CN116305170A - Analog testing method, device, equipment and storage medium based on industrial control system - Google Patents


Info

Publication number
CN116305170A
Authority
CN
China
Prior art keywords
attack
industrial control
control system
vulnerability
target
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310545568.0A
Other languages
Chinese (zh)
Inventor
周磊
张吕军
田野
汪婷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Andi Technology Co ltd
Original Assignee
Beijing Andi Technology Co ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90: Details of database functions independent of the retrieved data types
    • G06F16/903: Querying
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00: Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02: Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The invention provides a simulation test method, device, equipment and storage medium based on an industrial control system. During attack testing, different attack paths in different modes can be generated according to the characteristics and vulnerabilities of the industrial control system, so that a user can select a suitable attack mode and path for the simulated attack according to the test requirements and thereby achieve the expected test effect. No dedicated modeling analysis is required, test efficiency in practical operation is higher, and large numbers of rapid attack tests are convenient to perform.

Description

Analog testing method, device, equipment and storage medium based on industrial control system
Technical Field
The invention relates to the technical field of computers, in particular to an analog testing method, an analog testing device, analog testing equipment and a storage medium based on an industrial control system.
Background
Industrial control systems are a vital component of industrial facilities, but because their security is extremely low they are vulnerable to attacks from complex networks. To strengthen their ability to resist attack, research and development personnel have begun simulating attacks on industrial control systems so as to improve their reliability and protection capability. However, existing attack simulation test schemes are relatively simple and weakly targeted, and cannot achieve a good test effect.
Therefore, how to provide a simulation test method for industrial control systems with a better effect and higher test efficiency is a problem to be solved at present.
Disclosure of Invention
In order to solve the problems, the invention provides an analog testing method, an analog testing device, analog testing equipment and a storage medium based on an industrial control system.
In a first aspect of an embodiment of the present invention, there is provided an analog testing method based on an industrial control system, the method including:
acquiring system basic information of a target industrial control system, wherein the system basic information comprises a system topology structure, system asset data and a system communication protocol of the target industrial control system;
obtaining system vulnerability information of a target industrial control system according to the system basic information, wherein the system vulnerability information comprises one or more vulnerabilities, vulnerability loss possibly caused by each vulnerability and association degree of each vulnerability and other vulnerabilities;
obtaining attack paths aiming at all attack targets in a target industrial control system according to the system vulnerability information;
selecting an attack path required by the test to simulate attack on the target industrial control system;
and reading system data of the target industrial control system, and verifying the attack effect of the simulation attack.
Optionally, the step of obtaining the system vulnerability information of the target industrial control system according to the system basic information specifically includes:
inquiring a system vulnerability database storing various vulnerability information according to the system basic information;
and acquiring system vulnerability information matched with the system basic information.
Optionally, the step of obtaining an attack path for each attack target in the target industrial control system according to the system vulnerability information specifically includes:
aiming at each attack target, traversing and searching an attack path required from an attack access node to the attack target and a vulnerability utilized by the attack path respectively;
all possible attack paths for each attack target are obtained.
Optionally, the method further comprises:
calculating attack success probability and attack loss corresponding to each attack path according to the system vulnerability information;
the step of selecting the attack path required by the test to simulate the attack to the target industrial control system specifically comprises the following steps:
according to the attack test requirements, selecting a plurality of attack paths to be matched with the attack test requirements, and performing simulation attack on the target industrial control system.
Optionally, the method further comprises:
for each attack target, comprehensively considering the attack success probability and the attack loss, and selecting the attack path with the highest expected attack effect for the simulated attack.
Optionally, the method for calculating the expected attack effect comprises the following steps:
aiming at vulnerabilities related to attack paths, calculating the probability that each vulnerability is possibly successfully utilized and the association degree between vulnerabilities to obtain attack success probability;
cumulatively summing attack losses caused by each vulnerability being exploited;
and obtaining the expected attack effect through the product calculation of the attack success probability and the attack loss.
Optionally, the method further comprises:
if the system basic information of the target industrial control system is not acquired, detecting based on the type of the system communication protocol used by the target industrial control system, and acquiring the system basic information in a mode of capturing and analyzing the data packet of the target industrial control system.
In a second aspect of the embodiment of the present invention, there is provided an analog testing device based on an industrial control system, the device including:
the information acquisition unit is used for acquiring system basic information of the target industrial control system, wherein the system basic information comprises a system topology structure, system asset data and a system communication protocol of the target industrial control system;
the vulnerability identification unit is used for obtaining system vulnerability information of the target industrial control system according to the system basic information, wherein the system vulnerability information comprises one or more vulnerabilities, vulnerability loss possibly caused by each vulnerability and association degree of each vulnerability and other vulnerabilities;
the path calculation unit is used for obtaining an attack path aiming at each attack target in the target industrial control system according to the system vulnerability information;
the attack simulation unit is used for selecting an attack path required by the test to simulate attack on the target industrial control system;
and the effect verification unit is used for reading the system data of the target industrial control system and verifying the attack effect of the simulation attack.
A third aspect of an embodiment of the present invention provides an apparatus, including:
one or more processors; a memory; one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more applications configured to perform the method of the first aspect.
A fourth aspect of an embodiment of the present invention provides a computer readable storage medium, wherein the computer readable storage medium has program code stored therein, the program code being callable by a processor to perform the method according to the first aspect.
The beneficial effects of the invention are as follows:
The invention provides a simulation test method, device, equipment and storage medium based on an industrial control system. During attack testing, different attack paths in different modes can be generated according to the characteristics and vulnerabilities of the industrial control system, so that a user can select a suitable attack mode and path for the simulated attack according to the test requirements and thereby achieve the expected test effect. No dedicated modeling analysis is required, test efficiency in practical operation is higher, and large numbers of rapid attack tests are convenient to perform.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a simulation test method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for computing an attack effect expectation according to an embodiment of the present invention;
FIG. 3 is a functional block diagram of an analog test device according to an embodiment of the present invention.
Fig. 4 is a block diagram of an apparatus for performing a simulation test method according to an embodiment of the present application.
Fig. 5 is a block diagram of a computer-readable storage medium storing or carrying program code for implementing a simulation test method according to an embodiment of the present invention.
Reference numerals:
an information acquisition unit 110; a vulnerability recognition unit 120; a path calculation unit 130; an attack simulation unit 140; an effect verification unit 150; the apparatus 300; a processor 310; a memory 320; a computer-readable storage medium 400; program code 410.
Detailed Description
Industrial control systems are a vital component of industrial facilities, but because their security is extremely low they are vulnerable to attacks from complex networks. To strengthen their ability to resist attack, research and development personnel have begun simulating attacks on industrial control systems so as to improve their reliability and protection capability. However, existing attack simulation test schemes are relatively simple and weakly targeted, and cannot achieve a good test effect.
Therefore, how to provide a simulation test method for industrial control systems with a better effect and higher test efficiency is a problem to be solved at present.
In view of this, the designer has devised a simulation test method, device, equipment and storage medium based on an industrial control system. During attack testing, different attack paths can be generated according to the characteristics and vulnerabilities of the industrial control system, so that a user can select suitable attack modes and paths for the simulated attack according to the test requirements and thereby achieve the expected test effect. The invention requires no dedicated modeling analysis, has higher test efficiency in actual operation, and is convenient for performing large numbers of rapid attack tests.
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
In the description of the present invention, it should be noted that, directions or positional relationships indicated by terms such as "top", "bottom", "inner", "outer", etc., are directions or positional relationships based on those shown in the drawings, or those that are conventionally put in use, are merely for convenience in describing the present invention and simplifying the description, and do not indicate or imply that the apparatus or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like, are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance.
In the description of the present invention, it should also be noted that, unless explicitly specified and limited otherwise, the terms "disposed," "mounted," "connected," and "connected" are to be construed broadly, and may be, for example, fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention will be understood in specific cases by those of ordinary skill in the art.
It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other.
Referring to fig. 1, an analog testing method according to an embodiment of the invention includes:
step S101, system basic information of a target industrial control system is obtained, wherein the system basic information comprises a system topology structure, system asset data and a system communication protocol of the target industrial control system.
The system basic information corresponds to the basic condition of the target industrial control system and reflects its characteristics; industrial control systems with different characteristics may have different vulnerabilities.
The system basic information can be acquired in different ways for different attack test environments. For example, in some scenarios it is assumed that an attacker has already obtained the system basic information of the target industrial control system through some reconnaissance means; simulating such a scenario treats the system basic information of the target industrial control system directly as known information.
In other scenarios, it is assumed that the attacker knows nothing about the system basic information of the target industrial control system, or knows only some publicly disclosed information. Simulating such a scenario also requires considering the attacker's information-collection process. In the preferred implementation of the embodiment of the invention, if the system basic information of the target industrial control system has not been acquired, detection is performed based on the type of the system communication protocol used by the target industrial control system, and the system basic information is acquired by capturing and analyzing the data packets of the target industrial control system. Dissecting and analyzing the data packets simulates an attacker collecting the system basic information of the target industrial control system. The information collected includes, but is not limited to: device manufacturer, device type, network protocol, system type and memory map, module name of device, basic hardware information, version, module type, serial number, copyright, network topology, network IP, domain name, software and its version, and any firewall or intrusion detection system in the system. In the simulation process, the acquisition of this information is often incomplete, so what is mainly simulated is an attack test performed when only part of the information has been acquired.
Step S102, obtaining system vulnerability information of a target industrial control system according to the system basic information, wherein the system vulnerability information comprises one or more vulnerabilities, vulnerability loss possibly caused by each vulnerability and association degree of each vulnerability and other vulnerabilities.
From the system basic information, which reflects the characteristics of the target industrial control system, the corresponding system vulnerability information can be obtained through scanning. The most common way to acquire the system vulnerability information is to establish a system vulnerability database that stores the characteristic information of different types of system vulnerabilities, and then to compare and query against that characteristic information to obtain the system vulnerability information of the target industrial control system. The specific implementation is as follows: querying a system vulnerability database storing various vulnerability information according to the system basic information; and acquiring the system vulnerability information that matches the system basic information. The data stored in the system vulnerability database can be updated in real time, with newly discovered vulnerability information continuously added.
It should be noted that different system vulnerabilities differ in how they exist, where they exist and how they are exploited, so the loss that may result when a given vulnerability is exploited also differs. Meanwhile, because the components of the system are related to one another, different vulnerabilities may be associated with each other, and some vulnerabilities even exist only on the basis of other vulnerabilities.
Step S103, obtaining attack paths aiming at all attack targets in the target industrial control system according to the system vulnerability information.
In the target industrial control system, a node that is worth attacking is taken as an attack target. Because each vulnerability affects different nodes in different ways, different vulnerabilities are exploited for different attack targets, and the final attack target is reached along a particular attack path. For some attack targets, there may also be multiple different attack paths.
On this basis, as a preferred implementation, for each attack target a traversal search is performed to find each attack path from an attack access node to the attack target and the vulnerabilities that the path exploits; all possible attack paths for each attack target are thereby obtained.
Through the traversal search, all possible attack paths for each attack target can be obtained, so that a suitable attack path can be selected for testing.
Step S104, selecting an attack path required by the test to simulate attack on the target industrial control system.
During actual testing, the attack path required by the test is selected according to the target under test and used for the simulated attack, so that the best simulation effect is obtained while test efficiency is improved.
There are many criteria for selecting an attack path, including the number of vulnerabilities the attack path exploits, the attack success probability, the number of nodes on the attack path, the loss caused by the attack, and so on.
On this basis, the attack success probability or the loss caused by the attack is generally chosen as the criterion, so the attack success probability and attack loss corresponding to each attack path can be calculated from the system vulnerability information before the simulated attack is carried out. Then, according to the attack test requirements, several attack paths matching those requirements are selected and the simulated attack is performed on the target industrial control system.
The selection may be made using only one of the above criteria, or by combining several of them.
In a preferred embodiment, for each attack target, the attack success probability and the attack loss are considered together, and the attack path with the highest expected attack effect is selected for the simulated attack.
As a preferred implementation manner of the embodiment of the present invention, as shown in fig. 2, the method for calculating the expected attack effect includes:
step S201, aiming at the vulnerabilities related to the attack path, the probability that each vulnerability is likely to be successfully utilized and the association degree between vulnerabilities are calculated to obtain the attack success probability.
Specifically, assume that an attack path for an attack target involves 3 vulnerabilities, whose probabilities of being successfully exploited are denoted p1, p2 and p3. The attack success probability P of the attack path is then calculated as:
P=p1*(w12)p2*(w13+w23)p3
where w12 is the association degree of the first vulnerability to the second vulnerability when the first vulnerability is exploited, w13 is the association degree of the first vulnerability to the third vulnerability when the first vulnerability is exploited, and w23 is the association degree of the second vulnerability to the third vulnerability when the second vulnerability is exploited. The value of the association degree depends on the order in which the corresponding vulnerabilities are exploited on the attack path: it represents the influence of an earlier vulnerability on a later vulnerability on the attack path, and when there is no association between two vulnerabilities the value is 0. In different industrial control systems, the probability that a vulnerability may be successfully exploited and the association degrees may differ.
Step S202, cumulatively summing attack losses caused by each vulnerability being exploited.
The attack loss caused by exploiting vulnerabilities can be divided into two types. One is device loss, meaning loss at the equipment level caused directly by the attack, which can be quantified through the actual value of the equipment. The other is information loss, meaning that the attack causes data in the industrial control system to leak. This usually does not cause direct loss to the industrial control system itself, but the leaked data may harm the interests of the owners of the industrial control system, such as enterprises and factories. Such loss usually cannot be quantified directly, so the user is required to provide a quantization strategy or to quantify it according to the actual situation.
The attack loss caused by each exploited vulnerability is the sum of the device loss and the information loss. For a vulnerability that cannot cause a loss of a given type, the value of that term is 0.
For an attack path that exploits multiple vulnerabilities, the overall attack loss is the cumulative sum of the attack loss of each vulnerability.
Continuing with the example above, the overall resulting attack loss L is calculated by:
L=l1+l2+l3
where l1, l2 and l3 are the attack losses caused by the respective vulnerabilities.
In step S203, the expected attack effect is obtained by calculating the product of the attack success probability and the attack loss.
Specifically, the calculation method of the attack effect expectation E of a certain attack path aiming at one attack target is as follows:
E=L*P.
The attack path with the maximum E value for the attack target is then screened out and used for the simulated attack.
It should be noted that once the attack path for the simulated attack has been determined, a corresponding attack script needs to be generated to carry out the simulated attack. There are various ways to obtain the attack script from the system vulnerabilities and the attack path. One is to build a corresponding database, search it for the attack script whose information matches the system vulnerabilities and the attack path, and then call that script directly. Another is to use software or an application program that provides an attack script generation function, which outputs the corresponding attack script from the input information about the system vulnerabilities and the attack path.
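The path search of step S103 and the calculation of steps S201 to S203, as an added example that is not part of the patent text: it enumerates loop-free paths over a small constructed topology and ranks them by E = L*P, which tells a tester or defender which paths to exercise and remediate first. It reads the juxtaposition in the printed formula for P as multiplication and generalizes it from 3 to n vulnerabilities (both assumptions); node names, vulnerability labels and all numbers are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    p: float            # probability the vulnerability is successfully exploited
    device_loss: float  # quantified equipment loss (0 if none)
    info_loss: float    # quantified information loss (0 if none)

    @property
    def loss(self) -> float:
        # Per-vulnerability attack loss = device loss + information loss
        return self.device_loss + self.info_loss


# --- Constructed sample data: placeholder labels, no real system or CVE ---
VULNS = {
    "V1": Vuln(0.8, 0, 10),
    "V2": Vuln(0.5, 0, 20),
    "V3": Vuln(0.5, 100, 0),
    "V4": Vuln(0.4, 100, 50),
    "V5": Vuln(0.5, 0, 5),
}
# (source node, destination node) -> vulnerability exploited to make that hop
EDGES = {
    ("entry", "hmi"): "V1",
    ("entry", "eng_ws"): "V2",
    ("hmi", "plc"): "V3",
    ("eng_ws", "plc"): "V4",
    ("hmi", "eng_ws"): "V5",
}
# Association degree w[(earlier, later)]; a missing pair means "no association" (0)
ASSOC = {("V1", "V3"): 0.5, ("V1", "V5"): 1.0, ("V1", "V4"): 0.25, ("V5", "V4"): 0.5}


def enumerate_paths(edges, entry, target):
    """Traversal search: every loop-free path as (node list, vulnerability list)."""
    adjacency = {}
    for (src, dst), vid in edges.items():
        adjacency.setdefault(src, []).append((dst, vid))
    found = []

    def walk(node, nodes, vids):
        if node == target:
            found.append((nodes, vids))
            return
        for nxt, vid in adjacency.get(node, []):
            if nxt not in nodes:  # never revisit a node on the same path
                walk(nxt, nodes + [nxt], vids + [vid])

    walk(entry, [entry], [])
    return found


def success_probability(vids, vulns, assoc):
    """P = p1 * (w12)*p2 * (w13+w23)*p3, extended to n vulnerabilities.

    Assumption: the k-th factor is (sum of w_jk for all earlier j) * p_k.
    """
    if not vids:
        return 0.0
    prob = vulns[vids[0]].p
    for k in range(1, len(vids)):
        w = sum(assoc.get((vids[j], vids[k]), 0.0) for j in range(k))
        prob *= w * vulns[vids[k]].p
    return prob


def total_loss(vids, vulns):
    """L = l1 + l2 + ... : cumulative loss of the vulnerabilities on the path."""
    return sum(vulns[v].loss for v in vids)


def rank_paths(edges, vulns, assoc, entry, target):
    """Return all paths to the target, highest expected attack effect E first."""
    rows = []
    for nodes, vids in enumerate_paths(edges, entry, target):
        p = success_probability(vids, vulns, assoc)
        loss = total_loss(vids, vulns)
        rows.append({"nodes": nodes, "vulns": vids, "P": p, "L": loss, "E": loss * p})
    return sorted(rows, key=lambda r: r["E"], reverse=True)


if __name__ == "__main__":
    for row in rank_paths(EDGES, VULNS, ASSOC, "entry", "plc"):
        print(" -> ".join(row["nodes"]), row["vulns"],
              f"P={row['P']:.3f} L={row['L']:.1f} E={row['E']:.2f}")
```

Under this reading of the formula, a path whose vulnerabilities have no recorded association gets P = 0 and ranks last even when its loss is the largest, so the association table has to be complete before the ranking is trusted.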
Step S105, system data of the target industrial control system are read, and the attack effect of the simulated attack is verified.
After the simulated attack is carried out, the attack effect needs to be verified. The method generally adopted is to read the system data related to the attack target in the target industrial control system, judge from the form the system data takes whether the attack achieved its effect, and judge the defensive capability of the target industrial control system against this class of attack.
In summary, in the simulation test method provided by the embodiment of the invention, different attack paths in different modes can be generated during attack testing according to the characteristics and vulnerabilities of the industrial control system, so that a user can select a suitable attack mode and path for the simulated attack according to the test requirements and thereby achieve the expected test effect. No dedicated modeling analysis is required, test efficiency in actual operation is higher, and large numbers of rapid attack tests are convenient to perform.
As shown in fig. 3, the simulation test device provided by the embodiment of the present invention includes:
an information obtaining unit 110, configured to obtain system basic information of a target industrial control system, where the system basic information includes a system topology structure, system asset data, and a system communication protocol of the target industrial control system;
the vulnerability identification unit 120 is configured to obtain system vulnerability information of a target industrial control system according to the system basic information, where the system vulnerability information includes one or more vulnerabilities, vulnerability loss that may be caused by each vulnerability, and association degree between each vulnerability and other vulnerabilities;
the path calculation unit 130 is configured to obtain an attack path for each attack target in the target industrial control system according to the system vulnerability information;
the attack simulation unit 140 is used for selecting an attack path required by the test to simulate attack on the target industrial control system;
and the effect verification unit 150 is used for reading the system data of the target industrial control system and verifying the attack effect of the simulation attack.
The simulation test device provided by the embodiment of the present invention is used for implementing the simulation test method, so that the specific implementation manner is the same as the above method, and will not be repeated here.
As shown in fig. 4, an embodiment of the present invention provides a block diagram of a device 300. The device 300 may be a smart phone, tablet, electronic book, or other device capable of running application programs. The device 300 in this application may include one or more of the following components: a processor 310, a memory 320, and one or more applications, wherein the one or more applications may be stored in the memory 320 and configured to be executed by the one or more processors 310, the one or more applications configured to perform the method as described in the foregoing method embodiments.
The processor 310 may include one or more processing cores. The processor 310 uses various interfaces and lines to connect the various parts of the device 300, and performs the functions of the device 300 and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 320 and by invoking data stored in the memory 320. Optionally, the processor 310 may be implemented in hardware in at least one of the forms of digital signal processing (Digital Signal Processing, DSP), field programmable gate array (Field-Programmable Gate Array, FPGA), and programmable logic array (Programmable Logic Array, PLA). The processor 310 may integrate one or a combination of a central processing unit (Central Processing Unit, CPU), a graphics processing unit (Graphics Processing Unit, GPU), a modem, and the like. The CPU mainly handles the operating system, user interface, application programs and the like; the GPU is responsible for rendering and drawing display content; the modem handles wireless communications. It will be appreciated that the modem may also not be integrated into the processor 310 and may instead be implemented by a separate communication chip.
The memory 320 may include a random access memory (Random Access Memory, RAM) or a read-only memory (Read-Only Memory, ROM). The memory 320 may be used to store instructions, programs, code sets, or instruction sets. The memory 320 may include a stored program area and a stored data area, wherein the stored program area may store instructions for implementing an operating system, instructions for implementing at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described below, etc. The stored data area may also store data created by the terminal in use (such as phonebook, audio-video data, chat-record data), etc.
As shown in fig. 5, an embodiment of the present invention provides a block diagram of a computer-readable storage medium 400. The computer readable medium has stored therein a program code 410, said program code 410 being callable by a processor for performing the method described in the above method embodiments.
The computer readable storage medium 400 may be an electronic memory such as a flash memory, an EEPROM (electrically erasable programmable read only memory), an EPROM, a hard disk, or a ROM. Optionally, the computer readable storage medium 400 comprises a non-transitory computer-readable storage medium. The computer readable storage medium 400 has storage space for program code 410 that performs any of the method steps described above. The program code 410 can be read from or written to one or more computer program products. The program code 410 may, for example, be compressed in a suitable form.
In summary, the invention provides a simulation test method, device, equipment and storage medium based on an industrial control system. During attack testing, different attack paths can be generated according to the characteristics and vulnerabilities of the industrial control system, so that a user can select a suitable attack mode and path for the simulated attack according to the test requirements and thereby achieve the desired test effect. The invention requires no dedicated modeling analysis, has higher test efficiency in actual operation, and makes it convenient to perform a large number of rapid attack tests.
In the several embodiments disclosed in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.

Claims (10)

1. A simulation test method based on an industrial control system, characterized by comprising the following steps:
acquiring system basic information of a target industrial control system, wherein the system basic information comprises a system topology structure, system asset data and a system communication protocol of the target industrial control system;
obtaining system vulnerability information of a target industrial control system according to the system basic information, wherein the system vulnerability information comprises one or more vulnerabilities, vulnerability loss possibly caused by each vulnerability and association degree of each vulnerability and other vulnerabilities;
obtaining attack paths aiming at all attack targets in a target industrial control system according to the system vulnerability information;
selecting an attack path required by the test to simulate attack on the target industrial control system;
and reading system data of the target industrial control system, and verifying the attack effect of the simulation attack.
2. The simulation test method according to claim 1, wherein the step of obtaining the system vulnerability information of the target industrial control system according to the system basic information specifically comprises:
inquiring a system vulnerability database storing various vulnerability information according to the system basic information;
and acquiring system vulnerability information matched with the system basic information.
3. The simulation test method according to claim 1, wherein the step of obtaining an attack path for each attack target in the target industrial control system according to the system vulnerability information specifically comprises:
for each attack target, traversing and searching for the attack paths required to get from an attack access node to the attack target, together with the vulnerabilities exploited along each attack path;
obtaining all possible attack paths for each attack target.
4. A simulation test method according to claim 3, wherein the method further comprises:
calculating attack success probability and attack loss corresponding to each attack path according to the system vulnerability information;
the step of selecting the attack path required by the test to simulate the attack to the target industrial control system specifically comprises the following steps:
according to the attack test requirements, selecting a plurality of attack paths that match the attack test requirements, and performing the simulated attack on the target industrial control system.
5. The simulation test method according to claim 4, wherein the method further comprises:
for each attack target, comprehensively considering the attack success probability and the attack loss, and selecting the attack path with the highest expected attack effect for the simulated attack.
6. The simulation test method according to claim 5, wherein the expected attack effect is calculated by:
for the vulnerabilities involved in an attack path, calculating the attack success probability from the probability that each vulnerability is successfully exploited and the association degree between the vulnerabilities;
cumulatively summing the attack losses caused by each vulnerability being exploited;
and obtaining the expected attack effect as the product of the attack success probability and the attack loss.
7. The simulation test method according to claim 1, wherein the method further comprises:
if the system basic information of the target industrial control system has not been acquired, performing detection based on the type of system communication protocol used by the target industrial control system, and acquiring the system basic information by capturing and analyzing data packets of the target industrial control system.
8. A simulation test device based on an industrial control system, characterized in that the device includes:
the information acquisition unit is used for acquiring system basic information of the target industrial control system, wherein the system basic information comprises a system topology structure, system asset data and a system communication protocol of the target industrial control system;
the vulnerability identification unit is used for obtaining system vulnerability information of the target industrial control system according to the system basic information, wherein the system vulnerability information comprises one or more vulnerabilities, vulnerability loss possibly caused by each vulnerability and association degree of each vulnerability and other vulnerabilities;
the path calculation unit is used for obtaining an attack path aiming at each attack target in the target industrial control system according to the system vulnerability information;
the attack simulation unit is used for selecting an attack path required by the test to simulate attack on the target industrial control system;
and the effect verification unit is used for reading the system data of the target industrial control system and verifying the attack effect of the simulation attack.
9. An apparatus, comprising:
one or more processors;
a memory;
one or more applications, wherein the one or more applications are stored in the memory and configured to be executed by the one or more processors, the one or more applications configured to perform the method of any of claims 1-7.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a program code, which is callable by a processor for executing the method according to any one of claims 1-7.
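The path search and scoring of claims 3 to 6, as an added example that is not code from the patent or its applicant; it ranks every path to one target so a tester can see which path dominates the expected attack effect. The topology, vulnerability ids, probabilities and losses are constructed, and the way the association degree raises the next step's probability is an assumption, since the claims do not fix a formula.

```python
# Constructed data: vulnerability id -> (exploit probability, loss if exploited)
VULNS = {"V1": (0.8, 2.0), "V2": (0.5, 8.0), "V3": (0.5, 1.0),
         "V4": (0.5, 3.0), "V5": (0.25, 8.0)}
# Constructed association degree between vulnerability pairs (absent = 0).
ASSOC = {frozenset(("V1", "V2")): 0.5}
# Constructed topology: node -> [(next node, vulnerability used for that hop)].
# eng_ws <-> hmi forms a cycle on purpose.
EDGES = {
    "entry": [("eng_ws", "V1"), ("hmi", "V3")],
    "eng_ws": [("plc", "V2"), ("hmi", "V4")],
    "hmi": [("plc", "V5"), ("eng_ws", "V4")],
}

def enumerate_paths(edges, entry, target):
    """Claim 3: traverse from the access node, yielding each simple path."""
    stack = [(entry, [entry], [])]
    while stack:
        node, nodes, vulns = stack.pop()
        if node == target:
            yield nodes, vulns
            continue
        for nxt, vuln in edges.get(node, []):
            if nxt not in nodes:  # never revisit a node, so cycles terminate
                stack.append((nxt, nodes + [nxt], vulns + [vuln]))

def success_probability(vulns, table, assoc):
    """Claim 6, step 1. Assumed model: each step's probability is lifted
    toward 1 by its association degree with the previous vulnerability."""
    prob, prev = 1.0, None
    for v in vulns:
        p = table[v][0]
        if prev is not None:
            p += (1.0 - p) * assoc.get(frozenset((prev, v)), 0.0)
        prob *= p
        prev = v
    return prob

def attack_loss(vulns, table):
    """Claim 6, step 2: cumulative loss of every vulnerability on the path."""
    return sum(table[v][1] for v in vulns)

def rank_paths(edges, table, assoc, entry, target):
    """Claims 4-6: score each path, highest expected attack effect first."""
    ranked = []
    for nodes, vulns in enumerate_paths(edges, entry, target):
        p = success_probability(vulns, table, assoc)
        loss = attack_loss(vulns, table)
        ranked.append({"nodes": nodes, "vulns": vulns, "p": p,
                       "loss": loss, "expected": p * loss})
    return sorted(ranked, key=lambda r: r["expected"], reverse=True)

if __name__ == "__main__":
    for r in rank_paths(EDGES, VULNS, ASSOC, "entry", "plc"):
        print(" -> ".join(r["nodes"]), r["vulns"],
              f"p={r['p']:.3f} loss={r['loss']:.1f} E={r['expected']:.3f}")
```

With this data the two-hop path through `eng_ws` ranks first only because of the V1/V2 association; with the association set to 0 its expected effect falls from 6.0 to 4.0.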
CN202310545568.0A 2023-05-16 2023-05-16 Analog testing method, device, equipment and storage medium based on industrial control system Pending CN116305170A (en)

Publications (1)

Publication Number Publication Date
CN116305170A (en) 2023-06-23

Family

ID=86789043

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310545568.0A Pending CN116305170A (en) 2023-05-16 2023-05-16 Analog testing method, device, equipment and storage medium based on industrial control system

Country Status (1)

Country Link
CN (1) CN116305170A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2019212143A (en) * 2018-06-07 2019-12-12 株式会社日立製作所 Damage prediction method, damage prediction system, and program
JP2020155098A (en) * 2019-03-22 2020-09-24 株式会社日立製作所 Method and system for predicting attack route in computer network
CN112114579A (en) * 2020-09-28 2020-12-22 哈尔滨工业大学(威海) Industrial control system safety measurement method based on attack graph
CN112615836A (en) * 2020-12-11 2021-04-06 杭州安恒信息技术股份有限公司 Industrial control network safety protection simulation system
CN113660296A (en) * 2021-10-21 2021-11-16 中国核电工程有限公司 Method and device for detecting anti-attack performance of industrial control system and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230623