An Advanced Persistent Threat Model of New Power System Based on ATT&CK

doi:10.3969/j.issn.1671-1122.2023.02.004

Abstract

Abstract:

The establishment of a new power system with new energy as the main body has greatly increased the proportion of new energy and multiple load forms. The high proportion of renewable energy and power electronic equipment access, as well as the randomness of the supply side and the demand side, lead to an increase in the attack surface of the power grid. Advanced persistent threat (APT), which tamper or block data, seriously affect grid scheduling and energy consumption. Based on the ATT&CK knowledge base, a kill chain model for APT attacks on new power systems was established. It is difficult to divide the APT attack technology into the kill chain attack stage, resulting in the inability of security personnel to make defense decision-making quickly, a method of dividing APT attack technology stages based on the kill chain model was proposed. The Bert model was used to perform semantic analysis on technical texts, and the attack technologies were automatically divided into their respective stages by training the model. Experimental results show that this method achieves better results than existing models.

Key words: new power system, advanced persistent threat, ATT&CK, attack modeling, Bert model

CLC Number:

TP309

LI Yuancheng, LUO Hao, WANG Qingle, LI Jianbin. An Advanced Persistent Threat Model of New Power System Based on ATT&CK[J]. Netinfo Security, 2023, 23(2): 26-34.

Figures/Tables 9

References 20

[1]	HAN Xueyuan, PASQUIER T, BATES A, et al. UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats[EB/OL]. (2020-01-06)[2022-08-20]. https://doi.org/10.48550/arXiv.2001.01525. doi: https://doi.org/10.48550/arXiv.2001.01525
[2]	KARANTZAS G, PATSAKIS C. An Empirical Assessment of Endpoint Detection and Response Systems Against Advanced Persistent Threats Widely Used Attack Vectors[J]. Journal of Cybersecurity and Privacy, 2021, 1(3): 387-421. doi: 10.3390/jcp1030021 URL
[3]	LIU Jinxin, SHEN Yu, SIMSEK M, et al. A New Realistic Benchmark for Advanced Persistent Threats in Network Traffic[J]. IEEE Networking Letters, 2022, 4(3): 1-8. doi: 10.1109/LNET.2022.3141489 URL
[4]	HOFER-SCHMITZ K, KLEB U, STO-JANOVIC B. The Influences of Feature Sets on the Detection of Advanced Persistent Threats[J]. Electronics, 2021, 10(6): 704-712. doi: 10.3390/electronics10060704 URL
[5]	SIDAHMED B, GHITA B, JAMES C, et al. A Rule Mining-Based Advanced Persistent Threats Detection System[EB/OL]. (2021-05-20)[2022-07-28]. https://doi.org/10.48550/arXiv.2105.10053.
[6]	DONG Jun, LIU Dongran, DOU Xihao, et al. Key Issues and Technical Applications in the Study of Power Markets as the System Adapts to the New Power System in China[J]. Sustainability, 2021, 13(23): 13409-13418. doi: 10.3390/su132313409 URL
[7]	MENG Zijie, CAI Xinlei, ZHU Jinzhou, et al. Study on the Influence of Extreme Weather on Power Grid Operation under New Power System[C]// ACM. 2021 4th International Conference on Algorithms. Engineering. New York: ACM, 2021: 1-6.
[8]	YOON K. Convolutional Neural Networks for Sentence Classification[EB/OL]. (2020-08-23)[2022-08-26]. https://arxiv.org/abs/1408.5882.
[9]	LIU Pengfei, QIU Xipeng, HUANG Xuanjing. Recurrent Neural Network for Text Classification with Multi-Task Learning[EB/OL]. (2016-05-17)[2022-08-21]. https://doi.org/10.48550/arXiv.1605.05101. doi: https://doi.org/10.48550/arXiv.1605.05101
[10]	PAN Yafeng, ZHOU Tianyang, ZHU Junhu, et al. Construction of APT Attack Semantic Rules Based on ATT&CK[J]. Journal of Cyber Security, 2021, 6(3): 77-90.
	潘亚峰, 周天阳, 朱俊虎, 等. 基于ATT&CK的APT攻击语义规则构建[J]. 信息安全学报, 2021, 6(3):77-90.
[11]	MILAJERDI S M, GJOMEMO R, ESHETE B, et al. HOLMES: Real-Time APT Detection Through Correlation of Suspicious Information Flows[C]// IEEE. 2019 IEEE Symposium on Security and Privacy, New York: IEEE, 2019: 1137-1152.
[12]	TOUNSI W, RAIS H. A Survey on Technical Threat Intelligence in the Age of Sophisticated Cyber Attacks[J]. Computers & Security, 2018, 72: 212-233. doi: 10.1016/j.cose.2017.09.001 URL
[13]	DAISUKE M. MITRE ATT&CK Based Evaluation on In-Network Deception Technology for Modernized Electrical Substation Systems[J]. Sustainability, 14(3): 1256-1264.
[14]	XIONG Wenjun, LEGRAND E, ABERG O, et al. Cyber Security Threat Modeling Based on the MITRE Enterprise ATT&CK Matrix[J]. Software and Systems Modeling, 2021, 21: 157-177. doi: 10.1007/s10270-021-00898-7 URL
[15]	KIM Kyoungmin, SHIN Y, LEE Justin, et al. Automatically Attributing Mobile Threat Actors by Vectorized ATT&CK Matrix and Paired Indicator[J]. Sensors, 2021, 21(19): 6522-6532. doi: 10.3390/s21196522 URL
[16]	GEORGIADOU A, MOUZAKITIS S, ASKOUNIS D. Assessing MITRE ATT&CK Risk Using a Cyber-Security Culture Framework[J]. Sensors, 2021, 21(9): 3267-3278. doi: 10.3390/s21093267 URL
[17]	BENITEZANDRADES J A, ALIJA-PEREZ J, VIDAL M, et al. Traditional Machine Learning Models and Bidirectional Encoder Representations From Transformer (BERT)-Based Automatic Classi-Fication of Tweets About Eating Disorders: Algorithm Development and Validation Study[J]. JMIR Medical Informatics, 2022, 10(2): 34492-34503.
[18]	LI Jing, ZHANG Dezheng, WULAMU Aziguli. Chinese Text Classification Based on ERNIE-RNN[C]// IEEE. 2021 2nd International Conference on Electronics. New York: IEEE, 2021: 368-372.
[19]	LIU Shuaiqi, CAO Jiannong, YANG Ruosong, et al. Key Phrase Aware Transformer for Abstractive Summarization[J]. Information Processing and Management, 2022, 59(3): 102913-102923. doi: 10.1016/j.ipm.2022.102913 URL
[20]	LI Hongwei, MAO Hongyan, WANG Jingzi. Part-of-Speech Tagging with Rule-Based Data Preprocessing and Transformer[J]. Electronics, 2021, 11(1): 56-66. doi: 10.3390/electronics11010056 URL

序号	攻击战术	攻击技术
1	侦查识别	42
2	资源开发	38
3	初始访问	19
4	执行	34
5	持久性	109
6	权限提升	96
7	防御规避	170
8	凭证访问	58
9	发现	43
10	横向移动	21
11	收集	37
12	命令与控制	38
13	渗出	17
14	影响	26
	总计	748

序号	杀伤链阶段	攻击技术
1	侦查探测阶段	42
2	武器构建阶段	38
3	载荷投递阶段	19
4	漏洞利用阶段	34
5	安装植入阶段	375
6	探索收集阶段	159
7	命令控制阶段	38
8	目标达成阶段	43
	总计	748

参数	数据	值
词向量维度	Embeding dimension	300
Dropout	Dropout	0.5
学习率	Learning_rate	5×10^-5
mini-batch大小	Batch_size	64
多头注意力	Head_number	5
文本处理长度	Pad_size	200
轮数	Epoch	3

	Bert	transformer	TextCNN	TextRCNN	FastText	DPCNN	TextRNN	TextRNN_Att
P	85.42%	80.96%	79.92%	80.41%	79.06%	81.96%	57.73%	80.32%
R	86.13%	81.63%	80.74%	79.60%	79.98%	81.62%	64.02%	79.03%
F1	85.50	79.14	79.75	79.32	77.91	80.92	58.45	79.31