CN113810365B - Method and system for establishing automobile information security attack tree model - Google Patents

Method and system for establishing automobile information security attack tree model

Info

Publication number: CN113810365B (granted patent); earlier publication CN113810365A
Application number: CN202110876045.5A
Authority: CN (China)
Legal status: Active
Original and current assignee: CATARC Tianjin Automotive Engineering Research Institute Co Ltd
Inventors: 郝晶晶, 秦跃, 潘俊家, 刘全周, 韩光省, 唐风敏, 戎辉, 王子龙
Other languages: Chinese (zh)
Prior art keywords: attack tree, attack, entering, next step, unit

Classifications

    • H04L63/1433 Vulnerability analysis (H04L63/14: network architectures or protocols for detecting or protecting against malicious traffic)
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L63/1416 Event detection, e.g. attack signature detection (H04L63/1408: network security by monitoring network traffic)
    • H04L63/20 Network architectures or protocols for managing network security; network security policies in general
    • Y02T10/40 Engine management systems (Y02T10/10: internal combustion engine based road vehicles; climate change mitigation technologies related to transportation)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a method and a system for establishing an automobile information security attack tree model, comprising the following steps: S1, establishing an automobile information security attack tree model system; S2, predicting the behavior of an attacker and the likelihood of an attack through three hypothesis conditions; S3, confirming the target and establishing the attack tree root node through three element conditions; S4, determining the attack tree shape according to three principle conditions; S5, performing an overall check through an attack tree model checking and clipping unit, and evaluating the reasonableness of the leaf nodes according to each attack scenario; and S6, verifying the model through a Monte Carlo verification unit. The method and system give automobile information security engineers a systematic and understandable way to organize information and support the reliability of their conclusions, and in particular give non-experts a basis for approving or rejecting the recommendations of a risk analysis.

Description

Method and system for establishing automobile information security attack tree model
Technical Field
The invention belongs to the field of automobile information security, and particularly relates to a method and a system for establishing an automobile information security attack tree model.
Background
With the development and application of technologies such as the mobile internet, big data, artificial intelligence and cloud computing, the ways in which an automobile can be attacked by hackers have increased greatly: every connection path between sensing, control and computing units may be exploited by hackers because of vulnerabilities, allowing the automobile to be attacked and controlled. The attack surface of the automobile is huge, but the question of how to systematically identify the information security attacks an intelligent connected vehicle may face has not been resolved. With the continual improvement of hackers' techniques and the easy availability of automated attack tools, network attacks are more frequent and more complex, and the corresponding prevention and maintenance work is more demanding. An appropriate analysis model is therefore required to simulate network attack behavior, so as to assess the security of the system and guide its routine maintenance and proactive protection.
An attack tree is a graphical tree-structured model that describes the ways in which a system may be compromised. As a network intrusion modeling tool, the attack tree can reasonably evaluate and manage attack risks and scientifically predict attacker behavior, giving engineers an effective security solution and a basis for preventive risk-mitigation decisions.
However, existing research generally lacks systematicness and completeness when analyzing with attack trees, so the attack tree is difficult to use effectively. The prior art uses the attack tree to calculate the probability of a security event occurring, and does not address how to systematically establish an automobile information security attack tree model.
Disclosure of Invention
In view of this, the present invention aims to provide a method and a system for building an automobile information security attack tree model, which supply the theoretical basis and the steps for building an attack tree together with an attack tree modeling system, so as to address the lack of standardization, correlation, traceability and simplicity in building attack trees.
In order to achieve the purpose, the technical scheme of the invention is realized as follows:
A method for establishing an automobile information security attack tree model comprises the following steps:
S1, establishing an automobile information security attack tree model system;
S2, predicting the behavior of an attacker and the likelihood of an attack through three hypothesis conditions;
S3, confirming the target and establishing the attack tree root node through three element conditions;
S4, determining the attack tree shape, through the attack tree shape determining unit, according to three principle conditions;
S5, performing an overall check through the attack tree model checking and clipping unit, and evaluating the reasonableness of the leaf nodes according to each attack scenario;
and S6, verifying the model through a Monte Carlo verification unit.
Further, the system for establishing the automobile information security attack tree model in step S1 comprises an attack tree model initial condition checking unit, an attack tree root node generating unit, an attack tree shape determining unit, an attack tree model checking and clipping unit and a Monte Carlo verification unit. The initial condition checking unit is signal-connected in sequence to the root node generating unit, the shape determining unit, the checking and clipping unit and the Monte Carlo verification unit, and all five units are located in the host computer.
Further, the attack tree model initial condition checking unit performs the following steps:
A1, an input signal is transmitted to the starting module, which passes it to the next step;
A2, verifying whether the input signal satisfies the initial conditions for establishing an attack tree; if so, proceeding to the next step, otherwise switching to the next input signal and re-entering step A1;
A3, judging whether the input signal satisfies the three hypothesis conditions; if so, proceeding to the next step, otherwise entering the ending module directly;
and A4, after receiving the input signal from step A3, the establishing module establishes the attack tree, enters the ending module after processing, and transmits the processed data to the attack tree root node generating unit.
Further, the attack tree root node generating unit performs the following steps:
B1, the starting module receives the processed data from step A4 and transmits it to the next step;
B2, after the receiving module receives the processed data, the attack tree root node is established by confirming the target and is transmitted to the next step;
B3, after receiving the attack tree root node, the judging module judges whether it satisfies the three element conditions; if so, proceeding to the next step, otherwise entering the ending module directly;
and B4, after receiving the attack tree root node from step B3, the establishing module establishes the root node from the attacker's perspective, enters the ending module after processing, and transmits the processed data to the attack tree shape determining unit.
Further, the attack tree shape determining unit performs the following steps:
C1, the starting module receives the processed data from step B4, determines the root node at the top of the attack tree, and transmits it to the next step;
C2, after receiving the root node, the determining module expands the root of the attack tree by branching, logically decomposes it according to each option available to the attacker, determines the shape of the tree and its leaves from the attack scenarios, and transmits the result to the next step;
C3, after receiving the result, the judging module judges whether the attack tree shape satisfies the three principles; if so, proceeding to the next step, otherwise entering the ending module directly;
and C4, after receiving the attack tree shape, the receiving unit fixes the attack tree shape, enters the ending module, and transmits the attack tree shape to the attack tree model checking and clipping unit.
Further, the attack tree model checking and clipping unit performs the following steps:
D1, the starting module receives the attack tree shape from step C4 and transmits it to the next step;
D2, after receiving the attack tree shape, the evaluation module evaluates the reasonableness of each leaf node of the attack tree and transmits the evaluation result to the next step;
D3, after receiving the evaluation result, the checking module checks the correctness of the attack tree model as a whole and transmits the checking result to the next step;
and D4, after receiving the checking result, the clipping unit clips the unachievable leaf nodes, retains the achievable leaf nodes, enters the ending module, and transmits the achievable leaf nodes to the Monte Carlo verification unit.
Further, the Monte Carlo verification unit performs the following steps:
E1, the starting module receives the leaf nodes from step D4 and transmits them to the next step;
E2, after receiving the leaf nodes, the attack module simulates attacks on the leaf nodes using the Monte Carlo method to obtain the attack tree model, and transmits it to the next step;
and E3, after receiving the attack tree model, the verification module verifies it by analyzing whether the model's shape is correct and investigating the factors that influence the model, and enters the ending module.
Further, the three hypothesis conditions in step S2 are checked by the following steps:
S21, judging whether the hypothesis that the defender's system contains a vulnerability holds; if so, entering the next step, otherwise re-entering step S21;
S22, judging whether the hypothesis that a threat actor would benefit from carrying out the attack holds; if so, entering the next step, otherwise re-entering step S21;
and S23, judging whether the hypothesis that the threat actor has sufficient available resources to exploit the defender's vulnerability holds; if so, entering the next step, otherwise re-entering step S21.
Further, the three element conditions in step S3 are checked by the following steps:
S31, judging whether the element condition of attack motivation is satisfied; if so, entering the next step, otherwise re-entering step S31;
S32, judging whether the element condition that the attacker possesses all the capabilities necessary to act is satisfied; if so, entering the next step, otherwise re-entering step S31;
and S33, judging whether the element condition of the implementation method is satisfied; if so, entering the next step, otherwise re-entering step S31.
Further, the three principle conditions in step S4 are checked by the following steps:
S41, judging whether the minimum node principle is satisfied; if so, entering the next step, otherwise re-entering step S41;
S42, judging whether the left-to-right ordering principle for AND nodes is satisfied; if so, entering the next step, otherwise re-entering step S41;
and S43, judging whether the principle concerning the resources required by the attacker is satisfied; if so, entering the next step, otherwise re-entering step S41.
Compared with the prior art, the method and system for establishing an automobile information security attack tree model have the following advantages:
(1) They give automobile information security engineers a systematic and understandable way to organize information and an effective means of supporting the reliability of their conclusions, and in particular give non-experts a basis for approving or rejecting the recommendations of a risk analysis.
(2) Verifying the model with the Monte Carlo method makes it possible to analyze low-probability events that are not statistically representative, and to produce convincing evidence from the attack tree model that a deployed strategy can prevent extremely destructive outcomes.
(3) The system can describe and predict how, where and by whom an attack is likely to be launched. By taking the impact of the attack on the defender into account in the analysis, the priority of proactive defensive measures is determined and the organization's internal resources are used efficiently.
(4) The system is dynamic: it includes a checking and clipping module and a verification module so that it can adapt when the protected system changes, and the resulting attack tree model makes it easy to see which architectural change is most effective.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, serve to explain the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic overall flow chart of the method and system for establishing an automobile information security attack tree model according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of the attack tree model initial condition checking unit of the system according to an embodiment of the present invention;
FIG. 3 is a schematic flow chart of the attack tree root node generating unit of the system according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of the attack tree shape determining unit of the system according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of the attack tree model checking and clipping unit of the system according to an embodiment of the present invention;
FIG. 6 is a schematic flow chart of the Monte Carlo verification unit of the system according to an embodiment of the present invention.
Detailed Description
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
In the description of the present invention, it is to be understood that the terms "center", "longitudinal", "lateral", "up", "down", "front", "back", "left", "right", "vertical", "horizontal", "top", "bottom", "inner", "outer", and the like, indicate orientations or positional relationships based on those shown in the drawings, and are used only for convenience in describing the present invention and for simplicity in description, and do not indicate or imply that the referenced devices or elements must have a particular orientation, be constructed and operated in a particular orientation, and thus, are not to be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or to implicitly indicate a number of the indicated technical features. Thus, a feature defined as "first," "second," etc. may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless otherwise specified.
In the description of the present invention, it should be noted that, unless otherwise explicitly specified or limited, the terms "mounted" and "connected" are to be construed broadly, e.g., as a fixed connection, a removable connection or an integral connection; a mechanical or electrical connection; a direct connection or an indirect connection through an intervening medium; or an internal communication between two elements. The specific meaning of these terms in the present invention can be understood by those of ordinary skill in the art according to the specific situation.
The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
As shown in FIGS. 1 to 6, a method for establishing an automobile information security attack tree model comprises the following steps:
S1, establishing an automobile information security attack tree model system. When the attack tree model for automobile information security is established, the attack tree model initial condition checking unit first predicts the behavior of the attacker and the likelihood of an attack. The attack tree root node generating unit confirms the target and establishes the attack tree root node; the target differs according to the type of system analyzed and according to the attacker's purpose. The attack tree shape determining unit sorts out the attack scenarios and determines the shape of the tree: after the root node at the top of the attack tree is established, the root branches downward and the model is expanded through further bifurcation. After the model is established, the attack tree model checking and clipping unit performs an overall check to verify its correctness, and at the same time evaluates the reasonableness of the leaf nodes according to each attack scenario and the resources it requires. Finally, the model is verified by the Monte Carlo verification unit.
S2, predicting the behavior of an attacker and the likelihood of an attack through three hypothesis conditions;
S3, confirming the target and establishing the attack tree root node through three element conditions;
S4, determining the attack tree shape according to three principle conditions. The automobile information security attack tree is a simplified model of complex real-world risk factors, and how accurately potential adversaries are understood depends on many factors, including the time and effort spent studying them. The attack tree analysis contains information about the specific defender's adversaries and the benefit they would gain from attacking that defender;
S5, performing an overall check through the attack tree model checking and clipping unit, and evaluating the reasonableness of the leaf nodes according to each attack scenario;
and S6, verifying the model through the Monte Carlo verification unit.
A system for establishing an automobile information security attack tree model, used in step S1, comprises the attack tree model initial condition checking unit, the attack tree root node generating unit, the attack tree shape determining unit, the attack tree model checking and clipping unit and the Monte Carlo verification unit. The initial condition checking unit is signal-connected in sequence to the root node generating unit, the shape determining unit, the checking and clipping unit and the Monte Carlo verification unit, and all five units are located in the host computer. The system analyzes the risk assessment strategy from the attacker's perspective, so as to reflect the attacker's characteristics and then, from the defender's point of view, understand the interaction between the system to be protected and the attacker. The steps and methods for constructing the automobile information security attack tree model are designed to capture all the different ways in which the system may be attacked, so that countermeasures to thwart those attacks can be designed afterwards.
The attack tree model initial condition checking unit performs the following steps:
A1, an input signal is transmitted to the starting module, which passes it to the next step;
A2, verifying whether the input signal satisfies the initial conditions for establishing an attack tree; if so, proceeding to the next step, otherwise switching to the next input signal and re-entering step A1;
A3, judging whether the input signal satisfies the three hypothesis conditions; if so, proceeding to the next step, otherwise entering the ending module directly;
and A4, after receiving the input signal from step A3, the establishing module establishes the attack tree, enters the ending module after processing, and transmits the processed data to the attack tree root node generating unit.
The automobile information security attack tree is a simplified model of complex real-world risk factors; the analysis contains information about the specific defender's adversaries and the benefit they would gain from attacking that defender. Any model, the attack tree included, breaks down when used beyond its limits. In most cases assumptions must be made on the best available information, and the accuracy of the analysis is limited by the correctness of those assumptions. The conclusions of an attack tree risk assessment should therefore be subjected to a reality check and compared with the results of other methods. The attack tree model initial condition checking unit tests three conditions in order to predict the behavior of an attacker and the likelihood of an attack:
a. the defender's system must contain a vulnerability;
b. a threat actor would benefit from carrying out an attack;
c. the threat actor must have sufficient available resources to exploit the defender's vulnerability.
The attack tree root node generating unit performs the following steps:
B1, the starting module receives the processed data from step A4 and transmits it to the next step;
B2, after the receiving module receives the processed data, the attack tree root node is established by confirming the target and is transmitted to the next step;
B3, after receiving the attack tree root node, the judging module judges whether it satisfies the three element conditions; if so, proceeding to the next step, otherwise entering the ending module directly;
and B4, after receiving the attack tree root node from step B3, the establishing module establishes the root node from the attacker's perspective, enters the ending module after processing, and transmits the processed data to the attack tree shape determining unit.
The attack tree root node represents the attacker's overall goal, which is generally also the outcome the defender wishes to prevent. Determining the root node correctly is important for keeping the attack tree model as simple as possible. The goal varies with the type of system analyzed and with the attacker's purpose. If someone has an incentive to act hostilely and has all the necessary capabilities, an attack can reasonably be expected; but a successful attack needs more than an incentive. An attacker must possess a range of resources, including money, time, technical capability and tolerance of the consequences the attack may bring. Three factors are considered from the attacker's perspective when confirming the target and establishing the attack tree root node:
a. first, a successful attack requires attack motivation, which refines the initial-condition check that a threat actor would benefit from carrying out the attack;
b. second, the attacker must have all the necessary capabilities, such as money and skills, when taking action;
c. finally, what the attacker wants to achieve and the method of achieving it are considered.
The attack tree shape determining unit performs the following steps:
C1, the starting module receives the processed data from step B4, determines the root node at the top of the attack tree, and transmits it to the next step;
C2, after receiving the root node, the determining module expands the root of the attack tree by branching, logically decomposes it according to each option available to the attacker, determines the shape of the tree and its leaves from the attack scenarios, and transmits the result to the next step;
C3, after receiving the result, the judging module judges whether the attack tree shape satisfies the three principles; if so, proceeding to the next step, otherwise entering the ending module directly;
and C4, after receiving the attack tree shape, the receiving unit fixes the attack tree shape, enters the ending module, and transmits the attack tree shape to the attack tree model checking and clipping unit.
The attack tree shape determining unit determines the shape of the tree by sorting out the attack scenarios. Attackers typically have many different ways of achieving a high-level goal, and the attack tree shows a logical breakdown of the options available to an adversary. The lowest level of the tree, the leaf nodes, describes the actions a potential adversary takes against specific weaknesses in the system's defenses. By carrying out the attacks corresponding to one or more leaf-level events, the attacker achieves the root-level goal. Each minimal combination of leaf-level events that satisfies the tree's AND/OR logic is called an attack scenario; it is minimal because if any leaf event were omitted the root goal could not be achieved. The shape of the tree and its leaves is determined by the attack scenarios. The following three principles must be followed in determining the attack tree shape:
a. each goal is represented by a separate node, and breaking tasks and goals into smaller components can continue to any desired level; but since higher-level events could be decomposed into smaller, more precisely defined events almost indefinitely, a minimum leaf node must be defined when the automobile information security attack tree model is established, namely a task described precisely enough that a person skilled in the art could carry it out without decomposing it further;
b. a parent node is called an AND node if all the subtasks under it must be accomplished to achieve its goal. When the tree shape is determined, the children of an AND node are arranged from left to right in the order in which they must be carried out, to reflect that every child must be achieved;
c. the leaf nodes represent all direct interactions between the attacker and the defender's system; the resources the attacker needs, chiefly technical capability, time and economic cost, are also considered when the leaf nodes are defined.
The attack tree model checking and clipping unit performs the following steps:
D1, the starting module receives the attack tree shape from step C4 and transmits it to the next step;
D2, after receiving the attack tree shape, the evaluation module evaluates the reasonableness of each leaf node of the attack tree and transmits the evaluation result to the next step;
D3, after receiving the evaluation result, the checking module checks the correctness of the attack tree model as a whole and transmits the checking result to the next step;
D4, after receiving the checking result, the clipping unit clips the unachievable leaf nodes, retains the achievable leaf nodes, enters the ending module, and transmits the achievable leaf nodes to the Monte Carlo verification unit.
The attack tree model checking and clipping unit performs an overall check of the model after the automobile information security attack tree model has been built, in order to verify the correctness of the model. At the same time, the reasonableness of the leaf nodes is evaluated according to each attack scenario and the resources that scenario requires; scenarios whose resource requirements exceed the attacker's capability can safely be eliminated from consideration, because they cannot be realized. Clipping gives defenders a quick estimate of the size of their security problem by eliminating the attack scenarios that exceed the capabilities of a particular attacker. Clipping should not treat each of the attacker's resources in isolation; it should consider the combined cost of all resources required for one attack and the extent to which the attacker is willing to spend that amount of resources to meet its attack objectives. The remaining attack scenarios are feasible.
The Monte Carlo verification unit performs the following steps:
E1, the starting module receives the leaf nodes from step D4 and transmits them to the next step;
E2, after receiving the leaf nodes, the attack module simulates attacks on the leaf nodes using the Monte Carlo method to obtain the attack tree model, and transmits the attack tree model to the next step;
E3, after receiving the attack tree model, the verification module verifies the attack tree model by analyzing whether the shape of the model is correct and investigating the factors that influence the model, and then enters the ending module.
The Monte Carlo verification unit verifies the model using the Monte Carlo method: an attack tree model can describe all possible attack modes against one attack target, but not all of these situations can occur and be verified one by one in practice, so the established attack tree model is verified through a large number of random samples using Monte Carlo analysis. A form of Monte Carlo analysis can also be used to investigate which child nodes become active in a given trial and which child node's attack scenario is most likely to occur first.
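To make the scenario, clipping and sampling steps above concrete, here is an added example in Python (not code from the patent or its applicant): it enumerates the minimal attack scenarios of a small AND/OR tree, clips those whose combined skill, time and money exceed an assumed attacker profile (the combined-cost rule of the checking and clipping unit), and runs a seeded Monte Carlo over the remaining scenarios to estimate how often the root goal is reached and which scenario tends to complete first. The tree, the leaf labels L1 to L5, the resource figures and the attacker profile are all constructed for the example.

```python
"""Attack tree helpers: enumerate attack scenarios, clip them by attacker
resources, then Monte Carlo-check the clipped tree. Constructed example."""
from dataclasses import dataclass, field
from itertools import product
import random

@dataclass
class Node:
    name: str
    gate: str = "LEAF"          # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    # leaf-only: resources per step (skill, time, money) + success probability
    skill: int = 0
    hours: float = 0.0
    cost: float = 0.0
    p_success: float = 0.0

def leaves_of(node):
    """Map leaf name -> leaf node for the whole subtree."""
    if node.gate == "LEAF":
        return {node.name: node}
    out = {}
    for c in node.children:
        out.update(leaves_of(c))
    return out

def scenarios(node):
    """Minimal sets of leaf events that realise `node` (attack scenarios).
    AND: one scenario from every child, unioned; OR: any child's scenario.
    A candidate properly containing another candidate is not minimal."""
    if node.gate == "LEAF":
        return {frozenset([node.name])}
    child_sets = [scenarios(c) for c in node.children]
    if node.gate == "AND":
        cands = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        cands = {s for cs in child_sets for s in cs}
    return {s for s in cands if not any(o < s for o in cands)}

def scenario_demand(scenario, leaves):
    """Combined resources of one scenario: skill is the hardest step,
    time and money add up over all steps (the combined cost in the text)."""
    return (max(leaves[n].skill for n in scenario),
            sum(leaves[n].hours for n in scenario),
            sum(leaves[n].cost for n in scenario))

def prune(root, attacker):
    """Keep only scenarios within the attacker's skill, time and budget."""
    leaves = leaves_of(root)
    kept = set()
    for s in scenarios(root):
        skill, hours, cost = scenario_demand(s, leaves)
        if (skill <= attacker["skill"] and hours <= attacker["hours"]
                and cost <= attacker["budget"]):
            kept.add(s)
    return kept

def monte_carlo(root, attacker, trials=20000, seed=1):
    """Each trial draws every leaf independently; a scenario occurs when all
    its leaves succeed. Returns the estimated probability the root goal is
    reached and how often each scenario is the first to complete (fewest hours)."""
    rng = random.Random(seed)
    leaves = leaves_of(root)
    feasible = prune(root, attacker)
    hits, first = 0, {s: 0 for s in feasible}
    for _ in range(trials):
        ok = {n: rng.random() < leaf.p_success for n, leaf in leaves.items()}
        occurred = [s for s in feasible if all(ok[n] for n in s)]
        if occurred:
            hits += 1
            first[min(occurred, key=lambda s: scenario_demand(s, leaves)[1])] += 1
    return {"p_goal": hits / trials,
            "first": {tuple(sorted(s)): c / trials for s, c in first.items()}}

# Constructed tree: goal via AND-branch A (L1 and L2) or AND-branch B
# (L3 plus either L4 or L5). Leaf labels and all figures are invented.
L1 = Node("L1", skill=2, hours=4, cost=100, p_success=0.6)
L2 = Node("L2", skill=3, hours=8, cost=500, p_success=0.5)
L3 = Node("L3", skill=1, hours=2, cost=50, p_success=0.9)
L4 = Node("L4", skill=4, hours=40, cost=20000, p_success=0.3)
L5 = Node("L5", skill=2, hours=6, cost=800, p_success=0.4)
ROOT = Node("goal", "OR", [Node("A", "AND", [L1, L2]),
                           Node("B", "AND", [L3, Node("B2", "OR", [L4, L5])])])
ATTACKER = {"skill": 3, "hours": 20, "budget": 1000}   # assumed attacker profile
```

With these figures the scenario {L3, L4} is clipped because it needs skill 4, and the sampled probability of reaching the goal through the two remaining scenarios converges to 1 - (1 - 0.6·0.5)(1 - 0.9·0.4) = 0.552.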
The three assumption conditions in step S2 are checked in the following steps:
S21, judge whether the assumption that the defender's system contains a vulnerability holds; if so, enter the next step, and if not, re-enter step S21;
S22, judge whether the assumption that the threat actor can benefit from carrying out the attack holds; if so, enter the next step, and if not, re-enter step S21;
S23, judge whether the assumption that the threat actor has sufficient available resources to exploit the defender's vulnerability holds; if so, enter the next step, and if not, re-enter step S21.
Attack tree model initial condition checking unit: all models, attack trees included, fail to produce the desired effect if they are used beyond their limits. Proper attack analysis requires that these three conditions be examined first in order to predict the behavior of the attacker and the likelihood of an attack occurring, and on that basis to build the attack tree model. When the attack tree model for automobile information security is established, an initial condition checking unit is therefore needed to verify whether the initial conditions for establishing the attack tree are met. The checking unit requires three assumptions to hold, namely: a. the defender's system must contain a vulnerability; b. the threat actor can benefit from carrying out the attack; c. the threat actor must have sufficient available resources to exploit the defender's vulnerability.
The three element conditions in step S3 are checked in the following steps:
S31, judge whether the element condition of an attack motivation is met; if so, enter the next step, and if not, re-enter step S31;
S32, judge whether the element condition that the attacker has all the necessary capabilities when taking action is met; if so, enter the next step, and if not, re-enter step S31;
S33, judge whether the element condition of an implementation method is met; if so, enter the next step, and if not, re-enter step S31.
The attack tree root node generating unit establishes the attack tree root node by confirming the target: as a tree-structured mathematical model, an attack tree must include a top-level root node. After the attack tree model has passed the initial condition checking unit, the root node of the automobile information security attack tree must be established; the root node represents the attacker's overall target. Determining the root node of the attack tree is important: if the target is chosen carefully, a system can usually be analyzed completely with a single attack tree. The target varies with the type of system being analyzed and with the purpose of the attacker. Furthermore, for the purposes of analysis, anyone who could benefit from a successful attack should be treated as a potential threat actor, and any group whose intentions are unknown may launch the attack.
Three factors can be considered from the attacker's perspective when confirming the target in order to establish the attack tree root node, namely: a. to launch a successful attack, an attack motivation is needed first, which is a further refinement of the initial-check condition that the threat actor benefits from carrying out the attack; b. secondly, the attacker has all the necessary capabilities, such as money and skills, when taking action; c. finally, we consider what the attacker wants to accomplish and the way it is accomplished.
The three principle conditions in step S4 are checked in the following steps:
S41, judge whether the principle condition of the minimum node principle is met; if so, enter the next step, and if not, re-enter step S41;
S42, judge whether the principle condition of the left-to-right principle for AND nodes is met; if so, enter the next step, and if not, re-enter step S41;
S43, judge whether the principle condition of the resources required by the attacker is met; if so, enter the next step, and if not, re-enter step S41.
Determining the shape of the tree by combing through the attack scenarios: after the root node at the top of the attack tree has been established, the root of the attack tree model branches downward, expanding through forks into more and more branches. The attack tree shows a logical breakdown of the various options available to an adversary. By carrying out an attack made up of one or more leaf-level events, an attacker can achieve the root-level goal. Each minimal combination of leaf-level events is referred to as an attack scenario. These events are selected so that they satisfy the tree's AND/OR logic. The combination is minimal because, if any leaf event is left out of the attack scenario, the underlying goal cannot be achieved. The shapes of the tree and its leaves are determined by the attack scenarios.
The automobile information security attack tree model building method and system provided by this patent define three principles in the module and step for determining the shape of the tree:
a. each objective is represented by a separate node, and tasks and objectives can be broken into smaller components to any desired level. However, breaking higher-level events into smaller, more precisely defined events could continue almost indefinitely. This patent therefore defines a minimum leaf node, i.e. the description of the task is precise enough that a person skilled in the art can carry out the activity without decomposing it any further;
b. a parent node is called an AND node if all of the subtasks under it must be accomplished to achieve its goal. When the shape of the tree is determined, the child nodes are arranged step by step in order from left to right so as to reflect the realization of all AND nodes;
c. the leaf nodes represent all direct interactions between the attacker and the defender's system, and the resources the attacker requires are also considered for each leaf node, mainly technical capability, time and economic cost.
The attack tree model checking and clipping unit in step S5: after the automobile information security attack tree model has been established, an overall check is needed to verify the correctness of the model. At the same time, the reasonableness of the leaf nodes is evaluated according to each attack scenario and the resources that scenario requires; scenarios whose resource requirements exceed the attacker's capability can safely be eliminated from consideration, because they cannot be realized. Clipping gives defenders a quick estimate of the size of their security problem by eliminating the attack scenarios that exceed the capabilities of a particular attacker. Clipping should not treat each of the attacker's resources in isolation; it should consider the combined cost of all resources required for one attack and the extent to which the attacker is willing to spend that amount of resources to meet its attack objectives.
The Monte Carlo verification unit in step S5: the model is verified using the Monte Carlo method. An attack tree model can describe all possible attack modes against an attack target, but not all of these situations can be generated and verified one by one in practice, so the established attack tree model is verified through a large number of random samples using Monte Carlo analysis. A form of Monte Carlo analysis can also be used to investigate which child nodes become active in a given trial and which child node's attack scenario is most likely to occur first.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (4)

1. A method for establishing an automobile information security attack tree model, characterized in that the method comprises the following steps:
S1, establishing an automobile information security attack tree model system;
S2, predicting the behavior of an attacker and the possibility of an attack occurring through three assumption condition principles;
S3, establishing an attack tree root node by confirming the target through three element conditions;
S4, determining the attack tree shape unit according to three principle conditions;
S5, carrying out an overall check through an attack tree model checking and clipping unit, and evaluating the reasonableness of the leaf nodes according to each attack scenario;
S6, verifying the model through a Monte Carlo verification unit;
the automobile information security attack tree model establishing system in step S1 comprises an attack tree model initial condition checking unit, an attack tree root node generating unit, an attack tree shape determining unit, an attack tree model checking and clipping unit and a Monte Carlo verification unit, wherein the attack tree model initial condition checking unit is signal-connected in sequence to the attack tree root node generating unit, the attack tree shape determining unit, the attack tree model checking and clipping unit and the Monte Carlo verification unit;
the attack tree model initial condition checking unit performs the following steps:
A1, an input signal is transmitted to the starting module, and the starting module transmits the input signal to the next step;
A2, verify whether the input signal has the initial conditions for establishing an attack tree; if so, carry out the next step, otherwise switch to the next input signal and re-enter step A1;
A3, judge whether the input signal meets the three assumption conditions; if so, carry out the next step, otherwise enter the ending module directly;
A4, after receiving the input signal of step A3, the establishing module establishes the attack tree, enters the ending module after processing, and transmits the processing data to the attack tree root node generating unit;
the attack tree root node generating unit performs the following steps:
B1, the starting module receives the processing data of step A4 and transmits it to the next step;
B2, after the receiving module receives the processing data, it establishes the attack tree root node by confirming the target and transmits the attack tree root node to the next step;
B3, after receiving the attack tree root node, the judging module judges whether the attack tree root node meets the three element conditions; if so, the next step is carried out, otherwise the judging module enters the ending module directly;
B4, after receiving the attack tree root node of step B3, the establishing module processes the attack tree root node from the attacker's perspective, enters the ending module after processing, and transmits the processing data to the attack tree shape determining unit;
the attack tree shape determining unit performs the following steps:
C1, the starting module receives the processing data of step B4, determines the root node at the top of the attack tree, and transmits it to the next step;
C2, after receiving the root node at the top of the attack tree, the determining module expands the root of the attack tree by branching, logically decomposes it according to each option available to the attacker, determines the shapes of the tree and the leaves through the attack scenarios, and transmits the determination result to the next step;
C3, after receiving the determination result, the judging module judges whether the shape of the attack tree satisfies the three principles; if so, the next step is carried out, otherwise the ending module is entered directly;
C4, after receiving the attack tree shape, the receiving unit determines the attack tree shape, enters the ending module, and transmits the attack tree shape to the attack tree model checking and clipping unit;
the attack tree model checking and clipping unit performs the following steps:
D1, the starting module receives the attack tree shape of step C4 and transmits it to the next step;
D2, after receiving the attack tree shape, the evaluation module evaluates the reasonableness of each leaf node of the attack tree and transmits the evaluation result to the next step;
D3, after receiving the evaluation result, the checking module checks the correctness of the attack tree model as a whole and transmits the checking result to the next step;
D4, after receiving the checking result, the clipping unit clips the unachievable leaf nodes, retains the achievable leaf nodes, enters the ending module, and transmits the achievable leaf nodes to the Monte Carlo verification unit;
the Monte Carlo verification unit performs the following steps:
E1, the starting module receives the leaf nodes of step D4 and transmits them to the next step;
E2, after receiving the leaf nodes, the attack module simulates attacks on the leaf nodes using the Monte Carlo method to obtain the attack tree model, and transmits the attack tree model to the next step;
E3, after receiving the attack tree model, the verification module verifies the attack tree model by analyzing whether the shape of the model is correct and investigating the factors that influence the model, and then enters the ending module.
2. The method for establishing the automobile information security attack tree model according to claim 1, characterized in that the three assumption conditions in step S2 are checked in the following steps:
S21, judge whether the assumption that the defender's system contains a vulnerability holds; if so, enter the next step, and if not, re-enter step S21;
S22, judge whether the assumption that the threat actor can benefit from carrying out the attack holds; if so, enter the next step, and if not, re-enter step S21;
S23, judge whether the assumption that the threat actor has sufficient available resources to exploit the defender's vulnerability holds; if so, enter the next step, and if not, re-enter step S21.
3. The method for establishing the automobile information security attack tree model according to claim 1, characterized in that the three element conditions in step S3 are checked in the following steps:
S31, judge whether the element condition of an attack motivation is met; if so, enter the next step, and if not, re-enter step S31;
S32, judge whether the element condition that the attacker has all the necessary capabilities when taking action is met; if so, enter the next step, and if not, re-enter step S31;
S33, judge whether the element condition of an implementation method is met; if so, enter the next step, and if not, re-enter step S31.
4. The method for establishing the automobile information security attack tree model according to claim 1, characterized in that the three principle conditions in step S4 are checked in the following steps:
S41, judge whether the principle condition of the minimum node principle is met; if so, enter the next step, and if not, re-enter step S41;
S42, judge whether the principle condition of the left-to-right principle for AND nodes is met; if so, enter the next step, and if not, re-enter step S41;
S43, judge whether the principle condition of the resources required by the attacker is met; if so, enter the next step, and if not, re-enter step S41.
Priority Application

Application Number Priority Date Filing Date Title
CN202110876045.5A CN113810365B (en) 2021-07-30 2021-07-30 Method and system for establishing automobile information security attack tree model (Active)

Publications

Publication Number Publication Date
CN113810365A (en) 2021-12-17
CN113810365B (en) 2023-04-07

Family

ID=78942724

Country Status

Country Link
CN (1) CN113810365B (en)

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant