Argus：基于多源数据驱动的工控安全态势感知系统

doi:10.11959/j.issn.2096-0271.2023051

Abstract

Abstract:

Industrial control system (ICS) is the brain of national industrial manufacturing and civil infrastructure.However, the security risks associated with ICS have become increasingly prominent, making it a significant target for cybersecurity protection.This paper proposed a solution for the issues associated with ICS security data dispersion and delayed threat perception.Specifically, the paper presented a multi-source data-driven ICS security situational awareness system named Argus, which incorporated an awareness chain for ICS security.Furthermore, the paper developed autonomous situational awareness technologies for ICS security, such as stateless high-speed device scanning, precise threat intelligence extraction, and suspicious attack behavior detection, to achieve multi-channel and three-dimensional ICS security monitoring and situational awareness.The experimental results indicated that, compared with conventional ICS situational awareness methods, the perception accuracy of the Argus system has improved by over 10%, with efficiency improvements by two orders of magnitude.Additionally, Argus allows for proactive warning and mitigation of potential security risks.

Key words: industrial control system, multi-source data fusion, situation awareness, threat intelligence

CLC Number:

TP311

Tianchen ZHU, Jun ZHAO, Bo LI, Jianxin LI. Argus: multi-source data-driven industrial control security situational awareness system[J]. Big Data Research, 2023, 9(4): 98-115.

Figures/Tables 18

References 23

[1]	BHAMARE D , ZOLANVARI M , ERBAD A ,et al. Cybersecurity for industrial control systems:a survey[J]. Computers＆ Security, 2020,89:101677.
[2]	周明, 吕世超, 游建舟 ,等. 工业控制系统安全态势感知技术研究[J]. 信息安全学报, 2022,7(2): 101-119.
	ZHOU M , LYU S C , YOU J Z ,et al. A comprehensive survey of security situational aware-ness on industrial control systems[J]. Journal of Cyber Security, 2022,7(2): 101-119.
[3]	FENG C , LI T T , CHANA D . Multilevel anomaly detection in industrial control systems via package signatures and LSTM networks[C]// Proceedings of 2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). Piscataway:IEEE Press, 2017: 261-272.
[4]	MUNA A L H , MOUSTAFA N , SITNIKOVA E . Identification of malicious activities in industrial Internet of Things based on deep learning models[J]. Journal of Information Security and Applications, 2018,41: 1-11.
[5]	CHANG C P , HSU W C , LIAO I E . Anomaly detection for industrial control systems using K-means and convolutional autoencoder[C]// Proceedings of 2019 International Conference on Software,Telecommunications and Computer Networks (SoftCOM). Piscataway:IEEE Press, 2019: 1-6.
[6]	DEMERTZIS K , ILIADIS L , BOUGOUDIS I . Gryphon:a semi-supervised anomaly detection system based on one-class evolving spiking neural network[J]. Neural Computing and Applications, 2020,32(9): 4303-4314.
[7]	PRIYANGA S , KRITHIVASAN K , PRAVINRAJ S ,et al. Detection of cyberattacks in industrial control systems using enhanced principal component analysis and hypergraphbased convolution neural network (EPCAHG-CNN)[J]. IEEE Transactions on Industry Applications, 2020,56(4): 4394-4404.
[8]	DOSHI K , YILMAZ Y , ULUDAG S . Timely detection and mitigation of stealthy DDoS attacks via IoT networks[J]. IEEE Transactions on Dependable and Secure Computing, 2021,18(5): 2164-2176.
[9]	KHAN I A , KESHK M , PI D C ,et al. Enhancing IIoT networks protection:a robust security model for attack detection in Internet industrial control systems[J]. Ad Hoc Networks, 2022,134:102930.
[10]	ISO. Electrical and electronic components and general system aspects:ISO/TC 22/SC 32[S]. 2021.
[11]	SCHLETTE D , CASELLI M , PERNUL G . A comparative study on cyber threat intelligence:the security incident response perspective[J]. IEEE Communications Surveys ＆ Tutorials, 2021,23(4): 2525-2556.
[12]	OASIS. Cyber threat intelligence (CTI):TC.STIX 2.0[S]. 2018.
[13]	HUANG Z , XU W , YU K . Bidirectional LSTM-CRF models for sequence tagging[J]. arXiv preprint, 2015,arXiv:1508.01991.
[14]	ZHENG S C , HAO Y X , LU D Y ,et al. Joint entity and relation extraction based on a hybrid neural network[J]. Neurocomputing, 2017,257: 59-66.
[15]	ZHAO J , LIU X D , YAN Q B ,et al. Multi-attributed heterogeneous graph convolutional network for bot detection[J]. Information Sciences, 2020,537: 380-393.
[16]	SUN Y Z , HAN J W , YAN X F ,et al. Pathsim:meta path-based top-k similarity search in heterogeneous information networks[J]. Proceedings of the VLDB Endowment, 2011,4(11): 992-1003.
[17]	LYON G F . Nmap network scanning:the official Nmap project guide to network discovery and security scanning[M]. Sunnyvale: Insecure, 2009.
[18]	GARCíA S , GRILL M , STIBOREK J ,et al. An empirical comparison of botnet detection methods[J]. Computers ＆Security, 2014,45: 100-123.
[19]	HEARST M A , DUMAIS S T , OSUNA E ,et al. Support vector machines[J]. IEEE Intelligent Systems and Their Applications, 1998,13(4): 18-28.
[20]	DAYA A A , SALAHUDDIN M A , LIMAM N ,et al. A graph-based machine learning approach for bot detection[C]// Proceedings of 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM). Piscataway:IEEE Press, 2019: 144-152.
[21]	CHOWDHURY S , KHANZADEH M , AKULA R ,et al. Botnet detection using graph-based feature clustering[J]. Journal of Big Data, 2017,4(1): 1-23.
[22]	KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[J]. arXiv preprint, 2016,arXiv:1609.02907.
[23]	WANG X , JI H Y , SHI C ,et al. Heterogeneous graph attention network[C]// Proceedings of WWW’19:The World Wide Web Conference. New York:ACM Press, 2019: 2022-2032.

Metrics

Recommended 0

No Suggested Reading articles found!

实体类别	详细描述
VEN	VEN实体代表生产软件的厂商，例如Microsoft、Tencent等。在STIX2.0中，该实体对应于Identity
PRO	PRO实体代表厂商生产的软件、硬件产品，例如Word、Office等
VER	VER实体代表产品的版本信息，例如ver3.0、v4.2.0等
MOD	MOD实体代表产品中的某个模块或者产品包含的功能组件，例如插件等
FILE/PATH	FILE/PATH实体代表文件路径或URL超链接地址
FUNC	FUNC实体代表文件中的某个具体函数，例如某个文件中的函数名称、某个模组中的类等
PARAMETER	PARAMETER实体是参数实体。它代表文件中的变量和常量，例如某段代码包含的变量num
ATTACKER	ATTACKER实体代表实行攻击的某个组织、团体或个人
VULTYPE	VULTYPE代表漏洞的分类，例如XSS、Stack Overflow、SQL Injection等
VUL	VUL实体代表具体漏洞名称
PROBLEM	PROBLEM实体代表产品、模组、文件或具体代码中客观存在的可能发生的问题

关系类别	详细描述
OWNERSHIP	OWNERSHIP关系的意义为包含，可表达厂商、产品、版本和组件之间的基本联系
USE	USE关系的意义为使用，可表达黑客团体针对某个软件的攻击路径
TARGET RELATED	TARGET关系的意义为目标，可表达安全威胁和产品的关联点，这是威胁情报关系脉络中最重要的信息
	RELATED 关系意义为相关，可表达不同名称的实体内部联系，进而对比分析出不同安全事件中的更多信息

实体类型	正则规则	抽取示例
VER	(v\|ver\|version)[\.\-]?[\dx]+([\.\-]	“version1.0”
	[\dx]+)*[\.\-]?	“ver1.x”
	[\dx]+([\.\-][\dx]+)+[\.\-]?	“1.5.2”
	[\da-z]{32}	32 位的 commit id
	…	…
VUL	cve-.+	cve-2018-11693
	cwe-.+	cwe-665
	…	…
…	…	…

蜜罐IP	地理位置	采集日志数量/条
114.215.17.58	中国北京	17 356
120.76.53.242	中国杭州	402 068
122.112.235.239	中国杭州	970 783
122.112.235.27	中国杭州	913 285
139.159.221.18	中国深圳	521 352
139.159.221.19	中国深圳	864 532
139.159.221.20	中国深圳	675 277
47.88.212.109	新加坡	4 546 790
47.88.77.143	美国圣马特奥	580 673
47.89.26.43	中国香港	1 124 782

关系编号	对应节点类型	详细信息
R1	源IP地址-目的IP地址	表示从某一源IP地址到某一目的IP地址的连接
R2	源IP地址-协议	表示某一源IP地址通过某一协议发送请求报文
R3	源IP地址-端口号	表示某一源IP地址与其发送请求报文所用端口之间的关系
R4	源IP地址-请求	表示某一源IP地址与其所发送的请求报文之间的关系
R5	源IP地址-应答	表示某一源IP地址与其接收的应答报文之间的关系
R6	目的IP地址-协议	表示某一目的IP地址通过某一协议接收请求报文
R7	目的IP地址-端口号	表示某一目的IP地址与其接收请求报文所用端口之间的关系
R8	目的IP地址-请求	表示某一目的IP地址与其所接收的请求报文之间的关系
R9	目的IP地址-应答	表示某一目的IP地址与其发送的应答报文之间的关系
R10	协议-端口号	表示某一协议利用某一端口进行工作

Argus: multi-source data-driven industrial control security situational awareness system

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 18

References 23

Related Articles 15

Metrics

Recommended 0

对应节点类型	解释
源IP地址-目的IP地址-源IP地址	表示两个源IP地址访问了同一个目的IP地址
源IP地址-协议-源IP地址	表示两个源IP地址使用了相同的协议
源IP地址-端口号-源IP地址	表示两个源IP地址使用了相同的端口
源IP地址-端口-目的IP地址-端口-源IP地址	表示两个源IP地址通过相同的端口访问了同一个目的IP地址
源IP地址-目的IP地址-应答-目的IP地址-源IP地址	表示两个源IP地址通过访问不同的目的IP地址产生了同一应答
…	…

方法	发包速率
传统全连接端口扫描^[17]	9~14 kbit/s
Argus系统	1 000~1 200 kbit/s

字段	值
时间	2019-12-2 19:00:51
漏洞	CVE-2019-7481
厂商	SonicWall
端口	80/TCP
IP地址	192.185.18.204
DNS	neogenomes.com
文件/路径	GET/court/PlaintNote_12545_copy.zip
端口	443/tcp
IP地址	81.4.123.67
DNS	onion1.host:443
文件/路径	GET/temper/PGPClient.exe
端口	443/tcp
IP地址	168.235.98.160
DNS	onion1.pw
文件/路径	POST/blog/index.php
…	…

字段	值
时间	2023-03-21
漏洞	Heap-Based Buffer Overflow
厂商	Rockwell Automation
设备	ThinManagerThinServer
	6.x - 10.x
	11.0.0 - 11.0.5
	11.1.0 - 11.1.5
版本	11.2.0 - 11.2.6
	12.0.0 - 12.0.4
	12.1.0 - 12.1.5
	13.0.0 - 13.0.1
文件/路径	ThinServer.exe
…	…

方法		CTU-13数据集			蜜罐数据集
方法	准确率	召回率	F1	准确率	召回率	F1
SVM	84.14	85.32	84.73	82.36	84.21	83.27
Graph-ML	92.31	87.50	88.48	91.04	89.37	90.20
Graph-Cluster	94.17	92.36	93.26	93.21	92.72	92.96
GCN	92.54	91.85	92.20	92.16	91.45	91.80
HAN	93.43	91.89	92.65	93.14	92.81	92.97
Argus系统	92.65	93.47	93.06	93.68	97.71	95.65
提升比例	-1.61%	+1.20%	-0.21%	+0.58%	+5.28%	+2.88%

源IP	类型	OID	功能
85.105.*.*	Get	1.2.6.1.2.1.1.1	未知
	Get	1.3.6.1	获取OID的描述性信息
	GetNext	1.3.6.1.2.1.1.1	获取SNMP MIB-2的描述性信息
	GetNext	1.3.6.1.2.1.1.2	获取SNMP MIB-2的OID信息
	GetNext	1.3.6.1.2.1.1.5	获取SNMP MIB-2的主机名称
…	…	…	…

[1]	Yang AN, Jianwei SUN, Qian LI, Yongshun GONG. Urban traffic flow prediction based on the multisource heterogeneous spatio-temporal data fusion [J]. Big Data Research, 2023, 9(4): 69-82.
[2]	Yida LIU, Xiaoou DING, Hongzhi WANG, Donghua YANG. Research on iterative data cleaning of human-computer interaction [J]. Big Data Research, 2023, 9(4): 59-68.
[3]	Hongrun REN, Yangyong ZHU. Data pipeline model: exploration of the overthe-counter form of streaming data [J]. Big Data Research, 2023, 9(3): 15-28.
[4]	Weijun GAO, Kai WANG. Research on public welfare donation traceability system based on consortium blockchains [J]. Big Data Research, 2023, 9(3): 150-167.
[5]	Chaoran LUO, Yun MA, Xiang JING, Gang HUANG. Internet of data: a solution for dataspace infrastructure and its technical challenges [J]. Big Data Research, 2023, 9(2): 110-121.
[6]	Xiangquan GUI, Zhili GUO, Yi YANG, Bingfeng QIN. Tourism points exchange system design based on blockchain technology [J]. Big Data Research, 2023, 9(2): 147-162.
[7]	Yazhen YE, Yangyong ZHU. Data-Commerce-Ecosystem: data goods, data businessman and data commerce [J]. Big Data Research, 2023, 9(1): 111-125.
[8]	Lingli ZHANG, Qikai CHU, Guijuan WANG, Weihan ZHANG, Hui PU, Zhenjin SONG, Yadong WU. Text sentiment visual analysis technology and its application in humanities [J]. Big Data Research, 2022, 8(6): 56-73.
[9]	Aili LI, Zishuai ZHANG, Yin LIN, Qiuju WANG, Jianan YANG, Weicheng MENG, Yanfeng ZHANG. Research on emotion monitoring of public based on social network big data [J]. Big Data Research, 2022, 8(6): 105-126.
[10]	Zhengxun XIA, Jianfei TANG, Shengmei LUO, Yan ZHANG. Exploration and practice of trusted AI governance framework [J]. Big Data Research, 2022, 8(4): 145-164.
[11]	Yazhen YE, Yangyong ZHU. BoxedData: a data product form based on databox [J]. Big Data Research, 2022, 8(3): 15-25.
[12]	Qifeng TANG, Zhiqing SHAO, Yazhen YE. Authenticating and licensing architecture of data rights in data trade [J]. Big Data Research, 2022, 8(3): 40-53.
[13]	Feng ZHI, Feng TIAN, Ruofan ZHAO. Classification of big data in metrology [J]. Big Data Research, 2022, 8(1): 60-72.
[14]	Yongfeng WANG, Zhiguang CHEN. A survey of persistent index data structures on non-volatile memory [J]. Big Data Research, 2021, 7(6): 78-88.
[15]	Jinfeng MA, Kaifeng RAO, Ruonan LI, Jing ZHANG, Hua ZHENG. Research on the integration of water environment model and big data technology [J]. Big Data Research, 2021, 7(6): 103-119.