CN112114579B - Industrial control system safety measurement method based on attack graph - Google Patents


Info

Publication number: CN112114579B
Authority: CN (China)
Prior art keywords: node, vulnerability, attack, equipment, information
Legal status: Active
Application number: CN202011043060.3A
Other languages: Chinese (zh)
Other versions: CN112114579A
Inventors: 张耀方, 王佰玲, 孙云霄, 王巍, 黄俊恒, 辛国栋
Current assignee: Harbin Institute of Technology Weihai
Original assignee: Harbin Institute of Technology Weihai

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
    • G05B23/0275 Fault isolation and identification, e.g. classify fault; estimate cause or root of failure
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The invention relates to an industrial control system safety measurement method based on an attack graph, which comprises the following steps: acquiring topology structure information of an industrial control network, detecting the equipment of a specific industrial control system, grasping the equipment information in the industrial control network, and analyzing the association between the equipment; collecting equipment vulnerability information according to the detection result for the equipment in the industrial control network; storing the topological structure and the equipment vulnerability information in graph form with a graph-database-based method, and generating a system attack graph in which the graph structure is represented by nodes and relations; and, according to the generated system attack graph, carrying out network security measurement of the specific industrial control system on three layers, namely vulnerability node measurement, equipment node measurement and system security measurement, and analyzing the attack paths. The method uncovers potential threats to the greatest extent, greatly shortens the analysis period of industrial control system safety measurement, improves measurement efficiency and lays a foundation for the protection of industrial control systems.

Description

Industrial control system safety measurement method based on attack graph
Technical Field
The invention relates to an industrial control system security measurement method based on an attack graph, and belongs to the technical field of network security.
Background
In recent years, industrial control systems have gradually become informatized, which not only introduces the diverse methods of the Internet but also brings various attack threats to the industrial control system. Highly informatized industrial control systems must face changes in the network environment as well as the potential impact of network components on the system. In view of the complicated operating environment and diverse attack modes of industrial control systems, an industrial control system safety measurement method based on an attack graph is provided: potential attack paths of the industrial control system are displayed by integrating vulnerability and topology information, a visual safety measurement process is provided, data support is provided for subsequent system safety analysis, and critical task assets are protected from being damaged by potential threat sources.
For example, Chinese patent document CN110533754A provides an interactive attack graph display system and display method based on a large-scale industrial control network, where the display system includes a JSON file construction module, a network topology generation module, a scene roaming processing module, an attack graph generation module and an interaction event processing module; the method starts from the attack target and generates the attack graph in reverse, thereby greatly reducing the complexity of the attack graph and improving its usability. The attack graph display system adopts an interactive mode, allows a user to switch the attack target by clicking, generates a real-time key attack path based on the determined target, and greatly improves the visual management of the attack graph. This facilitates the network security analysis and evaluation of security operation and maintenance personnel and security analysts, and effectively helps network security incident handlers to recognize a network attack path as early as possible and defend key points. Chinese patent document CN108156114A provides a key node determining method and device for the network attack graph of a power cyber-physical system, wherein the method comprises the following steps: respectively obtaining at least one characteristic value of all nodes in the attack graph; respectively determining the weights of the characteristic values; and determining key nodes from all the nodes according to the at least one characteristic value and the weight.
The importance degree of each node can be quantified by acquiring at least one characteristic value of all nodes in the attack graph; the weight of each characteristic value is determined, so that the characteristic values can be weighted; and finally, determining key nodes from all the nodes according to the characteristic values and the corresponding weights, and comprehensively considering all the nodes, so that the key node identification of the system attack graph is realized in multiple dimensions and directions from multiple aspects, and the problem that the security protection emphasis of the attack graph is uncertain is solved. The Chinese patent document CN108629474A discloses a process safety assessment method based on an attack graph model, which comprises the following steps: designing a safety node according to the safety attribute of the safety control system; forming a flow scheme by the designed nodes according to the business flow logic; realizing the design of a flow scheme in a mode of establishing a tree diagram; performing evaluation modeling on the designed flow scheme, and performing evaluation calculation to generate an evaluation conclusion; the process scheme evaluation comprises the steps of establishing a process safety evaluation system, a reliability evaluation system and an operation efficiency evaluation system, and giving a system comprehensive evaluation result through a comprehensive scoring model based on evaluation values of the three evaluation system indexes; and according to the importance degree, the realizability and the complexity degree parameter grade of the security weak node, giving an optimization strategy aiming at the current flow scheme. The method solves the uncertainty caused by human intervention, and improves the accuracy, reliability and high efficiency of the safety evaluation result.
Currently, security metrics for industrial control systems are few; they lack a system-wide security measurement scheme and fail to take into account the vulnerability relationships between system devices. Because the topology of an industrial control system is complex, and the selection and quantification of safety indexes for measurement are difficult, current safety measurement schemes consist mainly of qualitative analysis. Therefore, in order to achieve global measurement of industrial control system security quantification, it is necessary to design a global security measurement method for industrial control systems.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a safety measurement method based on an attack graph of an industrial control system, wherein the attack graph represents detailed information of an attack process of the industrial control system in a graph structure.
Term interpretation:
1. CVE-NVD (Common Vulnerabilities and Exposures - National Vulnerability Database), the common vulnerabilities and exposures list together with the national vulnerability database.
2. CNNVD (China National Vulnerability Database of Information Security), the national information security vulnerability database of China.
3. ICS (Industrial Control System) Vulnerability Database, an industrial control system vulnerability database.
4. CWE (Common Weakness Enumeration), the common weakness enumeration.
5. CAPEC (Common Attack Pattern Enumeration and Classification), the common attack pattern enumeration and classification.
6. Availability represents the probability that the vulnerability is successfully exploited to reach the attack effect.
7. Vulnerability harm represents the severity of the impact caused by the successful utilization of the vulnerability.
The technical scheme of the invention is as follows:
an industrial control system safety measurement method based on an attack graph comprises the following steps:
step one, acquiring topology structure information of an industrial control network, detecting equipment of a specific industrial control system, grasping equipment information in the industrial control network, and analyzing the association condition of the equipment;
step two, collecting equipment vulnerability information aiming at the detection result of equipment in the industrial control network;
step three, storing the topological structure and the equipment vulnerability information in graph form with a graph-database-based method, and generating a system attack graph in which the graph structure is represented by nodes and relations;
And fourthly, according to the generated system attack graph, carrying out network security measurement on the specific industrial control system according to three layers of vulnerability node measurement, equipment node measurement and system security measurement, and analyzing an attack path.
Preferably, in the first step, GRASSMARLIN tools are used to obtain topology information of the industrial control network.
Preferably, in the first step, the obtaining industrial control network topology information includes topology planning, system configuration and access control rules of the security device in a system design document; and reading the connection relation between the system devices and extracting according to the system design document and the access control rule of the safety device so as to restore the system topology structure.
Preferably, in the first step, the detection of the equipment of the specific industrial control system means that the GRASSMARLIN tool is adopted to monitor the topology of the industrial control system in real time so as to detect the equipment newly added into the industrial control system, and the GRASSMARLIN tool adopts a passive detection mode to realize information collection of the detection system, so that the influence of the detection process on the working state of the equipment in the industrial control system is reduced.
Preferably, in the first step, the step of grasping the device information in the industrial control network refers to reading the device information in the system design document and the system configuration file, and extracting the device type, the device model and the system version as the data basis for acquiring the subsequent device vulnerability information.
Preferably, in the first step, analyzing the device association condition refers to formatting the association relationship between devices according to the system topology information obtained from the system design document, the system configuration file and the access control rules of the security device, where A link B indicates that a link exists between device A and device B, A can access B, and the link is a directed relationship.
Preferably, while the GRASSMARLIN tool monitors the industrial control system topology in real time, the detection results are stored in XML format; the GRASSMARLIN detection results are read periodically at a low frequency, the relationships of the updated equipment are extracted, newly added equipment is added to the system, the system equipment that exchanges information with the new equipment is updated, the connection relationships of the same source-IP and destination-IP group are simplified, and redundant data are removed, realizing dynamic acquisition of the system topology; meanwhile, for both the original data and the updated data, the topological data are ordered according to the detection sequence.
Preferably, in the second step, collecting the device vulnerability information includes constructing a vulnerability information base and acquiring the device vulnerability;
the vulnerability information base construction comprises vulnerability information acquisition and vulnerability information processing; the vulnerability information collection takes the CVE-NVD vulnerability database as the main body, with CNNVD and the ICS Vulnerability Database as extended security libraries and CWE and CAPEC as vulnerability association information libraries, to construct a security knowledge base, and the collected vulnerability information is stored in a MySQL database; the vulnerability information processing takes the CNNVD and CVE vulnerability knowledge bases as the main bodies, matches and associates all vulnerability information imported into the MySQL database, introduces CWE as the basis for vulnerability description, vulnerability classification and availability discrimination, and combines CAPEC to describe the premise, technical prerequisites, mode and consequences of an attack that exploits the vulnerability;
The device vulnerability acquisition uses a scanning tool to scan the vulnerabilities of the system devices; the scanning tool is configured according to the acquired system device information to complete the scan of the device vulnerability information. Then, according to the device vulnerability information obtained by the scan, the association between DEVICE and vulnerability is represented, where one DEVICE can be associated with one or more vulnerabilities; the connection relationship between a DEVICE and a vulnerability is defined as has_vul_at, so that DEVICE1 has_vul_at VUL1 represents that DEVICE1 has the vulnerability numbered VUL1. The device vulnerability information is matched against the information in the vulnerability information base, and each vulnerability obtains an atomic attack template of the form CNNVD description - CVE vulnerability number - CWE vulnerability report - CAPEC attack method - CVSS score, which provides the input data for subsequent attack graph generation.
Preferably, in the third step, the nodes in the attack graph include device nodes and vulnerability nodes;
the device node information comprises service information, open port information and IP information of the device vulnerability, the device node information is used as the attribute of the device node, and the device node information is described by adopting five-tuple, namely device IP, device name, service with the vulnerability, service protocol and service port;
The vulnerability node information comprises the CVE/CNNVD numbers, CWE classification, privilege-escalation capability identifier and CVSS score in the atomic attack rules; it is integrated as node attributes onto vulnerability nodes marked by vulnerability IDs and is described by a four-tuple, namely vulnerability ID, vulnerability number, vulnerability type and vulnerability score;
preprocessing data according to the network topology analysis and the vulnerability information collection result, and summarizing the data into a device information table, a vulnerability information table and a device relation table which are used as inputs of an attack graph generation algorithm.
Preferably, in the third step, a system attack graph is generated, which is based on a Neo4j graph database, and data is stored and managed according to an attribute graph model, wherein nodes in the attack graph are used for representing entities, and relationships are used for representing connection between the entities; and filling node attributes of the attack graph by using the equipment information table and the vulnerability information table, filling node relations by using the equipment relation table, selecting a starting node and a target node, and generating the attack graph through multiple times of traversal.
Preferably, in the fourth step, the vulnerability node metric quantifies the availability and the vulnerability hazard of the vulnerability node according to the scanned vulnerability information of the device; the vulnerability node availability is defined by the "attack probability" field of the CAPEC library, the {low, medium, high} attack probability being quantified as {0.3, 0.6, 0.9}, where a low score indicates a low possibility of being attacked and a high score a high possibility; the vulnerability score of the vulnerability node adopts the CVSS vulnerability assessment score, with a full score of 10, where the higher the score, the greater the vulnerability hazard, and the lower the score, the smaller the vulnerability hazard.
Preferably, in the fourth step, the equipment node metric is quantified according to the probability of the equipment node being attacked and the equipment node risk score;
a. probability of device node being attacked
Aiming at the vulnerability node connected with each equipment node, calculating the attack probability of the equipment node according to the availability ratio of the vulnerability node, wherein the attack probability is as shown in the formula I:
where $U_{self}$ represents the probability of the device node being attacked, $u_i$ represents the availability of the i-th vulnerability node connected to the device node, and $k$ represents the number of vulnerability nodes connected to the device node; the more vulnerability nodes are connected to the device node, the higher the attack probability of the device node;
b. device node risk score
And (3) carrying out weighted hazard calculation on the vulnerability nodes based on the availability of the connected vulnerability nodes to obtain the hazard score of the equipment nodes, wherein the hazard score is as shown in a formula II:
where $R_{self}$ represents the risk score of the device node, $u_i$ and $u_j$ represent the availability of the i-th and j-th vulnerability nodes connected to the device node, and $r_i$ represents the vulnerability hazard of the i-th vulnerability node connected to the device node.
Preferably, in the fourth step, the system security metrics include a start node metric and a non-start node metric;
a. start node metric
Since the authority of the starting node has already been acquired and there is no attacked condition to evaluate, the attacked probability of the starting device node defaults to 1, representing that all authority over the device has been obtained; and since the starting node has no predecessor node, its in-degree is 0, so the risk score of the starting node equals its own risk score;
b. non-originating node metrics
For a non-starting node, the vulnerability nodes connected to the node itself are considered together with the attacked probability and the device risk score of the upper-layer device nodes, so as to calculate the accumulated attacked probability and device risk score over the upper-layer and current-layer device nodes; the system security measure is obtained from the risk scores of device nodes accumulated over multiple layers;
the attack probability of the non-initial node is calculated as shown in the formula III:
where $d_i$ represents the in-degree of the node and $U_m$ represents the attacked probability of the m-th upper-layer node connected to the device node; the method takes into account the in-degree of the node and the influence of the attack probability of the upper-layer nodes on the node of the current layer: the larger the in-degree of the node, the greater its attack probability, and the greater the attacked probability of the upper-layer nodes, the greater the attacked probability of the current-layer node;
the risk score for the non-initiating node is calculated as formula IV:
where $U_m$ and $U_n$ represent the attacked probabilities of the m-th and n-th upper-layer nodes connected to the device node, and $R_m$ represents the risk score of the m-th upper-layer node connected to the device node;
the risk score of a non-starting node takes into account the influence of the attack probability of the upper-layer nodes on the node of the current layer, and at the same time accumulates the risk scores of the upper-layer nodes: the larger the in-degree of the node, the greater its risk score; the greater the attacked probability of the upper-layer nodes, the greater the risk score of the current-layer node; and the greater the risk score of the upper-layer nodes, the greater the risk score of the current node; finally, the risk score $R_{dest}$ of the target node is obtained by accumulating over the multi-layer attack path.
Preferably, in the fourth step, the attack path includes a nested path and a parallel path; carrying out quantitative analysis on a key attack path by combining a system safety metric value, introducing an asset value index to measure in the analysis process, wherein the asset value is determined by node access degree and asset importance, the asset importance index divides the assets into ten grades from 1 to 10, 10 is very important, and 1 is very unimportant; meanwhile, according to the node access degree appearing in the current attack graph, the highest access degree is used as the standard, the other access degrees are normalized, the access degree of the initial node and the target node is defaulted to be 1, the weight reduction processing is not carried out, and finally the asset value is obtained by the product of the asset importance and the access degree, as shown in the formula V:
$P_{value} = P_{significance} \times d_{io}$ (V)
where $P_{value}$ represents the asset value, $P_{significance}$ the asset importance, and $d_{io}$ the normalized node access degree;
a. nested path analysis
Nodes in the path set of the nested paths do not comprise a common starting node, and the key paths in the case are selected and calculated as follows:
where $Path_{sign}$ is the path key index, $U_j$ represents the attack probability of the j-th device node in the path set, $R_i$ represents the risk score of the i-th device node in the path set, and $P_{value,i}$ represents the asset value of the i-th device node in the path set; the key path among nested paths takes the attack hop count as the main basis for calculation: the path with fewer attack hops is generally the key path, and a path with more attack hops can become the key path only when the attack rate and risk scores of its intermediate-hop nodes are larger;
b. parallel path analysis
The path set of parallel attack paths is represented as N parallel nodes excluding the common start node and end node, and the key path for this case is selected as follows:
$Path_{sign} = \max\{U_i \cdot R_i \cdot P_{value,i}\},\ i = 1, 2, \ldots, k$ (VII)
where $U_i$ represents the attacked probability of the i-th device node in the path set, $R_i$ represents the risk score of the i-th device node in the path set, and $P_{value,i}$ represents the asset value of the i-th device node in the path set; finally, the critical path is selected by comparing the key indexes of the N parallel paths;
and synthesizing analysis results of the nested paths and the parallel paths, and calculating the importance of the paths through the quantization indexes to obtain the key attack path.
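The three input tables of step three, the attack graph as the set of start-to-target paths, and the parallel-path key index of formulas V and VII, as an added Python example that is not the patent's own code. It takes the node access degree $d_{io}$ as in-degree plus out-degree (an assumption), and the per-device $U$ and $R$ values are constructed inputs because formulas I to IV are not reproduced on this page; all devices, vulnerabilities, links and grades are constructed sample data.

```python
"""Added worked example, not the patent's own code: the three step-three input tables,
attack-path enumeration from a start node to a target node, and key-path selection for
parallel paths with formulas V and VII.  Sample devices, vulnerabilities, links, grades and
the per-device U/R values are constructed here."""
from collections import defaultdict

# CAPEC "attack probability" {low, medium, high} quantified as {0.3, 0.6, 0.9} (step four).
ATTACK_PROB = {"low": 0.3, "medium": 0.6, "high": 0.9}

# Device information table: device -> five-tuple (IP, name, vulnerable service, protocol, port).
DEVICES = {
    "D0": ("192.0.2.10", "engineering-ws", "http", "tcp", 80),
    "D1": ("192.0.2.21", "hmi-a", "vnc", "tcp", 5900),
    "D2": ("192.0.2.22", "hmi-b", "smb", "tcp", 445),
    "D3": ("192.0.2.30", "plc", "modbus", "tcp", 502),
    "D4": ("192.0.2.40", "historian", "sql", "tcp", 1433),
}
# Vulnerability information table: ID -> (number, type, CVSS score, CAPEC attack probability).
# The identifiers are constructed placeholders, not real CVE/CWE entries.
VULNS = {
    "VUL1": ("CVE-0000-0001", "CWE-0000", 7.5, "high"),
    "VUL2": ("CVE-0000-0002", "CWE-0000", 9.8, "medium"),
    "VUL3": ("CVE-0000-0003", "CWE-0000", 8.1, "low"),
    "VUL4": ("CVE-0000-0004", "CWE-0000", 6.5, "medium"),
}
# has_vul_at relations: "D1 has_vul_at VUL1" means device D1 carries vulnerability VUL1.
HAS_VUL_AT = {"D1": ["VUL1"], "D2": ["VUL2"], "D3": ["VUL3"], "D4": ["VUL4"]}
# Device relation table: directed "A link B" edges, meaning A can access B.
LINKS = [("D0", "D1"), ("D0", "D2"), ("D0", "D4"), ("D1", "D2"),
         ("D1", "D3"), ("D2", "D3"), ("D4", "D3")]
# Attacked probability U and risk score R per device node.  Formulas I-IV are not reproduced
# on the page, so these are constructed inputs; the start node's U defaults to 1 (step four).
U = {"D0": 1.0, "D1": 0.9, "D2": 0.6, "D3": 0.3, "D4": 0.5}
R = {"D0": 0.0, "D1": 6.8, "D2": 5.9, "D3": 2.4, "D4": 4.0}
# Asset importance grade, 1 (very unimportant) .. 10 (very important), constructed.
IMPORTANCE = {"D0": 3, "D1": 5, "D2": 6, "D3": 10, "D4": 3}


def vulnerability_attrs(device):
    """(availability, CVSS score) of every vulnerability node attached to a device via
    has_vul_at: the per-vulnerability inputs consumed by the device node metric."""
    return [(ATTACK_PROB[VULNS[v][3]], VULNS[v][2]) for v in HAS_VUL_AT.get(device, [])]


def enumerate_paths(links, start, target):
    """Generate the attack graph as every simple directed path start -> target
    (the repeated traversals of step three)."""
    succ = defaultdict(list)
    for a, b in links:
        succ[a].append(b)
    paths = []

    def dfs(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in succ[node]:
            if nxt not in path:  # no cycles: simple paths only
                path.append(nxt)
                dfs(nxt, path)
                path.pop()

    dfs(start, [start])
    return paths


def asset_values(links, nodes, start, target, importance):
    """Formula V: P_value = P_significance * d_io.  d_io is read here as the node's total
    (in + out) degree in the current attack graph (assumption), normalised by the highest
    degree present; the start and target nodes keep d_io = 1 with no weight reduction."""
    deg = {n: 0 for n in nodes}
    for a, b in links:
        if a in deg and b in deg:
            deg[a] += 1
            deg[b] += 1
    d_max = max(deg.values()) or 1
    return {n: importance[n] * (1.0 if n in (start, target) else deg[n] / d_max) for n in nodes}


def select_critical_parallel_path(links, start, target, u, r, importance):
    """Formula VII for the parallel case: each parallel path is one intermediate node i
    between the common start and end node, Path_sign = max{U_i * R_i * P_value_i}, and the
    key path is the one through the node attaining the maximum.  Nested paths (more than one
    intermediate node, formula VI, not reproduced on the page) are left out of this comparison."""
    paths = enumerate_paths(links, start, target)
    nodes = {n for p in paths for n in p}
    p_value = asset_values(links, nodes, start, target, importance)
    parallel = [p for p in paths if len(p) == 3]
    if not parallel:
        return None, 0.0
    best = max(parallel, key=lambda p: u[p[1]] * r[p[1]] * p_value[p[1]])
    return best, u[best[1]] * r[best[1]] * p_value[best[1]]


if __name__ == "__main__":
    path, sign = select_critical_parallel_path(LINKS, "D0", "D3", U, R, IMPORTANCE)
    print("critical parallel path:", " -> ".join(path), "Path_sign =", round(sign, 2))
```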
A server, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the attack graph-based industrial control system security metrics method described above.
A computer readable medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the attack graph-based industrial control system security metric method described above.
The invention has the technical characteristics and beneficial effects that:
1. the invention takes CVE-NVD as a main body, CNNVD and ICS Vulnerability Database as expansion security libraries and CWE and CAPEC as vulnerability association information libraries to jointly construct an integral security knowledge base. And meanwhile, screening, correlating and fusing the isolated data by combining with a plurality of tool scanning results to generate an attack graph suitable for an industrial control system, and measuring the system safety in a layering manner so as to provide decision support and situation awareness. According to the method, the network threat is associated with the industrial control system equipment according to the vulnerability dependency, the potential threat is discovered to the greatest extent, the analysis period of the industrial control system safety measurement is greatly shortened, the measurement efficiency is improved, and a foundation is laid for the protection work of the industrial control system.
2. The method provides an industrial control system security measurement method based on an attack graph; by utilizing technologies such as asset detection, vulnerability scanning, vulnerability exploitation, graph-data-based attack graph generation and layered security measurement, the system attack paths can be visualized, the security of the system under test is measured, the secure operation of the industrial control system is supported, and various vulnerabilities and industrial control equipment types can be covered; an attack graph can be generated for any starting point and any attack target; and data support can be provided for further system analysis. The practical scope includes supporting the generation of attack graphs for any attack starting point and attack target in the industrial control system and the measurement of industrial control system safety, and providing data support for industrial control system safety analysis, so the method has broad application prospects.
Drawings
FIG. 1 is a diagram of a security metric method architecture based on an attack graph;
FIG. 2 is a schematic diagram of an industrial control system topology;
FIG. 3 is a schematic diagram of vulnerability information association of an attack template;
FIG. 4 is a flowchart of an attack graph generation algorithm;
FIG. 5 is an attack graph generation schematic;
FIG. 6 is a schematic view of an attack path, wherein (a) is a nested attack path schematic view and (b) is a parallel attack path schematic view;
Detailed Description
The invention will now be further illustrated by way of example, but not by way of limitation, with reference to the accompanying drawings.
Example 1:
The embodiment provides an industrial control system security measurement method based on an attack graph, which comprises the following four steps; the overall architecture of the method is shown schematically in FIG. 1:
step one, acquiring topology structure information of an industrial control network, detecting equipment of a specific industrial control system (namely a target industrial control system to be subjected to safety measurement), grasping equipment information in the industrial control network, and analyzing equipment association conditions;
the first step is the foundation, mainly obtain the self information and relevant information situation of the apparatus of the goal industrial control system in the whole industrial control network;
step two, collecting equipment vulnerability information aiming at the detection result of equipment in the industrial control network, namely equipment information and association conditions of a specific industrial control system in the step one;
step three, storing the topological structure and the equipment vulnerability information in graph form with a graph-database-based method, and generating a system attack graph in which the graph structure is represented by nodes and relations;
and fourthly, according to the generated system attack graph, carrying out network security measurement on the specific industrial control system according to three layers of vulnerability node measurement, equipment node measurement and system security measurement, and analyzing an attack path.
Specifically, in the first step, an industrial control network topology structure is acquired by using a GRASSMARLIN tool, and the acquired industrial control network topology structure information comprises topology planning, system configuration and access control rules of safety equipment in a system design document; and reading the connection relation between the system devices and extracting according to the system design document and the access control rule of the safety device so as to restore the system topology structure. Meanwhile, equipment information in a system design document and a system configuration file is read, and equipment types, equipment models and system versions are extracted to be used as data bases for acquiring equipment vulnerability information.
In addition, given the fragility and real-time requirements of industrial control systems, the GRASSMARLIN tool is used to monitor the topology of the industrial control system in real time so as to detect devices newly added to it (the ultimate purpose being dynamic updating of the system attack graph). GRASSMARLIN collects system information in passive detection mode, which reduces the influence of the detection process on the working state of devices in the industrial control system. This is the topology information collection shown in Fig. 1.
During real-time monitoring of the industrial control system topology, the GRASSMARLIN tool stores its detection results in XML format. These results are read periodically at low frequency (the exact interval depends on the particularities of each system and is set by the technicians), the relations of updated devices are extracted, newly added devices are added to the system, the system devices that exchange information with the new devices are updated, connection relations sharing the same source IP and destination IP are merged, and redundant data is removed, so as to realize dynamic acquisition of the system topology; meanwhile, the original and updated topology data are ordered by detection sequence.
The step of mastering the equipment information in the industrial control network is to read the equipment information in the system design document and the system configuration file, extract the equipment type, the equipment model and the system version, and use the extracted equipment type, the equipment model and the system version as data basis for obtaining subsequent equipment vulnerability information.
Analyzing the association conditions of the devices means formatting the association relations between devices according to the system topology information acquired from the system design documents, system configuration files and access control rules of the security devices. The connection relation between devices is uniformly defined as link, where A link B represents a link from device A to device B, meaning that A can access B; link is a directed relation.
Step two, collecting equipment vulnerability information, including constructing a vulnerability information base and acquiring equipment vulnerabilities;
the vulnerability information base construction comprises vulnerability information collection and vulnerability information processing, wherein the vulnerability information collection takes a CVE-NVD vulnerability base as a main body, CNNVD and ICS Vulnerability Database are expansion security bases, CWE and CAPEC are vulnerability association information bases to construct a security knowledge base, and collected vulnerability information (vulnerability information in the vulnerability base) is stored in a MySQL database; the vulnerability information processing uses CNNVD and CVE vulnerability knowledge base as main bodies, matches and associates all vulnerability information imported into the vulnerability information base (namely MySQL database), introduces CWE as the basis of vulnerability description and vulnerability classification and availability discrimination, and combines CAPEC to describe the premise, technical reserve, mode and result of attack by utilizing the vulnerability;
The collected vulnerability information content items comprise: vulnerability names, CNNVD numbers, basic scores, CVE numbers, hazard classes, vulnerability types, vulnerability release time, vulnerability update time, threat types, vendors, vulnerability descriptions, solutions, affected entities, patches, CWE numbers, CWE names, vulnerability descriptions, remaining related vulnerabilities, vulnerability introduction manners, vulnerability application influences, related attack manners, attack possibilities, attack areas, attack mechanisms, preconditions, required skills.
A vulnerability information association diagram of the attack template is shown in Fig. 3. Taking the CVE-NVD vulnerability knowledge base as the main body, the vulnerability name, CNNVD number, CVE number, hazard level, vulnerability type, release time, update time, threat type, vendor, vulnerability description, solution, affected entity and patch are filled in from the CNNVD vulnerability detail page. Each CNNVD vulnerability number corresponds to a CVE number, through which the vulnerability information on the CVE vulnerability page can be associated. CVE vulnerability pages carry associated CWE numbers linking to the CWE weakness library. The Common Weakness Enumeration (CWE) classifies weaknesses and provides a description for each CWE number. Based on the acquired weaknesses, the other related weaknesses, the way the weakness is introduced, the impact of exploiting it and the related attack patterns are described, and the exploitation conditions, exploitation modes and attack results are filled in with the vulnerability as the core. Meanwhile, the attack preconditions and required skills in the attack template are completed from the several CAPEC numbers contained in the related attack patterns, according to the attack likelihood, attack domain, attack mechanism, preconditions and required-skill information provided by the CAPEC pages. Furthermore, to give a feasibility analysis and severity determination for a particular vulnerability, CVSS can be associated through the CVE number, providing a severity rating and risk score for each vulnerability. This completes the integration and association of information from the several vulnerability information libraries.
Device vulnerability acquisition uses open-source scanning tools (such as Nessus, OpenVAS and the like) and the customized scanning tools of industrial control vendors to scan the system devices for vulnerabilities; the scanning tool is configured according to the acquired system device information to complete the scan of device vulnerability information. Compared with traditional networks, an industrial control system faces stricter security requirements, and the fragility of industrial control devices must be considered when scanning them for vulnerabilities. Because of the sensitivity of industrial control systems, different scanning means are used for industrial control devices and for general-purpose Internet devices according to the device type: industrial control devices are scanned at low frequency and general Internet devices at high frequency. This multi-frequency scanning scheme reduces the risk of increasing network load and disturbing the devices by injecting probe packets into industrial control equipment, while still ensuring the timeliness of device vulnerability information acquisition.
Then, according to the device vulnerability information obtained by scanning, the association between device and vulnerability is represented: one device can be associated with one or more vulnerabilities, the connection relation between a device and a vulnerability is defined as has_vul_at, and DEVICE1 has_vul_at VUL1 represents that DEVICE1 has the vulnerability numbered VUL1. The device vulnerability information is matched against the vulnerability information base, and each vulnerability obtains an atomic attack template of the form CNNVD description - CVE vulnerability number - CWE weakness report - CAPEC attack pattern - CVSS score, which provides the input data for the subsequent attack graph generation, as shown in Fig. 3.
In the third step, the attack graph comprises nodes and edges, wherein the edges are the attacked paths, and the nodes in the attack graph comprise equipment nodes and vulnerability nodes;
the device node information comprises service information, open port information and IP information of the device vulnerability, the device node information is used as the attribute of the device node, and the device node information is described by adopting five-tuple, namely device IP, device name, service with the vulnerability, service protocol and service port;
the vulnerability node information comprises the CVE/CNNVD numbers, CWE classification, privilege-escalation capability identifier and CVSS score from the atomic attack rules; it is attached as node attributes to the vulnerability node identified by the vulnerability ID, and is described by a four-tuple, namely vulnerability ID, vulnerability number, vulnerability type and vulnerability score;
preprocessing data according to the network topology analysis and the vulnerability information collection result, and summarizing the data into a device information table, a vulnerability information table and a device relation table which are used as inputs of an attack graph generation algorithm. As shown in the following table, in the device relation table, "Y" represents that devices have a connection relation, and "-" represents that devices do not have a connection relation.
Table 1: Equipment information table
Table 2: Vulnerability information table
Table 3: Equipment relationship table
Generating a system attack graph, namely generating the attack graph based on a Neo4j graph database, storing and managing data according to an attribute graph model, wherein nodes in the attack graph are used for representing entities, and the relationship is used for representing the connection between the entities; and filling node attributes of the attack graph by using the equipment information table and the vulnerability information table, filling node relations by using the equipment relation table, selecting a starting node and a target node, and generating the attack graph through multiple times of traversal.
The data in the three tables are used as the input of the attack graph generation algorithm, and the algorithm flow chart is shown in fig. 4. Firstly, importing equipment information, vulnerability information, equipment relation and vulnerability matching conditions into a Neo4j graph database. And judging the vulnerability nodes which do not accord with the model utilization and the equipment nodes which do not accord with the attack conditions according to the atomic attack rule model. And removing devices which are not on the attack target route and isolated vulnerability nodes. And finally limiting an attacker and a target, returning information in a current graph database, and constructing an attack graph aiming at the system.
Taking the industrial control system of fig. 5 as an example, defining an initial node as an MES system host, and a target node as a PLC1, generating an attack graph including 17 nodes and 19 edges. Since the MES system PC3 includes two exploitable vulnerabilities, the attack graph contains a total of 12 attack paths.
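As an added illustration of the generation and pruning steps just described (example code written for this page, not the patent's or Neo4j's implementation), the following Python keeps the page's `link` and `has_vul_at` relations but runs in memory instead of a graph database. The device tables, the rule that a vulnerability node is exploitable only if it carries a CAPEC availability rating and a positive CVSS score, the rule that a non-start device with no exploitable vulnerability cannot be compromised, and the counting of one attack path per vulnerability choice at each non-start device are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample tables (not the devices of the patent's Fig. 5).
DEVICES = {
    "10.0.0.1": "MES host",         # attacker's start node
    "10.0.0.2": "MES PC2",
    "10.0.0.3": "MES PC3",          # carries two exploitable vulnerabilities
    "10.0.0.4": "printer",          # dead end: cannot reach the target
    "10.0.1.1": "database server",
    "10.0.1.9": "HMI",              # not reachable from the start node
    "10.0.2.1": "PLC1",             # target node
}
# "A link B": A can access B; the relation is directed.
LINKS = [
    ("10.0.0.1", "10.0.0.2"), ("10.0.0.1", "10.0.0.3"), ("10.0.0.2", "10.0.0.3"),
    ("10.0.0.3", "10.0.0.4"), ("10.0.0.3", "10.0.1.1"),
    ("10.0.1.9", "10.0.1.1"), ("10.0.1.1", "10.0.2.1"),
]
# "DEVICE has_vul_at VUL": id -> (device IP, availability from the CAPEC "attack
# probability" field, CVSS score). availability None stands for a vulnerability the
# atomic attack rules do not accept as exploitable (assumed rule).
VULNS = {
    "VUL1": ("10.0.0.2", 0.3, 6.9),
    "VUL2": ("10.0.0.3", 0.9, 9.9),
    "VUL3": ("10.0.0.3", 0.6, 7.5),
    "VUL4": ("10.0.0.4", 0.6, 5.0),
    "VUL5": ("10.0.1.1", 0.8, 9.8),
    "VUL6": ("10.0.1.1", None, 4.3),  # unrated: removed by the rule filter
    "VUL7": ("10.0.1.9", 0.6, 7.0),
    "VUL8": ("10.0.2.1", 0.9, 9.0),
}

def exploitable_vulns(vulns):
    """Group vulnerability nodes that pass the (assumed) atomic attack rule by device."""
    by_device = defaultdict(list)
    for vid, (ip, availability, score) in vulns.items():
        if availability is not None and score > 0:
            by_device[ip].append(vid)
    return by_device

def reachable(adjacency, origin):
    """Nodes reachable from origin by depth-first traversal."""
    seen, stack = set(), [origin]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(adjacency[node])
    return seen

def prune(devices, links, vulns, start, target):
    """Apply the three pruning rules described above; returns
    (kept devices, kept links, exploitable vulnerabilities per kept device)."""
    by_device = exploitable_vulns(vulns)
    # Rule 1: a non-start device with no exploitable vulnerability cannot be compromised.
    attackable = {ip for ip in devices if ip == start or by_device.get(ip)}
    forward, backward = defaultdict(list), defaultdict(list)
    for a, b in links:
        if a in attackable and b in attackable:
            forward[a].append(b)
            backward[b].append(a)
    # Rule 2: keep only devices lying on some start -> target route.
    on_route = reachable(forward, start) & reachable(backward, target)
    kept_links = [(a, b) for a, b in links if a in on_route and b in on_route]
    # Rule 3: vulnerability nodes whose device was dropped are now isolated; drop them.
    kept_vulns = {ip: vids for ip, vids in by_device.items() if ip in on_route}
    return {ip: devices[ip] for ip in on_route}, kept_links, kept_vulns

def device_paths(links, start, target):
    """Enumerate simple device-level routes from start to target (the graph's edges)."""
    adjacency = defaultdict(list)
    for a, b in links:
        adjacency[a].append(b)
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in adjacency[node]:
            if nxt not in path:
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths

def count_attack_paths(paths, vulns_by_device, start):
    """One attack path per choice of exploitable vulnerability at each non-start device
    on a route: a device with two vulnerabilities doubles the routes through it."""
    total = 0
    for path in paths:
        combinations = 1
        for ip in path:
            if ip != start:
                combinations *= len(vulns_by_device[ip])
        total += combinations
    return total
```

With the constructed tables, pruning leaves five devices, two device-level routes and four attack paths, because MES PC3 carries two exploitable vulnerabilities.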
And step four, network security measurement adopts a layered measurement mode, and industrial control network security is measured according to node types, namely vulnerability node measurement, equipment node measurement and system security measurement. The vulnerability node additional attributes fall into two categories: availability and vulnerability hazards. Availability represents the probability that the vulnerability is successfully exploited to reach the effect of the attack. Vulnerability hazards represent the severity of the impact that results after a vulnerability is successfully exploited. The device node additional attributes are also divided into two types: attack probability and device risk score. The probability of being attacked is related to the availability of the vulnerability node connected with the device, and represents the probability of the device being attacked successfully. The equipment danger score is related to the availability of vulnerability nodes connected with the equipment and vulnerability hazards, and represents the influence degree brought by the equipment after the equipment is successfully attacked.
The computation for a node is divided into two categories, a starting node and a non-starting node. The initial node only needs to consider the situation of the vulnerability node connected with the initial node; the non-initial node considers the vulnerability node connected with the node, and combines the attack probability and the equipment risk score of the upper equipment node, and the system security metric is obtained according to the calculation of the risk score of the multi-layer accumulated equipment node.
(1) Vulnerability node measurement quantifies the availability and hazard of vulnerability nodes according to the scanned device vulnerability information. Vulnerability node availability is defined by the "attack probability" field of the CAPEC library; the {low, medium, high} levels of attack probability are quantified as {0.3, 0.6, 0.9}, where a low value indicates a low likelihood of being attacked and a high value a high likelihood. The hazard score of a vulnerability node adopts the CVSS vulnerability assessment score, with a full score of 10: the higher the score, the greater the vulnerability hazard, and the lower the score, the smaller the hazard.
(2) The equipment node measurement is quantified according to the equipment node attack probability and the equipment node risk score;
a. probability of device node being attacked
Aiming at the vulnerability node connected with each equipment node, calculating the attack probability of the equipment node according to the availability ratio of the vulnerability node, wherein the attack probability is as shown in the formula I:
where $U_{self}$ represents the attacked probability of the device node, $u_i$ represents the availability of the i-th vulnerability node connected to the device node, and k represents the number of vulnerability nodes connected to the device node; the more vulnerability nodes a device node is connected to, the higher its attacked probability;
b. Device node risk score
And (3) carrying out weighted hazard calculation on the vulnerability nodes based on the availability of the connected vulnerability nodes to obtain the hazard score of the equipment nodes, wherein the hazard score is as shown in a formula II:
where $R_{self}$ represents the risk score of the device node, $u_i$ and $u_j$ represent the availability of the i-th and j-th vulnerability nodes connected to the device node, and $r_i$ represents the vulnerability hazard of the i-th vulnerability node connected to the device node.
(3) The system security metrics include a start node metric and a non-start node metric;
a. start node metric
Since the privileges on the start node have already been acquired and there is no attacked condition, the attacked probability of the start device node defaults to 1, representing that all privileges on the device have been acquired; and since the start node has no predecessor node, its in-degree is 0, so the risk score of the start node equals its own risk score.
b. Non-originating node metrics
A non-start node considers the vulnerability nodes connected to it and, combined with the attacked probability and risk score of the upper-layer device nodes, calculates the accumulated attacked probability and device risk score of the upper-layer and present-layer device nodes; the system security metric is obtained by accumulating device-node risk scores over multiple layers;
The attack probability of the non-initial node is calculated as shown in the formula III:
where $d_i$ represents the in-degree of the node and $U_m$ represents the attacked probability of the m-th upper-layer node connected to the device node; the method takes into account the node in-degree and the influence of the upper-layer nodes' attacked probability on the node of the present layer: the larger the node in-degree, the larger the attacked probability of the node, and the greater the attacked probability of the upper-layer node, the greater the attacked probability of the present-layer node;
the risk score for the non-initiating node is calculated as formula IV:
where $U_m$ and $U_n$ represent the attacked probability of the m-th and n-th upper-layer nodes connected to the device node, and $R_m$ represents the risk score of the m-th upper-layer node connected to the device node;
the risk score measurement method for non-start nodes considers the influence of the upper-layer nodes' attacked probability on the node of the present layer and at the same time accumulates the risk scores of the upper-layer nodes: the larger the node in-degree, the larger the node risk score; the greater the attacked probability of the upper-layer node, the greater the risk score of the present-layer node; the greater the risk score of the upper-layer node, the greater the risk score of the present node; and finally the risk score $R_{dest}$ of the target node is obtained by accumulating over the multi-layer attack path.
In step four, the attack paths include nested paths and parallel paths. Key attack paths are analyzed quantitatively in combination with the system security metric values, and an asset value index is introduced for the analysis: asset value is determined by the node in/out degree (access degree) and the asset importance. The asset importance index divides assets into ten levels from 1 to 10 (set according to expert experience), where 10 is very important and 1 is very unimportant. Meanwhile, the in/out degrees appearing in the current attack graph are normalized, taking the highest degree as the standard; the degree of the start node and of the target node defaults to 1 and is not down-weighted. Taking the attack graph of Fig. 6 as an example, the degrees are {2, 5}; after normalization the node with degree 5 becomes 1 and the node with degree 2 becomes 0.4. Finally, the asset value is obtained by multiplying the asset importance by the normalized degree, as shown in formula V:
$P_{value} = P_{significance} \cdot d_{io}$ (V)
where $P_{value}$ represents the asset value, $P_{significance}$ represents the asset importance, and $d_{io}$ represents the node in/out degree after normalization;
The key attack paths in the attack graph are then analyzed by combining these indexes. The cases in which branch paths arise within an attack path are of two types, nested paths and parallel paths, as shown in Fig. 6.
a. Nested path analysis
As shown in Fig. 6(a), the attack path MES PC1 -> MES PC2 -> MES PC3 contains the path MES PC1 -> MES PC3. The node sets of the nested paths exclude the common start node: Path1 = {MES PC3}, Path2 = {MES PC2, MES PC3}. The critical path for this case is selected and calculated as follows:
where $Path_{sign}$ is the path key index, $U_j$ represents the attacked probability of the j-th device node in the path set, $R_i$ represents the risk score of the i-th device node in the path set, and $P_{value_i}$ represents the asset value of the i-th device node in the path set. The critical path among nested paths takes the number of attack hops as the main basis: the path with fewer hops is generally the critical path, and a path with more hops becomes the critical path only when the attacked probability and risk score of its intermediate hop nodes are large, so the critical path is judged for each target industrial control system by the technicians according to long-term working experience. Taking Fig. 6(a) as an example, based on practical experience the asset importance of MES PC2 and MES PC3 is set to 6 and their normalized in/out degrees are both 0.4: $Path1_{sign} = 0.9 \times 9.9 \times 2.4 = 21.384$, $Path2_{sign} = 0.3 \times 0.9 \times 9.9 \times 2.4 + 0.3 \times 6.9 \times 2.4 = 11.3832$. Thus the critical path among the nested attack paths is Path1, the MES PC1 -> MES PC3 path.
b. Parallel path analysis
As shown in Fig. 6(b), the attack path database server -> PLC1 includes three parallel attack paths: database server -> operator station -> PLC1, database server -> engineer station -> PLC1, and database server -> SCADA system -> PLC1. The path set of the parallel attack paths is represented by the three parallel nodes, excluding the common start and end nodes: Path = {operator station, engineer station, SCADA system}. The critical path for this case is selected and calculated as follows:
$Path_{sign} = \max\{U_i \cdot R_i \cdot P_{value_i}\},\ i = 1, 2, \dots, k$ (VII)
where $U_i$ represents the attacked probability of the i-th device node in the path set, $R_i$ represents the risk score of the i-th device node in the path set, and $P_{value_i}$ represents the asset value of the i-th device node in the path set; the critical path is finally selected by comparing the key indexes of the three parallel paths;
taking Fig. 6(b) as an example, based on practical experience the asset importance of the operator station is set to 8, that of the engineer station to 7 and that of the SCADA system to 9, and the normalized in/out degrees are all 0.4: $Path_{sign} = \max\{0.6 \times 7.8 \times 3.2,\ 0.8 \times 9.8 \times 2.8,\ 0.9 \times 6.9 \times 3.6\} = \max\{14.976,\ 21.952,\ 22.356\}$. Therefore the critical path among the parallel attack paths is Path3, namely the database server -> SCADA system -> PLC1 path.
Combining the analysis results of the nested and parallel paths, one key path of the attack graph is MES PC1 -> MES PC3 -> database server -> SCADA system -> PLC1. The importance of the multiple paths is calculated through the quantitative indexes to obtain the key attack path. A system key attack path that comprehensively considers asset value, attack likelihood and vulnerability hazard reflects the security condition of the key parts of the system. Meanwhile, the system's weak points can be located accurately from the path scores, device scores and vulnerability scores. In addition, from the detailed vulnerability information provided in the vulnerability library, the attributes of a vulnerability can be understood quickly and a solution found, providing data support for the security protection of the industrial control system.
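The key-path selection of step four, as an added worked example (written for this page; not the patent's code): formula V for the asset value, formula VII for parallel branches, and the nested-path index, which the page does not reproduce as a formula and which is therefore implemented here as the cumulative-product sum that the page's worked numbers (21.384 and 11.3832) follow, an assumption. The node values are the ones quoted for Fig. 6, with the graph's largest degree taken as 5 so that degree 2 normalizes to 0.4.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceNode:
    name: str
    attacked_prob: float  # U, attacked probability from formula III
    risk_score: float     # R, risk score from formula IV
    significance: int     # asset importance, 1 (unimportant) .. 10 (very important)
    degree: int           # in/out degree of the node in the attack graph


def normalized_degree(node, max_degree, fixed):
    """d_io: each degree is divided by the largest degree in the graph; start and target
    nodes (`fixed`) keep the default weight 1 and are not down-weighted."""
    return 1.0 if node.name in fixed else node.degree / max_degree


def asset_values(nodes, max_degree, fixed=()):
    """Formula V: P_value = P_significance * d_io, computed for every node by name."""
    return {n.name: n.significance * normalized_degree(n, max_degree, fixed) for n in nodes}


def nested_path_index(path, values):
    """Path_sign of a nested path, given its device nodes in attack order with the common
    start node excluded. Assumed form (formula VI is not on the page): each hop contributes
    (product of attacked probabilities U up to that hop) * R_i * P_value_i, summed over hops."""
    total, cumulative_u = 0.0, 1.0
    for node in path:
        cumulative_u *= node.attacked_prob
        total += cumulative_u * node.risk_score * values[node.name]
    return total


def critical_nested_path(paths, values):
    """Score each nested path and return (index by path name, name of the critical path)."""
    scored = {name: nested_path_index(path, values) for name, path in paths.items()}
    return scored, max(scored, key=scored.get)


def critical_parallel_path(candidates, values):
    """Formula VII: Path_sign = max{U_i * R_i * P_value_i} over the parallel branch nodes
    (common start and end nodes excluded); returns (score by branch node, winning node)."""
    scored = {n.name: n.attacked_prob * n.risk_score * values[n.name] for n in candidates}
    return scored, max(scored, key=scored.get)


# Node values quoted in the page's Fig. 6 worked examples (degree 2 of a largest degree 5).
MAX_DEGREE = 5
MES_PC2 = DeviceNode("MES PC2", 0.3, 6.9, 6, 2)
MES_PC3 = DeviceNode("MES PC3", 0.9, 9.9, 6, 2)
OPERATOR = DeviceNode("operator station", 0.6, 7.8, 8, 2)
ENGINEER = DeviceNode("engineer station", 0.8, 9.8, 7, 2)
SCADA = DeviceNode("SCADA system", 0.9, 6.9, 9, 2)
FIG6_NODES = [MES_PC2, MES_PC3, OPERATOR, ENGINEER, SCADA]


def fig6_analysis():
    """Reproduce both Fig. 6 cases: (nested scores, nested winner, parallel scores, parallel winner)."""
    values = asset_values(FIG6_NODES, MAX_DEGREE)
    nested, nested_winner = critical_nested_path(
        {"Path1": [MES_PC3], "Path2": [MES_PC2, MES_PC3]}, values)
    parallel, parallel_winner = critical_parallel_path([OPERATOR, ENGINEER, SCADA], values)
    return nested, nested_winner, parallel, parallel_winner


if __name__ == "__main__":
    print(fig6_analysis())
```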
Example 2:
a server, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the attack graph-based industrial control system security metrics method of embodiment 1.
Example 3:
a computer readable medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the attack graph-based industrial control system security metric method of embodiment 1.
The above description is merely illustrative of the present invention, and the present invention is not limited thereto, and any changes or substitutions easily contemplated by those skilled in the art within the technical scope of the present invention should be included in the scope of the present invention.

Claims (9)

1. An industrial control system safety measurement method based on an attack graph is characterized by comprising the following steps:
step one, acquiring topology structure information of an industrial control network, detecting equipment of a specific industrial control system, grasping equipment information in the industrial control network, and analyzing the association condition of the equipment;
step two, collecting equipment vulnerability information aiming at the detection result of equipment in the industrial control network;
step three, storing the topology structure and the device vulnerability information in graph form using a graph-database-based method, and generating a system attack graph by representing the graph structure with nodes and relationships;
fourthly, according to the generated system attack graph, carrying out network security measurement on a specific industrial control system according to three layers of vulnerability node measurement, equipment node measurement and system security measurement, and analyzing an attack path; the equipment node measurement is quantified according to the attack probability of the equipment node and the equipment node danger score;
a. Probability of device node being attacked
Aiming at the vulnerability node connected with each equipment node, calculating the attack probability of the equipment node according to the availability ratio of the vulnerability node, wherein the attack probability is as shown in the formula I:
where $U_{self}$ represents the attacked probability of the device node, $u_i$ represents the availability of the i-th vulnerability node connected to the device node, and k represents the number of vulnerability nodes connected to the device node; the more vulnerability nodes a device node is connected to, the higher its attacked probability;
b. device node risk score
And (3) carrying out weighted hazard calculation on the vulnerability nodes based on the availability of the connected vulnerability nodes to obtain the hazard score of the equipment nodes, wherein the hazard score is as shown in a formula II:
where $R_{self}$ represents the risk score of the device node, $u_i$ and $u_j$ represent the availability of the i-th and j-th vulnerability nodes connected to the device node, and $r_i$ represents the vulnerability hazard of the i-th vulnerability node connected to the device node.
2. The attack graph-based industrial control system security measurement method according to claim 1, wherein in the first step, the obtaining of the industrial control network topology information includes topology planning, system configuration and access control rules of the security device in a system design document; and reading the connection relation between the system devices and extracting according to the system design document and the access control rule of the safety device so as to restore the system topology structure.
3. The attack graph-based industrial control system security measurement method according to claim 1, wherein in the second step, collecting the device vulnerability information comprises vulnerability information base construction and device vulnerability acquisition;
the loophole information base construction comprises loophole information acquisition and loophole information processing; the vulnerability information collection takes a CVE-NVD vulnerability database as a main body, CNNVD and ICS Vulnerability Database are expansion security libraries, CWE and CAPEC are vulnerability association information libraries to construct a security knowledge base, and the collected vulnerability information is stored in a MySQL database; the vulnerability information processing takes CNNVD and CVE vulnerability knowledge base as main bodies, matches and associates all vulnerability information imported into MySQL database, introduces CWE as the basis of vulnerability description and vulnerability classification and availability discrimination, and combines CAPEC to describe the premise, technical reserve, mode and caused result of attack by utilizing vulnerability;
the device vulnerability acquisition uses a scanning tool to scan the system devices for vulnerabilities, the scanning tool being configured according to the acquired system device information to complete the scan of device vulnerability information; then, according to the device vulnerability information obtained by scanning, the association between device and vulnerability is represented: one device can be associated with one or more vulnerabilities, the connection relation between a device and a vulnerability is defined as has_vul_at, and DEVICE1 has_vul_at VUL1 represents that DEVICE1 has the vulnerability numbered VUL1; the device vulnerability information is matched against the vulnerability information base, and each vulnerability obtains an atomic attack template of the form CNNVD description - CVE vulnerability number - CWE weakness report - CAPEC attack pattern - CVSS score, which provides the input data for the subsequent attack graph generation.
4. The method for measuring the security of an industrial control system based on an attack graph according to claim 1, wherein in the third step, the nodes in the attack graph comprise equipment nodes and vulnerability nodes;
the device node information comprises service information, open port information and IP information of the device vulnerability, the device node information is used as the attribute of the device node, and the device node information is described by adopting five-tuple, namely device IP, device name, service with the vulnerability, service protocol and service port;
the vulnerability node information comprises the CVE/CNNVD numbers, CWE classification, privilege-escalation capability identifier and CVSS score from the atomic attack rules; it is attached as node attributes to the vulnerability node identified by the vulnerability ID, and is described by a four-tuple, namely vulnerability ID, vulnerability number, vulnerability type and vulnerability score;
preprocessing data according to the network topology analysis and the vulnerability information collection result, and summarizing the data into a device information table, a vulnerability information table and a device relation table which are used as inputs of an attack graph generation algorithm.
5. The attack graph-based industrial control system security measurement method according to claim 1, wherein in the fourth step, the vulnerability node measurement quantifies the availability of vulnerability nodes and vulnerability hazards according to scanned device vulnerability information; vulnerability node availability is defined by an "attack probability" field in the CAPEC library, the { low, medium, high } quantification of the attack probability is represented as {0.3,0.6,0.9}, a low score indicates a low possibility of being attacked, and a high score indicates a high possibility of being attacked; the vulnerability score of the vulnerability node adopts the vulnerability assessment score of the CVSS, which is fully divided into 10 scores, and the higher the score is, the larger the vulnerability hazard is, the lower the score is, and the lower the vulnerability hazard is.
6. The attack graph-based industrial control system security metric method of claim 1, wherein in step four, the system security metrics include a starting node metric and a non-starting node metric;
a. start node metric
Since the privileges on the start node have already been acquired and there is no attacked condition, the attacked probability of the start device node defaults to 1, representing that all privileges on the device have been acquired; and since the start node has no predecessor node, its in-degree is 0, so the risk score of the start node equals its own risk score;
b. non-originating node metrics
The non-initial node calculates the accumulated attacked probability of the upper layer equipment node and the local layer equipment node and the equipment risk score by combining the attacked probability and the equipment risk score of the upper layer equipment node while considering the vulnerability node connected with the local node, and the system security measure is obtained according to the calculation of the risk score of the multi-layer accumulated equipment node;
the attack probability of the non-initial node is calculated as shown in the formula III:
wherein d i Indicating the node degree of entry, U m Representing the probability of being attacked by the mth upper node connected with the equipment node; the method considers the degree of node incidence and the influence of the attack probability of the upper layer node on the node of the layer, and the larger the node incidence is, the larger the attack probability of the node is; the greater the probability of being attacked by the upper layer node, the greater the probability of being attacked by the local layer node;
The risk score for the non-initiating node is calculated as formula IV:
wherein U is m 、U n Representing the probability of being attacked by the m, n-th upper node connected with the equipment node, R m Representing a risk score of an mth upper node connected to the equipment node;
the risk score of the non-initial node is calculated by considering the influence of the attack probability of the upper node on the node of the layer, and meanwhile, the risk score of the upper node is calculated in a cumulative way, and the greater the node incidence, the greater the node risk score; the greater the probability of the upper node being attacked, the greater the risk score of the node of the layer; the greater the risk score of the upper node is, the greater the risk score of the present node is, and finally the risk score R of the target node is dest And the method is obtained through multi-layer attack path accumulation calculation.
7. The attack graph-based industrial control system security measurement method according to claim 1, wherein in the fourth step, the attack paths comprise nested paths and parallel paths; a quantitative analysis of the key attack path is carried out in combination with the system security metric value, introducing an asset value index in the analysis, where the asset value is determined by the node access degree and the asset importance; the asset importance index grades assets on ten levels from 1 to 10, with 10 very important and 1 very unimportant; meanwhile, the node access degrees appearing in the current attack graph are normalized taking the highest access degree as the standard, the access degree of the start node and of the target node defaulting to 1 without down-weighting; finally the asset value is the product of asset importance and access degree, as shown in formula V:
$P_{value} = P_{significance} \cdot d_{io}$ (Ⅴ)
where $P_{value}$ denotes the asset value, $P_{significance}$ the asset importance and $d_{io}$ the normalized node access degree;
a. nested path analysis
The nodes in the path set of a nested path do not include the common start node, and the key path in this case is selected and calculated as follows:
where $Path_{sign}$ is the path key index, $U_j$ denotes the attacked probability of the j-th device node in the path set, $R_i$ the risk score of the i-th device node in the path set and $P_{value\,i}$ the asset value of the i-th device node in the path set; the key path among nested paths takes the number of attack hops as the main basis of calculation: the path with fewer hops is generally the key path, and a path with more hops becomes the key path only when the attacked probability and risk score of its intermediate-hop nodes are large enough;
b. parallel path analysis
The path set of parallel attack paths is represented as N parallel nodes excluding the common start node and end node, and the key path in this case is selected as follows:
$Path_{sign} = \max\{U_i \cdot R_i \cdot P_{value\,i}\},\ i = 1, 2, \dots, k$ (Ⅶ)
where $U_i$ denotes the attacked probability of the i-th device node in the path set, $R_i$ its risk score and $P_{value\,i}$ its asset value; finally the key path is selected by comparing the key indices of the N parallel paths;
the analysis results of the nested paths and parallel paths are synthesized, and the importance of each path is calculated through the quantified indices to obtain the key attack path.
8. A server, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the attack graph-based industrial control system security metrics method of any of claims 1-7.
9. A computer readable medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the attack graph-based industrial control system security metric method of any of claims 1-7.
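The vulnerability node quantification of claim 5 together with the asset value (formula V) and the parallel-path key index (formula VII) of claim 7, worked through on a small constructed attack graph. This is an added example and not code from the patent or its inventors; the graph, the asset importance grades and the per-node attacked probabilities U_i and risk scores R_i are constructed sample values (the page does not reproduce formulas III and IV that define U_i and R_i, so they are taken as given inputs), and taking in-degree plus out-degree as the "node access degree" is an assumption of this example.

```python
"""Added example: vulnerability node quantification (claim 5), asset value
(formula V) and parallel-path critical path selection (formula VII).
Not the patent's own code; the graph and per-node values are constructed."""
from typing import Dict, Iterable, List, Tuple

# Claim 5: CAPEC "attack probability" {low, medium, high} -> {0.3, 0.6, 0.9}
CAPEC_ATTACK_PROBABILITY = {"low": 0.3, "medium": 0.6, "high": 0.9}


def vulnerability_availability(likelihood: str) -> float:
    """Quantify a vulnerability node's availability from its CAPEC value."""
    key = likelihood.strip().lower()
    if key not in CAPEC_ATTACK_PROBABILITY:
        raise ValueError(f"unknown CAPEC attack probability: {likelihood!r}")
    return CAPEC_ATTACK_PROBABILITY[key]


def vulnerability_hazard(cvss_score: float) -> float:
    """CVSS assessment score with a full mark of 10; higher means greater hazard."""
    if not 0.0 <= cvss_score <= 10.0:
        raise ValueError("CVSS score must lie in [0, 10]")
    return float(cvss_score)


def normalized_access_degree(edges: Iterable[Tuple[str, str]],
                             start: str, target: str) -> Dict[str, float]:
    """Claim 7: normalize each node's access degree by the highest degree in the
    current attack graph; start and target default to 1 (no down-weighting).
    Assumption: access degree = in-degree + out-degree (the page does not say)."""
    degree: Dict[str, int] = {}
    for src, dst in edges:
        degree[src] = degree.get(src, 0) + 1
        degree[dst] = degree.get(dst, 0) + 1
    if not degree:
        raise ValueError("attack graph has no edges")
    max_degree = max(degree.values())
    d_io = {node: deg / max_degree for node, deg in degree.items()}
    d_io[start] = 1.0
    d_io[target] = 1.0
    return d_io


def asset_value(significance: int, d_io: float) -> float:
    """Formula V: P_value = P_significance * d_io, importance graded 1..10."""
    if not (isinstance(significance, int) and 1 <= significance <= 10):
        raise ValueError("asset importance must be an integer grade from 1 to 10")
    return significance * d_io


def path_key_indices(nodes: Iterable[str], U: Dict[str, float],
                     R: Dict[str, float], P_value: Dict[str, float]) -> Dict[str, float]:
    """Per-node term U_i * R_i * P_value_i of formula VII."""
    return {n: U[n] * R[n] * P_value[n] for n in nodes}


def parallel_critical_path(nodes: Iterable[str], U: Dict[str, float],
                           R: Dict[str, float], P_value: Dict[str, float]) -> Tuple[str, float]:
    """Formula VII: Path_sign = max{U_i * R_i * P_value_i}; the parallel path
    through the maximizing intermediate node is the critical path."""
    indices = path_key_indices(nodes, U, R, P_value)
    best = max(indices, key=indices.get)
    return best, indices[best]


# Constructed sample graph: start S, target T and three parallel intermediate
# nodes A, B, C; the extra B->C edge only makes the node degrees differ.
SAMPLE_EDGES: List[Tuple[str, str]] = [("S", "A"), ("S", "B"), ("S", "C"),
                                       ("A", "T"), ("B", "T"), ("C", "T"), ("B", "C")]
SAMPLE_SIGNIFICANCE = {"A": 5, "B": 8, "C": 3}   # constructed asset importance, 1..10
SAMPLE_U = {"A": 0.6, "B": 0.5, "C": 0.9}        # constructed attacked probabilities (given)
SAMPLE_R = {"A": 7.0, "B": 6.0, "C": 4.0}        # constructed device risk scores (given)


def demo() -> Tuple[str, float]:
    """Run formula V and formula VII over the constructed graph."""
    d_io = normalized_access_degree(SAMPLE_EDGES, "S", "T")
    p_value = {n: asset_value(SAMPLE_SIGNIFICANCE[n], d_io[n]) for n in SAMPLE_SIGNIFICANCE}
    return parallel_critical_path(list(SAMPLE_SIGNIFICANCE), SAMPLE_U, SAMPLE_R, p_value)


if __name__ == "__main__":
    node, score = demo()
    print(f"critical parallel path: S -> {node} -> T (Path_sign = {score:.2f})")
```

In the constructed graph node A has degree 2 and the others degree 3, so its access degree normalizes to 2/3 and its asset value is down-weighted accordingly; node B wins formula VII (0.5 * 6.0 * 8.0 = 24.0) despite its lower attacked probability, which is the point of weighting the key index by asset value.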
CN202011043060.3A 2020-09-28 2020-09-28 Industrial control system safety measurement method based on attack graph Active CN112114579B (en)

Publications (2)

Publication Number Publication Date
CN112114579A CN112114579A (en) 2020-12-22
CN112114579B true CN112114579B (en) 2023-07-25

Family

ID=73798243

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant