KR20210089332A - Cyber defense system and control method - Google Patents

Abstract

The present invention relates to a method for predicting and responding to a cyber attack and, more specifically, to a cyber defense system which can strengthen the system's cyber resilience and mission capability against an enemy attack using Bayesian networks, and a control method. The cyber defense system according to an embodiment of the present invention comprises: a relationship setting module which identifies a plurality of assets, a plurality of tasks, and a plurality of missions participating in a virtual battle environment according to a battle scenario, and establishes a relationship between assets and tasks; a Bayesian network generation module which generates a Bayesian network using the relationship set in the relationship setting module and calculates a conditional probability table value between respective variables included in the generated Bayesian network; an inference module which assumes a specific task as a failure in the Bayesian network generated by the generation module and infers the impact of each asset; and an execution module which performs countermeasures against assets based on the result inferred by the inference module.

Description

Cyber defense system and control method

The present invention relates to a method for predicting and responding to a cyber attack, and more particularly, to a cyber defense system and control method that can enhance the cyber resilience and mission performance of a system from an enemy attack using a Bayesian network.

The content described in this section merely provides background information for the present embodiment and does not constitute the prior art.

Every system has a mission that the system has, and the system and the components that make up the system are linked to each other to achieve the mission. And cyber resilience refers to the ability of a system to continuously achieve its intended mission even if it is subjected to a cyber attack. In other words, cyber resilience can also be referred to as the ability of a system to protect it from all expected and unexpected threats when it operates in cyberspace.

As an example, cyber threats exist everywhere in modern times, including personal computers, mobile terminals, home network systems, and corporate network systems. In particular, in modern warfare, the issue of cyber threats is very important enough to be expressed as cyber warfare, and protecting the military cyber system from enemy attacks in the military cyber operation environment has become the most important part for the state to protect the people from the enemy. Therefore, cyber resilience that can protect systems from cyber threats is very important anywhere, whether it is at home, in society, in the military, or in the country.

Moreover, as the importance of Defense Modeling and Simulation (DM&S) has recently emerged, Korea is also interested in building and utilizing a defense simulation system. Defense simulation is increasing its usefulness as a scientific and objective means throughout national defense, such as power evaluation, weapon system acquisition analysis, combat experiment, and unit training. Recently, the Navy’s Cheonghae model, the joint battlefield model model, and the Army’s combat service support Research related to the development of simulation models such as models is in progress.

In other words, unlike the past of operating an actual system in conducting tests and training in a military operating environment, modern times use distributed simulation for testing and training.

At the same time, High Level Architecture (HLA), a common simulation architecture to support interoperability and reusability of various simulation applications, appeared, and System), virtual (a system in which a real person operates the equipment of a simulated platform in a simulation environment), and configuration (a system in which a virtual person performs the activities of a virtual object in a virtual environment) are configured through a distributed environment Numerous efforts are being made to provide high-quality combat training through improved interoperability between assets and assets.

Conventional cyber systems and cyber resilience have only inferred damage to missions through observed asset damage and predicted damage assessment. However, in the modern society where cyber warfare problems are increasing, it is necessary to conduct various cyber warfare training and technology verification, and to increase cyber resilience accordingly.

Therefore, the present invention proposes a system capable of not only understanding the relationship between assets, tasks, and missions operated in a cyber system, but also increasing mission performance capability and cyber resilience of the system.

Patent Registration No. 10-1502397 (Title of the invention: Simulation system and method for simulation battle effect analysis for weapon system)

Accordingly, an object of the present invention is to provide a cyber defense system and control method capable of enhancing the cyber resilience and mission performance capability of a system from an enemy attack using a Bayesian network.

Another object of the present invention is to create a Bayesian network for assets, tasks, and mission relationships, infer a failure probability using the generated Bayesian network, and analyze failure factors and assets for a specific task to perform supplementation. To provide a cyber defense system and control method.

Another object of the present invention is to provide a cyber defense system and control method capable of analyzing a cause of failure for a mission and assigning priorities to assets providing the cause in the order in which preemptive measures are required.

In order to solve the above technical problems, the cyber defense system according to an embodiment of the present invention identifies a plurality of assets, a plurality of tasks, and a plurality of tasks participating in a virtual battle environment according to a battle scenario, and identifies the assets and tasks, a relationship setting module for establishing a relationship between a task and a mission; a Bayesian network generation module for generating a Bayesian network using the relationship set in the relationship setting module, and calculating a conditional probability table value between each variable included in the generated Bayesian network; an inference module that assumes a specific task as a failure in the Bayesian network generated by the generation module and infers the impact of each asset; And it is characterized in that it comprises a performance module for performing a countermeasure for the asset based on the inferred result in the inference module.

Preferably, in the calculation of the conditional probability value of each variable of the generation module, an asset performing the same function and a task performing the same function in the Bayesian network are set as one end relation group, and at least one of the assets tied to the end relation group is selected. If the asset is in the executable state, it does not affect the performance of the task related to the asset, and if at least one task among the tasks tied to the end relation group is in the executable state, it does not affect the performance of the task related to the task do.

Preferably, the conditional probability value calculation of each variable of the generation module is calculated by Equation 1 below.

Equation 1

Preferably, the inference module is characterized by using Bayes theorem.

Preferably, the relationship setting module is characterized in that an edge having an end relationship between an asset and a task and a task and a task and an edge having an OR relationship are set, and the probability of each edge is set.

Preferably, the execution module determines a priority based on the inferred result, and performs an action on the asset according to the determined priority.

In order to solve the above technical problems, a control method of a cyber defense system according to an embodiment of the present invention identifies a plurality of assets, a plurality of tasks, and a plurality of tasks participating in a virtual battle environment according to a battle scenario, a relationship setting step of establishing a relationship between a task and a task, and a task and a task; A Bayesian network generation step of generating a Bayesian network using the relationship set in the relationship setting step, and calculating a conditional probability table value between each variable included in the generated Bayesian network; an inference step of assuming a specific task as a failure in the Bayesian network generated in the generation step, and inferring the impact of each asset; and an execution step of performing a countermeasure for the asset based on the result inferred in the reasoning step.

Preferably, in the calculation of the conditional probability value of each variable in the generation step, an asset performing the same function and a task performing the same function in the Bayesian network are set as one end relation group, and at least one of the assets tied to the end relation group is selected. If the asset is in the executable state, it does not affect the performance of the task related to the asset, and if at least one task among the tasks tied to the end relation group is in the executable state, it does not affect the performance of the task related to the task do.

Preferably, the calculation of the probability value of each variable in the generating step is characterized in that it is calculated by Equation 1 below.

Equation 1

Preferably, the reasoning step is characterized by using Bayes theorem.

Preferably, the relationship setting step is characterized in that an edge having an end relationship between an asset and a task, and a task and a task and an edge having an OR relationship are set, and the probability of each edge is set.

Preferably, the performing step is characterized in that the priority is determined based on the inferred result, and the action is performed on the asset according to the determined priority.

The cyber defense system and control method according to the present invention can implement a cyber defense system and control method capable of enhancing the cyber resilience and mission performance capability of the system from an enemy attack using a Bayesian network.

The present invention creates a Bayesian network for asset, task, and mission relationship, infers a failure probability using the generated Bayesian network, analyzes failure factors and assets for a specific task, and performs supplementation on the asset. It is possible.

The present invention analyzes the cause of failure for a mission, and gives priority to the assets providing the cause in the order in which preemptive measures are required, so that it is possible to strengthen quick resilience and the ability to perform the mission.

1 illustrates an overall configuration module of a cyber defense system according to an embodiment of the present invention.
2 shows an exemplary diagram of the Bayesian network generating module 200 according to an embodiment of the present invention.
3 shows a partial exemplary diagram of a Bayesian network with an AND relationship group according to an embodiment of the present invention.
4 shows an exemplary diagram of a conditional probability value table of a Bayesian network according to an embodiment of the present invention.
5 is a Bayesian network for an embodiment of inferring an asset that has provided a cause for the mission failure when it is assumed that the mission M1 has failed in the present invention.
6 shows an embodiment of each node in which the assets, tasks, and missions of FIG. 5 are applied to the cyber defense system of the present invention.
7 shows the extent to which each of the assets A1 to A14 affects the failure of the mission M1 when the mission M1 fails and is observed to be true T in the embodiment implemented in FIG. 5 . An example calculated by the probability value of (T) is shown.

Hereinafter, the embodiments disclosed in the present specification will be described in detail with reference to the accompanying drawings, but the same or similar components are assigned the same reference numerals regardless of reference numerals, and overlapping descriptions thereof will be omitted. The suffixes "part" and "group", "module" and "part", "unit" and "part", "device" and "system", "terminal" and "node" for components used in the description below. and "digital walkie-talkie" are given or mixed in consideration of the ease of writing the specification, and do not have distinct meanings or roles by themselves.

In addition, in describing the embodiments disclosed in the present specification, if it is determined that detailed descriptions of related known technologies may obscure the gist of the embodiments disclosed in the present specification, the detailed description thereof will be omitted. In addition, the accompanying drawings are only for easy understanding of the embodiments disclosed in the present specification, and the technical spirit disclosed herein is not limited by the accompanying drawings, and all changes included in the spirit and scope of the present invention , should be understood to include equivalents or substitutes.

Terms including an ordinal number, such as first, second, etc., may be used to describe various elements, but the elements are not limited by the terms. The above terms are used only for the purpose of distinguishing one component from another.

When a component is referred to as being “connected” or “connected” to another component, it is understood that the other component may be directly connected or connected to the other component, but other components may exist in between. it should be On the other hand, when it is mentioned that a certain element is "directly connected" or "directly connected" to another element, it should be understood that the other element does not exist in the middle.

The singular expression includes the plural expression unless the context clearly dictates otherwise.

In the present application, terms such as "comprises" or "have" are intended to designate that a feature, number, step, operation, component, part, or combination thereof described in the specification exists, but one or more other features It should be understood that this does not preclude the existence or addition of numbers, steps, operations, components, parts, or combinations thereof.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. It is apparent to those skilled in the art that the present invention may be embodied in other specific forms without departing from the spirit and essential characteristics of the present invention.

1 illustrates an overall configuration module of a cyber defense system according to an embodiment of the present invention.

The cyber defense system of the present invention basically includes a relationship setting module 100 that is equipped with computer hardware and software functions, identifies assets, tasks, and missions, and establishes relationships between elements.

Here, an asset can be defined as a configuration, process, application, program, etc. of all hardware components connected in the military operating environment and other system operating environments. And a task is a hardware and software configuration performed through one or more assets, and a task can be defined as a hardware and software configuration performed through one or more tasks.

The relationship setting module 100 identifies assets, tasks, and missions as a whole of the cyber defense system, and sets the relationship between assets and tasks and between tasks and tasks. As an example, the relationship setting module 100 identifies a plurality of assets, a plurality of tasks, and a plurality of missions participating in the virtual combat environment according to a battle scenario in a military operation environment, and sets the relationship between the assets and the tasks, and the tasks and the missions. do. One form of such an asset, task, and mission is illustrated in FIG. 6 .

The relationship setting module 100 sets an edge having an end relationship between an asset and a task, a task and a mission, and an edge having an OR relationship, and sets the probability of each edge. The configuration of setting the end edge and the or edge of the relationship setting module 100 and setting the probability of each edge is made by the system operator and is an initial setting value. For this purpose, although not illustrated, the cyber defense system of the present invention includes a user interface and a display device for displaying input information, inference result information, and the like. And the end edge, or edge, probability value of each edge, etc. set in the relationship setting module 100 infer the influence of the asset, which will be described later, and control such as change, update, addition, etc. can be made based on this.

The present invention includes a Bayesian network generation module 200 that generates a Bayesian network using the relationship set in the relationship setting module 100 . The generation module 200 calculates a conditional probability table value between variables included in the Bayesian network. Here, the variable represents all the components constituting the Bayesian network. In other words, a variable is every asset, every task, every mission.

In order to calculate the conditional probability table value of each variable of the generation module 200, assets having the same components and performing the same function in the Bayesian network are set as one end relation group. Since all the assets tied to the end relationship group perform the same function, if at least one asset is in an executable state, it has no effect on the performance of tasks related to the asset. Of course, it is under the premise that one asset is sufficient for multiple assets having the same function to perform a task.

Similarly, for calculating the conditional probability table value of each variable of the generation module 200, a task having the same components and performing the same function in the Bayesian network is set as one end relation group. Since the tasks bound to the end relationship group all perform the same function, if at least one task is in the operable state, it has no effect on the task performance related to the task. Of course, under the premise that one task is sufficient for a plurality of tasks having the same function to perform the task.

The conditional probability value calculation of each variable of the generating module 200 is calculated by Equation 1 to be described later.

The present invention includes an inference module 300 that utilizes the Bayesian network generation module 200 to infer the failure probability of an asset when a major mission fails. In the inference module 300 , it is assumed that the mission for which cyber resilience is requested has virtually failed, and the failure probability of the asset is inferred in that situation. The inference module 300 uses the known Bayes theorem.

The present invention includes a policy performing module 400 capable of analyzing major factors and assets that can fail a specific task through the reasoning module 300 and performing supplementation on the corresponding assets. The policy execution module 400 allows the asset to be supplemented with priority for the asset having a high probability of failure.

Therefore, the present invention analyzes the cause of failure for a mission, and determines the priority for the asset providing the cause, so that it is possible to identify the asset to be taken in advance, and the asset with a high probability of failure is preferentially assigned to the asset make a complement to

Thereafter, the present invention repeatedly re-executes the inference module 300 and the execution module 400 to continuously perform control to increase cyber resilience.

2 shows an exemplary diagram of the Bayesian network generating module 200 according to an embodiment of the present invention.

As shown, an asset (An), a task (Tn), and a task (Mn) and their relationships are shown. The illustrated Bayesian network is a configuration designed by integrating elements necessary for the present invention by utilizing a general Bayesian network. A mission is accomplished through one or more tasks, and a task is performed through one or more assets.

The edge (connection line) indicates the relationship between the tasks required to perform the task and the assets required to perform the task.

As an example, the assets required to perform the task (T1) are a combination of AND (A1) and (A2), and the assets required to perform the task (T2) are AND (A3) and (A4) ), and (A2) is OR-bonded. Also, the asset required to perform task (T3) is (A4). In addition, the task required to perform the mission (M1) is a configuration that combines (T1, T2, T3) with OR, and the task required to perform the mission (M2) is a configuration that combines (T2, T3) with OR. .

As described above, the relationship between the asset and the task and the relationship between the task and the mission are configured as an OR relationship or an end relationship, which is set in the relationship setting module 100 . In this case, the system operator (expert) identifies the assets, tasks, and missions participating in the virtual battle environment according to the battle scenario through the relationship setting module 100, and sets the relationship.

And the probability of an edge between an asset and a task represents the probability that the task will fail when each asset fails to function. Similarly, the probability of an edge between a task and a task represents the probability that each task will fail when it fails.

For example, the probability that the task T1 will fail is 0.6 when the asset A1 does not function properly, and the probability that the task T1 fails when the asset A2 does not function properly is 0.6. On the other hand, task T2 has a probability of failure of 0.8 when asset A2 fails, and a probability of failure of 0.9 when asset A3 and asset A4 fail, respectively. That is, the probability that the task will fail is variably determined according to each asset, which is preset in the relationship setting module 100 based on the influence of each asset on the task.

Also, if task (T1) does not function properly, the probability of failure of task (M1) is 0.8, and if task (T2) does not function, the probability of failure of task (M1) is 0.6, and task (T3) If this function fails, the probability that the mission (M1) will fail is 0.5. That is, the probability that the task will fail is variably determined according to each task, which is preset in the relationship setting module 100 based on the influence of each task on the task.

As described above, in the Bayesian network generation module 200 of the present invention, based on the setting of the probability and relationship configuration of the edge according to the relationship between the asset, task, task, and asset and task, task and task identified in the relationship setting module 100, Create a Bayesian network.

The relationship setting module 100 establishes a relationship with respect to the number of all cases so as to increase cyber resilience and mission performance capability. The relationship setting, edge probability, etc. of the relationship setting module 100 are set in the initial setting process, and thereafter, even in the operational state of the cyber defense system, it is possible to update based on addition of components or change of influence.

Meanwhile, in the present invention, the states of assets, tasks, and tasks are defined as two states: achievable and non-performable, and the impossible state is defined as true (1) and the achievable state is defined as false (0). This part will be described in detail later with reference to the conditional probability table of FIG. 4 .

3 shows a partial exemplary diagram of a Bayesian network with an AND relationship group according to an embodiment of the present invention.

As shown, assets (An) or tasks (Tn) performing the same function are grouped and displayed. For example, the asset A5 and the asset A6 have the same function 1, and when each of the assets A5 and A6 does not operate normally in performing the task T4, the same value (0.7) has a probability of failure. These two assets (A5 and A6) are defined as a group of end relationships to task (T4).

In addition, assets (A7, A8, A9) have the same function (2), and when each asset (A7, A8, A9) does not operate normally even in performing the task (T4), the failure probability ( 0.8). These three assets (A7, A8, A9) are defined as a group of end relationships to the task (T4).

In the state defined as above, in performing task A4, if asset A5 or asset A6 is in a performable state, it does not affect performance of task A4, and similarly, in performing task A4 The performance of task (A4) is not affected if either asset (A7) or asset (A8) or one of asset (A9) is performable. This relationship of configuration indicates that assets or tasks are duplicated or multiplexed in order to increase system availability when designing a cyber system. In the present invention, this is defined as the concept of an end (AND) edge and an end group.

Next, FIG. 4 shows an exemplary diagram of a conditional probability value table of a Bayesian network according to an embodiment of the present invention.

The illustrated probability table is a probability value for the task T2 illustrated in FIG. 2 . As shown in Fig. 2, the task T2 is constructed from the relationship between the asset A2, the asset A3, and the asset A4. And asset A2 has an OR relationship to task T2, where the edge probability is 0.8. Assets A3 and A4 have an end relationship to task T2, with an edge probability of 0.9 each.

The conditional probability value of each task and task shown in FIG. 4 is calculated by Equation 1 below. Also in the present invention, well-known expressions are used to obtain the conditional probability in the AND relationship and the conditional probability in the OR relationship. However, in the present invention, the calculation is performed using the following Equation 1 in the probability value calculation formula that fuses the AND relationship and the OR relationship, and the probability value calculation through the concept set for the AND group. .

Equation 1

As shown in Equation 1, the probability of the edge belonging to the end (AND) group is calculated, and the probability of the edge belonging to the OR relationship is calculated after viewing it as one node.

As for the end group, as described with reference to FIG. 3 , with respect to the end relationship group having the same function, in a state in which one asset is normally operated, it does not affect the performance of the task having the relationship.

Also, in Equation 1, the value at which the corresponding task will fail using N assets in the end group having the same function is determined as a value multiplied by _{the probability {p(e n )} of the edges of all assets.}

Also, in Equation 1, the value at which the corresponding task will fail by using the OR relationship asset is determined by _{the probability {p(e K )} of the edge of the asset.}

And in Equation 1 _{, when the state of all values Y k} is false (F), the probability value {p(Xi)} is determined to be 0. And in Equation 1, if _{the state of all values (Y k} ) is not false (F), subtract the value multiplied by the probabilities of all edges included in the end group from 1, and also the probability value of the edge of the OR relationship from 1 After subtracting, it is determined by multiplying the two values.

Next, the calculation process of the probability value for the number of each case in the conditional probability table of FIG. 4 is as follows.

First, if the number of probability cases for the assets (A2, A3, A4) is listed, there are 8 types (FFF, FFT, FTF, FTT, TFF, TFT, TTF, TTT) as 2^3. Here, F is defined as a state that can be executed without taking damage, false (0), and T is a state that cannot be executed, defined as true (1).

Looking at the number (FFF) in the first case, all the assets (A2, A3, A4) are in a state in which they can operate normally, so the values for all assets are false (F). In Equation 1, when the values of all assets are false, the probability value {p(Xi)} is set to 0. Therefore, the probability value T that the task T2 will fail is 0, and based on this, the probability value F that the task T2 will succeed becomes 1.

Looking at the number in the second case (FFT) and the number in the third case (FTF), the asset (A2) has a relationship of an ora to the task (T2), and the assets (A3, A4) have an end relationship. In addition, the asset A2 always has a false (F) value that can operate normally, and only one of the assets A3 and A4 in the end relationship has a false (F) value that can operate normally.

Two assets A3 and A4 having an end relationship through the definition of an end relationship group of the present invention do not affect the performance of the task T2 if one is in a state in which normal operation is possible. Therefore, in the second and third cases, the probability T that the task T2 will fail is 0, and based on this, the probability value F that the task T2 will succeed becomes 1.

Looking at the number (FTT) in the fourth case, the asset (A2) has a false (F) value that can operate normally, and the two assets (A3, A4) having an end relationship are true (T) in which normal operation is impossible. have a value

In this case, the assets (A3, A4) having the end relationship have a probability of 0.8 for all edges, and in Equation 1, for the end group relationship components, the edge of all the edges corresponding to all assets (A3, A4). It is determined by multiplying the probability. That is, it is calculated as 0.9 * 0.9 = 0.81, so the probability that the task T2 will fail becomes 0.81. Based on this, the probability value F that the task T2 succeeds in the number of the fourth case is calculated as 1-0.81 = 0.19.

Next, the number in the fifth case (TFF), the number in the sixth case (TFT), and the number in the seventh case (TTF) are the values of true (T) in which an asset (T2) with an OR relationship cannot operate normally. , and two assets (A3 and A4) having an end relationship have a false (F) value in which at least one asset can operate normally.

In this case, the performance of the task T2 from the assets A3 and A4 with the end relationship is not affected, but since the asset A2 with the orphan relationship has a value of true T, the task T2 The probability value T that will fail becomes the probability value of the edge of the asset A2. Accordingly, the probability value T that the task T2 will fail is 0.8, and based on this, the probability value F that the task T2 will succeed is calculated as 1-0.8 = 0.2.

Finally, in the eighth case number (TTT), the asset (A2) in the or relationship has a true value (T), and the assets (A3, A4) in the end relationship also have a value (T) of true.

In this case, referring to Equation 1, the probability of the relationship between the first and end groups is obtained, the probability of the second OR relationship is obtained, and then the third end relationship and the OR relationship are fused. Therefore, the probability that the task (T2) fails from the two assets (A3 and A4) is determined by the multiplied value of all edge values belonging to the end group. That is, 0.9 * 0.9 = 0.81.

It can be seen that the true probability of the edge for the asset (A2) of the following OA relationship is 0.8.

And, in the present invention, the desired probability value is calculated by fusing the calculated end relation value and the OR relation value. Referring back to Equation 1, when the probability value for the asset (A2,A3,A4) is (T,T,T), the probability (F) that the task (T2) will succeed is (the value of the 1-end relationship) * It is calculated as (1- the value of the five relationships) = (1-0.81) * (1-0.8) = 0.19 * 0.2 = 0.038. Based on this, the probability T that the task T2 will fail is calculated as 1-0.038 = 0.962.

As such, when the conditional probability table for all assets, tasks, and tasks is determined under the condition of Equation 1, it is possible to assume failure of the main task of the Bayesian network as an observation value and to infer the influence of the assets.

Next, FIG. 5 configures an embodiment of inferring an asset that provided a cause for the mission failure as a Bayesian network, assuming that the mission M1 has failed in the present invention.

5 shows a Bayesian network constituting the relationship between 14 assets from A1 to A14, five tasks from T1 to T5, and two tasks M1 and M2. The initial attack probability of all assets is set to be equal to 0.3, and the damage propagation probability of the asset and the damage propagation probability of the task are the same as the values displayed on each edge. And between the asset and the task, and between the task and the mission, the construction of an end relationship, an OR relationship, is connected. And assuming that the mission (M1) has failed, the probability that each asset will fail is calculated through the inference probability of a general Bayesian network.

6 shows an embodiment of each node in which the assets, tasks, and missions of FIG. 5 are applied to the cyber defense system of the present invention.

In the illustrated embodiment, the system has two missions, M1 denotes surface-to-air attack defense, and M2 denotes air-to-air attack defense. There are 5 tasks to perform this mission, T1 is air target detection in surface-to-air defense mission, T2 is aerial target shooting down in surface-to-air defense mission, T3 is information sharing, T4 is air target detection in air-to-ground defense mission , T5 stands for aerial target shooting in air-to-ground defense missions. And there are 14 assets supporting this task: A1 and A2 are radar transceivers, A3 are radar signal processors, A4 and A5 are missile launchers, A6 and A7 are tactical data link equipment, and A8 and A9 are tactical data link equipment. , A10 and A11 are radar transceivers, A12 are radar signal processors, and A13 and A14 are missile launchers.

Referring to FIG. 5 applying this embodiment to the Bayesian network, it can be seen that the asset A1 and the asset A2 have the same function as the radar transceiver and are configured as an end relationship in the task T1. And asset A3 is configured in a relationship with task T1 as a configuration of a radar signal processor. And asset A4 and asset A5 are configured as an end relationship to task (T2) as a missile launcher, asset A6 and asset A7 function as tactical data link equipment (1), and assets A8 and asset A9 function as tactical data link equipment ( As 2), task T3 is connected with an end relational structure. And three tasks (T1, T2, T3) are connected to the task (M1) with an OR relational structure.

Also, similarly, assets and tasks are additionally connected to compose mission M2.

That is, multiple assets, multiple tasks, and multiple missions participating in the virtual battle environment are identified according to the tactical scenario, and relationships between assets and tasks and tasks and missions are set as shown in FIG. 6 .

It is assumed that the task M1 obtained as a result of the inference has failed, and the value calculated using the known conditional probability of the known Bayesian network for the probability that each asset has failed is shown in FIG. 7 .

That is, FIG. 7 shows that when the mission M1 fails in the embodiment implemented in FIG. 5 , that is, when the mission M1 is observed to be true T, each of the assets A1 to A14 is true T ) is the value obtained by calculating the probability that Afterwards, it becomes possible to improve the resilience of the cyber defense system by starting with the assets with high probability in the cyber defense system.

On the other hand, referring to FIG. 7 , in which the effect of an asset upon failure for the mission M1 is inferred, by using the known Bayes theorem in the Bayesian network configured in the embodiment of FIG. 5 , the following items can be confirmed.

First, there is no significant difference in the basic probability that each of the assets A1 to A14 configured in FIG. 5 may fail. That is, when it is desired to improve the stability of an asset in order to increase the cyber resilience of the cyber defense system of the present invention with reference only to the embodiment of FIG. 5 , it is not easy to select a priority for the asset to be supplemented. However, assuming that the mission (M1) failed through the known Bayes theorem, and obtaining the failure probability of the assets that would have had an effect on the failure of the mission (M1), it was confirmed that the asset (A3) was significantly higher.

Therefore, it can be confirmed that the cyber defense system of the present invention must first perform the supplementation of the asset A3 in order to increase the cyber resilience of the cyber defense system through such inference. Also, based on the results obtained, the prioritization of asset supplementation can be determined. Therefore, according to the present invention, it becomes possible to select a supplemental priority for an asset to efficiently increase the mission stability of the system.

The above detailed description should not be construed as restrictive in all respects and should be considered as exemplary. The scope of the present invention should be determined by a reasonable interpretation of the appended claims, and all modifications within the equivalent scope of the present invention are included in the scope of the present invention.

100: relationship setting module
200: generation module
300: inference module
400: execution module

Claims (12)

a relationship setting module for identifying a plurality of assets, a plurality of tasks, and a plurality of tasks participating in the virtual battle environment according to a battle scenario, and establishing a relationship between assets and tasks and tasks and tasks;
a Bayesian network generation module for generating a Bayesian network using the relationship set in the relationship setting module, and calculating a conditional probability table value between each variable included in the generated Bayesian network;
an inference module that assumes a specific task as a failure in the Bayesian network generated by the generation module and infers the impact of each asset; and
A cyber defense system including an execution module that performs countermeasures against assets based on the results inferred from the reasoning module.
The method according to claim 1,
In the calculation of the conditional probability value of each variable in the generation module, assets performing the same function and tasks performing the same function in the Bayesian network are set as one end relation group,
If at least one asset among the assets tied to the end relationship group is in a performable state, it does not affect the performance of tasks related to the asset;
A cyber defense system that does not affect the performance of tasks related to tasks when at least one task among tasks bound to the end relation group is in a operable state.
3. The method according to claim 2,
The calculation of the conditional probability value of each variable of the generation module is calculated by Equation 1 below.
Equation 1

4. The method according to claim 3,
The reasoning module is a cyber defense system that uses Bayes theorem.
The method according to claim 1,
The relationship setting module is a cyber defense system that sets an edge with an end relationship between an asset and a task, and an edge with an end relationship between a task and a mission, and an edge with an OR relationship, and sets the probability of each edge.
The method according to claim 1,
The execution module is a cyber defense system that determines priorities based on the inferred results and performs actions on assets according to the determined priorities.
a relationship setting step of identifying a plurality of assets, a plurality of tasks, and a plurality of missions participating in the virtual battle environment according to the battle scenario, and establishing a relationship between the assets and the tasks, and between the tasks;
A Bayesian network generation step of generating a Bayesian network using the relationship set in the relationship setting step, and calculating a conditional probability table value between each variable included in the generated Bayesian network;
an inference step of assuming a specific task as a failure in the Bayesian network generated in the generation step, and inferring the impact of each asset; and
A control method of a cyber defense system comprising an execution step of performing a countermeasure for an asset based on the result inferred in the inference step.
8. The method of claim 7,
In the calculation of the conditional probability value of each variable in the generation stage, assets performing the same function and tasks performing the same function in the Bayesian network are set as one end relation group,
If at least one asset among the assets tied to the end relationship group is in a performable state, it does not affect the performance of tasks related to the asset;
A control method of a cyber defense system that does not affect the performance of a task related to the task when at least one task among tasks bound to the end relation group is in an executable state.
9. The method of claim 8,
The calculation of the probability value of each variable in the generation step is a control method of a cyber defense system calculated by Equation 1 below.
Equation 1

10. The method of claim 9,
The reasoning step is a control method of a cyber defense system using Bayes theorem.
8. The method of claim 7,
In the relationship setting step, an edge with an end relationship between an asset and a task, a task and a mission, and an edge with an OR relationship are set, and the probability of each edge is set. A control method of the cyber defense system.
8. The method of claim 7,
The execution step is a control method of a cyber defense system that determines a priority based on the inferred result, and performs an action on an asset according to the determined priority.

Images