CN113572785B - Honeypot defense method and device for nuclear power control system - Google Patents


Info

Publication number
CN113572785B
Authority
CN
China
Prior art keywords
request
target
nuclear power
control system
attack
Legal status
Active
Application number
CN202110896609.1A
Other languages
Chinese (zh)
Other versions
CN113572785A (en)
Inventor
万佳蓉
王绍杰
衣然
霍朝宾
靳方略
荆琛
李政达
周帅
Current Assignee
6th Research Institute of China Electronics Corp
Original Assignee
6th Research Institute of China Electronics Corp

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/22 Matching criteria, e.g. proximity measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The application provides a honeypot defense method and device for a nuclear power control system. The honeypot defense method comprises the following steps: acquiring a target request that a request source directs at the nuclear power control system; extracting from the target request a target feature vector that characterizes it; determining a classification index value for the extracted target feature vector; if the classification index value shows the target request to be an attack request, updating a request database based on the target request; and using the updated request database to determine the predicted attack behavior against the nuclear power control system. By installing the honeypot on the nuclear power industrial control system so that it, rather than the real system, interacts with the request source, the method achieves the technical effect of active defense against hacking.

Description

Honeypot defense method and device for nuclear power control system
Technical Field
The application relates to the technical field of industrial control security, and in particular to a honeypot defense method and device for a nuclear power control system.
Background
As IT (information technology) and OT (operational technology) converge, industrial control systems are gradually moving from a relatively isolated mode to an open one. The adoption of new information technology greatly improves industrial production efficiency, but at the same time introduces certain risks. As a new energy supply point in China, the network security of nuclear power stations is important. Digital information technology is being applied to nuclear power projects at an increasing rate, for example the digital upgrade and transformation of China's second-generation nuclear power and the fully digital instrumentation and control technology of today's third-generation nuclear power. Once a nuclear power system suffers a network attack, the normal operation of the system is disturbed in the mild case, and a terrible nuclear safety accident results in the severe case.
Traditional defense technology is relatively passive and is insufficient to form a security barrier for the nuclear power station. Active defense means are needed to cope with an attacker's damage, so that the defender, who is at a relative disadvantage in the attack-and-defense game, can seize the initiative.
Disclosure of Invention
In view of this, the purpose of the present application is at least to provide a honeypot defense method and device for a nuclear power industrial control system. The application installs a honeypot on the nuclear power industrial control system and uses the honeypot, in place of the real nuclear power industrial control system, to interact with the request source, achieving the technical effect of actively defending against and preventing hacking. The application mainly comprises the following aspects:
In a first aspect, an embodiment of the present application provides a honeypot defense method for a nuclear power control system, where the honeypot defense method includes: acquiring a target request that a request source directs at the nuclear power control system; extracting from the target request a target feature vector that characterizes it; determining a classification index value of the extracted target feature vector; if the target request is determined to be an attack request according to the classification index value, updating a request database based on the target request; and determining the predicted attack behavior against the nuclear power control system using the updated request database.
Optionally, the step of extracting from the target request a target feature vector that characterizes it includes: extracting from the target request all feature elements that describe it, to form a matrix; determining the eigenvectors and eigenvalues of the matrix; sorting all the eigenvalues in descending order and selecting a preset number of eigenvalues according to their cumulative contribution rate, where the cumulative contribution rate of the preset number of eigenvalues is greater than or equal to a feature contribution threshold; and forming the target feature vector from the eigenvectors corresponding to the selected eigenvalues.
Optionally, the target feature vector includes at least one feature element, and the step of determining the classification index value of the extracted target feature vector includes: normalizing each feature element in the target feature vector; determining a weight value corresponding to each feature element, where the weight value is obtained from a pre-trained logistic regression classifier, the logistic regression classifier being a classifier that classifies requests; and determining the classification index value from each normalized feature element and its corresponding weight value.
Optionally, the step of predicting attack behavior against the nuclear power control system using the updated request database comprises: inputting a plurality of data records from the updated request database into a time series model to obtain the predicted attack behavior against the nuclear power control system, where the predicted attack behavior comprises at least one of: the predicted attack type and the predicted attack frequency.
Optionally, the request database includes a plurality of data records, each data record corresponding to a request, and updating the request database based on the target request includes: determining a similarity value between the target data record corresponding to the target request and each data record in the request database; if the similarity value between the target data record and every data record in the request database is not greater than a similarity threshold, adding the target request and its corresponding target data record to the request database; and if the request database contains data records whose similarity value is greater than the similarity threshold, updating the matched data record based on the target data record, where the matched data record is the one with the largest similarity value among the data records whose similarity value exceeds the similarity threshold.
Optionally, the step of determining the predicted attack behavior against the nuclear power control system using the updated request database comprises: extracting from the request database the data records whose similarity value with the target data record corresponding to the target request is greater than the similarity threshold; and inputting the target data record and the extracted data records into a time series model to obtain the predicted attack behavior against the nuclear power control system.
Optionally, the honeypot defense method further comprises: if the target request is determined to be an attack request according to the classification index value, determining the pre-arranged target vulnerability triggered by the attack request, and outputting description information of the target vulnerability so that it can be defended against; and/or the honeypot defense method further comprises: if the target request is determined to be an attack request according to the classification index value, determining the service requested by the attack request, generating a simulated response corresponding to the service, and sending the simulated response to the request source.
Optionally, the honeypot defense method further comprises: if the target request is determined to be a normal request according to the classification index value, sending the target request to the request object indicated by the target request, so that the request object generates the service response corresponding to the target request and sends it to the request source.
Optionally, the time series model is constructed by: extracting from the request database the data records similar to the target request, forming a data set together with the target request, and performing a stationarity test on the data set to obtain the differencing order; determining the autoregressive order and moving-average order of the data set; constructing a plurality of candidate time series models from the differencing order, the autoregressive order and the moving-average order; and selecting, from the plurality of candidate time series models, the candidate with the optimal autoregressive and moving-average orders according to the Akaike information criterion and the Bayesian information criterion, and taking that candidate as the time series model.
In a second aspect, embodiments of the present application further provide a honeypot defense device for a nuclear power control system, the honeypot defense device including: the acquisition module is used for acquiring a target request of a request source aiming at the nuclear power control system; the extraction module is used for extracting target feature vectors capable of representing the target request according to the target request; the classification module is used for determining a classification index value of the extracted target feature vector; the updating module is used for updating the request database based on the target request if the target request is determined to be an attack request according to the classification index value; and the prediction module is used for determining the predicted attack behavior aiming at the nuclear power control system by utilizing the updated request database.
In a third aspect, embodiments of the present application further provide an electronic device, including: a processor, a memory and a bus, the memory storing machine readable instructions executable by the processor, the processor and the memory in communication via the bus when the electronic device is running, the machine readable instructions when executed by the processor performing the steps of the honeypot defense method for a nuclear power control system in the first aspect or any one of the possible implementation manners of the first aspect.
In a fourth aspect, the embodiments of the present application further provide a computer readable storage medium, where a computer program is stored, where the computer program is executed by a processor to perform the steps of the honeypot defense method for a nuclear power control system according to the first aspect or any possible implementation manner of the first aspect.
The embodiment of the application provides a honeypot defense method and device for a nuclear power control system, where the honeypot defense method comprises the following steps: acquiring a target request that a request source directs at the nuclear power control system; extracting from the target request a feature vector that characterizes it; determining a classification index value of the extracted feature vector; if the target request is determined to be an attack request according to the classification index value, updating a request database based on the target request; and determining the predicted attack behavior against the nuclear power control system using the updated request database. The honeypot is arranged on the nuclear power industrial control system and interacts with the request source in place of the real nuclear power industrial control system, thereby achieving the technical effect of actively defending against and preventing hacking.
In order to make the above objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered limiting the scope, and that other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 shows a flowchart of a honeypot defense method for a nuclear power control system according to an embodiment of the present application.
Fig. 2 is a flowchart illustrating the steps, provided by embodiments of the present application, for extracting from the target request a target feature vector that characterizes it.
Fig. 3 is a flowchart illustrating steps for determining a classification index value of a target feature vector according to an embodiment of the present application.
Fig. 4 is a flowchart illustrating steps for determining predicted attack behavior for a nuclear power control system using an updated request database according to an embodiment of the present application.
Fig. 5 shows a flowchart of the steps for constructing a time series model provided by an embodiment of the present application.
Fig. 6 shows a schematic structural diagram of a honeypot defense device for a nuclear power control system according to an embodiment of the present application.
Fig. 7 shows a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it should be understood that the accompanying drawings in the present application are only for the purpose of illustration and description, and are not intended to limit the protection scope of the present application. In addition, it should be understood that the schematic drawings are not drawn to scale. A flowchart, as used in this application, illustrates operations implemented according to some embodiments of the present application. It should be appreciated that the operations of the flow diagrams may be implemented out of order and that steps without logical context may be performed in reverse order or concurrently. Moreover, one or more other operations may be added to the flow diagrams and one or more operations may be removed from the flow diagrams as directed by those skilled in the art.
In addition, the described embodiments are only some, but not all, of the embodiments of the present application. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
The prior art has the following defects: the nuclear power control system has no capability for active defense; it has no method for predicting attacks over a future time period; possible vulnerabilities of the system cannot be known; and when a hacker attacks the nuclear power control system, it faces enormous potential safety hazards.
Based on this, the embodiment of the application provides a honeypot defense method and device for a nuclear power industrial control system. A honeypot is installed on the nuclear power industrial control system and interacts with the request source in place of the real nuclear power industrial control system, achieving the technical effect of actively defending against and preventing hacking. The method specifically comprises the following steps:
Referring to fig. 1, fig. 1 is a flowchart of a honeypot defense method for a nuclear power control system according to an embodiment of the present application. As shown in fig. 1, the honeypot defense method provided in the embodiment of the application includes the following steps:
S101, acquiring a target request that a request source directs at the nuclear power control system.
In the embodiment of the application, a honeypot can be arranged in advance for the nuclear power control system as its protective barrier. The honeypot serves as bait that attracts attackers to attack it instead of the nuclear power control system; after an attacker launches an attack, monitoring and analysis reveal the type of attack aimed at the nuclear power control system, and the latest attacks and vulnerabilities directed at the system can be learned at any time, so that its security protection can be carried out in a targeted way.
The nuclear power industrial control system can comprise a plurality of industrial control devices, with data transmitted between different industrial control devices through an industrial control protocol. At least one control terminal can be arranged in the nuclear power industrial control system to communicate with the industrial control devices, and the honeypot is installed on one control terminal to observe the attacker's activity comprehensively; this reduces the number of honeypots to be deployed and gives the most comprehensive protection with the fewest resources.
In an alternative example, probes may be deployed at all ports of each industrial control device of the nuclear power industrial control system, and requests from external request sources at all ports are perceived through the probes. For example, the TCP (transmission control protocol)/UDP (user datagram protocol) traffic conditions of the ports may be monitored using detection techniques such as SYN (synchronization sequence number), FIN and TCP Connect; the probes scan and record, so as to obtain the requests that access the ports.
Illustratively, the probe may listen for various network scanning and probing actions, such as password brute-forcing, execution of shell scripts, and the like.
As an example, the request source may be a terminal, such as an electronic device like a desktop computer, notebook computer, mobile phone or tablet computer. The operator of the request source may be a hacker, an internal developer, etc., and the target request may be a normal request or an attack request.
Specifically, after the probe acquires the target request initiated by the request source, the target request can be redirected into the honeypot using a redirection technique. The honeypot analyzes the target request and responds with the request message corresponding to the type of the target request, thereby simulating the industrial control devices and industrial control protocols of the nuclear power control system and achieving the technical effect of protecting it.
As an example, an industrial control protocol may include: IEC 104 (an international standard widely used in industries such as electric power and urban rail transit), Modbus/TCP (an industrial fieldbus protocol standard), S7 (the protocol used for communication between Siemens S7 series products), DNP3 (Distributed Network Protocol 3), and the like.
S102, extracting from the target request a target feature vector that characterizes it.
Referring to fig. 2, fig. 2 is a flowchart of the step of extracting a target feature vector that characterizes the target request according to an embodiment of the present application, which includes the following steps:
S1021, extracting from the target request all the feature elements that describe it, to form a matrix.
As an example, feature elements of the target request include, but are not limited to: destination IP, source port, destination port, attack time and number of attacks.
In an alternative embodiment, the feature elements may be digitized. For example, the process of digitizing an IP address feature element may be: first convert the IP address to binary, then convert that to decimal, to obtain the digitized value of the IP address feature element, and carry out the subsequent processing on it.
S1022, determining the eigenvectors and eigenvalues of the matrix.
As an example, the digitized feature elements may be formed into an initial matrix, the initial matrix is subjected to a Gaussian kernel transformation to obtain a kernel matrix, and the eigenvectors and eigenvalues of the kernel matrix are calculated.
S1023, sorting the eigenvalues in descending order, and selecting the first preset number of eigenvalues according to their cumulative contribution rate. Here, the cumulative contribution rate of the first preset number of eigenvalues is greater than or equal to the feature contribution threshold.
Specifically, the eigenvalues may be selected as follows: step A, sort all the eigenvalues in descending order (i.e. from large to small) and select k eigenvalues; step B, calculate the cumulative contribution rate of the k eigenvalues; step C, if the cumulative contribution rate of the k eigenvalues is greater than or equal to the feature contribution threshold, determine the eigenvectors corresponding to the k eigenvalues as the selected preset number of eigenvectors; step D, if the cumulative contribution rate of the k eigenvalues is less than the feature contribution threshold, set k = k + 1 and return to step B, until the eigenvectors corresponding to k eigenvalues whose cumulative contribution rate is greater than or equal to the feature contribution threshold are selected. Here, k ranges from 1 to M, where M is the total number of eigenvalues.
As an example, the cumulative contribution rate of the k eigenvalues may be determined as follows: calculate a first sum, the sum of the k selected eigenvalues; calculate a second sum, the sum of all the eigenvalues; and take the ratio of the first sum to the second sum as the cumulative contribution rate of the k eigenvalues. When the cumulative contribution rate exceeds the feature contribution threshold, a preset number of feature elements can be selected from all feature elements to stand in for the full set, which reduces the dimension of the feature matrix, i.e. performs dimension reduction on the target request.
S1024, forming the target feature vector from the eigenvectors corresponding to the selected eigenvalues.
That is, the obtained feature vector is the feature vector formed by the feature elements of the target request after dimension reduction.
As an example, when the target request is a given matrix [the matrix is an image in the original and is not reproduced here], that matrix is subjected to a Gaussian kernel transformation to obtain a kernel matrix [not reproduced], and the eigenvalues $\lambda_1, \lambda_2, \lambda_3, \ldots, \lambda_M$ and the eigenvectors [not reproduced] of the kernel matrix are obtained. The eigenvalues are arranged in descending order (i.e. from large to small) to obtain the descending-order eigenvalues $\lambda_1', \lambda_2', \lambda_3', \ldots, \lambda_M'$, and the cumulative contribution rate of the descending-order eigenvalues is calculated by the following formula:

$$\frac{\sum_{i=1}^{k} \lambda_i'}{\sum_{j=1}^{M} \lambda_j} \ge t \qquad (1)$$

In formula (1), $\lambda_i'$ represents the i-th eigenvalue after descending-order sorting, $1 \le i \le k$, where k is the number of leading eigenvalues taken in descending order; $\lambda_j$ represents the j-th eigenvalue, $1 \le j \le M$, where M is the number of all eigenvalues of the kernel matrix obtained by the Gaussian kernel transformation of the target request; and t is the feature contribution threshold, which can be preset. When the cumulative contribution rate reaches or exceeds the feature contribution threshold, the eigenvectors corresponding to the descending-order eigenvalues $\lambda_1', \lambda_2', \lambda_3', \ldots, \lambda_k'$ [not reproduced] form the target feature vector, which replaces the target request and so reduces its dimension.
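Steps S1021 to S1024 and formula (1) carried through end to end, as an added worked example written for this page (it is not code from the patent or its applicant). It assumes that the rows of the initial matrix are the digitized feature elements of several requests recorded by the probe, that each column is scaled to [0, 1] before the Gaussian kernel is applied (otherwise the 32-bit IP integer dominates every distance), and that the eigenvalues and eigenvectors are obtained with a cyclic Jacobi rotation routine; the sample requests, the kernel width sigma and the threshold t = 0.9 are constructed values.

```python
import math

# Constructed sample: five requests recorded by a probe, each described by the
# kind of feature elements the patent lists (source IP, source port,
# destination port, time of day in seconds, attack count).  Values are made up.
SAMPLE_REQUESTS = [
    {"src_ip": "10.0.0.5",     "src_port": 51234, "dst_port": 502,   "time": 3600,  "count": 1},
    {"src_ip": "10.0.0.9",     "src_port": 51300, "dst_port": 502,   "time": 3720,  "count": 1},
    {"src_ip": "198.51.100.7", "src_port": 40000, "dst_port": 102,   "time": 7200,  "count": 40},
    {"src_ip": "198.51.100.7", "src_port": 40001, "dst_port": 20000, "time": 7205,  "count": 41},
    {"src_ip": "203.0.113.3",  "src_port": 44444, "dst_port": 2404,  "time": 86000, "count": 300},
]


def digitize_ip(ip):
    """Digitize an IPv4 address: dotted decimal -> 32-bit binary string -> integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    bits = "".join("{:08b}".format(o) for o in octets)  # binary conversion
    return int(bits, 2)                                  # decimal conversion


def request_to_row(req):
    """One row of the initial matrix: every feature element as a number."""
    return [float(digitize_ip(req["src_ip"])), float(req["src_port"]),
            float(req["dst_port"]), float(req["time"]), float(req["count"])]


def scale_columns(rows):
    """Assumption: divide each column by its largest absolute value so that the
    32-bit IP integer does not swamp the other features inside the kernel."""
    n_cols = len(rows[0])
    maxes = [max(abs(r[c]) for r in rows) or 1.0 for c in range(n_cols)]
    return [[r[c] / maxes[c] for c in range(n_cols)] for r in rows]


def gaussian_kernel(rows, sigma):
    """Gaussian kernel transformation: K[i][j] = exp(-||x_i - x_j||^2 / (2 sigma^2))."""
    n = len(rows)
    kernel = [[0.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            d2 = sum((a - b) ** 2 for a, b in zip(rows[i], rows[j]))
            kernel[i][j] = math.exp(-d2 / (2.0 * sigma * sigma))
    return kernel


def jacobi_eigen(matrix, tol=1e-12, max_sweeps=100):
    """Eigenvalues and eigenvectors of a symmetric matrix by cyclic Jacobi
    rotations.  Returns (eigenvalues, V) with the eigenvectors as columns of V."""
    n = len(matrix)
    a = [row[:] for row in matrix]
    v = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(max_sweeps):
        off = sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j)
        if off < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = (1.0 if theta >= 0 else -1.0) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for k in range(n):                      # A <- A J   (columns p, q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):                      # A <- J^T A (rows p, q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):                      # V <- V J
                    vkp, vkq = v[k][p], v[k][q]
                    v[k][p], v[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    return [a[i][i] for i in range(n)], v


def select_by_contribution(eigvals, threshold):
    """Steps A-D and formula (1): walk the eigenvalues in descending order until
    their cumulative contribution rate reaches the threshold t.  Returns k and
    the indices (into eigvals) of the k selected eigenvalues."""
    order = sorted(range(len(eigvals)), key=lambda i: eigvals[i], reverse=True)
    total = sum(eigvals)                       # second sum: all eigenvalues
    running = 0.0                              # first sum: leading k eigenvalues
    for k, idx in enumerate(order, start=1):
        running += eigvals[idx]
        if running / total >= threshold:
            return k, order[:k]
    return len(order), order


def extract_target_features(requests, sigma=0.5, threshold=0.9):
    """S1021-S1024: digitize, kernel-transform, eigen-decompose, select by
    cumulative contribution, and return one reduced feature vector per request."""
    rows = scale_columns([request_to_row(r) for r in requests])
    kernel = gaussian_kernel(rows, sigma)
    eigvals, eigvecs = jacobi_eigen(kernel)
    k, selected = select_by_contribution(eigvals, threshold)
    features = [[eigvecs[r][c] for c in selected] for r in range(len(rows))]
    return k, features, eigvals


if __name__ == "__main__":
    k, feats, vals = extract_target_features(SAMPLE_REQUESTS)
    print("kept", k, "of", len(vals), "eigenvalues; first request ->", feats[0])
```

Because the kernel matrix has ones on its diagonal, the sum of its eigenvalues equals the number of requests, which is a cheap sanity check on the eigen-decomposition before trusting the contribution rate.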
Returning to fig. 1, S103 determines a classification index value of the extracted target feature vector.
Referring to fig. 3, fig. 3 is a flowchart illustrating the steps for determining the classification index value of the extracted target feature vector according to an embodiment of the present application, which include the following steps:
S1031, normalizing each feature element in the target feature vector.
Here, the target feature vector comprises at least one feature element.
In one example, each feature element may be normalized using dispersion normalization (min-max normalization), for example by the following formula:

$$x_1 = \frac{x - x_{\min}}{x_{\max} - x_{\min}} \qquad (2)$$

In formula (2), $x_1$ represents any feature element after normalization, and $x_1$ takes values in [0, 1]; x represents any feature element in the feature vector, $x_{\min}$ represents the minimum of the feature elements in the feature vector, and $x_{\max}$ represents the maximum of the feature elements in the feature vector.
In another example, each feature element may instead be normalized using Z-score normalization, for example by the Z-score formula:

$$x_1 = \frac{x - \mu}{\sigma} \qquad (3)$$

In formula (3), $x_1$ represents any feature element after normalization, and $x_1$ takes values in [0, 1]; x represents any feature element in the feature vector, $\mu$ represents the mean of the feature elements in the feature vector, and $\sigma$ represents their standard deviation. The data after Z-score normalization follow a standard normal distribution with mean 0 and standard deviation 1.
Normalizing each feature element in the feature vector improves the processing efficiency of the subsequent work.
S1032, determining the weight value corresponding to each feature element. Here, the weight values are obtained from a pre-trained logistic regression classifier, which is a classifier used to classify requests.
As an example, the logistic regression classifier is trained on a request database that includes both normal requests and attack requests. The input of the logistic regression classifier is the target feature vector of the target request (i.e. the feature vector formed by the preset number of feature elements, that is, the feature vector of the target request after dimension reduction), and the output is the classification result for the request, i.e. whether the request is a normal request or an attack request. An importance index is determined for each feature element, and the weight value of each feature element is determined from its importance index: the larger the importance index of a feature element, the larger its weight value, and the smaller the importance index, the smaller the weight value.
S1033, determining the classification index value according to each feature element after normalization and the corresponding weight value.
For example, classification preprocessing may be performed on the normalized feature elements by the following formula to obtain the classification preprocessing data:
$z = \omega^{T} \times x_2$ (4)
In formula (4), z represents the classification preprocessing data, ω represents the vector composed of the weight values corresponding to the respective feature elements, $\omega^{T}$ represents the transpose of ω, and $x_2$ represents the feature vector composed of the feature elements after normalization.
For example, the classification preprocessing data z may be substituted into the following formula to determine the classification index value:
$g(z) = \dfrac{1}{1 + e^{-z}}$ (5)
In formula (5), g(z) represents the classification index value of the feature vector and z represents the classification preprocessing data.
Returning to fig. 1, in S104, if the target request is determined to be an attack request according to the classification index value, the request database is updated based on the target request.
Specifically, when the classification index value is greater than the classification preset threshold value, the target request corresponding to the classification index value is considered as an attack request; when the classification index value is smaller than or equal to the classification preset threshold value, the target request corresponding to the classification index value is considered to be a normal request.
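The computation of S1031 to S1033 together with the threshold rule of S104, as an added example that is not part of the patent; the feature values, the weight vector standing in for the trained classifier's weights, and the threshold 0.5 are constructed assumptions:

```python
"""Classification index for a request feature vector (steps S1031-S1033).

Added example; this is not the patent's own code. It carries formulas (3)-(5)
through: Z-score normalization of each feature element, z = w^T x2 with the
per-element weight values, g(z) = 1 / (1 + e^-z), and the threshold rule of
S104. Feature values, weights and the threshold below are constructed samples.
"""
import math
from typing import List, Tuple


def zscore_normalize(features: List[float]) -> List[float]:
    """Formula (3): x1 = (x - mu) / sigma, with mu and sigma taken over the
    elements of this one feature vector."""
    n = len(features)
    if n == 0:
        raise ValueError("empty feature vector")
    mu = sum(features) / n
    sigma = math.sqrt(sum((x - mu) ** 2 for x in features) / n)
    if sigma == 0.0:
        # every element equals the mean: all Z-scores are zero
        return [0.0] * n
    return [(x - mu) / sigma for x in features]


def classification_index(features: List[float], weights: List[float]) -> float:
    """Formulas (4) and (5): z = w^T x2, g(z) = 1 / (1 + exp(-z)).

    `weights` plays the role of the vector w whose entries the patent takes
    from the pre-trained logistic regression classifier (constructed here)."""
    if len(features) != len(weights):
        raise ValueError("weight vector must have one entry per feature element")
    x2 = zscore_normalize(features)
    z = sum(w * x for w, x in zip(weights, x2))          # formula (4)
    # clamp z so exp() cannot overflow on extreme feature values
    z = max(min(z, 500.0), -500.0)
    return 1.0 / (1.0 + math.exp(-z))                     # formula (5)


def classify_request(features: List[float], weights: List[float],
                     threshold: float = 0.5) -> Tuple[str, float]:
    """S104 rule: g(z) above the preset threshold means attack, otherwise normal."""
    g = classification_index(features, weights)
    return ("attack" if g > threshold else "normal"), g


if __name__ == "__main__":
    # Constructed sample: five feature elements of one request after dimension
    # reduction, and a weight vector that emphasises the last element.
    sample_features = [1.0, 2.0, 3.0, 4.0, 5.0]
    sample_weights = [0.0, 0.0, 0.0, 0.0, 1.0]
    print(classify_request(sample_features, sample_weights))
```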
For example, the request database may include a plurality of data records, each data record corresponding to a request, and the step of updating the request database based on the target request may be specifically as follows:
Determining the similarity value between the target data record corresponding to the target request and each data record in the request database.
As an example, a k-nearest neighbour (KNN) algorithm may be used to determine the similarity between the target data record corresponding to the target request and each data record in the request database; the KNN algorithm generally measures similarity by a distance, most commonly the Euclidean distance.
For example, the Euclidean distance may be calculated by the following formula:
$D = \sqrt{\sum_{i=1}^{k} (a_i - b_i)^2}$ (6)
In formula (6), $a_i$ represents the i-th feature element in the target data record, $b_i$ represents the i-th feature element in any data record in the request database, D represents the Euclidean distance between the target data record corresponding to the target request and that data record in the request database, and k represents the number of feature elements in the target data record corresponding to the target request.
At this time, the similarity value between the target data record corresponding to the target request and each data record in the request database is determined by the euclidean distance D, and the smaller the D value is, the larger the similarity value is, and the larger the D value is, the smaller the similarity value is.
In an alternative example, if the similarity value of the target data record and each data record in the request database is not greater than a similarity threshold, then the target request and the corresponding target data record are added to the request database.
That is, if the similarity value of the target data record and each data record in the request database is not greater than the similarity threshold (i.e., when the D value is greater than the preset threshold), the target request corresponding to the target data record is considered to be dissimilar to each request in the request database, and the target request and the corresponding target data record are added to the request database for updating.
If there are data records in the request database whose similarity value with the target data record is larger than the similarity threshold, the matching data record is updated based on the target data record. Here, the matching data record refers to the data record with the largest similarity value among the data records whose similarity value is larger than the similarity threshold.
That is, if there is a data record in the request database with a similarity value greater than the similarity threshold (i.e., when the D value is not greater than the preset threshold), the target request corresponding to the target data record is considered to be more similar to a part of the requests in the request database, and at this time, the data record with the largest similarity value is selected from the similar data records as the matching data record, and the matching data record is updated by using the target data record.
Here, one data record may include a plurality of attribute items, and the plurality of attribute items may correspond to a plurality of feature elements. That is, the updating of the matching data record may be the updating of the attribute item of the matching data record or the adding of the attribute item of the matching data record. Taking the example that the attribute item includes the attack number, updating the attribute item may refer to adding one to the attack number.
In an alternative example, when there is a data record in the request database whose similarity to the target data record is greater than the similarity threshold, a human judgment may also be made: the target data record and that data record are both provided to the developer to determine whether the two are identical, and if they are judged identical, the target request is not added to the request database.
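The update logic of S104, together with the similar-record selection that S1051 reuses later, as an added example that is not the patent's own code; the record layout, the sample records and the use of a distance bound as the similarity threshold are assumptions:

```python
"""Request-database update (S104) and similar-record selection (S1051).

Added example; this is not the patent's own code. Distance between two data
records is the Euclidean distance of formula (6); 'similarity greater than the
similarity threshold' is expressed as D <= distance_bound. The record layout
(feature elements, attack count, last period seen) and all sample records are
constructed for this example.
"""
import math
from typing import Any, Dict, List

Record = Dict[str, Any]


def euclidean_distance(a: List[float], b: List[float]) -> float:
    """Formula (6): D = sqrt(sum_{i=1..k} (a_i - b_i)^2)."""
    if len(a) != len(b):
        raise ValueError("records must have the same number of feature elements")
    return math.sqrt(sum((ai - bi) ** 2 for ai, bi in zip(a, b)))


def similar_records(db: List[Record], target_features: List[float],
                    distance_bound: float) -> List[Record]:
    """Data records whose similarity to the target exceeds the threshold
    (a smaller D means a larger similarity). Used by S104 and by S1051."""
    return [r for r in db
            if euclidean_distance(r["features"], target_features) <= distance_bound]


def update_request_database(db: List[Record], target: Record,
                            distance_bound: float) -> str:
    """S104: add the target record when nothing similar exists, otherwise update
    the matching record (the most similar one). Returns 'added' or 'updated'."""
    candidates = similar_records(db, target["features"], distance_bound)
    if not candidates:
        db.append({"features": list(target["features"]),
                   "attack_count": 1,
                   "last_period": target["period"]})
        return "added"
    match = min(candidates,
                key=lambda r: euclidean_distance(r["features"], target["features"]))
    match["attack_count"] += 1            # attribute item: attack number plus one
    match["last_period"] = target["period"]
    return "updated"


def build_sample_database() -> List[Record]:
    """Constructed request database with two dissimilar attack records."""
    return [
        {"features": [0.1, 0.2, 0.3], "attack_count": 3, "last_period": 4},
        {"features": [5.0, 5.0, 5.0], "attack_count": 1, "last_period": 2},
    ]


if __name__ == "__main__":
    db = build_sample_database()
    print(update_request_database(db, {"features": [0.15, 0.2, 0.3], "period": 7}, 0.5))
    print(db[0]["attack_count"])
```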
In a preferred example, the honeypot defense method may further include: if the target request is determined to be the attack request according to the classification index value, determining a prearranged target vulnerability triggered by the attack request, and outputting description information of the target vulnerability to defend against the target vulnerability.
In another preferred embodiment, the honeypot defense method may further include: if the target request is determined to be the attack request according to the classification index value, determining the service requested by the attack request, generating a simulation response corresponding to the service, and sending the simulation response to the request source.
That is, the honeypot acquires the attack request and replaces the nuclear power industrial control system to respond to the attack request, so that the effect of simulating the industrial control equipment and the industrial control protocol of the nuclear power industrial control system is achieved, and the honeypot interacts with the request source for initiating the attack request to protect the real nuclear power industrial control system.
Specifically, the honeypot simulates industrial control equipment and industrial control protocols on a Linux system; the simulation mainly relies on protocol analysis technology to reverse-analyze the industrial control protocols. A probe is set at the port, the received request is passed into the honeypot, the honeypot parses the request and returns the corresponding response message, thereby completing the simulation of the industrial control equipment and protocol.
The honeypot mainly imitates real industrial control equipment and software to generate virtual assets; a realistic service environment can be built among the virtual assets, which enhances the decoy capability, interferes with the attacker's judgment of the target, and slows down the attack on the real system.
In still another preferred embodiment, the above honeypot defense method may further include: if the target request is determined to be a normal request according to the classification index value, the target request is sent to a request object indicated by the target request, so that a service response corresponding to the target request is generated by the request object and is sent to a request source.
Returning to fig. 1, S105 determines, using the updated request database, a predicted attack behavior for the nuclear power control system.
For example, a predicted attack on the nuclear power control system may be determined based on the updated request database and the time series model.
For example, a plurality of data records in the updated request database are input into a time sequence model to obtain a predicted attack behavior for the nuclear power control system. As an example, predicting the attack behavior may include at least one of: and predicting the attack type and attack frequency of the attack.
That is, a plurality of data records in the updated request database are input into the time series model for prediction, and the attack type and attack frequency that the nuclear power control system may suffer in a future time period are predicted. The attack frequency may be the number of times that one attack type attacks the nuclear power control system in a future period of time, or the number of times that multiple attack types do so.
Wherein predicting the attack behavior may further include: and predicting the IP address and the attack time of the attack.
Referring to fig. 4, fig. 4 is a flowchart of a step of determining a predicted attack behavior for a nuclear power control system by using an updated request database according to an embodiment of the present application, including the following steps:
S1051, extracting the data records with the similarity value larger than the similarity threshold value of the target data records corresponding to the target request from the request database.
In this step, a certain number of data records are screened from the request database by the above-described process and used for predicting the attack behavior.
In a preferred embodiment, when the target request is an attack request, attack requests similar to the attack request are screened from the request database, and the similar attack requests are used for carrying out attack behavior prediction.
S1052, inputting the target data record and the extracted data record into a time sequence model to obtain the predicted attack behavior for the nuclear power control system.
In the embodiment of the application, the request database includes normal requests and attack requests, and in the processing flow shown in fig. 4, similar attack requests are screened from the request database to predict attack behaviors, so that the accuracy of predicting attack behaviors aiming at the attack types to which the target requests belong can be improved. Here, after the nuclear power industrial control system is subjected to an attack request of a certain attack type, an attacker is likely to initiate a second attack in a short time, and the above processing flow can be used for effectively predicting.
The time series model may be, for example, an ARIMA (p, q, d) model, where d is the number of differences, p is the number of autoregressive terms, and q is the number of moving average terms. It should be understood that other models may be used to predict the attack behavior, and the application is not limited thereto.
Referring to fig. 5, fig. 5 is a flowchart of the steps for constructing the time series model according to an embodiment of the present application, including the following steps:
S201, extracting from the request database the data records whose similarity value with the target request is larger than the similarity threshold, forming a data set together with the target request, and performing a stationarity test on the data set to obtain the number of differences.
Specifically, the data set includes the target request and the data records extracted from the request database, where the similarity value between each extracted data record and the target request is greater than the similarity threshold, and the recording time of each data record falls in a history period before the target request was received.
Specifically, if the data set is found to be non-stationary by the stationarity test, it is made stationary by differencing and the value of the number of differences d is determined; if the data set is stationary, the number of differences is d = 0.
S202, determining the autoregressive term number and the moving average term number of the data set.
Specifically, each data record in the request database is decomposed according to the trend factors, the random factors and other factors, then an autocorrelation chart and a partial autocorrelation chart corresponding to each data record are obtained, the autocorrelation coefficient and the partial autocorrelation coefficient corresponding to each data record are determined, the value of q is determined according to the Autocorrelation Coefficient (ACF), and the value of p is determined according to the Partial Autocorrelation Coefficient (PACF).
S203, constructing a plurality of candidate time sequence models according to the difference times, the autoregressive terms and the moving average terms.
Here, the above steps S201 to S202 may be repeated to obtain a plurality of difference times, autoregressive terms, and moving average terms, a plurality of sets of difference times, autoregressive terms, and moving average terms are obtained by means of random combination, and a candidate time series model is constructed according to each set of difference times, autoregressive terms, and moving average terms, thereby obtaining a plurality of candidate time series models.
S204, selecting, from the plurality of candidate time series models and according to the Akaike information criterion and the Bayesian information criterion, the candidate time series model with the optimal number of autoregressive terms and moving average terms, and determining it as the time series model.
In particular, the Akaike information criterion (AIC) trades off the complexity of the estimated model against its goodness of fit to the data, but when the number of samples is too large, overfitting is likely to occur. Therefore, the Bayesian information criterion (BIC), which has a relatively larger penalty term, is introduced on top of it, and this can effectively prevent the model from becoming excessively complex in pursuit of accuracy.
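The prediction of S105 with the model construction of S201 to S204, as an added, simplified example that is not the patent's code: it selects the order p by AIC/BIC scores on a differenced autoregressive fit, omits the moving-average terms q, and uses a constructed stationarity heuristic and constructed records carrying a 'period' field.

```python
"""Attack-frequency prediction (S105, figs. 4-5) with a differenced AR model.

Added example, not the patent's own code: build an attack-count series per period
from the similar attack records of S1051, difference it until a stationarity check
passes (S201), fit AR(p) by least squares for p = 0..p_max, keep the order with the
lowest BIC among the AIC/BIC-scored candidates (S202-S204), then forecast the next
period. Assumptions: the stationarity check is a constructed two-half-means
heuristic (the patent names no test), moving-average terms q are omitted, and
records carry a constructed integer 'period' field.
"""
import math

def attack_counts_per_period(records, periods):
    """Attack frequency series: number of records recorded in each period."""
    counts = [0.0] * periods
    for r in records:
        counts[r["period"]] += 1.0
    return counts

def is_stationary(series):
    """Constructed heuristic: the two halves' means differ by at most one sd."""
    n = len(series)
    if n < 4:
        return True
    mu = sum(series) / n
    sd = math.sqrt(sum((x - mu) ** 2 for x in series) / n)
    half = n // 2
    return abs(sum(series[:half]) / half - sum(series[half:]) / (n - half)) <= sd

def difference(series):
    return [b - a for a, b in zip(series, series[1:])]

def make_stationary(series, max_d=2):
    """S201: difference until stationary; returns (series, number of differences d)."""
    d = 0
    while d < max_d and not is_stationary(series):
        series, d = difference(series), d + 1
    return series, d

def solve(a, b):
    """Gaussian elimination with partial pivoting (for the normal equations)."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-300:
            raise ValueError("singular normal equations")
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x

def fit_ar(series, p, ridge=1e-8):
    """Least-squares AR(p) with intercept, x_t = c + sum_j phi_j x_{t-j}.
    Returns ([c, phi_1..phi_p], residual variance); the small ridge term keeps
    the normal equations solvable on constant series."""
    rows = [[1.0] + [series[t - j] for j in range(1, p + 1)] for t in range(p, len(series))]
    y, k = series[p:], p + 1
    ata = [[sum(r[i] * r[j] for r in rows) + (ridge if i == j else 0.0)
            for j in range(k)] for i in range(k)]
    atb = [sum(r[i] * yt for r, yt in zip(rows, y)) for i in range(k)]
    coefs = solve(ata, atb)
    resid = [yt - sum(c * v for c, v in zip(coefs, r)) for r, yt in zip(rows, y)]
    return coefs, max(sum(e * e for e in resid) / len(y), 1e-9)

def select_order(series, p_max=3):
    """S202-S204: score candidate orders by AIC and BIC, keep the lowest BIC."""
    best = None
    for p in range(p_max + 1):
        n = len(series) - p
        if n <= p + 1:
            break
        coefs, sigma2 = fit_ar(series, p)
        aic = n * math.log(sigma2) + 2 * (p + 1)
        bic = n * math.log(sigma2) + (p + 1) * math.log(n)
        if best is None or bic < best["bic"]:
            best = {"p": p, "coefs": coefs, "aic": aic, "bic": bic}
    return best

def predict_next_attack_count(records, periods):
    """S105: forecast the attack frequency of the period after the last one."""
    counts = attack_counts_per_period(records, periods)
    stat, d = make_stationary(counts)
    model = select_order(stat)
    coefs = model["coefs"]
    nxt = coefs[0] + sum(c * stat[-j] for j, c in enumerate(coefs[1:], start=1))
    level = counts
    for _ in range(d):                 # undo the d differences: add back the last levels
        nxt += level[-1]
        level = difference(level)
    return {"d": d, "p": model["p"], "forecast": max(nxt, 0.0), "aic": model["aic"], "bic": model["bic"]}

def build_sample_records():
    # constructed: similar attack records whose count grows by two each period
    return [{"period": t} for t in range(8) for _ in range(2 * (t + 1))]
```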
In a possible embodiment, the acquired attack requests and the predicted attack behavior can be displayed visually in the form of a web page, so that research and development personnel can conveniently grasp the situation of the nuclear power industrial control system and better maintain its security condition.
Based on the same application conception, the embodiment of the application also provides a honeypot defense device for the nuclear power control system, which corresponds to the honeypot defense method for the nuclear power control system provided by the embodiment, and because the principle of solving the problem of the device in the embodiment of the application is similar to that of the honeypot defense method for the nuclear power control system of the embodiment of the application, the implementation of the device can be referred to the implementation of the method, and the repetition is omitted.
Referring to fig. 6, fig. 6 is a functional block diagram of a honeypot defense device for a nuclear power control system according to an embodiment of the present application. The honeypot defense device 10 for the nuclear power control system includes: an acquisition module 101, an extraction module 102, a classification module 103, an update module 104 and a prediction module 105.
An obtaining module 101, configured to obtain a target request of a request source for a nuclear power control system; an extracting module 102, configured to extract, according to the target request, a target feature vector capable of characterizing the target request; a classification module 103, configured to determine a classification index value of the extracted target feature vector; an updating module 104, configured to update the request database based on the target request if it is determined that the target request is an attack request according to the classification index value; and the prediction module 105 is used for determining the predicted attack behavior aiming at the nuclear power control system by using the updated request database.
The honeypot system is installed on a host of any one of the industrial control devices in the nuclear power industrial control system in a virtual machine mode, the acquisition module 101 and the extraction module 102 are arranged in the honeypot system, and the classification module 103, the updating module 104 and the prediction module 105 are arranged on another host of the nuclear power industrial control system.
Based on the same application concept, referring to fig. 7, a schematic structural diagram of an electronic device 20 according to an embodiment of the present application is provided, including: a processor 201, a memory 202 and a bus 203. The memory 202 stores machine-readable instructions executable by the processor 201; when the electronic device 20 is in operation, the processor 201 and the memory 202 communicate via the bus 203, and the instructions, when executed by the processor 201, perform the steps of the honeypot defense method for a nuclear power control system of any of the embodiments described above.
Based on the same application conception, the embodiment of the application also provides a computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and the computer program executes the steps of the honeypot defense method for the nuclear power control system provided by the embodiment when being run by a processor.
Specifically, the storage medium can be a general storage medium, such as a mobile disk, a hard disk, and the like, and when the computer program on the storage medium is run, the honeypot defense method for the nuclear power industrial control system can be executed, and the technical effect of actively defending against hacking is achieved by installing a honeypot on the nuclear power industrial control system to replace a real nuclear power industrial control system to interact with a request source.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described system and apparatus may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again. In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. The above-described apparatus embodiments are merely illustrative, for example, the division of units is merely a logical function division, and there may be other manners of division in actual implementation, and for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some communication interface, device or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes or substitutions are covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (8)

1. A honeypot defense method for a nuclear power control system, the honeypot defense method comprising:
acquiring a target request of a request source aiming at a nuclear power control system;
extracting a target feature vector capable of representing the target request according to the target request; the target feature vector includes at least one feature element;
normalizing each feature element in the target feature vector; determining a weight value corresponding to each characteristic element, wherein the weight value is obtained according to a pre-trained logistic regression classifier, and the logistic regression classifier is a classifier used for classifying the request; determining a classification index value according to each characteristic element after normalization processing and the corresponding weight value;
if the classification index value is larger than the classification preset threshold value, determining that the target request is an attack request, and updating a request database based on the target request;
Determining a predicted attack behavior aiming at the nuclear power control system by utilizing the updated request database;
wherein, the step of determining the predicted attack behavior for the nuclear power control system by using the updated request database comprises:
extracting data records with similarity values of the target data records corresponding to the target requests larger than a similarity threshold value from a request database;
and inputting the target data record and the extracted data record into a time sequence model to obtain the predicted attack behavior aiming at the nuclear power industrial control system.
2. The honeypot defense method for nuclear power control systems of claim 1 wherein the step of extracting target feature vectors capable of characterizing the target request from the target request comprises:
extracting all characteristic elements for describing the target request from the target request to form a matrix;
determining eigenvectors and eigenvalues of the matrix;
sorting all the characteristic values in a descending order, and selecting a preset number of characteristic values according to the determined accumulated contribution rate of the characteristic values, wherein the accumulated contribution rate of the preset number of characteristic values is larger than or equal to a characteristic contribution threshold value;
And forming the target feature vector by the feature vector corresponding to the selected feature value.
3. The honeypot defense method for nuclear power control systems of claim 1 wherein predicting the attack on the nuclear power control systems using the updated request database comprises:
inputting a plurality of data records in the updated request database into a time sequence model to obtain a predicted attack behavior for the nuclear power industrial control system, wherein the predicted attack behavior comprises at least one of the following: and predicting the attack type and attack frequency of the attack.
4. A honeypot defense method for a nuclear power control system as recited in claim 1 or 3 wherein the request database includes a plurality of data records, each data record corresponding to a request,
wherein updating the request database based on the target request comprises:
determining similarity values of the target data records corresponding to the target request and the data records in the request database;
if the similarity value of the target data record and each data record in the request database is not greater than the similarity threshold value, adding the target request and the corresponding target data record into the request database;
And if the data record with the similarity value larger than the similarity threshold value exists in the request database, updating the matched data record based on the target data record, wherein the matched data record is the data record with the largest similarity value in the data records with the similarity value larger than the similarity threshold value.
5. The honeypot defense method for nuclear power control systems of claim 1, further comprising:
if the target request is determined to be an attack request according to the classification index value, determining a prearranged target vulnerability triggered by the attack request, and outputting description information of the target vulnerability to defend against the target vulnerability;
and/or, the honeypot defense method further comprises:
if the target request is determined to be an attack request according to the classification index value, determining the service requested by the attack request,
and generating a simulation response corresponding to the service and sending the simulation response to the request source.
6. The honeypot defense method for nuclear power control systems of claim 1 further comprising:
And if the target request is determined to be a normal request according to the classification index value, the target request is sent to a request object indicated by the target request, so that a service response corresponding to the target request is generated by the request object and is sent to a request source.
7. A honeypot defense method for nuclear power control systems as recited in claim 3 wherein the time series model is constructed by:
extracting data records similar to the target request from a request database, forming a data set with the target request, and performing stability test on the data set so as to obtain difference times;
determining an autoregressive term number and a moving average term number of the data set;
constructing a plurality of candidate time sequence models according to the difference times, the autoregressive term number and the moving average term number;
and selecting, from the plurality of candidate time sequence models and according to the Akaike information criterion and the Bayesian information criterion, a candidate time sequence model with optimal autoregressive terms and moving average terms, and determining the candidate time sequence model as the time sequence model.
8. A honeypot defense device for a nuclear power control system, the honeypot defense device comprising:
The acquisition module is used for acquiring a target request of a request source aiming at the nuclear power control system;
the extraction module is used for extracting a target feature vector capable of representing the target request according to the target request; the target feature vector includes at least one feature element;
the classification module is used for carrying out normalization processing on each characteristic element in the target characteristic vector; determining a weight value corresponding to each characteristic element, wherein the weight value is obtained according to a pre-trained logistic regression classifier, and the logistic regression classifier is a classifier used for classifying the request; determining a classification index value according to each characteristic element after normalization processing and the corresponding weight value;
the updating module is used for updating a request database based on the target request if the classification index value is larger than a classification preset threshold value and the target request is determined to be an attack request;
the prediction module is used for determining the predicted attack behavior aiming at the nuclear power control system by utilizing the updated request database;
the prediction module is specifically configured to:
extracting data records with similarity values of the target data records corresponding to the target requests larger than a similarity threshold value from a request database;
And inputting the target data record and the extracted data record into a time sequence model to obtain the predicted attack behavior aiming at the nuclear power industrial control system.
CN202110896609.1A 2021-08-05 2021-08-05 Honeypot defense method and device for nuclear power control system Active CN113572785B (en)

Publications (2)

Publication Number Publication Date
CN113572785A CN113572785A (en) 2021-10-29
CN113572785B true CN113572785B (en) 2023-05-30

Family

ID=78170518

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110896609.1A Active CN113572785B (en) 2021-08-05 2021-08-05 Honeypot defense method and device for nuclear power control system

Country Status (1)

Country Link
CN (1) CN113572785B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9825989B1 (en) * 2015-09-30 2017-11-21 Fireeye, Inc. Cyber attack early warning system
CN108230104A (en) * 2017-12-29 2018-06-29 努比亚技术有限公司 Using category feature generation method, mobile terminal and readable storage medium storing program for executing

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10284570B2 (en) * 2013-07-24 2019-05-07 Wells Fargo Bank, National Association System and method to detect threats to computer based devices and systems
CN107294795A (en) * 2017-08-02 2017-10-24 上海上讯信息技术股份有限公司 A kind of network security situation prediction method and equipment
CN109474625A (en) * 2018-12-25 2019-03-15 北京知道创宇信息技术有限公司 Network safety protection method, device and embedded system
CN110825068A (en) * 2019-09-29 2020-02-21 惠州蓄能发电有限公司 Industrial control system anomaly detection method based on PCA-CNN
CN111818052B (en) * 2020-07-09 2022-07-08 国网山西省电力公司信息通信分公司 CNN-LSTM-based industrial control protocol homologous attack detection method
CN112134854A (en) * 2020-09-02 2020-12-25 北京华赛在线科技有限公司 Method, device, equipment, storage medium and system for defending attack
CN112801233B (en) * 2021-04-07 2021-07-23 杭州海康威视数字技术股份有限公司 Internet of things equipment honeypot system attack classification method, device and equipment

Also Published As

Publication number Publication date
CN113572785A (en) 2021-10-29

Similar Documents

Publication Publication Date Title
Mendonça et al. Intrusion detection system based on fast hierarchical deep convolutional neural network
KR102480204B1 (en) Continuous learning for intrusion detection
CN111914256B (en) Defense method for machine learning training data under toxic attack
Xie et al. Evaluating host-based anomaly detection systems: A preliminary analysis of adfa-ld
Aborujilah et al. Cloud-based DDoS HTTP attack detection using covariance matrix approach
CN103782303A (en) System and method for non-signature based detection of malicious processes
Ghosh et al. Proposed GA-BFSS and logistic regression based intrusion detection system
Khan et al. An evolutionary multi-hidden Markov model for intelligent threat sensing in industrial internet of things
Sarwar et al. Design of an advance intrusion detection system for IoT networks
Mustapha et al. Detecting DDoS attacks using adversarial neural network
Beaver et al. A learning system for discriminating variants of malicious network traffic
Neethu Adaptive intrusion detection using machine learning
Oreški et al. Genetic algorithm and artificial neural network for network forensic analytics
Harbola et al. Improved intrusion detection in DDoS applying feature selection using rank & score of attributes in KDD-99 data set
CN112287345B (en) Trusted edge computing system based on intelligent risk detection
Škrjanc et al. Evolving cauchy possibilistic clustering and its application to large-scale cyberattack monitoring
CN113572785B (en) Honeypot defense method and device for nuclear power control system
Kumbhar et al. Advance model for ransomware attacking data classification and prediction using ai
Thanthrige Hidden markov model based intrusion alert prediction
Flores et al. Network anomaly detection by continuous hidden markov models: An evolutionary programming approach
CN112948578A (en) DGA domain name open set classification method, device, electronic equipment and medium
Burney et al. Feature deduction and ensemble design of parallel neural networks for intrusion detection system
Carlsson et al. User and Entity Behavior Anomaly Detection using Network Traffic
Trad et al. Assessing the effectiveness of siamese neural networks to mitigate frequent retraining in IoT device identification models
US20230275908A1 (en) Thumbprinting security incidents via graph embeddings

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant