CN112632555A - Node vulnerability scanning method and device and computer equipment - Google Patents

Publication number: CN112632555A
Authority: CN (China)
Legal status: Pending (the listed legal status is an assumption and is not a legal conclusion)
Application number: CN202011481027.9A
Other languages: Chinese (zh)
Inventors: 栗会峰, 李铁成, 栗维勋, 杨立波, 马斌, 孙广辉, 王强, 赵鹏, 贾鹏洲, 刘哲
Current Assignee (the listed assignees may be inaccurate): State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd; State Grid Hebei Energy Technology Service Co Ltd
Original Assignee: State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd; State Grid Hebei Energy Technology Service Co Ltd
Prior art keywords: vulnerability, target, control system, information, industrial control

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

The invention discloses a method, an apparatus and computer equipment for scanning node vulnerabilities. The scanning method comprises the following steps: acquiring industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system; generating a target attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system and the network topology information of the target industrial control system, wherein the target attack graph represents attack path information among all nodes in the target industrial control system; calculating the vulnerability risk level of each node in the target industrial control system according to the target attack graph; and determining a vulnerability scanning strategy of the target system according to the vulnerability risk level of each node. With this method, nodes with a high risk level receive a higher level of security protection, which improves the overall security of the system; scanning of nodes with a low risk level is reduced, which saves system resources and reduces the impact on normal operation of the system.

Description

Node vulnerability scanning method and device and computer equipment
Technical Field
The invention relates to the field of security protection for smart grid industrial control systems, and in particular to a method and an apparatus for scanning node vulnerabilities and to computer equipment.
Background
The electric power industry is an important basic energy industry that bears on national economic development and social stability, and it is the core of national infrastructure. The electric power industrial control system is a typical Industrial Control System (ICS): an automatic control system composed of computers and industrial control components, with higher security requirements when it is applied in a smart grid scenario. With the application of internet technology in electric power industrial control systems, their original relative isolation has been broken; they are ever more tightly connected to the public internet and more exposed to attacks from it. As a result, the smart grid industrial control system contains many security vulnerabilities and lacks effective security precautions, and once these vulnerabilities are exploited by lawbreakers to launch attacks, the national economy and politics are seriously affected.
Existing industrial control system vulnerability scanning techniques include methods such as attack-tree-based vulnerability assessment and vulnerability scanning based on hierarchical detection. However, the existing vulnerability scanning methods apply the same scanning strategy to every node in the power system, which easily makes the scanning burden on the whole smart grid industrial control system too heavy for it to bear. In addition, the higher-risk equipment in the system lacks a sufficient level of security protection and is more easily attacked from the public internet.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for scanning node vulnerabilities, and computer equipment. They address two problems caused by existing vulnerability scanning methods applying the same scanning strategy to every node in a power system: the scanning burden on the smart grid industrial control system is too heavy, and high-risk devices lack a sufficient level of security protection and are more vulnerable to attacks from the public internet.
According to a first aspect, an embodiment of the present invention provides a method for scanning a node vulnerability, including: acquiring industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system; generating a target attack graph according to the industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system, wherein the target attack graph is used for representing attack path information among all nodes in the target industrial control system; respectively calculating the vulnerability risk level of each node in the target industrial control system according to the target attack graph; and determining a vulnerability scanning strategy of the target system according to the vulnerability risk level of each node.
With reference to the first aspect, in a first implementation manner of the first aspect, the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system, and the network topology information of the target industrial control system are determined through the following processes: acquiring vulnerability information of the industrial control system according to a preset vulnerability database; and determining vulnerability scanning information of the target industrial control system and network topology information of the target industrial control system according to a preset scanning tool and the target industrial control system.
With reference to the first aspect, in a second implementation manner of the first aspect, the generating a target attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system, and the network topology information of the target industrial control system includes: generating an initial attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system and the network topology information of the target industrial control system; and carrying out node screening on the initial attack graph to generate a target attack graph.
With reference to the second implementation manner of the first aspect, in a third implementation manner of the first aspect, the performing node screening on the initial attack graph to generate a target attack graph includes: merging the nodes belonging to the same host in the initial attack graph to generate the target attack graph.
With reference to the first aspect, in a fourth implementation manner of the first aspect, the calculating, according to the target attack graph, the vulnerability risk level of each node in the target industrial control system includes: determining the vulnerability exploitation probability and the vulnerability exploitation value of each node according to the target attack graph and a preset vulnerability value table; determining the vulnerability risk value of each node according to the vulnerability exploitation probability and the vulnerability exploitation value; and determining the vulnerability risk level of each node according to the vulnerability risk value of each node and a preset risk analysis database.
With reference to the fourth implementation manner of the first aspect, in a fifth implementation manner of the first aspect, the determining, according to the target attack graph and the preset vulnerability value table, the vulnerability exploitation probability and the vulnerability exploitation value of each node includes: extracting defense strength information, attack cost information and vulnerability occurrence probability information of each node from the target attack graph; determining the vulnerability exploitation probability of each node according to the defense strength information, the attack cost information, the vulnerability occurrence probability information and the preset vulnerability value table; extracting actual value information and vulnerability attack mode information of each node from the target attack graph; and determining the vulnerability exploitation value of each node according to the actual value information of the vulnerability, the vulnerability attack mode information and the preset vulnerability value table.
With reference to the fourth implementation manner of the first aspect, in a sixth implementation manner of the first aspect, the vulnerability risk value is determined by the following formula:
$P = p_i \times q_i$,
where $P$ represents the vulnerability risk value, $p_i$ represents the exploitation probability of vulnerability $i$, and $q_i$ represents the exploitation value of vulnerability $i$.
With reference to the first aspect, in a seventh implementation manner of the first aspect, the determining a vulnerability scanning policy of a target system according to the vulnerability risk level of each node includes: determining a scanning period of the vulnerability scanning strategy according to the vulnerability risk level of each node; and/or determining the scanning type of the vulnerability scanning strategy according to the vulnerability risk level of each node.
With reference to the seventh implementation manner of the first aspect, in the sixth implementation manner of the first aspect, the determining, according to the vulnerability risk level of each node, a scanning period of the vulnerability scanning policy includes: when the vulnerability risk level of the node is a first level, setting a first period as a scanning period of the corresponding node; when the vulnerability risk level of the node is a second level, setting a second period as a scanning period of the corresponding node; and when the vulnerability risk level of the node is a third level, setting a third period as a scanning period of the corresponding node, wherein the first period is greater than the second period, and the second period is greater than the third period.
According to a second aspect, an embodiment of the present invention provides a scanning apparatus for a node vulnerability, including: the information acquisition module is used for acquiring industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system; the attack graph generation module is used for generating a target attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system and the network topology information of the target industrial control system, wherein the target attack graph is used for representing attack path information among all nodes in the target industrial control system; the vulnerability risk level determination module is used for respectively calculating vulnerability risk levels of all nodes in the target industrial control system according to the target attack graph; and the scanning strategy determining module is used for determining the vulnerability scanning strategy of the target system according to the vulnerability risk level of each node.
According to a third aspect, an embodiment of the present invention provides a computer device, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform the steps of the method for scanning for node vulnerabilities described in the first aspect or any one of the embodiments of the first aspect.
According to a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps of the method for scanning a node vulnerability described in the first aspect or any one of the implementation manners of the first aspect.
The technical scheme of the invention has the following advantages:
The invention provides a method, an apparatus and computer equipment for scanning node vulnerabilities, wherein the scanning method comprises the following steps: acquiring industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system; generating a target attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system and the network topology information of the target industrial control system, wherein the target attack graph represents attack path information among all nodes in the target industrial control system; calculating the vulnerability risk level of each node in the target industrial control system according to the target attack graph; and determining a vulnerability scanning strategy of the target system according to the vulnerability risk level of each node.
By implementing the method, the vulnerability risk level of each node in the industrial control system is calculated by combining the target attack graph, so that the corresponding vulnerability scanning strategy is determined according to the vulnerability risk level of each node, different scanning strategies are designed for the nodes with different risk levels, higher safety protection levels can be provided for the nodes with high risk levels, and the overall safety of the system is improved; meanwhile, scanning of low-risk level nodes is reduced, system resources are saved, and influence on normal operation of the system is reduced.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a specific example of a scanning method for a node vulnerability in an embodiment of the present invention;
Fig. 2 is a flowchart of a specific example of generating a target attack graph in the node vulnerability scanning method in the embodiment of the present invention;
Fig. 3 is a schematic diagram of an optimized attack graph in the scanning method for node vulnerabilities in the embodiment of the present invention;
Fig. 4 is a flowchart of a specific example of determining vulnerability risk levels of nodes in the scanning method of node vulnerabilities in the embodiment of the present invention;
Fig. 5 is a flowchart of a specific example of determining vulnerability exploitation values of nodes in the scanning method of node vulnerabilities in the embodiment of the present invention;
Fig. 6 is a schematic block diagram of a specific example of a scanning apparatus for node vulnerabilities in the embodiment of the present invention;
Fig. 7 is a diagram showing an exemplary embodiment of a computer device.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Research on the security of smart grid industrial control systems is still at an early stage; however, since the smart grid industrial control system is a typical industrial control system, existing research on industrial control systems is a useful reference for security detection in the power system. In recent years, a number of industrial control system vulnerability scanning methods have been proposed, such as an industrial control system vulnerability assessment method based on an attack tree and an industrial control system vulnerability scanning method based on hierarchical detection.
However, most of the existing vulnerability scanning methods apply the same scanning strategy to every node in the power system, which has the following problems: 1. Unlike an IT system, the smart grid industrial control system has high requirements on service continuity and limited system resources, and cannot bear the excessive scanning overhead brought by the periodic vulnerability scanning strategy of a traditional IT system. 2. The scanning strategy is uniform and provides no effective security protection for the system nodes with high risk levels. Because the same scanning strategy is applied to every node in the power system, nodes with a high risk level may lack a sufficient level of security protection, become the weak points of the system, and be easily attacked from the public internet.
To address the problem that the electric power industrial control system has high security requirements but cannot bear excessive scanning overhead, the embodiments of the invention provide a method, an apparatus and computer equipment for scanning node vulnerabilities, which design different scanning strategies for nodes with different risk levels so that nodes with high risk levels receive more attention during vulnerability scanning.
An embodiment of the present invention provides a method for scanning a node vulnerability, as shown in fig. 1, including:
Step S11: acquiring industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system.
In this embodiment, the industrial control system vulnerability information may be the vulnerability information related to the power industry and power equipment in pre-collected, published industrial control system vulnerability libraries, and these libraries may be all the industrial control system vulnerability libraries published at present. The vulnerability information may include a vulnerability number (e.g., a CNVD number, an NVD label), the vulnerability location, a vulnerability description, and the like, where the vulnerability description describes the consequences that may result once the vulnerability is exploited.
The vulnerability scanning information of the target industrial control system may be a scanning report generated by scanning the target industrial control system with a scanning tool, and the target industrial control system may be an industrial control system in the power industry. Specifically, the scanning tool may be a Nessus scanner, and the scanning report describes the current vulnerability status of the target industrial control system; the vulnerability scanning information may first be output in XML format and then converted into an input file in the Datalog syntax supported by MulVAL. The network topology information of the target industrial control system may be the reachability among industrial devices in the target system as produced by a network topology scanning tool, that is, the connection relationships among the hosts.
Specifically, the vulnerability information related to the electric power industrial control system in the public industrial control system vulnerability libraries, the vulnerability scanning report of the target system and the network topology information of the target system are collected to support the subsequent attack graph generation.
Step S12: generating a target attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system and the network topology information of the target industrial control system, wherein the target attack graph represents attack path information among all nodes in the target industrial control system. In this embodiment, the attack graph represents system attack behavior in the form of a graph and is used to evaluate the vulnerability of the system, that is, to rate the vulnerability of each host in the target system; it can be generated by a preset tool. The preset tool may be an adapted MulVAL engine. MulVAL is an automatic attack graph generation tool based on the logic programming language Datalog, and it supports output in txt, pdf, eps, XML and Graphviz formats. The original MulVAL engine is designed for IT systems; the adapted MulVAL engine is suited to the electric power industrial control system: its privilege rule base for the power system is redesigned according to the syntax and rule format supported by the MulVAL inference engine, so the attack graph generated by the adapted engine reflects the vulnerability situation of the electric power industrial control system more accurately. The target attack graph may be an attack graph with hosts as nodes. Specifically, the security threats and attack paths existing in the target system can be determined according to the network topology, the host reachability and the vulnerability scanning report of the target system, and displayed graphically.
Step S13: calculating the vulnerability risk level of each node in the target industrial control system according to the target attack graph. The vulnerability risk level may be determined jointly by the probability that an attacker successfully launches an attack by exploiting the vulnerability and the degree of damage the vulnerability causes to the system after the attack succeeds, and it characterizes the severity of the vulnerability. Specifically, the information related to the vulnerabilities of each node in the target industrial control system is obtained from the target attack graph, and the vulnerability risk level of each node is then determined from that information.
Step S14: determining a vulnerability scanning strategy of the target system according to the vulnerability risk level of each node. In this embodiment, the vulnerability scanning strategy may include a vulnerability scanning period and a vulnerability scanning method. For a node with a high vulnerability risk level, a strict scanning strategy and a shorter scanning period are set; for example, one day may be selected as the scanning period, and the preset scan type configured in the scanning tool may cover all vulnerability types. For a node with a low vulnerability risk level, a lightweight scanning strategy and a longer scanning period are designed; for example, three days may be selected as the scanning period, and only some vulnerability types may be selected as the preset scan types in the scanning tool. The vulnerability scanning strategy can also be determined by the actual application scenario.
The invention provides a scanning method of a node vulnerability, which comprises the following steps: acquiring industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system; generating a target attack graph according to industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system, wherein the target attack graph is used for representing attack path information among all nodes in the target industrial control system; respectively calculating the vulnerability risk level of each node in the target industrial control system according to the target attack graph; and determining a vulnerability scanning strategy of the target system according to the vulnerability risk level of each node.
By implementing the method, the target attack graph is combined, the vulnerability risk level of each node in the industrial control system is calculated, and then the corresponding vulnerability scanning strategy is determined according to the vulnerability risk level of each node, the fixed scanning period in the traditional vulnerability scanning method is abandoned, the vulnerability risk level of each node is evaluated based on the generated attack graph, different scanning strategies are designed for the nodes with different risk levels, higher security protection level can be provided for the nodes with high risk level, and the overall security of the system is improved; meanwhile, scanning of low-risk level nodes is reduced, system resources are saved, and influence on normal operation of the system is reduced.
As an optional embodiment of the present invention, in step S11, the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system, and the network topology information of the target industrial control system may be determined through the following processes:
First, acquiring the industrial control system vulnerability information according to a preset vulnerability database. In this embodiment, the preset vulnerability database may be a public industrial system vulnerability database, and specifically may include a National Vulnerability Database (NVD), a national information security vulnerability portal (CVE), and a national information security vulnerability sharing platform (CNVD) vulnerability database. The vulnerability-related information acquired from these databases may be existing vulnerability number information, such as CNVD number information or NVD number information; it may also be the actual value information of the vulnerability, or the description information of the vulnerability, such as the consequences of the vulnerability being exploited. The vulnerability information used by the method provided by the embodiment of the invention comes from multiple public industrial control system vulnerability libraries, so it is comprehensive and has strong coverage.
Second, determining the vulnerability scanning information of the target industrial control system and the network topology information of the target industrial control system according to a preset scanning tool and the target industrial control system. In this embodiment, the preset scanning tool may be a scanning report generator, used to obtain the existing vulnerability information of the target industrial control system; the preset scanning tool may also be a network topology scanning tool, used to obtain the network topology information of the target industrial control system. Specifically, the existing vulnerability information and the network topology information of the target industrial control system are obtained through the scanning report generator and the network topology scanning tool, respectively.
As an optional embodiment of the present invention, as shown in fig. 2, in the step S12, the executing process of generating the target attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system, and the network topology information of the target industrial control system includes:
Step S21: generating an initial attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system and the network topology information of the target industrial control system. In this embodiment, the initial attack graph of the target industrial control system may be generated from the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system and the network topology information of the target industrial control system obtained in the above embodiments, using the adapted engine. The output format of the initial attack graph may be txt, pdf, eps, XML or Graphviz. The adapted engine may be produced from an initial engine and the power industry industrial control system, and the initial engine may be an automatic attack graph generation tool, such as MulVAL.
Step S22: performing node screening on the initial attack graph to generate the target attack graph. In this embodiment, the initial attack graph includes more nodes (hosts), and the connection relationships between the nodes are more complicated; the method of the embodiment of the invention generates the target attack graph by merging the nodes belonging to the same host in the initial attack graph, so that the target attack graph has only hosts as vertices.
Specifically, as shown in fig. 3, a specific example of the optimized attack graph, that is, a specific example of the target attack graph, is described, for example, an attack case of a "seismic network" electric power engineering system, where an attacker obtains the control authority of the PLC in the target system through a leak in the industrial control system, and then controls the industrial equipment through the directly connected PLC to implement an attack. The optimized attack graph is shown in fig. 3: 11, p1, p2, r1 and r2 represent each host in the target industrial control system, and CNNVD-201007-238 represent vulnerability information of the host 11; CNNVD-201009 and 132 represent vulnerability information of the host p 2; CNNVD-201009 and 132 represent vulnerability information of the host p 1; CNNVD-200810-406 represents the vulnerability information of the host r 2; CNNVD-200810-406 and CNNVD-201007-241 represent vulnerability information of the host r 1; PLC3 and PLC4 are programmable logic controllers in the target system. The optimized attack graph can accurately show the vulnerability information of each host node, and further possible attack paths and attack methods of attackers are obtained. The vulnerability information corresponding to each node is described in the following table, and when the attack target is to destroy the key power generation facility by controlling the PLC, two possible attack paths are provided, which are respectively: l1-r1-PLC2 and l1-r1-PLC3, and the specific vulnerability description information is shown in the following table 1:
TABLE 1
[Table provided as an image in the original publication; not reproduced here.]
As an optional embodiment of the present invention, in the step S22, the executing process of performing node screening on the initial attack graph to generate the target attack graph includes: and combining the nodes belonging to the same host in the initial attack graph to generate a target attack graph.
According to the node vulnerability scanning method provided by the invention, the network topology information and the existing vulnerability information of the target industrial control system are obtained with the preset scanning tool, and the power-system-related vulnerability information in the public industrial control system vulnerability database is selected in advance, so that the method is better suited to industrial control systems in the smart grid. By adapting the original MulVAL attack graph generation engine, the power industrial control system can be scanned more accurately and comprehensively; specifically, the authority rule base of the power industrial control system is redesigned in combination with the syntax and rule format information supported by the MulVAL inference engine, so that the generated attack graph reflects the vulnerability condition of the target power industrial control system more accurately.
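The node merging of step S22 can be illustrated with a short added example; it is not code from the patent or from MulVAL. Host names and CNNVD identifiers are the ones named for fig. 3, while the edges of the initial graph and the helper names `merge_by_host` and `attack_paths` are assumptions made for illustration.

```python
# Constructed initial attack graph. A node is (host, vulnerability id); an edge
# means "after this step the attacker can attempt that step". Host names and
# CNNVD ids are those named for fig. 3; the edges themselves are assumed.
INITIAL_EDGES = [
    (("l1", "CNNVD-201007-238"), ("r1", "CNNVD-200810-406")),
    (("r1", "CNNVD-200810-406"), ("r1", "CNNVD-201007-241")),  # same host
    (("l1", "CNNVD-201007-238"), ("p1", "CNNVD-201009-132")),
    (("p1", "CNNVD-201009-132"), ("p2", "CNNVD-201009-132")),
    (("l1", "CNNVD-201007-238"), ("r2", "CNNVD-200810-406")),
    (("r1", "CNNVD-201007-241"), ("PLC2", None)),  # None: no vulnerability id
    (("r1", "CNNVD-201007-241"), ("PLC3", None)),
]


def merge_by_host(initial_edges):
    """Merge all nodes of the same host into one vertex (step S22).

    Returns (adjacency, vulns): host -> set of successor hosts, and
    host -> sorted list of the vulnerability ids that were merged into it.
    """
    adjacency, vulns = {}, {}
    for src, dst in initial_edges:
        for host, vuln_id in (src, dst):
            adjacency.setdefault(host, set())   # every host becomes a vertex
            vulns.setdefault(host, set())
            if vuln_id is not None:
                vulns[host].add(vuln_id)
        if src[0] != dst[0]:                    # edges inside one host disappear
            adjacency[src[0]].add(dst[0])
    return adjacency, {h: sorted(v) for h, v in vulns.items()}


def attack_paths(adjacency, entry, target):
    """List every loop-free host-level path from entry to target."""
    paths, stack = [], [(entry, [entry])]
    while stack:
        host, path = stack.pop()
        if host == target:
            paths.append(path)
            continue
        for nxt in sorted(adjacency.get(host, ()), reverse=True):
            if nxt not in path:                 # never revisit a host on a path
                stack.append((nxt, path + [nxt]))
    return paths


if __name__ == "__main__":
    adjacency, vulns = merge_by_host(INITIAL_EDGES)
    initial_nodes = {node for edge in INITIAL_EDGES for node in edge}
    print(f"{len(initial_nodes)} initial nodes -> {len(adjacency)} host vertices")
    for host in sorted(adjacency):
        print(host, vulns[host], "->", sorted(adjacency[host]))
    for plc in ("PLC2", "PLC3"):
        print(plc, attack_paths(adjacency, "l1", plc))
```

With these constructed edges the merged graph yields the two host-level paths the description names, l1-r1-PLC2 and l1-r1-PLC3.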
As an optional embodiment of the present invention, as shown in fig. 4, in the step S13, the executing process of respectively calculating the vulnerability risk level of each node in the target industrial control system according to the target attack graph includes:
Step S31: determining the probability of each node's vulnerability being exploited and its exploitation value according to the target attack graph and a preset vulnerability value table. In this embodiment, the preset vulnerability value table may include a value table for the probability of a vulnerability being exploited and a value table for the vulnerability exploitation value. The probability of a vulnerability being exploited represents the probability that an attacker successfully launches an attack by exploiting the vulnerability; the vulnerability exploitation value represents the degree of damage to the target industrial control system after an attacker successfully exploits the vulnerability to launch an attack. Specifically, each host in the target attack graph may be used as a node, and the exploited probability and exploitation value of each node's vulnerabilities are then determined from the vulnerability information contained in the target attack graph.
Step S32: determining vulnerability risk values of all nodes according to the vulnerability exploited probability and the vulnerability exploitation value; in this embodiment, the vulnerability risk value is a node evaluation index, which may indicate a loss to the system after the vulnerability on each node is successfully utilized. Specifically, the vulnerability risk value may be determined according to the following formula:
$P = p_i \times q_i$,
wherein $P$ represents the vulnerability risk value, $p_i$ represents the probability that vulnerability i is exploited, and $q_i$ represents the exploitation value of vulnerability i.
Specifically, one or more vulnerabilities may exist on one node; when a plurality of vulnerabilities exist on a node, the vulnerability risk value of the node can be determined by the sum of the vulnerability risk values of the vulnerabilities.
Step S33: and respectively determining the vulnerability risk level of each node according to the vulnerability risk value of each node and a preset risk analysis database. In this embodiment, the preset risk analysis database may be a database in which expert analysis opinions are stored, and the vulnerability risk level of each node may be determined according to the vulnerability risk value of each node and the preset risk analysis database. In particular, the vulnerability risk level may include a first risk level, a second risk level, and a third risk level, for example, the first risk level may be a high risk level, the second risk level may be a medium risk level, and the third risk level may be a low risk level.
As an optional embodiment of the present invention, as shown in fig. 5, in the step S31, determining the exploit probability and the exploit value of each node according to the target attack graph and the preset exploit value table respectively includes:
Step S41: extracting defense strength information, attack cost information and vulnerability occurrence probability information of each node from the target attack graph;
Illustratively, the defense strength information $DS_i$ may represent the security mechanism information of the defense-in-depth strategy of the smart grid ICS. Specifically, the smart grid ICS adopts a defense-in-depth architecture, so the defense strength is related to the security mechanism design under the defense-in-depth strategy. The security mechanism design mainly comprises intrusion detection, industrial firewall deployment, authentication and the like. Intrusion detection and industrial firewall deployment are key technologies for boundary defense of the smart grid ICS, and authentication is a key measure for identifying the data security of a component; that is, the defense strength information is related to the authentication mode information: the more authentication modes are deployed in a component, the higher the security, the stronger the defense strength, the higher the attack difficulty, and the lower the probability that the vulnerability is exploited.
Illustratively, the vulnerability occurrence probability information $DA_i$ is related to the number of vulnerabilities existing on the node: the more vulnerabilities above the medium risk level exist on the node, the higher the probability that the vulnerabilities are exploited. The attack cost information $AC_i$ represents the cost spent by an attacker in attacking a given node and is related to the attack path to that node: the more complex the attack path, the higher the attack cost, the lower the attacker's willingness to attack the vulnerability, and therefore the smaller the probability that the vulnerability is exploited.
Step S42: determining the probability of each node's vulnerability being exploited according to the defense strength information, the attack cost information, the vulnerability occurrence probability information and the preset vulnerability value table. In this embodiment, the exploited probability refers to the probability that an attacker successfully launches an attack by exploiting the vulnerability, and its calculation may be related to the defense strength, the vulnerability occurrence probability and the attack cost. The preset vulnerability value table may include a defense strength information value table, as shown in table 2 below; an attack cost information value table, as shown in table 3 below; and a vulnerability occurrence probability information value table, as shown in table 4 below:
TABLE 2
[Table provided as an image in the original publication; not reproduced here.]
TABLE 3
[Table provided as an image in the original publication; not reproduced here.]
TABLE 4
Attack cost information | Score | Description
Low | 1 | Low
Medium | 2 | Medium
High | 3 | High
Calculating the exploit probability of the vulnerability by the following formula:
[Formula provided as an image in the original publication; not reproduced here.]
wherein $p_i$ represents the probability that vulnerability i is exploited, $DS_i$ represents the defense strength information of the system network environment in which vulnerability i is located, $DA_i$ represents the vulnerability occurrence probability, and $AC_i$ represents the score corresponding to the attack cost; the value ranges are all [1, 3]. α, β and γ are the weights of the three factors, and the sum of the weights is 1. The weights can be determined according to the actual application scenario of the smart grid industrial control system; for example, α, β and γ may be 0.6, 0.3 and 0.1 respectively, so that the value range of the node vulnerability exploited probability is [1, 3].
Step S43: extracting the actual value information of the vulnerability and the vulnerability attack mode information of each node from the target attack graph.
Illustratively, the vulnerability actual value information $V_i$ may represent the importance, within the target smart grid ICS, of the component in which the vulnerability is located. For example, the value of a PLC is the highest: because the PLC directly controls the production process, the industrial production process is damaged and greatly affected if the PLC is controlled by an attacker. The vulnerability attack mode information $A_i$ may represent the malicious operations that an attacker can perform by exploiting the vulnerability, including control program modification, tampering with input and output information, message interception, data theft, acquisition of higher authority and the like. Different attack modes cause different losses; modification of the control program can directly damage the target system and is the most serious attack.
Step S44: determining the vulnerability exploitation value of each node according to the actual value information of the vulnerability, the vulnerability attack mode information and the preset vulnerability value table. In this embodiment, the exploitation value refers to the degree of damage to the system after an attacker successfully exploits the vulnerability and launches an attack; it is related to the actual value, in the target system, of the component in which the vulnerability is located and to the vulnerability attack mode. The exploitation value of the vulnerability can be calculated by the following formula:
$q_i = V_i \times A_i$,
wherein $q_i$ represents the exploitation value of vulnerability i, $V_i$ represents the actual value information of the node where vulnerability i is located, and $A_i$ represents the influence coefficient of the attack mode of vulnerability i. Referring to the requirements in the GB/T36466-2018 industrial control system risk assessment implementation guide, the preset vulnerability value table may include a vulnerability actual value information value table, as shown in table 5 below, and a vulnerability attack mode information value table, as shown in table 6 below:
TABLE 5
[Table provided as an image in the original publication; not reproduced here.]
TABLE 6
[Table provided as an image in the original publication; not reproduced here.]
Therefore, the value range of the vulnerability exploitation value of each node may be [0.6, 3] and the value range of the vulnerability risk value may be [0.6, 9]; the risk level of the corresponding node vulnerability can be determined from the vulnerability risk value, as shown in table 7 below:
TABLE 7
Vulnerability risk value P | Node vulnerability risk level
(0,3] | Low
(3,6] | Medium
(6,10] | High
As an optional embodiment of the present invention, in step S14, the determining, according to the vulnerability risk level of each node, an execution process of the vulnerability scanning policy of the target system includes:
determining a scanning period of a vulnerability scanning strategy according to the vulnerability risk level of each node;
and/or determining the scanning type of the vulnerability scanning strategy according to the vulnerability risk level of each node.
Exemplarily, each host is used as a node, and the scanning strategy corresponding to each node is determined according to the vulnerability risk level of that node. Specifically, the scanning strategy may include a scanning period and a scanning method, i.e., a scanning type, both of which are determined according to the vulnerability risk level of the corresponding node. For example, when a node is determined to be at the high vulnerability risk level, a relatively comprehensive and strict scanning strategy may be set: the minimum scanning period T may be selected as the scanning period, and the full set of vulnerability types may be selected from the preset scanning type set in the scanning tool. When a node is determined to be at the low vulnerability risk level, a lightweight scanning strategy may be set: a larger scanning period 3T may be selected as the scanning period, and only part of the vulnerability types may be selected from the preset scanning type set in the scanning tool.
Illustratively, the minimum scan period may be T. For nodes with a high risk level, the scan period may be T; for nodes with a medium risk level, the scan period may be 2T; for nodes with a low risk level, the scan period may be 3T. Vulnerability scanning is carried out on the target system according to the determined scanning strategy, and scanning reports are generated regularly.
According to the node vulnerability scanning method of the embodiment of the invention, determining the vulnerability risk level of each node is combined with determining the corresponding scanning strategy, so that adaptive scanning strategies can be provided for nodes with different risk levels. Nodes with a high risk level receive a higher level of security protection, which reduces the probability that the weak nodes of the system are attacked and that such attacks succeed, and improves the overall security level of the system. By designing different scanning strategies and scanning periods for nodes with different risk levels, the scanning resource consumption of low-risk nodes is reduced without lowering the scanning frequency of high-risk nodes, so that system resources are effectively saved, the normal services of the system are not affected, and lightweight scanning is achieved. Different scanning strategies, including a scanning method and a scanning period, are designed for nodes with different vulnerability risk levels with reference to the risk levels and the expert opinion database: for nodes with a high vulnerability risk level, a stricter scanning strategy and a shorter scanning period are designed; for nodes with a low vulnerability risk level, a lightweight scanning strategy and a longer scanning period are designed, which reduces the system load. The strategies are adjusted in real time according to the actual condition of the target system, thereby realizing risk-adaptive vulnerability scanning of the nodes.
As an optional implementation manner of the present invention, the determining, according to the vulnerability risk level of each node, an execution process of a scanning cycle of the vulnerability scanning policy in the above steps includes:
when the vulnerability risk level of the node is a first level, setting the first period as the scanning period of the corresponding node; when the vulnerability risk level of the node is a second level, setting the second period as the scanning period of the corresponding node; and when the vulnerability risk level of the node is a third level, setting the third period as the scanning period of the corresponding node, wherein the first period is greater than the second period, and the second period is greater than the third period. In this embodiment, the minimum scan period may be T, and for a node with a high risk level, the scan period may be T; for nodes with a medium risk level, the scan period may be 2T; for nodes with a low risk level, the scan period may be 3T.
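The scoring chain of steps S31 to S33 and the period selection of step S14 can be followed in this added example, which is not code from the patent. The formula for $p_i$ is not reproduced on this page, so the weighted sum used here is an assumption chosen because it matches the stated range [1, 3]; the scores are taken as already looked up with a higher score meaning easier exploitation, and the sample nodes, the scan type for the medium level and the names `Vuln`, `scan_plan` and `POLICY` are likewise assumptions.

```python
from dataclasses import dataclass

ALPHA, BETA, GAMMA = 0.6, 0.3, 0.1   # example weights from the text; sum is 1


@dataclass(frozen=True)
class Vuln:
    ds: int    # defense strength score DS_i, 1..3
    da: int    # vulnerability occurrence probability score DA_i, 1..3
    ac: int    # attack cost score AC_i, 1..3
    v: float   # actual value V_i of the component holding the vulnerability
    a: float   # influence coefficient A_i of the attack mode


def exploit_probability(vuln):
    """p_i in [1, 3]. ASSUMPTION: weighted sum of the three scores; the
    original formula is not reproduced on the page, only its range is."""
    for score in (vuln.ds, vuln.da, vuln.ac):
        if not 1 <= score <= 3:
            raise ValueError(f"score {score} is outside [1, 3]")
    return ALPHA * vuln.ds + BETA * vuln.da + GAMMA * vuln.ac


def exploit_value(vuln):
    """q_i = V_i x A_i."""
    return vuln.v * vuln.a


def node_risk(vulns):
    """Sum of P = p_i x q_i over every vulnerability on the node."""
    return sum(exploit_probability(x) * exploit_value(x) for x in vulns)


def risk_level(risk):
    """Table 7: (0, 3] low, (3, 6] medium, (6, 10] high."""
    if risk <= 0:
        raise ValueError("Table 7 only covers risk values above 0")
    if risk <= 3:
        return "low"
    if risk <= 6:
        return "medium"
    # ASSUMPTION: a summed value above 10 (several vulnerabilities on one
    # node) is also treated as high; Table 7 stops at 10.
    return "high"


# Multiplier of the minimum period T and scan type per level. The scan type
# for "medium" is not stated in the text; "full" is assumed here.
POLICY = {"high": (1, "full"), "medium": (2, "full"), "low": (3, "partial")}


def scan_plan(nodes, t_hours):
    """Map each node name to its risk value, level, scan period and type."""
    plan = {}
    for name, vulns in nodes.items():
        risk = node_risk(vulns)
        level = risk_level(risk)
        multiplier, scan_type = POLICY[level]
        plan[name] = {"risk": round(risk, 2), "level": level,
                      "period_hours": multiplier * t_hours,
                      "scan_type": scan_type}
    return plan


# Constructed sample nodes; all scores and coefficients are made up.
SAMPLE_NODES = {
    "PLC3": [Vuln(ds=3, da=3, ac=3, v=3, a=1.0)],
    "r1": [Vuln(ds=2, da=2, ac=2, v=2, a=0.8),
           Vuln(ds=1, da=2, ac=1, v=2, a=0.6)],
    "p1": [Vuln(ds=1, da=1, ac=1, v=1, a=0.6)],
}

if __name__ == "__main__":
    for name, entry in scan_plan(SAMPLE_NODES, t_hours=24).items():
        print(name, entry)
```

Because a node's risk value is the sum over its vulnerabilities, it can exceed the upper bound of Table 7; the example classifies such nodes as high rather than rejecting them.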
An embodiment of the present invention provides a scanning apparatus for a node vulnerability, as shown in fig. 6, including:
the information acquisition module 51 is configured to acquire industrial control system vulnerability information, vulnerability scanning information of a target industrial control system, and network topology information of the target industrial control system; the detailed implementation can be referred to the related description of step S11 in the above method embodiment.
The attack graph generation module 52 is configured to generate a target attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system, and the network topology information of the target industrial control system, where the target attack graph is used to represent attack path information between nodes in the target industrial control system; the detailed implementation can be referred to the related description of step S12 in the above method embodiment.
The vulnerability risk level determination module 53 is used for respectively calculating vulnerability risk levels of all nodes in the target industrial control system according to the target attack graph; the detailed implementation can be referred to the related description of step S13 in the above method embodiment.
And a scanning policy determining module 54, configured to determine a vulnerability scanning policy of the target system according to the vulnerability risk level of each node. The detailed implementation can be referred to the related description of step S14 in the above method embodiment.
The invention provides a scanning device of a node vulnerability, which comprises: the information acquisition module 51 is configured to acquire industrial control system vulnerability information, vulnerability scanning information of a target industrial control system, and network topology information of the target industrial control system; the attack graph generation module 52 is configured to generate a target attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system, and the network topology information of the target industrial control system, where the target attack graph is used to represent attack path information between nodes in the target industrial control system; the vulnerability risk level determination module 53 is used for respectively calculating vulnerability risk levels of all nodes in the target industrial control system according to the target attack graph; and a scanning policy determining module 54, configured to determine a vulnerability scanning policy of the target system according to the vulnerability risk level of each node.
By implementing the method, the vulnerability risk level of each node in the industrial control system is calculated by combining the target attack graph, so that the corresponding vulnerability scanning strategy is determined according to the vulnerability risk level of each node, different scanning strategies are designed for the nodes with different risk levels, higher safety protection levels can be provided for the nodes with high risk levels, and the overall safety of the system is improved; meanwhile, scanning of low-risk level nodes is reduced, system resources are saved, and influence on normal operation of the system is reduced.
An embodiment of the present invention further provides a computer device. As shown in fig. 7, the computer device may include a processor 61 and a memory 62, where the processor 61 and the memory 62 may be connected by a bus 60 or in another manner; fig. 7 takes connection by the bus 60 as an example.
The processor 61 may be a Central Processing Unit (CPU). The Processor 61 may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, or combinations thereof.
The memory 62 is a non-transitory computer readable storage medium, and can be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the method for scanning node vulnerabilities in the embodiment of the present invention. The processor 61 executes various functional applications and data processing of the processor by running non-transitory software programs, instructions and modules stored in the memory 62, that is, implements the scanning method of the node vulnerability in the above method embodiments.
The memory 62 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 61, and the like. Further, the memory 62 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 62 may optionally include memory located remotely from the processor 61, and these remote memories may be connected to the processor 61 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 62, and when executed by the processor 61, perform a method for scanning for node vulnerabilities as in the embodiment shown in fig. 1.
The details of the computer device can be understood with reference to the corresponding related descriptions and effects in the embodiment shown in fig. 1, and are not described herein again.
The embodiment of the present invention further provides a non-transitory computer readable medium, where the non-transitory computer readable storage medium stores a computer instruction, and the computer instruction is used to enable a computer to execute the method for scanning a node vulnerability described in any one of the above embodiments, where the storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviation: HDD), or a Solid-State Drive (SSD); the storage medium may also comprise a combination of memories of the kind described above.
It should be understood that the above examples are given only for clarity of illustration and are not intended to limit the embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. It is neither necessary nor possible to enumerate all embodiments here. Obvious variations or modifications derived therefrom remain within the scope of the invention.

Claims (12)

1. A method for scanning a node vulnerability includes:
acquiring industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system;
generating a target attack graph according to the industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system, wherein the target attack graph is used for representing attack path information among all nodes in the target industrial control system;
respectively calculating the vulnerability risk level of each node in the target industrial control system according to the target attack graph;
and determining a vulnerability scanning strategy of the target system according to the vulnerability risk level of each node.
2. The method of claim 1, wherein the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system, and the network topology information of the target industrial control system are determined by:
acquiring vulnerability information of the industrial control system according to a preset vulnerability database;
and determining vulnerability scanning information of the target industrial control system and network topology information of the target industrial control system according to a preset scanning tool and the target industrial control system.
3. The method of claim 1, wherein generating a target attack graph according to the industrial control system vulnerability information, vulnerability scanning information of a target industrial control system, and network topology information of the target industrial control system comprises:
generating an initial attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system and the network topology information of the target industrial control system;
and carrying out node screening on the initial attack graph to generate a target attack graph.
4. The method of claim 3, wherein the node screening the initial attack graph to generate a target attack graph comprises:
and combining the nodes belonging to the same host in the initial attack graph to generate a target attack graph.
5. The method according to claim 1, wherein the calculating, according to the target attack graph, vulnerability risk levels of nodes in the target industrial control system respectively comprises:
respectively determining the vulnerability exploited probability and vulnerability exploitation value of each node according to the target attack graph and a preset vulnerability value taking table;
determining vulnerability risk values of all nodes according to the vulnerability exploited probability and the vulnerability exploitation value;
and respectively determining the vulnerability risk level of each node according to the vulnerability risk value of each node and a preset risk analysis database.
6. The method according to claim 5, wherein the determining the exploit probability and the exploit value of each node according to the target attack graph and a preset exploit value table respectively comprises:
extracting defense strength information, attack cost information and vulnerability occurrence probability information of each node from the target attack graph;
determining the vulnerability utilization probability of each node according to the defense strength information, the attack cost information, the vulnerability occurrence probability information and the preset vulnerability value-taking table;
extracting actual value information and vulnerability attack mode information of each node from the target attack graph;
and determining the vulnerability utilization value of each node according to the actual value information of the vulnerability, the vulnerability attack mode information and the preset vulnerability value-taking table.
7. The method of claim 5, wherein the vulnerability risk value is determined by the following formula:
$P = p_i \times q_i$,
wherein $P$ represents the vulnerability risk value, $p_i$ represents the probability that vulnerability i is exploited, and $q_i$ represents the exploitation value of vulnerability i.
8. The method according to claim 1, wherein determining a vulnerability scanning policy of a target system according to the vulnerability risk level of each node comprises:
determining a scanning period of the vulnerability scanning strategy according to the vulnerability risk level of each node;
and/or determining the scanning type of the vulnerability scanning strategy according to the vulnerability risk level of each node.
9. The method according to claim 8, wherein the determining a scanning period of the vulnerability scanning policy according to the vulnerability risk level of each node comprises:
when the vulnerability risk level of the node is a first level, setting a first period as a scanning period of the corresponding node;
when the vulnerability risk level of the node is a second level, setting a second period as a scanning period of the corresponding node;
and when the vulnerability risk level of the node is a third level, setting a third period as a scanning period of the corresponding node, wherein the first period is greater than the second period, and the second period is greater than the third period.
10. A scanning device of a node vulnerability is characterized by comprising:
the information acquisition module is used for acquiring industrial control system vulnerability information, vulnerability scanning information of a target industrial control system and network topology information of the target industrial control system;
the attack graph generation module is used for generating a target attack graph according to the industrial control system vulnerability information, the vulnerability scanning information of the target industrial control system and the network topology information of the target industrial control system, wherein the target attack graph is used for representing attack path information among all nodes in the target industrial control system;
the vulnerability risk level determination module is used for respectively calculating vulnerability risk levels of all nodes in the target industrial control system according to the target attack graph;
and the scanning strategy determining module is used for determining the vulnerability scanning strategy of the target system according to the vulnerability risk level of each node.
11. A computer device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the one processor to cause the at least one processor to perform the steps of the method of scanning for node vulnerabilities of any of claims 1-9.
12. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of scanning for node vulnerabilities according to any one of claims 1 to 9.
CN202011481027.9A 2020-12-15 2020-12-15 Node vulnerability scanning method and device and computer equipment Pending CN112632555A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011481027.9A CN112632555A (en) 2020-12-15 2020-12-15 Node vulnerability scanning method and device and computer equipment

Publications (1)

Publication Number Publication Date
CN112632555A (en) 2021-04-09

Family

ID=75313360

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011481027.9A Pending CN112632555A (en) 2020-12-15 2020-12-15 Node vulnerability scanning method and device and computer equipment

Country Status (1)

Country Link
CN (1) CN112632555A (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090113552A1 (en) * 2007-10-24 2009-04-30 International Business Machines Corporation System and Method To Analyze Software Systems Against Tampering
CN103685258A (en) * 2013-12-06 2014-03-26 北京奇虎科技有限公司 Method and device for fast scanning website loopholes
CN105681338A (en) * 2016-03-04 2016-06-15 西北大学 Vulnerability exploiting success probability calculation method and network security risk management method
CN106709613A (en) * 2015-07-16 2017-05-24 中国科学院信息工程研究所 Risk assessment method suitable for industrial control system
WO2018002484A1 (en) * 2016-07-01 2018-01-04 Orange Method and device for monitoring the security of an information system
CN109218304A (en) * 2018-09-12 2019-01-15 北京理工大学 A kind of network risks blocking-up method based on attack graph and coevolution
CN109302380A (en) * 2018-08-15 2019-02-01 全球能源互联网研究院有限公司 A kind of safety protection equipment linkage defense strategy Intelligent Decision-making Method and system
CN109977678A (en) * 2017-12-28 2019-07-05 天津市向华生产力促进有限公司 A kind of system vulnerability methods of risk assessment
CN110572409A (en) * 2019-09-16 2019-12-13 国家计算机网络与信息安全管理中心 Industrial Internet security risk prediction method, device, equipment and storage medium

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113824680A (en) * 2021-07-26 2021-12-21 北京墨云科技有限公司 Network security analysis method and device, computer equipment and storage medium
CN114039742A (en) * 2021-09-26 2022-02-11 北京华云安信息技术有限公司 Vulnerability management method, system, device and storage medium
CN113660296A (en) * 2021-10-21 2021-11-16 中国核电工程有限公司 Method and device for detecting anti-attack performance of industrial control system and computer equipment
CN114301647A (en) * 2021-12-20 2022-04-08 上海纽盾科技股份有限公司 Prediction defense method, device and system for vulnerability information in situation awareness
CN114301647B (en) * 2021-12-20 2024-05-10 上海纽盾科技股份有限公司 Method, device and system for predicting and defending vulnerability information in situation awareness
CN115333864A (en) * 2022-10-14 2022-11-11 北京珞安科技有限责任公司 Industrial control vulnerability scanning method and system
CN115333864B (en) * 2022-10-14 2023-01-10 北京珞安科技有限责任公司 Industrial control vulnerability scanning method and system
CN116684205A (en) * 2023-08-03 2023-09-01 北京立思辰安科技术有限公司 Method, medium and equipment for obtaining network system abnormality degree
CN116684205B (en) * 2023-08-03 2023-09-29 北京立思辰安科技术有限公司 Method, medium and equipment for obtaining network system abnormality degree

Similar Documents

Publication Publication Date Title
CN112632555A (en) Node vulnerability scanning method and device and computer equipment
CN106790186B (en) Multi-step attack detection method based on multi-source abnormal event correlation analysis
CN110505241B (en) Network attack plane detection method and system
US11522902B2 (en) Reliability calculation apparatus, reliability calculation method and program
Yi et al. An intelligent communication warning vulnerability detection algorithm based on IoT technology
Kotenko et al. The CAPEC based generator of attack scenarios for network security evaluation
CN112926055B (en) Virus attack defending method based on time probability attack graph
CN111049827A (en) Network system safety protection method, device and related equipment
CN112749097B (en) Performance evaluation method and device for fuzzy test tool
CN110289995A (en) Based on the social networks behavior monitoring method and device using attribute attack graph
Canonico et al. Industrial cyber-physical systems protection: A methodological review
Diao et al. Dynamic probabilistic risk assessment for electric grid cybersecurity
CN111191230B (en) Rapid network attack backtracking mining method and application based on convolutional neural network
CN115333806A (en) Penetration test attack path planning method and device, electronic equipment and storage medium
CN115955329A (en) Network security protection method, terminal and storage medium
CN114935923A (en) New energy edge industrial control system vulnerability detection method based on raspberry group
Novoa et al. A Game-Theoretic Two-Stage Stochastic Programing Model to Protect CPS against Attacks.
CN114039837A (en) Alarm data processing method, device, system, equipment and storage medium
CN114528552A (en) Security event correlation method based on vulnerability and related equipment
Liu et al. SEAG: A novel dynamic security risk assessment method for industrial control systems with consideration of social engineering
Yadav et al. Vulnerability management in IIoT-based systems: What, why and how
CN114257415B (en) Network attack defending method, device, computer equipment and storage medium
US20240152604A1 (en) System and method for automatically generating playbook and verifying validity of playbook based on artificial intelligence
CN115580426B (en) Threat detection method, system, memory and equipment for 5G power business system
CN111817908B (en) Node penetration testing method and device based on reinforcement learning and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210409