CN115061434A - Attack path parallel planning system and method for large-scale industrial control scene - Google Patents


Info

Publication number
CN115061434A
CN115061434A (application CN202210615137.2A)
Authority
CN
China
Prior art keywords
attack
information
graph
scene
vulnerability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210615137.2A
Other languages
Chinese (zh)
Inventor
王佰玲
陈翊璐
王子博
刘扬
魏玉良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Weihai Tianzhiwei Network Space Safety Technology Co ltd
Harbin Institute of Technology Weihai
Original Assignee
Weihai Tianzhiwei Network Space Safety Technology Co ltd
Harbin Institute of Technology Weihai

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM]
    • G05B19/41865 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS] or computer integrated manufacturing [CIM] characterised by job scheduling, process planning, material flow
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 Nc systems
    • G05B2219/32 Operator till task planning
    • G05B2219/32252 Scheduling production, machining, job shop


Abstract

An attack path parallel planning system and method for large-scale industrial control scenes comprise a scene information modeling module, an attack graph generation and visualization module and an attack graph updating module. The scene information modeling module acquires topology information and vulnerability information and compiles them; the attack graph generation and visualization module acquires attack paths, generates an attack graph and displays it graphically; the attack graph updating module detects equipment updates and combines the newly planned path with the existing attack paths to form an attack graph for the updated planned path. This solves the problems that existing attack graph generation methods depend on domain knowledge and that the attack graph must be regenerated whenever the industrial control scene changes, and the method can be widely applied in the field of big data processing.

Description

Attack path parallel planning system and method for large-scale industrial control scene
Technical Field
The invention relates to the field of big data processing, in particular to an attack path parallel planning system and method for a large-scale industrial control scene.
Background
Industrial control systems are a foundational class of cyber-physical system, covering national critical infrastructure industries such as electric power, manufacturing, petroleum, chemicals and transportation, and security incidents in them occur frequently. Attack graph modeling of an industrial control system helps security personnel perceive the security state of the system intuitively and improve its security.
A traditional attack graph describes all possible attack scenarios and is hard to understand; a minimal attack graph contains only the attack paths that can reach the attack target and can be used directly for security analysis. All attack graphs mentioned below refer to the minimal attack graph. Traditional attack graph generation methods statically encode domain knowledge and cannot adapt to diverse industrial control scenes. Planner-based attack graph generation performs attack path planning with a Planning Domain Description Language (PDDL) file as input; it does not depend on domain knowledge, is more efficient, and is portable and general. PDDL describes the concrete industrial control scene information and models it as a planning domain and a problem; it is extensible, has a rich hierarchy of description categories, and can flexibly describe different industrial control scenes. In addition, because PDDL is a planning language, planning can be carried out efficiently with currently developed planner technology.
However, with the arrival of the Industry 4.0 era, the integration of intelligent technology with industry allows an industrial control system to cooperate with other systems, and at the same time the number of devices in an industrial control system keeps growing. Current planner-based attack graph generation methods perform poorly in large-scale scenes, and the correctness of a PDDL file describing a large-scale network is difficult to check, so a correct attack graph matching the current scene cannot be generated. In addition, when the scene changes the PDDL file must be modified and the planner restarted to obtain the attack paths, which consumes more resources. Therefore the large-scale scene should be partitioned so that the attack graph can be generated in parallel to improve efficiency. Graph partitioning based on subnet division makes use of known subnet information and is convenient in practice, but the node distribution may be unbalanced, which degrades the performance of parallel attack graph generation, and it cannot completely avoid the state combination explosion that occurs during attack graph generation.
Disclosure of Invention
In order to solve the technical problems, the invention provides an attack path parallel planning system and method for a large-scale industrial control scene.
A first aspect of an embodiment of the present application provides an attack path parallel planning system for a large-scale industrial control scenario, including:
the scene information modeling module is used for acquiring and compiling topology information and vulnerability information;
the attack graph generating and visualizing module is used for acquiring an attack path to generate an attack graph and displaying the attack graph in a graph;
and the attack graph updating module is used for detecting equipment updating and combining the planned path and the attack path to form an attack graph aiming at the updated planned path.
Preferably, the scene information modeling module comprises a scene information collection module, a scene information segmentation module and a PDDL modeling module;
the scene information collection module is used for collecting topology information and vulnerability information in the current scene;
the scene information segmentation module is used for dividing the complete scene information into small-scale scenes and searching for intermediate state equipment;
the PDDL modeling module is used for coding the topology information and the vulnerability information of the scene according to a PDDL specification to generate a PDDL file.
Preferably, the scene information collection is specifically realized by the following steps:
considering the real-time operation requirements of the industrial control system, scene information is detected with several passive detection tools without affecting the normal operation of the system; device information comprising device IP, name, type, manufacturer and model, running service information comprising service name, service version and open port, and reachability relation information are acquired and stored in a relational database, and the scene network topology is constructed from the acquired scene information;
based on the obtained device and service information, several vulnerability scanning tools scan the devices and services, again without affecting the normal operation of the system, to obtain vulnerability information; the CVE-ID, vulnerability name and similar fields are extracted from it, the vulnerability type and the pre- and post-conditions of exploiting the vulnerability are collected from vulnerability libraries such as CVE and CNNVD, and these are stored in the relational database.
Preferably, the scene information segmentation includes topology information segmentation and intermediate state device search;
the topology information segmentation uses a graph partitioning technique to divide the complete scene information into several small-scale scenes, each smaller than a topology scale threshold, providing the data basis for the subsequent parallel attack path planning;
an intermediate state device is a device located in the central layer after the topology has been divided into layers, the central layer being chosen by the closeness centrality measure; the intermediate state device search finds the intermediate state devices and uses them to divide the scene into two parts, attack path planning is then carried out on the two regions in turn, and together with a pruning operation this addresses the state combination explosion that may occur when attack path planning is performed on the complete scene.
Preferably, the attack graph generation and visualization module comprises an attack path parallel planning module, an attack path merging module and an attack graph visualization module;
the attack path parallel planning module is used for searching all attack paths under a sub scene in parallel;
the attack path merging module is used for merging all attack paths to generate an attack graph;
and the attack graph visualization module is used for graphically displaying the generated attack graph.
Preferably, the parallel attack path planning is specifically implemented by the following means:
a CUDA-based parallel computing model is used; each agent takes the PDDL files of one partition as input and plans the attack paths, the number of agents equals the number of partitions, and the partition attack path generation program executed by each agent involves four parts: path planning, attack path pruning, PDDL updating and attack path merging.
Preferably, the attack path merging includes attack graph vertex merging and attack graph edge merging.
Preferably, the attack graph visualization is specifically realized by the following means:
all vertex IDs and edges are read from the attack graph; for the vertex information, the vertex name, device ID, service ID and CVE-ID are read from the vertex table by vertex ID, the device name and device type are read from the device table by device ID, the service name is read from the service table by service ID, and the vulnerability name is read from the vulnerability table by CVE-ID; for the edge data, the source vertex ID and target vertex ID are read from the edge table for each edge of the attack graph; the vertex and edge data read in this way are then displayed visually.
Preferably, the attack graph updating module comprises a reachability relation updating module and an equipment service vulnerability updating module;
the reachability relation updating module is used for detecting and updating the reachability relation of the equipment;
and the equipment service vulnerability updating module is used for detecting and updating the equipment service vulnerability information.
A second aspect of the present application provides an attack path parallel planning method for a large-scale industrial control scenario, including the following steps:
acquiring topology information and vulnerability information and compiling;
acquiring an attack path to generate an attack graph and displaying the attack graph in a graph;
and detecting equipment updating, and combining the planned path and the attack path to form an attack graph aiming at the updated planned path.
The invention removes the dependency of the attack graph generation algorithm on the domain by describing the domain with a planning domain description language, and also provides a method for constructing the PDDL file automatically. To address the poor performance of attack graph generation in large-scale industrial control scenes, a graph partitioning algorithm is introduced to divide the large-scale network topology into small-scale topologies that consume fewer resources during attack graph generation, and the state combination explosion is relieved by partitioning the device space with a centrality index and applying a pruning strategy during attack graph generation. So that security practitioners can observe the attack situation of the industrial control system visually, the attack graph is displayed graphically. In addition, taking into account the fragility and real-time nature of industrial control systems, system information is obtained with passive detection and scanning tools, several updating strategies are provided for scene updates, and the attack graph is generated or updated without affecting the normal operation of the industrial control system.
Drawings
Fig. 1 is a functional block diagram of an attack path parallel planning system for a large-scale industrial control scenario according to an embodiment of the present application;
fig. 2 is an architecture diagram of an attack path parallel planning system according to an embodiment of the present application;
fig. 3 is a multi-layer data flow diagram of an attack path parallel planning system according to an embodiment of the present application;
fig. 4 is an entity relationship diagram of scene information provided in an embodiment of the present application;
fig. 5 is a schematic diagram of the intermediate state device location provided in an embodiment of the present application;
fig. 6 is a flowchart of a scene information segmentation function according to an embodiment of the present application;
fig. 7 is a flowchart of an attack path planning procedure according to an embodiment of the present application;
fig. 8 is an entity relationship diagram of an attack graph provided in an embodiment of the present application;
fig. 9 is a schematic view of a visualization result of an attack graph according to an embodiment of the present application;
fig. 10 is a flowchart of updating an attack graph according to an embodiment of the present application;
fig. 11 is a schematic flowchart of an attack path parallel planning method for a large-scale industrial control scenario according to an embodiment of the present application.
Detailed Description
In order to make the technical problems, technical solutions and advantageous effects to be solved by the present application clearer, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
Referring to fig. 1, a functional block diagram of an attack path parallel planning system for a large-scale industrial control scenario according to an embodiment of the present application is shown, for convenience of description, only the relevant parts of the embodiment are shown, and the following details are described below:
in one embodiment, the system for the parallel planning of the attack path facing the large-scale industrial control scene comprises a scene information modeling module, an attack graph generating and visualizing module and an attack graph updating module.
The scene information modeling module comprises an industrial control scene information collection module, a scene information segmentation module and a PDDL modeling module, wherein the industrial control scene information collection module is used for collecting topology and vulnerability information in a current scene, the scene information segmentation module is used for dividing complete scene information into small-scale scenes and searching for intermediate state equipment, and the PDDL modeling module is used for coding the topology information and the vulnerability information of the scene according to PDDL standards to generate a PDDL file.
The attack graph generating and visualizing module comprises an attack path parallel planning module, an attack path merging module and an attack graph visualizing module; the attack path parallel planning module searches all attack paths of the sub-scenes in parallel using several planners, the attack path merging module merges all the attack paths to generate an attack graph, and the attack graph visualizing module displays the generated attack graph graphically.
The attack graph updating module comprises a reachability relation updating module and a device service vulnerability updating module; when an update of the device reachability relation or of the device service vulnerability information is detected, it plans paths for the sub-scene information affected by the update and combines the newly planned paths with the previous attack paths to form the attack graph.
As shown in fig. 2, the system architecture comprises an application layer, a service layer and a support layer. The application layer interacts with security practitioners and provides the page functions for scene information collection, scene information segmentation, PDDL modeling, attack graph generation and so on. The service layer provides service support for the application layer: the topology detection and vulnerability scanning services support scene information collection; the graph topology segmentation and intermediate state device search services support scene information segmentation; the PDDL domain and problem file generation service performs the PDDL modeling of scene information automatically; and the attack graph updating, attack path parallel planning, attack path merging and attack graph visualization services support attack graph generation. The support layer provides the underlying tools and data storage for the service layer and consists of device detection tools, vulnerability scanning tools, planners and a database. The device detection and vulnerability scanning tools serve the topology detection and vulnerability scanning services, the planner is used for attack path planning, and the database stores the data.
As shown in fig. 3, the data logic of the system is described with a multi-level data flow diagram. First, the security practitioner sets the scale of a small-scale network as the threshold, together with the attack target. The industrial control scene information collection process obtains scene information by information collection and vulnerability library matching; the scene information segmentation process reads the scene information and divides it into several sub-scenes according to the set scale threshold; the PDDL modeling process reads the sub-scene information and models it as PDDL files; the attack path parallel planning process generates all attack paths of each sub-scene from the PDDL files; the attack path merging process reads the attack paths and generates the attack graph; and the attack graph visualization process displays the attack graph to the security practitioner as an image. When an update of the scene information is detected, the reachability relation updating or device service vulnerability updating process is executed: the updated sub-scene information is queried and the attack paths for that sub-scene are re-planned.
In one embodiment, the scene information modeling module is configured to obtain topology information and vulnerability information and compile the topology information and vulnerability information.
Specifically, the industrial control scene information collection module collects topology and vulnerability information in a current scene.
Considering the real-time operation requirements of the industrial control system, several passive detection tools are used to detect scene information without affecting the normal operation of the system. The device information obtained comprises device IP, name, type, manufacturer and model; the running service information comprises service name, service version, open port and reachability relation; both are stored in a relational database. The scene network topology is then constructed from the obtained scene information.
Based on the obtained device and service information, several vulnerability scanning tools scan the devices and services, again without affecting the normal operation of the system, to obtain vulnerability information. The CVE-ID, vulnerability name and similar fields are extracted from it, the vulnerability type and the pre- and post-conditions of exploiting the vulnerability are collected from vulnerability libraries such as CVE and CNNVD, and these are stored in the relational database.
Fig. 4 shows the database entity relationship diagram of the scene information: a network topology contains several devices and several device reachability records; one or more services run on one device and one service may exist on one or more devices; one service may have one or more vulnerabilities and one vulnerability may exist on one or more services. The start point flag, attack target flag, intermediate state flag, partition and layer number columns of the device table are introduced with the scene information segmentation function.
The scene information segmentation module divides the complete scene information into small-scale scenes and searches for intermediate state equipment.
To relieve state explosion of the attack graph in large-scale industrial control scenes and reduce the time consumed in generating it, the obtained scene information is segmented; this comprises topology information segmentation and intermediate state device search. Topology information segmentation divides the complete scene information into several small-scale scenes each smaller than the topology scale threshold, providing the data basis for the subsequent parallel attack path planning. An intermediate state device is a device located in the central layer of the topology (called the intermediate state device layer) after the topology has been layered, the central layer being chosen by the closeness centrality measure; the position of the intermediate state devices is shown in fig. 5. The intermediate state device search finds these devices and uses them to divide the scene into two parts; attack path planning is then performed on the two regions in turn, and together with the pruning operation this addresses the state combination explosion that may occur when attack path planning is performed on the complete scene. As shown in the scene information segmentation flowchart of fig. 6, the function first checks whether the scene topology size exceeds the topology size threshold: if so, the scene topology is partitioned; if not, the intermediate state devices of the topology are searched for.
Scene information segmentation comprises topology segmentation and vulnerability information segmentation. Because the edges of an industrial control network topology represent device reachability information and cutting edges may lose information, a vertex-cut partitioning method is adopted. The streaming graph partitioning method HRDF performs well in load balancing and in minimizing the number of cut vertices, so the number of partitions is determined from the set scale threshold and the topology scale, the network topology is partitioned with the HRDF method, and the partition value of each device is stored. For vulnerability information segmentation, once topology segmentation is complete the vulnerability information is partitioned according to the partition of the device on which each vulnerability resides.
When the partition, or the current topology, is smaller than the set topology scale threshold, the intermediate state device vertices of each partition are searched for using closeness centrality. Closeness centrality quantifies, based on geodesic distance, how central or peripheral a vertex intuitively is within a two-dimensional region, and is defined as
Figure BDA0003673936640000071
where u is the vertex whose closeness centrality is computed, V(G) is the vertex set of the graph, and δ(u,v) is the average shortest distance between vertex u and any other vertex v in the graph. First a layer value is set for each node: in each partition, vertices with in-degree 0 are set as start points and vertices with out-degree 0 as end points, the partition is traversed depth-first from the start points to the end points, and a vertex n reached k hops from the start point is given layer number k. A vertex may receive different layer values; the minimum is taken and stored as the layer value of that vertex. While a vertex is traversed, its closeness centrality is computed. If some vertices remain untraversed after the depth-first traversal from all start points has finished, those vertices cannot reach the attack target, so the pruning operation is executed: the vertices and their incident edges are deleted from the partition and the partition information is updated. The start point devices are marked in the device table as partition start points, and the entry point entered by the security practitioner is marked as the initial start point; the end point devices are marked in the device table as partition end points, and the attack target entered by the security practitioner is marked as the final end point. Then the average closeness centrality of the devices in each layer is computed; a high average closeness centrality means that the devices in that layer lie closer to the visual center of the graph than the devices in other layers, so all devices in the layer with the highest average closeness centrality are marked as intermediate state devices. Because the partitions are independent of one another, the intermediate state devices of all partitions can be searched for simultaneously in a parallel computing mode.
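The following is an added example, not code from the patent, that carries the intermediate state device search of one partition through on a small constructed topology: layering by hop count from the in-degree-0 start point, pruning of vertices that no start point reaches, closeness centrality per vertex, and selection of the layer with the highest average closeness. Because the patent's closeness formula is not reproduced on this page, the standard form (number of other vertices divided by the sum of shortest distances, measured on the undirected reachability graph) is used and is an assumption; the device names and edges are constructed.

```python
"""Intermediate state device search for one partition (added example).
Layering, pruning, closeness centrality and layer selection as described
in the text; topology and closeness formula are assumptions."""
from collections import deque

# Constructed partition topology: directed reachability edges between devices.
# S has in-degree 0 (partition start point), T has out-degree 0 (end point).
# Y and Z form a cycle that no start point reaches, so they must be pruned.
EDGES = [("S", "A"), ("S", "B"), ("A", "C"), ("B", "C"),
         ("C", "D"), ("D", "T"), ("C", "T"), ("Y", "Z"), ("Z", "Y")]


def build_graph(edges):
    """Successor and predecessor sets for every vertex."""
    succ, pred = {}, {}
    for u, v in edges:
        succ.setdefault(u, set()).add(v)
        pred.setdefault(v, set()).add(u)
        succ.setdefault(v, set())
        pred.setdefault(u, set())
    return succ, pred


def start_and_end_points(succ, pred):
    starts = sorted(v for v in succ if not pred[v])   # in-degree 0
    ends = sorted(v for v in succ if not succ[v])     # out-degree 0
    return starts, ends


def assign_layers(succ, starts):
    """Depth-first traversal from every start point; a vertex reached after
    k hops gets layer k, and the minimum over all visits is kept."""
    layer = {}
    for s in starts:
        stack = [(s, 0)]
        while stack:
            v, k = stack.pop()
            if k < layer.get(v, float("inf")):
                layer[v] = k
                stack.extend((w, k + 1) for w in succ[v])
    return layer


def prune_unreached(succ, pred, layer):
    """Vertices never reached from a start point cannot lie on a path to the
    attack target: delete them and their incident edges (pruning step)."""
    dead = {v for v in succ if v not in layer}
    for v in dead:
        for w in succ.pop(v):
            pred[w].discard(v)
        for w in pred.pop(v):
            succ[w].discard(v)
    return dead


def closeness(succ, pred, u):
    """Standard closeness centrality on the undirected reachability graph
    (assumption: the patent's exact formula is not on the page)."""
    dist = {u: 0}
    queue = deque([u])
    while queue:
        v = queue.popleft()
        for w in succ[v] | pred[v]:
            if w not in dist:
                dist[w] = dist[v] + 1
                queue.append(w)
    total = sum(dist.values())
    return (len(dist) - 1) / total if total else 0.0


def intermediate_state_devices(layer, score):
    """Average closeness per layer; every device of the layer with the
    highest average is marked as an intermediate state device."""
    by_layer = {}
    for v, k in layer.items():
        by_layer.setdefault(k, []).append(score[v])
    best = max(by_layer, key=lambda k: sum(by_layer[k]) / len(by_layer[k]))
    return sorted(v for v, k in layer.items() if k == best)


def search_partition(edges):
    """Run the whole search for one partition and return its results."""
    succ, pred = build_graph(edges)
    starts, ends = start_and_end_points(succ, pred)
    layer = assign_layers(succ, starts)
    pruned = prune_unreached(succ, pred, layer)
    score = {v: closeness(succ, pred, v) for v in succ}
    return {"starts": starts, "ends": ends, "layers": layer, "pruned": pruned,
            "closeness": score,
            "intermediate": intermediate_state_devices(layer, score)}


if __name__ == "__main__":
    for key, value in search_partition(EDGES).items():
        print(key, value)
```

On the constructed topology the layer of C (hop count 2) has the highest average closeness, so C is the single intermediate state device, and the unreachable cycle Y, Z is pruned before any centrality is computed; the partition start S and end point T are found from in- and out-degree, exactly as the text prescribes.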
And the PDDL modeling module encodes the topology information and vulnerability information of the scene according to a PDDL specification to generate a PDDL file.
For the attack path planning problem, a file conforming to the PDDL specification is constructed automatically. The sub-scene information obtained by partitioning is divided into two regions, from the start point to the intermediate state device layer and from the intermediate state device layer to the partition end point, and the corresponding PDDL domain and problem files are generated for each. All conditions at the start point of each partition are assumed to be satisfied. For domain file generation, the devices in the scene are converted into problem entities, the service information of a device (including its vulnerabilities, open ports and versions) is converted into predicate logic over those entities, and the vulnerability information is converted into preconditions and entity state transition rules; for problem file generation, the reachability information is converted into the initial conditions and the attack target into the goal. The domain file of the region from the partition start point to the intermediate state device layer contains only the corresponding device, service and vulnerability information, its problem file contains only the corresponding reachability information, and its attack target is the intermediate state device; the same applies to the domain file of the region from the intermediate state device layer to the partition end point, but the attack target in its problem file is the partition end point.
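As an added illustration of this modeling step (example code, not the patent's generator), the block below turns a constructed device/service/vulnerability fragment into PDDL domain and problem text for the two regions of one partition. The predicate names (compromised, reachable, vulnerable), the action naming scheme exploit-<cve>, the CVE identifiers and the layering result are all assumptions; pre- and post-conditions are carried as comments on the generated actions.

```python
"""PDDL domain/problem generation for the two regions of a partition
(added example; names, CVE ids and layering are constructed)."""

# Constructed scene fragment. CVE identifiers are placeholders.
DEVICES = {"hmi1": "hmi", "eng1": "engineering-ws", "plc1": "plc"}
SERVICES = {  # service id -> (device, service name, version, open port)
    "svc-web": ("hmi1", "webui", "2.1", 80),
    "svc-rpc": ("eng1", "rpc", "5.0", 135),
    "svc-s7": ("plc1", "s7comm", "1.0", 102),
}
VULNS = {  # placeholder CVE id -> (service id, precondition, postcondition)
    "CVE-0000-0001": ("svc-web", "network-access", "user-privilege"),
    "CVE-0000-0002": ("svc-rpc", "user-privilege", "admin-privilege"),
    "CVE-0000-0003": ("svc-s7", "network-access", "control"),
}
REACHABLE = [("hmi1", "eng1"), ("eng1", "plc1")]
LAYER = {"hmi1": 0, "eng1": 1, "plc1": 2}   # constructed layering result


def pddl_name(s):
    """PDDL names: letters, digits, hyphens; lower-case for readability."""
    return s.lower().replace("_", "-")


def domain_text(region):
    """Domain file: each vulnerability of a service on a device in the region
    becomes an action; its precondition needs a compromised reachable source
    and the vulnerable target, its effect compromises the target."""
    vulns = {c: v for c, v in VULNS.items() if SERVICES[v[0]][0] in region}
    lines = ["(define (domain ics-partition)",
             "  (:requirements :strips :typing)",
             "  (:types device vuln)"]
    if vulns:
        lines.append("  (:constants " + " ".join(map(pddl_name, vulns)) + " - vuln)")
    lines += ["  (:predicates (compromised ?d - device)",
              "               (reachable ?a ?b - device)",
              "               (vulnerable ?d - device ?v - vuln))"]
    for cve, (svc, pre, post) in vulns.items():
        _, name, ver, port = SERVICES[svc]
        lines += [f"  ; {cve} on {name}/{ver} port {port}: pre={pre}, post={post}",
                  f"  (:action exploit-{pddl_name(cve)}",
                  "    :parameters (?src ?dst - device)",
                  "    :precondition (and (compromised ?src) (reachable ?src ?dst)",
                  f"                       (vulnerable ?dst {pddl_name(cve)}))",
                  "    :effect (compromised ?dst))"]
    lines.append(")")
    return "\n".join(lines)


def problem_text(name, region, starts, target):
    """Problem file: start points are assumed compromised (start conditions
    assumed met), reachability and vulnerabilities of the region form the
    initial state, and the region's attack target is the goal."""
    init = [f"(compromised {s})" for s in sorted(starts) if s in region]
    init += [f"(reachable {a} {b})" for a, b in REACHABLE
             if a in region and b in region]
    init += [f"(vulnerable {SERVICES[svc][0]} {pddl_name(cve)})"
             for cve, (svc, _, _) in VULNS.items() if SERVICES[svc][0] in region]
    return "\n".join([f"(define (problem {name}) (:domain ics-partition)",
                      "  (:objects " + " ".join(sorted(region)) + " - device)",
                      "  (:init " + " ".join(init) + ")",
                      f"  (:goal (compromised {target})))"])


def region_files(layer, intermediate, end_point):
    """Split the partition at the intermediate state layer: region 1 runs
    from the start point to that layer (one problem per intermediate device),
    region 2 from that layer to the partition end point."""
    mid = layer[intermediate[0]]
    region1 = {d for d, k in layer.items() if k <= mid}
    region2 = {d for d, k in layer.items() if k >= mid}
    starts = [d for d, k in layer.items() if k == 0]
    files = {f"r1-{t}": (domain_text(region1), problem_text(f"r1-{t}", region1, starts, t))
             for t in intermediate}
    files["r2"] = (domain_text(region2), problem_text("r2", region2, intermediate, end_point))
    return files


def balanced(text):
    """Sanity check that generated S-expressions have matching parentheses."""
    depth = 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


if __name__ == "__main__":
    for key, (dom, prob) in region_files(LAYER, ["eng1"], "plc1").items():
        print(f"--- {key} domain ---\n{dom}\n--- {key} problem ---\n{prob}")
```

Region 1's domain only contains actions for vulnerabilities on hmi1 and eng1 and its goal is the intermediate device eng1; region 2's problem starts with eng1 already compromised and targets plc1, which mirrors the two-region split described above.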
In one embodiment, the attack graph generation and visualization module is used for acquiring an attack path to generate an attack graph and graphically displaying the attack graph.
Specifically, the attack path parallel planning module is used for searching all attack paths in the sub-scene in parallel.
As shown in fig. 7, a CUDA-based parallel computing model is used: each agent takes the PDDL files of one partition as input and plans the attack paths, and the number of agents equals the number of partitions. The partition attack path generation program executed by each agent involves four parts: path planning, attack path pruning, PDDL updating and attack path merging.
The agent takes the PDDL files of the region from the partition start point to the intermediate state device layer as input, calls the planner to obtain all attack paths from the partition start point to the intermediate state device layer, and stores them. Some of these attack paths may not reach an intermediate state device and therefore cannot reach the attack target, so a pruning operation removes them to reduce subsequent consumption. At the same time, some intermediate state devices may not be reached by any attack path and therefore do not take part in attack graph generation, so their attack target flags are modified, the description of these devices is modified in the PDDL files of the region from the intermediate state device layer to the partition end point, and new PDDL files are generated. The new PDDL files are then given to the planner as input to plan all attack paths of the region from the intermediate state device layer to the partition end point, and the resulting attack paths are pruned after planning finishes. Each resulting attack path is stored as a finite sequence of device_vulnerability elements, <Dev1_vul1, Dev2_vul2, Dev3_vul4, ...>, together with the partition in which it lies. After planning finishes, the attack paths of the two regions are combined at the intermediate state devices: an attack path of the region from the partition start point to the intermediate state device layer and an attack path of the region from the intermediate state device layer to the partition end point whose start point equals that path's end point are joined into one attack path.
The attack path merging module is used for merging all the attack paths to generate an attack graph.
As shown in fig. 8, the attack paths of all partitions are combined to form the attack graph of the original scene. An attack graph consists of a set of vertices and a set of edges: each vertex carries a vertex ID, device information, service information and vulnerability information, and each edge carries a source vertex ID and a target vertex ID. Attack path merging therefore comprises attack graph vertex merging and attack graph edge merging.
For attack graph vertices, since all the preconditions of the partition start point were assumed to hold when the PDDL file was constructed, it must be checked whether those preconditions can actually be satisfied. Except in the partition containing the attack target, the end point of one partition is usually the start point of another, i.e. the start point of an attack path in one partition should be the end point of an attack path in another. Checking whether the start point condition holds therefore reduces to checking whether the start point of an attack path (other than the entry point) appears in the end point position of some other attack path. If it does, the start point is added to the vertex set of the attack graph, and then the remaining vertices of that attack path are added and deduplicated. When a vertex is stored, besides the vertex name Dev_vul, a unique vertex ID is assigned to each element, and the device ID, service ID and vulnerability CVE-ID are added according to the device and vulnerability information encoded in the name.
For attack graph edges, each pair of adjacent vertices in an attack path is regarded as an edge: if Dev1_vul1 and Dev2_vul2 are adjacent, there is a directed edge between them whose source vertex is Dev1_vul1 and whose target vertex is Dev2_vul2. The attack paths are traversed, and if both the source and target vertices of an edge exist in the vertex set of the attack graph, the pair of their vertex IDs is added to the edge set of the attack graph.
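Vertex merging with the start-point check, followed by edge merging, as an added example that is not the patent's own code. The device and vulnerability lookup tables and the per-partition attack paths are constructed, and the CVE-IDs are placeholders rather than real advisories; the third partition's path starts at a device on which no other path ends, which is the case the start-point check is meant to reject:

```python
# Constructed lookup tables standing in for the page's device and vulnerability tables.
# Device IDs and service IDs are made up; the CVE-IDs are placeholders, not real advisories.
DEVICE_TABLE = {"Dev1": 101, "Dev2": 102, "Dev3": 103, "Dev6": 106,
                "Dev7": 107, "Dev8": 108, "Dev9": 109}
VULN_TABLE = {  # vulnerability label -> (service ID, CVE-ID)
    "vul1": (11, "CVE-PLACEHOLDER-1"), "vul2": (12, "CVE-PLACEHOLDER-2"),
    "vul3": (13, "CVE-PLACEHOLDER-3"), "vul6": (16, "CVE-PLACEHOLDER-6"),
    "vul7": (17, "CVE-PLACEHOLDER-7"), "vul8": (18, "CVE-PLACEHOLDER-8"),
    "vul9": (19, "CVE-PLACEHOLDER-9"),
}

# Constructed per-partition attack paths as (partition ID, Dev_vul sequence). P1 starts at
# the entry point, P2 starts where P1 ends, and P3 starts at a device no other path ends on.
ATTACK_PATHS = [
    ("P1", ("Dev1_vul1", "Dev2_vul2", "Dev3_vul3", "Dev6_vul6")),
    ("P1", ("Dev1_vul1", "Dev3_vul3", "Dev6_vul6")),
    ("P2", ("Dev6_vul6", "Dev7_vul7", "Dev8_vul8")),
    ("P3", ("Dev9_vul9", "Dev8_vul8")),   # start point condition never satisfied
]
ENTRY_POINT = "Dev1_vul1"


def build_attack_graph(paths, entry_point):
    """Vertex merging with the start-point check, then edge merging.

    Returns (vertices, edges): vertices maps Dev_vul name -> record with a unique vertex ID,
    device ID, service ID and CVE-ID; edges is a sorted list of (source ID, target ID).
    """
    end_points = {p[-1] for _, p in paths}
    vertices = {}

    def add_vertex(name):
        if name in vertices:          # deduplication across paths
            return
        dev, vul = name.split("_", 1)
        service_id, cve_id = VULN_TABLE[vul]
        vertices[name] = {"id": len(vertices) + 1, "name": name,
                          "device_id": DEVICE_TABLE[dev],
                          "service_id": service_id, "cve_id": cve_id}

    for _, p in paths:
        # The partition start point's preconditions were assumed when the PDDL file was
        # built; they hold only if the start is the entry point or some other path ends there.
        if p[0] == entry_point or p[0] in end_points:
            for name in p:
                add_vertex(name)

    edges = set()
    for _, p in paths:
        for src, dst in zip(p, p[1:]):
            if src in vertices and dst in vertices:
                edges.add((vertices[src]["id"], vertices[dst]["id"]))
    return vertices, sorted(edges)


VERTICES, EDGES = build_attack_graph(ATTACK_PATHS, ENTRY_POINT)

if __name__ == "__main__":
    for v in VERTICES.values():
        print(v)
    print(EDGES)
```

Dev9_vul9 never enters the vertex set, so the edge Dev9_vul9 -> Dev8_vul8 is dropped as well even though Dev8_vul8 is a valid vertex via partition P2; that is the literal effect of requiring both endpoints of an edge to be in the vertex set.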
The attack graph visualization module is used for graphically displaying the generated attack graph.
To present the attack graph intuitively to security practitioners, the attack graph data is visualized. First, all vertex IDs and edges are read from the attack graph. For the vertex information, the vertex name, device ID, service ID and CVE-ID are read from the vertex table by vertex ID; the device name and device type are read from the device table by device ID; the service name is read from the service table by service ID; and the vulnerability name is read from the vulnerability table by CVE-ID. For the edge data, the source vertex ID and target vertex ID are read from the edge table for each edge in the attack graph.
The vertex and edge data read in this way are then displayed graphically: each attack graph vertex is drawn as an ellipse with the vertex name inside it, each edge is placed between its source and target vertices by their vertex IDs, and directed edges are drawn as straight lines with arrowheads. The device name, device type, service type, CVE-ID and vulnerability name are shown as a tooltip when the mouse hovers over a vertex, as shown in fig. 9.
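The table lookups and the drawing conventions above (ellipse per vertex, arrowed edge per ID pair, hover text per vertex), as an added example that emits Graphviz DOT; this is not the patent's own visualization code and the page does not say which drawing tool it uses. The vertex, edge, device, service and vulnerability tables are constructed, and the CVE-IDs are placeholders:

```python
# Constructed tables mirroring the ones the page reads from: vertex table (keyed by vertex
# ID), edge table, device table, service table and vulnerability table. All values are made
# up; the CVE-IDs are placeholders rather than real advisories.
VERTEX_TABLE = {
    1: {"name": "Dev1_vul1", "device_id": 101, "service_id": 11, "cve_id": "CVE-PLACEHOLDER-1"},
    2: {"name": "Dev2_vul2", "device_id": 102, "service_id": 12, "cve_id": "CVE-PLACEHOLDER-2"},
    3: {"name": "Dev3_vul3", "device_id": 103, "service_id": 13, "cve_id": "CVE-PLACEHOLDER-3"},
}
EDGE_TABLE = [(1, 2), (2, 3), (1, 3)]          # (source vertex ID, target vertex ID)
DEVICE_TABLE = {101: ("HMI-1", "HMI"), 102: ("ENG-WS", "Workstation"), 103: ("PLC-7", "PLC")}
SERVICE_TABLE = {11: "http", 12: "smb", 13: "modbus"}
VULN_TABLE = {"CVE-PLACEHOLDER-1": "constructed web flaw",
              "CVE-PLACEHOLDER-2": "constructed SMB flaw",
              "CVE-PLACEHOLDER-3": "constructed Modbus flaw"}


def escape(text):
    """Escape a string for use inside a double-quoted DOT attribute value."""
    return text.replace("\\", "\\\\").replace('"', '\\"')


def vertex_tooltip(vertex_id):
    """Join the lookups the page describes into the hover text for one vertex."""
    v = VERTEX_TABLE[vertex_id]
    device_name, device_type = DEVICE_TABLE[v["device_id"]]   # device table by device ID
    service_name = SERVICE_TABLE[v["service_id"]]             # service table by service ID
    vuln_name = VULN_TABLE[v["cve_id"]]                       # vulnerability table by CVE-ID
    return f"{device_name} ({device_type}) | {service_name} | {v['cve_id']}: {vuln_name}"


def attack_graph_to_dot():
    """Render the attack graph as DOT: ellipse nodes labelled by name, arrowed edges."""
    lines = ["digraph attack_graph {", "  node [shape=ellipse];"]
    for vid in sorted(VERTEX_TABLE):
        name = VERTEX_TABLE[vid]["name"]
        lines.append(f'  v{vid} [label="{escape(name)}", tooltip="{escape(vertex_tooltip(vid))}"];')
    for src, dst in EDGE_TABLE:
        lines.append(f"  v{src} -> v{dst};")   # digraph edges are drawn with arrowheads
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(attack_graph_to_dot())
```

Piping the output through `dot -Tsvg` produces an SVG in which Graphviz turns the `tooltip` attribute into hover text, which matches the mouse-over behaviour the page describes.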
In one embodiment, the attack graph updating module is configured to detect device updates and to combine the newly planned paths with the existing attack paths to form the attack graph corresponding to the updated planned paths.
Specifically, the system uses passive detection tools and scanning tools to monitor the topology of the industrial control system in real time, and when the information changes the attack graph is updated so that it reflects the attack situation of the current topology. Attack graph updates fall into two categories: reachability relation changes, and changes in device services and vulnerabilities. Reachability relation changes are further divided into three cases: a device added to the topology, a device deleted from the topology, and a connection change that leaves the number of devices unchanged, as shown in fig. 10. For a change in a device's service vulnerabilities, only the changed partition needs its intermediate-state device searched again and its PDDL file regenerated.
For a device added to the topology: if all the devices connected to the added device have the same partition information and are all partition tangent points (i.e. partition start or end points), one of the partitions those connected devices belong to is chosen arbitrarily as the partition of the added device, and the intermediate-state device is searched again for that partition to generate a PDDL file; if among the connected devices there is one that is not a partition tangent point, the partition information of the added device is set equal to that device's partition information, and the intermediate-state device is then searched again for that partition to generate a PDDL file. If the partition information of the devices connected to the added device is not all the same, those partitions are merged and then divided again into the same number of partitions as before, after which the intermediate-state device is searched again for every newly generated partition and its PDDL file is generated.
For a device deleted from the topology: if the deleted device is not a partition tangent point, the intermediate-state device is searched again for its partition and a PDDL file is generated; if the deleted device is a partition tangent point, all partitions it belongs to are merged and then divided again into the same number of partitions as before, after which the intermediate-state device is searched again for every newly generated partition and its PDDL file is generated.
For the case where the number of devices in the topology is unchanged but a connection relation changes: if the connection relation before and after the change lies within the same partition, only that partition needs its intermediate-state device searched again and its PDDL file regenerated; if the changed connection relation spans several partitions, all partitions involved are merged and then divided again into the same number of partitions as before, after which the intermediate-state device is searched again for every newly generated partition and its PDDL file is generated.
The above operations can be combined. Once a new PDDL file has been generated, the partition attack path generation program is executed on it to obtain new attack paths; these are merged with the attack paths of the unchanged partitions to generate the updated attack graph, which is then visualized.
As devices keep being added to and deleted from the topology, the attack graph generation process may become load-unbalanced. A relaxation parameter beta is set for this: if the ratio of the largest partition's device count to the smallest partition's device count exceeds beta, the current industrial control scene is partitioned again according to the scale threshold, and the PDDL modeling, attack graph generation, visualization and other system functions are executed afresh.
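The update rules for the three reachability cases, the service/vulnerability case and the beta load-balance check, as an added decision routine that is not the patent's own code. The partitioned topology is constructed, with a device's partition membership stored as a set so that a tangent point is simply a device belonging to two partitions. The routine only decides which partitions to re-plan or to merge and re-divide; the re-division itself is the page's graph partitioning step and is not reproduced here:

```python
# Constructed partitioned topology: device -> set of partition IDs. A device that belongs to
# two partitions is a partition tangent point (a partition start or end point). Names are
# made up.
MEMBERSHIP = {
    "Dev1": {"P1"}, "Dev2": {"P1"}, "Dev3": {"P1"},
    "Dev4": {"P1", "P2"},            # tangent point between P1 and P2
    "Dev5": {"P2"},
    "Dev6": {"P2", "P3"},            # tangent point between P2 and P3
    "Dev7": {"P3"}, "Dev8": {"P3"},
}


def is_tangent(device, membership):
    """A partition tangent point belongs to more than one partition."""
    return len(membership[device]) > 1


def plan_update(event, membership):
    """Decide which partitions need their intermediate-state device and PDDL file rebuilt.

    Returns ("replan", partitions) when the existing partition boundaries can be kept, or
    ("merge_resplit", partitions) when those partitions must be merged and divided again
    into the same number of partitions (the re-division is the page's graph partitioning
    step and is not implemented here).
    """
    kind = event["kind"]
    if kind == "add_device":
        neighbours = event["neighbours"]
        parts = [membership[n] for n in neighbours]
        if all(p == parts[0] for p in parts):          # same partition information
            non_tangent = [n for n in neighbours if not is_tangent(n, membership)]
            if non_tangent:                             # inherit that device's partition
                chosen = next(iter(membership[non_tangent[0]]))
            else:                                       # all tangent: pick one at will
                chosen = min(parts[0])
            return ("replan", frozenset({chosen}))
        return ("merge_resplit", frozenset().union(*parts))
    if kind == "delete_device":
        parts = frozenset(membership[event["device"]])
        if not is_tangent(event["device"], membership):
            return ("replan", parts)
        return ("merge_resplit", parts)
    if kind == "link_change":                           # device count unchanged
        u, v = event["endpoints"]
        shared = membership[u] & membership[v]
        if shared:                                      # link stays inside one partition
            return ("replan", frozenset(shared))
        return ("merge_resplit", frozenset(membership[u] | membership[v]))
    if kind == "service_vuln_change":
        return ("replan", frozenset(membership[event["device"]]))
    raise ValueError(f"unknown event kind: {kind}")


def needs_rebalance(partition_sizes, beta):
    """Relaxation check: largest/smallest partition device count exceeds beta."""
    return max(partition_sizes.values()) / min(partition_sizes.values()) > beta


if __name__ == "__main__":
    print(plan_update({"kind": "add_device", "device": "Dev9",
                       "neighbours": ["Dev7", "Dev8"]}, MEMBERSHIP))
    print(plan_update({"kind": "delete_device", "device": "Dev6"}, MEMBERSHIP))
    print(needs_rebalance({"P1": 9, "P2": 3, "P3": 3}, beta=2.0))
```

After a merge-and-resplit, or whenever the beta check fires, MEMBERSHIP would have to be rebuilt from the new partitioning before the next event is evaluated; the routine deliberately reads membership rather than mutating it so that each decision is reproducible from a snapshot.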
Referring to fig. 11, which is a schematic flow chart of the attack path parallel planning method for a large-scale industrial control scenario provided in an embodiment of the present application; for convenience of description, only the parts related to this embodiment are shown, as detailed below:
A second aspect of the present application provides an attack path parallel planning method for a large-scale industrial control scenario, including the following steps:
S101, acquiring topology information and vulnerability information and compiling them;
S102, acquiring attack paths to generate an attack graph and displaying the attack graph graphically;
S103, detecting device updates, and combining the planned paths with the attack paths to form the attack graph for the updated planned paths.
It should be noted that, in this embodiment, the attack path parallel planning method for a large-scale industrial control scenario is the implementation method corresponding to the attack path parallel planning system for a large-scale industrial control scenario described above; for the specific structure of each step of the method, reference may be made to the embodiments of fig. 1 to 10, and details are not repeated here.
The invention provides an attack path parallel planning system and method for a large-scale industrial control scene, which automatically construct a PDDL (product description language) file describing the scene; divide the large-scale industrial control scene into a plurality of small-scale scenes using a graph partitioning method, alleviate the state combination explosion problem through centrality indexes and pruning strategies, obtain the attack paths of the small-scale scenes in parallel, generate the attack graph by merging those attack paths, and visualize it; and finally analyze how the reachability relations and service vulnerabilities change, providing a corresponding attack graph updating strategy so that the attack graph is generated or updated without affecting the normal operation of the industrial control system.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. An attack path parallel planning system for a large-scale industrial control scene is characterized by comprising:
the scene information modeling module is used for acquiring topology information and vulnerability information and compiling the topology information and the vulnerability information;
the attack graph generating and visualizing module is used for acquiring an attack path to generate an attack graph and displaying the attack graph in a graph;
and the attack graph updating module is used for detecting equipment updating and combining the planned path and the attack path to form an attack graph aiming at the updated planned path.
2. The system for the parallel planning of the attack path facing the large-scale industrial control scene according to claim 1, wherein the scene information modeling module comprises a scene information collection module, a scene information segmentation module and a PDDL modeling module;
the scene information collection module is used for collecting topology information and vulnerability information in the current scene;
the scene information segmentation module is used for dividing the complete scene information into small-scale scenes and searching for intermediate state equipment;
the PDDL modeling module is used for coding the topology information and the vulnerability information of the scene according to a PDDL specification to generate a PDDL file.
3. The system for parallel planning of attack paths for large-scale industrial control scenes according to claim 2, wherein scene information collection is specifically realized by the following means:
in view of the real-time operation requirements of the industrial control system, scene information is detected with various passive detection tools without affecting the normal work of the system; the acquired device information comprises device IP, name, type, manufacturer and model, the acquired running service information comprises service name, service version and service open port, and reachability relation information is also acquired and stored in a relational database; the scene network topology is then constructed from the acquired scene information;
based on the obtained system device and service information, several vulnerability scanning tools are used to scan the devices and services without affecting the normal work of the system to obtain vulnerability information; information such as the CVE-ID and vulnerability name is extracted from it, the vulnerability type and the pre-conditions and post-conditions of vulnerability exploitation are collected from vulnerability libraries such as CVE and CNNVD, and the vulnerability type, pre-conditions and post-conditions are stored in a relational database.
4. The system for the parallel planning of the attack path facing the large-scale industrial control scene according to claim 3, wherein the scene information segmentation comprises topology information segmentation and intermediate state device search;
the topology information segmentation uses a graph partitioning technique to divide the complete scene information into a plurality of small-scale scenes each smaller than a topology scale threshold, providing the data basis for the subsequent attack path parallel planning;
the intermediate state device is a device located at the central layer of the topology after the topology has been layered, where the central layer position is measured by closeness centrality; the intermediate state device search finds the intermediate state device so as to divide the scene into two parts, attack path planning is then carried out on the two areas in succession, and together with the pruning operation this alleviates the state combination explosion problem that may occur when attack path planning is carried out on the complete scene.
5. The system for parallel planning of attack paths facing large-scale industrial control scenes as claimed in claim 1, wherein the attack diagram generation and visualization module comprises an attack path parallel planning module, an attack path merging module and an attack diagram visualization module;
the attack path parallel planning module is used for searching all attack paths under a sub scene in parallel;
the attack path merging module is used for merging all attack paths to generate an attack graph;
and the attack graph visualization module is used for graphically displaying the generated attack graph.
6. The system for parallel planning of attack paths for large-scale industrial control scenes according to claim 5, wherein the parallel planning of attack paths is specifically realized by:
the parallel computing model based on CUDA is used, PDDL files of all partitions are used as input planning attack paths by each agent, the number of the agents is the same as that of the partitions, and a partition attack path generating program executed by each agent relates to four parts of path planning, attack path pruning, PDDL updating and attack path merging.
7. The system for parallel planning of attack paths facing large-scale industrial control scenes according to claim 6, wherein the merging of attack paths includes merging of attack graph vertices and merging of attack graph edges.
8. The system for parallel planning of attack paths for large-scale industrial control scenes according to claim 7, wherein the visualization of the attack graph is specifically realized by:
reading all vertex IDs and edges from the attack graph; aiming at the vertex information, reading a vertex name, a device ID, a service ID and a CVE-ID from a vertex table according to the vertex ID, reading a device name and a device type from the device table according to the device ID, reading a service name from the service table according to the service ID, and reading a vulnerability name from a vulnerability table according to the CVE-ID; aiming at the edge data, reading a source vertex ID and a target vertex ID in an edge table according to an edge in an attack graph; and then visually displaying the read vertex and edge data of the attack graph.
9. The system for parallel planning of attack paths facing large-scale industrial control scenes according to claim 1, wherein the attack graph updating module comprises a reachability relation updating module and an equipment service vulnerability updating module;
the reachability relation updating module is used for detecting and updating the reachability relation of the equipment;
and the equipment service vulnerability updating module is used for detecting and updating the equipment service vulnerability information.
10. An attack path parallel planning method for a large-scale industrial control scene is characterized by comprising the following steps:
acquiring topology information and vulnerability information and compiling;
acquiring an attack path to generate an attack graph and displaying the attack graph in a graph;
and detecting equipment updating, and combining the planned path and the attack path to form an attack graph aiming at the updated planned path.
CN202210615137.2A 2022-06-01 2022-06-01 Attack path parallel planning system and method for large-scale industrial control scene Pending CN115061434A (en)


Publications (1)

Publication Number Publication Date
CN115061434A true CN115061434A (en) 2022-09-16

Family

ID=83197757

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011017566A1 (en) * 2009-08-05 2011-02-10 Core Sdi, Incorporated System and method for extending automated penetration testing to develop an intelligent and cost efficient security strategy
CN102447695A (en) * 2011-11-14 2012-05-09 中国科学院软件研究所 Method for identifying key attack path in service system
CN110533754A (en) * 2019-08-26 2019-12-03 哈尔滨工业大学(威海) Interactive attack graph display systems and methods of exhibiting based on extensive industry control network
CN112114579A (en) * 2020-09-28 2020-12-22 哈尔滨工业大学(威海) Industrial control system safety measurement method based on attack graph

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination