CN114448738B - Attack vector generation method and system for industrial control network - Google Patents

Attack vector generation method and system for industrial control network

Info

Publication number: CN114448738B
Authority: CN (China)
Prior art keywords: attack, data, industrial control, vulnerability, abnormal
Legal status: Active
Application number: CN202210373745.7A
Other languages: Chinese (zh)
Other versions: CN114448738A
Inventors: 赵越峰, 赵西玉, 李斌
Current assignee: Beijing Wangteng Technology Co ltd
Original assignee: Beijing Wangteng Technology Co ltd
Application filed by Beijing Wangteng Technology Co ltd
Priority to CN202210373745.7A
Publication of CN114448738A
Application granted
Publication of CN114448738B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1433 Vulnerability analysis
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/213 Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Evolutionary Biology (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an attack vector generation method and system for an industrial control network. The method comprises the steps of: monitoring all industrial control equipment under the industrial control network, retrieving the equipment that operates abnormally as abnormal industrial control equipment, and analysing and acquiring the industrial control protocol matched with the abnormal industrial control equipment; obtaining historical operating data of the abnormal industrial control equipment and comparing it with a preset vulnerability library to obtain a vulnerability comparison result; acquiring an attack model matched with the industrial control protocol from a pre-constructed attack model library and generating attack data based on the attack type of the attack model and the vulnerability comparison result; and reducing the dimension of the attack data to generate an attack vector. The invention has the advantages that it realizes accurate detection of the equipment, prevents the generated quantity of attack vectors from being insufficient or excessive, improves detection efficiency and shortens the detection period.

Description

Attack vector generation method and system for industrial control network
Technical Field
The invention belongs to the technical field of industrial network security, and particularly relates to an attack vector generation method and system for an industrial control network.
Background
With the arrival of the network information era, China's industrial model has changed dramatically: the information-island model has been thoroughly broken, enterprises are comprehensively networked, production data is easily aggregated and analysed, production efficiency is improved, and the national strategy of energy conservation and emission reduction is advanced. The benefits that informatization brings to industry are obvious, but the network security problems that follow are alarming. Process control systems such as DCS, PLC and SCADA operate within the industrial network; they are often the core of the production system and are responsible for basic production control. If these control systems are intruded upon or damaged, industrial production is affected, which may cause significant economic loss to enterprises and even endanger the lives of production personnel. To ensure the safe operation of the control systems, security personnel therefore need to perform penetration testing on the industrial systems and provide complete protection for the systems according to the vulnerabilities found by penetration testing, thereby improving the security of the systems.
Penetration testing mainly consists of security personnel generating a large number of attack vectors according to the generation rule for the vulnerability type of the detection target and using the attack vectors one by one to perform injection-type attack detection on injection points. The generation of the attack vectors is therefore the most important step of vulnerability detection, and it is directly related to the detection effect.
However, existing attack vector generation depends mainly on the experience of the security personnel. If that experience is insufficient, the attack vectors generated are too few or incomplete and the false negative rate of the result is very high; or excessive attack vectors are generated, the detection efficiency drops severely, and the detection period becomes so long that the detection result is affected. Generating attack vectors manually over a long period means the equipment cannot be detected accurately and detection efficiency is seriously impaired.
Disclosure of Invention
In view of the above deficiencies of the prior art, the present application provides an attack vector generation method and system for an industrial control network.
In a first aspect, the present application provides a method for generating an attack vector for an industrial control network, including the following steps:
monitoring all industrial control equipment in an industrial control network, retrieving the industrial control equipment with abnormal operation as abnormal industrial control equipment, and analyzing and acquiring an industrial control protocol matched with the abnormal industrial control equipment;
acquiring historical operating data of the abnormal industrial control equipment, and comparing the historical operating data with a preset vulnerability library to obtain a vulnerability comparison result;
acquiring an attack model matched with the industrial control protocol from a pre-constructed attack model library, and generating attack data based on the attack type of the attack model and the vulnerability comparison result;
and reducing the dimension of the attack data to generate an attack vector.
In some embodiments, in the above method for generating an attack vector for an industrial control network, the monitoring is performed on all industrial control devices in the industrial control network, an industrial control device with abnormal operation is retrieved as an abnormal industrial control device, and an industrial control protocol matched with the abnormal industrial control device is analyzed and obtained, including,
retrieving the industrial control equipment through an equipment retrieval engine to obtain an industrial control equipment retrieval result;
screening the industrial control equipment retrieval result, and removing redundant and miscellaneous data in the industrial control equipment retrieval result to obtain an abnormal industrial control equipment retrieval result;
and analyzing the industrial control protocol of the abnormal industrial control equipment from the retrieval result of the abnormal industrial control equipment, and acquiring the data packet of the abnormal industrial control equipment based on the analyzed industrial control protocol.
In some embodiments, in the above method for generating an attack vector for an industrial control network, before obtaining historical operating data of the abnormal industrial control device and comparing the historical operating data with a preset vulnerability database to obtain a vulnerability comparison result, a step of constructing a vulnerability comparison database is required, including,
acquiring comparison vulnerability data from an existing vulnerability database by using a data interface technology and/or acquiring comparison vulnerability data from an industrial network by using a crawler engine technology;
determining field content corresponding to the comparison vulnerability data;
establishing a comparison vulnerability database storage table according to the field content;
and establishing a comparison vulnerability database comprising the comparison vulnerability data and a comparison vulnerability database storage table.
In some embodiments, in the above method for generating an attack vector for an industrial control network, the obtaining historical operating data of the abnormal industrial control device, and comparing the historical operating data with a preset vulnerability database to obtain a vulnerability comparison result includes,
acquiring historical operating data from the data packet of the abnormal industrial control equipment;
determining the field content of the historical operating data, judging whether the field content of the historical operating data is complete, and if the field content of the historical operating data is incomplete, determining that the historical operating data is data which does not meet the vulnerability standard;
if the historical operating data is complete, comparing the field content of the historical operating data with the field content of the vulnerabilities in the comparison vulnerability library;
if the historical operating data has no field content completely identical to the field content of a vulnerability in the comparison vulnerability library, the historical operating data does not include equipment vulnerability data;
if the historical operating data has field content completely identical to the field content of a vulnerability in the comparison vulnerability library, extracting that field content from the historical operating data as the equipment vulnerability data.
In some embodiments, in the above method for generating an attack vector for an industrial control network, the obtaining an attack model matching the industrial control protocol from a pre-constructed attack model library, and generating attack data based on an attack type of the attack model and the vulnerability comparison result includes,
initializing the obtained attack model, and determining an attack type corresponding to the attack model;
and operating the attack model, executing an attack type function in the attack model according to the attack type, processing the equipment vulnerability data, and generating the attack data.
In some embodiments, the above method for generating an attack vector for an industrial control network, operating the attack model, executing an attack type function in the attack model according to an attack type, processing the device vulnerability data, and generating the attack data includes,
and executing a characteristic data field abnormal attack type function in the attack model, replacing a characteristic data field value in the equipment vulnerability data with a preset abnormal value, and generating the attack data.
In some embodiments, the above method for generating an attack vector for an industrial control network, the method executes a feature data field abnormal attack type function in the attack model, replaces a feature data field value in the equipment vulnerability data with a preset abnormal value, and generates the attack data, including,
analyzing the characteristic data field abnormal attack type function to obtain parameters of the characteristic data field abnormal attack type function;
judging whether the parameters comprise an abnormal data list or not;
if yes, replacing the characteristic data field value in the equipment vulnerability data with the value in the abnormal data list to generate the attack data;
if not, extracting the lacking attack data from an attack model database according to the type of the characteristic data field in the equipment vulnerability data, replacing the characteristic data field value in the equipment vulnerability data with the attack data, and generating the attack data.
In some embodiments, the above method for generating an attack vector for an industrial control network, where the attack model is run, an attack type function in the attack model is executed according to an attack type, and the device vulnerability data is processed to generate the attack data, further includes,
executing a context inconsistent attack type function in the attack model, exchanging the position of field content in the equipment vulnerability data, and generating the attack data;
and executing a context inconsistent attack type function in the attack model, filling preset irrelevant data in front of or behind field content in the equipment vulnerability data, and generating the attack data.
In some embodiments, in the attack vector generation method for industrial control networks, the dimensionality reduction of the attack data to generate the attack vector includes,
and performing dimensionality reduction on the attack data through a PCA principal component analysis algorithm, converting the attack data into a uniform vector format, and generating an attack vector.
The application provides an attack vector generation system for an industrial control network, which comprises an equipment monitoring retrieval module, a vulnerability detection module, an attack data generation module and an attack vector generation module;
the equipment monitoring and retrieving module is used for monitoring all industrial control equipment in the industrial control network, retrieving the industrial control equipment with abnormal operation as abnormal industrial control equipment, and analyzing and acquiring an industrial control protocol matched with the abnormal industrial control equipment;
the vulnerability detection module is used for acquiring historical operating data of the abnormal industrial control equipment and comparing the historical operating data with a preset vulnerability library so as to obtain a vulnerability comparison result;
the attack data generation module is used for acquiring an attack model matched with the industrial control protocol from a pre-constructed attack model library and generating attack data based on the attack type of the attack model and the vulnerability comparison result;
and the attack vector generation module is used for reducing the dimension of the attack data to generate an attack vector.
The invention has the beneficial effects that:
the method first monitors all industrial control equipment under the industrial control network, finds abnormal industrial control equipment and extracts its information and data; it then determines, by comparison with a preset vulnerability library, whether the industrial control equipment has been attacked and injected with vulnerability data; it then extracts the vulnerability data from the information and data of the abnormal industrial control equipment, processes the vulnerability data with the corresponding attack model from the attack model library to generate attack data, and reduces the dimension of the attack data to obtain attack vector data.
Drawings
FIG. 1 is a general flow diagram of the present invention.
Fig. 2 is a flow chart of device retrieval and data extraction.
FIG. 3 is a flow chart of constructing a comparison vulnerability database.
Fig. 4 is a flowchart of vulnerability detection.
Fig. 5 is a flow chart of generating attack data.
Fig. 6 is a system configuration diagram of the present invention.
Detailed Description
The invention provides an attack vector generation method and system for an industrial control network, which generate attack vectors aimed at the vulnerability data of abnormal industrial control equipment, realize accurate detection of the equipment, prevent the generated quantity of attack vectors from being insufficient or excessive, improve the detection efficiency and shorten the detection period.
The following embodiments are described in further detail with reference to the accompanying drawings, and the following embodiments are only used to more clearly illustrate the technical solutions of the present invention, and should not be taken as limiting the scope of the present invention.
In a first aspect, the present application provides an attack vector generation method for an industrial control network, as shown in fig. 1, including S100: monitoring all industrial control equipment in an industrial control network, retrieving the industrial control equipment with abnormal operation as abnormal industrial control equipment, and analyzing and acquiring an industrial control protocol matched with the abnormal industrial control equipment;
the abnormal industrial control equipment is judged in the following mode: if the industrial control equipment feeds back the operation data to the server, the operation state and the communication result of the industrial control equipment can be analyzed from the current operation data;
if the industrial control equipment does not feed back the operation data to the server, the operation data is judged to be lost, at the moment, the industrial control equipment is directly judged to be abnormal, historical operation data is obtained, and whether the loophole data are injected or not is further judged.
As shown in fig. 2, S110: retrieving the industrial control equipment through an equipment retrieval engine to obtain an industrial control equipment retrieval result;
the equipment retrieval engine is a Shodan engine, and the search syntax of the Shodan engine is shown in the following table:
Figure 306362DEST_PATH_IMAGE001
shodan is a network space search engine used for searching networked devices, and is used for searching all industrial control devices in the current industrial control network in the scheme.
S120: screening the industrial control equipment retrieval result, and removing redundant and miscellaneous data in the industrial control equipment retrieval result to obtain an abnormal industrial control equipment retrieval result;
The retrieval result of the industrial control equipment is deduplicated, optimized and integrated, and duplicate data, poor-quality data and data of non-abnormal industrial control equipment are deleted. For example: if the system information of the industrial control equipment cannot be parsed, the data is deleted; if the retrieval result of the industrial control equipment does not conform to the industrial control protocol of that equipment, its data is deleted; and if the retrieved industrial control equipment is non-abnormal, its data is deleted. Finally, the remaining data is integrated to obtain the retrieval result of the abnormal industrial control equipment.
S130: and analyzing the industrial control protocol of the abnormal industrial control equipment from the retrieval result of the abnormal industrial control equipment, and acquiring the data packet of the abnormal industrial control equipment based on the analyzed industrial control protocol.
Under the condition that a transport layer protocol of the abnormal industrial control equipment is a TCP (transmission control protocol), firstly establishing communication connection with an IP (Internet protocol) address and a port number of the industrial control equipment through the TCP, and then inquiring the abnormal industrial control equipment through the communication connection;
and under the condition that the transport layer protocol of the abnormal industrial control equipment is the UDP protocol, the abnormal industrial control equipment is directly inquired without establishing communication connection with the abnormal industrial control equipment.
The industrial control protocol library is established by analyzing different industrial control protocols and classifying and integrating transmission rules of the industrial control protocols, so that the industrial control protocol of the abnormal industrial control equipment can be directly matched with the industrial control protocol library to obtain the industrial control protocol of the abnormal industrial control equipment, and further, equipment information such as a data packet of the abnormal industrial control equipment is obtained.
Before step S200 is executed, as shown in fig. 3, the method further includes a step of constructing a comparison vulnerability library:
D100: acquiring comparison vulnerability data from an existing vulnerability database by using a data interface technology and/or acquiring comparison vulnerability data from an industrial network by using a crawler engine technology;
D200: determining field content corresponding to the comparison vulnerability data;
wherein the field content of the comparison vulnerability data comprises: a feature field, a field length, a functional code field and a data field, for example: the characteristic fields are: special characters, special ASCII codes;
the field lengths are: 0xfe, 0x00, 0x03, 0xff, 0x7d, 0x7f, 0x80;
the function code field is: illegal function code, undefined function code, custom function code or random character;
the data fields are: single character values, null values, illegal data values, random characters, delimiters, formatted strings, very long strings, or directory traversal symbols.
D300: establishing a comparison vulnerability database storage table according to the field content;
after determining the characteristic field, the field length, the functional code field, the data field and other information of the vulnerability database, the field contents are classified and integrated, and the comparison vulnerability database storage table is designed;
D400: establishing a comparison vulnerability database comprising the comparison vulnerability data and the comparison vulnerability database storage table.
The comparison vulnerability data is extracted, cleaned, converted and loaded with an ETL process, the field content of the comparison vulnerability data is normalized and standardized, and the data is stored to form the comparison vulnerability library.
S200: obtaining historical operating data of the abnormal industrial control equipment, and comparing the historical operating data with a preset vulnerability library to obtain a vulnerability comparison result;
as shown in fig. 4, S210: acquiring historical operating data from the data packet of the abnormal industrial control equipment;
Because the industrial control device in step S100 feeds back operation data to the server, the operation state and communication result of the device can be analysed from the current operation data; when that analysis finds them abnormal, the current operation data can also be obtained from the data packet as a basis for the subsequent vulnerability data determination.
S211: determining the field content of the historical operating data;
the field contents of the historical operating data are confirmed by the method of step D200, and the characteristic field, the field length, the functional code field and the data field are extracted.
Judging whether the field content of the historical operating data is complete or not;
if not, go to step S212;
S212: determining that the historical operating data is data which does not meet the vulnerability standard;
if complete, go to step S213;
S213: comparing the field content of the historical operating data with the field content of the vulnerabilities in the comparison vulnerability library;
if the historical operating data has no field content completely identical to the field content of a vulnerability in the comparison vulnerability library, executing step S214;
S214: the historical operating data does not include device vulnerability data;
if the historical operating data has field content completely identical to the field content of a vulnerability in the comparison vulnerability library, executing step S215;
S215: extracting the field content in the historical operating data that is completely identical to the field content of the vulnerability in the comparison vulnerability library as the equipment vulnerability data.
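The comparison vulnerability library of steps D200 to D400 and the completeness check and exact field comparison of steps S211 to S215, written out as an added example (this is not the patent's or the applicant's code). The library entries, the historical records, the VL-EXAMPLE ids and the ETL-style normalisation are constructed assumptions; the four field categories (feature field, field length, function code field, data field) are the ones the text names.

```python
# Added example (not the patent's code): builds the comparison vulnerability
# storage table described in steps D200-D400 and runs the completeness check and
# field-for-field comparison of steps S211-S215 over constructed historical data.
# All library entries, device records and field values below are constructed
# for illustration and do not describe any real device or vulnerability.

FIELD_NAMES = ("feature", "length", "function_code", "data")


def normalize_entry(raw):
    """ETL-style normalisation (D400): strip and lower-case string fields,
    keep integer fields (such as the field length) as integers."""
    out = {}
    for name in FIELD_NAMES:
        value = raw.get(name)
        if isinstance(value, str):
            value = value.strip().lower()
        out[name] = value
    return out


def build_comparison_library(raw_entries):
    """D300/D400: one storage-table row per vulnerability, keyed by the tuple of
    its four field contents so that lookups are exact ('completely the same')."""
    table = {}
    for raw in raw_entries:
        entry = normalize_entry(raw)
        key = tuple(entry[name] for name in FIELD_NAMES)
        table[key] = raw["id"]
    return table


def extract_fields(record):
    """S211: pull the four field contents out of a parsed historical record.
    Returns None when any field is missing or empty (incomplete data, S212)."""
    fields = normalize_entry(record)
    if any(fields[name] in (None, "") for name in FIELD_NAMES):
        return None
    return fields


def compare_record(record, library):
    """S213-S215: classify one historical record against the library."""
    fields = extract_fields(record)
    if fields is None:
        return {"status": "incomplete", "vuln_data": None}
    key = tuple(fields[name] for name in FIELD_NAMES)
    if key not in library:
        return {"status": "no_vulnerability", "vuln_data": None}
    # Device vulnerability data = the field contents that matched exactly.
    return {"status": "vulnerable", "vuln_data": fields, "library_id": library[key]}


# Constructed comparison vulnerability data (D100). The field lengths and data
# kinds follow the categories named in the text; the ids are placeholders.
RAW_LIBRARY = [
    {"id": "VL-EXAMPLE-1", "feature": "0500", "length": 0x7F,
     "function_code": "undefined", "data": "directory_traversal"},
    {"id": "VL-EXAMPLE-2", "feature": "59", "length": 0xFE,
     "function_code": "illegal", "data": "null"},
]

# Constructed historical operating data taken from a device's packets (S210).
HISTORY = [
    {"feature": "0500", "length": 0x7F, "function_code": "undefined"},  # data field missing
    {"feature": "0500", "length": 0x03, "function_code": "custom", "data": "ok"},
    {"feature": "59", "length": 0xFE, "function_code": "ILLEGAL", "data": "NULL"},
]


def run_detection(history=HISTORY, raw_library=RAW_LIBRARY):
    """Build the library once, then classify every historical record."""
    library = build_comparison_library(raw_library)
    return [compare_record(rec, library) for rec in history]


if __name__ == "__main__":
    for i, result in enumerate(run_detection()):
        print(i, result["status"], result.get("library_id", ""))
```

The exact-tuple key is what makes "completely the same field content" a dictionary lookup rather than a scan; normalising case and whitespace before building the key is the practical reason the text routes the library through an ETL step, since otherwise a record that differs only in capitalisation would be missed.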
S300: acquiring an attack model matched with the industrial control protocol from a pre-constructed attack model library, and generating attack data based on the attack type of the attack model and the vulnerability comparison result;
different industrial control devices correspond to different protocols, and when the industrial control devices are attacked, different device vulnerability data also correspond to different attack types, so that attack models are generated in advance according to the industrial control protocols of abnormal industrial control devices and the attack types suffered by the abnormal industrial control devices, namely each attack model corresponds to one industrial control protocol and one attack type respectively, and a plurality of attack models form an attack model library;
acquiring an attack model corresponding to the industrial control protocol and the attack type of the abnormal industrial control equipment from an attack model library according to the corresponding relation between the abnormal industrial control equipment subjected to attack and the attack type and the corresponding relation between the attack model in the attack model library and the industrial control protocol and the attack type group;
the attack model can be constructed based on language scripts such as JavaScript, Python or XML.
As shown in fig. 5, S310: initializing the obtained attack model, and determining an attack type corresponding to the attack model;
wherein, initializing the attack model, the concrete mode is: and verifying the interface functions in the attack model, and determining the attack type corresponding to the attack model according to the definition of the attack type function after all the interface functions are verified.
S320: and operating the attack model, executing an attack type function in the attack model according to an attack type, processing the equipment vulnerability data, and generating the attack data.
Different equipment vulnerability data can also correspond to different attack types, and two attack types are explained below;
abnormal attack of characteristic data field:
executing a characteristic data field abnormal attack type function in the attack model, replacing a characteristic data field value in the equipment vulnerability data with a preset abnormal value, and generating the attack data;
specifically, analyzing the characteristic data field abnormal attack type function to obtain parameters of the characteristic data field abnormal attack type function;
judging whether the parameters comprise an abnormal data list or not;
if yes, replacing the characteristic data field value in the equipment vulnerability data with the value in the abnormal data list to generate the attack data;
if not, extracting the lacking attack data from an attack model database according to the type of the characteristic data field in the equipment vulnerability data, replacing the characteristic data field value in the equipment vulnerability data with the attack data, and generating the attack data.
Function interface prompts with "abnormal" as the keyword are taken as the characteristic data field abnormal attack type function interface. The interface is parsed, and the interface parameters are then parsed to determine whether they include a specified abnormal data list. When the interface parameters include the specified abnormal data list (for example, the characteristic data field value of Siemens equipment is 0500 and that of IEC equipment is 59), the characteristic data field value in the equipment vulnerability data is replaced by the preset abnormal value. When the interface parameters do not include the specified abnormal data list, the attack model database is accessed and the missing attack data is extracted from the database according to the field type to generate complete attack data.
Context inconsistency attack:
Execute the context inconsistent attack type function in the attack model, swap the positions of field contents in the equipment vulnerability data, and generate the attack data;
or execute the context inconsistent attack type function in the attack model, fill preset irrelevant data before or after a field content in the equipment vulnerability data, and generate the attack data.
Specifically, the attack data are generated by swapping the positions of some fields in the equipment vulnerability data, filling irrelevant data before or after field contents, removing some field contents, or similar operations, for example increasing or decreasing a field length, or swapping the positions of the function field, the data field and the characteristic field within the field content.
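The two attack type functions above, written out as an added worked example in Python; this is not code from the patent. It assumes that a piece of equipment vulnerability data is an ordered list of (field name, field type, value bytes), that the "attack model database" is a table of abnormal values keyed by field type, and that the sample record's bytes (including the Siemens characteristic value 0500 from the description, encoded here as 0x05 0x00) are constructed for illustration. The context inconsistent function goes slightly beyond the text by also removing fields and changing field lengths, which the description lists as further variants.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Field = Tuple[str, str, bytes]  # (field name, field type, value bytes)


@dataclass
class VulnRecord:
    """Equipment vulnerability data: an ordered list of protocol fields."""
    protocol: str
    fields: List[Field]

    def serialize(self) -> bytes:
        """Field contents concatenated in order, as they would go on the wire."""
        return b"".join(value for _, _, value in self.fields)

    def with_field(self, idx: int, value: bytes) -> "VulnRecord":
        """Copy of the record with field idx's value replaced."""
        fields = list(self.fields)
        name, ftype, _ = fields[idx]
        fields[idx] = (name, ftype, value)
        return VulnRecord(self.protocol, fields)


# Hypothetical attack model database: abnormal values per field type, consulted
# when the attack type function is called without an abnormal data list.
MODEL_DB = {
    "u16": [b"\x00\x00", b"\xff\xff", b"\x7f\xff"],
    "u8": [b"\x00", b"\xff"],
}


def feature_field_abnormal(rec: VulnRecord,
                           abnormal_list: Optional[List[bytes]] = None,
                           db=MODEL_DB) -> List[bytes]:
    """Attack type 1: replace the characteristic ("feature") field value.

    If the function parameters carry an abnormal data list, those values are
    used; otherwise the missing values are taken from the database by the
    feature field's type.  One attack message is produced per abnormal value.
    """
    out: List[bytes] = []
    for idx, (name, ftype, _) in enumerate(rec.fields):
        if name != "feature":
            continue
        values = abnormal_list if abnormal_list else db.get(ftype, [])
        out.extend(rec.with_field(idx, bad).serialize() for bad in values)
    return out


def context_inconsistent(rec: VulnRecord,
                         filler: bytes = b"\xde\xad\xbe\xef") -> List[bytes]:
    """Attack type 2: break the context of the fields.

    Swaps every pair of field positions, pads irrelevant bytes before or after
    each field, removes each field, and halves or doubles each field's length.
    The result is deduplicated, because padding after field i yields the same
    bytes as padding before field i+1.
    """
    out: List[bytes] = []
    n = len(rec.fields)
    for i in range(n):
        for j in range(i + 1, n):
            fields = list(rec.fields)
            fields[i], fields[j] = fields[j], fields[i]
            out.append(VulnRecord(rec.protocol, fields).serialize())
    for i, (_, _, value) in enumerate(rec.fields):
        out.append(rec.with_field(i, filler + value).serialize())            # pad before
        out.append(rec.with_field(i, value + filler).serialize())            # pad after
        dropped = [f for k, f in enumerate(rec.fields) if k != i]
        out.append(VulnRecord(rec.protocol, dropped).serialize())            # remove field
        out.append(rec.with_field(i, value[: len(value) // 2]).serialize())  # shorten
        out.append(rec.with_field(i, value * 2).serialize())                 # lengthen
    return list(dict.fromkeys(out))


# Constructed sample: function, data and characteristic fields of a Siemens-style
# request; the characteristic value 0500 from the description is encoded as 0x05 0x00.
SAMPLE = VulnRecord("S7comm", [
    ("function", "u16", b"\x32\x01"),
    ("data", "u32", b"\x00\x01\x00\x04"),
    ("feature", "u16", b"\x05\x00"),
])

if __name__ == "__main__":
    for msg in feature_field_abnormal(SAMPLE):
        print("feature-field-abnormal:", msg.hex())
    for msg in context_inconsistent(SAMPLE):
        print("context-inconsistent:  ", msg.hex())
```

Run stand-alone, the script prints the three database-derived variants of the characteristic field followed by the sixteen distinct context-inconsistent messages for the sample record. The deduplication step matters in practice: without it a fuzzing campaign built on these mutations sends the same frame twice and wastes time on the target PLC.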
S400: reduce the dimension of the attack data to generate an attack vector.
The attack data are reduced in dimension with the principal component analysis (PCA) algorithm and converted into a uniform vector format, which yields the attack vector.
PCA is the most widely used data dimension reduction algorithm. Its main idea is to map n-dimensional features onto k new, mutually orthogonal features, also called principal components, which are reconstructed from the original n-dimensional features. PCA finds, one after another, a set of mutually orthogonal axes in the original space, and the choice of each new axis is determined by the data themselves: the first new axis is the direction of greatest variance in the original data, the second is the direction orthogonal to the first axis with the greatest remaining variance, and the third is the direction orthogonal to the first two axes with the greatest remaining variance. Continuing in this way, n such axes are obtained. With the axes ordered like this, most of the variance is contained in the first k axes and the later axes carry almost none, so the remaining axes can be ignored and only the first k axes, which contain the most variance, are kept. This amounts to retaining only the feature dimensions that carry most of the variance and discarding those whose variance is almost zero, which implements the dimension reduction of the data features; the generated attack data are converted into a uniform vector format according to this algorithm, and the attack vector is generated.
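Step S400 as an added worked example in Python; this is not the patent's code. Two things the description leaves open are filled in as assumptions: the uniform vector format (here a 16-bin histogram of each byte's high nibble plus a normalised message length, so that messages of different lengths become 17-dimensional vectors), and the PCA itself, which is written out as mean-centering followed by power iteration with deflation so that it runs without NumPy. The attack messages are constructed mutations of one S7comm-style frame.

```python
import math
import random
from typing import List, Tuple

MAX_LEN = 64  # assumed upper bound on message length for the length feature


def featurize(message: bytes) -> List[float]:
    """Map a message of any length to a fixed 17-dimensional vector."""
    hist = [0.0] * 16
    for b in message:
        hist[b >> 4] += 1.0
    n = max(len(message), 1)
    return [h / n for h in hist] + [min(len(message), MAX_LEN) / MAX_LEN]


def _dot(a: List[float], b: List[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


def _cov_times(centered: List[List[float]], v: List[float]) -> List[float]:
    """Covariance matrix times v, computed as X^T (X v) / (n-1) without
    forming the d x d matrix."""
    n = len(centered)
    xv = [_dot(row, v) for row in centered]
    return [sum(centered[j][i] * xv[j] for j in range(n)) / (n - 1)
            for i in range(len(v))]


def _project_out(w: List[float], components: List[List[float]]):
    """Gram-Schmidt: remove the axes already found, then normalise.
    Returns None when nothing is left (no variance in this subspace)."""
    for c in components:
        d = _dot(w, c)
        w = [wi - d * ci for wi, ci in zip(w, c)]
    norm = math.sqrt(_dot(w, w))
    return [x / norm for x in w] if norm > 1e-12 else None


def pca_fit(rows: List[List[float]], k: int, iters: int = 300, seed: int = 0):
    """Return (mean, components, variances) for the top-k principal axes.

    Each axis is the direction of greatest remaining variance orthogonal to
    the axes already chosen, found by power iteration on the covariance.
    """
    d = len(rows[0])
    mean = [sum(r[i] for r in rows) / len(rows) for i in range(d)]
    centered = [[r[i] - mean[i] for i in range(d)] for r in rows]
    rng = random.Random(seed)
    components: List[List[float]] = []
    variances: List[float] = []
    for _ in range(k):
        v = _project_out([rng.gauss(0.0, 1.0) for _ in range(d)], components)
        if v is None:
            break
        for _ in range(iters):
            nxt = _project_out(_cov_times(centered, v), components)
            if nxt is None:  # covariance maps v to ~0: no variance left here
                break
            v = nxt
        variances.append(_dot(v, _cov_times(centered, v)))
        components.append(v)
    return mean, components, variances


def pca_transform(rows, mean, components) -> List[List[float]]:
    """Coordinates of each row along the principal axes."""
    return [[_dot([r[i] - mean[i] for i in range(len(mean))], c)
             for c in components] for r in rows]


def attack_vectors(messages: List[bytes], k: int) -> Tuple[List[List[float]], List[float]]:
    """S400 in one call: uniform feature vectors, then PCA down to k dimensions."""
    rows = [featurize(m) for m in messages]
    mean, comps, var = pca_fit(rows, k)
    return pca_transform(rows, mean, comps), var


# Constructed attack data: mutations of one S7comm-style frame (not captured traffic).
ATTACK_DATA = [
    bytes.fromhex("3201000100040500"),
    bytes.fromhex("320100010004ffff"),
    bytes.fromhex("3201000100040000"),
    bytes.fromhex("0500000100043201"),
    bytes.fromhex("3201deadbeef000100040500"),
    bytes.fromhex("32010001000405000500"),
    bytes.fromhex("000100040500"),
    bytes.fromhex("32000100040500"),
]

if __name__ == "__main__":
    vecs, var = attack_vectors(ATTACK_DATA, k=2)
    print("variance along each principal axis:", [round(x, 6) for x in var])
    for m, v in zip(ATTACK_DATA, vecs):
        print(m.hex().ljust(24), [round(x, 4) for x in v])
```

The histogram featurisation is deliberately simple; any fixed-length encoding works as long as every attack message is mapped the same way, since the point of S400 is that the PCA sees one uniform vector format regardless of how the mutation step changed message lengths.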
In a second aspect, the present application provides an attack vector generation system for an industrial control network which, as shown in fig. 6, includes an equipment monitoring and retrieval module, a vulnerability detection module, an attack data generation module and an attack vector generation module;
the equipment monitoring and retrieval module is used for monitoring all industrial control equipment in the industrial control network, retrieving the industrial control equipment that is operating abnormally as abnormal industrial control equipment, and analyzing and acquiring the industrial control protocol matching the abnormal industrial control equipment;
the vulnerability detection module is used for acquiring historical operating data of the abnormal industrial control equipment and comparing it with a preset vulnerability library to obtain a vulnerability comparison result;
the attack data generation module is used for acquiring an attack model matching the industrial control protocol from a pre-constructed attack model library and generating attack data based on the attack type of the attack model and the vulnerability comparison result;
and the attack vector generation module is used for reducing the dimension of the attack data to generate an attack vector.
The above are only preferred embodiments of the present invention; it should be noted that modifications and improvements made by those skilled in the art without departing from the technical solution should also be regarded as falling within the scope of the claims.

Claims (9)

1. An attack vector generation method for an industrial control network, characterized by comprising the following steps:
monitoring all industrial control equipment under an industrial control network, retrieving the industrial control equipment that is operating abnormally as abnormal industrial control equipment, and analyzing and acquiring an industrial control protocol matching the abnormal industrial control equipment;
obtaining historical operating data of the abnormal industrial control equipment, and comparing the historical operating data with a preset vulnerability library to obtain a vulnerability comparison result;
acquiring an attack model matching the industrial control protocol from a pre-constructed attack model library, and generating attack data based on the attack type of the attack model and the vulnerability comparison result; wherein the step of generating the attack data comprises: initializing the obtained attack model and determining an attack type corresponding to the attack model; running the attack model, executing an attack type function in the attack model according to the attack type, processing the equipment vulnerability data, and generating the attack data;
and performing dimension reduction on the attack data to generate an attack vector.
2. The attack vector generation method for an industrial control network according to claim 1, characterized in that monitoring all industrial control equipment under the industrial control network, retrieving the industrial control equipment that is operating abnormally as abnormal industrial control equipment, and analyzing and acquiring the industrial control protocol matching the abnormal industrial control equipment comprises:
retrieving the industrial control equipment through an equipment retrieval engine to obtain an industrial control equipment retrieval result;
screening the industrial control equipment retrieval result and removing redundant and irrelevant data from it to obtain an abnormal industrial control equipment retrieval result;
and parsing the industrial control protocol of the abnormal industrial control equipment from the abnormal industrial control equipment retrieval result, and acquiring the data packets of the abnormal industrial control equipment based on the parsed industrial control protocol.
3. The attack vector generation method for an industrial control network according to claim 2, characterized in that before obtaining the historical operating data of the abnormal industrial control equipment and comparing the historical operating data with a preset vulnerability library to obtain a vulnerability comparison result, a step of constructing a vulnerability comparison library is performed, comprising:
acquiring comparison vulnerability data from an existing vulnerability database through a data interface and/or acquiring comparison vulnerability data from the industrial network through a crawler engine;
determining the field content corresponding to the comparison vulnerability data;
establishing a comparison vulnerability database storage table according to the field content;
and establishing a comparison vulnerability database comprising the comparison vulnerability data and the comparison vulnerability database storage table.
4. The attack vector generation method for an industrial control network according to claim 3, characterized in that obtaining the historical operating data of the abnormal industrial control equipment and comparing the historical operating data with a preset vulnerability library to obtain a vulnerability comparison result comprises:
obtaining historical operating data from the data packets of the abnormal industrial control equipment;
determining the field content of the historical operating data and judging whether the field content of the historical operating data is complete; if not, determining that the historical operating data are data that do not meet the vulnerability standard;
if complete, comparing the field content of the historical operating data with the field content of the vulnerabilities in the vulnerability comparison library;
if the historical operating data contain no field content that is identical to the field content of a vulnerability in the vulnerability comparison library, the historical operating data do not include equipment vulnerability data;
if the historical operating data contain field content that is identical to the field content of a vulnerability in the vulnerability comparison library, extracting from the historical operating data the field content that is identical to the field content of that vulnerability in the vulnerability comparison library as the equipment vulnerability data.
5. The attack vector generation method for an industrial control network according to claim 4, characterized in that running the attack model, executing an attack type function in the attack model according to the attack type, processing the equipment vulnerability data and generating the attack data comprises:
executing a characteristic data field abnormal attack type function in the attack model, replacing a characteristic data field value in the equipment vulnerability data with a preset abnormal value, and generating the attack data.
6. The attack vector generation method for an industrial control network according to claim 5, characterized in that executing a characteristic data field abnormal attack type function in the attack model, replacing a characteristic data field value in the equipment vulnerability data with a preset abnormal value, and generating the attack data comprises:
parsing the characteristic data field abnormal attack type function to obtain the parameters of the characteristic data field abnormal attack type function;
judging whether the parameters include an abnormal data list;
if so, replacing the characteristic data field value in the equipment vulnerability data with the values in the abnormal data list to generate the attack data;
if not, extracting the missing attack data from an attack model database according to the type of the characteristic data field in the equipment vulnerability data, replacing the characteristic data field value in the equipment vulnerability data with the extracted attack data, and generating the attack data.
7. The attack vector generation method for an industrial control network according to claim 6, characterized in that running the attack model, executing an attack type function in the attack model according to the attack type, processing the equipment vulnerability data and generating the attack data further comprises:
executing a context inconsistent attack type function in the attack model, swapping the positions of field contents in the equipment vulnerability data, and generating the attack data;
and executing a context inconsistent attack type function in the attack model, filling preset irrelevant data before or after a field content in the equipment vulnerability data, and generating the attack data.
8. The attack vector generation method for an industrial control network according to claim 6 or 7, characterized in that performing dimension reduction on the attack data to generate an attack vector comprises:
reducing the dimension of the attack data through a principal component analysis (PCA) algorithm, converting the attack data into a uniform vector format, and generating the attack vector.
9. An attack vector generation system for an industrial control network, characterized in that the system comprises an equipment monitoring and retrieval module, a vulnerability detection module, an attack data generation module and an attack vector generation module;
the equipment monitoring and retrieval module is used for monitoring all industrial control equipment in the industrial control network, retrieving the industrial control equipment that is operating abnormally as abnormal industrial control equipment, and analyzing and acquiring the industrial control protocol matching the abnormal industrial control equipment;
the vulnerability detection module is used for acquiring historical operating data of the abnormal industrial control equipment and comparing it with a preset vulnerability library to obtain a vulnerability comparison result;
the attack data generation module is used for acquiring an attack model matching the industrial control protocol from a pre-constructed attack model library and generating attack data based on the attack type of the attack model and the vulnerability comparison result; wherein the step of generating the attack data comprises: initializing the obtained attack model and determining an attack type corresponding to the attack model; running the attack model, executing an attack type function in the attack model according to the attack type, processing the equipment vulnerability data, and generating the attack data;
and the attack vector generation module is used for reducing the dimension of the attack data to generate an attack vector.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210373745.7A CN114448738B (en) 2022-04-11 2022-04-11 Attack vector generation method and system for industrial control network


Publications (2)

Publication Number Publication Date
CN114448738A CN114448738A (en) 2022-05-06
CN114448738B true CN114448738B (en) 2022-07-26

Family

ID=81360507


Country Status (1)

Country Link
CN (1) CN114448738B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115826542B (en) * 2023-02-16 2023-05-05 北京网藤科技有限公司 Intelligent production regulation and control system and method based on industrial Internet
CN116382250B (en) * 2023-05-24 2023-11-28 岭东核电有限公司 Industrial control attack event monitoring and sensing processing method and system and storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107612927B (en) * 2017-10-13 2020-10-13 中国电力科学研究院 Safety detection method for power dispatching automation system
CN111741018B (en) * 2020-07-24 2020-12-01 中国航空油料集团有限公司 Industrial control data attack sample generation method and system, electronic device and storage medium
CN112202736B (en) * 2020-09-15 2021-07-06 浙江大学 Communication network anomaly classification method based on statistical learning and deep learning
CN112565278A (en) * 2020-12-08 2021-03-26 浙江国利网安科技有限公司 Attack capturing method and honeypot system
CN113904819A (en) * 2021-09-27 2022-01-07 广西师范大学 Safety system applied to industrial control network
CN113660296B (en) * 2021-10-21 2023-04-18 中国核电工程有限公司 Method and device for detecting anti-attack performance of industrial control system and computer equipment



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant