CN114168967A - Industrial control system security situation prediction method and system - Google Patents

Industrial control system security situation prediction method and system

Info

Publication number
CN114168967A
CN114168967A
Authority
CN
China
Prior art keywords
situation
industrial control
score
value
alarm
Prior art date
Legal status
Pending
Application number
CN202111491381.4A
Other languages
Chinese (zh)
Inventor
安树勇
段美前
高守
游波
冉德旺
范宇
项滢
Current Assignee
Chongqing Datang International Pengshui Hydropower Development Co ltd
Original Assignee
Chongqing Datang International Pengshui Hydropower Development Co ltd
Priority date
Filing date
Publication date
Application filed by Chongqing Datang International Pengshui Hydropower Development Co ltd
Priority to CN202111491381.4A
Publication of CN114168967A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/044 Recurrent networks, e.g. Hopfield networks
    • G06N 3/045 Combinations of networks
    • G06N 3/08 Learning methods
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Artificial Intelligence (AREA)
  • Evolutionary Computation (AREA)
  • Computational Linguistics (AREA)
  • Molecular Biology (AREA)
  • Biophysics (AREA)
  • Biomedical Technology (AREA)
  • Data Mining & Analysis (AREA)
  • Mathematical Physics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application discloses a method for predicting the security situation of an industrial control network based on a convolutional time-series neural network. The method mainly comprises: acquiring security situation assessment elements that represent system state information in an industrial control system, constructing a situation assessment index system, and calculating an industrial control security situation value; learning the relationship between the situation elements and the situation value with a convolutional neural network model, assessing the industrial control security situation, and obtaining a sequence of situation assessment values; and constructing a long short-term memory (LSTM) recurrent neural network prediction model that takes the sequence of situation assessment values as input features, and predicting the security situation of the industrial control system. The method quantitatively describes how the security state of the industrial control network will change and determines the trend of its future security situation.

Description

Industrial control system security situation prediction method and system
Technical Field
The application belongs to the technical field of industrial control network security situation awareness, and particularly relates to an industrial control security situation prediction method based on a convolutional time-series neural network.
Background
As the informatization of industrial control systems (ICS) has advanced, they have moved from the closed systems of the past to the networked systems of today. An industrial control system mainly consists of various automation devices and process control components that implement real-time data acquisition and monitoring. Industrial control equipment is widely deployed in important basic industries such as energy, transportation and electric power, and industrial control systems are widely used in public services, so the security of industrial control systems concerns not only national public safety but also people's daily lives. The deep integration of industrial control systems with the Internet exposes them to many threats and attacks, with serious consequences for national security, economic development and social stability. How to ensure the security of industrial control system information during the current merging of industrialization and informatization is therefore the primary problem to be solved.
Situation assessment and situation prediction are the core of situation awareness. Assessing and predicting the industrial control security situation analyzes the requirements of industrial control network security from a macroscopic and comprehensive angle, provides field operators with a basis for taking corresponding measures, strengthens the technical means available to management departments and network operators for supervising industrial control network security, and improves risk analysis and emergency response capability.
Industrialization and informatization in China are currently in a stage of deep integration. The requirements of an industrial control network in terms of protection, response time and update cycle differ greatly from those of an information network, so existing security defense theory and technology designed for information networks cannot be applied directly to the defense of industrial control networks. The lack of real-time perception and prediction of the operating state of the industrial control network means that ongoing attacks cannot be detected and the operating trend of the network cannot be predicted, so the best moment to stop an attacker is missed. This is one of the problems that urgently needs to be solved in building industrial control network security defenses.
Situation awareness means acquiring, within a specified time and space, the situation factors that influence the state of a target, analyzing and organizing those factors, assessing the current state of the target, and predicting its state over a future period. It is a means of understanding the current condition of a system from a macroscopic perspective, judging whether the system is under attack, and predicting its future development trend, so that protective action can be taken in advance and further deterioration of the system's situation prevented. The security situation of the industrial control network has become a focus of attention in both the industrial control industry and academia.
Industrial control network security situation awareness can be divided into three steps: situation element acquisition, situation assessment and situation prediction. Situation assessment refines, fuses and analyzes a large amount of acquired heterogeneous data, given that the relevant network security elements in a certain space-time environment have been perceived, and quantifies the current network security state with a specific situation assessment algorithm. Situation prediction, given the network security situation value computed by situation assessment, combines the real-time situation value with historical situation values, discovers potential threats and risks with a prediction method, and calculates the network security situation value for a future period, thereby describing quantitatively how the future network security state will change. Situation prediction is the ultimate purpose of industrial control network security situation awareness. With the continued development of machine learning and deep learning, many researchers have attempted to predict the network security situation with these new techniques. Artificial intelligence has been a key research topic in recent years and has achieved remarkable results in image classification, visualization and other areas; its application to industrial control network security still needs continued exploration and innovation.
In existing research on assessing and predicting the industrial control network security situation, situation assessment is relatively well developed compared with situation prediction; methods such as the analytic hierarchy process (based on a mathematical model), evidence-theory reasoning (based on knowledge reasoning) and neural networks (based on pattern recognition) have practical value in certain respects. However, index selection and weighted data fusion in situation assessment are strongly subjective and arbitrary, and there is no formal, unified evaluation standard for assessment results, so a given method is hard to evaluate quantitatively and different schemes are hard to compare. Situation prediction is harder than situation assessment because the operation of the network is bursty and unpredictable, and most current research remains theoretical. In practice, various optimized machine learning algorithms are used to build network security situation prediction models, but most of these models lack precision, and optimization measures are needed to improve prediction accuracy.
Disclosure of Invention
Based on the above background, according to a first aspect of the present application, a method for predicting the security situation of an industrial control network based on a convolutional time-series neural network is provided, which mainly includes the following steps:
Step 1: acquire industrial control security situation assessment elements that represent system state information in an industrial control system, construct a situation assessment index system, and calculate an industrial control security situation value;
Step 2: learn the relationship between the situation elements and the situation values with a convolutional neural network model, assess the industrial control security situation, and obtain a sequence of situation assessment values;
Step 3: taking the sequence of situation assessment values as input features, construct a long short-term memory (LSTM) recurrent neural network prediction model, and predict the security situation of the industrial control system.
Preferably, the situation assessment index system of step 1 comprises 5 primary assessment indexes: asset score, vulnerability score, compliance score, alarm threat score and event threat score. Each primary index comprises secondary indexes: the asset score comprises confidentiality, availability and integrity; the vulnerability score comprises vulnerability severity and vulnerability count; the compliance score comprises compliance level and compliance item count; the alarm threat score comprises alarm level and alarm count; and the event threat score comprises event level and event count.
Preferably, the primary indexes are quantized as follows:
[The quantization formulas for the asset score, vulnerability score and compliance score are given as images in the original and are not reproduced here.]
Alarm threat score = (50 - c)/10
Event threat score = (50 - d)/10
where:
confidentiality, availability and integrity each take values in [1, 5];
vulnerability_i score is the score of the i-th vulnerability, determined by its severity, with values in [1, 5], and a is the number of vulnerabilities;
compliance_i score is the score of the i-th compliance item, determined by its compliance level, with values in [1, 5], and b is the number of compliance items;
c is the weighted number of alarm threats: c = critical (emergency) alarms × 10 + high-risk alarms × 5 + medium-risk alarms × 2 + low-risk alarms × 1, where at most 2 critical, 3 high-risk, 5 medium-risk and 5 low-risk alarms are counted, so c never exceeds 50 and the alarm threat score lies in [0, 5];
d is the weighted number of threat events: d = critical events × 10 + high-risk events × 5 + medium-risk events × 2 + low-risk events × 1, where at most 2 critical, 3 high-risk, 5 medium-risk and 5 low-risk events are counted, so d never exceeds 50 and the event threat score lies in [0, 5].
Preferably, the industrial control security situation value is calculated as:
$$\text{situation value} = \text{asset score} \times \left(\text{weight}_a \times \text{vulnerability score} + \text{weight}_b \times \text{compliance score} + \text{weight}_c \times \text{alarm threat score} + \text{weight}_d \times \text{event threat score}\right)$$
where weight_a, weight_b, weight_c and weight_d are the weights of the vulnerability score, compliance score, alarm threat score and event threat score respectively, and their sum is 1.
Preferably, step 2 constructs a fully connected convolutional neural network consisting of 4 fully connected layers, with an input size of 4, the PReLU activation function, and Batch Normalization added.
Preferably, step 3 constructs a long short-term memory recurrent neural network whose input size is 2: the input is a time series of situation assessment values of length 2, and the 3rd situation value is predicted from the previous 2 situation assessment values.
Preferably, the method adopts the root mean square error as the evaluation index of the situation assessment value, calculated as
$$\mathrm{RMSE} = \sqrt{\frac{1}{N}\sum_{i=1}^{N}\left(y_i - \hat{y}_i\right)^2}$$
where RMSE is the root mean square error, $y_i$ is the predicted situation value of the sequence, $\hat{y}_i$ is the true situation value of the sample sequence, and $N$ is the length of the sequence data.
According to a second aspect of the present application, the application further comprises a computer-readable storage medium storing one or more computer programs which, when executed by a computer processor, implement the above method.
According to a third aspect of the present application, the application further includes an industrial control system security situation prediction system, comprising:
a data acquisition and calculation unit, which acquires security situation assessment elements that represent system state information in an industrial control system, constructs a situation assessment index system, and calculates an industrial control security situation value;
a sequence situation assessment unit, which learns the relationship between the situation elements and the situation value with a convolutional neural network model, assesses the industrial control security situation, and obtains a sequence of situation assessment values;
a prediction unit, which constructs a long short-term memory recurrent neural network prediction model that takes the sequence of situation assessment values as input features, and predicts the security situation of the industrial control system.
The application provides a method for predicting the security situation of an industrial control network based on a convolutional time-series neural network. In the industrial control network, a deep-learning convolutional neural network, a recurrent neural network and situation elements are combined: the situation elements are learned by the fully connected convolutional neural network to obtain the risk score values of the assets in the industrial control network, i.e. the industrial control security situation values; the long short-term memory recurrent neural network then learns the asset risk score values over a past period and predicts the asset risk score values for a future period, thereby quantitatively describing how the security state of the industrial control network will change. The beneficial effects of the method include:
1. The situation assessment index system is constructed with reference to the information security risk assessment specification GB/T 20984-2007;
2. The assessment of the industrial control security situation exploits the distinctive network structure and weight sharing of the convolutional neural network. The situation assessment model obtains situation element values by counting, quantifying and analyzing secondary situation awareness indexes such as the confidentiality, availability and integrity of assets, vulnerability severity and count, compliance level and count, alarm level and count, and event level and count, and reflects the current security situation of the industrial control system by associating these secondary indexes with it.
3. The prediction of the industrial control security situation trains a long short-term memory recurrent neural network model and predicts the most likely future situation value by analyzing the historical trend of the asset situation value. The situation prediction model and the situation assessment model complement each other: the output of the assessment model provides the time series of situation values that the prediction model needs, and the output of the prediction model supplements the accuracy of the assessment results. By analyzing the situation element indexes used in assessment, the indexes that may carry risk can be identified, giving a direction and basis for the next security action. As time passes and data accumulates, both models can be updated automatically, so that assessment and prediction keep pace with a constantly changing environment.
Drawings
The accompanying drawings assist in further understanding the present application. For convenience of description, only the portions related to the invention are shown.
FIG. 1 is a flow diagram of a situation prediction method in an embodiment;
FIG. 2 is a diagram illustrating an overall architecture of a situation prediction method according to an embodiment;
FIG. 3 shows the situation assessment results of the fully connected convolutional neural model in an embodiment;
FIG. 4 shows the situation prediction results of the long short-term memory recurrent neural network model in an embodiment;
FIG. 5 is a diagram of the situation prediction system in an embodiment;
FIG. 6 is a block diagram of one type of computer system suitable for use in implementing the electronic device of an embodiment of the present application.
Detailed Description
The present application is described in further detail with reference to the following drawings and examples. The specific embodiments described here are merely illustrative of the invention and not restrictive.
FIG. 1 is a flow chart of the situation prediction method in an embodiment of the present application; FIG. 2 is the overall architecture diagram of the embodiment. The algorithmic basis of industrial control security situation prediction based on the convolutional time-series neural network is a fully connected convolutional model and a recurrent time-series model. The method comprises the following steps:
S1: obtain security situation assessment elements representing system state information in the industrial control system, construct a situation assessment index system, and calculate the industrial control security situation value.
Situation elements are obtained by extracting from the industrial control system data that can represent system state information; the index items in the situation assessment index system are the situation elements to be obtained. In the embodiment, the situation assessment index system is constructed with reference to the information security risk assessment specification GB/T 20984-2007. Index selection follows the principles of independence, completeness and scientific validity, takes account of the actual situation of industrial control equipment, and considers operability and ease of implementation. Five sub-situations, namely asset score, vulnerability score, compliance score, alarm threat score and event threat score, are taken as the primary indexes, and several secondary situations are then selected as secondary indexes under each. The resulting industrial control network security situation index system is shown in the following table.
TABLE 1 Industrial control network security situation index system
Primary index        | Secondary indexes
---------------------|------------------------------------------
Asset score          | confidentiality, availability, integrity
Vulnerability score  | vulnerability severity, vulnerability count
Compliance score     | compliance level, compliance item count
Alarm threat score   | alarm level, alarm count
Event threat score   | event level, event count
Each primary index is quantized as follows:
[The quantization formulas for the asset score, vulnerability score and compliance score are given as images in the original and are not reproduced here.]
Alarm threat score = (50 - c)/10
Event threat score = (50 - d)/10
where:
confidentiality is the property of data not being made available or disclosed to unauthorized individuals, processes or other entities; its value range is [1, 5], and a larger value means better confidentiality;
availability is the property of data or resources being accessible and usable on demand by an authorized entity; its value range in this invention is [1, 5], and a larger value means better availability;
integrity is the property of ensuring that information and information systems are not altered or destroyed without authorization; it covers data integrity and system integrity, its value range is [1, 5], and a larger value means better integrity;
vulnerability_i score is the score of the i-th vulnerability, determined by its severity, with values in [1, 5], and a is the number of vulnerabilities;
compliance_i score is the score of the i-th compliance item, determined by its compliance level, with values in [1, 5], and b is the number of compliance items;
c is the weighted number of alarm threats: c = critical (emergency) alarms × 10 + high-risk alarms × 5 + medium-risk alarms × 2 + low-risk alarms × 1, where at most 2 critical, 3 high-risk, 5 medium-risk and 5 low-risk alarms are counted, so c never exceeds 50 and the alarm threat score lies in [0, 5];
d is the weighted number of threat events: d = critical events × 10 + high-risk events × 5 + medium-risk events × 2 + low-risk events × 1, where at most 2 critical, 3 high-risk, 5 medium-risk and 5 low-risk events are counted, so d never exceeds 50 and the event threat score lies in [0, 5].
The true situation value of the industrial control security situation assessment model, i.e. the risk score of a single asset, is composed of the asset score, vulnerability score, compliance score, alarm threat score and event threat score, and is calculated as:
$$\text{situation value} = \text{asset score} \times \left(\text{weight}_a \times \text{vulnerability score} + \text{weight}_b \times \text{compliance score} + \text{weight}_c \times \text{alarm threat score} + \text{weight}_d \times \text{event threat score}\right)$$
where weight_a, weight_b, weight_c and weight_d are the weights of the vulnerability score, compliance score, alarm threat score and event threat score respectively, and their sum is 1. The specific values can be set according to actual conditions; in the embodiment they are 0.2, 0.1, 0.3 and 0.4 respectively.
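The following Python block is an added example, not code from the patent, showing the S1 quantization that the text specifies completely: the per-level capped weighted alarm/event counts c and d, the (50 - c)/10 threat scores, and the weighted combination into the single-asset situation value with the embodiment's weights 0.2/0.1/0.3/0.4. It assumes the asset, vulnerability and compliance scores are supplied already computed (their formulas are only images in the original), and that alarm and event records arrive as a constructed list of dicts with a `level` field; it also returns the per-index contributions so the index dragging the score down can be identified, as the summary suggests.

```python
"""Situation-value quantization for one asset (added example, not the patent's code).

Assumptions: asset/vulnerability/compliance scores are given; alarm and event
records are dicts with a `level` key; level weights, per-level caps and the
index weights 0.2/0.1/0.3/0.4 are taken from the patent text.
"""
from collections import Counter

# Weight per severity level and the maximum number of items counted per level:
# c = critical*10 + high*5 + medium*2 + low*1 with caps 2/3/5/5 (same for d).
LEVEL_WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}
LEVEL_CAPS = {"critical": 2, "high": 3, "medium": 5, "low": 5}
# With the caps the weighted count can never exceed 2*10 + 3*5 + 5*2 + 5*1 = 50.
MAX_WEIGHTED = sum(LEVEL_WEIGHTS[k] * LEVEL_CAPS[k] for k in LEVEL_WEIGHTS)

# Embodiment weights for the vulnerability, compliance, alarm and event scores.
DEFAULT_WEIGHTS = {"vulnerability": 0.2, "compliance": 0.1, "alarm": 0.3, "event": 0.4}


def count_by_level(records):
    """Count alarm or event records per severity level. Unknown levels are
    rejected rather than dropped: a silently dropped alarm would raise the score."""
    counts = Counter()
    for rec in records:
        level = str(rec["level"]).lower()
        if level not in LEVEL_WEIGHTS:
            raise ValueError(f"unknown severity level: {rec['level']!r}")
        counts[level] += 1
    return counts


def weighted_count(counts):
    """c (alarms) or d (events): per-level capped, weighted count."""
    total = 0
    for level, weight in LEVEL_WEIGHTS.items():
        n = counts.get(level, 0)
        if n < 0:
            raise ValueError("negative count")
        total += weight * min(n, LEVEL_CAPS[level])
    return total


def threat_score(counts):
    """(50 - c) / 10; lies in [0, 5] because of the per-level caps."""
    return (MAX_WEIGHTED - weighted_count(counts)) / 10


def situation_value(asset_score, vulnerability_score, compliance_score,
                    alarm_records, event_records, weights=DEFAULT_WEIGHTS):
    """situation value = asset score x (weighted sum of the four other indexes).
    Returns (value, per-index weighted contributions)."""
    if set(weights) != set(DEFAULT_WEIGHTS) or abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must cover the four indexes and sum to 1")
    alarm_score = threat_score(count_by_level(alarm_records))
    event_score = threat_score(count_by_level(event_records))
    contributions = {
        "vulnerability": weights["vulnerability"] * vulnerability_score,
        "compliance": weights["compliance"] * compliance_score,
        "alarm": weights["alarm"] * alarm_score,
        "event": weights["event"] * event_score,
    }
    return asset_score * sum(contributions.values()), contributions


# Constructed sample input (not real data): one asset's alarms and events for a period.
# Alarms: 1 critical, 4 high (only 3 counted), 2 low -> c = 10 + 15 + 2 = 27.
SAMPLE_ALARMS = [{"level": "critical"}] + [{"level": "high"}] * 4 + [{"level": "low"}] * 2
# Events: 1 high, 2 medium, 7 low (only 5 counted) -> d = 5 + 4 + 5 = 14.
SAMPLE_EVENTS = [{"level": "high"}] + [{"level": "medium"}] * 2 + [{"level": "low"}] * 7

if __name__ == "__main__":
    value, parts = situation_value(4.0, 3.0, 4.5, SAMPLE_ALARMS, SAMPLE_EVENTS)
    print(f"situation value = {value:.2f}")
    for name, part in sorted(parts.items(), key=lambda kv: kv[1]):
        print(f"  {name:13s} contributes {part:.2f}")
```

With the constructed input the alarm threat score is (50 - 27)/10 = 2.3, the event threat score is (50 - 14)/10 = 3.6, and the situation value is 4.0 × (0.6 + 0.45 + 0.69 + 1.44) = 12.72. The caps mean a flood of low-risk alarms cannot push the alarm term below 4.5 by itself; only critical and high-risk alarms move it substantially, which is worth remembering when the score is used for prioritisation.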
S2: learn the relationship between the situation elements and the situation values with a convolutional neural network model, assess the industrial control security situation, and obtain a sequence of situation assessment values.
A fully connected convolutional neural network is constructed from the five situation elements extracted in S1, and the relationship between the situation elements and the situation values is learned by the network. The network structure, the industrial control security situation assessment network, is shown in Table 2: the network consists of 5 fully connected layers, the input size is 5 (the five situation element values), the situation value is used as the label, the activation function is PReLU, and Batch Normalization is added to prevent vanishing and exploding gradients. The model parameters can be adjusted according to the number of situation elements and the amount of data.
TABLE 2 Industrial control security situation assessment network structure
[Table 2 is an image in the original and is not reproduced here.]
Following the situation element extraction of S1, 1000 assets each are simulated as training samples and as test samples; FIG. 3 compares the actual situation values with the assessed situation values. The root mean square error is adopted as the evaluation index, calculated as
$$\mathrm{RMSE} = \sqrt{\frac{1}{N}\sum_{i=1}^{N}\left(y_i - \hat{y}_i\right)^2}$$
where RMSE is the root mean square error, $y_i$ is the predicted situation value of the sequence, $\hat{y}_i$ is the true situation value of the sample sequence, and $N$ is the length of the sequence data. The RMSE between the assessment results of the fully connected convolutional neural model and the true situation values is 0.2605, showing that the model fits the true situation values well.
S3: taking the sequence of situation assessment values as input features, construct a long short-term memory recurrent neural network prediction model and predict the security situation of the industrial control system.
A Long Short-Term Memory (LSTM) recurrent neural network prediction model is constructed; its network structure is shown in Table 3. The sequence of situation assessment values obtained in S2 is used as the input feature: the network input size is 2, representing a time series of situation assessment values of length 2, and the situation value at the 3rd moment is used as the label. After training, the LSTM-based prediction model can predict the security situation of the industrial control system. A low predicted situation value indicates that the system may be at risk at the corresponding moment and that security measures should be taken.
TABLE 3 Industrial control system security situation prediction network structure
[Table 3 is an image in the original and is not reproduced here.]
Model training and prediction are performed with the 1000 simulated training samples and test samples from S2; FIG. 4 compares the actual situation values with the predicted situation values. The RMSE is 0.5471, showing that the model fits the real trend of the situation well.
The length of the time series can be adjusted to actual conditions, for example to predict the situation values of the coming week from the situation assessment values of the past week. A reasonable data dimensionality helps improve prediction accuracy.
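The following Python block is an added example, not the patent's code, covering the data side of S3 that the text describes but does not spell out: how a series of situation values is cut into supervised windows (inputs of length `window`, labels of length `horizon`, so window=2/horizon=1 is the "predict the 3rd value from the previous 2" setup and 7/7 is "next week from last week"), how predictions are scored with the RMSE defined above, and how low predicted values are flagged as risk. The predictor is a linear-extrapolation baseline that stands in for the trained LSTM (an assumption made so the example runs offline); the situation-value series is constructed.

```python
"""Windowing, RMSE scoring and low-value flagging for situation prediction
(added example, not the patent's code). The predictor is a baseline that
stands in for the trained LSTM; SAMPLE_SERIES is constructed, not real data."""
import math


def make_windows(series, window=2, horizon=1):
    """Sliding supervised samples: each input holds `window` consecutive situation
    values and its label the following `horizon` values. Generalizes the text's
    window=2, horizon=1 to any window/horizon, e.g. 7/7 for week-ahead prediction."""
    if window < 1 or horizon < 1:
        raise ValueError("window and horizon must be positive")
    inputs, labels = [], []
    for start in range(len(series) - window - horizon + 1):
        inputs.append(tuple(series[start:start + window]))
        labels.append(tuple(series[start + window:start + window + horizon]))
    return inputs, labels


def rmse(predicted, actual):
    """Root mean square error, as defined in the patent, over two equal-length sequences."""
    if len(predicted) != len(actual) or not predicted:
        raise ValueError("sequences must be non-empty and of equal length")
    return math.sqrt(sum((p - a) ** 2 for p, a in zip(predicted, actual)) / len(predicted))


def linear_extrapolation(window_values, horizon=1):
    """Baseline predictor (assumption, replaces the LSTM): continue the slope
    of the last two observed values for `horizon` steps."""
    if len(window_values) < 2:
        raise ValueError("need at least two values to extrapolate")
    slope = window_values[-1] - window_values[-2]
    last = window_values[-1]
    return tuple(last + slope * k for k in range(1, horizon + 1))


def evaluate(series, window, horizon, predictor):
    """Run `predictor` over every window of `series`; return (RMSE, predictions)."""
    inputs, labels = make_windows(series, window, horizon)
    preds = [predictor(x, horizon) for x in inputs]
    flat_pred = [v for p in preds for v in p]
    flat_true = [v for y in labels for v in y]
    return rmse(flat_pred, flat_true), preds


def flag_low(predictions, threshold):
    """(window index, step) pairs whose predicted situation value is below
    `threshold`; a low value means the asset may be at risk at that moment."""
    return [(i, k) for i, p in enumerate(predictions)
            for k, v in enumerate(p) if v < threshold]


# Constructed daily situation values for one asset (not real data).
SAMPLE_SERIES = [4.0, 4.2, 4.1, 3.6, 3.0, 2.2]

if __name__ == "__main__":
    err, preds = evaluate(SAMPLE_SERIES, window=2, horizon=1,
                          predictor=linear_extrapolation)
    print(f"RMSE = {err:.4f}")
    print("predictions:", [round(p[0], 2) for p in preds])
    print("low-value flags (window, step):", flag_low(preds, threshold=2.5))
```

On the constructed series the baseline predicts 4.4, 4.0, 3.1 and 2.4 against true values 4.1, 3.6, 3.0 and 2.2, giving an RMSE of about 0.274; the last prediction falls below the 2.5 threshold and is flagged. When swapping in the trained LSTM, keep the same `make_windows` and `rmse` so that the 0.5471 reported above and any new figure are computed on identically constructed samples; note also that with `horizon` > 1 the RMSE is averaged over all predicted steps, not only the first.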
According to another aspect of the present application, FIG. 5 is a schematic diagram of the security situation prediction system for an industrial control system. The system comprises a data acquisition and calculation unit 501, a sequence situation assessment unit 502 and a prediction unit 503. In a specific embodiment, the data acquisition and calculation unit 501 is configured to obtain the industrial control security situation assessment elements that represent system state information in the industrial control system, construct the situation assessment index system, and calculate the industrial control security situation value; the sequence situation assessment unit 502 is configured to learn the relationship between the situation elements and the situation values with a convolutional neural network model, assess the industrial control security situation, and obtain the sequence of situation assessment values; and the prediction unit 503 is configured to construct a long short-term memory recurrent neural network prediction model that takes the sequence of situation assessment values as input features, and to predict the security situation of the industrial control system.
According to another aspect of the present application, FIG. 6 is a schematic structural diagram of a computer system 600 suitable for implementing the electronic device of embodiments of the present application. The electronic device is only an example and places no limitation on the function or scope of use of the embodiments.
As shown in fig. 6, the computer system 600 includes a Central Processing Unit (CPU)601 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM 603, various programs and data necessary for the operation of the system 600 are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Liquid Crystal Display (LCD) and a speaker; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The driver 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is mounted in the storage section 608 as necessary.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The above-described functions defined in the method of the present application are executed when the computer program is executed by a Central Processing Unit (CPU) 601. It should be noted that the computer readable storage medium of the present application can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. 
In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, or the like, as well as conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present application may be implemented by software or hardware.
As another aspect, the present application also provides a computer-readable storage medium, which may be contained in the electronic device described in the above embodiments, or may exist separately without being assembled into the electronic device. The computer readable storage medium carries one or more programs which, when executed by the electronic device, cause the electronic device to: acquire the industrial control safety situation evaluation elements representing system state information data in an industrial control system, construct a situation evaluation index system, and calculate the industrial control safety situation value; learn the relation between the situation elements and the situation values with a convolutional neural network model, evaluate the industrial control safety situation, and obtain a sequence situation evaluation value; and construct a long short-term memory (LSTM) recurrent neural network prediction model with the sequence situation evaluation value as the input feature and predict the safety situation of the industrial control system.
While this application has been particularly shown and described with references to preferred embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the application as defined by the appended claims.

Claims (10)

1. A safety situation prediction method for an industrial control system is characterized by comprising the following steps:
step 1: acquiring safety situation evaluation elements used for representing system state information data in an industrial control system, constructing a situation evaluation index system, and calculating to acquire an industrial control safety situation value;
step 2: acquiring a rule between the situation element and the situation value based on a convolutional neural network model, evaluating the industrial control safety situation, and acquiring a sequence situation evaluation value;
step 3: constructing a long short-term memory (LSTM) recurrent neural network prediction model with the sequence situation evaluation value as the input feature, and predicting the safety situation of the industrial control system.
2. The industrial control system security situation prediction method of claim 1, wherein the situation assessment index system comprises 5 primary assessment indexes: asset score, vulnerability score, compliance score, alarm threat score and event threat score; each primary evaluation index comprises secondary evaluation indexes: the asset score comprises confidentiality, availability and integrity, the vulnerability score comprises vulnerability severity and vulnerability number, the compliance score comprises compliance grade and compliance number, the alarm threat score comprises alarm grade and alarm number, and the event threat score comprises event grade and event number.
3. The industrial control system safety situation prediction method according to claim 2, wherein the quantitative formulas of the primary evaluation indexes are respectively:
[Asset score formula: image FDA0003399503030000011, not reproduced in text]
[Vulnerability score formula: image FDA0003399503030000012, not reproduced in text]
[Compliance score formula: image FDA0003399503030000013, not reproduced in text]
Alarm threat score = (50 - c) / 10
Event threat score = (50 - d) / 10
Wherein:
the value ranges of confidentiality, availability and integrity are [1,5];
vulnerability_i score is the score of the ith vulnerability, determined by the severity of the vulnerability, with value range [1,5], and a is the number of vulnerabilities;
compliance_i score is the score of the ith compliance item, determined by the compliance grade, with value range [1,5], and b is the number of compliance items;
c is the weighted number of alarm threats, c = critical alarms × 10 + high-risk alarms × 5 + medium-risk alarms × 2 + low-risk alarms × 1, where at most 2 critical, 3 high-risk, 5 medium-risk and 5 low-risk alarms are counted;
d is the weighted number of threat events, d = critical events × 10 + high-risk events × 5 + medium-risk events × 2 + low-risk events × 1, where at most 2 critical, 3 high-risk, 5 medium-risk and 5 low-risk events are counted.
4. The industrial control system safety situation prediction method according to claim 3, wherein the calculation formula of the industrial control safety situation value is as follows:
Industrial control security situation value = asset score × (weight_a × vulnerability score + weight_b × compliance score + weight_c × alarm threat score + weight_d × event threat score)
where weight_a, weight_b, weight_c and weight_d are the weights of the vulnerability score, compliance score, alarm threat score and event threat score respectively, and their sum is 1.
5. The industrial control system security situation prediction method of claim 3, wherein step 2 constructs a fully-connected convolutional neural network composed of 5 fully-connected layers, the input size is 5, the activation function is PReLU, and batch normalization is applied.
6. The industrial control system safety situation prediction method according to claim 1, wherein the input size of the long short-term memory (LSTM) recurrent neural network is 2, the input represents a time series of situation evaluation values, the length of the time series is 2, and the 3rd situation value is predicted from the previous 2 situation evaluation values.
7. The industrial control system safety situation prediction method according to claim 1, wherein the evaluation index of the situation assessment value is the root mean square error, calculated as
[RMSE formula: image FDA0003399503030000021, not reproduced in text]
where RMSE is the root mean square error, y_i is the predicted situation value of the sequence, the symbol shown as image FDA0003399503030000022 is the true situation value of the sample sequence, and N is the length of the sequence data.
8. A computer-readable storage medium having one or more computer programs stored thereon, which when executed by a computer processor perform the method of any one of claims 1 to 7.
9. A safety situation prediction system of an industrial control system is characterized by comprising:
a data acquisition calculation unit: acquiring safety situation evaluation elements used for representing system state information data in an industrial control system, constructing a situation evaluation index system, and calculating to acquire an industrial control safety situation value;
sequence situation assessment unit: acquiring a rule between the situation element and the situation value based on a convolutional neural network model, and evaluating the industrial control security situation to acquire a sequence situation evaluation value;
a prediction unit: constructing a long short-term memory (LSTM) recurrent neural network prediction model with the sequence situation evaluation value as the input feature, and predicting the safety situation of the industrial control system.
10. The industrial control system security situation prediction system of claim 9, wherein the situation assessment index system comprises 5 primary assessment indexes: asset score, vulnerability score, compliance score, alarm threat score and event threat score; each primary evaluation index comprises secondary evaluation indexes: the asset score comprises confidentiality, availability and integrity, the vulnerability score comprises vulnerability severity and vulnerability number, the compliance score comprises compliance grade and compliance number, the alarm threat score comprises alarm grade and alarm number, and the event threat score comprises event grade and event number.
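The scoring rules of claims 3 and 4 (per-level weights and caps for alarms and events, the (50 - x)/10 threat scores, and the weighted product that yields the situation value) are compact enough to implement directly. The following is an added example, not code from the patent: the asset, vulnerability and compliance score formulas appear only as images on the page, so those three scores are taken as inputs already on the [1,5] scale the claims describe; the level weights, caps, weights and formulas are the ones the claims state, and the sample counts are constructed.

```python
"""Situation value computation as stated in claims 3 and 4 of this patent.

Added example, not code from the patent.  The asset, vulnerability and
compliance score formulas are only present as images on the page, so those
three scores are taken as inputs here (assumed already on the [1,5] scale the
claims describe).  The level weights, per-level caps, the (50 - x)/10 formulas
and the weighted sum are the ones the claims state.
"""

# Weight of one alarm/event per level and the maximum number of alarms/events
# counted per level (claim 3).  With the caps the largest possible weighted
# count is 2*10 + 3*5 + 5*2 + 5*1 = 50, which is why (50 - x)/10 can never go
# negative: a flood of low-risk alarms cannot push the score below 0.
LEVEL_WEIGHTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}
LEVEL_CAPS = {"critical": 2, "high": 3, "medium": 5, "low": 5}
MAX_WEIGHTED_COUNT = 50  # the constant in the claim's (50 - c)/10 formula


def weighted_count(counts):
    """Return c (for alarms) or d (for events): the sum over levels of
    min(count, cap) * level weight.  Unknown level labels are rejected so a
    typo in an alarm feed cannot silently drop alarms from the score."""
    total = 0
    for level, n in counts.items():
        if level not in LEVEL_WEIGHTS:
            raise ValueError(f"unknown level {level!r}")
        if n < 0:
            raise ValueError(f"negative count for {level!r}")
        total += min(n, LEVEL_CAPS[level]) * LEVEL_WEIGHTS[level]
    return total


def threat_score(counts):
    """Alarm threat score = (50 - c)/10 and event threat score = (50 - d)/10;
    both lie in [0, 5] because of the per-level caps."""
    return (MAX_WEIGHTED_COUNT - weighted_count(counts)) / 10


def situation_value(asset_score, vulnerability_score, compliance_score,
                    alarm_counts, event_counts, weights):
    """Claim 4: asset score x (weight_a x vulnerability score
    + weight_b x compliance score + weight_c x alarm threat score
    + weight_d x event threat score).  The four weights must sum to 1."""
    if len(weights) != 4 or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("weights must be four values summing to 1")
    weight_a, weight_b, weight_c, weight_d = weights
    return asset_score * (
        weight_a * vulnerability_score
        + weight_b * compliance_score
        + weight_c * threat_score(alarm_counts)
        + weight_d * threat_score(event_counts)
    )


if __name__ == "__main__":
    # Constructed sample: one day's alarm and event counts per level.  The
    # 4 high-risk alarms and 6 medium-risk events exceed their caps (3 and 5)
    # and are counted as 3 and 5.
    alarms = {"critical": 1, "high": 4, "medium": 0, "low": 2}
    events = {"critical": 0, "high": 1, "medium": 6, "low": 0}
    print("c =", weighted_count(alarms), "alarm threat score =", threat_score(alarms))
    print("d =", weighted_count(events), "event threat score =", threat_score(events))
    print("situation value =", situation_value(4.0, 3.0, 4.5, alarms, events,
                                               weights=(0.3, 0.2, 0.3, 0.2)))
```

Because of the caps, only two critical alarms ever count toward c, so a third critical alarm in the same window does not lower the score further; anyone consuming these values as a detection signal should keep the raw counts alongside the score rather than rely on the score alone.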
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111491381.4A CN114168967A (en) 2021-12-08 2021-12-08 Industrial control system security situation prediction method and system

Publications (1)

Publication Number Publication Date
CN114168967A true CN114168967A (en) 2022-03-11

Family

ID=80484390

Country Status (1)

Country Link
CN (1) CN114168967A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107786369A (en) * 2017-09-26 2018-03-09 广东电网有限责任公司电力调度控制中心 Based on the perception of IRT step analyses and LSTM powerline network security postures and Forecasting Methodology
CN110233849A (en) * 2019-06-20 2019-09-13 电子科技大学 The method and system of network safety situation analysis
CN111371644A (en) * 2020-02-28 2020-07-03 山东工商学院 Multi-domain SDN network traffic situation prediction method and system based on GRU
CN113065699A (en) * 2021-03-22 2021-07-02 国家电网有限公司 Electric power information network security situation quantification method based on evolutionary neural network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
朱晨飞: "《基于神经网络的网络安全态势评估与预测方法研究》", 信息科技辑, no. 3, 15 March 2012 (2012-03-15), pages 35 - 40 *
肖喜生;龙春;彭凯飞;魏金侠;赵静;冯伟华;陈瑞;: "基于人工智能的安全态势预测技术研究综述", 信息安全研究, no. 06, 4 June 2020 (2020-06-04) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116318783A (en) * 2022-12-05 2023-06-23 浙江大学 Network industrial control equipment safety monitoring method and device based on safety index
CN116318783B (en) * 2022-12-05 2023-08-22 浙江大学 Network industrial control equipment safety monitoring method and device based on safety index

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination