
CN112114579A - A security measurement method for industrial control system based on attack graph - Google Patents

Info

Publication number
CN112114579A
Authority
CN
China
Prior art keywords
node
vulnerability
attack
equipment
information
Granted
Application number
CN202011043060.3A
Other languages
Chinese (zh)
Other versions
CN112114579B (en)
Inventor
张耀方
王佰玲
孙云霄
王巍
黄俊恒
辛国栋
Current Assignee
Harbin Institute of Technology Weihai
Original Assignee
Harbin Institute of Technology Weihai
Application filed by Harbin Institute of Technology Weihai
Priority to CN202011043060.3A (patent CN112114579B)
Publication of CN112114579A
Application granted
Publication of CN112114579B
Legal status: Active

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
    • G05B23/0275 Fault isolation and identification, e.g. classify fault; estimate cause or root of failure
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Landscapes

  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to a security measurement method for industrial control systems based on attack graphs. The method includes: obtaining the topology information of the industrial control network, probing the devices of the specific industrial control system, gathering the device information within the industrial control network, and analyzing the associations between devices; collecting device vulnerability information based on the probing results for the devices in the industrial control network; based on the topology and the device vulnerability information, using a graph database approach to store the data in a graph format, representing the graph structure with nodes and relationships, and generating the system attack graph; and, based on the generated system attack graph, performing network security measurement of the specific industrial control system at three levels, vulnerability node measurement, device node measurement and system security measurement, and analyzing the attack paths. The method discovers potential threats to the greatest extent, greatly shortens the analysis cycle of industrial control system security measurement, improves measurement efficiency, and lays a foundation for the protection of industrial control systems.

Description

A security measurement method for industrial control systems based on attack graphs

Technical field

The invention relates to a security measurement method for industrial control systems based on attack graphs, belonging to the technical field of network security.

Background

In recent years, industrial control systems have gradually moved toward informatization, which not only introduces the diverse methods of the Internet but also brings many kinds of attack threats to industrial control systems. Highly informatized industrial control systems must face changes in the network environment and the potential impact of network components on the system. To address the complex operating environment of industrial control systems and the diversity of attack methods, a security measurement method for industrial control systems based on attack graphs is proposed: by integrating vulnerability and topology information it shows the potential attack paths of the industrial control system, visualizes the security measurement process, provides data support for subsequent system security analysis, and protects mission-critical assets from potential threat sources.

For example, Chinese patent document CN110533754A provides an interactive attack graph display system and display method based on a large-scale industrial control network. The display system includes a JSON file construction module, a network topology generation module, a scene roaming processing module, an attack graph generation module and an interactive event processing module. The method starts from the attack target and generates the attack graph in reverse, which greatly reduces the complexity and usability of the attack graph. The display system adopts an interactive form that allows users to switch attack targets by clicking and generates real-time key attack paths for the determined target, which greatly improves the visual management of attack graphs. It facilitates network security analysis and assessment by security operations personnel and security analysts, and can effectively help network security incident handlers identify network attack paths early and defend key points. Chinese patent document CN108156114A provides a method and device for determining key nodes in a network attack graph of a power cyber-physical system. The method includes: obtaining at least one feature value for all nodes in the attack graph; determining the weight of each feature value; and determining key nodes from all the nodes according to the at least one feature value and the weights. By obtaining at least one feature value of all nodes in the attack graph, the importance of each node can be quantified; by determining the weight of each feature value, the feature values can be weighed against each other; finally, key nodes are determined from all nodes according to the feature values and their weights, with all nodes considered comprehensively, so that the key nodes of the system attack graph are identified from multiple aspects and dimensions, solving the problem that the focus of attack graph security protection is uncertain. Chinese patent document CN108629474A discloses a process security assessment method based on an attack graph model, which includes the following steps: designing security nodes according to the security attributes of the security control system; forming a process scheme from the designed nodes according to the business process logic; realizing the design of the process scheme by building a tree diagram; and modeling and evaluating the designed process scheme and computing an assessment conclusion. The process scheme evaluation includes establishing a process security evaluation system, a reliability evaluation system and an operating efficiency evaluation system; based on the evaluation values of the indicators of these three systems, a comprehensive evaluation result for the system is given through a comprehensive scoring model, and according to the importance, achievability and complexity parameter levels of the weak security nodes, an optimization strategy for the current process scheme is given. This method resolves the uncertainty brought by human intervention and improves the accuracy, reliability and efficiency of security assessment results.

At present, there are few security measurement methods for industrial control systems; a system-wide, global security measurement scheme is lacking, and existing schemes cannot take the vulnerability relationships between system devices into account. Because the topology of industrial control systems is relatively complex and the selection and quantification of security indicators in the measurement is difficult, current security measurement schemes are mostly qualitative. Therefore, to achieve a global quantitative measurement of industrial control system security, a global security measurement method for industrial control systems urgently needs to be designed.

Summary of the invention

In view of the shortcomings of the prior art, the present invention provides a security measurement method based on an industrial control system attack graph. The attack graph represents, as a graph structure, the detailed information of the process by which the industrial control system is attacked. The method comprehensively considers the special hierarchical structure of industrial control system devices together with their vulnerabilities and dependencies, establishes association models between devices and vulnerabilities and between devices, and shows the possible attack paths. Finally, the method combines the attack paths with the indicators in the attack graph, achieving a global security measurement of the industrial control system.

Terminology:

1. CVE-NVD (Common Vulnerabilities and Exposures - National Vulnerability Database).

2. CNNVD (China National Vulnerability Database of Information Security).

3. ICS (Industrial Control System) Vulnerability Database.

4. CWE (Common Weakness Enumeration).

5. CAPEC (Common Attack Pattern Enumeration and Classification).

6. Exploitability: the probability that the vulnerability is successfully exploited to achieve the attack effect.

7. Vulnerability harm: the severity of the impact after the vulnerability is successfully exploited.

The technical scheme of the present invention is as follows:

A security measurement method for industrial control systems based on attack graphs, comprising the following steps:

Step 1: obtain the topology information of the industrial control network, probe the devices of the specific industrial control system, gather the device information within the industrial control network, and analyze the associations between devices;

Step 2: based on the probing results for the devices in the industrial control network, collect device vulnerability information;

Step 3: based on the topology and the device vulnerability information, use a graph database approach to store the data in a graph format, representing the graph structure with nodes and relationships, and generate the system attack graph;

Step 4: based on the generated system attack graph, perform network security measurement of the specific industrial control system at three levels, vulnerability node measurement, device node measurement and system security measurement, and analyze the attack paths.

Preferably, in step 1, the GRASSMARLIN tool is used to obtain the industrial control network topology information.

Preferably, in step 1, obtaining the industrial control network topology information covers the topology plan in the system design documents, the system configuration, and the access control rules of the security devices; according to the system design documents and the access control rules of the security devices, the connection relationships between system devices are read and extracted to restore the system topology.

Preferably, in step 1, probing the devices of the specific industrial control system means using the GRASSMARLIN tool to monitor the industrial control system topology in real time so as to detect devices newly added to the industrial control system; GRASSMARLIN collects information about the probed system by passive detection, reducing the impact of the probing process on the working state of the devices in the industrial control system.

Preferably, in step 1, gathering the device information within the industrial control network means reading the device information in the system design documents and system configuration files and extracting the device type, device model and system version as the data basis for the subsequent acquisition of device vulnerability information.

Preferably, in step 1, analyzing the associations between devices means formatting the association relationships between devices according to the system topology information obtained from the system design documents, the system configuration files and the access control rules of the security devices; the connection relationship between devices is uniformly defined as link, where A link B means that device A has a link to device B and A can access B; link is a directed relationship.

Preferably, while the GRASSMARLIN tool monitors the industrial control system topology in real time, its probing results are stored in XML format; the GRASSMARLIN results are read periodically at a low frequency, relationships are extracted for updated devices, newly added devices are added to the system, the system devices that exchange information with the new devices are updated, connection relationships whose source IP and destination IP belong to the same group are simplified, and redundant data is removed, so as to obtain the system topology dynamically; at the same time, the original data and the updated data are sorted in probing order.

Preferably, in step 2, collecting device vulnerability information includes building a vulnerability information library and acquiring device vulnerabilities;

Building the vulnerability information library includes vulnerability information collection and vulnerability information processing. Vulnerability information collection takes the CVE-NVD vulnerability database as the main body, CNNVD and the ICS Vulnerability Database as extended security databases, and CWE and CAPEC as vulnerability association databases to build the security knowledge base, and stores the collected vulnerability information in a MySQL database. Vulnerability information processing takes the CNNVD and CVE vulnerability knowledge bases as the main body, matches and correlates all vulnerability information imported into the MySQL database, introduces CWE as the basis for weakness description, weakness classification and exploitability judgement, and combines it with CAPEC to describe the preconditions, required technical skill, methods and consequences of exploiting the vulnerability in an attack;

Device vulnerability acquisition uses scanning tools to scan the system devices for vulnerabilities: the scanning tools are configured according to the acquired system device information and the scan for device vulnerability information is completed; then, according to the device vulnerability information obtained by scanning, devices are associated with vulnerabilities. One device may be associated with one or more vulnerabilities; the connection relationship between a device and a vulnerability is defined as has_vul_at, where DEVICE1 has_vul_at VUL1 means that device 1 has the vulnerability numbered VUL1. The device vulnerability information is matched against the vulnerability information library, so that for every vulnerability an atomic attack template of the form "CNNVD description - CVE vulnerability number - CWE weakness report - CAPEC attack method - CVSS score" is obtained, providing the input data for the subsequent generation of the attack graph.

Preferably, in step 3, the nodes of the attack graph include device nodes and vulnerability nodes;

The device node information contains the service in which the device vulnerability resides, the open port and the IP address; it serves as the attributes of the device node and is described by a five-tuple: device IP, device name, vulnerable service, service protocol, service port;

The vulnerability node information contains the CVE/CNNVD number, CWE classification, privilege-escalation capability flag and CVSS score from the atomic attack rule; it is integrated as node attributes on the vulnerability node identified by the vulnerability ID and is described by a four-tuple: vulnerability ID, vulnerability number, vulnerability type, vulnerability score;

According to the results of the network topology analysis and vulnerability information collection, the data is preprocessed and summarized into a device information table, a vulnerability information table and a device relationship table, which serve as the input of the attack graph generation algorithm.

Preferably, in step 3, generating the system attack graph means generating the attack graph on the Neo4j graph database, following the property graph model to store and manage data, where nodes of the attack graph represent entities and relationships represent the connections between entities; the node attributes of the attack graph are filled from the device information table and the vulnerability information table, the node relationships are filled from the device relationship table, a start node and a target node are selected, and the attack graph is generated after multiple traversals.

Preferably, in step 4, vulnerability node measurement quantifies the exploitability and the harm of the vulnerability nodes according to the scanned device vulnerability information. The exploitability of a vulnerability node is defined by the "attack likelihood" field of the CAPEC library; the attack likelihood {low, medium, high} is quantified as {0.3, 0.6, 0.9}, where a low score means a low likelihood of being attacked and a high score a high likelihood. The harm score of a vulnerability node uses the vulnerability assessment score of the Common Vulnerability Scoring System (CVSS), with a maximum of 10 points; the higher the score, the greater the harm of the vulnerability, and the lower the score, the smaller the harm.

Preferably, in step 4, device node measurement is quantified according to the attack probability of the device node and the risk score of the device node;

a. Attack probability of a device node

For the vulnerability nodes connected to each device node, the attack probability of the device node is calculated from their exploitability, as in formula I:

[Formula I: image BDA0002707200260000051, not reproduced on the page]

where U_self is the attack probability of this device node, u_i is the exploitability of the i-th vulnerability node connected to the device node, and k is the number of vulnerability nodes connected to the device node; the more vulnerability nodes connected to a device node, the higher its attack probability;

b. Risk score of a device node

Taking the exploitability of the connected vulnerability nodes as weights, a weighted harm calculation over the vulnerability nodes gives the risk score of the device node, as in formula II:

[Formula II: image BDA0002707200260000052, not reproduced on the page]

where R_self is the risk score of this device node, u_i and u_j are the exploitabilities of the i-th and j-th vulnerability nodes connected to the device node, and r_i is the vulnerability harm of the i-th vulnerability node connected to the device node.

Preferably, in step 4, system security measurement includes start node measurement and non-start node measurement;

a. Start node measurement

Since the privileges of the start node have already been obtained, it is not itself attacked, so the attack probability of the start device node defaults to 1, meaning that all privileges on that device have been obtained; since the start node has no predecessor node, its in-degree is 0, and therefore the risk score of the start node equals its own risk score;

b. Non-start node measurement

A non-start node considers the vulnerability nodes connected to it and, in addition, combines the attack probability and device risk score of the upper-layer device nodes, calculating the cumulative attack probability and device risk score of the upper-layer device nodes and the device node at this layer; the system security measure is obtained from the risk scores of device nodes accumulated over multiple layers;

The attack probability of a non-start node is calculated as in formula III:

[Formula III: image BDA0002707200260000061, not reproduced on the page]

where d_i is the in-degree of the node and U_m is the attack probability of the m-th upper-layer node connected to this device node; this measurement considers the in-degree of the node and the effect of the upper-layer nodes' attack probability on the node at this layer: the greater the in-degree, the greater the attack probability of the node; the greater the attack probability of the upper-layer nodes, the greater the attack probability of the node at this layer;

The risk score of a non-start node is calculated as in formula IV:

[Formula IV: image BDA0002707200260000062, not reproduced on the page]

where U_m and U_n are the attack probabilities of the m-th and n-th upper-layer nodes connected to this device node, and R_m is the risk score of the m-th upper-layer node connected to this device node;

The risk score calculation for non-start nodes considers the effect of the upper-layer nodes' attack probability on the node at this layer and accumulates the risk scores of the upper-level nodes: the greater the in-degree of the node, the greater its risk score; the greater the attack probability of the upper-layer nodes, the greater the risk score of the node at this layer; the greater the risk score of the upper-layer nodes, the greater the risk score of the node at this layer. Finally, the risk score R_dest of the target node is obtained by accumulating over the multi-layer attack paths.

Preferably, in step 4, attack paths include nested paths and parallel paths. The key attack paths are analyzed quantitatively in combination with the system security measurement values, and an asset value indicator is introduced into the analysis. Asset value is determined jointly by the in/out degree of the node and the asset importance. The asset importance indicator divides assets into ten grades from 1 to 10, where 10 is very important and 1 is very unimportant. At the same time, the in/out degrees of the nodes appearing in the current attack graph are normalized with respect to the highest in/out degree; the in/out degree of the start node and the target node defaults to 1 and is not down-weighted. Finally, the asset value is the product of the asset importance and the in/out degree, as in formula V:

P_value = P_significance * d_io (V)

where P_value is the asset value, P_significance the asset importance, and d_io the normalized in/out degree of the node;

a. Nested path analysis

In the path set of nested paths the nodes do not include the common start node; the key path in this case is selected by the following calculation:

[Formula VI: image BDA0002707200260000071, not reproduced on the page]

where Path_sign is the path key index, U_j the attack probability of the j-th device node in the path set, R_i the risk score of the i-th device node in the path set, and P_value_i the asset value of the i-th device node in the path set. The key path among nested paths is determined mainly by the number of attack hops: in general the path with fewer attack hops is the key path, and only when the attack probability and risk score of the intermediate hop nodes are both large can a path with more attack hops become the key path;

b. Parallel path analysis

The path set of parallel attack paths is expressed as N parallel nodes excluding the common start node and end node; the key path in this case is selected by the following calculation:

Path_sign = max{U_i * R_i * P_value_i}, i = 1, 2, ..., k (VII)

where U_i is the attack probability of the i-th device node in the path set, R_i the risk score of the i-th device node in the path set, and P_value_i the asset value of the i-th device node in the path set; finally, the key path is selected by comparing the key indices of the N parallel paths;

Combining the analysis results of the nested paths and the parallel paths, the importance of the multiple paths is computed through quantified indicators, yielding the key attack paths.

A server, comprising:

one or more processors;

a storage device on which one or more programs are stored,

wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the attack-graph-based industrial control system security measurement method described above.

A computer-readable medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the attack-graph-based industrial control system security measurement method described above.

Technical features and beneficial effects of the present invention:

1. The present invention takes CVE-NVD as the main body, CNNVD and the ICS Vulnerability Database as extended security databases, and CWE and CAPEC as vulnerability correlation databases, and combines them into a single security knowledge base. It further combines the scan results of multiple tools, filtering, correlating and fusing the isolated data to generate an attack graph suited to industrial control systems, and measures system security in layers to provide decision support and situational awareness. Based on vulnerability dependencies, the method associates network threats with industrial control system devices, discovers potential threats to the greatest possible extent, greatly shortens the analysis cycle of industrial control system security measurement, improves measurement efficiency, and lays a foundation for the protection of industrial control systems.

2. The method proposes an attack-graph-based security measurement method for industrial control systems. Using asset discovery, vulnerability scanning, vulnerability exploitation, graph-data-based attack graph generation and hierarchical security measurement, it visualizes the attack paths of a system and measures the security of the system under test, providing assurance for the safe operation of industrial control systems. It covers many kinds of vulnerabilities and industrial control device types, can generate an attack graph for any starting point and attack target, and can provide data support for further system analysis. Its practical scope includes generating attack graphs for any attack starting point and attack target within an industrial control system and measuring the security of the industrial control system, providing data support for its security analysis; the prospects for application are very broad.

Description of the drawings

Figure 1 is an architecture diagram of the attack-graph-based security measurement method;

Figure 2 is a schematic diagram of the topology of an industrial control system;

Figure 3 is a schematic diagram of the vulnerability information association of an attack template;

Figure 4 is a flow chart of the attack graph generation algorithm;

Figure 5 is a schematic diagram of attack graph generation;

Figure 6 is a schematic diagram of attack paths, in which (a) shows nested attack paths and (b) shows parallel attack paths.

Detailed description of the embodiments

The present invention is further described below by way of embodiments with reference to the accompanying drawings, but is not limited thereto.

Embodiment 1:

This embodiment provides an attack-graph-based security measurement method for industrial control systems comprising the following four steps; the overall architecture of the method is shown in Figure 1:

Step 1: obtain the industrial control network topology information, discover the devices of the specific industrial control system (that is, the target industrial control system whose security is to be measured), collect the device information within the industrial control network, and analyze the associations between devices;

The first step is the foundation: it mainly obtains the information about the target industrial control system's devices and their associations within the whole industrial control network;

Step 2: based on the discovery results for the devices in the industrial control network, that is, the device information and associations of the specific industrial control system obtained in step 1, collect device vulnerability information;

Step 3: based on the topology and the device vulnerability information, generate the system attack graph using a graph-database approach, storing the data in graph form and representing the graph structure with nodes and relationships;

Step 4: based on the generated system attack graph, measure the network security of the specific industrial control system at three levels, namely vulnerability node measurement, device node measurement and system security measurement, and analyze the attack paths.

Specifically, in step 1 the GRASSMARLIN tool is used to obtain the industrial control network topology. The obtained topology information includes the topology plan in the system design documents, the system configuration, and the access control rules of the security devices; the connections between system devices are read and extracted from the system design documents and the access control rules of the security devices in order to reconstruct the system topology. At the same time, the device information in the system design documents and system configuration files is read, and the device type, device model and system version are extracted as the data basis for obtaining device vulnerability information.

In addition, given the fragility and real-time nature of industrial control systems, the GRASSMARLIN tool is also used to monitor the industrial control system topology in real time in order to detect devices newly added to the system (the ultimate goal being dynamic updating of the system attack graph). GRASSMARLIN collects information about the probed system by passive discovery, which reduces the impact of the discovery process on the operating state of the devices in the industrial control system. This is the topology information collection shown in Figure 1.

While GRASSMARLIN monitors the industrial control system topology in real time, its discovery results are stored in XML format. These results are read periodically at a low frequency (the exact frequency depends on the particularities of each system and is set by the technical staff); relationships are extracted for the updated devices, newly added devices are added to the system, and the system devices that exchange information with the new devices are updated. Connections whose source IP and destination IP belong to the same group are simplified and redundant data is removed, so that the system topology is obtained dynamically; at the same time, the original and the updated topology data are ordered by the sequence in which they were discovered.

Collecting the device information within the industrial control network means reading the device information in the system design documents and system configuration files and extracting the device type, device model and system version as the data basis for the subsequent acquisition of device vulnerability information.

Analyzing the device associations means formatting the association relationships between devices according to the system topology information obtained from the system design documents, system configuration files and the access control rules of the security devices. The connection between devices is uniformly defined as link: A link B means that a link exists from device A to device B, i.e. A can access B; link is a directed relationship.
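The periodic read of passive discovery output described above, reduced to its data handling: collapsing repeated conversations between the same pair of hosts into one directed link, keeping discovery order, and reporting newly seen devices and the known devices whose links changed. This is an added example and not code from the patent; the XML layout is a hypothetical simplified export with one `<flow>` element per observed conversation, not GRASSMARLIN's real schema (which the page does not show), and the addresses are constructed sample values.

```python
"""Directed `link` extraction from periodically read passive discovery output.

Added example, not code from the patent. The XML layout is a hypothetical
simplified export (one <flow> per observed conversation); it is not
GRASSMARLIN's real schema, which the page does not show.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

Link = Tuple[str, str]  # (A, B) means "A link B": A can access B

# Constructed sample export: several conversations between the same pair
# of hosts, plus one host (10.0.2.21) not yet in the inventory.
SAMPLE_XML = """<observations>
  <flow src="10.0.1.10" dst="10.0.2.20" proto="tcp" dport="1433"/>
  <flow src="10.0.1.10" dst="10.0.2.20" proto="tcp" dport="445"/>
  <flow src="10.0.2.20" dst="10.0.3.30" proto="tcp" dport="102"/>
  <flow src="10.0.2.20" dst="10.0.3.30" proto="udp" dport="161"/>
  <flow src="10.0.2.21" dst="10.0.3.30" proto="tcp" dport="502"/>
</observations>"""


def extract_links(xml_text: str) -> List[Link]:
    """Collapse all flows sharing (src, dst) into one directed link.

    The order of first observation is preserved, so the result is already
    sorted in discovery order.
    """
    seen: Dict[Link, None] = {}
    for flow in ET.fromstring(xml_text).iter("flow"):
        seen.setdefault((flow.attrib["src"], flow.attrib["dst"]), None)
    return list(seen)


def update_topology(known_devices: Set[str], known_links: List[Link],
                    xml_text: str) -> Dict[str, object]:
    """Merge one discovery batch into the current topology.

    Reports the devices not previously known and the known devices whose
    link set changed (those exchanging traffic with a new device).
    """
    batch = extract_links(xml_text)
    added = [lk for lk in batch if lk not in known_links]
    observed = {a for a, _ in batch} | {b for _, b in batch}
    new_devices = observed - known_devices
    updated = {host for lk in added for host in lk if host in known_devices}
    return {
        "devices": known_devices | observed,
        "links": list(known_links) + added,  # original data first, then new, in discovery order
        "new_devices": new_devices,
        "updated_devices": updated,
    }


if __name__ == "__main__":
    inventory = {"10.0.1.10", "10.0.2.20", "10.0.3.30"}
    links = [("10.0.1.10", "10.0.2.20"), ("10.0.2.20", "10.0.3.30")]
    print(update_topology(inventory, links, SAMPLE_XML))
```

Because only the (src, dst) pair is kept, port and protocol variations between the same two hosts never produce duplicate link relationships, which is the redundancy removal the step calls for; the per-service detail belongs to the device node attributes of step 3 instead.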

In step 2, collecting device vulnerability information comprises building the vulnerability information database and obtaining device vulnerabilities;

Building the vulnerability information database comprises vulnerability information collection and vulnerability information processing. Vulnerability information collection takes the CVE-NVD vulnerability database as the main body, CNNVD and the ICS Vulnerability Database as extended security databases, and CWE and CAPEC as vulnerability correlation databases to build the security knowledge base; the collected vulnerability information (the entries of those vulnerability databases) is stored in a MySQL database. Vulnerability information processing takes the CNNVD and CVE vulnerability knowledge bases as the main body, matches and correlates all the vulnerability information imported into the vulnerability information database (the MySQL database), introduces CWE as the basis for weakness description, weakness classification and exploitability judgment, and, combined with CAPEC, describes the prerequisites, required technical capability, method and consequences of an attack that exploits the vulnerability;

The collected vulnerability information items comprise: vulnerability name, CNNVD number, base score, CVE number, severity level, vulnerability type, vulnerability publication time, vulnerability update time, threat type, vendor, vulnerability description, solution, affected entities, patch, CWE number, CWE name, weakness description, other related weaknesses, mode of introduction of the weakness, application impact of the weakness, related attack patterns, likelihood of attack, attack domain, attack mechanism, prerequisites, and skills required.

The vulnerability information association of the attack template is shown schematically in Figure 3. With the CVE-NVD vulnerability knowledge base as the main body, the vulnerability name, CNNVD number, CVE number, severity level, vulnerability type, publication time, update time, threat type, vendor, vulnerability description, solution, affected entities and patch are filled in from the information on the CNNVD vulnerability detail page. Each CNNVD vulnerability number corresponds to a CVE number, through which the vulnerability information on the CVE vulnerability page can be linked. The CVE vulnerability page provides the associated CWE number, which links to the CWE database. The Common Weakness Enumeration (CWE) classifies weaknesses and provides a description of the weakness for each CWE number. From the weakness description obtained, the other related weaknesses, the mode of introduction, the application impact and the related attack patterns are described, and the exploitation conditions, exploitation method and attack result are filled in with the vulnerability as the core. The related attack patterns contain several CAPEC numbers; the attack information provided on the CAPEC page (likelihood of attack, attack domain, attack mechanism, prerequisites and skills required) completes the attack prerequisites and required skills in the attack template. In addition, to give a feasibility analysis and severity judgment for a specific vulnerability, the CVE number can be linked to CVSS, which provides a severity rating and risk score for each vulnerability. This completes the integration and correlation of the information from the multiple vulnerability databases.

Device vulnerabilities are obtained by scanning the system devices with open-source scanning tools (such as Nessus and OpenVAS) and the customized scanning tools of industrial control vendors; the scanning tools are configured according to the system device information already obtained, and the scan of device vulnerability information is completed. Compared with traditional networks, industrial control systems face stricter security requirements, and the fragility of industrial control devices must be considered when scanning for device vulnerabilities. Given the sensitivity of industrial control systems, different scanning approaches are used for industrial control devices and for general-purpose Internet devices according to the device type: industrial control system devices are scanned at a low frequency, while general-purpose Internet devices are scanned at a high frequency. This multi-frequency scanning scheme reduces the additional network load caused by injected probe traffic and the risk that probing poses to industrial control devices, while keeping the device vulnerability information up to date.

Then, based on the device vulnerability information obtained by scanning, devices are associated with vulnerabilities; a device may be associated with one or more vulnerabilities. The connection between a device and a vulnerability is defined as has_vul_at: DEVICE1 has_vul_at VUL1 means that device 1 has the vulnerability numbered VUL1. The device vulnerability information is matched against the vulnerability information database, so that each vulnerability yields an atomic attack template of the form "CNNVD description - CVE vulnerability number - CWE weakness report - CAPEC attack pattern - CVSS score", which provides the input data for the subsequent attack graph generation, as shown in Figure 3.

In step 3, the attack graph consists of nodes and edges; an edge is an attackable path, and the nodes of the attack graph comprise device nodes and vulnerability nodes;

The device node information comprises the service in which the device vulnerability resides, the open port information and the IP information, and is stored as the attributes of the device node. Device node information is described by a five-tuple: device IP, device name, vulnerable service, service protocol and service port;

The vulnerability node information comprises the CVE/CNNVD number, CWE classification, privilege escalation capability flag and CVSS score from the atomic attack rule; it is attached as node attributes to the vulnerability node identified by the vulnerability ID, and is described by a four-tuple: vulnerability ID, vulnerability number, vulnerability type and vulnerability score;

Based on the results of the network topology analysis and vulnerability information collection, the data is preprocessed and summarized into a device information table, a vulnerability information table and a device relationship table, which serve as the input of the attack graph generation algorithm, as shown in the tables below. In the device relationship table, "Y" means that the two devices are connected and "-" means that they are not.

Table 1: device information table

[Table 1 is given as an image in the original and is not reproduced here]

Table 2: vulnerability information table

[Table 2 is given as an image in the original and is not reproduced here]

Table 3: device relationship table

[Table 3 is given as an image in the original and is not reproduced here]

In step 3, the system attack graph is generated on the basis of the Neo4j graph database, which follows the property graph model for storing and managing data: the nodes of the attack graph represent entities and the relationships represent the connections between entities. The node attributes of the attack graph are populated from the device information table and the vulnerability information table, and the node relationships from the device relationship table; a starting node and a target node are selected, and the attack graph is generated after several traversals.

The data in the three tables above is the input of the attack graph generation algorithm, whose flow chart is shown in Figure 4. First, the device information, vulnerability information, device relationships and device-vulnerability matches are imported into the Neo4j graph database. According to the atomic attack rule model, vulnerability nodes that cannot be exploited under the model and device nodes that do not satisfy the attack conditions are identified. Devices that are not on a route to the attack target and isolated vulnerability nodes are removed. Finally, the attacker and the target are fixed, the information currently in the graph database is returned, and the attack graph for the system is constructed.

Taking the industrial control system of Figure 5 as an example, with the starting node fixed as the MES system host and the target node as PLC1, the generated attack graph contains 17 nodes and 19 edges. Because MES system PC3 has two exploitable vulnerabilities, the attack graph contains 12 attack paths in total.
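The generation algorithm of Figure 4 (import, discard nodes that fail the rule model, prune devices off every attacker-to-target route and the vulnerability nodes left isolated, then return the graph and its paths), as an added example that is not the patent's code. An in-memory adjacency structure stands in for the Neo4j graph database, and the three tables are constructed sample data rather than the contents of Tables 1 to 3, which are images on the page. As in the page's Figure 5 example, a device carrying two usable vulnerabilities doubles the number of attack paths through it.

```python
"""Attack graph generation from the device, vulnerability and relationship tables.

Added example, not the patent's code: an in-memory adjacency structure stands
in for Neo4j, and the three tables below are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

# Table 1 stand-in: device name -> (IP, vulnerable service, protocol, port)
DEVICES: Dict[str, Tuple[str, str, str, int]] = {
    "MES_HOST":  ("10.0.1.10", "-", "-", 0),        # attacker's starting node
    "MES_PC3":   ("10.0.1.13", "smb", "tcp", 445),
    "DB_SERVER": ("10.0.2.20", "mssql", "tcp", 1433),
    "HMI":       ("10.0.2.25", "vnc", "tcp", 5900),
    "SCADA":     ("10.0.3.30", "opc", "tcp", 135),
    "PLC1":      ("10.0.4.40", "s7comm", "tcp", 102),
}

# Table 2 stand-in: vulnerability ID -> (device, CAPEC likelihood, CVSS score).
# An empty likelihood means the atomic attack rule cannot be completed.
VULNS: Dict[str, Tuple[str, str, float]] = {
    "VUL1": ("MES_PC3", "high", 9.9),
    "VUL2": ("MES_PC3", "medium", 7.5),
    "VUL3": ("DB_SERVER", "low", 6.9),
    "VUL4": ("HMI", "high", 8.0),
    "VUL5": ("SCADA", "high", 6.9),
    "VUL6": ("PLC1", "medium", 7.8),
    "VUL7": ("PLC1", "", 5.0),
}

# Table 3 stand-in: directed "A link B" relationships
LINKS: List[Tuple[str, str]] = [
    ("MES_HOST", "MES_PC3"), ("MES_PC3", "DB_SERVER"),
    ("DB_SERVER", "HMI"), ("DB_SERVER", "SCADA"), ("SCADA", "PLC1"),
]


def build_attack_graph(start: str, target: str):
    """Return (nodes, edges, paths): the pruned attack graph and its attack paths.

    Edges run device -> vulnerability -> device: device B is reached from A
    only if A link B holds and B carries a vulnerability usable under the rules.
    """
    # Step 1: import; drop vulnerability nodes that do not fit the rule model.
    usable = {v for v, (_, likelihood, _) in VULNS.items() if likelihood}
    adj: Dict[str, Set[str]] = {n: set() for n in list(DEVICES) + list(usable)}
    for a, b in LINKS:
        for v in usable:
            if VULNS[v][0] == b:
                adj[a].add(v)
                adj[v].add(b)

    # Step 2: traverse every simple path from the attacker to the target.
    paths: List[List[str]] = []

    def walk(node: str, trail: List[str]) -> None:
        if node == target:
            paths.append(list(trail))
            return
        for nxt in sorted(adj[node]):
            if nxt not in trail:
                trail.append(nxt)
                walk(nxt, trail)
                trail.pop()

    walk(start, [start])

    # Step 3: keep only nodes on some attacker->target route; devices off every
    # route and the vulnerability nodes they leave isolated are pruned.
    keep = {n for p in paths for n in p}
    edges = sorted((a, b) for a in keep for b in adj[a] if b in keep)
    return keep, edges, paths


def device_chain(path: List[str]) -> List[str]:
    """Collapse a node path to its device hops (vulnerability nodes omitted)."""
    return [n for n in path if n in DEVICES]


if __name__ == "__main__":
    nodes, edges, paths = build_attack_graph("MES_HOST", "PLC1")
    print(len(nodes), "nodes,", len(edges), "edges,", len(paths), "paths")
    for p in paths:
        print(" -> ".join(p))
```

With the constructed tables, the HMI is reachable from the database server but leads nowhere near PLC1, so it and VUL4 are pruned; VUL7 is dropped before traversal because its atomic attack rule is incomplete; and the two usable vulnerabilities on MES_PC3 yield two attack paths that differ only in the vulnerability node used to enter that device.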

In step 4, network security is measured hierarchically: the security of the industrial control network is measured according to the node type, namely vulnerability node measurement, device node measurement and system security measurement. A vulnerability node has two additional attributes: exploitability and vulnerability impact. Exploitability is the probability that the vulnerability is successfully exploited to achieve the attack effect. Vulnerability impact is the severity of the consequences once the vulnerability is successfully exploited. A device node also has two additional attributes: attack probability and device risk score. The attack probability is related to the exploitability of the vulnerability nodes connected to the device and represents the probability that the device is successfully attacked. The device risk score is related to the exploitability and impact of the vulnerability nodes connected to the device and represents the degree of impact once the device is successfully attacked.

Node calculations fall into two categories: starting nodes and non-starting nodes. A starting node only needs to consider the vulnerability nodes connected to it; a non-starting node considers the vulnerability nodes connected to it and, in addition, the attack probability and device risk score of the upper-layer device nodes. The system security measure is computed from the device node risk scores accumulated over multiple layers.

(1) Vulnerability node measurement quantifies the exploitability and impact of a vulnerability node from the scanned device vulnerability information. The exploitability of a vulnerability node is defined by the "likelihood of attack" field of the CAPEC database: the likelihood values {low, medium, high} are quantified as {0.3, 0.6, 0.9}, where a low score means a low probability of being attacked and a high score a high probability. The impact score of a vulnerability node uses the vulnerability assessment score of the Common Vulnerability Scoring System (CVSS), out of a maximum of 10: the higher the score, the greater the impact of the vulnerability, and the lower the score, the smaller the impact.

(2) Device node measurement quantifies the attack probability and the risk score of a device node;

a. Attack probability of a device node

For the vulnerability nodes connected to each device node, the attack probability of the device node is calculated from their exploitability, as in formula (I):

[Formula (I) is given as an image in the original and is not reproduced here]

where U_self is the attack probability of this device node, u_i is the exploitability of the i-th vulnerability node connected to the device node, and k is the total number of vulnerability nodes connected to the device node; the more vulnerability nodes are connected to a device node, the higher its attack probability;

b. Risk score of a device node

Using the exploitability of the connected vulnerability nodes as weights, a weighted impact calculation over the vulnerability nodes gives the risk score of the device node, as in formula (II):

[Formula (II) is given as an image in the original and is not reproduced here]

where R_self is the risk score of this device node, u_i and u_j are the exploitability of the i-th and j-th vulnerability nodes connected to the device node, and r_i is the vulnerability impact of the i-th vulnerability node connected to the device node.

(3) System security measurement comprises starting node measurement and non-starting node measurement;

a. Starting node measurement

Because the starting node's privileges have already been obtained, it is not itself attacked, so the attack probability of the starting device node defaults to 1, meaning that full privileges on the device have been obtained. Because the starting node has no predecessor node, its in-degree is 0; therefore the risk score of the starting node equals its own risk score.

b. Non-starting node measurement

A non-starting node considers the vulnerability nodes connected to it and, in addition, the attack probability and device risk score of the upper-layer device nodes, computing the cumulative attack probability and device risk score of the upper-layer device nodes and the device node of the current layer; the system security measure is computed from the device node risk scores accumulated over multiple layers;

The attack probability of a non-starting node is calculated as in formula (III):

[Formula (III) is given as an image in the original and is not reproduced here]

where d_i is the in-degree of the node and U_m is the attack probability of the m-th upper-layer node connected to the device node. This measure takes into account the in-degree of the node and the influence of the upper-layer nodes' attack probability on the node of the current layer: the greater the in-degree, the greater the node's attack probability, and the greater the attack probability of the upper-layer nodes, the greater the attack probability of the node of the current layer;

The risk score of a non-starting node is calculated as in formula (IV):

[Formula (IV) is given as an image in the original and is not reproduced here]

where U_m and U_n are the attack probability of the m-th and n-th upper-layer nodes connected to the device node, and R_m is the risk score of the m-th upper-layer node connected to the device node;

The risk score measure of a non-starting node takes into account the influence of the upper-layer nodes' attack probability on the node of the current layer and at the same time accumulates the risk scores of the upper-layer nodes: the greater the in-degree of the node, the greater its risk score; the greater the attack probability of the upper-layer nodes, the greater the risk score of the current-layer node; and the greater the risk score of the upper-layer nodes, the greater the risk score of the current-layer node. Finally, the risk score R_dest of the target node is obtained by accumulation along the multi-layer attack path.

步骤四中,攻击路径包括嵌套路径和并列路径;结合系统安全度量值对关键攻击路径进行定量分析,分析过程中引入资产价值指标进行度量,资产价值由节点出入度以及资产重要性共同决定,资产重要性指标从1-10为资产划分十个等级(资产重要性指标需根据专家经验决定),10为非常重要,1为非常不重要;同时,根据目前攻击图中出现的节点出入度数,以最高出入度为准,对其余出入度做归一化处理,起始节点和目标节点的出入度默认为1,不做降权处理,以图6所示的攻击图为例,出入度={2,5},进行归一化处理后,出入度为5的节点变为1,出入度为2的节点变为0.4。最后资产价值由资产重要性及出入度的乘积获得,如式Ⅴ:In step 4, the attack paths include nested paths and parallel paths; the key attack paths are quantitatively analyzed in combination with system security metrics, and asset value indicators are introduced to measure during the analysis process. The asset importance index is divided into ten grades from 1 to 10 (the asset importance index needs to be determined according to expert experience), 10 is very important, 1 is very unimportant; at the same time, according to the node in and out degrees appearing in the current attack graph, Take the highest in-out degree as the criterion, and normalize the remaining in-out degrees. The in-out degree of the starting node and the target node is 1 by default, and no weight reduction is performed. Taking the attack graph shown in Figure 6 as an example, the in-out degree = {2, 5}, after normalization, the node with in-out degree 5 becomes 1, and the node with in-out degree 2 becomes 0.4. The final asset value is obtained by multiplying the asset importance and the degree of access, as shown in formula V:

Pvalue=Psignificance*dio (Ⅴ)P value = P significance *d io (V)

其中,Pvalue表示资产价值,Psignificance表示资产重要性,dio表示经过归一化处理的节点出入度;Among them, P value represents asset value, P significance represents asset importance, and dio represents the normalized node in-out degree;

结合以上指标分析攻击图中关键攻击路径。攻击路径中产生分支路径的情况分为两种,一种是嵌套路径分析,另一种是并列路径分析,如图6所示。Combine the above indicators to analyze the key attack paths in the attack graph. There are two types of branch paths in the attack path, one is nested path analysis, and the other is parallel path analysis, as shown in Figure 6.

a. Nested path analysis

As shown in Figure 6(a), the attack path MES PC1-->MES PC2-->MES PC3 contains the path MES PC1-->MES PC3. The path set of a nested path does not include the common starting node: Path1={MES PC3}, Path2={MES PC2, MES PC3}. The critical path in this case is selected by the following calculation:

[Formula for the nested-path criticality index: image BDA0002707200260000151, not reproduced in the text]

Here Pathsign is the path criticality index, Uj is the attacked probability of the j-th device node in the path set, Ri is the risk score of the i-th device node in the path set, and Pvaluei is the asset value of the i-th device node in the path set. For nested paths the critical path is determined mainly by the number of attack hops: in general the path with fewer hops is the critical path, and a path with more hops can only become the critical path when both the attacked probability and the risk score of the intermediate hop nodes are large; this depends on the particular target industrial control system and is judged by engineers on the basis of long-term working experience. Taking Figure 6(a) as an example, based on practical experience the asset importance of MES PC2 and MES PC3 is defined as 6, and their normalized in/out degree is 0.4. Path1sign = 0.9*9.9*2.4 = 21.384, Path2sign = 0.3*0.9*9.9*2.4 + 0.3*6.9*2.4 = 11.3832. Therefore the critical path among the nested attack paths is Path1, i.e. MES PC1-->MES PC3.

b. Parallel path analysis

As shown in Figure 6(b), the attack path database server-->PLC1 contains three parallel attack paths: database server-->operator station-->PLC1, database server-->engineer station-->PLC1, and database server-->SCADA system-->PLC1. The path set of the parallel attack paths consists of the three parallel nodes excluding the common start and end nodes, Path={operator station, engineer station, SCADA system}. The critical path in this case is selected by the following calculation:

Pathsign = max{Ui*Ri*Pvaluei}, i = 1, 2, ..., k (Ⅶ)

Here Ui is the attacked probability of the i-th device node in the path set, Ri is the risk score of the i-th device node, and Pvaluei is the asset value of the i-th device node; the critical path is finally selected by comparing the criticality indices of the three parallel paths.

Taking Figure 6(b) as an example, based on practical experience the asset importance of the operator station is defined as 8, that of the engineer station as 7 and that of the SCADA system as 9, and the normalized in/out degree of each is 0.4. Pathsign = max{0.6*7.8*3.2, 0.8*9.8*2.8, 0.9*6.9*3.6} = max{14.976, 21.952, 22.356}. Therefore the critical path among the parallel attack paths is Path3, i.e. database server-->SCADA system-->PLC1.

Combining the results of the nested-path and parallel-path analyses, one critical path of the attack graph is MES PC1-->MES PC3-->database server-->SCADA system-->PLC1. The critical attack path is obtained by computing the importance of multiple paths with quantitative indicators. A critical attack path that jointly considers asset value, attack likelihood and vulnerability harm reflects the security state of the key parts of the system. At the same time, the vulnerable points of the system can be located precisely from the path score, device score and vulnerability score. In addition, the detailed vulnerability information provided by the vulnerability database makes it possible to quickly understand vulnerability attributes and find remediation, providing data support for the security protection of industrial control systems.
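The path analysis above, as an added example that is not part of the patent or any code of its authors: it implements the asset value of formula (Ⅴ) and the parallel-path index of formula (Ⅶ) exactly as the text states them, and reproduces the nested-path worked numbers of Figure 6(a) and the parallel-path numbers of Figure 6(b). Because the nested-path formula only exists as an image on this page, its form (sum over hops of the cumulative attacked probability times risk score times asset value) is an assumption inferred from the numbers 21.384 and 11.3832. The raw node degrees and the maximum degree are constructed so that the normalized in/out degree equals the 0.4 quoted in the text; all class and function names are the example's own.

```python
# Added example, not code from the patent. Implements formula (V) and (VII)
# from the text and reproduces the Figure 6 worked numbers. Node inputs are
# CONSTRUCTED from the values quoted in the description.
from __future__ import annotations

from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class DeviceNode:
    name: str
    attacked_prob: float       # U: attacked probability of the device node
    risk_score: float          # R: risk score of the device node
    significance: int          # Psignificance: asset importance, graded 1..10
    degree: int                # raw in/out degree in the attack graph
    is_endpoint: bool = False  # start/target nodes keep a degree weight of 1


def asset_value(node: DeviceNode, max_degree: int) -> float:
    """Formula (V): Pvalue = Psignificance * dio, where dio is the node's
    in/out degree normalized by the highest degree in the attack graph.
    Start and target nodes are not down-weighted (dio = 1)."""
    if not 1 <= node.significance <= 10:
        raise ValueError(f"{node.name}: asset importance must be in 1..10")
    if max_degree <= 0:
        raise ValueError("max_degree must be positive")
    dio = 1.0 if node.is_endpoint else node.degree / max_degree
    return node.significance * dio


def nested_path_sign(path: list[DeviceNode], max_degree: int) -> float:
    """Criticality index of one nested path (common start node excluded).
    ASSUMPTION: the formula image is not reproduced on the page; the form
    sum_i (prod_{j<=i} U_j) * R_i * Pvalue_i is inferred from the worked
    numbers 21.384 and 11.3832, which it reproduces exactly. Each extra hop
    multiplies in another U <= 1, which is why fewer hops usually win."""
    total = 0.0
    for i, node in enumerate(path):
        # probability that the attacker has reached hop i along this path
        reach = prod(n.attacked_prob for n in path[: i + 1])
        total += reach * node.risk_score * asset_value(node, max_degree)
    return total


def critical_nested_path(paths: dict[str, list[DeviceNode]], max_degree: int) -> str:
    """Name of the nested path with the highest criticality index."""
    return max(paths, key=lambda k: nested_path_sign(paths[k], max_degree))


def parallel_path_sign(middle_nodes: list[DeviceNode], max_degree: int) -> tuple[float, str]:
    """Formula (VII): Pathsign = max{Ui * Ri * Pvaluei} over the parallel
    intermediate nodes; returns the maximum and the winning node's name."""
    scores = {
        n.name: n.attacked_prob * n.risk_score * asset_value(n, max_degree)
        for n in middle_nodes
    }
    best = max(scores, key=scores.__getitem__)
    return scores[best], best


# Constructed inputs: U, R and asset importance as quoted for Figure 6;
# a raw degree of 2 with a graph maximum of 5 gives the normalized 0.4.
MAX_DEGREE = 5
MES_PC2 = DeviceNode("MES PC2", 0.3, 6.9, 6, 2)
MES_PC3 = DeviceNode("MES PC3", 0.9, 9.9, 6, 2)
NESTED = {"Path1": [MES_PC3], "Path2": [MES_PC2, MES_PC3]}

PARALLEL = [
    DeviceNode("operator station", 0.6, 7.8, 8, 2),
    DeviceNode("engineer station", 0.8, 9.8, 7, 2),
    DeviceNode("SCADA system", 0.9, 6.9, 9, 2),
]

if __name__ == "__main__":
    for name, path in NESTED.items():
        print(f"{name}sign = {nested_path_sign(path, MAX_DEGREE):.4f}")
    print("critical nested path:", critical_nested_path(NESTED, MAX_DEGREE))
    value, via = parallel_path_sign(PARALLEL, MAX_DEGREE)
    print(f"parallel Pathsign = {value:.3f} via {via}")
```

Running the block prints Path1sign = 21.3840, Path2sign = 11.3832 and a parallel Pathsign of 22.356 via the SCADA system, matching the figures in the text. The degree normalization is done once per graph (max_degree), so a node's asset value changes when the graph topology changes even if its importance grade does not; that is the intended coupling between asset value and how connected a device is.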

Embodiment 2:

A server, comprising:

one or more processors;

a storage device on which one or more programs are stored,

wherein, when the one or more programs are executed by the one or more processors, the one or more processors implement the attack-graph-based industrial control system security measurement method described in Embodiment 1.

Embodiment 3:

A computer-readable medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the attack-graph-based industrial control system security measurement method described in Embodiment 1.

The above are only specific embodiments of the present invention, and the protection scope of the present invention is not limited thereto. Any changes or substitutions that a person skilled in the art could easily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. An industrial control system security measurement method based on an attack graph is characterized by comprising the following steps:
step one, acquiring the topological structure information of the industrial control network, detecting the equipment of the specific industrial control system, obtaining the equipment information in the industrial control network, and analyzing the associations between the equipment;
step two, collecting equipment vulnerability information aiming at the detection result of the equipment in the industrial control network;
step three, according to the topological structure and the equipment vulnerability information, storing the data in a graph format by a graph-database-based method, representing the graph structure by nodes and relations, and generating a system attack graph;
and step four, according to the generated system attack graph, performing network security measurement on the specific industrial control system according to three levels of vulnerability node measurement, equipment node measurement and system security measurement, and analyzing an attack path.
2. The attack-graph-based industrial control system security measurement method according to claim 1, wherein in step one the acquired industrial control network topology information comprises the topology plan, the system configuration and the access control rules of the security devices in the system design document; and the connection relations between the system devices are read and extracted from the system design document and the access control rules of the security devices, so as to reconstruct the topological structure of the system.
3. The attack graph-based industrial control system security measurement method according to claim 1, wherein in the second step, collecting the device vulnerability information comprises building a vulnerability information base and obtaining a device vulnerability;
constructing the vulnerability information base, namely acquiring vulnerability information and processing the vulnerability information; a security knowledge base is constructed by taking the CVE-NVD vulnerability database as the main body, the CNNVD and ICS vulnerability databases as extended security bases, and CWE and CAPEC as vulnerability association information bases, and the collected vulnerability information is stored in a MySQL database; the vulnerability information processing takes the CNNVD and CVE vulnerability knowledge bases as the main body, matches and associates all vulnerability information imported into the MySQL database, introduces CWE as the basis for vulnerability description, vulnerability classification and availability judgment, and combines CAPEC to describe the preconditions, required skills, patterns and consequences of attacks exploiting the vulnerabilities;
acquiring equipment vulnerabilities, namely scanning the vulnerabilities of the system equipment with a scanning tool, configuring the scanning tool according to the acquired system equipment information, and completing the scan of equipment vulnerability information; then, according to the scanned equipment vulnerability information, associating and representing equipment and vulnerabilities, where one piece of equipment can be associated with one or more vulnerabilities; the connection relationship between equipment and vulnerabilities is defined as has_VUL_at, and DEVICE1 has_VUL_at VUL1 indicates that equipment 1 has the vulnerability numbered VUL1; and matching the equipment vulnerability information with the information in the vulnerability information base, whereby each vulnerability obtains an atomic attack template of CNNVD description-CVE vulnerability number-CWE vulnerability report-CAPEC attack method-CVSS score, providing input data for the subsequent generation of the attack graph.
4. The industrial control system security measurement method based on the attack graph as claimed in claim 1, wherein in step three, the nodes in the attack graph include device nodes and vulnerability nodes;
the equipment node information comprises service information, open port information and IP information of the equipment vulnerability, the equipment node information is used as the attribute of the equipment node, and the equipment node information is described by adopting quintuple, namely equipment IP, equipment name, service with the vulnerability, service protocol and service port;
the vulnerability node information comprises the CVE/CNNVD number, CWE classification, privilege-escalation capability flag and CVSS score from the atomic attack rule; the vulnerability node information is integrated as node attributes on a vulnerability node identified by the vulnerability ID, and is described by a four-tuple, namely vulnerability ID, vulnerability number, vulnerability type and vulnerability score;
and preprocessing the data according to the results of network topology analysis and vulnerability information collection, and summarizing the data into an equipment information table, a vulnerability information table and an equipment relation table which are used as the input of an attack graph generation algorithm.
5. The attack-graph-based industrial control system security measurement method according to claim 1, wherein in step four the vulnerability node measurement quantifies the availability and the hazard of vulnerability nodes according to the scanned equipment vulnerability information; the availability of a vulnerability node is defined by the 'attack possibility' field in the CAPEC library, with the {low, medium, high} attack possibility quantified as {0.3, 0.6, 0.9}, a low score representing a low possibility of attack and a high score a high possibility of attack; and the hazard score of a vulnerability node is the CVSS vulnerability assessment score, with a full score of 10: the higher the score, the greater the vulnerability hazard, and the lower the score, the smaller the vulnerability hazard.
6. The attack graph-based industrial control system security measure method of claim 1, wherein in step four, the device node measures are quantified according to the device node attack probability and the device node risk score;
a. probability of attack on device node
Aiming at the vulnerability nodes connected with each equipment node, calculating the attacked probability of the equipment nodes according to the availability, as shown in formula I:
[Formula I: image FDA0002707200250000021, not reproduced in the text]
wherein Uself represents the attacked probability of the equipment node, ui represents the availability of the i-th vulnerability node connected to the equipment node, and k represents the number of all vulnerability nodes connected to the equipment node; the more vulnerability nodes are connected to the equipment node, the higher the attacked probability of the equipment node;
b. equipment node risk score
And performing weighted hazard calculation on the vulnerability nodes according to the availability of the connected vulnerability nodes to obtain the risk score of the equipment node, as shown in formula II:
[Formula II: image FDA0002707200250000031, not reproduced in the text]
wherein Rself represents the risk score of the equipment node, ui and uj represent the availability of the i-th and j-th vulnerability nodes connected to the equipment node, and ri represents the vulnerability hazard of the i-th vulnerability node connected to the equipment node.
7. The attack graph-based industrial control system security measure of claim 1 wherein in step four, the system security measures comprise an initial node measure and a non-initial node measure;
a. starting node metric
Since the starting node is where the attacker already holds privileges and there is no attacked condition, the attacked probability of the starting equipment node defaults to 1, representing that all privileges on the equipment have been obtained; and since the starting node has no predecessor node and its in-degree is 0, the risk score of the starting node equals the node's own risk score;
b. non-starting node metric
For a non-starting node, the vulnerability nodes connected to the node are considered together with the attacked probability and equipment risk score of the upper-layer equipment nodes; the accumulated attacked probability and equipment risk score of the upper-layer and current-layer equipment nodes are calculated, and the system security measure is computed from the multi-layer accumulated risk scores of the equipment nodes;
the attacked probability of a non-starting node is calculated as formula III:
[Formula III: image FDA0002707200250000032, not reproduced in the text]
wherein di represents the in-degree of the node and Um represents the attacked probability of the m-th upper-layer node connected to the equipment node; this measurement considers the in-degree of the node and the influence of the attacked probability of the upper-layer nodes on the current-layer node: the greater the in-degree of the node, the higher its attacked probability, and the higher the attacked probability of the upper-layer node, the higher the attacked probability of the current-layer node;
the risk score of a non-starting node is calculated as formula IV:
[Formula IV: image FDA0002707200250000033, not reproduced in the text]
wherein Um and Un represent the attacked probabilities of the m-th and n-th upper-layer nodes connected to the equipment node, and Rm represents the risk score of the m-th upper-layer node connected to the equipment node;
the risk score of a non-starting node considers the influence of the attacked probability of the upper-layer nodes on the current-layer node and accumulates the risk scores of the upper-layer nodes: the greater the in-degree of the node, the greater its risk score; the higher the attacked probability of the upper-layer node, the greater the risk score of the current-layer node; the greater the risk score of the upper-layer node, the greater the risk score of the current-layer node; and the risk score Rdest of the final target node is accumulated along the attack path over multiple layers.
8. The attack-graph-based industrial control system security measurement method of claim 1, wherein in step four the attack paths comprise nested paths and parallel paths; the critical attack path is analyzed quantitatively in combination with the system security measurement values, and an asset value index is introduced in the analysis, the asset value being jointly determined by the access degree (in/out degree) of a node and the asset importance; the asset importance index grades assets on ten levels from 1 to 10, with 10 meaning very important and 1 meaning very unimportant; meanwhile, the access degrees of the nodes in the current attack graph are normalized with the highest access degree as the reference, the access degrees of the starting node and the target node default to 1 with no weight reduction, and finally the asset value is the product of the asset importance and the access degree, as in formula V:
Pvalue = Psignificance*dio (Ⅴ)
wherein Pvalue represents the asset value, Psignificance represents the asset importance, and dio represents the node access degree after normalization;
a. nested path analysis
Nodes in the path set of the nested paths do not include a common starting node, and the key path in the case is selected as follows:
[Formula for the nested-path criticality index: image FDA0002707200250000041, not reproduced in the text]
wherein Pathsign is the path criticality index, Uj represents the attacked probability of the j-th equipment node in the path set, Ri represents the risk score of the i-th equipment node in the path set, and Pvaluei represents the asset value of the i-th equipment node in the path set; the critical path among nested paths takes the attack hop count as the main calculation basis: in general the path with fewer attack hops is the critical path, and a path with more attack hops can be the critical path only when both the attacked probability and the risk score of the intermediate hop nodes are larger;
b. parallel path analysis
The path set of the parallel attack path is represented by N parallel nodes excluding the common start node and the common end node, and the key path in this case is selected and calculated as follows:
Pathsign=max{Ui*Ri*Pvaluei} i=(1,2,...k) (Ⅶ)
Ui represents the attacked probability of the i-th equipment node in the path set, Ri represents the risk score of the i-th equipment node in the path set, and Pvaluei represents the asset value of the i-th equipment node in the path set; finally, the critical path is selected by comparing the criticality indices of the N parallel paths;
and synthesizing the analysis results of the nested path and the parallel path, and calculating the importance of the multiple paths through the quantitative indexes to obtain the key attack path.
9. A server, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the attack-graph-based industrial control system security measurement method of any one of claims 1-8.
10. A computer-readable medium, on which a computer program is stored, wherein the computer program, when executed by a processor, implements the attack graph-based industrial control system security measure method of any one of claims 1 to 8.
CN202011043060.3A 2020-09-28 2020-09-28 A security measurement method for industrial control systems based on attack graph Active CN112114579B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011043060.3A CN112114579B (en) 2020-09-28 2020-09-28 A security measurement method for industrial control systems based on attack graph

Publications (2)

Publication Number Publication Date
CN112114579A true CN112114579A (en) 2020-12-22
CN112114579B CN112114579B (en) 2023-07-25

Family

ID=73798243

Country Status (1)

Country Link
CN (1) CN112114579B (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112904817A (en) * 2021-01-19 2021-06-04 哈尔滨工业大学(威海) Global safety detection system for intelligent manufacturing production line and working method thereof
CN114039862A (en) * 2022-01-10 2022-02-11 南京赛宁信息技术有限公司 Construction method and system of CTF problem solution detection node based on dynamic topology analysis
CN114143109A (en) * 2021-12-08 2022-03-04 安天科技集团股份有限公司 Visual processing method, interaction method and device for attack data
CN114528552A (en) * 2021-12-31 2022-05-24 北京邮电大学 Security event correlation method based on vulnerability and related equipment
CN114584348A (en) * 2022-02-14 2022-06-03 上海安锐信科技有限公司 Industrial control system network threat analysis method based on vulnerability
CN115061434A (en) * 2022-06-01 2022-09-16 哈尔滨工业大学(威海) A parallel attack path planning system and method for large-scale industrial control scenarios
CN115102743A (en) * 2022-06-17 2022-09-23 电子科技大学 Network security-oriented multi-layer attack graph generation method
CN115118468A (en) * 2022-06-16 2022-09-27 上海谋乐网络科技有限公司 Method and system for providing collaborative support for cyber confrontation attackers
CN115185466A (en) * 2022-07-25 2022-10-14 北京珞安科技有限责任公司 Hierarchical management and control tool and method for mobile storage device
CN115242507A (en) * 2022-07-22 2022-10-25 四川启睿克科技有限公司 Attack graph generation system and method based on set parameter maximum value
CN115514543A (en) * 2022-09-07 2022-12-23 湖北鑫英泰系统技术股份有限公司 A method and system for power network security based on scale-free network
CN116208416A (en) * 2023-03-06 2023-06-02 华能国际电力股份有限公司 Attack link mining method and system for industrial Internet
CN116305170A (en) * 2023-05-16 2023-06-23 北京安帝科技有限公司 Analog testing method, device, equipment and storage medium based on industrial control system
CN116702159A (en) * 2023-08-04 2023-09-05 北京微步在线科技有限公司 Host protection method, device, computer equipment and storage medium
CN117155679A (en) * 2023-09-13 2023-12-01 上海安锐信科技有限公司 A network threat analysis method based on industrial control system data sources
CN119583129A (en) * 2024-11-22 2025-03-07 深圳市景佑宝元科技有限公司 A real-time risk control method and system
WO2025106207A1 (en) * 2023-11-13 2025-05-22 Microsoft Technology Licensing, Llc Attack path discovery engine in a security management system
WO2025186917A1 (en) * 2024-03-06 2025-09-12 日本電気株式会社 Attack path display control device, attack path display control method, and recording medium in which attack path display control program is stored

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050193430A1 (en) * 2002-10-01 2005-09-01 Gideon Cohen System and method for risk detection and analysis in a computer network
US7013395B1 (en) * 2001-03-13 2006-03-14 Sandra Corporation Method and tool for network vulnerability analysis
US20090077666A1 (en) * 2007-03-12 2009-03-19 University Of Southern California Value-Adaptive Security Threat Modeling and Vulnerability Ranking
CN103368976A (en) * 2013-07-31 2013-10-23 电子科技大学 Network security evaluation device based on attack graph adjacent matrix
CN104348652A (en) * 2013-08-06 2015-02-11 南京理工大学常熟研究院有限公司 Method and device for evaluating system security based on correlation analysis
CN105871882A (en) * 2016-05-10 2016-08-17 国家电网公司 Network Security Risk Analysis Method Based on Network Node Vulnerability and Attack Information
US20170054751A1 (en) * 2015-08-20 2017-02-23 Cyberx Israel Ltd. Method for mitigation of cyber attacks on industrial control systems
CN106709613A (en) * 2015-07-16 2017-05-24 中国科学院信息工程研究所 Risk assessment method suitable for industrial control system
US20180096153A1 (en) * 2015-03-04 2018-04-05 Secure-Nok As System and Method for Responding to a Cyber-Attack-Related Incident Against an Industrial Control System
CN110533754A (en) * 2019-08-26 2019-12-03 哈尔滨工业大学(威海) Interactive attack graph display systems and methods of exhibiting based on extensive industry control network
EP3644579A1 (en) * 2018-10-26 2020-04-29 Accenture Global Solutions Limited Criticality analysis of attack graphs

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
HUAN WANG; ZHANFANG CHEN; JIANPING ZHAO; XIAOQIANG DI; DAN LIU: "A Vulnerability Assessment Method in Industrial Internet of Things Based on Attack Graph and Maximum Flow", <SPECIAL SECTION ON CONVERGENCE OF SENSOR NETWORKS, CLOUD COMPUTING, AND BIG DATA IN INDUSTRIAL INTERNET OF THING> *
王佳欣,冯毅,由睿: "基于依赖关系图和通用漏洞评分系统的网络安全度量", 《计算机应用》, vol. 39, no. 6 *
赵 松, 吴晨思, 谢卫强, 贾紫艺, 王 鹤, 张玉清: "基于攻击图的网络安全度量研究", 《信息安全学报》, vol. 4, no. 1 *

Also Published As

Publication number Publication date
CN112114579B (en) 2023-07-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant