Background
Cyber-physical systems (CPS) are multidimensional complex systems that integrate computing, networking and the physical environment. Through the organic fusion and deep cooperation of 3C (computation, communication and control) technologies they realize real-time sensing, dynamic control and information services for large-scale engineering systems, and they are currently widely applied in industrial control fields such as electric power, petroleum and petrochemicals, and nuclear energy. These typical cyber-physical systems contain a large number of information-processing and network-communication subsystems, so an attacker may exploit faults in the software and communication components to gain control of the system, interfere with its correct behaviour and thereby damage critical infrastructure. In recent years, the Ukraine power-grid blackouts and the Stuxnet incident have shown that cyber-security attacks can cause CPS failures and even endanger national security. Security risk assessment of CPS therefore has important theoretical and practical significance.
Existing modeling and analysis of CPS security falls mainly into two categories: (1) modeling and analysis of the safety of the CPS; (2) modeling and analysis of the security of the CPS. Safety modeling aims to protect the system from accidental faults so as to avoid hazards; fault-tree-based techniques are currently the most widely used in industry, building a top-down causal graph of the fault tree according to the logical relationships between events. However, this method can only analyze the safety of the system and does not consider system faults introduced by cyber-security attacks on the CPS. Security modeling aims to protect the system from malicious attacks, but it focuses only on analyzing the cyber-security attack and not on whether the attack can cause a system failure. It is therefore necessary to perform integrated safety and security modeling of the CPS, and to analyze and evaluate the network attacks that can cause system failure.
Disclosure of Invention
The invention aims to provide a security risk assessment method for an information physical fusion system (cyber-physical system) that overcomes the defects and shortcomings of the prior art. It solves the problem that the security risk of an information physical fusion system is difficult to determine, accounts for the influence on the safety of the system when the information physical fusion system suffers a cyber-security attack, can deduce the system failure caused by a security attack on the information physical fusion system, supports the integrated analysis of security and safety, supports graphical processing, is convenient to use, and has important practical value.
In order to achieve the purpose, the invention adopts the technical scheme that: it comprises the following steps:
1. constructing a dynamic fault tree of the information physical fusion system;
2. constructing an attack tree model of the information physical fusion system;
3. constructing an attack-fault mapping table;
4. integrating the dynamic fault tree model and the attack tree model according to the attack-fault mapping table, and establishing an Attack-DFTs model;
5. realizing the security risk assessment of the information physical fusion system based on the Attack-DFTs model.
Preferably, the method for establishing the dynamic fault tree in step 1 includes: firstly, taking the most undesirable fault state of the information physical fusion system as the target of the logic analysis, i.e. determining the top event; secondly, finding all possible direct causes of that fault state, i.e. determining the intermediate events; thirdly, continuing to search for all possible direct causes of these intermediate fault events until all component states causing the intermediate events are found, i.e. determining the bottom events; and finally, connecting the top event, the intermediate events and the bottom events into a tree-shaped logic diagram with the logic gates of the dynamic fault tree, forming the dynamic fault tree model of the information physical fusion system.
Preferably, the establishing of the attack tree model in step 2 includes the following steps:
2-1, taking the network threat as a starting point, refining the network threat until a specific behavior state is reached;
2-2, modeling the specific behaviors and states as atomic nodes.
Preferably, the step 3 specifically comprises the following steps:
3-1, numbering all nodes in the dynamic fault tree and recording them as e_i, 1 ≤ i ≤ n, where n is the total number of nodes in the dynamic fault tree.
3-2, numbering all attack tree root vertices as ATGoal_i, 1 ≤ i ≤ n, where n is the total number of attack trees.
3-3, constructing an attack-fault mapping table according to the correspondence between the attack result of the root vertex of each attack tree and the nodes of the dynamic fault tree. The table has three columns, headed serial number, attack and fault respectively, and describes the correspondence between the attack tree models and the dynamic fault tree nodes.
Preferably, the specific modeling step in step 4 is as follows:
4-1, referring to the attack-fault mapping table established in step 3, finding all attack tree models ATGoal_i that cause system faults and the corresponding dynamic fault tree nodes e_i, 1 ≤ i ≤ n, where n is the total number of nodes in the dynamic fault tree.
4-2, separating the subtree rooted at node e_i from the dynamic fault tree and marking it as e_i_subtree.
4-3, connecting a two-input OR logic gate above e_i_subtree, i.e. e_i_subtree becomes one input of the OR logic gate.
4-4, taking ATGoal_i as the other input of the OR logic gate of step 4-3.
4-5, connecting the new subtree formed by the added OR logic gate and ATGoal_i to the dynamic fault tree at the location of node e_i.
Preferably, the evaluation process of step 5 is as follows:
5-1, assigning probabilities to all events in the Attack-DFTs. The specific assignment process is: 01) assigning a probability in the interval [0, 1] to every safety event; 02) assigning a likelihood level to every security event, with the specific values {low, middle, high}; 03) computing the probabilities of all intermediate nodes through the logic gates, where an AND gate takes the minimum probability of its child nodes and an OR gate takes the maximum probability of its child nodes.
5-2, performing qualitative analysis on the Attack-DFTs. In this step all minimal cut sequences (MCS) of the Attack-DFTs can be found by referring to the minimal cut sequence generation method of the dynamic fault tree. The Attack-DFTs may be converted into an intermediate model such as an I/O automaton at this step, and the qualitative analysis then performed on it.
5-3, classifying all MCSs from the perspective of safety and security. Specifically, the MCSs are divided into safety MCSs, security MCSs and mixed MCSs: a safety MCS contains only safety events; a security MCS contains only security events; a mixed MCS contains both safety and security events.
And 5-4, calculating the risk parameters of all MCS.
a) For a safety MCS, its probability of occurrence is calculated by the following rule:
$P(MCS_i) = \prod_{j=1}^{m} P(e_j)$
i.e. the probability of a safety cut set is the product of the probabilities of all events in that cut set, where m is the number of events in MCS_i, e_j (1 ≤ j ≤ m) are the events in MCS_i, and P(MCS_i) represents the probability value of MCS_i.
b) For a security MCS, its likelihood level of occurrence is calculated by the following rule:
$L(MCS_i) = \max_{1 \le j \le m} L(e_j)$
i.e. the likelihood level of a security cut set is the same as the maximum likelihood level among all events in the cut set, where m is the number of events in MCS_i, L(MCS_i) represents the likelihood level of MCS_i, L(e_j) represents the likelihood level of event e_j, and max denotes taking the maximum value;
c) for a mixed MCS, its risk indicator is the pair (P, L), where the probability value P is calculated by the rule of a) in step 5-4 and the likelihood level L by the rule of b) in step 5-4.
And 5-5, giving the risk evaluation result according to the risk parameters of all MCSs, and giving suggestions for mitigating the hazards. From the controllability perspective, the controllability of a safety MCS is the strongest and the controllability of a hybrid MCS is the worst. Therefore all MCSs are ordered in the sequence security MCS, mixed MCS, safety MCS, where among the security MCSs those with a higher likelihood level rank first; among the mixed MCSs those with a higher L rank first; and among the safety MCSs those with a higher probability value rank first. After all MCSs are ordered by this rule, the top-ranked MCSs are taken to give improvement proposals.
In order to analyze the safety risk of the information physical fusion system, the fault modeling of the information physical fusion system is firstly carried out. Constructing a failure causal chain according to typical faults of the cyber-physical system; constructing a network attack model of the information physical fusion system by using an attack tree model; in an information physical fusion system, a physical fault may be caused by a result caused by a network attack, and an attack-fault mapping table is constructed in order to better show the cause-effect relationship between the network attack and the physical fault; and obtaining an extended model Attack-DFTs of the dynamic fault tree, wherein the model enriches the semantics of the Attack tree on the basis of the dynamic fault tree, and the model can be used for determining how the network Attack causes the fault of the information physical fusion system.
After adopting the structure, the invention has the beneficial effects that: the invention relates to a security risk assessment method for an information physical fusion system, which solves the problem that the security risk in the information physical fusion system is difficult to assess, including the problem that the information system is subjected to network attack to cause physical system failure. The method establishes an attack-fault mapping table, and visually and vividly describes the direct relation between the network attack and the fault of the physical system in the information physical fusion system. Meanwhile, the invention carries out comprehensive evaluation on the attack-fault, and can accurately estimate the influence of the network attack on the physical system through the security risk evaluation and provide the improvement suggestion for avoiding the risk.
Detailed Description
The invention will be further described with reference to the accompanying drawings.
Referring to fig. 1-4, the present embodiment includes the following steps:
1. constructing a dynamic fault tree of the information physical fusion system; and constructing a failure causal chain of the information physical fusion system by adopting the dynamic fault tree.
The method specifically comprises the following steps:
the dynamic fault tree establishment method of the information physical fusion system is expressed as follows: firstly, taking a fault state which is most undesirable in an information physical fusion system as a target of logic analysis, namely determining a top event; secondly, finding out all possible direct reasons causing the current fault state, namely determining an intermediate event; thirdly, continuing to search for all possible direct causes causing these intermediate fault events until all component states causing the intermediate events are found, i.e. determining a bottom event; and finally, connecting the top event, the middle event and the bottom event into a tree-shaped logic diagram by adopting a logic gate in the dynamic fault tree to form a dynamic fault tree model of the information physical fusion system.
2. Constructing an attack tree model of the information physical fusion system; constructing an attack model of the information physical fusion system by using the attack tree model; the method specifically comprises the following steps:
2-1, taking the network threat as a starting point, refining the network threat until a specific behavior state is reached;
2-2, modeling the specific behaviours and states as atomic nodes. Atomic nodes are drawn as follows: 21) vulnerability nodes are represented by ellipses; 22) operation nodes are represented by hexagons; 23) predicate nodes are represented by rectangles. The relationships between atomic nodes are of two kinds: 221) AND relation, i.e. every child node must be completed to reach the parent node of the upper layer; 222) OR relation, i.e. the upper parent node is reached as soon as any one child node is completed.
3. Constructing an attack-fault mapping table; constructing an attack-fault mapping table according to the dynamic fault tree and the attack tree; the method specifically comprises the following steps:
3-1, numbering all nodes of the dynamic fault tree (including the top node, intermediate nodes and leaf nodes) and recording them as e_i, 1 ≤ i ≤ n, where n is the total number of nodes in the dynamic fault tree.
3-2, numbering all attack tree root vertices as ATGoal_i, 1 ≤ i ≤ n, where n is the total number of attack trees.
3-3, constructing an attack-fault mapping table according to the correspondence between the attack result of the root vertex of each attack tree and the nodes of the dynamic fault tree. The table has three columns, headed serial number, attack and fault respectively, and describes the correspondence between the attack tree models and the dynamic fault tree nodes.
4. Integrating the dynamic fault tree model and the attack tree model according to the attack-fault mapping table, and establishing an Attack-DFTs model; i.e. the dynamic fault tree and the attack tree are integrated into an Attack-DFTs model according to the attack-fault mapping table. The method specifically comprises the following steps:
4-1, referring to the attack-fault mapping table established in step 3, finding all attack tree models ATGoal_i that cause system faults and the corresponding dynamic fault tree nodes e_i, 1 ≤ i ≤ n, where n is the total number of nodes in the dynamic fault tree.
4-2, separating the subtree rooted at node e_i from the dynamic fault tree and marking it as e_i_subtree.
4-3, connecting a two-input OR logic gate above e_i_subtree, i.e. e_i_subtree becomes one input of the OR logic gate.
4-4, taking ATGoal_i as the other input of the OR logic gate of step 4-3.
4-5, connecting the new subtree formed by the added OR logic gate and ATGoal_i to the dynamic fault tree at the location of node e_i.
5. Realizing the security risk assessment of the information physical fusion system based on the Attack-DFTs model. The method specifically comprises the following steps:
5-1, assigning probabilities to all events in the Attack-DFTs. The specific assignment process is: 1) assigning a probability in the interval [0, 1] to every safety event; 2) assigning a likelihood level to every security event, with the specific values {low, middle, high}; 3) computing the probabilities of all intermediate nodes through the logic gates, where an AND gate takes the minimum probability of its child nodes and an OR gate takes the maximum probability of its child nodes.
5-2, performing qualitative analysis on the Attack-DFTs. In this step all minimal cut sequences of the Attack-DFTs can be found by referring to the MCS (minimal cut sequence) generation method of the dynamic fault tree. The Attack-DFTs may be converted into an intermediate model such as an I/O automaton at this step, and the qualitative analysis then performed on it.
5-3, classifying all MCSs from the perspective of safety and security. Specifically, the MCSs are divided into safety MCSs, security MCSs and mixed MCSs: a safety MCS contains only safety events; a security MCS contains only security events; a mixed MCS contains both safety and security events.
And 5-4, calculating the risk parameters of all MCS.
a) For a safety MCS, its probability of occurrence is calculated by the following rule:
$P(MCS_i) = \prod_{j=1}^{m} P(e_j)$
i.e. the probability of a safety cut set is the product of the probabilities of all events in that cut set, where m is the number of events in MCS_i, e_j (1 ≤ j ≤ m) are the events in MCS_i, and P(MCS_i) represents the probability value of MCS_i.
b) For a security MCS, its likelihood level of occurrence is calculated by the following rule:
$L(MCS_i) = \max_{1 \le j \le m} L(e_j)$
i.e. the likelihood level of a security cut set is the same as the maximum likelihood level among all events in the cut set, where m is the number of events in MCS_i, L(MCS_i) represents the likelihood level of MCS_i, L(e_j) represents the likelihood level of event e_j, and max denotes taking the maximum value;
c) for a mixed MCS, its risk indicator is the pair (P, L), where the probability value P is calculated by the rule of a) in step 5-4 and the likelihood level L by the rule of b) in step 5-4.
And 5-5, giving the risk evaluation result according to the risk parameters of all MCSs, and giving suggestions for mitigating the hazards. From the controllability perspective, the controllability of a safety MCS is the strongest and the controllability of a hybrid MCS is the worst. Therefore all MCSs are ordered in the sequence security MCS, mixed MCS, safety MCS, where among the security MCSs those with a higher likelihood level rank first; among the mixed MCSs those with a higher L rank first; and among the safety MCSs those with a higher probability value rank first. After all MCSs are ordered by this rule, the top-ranked MCSs are taken to give improvement proposals. For example: if a security MCS exists, i.e. the system fault depends only on external influence and not on the fault of any internal component, a corresponding countermeasure is added to the system to avoid the fault; in a hybrid MCS a safety event and a security event coexist, and the occurrence of the fault can be alleviated by reducing the probability of the safety event.
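Steps 5-2 to 5-5 worked through in Python on a small integrated Attack-DFTs written out by hand. This is an added example, not the patent's code: the node names (e1 to e7, e4_subtree, e6_subtree, a1 to a3, ATGoal1, ATGoal2), probabilities and likelihood levels are constructed; with only AND/OR gates the minimal cut sequences reduce to minimal cut sets, which are enumerated by recursive expansion instead of the I/O automaton conversion mentioned in step 5-2; the risk parameters follow the rules a), b) and c) of step 5-4 and the ordering follows step 5-5.

```python
"""Attack-DFTs evaluation (steps 5-2 to 5-5). Added example, not the patent's
code; node names, probabilities and likelihood levels are constructed."""
from itertools import product
from math import prod

LEVELS = ["low", "middle", "high"]          # likelihood scale, ordered

# Integrated Attack-DFTs, node -> (gate kind, inputs); basic events appear
# only as inputs. e4 and e6 are nodes that step 4 spliced with attack trees.
GATES = {
    "e1": ("OR",  ["e2", "e5"]),               # top event
    "e2": ("AND", ["e3", "e4"]),
    "e4": ("OR",  ["e4_subtree", "ATGoal2"]),  # backup fails OR is disabled by attack
    "ATGoal2": ("AND", ["a1", "a3"]),
    "e5": ("OR",  ["e6", "e7"]),
    "e6": ("OR",  ["e6_subtree", "ATGoal1"]),  # wrong setpoint OR forged setpoint
    "ATGoal1": ("AND", ["a1", "a2"]),
}
SAFETY_P = {"e3": 0.05, "e4_subtree": 0.02, "e6_subtree": 0.01, "e7": 0.005}
SECURITY_L = {"a1": "middle", "a2": "high", "a3": "low"}


def cut_sets(node):
    """Step 5-2: minimal cut sets of `node`. With only AND/OR gates the
    minimal cut sequences of a DFT reduce to ordinary minimal cut sets:
    OR collects the children's sets, AND takes unions across all combinations,
    and non-minimal sets (supersets of another set) are dropped."""
    if node not in GATES:
        return [frozenset([node])]
    kind, inputs = GATES[node]
    child = [cut_sets(c) for c in inputs]
    if kind == "OR":
        sets = {s for cs in child for s in cs}
    else:
        sets = {frozenset().union(*combo) for combo in product(*child)}
    return [s for s in sets if not any(o < s for o in sets)]


def classify(mcs):
    """Step 5-3: safety, security or mixed by the kinds of events it holds."""
    has_safety = any(e in SAFETY_P for e in mcs)
    has_security = any(e in SECURITY_L for e in mcs)
    if has_safety and has_security:
        return "mixed"
    return "safety" if has_safety else "security"


def risk(mcs):
    """Step 5-4: P = product of safety-event probabilities (rule a),
    L = maximum likelihood level of the security events (rule b); a mixed
    MCS gets both (rule c). None marks a scale with no event behind it."""
    ps = [SAFETY_P[e] for e in mcs if e in SAFETY_P]
    ls = [SECURITY_L[e] for e in mcs if e in SECURITY_L]
    return (prod(ps) if ps else None, max(ls, key=LEVELS.index) if ls else None)


def evaluate(top="e1"):
    """Step 5-5: security MCSs first (higher L first), then mixed (higher L
    first), then safety (higher P first). Returns the ordered rows."""
    rows = []
    for mcs in cut_sets(top):
        P, L = risk(mcs)
        rows.append({"events": tuple(sorted(mcs)), "kind": classify(mcs), "P": P, "L": L})
    order = {"security": 0, "mixed": 1, "safety": 2}

    def key(r):
        by_level = -LEVELS.index(r["L"]) if r["L"] is not None else 0
        by_prob = -r["P"] if r["P"] is not None else 0.0
        return (order[r["kind"]], by_level, by_prob)

    return sorted(rows, key=key)


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

On the constructed tree the top of the ranking is the security MCS {a1, a2} (level high), followed by the mixed MCS {e3, a1, a3} with indicator (0.05, middle); the three safety MCSs come last, ordered by their product probabilities. Reading the result as step 5-5 suggests, the security MCS is the one whose fault needs no internal component failure at all, so it is the first candidate for a countermeasure.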
The above description is only for the purpose of illustrating the technical solutions of the present invention and not for the purpose of limiting the same, and other modifications or equivalent substitutions made by those skilled in the art to the technical solutions of the present invention should be covered within the scope of the claims of the present invention without departing from the spirit and scope of the technical solutions of the present invention.