CN112114579B - A security measurement method for industrial control systems based on attack graph - Google Patents
Publication number: CN112114579B (application CN202011043060.3A)
Authority: CN (China)
Prior art keywords: node, vulnerability, attack, information, equipment
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B23/00—Testing or monitoring of control systems or parts thereof
- G05B23/02—Electric testing or monitoring
- G05B23/0205—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
- G05B23/0259—Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
- G05B23/0275—Fault isolation and identification, e.g. classify fault; estimate cause or root of failure
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Description
Technical Field
The invention relates to an industrial control system security measurement method based on an attack graph, and belongs to the technical field of network security.
Background Art
In recent years, industrial control systems have gradually moved toward informatization, which has not only introduced the diverse methods of the Internet but also exposed industrial control systems to attack threats on many fronts. Highly informatized industrial control systems must cope with changes in the network environment and with the potential impact of network components on the system. To address the increasingly complex operating environment of industrial control systems and the diversification of attack methods, a security measurement method for industrial control systems based on attack graphs is proposed: by integrating vulnerability and topology information, it displays the potential attack paths of the industrial control system, visualizes the security measurement process, provides data support for subsequent system security analysis, and protects mission-critical assets from potential threat sources.
For example, Chinese patent document CN110533754A provides an interactive attack graph display system and display method based on a large-scale industrial control network. The display system includes a json file construction module, a network topology generation module, a scene roaming processing module, an attack graph generation module and an interactive event processing module; the method starts from the attack target and generates the attack graph in reverse, which greatly reduces the complexity and usability of the attack graph. The attack graph display system is interactive, allowing users to switch attack targets by clicking and to generate real-time key attack paths for the chosen target, which greatly improves the visual management of the attack graph. It makes network security analysis and evaluation convenient for security operations and maintenance personnel and security analysts, and can effectively help network security incident handlers identify network attack paths early and defend key points.
Chinese patent document CN108156114A provides a method and device for determining the key nodes of a network attack graph of an electric power cyber-physical system. The method comprises: obtaining at least one characteristic value for every node in the attack graph; determining the weight of each characteristic value; and determining the key nodes from all the nodes according to the at least one characteristic value and the weights. By obtaining at least one characteristic value for every node in the attack graph, the importance of each node can be quantified; by determining the weight of each characteristic value, the characteristic values can be balanced against one another; finally, the key nodes are determined from all nodes according to the characteristic values and their weights, with all nodes considered together. Key nodes of the system attack graph are thereby identified from multiple aspects and dimensions, which resolves the uncertainty about where attack graph security protection should focus.
Chinese patent document CN108629474A discloses a process safety assessment method based on an attack graph model, which includes the following steps: designing security nodes according to the security attributes of the security control system; forming a process plan from the designed nodes according to the business process logic; realizing the design of the process plan by building a tree diagram; modeling the designed process plan for evaluation and generating an evaluation conclusion through evaluation calculation. The process plan evaluation establishes a process safety evaluation system, a reliability evaluation system and an operating efficiency evaluation system, and based on the evaluation values of these three systems' indicators, a comprehensive evaluation result of the system is given through a comprehensive scoring model; according to the importance, feasibility and complexity parameter levels of the weak security nodes, an optimization strategy for the current process plan is given. This method removes the uncertainty caused by human intervention and improves the accuracy, reliability and efficiency of safety assessment results.
At present, there are few security measurement methods for industrial control systems, system-wide security measurement schemes are lacking, and existing methods cannot take into account the vulnerability relationships between system devices. Because the topology of industrial control systems is relatively complex and the selection and quantification of security indicators is difficult, current security measurement schemes are mostly qualitative. Therefore, to achieve a global, quantitative measurement of industrial control system security, a global security measurement method for industrial control systems is urgently needed.
Summary of the Invention
In view of the shortcomings of the prior art, the present invention provides a security measurement method based on an industrial control system attack graph. The attack graph represents detailed information about the attack process against the industrial control system as a graph structure. The method takes into account the special hierarchical structure of industrial control system devices together with their vulnerabilities and dependencies, builds association models between devices and vulnerabilities and between devices, and displays the possible attack paths. Finally, the method combines the attack paths with the indicators in the attack graph to achieve a global security measurement of the industrial control system.
Terminology:
1. CVE-NVD (Common Vulnerabilities and Exposures - National Vulnerability Database).
2. CNNVD (China National Vulnerability Database of Information Security).
3. ICS (Industrial Control System) Vulnerability Database.
4. CWE (Common Weakness Enumeration).
5. CAPEC (Common Attack Pattern Enumeration and Classification).
6. Exploitability: the probability that a vulnerability is successfully exploited to achieve the attack effect.
7. Vulnerability hazard: the severity of the impact caused by successful exploitation of the vulnerability.
The technical solution of the present invention is as follows:
A security measurement method for industrial control systems based on attack graphs includes the following steps:
Step 1: obtain the topology information of the industrial control network, detect the devices of a specific industrial control system, gather the device information within the industrial control network, and analyze the associations between devices;
Step 2: based on the detection results for the devices in the industrial control network, collect device vulnerability information;
Step 3: based on the topology and the device vulnerability information, store the data in graph form using a graph database method, represent the graph structure with nodes and relationships, and generate the system attack graph;
Step 4: based on the generated system attack graph, perform network security measurement of the specific industrial control system at three levels (vulnerability node measurement, device node measurement and system security measurement) and analyze the attack paths.
Preferably, in Step 1, the GRASSMARLIN tool is used to obtain the industrial control network topology information.
Preferably, in Step 1, obtaining the industrial control network topology information includes the topology plan in the system design documents, the system configuration, and the access control rules of the security devices; according to the system design documents and the access control rules of the security devices, the connections between system devices are read and extracted to reconstruct the system topology.
Preferably, in Step 1, detecting the devices of a specific industrial control system means using the GRASSMARLIN tool to monitor the industrial control system topology in real time so as to detect devices newly added to the system; GRASSMARLIN collects information about the monitored system passively, which reduces the impact of detection on the operating state of the devices in the industrial control system.
Preferably, in Step 1, gathering the device information within the industrial control network means reading the device information in the system design documents and system configuration files and extracting the device type, device model and system version as the data basis for the subsequent acquisition of device vulnerability information.
Preferably, in Step 1, analyzing the associations between devices means formatting the relationships between devices according to the system topology information obtained from the system design documents, system configuration files and access control rules of the security devices, and uniformly defining the connection between devices as link: A link B means that device A has a link to device B and A can access B; link is a directed relationship.
Preferably, while the GRASSMARLIN tool monitors the industrial control system topology in real time, its detection results are stored in XML format. The GRASSMARLIN results are read periodically at a low frequency and relationships are extracted for updated devices: newly added devices are added to the system, the system devices that exchange information with the new devices are updated, connections whose source IP and destination IP fall in the same group are merged and redundant data is removed, so that the system topology is acquired dynamically; at the same time, the original and updated topology data are sorted in detection order.
Preferably, in Step 2, collecting device vulnerability information includes building a vulnerability information database and acquiring device vulnerabilities;
Building the vulnerability information database includes vulnerability information collection and vulnerability information processing. Vulnerability information collection builds a security knowledge base with the CVE-NVD vulnerability database as its core, CNNVD and the ICS Vulnerability Database as extended security databases, and CWE and CAPEC as vulnerability association databases; the collected vulnerability information is stored in a MySQL database. Vulnerability information processing takes the CNNVD and CVE vulnerability knowledge bases as its core, matches and associates all vulnerability information imported into the MySQL database, introduces CWE as the basis for weakness description, weakness classification and exploitability judgment, and combines it with CAPEC to describe the preconditions, required technical skills, method and consequences of exploiting a vulnerability;
Acquiring device vulnerabilities uses a scanning tool to scan the system devices for vulnerabilities: the scanning tool is configured according to the system device information already acquired, and the scan of device vulnerability information is completed. Then, based on the device vulnerability information obtained from the scan, devices and vulnerabilities are associated; one device may be associated with one or more vulnerabilities, and the connection between a device and a vulnerability is defined as has_vul_at, where DEVICE1 has_vul_at VUL1 means that device 1 has the vulnerability numbered VUL1. The device vulnerability information is matched against the vulnerability information database, and for each vulnerability an atomic attack template of the form "CNNVD description - CVE vulnerability number - CWE weakness report - CAPEC attack method - CVSS score" is obtained, which provides the input data for the subsequent generation of the attack graph.
Preferably, in Step 3, the nodes of the attack graph include device nodes and vulnerability nodes;
Device node information includes the service on which the device vulnerability resides, the open port information and the IP information; it is stored as the attributes of the device node and is described by a five-tuple: device IP, device name, vulnerable service, service protocol and service port;
Vulnerability node information includes the CVE\CNNVD number, CWE classification, privilege escalation capability flag and CVSS score from the atomic attack rule; it is attached as node attributes to the vulnerability node identified by the vulnerability ID and is described by a four-tuple: vulnerability ID, vulnerability number, vulnerability type and vulnerability score;
According to the results of the network topology analysis and the vulnerability information collection, the data is preprocessed and summarized into a device information table, a vulnerability information table and a device relationship table, which form the input of the attack graph generation algorithm.
Preferably, in Step 3, the system attack graph is generated in a Neo4j graph database, following the property graph model for storing and managing data: nodes in the attack graph represent entities and relationships represent the connections between entities. The node attributes of the attack graph are filled from the device information table and the vulnerability information table, the node relationships are filled from the device relationship table, a start node and a target node are selected, and the attack graph is generated through multiple traversals.
Preferably, in Step 4, vulnerability node measurement quantifies the exploitability and the vulnerability hazard of each vulnerability node according to the scanned device vulnerability information. The exploitability of a vulnerability node is defined by the "attack likelihood" field of the CAPEC library: the attack likelihood {low, medium, high} is quantified as {0.3, 0.6, 0.9}, where a low score indicates a low likelihood of attack and a high score a high likelihood. The hazard score of a vulnerability node uses the vulnerability assessment score of the Common Vulnerability Scoring System (CVSS), out of a maximum of 10 points; the higher the score, the greater the vulnerability hazard, and the lower the score, the smaller the hazard.
Preferably, in Step 4, device node measurement quantifies the attack probability of the device node and the device node risk score;
a. Attack probability of a device node
For the vulnerability nodes connected to each device node, the attack probability of the device node is calculated from their exploitability, as in Formula I:
where U_self is the attack probability of this device node, u_i is the exploitability of the i-th vulnerability node connected to the device node, and k is the number of vulnerability nodes connected to the device node; the more vulnerability nodes are connected to a device node, the higher its attack probability;
b. Device node risk score
Using the exploitability of the connected vulnerability nodes as weights, a weighted hazard calculation over the vulnerability nodes gives the risk score of the device node, as in Formula II:
where R_self is the risk score of this device node, u_i and u_j are the exploitability of the i-th and j-th vulnerability nodes connected to the device node, and r_i is the vulnerability hazard of the i-th vulnerability node connected to the device node.
Preferably, in Step 4, system security measurement includes start node measurement and non-start node measurement;
a. Start node measurement
Since privileges on the start node have already been obtained, it is not itself subject to attack, so the attack probability of the start device node defaults to 1, meaning that full privileges on that device have been obtained; since the start node has no predecessor nodes and its in-degree is 0, the risk score of the start node equals its own risk score;
b. Non-start node measurement
A non-start node considers not only its own connected vulnerability nodes but also the attack probability and device risk score of the upper-layer device nodes, and calculates the cumulative attack probability and device risk score from the upper-layer device nodes to the device node in the current layer; the system security measure is calculated from the risk scores of device nodes accumulated over multiple layers;
The attack probability of a non-start node is calculated as in Formula III:
where d_i is the in-degree of the node and U_m is the attack probability of the m-th upper-layer node connected to the device node. This measure takes into account the in-degree of the node and the influence of the upper-layer nodes' attack probability on the node in the current layer: the larger the in-degree, the higher the attack probability of the node; the higher the attack probability of the upper-layer nodes, the higher the attack probability of the node in the current layer;
The risk score of a non-start node is calculated as in Formula IV:
where U_m and U_n are the attack probabilities of the m-th and n-th upper-layer nodes connected to the device node, and R_m is the risk score of the m-th upper-layer node connected to the device node;
The risk score of a non-start node takes into account the influence of the upper-layer nodes' attack probability on the node in the current layer and, at the same time, accumulates the risk scores of the upper-level nodes: the larger the in-degree, the higher the risk score of the node; the higher the attack probability of the upper-layer nodes, the higher the risk score of the node in the current layer; the higher the risk score of the upper-layer nodes, the higher the risk score of the node in the current layer. Finally, the risk score R_dest of the target node is obtained by cumulative calculation over the multi-layer attack path.
Preferably, in Step 4, attack paths include nested paths and parallel paths. The key attack paths are analyzed quantitatively in combination with the system security measures, and an asset value indicator is introduced into the analysis. Asset value is determined jointly by the in/out degree of the node and the asset importance; the asset importance indicator divides assets into ten levels from 1 to 10, where 10 is very important and 1 is very unimportant. At the same time, the in/out degrees of the nodes appearing in the current attack graph are normalized against the highest in/out degree; the in/out degree of the start node and the target node defaults to 1 and is not down-weighted. Finally, the asset value is the product of the asset importance and the in/out degree, as in Formula V:
P_value = P_significance * d_io (V)
where P_value is the asset value, P_significance is the asset importance, and d_io is the normalized in/out degree of the node;
a. Nested path analysis
The node set of a nested path does not include the common start node. For this case the key path is selected by the following calculation:
where Path_sign is the path criticality index, U_j is the attack probability of the j-th device node in the path set, R_i is the risk score of the i-th device node in the path set, and P_value_i is the asset value of the i-th device node in the path set. The key path among nested paths is determined mainly by the number of attack hops: in general the path with fewer attack hops is the key path, and a path with more attack hops can become the key path only when the attack probability and risk score of the intermediate hop nodes are both large;
b. Parallel path analysis
The path set of parallel attack paths consists of the N parallel nodes that remain after removing the common start node and end node. For this case the key path is selected by the following calculation:
Path_sign = max{U_i * R_i * P_value_i}, i = 1, 2, ..., k (VII)
where U_i is the attack probability of the i-th device node in the path set, R_i is the risk score of the i-th device node in the path set, and P_value_i is the asset value of the i-th device node in the path set; finally, the key path is selected by comparing the criticality indices of the N parallel paths;
Combining the analysis results for nested paths and parallel paths, the importance of the multiple paths is calculated from the quantitative indicators and the key attack paths are obtained.
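The graph model of Steps 1 to 3 (device five-tuple, vulnerability four-tuple, the directed link and has_vul_at relationships, the CAPEC likelihood quantization of Step 4) together with the asset value of Formula V and the parallel-path selection of Formula VII, as an added Python example that is not part of the patent. Formulas I to IV and VI are not reproduced on this page, so the per-node attack probabilities U_i and risk scores R_i are supplied as constructed inputs; all device names, addresses and scores below are constructed.

```python
"""Added example, not the patent's own code: an in-memory model of the attack
graph from Steps 1-3 plus Formula V (asset value) and Formula VII (parallel
path criticality) from Step 4. Formulas I-IV and VI are not shown on the page,
so attack probabilities U_i and risk scores R_i are constructed inputs here."""
from __future__ import annotations
from dataclasses import dataclass, field

# Step 4: CAPEC "attack likelihood" {low, medium, high} -> {0.3, 0.6, 0.9}
EXPLOITABILITY = {"low": 0.3, "medium": 0.6, "high": 0.9}


@dataclass
class Vulnerability:
    """Four-tuple of Step 3: vulnerability ID, number, type (CWE), CVSS score."""
    vul_id: str
    number: str        # CVE/CNNVD number
    cwe: str           # vulnerability type
    cvss: float        # hazard score, 0..10
    likelihood: str    # CAPEC attack likelihood: "low" / "medium" / "high"

    @property
    def exploitability(self) -> float:
        return EXPLOITABILITY[self.likelihood]


@dataclass
class Device:
    """Five-tuple of Step 3 plus the asset importance used by Formula V."""
    ip: str
    name: str
    service: str       # service carrying the vulnerability
    protocol: str
    port: int
    significance: int  # asset importance, 1 (very unimportant) .. 10 (very important)
    vulnerabilities: list[Vulnerability] = field(default_factory=list)  # has_vul_at


class AttackGraph:
    def __init__(self) -> None:
        self.devices: dict[str, Device] = {}
        self.links: set[tuple[str, str]] = set()  # (A, B) means "A link B" (directed)

    def add_device(self, dev: Device) -> None:
        self.devices[dev.name] = dev

    def link(self, src: str, dst: str) -> None:
        self.links.add((src, dst))

    def degree(self, name: str) -> int:
        """In-degree plus out-degree (d_io before normalization)."""
        return sum(1 for s, d in self.links if name in (s, d))

    def asset_values(self, start: str, target: str) -> dict[str, float]:
        """Formula V: P_value = P_significance * d_io.  d_io is the degree divided
        by the highest degree in the graph; start and target keep d_io = 1."""
        max_deg = max((self.degree(n) for n in self.devices), default=0) or 1
        values = {}
        for name, dev in self.devices.items():
            d_io = 1.0 if name in (start, target) else self.degree(name) / max_deg
            values[name] = dev.significance * d_io
        return values


def parallel_critical_path(graph: AttackGraph, start: str, target: str,
                           parallel: list[str], U: dict[str, float],
                           R: dict[str, float]) -> tuple[str, float]:
    """Formula VII for N parallel paths start -> X_i -> target:
    Path_sign = max{U_i * R_i * P_value_i}.  Returns the chosen middle node and its index."""
    values = graph.asset_values(start, target)
    scores = {n: U[n] * R[n] * values[n] for n in parallel}
    best = max(scores, key=scores.get)
    return best, scores[best]


def build_sample() -> tuple[AttackGraph, str, str, list[str], dict, dict]:
    """Constructed ICS sample: the HMI (start) reaches the PLC (target) through
    either an engineering workstation or a historian (two parallel paths)."""
    g = AttackGraph()
    g.add_device(Device("10.0.0.10", "HMI", "vnc", "tcp", 5900, significance=6))
    g.add_device(Device("10.0.0.20", "ENG", "smb", "tcp", 445, significance=8,
                        vulnerabilities=[Vulnerability("V1", "CVE-XXXX-XXXX", "CWE-287", 7.0, "medium")]))
    g.add_device(Device("10.0.0.30", "HIST", "opc-ua", "tcp", 4840, significance=5,
                        vulnerabilities=[Vulnerability("V2", "CVE-XXXX-XXXX", "CWE-78", 5.0, "high")]))
    g.add_device(Device("10.0.0.40", "OPC", "opc-da", "tcp", 135, significance=4))
    g.add_device(Device("10.0.1.5", "PLC", "modbus", "tcp", 502, significance=10))
    for a, b in [("HMI", "ENG"), ("HMI", "HIST"), ("HMI", "OPC"),
                 ("OPC", "HIST"), ("ENG", "PLC"), ("HIST", "PLC")]:
        g.link(a, b)
    # Constructed stand-ins for the outputs of Formulas I-IV (not on the page)
    U = {"ENG": 0.6, "HIST": 0.9}
    R = {"ENG": 7.0, "HIST": 5.0}
    return g, "HMI", "PLC", ["ENG", "HIST"], U, R


if __name__ == "__main__":
    g, start, target, parallel, U, R = build_sample()
    print(g.asset_values(start, target))
    print(parallel_critical_path(g, start, target, parallel, U, R))
```

In the sample the less important but better-connected and more exploitable historian path wins (22.5 against 22.4), which is the effect of the degree-based asset value that the text describes.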
A server, comprising:
one or more processors;
a storage device on which one or more programs are stored,
such that, when the one or more programs are executed by the one or more processors, the one or more processors implement the attack graph-based industrial control system security measurement method described above.
A computer-readable medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the attack graph-based industrial control system security measurement method described above.
Technical features and beneficial effects of the present invention:
1. The present invention takes CVE-NVD as the core, CNNVD and the ICS Vulnerability Database as extended security databases, and CWE and CAPEC as vulnerability association databases to build a single overall security knowledge base. Combined with the scan results of multiple tools, isolated data is screened, associated and fused to generate an attack graph suited to industrial control systems, and system security is measured in layers to provide decision support and situational awareness. Based on vulnerability dependencies, the method associates network threats with industrial control system devices, discovers potential threats as fully as possible, greatly shortens the analysis cycle of industrial control system security measurement, improves measurement efficiency, and lays a foundation for protecting industrial control systems.
2. The method is a security measurement method for industrial control systems based on attack graphs. Using asset detection, vulnerability scanning, vulnerability exploitation, attack graph generation from graph data and layered security measurement, it can visualize system attack paths and measure the security of the system under test, safeguarding the secure operation of industrial control systems; it can cover many kinds of vulnerabilities and industrial control device types, can generate attack graphs for any start point and attack target, and can provide data support for further system analysis. Its practical scope includes generating attack graphs for arbitrary attack start points and targets in industrial control systems and measuring industrial control system security, providing data support for security analysis of industrial control systems, with very broad application prospects.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is an architecture diagram of the attack graph-based security measurement method;
Figure 2 is a schematic diagram of the topology of an industrial control system;
Figure 3 is a schematic diagram of the vulnerability information association of an attack template;
Figure 4 is a flow chart of the attack graph generation algorithm;
Figure 5 is a schematic diagram of attack graph generation;
Figure 6 is a schematic diagram of attack paths, where (a) shows a nested attack path and (b) shows parallel attack paths.
DETAILED DESCRIPTION
The present invention is further described below by way of embodiments with reference to the accompanying drawings, but is not limited to them.
Embodiment 1:
This embodiment provides an attack graph-based security measurement method for industrial control systems. It comprises the following four steps; the overall architecture of the method is shown in Figure 1:
Step 1: obtain the topology of the industrial control network, probe the devices of the specific industrial control system (the target system whose security is to be measured), collect the device information within the industrial control network, and analyze the associations between devices.
The first step is the foundation: it mainly obtains each target device's own information and its associations within the whole industrial control network.
Step 2: based on the probing results of step 1, namely the device information and device associations of the specific industrial control system, collect device vulnerability information.
Step 3: based on the topology and the device vulnerability information, store the data in a graph format using a graph-database approach, represent the graph structure with nodes and relationships, and generate the system attack graph.
Step 4: based on the generated system attack graph, measure the network security of the specific industrial control system at three levels (vulnerability node measurement, device node measurement and system security measurement) and analyze the attack paths.
Specifically, in step 1 the GRASSMARLIN tool is used to obtain the industrial control network topology. The topology information obtained includes the topology plan in the system design documents, the system configuration and the access control rules of the security devices; from the design documents and the access control rules, the connections between system devices are read and extracted to reconstruct the system topology. At the same time, the device information in the system design documents and system configuration files is read, and the device type, device model and system version are extracted as the data basis for obtaining device vulnerability information.
In addition, because industrial control systems are fragile and have real-time requirements, GRASSMARLIN is also used to monitor the industrial control system topology continuously so that devices newly added to the system are detected (the ultimate purpose being dynamic updating of the system attack graph). GRASSMARLIN collects information about the probed system passively, which reduces the effect of probing on the working state of the devices in the industrial control system. This is the topology information collection shown in Figure 1.
While GRASSMARLIN monitors the industrial control system topology, its probing results are stored in XML format. These results are read periodically at a low frequency (the interval depends on the particular system and is set by the technical staff). Relations are extracted for the updated devices, newly added devices are added to the system, and the system devices that exchange information with the new devices are updated. Connections whose source IP and destination IP belong to the same group are simplified and redundant data is removed, so that the system topology is obtained dynamically. At the same time, the original data and the updated data are sorted into topology data in the order in which they were detected.
Collecting the device information within the industrial control network means reading the device information in the system design documents and system configuration files and extracting the device type, device model and system version as the data basis for the subsequent acquisition of device vulnerability information.
Analyzing the device associations means formatting the relationships between devices according to the system topology information obtained from the system design documents, the system configuration files and the access control rules of the security devices. The connection between devices is uniformly defined as link: "A link B" means that device A has a link to device B, i.e. A can access B; link is a directed relation.
In step 2, collecting device vulnerability information comprises building the vulnerability information database and acquiring device vulnerabilities.
Building the vulnerability information database comprises vulnerability information collection and vulnerability information processing. Collection takes the CVE-NVD database as the primary source, CNNVD and the ICS Vulnerability Database as supplementary security libraries, and CWE and CAPEC as vulnerability association libraries to build the security knowledge base; the collected vulnerability records are stored in a MySQL database. Processing takes the CNNVD and CVE knowledge bases as the primary sources, matches and associates all vulnerability records imported into the vulnerability information database (the MySQL database), introduces CWE as the basis for weakness description, weakness classification and exploitability judgement, and combines CAPEC to describe the preconditions, required technical capability, method and consequences of exploiting a vulnerability.
The collected vulnerability information items include: vulnerability name, CNNVD number, base score, CVE number, severity level, vulnerability type, publication time, update time, threat type, vendor, vulnerability description, solution, affected entity, patch, CWE number, CWE name, weakness description, other related weaknesses, mode of weakness introduction, application impact of the weakness, related attack patterns, likelihood of attack, attack domain, attack mechanism, prerequisites and required skills.
The vulnerability information association of the attack template is shown in Figure 3. Taking the CVE-NVD knowledge base as the primary source, the vulnerability name, CNNVD number, CVE number, severity level, vulnerability type, publication time, update time, threat type, vendor, vulnerability description, solution, affected entity and patch are filled in from the CNNVD vulnerability details page. Each CNNVD number corresponds to a CVE number, through which the record is associated with the vulnerability information on the CVE page. The CVE page provides the associated CWE number, which links the record to the CWE weakness database. The Common Weakness Enumeration (CWE) classifies weaknesses and provides a description for every CWE number. From the obtained weakness description, the other related weaknesses, the mode of introduction, the application impact and the related attack patterns are described, and the exploitation conditions, exploitation method and attack result are filled in with the vulnerability at the core.
The related attack patterns contain several CAPEC numbers; the likelihood of attack, attack domain, attack mechanism, prerequisites and required skills given on each CAPEC page are used to complete the attack prerequisites and required skills in the attack template. Furthermore, to give a feasibility analysis and severity judgement for a specific vulnerability, the CVE number is associated with CVSS, which provides a severity rating and risk score for every vulnerability. This completes the integration and association of information from several vulnerability repositories.
Device vulnerability acquisition uses open-source scanning tools (such as Nessus and OpenVAS) and the customized scanning tools of industrial control vendors to scan the system devices for vulnerabilities; the scanning tools are configured according to the device information already obtained, and the device vulnerability information is collected. Compared with conventional networks, industrial control systems face stricter security requirements, and the fragility of industrial control devices must be considered when scanning them. Because of this sensitivity, different scanning methods are used for industrial control devices and for general-purpose Internet devices depending on the device type: industrial control devices are scanned at a low frequency, while general-purpose Internet devices are scanned at a high frequency. This multi-frequency scanning scheme reduces the network load added by injected probe traffic and the risk that probing poses to industrial control devices, while still keeping the device vulnerability information up to date.
Then, from the device vulnerability information obtained by scanning, devices are associated with vulnerabilities; one device may be associated with one or more vulnerabilities. The connection between a device and a vulnerability is defined as has_vul_at: "DEVICE1 has_vul_at VUL1" means that device 1 has the vulnerability numbered VUL1. The device vulnerability information is matched against the vulnerability information database, and every vulnerability obtains an atomic attack template of the form "CNNVD description - CVE number - CWE weakness report - CAPEC attack pattern - CVSS score", which is the input data for generating the attack graph, as shown in Figure 3.
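As an added illustration of the template assembly described above (this is not code from the patent), the following Python sketch joins constructed CNNVD, CVE/NVD, CWE and CAPEC records into an atomic attack template and attaches templates to scanned devices through the has_vul_at relation. All record contents, identifiers such as CNNVD-EXAMPLE-1 and CVE-0000-0001, the scores, and the rule of taking the highest CAPEC likelihood when several patterns apply to one weakness are constructed assumptions; the {low, medium, high} to {0.3, 0.6, 0.9} mapping is the one the patent gives in step 4.

```python
"""Added example, not code from the patent: assembling the
"CNNVD description - CVE number - CWE weakness report - CAPEC attack pattern - CVSS score"
atomic attack template from constructed knowledge-base records.
Every identifier, description and score below is a constructed placeholder."""
from dataclasses import dataclass, field

# Constructed stand-ins for the MySQL knowledge-base tables (CNNVD, CVE/NVD, CWE, CAPEC).
CNNVD = {
    "CNNVD-EXAMPLE-1": {"name": "constructed overflow flaw", "cve": "CVE-0000-0001",
                        "severity": "high", "vendor": "ExampleVendor", "patch": "PATCH-PLACEHOLDER"},
    "CNNVD-EXAMPLE-2": {"name": "constructed weak-credential flaw", "cve": "CVE-0000-0002",
                        "severity": "medium", "vendor": "ExampleVendor", "patch": None},
}
CVE = {  # the NVD record supplies the CWE link and the CVSS base score
    "CVE-0000-0001": {"cwe": "CWE-EXAMPLE-A", "cvss": 9.9},
    "CVE-0000-0002": {"cwe": "CWE-EXAMPLE-B", "cvss": 6.9},
}
CWE = {  # weakness description plus the related CAPEC attack patterns
    "CWE-EXAMPLE-A": {"description": "constructed memory-safety weakness",
                      "capec": ["CAPEC-EXAMPLE-X"]},
    "CWE-EXAMPLE-B": {"description": "constructed authentication weakness",
                      "capec": ["CAPEC-EXAMPLE-Y", "CAPEC-EXAMPLE-Z"]},
}
CAPEC = {  # likelihood of attack, prerequisites and required skills per pattern
    "CAPEC-EXAMPLE-X": {"likelihood": "high", "prerequisites": ["network reachability"], "skills": ["low"]},
    "CAPEC-EXAMPLE-Y": {"likelihood": "low", "prerequisites": ["valid account"], "skills": ["medium"]},
    "CAPEC-EXAMPLE-Z": {"likelihood": "medium", "prerequisites": ["network reachability"], "skills": ["low"]},
}
# Step 4 (1) of the patent: CAPEC likelihood {low, medium, high} -> exploitability {0.3, 0.6, 0.9}
LIKELIHOOD = {"low": 0.3, "medium": 0.6, "high": 0.9}


@dataclass
class AtomicAttackTemplate:
    cnnvd_id: str
    cve_id: str
    cwe_id: str
    capec_ids: list
    cvss: float            # vulnerability harm (0-10)
    exploitability: float  # quantified CAPEC likelihood
    prerequisites: list = field(default_factory=list)
    skills: list = field(default_factory=list)


def build_template(cnnvd_id):
    """Follow CNNVD -> CVE -> CWE -> CAPEC (-> CVSS). A KeyError means the chain is broken
    and the vulnerability cannot receive a complete template."""
    rec = CNNVD[cnnvd_id]
    cve = CVE[rec["cve"]]
    cwe = CWE[cve["cwe"]]
    capec_ids = cwe["capec"]
    # Several CAPEC patterns may apply to one weakness; taking the highest likelihood is an
    # assumption of this example (the patent does not state how they are combined).
    exploitability = max(LIKELIHOOD[CAPEC[p]["likelihood"]] for p in capec_ids)
    prerequisites = sorted({q for p in capec_ids for q in CAPEC[p]["prerequisites"]})
    skills = sorted({s for p in capec_ids for s in CAPEC[p]["skills"]})
    return AtomicAttackTemplate(cnnvd_id, rec["cve"], cve["cwe"], list(capec_ids),
                                cve["cvss"], exploitability, prerequisites, skills)


def match_scan_results(scan_results):
    """scan_results maps a device name to the CNNVD ids reported by the scanner.
    Returns (device, "has_vul_at", template) triples, the input for attack graph generation."""
    edges = []
    for device, ids in scan_results.items():
        for cnnvd_id in ids:
            edges.append((device, "has_vul_at", build_template(cnnvd_id)))
    return edges


if __name__ == "__main__":
    # constructed scanner output for two devices
    for dev, rel, tpl in match_scan_results({"DEVICE1": ["CNNVD-EXAMPLE-1"],
                                             "DEVICE2": ["CNNVD-EXAMPLE-1", "CNNVD-EXAMPLE-2"]}):
        print(dev, rel, tpl.cve_id, tpl.cwe_id, tpl.capec_ids, tpl.cvss, tpl.exploitability)
```

The point of raising a KeyError on a broken chain rather than filling defaults is that a vulnerability without a complete CNNVD-CVE-CWE-CAPEC chain has no exploitability value and would otherwise enter the attack graph with a silently wrong score.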
In step 3, the attack graph contains nodes and edges; the edges are the possible attack paths, and the nodes include device nodes and vulnerability nodes.
Device node information comprises the service in which the device vulnerability resides, the open port and the IP address, and is stored as attributes of the device node. It is described by a five-tuple: device IP, device name, vulnerable service, service protocol and service port.
Vulnerability node information comprises the CVE/CNNVD number, CWE classification, privilege escalation capability flag and CVSS score from the atomic attack rule, and is integrated as attributes of the vulnerability node identified by the vulnerability ID. It is described by a four-tuple: vulnerability ID, vulnerability number, vulnerability type and vulnerability score.
Based on the results of the network topology analysis and the vulnerability information collection, the data is preprocessed and summarized into a device information table, a vulnerability information table and a device relationship table, which form the input of the attack graph generation algorithm, as shown in the tables below. In the device relationship table, "Y" means the two devices are connected and "-" means they are not.
Table 1: Device information table
Table 2: Vulnerability information table
Table 3: Device relationship table
In step 3, the system attack graph is generated with the Neo4j graph database, which follows the property graph model for storing and managing data: the nodes of the attack graph represent entities and the relationships represent the connections between entities. The node attributes of the attack graph are filled from the device information table and the vulnerability information table, the node relationships are filled from the device relationship table, a start node and a target node are selected, and the attack graph is generated after several traversals.
The data of the three tables above is the input of the attack graph generation algorithm, whose flow chart is shown in Figure 4. First, the device information, vulnerability information, device relationships and device-vulnerability matches are imported into the Neo4j graph database. According to the atomic attack rule model, vulnerability nodes that cannot be exploited under the model and device nodes that do not satisfy the attack conditions are identified. Devices that are not on a route to the attack target and isolated vulnerability nodes are removed. Finally, the attacker and the target are fixed, the information in the current graph database is returned, and the attack graph for the system is built.
Taking the industrial control system of Figure 5 as an example, with the start node fixed to the MES host and the target node to PLC1, the generated attack graph contains 17 nodes and 19 edges. Since MES PC3 has two exploitable vulnerabilities, the attack graph contains 12 attack paths in total.
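The pruning sequence of Figure 4, as an added Python example that is not the patent's own code: the three input tables are constructed dicts (device names, vulnerability ids and the "passes the atomic attack rule" flag are all assumptions standing in for the rule model), the graph is kept in plain adjacency sets rather than Neo4j so the example runs offline, and path enumeration shows why a device with two usable vulnerabilities doubles the number of attack paths through it, as the Figure 5 example states for MES PC3.

```python
"""Added example, not the patent's code: step-3 attack graph generation in pure Python.
The patent stores the graph in Neo4j; here the device, vulnerability and relationship tables
are constructed dicts and the graph is an adjacency dict so the example runs offline."""
from collections import deque
from itertools import product

# Table 1: device IP, device name, vulnerable service, protocol, port (constructed values)
DEVICES = {
    "MES_HOST": ("10.0.1.1", "MES host", "-", "-", 0),
    "PC3":      ("10.0.1.3", "MES PC3", "smb", "tcp", 445),
    "DB":       ("10.0.2.1", "database server", "mssql", "tcp", 1433),
    "HMI":      ("10.0.2.2", "operator station", "rdp", "tcp", 3389),
    "PLC1":     ("10.0.3.1", "PLC1", "modbus", "tcp", 502),
    "PRINTER":  ("10.0.1.9", "printer", "ipp", "tcp", 631),
}
# Table 2: vulnerability number, CWE type, CVSS score, passes the atomic attack rule (constructed)
VULNS = {
    "VUL1": ("CVE-0000-0001", "CWE-EXAMPLE-A", 9.9, True),
    "VUL2": ("CVE-0000-0002", "CWE-EXAMPLE-B", 6.9, True),
    "VUL3": ("CVE-0000-0003", "CWE-EXAMPLE-C", 7.5, True),
    "VUL4": ("CVE-0000-0004", "CWE-EXAMPLE-D", 5.0, False),  # rejected by the rule model
    "VUL5": ("CVE-0000-0005", "CWE-EXAMPLE-E", 8.0, True),
}
HAS_VUL_AT = {"PC3": ["VUL1", "VUL2"], "DB": ["VUL3"], "HMI": ["VUL4"],
              "PLC1": ["VUL3"], "PRINTER": ["VUL5"]}
# Table 3: device relationship table, row = source, column = destination; "Y" = link, "-" = none
ORDER = ["MES_HOST", "PC3", "DB", "HMI", "PLC1", "PRINTER"]
RELATION = [
    # MES  PC3  DB   HMI  PLC1 PRN
    ["-", "Y", "-", "-", "-", "Y"],  # MES_HOST
    ["-", "-", "Y", "-", "-", "-"],  # PC3
    ["-", "-", "-", "Y", "Y", "-"],  # DB
    ["-", "-", "-", "-", "Y", "-"],  # HMI
    ["-", "-", "-", "-", "-", "-"],  # PLC1
    ["-", "-", "-", "-", "-", "-"],  # PRINTER
]


def links_from_table():
    """Turn the Y/- matrix into the directed 'link' relation of step 1."""
    return {src: {dst for dst, flag in zip(ORDER, RELATION[i]) if flag == "Y"}
            for i, src in enumerate(ORDER)}


def reachable(start, adj, allowed):
    """Breadth-first search restricted to the 'allowed' device set."""
    seen, queue = {start}, deque([start])
    while queue:
        n = queue.popleft()
        for m in adj.get(n, ()):
            if m in allowed and m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def build_attack_graph(start, target):
    """Apply the pruning steps of Figure 4 and return the surviving graph."""
    links = links_from_table()
    # 1. drop vulnerability nodes the atomic attack rule model rejects
    usable = {d: [v for v in HAS_VUL_AT.get(d, []) if VULNS[v][3]] for d in DEVICES}
    # 2. drop device nodes that no longer satisfy the attack condition (no usable vulnerability);
    #    the start node is exempt because the attacker already holds it
    alive = {d for d in DEVICES if d == start or usable[d]}
    # 3. keep only devices that lie on some start -> target route
    reverse = {d: {s for s in ORDER if d in links[s]} for d in ORDER}
    on_route = reachable(start, links, alive) & reachable(target, reverse, alive)
    if target not in on_route:
        return {"devices": set(), "vulns": set(), "link": set(), "has_vul_at": set()}
    # 4. isolated vulnerability nodes disappear together with the devices they hung on
    return {
        "devices": on_route,
        "vulns": {v for d in on_route for v in usable[d]},
        "link": {(a, b) for a in on_route for b in links[a] if b in on_route},
        "has_vul_at": {(d, v) for d in on_route for v in usable[d]},
    }


def enumerate_attack_paths(graph, start, target):
    """Simple device paths from start to target; each hop onto a device picks one of its
    vulnerabilities, so a device with two usable vulnerabilities doubles the paths through it."""
    succ, vul_of, paths = {}, {}, []
    for a, b in graph["link"]:
        succ.setdefault(a, set()).add(b)
    for d, v in graph["has_vul_at"]:
        vul_of.setdefault(d, []).append(v)

    def walk(node, device_path):
        if node == target:
            choices = [sorted(vul_of[d]) for d in device_path[1:]]
            for combo in product(*choices):
                paths.append(list(zip(device_path[1:], combo)))
            return
        for nxt in sorted(succ.get(node, ())):
            if nxt not in device_path:
                walk(nxt, device_path + [nxt])

    walk(start, [start])
    return paths


if __name__ == "__main__":
    g = build_attack_graph("MES_HOST", "PLC1")
    print(sorted(g["devices"]), sorted(g["vulns"]))
    for p in enumerate_attack_paths(g, "MES_HOST", "PLC1"):
        print(" -> ".join(f"{d}[{v}]" for d, v in p))
```

In the constructed table the operator station only carries a vulnerability the rule model rejects, so it is removed in pruning step 2 and the DB --> HMI --> PLC1 route disappears; the printer survives step 2 but is not on any route to PLC1 and is removed in step 3. Reversing the start and target yields an empty graph, which is the check a caller should make before reporting metrics.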
In step 4, network security is measured hierarchically according to node type: vulnerability node measurement, device node measurement and system security measurement. A vulnerability node carries two additional attributes, exploitability and vulnerability harm. Exploitability is the probability that the vulnerability is successfully exploited to achieve the attack effect; vulnerability harm is the severity of the impact once the vulnerability has been exploited. A device node also carries two additional attributes, attack probability and device risk score. The attack probability depends on the exploitability of the vulnerability nodes connected to the device and is the probability that the device is successfully attacked. The device risk score depends on the exploitability and harm of the connected vulnerability nodes and expresses the degree of impact once the device has been successfully attacked.
Node calculations fall into two categories, start nodes and non-start nodes. A start node only needs to consider the vulnerability nodes connected to it; a non-start node considers its connected vulnerability nodes and also the attack probability and device risk score of the upper-layer device nodes. The system security metric is computed from the device risk scores accumulated over multiple layers.
(1) Vulnerability node measurement quantifies the exploitability and harm of the vulnerability nodes from the scanned device vulnerability information. The exploitability of a vulnerability node is defined by the "likelihood of attack" field of the CAPEC library: the likelihood values {low, medium, high} are quantified as {0.3, 0.6, 0.9}, where a low score means a low likelihood of attack and a high score a high likelihood. The harm score of a vulnerability node uses the Common Vulnerability Scoring System (CVSS) score, with a maximum of 10: the higher the score, the greater the harm, and the lower the score, the smaller the harm.
(2) Device node measurement quantifies the attack probability and the risk score of the device node.
a. Device node attack probability
For the vulnerability nodes connected to each device node, the attack probability of the device node is computed from their exploitability, as in Formula I:
where U_self is the attack probability of this device node, u_i is the exploitability of the i-th vulnerability node connected to it, and k is the number of vulnerability nodes connected to it; the more vulnerability nodes are connected to a device node, the higher its attack probability.
b. Device node risk score
Taking the exploitability of the connected vulnerability nodes as weights, a weighted harm is computed over the vulnerability nodes to obtain the risk score of the device node, as in Formula II:
where R_self is the risk score of this device node, u_i and u_j are the exploitability of the i-th and j-th vulnerability nodes connected to it, and r_i is the harm of the i-th connected vulnerability node.
(3) System security measurement comprises start node measurement and non-start node measurement.
a. Start node measurement
Since the attacker already holds privileges on the start node, it is not itself under attack; the attack probability of the start device node therefore defaults to 1, meaning that full control of the device has been obtained. Since the start node has no predecessor nodes, its in-degree is 0, and its risk score equals its own risk score.
b. Non-start node measurement
A non-start node considers its connected vulnerability nodes and also the attack probability and device risk score of the upper-layer device nodes, computing the cumulative attack probability and the device risk score of the upper-layer device nodes together with the device node of the current layer; the system security metric is computed from the device risk scores accumulated over multiple layers.
The attack probability of a non-start node is computed as in Formula III:
where d_i is the in-degree of the node and U_m is the attack probability of the m-th upper-layer node connected to this device node. This measure takes into account the in-degree of the node and the effect of the upper-layer nodes' attack probability on the current-layer node: the larger the in-degree, the higher the attack probability of the node, and the higher the attack probability of the upper-layer nodes, the higher the attack probability of the current-layer node.
The risk score of a non-start node is computed as in Formula IV:
where U_m and U_n are the attack probabilities of the m-th and n-th upper-layer nodes connected to this device node, and R_m is the risk score of the m-th upper-layer node connected to it.
The risk score measure for non-start nodes takes into account the effect of the upper-layer nodes' attack probability on the current-layer node and accumulates the risk scores of the upper-layer nodes: the larger the in-degree, the higher the node's risk score; the higher the attack probability of the upper-layer nodes, the higher the risk score of the current-layer node; and the higher the risk score of the upper-layer nodes, the higher the risk score of the current-layer node. Finally, the risk score R_dest of the target node is obtained by accumulating over the multi-layer attack paths.
In step 4, attack paths comprise nested paths and parallel paths. The key attack paths are analyzed quantitatively together with the system security metric values. An asset value index is introduced into the analysis: the asset value is determined jointly by the node's in/out-degree and its asset importance. The asset importance index grades assets into ten levels from 1 to 10 (it has to be decided from expert experience), where 10 is very important and 1 is very unimportant. At the same time, the in/out-degrees of the nodes appearing in the current attack graph are normalized with the highest degree as the reference; the degree of the start node and of the target node defaults to 1 and is not down-weighted. Taking the attack graph of Figure 6 as an example, the degrees are {2, 5}; after normalization the node with degree 5 becomes 1 and the node with degree 2 becomes 0.4. Finally, the asset value is the product of the asset importance and the normalized degree, as in Formula V:
P_value = P_significance * d_io (Ⅴ)
where P_value is the asset value, P_significance the asset importance and d_io the normalized in/out-degree of the node.
The key attack paths in the attack graph are analyzed with the above indices. Branching within an attack path falls into two cases, nested paths and parallel paths, as shown in Figure 6.
a. Nested path analysis
As shown in Figure 6(a), the attack path MES PC1 --> MES PC2 --> MES PC3 contains the path MES PC1 --> MES PC3. The path sets of nested paths exclude the common start node: Path1 = {MES PC2}, Path2 = {MES PC2, MES PC3}. The key path in this case is selected by the following calculation:
where Path_sign is the path key index, U_j is the attack probability of the j-th device node in the path set, R_i is the risk score of the i-th device node in the path set and P_value_i is the asset value of the i-th device node in the path set. The key path among nested paths is decided mainly by the number of attack hops: in general the path with fewer hops is the key path, and a path with more hops can only become the key path when the attack probability and risk score of the intermediate hop node are both large. This depends on the particular target industrial control system and is judged by technical staff from long-term working experience. Taking Figure 6(a) as an example, from practical experience the asset importance of MES PC2 and MES PC3 is defined as 6 and their normalized degrees are both 0.4. Path1_sign = 0.9*9.9*2.4 = 21.384, Path2_sign = 0.3*0.9*9.9*2.4 + 0.3*6.9*2.4 = 11.3832. Therefore the key path among the nested attack paths is Path1, i.e. MES PC1 --> MES PC3.
b. Parallel path analysis
As shown in Figure 6(b), the attack path database server --> PLC1 contains three parallel attack paths: database server --> operator station --> PLC1, database server --> engineer station --> PLC1 and database server --> SCADA system --> PLC1. The path set of parallel attack paths consists of the three parallel nodes with the common start and end nodes removed, Path = {operator station, engineer station, SCADA system}; the key path in this case is selected by the following calculation:
Path_sign = max{U_i * R_i * P_value_i}, i = 1, 2, ..., k (Ⅶ)
where U_i is the attack probability of the i-th device node in the path set, R_i is the risk score of the i-th device node in the path set and P_value_i is the asset value of the i-th device node in the path set; finally, the key path is selected by comparing the key indices of the three parallel paths.
Taking Figure 6(b) as an example, from practical experience the asset importance of the operator station is defined as 8, that of the engineer station as 7 and that of the SCADA system as 9, and their normalized degrees are all 0.4. Path_sign = max{0.6*7.8*3.2, 0.8*9.8*2.8, 0.9*6.9*3.6} = max{14.976, 21.952, 22.356}. Therefore the key path among the parallel attack paths is Path3, i.e. database server --> SCADA system --> PLC1.
Combining the results of the nested and parallel path analyses, one key path of the attack graph is MES PC1 --> MES PC3 --> database server --> SCADA system --> PLC1. The importance of several paths is computed with quantitative indices to obtain the key attack path. A key attack path that jointly considers asset value, likelihood of attack and vulnerability harm reflects the security situation of the critical parts of the system. At the same time, the weak points of the system can be located precisely from the path scores, device scores and vulnerability scores. In addition, the vulnerability details provided by the vulnerability database make it possible to understand the properties of a vulnerability quickly and look for a remedy, providing data support for the security protection of industrial control systems.
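The path analysis of step 4 (degree normalization, asset value by Formula V, the nested path key index, and the parallel path key index by Formula VII), as an added Python example that is not code from the patent. The attack probabilities U, risk scores R and asset importances are the values quoted in the Figure 6 worked examples above; the node labels are constructed. Because Formula VI is not reproduced on the page, the nested path index is written in the cumulative-product form sum_i (prod_{j<=i} U_j) * R_i * P_value_i, which is an assumption of this example chosen because it reproduces the page's numbers 21.384 and 11.3832.

```python
"""Added example, not code from the patent: the step-4 attack path analysis.
U, R and asset importances are the Figure 6 worked-example values; node labels are constructed."""


def normalize_degrees(degrees, fixed=()):
    """Scale every in/out-degree by the largest one; start and target nodes (fixed) keep 1."""
    top = max(degrees.values())
    return {n: 1.0 if n in fixed else d / top for n, d in degrees.items()}


def asset_value(significance, d_io):
    """Formula V: P_value = P_significance * d_io, with importance graded 1..10."""
    if not 1 <= significance <= 10:
        raise ValueError("asset importance is graded from 1 to 10")
    return significance * d_io


def nested_path_index(path):
    """Key index of one nested path. 'path' lists (U, R, P_value) per device node, ordered from
    the hop after the common start node. The cumulative-product form
    sum_i (prod_{j<=i} U_j) * R_i * P_value_i is an ASSUMPTION of this example: it reproduces
    the patent's worked numbers, but the patent's Formula VI itself is not on the page."""
    total, cumulative_u = 0.0, 1.0
    for u, r, p in path:
        cumulative_u *= u          # reaching hop i needs every earlier hop to succeed
        total += cumulative_u * r * p
    return total


def parallel_path_index(nodes):
    """Formula VII: max over the parallel intermediate nodes of U_i * R_i * P_value_i.
    Returns (index, position of the winning node)."""
    scores = [u * r * p for u, r, p in nodes]
    best = max(range(len(scores)), key=scores.__getitem__)
    return scores[best], best


def key_path(candidates):
    """Pick the candidate path with the highest key index; candidates maps name -> index."""
    return max(candidates, key=candidates.__getitem__)


def figure6_example():
    """Re-runs the two worked cases of Figure 6 and returns the chosen key paths."""
    # Figure 6(a): degrees {2, 5} normalize to {0.4, 1}; the degree-5 node is a constructed label.
    d = normalize_degrees({"MES PC2": 2, "MES PC3": 2, "degree-5 node": 5})
    p_pc2 = asset_value(6, d["MES PC2"])   # 6 * 0.4 = 2.4
    p_pc3 = asset_value(6, d["MES PC3"])   # 6 * 0.4 = 2.4
    nested = {
        "Path1 (MES PC1 --> MES PC3)": nested_path_index([(0.9, 9.9, p_pc3)]),
        "Path2 (MES PC1 --> MES PC2 --> MES PC3)":
            nested_path_index([(0.3, 6.9, p_pc2), (0.9, 9.9, p_pc3)]),
    }
    # Figure 6(b): operator station 8, engineer station 7, SCADA system 9; normalized degree 0.4
    names = ["operator station", "engineer station", "SCADA system"]
    parallel_nodes = [
        (0.6, 7.8, asset_value(8, 0.4)),
        (0.8, 9.8, asset_value(7, 0.4)),
        (0.9, 6.9, asset_value(9, 0.4)),
    ]
    index, pos = parallel_path_index(parallel_nodes)
    return key_path(nested), nested, names[pos], index


if __name__ == "__main__":
    best_nested, nested, best_parallel, index = figure6_example()
    for name, value in nested.items():
        print(f"{name}: {value:.4f}")
    print("nested key path:", best_nested)
    print(f"parallel key path: database server --> {best_parallel} --> PLC1 ({index:.3f})")
```

Running the block reproduces the page's figures (21.384 and 11.3832 for the nested case, 22.356 for the SCADA branch in the parallel case) and therefore the same key path selections.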
Embodiment 2:
A server, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the attack-graph-based industrial control system security measurement method described in Embodiment 1.
Embodiment 3:
A computer-readable medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the attack-graph-based industrial control system security measurement method described in Embodiment 1.
The above is only a specific implementation of the present invention, and the scope of protection of the present invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011043060.3A CN112114579B (en) | 2020-09-28 | 2020-09-28 | A security measurement method for industrial control systems based on attack graph |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011043060.3A CN112114579B (en) | 2020-09-28 | 2020-09-28 | A security measurement method for industrial control systems based on attack graph |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112114579A CN112114579A (en) | 2020-12-22 |
CN112114579B true CN112114579B (en) | 2023-07-25 |
Family
ID=73798243
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011043060.3A Active CN112114579B (en) | 2020-09-28 | 2020-09-28 | A security measurement method for industrial control systems based on attack graph |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112114579B (en) |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112904817B (en) * | 2021-01-19 | 2022-08-12 | 哈尔滨工业大学(威海) | A global safety detection system for intelligent manufacturing production line and its working method |
CN114143109B (en) * | 2021-12-08 | 2023-11-10 | 安天科技集团股份有限公司 | Visual processing method, interaction method and device for attack data |
CN114528552B (en) * | 2021-12-31 | 2023-12-26 | 北京邮电大学 | Security event association method based on loopholes and related equipment |
CN114039862B (en) * | 2022-01-10 | 2022-04-26 | 南京赛宁信息技术有限公司 | CTF problem solution detection node construction method and system based on dynamic topology analysis |
CN114584348A (en) * | 2022-02-14 | 2022-06-03 | 上海安锐信科技有限公司 | Industrial control system network threat analysis method based on vulnerability |
CN115061434B (en) * | 2022-06-01 | 2024-09-06 | 哈尔滨工业大学(威海) | Attack path parallel planning system and method for large-scale industrial control scene |
CN115118468A (en) * | 2022-06-16 | 2022-09-27 | 上海谋乐网络科技有限公司 | Method and system for providing collaborative support for cyber confrontation attackers |
CN115102743B (en) * | 2022-06-17 | 2023-08-22 | 电子科技大学 | Multi-layer attack graph generation method for network security |
CN115242507A (en) * | 2022-07-22 | 2022-10-25 | 四川启睿克科技有限公司 | Attack graph generation system and method based on set parameter maximum value |
CN115185466B (en) * | 2022-07-25 | 2023-02-28 | 北京珞安科技有限责任公司 | Hierarchical management and control tool and method for mobile storage device |
CN115514543B (en) * | 2022-09-07 | 2024-12-27 | 湖北鑫英泰系统技术股份有限公司 | Electric power network security method and system based on a scale-free network |
CN116208416A (en) * | 2023-03-06 | 2023-06-02 | 华能国际电力股份有限公司 | Attack link mining method and system for industrial Internet |
CN116305170A (en) * | 2023-05-16 | 2023-06-23 | 北京安帝科技有限公司 | Analog testing method, device, equipment and storage medium based on industrial control system |
CN116702159B (en) * | 2023-08-04 | 2023-10-31 | 北京微步在线科技有限公司 | Host protection method, device, computer equipment and storage medium |
US20250159016A1 (en) * | 2023-11-13 | 2025-05-15 | Microsoft Technology Licensing, Llc | Attack path discovery engine in a security management system |
CN119583129A (en) * | 2024-11-22 | 2025-03-07 | 深圳市景佑宝元科技有限公司 | A real-time risk control method and system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7013395B1 (en) * | 2001-03-13 | 2006-03-14 | Sandia Corporation | Method and tool for network vulnerability analysis |
CN104348652A (en) * | 2013-08-06 | 2015-02-11 | 南京理工大学常熟研究院有限公司 | Method and device for evaluating system security based on correlation analysis |
EP3644579A1 (en) * | 2018-10-26 | 2020-04-29 | Accenture Global Solutions Limited | Criticality analysis of attack graphs |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6952779B1 (en) * | 2002-10-01 | 2005-10-04 | Gideon Cohen | System and method for risk detection and analysis in a computer network |
US8392997B2 (en) * | 2007-03-12 | 2013-03-05 | University Of Southern California | Value-adaptive security threat modeling and vulnerability ranking |
CN103368976B (en) * | 2013-07-31 | 2015-03-04 | 电子科技大学 | Network security evaluation device based on attack graph adjacent matrix |
EP3065076A1 (en) * | 2015-03-04 | 2016-09-07 | Secure-Nok AS | System and method for responding to a cyber-attack-related incident against an industrial control system |
CN106709613B (en) * | 2015-07-16 | 2020-11-27 | 中国科学院信息工程研究所 | A Risk Assessment Method for Industrial Control Systems |
US10015188B2 (en) * | 2015-08-20 | 2018-07-03 | Cyberx Israel Ltd. | Method for mitigation of cyber attacks on industrial control systems |
CN105871882B (en) * | 2016-05-10 | 2019-02-19 | 国家电网公司 | Network security risk analysis method based on network node vulnerability and attack information |
CN110533754A (en) * | 2019-08-26 | 2019-12-03 | 哈尔滨工业大学(威海) | Interactive attack graph display system and display method for large-scale industrial control networks |
Timeline: 2020-09-28 | CN | CN202011043060.3A | CN112114579B | Active
Also Published As
Publication number | Publication date |
---|---|
CN112114579A (en) | 2020-12-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112114579B (en) | A security measurement method for industrial control systems based on attack graph | |
CN110620759B (en) | Evaluation method and system of network security event hazard index based on multi-dimensional correlation | |
CN109347801B (en) | A vulnerability exploitation risk assessment method based on multi-source word embedding and knowledge graph | |
CN112100843B (en) | A visual analysis method and system for power system security event simulation verification | |
CN114723287A (en) | Quantitative statistical method for risk formation based on enterprise characteristics and operation behaviors | |
CN110659814A (en) | A method and system for risk assessment of power grid operations based on entropy weight method | |
CN105045251A (en) | Demand analysis and integration method for function safety and information safety of industrial control system | |
CN113658715A (en) | Safety barrier management method and system for ship navigation risk management and control | |
CN117829291B (en) | Whole-process consultation knowledge integrated management system and method | |
CN111798162A (en) | Risk monitoring method and device based on neural network | |
CN118153240A (en) | Power grid short-circuit parameter library construction method based on short-circuit capacity measurement technology | |
CN118862059A (en) | A safety assessment system and method based on data hazard source identification | |
CN116346405A (en) | Network security operation and maintenance capability evaluation system and method based on data statistics | |
CN114338088B (en) | Evaluation method and evaluation system for network security level of substation power monitoring system | |
CN114298558B (en) | Electric power network safety research and judgment system and research and judgment method thereof | |
Tse et al. | Risks facing smart city information security in Hangzhou | |
Gordan et al. | A serious game conceptual approach to protect critical infrastructure resilience in smart cities | |
Atif et al. | Cyber-threat analysis for Cyber-Physical Systems: Technical report for Package 4, Activity 3 of ELVIRA project | |
Li et al. | Analytic model and assessment framework for data quality evaluation in state grid | |
CN118396382B (en) | Modeling method and system for power data external service danger | |
CN114124526B (en) | Threat complexity analysis method combining multi-level and entropy weight method | |
CN110334925A (en) | Mouth part first-aid repair operation risk identification method | |
CN114978575B (en) | Security level determination method for medical networking equipment | |
Feng et al. | Design and Implementation of an Early Warning System Based on the Risk Measurement Model | |
Chen et al. | Research on Evaluation Techniques for Security Threat Levels of Critical Information Assets in Power Grids |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |