基于概率攻击图的工控系统跨域动态安全风险分析方法

doi:10.3969/j.issn.1671-1122.2023.09.008

摘要/Abstract

摘要：

安全风险分析是保障工控系统长周期安全稳定运行的基础，信息物理紧耦合的特点增加了工控系统安全风险的复杂性。针对大规模复杂异构工控系统潜在安全风险精准跨域动态分析评估问题，文章提出一种基于概率攻击图的工控系统跨域动态安全风险分析方法。首先基于知识图谱技术将设备、漏洞和拓扑结构等安全元数据进行语义关联，并通过跨域攻击图生成算法完成跨域攻击图的自动生成；然后基于跨域攻击图将漏洞基本属性和威胁时变特点纳入风险传播概率计算，实现对工控系统跨域动态安全风险的定量分析。实验结果表明，该方法实现了对工控系统的自动化跨域动态安全风险分析，且双层攻击图的表现形式有效提升了安全分析人员对复杂系统分析的便捷性。

关键词: 工控系统, 概率攻击图, 知识图谱, 动态安全风险分析

Abstract:

Security risk analysis is the foundation for ensuring the long-term safe and stable operation of industrial control systems. The characteristics of cyber-physical coupling make the system security risk increase sharply. In order to realize accurate security situation awareness of large-scale industrial control systems, a cross-domain dynamic security risk analysis framework based on probabilistic attack graph was proposed. Firstly, the cross-domain attack graph was automatically generated by cross-domain attack graph generation algorithm based on system security metadata, system topology and association constraints between preconditions and postconditions of vulnerabilities in security knowledge graph. Then, based on the cross-domain attack graph, the basic attributes of vulnerabilities and the time-varying characteristics of threats were incorporated into the risk propagation probability calculation to realize the cross-domain dynamic security risk analysis of industrial control system. The experimental results show that the method realizing the automatic cross-domain dynamic security risk analysis of industrial control systems, and the representation of the two-layer attack graph effectively improves the convenience of security analysts in analyzing complex systems.

Key words: industrial control system, probabilistic attack graph, knowledge graph, dynamic security risk analysis

中图分类号:

TP309

浦珺妍, 李亚辉, 周纯杰. 基于概率攻击图的工控系统跨域动态安全风险分析方法[J]. 信息网络安全, 2023, 23(9): 85-94.

PU Junyan, LI Yahui, ZHOU Chunjie. Cross-Domain Dynamic Security Risk Analysis Method of Industrial Control System Based on Probabilistic Attack Graph[J]. Netinfo Security, 2023, 23(9): 85-94.

图/表 15

图1

表1

图2

表2

图3

图4

图5

表3

表4

表5

图6

图7

图8

图9

表6

参考文献 26

[1]	LI Jiarui, LING Xiaobo, LI Chenxi, et al. Dynamic Network Security Analysis Based on Bayesian Attack Graphs[J]. Computer Science, 2022, 49(3): 62-69. doi: 10.11896/jsjkx.210800107
	李嘉睿, 凌晓波, 李晨曦, 等. 基于贝叶斯攻击图的动态网络安全分析[J]. 计算机科学, 2022, 49(3):62-69. doi: 10.11896/jsjkx.210800107
[2]	FREI S, MAY M, FIEDLER U, et al. Large-Scale Vulnerability Analysis[C]// ACM. 2006 SIGCOMM Workshop on Large-Scale Attack Defense. New York: ACM, 2006: 131-138.
[3]	FRANQUEIRA V N L, VAN KEULEN M. Analysis of the NIST Database Towards the Composition of Vulnerabilities in Attack Scenarios[R]. Holland: University of Twente, TR-CTIT-08-08, 2008.
[4]	GREEN B, KROTOFIL M, ABBASI A. On the Significance of Process Comprehension for Conducting Targeted ICS Attacks[C]// ACM. 2017 Workshop on Cyber-Physical Systems Security and Privacy. New York: ACM, 2017: 57-67.
[5]	ZHANG Kai, LIU Jingju. A Threat Path Generation Method Based on Knowledge Graph[J]. Computer Simulation, 2022, 39(4): 350-356.
	张凯, 刘京菊. 一种基于知识图谱的威胁路径生成方法[J]. 计算机仿真, 2022, 39(4):350-356.
[6]	OU Xinming, GOVINDAVAJHALA S, APPEL A W. MulVAL: A Logic-Based Network Security Analyzer[C]// USENIX. 14th USENIX Security Symposium. Berkley: USENIX, 2005: 113-128.
[7]	INOKUCHI M, OHTA Y, KINOSHITA S, et al. Design Procedure of Knowledge Base for Practical Attack Graph Generation[C]// ACM. 2019 ACM Asia Conference on Computer and Communications Security. New York: ACM, 2019: 594-601.
[8]	YUAN Bintao, PAN Zulie, SHI Fan, et al. An Attack Path Generation Methods Based on Graph Database[C]// IEEE. 4th Information Technology, Networking, Electronic and Automation Control Conference(ITNEC). New York: IEEE, 2020: 1905-1910.
[9]	CHEN Ruiying, CHEN Zemao, WANG Hao. Research on Threat Modeling of Industrial Control Network Based on Attack Graph[J]. Netinfo Security, 2018, 18(10): 70-77.
	陈瑞滢, 陈泽茂, 王浩. 基于攻击图的工控网络威胁建模研究[J]. 信息网络安全, 2018, 18(10):70-77.
[10]	WANG Jinfang, GUO Yuanbo. Distributed Attack Graph Generation Algorithm for Cyber-Physical Systems[EB/OL]. (2023-02-16)[2023-05-10]. http://kns.cnki.net/kcms/detail/21.1106.tp.20230215.1420.010.html.
	王金芳, 郭渊博. 面向物理信息系统的分布式攻击图生成算法[EB/OL]. (2023-02-16)[2023-05-10]. https://kns.cnki.net/kcms/detail//21.1106.tp.20230215.1420.010.html.
[11]	FENG Yanli. Design and Implementation of Attack Graph Generation System for Industrial Control System[D]. Harbin: Harbin Institute of Technology, 2020.
	冯艳丽. 面向工业控制系统的攻击图生成系统设计与实现[D]. 哈尔滨: 哈尔滨工业大学, 2020.
[12]	WANG Shuo, WANG Jianhua, TANG Guangming, et al. Intelligent and Efficient Method for Optimal Penetration Path Generation[J]. Journal of Computer Research and Development, 2019, 56(5): 929-941.
	王硕, 王建华, 汤光明, 等. 一种智能高效的最优渗透路径生成方法[J]. 计算机研究与发展, 2019, 56(5):929-941.
[13]	YE Ziwei, GUO Yuanbo, LI Tao, et al. Extended Attack Graph Generation Method Based on Knowledge Graph[J]. Computer Science, 2019, 46(12): 165-173. doi: 10.11896/jsjkx.190400092
	叶子维, 郭渊博, 李涛, 等. 一种基于知识图谱的扩展攻击图生成方法[J]. 计算机科学, 2019, 46(12):165-173. doi: 10.11896/jsjkx.190400092
[14]	HUANG Jiahui, FENG Dongqin, WANG Hongjian. A Method for Quantifying Vulnerability of Industrial Control System Based on Attack Graph[J]. Acta Automatica Sinica, 2016, 42(5): 792-798.
	黄家辉, 冯冬芹, 王虹鉴. 基于攻击图的工控系统脆弱性量化方法[J]. 自动化学报, 2016, 42(5):792-798.
[15]	ZHANG Chunjie. Research on Information Security Risk Assessment Technology of Industrial Control System Based on Game Theory[D]. Changchun: Changchun University of Technology, 2021.
	张春杰. 基于博弈理论的工控系统信息安全风险评估技术研究[D]. 长春: 长春工业大学, 2021.
[16]	MARIKO F, WATARU M, TAKUHO M, et al. Efficient Industrial Control Systems Risk Assessment Using the Attack Path to the Critical Device[C]// ACM. 3rd International Conference on Management Science and Industrial Engineering. New York: ACM, 2021: 104-110.
[17]	POOLSAPPASIT N, DEWRI R, RAY I. Dynamic Security Risk Management Using Bayesian Attack Graphs[J]. IEEE Transactions on Dependable and Secure Computing, 2012, 9(1): 61-74. doi: 10.1109/TDSC.2011.34 URL
[18]	Forum of Incident Response and Security Teams. Common Vulnerability Scoring System[EB/OL]. [2023-04-25]. https://www.first.org/cvss/v3.1/specification-document.
[19]	GAO Ni, GAO Ling, HE Yiyue, et al. Dynamic Security Risk Assessment Model Based on Bayesian Attack Graph[J]. Journal of Sichuan University: Engineering Science Edition, 2016, 48(1): 111-118.
	高妮, 高岭, 贺毅岳, 等. 基于贝叶斯攻击图的动态安全风险评估模型[J]. 四川大学学报(工程科学版), 2016, 48(1):111-118.
[20]	LI Huan. Research on Dynamic Risk Assessment Method Based on Bayesian Network Attack Diagram[D]. Qinhuangdao: Yanshan University, 2019.
	李欢. 基于贝叶斯网络攻击图的动态风险评估方法研究[D]. 秦皇岛: 燕山大学, 2019.
[21]	KUPPA A, AOUAD L, LE-KHAC N A. Linking CVE’s to MITRE ATT & CK Techniques[C]// ACM. 16th International Conference on Availability, Reliability and Security(ARES). New York: ACM, 2021: 1-12.
[22]	National Institute of Standards and Technology. National Vulnerability Database[EB/OL]. [2023-05-25]. http://www.nvd.nist.gov.
[23]	National Institute of Standards and Technology. Common Platform Enumeration[EB/OL]. [2023-05-25]. https://nvd.nist.gov/products/cpe.
[24]	AKSU M U, BICAKCI K, DILEK M H, et al. Automated Generation of Attack Graphs Using NVD[C]// ACM. 8th ACM Conference on Data and Application Security and Privacy. New York: ACM, 2018: 135-142.
[25]	YADAV G, PAUL K, ALLAKANY A, et al. IoT-PEN: A Penetration Testing Framework for IoT[C]// IEEE. 2020 International Conference on Information Networking(ICOIN). New York: IEEE, 2020: 196-201.
[26]	XIE Anming, CAI Zhuhua, TANG Cong, et al. Evaluating Network Security with Twolayer Attack Graphs[C]// IEEE. 2009 Annual Computer Security Applications Conference. New York: IEEE, 2009: 127-136.

节点名称	节点的属性信息
设备	id号、功能描述、所处区域、概率
软件	id号、功能描述、CPE类型
漏洞	id号、描述信息、CVSS分值、发布时间、前后置条件、概率

类型	条件	处理方式
是否存在CVSS3信息	存在	直接由CVSS3得到利用漏洞所需的权限
是否存在CVSS3信息	不存在	由漏洞的文本描述得到权限
漏洞影响的产品类型	单个	直接由CPE得到漏洞的影响对象
漏洞影响的产品类型	多个	结合实验场景得到影响对象
知识图谱中漏洞是否唯一	不唯一	为每个漏洞节点分别生成前后置条件
知识图谱中漏洞是否唯一	唯一	为唯一的漏洞节点生成前后置条件

源主机	目的主机
MES客户端	Web服务器
Web服务器	MES服务器
MES服务器	PHD服务器
PE用户	Web服务器
MES客户端	MES服务器
PHD服务器	CS-3000的OPC服务器
CS-3000的OPC服务器	PHD服务器
APC服务器	CS-3000的OPC服务器
操作员站	FCS控制站
工程师站	FCS控制站
FCS控制站	操作员站
FCS控制站	工程师站

区域	子区域	设备名称	功能描述	漏洞信息
控制网	横河 CS-3000 DCS	FCS1、FCS2、FCS3	现场总线控制系统	CVE-2022-33939
		OPC服务器	采集工厂的实时数据	CVE-2014-5426
		操作员站	监视工厂运行情况	CVE-2022-24287等
		工程师站	监视运行情况，发送控制指令	CVE-2018-8838等
数采网	—	PHD服务器	主服务器，集中处理和存储来自各装置和各系统的数据	CVE-2016-2280等
数采网	—	APC服务器	先进过程控制	没有漏洞
信息网	—	PE用户	通过浏览器了解现场运行情况	CVE-2018-0851等
		MES客户端	数据访问客户端	CVE-2023-24892等
		Web服务器	提供网页服务	CVE-2023-25690等
		MES服务器	工厂信息管理	CVE-2009-1996等

区域	设备名称	功能描述
现场设备	执行器（valve 1-20）	调节流量、液位等物理变量
现场设备	传感器（sensor 1-21）	获得流量、温度等物理变量的实时数值