面向大规模工控网络的关键路径分析方法

doi:10.11959/j.issn.2096-109x.2021069

Abstract

Abstract:

In order to solve the problem of high time-consuming and resource-consuming quantitative calculation of large-scale industrial control network attack graphs, a key path analysis method for large-scale industrial control networks was proposed.Firstly, the idea of cut set was used to calculate the key nodes set of Bayesian attack graph by combining the atomic attack income in industrial control network, which solved the problem that the current cut set algorithm only considers the key nodes in graph structure.Secondly, a dynamic updating strategy of Bayesian attack graph which only updated the attack probability of key nodes was proposed to efficiently calculate the attack probability of the whole graph and analyze the key path of attack graph.The experimental results show that the proposed method can not only ensure the reliability of the calculation results of large-scale industrial control attack graphs, but also can significantly reduce the time consumption and have a significant improvement in the calculation efficiency.

Key words: key node, key path, attack graph, Bayesian network, industrial control network

CLC Number:

TP393

Yaofang ZHANG, Zheyu ZHANG, Haikuo QU, Ge ZHANG, Zibo WANG, Bailing WANG. Key path analysis method for large-scale industrial control network[J]. Chinese Journal of Network and Information Security, 2021, 7(6): 31-43.

Figures/Tables 12

References 24

[1]	NOURIAN A , MADNICK S . A systems theoretic approach to the security threats in cyber physical systems applied to Stuxnet[J]. IEEE Transactions on Dependable and Secure Computing, 2018,15(1): 2-13.
[2]	LIANG G Q , WELLER S R , ZHAO J H ,et al. The 2015 Ukraine blackout:implications for false data injection attacks[J]. IEEE Transactions on Power Systems, 2017,32(4): 3317-3318.
[3]	AKBANOV M , VASSILAKIS V G , LOGOTHETIS M D . Ransomware detection and mitigation using software-defined networking:the case of WannaCry[J]. Computers ＆ Electrical Engineering, 2019,76: 111-121.
[4]	ALLADI T , CHAMOLA V , ZEADALLY S . Industrial control systems:cyberattack trends and countermeasures[J]. Computer Communications, 2020,155: 1-8.
[5]	吴晨思, 谢卫强, 姬逸潇 ,等. 网络系统安全度量综述[J]. 通信学报, 2019,40(6): 14-31.
	WU C S , XIE W Q , JI Y X ,et al. Survey on network system secu-rity metrics[J]. Journal on Communications, 2019,40(6): 14-31.
[6]	PHILLIPS C , SWILER L P . A graph-based system for network-vulnerability analysis[C]// Proceedings of the 1998 Workshop on New Security Paradigms - NSPW '98. 1998: 71-79.
[7]	叶子维, 郭渊博, 王宸东 ,等. 攻击图技术应用研究综述[J]. 通信学报, 2017,38(11): 121-132.
	YE Z W , GUO Y B , WANG C D ,et al. Survey on application of at-tack graph technology[J]. Journal on Communications, 2017,38(11): 121-132.
[8]	POOLSAPPASIT N , DEWRI R , RAY I . Dynamic security risk management using Bayesian attack graphs[J]. IEEE Transactions on Dependable and Secure Computing, 2012,9(1): 61-74.
[9]	MU?OZ-GONZáLEZ L , SGANDURRA D , BARRèRE M , ,et al. Exact inference techniques for the analysis of Bayesian attack graphs[J]. IEEE Transactions on Dependable and Secure Computing, 2017,16(2): 231-244.
[10]	杨英杰, 冷强, 常德显 ,等. 基于属性攻击图的网络动态威胁分析技术研究[J]. 电子与信息学报, 2019,41(8): 1838-1846.
	YANG Y J , LENG Q , CHANG D X ,et al. Research on network dynamic threat analysis technology based on attribute attack graph[J]. Journal of Electronics ＆ Information Technology, 2019,41(8): 1838-1846.
[11]	王辉, 王云峰, 王坤福 . 基于贝叶斯推理的攻击路径预测研究[J]. 计算机应用研究, 2015,32(1): 226-231.
	WANG H , WANG Y F , WANG K F . Research on predicting attack path based on Bayesian inference[J]. Application Research of Computers, 2015,32(1): 226-231.
[12]	张少俊, 李建华, 宋珊珊 ,等. 贝叶斯推理在攻击图节点置信度计算中的应用[J]. 软件学报, 2010,21(9): 2376-2386.
	ZHANG S J , LI J H , SONG S S ,et al. Using Bayesian inference for computing attack graph node beliefs[J]. Journal of Software, 2010,21(9): 2376-2386.
[13]	陈小军, 方滨兴, 谭庆丰 ,等. 基于概率攻击图的内部攻击意图推断算法研究[J]. 计算机学报, 2014,37(1): 62-72.
	CHEN X J , FANG B X , TAN Q F ,et al. Inferring attack intent of malicious insider based on probabilistic attack graph model[J]. Chinese Journal of Computers, 2014,37(1): 62-72.
[14]	黄家辉, 冯冬芹, 王虹鉴 . 基于攻击图的工控系统脆弱性量化方法[J]. 自动化学报, 2016,42(5): 792-798.
	HUANG J H , FENG D Q , WANG H J . A method for quantifying vulnerability of industrial control system based on attack graph[J]. Acta Automatica Sinica, 2016,42(5): 792-798.
[15]	罗智勇, 杨旭, 刘嘉辉 ,等. 基于贝叶斯攻击图的网络入侵意图分析模型[J]. 通信学报, 2020,41(9): 160-169.
	LUO Z Y , YANG X , LIU J H ,et al. Network intrusion intention analysis model based on Bayesian attack graph[J]. Journal on Communications, 2020,41(9): 160-169.
[16]	马春光, 汪诚弘, 张东红 ,等. 一种基于攻击意愿分析的网络风险动态评估模型[J]. 计算机研究与发展, 2015,52(9): 2056-2068.
	MA C G , WANG C H , ZHANG D H ,et al. A dynamic network risk assessment model based on attacker's inclination[J]. Journal of Computer Research and Development, 2015,52(9): 2056-2068.
[17]	高梦州, 冯冬芹, 凌从礼 ,等. 基于攻击图的工业控制系统脆弱性分析[J]. 浙江大学学报(工学版), 2014,48(12): 2123-2131.
	GAO M Z , FENG D Q , LING C L ,et al. Vulnerability analysis of industrial control system based on attack graph[J]. Journal of Zhe-jiang University (Engineering Science), 2014,48(12): 2123-2131.
[18]	叶云, 徐锡山, 齐治昌 . 大规模网络中攻击图的节点概率计算方法[J]. 计算机应用与软件, 2011,28(11): 136-139,192.
	YE Y , XU X S , QI Z C . Attack graph's nodes probabilistic compu-ting approach in a large-scale network[J]. Computer Applications and Software, 2011,28(11): 136-139,192.
[19]	刘贞宇, 陈羽中, 郭昆 ,等. 面向网络攻击建模的分布式过程挖掘与图分割方法[J]. 小型微型计算机系统, 2020,41(8): 1732-1740.
	LIU Z Y , CHEN Y Z , GUO K ,et al. Distributed process mining and graph segmentation for network attack modeling[J]. Journal of Chinese Computer Systems, 2020,41(8): 1732-1740.
[20]	吴金宇, 金舒原, 杨智 . 基于网络流的攻击图分析方法[J]. 计算机研究与发展, 2011,48(8): 1497-1505.
	WU J Y , JIN S Y , YANG Z . Analysis of attack graphs based on network flow method[J]. Journal of Computer Research and De-velopment, 2011,48(8): 1497-1505.
[21]	彭武, 胡昌振, 姚淑萍 . 基于攻击路径图的入侵意图识别[J]. 北京理工大学学报, 2010,30(9): 1077-1081.
	PENG W , HU C Z , YAO S P . Intrusive intention recognition based on attack path graph[J]. Transactions of Beijing Institute of Tech-nology, 2010,30(9): 1077-1081.
[22]	Common vulnerability scoring system version 2.0[EB].
[23]	CHEMINOD M , DURANTE L , SENO L ,et al. Detection of attacks based on known vulnerabilities in industrial networked systems[J]. Journal of Information Security and Applications, 2017,34: 153-165.
[24]	CHE Y B , ZHAO Y C , XU J M ,et al. A hierarchical approach for fast calculating minimal cut sets of a microgrid[J]. Mathematical Problems in Engineering, 2017,2017: 1-8.

Metrics

Recommended 0

No Suggested Reading articles found!

影响程度	设备类型
1	文件服务器、HMI
2	OPC服务器
3	SCADA、操作员站、PLC
4	数据库、工程师站

影响因素	指标	等级划分	分值	权重
可利用性	访问向量	本地（L）/相邻网络（A）/网络（N）	0.395/0.646/1.0	0.34
	访问复杂度	高（H）/中等（M）/低（L）	0.35/0.61/0.71	0.33
	身份认证	多个（M）/单个（S）/无（N）	0.45/0.56/0.704	0.33
	资产价值	弱小（L）/一般（M）/严重（H）/重大（S）	0.2/0.55/0.62/0.85	0.4
影响程度	机密性影响	无（N）/部分（P）/完成（C）	0.0/0.275/0.66	0.2
	完整性影响	无（N）/部分（P）/完成（C）	0.0/0.275/0.66	0.2
	可用性影响	无（N）/部分（P）/完成（C）	0.0/0.275/0.66	0.2

设备名称	漏洞编号	访问	脆弱软件	影响因素分值	CVSS2.0漏洞评分
ew2	CVE-2014-5424	远程访问	CCW	{AV:N/AC:L/AU:N}{/DV:H/C:P/I:P/A:P}	7.5
ew1	CVE-2014-8551a	远程访问	TIA Portal	{AV:N/AC:L/AU:N}{/DV:H/C:C/I:C/A:C}	10.0
scada	CVE-2014-8551b	远程访问	WinCC	{AV:N/AC:L/AU:N}{/DV:H/C:C/I:C/A:C}	10.0
historian	CVE-2011-4034	受害设备	Vijeo Historian	{AV:N/AC:M/AU:N}{/DV:S/C:C/I:C/A:C}	9.3
PLC1	CVE-2015-2177	远程访问	SIMATIC S7-300 CPU	{AV:N/AC:L/AU:N}{/DV:H/C:N/I:N/A:C}	7.8
PLC2	CVE-2015-6490	远程访问	Micrologix 1400	{AV:N/AC:L/AU:N}{/DV:H/C:C/I:C/A:C}	10.0
PLC3	CVE-2014-0754	远程访问	SchneiderWeb	{AV:N/AC:L/AU:N}{/DV:H/C:C/I:C/A:C}	10.0
ew1	CVE-2014-6332	受害设备	MS Windows	{AV:N/AC:M/AU:N}{/DV:H/C:C/I:C/A:C}	9.3

设备名称	可访问设备列表
i	Web(Webvul),intranet(MS Windows)
intranet	ew1(TIA Portal, MS Windows),
	ew2(CCW), Web(Webvul)
Web	ew1(TIA Portal, MS Windows),ew2(CCW)
ew1	scada(WinCC),PLC1(SIMATIC S7-300)
ew2	ew1(TIA Portal),scada(WinCC),PLC2(Micrologix 1400)
scada	historian(Vijeo Historian), PLC1(SIMATIC S7-300),
	PLC2 (Micrologix 1400),PLC3(ScheneiderWEB)
historian	PLC1(SIMATIC S7-300), PLC2(Micrologix 1400),
	PLC3 (ScheneiderWEB)
PLC1	scada(WinCC)
PLC2	scada(WinCC)
PLC3	scada(WinCC)

规模	拓扑节点	拓扑边	攻击图节点	攻击图边	本文算法		顶点割集算法^[21]		矩阵割集算法^[24]
规模	拓扑节点	拓扑边	攻击图节点	攻击图边	计算耗时	占用内存	计算耗时	占用内存	计算耗时	占用内存
规模1	13	35	21	40	0.002 448 s	22.1 MB	0.002 472 s	21.9 MB	0.000 855s	21.9 MB
规模2	31	101	59	120	0.008 824 s	22.2 MB	0.008 523 s	22.2 MB	1.547 3 s	22.1 MB
规模3	49	167	97	200	0.017 48 s	22.4 MB	0.034 8 s	22.4 MB	8 167.159 2 s	22.5 MB
规模4	85	299	173	360	0.040 39 s	22.7 MB	475.383 7 s	26.5 MB	—	—
规模5	121	431	249	520	0.071 51 s	23.0 MB	52 h	13.449G	—	—

Key path analysis method for large-scale industrial control network

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 24

Related Articles 6

Metrics

Recommended 0

攻击路径	更新前概率	更新后概率
i→Web→ew1(M)→scada→PLC2	0.260	5.89×10^-2
i→Web→ew1(T)→scada→PLC2	0.201	4.56×10^-2
i→Web→ew2→scada→PLC2	0.166	3.82×10^-3
i→Web→ew2→ew1(T)→scada→PLC2	0.117	1.10×10^-3

规模	攻击图节点	全局更新时间/s	占用内存/MB	部分更新时间/s	占用内存/MB
规模1	21	0.026 88	22.0	0.002 12	22.0
规模2	59	0.077 26	22.1	0.006 28	22.1
规模3	97	0.130 4	22.3	0.010 48	22.3
规模4	173	0.233 35	22.7	0.018 21	22.6
规模5	249	0.332 5	22.9	0.026 15	23.0
规模6	401	0.546 8	23.6	0.042 05	23.5
规模7	553	0.754 8	24.2	0.057 21	24.0
规模8	857	1.157 5	25.3	0.087 92	25.3
规模9	1161	1.573 4	26.8	0.115 1	26.8

[1]	Wenfu LIU, Jianmin PANG, Xin ZHOU, Nan LI, Feng YUE. Research on network risk assessment based on attack graph of expected benefits-rate [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 87-97.
[2]	Jie PAN, Lan YE, He ZHAO, Xinlei ZHANG. Defense strategy of industrial control worm based on SEIPQR model [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 169-175.
[3]	Qiang LENG,Yingjie YANG,Dexian CHANG,Ruixuan PAN,Ying CAI,Hao HU. Dynamic defense decision method for network real-time confrontation [J]. Chinese Journal of Network and Information Security, 2019, 5(6): 58-66.
[4]	Huihu ZHU, Han QIU, Junhu ZHU, Ziyi ZENG. Spreading dynamics based key nodes identification in inter-domain routing system [J]. Chinese Journal of Network and Information Security, 2019, 5(5): 9-20.
[5]	Hao HU, Yuling LIU, Yuchen ZHANG, Hongqi ZHANG. Survey of attack graph based network security metric [J]. Chinese Journal of Network and Information Security, 2018, 4(9): 1-16.
[6]	Yuyang ZHOU, Guang CHENG, Chunsheng GUO. Risk assessment method for network attack surface based on Bayesian attack graph [J]. Chinese Journal of Network and Information Security, 2018, 4(6): 11-22.