CN115037508B - Multi-step attack modeling method and system for industrial control system - Google Patents


Info

Publication number: CN115037508B
Authority: CN (China)
Prior art keywords: attack, vulnerability, graph, equipment, information
Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Application number: CN202210438285.1A
Other languages: Chinese (zh)
Other versions: CN115037508A (application publication)
Inventors: 王佰玲, 陈翊璐, 王子博, 魏玉良, 辛国栋
Current assignee: Weihai Tianzhiwei Network Space Safety Technology Co ltd; Harbin Institute of Technology Weihai
Original assignee: Weihai Tianzhiwei Network Space Safety Technology Co ltd; Harbin Institute of Technology Weihai
Application filed by Weihai Tianzhiwei Network Space Safety Technology Co ltd and Harbin Institute of Technology Weihai
Priority: CN202210438285.1A
Application published as CN115037508A; granted and published as CN115037508B

Classifications

    • H04L 63/1433 Vulnerability analysis (under H04L 63/14, network architectures or network communication protocols for detecting or protecting against malicious traffic; H04L 63/00, network architectures or network communication protocols for network security)
    • H04L 41/12 Discovery or management of network topologies (under H04L 41/00, arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network (under H04L 41/14, network analysis or design)
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (under Y02P 90/00, enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

A multi-step attack modeling method and system for an industrial control system: system topology analysis and system vulnerability processing are performed to generate an attack graph; an AND/OR graph is constructed from the functional dependencies between the physical component devices; an AND/OR attack graph is generated from the attack graph and the AND/OR graph; and the AND/OR attack graph is expanded. The method and system address the high complexity of existing attack modeling methods, let security analysts grasp an attacker's behaviour and intent globally and fully understand the current threat situation of the industrial control system, and can be widely applied in the field of big data processing.

Description

Multi-step attack modeling method and system for industrial control system
Technical Field
The application relates to the field of big data processing, in particular to a multi-step attack modeling method and system for an industrial control system.
Background
Industrial control systems are increasingly integrated with Internet technology, so the originally closed environment is gradually being opened up; in addition, the configuration software, communication protocols, programmable logic controllers, actuators and other components native to industrial control systems have vulnerabilities. In recent years, security incidents against industrial control systems have often combined several vulnerabilities into a multi-step attack that ultimately disrupts the normal operation of the equipment at the physical execution layer. Attack modeling therefore needs to cover combined multi-vulnerability attacks and non-networked devices, so that threat analysts can grasp the security situation of the current environment in time. Current attack modeling methods for industrial control systems include traditional attack modeling methods and newer attack modeling methods.
Traditional attack modeling methods include the attack tree and the attack graph. An attack tree shows attack behaviours and outcomes through its root and leaf nodes; a path from the root to a leaf is an attack path. When a complex multi-step attack is analysed, the attack tree suffers from a huge data structure and low analysis efficiency. An attack graph can express more complex attack situations than an attack tree, can enumerate and visualise every possible path by which an attacker succeeds, and is an important tool for analysing multi-step combined attacks. However, attack graphs are usually generated from network reachability relations and therefore omit the non-networked devices of the physical process layer of an industrial control system. In addition, traditional attack modeling methods tend to focus on the specific details of system vulnerabilities and ignore the relation between the attacker's global objective and the individual attack behaviours, so security analysts have some difficulty understanding the attack scenario.
For the frequent new APT attacks of recent years, the kill chain, the MITRE ATT&CK model and others have been proposed in turn. The kill chain model shows the attacker's goal and the risk to the defended system at a high level of abstraction, based on the attack life cycle, and has difficulty expressing concrete attack behaviours and the data, protective measures and configured resources associated with them. The MITRE ATT&CK model builds on the kill chain model and describes attacks in terms of tactics, techniques and procedures, from abstract purpose through implementation technique to concrete instances, and is closer to the behaviour of a real attacker. While the MITRE ATT&CK model provides a detailed analysis of how attacks are carried out, its detailed natural-language descriptions are hard for a machine to process, which adds to the complexity of attack analysis to some extent.
Disclosure of Invention
To solve the above technical problems, the application provides a multi-step attack modeling method and system for an industrial control system.
A first aspect of an embodiment of the present application provides a multi-step attack modeling method for an industrial control system, comprising:
performing system topology analysis and system vulnerability processing to generate an attack graph;
constructing an AND/OR graph from the functional dependencies between the physical component devices;
generating an AND/OR attack graph from the attack graph and the AND/OR graph;
and expanding the AND/OR attack graph.
Preferably, the attack graph is generated as follows:
the system device information and the initial topology are obtained through system network topology analysis, the topology information is updated using topology scanning and vulnerability scanning tools, and vulnerability information is collected; the pre- and post-conditions of the vulnerabilities, the affected products, the attack modes and the attack results are extracted from the security information base, and the attack graph of the networked devices is generated with a breadth-first search algorithm based on the device, topology and vulnerability information.
Preferably, the system topology analysis is implemented as follows:
the system devices and their connections are analysed in the system design documents to obtain the initial system topology, and the network information of the devices is collected; the industrial control devices are probed with a scanning tool without affecting the normal operation of the system, and the topology of the industrial control system is updated so that the attack graph can be updated; at the same time, the device IP, type, manufacturer and communication information are extracted from the scan results and configuration files and stored.
Preferably, the system vulnerability processing is implemented as follows:
based on the obtained system device information and network information, the system is scanned with a vulnerability scanning tool without affecting its normal operation and vulnerability information is collected; for communication vulnerabilities the vulnerability name, source IP, destination IP, subnet and communication protocol are extracted and stored; for device vulnerabilities, vulnerability descriptions are collected from security information sources, and the vulnerability number, vulnerable product, vulnerability type, pre- and post-conditions, attack mode and attack result are extracted from the descriptions and stored.
Preferably, the AND/OR graph is constructed as follows:
for the non-networked devices, the physical component device information of the PLCs, sensors and actuators is obtained from the system design documents and configuration files, the PLC program is read, and the functional dependencies among the PLCs, sensors and actuators are obtained to construct the AND/OR graph.
Preferably, the AND/OR attack graph is generated as follows:
the AND/OR attack graph is generated by judging whether a control device vulnerability in the attack graph affects the physical devices connected to that control device in the AND/OR graph.
Preferably, the AND/OR attack graph consists of nodes and directed edges, where the nodes comprise device nodes, vulnerability nodes and intermediate nodes. First the correspondence between the control devices in the attack graph and the control devices in the AND/OR graph is determined; then it is judged whether the vulnerability attack result of a control device in the attack graph affects the other devices connected to that control device in the AND/OR graph. If it does, the affected devices are retained and the AND node or OR node between the two devices is converted into an and edge or an or edge; if two logic nodes are directly connected between the two devices, the two logic nodes and the edge between them are converted into an intermediate node and the and/or edges are added according to the logic nodes, thereby generating the AND/OR attack graph.
Preferably, the AND/OR attack graph is expanded as follows:
the AND/OR attack graph is expanded by matching vulnerability information against attack information using an object-oriented attack description.
A second aspect of the present application provides a multi-step attack modeling system for an industrial control system, comprising:
an attack graph generation module, for performing system topology analysis and system vulnerability processing to generate an attack graph;
an AND/OR graph construction module, for constructing an AND/OR graph from the functional dependencies between the physical component devices;
an AND/OR attack graph generation module, for generating an AND/OR attack graph from the attack graph and the AND/OR graph;
and an expansion module, for expanding the AND/OR attack graph.
The method uses vulnerability information to combine the attack graph of the networked devices with the AND/OR graph of the non-networked devices into an AND/OR attack graph covering all devices of the industrial control system; it describes the ATT&CK matrix knowledge base in an object-oriented language and adds attack tactic, technique and procedure information to the AND/OR attack graph to describe multi-step attack information, so that security analysts can grasp the security situation of the industrial control system globally. Because the attack knowledge is described in an object-oriented language, it can be extended and generalised; a multi-step attack graph is generated for both the networked and the non-networked devices of the industrial control system; and the attack graph can be presented both at the more concrete vulnerability level and at the more abstract tactic, technique and procedure level.
Drawings
FIG. 1 is a schematic flow chart of a multi-step attack modeling method for an industrial control system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of an industrial control system topology according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an attack graph according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an AND/OR graph topology of an industrial control system according to an embodiment of the present application;
FIG. 5 is a flowchart of generating an AND/OR attack graph according to an embodiment of the present application;
FIG. 6 is a schematic diagram of an AND/OR attack graph according to an embodiment of the present application;
FIG. 7 is a diagram of the asset relationships of an industrial control system according to an embodiment of the present application;
FIG. 8 is a diagram showing the correspondence between the ATT&CK matrix and the attack classes according to an embodiment of the present application;
FIG. 9 is a schematic diagram of an asset attack scenario according to an embodiment of the present application;
FIG. 10 is a vulnerability-attack relationship diagram according to an embodiment of the present application;
FIG. 11 is a schematic diagram of an expanded AND/OR attack path according to an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a multi-step attack modeling system for an industrial control system according to an embodiment of the present application.
Detailed Description
In order to make the technical problem to be solved, the technical solution and the beneficial effects clearer, the application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are for illustration only and are not intended to limit the scope of the application.
Referring to FIG. 1, a flow chart of a multi-step attack modeling method for an industrial control system according to an embodiment of the present application, only the parts relevant to this embodiment are shown for convenience of explanation; the details are as follows:
In one embodiment, a multi-step attack modeling method for an industrial control system includes the following steps:
S101: perform system topology analysis and system vulnerability processing to generate an attack graph.
Specifically, the system device information and the initial topology are obtained through system network topology analysis, the topology information is updated using topology scanning and vulnerability scanning tools, and vulnerability information is collected; the pre- and post-conditions of the vulnerabilities, the affected products, the attack modes and the attack results are extracted from the security information base, and the attack graph of the networked devices is generated with a breadth-first search algorithm based on the device, topology and vulnerability information.
S1011: system topology analysis
As shown in fig. 2, taking an industrial control system as an example, analyzing system devices and connection relations thereof in a system design document, obtaining a system topology structure in an initial stage, and collecting network information of the devices. Considering that the system may change in the actual production process, various scanning tools can be used to detect the industrial control equipment without affecting the normal operation of the system, and the topology structure of the industrial control system is updated, so that an attack graph described later is updated. Meanwhile, information such as equipment IP, type, manufacturer, communication and the like is extracted and stored according to the scanning result, configuration file and the like.
S1012: System vulnerability processing
Based on the obtained system device information and network information, several vulnerability scanning tools are used to scan the system without affecting its normal operation, and vulnerability information is collected. For communication vulnerabilities, the vulnerability name, source IP, destination IP, subnet, communication protocol and other information are extracted and stored; for device vulnerabilities, vulnerability descriptions are collected from security information sources such as CVE, CNNVD, CWE and CAPEC, and the vulnerability number, vulnerable product, vulnerability type, pre- and post-conditions, attack mode and attack result are extracted from the descriptions and stored.
Here the vulnerability number is a CVE number or an abstract vulnerability type; the vulnerable product is the product that has the vulnerability, such as a remote connection service, operating system, communication protocol or programming software; the pre- and post-conditions are the conditions under which the vulnerability can be exploited and the state that exploiting it yields; the vulnerability type is the kind of vulnerability; the attack mode comes from CAPEC and denotes a possible method of exploiting the vulnerability; the attack result is the consequence of exploiting the vulnerability, such as tampering or injection that destroys integrity, breaches of access control such as privilege escalation, reading of data and files that destroys confidentiality, and denial of service or a system crash that destroys availability.
S1013: Generation of the attack graph
The attack graph consists of nodes and directed edges. The nodes comprise device nodes, network nodes and vulnerability nodes; the edges are directed edges connecting nodes and are of two types, has and reach. A device node is described by the device information DEV = (device IP, device name, device type, vulnerability set); a vulnerability node is described by the vulnerability information (vulnerability number, vulnerable product, vulnerability type, attack mode, attack result). One device may have several vulnerabilities; a directed edge from a device node to a vulnerability node is defined as a has relation, and an edge between two devices as a reach relation. Based on the results of the system topology analysis and device vulnerability processing, the device information table is shown in Table 1, the vulnerability information table in Table 2 and the device reachability table in Table 3, where in the reachability table 1 denotes reachable and 0 not reachable.
Table 1 Device information table

Device IP   Device name       Device type        Vulnerability number
IP1         PC1               Host               CVE-2020-0662
IP2         PC2               Host               CVE-2016-10010
IP3         PC3               Host               CVE-2021-41617
IP4         DatabaseServer    Database           CVE-2020-16924
IP5         OperatorStation   Operator station   CVE-2014-8551
IP6         EngineerStation   Engineer station   CVE-2015-1601
IP7         SCADA             SCADA              CVE-2018-11453
IP8         PLC               Control device     CVE-2021-37204
Table 2 Vulnerability information table
Table 3 Device reachability table

From \ To   IP1   IP2   IP3   IP4   IP5   IP6   IP7   IP8
IP1          0     1     1     0     0     0     0     0
IP2          0     0     1     0     0     0     0     0
IP3          0     0     0     1     0     0     0     0
IP4          0     0     0     0     1     0     0     0
IP5          0     0     0     0     0     1     1     1
IP6          0     0     0     0     0     0     0     1
IP7          0     0     0     0     0     0     0     1
IP8          0     0     0     0     0     0     0     0
When constructing the attack graph, the attack entry point can be chosen according to the specific attack scenario. Here PC1 is taken as the entry point and an attack graph containing several vulnerabilities is built with a breadth-first search: the device information, vulnerability information and device reachability information are read; device nodes and vulnerability nodes are added, with a has edge between each device and its vulnerabilities; starting from PC1, all nodes reachable from the current node are traversed together with their vulnerability information, and if the vulnerability post-condition of the current node satisfies the vulnerability pre-condition of a reachable node, a reach edge is added between the two device nodes; traversed nodes are marked, until all nodes are marked. Loops in the graph are handled under the monotonicity principle, and devices not on any attack path, together with unexploited vulnerability nodes, are deleted. The attack graph generated in this way is shown schematically in FIG. 3, where device nodes are labelled by device name and vulnerability nodes by vulnerability number.
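As an added worked example (not the patent's own code), the breadth-first construction described above in Python. The device rows and the reachability matrix follow Tables 1 and 3; the vulnerability pre- and post-conditions are constructed stand-ins for Table 2, which is not reproduced on this page, and do not describe the real CVEs. Pruning is done relative to a chosen target device (the PLC), which is one reading of "devices not on the attack path"; the attacker's starting state ("network_access") is likewise an assumption.

```python
from collections import deque

# Constructed sample data. Device rows follow Table 1 and the reachability
# matrix follows Table 3 of the page. The pre-/post-conditions are assumed
# stand-ins for Table 2 and do not describe the real CVEs.
DEVICES = {  # ip: (device name, device type, vulnerability number)
    "IP1": ("PC1", "Host", "CVE-2020-0662"),
    "IP2": ("PC2", "Host", "CVE-2016-10010"),
    "IP3": ("PC3", "Host", "CVE-2021-41617"),
    "IP4": ("DatabaseServer", "Database", "CVE-2020-16924"),
    "IP5": ("OperatorStation", "Operator station", "CVE-2014-8551"),
    "IP6": ("EngineerStation", "Engineer station", "CVE-2015-1601"),
    "IP7": ("SCADA", "SCADA", "CVE-2018-11453"),
    "IP8": ("PLC", "Control device", "CVE-2021-37204"),
}
# "pre": attacker states under which the exploit works; "post": state gained.
VULNS = {
    "CVE-2020-0662": {"pre": {"network_access"}, "post": "host_user"},
    "CVE-2016-10010": {"pre": {"host_user"}, "post": "host_root"},
    "CVE-2021-41617": {"pre": {"host_user"}, "post": "host_root"},
    "CVE-2020-16924": {"pre": {"host_root"}, "post": "db_access"},
    "CVE-2014-8551": {"pre": {"db_access"}, "post": "hmi_control"},
    "CVE-2015-1601": {"pre": {"hmi_control"}, "post": "engineering_access"},
    "CVE-2018-11453": {"pre": {"hmi_control"}, "post": "scada_control"},
    "CVE-2021-37204": {"pre": {"engineering_access", "scada_control"}, "post": "plc_control"},
}
IPS = ["IP1", "IP2", "IP3", "IP4", "IP5", "IP6", "IP7", "IP8"]
REACH_MATRIX = [
    [0, 1, 1, 0, 0, 0, 0, 0],
    [0, 0, 1, 0, 0, 0, 0, 0],
    [0, 0, 0, 1, 0, 0, 0, 0],
    [0, 0, 0, 0, 1, 0, 0, 0],
    [0, 0, 0, 0, 0, 1, 1, 1],
    [0, 0, 0, 0, 0, 0, 0, 1],
    [0, 0, 0, 0, 0, 0, 0, 1],
    [0, 0, 0, 0, 0, 0, 0, 0],
]
REACH = {a: {b: bool(REACH_MATRIX[i][j]) for j, b in enumerate(IPS)}
         for i, a in enumerate(IPS)}


def _simple_paths(src, dst, succ, path=None):
    """Depth-first enumeration of simple paths src -> dst over a successor map."""
    path = [src] if path is None else path + [src]
    if src == dst:
        yield path
        return
    for nxt in sorted(succ.get(src, ())):
        if nxt not in path:
            yield from _simple_paths(nxt, dst, succ, path)


def build_attack_graph(entry, target, devices=DEVICES, vulns=VULNS, reach=REACH):
    """Breadth-first construction of the networked-device attack graph.

    A reach edge (cur -> nxt) is added only when the post-condition of cur's
    vulnerability satisfies the pre-condition of nxt's vulnerability. A visited
    device is never re-queued (monotonicity: re-exploiting it gains nothing),
    which keeps loops out of the graph. Devices on no entry -> target path and
    their vulnerability nodes are pruned afterwards.
    """
    reach_edges, visited, queue = set(), {entry}, deque([entry])
    while queue:
        cur = queue.popleft()
        cur_post = vulns[devices[cur][2]]["post"]
        for nxt, ok in reach[cur].items():
            if ok and cur_post in vulns[devices[nxt][2]]["pre"]:
                reach_edges.add((cur, nxt))
                if nxt not in visited:
                    visited.add(nxt)
                    queue.append(nxt)
    succ = {}
    for a, b in reach_edges:
        succ.setdefault(a, set()).add(b)
    on_path = set()
    for path in _simple_paths(entry, target, succ):
        on_path.update(path)
    reach_edges = {(a, b) for a, b in reach_edges if a in on_path and b in on_path}
    return {
        "devices": on_path,
        "vulns": {devices[ip][2] for ip in on_path},
        "has": {(ip, devices[ip][2]) for ip in on_path},
        "reach": reach_edges,
    }


def attack_paths(graph, entry, target, devices=DEVICES):
    """All attack paths of the pruned graph, as lists of device names."""
    succ = {}
    for a, b in graph["reach"]:
        succ.setdefault(a, set()).add(b)
    return [[devices[ip][0] for ip in p] for p in _simple_paths(entry, target, succ)]


if __name__ == "__main__":
    g = build_attack_graph("IP1", "IP8")
    for p in attack_paths(g, "IP1", "IP8"):
        print(" -> ".join(p))
```

With the constructed conditions, PC2 is reachable from PC1 but its post-condition does not satisfy PC3's pre-condition, so PC2 (and CVE-2016-10010) is pruned; the OperatorStation can reach the PLC on the network, yet no reach edge is added because its post-condition does not match the PLC's pre-condition, leaving two attack paths, through the engineer station and through SCADA.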
S102: construct an AND/OR graph from the functional dependencies between the physical component devices.
Specifically, for the non-networked devices, the physical component device information of the PLCs, sensors, actuators and so on is obtained from the system design documents and configuration files, the PLC program is read, and the functional dependencies among the PLCs, sensors and actuators are obtained to construct the AND/OR graph.
The application denotes the AND/OR graph as $G = \{V, E\}$, where $V = N \cup L$ is the set of nodes and $E = E_{N,N} \cup E_{N,L} \cup E_{L,N} \cup E_{L,L}$ is the set of directed edges connecting them. $N$ is the set of physical devices such as PLCs, actuators and sensors; $L$ is the set of logical connectives AND and OR. $E_{N,N} = \{(m, n) \mid m, n \in N\}$ is an edge between physical devices, meaning that node $n$ needs node $m$ to provide the resources it requires in order to operate normally; $E_{N,L} = \{(m, n) \mid m \in N, n \in L\}$ means that node $m$ is an input of AND/OR node $n$; $E_{L,N} = \{(n, m) \mid m \in N, n \in L\}$ means that $m$ is an output of AND/OR node $n$: if $n$ is an OR node, $m$ operates normally when at least one input of the OR node is satisfied, and if $n$ is an AND node, $m$ operates normally when all inputs of the AND node are satisfied; $E_{L,L} = \{(m, n) \mid m, n \in L\}$ is a connection between AND/OR nodes.
FIG. 4 is a schematic diagram of the AND/OR graph topology of an industrial control system, in which the actuator depends on the output of the PLC, and the PLC can operate normally in two ways: with the readings of sensor 1 and sensor 2, or with the readings of sensor 2 and sensor 3.
S103: generate an AND/OR attack graph from the attack graph and the AND/OR graph.
Specifically, in an industrial control system the non-networked devices are generally controlled by a control device, so the networked and non-networked devices can be modelled together according to whether a control device vulnerability affects the function of the physical devices connected to that control device; that is, the AND/OR attack graph is generated by judging whether a control device vulnerability in the attack graph affects the physical devices connected to that control device in the AND/OR graph.
The AND/OR attack graph consists of nodes and directed edges. The nodes comprise device nodes, vulnerability nodes and intermediate nodes; the device node and vulnerability node information is as in Tables 1 and 2, and, for ease of description, two directly connected AND/OR logic nodes together with the edge between them are expressed as an intermediate node (that edge itself carries no meaning). The edge types are has, reach, and, or and execution: an and edge means that the end-point device operates normally only if the start-point devices of all and edges into it are satisfied; an or edge means that the end-point device operates normally if the start-point device of at least one or edge into it is satisfied; and an execution edge means that the end-point device needs the start-point device to provide normal resources in order to operate normally.
FIG. 5 is the flowchart for generating the AND/OR attack graph. First the correspondence between a control device in the attack graph and the same control device in the AND/OR graph is determined; then it is judged whether the vulnerability attack result of that control device in the attack graph affects the other devices connected to it in the AND/OR graph. If it does, the affected devices are retained and the AND node or OR node between the two devices is converted into an and or an or edge; if two logic nodes are directly connected between the two devices, the two logic nodes and the edge between them are converted into an intermediate node and the and/or edges are added according to the logic nodes. The resulting AND/OR attack graph is shown in FIG. 6, where devices are represented by device names and vulnerabilities by vulnerability numbers.
S104: expand the AND/OR attack graph.
Specifically, the AND/OR attack graph is expanded by matching vulnerability information against attack information using an object-oriented attack description.
First the objects of the attack description are determined: the industrial assets and the corresponding attacks. For a typical industrial control system, the industrial control assets comprise industrial control devices and industrial control networks. The industrial control devices can be generalised as controllers, I/O servers, safety instrumented systems (SIS), historians, engineer stations, control servers, human-machine interfaces and safety protection devices. Accordingly an abstract device class and an abstract network class are constructed, the network being what the devices communicate over. The abstract device class is specialised into a general device class and an industrial control device class, the abstract network class into a general network class and an industrial control network class, and the industrial control asset class into a controller class, an I/O server class, an SIS class, a historian class, an engineer station class, a control server class, a human-machine interface class and a safety protection device class; each asset class inherits an asset description attribute that introduces the asset. The relations between the asset classes are shown in FIG. 7.
The attack objects are represented by the tactics, techniques and procedures of the ATT&CK matrix. Tactics appear in the ATT&CK matrix as the column names and denote the purpose for which an attacker uses a technique; a technique, one per box in a tactic column of the matrix, is an attack technique the attacker uses; a procedure is given on the technique page and is the specific process by which an attacker carries out a technique. The attack class names are determined by the tactics: an initial access class, an execution class, a persistence class, a privilege escalation class, an evasion class, a discovery class, a lateral movement class, a collection class, a command and control class, an inhibit response function class, an impair process control class and an impact class. A tactic description attribute is added to each attack class to describe the tactic, the techniques are then added to each attack class as member functions, and the procedure is the return value of the technique function; the correspondence is shown in FIG. 8. At the same time, the objects and operations are extracted from the Description of the technique page and stored in the database together with the technique and tactic, where an object is the target of the technique, such as an operating system, and an operation is the manner the exploitation may take, such as tampering.
An association is added between the asset classes and the attack classes according to which techniques apply to which industrial control assets, so that an asset class can call the methods of the attack classes; part of the class diagram is shown in FIG. 9.
From the perspective of system vulnerabilities, a device has one or more vulnerabilities, each of which may be exploited by one or more attack modes and produce one or more effects on the system; from the attack perspective, an attacker uses one or more attack techniques on the target asset to achieve one or more malicious purposes. The effect of a vulnerability corresponds to the attacker's purpose, and the attack technique corresponds to the attack mode, as shown in FIG. 10. With regard to attack modes and techniques, 112 CAPEC attack patterns correspond directly to ATT&CK techniques, and these direct correspondences are stored in the database.
To map vulnerabilities to attacks, an exploit method is added to the asset class; it obtains the attack information corresponding to a vulnerability. The method takes the vulnerable product, vulnerability type, attack mode and attack result from the vulnerability information as input. It first queries the database for a technique corresponding to the attack mode and, if one exists, returns that technique function; otherwise it queries the database tables with the vulnerability type and the attack result as the operation, technique or tactic fields in turn, obtains the corresponding technique name and returns the corresponding technique function. Finally, the procedure information is obtained from the return value of the technique function.
Attack nodes are added to the AND/OR attack graph to show multi-step attack information. The attack information is represented by the quadruple ATT = (attack number, tactic, technique, procedure); the attack number starts at 1 and is incremented by 1 for each new node, uniquely identifying the attack node information. An exploit edge is also added, indicating that the vulnerability node can be exploited using the attack node. The device nodes and vulnerability nodes of the AND/OR attack graph are traversed; for each device node the corresponding asset class is found from its device type, and for each vulnerability of the device node the attack information is obtained with the asset class's exploit method. If the same attack information already exists in the attack graph, an exploit directed edge is added directly between the existing attack node and the vulnerability node; otherwise an attack node containing the attack information is added, and a record is added to the attack information table. The attack graph generated in this way is illustrated by one attack path in FIG. 11, where attack nodes are denoted by their attack numbers; the attack information table is shown in Table 4.
Table 4 attack information table
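The following is an added example, not code from the patent or its authors, that shows in Python how the object-oriented attack description, the asset class's exploit lookup and the attack-node expansion of the AND/OR attack graph described above fit together. The technique table, the attack-pattern correspondence, the device and vulnerability records and the class and function names (`AttackClass`, `Asset.exploit`, `AndOrAttackGraph.expand`, `demo`) are all constructed assumptions; the placeholder pattern keys are not CAPEC identifiers.

```python
# Added example, not the patent's own code: an object-oriented ATT&CK description
# with an Asset.exploit() lookup, then extension of an AND/OR attack graph with
# attack nodes and exploit edges. All rows, names and devices are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the technique table: technique, tactic, object,
# operation, and the procedure text returned by the technique function.
TECHNIQUE_TABLE = [
    ("Exploitation of Remote Services", "Lateral Movement", "service", "exploit",
     "use a vulnerable network service to obtain control of the host"),
    ("Modify Parameter", "Impair Process Control", "PLC", "tamper",
     "alter a process parameter held by the controller"),
]
# Constructed attack-pattern -> technique correspondence (placeholder keys,
# standing in for the direct CAPEC mappings the patent stores).
PATTERN_TO_TECHNIQUE = {"pattern-exploit-service": "Exploitation of Remote Services"}

Attack = Tuple[str, str, str]  # (tactic, technique, procedure)

class AttackClass:
    """One attack class per tactic; each technique is a function returning its procedure."""
    def __init__(self, tactic: str):
        self.tactic_description = f"tactic: {tactic}"
        self.techniques: Dict[str, Callable[[], str]] = {}

    def add_technique(self, name: str, procedure: str) -> None:
        self.techniques[name] = lambda: procedure

def build_attack_classes() -> Dict[str, AttackClass]:
    classes: Dict[str, AttackClass] = {}
    for technique, tactic, _obj, _op, procedure in TECHNIQUE_TABLE:
        classes.setdefault(tactic, AttackClass(tactic)).add_technique(technique, procedure)
    return classes

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    product: str
    vuln_type: str
    attack_mode: str
    attack_result: str

class Asset:
    """Asset class; the attack classes it may apply are its association relation."""
    def __init__(self, device_type: str, classes: Dict[str, AttackClass]):
        self.device_type = device_type
        self.classes = classes

    def _lookup(self, technique: str) -> Optional[Attack]:
        for tactic, cls in self.classes.items():
            fn = cls.techniques.get(technique)
            if fn is not None:
                return (tactic, technique, fn())  # procedure comes from the function's return
        return None

    def exploit(self, v: Vulnerability) -> Optional[Attack]:
        # 1) direct attack-pattern -> technique correspondence, if the table has one
        technique = PATTERN_TO_TECHNIQUE.get(v.attack_mode)
        if technique:
            return self._lookup(technique)
        # 2) otherwise match vulnerability type / attack result against the
        #    operation, technique or tactic fields of the table
        for technique, tactic, _obj, operation, _proc in TECHNIQUE_TABLE:
            fields = (operation, technique, tactic)
            if v.vuln_type in fields or v.attack_result in fields:
                return self._lookup(technique)
        return None

class AndOrAttackGraph:
    """Only the parts this step touches: device nodes with their vulnerabilities,
    numbered attack nodes, and exploit edges (attack node -> vulnerability node)."""
    def __init__(self, devices: Dict[str, Tuple[str, List[Vulnerability]]]):
        self.devices = devices                            # name -> (device type, vulnerabilities)
        self.attack_table: Dict[int, Attack] = {}         # attack number -> (tactic, technique, procedure)
        self.exploit_edges: List[Tuple[int, str]] = []    # (attack number, vulnerability id)

    def expand(self, assets: Dict[str, Asset]) -> None:
        seen: Dict[Attack, int] = {}
        for dtype, vulns in self.devices.values():
            for v in vulns:
                att = assets[dtype].exploit(v)
                if att is None:
                    continue
                if att not in seen:  # new attack node and a new attack-table record
                    seen[att] = len(self.attack_table) + 1
                    self.attack_table[seen[att]] = att
                self.exploit_edges.append((seen[att], v.vuln_id))  # otherwise reuse the node

def demo() -> AndOrAttackGraph:
    classes = build_attack_classes()
    assets = {"HMI": Asset("HMI", classes), "PLC": Asset("PLC", classes)}
    g = AndOrAttackGraph({
        "hmi1": ("HMI", [Vulnerability("V1", "hmi-sw", "rce", "pattern-exploit-service", "code execution")]),
        "plc1": ("PLC", [Vulnerability("V2", "plc-fw", "tamper", "no-direct-pattern", "parameter change"),
                         Vulnerability("V3", "plc-fw", "rce", "pattern-exploit-service", "code execution")]),
    })
    g.expand(assets)
    return g
```

Running `demo()` yields two attack nodes: V1 and V3 share attack number 1 because they map to the same (tactic, technique, procedure) triple, so only one exploit edge per vulnerability is added to the existing node, while V2 has no direct pattern and is resolved through the operation field ("tamper"), producing attack number 2. The attack number is kept as the key of `attack_table`, so each record is the ATT quadruple of the text.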
Referring to fig. 12, a schematic structural diagram of a multi-step attack modeling system for an industrial control system according to an embodiment of the present application is shown; for convenience of explanation, only the portions related to the embodiment are shown, as detailed below:
The second aspect of the present application provides a multi-step attack modeling system for an industrial control system, which comprises an attack graph generation module 100, an AND/OR graph construction module 200, an AND/OR attack graph generation module 300 and an expansion module 400.
Attack graph generation module: for performing system topology analysis and system vulnerability processing to generate an attack graph;
AND/OR graph construction module: for constructing an AND/OR graph according to the function dependency relationships of the physical component devices;
AND/OR attack graph generation module: for generating an AND/OR attack graph from the attack graph and the AND/OR graph;
Expansion module: for expanding the AND/OR attack graph.
It should be noted that the multi-step attack modeling system for an industrial control system in this embodiment corresponds to the multi-step attack modeling method for an industrial control system described above, so for the specific implementation of each module of the system, reference may be made to the embodiments of fig. 1 to 11; detailed descriptions are omitted here.
The method uses vulnerability information to combine the attack graph of networking equipment with the AND/OR graph of non-networking equipment into an AND/OR attack graph covering all equipment of the industrial control system. It describes the ATT&CK matrix knowledge base in an object-oriented language and adds attack tactic, technique and procedure information to the AND/OR attack graph to describe multi-step attacks, so that a security analyst can grasp the security state of the industrial control system as a whole. Because the attack knowledge is described in an object-oriented language, it can be extended and generalized; a multi-step attack graph is generated for both networking and non-networking equipment of the industrial control system; and the attack graph can be displayed both at the more concrete vulnerability level and at the more abstract level of tactics, techniques and procedures.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The above embodiments are only for illustrating the technical solution of the present application, and not for limiting the same; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (2)

1. The multi-step attack modeling method for an industrial control system is characterized by comprising the following steps:
performing system topology analysis and system vulnerability processing to generate an attack graph, wherein the attack graph is obtained by the following steps:
obtaining system equipment information and an initial topological structure through system network topology analysis, updating the topology information with topology scanning and vulnerability scanning tools, and collecting vulnerability information; extracting the pre- and post-conditions, affected products, attack modes and attack result information of the vulnerabilities from a security information base, and generating a networking equipment attack graph with a breadth-first search algorithm based on the equipment, topology and vulnerability information;
the system topology analysis is realized by the following steps:
analyzing the system equipment and its connection relations in the system design document to obtain the system topological structure in the initial stage, collecting the network information of the equipment, probing the industrial control equipment with a scanning tool under the condition that normal operation of the system is not affected, and updating the industrial control system topological structure so as to update the attack graph; meanwhile, extracting and storing the equipment IP, type, manufacturer and communication information according to the scanning result and the configuration file;
the system vulnerability processing is realized by the following steps:
based on the obtained system equipment information and network information, scanning the system with a vulnerability scanning tool under the condition that normal operation of the system is not affected, collecting vulnerability information, and, for communication vulnerabilities, extracting and storing the vulnerability name, source IP, destination IP, subnet and communication protocol information; for device vulnerability information, collecting vulnerability descriptions from a security information source, and extracting and storing the vulnerability number, vulnerability product, vulnerability type, pre- and post-conditions, attack mode and attack result from the vulnerability descriptions;
constructing an AND/OR graph according to the function dependency relationships of the physical component devices, realized by the following steps:
for non-networking equipment, obtaining the physical component equipment information of the PLC, sensors and actuators from the system design document and configuration file, reading the PLC program, and obtaining the functional dependency relationships among the PLC, sensors and actuators to construct the AND/OR graph;
generating an AND/OR attack graph from the attack graph and the AND/OR graph, realized in the following manner:
generating the AND/OR attack graph by judging whether the control equipment vulnerabilities in the attack graph affect the physical equipment connected to that control equipment in the AND/OR graph;
the attack graph consists of nodes and directed edges, where the nodes comprise equipment nodes, vulnerability nodes and intermediate nodes; the correspondence between control equipment in the attack graph and control equipment in the AND/OR graph is first determined, then it is judged whether the vulnerability attack result of the control equipment in the attack graph affects other equipment connected to that control equipment in the AND/OR graph; if it does, the affected equipment is retained and the AND node or OR node is converted into an AND or OR edge between the two pieces of equipment; if the two pieces of equipment are directly connected to each other, the two logic nodes and the edges between them are converted into intermediate nodes, and the AND/OR attack graph is generated by adding AND or OR edges according to the logic nodes;
the AND/OR attack graph is expanded, realized in the following way:
expanding the AND/OR attack graph by matching vulnerability information with attack information using the object-oriented attack description.
2. The multi-step attack modeling system for an industrial control system is characterized by comprising an attack graph generation module, an AND/OR graph construction module, an AND/OR attack graph generation module and an expansion module, wherein the attack graph generation module, the AND/OR graph construction module, the AND/OR attack graph generation module and the expansion module cooperatively execute the multi-step attack modeling method according to claim 1.
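As an added example that is not part of the patent, the following Python code walks through the first three steps of claim 1 on constructed data: a breadth-first generation of the networking-equipment attack graph from device, topology and vulnerability records carrying pre- and post-conditions, followed by the join with an AND/OR function-dependency graph of non-networking equipment. The topology, the vulnerability ids (`VULN-A` and so on), the condition vocabulary (`net_access:`, `user:`, `control:`), the gate semantics and the function names (`generate_attack_graph`, `join_and_or_graph`, `demo`) are all assumptions made for illustration, not the patent's own data or API.

```python
# Added example, not the patent's own code: breadth-first generation of the
# networking-device attack graph from constructed device, topology and
# vulnerability records with pre/post-conditions, then the join with an AND/OR
# function-dependency graph of non-networking equipment. Device names,
# vulnerability ids and gate semantics are constructed assumptions.
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed network topology: which devices each device can reach.
TOPOLOGY = {"eng_ws": ["hmi"], "hmi": ["plc1"], "plc1": []}

# Constructed vulnerability records: (device, vulnerability id, precondition,
# postcondition). "net_access:X" is granted once a controlled device can reach X;
# "control:X" means the attack result gives control of X.
VULNS = [
    ("hmi",  "VULN-A", "net_access:hmi",  "user:hmi"),
    ("hmi",  "VULN-B", "user:hmi",        "control:hmi"),
    ("plc1", "VULN-C", "net_access:plc1", "control:plc1"),
]

# Constructed AND/OR function-dependency graph for non-networking equipment:
# output device -> (gate, input devices). Assumed gate semantics: an OR output
# is affected if any input is affected, an AND output only if all inputs are.
AND_OR_GRAPH = {
    "valve1": ("OR", ["plc1", "plc2"]),
    "pump1": ("AND", ["plc1", "flow_sensor"]),
}

def generate_attack_graph(topology, vulns, start) -> Tuple[Set[Tuple[str, str]], Set[str]]:
    """BFS from the attacker's initial foothold. Returns the directed edges
    (device -> vulnerability -> device) and the attacker's final condition set."""
    by_dev: Dict[str, List[Tuple[str, str, str]]] = {}
    for dev, vid, pre, post in vulns:
        by_dev.setdefault(dev, []).append((vid, pre, post))
    conditions = {f"control:{start}"}
    edges: Set[Tuple[str, str]] = set()
    visited: Set[str] = set()
    queue = deque([start])
    while queue:
        dev = queue.popleft()
        if dev in visited:
            continue
        visited.add(dev)
        for nb in topology.get(dev, []):
            conditions.add(f"net_access:{nb}")
            progressed = True
            while progressed:  # chain vulnerabilities on nb as their preconditions become true
                progressed = False
                for vid, pre, post in by_dev.get(nb, []):
                    if pre in conditions and post not in conditions:
                        conditions.add(post)
                        src = dev if pre.startswith("net_access:") else nb  # remote vs. local step
                        edges.add((src, vid))
                        edges.add((vid, nb))
                        progressed = True
            if f"control:{nb}" in conditions:
                queue.append(nb)
    return edges, conditions

def join_and_or_graph(conditions, and_or_graph) -> List[Tuple[str, str, str]]:
    """Propagate control of networking controllers into the physical dependency graph.
    Returns (input device, output device, gate) edges for the outputs that are affected."""
    affected = {c.split(":", 1)[1] for c in conditions if c.startswith("control:")}
    result: List[Tuple[str, str, str]] = []
    changed = True
    while changed:  # iterate to a fixed point, since one output may feed another gate
        changed = False
        for out, (gate, inputs) in and_or_graph.items():
            hit = [i for i in inputs if i in affected]
            ok = bool(hit) if gate == "OR" else len(hit) == len(inputs)
            if ok and out not in affected:
                affected.add(out)
                changed = True
                result.extend((i, out, gate) for i in hit)
    return result

def demo():
    edges, conditions = generate_attack_graph(TOPOLOGY, VULNS, "eng_ws")
    return edges, conditions, join_and_or_graph(conditions, AND_OR_GRAPH)
```

On the constructed data the BFS produces six edges (eng_ws to VULN-A to hmi, hmi to VULN-B to hmi for the local step, hmi to VULN-C to plc1) and ends with control of plc1; the join then retains valve1 as affected through an OR edge from plc1, while pump1 is not retained because its AND gate also needs the uncompromised flow_sensor.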
CN202210438285.1A 2022-04-25 2022-04-25 Multi-step attack modeling method and system for industrial control system Active CN115037508B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210438285.1A CN115037508B (en) 2022-04-25 2022-04-25 Multi-step attack modeling method and system for industrial control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210438285.1A CN115037508B (en) 2022-04-25 2022-04-25 Multi-step attack modeling method and system for industrial control system

Publications (2)

Publication Number Publication Date
CN115037508A CN115037508A (en) 2022-09-09
CN115037508B true CN115037508B (en) 2023-08-22

Family

ID=83120021

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210438285.1A Active CN115037508B (en) 2022-04-25 2022-04-25 Multi-step attack modeling method and system for industrial control system

Country Status (1)

Country Link
CN (1) CN115037508B (en)

Also Published As

Publication number Publication date
CN115037508A (en) 2022-09-09

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant