CN113486352B - Industrial control network-oriented quantitative evaluation method and system for influence of multi-mode attack mode on state of industrial control system - Google Patents


Info

Publication number
CN113486352B
Authority
CN
China
Prior art keywords
state
industrial control
control system
attack
type variable
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110698293.5A
Other languages
Chinese (zh)
Other versions
CN113486352A (en
Inventor
徐丽娟
王英龙
杨美红
吴晓明
赵大伟
王浩玉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Computer Science Center National Super Computing Center in Jinan
Original Assignee
Shandong Computer Science Center National Super Computing Center in Jinan
Application filed by Shandong Computer Science Center National Super Computing Center in Jinan
Priority to CN202110698293.5A
Publication of CN113486352A
Application granted
Publication of CN113486352B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

The invention relates to a method and a system for quantitatively evaluating the influence of multi-mode attacks against an industrial control network on the state of an industrial control system. The method comprises the following steps: (1) preliminarily describing and extracting the state features, i.e. the industrial control system state data set, and acquiring the state data segmentation points; (2) clustering the state features; (3) constructing a state transition probability graph; (4) quantitatively evaluating the influence on the system state based on abnormal features and damage-degree indexes. The method covers a variety of industrial control network attack strategies and, taking state anomaly features as the main indexes, quantitatively evaluates the actual state changes of the system in the attack implementation stage and the attack termination stage, which addresses the difficulty of accurately evaluating the influence of different attack strategies on the system state. The invention provides an evaluation formula for the influence of an attack strategy on the system state, and evaluates the state anomaly features in correlation with the threat damage degree, yielding an evaluation result that is more consistent with the actual state influence.

Description

Industrial control network-oriented quantitative evaluation method and system for influence of multi-mode attack mode on state of industrial control system
Technical Field
The invention relates to a method and a system for quantitatively evaluating the influence of multi-mode attacks against an industrial control network on the state of an industrial control system, and belongs to the technical field of information security.
Background
The engineer station, the human-machine interface (HMI), the control equipment, the sensors, the controlled equipment and other components of an industrial control network, as well as the communication network between them, can all be attacked. Scholars began early to study the influence of physical attacks, man-in-the-middle attacks, denial-of-service attacks, hidden attacks and the like on industrial control networks. In 2009 Yu established a method that describes an attack threat model in terms of attacks on the command u and attacks on the sensor parameters y, carried out denial-of-service and man-in-the-middle attacks, and verified the impact of the different attack modes on each parameter by analyzing graphs for a specific chemical reactor system. Krotofil's empirical analysis of the challenges the Tennessee Eastman process faces under cyber-physical attacks investigated the impact on sensors of integrity attacks and denial-of-service attacks, and showed that the resilience of process systems under cyber-physical attacks can be improved using process-aware security analysis. Chen studied data tampering attacks and analyzed the associated line graphs. Liu used a cyber-power modeling and simulation test bed to analyze the effects of three different network events on the physical grid and displayed the results as line graphs. Urbin quantified the influence of hidden attacks and proposed a detection method that reduces the influence of such attacks. Most of the above work studies the influence of attacks on the system state by observation and lacks a quantitative evaluation method.
Work on the impact of semantic attacks on systems has attracted attention only in recent years. Li proposed an attack-impact ranking model for the wrong-sequence logic attack among semantic attacks, evaluating the degree to which an attack mode affects the industrial control system with three indexes: impact duration, distance from normal behavior, and damage degree; this method ignores the correlation among the indexes. Tian predicted the influence of attacks on a cyber-physical system using a stochastic hybrid physical model based on a Bayesian network, described the industrial control system as a discrete-time linear time-invariant system, and analyzed, inferred and calculated the changes of the system variables from a theoretical perspective; in actual production, however, the accuracy of the system state is affected by physical equipment wear, communication delay and similar conditions. Cui, from the perspective of the attacked node, divided attacks into simultaneous attacks, sequential attacks and combined attacks, proposed a cyber-physical fault model, and studied the influence of these attacks from a theoretical perspective.
Research on attack-impact evaluation has important theoretical value and practical significance for identifying attack intentions. The work of the above scholars has advanced the analysis of equipment state impact under semantic attacks, but research carried out in a concrete security attack-and-defense range environment is relatively rare.
However, under an industrial control network attack the equipment passes through multiple stages, 'normal operation → attack in progress → attack ended', and the state changes in each stage have varied characteristics. Existing attack-impact research lacks evaluation and analysis of how the state features of the system change in each stage under different attack strategies, and existing research on the impact of semantic attacks lacks correlated evaluation and analysis of state anomaly features and threat damage degree.
Disclosure of Invention
To address the shortcomings of the prior art, the invention provides a method for quantitatively evaluating the influence of industrial-control-network-oriented multi-mode attacks on the state of an industrial control system.
The invention also provides a system for quantitatively evaluating the influence of industrial-control-network-oriented multi-mode attacks on the state of an industrial control system.
The invention describes equipment state transitions and their probabilities by constructing a state transition probability graph, and builds a quantitative evaluation formula that uses the state anomaly types (state existence anomaly, state transition anomaly, state duration anomaly, state transition frequency anomaly, etc.) as indexes, thereby quantitatively evaluating the influence on the system state.
Interpretation of terms:
1. Industrial control network: a network technology for the automatic control field developed in recent years, combining computer networking, communication technology and automatic control technology. The industrial control network follows the development trend and requirements of enterprise information integration systems and integrated management-and-control systems; it is an extension of IT into the automatic control field and serves as the local area network of that field. At present, industrial control networks include field buses, industrial Ethernet, industrial wireless networks and the like. As defined by the International Electrotechnical Commission standard IEC 61158, a fieldbus is a data bus for digital, serial, multipoint communication between field devices installed in a manufacturing or process area and automation devices in a control room. Industrial Ethernet is Ethernet technology applied to industrial control; it is technically compatible with commercial Ethernet (i.e. the IEEE 802.3 standard), but the actual products and applications are completely different. The main reason is that ordinary commercial Ethernet products are not designed to meet the requirements of an industrial site in terms of material selection, product strength, applicability, real-time behavior, interoperability, reliability, interference immunity, intrinsic safety and the like.
2. Industrial control system: short for Industrial Control System (ICS). It is the general name for various control systems, including supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS), and is the brain and central nervous system of nationally critical infrastructure in energy industries such as electric power, petroleum and petrochemicals, and nuclear energy; transportation industries such as aviation, railways and highways; and urban public utilities such as water treatment and subways.
3. State anomaly: when the industrial control system operates normally, the state feature set obtained is called the normal state feature set; when the industrial control system is attacked, the state feature set obtained is called the attack state feature set. If a state belongs to the attack state feature set but does not exist in the normal state feature set, the state is considered an abnormal state.
4. Time-delay anomaly: the duration of a state is referred to as the delay of the state. When the industrial control system operates normally, the state feature set obtained is called the normal state feature set; when the industrial control system is attacked, the state feature set obtained is called the attack state feature set. When the equipment state is an abnormal state, the state closest to the abnormal state is searched for in the normal state feature set; if the weight of the time delay of the abnormal state in that closest distance exceeds a threshold, the state is considered a time-delay anomaly state.
5. Conversion (transition) anomaly: when the industrial control system operates normally, the state feature set obtained is called the normal state feature set; when the industrial control system is attacked, the state feature set obtained is called the attack state feature set. If states a and b exist in both the normal state feature set and the attack state feature set, and a and b are adjacent in the attack state feature set but other states lie between a and b in the normal state feature set, then the transition from state a to state b is considered a conversion anomaly.
6. Frequency anomaly: when the industrial control system operates normally, the state feature set obtained is called the normal state feature set; when the industrial control system is attacked, the state feature set obtained is called the attack state feature set. If states a and b exist in both the normal state feature set and the attack state feature set and the transition from state a to state b is a normal transition, but the transition frequency from a to b computed in the attack state feature set is lower or higher than the transition frequency computed in the normal state feature set, this is called a frequency anomaly.
7. Water distribution system raw state data set: the water distribution system used by the invention is a simulated SCADA (supervisory control and data acquisition) system for urban water services. The raw state data set of the system includes: data acquisition time, water level of tank 1, water level of tank 2, water level of tank 3, water pipe 1 switch (open 1; closed 0), water pipe 2 switch (open 1; closed 0), valve 1 switch (open 1; closed 0), valve 2 switch (open 1; closed 0), and the like.
The technical scheme of the invention is as follows:
A method for quantitatively evaluating the influence of industrial-control-network-oriented multi-mode attacks on the state of an industrial control system comprises the following steps:
(1) preliminarily describing and extracting the state features, i.e. the industrial control system state data set, and acquiring the state data segmentation points;
(2) clustering the state features;
(3) constructing a state transition probability graph;
(4) quantitatively evaluating the influence on the system state based on abnormal features and damage-degree indexes.
According to the invention, step (1) is specifically implemented as follows:
A. preliminary description of the industrial control system state data set, namely:
the industrial control system state data set is expressed as $DS = \{CM, D, TDS\}$,
Figure BDA0003128679870000031
Figure BDA0003128679870000032
TDS represents a time period, where $tds_i$ denotes a specific time, $i = 1, 2, \ldots, n_t$; $n_t$ is the number of time instants and also the length of the time period TDS;
Figure BDA0003128679870000033
CM denotes a set of continuous type variables in the industrial control system within the TDS period,
Figure BDA0003128679870000034
represents a continuous-type variable in the industrial control system within the TDS time period, and $n_c$ is the number of continuous-type variables; D denotes the set of discrete-type variables in the industrial control system within the TDS time period,
Figure BDA0003128679870000035
represents a discrete-type variable in the industrial control system within the TDS time period, and $n_d$ is the number of discrete-type variables;
Therefore,
Figure BDA0003128679870000041
Figure BDA0003128679870000042
Figure BDA0003128679870000043
respectively denote the continuous-type variables and discrete-type variables collected at time $tds_j$;
B. extracting the state data set of the industrial control system, namely:
the data in CM are z-score normalized using formula (I):
Figure BDA0003128679870000044
In formula (I),
Figure BDA0003128679870000045
Figure BDA0003128679870000046
$n_i$ is the number of elements in $c_i$,
Figure BDA0003128679870000047
obtaining a new continuous state data set by formula (I)
Figure BDA0003128679870000048
C. Acquiring state data segmentation points, comprising:
a. traverse the discrete-type variable set D; whenever the discrete variables in D change, put the sequence number at which the change starts into the discrete-type variable division point list disList;
b. traverse the new continuous state data set C′ and compute $\Delta cc_i = c'_{i+1} - c'_i$ and $\Delta cc_{i+1} = c'_{i+2} - c'_{i+1}$; if $\Delta cc_i \ge 0$ and $\Delta cc_{i+1} < 0$, or $\Delta cc_i < 0$ and $\Delta cc_{i+1} \ge 0$, put i into the continuous-type variable division point list consList;
c. merge the data in disList and consList to obtain sPts;
d. traverse disList and, for each element dPt, perform operations e through f as follows:
e. find the element preceding dPt in sPts, denoted pPt, and find in consList the continuous-type variable index corresponding to pPt, denoted cIdx; in the new continuous variable data set
Figure BDA0003128679870000049
find the continuous variable corresponding to cIdx, denoted $c'_{cIdx}$. By formula (I), $c'_{cIdx}$ is a time series of length $n_t$; count the values of $c'_{cIdx}$ that lie in the interval [pPt, dPt]. If that count is 1, delete pPt from sPts; otherwise perform operation f;
f. find the index in sPts of the element following dPt, denoted nIdx; while nIdx is less than the total number of elements in sPts, loop through operations f-1 to f-3 below; otherwise, exit the loop;
f-1. find the element of sPts at index nIdx, denoted nPt;
f-2. find in consList the continuous-type variable index corresponding to nPt, denoted cIdx;
f-3. count the values of the continuous-type variable $c'_{cIdx}$ that lie in the interval [dPt, nPt]; if that count is 1 or 2, delete nPt from sPts; otherwise exit the loop;
D. feature extraction, namely:
g. traverse each element $Pt_i$ in sPts together with the element after it, $Pt_{i+1}$, and compute each time slice $\Delta PT_i = Pt_{i+1} - Pt_i$; let the number of time slices be $m_t$. Denote $\Delta PT_i$ as
Figure BDA00031286798700000410
$i = 1, 2, \ldots, m_t$; this forms a new time slice set
Figure BDA00031286798700000411
h. traverse each time slice
Figure BDA0003128679870000051
the set of all discrete variables after time slicing is
Figure BDA0003128679870000052
where
Figure BDA0003128679870000053
Figure BDA0003128679870000054
is, within time slice
Figure BDA0003128679870000055
, the collected discrete-type variable set; all continuous-type variable sets after time-slice division are denoted
Figure BDA0003128679870000056
Figure BDA0003128679870000057
Figure BDA0003128679870000058
denotes, within time slice
Figure BDA0003128679870000059
, the collected continuous-type variable set;
As can be seen from the time-slice division process of steps A-C, within time slice
Figure BDA00031286798700000510
the discrete-type variables are identical;
Figure BDA00031286798700000511
denotes, within time slice
Figure BDA00031286798700000512
, a particular element of any one of the discrete-variable sets
Figure BDA00031286798700000513
; therefore, use
Figure BDA00031286798700000514
to represent
Figure BDA00031286798700000515
At this point,
Figure BDA00031286798700000516
Figure BDA00031286798700000517
i. for each time slice
Figure BDA00031286798700000518
compute
Figure BDA00031286798700000519
where $j \in [1, n_c]$, $i \in [1, m_t]$;
Figure BDA00031286798700000520
is, within time slice
Figure BDA00031286798700000521
, the maximum value in the collected continuous-type variable set,
Figure BDA00031286798700000522
is, within time slice
Figure BDA00031286798700000523
, the minimum value in the collected continuous-type variable set;
Figure BDA00031286798700000524
denotes, for the continuous-type variable set
Figure BDA00031286798700000525
within time slice
Figure BDA00031286798700000526
, the slope;
j. the device state feature description set obtained is finally expressed as
Figure BDA00031286798700000527
where
Figure BDA00031286798700000528
The device state feature set is the final set obtained through steps a-j,
Figure BDA00031286798700000529
The state data are the equipment state data acquired directly from the industrial control system; they are the input data of step A and the data source from which the state feature data are obtained.
Further preferably, step a is specifically implemented as follows:
a-1. set i = 1;
a-2. judge whether $i = n_d$ holds; if so, exit; otherwise, perform step a-3;
a-3. judge whether $d_i = d_{i+1}$ holds; if not, put i+1 into the discrete-type variable division point list disList and perform step a-4; if so, perform step a-4 directly;
a-4. add 1 to i and return to step a-2.
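Steps C.a to C.c and step g above, written out as an added Python example (not code from the patent). The tank level and valve samples are constructed, indices are 0-based rather than the 1-based indices of the text, the population standard deviation is assumed for the z-score of formula (I), and the pruning of steps d to f is not applied.

```python
from statistics import mean, pstdev


def zscore(series):
    """z-score normalisation of one continuous variable (formula (I)).

    Assumption: population standard deviation; a constant series maps to zeros.
    """
    mu, sigma = mean(series), pstdev(series)
    if sigma == 0:
        return [0.0] * len(series)
    return [(x - mu) / sigma for x in series]


def discrete_split_points(rows):
    """Step a (a-1 .. a-4): index of the first sample after each change.

    rows[i] is the tuple of all discrete variables sampled at time i.
    """
    return [i + 1 for i in range(len(rows) - 1) if rows[i] != rows[i + 1]]


def continuous_split_points(series):
    """Step b: index i at which the sign of consecutive differences flips."""
    points = []
    for i in range(len(series) - 2):
        d0 = series[i + 1] - series[i]
        d1 = series[i + 2] - series[i + 1]
        if (d0 >= 0 and d1 < 0) or (d0 < 0 and d1 >= 0):
            points.append(i)
    return points


def split_points(continuous, discrete):
    """Steps a-c: return (disList, consList per variable, merged sPts)."""
    dis_list = discrete_split_points(discrete)
    cons_list = {name: continuous_split_points(zscore(values))
                 for name, values in continuous.items()}
    merged = set(dis_list)
    for pts in cons_list.values():
        merged.update(pts)
    return dis_list, cons_list, sorted(merged)


def time_slices(s_pts):
    """Step g: length of each slice between neighbouring split points."""
    return [b - a for a, b in zip(s_pts, s_pts[1:])]


# Constructed sample: one tank level (continuous) and one valve switch (discrete).
TANK_LEVEL = [1.0, 2.0, 3.0, 4.0, 3.0, 2.0, 1.0, 2.0, 3.0]
VALVE = [(1,), (1,), (1,), (1,), (0,), (0,), (0,), (1,), (1,)]

if __name__ == "__main__":
    dis, cons, s_pts = split_points({"tank1": TANK_LEVEL}, VALVE)
    print("disList :", dis)
    print("consList:", cons)
    print("sPts    :", s_pts)
    print("slices  :", time_slices(s_pts))
```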
Preferably, in step (2), clustering the state features comprises:
k. initialize: for the elements of the device state feature set
Figure BDA00031286798700000530
where $j \in [1, m_t]$, the corresponding cluster-number set Clrs is empty, the radius expansion threshold rThrd ∈ [0.02, 0.1], and the radius expansion range rRange ∈ [1.05, 1.35];
l. from
Figure BDA00031286798700000531
select the point with the maximum distance from all the points as the first center point, and put it into the center point set Cts;
m. calculate, for
Figure BDA0003128679870000061
the minimum distance between each other element of the set and the elements of the center point set, forming the set dList;
n. select the element iCtr corresponding to the maximum distance in dList, and add iCtr to Cts;
o. set the update flag to true;
p. while flag is true, repeat the following steps p-1 to p-5; otherwise, exit:
p-1. assign false to flag;
p-2. traverse
Figure BDA0003128679870000062
each element
Figure BDA00031286798700000615
Figure BDA0003128679870000063
$i = 1, \ldots, m_t$; in Cts, find the element with the minimum distance to
Figure BDA0003128679870000064
record the index of that element as c, and record the minimum distance minDist and c;
p-3. if Clrs[i] ≠ c, set Clrs[i] = c, assign true to flag, and perform step p-4; otherwise, perform step p-4 directly;
p-4. update each center point in Cts to the mean of all elements of
Figure BDA0003128679870000065
that belong to its cluster;
p-5. for each element Cts[j] in Cts, perform p-5-1 to p-5-2:
p-5-1. Rs[j] is, over
Figure BDA0003128679870000066
all elements belonging to cluster j, the maximum distance to the center point Cts[j];
p-5-2. if Rs[j] = 0, then compute Rs[j] = 0 + rThrd; otherwise Rs[j] = 0 × rRange;
After clustering
Figure BDA0003128679870000067
with the above clustering method, the cluster center points are taken as states, forming a new state feature set
Figure BDA0003128679870000068
where $m_s$ is the number of clusters.
More preferably, the radius expansion threshold rThrd is 0.06 and the radius expansion range rRange is 1.2.
Further preferably, in
Figure BDA0003128679870000069
for any two points
Figure BDA00031286798700000610
the distance between them,
Figure BDA00031286798700000611
is given by formula (II):
Figure BDA00031286798700000612
According to the invention, step (3) is specifically implemented as follows:
The state transition probability graph is represented as $G = \{V, P(TR)\}$, where $V = \{v_1, v_2, \ldots, v_n\}$ denotes the vertex set of the state transition probability graph, i.e. the new state feature set S generated in step (2); $TR = \{TR_{i \to j},\ i, j \in [1, n]\}$, where $TR_{i \to j}$ denotes the transition relation from state $v_i$ to state $v_j$; and $P(TR) = \{P(TR_{i \to j}),\ i, j \in V\}$,
Figure BDA00031286798700000613
denotes the transition probability from state $v_i$ to state $v_j$, where $num(TR_{i \to j})$ is the number of $TR_{i \to j}$ state transitions and $num(TR) = \sum_{i,j \in V} num(TR_{i \to j})$ is the total number of state transitions;
the states stored in the new state feature set S generated in step (2),
Figure BDA00031286798700000614
are the vertices V of the state transition probability graph; according to
Figure BDA0003128679870000071
the transition probability set $P(TR)$ is generated from the transition relations between the states.
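An added Python example (not the patent's code) that builds the state transition probability graph for a normal run and an attack run and applies the state, conversion and frequency anomaly definitions from the terms section. The state labels and sequences are constructed, $P(TR_{i \to j})$ is assumed to be $num(TR_{i \to j}) / num(TR)$, the transition frequency is taken to be that probability, and the tolerance `tol` is an assumption added so that small differences are not reported; the time-delay anomaly is not covered.

```python
from collections import Counter


def transition_graph(states):
    """Return (V, P) for a sequence of clustered states, one per time slice.

    Assumption: P(TR_i->j) = num(TR_i->j) / num(TR), where num(TR) is the
    total number of observed transitions.
    """
    counts = Counter(zip(states, states[1:]))
    total = sum(counts.values())
    probs = {edge: n / total for edge, n in counts.items()}
    return set(states), probs


def classify_anomalies(normal, attack, tol=0.1):
    """Compare the attack graph with the normal graph.

    tol is a hypothetical tolerance on the probability difference; the text
    only says the attack frequency is smaller or larger than the normal one.
    """
    v_nor, p_nor = transition_graph(normal)
    v_att, p_att = transition_graph(attack)

    # State anomaly: state seen under attack but absent from the normal set.
    state = sorted(v_att - v_nor)

    conversion, frequency = [], []
    for (a, b), p in sorted(p_att.items()):
        if a not in v_nor or b not in v_nor:
            continue  # edge touches an abnormal state, reported above
        if (a, b) not in p_nor:
            # Conversion anomaly: a -> b adjacent under attack, never in normal.
            conversion.append((a, b))
        elif abs(p - p_nor[(a, b)]) > tol:
            # Frequency anomaly: normal transition with a shifted frequency.
            frequency.append((a, b))
    return {"state": state, "conversion": conversion, "frequency": frequency}


# Constructed state sequences for a water tank: normal cycle and attacked run.
NORMAL = ["fill", "hold", "drain"] * 3
ATTACK = ["fill", "hold", "drain", "fill", "drain",
          "fill", "overflow", "drain", "fill", "hold"]

if __name__ == "__main__":
    for kind, found in classify_anomalies(NORMAL, ATTACK).items():
        print(kind, found)
```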
Preferably, in step (4), the influence on the system state is quantitatively evaluated with an attack-impact quantitative evaluation method based on the fused analysis of abnormal features and damage-degree indexes, specifically implemented as follows:
In this method, for different continuous-type variables such as temperature, humidity and height, the weights corresponding to the degree of damage to the industrial control system state are denoted Weit,
Figure BDA0003128679870000072
which satisfies the following condition:
Figure BDA0003128679870000073
State anomalies, time-delay anomalies, conversion anomalies and frequency anomalies are quantitatively evaluated using the following formulas:
When the system operates normally, the state data set $DS_{nor} = \{CM_{nor}, D_{nor}, TDS_{nor}\}$ is obtained, each item of which corresponds one-to-one to the normal-state industrial control system state data set $DS = \{CM, D, TDS\}$; steps a to p are executed to obtain the state feature set
Figure BDA0003128679870000074
where $ms_{nor}$ is the number of normal clusters, each item of which corresponds one-to-one to
Figure BDA0003128679870000075
; the state probability graph obtained from $S_{nor}$ is $G_{nor} = \{V_{nor}, P_{nor}(TR_{nor})\}$, each item of which corresponds one-to-one to the state probability graph $G = \{V, P(TR)\}$ obtained when the system operates normally;
When the system is under attack, the state data set $DS_{att} = \{CM_{att}, D_{att}, TDS_{att}\}$ is obtained, each item of which corresponds one-to-one to the normal-state industrial control system state data set $DS = \{CM, D, TDS\}$; steps a to p are executed to obtain the state feature set
Figure BDA0003128679870000076
where $ms_{att}$ is the number of clusters, each item of which corresponds one-to-one to
Figure BDA0003128679870000077
; the state probability graph obtained from $S_{att}$ is $G_{att} = \{V_{att}, P_{att}(TR_{att})\}$, each item of which corresponds one-to-one to the state probability graph $G = \{V, P(TR)\}$ obtained when the system operates normally;
Let:
Figure BDA0003128679870000078
where
Figure BDA0003128679870000079
is the continuous-type variable feature,
Figure BDA00031286798700000710
denotes the discrete-type variable feature,
Figure BDA00031286798700000711
denotes the time slice after division;
Figure BDA00031286798700000712
denotes, for the $S_{att}$ state
Figure BDA00031286798700000713
, the closest state, obtained by formula (III):
Figure BDA00031286798700000714
In formula (III),
Figure BDA00031286798700000715
Figure BDA00031286798700000716
does not exist in the set $S_{nor}$; in
Figure BDA00031286798700000717
and
Figure BDA00031286798700000718
the discrete-type variable features are identical.
The quantitative evaluation formula for a non-existent state is shown as formula (IV):
Figure BDA00031286798700000719
In formula (IV), $EVAL_{No}$ denotes the quantitative evaluation value for a non-existent state,
Figure BDA0003128679870000081
denotes, between
Figure BDA0003128679870000082
and
Figure BDA0003128679870000083
, the maximum of the time slices,
Figure BDA0003128679870000084
denotes, between
Figure BDA0003128679870000085
and
Figure BDA0003128679870000086
, the minimum of the time slices,
Figure BDA0003128679870000087
denotes, between
Figure BDA0003128679870000088
and
Figure BDA0003128679870000089
, the maximum of the continuous-type variable with index j,
Figure BDA00031286798700000810
denotes, between
Figure BDA00031286798700000811
and
Figure BDA00031286798700000812
, the minimum of the continuous-type variable with index j;
Let
Figure BDA00031286798700000813
Figure BDA00031286798700000814
where $d_{wit}(\cdot)$ is the time-delay feature weight calculation formula, $\tau_{drt}$ denotes the threshold set for the proportion of the time-delay feature in the state, and $S'_{drt}$ is the state time-delay anomaly set, specifically defined as follows:
Figure BDA00031286798700000815
Figure BDA00031286798700000816
In formula (V), $n_d$ is the number of discrete-type variables, $s_i$ denotes a state in $S_{att}$, $s_j$ denotes a state in $S_{nor}$, and $eduDist(s_i, s_j)$ denotes the distance between $s_i$ and $s_j$;
Figure BDA00031286798700000817
is the $k$-th discrete-type variable value of $s_i$,
Figure BDA00031286798700000818
is the $k$-th discrete-type variable value of $s_j$,
Figure BDA00031286798700000819
is the $i$-th continuous-type variable value of $s_i$,
Figure BDA00031286798700000820
is the $i$-th continuous-type variable value of $s_j$,
Figure BDA00031286798700000821
is the time slice of $s_i$,
Figure BDA00031286798700000822
is the time slice of $s_j$;
Figure BDA00031286798700000823
denotes the state transition anomaly set, which satisfies the following conditions:
Figure BDA00031286798700000824
denotes a state in $S_{nor}$; the state transition relation
Figure BDA00031286798700000825
is present in $TR_{att}$, but
Figure BDA00031286798700000826
is not present in $TR_{nor}$;
According to the state
Figure BDA00031286798700000827
and the nearest state
Figure BDA00031286798700000828
find in the normal state feature set $S_{nor}$ the state features nearest to
Figure BDA00031286798700000829
which are respectively recorded as
Figure BDA00031286798700000830
The quantitative evaluation formulas of the time delay abnormity and the conversion abnormity are respectively shown as formulas (VI) and (VII):
Figure BDA00031286798700000831
Figure BDA00031286798700000832
In formulas (VI) and (VII), $EVAL_{Drt}$ denotes the quantitative evaluation value of the time delay anomaly,
Figure BDA0003128679870000091
denotes, for
Figure BDA0003128679870000092
its time slice,
Figure BDA0003128679870000093
denotes, for
Figure BDA0003128679870000094
its continuous type variable value with index j,
Figure BDA0003128679870000095
denotes, for
Figure BDA0003128679870000096
its continuous type variable value with index j.
$EVAL_{Trans}$ denotes the quantitative evaluation value of the state transition relation anomaly,
Figure BDA0003128679870000097
denotes, for
Figure BDA0003128679870000098
its time slice,
Figure BDA0003128679870000099
denotes, for
Figure BDA00031286798700000910
its time slice,
Figure BDA00031286798700000911
denotes, for
Figure BDA00031286798700000912
its continuous type variable value with index j,
Figure BDA00031286798700000913
denotes, for
Figure BDA00031286798700000914
its continuous type variable value with index j;
Let
Figure BDA00031286798700000915
be the abnormal transition frequency from state feature
Figure BDA00031286798700000916
to
Figure BDA00031286798700000917
where
Figure BDA00031286798700000918
and
Figure BDA00031286798700000919
are states present both in $S_{nor}$ and in $S_{att}$, and
Figure BDA00031286798700000920
is the normal transition frequency corresponding to this state transition; the transition frequency anomaly quantitative evaluation formula is then defined as formula (VIII):
Figure BDA00031286798700000921
In formula (VIII), $EVAL_{Freq}$ denotes the quantitative evaluation value of the frequency anomaly,
Figure BDA00031286798700000922
denotes, for
Figure BDA00031286798700000923
its time slice,
Figure BDA00031286798700000924
denotes, for
Figure BDA00031286798700000925
its time slice;
the final quantitative evaluation formula of the influence of the attack on the state of the industrial control system is shown as the formula (IX):
$$VANC = EVAL_{No} + EVAL_{Drt} + EVAL_{Trans} + EVAL_{Freq} \quad (\mathrm{IX})$$
finally obtaining VANC through the formula (IX), wherein the VANC is the sum of quantitative evaluation of four abnormal conditions including no state, time delay abnormality, conversion abnormality and conversion probability abnormality.
A quantitative evaluation system for the influence of industrial control network-oriented multi-mode attack modes on the state of an industrial control system comprises a state data preliminary description and extraction unit, a clustering unit, a state transition probability graph construction unit and a quantitative evaluation unit;
the state data preliminary description and extraction unit is used for executing the step (1); the clustering unit is used for executing the step (2); the state transition probability map construction unit is used for executing the step (3); the quantitative evaluation unit is used for executing the step (4).
The invention has the beneficial effects that:
1. the method is oriented to various industrial control network attack strategies, and the actual state changes of the system in the attack implementation stage and the attack termination stage are quantitatively evaluated by taking the state abnormity characteristics as main indexes, so that the problem that the influence of various attack strategies on the system state is difficult to accurately evaluate is solved.
2. The invention provides an evaluation formula of the influence of the attack strategy on the system state, and evaluates and analyzes the state abnormal characteristics and the threat damage degree in a correlation manner to obtain an evaluation result which is more consistent with the influence of the actual state.
3. The invention is used for detecting the abnormity of information security events and various industrial control networks.
Drawings
FIG. 1 is a schematic flow chart of the present invention for generating a state transition probability map from raw state data sets;
FIG. 2 is a flow chart of the quantitative evaluation method of the influence of the multi-mode attack mode facing the industrial control network on the state of the industrial control system according to the invention;
fig. 3 is a schematic diagram illustrating a comparison between the states of the continuous variables T1, T2, and T3 collected in the corresponding industrial control system in the data set 1 during normal operation and under attack in the embodiment;
fig. 4 is a schematic diagram illustrating a comparison between the states of the continuous variables T1, T2, and T3 collected in the corresponding industrial control system in the data set 2 during normal operation and under attack in the embodiment;
fig. 5 is a schematic diagram illustrating a comparison between the states of the continuous variables T1, T2, and T3 collected in the corresponding industrial control system in the data set 3 during normal operation and under attack in the embodiment;
fig. 6 is a schematic diagram illustrating a comparison between the states of the continuous variables T1, T2, and T3 collected in the corresponding industrial control system in the data set 4 in normal operation and in attack in the embodiment;
fig. 7 is a schematic diagram illustrating a comparison between the states of the continuous variables T1, T2, and T3 collected in the corresponding industrial control system in the data set 5 in normal operation and in attack in the embodiment;
FIG. 8 is a schematic structural diagram of a quantitative evaluation system for the influence of the multi-mode attack mode of the industrial control network on the state of the industrial control system according to the present invention;
FIG. 9 is a flow chart illustrating the quantitative evaluation of the influence of the system status according to the present invention.
Detailed Description
The invention is further defined in the following, but not limited to, the figures and examples in the description.
Example 1
A quantitative evaluation method for influence of an industrial control network-oriented multi-mode attack mode on the state of an industrial control system comprises the following steps:
(1) performing primary description and extraction on state characteristics, namely an industrial control system state data set, and acquiring state data segmentation points;
(2) clustering the state features;
(3) constructing a state transition probability graph;
(4) quantitatively evaluating the influence of the system state based on the abnormal features and the damage degree indexes.
The flow of generating a state transition probability map from a raw state data set is shown in fig. 1.
The flow of the quantitative evaluation method for the influence of the multi-mode attack mode facing the industrial control network on the state of the industrial control system is shown in fig. 2, and comprises the following steps:
firstly, when the industrial control system normally operates, the industrial control system starts to collect state original data, and after the system operates for 720 hours, the state data collection is finished, wherein the collected data set is called a normal state data set.
Next, five attack data sets are collected according to the following attack data set collection description procedures, respectively. And according to attack starting time and attack ending time, 5 attack data sets are divided into corresponding attack progress phase data sets and attack ending phase data sets respectively.
Then, inputting the normal state data set into the state transition probability map generation flow, generating a normal state transition probability map, inputting the attack progress stage data set and the attack end stage data set corresponding to each attack data set into the state transition probability map generation flow, and generating 5 groups of attack progress stage state transition probability maps and attack end stage state transition probability maps.
And finally, taking the normal state transition probability graph and each group of attack progress stage state transition probability graphs and the attack end stage state transition probability graph as input, and calculating attack progress stage state influence values and attack end stage state influence values by using a state influence quantitative evaluation formula.
Example 2
The method for quantitatively evaluating the influence of the multi-mode attack mode facing the industrial control network on the state of the industrial control system, which is described in the embodiment 1, is characterized in that:
the specific implementation process of the step (1) comprises the following steps:
A. the method comprises the following steps of performing preliminary description on an industrial control system state data set, namely:
the industrial control system state data set is expressed as DS = {CM, D, TDS},
Figure BDA0003128679870000111
Figure BDA0003128679870000112
TDS represents a time period, where $TDS_i$ denotes a specific moment, $i = 1, 2, \ldots, n_t$; $n_t$ is the number of moments and also the length of the time period TDS;
Figure BDA0003128679870000113
CM denotes a set of continuous type variables in the industrial control system within the TDS period,
Figure BDA0003128679870000114
denotes a continuous type variable in the industrial control system within the TDS time period, and $n_c$ is the number of continuous type variables; D denotes the set of discrete type variables in the industrial control system within the TDS time period,
Figure BDA0003128679870000115
denotes a discrete type variable in the industrial control system within the TDS time period, and $n_d$ is the number of discrete type variables;
Therefore,
Figure BDA0003128679870000116
Figure BDA0003128679870000117
Figure BDA0003128679870000118
respectively denote the continuous type variable and the discrete type variable collected at moment $tds_j$;
B. extracting the state data set of the industrial control system, namely:
the data in CM are z-score normalized using formula (I):
Figure BDA0003128679870000119
In formula (I),
Figure BDA00031286798700001110
Figure BDA00031286798700001111
$n_i$ is the number of elements in $c_i$,
Figure BDA00031286798700001112
obtaining a new continuous state data set by formula (I)
Figure BDA00031286798700001113
C. Acquiring state data segmentation points, comprising:
a. traversing the discrete type variable set D, and when the discrete variables in the discrete type variable set D are changed, putting the serial numbers of the discrete variables which start to be changed into a discrete type variable division point list (disList);
b. traverse the new continuous state data set C′ and calculate $\Delta cc_i = c'_{i+1} - c'_i$ and $\Delta cc_{i+1} = c'_{i+2} - c'_{i+1}$; if $\Delta cc_i \ge 0$ and $\Delta cc_{i+1} < 0$, or $\Delta cc_i < 0$ and $\Delta cc_{i+1} \ge 0$, put i into the continuous type variable division point list consList;
c. merge the data in disList and consList to obtain sPts;
d. traverse disList and, for each element dPt, perform operations e through f as follows:
e. find the element before dPt in sPts, denoted pPt, and find the continuous type variable index corresponding to pPt in consList, denoted cIdx; in the new continuous variable data set
Figure BDA0003128679870000121
find the continuous variable corresponding to cIdx, denoted $c'_{cIdx}$; by formula (I), $c'_{cIdx}$ is a time series of length $n_t$; determine the number of variables of $c'_{cIdx}$ located in the interval [pPt, dPt]; if that number is 1, delete pPt from sPts, otherwise perform operation f;
f. find the index of the element after dPt in sPts, denoted nIdx; while nIdx is less than the total number of sPts, loop through the following operations f-1 to f-3; otherwise, exit the loop;
f-1. find the element value corresponding to nIdx in sPts, denoted nPt;
f-2. find the continuous variable index corresponding to nPt in consList, denoted cIdx;
f-3. determine the number of variables of the continuous type variable $c'_{cIdx}$ located in the interval [dPt, nPt]; if that number is 1 or 2, delete nPt from sPts, otherwise exit the loop;
D. Feature extraction, namely:
g. traverse each element $Pt_i$ in sPts and the element $Pt_{i+1}$ after it, and calculate each time slice $\Delta PT_i = Pt_{i+1} - Pt_i$; let the number of time slices be $m_t$; denote $\Delta PT_i$ as
Figure BDA0003128679870000122
$i = 1, 2, \ldots, m_t$, which then form a new time slice set
Figure BDA0003128679870000123
h. traverse each time slice
Figure BDA0003128679870000124
the set of all discrete variables after time slice division is
Figure BDA0003128679870000125
where
Figure BDA0003128679870000126
Figure BDA0003128679870000127
is, within time slice
Figure BDA00031286798700001220
the discrete type variable set collected; the set of all continuous type variables after time slice division is recorded as
Figure BDA0003128679870000128
Figure BDA0003128679870000129
Figure BDA00031286798700001210
denotes, within time slice
Figure BDA00031286798700001211
the continuous type variable set collected;
As can be seen from the time slice division process of steps A-C, within time slice
Figure BDA00031286798700001212
the discrete type variables are identical;
Figure BDA00031286798700001213
denotes, within time slice
Figure BDA00031286798700001214
a particular element of any one discrete variable set
Figure BDA00031286798700001215
and therefore
Figure BDA00031286798700001216
is used to represent
Figure BDA00031286798700001217
In this case,
Figure BDA00031286798700001218
Figure BDA00031286798700001219
i. for each time slice
Figure BDA0003128679870000131
compute
Figure BDA0003128679870000132
where $j \in [1, n_c]$, $i \in [1, m_t]$;
Figure BDA0003128679870000133
is, within time slice
Figure BDA0003128679870000134
the maximum value in the collected continuous type variable set,
Figure BDA0003128679870000135
is, within time slice
Figure BDA0003128679870000136
the minimum value in the collected continuous type variable set;
Figure BDA0003128679870000137
denotes, for the continuous variable set
Figure BDA0003128679870000138
within time slice
Figure BDA0003128679870000139
its slope;
j. obtaining a device state feature description set which is finally expressed as
Figure BDA00031286798700001310
Wherein
Figure BDA00031286798700001311
The device state feature set is the final set obtained through the steps a-j
Figure BDA00031286798700001312
The state data is equipment state data directly acquired from an industrial control system, is input data of the step A, and is a data source for acquiring state characteristic data.
The specific implementation process of the step a comprises the following steps:
a-1, setting i to 1;
a-2. judge whether $i = n_d$ holds; if so, exit; otherwise, perform step a-3;
a-3. judge whether $d_i = d_{i+1}$ holds; if not, put i+1 into the discrete type variable division point list (disList) and perform step a-4; if so, directly perform step a-4;
a-4. add 1 to i and return to step a-2.
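Steps B and C (a to c), including the a-1 to a-4 loop, written out as an added Python example that is not part of the patent. It assumes formula (I) is the standard z-score with population standard deviation, treats $d_i$ as the tuple of all discrete variables sampled at moment i, uses 0-based indices, and leaves out the pruning steps d to f; the pump and level samples are constructed.

```python
# Added example: steps B and C(a)-(c) on constructed data. Not the patent's code.
from statistics import mean, pstdev

# Constructed samples: one discrete variable (pump on/off) and one
# continuous variable (tank level), eight moments each.
PUMP = [(1,), (1,), (1,), (1,), (0,), (0,), (0,), (1,)]
LEVEL = [1.0, 2.0, 3.0, 4.0, 3.0, 2.0, 1.0, 2.0]


def zscore(series):
    """Step B: z-score normalisation (assumed form of formula (I))."""
    mu, sigma = mean(series), pstdev(series)
    if sigma == 0:  # constant signal: nothing to scale
        return [0.0 for _ in series]
    return [(x - mu) / sigma for x in series]


def discrete_split_points(rows):
    """Step a: i+1 becomes a split point whenever d_i != d_{i+1}."""
    return [i + 1 for i in range(len(rows) - 1) if rows[i] != rows[i + 1]]


def continuous_split_points(norm):
    """Step b: record i when the slope changes sign after moment i.

    delta_i = c'[i+1] - c'[i]; i is recorded when (delta_i >= 0 and
    delta_{i+1} < 0) or (delta_i < 0 and delta_{i+1} >= 0). The text
    stores i itself, not the position of the extremum at i+1.
    """
    points = []
    for i in range(len(norm) - 2):
        d0 = norm[i + 1] - norm[i]
        d1 = norm[i + 2] - norm[i + 1]
        if (d0 >= 0 and d1 < 0) or (d0 < 0 and d1 >= 0):
            points.append(i)
    return points


def split_points(discrete_rows, continuous_series):
    """Step c: merge disList and consList into the sorted list sPts.

    consList is kept as {point: index of the continuous variable that
    produced it}, because steps e and f look that index up again.
    """
    dis_list = discrete_split_points(discrete_rows)
    cons_list = {}
    for idx, series in enumerate(continuous_series):
        for p in continuous_split_points(zscore(series)):
            cons_list.setdefault(p, idx)
    s_pts = sorted(set(dis_list) | set(cons_list))
    return dis_list, cons_list, s_pts


if __name__ == "__main__":
    dis, cons, spts = split_points(PUMP, [LEVEL])
    print("disList:", dis)
    print("consList:", cons)
    print("sPts:", spts)
```

The discrete split points trail the continuous turning points here because the constructed pump state changes one or two samples after the level reverses, which is the situation steps d to f are meant to reconcile.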
In the step (2), clustering is carried out on the state characteristics, and the specific steps comprise:
k. initializing elements in a device state profile set
Figure BDA00031286798700001313
where $j \in [1, m_t]$; the corresponding cluster number set Clrs is empty, the radius expansion threshold rThrd is 0.06, and the radius expansion range rRange is 1.2;
l, from
Figure BDA00031286798700001314
Selecting the point with the maximum distance from all the points as a first central point, and putting the first central point into a central point set Cts;
m, calculating
Figure BDA00031286798700001315
The minimum distance between other elements in the set and each element in the central point is formed into a set dList;
n, selecting an element iCtr corresponding to the maximum distance in the dList, and adding the iCtr into the Cts;
o, setting the updated flag to be true;
and p, when the flag is true, repeating the following steps from p-1 to p-5, otherwise, exiting:
p-1, assigning flag to false;
p-2. traversal
Figure BDA00031286798700001316
Each element in (1)
Figure BDA00031286798700001317
Figure BDA00031286798700001318
$i = 1, \ldots, m_t$; in Cts, find the element with the minimum distance to
Figure BDA00031286798700001319
record the index of that element as c, and record the minimum distance minDist and c;
p-3. if Clrs[i] is not equal to c, set Clrs[i] = c, assign flag to true, and perform step p-4; otherwise, directly perform step p-4;
p-4. update center points in Cts to
Figure BDA0003128679870000141
The mean of all elements belonging to the cluster;
p-5. performing p-5-1 to p-5-2 for each element Cts [ j ] in Cts:
p-5-1. Rs[j] is, over all elements of
Figure BDA0003128679870000142
belonging to cluster j, the maximum distance to the center point Cts[j];
p-5-2. if Rs[j] = 0, then Rs[j] = 0 + rThrd is calculated, otherwise Rs[j] = 0 × rRange;
using the above clustering method, pair
Figure BDA0003128679870000143
After clustering, forming a new state feature set by taking various central points as states
Figure BDA0003128679870000144
msIs the number of clusters.
Figure BDA0003128679870000145
At any two points
Figure BDA0003128679870000146
The distance between
Figure BDA0003128679870000147
The formula (II) is shown as the following formula:
Figure BDA0003128679870000148
the specific implementation process of the step (3) is as follows:
The state transition probability graph is represented as $G = \{V, P(TR)\}$, where $V = \{v_1, v_2, \ldots, v_n\}$ denotes the vertex set of the state transition probability graph, namely the new state feature set S generated in step (2); $TR = \{TR_{i \to j},\ i, j \in [1, n]\}$, where $TR_{i \to j}$ denotes the transition relation from state $v_i$ to state $v_j$; and $P(TR) = \{P(TR_{i \to j}),\ i, j \in V\}$,
Figure BDA0003128679870000149
denotes the transition probability from state $v_i$ to state $v_j$, where $num(TR_{i \to j})$ is the number of $TR_{i \to j}$ state transitions and $num(TR) = \sum_{i,j \in V} num(TR_{i \to j})$ is the sum of all state transition counts;
the state stored in the new state feature set S generated in the step (2)
Figure BDA00031286798700001410
Is a vertex V in the state transition probability map, according to
Figure BDA00031286798700001411
the transition probability set P(TR) is generated based on the transition relationships between the states.
For example, after performing steps a-j, a set is obtained
Figure BDA00031286798700001412
where
Figure BDA00031286798700001413
mtis the number of time slices.
Figure BDA00031286798700001414
Representing time slices
Figure BDA00031286798700001415
the continuous type variable features and discrete type variable features computed within it, together with the time slice
Figure BDA00031286798700001416
as one set. After steps k to p are performed to cluster
Figure BDA00031286798700001417
a new state feature set is formed by taking the center points of the clusters as states
Figure BDA00031286798700001418
$m_s$ is the number of clusters and also the number of new states, where $s_r \in S$, $r \in [1, m_s]$, $m_s < m_t$. According to the clustering principle, for any
Figure BDA00031286798700001419
an $s_r$ corresponding to it can be found.
For any two adjacent features
Figure BDA00031286798700001420
And
Figure BDA00031286798700001421
Figure BDA00031286798700001422
the corresponding cluster center point is
Figure BDA00031286798700001423
Figure BDA00031286798700001424
The corresponding cluster center point is
Figure BDA00031286798700001425
A state transition is considered to exist between two adjacent state sets, so between
Figure BDA00031286798700001426
and
Figure BDA00031286798700001427
there is a state transition; then, if
Figure BDA00031286798700001428
and
Figure BDA00031286798700001429
are not equal, we obtain
Figure BDA0003128679870000151
and
Figure BDA0003128679870000152
is incremented by 1; otherwise, no processing is performed. According to the above principle, traverse
Figure BDA0003128679870000153
All adjacent features obtain their corresponding features in S, update the state transition set TR and its corresponding state transition times, and finally use the state transition probability calculation formula:
Figure BDA0003128679870000154
All transition probabilities are calculated, and together they constitute the transition probability set P(TR).
In the step (4), the attack influence quantitative evaluation method based on the abnormal characteristic and damage degree index fusion analysis carries out quantitative evaluation on the influence of the system state, and the specific implementation process is as follows:
in the attack influence quantitative evaluation method based on the abnormal feature and damage degree index fusion analysis, aiming at different continuous category variables such as temperature, humidity, height and the like, the weights corresponding to the damage degrees of the industrial control system states are recorded as Weit,
Figure BDA0003128679870000155
satisfies the following conditions:
Figure BDA0003128679870000156
quantitative evaluation of state anomalies, time delay anomalies, conversion anomalies, frequency anomalies was performed using the following formulas:
when the system is in normal operation, a state data set $DS_{nor} = \{CM_{nor}, D_{nor}, TDS_{nor}\}$ is obtained, each item of which corresponds one to one to the normal state industrial control system state data set DS = {CM, D, TDS}; steps a to p are executed to obtain a state feature set
Figure BDA0003128679870000157
$ms_{nor}$ is the number of normal clusters, each item of which corresponds one to one to
Figure BDA0003128679870000158
and the state probability graph obtained from $S_{nor}$ is $G_{nor} = \{V_{nor}, P_{nor}(TR_{nor})\}$, each item of which corresponds one to one to the state probability graph G = {V, P(TR)} obtained when the system operates normally;
when the system is under attack, a state data set $DS_{att} = \{CM_{att}, D_{att}, TDS_{att}\}$ is acquired, each item of which corresponds one to one to the normal state industrial control system state data set DS = {CM, D, TDS}; steps a to p are executed to obtain a state feature set
Figure BDA0003128679870000159
$ms_{att}$ is the number of clusters, each item of which corresponds one to one to
Figure BDA00031286798700001510
and the state probability graph obtained from $S_{att}$ is $G_{att} = \{V_{att}, P_{att}(TR_{att})\}$, each item of which corresponds one to one to the state probability graph G = {V, P(TR)} obtained when the system operates normally;
Let:
Figure BDA00031286798700001511
where
Figure BDA00031286798700001512
denotes the continuous type variable features,
Figure BDA00031286798700001513
denotes the discrete type variable features,
Figure BDA00031286798700001514
denotes the time slice after division;
Figure BDA00031286798700001515
denotes, for the state
Figure BDA00031286798700001516
in $S_{att}$, the closest state, which is obtained by formula (III):
Figure BDA00031286798700001517
In formula (III),
Figure BDA00031286798700001518
Figure BDA00031286798700001519
does not exist in the set $S_{nor}$, and the discrete type variable features in
Figure BDA0003128679870000161
and in
Figure BDA0003128679870000162
are identical.
The stateless quantitative evaluation formula is shown as formula (IV):
Figure BDA0003128679870000163
In formula (IV), $EVAL_{No}$ denotes the stateless quantitative evaluation value,
Figure BDA0003128679870000164
denotes, for
Figure BDA0003128679870000165
and
Figure BDA0003128679870000166
the maximum of their time slices,
Figure BDA0003128679870000167
denotes, for
Figure BDA0003128679870000168
and
Figure BDA0003128679870000169
the minimum of their time slices,
Figure BDA00031286798700001610
denotes, for
Figure BDA00031286798700001611
and
Figure BDA00031286798700001612
the maximum of their continuous type variable values with index j,
Figure BDA00031286798700001613
denotes, for
Figure BDA00031286798700001614
and
Figure BDA00031286798700001615
the minimum of their continuous type variable values with index j;
Let
Figure BDA00031286798700001616
Figure BDA00031286798700001617
where $d_{wit}(\cdot)$ is the time delay feature weight calculation formula, $\tau_{drt}$ denotes the threshold set for the state proportion of the time delay feature, and $S'_{drt}$ is the state delay anomaly set, specifically defined as follows:
Figure BDA00031286798700001618
Figure BDA00031286798700001619
In formula (V), $n_d$ is the number of discrete type variables, $s_i$ denotes a state in $S_{att}$, $s_j$ denotes a state in $S_{nor}$, $eduDist(s_i, s_j)$ denotes the distance between $s_i$ and $s_j$,
Figure BDA00031286798700001620
is the k-th discrete type variable value of $s_i$,
Figure BDA00031286798700001621
is the k-th discrete type variable value of $s_j$,
Figure BDA00031286798700001622
is the i-th continuous type variable value of $s_i$,
Figure BDA00031286798700001623
is the i-th continuous type variable value of $s_j$,
Figure BDA00031286798700001624
is the time slice of $s_i$,
Figure BDA00031286798700001625
is the time slice of $s_j$;
Figure BDA00031286798700001626
denotes the state transition anomaly set, which satisfies the following conditions:
Figure BDA00031286798700001627
denotes a state in $S_{nor}$; the state transition relation
Figure BDA00031286798700001628
is present in $TR_{att}$, whereas
Figure BDA00031286798700001629
is not present in $TR_{nor}$;
According to the state
Figure BDA00031286798700001630
and the nearest state
Figure BDA00031286798700001631
find in the normal state feature set $S_{nor}$ the state features nearest to
Figure BDA00031286798700001632
which are respectively recorded as
Figure BDA00031286798700001633
The quantitative evaluation formulas of the time delay abnormity and the conversion abnormity are respectively shown as formulas (VI) and (VII):
Figure BDA0003128679870000171
Figure BDA0003128679870000172
In formulas (VI) and (VII), $EVAL_{Drt}$ denotes the quantitative evaluation value of the time delay anomaly,
Figure BDA0003128679870000173
denotes, for
Figure BDA0003128679870000174
its time slice,
Figure BDA0003128679870000175
denotes, for
Figure BDA0003128679870000176
its continuous type variable value with index j,
Figure BDA0003128679870000177
denotes, for
Figure BDA0003128679870000178
its continuous type variable value with index j.
$EVAL_{Trans}$ denotes the quantitative evaluation value of the state transition relation anomaly,
Figure BDA0003128679870000179
denotes, for
Figure BDA00031286798700001710
its time slice,
Figure BDA00031286798700001711
denotes, for
Figure BDA00031286798700001712
its time slice,
Figure BDA00031286798700001713
denotes, for
Figure BDA00031286798700001714
its continuous type variable value with index j,
Figure BDA00031286798700001715
denotes, for
Figure BDA00031286798700001716
its continuous type variable value with index j;
Let
Figure BDA00031286798700001717
be the abnormal transition frequency from state feature
Figure BDA00031286798700001718
to
Figure BDA00031286798700001719
where
Figure BDA00031286798700001720
and
Figure BDA00031286798700001721
are states present both in $S_{nor}$ and in $S_{att}$, and
Figure BDA00031286798700001722
is the normal transition frequency corresponding to this state transition; the transition frequency anomaly quantitative evaluation formula is then defined as formula (VIII):
Figure BDA00031286798700001723
In formula (VIII), $EVAL_{Freq}$ denotes the quantitative evaluation value of the frequency anomaly,
Figure BDA00031286798700001724
denotes, for
Figure BDA00031286798700001725
its time slice,
Figure BDA00031286798700001726
denotes, for
Figure BDA00031286798700001727
its time slice;
the final quantitative evaluation formula of the influence of the attack on the state of the industrial control system is shown as the formula (IX):
$$VANC = EVAL_{No} + EVAL_{Drt} + EVAL_{Trans} + EVAL_{Freq} \quad (\mathrm{IX})$$
finally obtaining VANC through the formula (IX), wherein the VANC is the sum of quantitative evaluation of four abnormal conditions including no state, time delay abnormality, conversion abnormality and conversion probability abnormality.
The flow of quantitative assessment of the impact of system conditions is shown in figure 9. The method comprises the following steps:
traversing each vertex in the state transition probability graph of the attack stage, judging whether the vertex exists in a vertex set of the normal state transition probability graph or not, if not, adopting a formula (III) to calculate a vertex which is closest to the vertex and is positioned in the vertex set of the normal state transition probability graph, substituting the two states into a formula (IV) to calculate a stateless quantitative evaluation value, adopting a formula (V) to calculate a weight corresponding to the time delay in the state, if the weight is greater than a threshold value, adopting a formula (VI) to calculate a time delay abnormal quantitative evaluation value, otherwise, entering the last step; if the state transition exists in the vertex set of the normal state transition probability graph, judging whether the state transition taking the node as a tail node in the transition set of the attack stage state transition graph exists in the transition set of the normal state transition probability graph or not, and if the state transition does not exist, calculating a conversion abnormity quantitative evaluation value by adopting a formula (VII); otherwise, judging whether the corresponding conversion frequency is the same as the corresponding frequency in the normal state transition probability chart or not, if so, calculating the abnormal evaluation value of the conversion frequency by adopting a formula (VIII), otherwise, entering the last step; finally, the final evaluation value is calculated using formula (IX).
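The graph construction of step (3) and the vertex-by-vertex decision flow just described, as an added Python example that is not the patent's code. It assumes $P(TR_{i \to j}) = num(TR_{i \to j}) / num(TR)$, treats a transition frequency as anomalous when it differs from the normal one by more than a tolerance, reads "tail node" as the source of a transition, and picks the nearest normal state by Euclidean distance over continuous features among states with identical discrete features; state names, features, sequences and `FREQ_TOL` are constructed, and the scores of formulas (IV) to (VIII) are not computed.

```python
# Added example (not the patent's code). State names, feature values, the two
# sequences and FREQ_TOL are constructed for illustration.
import math
from collections import Counter

FREQ_TOL = 0.1  # assumed tolerance for treating two probabilities as equal

# Constructed cluster centres: state -> (discrete features, continuous features)
FEATURES = {
    "fill": ((1, 0), (0.8, 0.1)),
    "hold": ((0, 0), (0.0, 0.9)),
    "drain": ((0, 1), (-0.8, 0.2)),
    "overflow": ((0, 0), (0.3, 1.6)),
}
# Constructed cluster label of each consecutive time slice.
NORMAL_SEQ = ["fill", "fill", "hold", "drain", "fill", "hold", "drain",
              "fill", "hold", "drain"]
ATTACK_SEQ = ["fill", "hold", "fill", "hold", "overflow", "drain", "fill",
              "hold", "drain", "fill", "hold", "drain"]


def transition_graph(state_seq):
    """Build G = {V, P(TR)} from per-slice cluster labels.

    A transition is counted only when adjacent slices map to different
    states; each count is divided by the total number of transitions.
    """
    counts = Counter(
        (a, b) for a, b in zip(state_seq, state_seq[1:]) if a != b
    )
    total = sum(counts.values())
    probs = {tr: n / total for tr, n in counts.items()} if total else {}
    return set(state_seq), probs


def nearest_normal(state, v_nor, features):
    """Closest normal state with identical discrete features, else None."""
    d_att, c_att = features[state]
    candidates = sorted(s for s in v_nor if features[s][0] == d_att)
    if not candidates:
        return None
    return min(candidates, key=lambda s: math.dist(features[s][1], c_att))


def classify(normal, attack, features, tol=FREQ_TOL):
    """Label each attack-graph vertex and its outgoing transitions."""
    v_nor, p_nor = normal
    v_att, p_att = attack
    findings = []
    for v in sorted(v_att):
        if v not in v_nor:
            # State unknown to the normal graph: formulas (III)-(VI) apply.
            findings.append(("no_state", v, nearest_normal(v, v_nor, features)))
            continue
        for tr in sorted(t for t in p_att if t[0] == v):
            if tr not in p_nor:
                findings.append(("transition", tr, None))   # formula (VII)
            elif abs(p_att[tr] - p_nor[tr]) > tol:
                delta = round(p_att[tr] - p_nor[tr], 3)
                findings.append(("frequency", tr, delta))   # formula (VIII)
    return findings


if __name__ == "__main__":
    g_nor = transition_graph(NORMAL_SEQ)
    g_att = transition_graph(ATTACK_SEQ)
    for finding in classify(g_nor, g_att, FEATURES):
        print(finding)
```

Because every probability is normalised by the total transition count, inserting a few abnormal transitions lowers the probability of all others, which is why a tolerance is needed before a frequency anomaly is reported.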
The embodiment performs attack and evaluation tests on a water treatment industrial control security test range platform that combines virtual and physical components. Five attack methods are used: a. tampering with the data that the sensor sends to the controller; b. tampering with the corresponding state data in the controller data register; c. tampering with the control command that the controller sends to the field controlled equipment, shortening command execution time; d. tampering with the sensor equipment to a value below a threshold so as to change the control command, and hiding the tampering behavior from the engineer station through a replay attack; e. tampering with the sensor data to keep it at a steady level.
Timing starts from system start-up. The attack progress phases set for attack modes a, b and d occur between 20 hours and 24 hours, and the corresponding attack end phase is the period after 24 hours; data collection starts at system start-up, 34560 pieces of data are collected in total, of which 2881 belong to the attack stage. The attack progress phase set for attack mode c occurs between 303 hours 43 minutes and 307 hours 43 minutes, and the corresponding attack end phase is the period after 307 hours 43 minutes; data collection starts at system start-up, 225182 pieces of data are collected in total, of which 2881 belong to the attack stage. The attack progress phase set for attack mode e occurs between 20 hours and 24 hours, and the corresponding attack end phase is the period after 24 hours; data collection starts at system start-up, 20160 pieces of data are collected in total, of which 2881 belong to the attack stage. The five attack modes above generate 5 data sets, denoted data sets 1, 2, 3, 4 and 5.
The data set description is shown in table 1:
TABLE 1
Figure BDA0003128679870000181
The results of the evaluation of five data sets by the method of the present invention are shown in table 2:
TABLE 2
Figure BDA0003128679870000191
The parameters involved in the influence degree calculation are selected as follows: the weights Weit corresponding to the degree of damage of T1, T2 and T3 to the state of the industrial control system are [0.45, 0.45, 0.1]; among the state feature clustering parameters, the radius expansion threshold rThrd is 0.06 and the radius expansion range rRange is 1.2.
Figs. 3 to 7 are schematic diagrams comparing, for data sets 1 to 5 respectively (fig. 3 for data set 1, fig. 4 for data set 2, fig. 5 for data set 3, fig. 6 for data set 4, fig. 7 for data set 5), the states of the continuous variables T1, T2 and T3 collected in the corresponding industrial control system during normal operation and under attack in the embodiment. In figs. 3 to 7, vertical dashed lines mark the attack start time and the attack end time. Between the two dashed lines is the attack progress stage, showing how the continuous type variables T1, T2 and T3 change under attack compared with the case of no attack; after the second dashed line is the attack end stage, showing the same comparison for the 3 continuous type variables.
The results shown in table 2 are substantially consistent with the comparison, shown in figs. 3 to 7, of the continuous variables in the attack progress stage and the attack end stage against the normal operation stage. For example, figs. 3 and 4 show that in the attack end stage the 3 continuous variables do not change compared with the case of no attack, and table 2 shows that in attack modes a and b the influence degree of the attack end stage is 0, while the influence degree of the attack end stage of data sets 3 and 4 is obviously higher than that of data set 5. Comparing figs. 3 to 7, the influence in the attack stage should be smallest for data set 2 (fig. 4), while data set 3 (fig. 5) has a significantly higher influence in the attack stage than the other data sets, consistent with the data shown in table 2. The method therefore obtains an evaluation result that is more consistent with the actual influence on the state.
Example 3
A system for quantitatively evaluating the influence of an industrial control network-oriented multi-mode attack mode on the state of an industrial control system, as shown in FIG. 8, is used for realizing the method of embodiment 1 or 2 for quantitatively evaluating the influence of the industrial control network-oriented multi-mode attack mode on the state of the industrial control system; the system comprises a state data preliminary description and extraction unit, a clustering unit, a state transition probability graph construction unit and a quantitative evaluation unit;
the state data preliminary description and extraction unit is used for executing the step (1); the clustering unit is used for executing the step (2); the state transition probability map construction unit is used for executing the step (3); the quantitative evaluation unit is used for executing the step (4).

Claims (8)

1. A quantitative evaluation method for influence of an industrial control network-oriented multi-mode attack mode on the state of an industrial control system is characterized by comprising the following steps:
(1) performing primary description and extraction on state characteristics, namely an industrial control system state data set, and acquiring state data segmentation points;
(2) clustering the state features;
(3) constructing a state transition probability graph;
(4) quantitatively evaluating the influence of the system state based on the abnormal features and the damage degree indexes; the specific implementation process comprises the following steps:
in the attack influence quantitative evaluation method based on the abnormal characteristic and damage degree index fusion analysis, weights corresponding to the state damage degrees of the industrial control system for different continuous type variables are marked as Weit,
Figure FDA0003380335350000011
satisfies the following conditions:
Figure FDA0003380335350000012
quantitative evaluation of state anomalies, time delay anomalies, conversion anomalies, frequency anomalies was performed using the following formulas:
when the system is in normal operation, a state data set $DS_{nor} = \{CM_{nor}, D_{nor}, TDS_{nor}\}$ is obtained, each item of which corresponds one to one to the normal state industrial control system state data set $DS = \{CM, D, TDS\}$, and steps a to p are executed to obtain a state feature set
Figure FDA0003380335350000013
$ms_{nor}$ is the number of normal clusters, each term of which is associated with
Figure FDA0003380335350000014
in one-to-one correspondence; the state probability graph obtained from $S_{nor}$ is $G_{nor} = \{V_{nor}, P_{nor}(TR_{nor})\}$, each item of which is in one-to-one correspondence with the state probability graph $G = \{V, P(TR)\}$ obtained when the system operates normally;
when the system is under attack, a state data set $DS_{att} = \{CM_{att}, D_{att}, TDS_{att}\}$ is acquired, each item of which corresponds one to one to the normal state industrial control system state data set $DS = \{CM, D, TDS\}$, and steps a to p are executed to obtain a state feature set
Figure FDA0003380335350000015
$ms_{att}$ is the number of clusters, each term of which is associated with
Figure FDA0003380335350000016
in one-to-one correspondence; the state probability graph obtained from $S_{att}$ is $G_{att} = \{V_{att}, P_{att}(TR_{att})\}$, each item of which is in one-to-one correspondence with the state probability graph $G = \{V, P(TR)\}$ obtained when the system operates normally;
setting:
Figure FDA0003380335350000017
wherein,
Figure FDA0003380335350000018
is a continuous type variable characteristic of the variable,
Figure FDA0003380335350000019
the characteristics of the variables of the discrete type are represented,
Figure FDA00033803353500000110
representing the time slice after the division;
Figure FDA00033803353500000111
is represented by the formulaattMiddle state
Figure FDA00033803353500000112
The closest state is obtained by the following equation (iii):
Figure FDA00033803353500000113
in formula (III),
Figure FDA00033803353500000114
Figure FDA00033803353500000115
does not exist in the set SnorIn a direction of
Figure FDA0003380335350000021
Variable characteristics of medium discrete type and
Figure FDA0003380335350000022
the discrete type variable characteristics are the same;
the stateless quantitative evaluation formula is shown as formula (IV):
Figure FDA0003380335350000023
in formula (IV), $EVAL_{No}$ denotes the stateless quantitative evaluation value,
Figure FDA0003380335350000024
denotes, for
Figure FDA0003380335350000025
and
Figure FDA0003380335350000026
the maximum of their time slices,
Figure FDA0003380335350000027
denotes, for
Figure FDA0003380335350000028
and
Figure FDA0003380335350000029
the minimum of their time slices,
Figure FDA00033803353500000210
denotes, for
Figure FDA00033803353500000211
and
Figure FDA00033803353500000212
the maximum of their continuous type variables with index j,
Figure FDA00033803353500000213
denotes, for
Figure FDA00033803353500000214
and
Figure FDA00033803353500000215
the minimum of their continuous type variables with index j;
Let
Figure FDA00033803353500000216
Figure FDA00033803353500000217
wherein $d_{wit}(\cdot)$ is the time delay feature weight calculation formula, $\tau_{drt}$ denotes the threshold set for the state proportion of the time delay feature, and $S'_{drt}$ is the state time delay anomaly set, specifically defined as follows:
Figure FDA00033803353500000218
Figure FDA00033803353500000219
in formula (V), $n_d$ is the number of discrete type variables, $s_i$ denotes a state in $S_{att}$, $s_j$ denotes a state in $S_{nor}$, and $eduDist(s_i, s_j)$ denotes the distance between $s_i$ and $s_j$,
Figure FDA00033803353500000220
is the kth discrete type variable value corresponding to $s_i$,
Figure FDA00033803353500000221
is the kth discrete type variable value corresponding to $s_j$,
Figure FDA00033803353500000222
is the corresponding i-th continuous type variable value in $s_i$,
Figure FDA00033803353500000223
is the corresponding i-th continuous type variable value in $s_j$,
Figure FDA00033803353500000224
is the time slice in $s_i$,
Figure FDA00033803353500000225
is the time slice in $s_j$;
Figure FDA00033803353500000226
representing a state transition exception set, and meeting the following conditions:
Figure FDA00033803353500000227
denotes a state in $S_{nor}$; the state transition relation
Figure FDA00033803353500000228
is present in $TR_{att}$; however,
Figure FDA00033803353500000229
is not present in $TR_{nor}$;
according to the state
Figure FDA00033803353500000230
Recent state
Figure FDA00033803353500000231
find in the normal state feature set $S_{nor}$ the state features nearest to
Figure FDA00033803353500000232
and record them respectively as
Figure FDA00033803353500000233
The quantitative evaluation formulas of the time delay abnormity and the conversion abnormity are respectively shown as formulas (VI) and (VII):
Figure FDA0003380335350000031
Figure FDA0003380335350000032
in formulae (VI) and (VII), $EVAL_{Drt}$ denotes the time delay abnormality quantitative evaluation value,
Figure FDA0003380335350000033
denotes, in
Figure FDA0003380335350000034
the time slice,
Figure FDA0003380335350000035
denotes, in
Figure FDA0003380335350000036
the continuous type variable value with index j,
Figure FDA0003380335350000037
denotes, in
Figure FDA0003380335350000038
the continuous type variable value with index j;
$EVAL_{Trans}$ denotes the state transition relation abnormality quantitative evaluation value,
Figure FDA0003380335350000039
denotes, in
Figure FDA00033803353500000310
the time slice,
Figure FDA00033803353500000311
denotes, in
Figure FDA00033803353500000312
the time slice,
Figure FDA00033803353500000313
denotes, in
Figure FDA00033803353500000314
the continuous type variable value with index j,
Figure FDA00033803353500000315
denotes, in
Figure FDA00033803353500000316
the continuous type variable value with index j;
Let
Figure FDA00033803353500000317
be, for state feature
Figure FDA00033803353500000318
converting to
Figure FDA00033803353500000319
the abnormal conversion frequency, where
Figure FDA00033803353500000320
and
Figure FDA00033803353500000321
are states present both in $S_{nor}$ and in $S_{att}$, and
Figure FDA00033803353500000322
is the normal conversion frequency corresponding to this state conversion; the conversion frequency abnormality quantitative evaluation formula is then defined as formula (VIII):
Figure FDA00033803353500000323
in formula (VIII), $EVAL_{Freq}$ denotes the abnormal frequency quantitative evaluation value,
Figure FDA00033803353500000324
denotes, in
Figure FDA00033803353500000325
the time slice,
Figure FDA00033803353500000326
denotes, in
Figure FDA00033803353500000327
the time slice;
the final quantitative evaluation formula of the influence of the attack on the state of the industrial control system is shown as the formula (IX):
$$VANC = EVAL_{No} + EVAL_{Drt} + EVAL_{Trans} + EVAL_{Freq} \quad \text{(IX)}$$
finally obtaining VANC through the formula (IX), wherein the VANC is the sum of quantitative evaluation of four abnormal conditions including no state, time delay abnormality, conversion abnormality and conversion probability abnormality.
2. The method for quantitatively evaluating the influence of the multi-mode attack mode on the state of the industrial control system, which is oriented to the industrial control network, according to claim 1, is characterized in that the specific implementation process of the step (1) comprises the following steps:
A. preliminary description of the industrial control system state data set, namely:
the industrial control system state data set is expressed as $DS = \{CM, D, TDS\}$,
Figure FDA00033803353500000328
Figure FDA00033803353500000329
TDS denotes a time period, wherein $TDS_i$ denotes a specific time, $i = 1, 2, \ldots, n_t$; $n_t$ is the number of time instants and is also the length of the time period TDS;
Figure FDA0003380335350000041
CM denotes the set of continuous type variables in the industrial control system within the TDS time period,
Figure FDA0003380335350000042
denotes a continuous type variable in the industrial control system within the TDS time period, and $n_c$ is the number of continuous type variables; D denotes the set of discrete type variables in the industrial control system within the TDS time period,
Figure FDA0003380335350000043
denotes a discrete type variable in the industrial control system within the TDS time period, and $n_d$ is the number of discrete type variables;
therefore,
Figure FDA0003380335350000044
Figure FDA0003380335350000045
respectively denote the continuous type variables and discrete type variables collected at time $tds_j$;
B. extracting the state data set of the industrial control system, namely:
data in CM were z-score normalized using formula (i):
Figure FDA0003380335350000046
in formula (I),
Figure FDA0003380335350000047
$n_i$ is the number of elements in $c_i$,
Figure FDA0003380335350000048
obtaining a new continuous state data set by formula (I)
Figure FDA0003380335350000049
C. Acquiring state data segmentation points, comprising:
a. traverse the discrete type variable set D; when the discrete variables in D change, put the serial number at which the change begins into the discrete type variable division point list (disList);
b. traverse the new continuous state data set C′ and calculate $\Delta cc_i = c'_{i+1} - c'_i$ and $\Delta cc_{i+1} = c'_{i+2} - c'_{i+1}$; if $\Delta cc_i \ge 0$ and $\Delta cc_{i+1} < 0$, or $\Delta cc_i < 0$ and $\Delta cc_{i+1} \ge 0$, put i into the continuous type variable division point list consList;
c. merge the data in disList and consList to obtain sPts;
d. traverse disList and, for each element dPt, perform operations e through f as follows:
e. find the element before dPt in sPts, denoted pPt, and find the continuous type variable index corresponding to pPt in consList, denoted cIdx; in the new continuous variable data set
Figure FDA00033803353500000410
find the continuous variable corresponding to cIdx and denote it $c'_{cIdx}$; determine the number of variables of $c'_{cIdx}$ located in the interval [pPt, dPt]; if that number is 1, delete pPt from sPts; otherwise, perform operation f;
f. find the index of the element after dPt in sPts, denoted nIdx; while nIdx is less than the total number of sPts, loop through the following operations f-1 to f-3; otherwise, exit the loop;
f-1. find the element value corresponding to nIdx in sPts, denoted nPt;
f-2. find the continuous variable index corresponding to nPt in consList, denoted cIdx;
f-3. determine the number of variables of the continuous type variable $c'_{cIdx}$ located in the interval [dPt, nPt]; if that number is 1 or 2, delete nPt from sPts; otherwise, exit the loop;
D. feature extraction, namely:
g. traverse each element $Pt_i$ in sPts and the element $Pt_{i+1}$ after it, and calculate each time slice $\Delta PT_i = Pt_{i+1} - Pt_i$; let the number of time slices be $m_t$; denote $\Delta PT_i$ as
Figure FDA0003380335350000051
forming a new set of time slices
Figure FDA0003380335350000052
h. Traverse each time slice
Figure FDA0003380335350000053
Set of all discrete variables after time slicing
Figure FDA0003380335350000054
wherein,
Figure FDA0003380335350000055
Figure FDA0003380335350000056
is in time slices
Figure FDA0003380335350000057
Inner postThe collected discrete type variable set and all continuous type variable sets after time slice division are recorded as
Figure FDA0003380335350000058
Figure FDA0003380335350000059
Is shown in time slice
Figure FDA00033803353500000510
The continuous type variable set collected in the system;
in time slice
Figure FDA00033803353500000511
The discrete type variables in are identical
Figure FDA00033803353500000512
Representing time slices
Figure FDA00033803353500000513
Any one set of discrete variables in
Figure FDA00033803353500000514
Of a particular element, and therefore, use
Figure FDA00033803353500000515
To represent
Figure FDA00033803353500000516
At this time, the process of the present invention,
Figure FDA00033803353500000517
i. for each time slice
Figure FDA00033803353500000518
Computing
Figure FDA00033803353500000519
Where j is ∈ [1, n ]3],i∈[1,mt];
Figure FDA00033803353500000520
Is in time slices
Figure FDA00033803353500000521
The maximum value in the set of continuous type variables acquired,
Figure FDA00033803353500000522
is in time slices
Figure FDA00033803353500000523
Minimum value in the continuous type variable set collected;
Figure FDA00033803353500000524
representing sets of continuous variables
Figure FDA00033803353500000525
In time slice
Figure FDA00033803353500000526
The slope of (d);
j. obtaining a device state feature description set which is finally expressed as
Figure FDA00033803353500000527
Wherein
Figure FDA00033803353500000528
3. The method for quantitatively evaluating the influence of the multi-mode attack mode on the state of the industrial control system, which is oriented to the industrial control network, according to claim 2, is characterized in that the specific implementation process of the step a comprises the following steps:
a-1, setting i to 1;
a-2. judge whether $i = n_d$ holds; if so, exit; otherwise, perform step a-3;
a-3. judge whether $d_i = d_{i+1}$ holds; if not, put i+1 into the discrete type variable division point list (disList) and perform step a-4; if so, directly perform step a-4;
a-4. add 1 to i and perform step a-2.
4. The method for quantitatively evaluating the influence of the multi-mode attack mode on the state of the industrial control system, which is oriented to the industrial control network, according to claim 3, is characterized in that in the step (2), the state features are clustered, and the specific steps comprise:
k. initializing elements in a device state profile set
Figure FDA0003380335350000061
where $j \in [1, m_t]$; the corresponding cluster number set Clrs is empty, the radius expansion threshold rThrd ∈ [0.02, 0.1], and the radius expansion range rRange ∈ [1.05, 1.35];
l. from
Figure FDA0003380335350000062
select the point with the maximum distance from all the points as the first center point, and put it into the center point set Cts;
m. calculate, for
Figure FDA0003380335350000063
the minimum distance between each of the other elements in the set and the elements in the center point set, forming the set dList;
n. select the element iCtr corresponding to the maximum distance in dList, and add iCtr to Cts;
o. set the update flag, flag, to true;
p. while flag is true, repeat the following steps p-1 to p-5; otherwise, exit:
p-1. assign flag to false;
p-2. traverse
Figure FDA0003380335350000064
and, for each of its elements
Figure FDA0003380335350000065
find in Cts the element with the minimum distance to
Figure FDA0003380335350000066
and record the index of that element as c, recording the minimum distance minDist and c;
p-3. if Clrs[i] is not equal to c, set Clrs[i] = c, assign flag to true, and perform step p-4; otherwise, directly perform step p-4;
p-4. update each center point in Cts to the mean of the elements of
Figure FDA0003380335350000067
that belong to its cluster;
p-5. perform p-5-1 to p-5-2 for each element Cts[j] in Cts:
p-5-1. Rs[j] is, among the elements of
Figure FDA0003380335350000068
belonging to cluster j, the maximum distance to the center point Cts[j];
p-5-2. if Rs[j] = 0, then Rs[j] = 0 + rThrd is calculated; otherwise Rs[j] = 0 × rRange;
using the above clustering method, after
Figure FDA0003380335350000069
is clustered, a new state feature set is formed by taking the center points of the clusters as states:
Figure FDA00033803353500000610
where $m_s$ is the number of clusters.
5. The method as claimed in claim 4, wherein the radius expansion threshold rThrd is 0.06 and the radius expansion range rRange is 1.2.
6. The method for quantitatively evaluating the influence of the multi-mode attack mode facing the industrial control network on the state of the industrial control system according to claim 4,
Figure FDA00033803353500000611
for any two points
Figure FDA00033803353500000612
the distance between them,
Figure FDA00033803353500000613
is calculated by formula (II) as follows:
Figure FDA00033803353500000614
7. The method for quantitatively evaluating the influence of the multi-mode attack mode on the state of the industrial control system, which is oriented to the industrial control network, according to claim 4, is characterized in that the specific implementation process of the step (3) is as follows:
the state transition probability graph is represented as $G = \{V, P(TR)\}$, where $V = \{v_1, v_2, \ldots, v_n\}$ denotes the vertex set in the state transition probability graph, namely the new state feature set S generated in the step (2); $TR = \{TR_{i \to j},\ i, j \in [1, n]\}$, where $TR_{i \to j}$ denotes the transition relation from state $v_i$ to state $v_j$; wherein $P(TR) = \{P(TR_{i \to j}),\ i, j \in V\}$,
Figure FDA0003380335350000071
denotes the transition from state $v_i$ to state $v_j$, in which $num(TR_{i \to j})$ is the number of $TR_{i \to j}$ state transitions and $num(TR) = \sum_{i,j \in V} num(TR_{i \to j})$ is the sum of all state transition counts;
the state stored in the new state feature set S generated in the step (2),
Figure FDA0003380335350000073
is a vertex in V of the state transition probability graph; according to
Figure FDA0003380335350000072
the transition probability set P(TR) is generated based on the transition relations between the states.
8. A quantitative evaluation system for the influence of the multi-mode attack mode facing the industrial control network on the state of the industrial control system is used for realizing the quantitative evaluation method for the influence of the multi-mode attack mode facing the industrial control network on the state of the industrial control system according to any one of claims 1 to 7, and is characterized by comprising a state data primary description and extraction unit, a clustering unit, a state transition probability graph construction unit and a quantitative evaluation unit; the state data preliminary description and extraction unit is used for executing the step (1); the clustering unit is used for executing the step (2); the state transition probability map construction unit is used for executing the step (3); the quantitative evaluation unit is used for executing the step (4).
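Steps a to c of claim 2 (with the a-1 to a-4 loop of claim 3) and the time-slice lengths of step g, as an added example that is not code from the patent. It assumes the usual z-score for formula (I), uses the claims' 1-based indices, and omits the pruning steps d to f; the sample series and function names are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample: one continuous variable (tank level) and one
# discrete variable (pump on/off), ten time instants each.
LEVEL = [1, 2, 3, 4, 3, 2, 1, 2, 3, 4]
PUMP = [0, 0, 0, 0, 0, 0, 0, 1, 1, 1]


def zscore(series):
    """z-score normalisation (assumed form of formula (I)).

    Population standard deviation is used; a constant series maps
    to all zeros so that it never produces a turning point.
    """
    mu, sigma = mean(series), pstdev(series)
    if sigma == 0:
        return [0.0] * len(series)
    return [(x - mu) / sigma for x in series]


def discrete_split_points(d):
    """Step a: 1-based index i+1 wherever d_i != d_(i+1)."""
    return [i + 1 for i in range(1, len(d)) if d[i - 1] != d[i]]


def continuous_split_points(columns):
    """Step b: turning points of each normalised continuous variable.

    Returns {i: cIdx}, where i is the 1-based index at which the sign
    of the first difference flips and cIdx is the 0-based index of the
    continuous variable that produced it (first variable wins on ties).
    """
    points = {}
    for c_idx, column in enumerate(columns):
        c = zscore(column)
        for i in range(1, len(c) - 1):        # needs c'_i .. c'_(i+2)
            d1 = c[i] - c[i - 1]              # delta cc_i
            d2 = c[i + 1] - c[i]              # delta cc_(i+1)
            if (d1 >= 0 and d2 < 0) or (d1 < 0 and d2 >= 0):
                points.setdefault(i, c_idx)
    return points


def segmentation(d, columns):
    """Steps a-c and g: merged split points and time-slice lengths."""
    dis_list = discrete_split_points(d)
    cons_list = continuous_split_points(columns)
    s_pts = sorted(set(dis_list) | set(cons_list))              # step c
    slices = [b - a for a, b in zip(s_pts, s_pts[1:])]          # step g
    return s_pts, slices


if __name__ == "__main__":
    print(segmentation(PUMP, [LEVEL]))
```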
CN202110698293.5A 2021-06-23 2021-06-23 Industrial control network-oriented quantitative evaluation method and system for influence of multi-mode attack mode on state of industrial control system Active CN113486352B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110698293.5A CN113486352B (en) 2021-06-23 2021-06-23 Industrial control network-oriented quantitative evaluation method and system for influence of multi-mode attack mode on state of industrial control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110698293.5A CN113486352B (en) 2021-06-23 2021-06-23 Industrial control network-oriented quantitative evaluation method and system for influence of multi-mode attack mode on state of industrial control system

Publications (2)

Publication Number Publication Date
CN113486352A CN113486352A (en) 2021-10-08
CN113486352B true CN113486352B (en) 2022-02-11

Family

ID=77935946

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110698293.5A Active CN113486352B (en) 2021-06-23 2021-06-23 Industrial control network-oriented quantitative evaluation method and system for influence of multi-mode attack mode on state of industrial control system

Country Status (1)

Country Link
CN (1) CN113486352B (en)

Also Published As

Publication number Publication date
CN113486352A (en) 2021-10-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant