CN-122021005-A - Industrial Internet attack propagation simulation deduction method, system, medium and product
Abstract
An industrial Internet attack propagation simulation deduction method, system, medium and product relate to the technical field of data processing. In the method, industrial device data are collected and synchronized to a preset digital twin model, and a behavior model library for the instruction sequence and a device connection map are constructed from it. Attack traffic is then injected into the digital twin model, and an attack detector is trained in combination with the behavior model library and the device connection map to determine attack events. Each attack event is located at a starting node of the device connection map, propagation paths are determined by iterative deduction, and an attack propagation heat map is generated. High-risk target nodes in the heat map are analyzed, the data distortion influence chain and the physical uncontrolled influence chain of each target node are traced, and finally an attack propagation simulation deduction report is generated. By implementing the technical scheme provided by the application, the accuracy of industrial Internet attack propagation simulation deduction can be improved.
Inventors
- Bi Wenchong
- LU YONGQIANG
- WANG XIANG
Assignees
- 北京赋乐科技有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260121
Claims (10)
- 1. An industrial internet attack propagation simulation deduction method, characterized by comprising the following steps: acquiring equipment data of industrial equipment, and synchronizing the acquired data to a preset digital twin model based on a mapping relation between the acquired data and a virtual entity in the preset digital twin model, wherein the equipment data comprises physical parameters, running states and network flow characteristics; acquiring an instruction sequence of the preset digital twin model in the running process, and constructing a behavior model library corresponding to the instruction sequence; identifying a dependent link, a data transmission path and a physical control link through interaction data among virtual entities in the preset digital twin model, and constructing a device connection map; injecting attack traffic into the digital twin model to generate simulation data, training an attack detector in combination with the behavior model library and the device connection map, and judging an attack event according to the detection result of the attack detector; positioning the determined attack event to a starting node of the device connection map, performing iterative deduction from the starting node to determine a plurality of propagation paths, and generating an attack propagation heat map based on each propagation path; screening target nodes whose probability of being attacked is larger than a preset probability threshold in the attack propagation heat map; and tracing the data distortion influence chain of the target node upwards along the dependent link, tracing the physical uncontrolled influence chain of the target node downwards along the physical control link, and generating an attack propagation simulation deduction report of the industrial equipment according to the target node, the data distortion influence chain and the physical uncontrolled influence chain.
- 2. The method of claim 1, wherein acquiring the device data of the industrial device and synchronizing the acquired data to the preset digital twin model based on the mapping relationship between the acquired data and a virtual entity in the preset digital twin model comprises: determining a programmable logic controller, a servo motor and an industrial control protocol state machine associated with the industrial equipment; collecting a register value of the programmable logic controller and the rotating speed and torque of the servo motor as the physical parameters, and collecting a working mode and a process occupancy rate of the industrial control protocol state machine as the running state; receiving a message header and an industrial control protocol instruction of the industrial equipment as the network flow characteristics; creating a virtual entity containing attribute fields for the industrial equipment in the preset digital twin model, and establishing the correspondence between the physical parameters, the running state and the network flow characteristics on the one hand and the attribute fields of the virtual entity on the other as the mapping relation; and synchronizing the equipment data to the attribute fields of the virtual entity through the mapping relation, and driving the preset digital twin model to operate.
- 3. The method of claim 1, wherein identifying the dependent link, the data transmission path and the physical control link, and constructing the device connection map, comprises: extracting communication messages and instruction call records among virtual entities in the preset digital twin model from the interaction data; identifying, according to the communication messages and the instruction call records, a data reading request and a control instruction sent by an upper computer virtual entity to a lower controller virtual entity, and taking the communication link corresponding to the data reading request and the communication link corresponding to the control instruction as the dependent link; collecting the data flow direction between the virtual entities as the data transmission path; identifying, by analyzing the time stamps of attribute changes of the virtual entities in time sequence, an actuator-sensor pairing relation in which the moment at which an actuator virtual entity sends an action instruction is earlier than the moment at which the reading of a sensor virtual entity changes, and taking the link corresponding to the actuator-sensor pairing relation as the physical control link; and constructing the device connection map based on the dependent link, the data transmission path and the physical control link, wherein map nodes in the device connection map correspond to industrial equipment, and map edges correspond to connection relations among virtual entities.
- 4. The method of claim 1, wherein injecting attack traffic into the digital twin model to generate simulation data, training an attack detector in combination with the behavior model library and the device connection map, and determining an attack event according to the detection result of the attack detector comprises: driving the simulation operation of the preset digital twin model to generate reference data, injecting industrial control protocol vulnerability attack traffic, instruction attack traffic and lateral movement attack traffic into a virtual entity of the preset digital twin model at a preset time node, and collecting the operation data after the injection of the attack traffic as simulation data; training an attack detector comprising a plurality of detection modules using the reference data and the simulation data to obtain the abnormal confidence coefficient output by each detection module, wherein the detection modules comprise a flow characteristic detection module, a behavior deviation detection module and a communication abnormality detection module; acquiring the historical recall rate and hit rate of each detection module, and determining the detection weight corresponding to each detection module according to its historical recall rate and hit rate; and carrying out a weighted calculation over the abnormal confidence coefficients of the detection modules based on the detection weights to obtain a target confidence coefficient, and judging that an attack event exists when the target confidence coefficient exceeds a preset threshold value.
- 5. The method of claim 1, wherein positioning the determined attack event to a starting node of the device connection map, performing iterative deduction from the starting node to determine a plurality of propagation paths, and generating an attack propagation heat map based on each of the propagation paths, comprises: positioning the starting node in the device connection map according to the source address of the attack event, and extracting the adjacent nodes connected to the starting node along the data transmission path; extracting the communication frequency and data sensitivity of the connection edges of the adjacent nodes, extracting the vulnerability information and service importance of the connection edges of the adjacent nodes, and carrying out weighted fusion of the communication frequency, the data sensitivity, the vulnerability information and the service importance to determine the probability of each adjacent node being compromised; rejecting the adjacent nodes whose probability of being compromised is less than a reference probability threshold, marking the remaining adjacent nodes as compromised nodes, and generating a plurality of propagation paths from the starting node to each compromised node; and generating the attack propagation heat map based on the probability of being compromised of each adjacent node in each propagation path.
- 6. The method of claim 5, wherein positioning the starting node in the device connection map according to the source address of the attack event comprises: extracting the source IP address, source port and source equipment identifier associated with the attack event as the source address; traversing each map node in the device connection map, and matching the IP address, port information and equipment identifier marked on each map node against the source address; determining a map node whose matching degree is larger than a preset matching degree threshold as the starting node; and, when a plurality of map nodes with a matching degree larger than the preset matching degree threshold exist, calculating the time difference between the time stamp of the attack event and the latest activity time of each such map node, and selecting the map node with the smallest time difference as the starting node.
- 7. The method of claim 1, wherein tracing the data distortion influence chain of the target node upwards along the dependent link, tracing the physical uncontrolled influence chain of the target node downwards along the physical control link, and generating the attack propagation simulation deduction report of the industrial equipment according to the target node, the data distortion influence chain and the physical uncontrolled influence chain comprises: based on the dependent link, recursively tracing from the target node to upper-layer equipment, identifying the upstream equipment nodes that receive data from the target node, and connecting the upstream equipment nodes in series to form the data distortion influence chain; based on the physical control link, recursively tracing from the target node to lower-layer equipment, identifying the downstream equipment nodes controlled by the target node, and connecting the downstream equipment nodes in series to form the physical uncontrolled influence chain; injecting abnormal data and erroneous instructions into the target node through the preset digital twin model for simulation verification, and recording the service interruption duration of each device in the data distortion influence chain and the parameter offset of each device in the physical uncontrolled influence chain; and structuring the data distortion influence chain, the physical uncontrolled influence chain, the service interruption durations and the parameter offsets to generate an attack propagation simulation deduction report in a preset format.
- 8. An industrial internet attack propagation simulation deduction system comprising one or more processors and memory, the memory coupled to the one or more processors, the memory for storing computer program code comprising computer instructions that the one or more processors invoke to cause the industrial internet attack propagation simulation deduction system to perform the method of any of claims 1-7.
- 9. A computer readable storage medium comprising instructions which, when run on an industrial internet attack propagation simulation deduction system, cause the industrial internet attack propagation simulation deduction system to perform the method according to any one of claims 1-7.
- 10. A computer program product, characterized in that the computer program product, when run on an industrial internet attack propagation simulation deduction system, causes the industrial internet attack propagation simulation deduction system to perform the method according to any one of claims 1-7.
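The weighted fusion of detector outputs in claim 4 is the part of the method a detection engineer would implement first, so here is an added worked example in Python. It is not code from the patent or its assignee. The claim only says that each module's detection weight is derived from its historical recall rate and hit rate; the specific rule used here (the F1 score of the two rates, normalised so the weights sum to one) and the module statistics, confidences and threshold are constructed assumptions.

```python
"""Weighted fusion of per-module abnormal confidences (claim 4 of the patent).

Added example, not the patent's own implementation. Assumed weighting rule:
F1 score of each module's historical recall and hit rate, normalised to sum 1.
All statistics and confidences below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleStats:
    name: str
    recall: float     # historical recall rate of this detection module
    hit_rate: float   # historical hit rate (precision) of this module


def detection_weights(stats: list[ModuleStats]) -> dict[str, float]:
    """Derive one normalised detection weight per module (assumed F1 rule)."""
    raw: dict[str, float] = {}
    for s in stats:
        if not (0.0 <= s.recall <= 1.0 and 0.0 <= s.hit_rate <= 1.0):
            raise ValueError(f"rates for {s.name} must lie in [0, 1]")
        denom = s.recall + s.hit_rate
        raw[s.name] = 0.0 if denom == 0 else 2 * s.recall * s.hit_rate / denom
    total = sum(raw.values())
    if total == 0:
        # No module has any historical credibility yet: fall back to equal weights
        # rather than dividing by zero (an edge case the claim does not address).
        return {s.name: 1.0 / len(stats) for s in stats}
    return {name: w / total for name, w in raw.items()}


def target_confidence(confidence: dict[str, float], weights: dict[str, float]) -> float:
    """Weighted sum of the abnormal confidence coefficients of all modules."""
    missing = set(weights) - set(confidence)
    if missing:
        raise KeyError(f"no confidence reported by modules: {sorted(missing)}")
    return sum(weights[m] * confidence[m] for m in weights)


def judge_attack(confidence: dict[str, float], stats: list[ModuleStats],
                 threshold: float = 0.6) -> tuple[float, bool]:
    """Return (target confidence, attack event flag) per claim 4."""
    fused = target_confidence(confidence, detection_weights(stats))
    return fused, fused > threshold


# Constructed sample: the three modules named in claim 4.
SAMPLE_STATS = [
    ModuleStats("flow_characteristic", recall=0.9, hit_rate=0.8),
    ModuleStats("behavior_deviation", recall=0.6, hit_rate=0.9),
    ModuleStats("communication_abnormality", recall=0.5, hit_rate=0.5),
]
# Constructed confidences for one observation window of simulation data.
SAMPLE_CONFIDENCE = {
    "flow_characteristic": 0.9,
    "behavior_deviation": 0.7,
    "communication_abnormality": 0.2,
}
BENIGN_CONFIDENCE = {
    "flow_characteristic": 0.3,
    "behavior_deviation": 0.2,
    "communication_abnormality": 0.1,
}

if __name__ == "__main__":
    print(detection_weights(SAMPLE_STATS))
    print(judge_attack(SAMPLE_CONFIDENCE, SAMPLE_STATS))
    print(judge_attack(BENIGN_CONFIDENCE, SAMPLE_STATS))
```

With these sample rates the flow characteristic module (highest recall and hit rate) receives the largest weight, so a high confidence from it pushes the fused value over the threshold even though the communication module reports almost nothing; the benign window stays well below it. Whatever rule is chosen for the weights, the historical recall and hit rate should be recomputed from labelled incidents periodically, otherwise a module that has degraded keeps its old influence.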
Description
Industrial Internet attack propagation simulation deduction method, system, medium and product
Technical Field
The application relates to the technical field of data processing, in particular to an industrial Internet attack propagation simulation deduction method, an industrial Internet attack propagation simulation deduction system, a medium and a product.
Background
With the development of the industrial age, industrial internet technology is widely applied in fields such as manufacturing, energy and transportation. The industrial internet realizes the intelligence and automation of the production process by interconnecting industrial equipment, control systems, management systems and the like. However, as the networking of industrial equipment increases, the network security threats faced by industrial systems are also becoming increasingly severe. The network attack events suffered by industrial control systems frequently cause continually rising economic losses and seriously threaten the safe and stable operation of industrial production. At present, the security protection of the industrial Internet mainly adopts traditional network security technologies such as abnormal traffic detection and vulnerability scanning. These techniques typically detect and defend on the basis of known attack signatures. However, in practical application, complex dependency relationships exist between the internal devices of an industrial system, so when an attack event occurs and only known attack features are used for detection and defense, the diffusion trend of the attack is often difficult to determine accurately and the associated influence of each link of the system is ignored; the accuracy of industrial Internet attack propagation simulation deduction is thereby reduced, and the emergency response to the security event is poor.
Disclosure of Invention
The application provides an industrial Internet attack propagation simulation deduction method, an industrial Internet attack propagation simulation deduction system, a medium and a product, which can improve the accuracy of industrial Internet attack propagation simulation deduction. In a first aspect of the present application, there is provided an industrial internet attack propagation simulation deduction method, including: acquiring equipment data of industrial equipment, and synchronizing the acquired data to a preset digital twin model based on a mapping relation between the acquired data and a virtual entity in the preset digital twin model, wherein the equipment data comprises physical parameters, running states and network flow characteristics; acquiring an instruction sequence of the preset digital twin model in the running process, and constructing a behavior model library corresponding to the instruction sequence; identifying a dependent link, a data transmission path and a physical control link through interaction data among virtual entities in the preset digital twin model, and constructing a device connection map; injecting attack traffic into the digital twin model to generate simulation data, training an attack detector in combination with the behavior model library and the device connection map, and judging an attack event according to the detection result of the attack detector; positioning the determined attack event to a starting node of the device connection map, performing iterative deduction from the starting node to determine a plurality of propagation paths, and generating an attack propagation heat map based on each propagation path; screening target nodes whose probability of being attacked is larger than a preset probability threshold in the attack propagation heat map; and tracing the data distortion influence chain of the target node upwards along the dependent link, tracing the physical uncontrolled influence chain of the target node downwards along the physical control link, and generating an attack propagation simulation deduction report of the industrial equipment according to the target node, the data distortion influence chain and the physical uncontrolled influence chain.
By adopting this technical scheme, device data such as the physical parameters, running states and network flow characteristics of the industrial device are synchronized to the preset digital twin model, and the device connection map is constructed from the interaction data among the virtual entities, so that complex relations such as dependent links, data transmission paths and physical control links among the internal devices of the industrial system can be reflected comprehensively. At the same time, simulation data are generated by injecting attack traffic into the digital twin model, the attack detector is trained in combination with the behavior model library corresponding to the instruction sequence and the device connection map, and the attack event can be found in a timely manner, the starting node o
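The propagation deduction, starting-node location and influence-chain tracing of claims 5 to 7 (restated in the disclosure above) fit together as one graph procedure, so here is an added worked example in Python that runs the whole chain on a small constructed device connection map. It is not the patent's or the assignee's code. Points the claims leave open and that are assumed here: the four edge features are fused with equal weights; an adjacent node's compromise probability is the parent's probability multiplied by the fused edge score; the matching degree of claim 6 is the fraction of the three address fields that match; the sample map, the attack event and all thresholds are constructed.

```python
"""Device connection map, propagation deduction and influence-chain tracing
(claims 5 to 7). Added example; assumptions and sample data are constructed."""
from collections import deque

# Assumed fusion weights for the four edge features named in claim 5.
FUSION_WEIGHTS = {"comm_freq": 0.25, "data_sensitivity": 0.25,
                  "vulnerability": 0.25, "service_importance": 0.25}
ADDRESS_FIELDS = ("ip", "port", "device_id")   # source address fields, claim 6


class DeviceConnectionMap:
    """Nodes are devices; edges are typed: 'data' (data transmission path),
    'dependent' (upper computer -> lower controller) or 'physical' (control link)."""

    def __init__(self):
        self.nodes: dict[str, dict] = {}
        self.edges: list[tuple[str, str, str, dict]] = []

    def add_node(self, nid, ip, port, device_id, last_active):
        self.nodes[nid] = {"ip": ip, "port": port, "device_id": device_id,
                           "last_active": last_active}

    def add_edge(self, src, dst, kind, **features):
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError(f"unknown node on edge {src}->{dst}")
        self.edges.append((src, dst, kind, features))

    def out_edges(self, nid, kind):
        return [(d, f) for s, d, k, f in self.edges if s == nid and k == kind]

    def in_edges(self, nid, kind):
        return [(s, f) for s, d, k, f in self.edges if d == nid and k == kind]


def compromise_score(features: dict) -> float:
    """Weighted fusion of the edge features (claim 5); all features in [0, 1]."""
    missing = set(FUSION_WEIGHTS) - set(features)
    if missing:
        raise KeyError(f"edge lacks features {sorted(missing)}")
    return sum(FUSION_WEIGHTS[k] * features[k] for k in FUSION_WEIGHTS)


def locate_start_node(g, source: dict, event_ts: float, match_threshold=0.6) -> str:
    """Claim 6: best address match, ties broken by smallest time difference."""
    candidates = []
    for nid, attrs in g.nodes.items():
        degree = sum(attrs[f] == source[f] for f in ADDRESS_FIELDS) / len(ADDRESS_FIELDS)
        if degree > match_threshold:
            candidates.append((abs(event_ts - attrs["last_active"]), nid))
    if not candidates:
        raise LookupError("no map node matches the attack source address")
    return min(candidates)[1]


def deduce_propagation(g, start: str, ref_threshold=0.3):
    """Claim 5: iterate from the start node along data transmission paths,
    reject adjacent nodes below the reference threshold, keep best-path probabilities.
    Returns (heat map: node -> probability, paths: node -> propagation path)."""
    prob, paths, queue = {start: 1.0}, {start: [start]}, deque([start])
    while queue:
        u = queue.popleft()
        for v, feats in g.out_edges(u, "data"):
            p = prob[u] * compromise_score(feats)    # assumed propagation rule
            if p < ref_threshold:
                continue                             # rejected adjacent node
            if p > prob.get(v, 0.0):                 # strict improvement: terminates
                prob[v], paths[v] = p, paths[u] + [v]
                queue.append(v)
    return prob, paths


def trace_chain(g, node: str, kind: str, upstream: bool) -> list[str]:
    """Claim 7: breadth-first recursive trace along one link type, cycle-safe."""
    chain, seen, frontier = [], {node}, [node]
    while frontier:
        nxt = []
        for n in frontier:
            step = g.in_edges(n, kind) if upstream else g.out_edges(n, kind)
            for m, _ in step:
                if m not in seen:
                    seen.add(m); chain.append(m); nxt.append(m)
        frontier = nxt
    return chain


def build_report(g, heat: dict, paths: dict, target_threshold=0.4) -> dict:
    """Screen target nodes above the threshold and attach both influence chains."""
    targets = sorted((n for n, p in heat.items() if p > target_threshold), key=lambda n: -heat[n])
    return {n: {"probability": round(heat[n], 4), "path": paths[n],
                "data_distortion_chain": trace_chain(g, n, "dependent", upstream=True),
                "physical_uncontrolled_chain": trace_chain(g, n, "physical", upstream=False)}
            for n in targets}


def build_sample_map() -> DeviceConnectionMap:
    """Constructed plant fragment: HMI, two PLCs, a valve, a flow sensor, a historian."""
    g = DeviceConnectionMap()
    g.add_node("hmi", "10.0.0.10", 44818, "HMI-01", last_active=990)
    g.add_node("hmi_backup", "10.0.0.10", 44818, "HMI-02", last_active=900)  # exercises tie-break
    for nid, ip, port, dev in [("plc1", "10.0.0.21", 502, "PLC-01"), ("plc2", "10.0.0.22", 502, "PLC-02"),
                               ("valve1", "10.0.1.5", 0, "VLV-01"), ("flow_sensor1", "10.0.1.6", 0, "FT-01"),
                               ("historian", "10.0.0.50", 1433, "HIST-01")]:
        g.add_node(nid, ip, port, dev, last_active=950)
    g.add_edge("hmi", "plc1", "data", comm_freq=0.8, data_sensitivity=0.6, vulnerability=0.5, service_importance=0.9)
    g.add_edge("plc1", "plc2", "data", comm_freq=0.6, data_sensitivity=0.5, vulnerability=0.7, service_importance=0.8)
    g.add_edge("plc1", "valve1", "data", comm_freq=0.5, data_sensitivity=0.4, vulnerability=0.3, service_importance=0.9)
    g.add_edge("plc2", "historian", "data", comm_freq=0.2, data_sensitivity=0.3, vulnerability=0.1, service_importance=0.2)
    g.add_edge("hmi", "plc1", "dependent"); g.add_edge("hmi", "plc2", "dependent")
    g.add_edge("plc1", "valve1", "physical"); g.add_edge("valve1", "flow_sensor1", "physical")
    return g


SAMPLE_EVENT = {"source": {"ip": "10.0.0.10", "port": 44818, "device_id": "HMI-01"}, "timestamp": 1000}


def run_demo() -> dict:
    g = build_sample_map()
    start = locate_start_node(g, SAMPLE_EVENT["source"], SAMPLE_EVENT["timestamp"])
    heat, paths = deduce_propagation(g, start)
    return build_report(g, heat, paths)


if __name__ == "__main__":
    for node, entry in run_demo().items():
        print(node, entry)
```

On the sample map the historian is rejected because the weak data edge from plc2 drops its probability below the reference threshold, while the valve is reached only through the PLC, which is what the heat map should show an operator. The PLC's report entry then lists the HMI as the upstream data distortion chain and the valve and flow sensor as the downstream physical uncontrolled chain, which is the pairing of information-level and physical-level consequences the method is built to surface.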