored thereon which,
when executed by the one or more processors, cause the one or more processors to implement the attack graph-based industrial control system security measurement method described above.
A computer-readable medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the attack graph-based industrial control system security measurement method described above.
The invention has the technical characteristics and beneficial effects that:
1. The method takes CVE-NVD as the main body, the CNNVD and ICS vulnerability databases as extended security libraries, and CWE and CAPEC as vulnerability association information libraries to jointly construct an integrated security knowledge base. Meanwhile, isolated data is screened, associated and fused in combination with the scanning results of various tools to generate an attack graph suited to industrial control systems, and the security of the system is measured in layers to provide decision support and situational awareness. The method associates network threats with industrial control system devices according to vulnerability dependencies, finds potential threats to the greatest extent, greatly shortens the analysis period of industrial control system security measurement, improves measurement efficiency, and lays a foundation for the protection of industrial control systems.
2. The method provides an attack graph-based industrial control system security measurement method which, using asset detection, vulnerability scanning, vulnerability exploitation analysis, graph-data-based attack graph generation, layered security measurement and related technologies, can visualize the system attack paths, measure the security of the system under test, safeguard the secure operation of the industrial control system, and cover a variety of vulnerabilities and industrial control device types; an attack graph can be generated for any start point and attack target, and data support can be provided for further system analysis. The practical scope comprises generating attack graphs for any attack start point and attack target in an industrial control system and measuring the security of the industrial control system, providing data support for industrial control system security analysis, so the application prospects are very broad.
Drawings
FIG. 1 is a security metric architecture diagram based on an attack graph;
FIG. 2 is a schematic diagram of an industrial control system topology;
FIG. 3 is a schematic diagram of vulnerability information association of an attack template;
FIG. 4 is a flow chart of an attack graph generation algorithm;
FIG. 5 is a schematic diagram of attack graph generation;
FIG. 6 is a schematic diagram of attack paths, wherein (a) is a schematic diagram of nested attack paths and (b) is a schematic diagram of parallel attack paths.
Detailed Description
The present invention will be further described by way of examples, but not limited thereto, with reference to the accompanying drawings.
Example 1:
the embodiment provides an attack graph-based industrial control system security measurement method comprising the following four steps; the overall architecture of the method is shown schematically in fig. 1:
step one, acquiring the topological structure information of the industrial control network, detecting the devices of the specific industrial control system (namely the target industrial control system whose security is to be measured), collecting the device information in the industrial control network, and analyzing the association between devices;
step one is the basis: it mainly obtains the devices' own information and the association information of the devices of the target industrial control system within the whole industrial control network;
step two, collecting device vulnerability information according to the detection result of the devices in the industrial control network, namely the device information and association of the specific industrial control system obtained in step one;
step three, storing the topological structure and the device vulnerability information in a graph database, representing the graph structure with nodes and relationships, and generating the system attack graph;
and step four, according to the generated system attack graph, performing network security measurement of the specific industrial control system at three levels, namely vulnerability node measurement, device node measurement and system security measurement, and analyzing attack paths.
Specifically, in the first step, the GRASSMARLIN tool is used to obtain the industrial control network topology structure. The obtained topology information includes the topology planning, the system configuration and the access control rules of the security equipment in the system design document; the connection relations between the system devices are read and extracted from the system design document and the access control rules of the security equipment in order to restore the topological structure of the system. At the same time, the equipment information in the system design document and the system configuration file is read, and the equipment type, equipment model and system version are extracted as the data basis for acquiring equipment vulnerability information.
In addition, given the fragility and real-time requirements of the industrial control system, the GRASSMARLIN tool is used to monitor the topology of the industrial control system in real time so as to detect equipment newly added to the system (the final purpose being a dynamic update of the system attack graph). GRASSMARLIN collects system information passively, which reduces the influence of the detection process on the working state of the equipment in the industrial control system. This is the topology information collection shown in fig. 1.
While the GRASSMARLIN tool monitors the industrial control system topology in real time, its detection result is stored in XML format. The detection result is read periodically at a low frequency (the exact interval is set by technical staff according to the specifics of each system), the relations of updated equipment are extracted, newly added equipment is added to the system, the system equipment that exchanges information with the new equipment is updated, the connection relations between source IP and target IP within the same group are simplified, and redundant data is removed, so as to acquire the system topology dynamically; meanwhile, the topology data, both the original data and the updated data, is ordered according to the detection sequence.
The step of mastering the equipment information in the industrial control network refers to reading the equipment information in a system design document and a system configuration file, and extracting the equipment type, the equipment model and the system version to be used as a data basis for acquiring subsequent equipment vulnerability information.
Analyzing the association condition of the equipment means formatting the association relations among the equipment according to the system topology information acquired from the system design document, the system configuration file and the access control rules of the security equipment. The connection relation between devices is uniformly defined as link, where A link B means that device A has a link to device B, that is, A can access B; link is a directed relation.
Step two, collecting the equipment vulnerability information, including vulnerability information base construction and equipment vulnerability acquisition;
the method comprises the steps of constructing a Vulnerability information base, wherein the Vulnerability information base comprises the steps of Vulnerability information acquisition and Vulnerability information processing, the Vulnerability information acquisition takes a CVE-NVD (composite video environment) Vulnerability Database as a main body, a CNNVD (network video recorder) and an ICS (internet communications network) continuity Database as an expanded security base, a CWE (computer-controlled enterprise) and a CAPEC (computer-aided engineering control) as Vulnerability association information bases to construct a security knowledge base, and the acquired Vulnerability information (Vulnerability information in the Vulnerability base) is stored in a MySQL (structured query language) Database; the vulnerability information processing takes a CNNVD (conditional access network virtualization) and CVE (composite virtual environment) vulnerability knowledge base as a main body, matches and associates all vulnerability information imported into a vulnerability information base (namely a MySQL (structured query language) database), introduces CWE (CWE) as a basis for vulnerability description, vulnerability classification and usability judgment, and combines CAPEC (computer aided engineering) to describe the premise, technical reserve, mode and consequences of attacking by utilizing vulnerabilities;
the collected vulnerability information content items include: vulnerability name, CNNVD number, basic score, CVE number, hazard level, vulnerability type, vulnerability publishing time, vulnerability updating time, threat type, manufacturer, vulnerability description, solution, affected entity, patch, CWE number, CWE name, vulnerability description, other related vulnerabilities, vulnerability introduction mode, vulnerability application influence, related attack mode, attack possibility, attack field, attack mechanism, prerequisite and required skill.
Fig. 3 shows a schematic diagram of the vulnerability information association of an attack template. Taking the CVE-NVD vulnerability knowledge base as the main body, the vulnerability name, CNNVD number, CVE number, hazard grade, vulnerability type, vulnerability release time, vulnerability update time, threat type, manufacturer, vulnerability description, solution, affected entity and patch are filled in from the information on the CNNVD vulnerability detail page. Each CNNVD vulnerability number corresponds to a CVE number, and the vulnerability information on the CVE vulnerability page can be related through the CVE number. The CVE vulnerability page provides an associated CWE number that links to the CWE library. The Common Weakness Enumeration (CWE) provides a description of the weakness for each CWE number according to its classification. Other related vulnerabilities, the vulnerability introduction mode, the impact of exploiting the vulnerability and the related attack modes are described according to the acquired vulnerabilities, and the exploitation conditions, exploitation mode and attack result are filled in with the vulnerability as the core. Meanwhile, the several CAPEC numbers contained in the related attack modes complete the attack preconditions in the attack template and supplement the skills required for the attack, according to the attack possibility, attack field, attack mechanism, preconditions and required skills provided on the CAPEC page. Furthermore, to give a feasibility analysis and severity determination for a particular vulnerability, it can be linked to CVSS through the CVE number, which provides a severity rating and risk score for each vulnerability. This completes the integration and association of the information from the several vulnerability information bases.
Equipment vulnerabilities are acquired by scanning the system equipment with open source scanning tools (such as Nessus, OpenVAS and the like) and with the customized scanning tools of industrial control manufacturers; the scanning tools are configured according to the acquired system equipment information to complete the scan of equipment vulnerability information. Compared with a traditional network, an industrial control system faces stricter safety requirements, and the fragility of industrial control equipment must be considered when scanning for vulnerabilities. Given the sensitivity of the industrial control system, different scanning means are used for industrial control equipment and for general internet equipment according to the equipment type: industrial control equipment is scanned at a low frequency and general internet equipment at a high frequency. This multi-frequency scanning scheme reduces the risk of increased network load and the risk that injected probe packets pose to the industrial control equipment, while still keeping the acquired equipment vulnerability information current.
Then, according to the equipment vulnerability information obtained by scanning, equipment and vulnerabilities are associated and represented: one piece of equipment can be associated with one or more vulnerabilities, the connection relation between equipment and vulnerability is defined as has_VUL_at, and DEVICE1 has_VUL_at VUL1 indicates that device 1 has the vulnerability numbered VUL1. The equipment vulnerability information is matched with the information in the vulnerability information base, so that each vulnerability obtains an atomic attack template of the form CNNVD description - CVE vulnerability number - CWE vulnerability report - CAPEC attack method - CVSS score, which provides the input data for the subsequent attack graph generation, as shown in fig. 3.
In the third step, the attack graph comprises nodes and edges, wherein the edges are attack paths, and the nodes in the attack graph comprise equipment nodes and vulnerability nodes;
the equipment node information comprises service information, open port information and IP information of the equipment vulnerability, the equipment node information is used as the attribute of the equipment node, and the equipment node information is described by adopting quintuple, namely equipment IP, equipment name, service with the vulnerability, service protocol and service port;
the vulnerability node information comprises the CVE/CNNVD number, CWE classification, privilege escalation capability flag and CVSS score from the atomic attack rule; it is attached as node attributes to a vulnerability node identified by a vulnerability ID, and is described by a four-tuple, namely vulnerability ID, vulnerability number, vulnerability type and vulnerability score;
and preprocessing the data according to the results of network topology analysis and vulnerability information collection, and summarizing the data into an equipment information table, a vulnerability information table and an equipment relation table which are used as the input of an attack graph generation algorithm. In the device relationship table, "Y" represents that devices have a connection relationship, and "-" represents that devices do not have a connection relationship.
Table 1: equipment information table [shown as an image in the original document]
Table 2: vulnerability information table [shown as an image in the original document]
Table 3: equipment relation table [shown as an image in the original document]
In the third step, generating a system attack graph, namely generating the attack graph based on the Neo4j graph database, and storing and managing data according to the attribute graph model, wherein nodes in the attack graph are used for representing entities, and relationships are used for representing connections among the entities; and filling node attributes of the attack graph by using the equipment information table and the vulnerability information table, filling node relations by using the equipment relation table, selecting an initial node and a target node, and generating the attack graph through multiple traversals.
The data in the three tables are used as the input of the attack graph generation algorithm, and the flow chart of the algorithm is shown in fig. 4. First, device information, vulnerability information, device relationships, and vulnerability matching are imported into a Neo4j graph database. And judging vulnerability nodes which do not accord with the utilization of the model and equipment nodes which do not accord with the attack conditions according to the atomic attack rule model. And removing the equipment which is not on the attack target route and the isolated vulnerability nodes. Finally, defining the attacker and the target, returning the information in the current graph database, and constructing an attack graph aiming at the system.
Taking the industrial control system of fig. 5 as an example, the starting node is defined as the MES system host, the target node is defined as the PLC1, and an attack graph is generated, which includes 17 nodes and 19 edges. Since MES system PC3 includes two available vulnerabilities, the attack graph contains a total of 12 attack paths.
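The graph generation step described above, as an added example that is not code from the patent: a plain-Python stand-in for the Neo4j graph, taking the three input tables in the format the text describes ("Y" = A link B, "-" = no link; DEVICE has_VUL_at VUL), pruning devices that are not on any route from the attacker to the target and vulnerability nodes left isolated, and enumerating the attack paths. The tables, device names, the unusable-vulnerability flag and the VULn ids are all constructed sample data, not the Fig. 5 system.

```python
"""In-memory attack-graph generation from the three input tables (step three).

Added example, not code from the patent: a plain-Python stand-in for the Neo4j
graph.  The tables below are constructed sample data in the format the text
describes ("Y" = A link B, "-" = no link; DEVICE has_VUL_at VUL); the
vulnerability ids are placeholders, not real identifiers.
"""
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

START, TARGET = "MES host", "PLC1"  # attacker and target, as in the Fig. 5 walk-through

DEVICE_ORDER = ["MES host", "MES PC3", "Database server", "SCADA system", "Historian", "PLC1"]

# Equipment relation table: row = device A, columns in DEVICE_ORDER, "Y" = A link B.
RELATION_TABLE = {
    "MES host":        ["-", "Y", "Y", "-", "-", "-"],
    "MES PC3":         ["-", "-", "Y", "-", "-", "-"],
    "Database server": ["-", "-", "-", "Y", "Y", "-"],
    "SCADA system":    ["-", "-", "-", "-", "-", "Y"],
    "Historian":       ["-", "-", "-", "-", "-", "-"],
    "PLC1":            ["-", "-", "-", "-", "-", "-"],
}

# DEVICE has_VUL_at VUL edges (one device may carry several vulnerabilities).
HAS_VUL_AT = [
    ("MES PC3", "VUL1"), ("MES PC3", "VUL2"),
    ("Database server", "VUL3"),
    ("SCADA system", "VUL4"),
    ("Historian", "VUL5"),
    ("PLC1", "VUL6"),
]

# Constructed: vulnerabilities whose atomic attack template fails the rule
# model (e.g. no matching CAPEC attack pattern) and are dropped before generation.
UNUSABLE_VULS = {"VUL5"}


def links_from_table(table: Dict[str, List[str]], order: List[str]) -> Dict[str, Set[str]]:
    """Turn the relation table into directed link edges A -> {B, ...}."""
    return {a: {order[i] for i, cell in enumerate(row) if cell == "Y"}
            for a, row in table.items()}


def usable_vulns(has_vul_at: List[Tuple[str, str]], unusable: Set[str]) -> Dict[str, List[str]]:
    """Group has_VUL_at edges per device, discarding vulnerability nodes that
    do not fit the atomic attack rule model."""
    out: Dict[str, List[str]] = {}
    for dev, vul in has_vul_at:
        if vul not in unusable:
            out.setdefault(dev, []).append(vul)
    return out


def device_paths(links, vulns, start, target) -> List[List[str]]:
    """Simple paths start -> ... -> target over link edges.  A device other
    than the start node can only be a hop if it has a usable vulnerability
    (the attack condition); otherwise it is skipped."""
    found: List[List[str]] = []

    def walk(node: str, seen: Set[str], path: List[str]) -> None:
        if node == target:
            found.append(path)
            return
        for nxt in sorted(links.get(node, ())):
            if nxt not in seen and nxt in vulns:
                walk(nxt, seen | {nxt}, path + [nxt])

    walk(start, {start}, [start])
    return found


def prune(links, vulns, start, target):
    """Remove devices that are not on any attack route and vulnerability
    nodes left isolated once their device is gone."""
    on_route = {d for p in device_paths(links, vulns, start, target) for d in p}
    kept_links = {a: {b for b in bs if b in on_route}
                  for a, bs in links.items() if a in on_route}
    kept_vulns = {d: v for d, v in vulns.items() if d in on_route}
    return kept_links, kept_vulns


def attack_paths(links, vulns, start, target) -> List[List[Tuple[str, Optional[str]]]]:
    """Expand each device path into attack paths: every hop after the start
    node is entered through one of its vulnerabilities, so a hop with two
    usable vulnerabilities doubles the number of attack paths through it."""
    result = []
    for p in device_paths(links, vulns, start, target):
        hop_choices = [[(d, v) for v in vulns[d]] for d in p[1:]]
        for combo in product(*hop_choices):
            result.append([(start, None)] + list(combo))
    return result


def build_attack_graph(start: str = START, target: str = TARGET) -> Dict[str, object]:
    """Run the pipeline and summarise the resulting graph."""
    links = links_from_table(RELATION_TABLE, DEVICE_ORDER)
    vulns = usable_vulns(HAS_VUL_AT, UNUSABLE_VULS)
    kept_links, kept_vulns = prune(links, vulns, start, target)
    paths = attack_paths(kept_links, kept_vulns, start, target)
    node_count = len(kept_links) + sum(len(v) for v in kept_vulns.values())
    edge_count = sum(len(b) for b in kept_links.values()) + sum(len(v) for v in kept_vulns.values())
    return {"devices": sorted(kept_links), "nodes": node_count,
            "edges": edge_count, "attack_paths": paths}


if __name__ == "__main__":
    summary = build_attack_graph()
    print(summary["nodes"], "nodes,", summary["edges"], "edges")
    for ap in summary["attack_paths"]:
        print(" -> ".join(d if v is None else f"{d}[{v}]" for d, v in ap))
```

With the sample tables, the Historian (whose only vulnerability is unusable) is pruned, and MES PC3's two vulnerabilities yield two attack paths through it, three in total.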
In the fourth step, the network security measurement adopts a layered measurement mode, and measures the industrial control network security according to the node types, namely vulnerability node measurement, equipment node measurement and system security measurement. The additional attributes of the vulnerability nodes are divided into two types: availability and vulnerability hazards. The availability represents the probability that the vulnerability is successfully exploited to the effect of the attack. Vulnerability hazards represent the severity of the impact brought by the successful exploitation of a vulnerability. The device node additional attributes are also classified into two types: the probability of being attacked and the equipment hazard score. The attacked probability is related to the availability of the vulnerability nodes connected with the equipment and represents the successful probability of the equipment being attacked. The equipment danger score is related to the availability of the vulnerability nodes connected with the equipment and vulnerability damage, and represents the influence degree brought by the successful attack of the equipment.
The computation for a node is divided into two categories, an initial node and a non-initial node. The starting node only needs to consider the condition of the vulnerability node connected with the node; the non-initial node considers the vulnerability node connected with the node, and simultaneously combines the attacked probability and the equipment danger score of the upper-layer equipment node, and the system security measure is obtained by calculation according to the danger score of the multilayer accumulated equipment node.
(1) The vulnerability node measurement quantifies the availability of the vulnerability nodes and the vulnerability hazard according to the scanned equipment vulnerability information. The availability of a vulnerability node is defined by the "attack possibility" field in the CAPEC library: the {low, medium, high} attack possibility is quantified as {0.3, 0.6, 0.9}, where a low score represents a low possibility of attack and a high score a high possibility. The hazard score of a vulnerability node is the CVSS (Common Vulnerability Scoring System) vulnerability assessment score, with a full score of 10; the higher the score, the greater the vulnerability hazard, and the lower the score, the smaller the hazard.
(2) The equipment node measurement is quantized according to the attacked probability of the equipment node and the danger score of the equipment node;
a. probability of attack on device node
Aiming at the vulnerability nodes connected with each equipment node, calculating the attacked probability of the equipment nodes according to the availability, as shown in formula I:
[Formula I is shown as an image in the original document]
where $U_{self}$ is the attacked probability of the device node, $u_i$ is the availability of the i-th vulnerability node connected with the device node, and $k$ is the number of vulnerability nodes connected with the device node; the more vulnerability nodes are connected with the device node, the higher its attacked probability;
b. equipment node risk score
And performing weighted hazard calculation on the vulnerability nodes according to the availability of the connected vulnerability nodes to obtain the risk score of the equipment node, as shown in formula II:
[Formula II is shown as an image in the original document]
where $R_{self}$ is the risk score of the device node, $u_i$ and $u_j$ are the availability of the i-th and j-th vulnerability nodes connected with the device node, and $r_i$ is the vulnerability hazard of the i-th vulnerability node connected with the device node.
(3) The system security metric comprises an initial node metric and a non-initial node metric;
a. starting node metric
Since the starting node is already under the attacker's control, it is not itself attacked, so the attacked probability of the starting device node defaults to 1, meaning that all privileges on the device have been acquired; and since the starting node has no predecessor and its in-degree is 0, the danger score of the starting node equals the node's own danger score.
b. Non-starting node metric
The non-initial node considers the vulnerability node connected with the node, and simultaneously combines the attacked probability and the equipment danger score of the upper layer equipment node, calculates the accumulated attacked probability and the equipment danger score of the upper layer equipment node and the local layer equipment node, and calculates the system safety measurement according to the danger score of the multilayer accumulated equipment nodes;
the attack probability of the non-initial node is calculated as formula III:
[Formula III is shown as an image in the original document]
where $d_i$ is the in-degree of the node and $U_m$ is the attacked probability of the m-th upper-layer node connected with the device node. The measurement accounts for the node's in-degree and for the influence of the upper-layer nodes' attacked probability on the current-layer node: the higher the in-degree, the higher the attacked probability of the node, and the higher the attacked probability of the upper-layer node, the higher the attacked probability of the current-layer node;
the risk score of a non-starting node is calculated as formula IV:
[Formula IV is shown as an image in the original document]
where $U_m$ and $U_n$ are the attacked probabilities of the m-th and n-th upper-layer nodes connected with the device node, and $R_m$ is the danger score of the m-th upper-layer node connected with the device node;
the risk score measurement of a non-starting node accounts for the influence of the upper-layer nodes' attacked probability on the current-layer node and, at the same time, accumulates the risk scores of the upper-layer nodes: the larger the node's in-degree, the larger its risk score; the higher the attacked probability of the upper-layer node, the higher the danger score of the current-layer node; and the larger the danger score of the upper-layer node, the larger the danger score of the current-layer node. The danger score $R_{dest}$ of the final target node is thus computed cumulatively along the attack paths over multiple layers.
In the fourth step, the attack paths comprise nested paths and parallel paths. The key attack path is analysed quantitatively together with the system security measurement value, and an asset value index is introduced for this analysis. The asset value is determined jointly by the node in/out degree and the asset importance. The asset importance index divides assets into ten grades from 1 to 10 (assigned according to expert experience), where 10 is very important and 1 is very unimportant. Meanwhile, the node in/out degrees appearing in the current attack graph are normalized against the highest in/out degree; the in/out degree of the starting node and of the target node defaults to 1 and is not down-weighted. Taking the attack graph shown in fig. 6 as an example, the in/out degrees are {2, 5}; after normalization, the node with degree 5 becomes 1 and the node with degree 2 becomes 0.4. Finally, the asset value is the product of the asset importance and the normalized in/out degree, as shown in formula V:
$P_{value} = P_{significance} \times d_{io}$ (V)
where $P_{value}$ is the asset value, $P_{significance}$ is the asset importance, and $d_{io}$ is the normalized node in/out degree;
The key attack path in the attack graph is then analysed using these indexes. Branching within an attack path falls into two cases, nested path analysis and parallel path analysis, as shown in fig. 6.
a. Nested path analysis
As shown in fig. 6 (a), the attack path MES PC1 -> MES PC2 -> MES PC3 contains the path MES PC1 -> MES PC3. The path sets of nested paths exclude the common starting node: Path1 = {MES PC3}, Path2 = {MES PC2, MES PC3}. The key path for this case is chosen as follows:
[Formula VI is shown as an image in the original document]
where $Path_{sign}$ is the path criticality index, $U_j$ is the attacked probability of the j-th device node in the path set, $R_i$ is the danger score of the i-th device node in the path set, and $P_{value_i}$ is the asset value of the i-th device node in the path set. For nested paths the key path is chosen mainly on the number of attack hops: in general the path with fewer hops is the key path, and a path with more hops can be the key path only when both the attacked probability and the danger score of its intermediate nodes are large, so the judgement is made by technical staff according to the target industrial control system and long-term working experience. Taking fig. 6 (a) as an example, according to practical experience the asset importance of MES PC2 and MES PC3 is defined as 6, and the normalized in/out degrees are both 0.4. $Path1_{sign} = 0.9 \times 9.9 \times 2.4 = 21.384$, $Path2_{sign} = 0.3 \times 0.9 \times 9.9 \times 2.4 + 0.3 \times 6.9 \times 2.4 = 11.3832$. Thus the key path among the nested attack paths is Path1, the MES PC1 -> MES PC3 path.
b. Parallel path analysis
As shown in fig. 6 (b), the attack path database server -> PLC1 comprises three parallel attack paths: database server -> operator station -> PLC1, database server -> engineer station -> PLC1, and database server -> SCADA system -> PLC1. The path set of the parallel attack paths consists of the three parallel nodes, excluding the common starting node and end node: Path = {operator station, engineer station, SCADA system}. The key path for this case is chosen as follows:
$Path_{sign} = \max\{U_i \times R_i \times P_{value_i}\}, \quad i = 1, 2, \dots, k$ (VII)
where $U_i$ is the attacked probability of the i-th device node in the path set, $R_i$ is the danger score of the i-th device node in the path set, and $P_{value_i}$ is the asset value of the i-th device node in the path set; finally, the key path is selected by comparing the criticality indexes of the three parallel paths;
taking fig. 6 (b) as an example, according to practical experience the asset importance of the operator station is defined as 8, that of the engineer station as 7 and that of the SCADA system as 9, and the normalized in/out degrees are all 0.4. $Path_{sign} = \max\{0.6 \times 7.8 \times 3.2,\; 0.8 \times 9.8 \times 2.8,\; 0.9 \times 6.9 \times 3.6\} = \max\{14.976, 21.952, 22.356\} = 22.356$. Thus the key path among the parallel attack paths is Path3, the database server -> SCADA system -> PLC1 path.
Combining the results of the nested path and parallel path analyses, the key path of the attack graph is MES PC1 -> MES PC3 -> database server -> SCADA system -> PLC1. The importance of the several paths is calculated through these quantitative indexes to obtain the key attack path. A system key attack path that jointly considers asset value, attack possibility and vulnerability reflects the security condition of the critical part of the system. Meanwhile, the weak points of the system can be located accurately from the path score, the equipment score and the vulnerability score. In addition, from the vulnerability details provided in the vulnerability base, the vulnerability attributes can be understood quickly and solutions found, providing data support for the security protection of the industrial control system.
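The asset value and key path selection described above, as an added example that is not code from the patent. Formula V and formula VII are as given in the text; formula VI survives in the original only as an image, so the nested-path index here is reconstructed from the worked numbers for fig. 6 (a) on the assumption that the attacked probabilities of earlier hops multiply into each later hop's term. The node values are the constructed ones quoted in the text, and the degree dictionary in the main block is a constructed sample.

```python
"""Asset value and key attack path selection (formulas V, VI and VII).

Added example, not code from the patent.  Formula V and formula VII are as
given in the text; formula VI is shown in the original only as an image, so
the nested-path computation here is reconstructed from the worked numbers
for Fig. 6(a) (assumption: the attacked probabilities of earlier hops are
multiplied into every later hop's term).  All node values are the
constructed ones quoted in the text.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DeviceNode:
    name: str
    attacked_prob: float  # U, device-node attacked probability
    risk_score: float     # R, device-node danger score
    importance: int       # P_significance, expert-assigned grade 1..10


def normalize_in_out_degree(degrees: Dict[str, int], start: str, target: str) -> Dict[str, float]:
    """Pre-step of formula V: divide each in/out degree by the highest one in
    the attack graph; the start and target nodes are fixed at 1 and not
    down-weighted."""
    others = {n: d for n, d in degrees.items() if n not in (start, target)}
    top = max(others.values()) if others else 1
    d_io = {n: d / top for n, d in others.items()}
    d_io[start] = 1.0
    d_io[target] = 1.0
    return d_io


def asset_value(node: DeviceNode, d_io: float) -> float:
    """Formula V: P_value = P_significance * d_io."""
    return node.importance * d_io


def nested_path_index(path: List[DeviceNode], d_io: Dict[str, float]) -> float:
    """Formula VI (reconstructed): sum over hops i of
    (U_1 * ... * U_i) * R_i * P_value_i; the path set excludes the start node."""
    cumulative_u, total = 1.0, 0.0
    for node in path:
        cumulative_u *= node.attacked_prob
        total += cumulative_u * node.risk_score * asset_value(node, d_io[node.name])
    return total


def parallel_path_index(candidates: List[DeviceNode], d_io: Dict[str, float]) -> Dict[str, float]:
    """Formula VII: Path_sign = max_i { U_i * R_i * P_value_i } over the
    parallel intermediate nodes; every term is returned so the winner is visible."""
    return {n.name: n.attacked_prob * n.risk_score * asset_value(n, d_io[n.name])
            for n in candidates}


def key_path(indexes: Dict[str, float]) -> str:
    """The key path is the candidate with the highest criticality index."""
    return max(indexes, key=indexes.get)


def fig6a_nested() -> Dict[str, float]:
    """Fig. 6(a): Path1 = MES PC1 -> MES PC3, Path2 = MES PC1 -> MES PC2 -> MES PC3.
    Constructed values from the text: importance 6 and d_io 0.4 for both hops."""
    pc2 = DeviceNode("MES PC2", 0.3, 6.9, 6)
    pc3 = DeviceNode("MES PC3", 0.9, 9.9, 6)
    d_io = {"MES PC2": 0.4, "MES PC3": 0.4}
    return {"Path1": nested_path_index([pc3], d_io),
            "Path2": nested_path_index([pc2, pc3], d_io)}


def fig6b_parallel() -> Dict[str, float]:
    """Fig. 6(b): database server -> {operator station | engineer station | SCADA system} -> PLC1.
    Constructed values from the text: importance 8, 7, 9 and d_io 0.4 for all three."""
    nodes = [DeviceNode("operator station", 0.6, 7.8, 8),
             DeviceNode("engineer station", 0.8, 9.8, 7),
             DeviceNode("SCADA system", 0.9, 6.9, 9)]
    d_io = {n.name: 0.4 for n in nodes}
    return parallel_path_index(nodes, d_io)


if __name__ == "__main__":
    # Constructed degree sample: the {2, 5} case from the text plus start/target.
    print(normalize_in_out_degree({"A": 2, "B": 5, "src": 3, "dst": 1}, "src", "dst"))
    print(fig6a_nested(), "->", key_path(fig6a_nested()))
    print(fig6b_parallel(), "->", key_path(fig6b_parallel()))
```

Running it reproduces the text's figures: 21.384 and 11.3832 for the nested case (Path1 wins) and {14.976, 21.952, 22.356} for the parallel case (the SCADA system branch wins).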
Example 2:
a server, comprising:
one or more processors;
a storage device having one or more programs stored thereon which, when executed by the one or more processors, cause the one or more processors to implement the attack graph-based industrial control system security measurement method of embodiment 1.
Example 3:
a computer-readable medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the attack graph-based industrial control system security measure method of embodiment 1.
The above description is only for the specific embodiments of the present invention, and the protection scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the protection scope of the present invention.

Claims (10)

1. An industrial control system security measurement method based on an attack graph is characterized by comprising the following steps:
step one, acquiring topological structure information of the industrial control network, detecting the equipment of a specific industrial control system, grasping the equipment information in the industrial control network, and analyzing the equipment association condition;
step two, collecting equipment vulnerability information according to the detection result of the equipment in the industrial control network;
step three, according to the topological structure and the equipment vulnerability information, storing the data in a graph format using a graph database, representing the graph structure with nodes and relations, and generating a system attack graph;
and step four, according to the generated system attack graph, performing network security measurement on the specific industrial control system according to three levels of vulnerability node measurement, equipment node measurement and system security measurement, and analyzing an attack path.
2. The attack graph-based industrial control system security measurement method according to claim 1, wherein in the first step, the obtained industrial control network topology structure information includes topology planning, system configuration and access control rules of security devices in a system design document; and reading and extracting the connection relation between the system devices according to the system design document and the access control rule of the safety device so as to restore the topological structure of the system.
3. The attack graph-based industrial control system security measurement method according to claim 1, wherein in the second step, collecting the device vulnerability information comprises building a vulnerability information base and obtaining a device vulnerability;
constructing the vulnerability information base comprises acquiring vulnerability information and processing the vulnerability information; a security knowledge base is constructed by taking the CVE-NVD vulnerability database as the main body, the CNNVD and ICS vulnerability databases as extended security bases, and CWE and CAPEC as vulnerability association information bases, and the collected vulnerability information is stored in a MySQL database; the vulnerability information processing takes the CNNVD and CVE vulnerability knowledge bases as the main body, matches and associates all vulnerability information imported into the MySQL database, introduces CWE as the basis for vulnerability description, vulnerability classification and exploitability judgement, and combines CAPEC to describe the premise, technical prerequisites, mode and consequences of attacks that exploit the vulnerabilities;
acquiring equipment vulnerabilities comprises scanning the system equipment for vulnerabilities with a scanning tool, the scanning tool being configured according to the acquired system equipment information to complete the scan of equipment vulnerability information; then, according to the equipment vulnerability information obtained by scanning, equipment and vulnerabilities are associated and represented, wherein one piece of equipment can be associated with one or more vulnerabilities, the connection relation between equipment and vulnerability is defined as has_VUL_at, and DEVICE1 has_VUL_at VUL1 indicates that device 1 has the vulnerability numbered VUL1; and the equipment vulnerability information is matched with the information in the vulnerability information base, so that each vulnerability obtains an atomic attack template of the form CNNVD description - CVE vulnerability number - CWE vulnerability report - CAPEC attack method - CVSS score, which provides the input data for the subsequent attack graph generation.
4. The industrial control system security measurement method based on the attack graph as claimed in claim 1, wherein in step three, the nodes in the attack graph include device nodes and vulnerability nodes;
the equipment node information comprises service information, open port information and IP information of the equipment vulnerability, the equipment node information is used as the attribute of the equipment node, and the equipment node information is described by adopting quintuple, namely equipment IP, equipment name, service with the vulnerability, service protocol and service port;
the vulnerability node information comprises the CVE/CNNVD number, CWE classification, privilege escalation capability flag and CVSS score from the atomic attack rule; it is attached as node attributes to a vulnerability node identified by a vulnerability ID, and is described by a four-tuple, namely vulnerability ID, vulnerability number, vulnerability type and vulnerability score;
and preprocessing the data according to the results of network topology analysis and vulnerability information collection, and summarizing the data into an equipment information table, a vulnerability information table and an equipment relation table which are used as the input of an attack graph generation algorithm.
5. The attack graph-based industrial control system security measurement method according to claim 1, wherein in step four, the vulnerability node measurement quantifies the availability of the vulnerability nodes and the vulnerability hazard according to the scanned equipment vulnerability information; the availability of a vulnerability node is defined by the "attack possibility" field in the CAPEC library, the {low, medium, high} attack possibility is quantified as {0.3, 0.6, 0.9}, where a low score represents a low possibility of attack and a high score a high possibility; and the hazard score of a vulnerability node is the CVSS (Common Vulnerability Scoring System) vulnerability assessment score, with a full score of 10, where the higher the score, the greater the vulnerability hazard, and the lower the score, the smaller the hazard.
6. The attack graph-based industrial control system security measurement method according to claim 1, wherein in step four, the device node measurement is quantified according to the device node attacked probability and the device node risk score;
a. attacked probability of a device node
For the vulnerability nodes connected to each device node, the attacked probability of the device node is calculated from their availability, as shown in formula I:
(formula I: given only as an image in the original; not reproduced here)
where U_self represents the attacked probability of the device node, u_i represents the availability of the i-th vulnerability node connected to the device node, and k represents the number of all vulnerability nodes connected to the device node; the more vulnerability nodes connected to a device node, the higher its attacked probability;
b. device node risk score
A hazard calculation weighted by the availability of the connected vulnerability nodes is performed to obtain the risk score of the device node, as shown in formula II:
(formula II: given only as an image in the original; not reproduced here)
where R_self represents the risk score of the device node, u_i and u_j represent the availability of the i-th and j-th vulnerability nodes connected to the device node, and r_i represents the vulnerability hazard of the i-th vulnerability node connected to the device node.
7. The attack graph-based industrial control system security measurement method according to claim 1, wherein in step four, the system security measurement comprises a start node measurement and a non-start node measurement;
a. start node measurement
Since the start node is where authority has already been acquired and it has no attacked condition, the attacked probability of the start device node defaults to 1, representing that all authority over the device has been acquired; and since the start node has no predecessor node and its in-degree is 0, the danger score of the start node equals the node's own danger score;
b. non-start node measurement
A non-start node takes into account the vulnerability nodes connected to it and, at the same time, combines the attacked probability and device danger score of the upper-layer device nodes; it calculates the cumulative attacked probability and device danger score over the upper-layer device nodes and the current-layer device node, and the system security measurement is calculated from the danger scores of the device nodes accumulated over multiple layers;
the attacked probability of a non-start node is calculated by formula III:
(formula III: given only as an image in the original; not reproduced here)
where d_i represents the in-degree of the node and U_m represents the attacked probability of the m-th upper-layer node connected to the device node; the measurement method takes into account both the in-degree of the node and the influence of the attacked probability of the upper-layer nodes on the current-layer node: the higher the in-degree of the node, the higher its attacked probability, and the higher the attacked probability of the upper-layer node, the higher the attacked probability of the current-layer node;
the risk score of a non-start node is calculated by formula IV:
(formula IV: given only as an image in the original; not reproduced here)
where U_m and U_n represent the attacked probabilities of the m-th and n-th upper-layer nodes connected to the device node, and R_m represents the danger score of the m-th upper-layer node connected to the device node;
the risk score of a non-start node is calculated by considering the influence of the attacked probability of the upper-layer nodes on the current-layer node while accumulating the risk scores of the upper-layer nodes: the greater the in-degree of the node, the greater its risk score; the higher the attacked probability of the upper-layer node, the higher the danger score of the current-layer node; and the larger the danger score of the upper-layer node, the larger the danger score of the current-layer node. The danger score R_dest of the final target node is obtained by cumulative calculation along the attack path through multiple layers.
8. The attack graph-based industrial control system security measurement method according to claim 1, wherein in step four, the attack paths comprise nested paths and parallel paths; the key attack path is analysed quantitatively in combination with the system security measurement value, and an asset value index is introduced into the analysis, wherein the asset value is jointly determined by the access degree of a node and the asset importance; the asset importance index grades assets on ten levels from 1 to 10, 10 being very important and 1 very unimportant; at the same time, according to the access degrees of the nodes appearing in the current attack graph, the highest access degree is taken as the reference and the remaining access degrees are normalised against it, while the access degrees of the start node and the target node default to 1 and receive no down-weighting; finally the asset value is the product of the asset importance and the access degree, as in formula V:
$P_{value} = P_{significance} \cdot d_{io}$ (V)
where P_value represents the asset value, P_significance represents the asset importance, and d_io represents the node access degree after normalisation;
a. nested path analysis
The nodes in the path set of a nested path do not include the common start node, and the key path in this case is selected as follows:
(formula VI: given only as an image in the original; not reproduced here)
where Path_sign is the path criticality index, U_j represents the attacked probability of the j-th device node in the path set, R_i represents the danger score of the i-th device node in the path set, and P_value_i represents the asset value of the i-th device node in the path set; for nested paths the key path takes the attack hop count as the main basis of calculation: in general the path with fewer attack hops is the key path, and a path with more attack hops can be the key path only when both the attacked probability and the danger score of the intermediate-hop nodes are larger;
b. parallel path analysis
The path set of a parallel attack path is represented by the N parallel nodes excluding the common start node and the common end node, and the key path in this case is selected by the following calculation:
$Path_{sign} = \max\{U_i \cdot R_i \cdot P_{value_i}\},\; i = 1, 2, \dots, k$ (VII)
where U_i represents the attacked probability of the i-th device node in the path set, R_i represents the danger score of the i-th device node in the path set, and P_value_i represents the asset value of the i-th device node in the path set; finally the key path is selected by comparing the criticality indices of the N parallel paths;
and the analysis results of the nested paths and the parallel paths are combined, and the importance of the multiple paths is calculated through the quantitative indices to obtain the key attack path.
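The quantification of claim 5 and the asset-value formula (V) and parallel-path selection (VII) of claim 8, as an added example that is not the patent's own code. The device attacked probabilities U_i and risk scores R_i are constructed inputs, since formulas I to IV are not reproduced on this page, and "access degree" is taken as a plain integer node degree supplied by the caller.

```python
"""Added example: claim 5 availability mapping, formula V asset value and
formula VII parallel-path key-path selection. Not the patent's own code."""
from dataclasses import dataclass

# Claim 5: CAPEC "likelihood of attack" {low, medium, high} -> {0.3, 0.6, 0.9}.
ATTACK_LIKELIHOOD = {"low": 0.3, "medium": 0.6, "high": 0.9}


def vulnerability_availability(likelihood: str) -> float:
    """Availability u of a vulnerability node from its CAPEC likelihood field."""
    return ATTACK_LIKELIHOOD[likelihood.strip().lower()]


@dataclass
class DeviceNode:
    name: str
    access_degree: int   # node degree in the attack graph, before normalisation
    importance: int      # P_significance: 1 (very unimportant) .. 10 (very important)
    attack_prob: float   # U_i, assumed computed upstream (formulas I/III, not shown)
    risk_score: float    # R_i, assumed computed upstream (formulas II/IV, not shown)


def asset_values(nodes, start, target):
    """Formula V: P_value = P_significance * d_io.

    d_io is normalised against the highest access degree in the current attack
    graph; the start and target nodes keep d_io = 1 (no down-weighting).
    """
    max_degree = max(n.access_degree for n in nodes)
    values = {}
    for n in nodes:
        if not 1 <= n.importance <= 10:
            raise ValueError(f"{n.name}: importance must be in 1..10")
        d_io = 1.0 if n.name in (start, target) else n.access_degree / max_degree
        values[n.name] = n.importance * d_io
    return values


def parallel_key_path(nodes, start, target):
    """Formula VII: Path_sign = max{U_i * R_i * P_value_i} over the parallel
    intermediate nodes; the shared start and end nodes are excluded.
    Returns (node name, Path_sign) of the key path, or None if no intermediates."""
    pv = asset_values(nodes, start, target)
    best = None
    for n in nodes:
        if n.name in (start, target):
            continue
        sign = n.attack_prob * n.risk_score * pv[n.name]
        if best is None or sign > best[1]:
            best = (n.name, sign)
    return best


# Constructed sample: three parallel intermediate devices between an engineering
# workstation (start) and a PLC (target); U and R values are made up.
SAMPLE_NODES = [
    DeviceNode("EWS", access_degree=3, importance=6, attack_prob=1.0, risk_score=5.0),
    DeviceNode("HMI-A", access_degree=4, importance=5, attack_prob=0.8, risk_score=6.0),
    DeviceNode("Historian", access_degree=2, importance=9, attack_prob=0.5, risk_score=8.0),
    DeviceNode("HMI-B", access_degree=4, importance=3, attack_prob=0.9, risk_score=9.0),
    DeviceNode("PLC", access_degree=3, importance=10, attack_prob=0.7, risk_score=7.5),
]

if __name__ == "__main__":
    print(asset_values(SAMPLE_NODES, "EWS", "PLC"))
    print(parallel_key_path(SAMPLE_NODES, "EWS", "PLC"))  # key path runs through HMI-B
```

Note that HMI-B wins over HMI-A despite its lower asset importance, because the product in formula VII lets a high attacked probability and danger score outweigh importance; the Historian's high importance is halved by its normalised access degree.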
9. A server, comprising:
one or more processors;
a storage device having one or more programs stored thereon which,
when executed by the one or more processors, cause the one or more processors to implement the attack graph-based industrial control system security measurement method of any one of claims 1 to 8.
10. A computer-readable medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the attack graph-based industrial control system security measurement method of any one of claims 1 to 8.
CN202011043060.3A 2020-09-28 2020-09-28 Industrial control system safety measurement method based on attack graph Active CN112114579B (en)
Publications (2)

Publication Number Publication Date
CN112114579A true CN112114579A (en) 2020-12-22
CN112114579B CN112114579B (en) 2023-07-25