工业信息物理系统安全风险动态表现分析量化评估模型

针对当前工业信息物理系统的安全风险评估模型极少考虑系统的动态进程对评估准确性的影响,给出一种工业信息物理系统安全风险动态表现分析量化评估模型.首先,运用贝叶斯网络对攻击在网络层的入侵过程建模,计算网络攻击成功入侵的概率;然后,在攻击成功入侵的前提下,采用卡尔曼状态观测器实时观测被控对象的状态,研究系统的动态表现,定量分析系统的表现损失,从经济损失的角度量化攻击对系统造成的影响,并结合攻击成功入侵的概率,实现对系统安全风险的动态评估.最后,通过Matlab对攻击下沸水发电厂模型的运行状态进行仿真,结果表明所提模型能有效地评估工业信息物理系统的风险.     

基于多阶段网络攻击的网络风险评估方法研究

由于黑客的频繁入侵,对网络信息系统进行风险评估显得日益重要。为了获得对网络系统更实际的风险评估结果,文中引入了一个新的概念:漏洞关联性(VulnerabilityCorrelation),从黑客展开对网络的多阶段攻击入手,利用各种扫描器对网络扫描的大量漏洞信息,构造漏洞关联库,形成多条网络攻击链,从而计算出网络的风险评估值。与其他评估方法相比,论文的方法能更好地体现在面临黑客攻击时网络所存在的风险。     

基于攻击树与CVSS的工业控制系统风险量化评估

针对如何进行工业控制系统(ICS)全面客观的风险量化评估与分析,提出了一种新的ICS风险量化评估方法。该方法首先建立系统攻击树与攻击者模型,然后根据ICS的安全特性利用CVSS对攻击树叶子节点进行综合客观的量化,并给出资产价值损失的复数表达式,结合概率风险评估方法分别计算得到攻击序列、目标节点的风险概率与风险值。最后通过攻击者模型综合攻击序列与攻防两端的分析,提取系统最大风险环节与组件。案例分析表明该方法能减少风险要素量化过程中人为主观因素的影响,得到风险的综合定量描述,并找到系统最大风险环节和最需要防护的组件,从而采取有针对性的防护措施实现合理高效的风险消除和规避,验证了该方法的有效性与可行性。     

一种基于攻击图的漏洞风险评估方法

传统的安全漏洞评估方法只是孤立地对单个漏洞进行评估,评估结果不能反映出漏洞对整个网络的影响程度。针对这个问题,提出了一种新的漏洞风险评估方法。该方法根据攻击图中漏洞间的依赖关系与漏洞的CVSS评分,首先计算出漏洞被利用的可能性与被利用后对整个网络的危害程度,并在此基础上计算出漏洞具有的风险值。由该方法计算出的漏洞风险能够准确地反映出漏洞对整个网络的影响程度,并通过实验证明了该方法的准确性与有效性。     

基于攻击图的分布式网络风险评估方法

对信息系统进行有效的风险评估,选择有效的防范措施,主动防御信息威胁,是解决信息系统安全问题的关键所在。将攻击图模型应用于信息安全的风险评佑。首先针对信息安全风险评佑的不确定性和复杂性,将脆弱点关联技术用于风险评估。其次,针对攻击图所描述的攻击路径对于定量指标的分析缺乏相应的处理能力,而风险因素的指标值具有很大的不确定性等问题,采用攻击路径形成概率对信息安全的风险因素的指标进行量化,对原子攻击成功概率进行预处理,提出了基于攻击图模型的分布式风险评佑方法。该方法充分利用网络系统中各个主机的计算能力,极大地缩短了攻击图生成时间。     

基于攻击图的网络风险计算方法

为了及时发现网络中潜在的攻击威胁、计算网络的潜在风险,提出了一种基于攻击图的网络风险计算方法。通过关联网络中的漏洞建立攻击图、发现潜在的攻击序列和威胁,从而计算网络潜在的风险值。此方法考虑了攻击路径权重和资产权重对网络风险的影响,使计算结果更符合实际情况。实验结果表明,提出的风险计算方法能够准确和有效地计算网络的潜在风险。     

基于贝叶斯攻击图的最优安全防护策略选择模型

目前基于攻击图的网络安全主动防御技术在计算最优防护策略时,很少考虑网络攻击中存在的不确定性因素。为此,提出一种基于贝叶斯攻击图的最优防护策略选择（Optimal Hardening Measures Selection based on Bayesian Attack Graphs,HMSBAG）模型。该模型通过漏洞利用成功概率和攻击成功概率描述攻击行为的不确定性;结合贝叶斯信念网络建立用于描述攻击行为中多步原子攻击间因果关系的概率攻击图,进而评估当前网络风险;构建防护成本和攻击收益的经济学指标及指标量化方法,运用成本-收益分析方法,提出了基于粒子群的最优安全防护策略选择算法。实验验证了该模型在防护策略决策方面的可行性和有效性,有效降低网络安全风险。     

基于生命周期理论的安全漏洞时间风险研究

为合理、科学地识别信息安全风险评估中安全漏洞的真实危害程度,引入安全漏洞生命周期概念,提出安全漏洞的时间风险模型。该模型利用早期报道的攻击事件统计量对安全漏洞进行攻击预测估计,根据结果计算出安全漏洞的攻击热度,结合漏洞攻击技术发展水平对安全漏洞时间维度上的风险进行评估。以Phf漏洞为例进行分析,结果表明,该风险评估模型可以真实、动态地反映出安全漏洞时间 风险。     

基于期望收益率攻击图的网络风险评估研究

随着互联网应用和服务越来越广泛,层出不穷的网络攻击活动导致信息系统的安全面临极大的风险挑战。攻击图作为基于模型的网络安全风险分析技术,有助于发现网络节点间的脆弱性和评估被攻击的危害程度,已被证实是发现和预防网络安全问题的有效方法。攻击图主要分为状态攻击图和属性攻击图,由于状态攻击图存在状态爆炸的问题,研究者大多偏向于基于属性攻击图的网络风险评估研究。针对现有的属性攻击图研究过度依赖网络节点本身脆弱性和原子攻击本质属性进行量化分析,忽略了理性攻击者通常以攻击利益最大化来选择具体的攻击路径,提出了基于期望收益率攻击图的网络风险评估框架和攻击收益率量化模型。所提网络风险评估框架以公开的漏洞资源库、漏洞挖掘系统发现的新漏洞以及与网络攻防相关的大数据为基础数据源,以开源大数据平台为分析工具,挖掘计算攻击成本和攻击收益相关要素;借用经济学中的有关成本、收益以及收益率等概念构建原子攻击期望收益率计算模型;通过构建目标网络的属性攻击图,计算攻击路径上的原子攻击期望收益率,生成所有可能攻击路径的期望收益率列表;以期望目标为出发点,依据特定的优化策略（回溯法、贪心算法、动态规划）展开搜索,得到最大收益率的完整攻击路径,为网络风险评估提供依据。仿真实验结果表明了所提期望收益率攻击图网络风险评估方法的有效性及合理性,能够为发现和预防网络安全问题提供支撑。     

基于攻击图的多Agent网络安全风险评估模型

为了自主保障计算机网络的安全并对网络安全风险进行自动化评估,提出一种基于攻击图的多Agcnt网络安全风险评估模型(Multi-agents Risk Evaluation Model Based on Attack Uraph, MREMBAG)。首先提出网络风险评佑模型,设计了主从Agent的功能架构和关联关系分析流程。利用全局攻击图生成算法,以动态数据信息作为输入,通过主从Agcnt协同分析并构建攻击路径。基于对目标网络的攻击路径、组件、主机、网络的风险指数、漏洞及关联风险指数的计算,获取目标网络的安全风险指标仿真实验结果验证了该评佑方法的可行性和有效性。     

Dependency-based security risk assessment for cyber-physical systems

A cyber-physical attack is a security breach in cyber space that impacts on the physical environment. The number and diversity of such attacks against Cyber-Physical Systems (CPSs) are increasing at impressive rates. In times of Industry 4.0 and Cyber-Physical Systems, providing security against cyber-physical attacks is a serious challenge which calls for cybersecurity risk assessment methods capable of investigating the tight interactions and interdependencies between the cyber and the physical components in such systems. However, existing risk assessment methods do not consider this specific characteristic of CPSs. In this paper, we propose a dependency-based, domain-agnostic cybersecurity risk assessment method that leverages a model of the CPS under study that captures dependencies among the system components. The proposed method identifies possible attack paths against critical components of a CPS by taking an attacker’s viewpoint and prioritizes these paths according to their risk to materialize, thus allowing the defenders to define efficient security controls. We illustrate the workings of the proposed method by applying it to a case study of a CPS in the energy domain, and we highlight the advantages that the proposed method offers when used to assess cybersecurity risks in CPSs.

     

信息物理融合系统网络安全综述

信息物理融合系统（cyber-physical systems， CPS）是集计算、通信和控制于一体的智能系统，实现网络和物理的深度协作和有机融合.目前CPS在关键的基础设施、政府机构等领域发挥着越来越重要的作用.由于物理限制，计算机和网络产生的安全漏洞会导致CPS遭受巨大的破坏，同时还会引起经济损失、社会动乱等连锁反应，所以研究CPS的安全问题对于确保系统安全运行具有重要意义.本文结合国内外的研究现状，概述了CPS安全控制和攻击检测的最新进展.首先本文总结了CPS典型的系统建模以满足对系统性能分析的需要.然后介绍了3种典型的网络攻击，即拒绝服务攻击、重放攻击和欺骗攻击.根据检测方法的类别，对CPS攻击检测的发展进行的概述.此外还讨论了系统的安全控制和状态估计.最后总结和展望了CPS网络安全面临的挑战和未来的研究方向.     

Coordinated cyber‐physical attacks considering DoS attacks in power systems

The smart grid faces a variety of physical and cyber attacks. Coordinated cyber‐physical attacks can cause severer consequences than the single cyber or physical attacks, which can be divided into two categories according to whether the physical attack is stealthy or not. Coordinated cyber‐physical attacks considering DoS attacks are investigated due to the lower cost of DoS attacks. In each category of coordinated cyber‐physical attacks, the mathematical models are derived and suitable methods are adopted to solve the corresponding issue. The experimental simulation demonstrates the potentially damaging effects and threats of this newly proposed attack. It is also presented that this newly proposed attack can use lower attack resources to introduce more catastrophic effects on the power system.     

Cross‐layer security design for encrypted CPS based on modified security signalling game

Recent years have witnessed increasing cyber and physical attacks against encrypted cyber‐physical system (CPS) and the ensuing catastrophic consequences. A modified security signaling game (MSSG) model is proposed for capturing attack‐defense interactions and analyzing the cross‐layer security of encrypted CPS. Cyber real‐time performance and physical control performance are both considered in cross‐layer utility function. Theorems concerning the existence of pure‐strategy and mixed‐strategy perfect Bayesian Nash equilibrium (PBNE) are provided, based on which a cross‐layer security design algorithm is proposed for defender's optimal strategy against potential attacks. A numerical case is studied with the effectiveness of our method being proved.     

A Survey of Cyber Attacks on Cyber Physical Systems: Recent Advances and Challenges

A cyber physical system (CPS) is a complex system that integrates sensing, computation, control and networking into physical processes and objects over Internet. It plays a key role in modern industry since it connects physical and cyber worlds. In order to meet ever-changing industrial requirements, its structures and functions are constantly improved. Meanwhile, new security issues have arisen. A ubiquitous problem is the fact that cyber attacks can cause significant damage to industrial systems, and thus has gained increasing attention from researchers and practitioners. This paper presents a survey of state-of-the-art results of cyber attacks on cyber physical systems. First, as typical system models are employed to study these systems, time-driven and event-driven systems are reviewed. Then, recent advances on three types of attacks, i.e., those on availability, integrity, and confidentiality are discussed. In particular, the detailed studies on availability and integrity attacks are introduced from the perspective of attackers and defenders. Namely, both attack and defense strategies are discussed based on different system models. Some challenges and open issues are indicated to guide future research and inspire the further exploration of this increasingly important area.      

Integrated moving target defense and control reconfiguration for securing Cyber-Physical systems

With the increasingly connected nature of Cyber-Physical Systems (CPS), new attack vectors are emerging that were previously not considered in the design process. Specifically, autonomous vehicles are one of the most at risk CPS applications, including challenges such as a large amount of legacy software, non-trusted third party applications, and remote communication interfaces. With zero day vulnerabilities constantly being discovered, an attacker can exploit such vulnerabilities to inject malicious code or even leverage existing legitimate code to take over the cyber part of a CPS. Due to the tightly coupled nature of CPS, this can lead to altering physical behavior in an undesirable or devastating manner. Therefore, it is no longer effective to reactively harden systems, but a more proactive approach must be taken. Moving target defense (MTD) techniques such as instruction set randomization (ISR), and address space randomization (ASR) have been shown to be effective against code injection and code reuse attacks. However, these MTD techniques can result in control system crashing which is unacceptable in CPS applications since such crashing may cause catastrophic consequences. Therefore, it is crucial for MTD techniques to be complemented by control reconfiguration to maintain system availability in the event of a cyber-attack. This paper addresses the problem of maintaining system and security properties of a CPS under attack by integrating moving target defense techniques, as well as detection, and recovery mechanisms to ensure safe, reliable, and predictable system operation. Specifically, we consider the problem of detecting code injection as well as code reuse attacks, and reconfiguring fast enough to ensure the safety and stability of autonomous vehicle controllers are maintained. By using MTD such as ISR, and ASR, our approach provides the advantage of preventing attackers from obtaining the reconnaissance knowledge necessary to perform code injection and code reuse attacks, making sure attackers can’t find vulnerabilities in the first place. Our system implementation includes a combination of runtime MTD utilizing AES 256 ISR and fine grained ASR, as well as control management that utilizes attack detection, and reconfiguration capabilities. We evaluate the developed security architecture in an autonomous vehicle case study, utilizing a custom developed hardware-in-the-loop testbed.     

Cyber–physical risk assessment for false data injection attacks considering moving target defences

In this paper, we examine the factors that influence the success of false data injection (FDI) attacks in the context of both cyber and physical styles of reinforcement. Existing research considers the FDI attack in the context of the ability to change a measurement in a static system only. However, successful attacks will require first intrusion into a system followed by construction of an attack vector that can bypass bad data detection to cause a consequence (such as overloading). Furthermore, the recent development of moving target defences (MTD) introduces dynamically changing system topology, which is beyond the capability of existing research to assess. In this way, we develop a full service framework for FDI risk assessment. The framework considers both the costs of system intrusion via a weighted graph assessment in combination with a physical, line overload-based vulnerability assessment under the existence of MTD. We present our simulations on a IEEE 14-bus system with an overlain RTU network to model the true risk of intrusion. The cyber model considers multiple methods of entry for the FDI attack including meter intrusion, RTU intrusion and combined style attacks. Post-intrusion, our physical reinforcement model analyses the required level of topology divergence to protect against a branch overload from an optimised attack vector. The combined cyber and physical index is used to represent the system vulnerability against FDIA.

     

离散事件系统框架下信息物理系统攻击问题综述

信息物理系统(cyber physical system, CPS)由受控对象、传感器、执行器、监控器和通信网络组成,通信网络的使用增加了信息物理系统面临外部攻击的风险.鉴于此,综述基于离散事件系统框架处理信息物理系统攻击问题的相关研究工作.首先对信息物理系统进行简要介绍;然后对信息物理系统中的攻击进行分类;最后重点阐述信息物理系统中攻击策略的设计、攻击的检测与防御以及攻击鲁棒性监控器设计的研究现状.     

基于动态故障树的信息物理融合系统风险分析

针对信息物理融合系统（CPS）中的网络安全攻击会导致系统失效的问题，提出一种基于动态故障树的CPS风险建模及分析方法。首先，对动态故障树和攻击树集成建模，构建攻击-动态故障树（Attack-DFTs）模型；然后，分别采用二元决策图和输入输出马尔可夫链给出攻击-动态故障树中的静态子树和动态子树的形式化模型，并在此基础上给出攻击-动态故障树的定性分析方法，即分析网络安全攻击导致系统失效的基本事件路径；最后，通过一个典型的排污系统应用实例对方法的有效性进行验证。案例分析结果表明，所提方法能够分析CPS中由于网络安全攻击导致系统失效的事件序列，有效实现了CPS的综合安全评估。     

基于攻防树的APT风险分析方法

针对目前缺少APT攻击中系统威胁风险评估理论模型的问题,提出了一种基于攻防树的网络攻击风险分析方法。将APT攻击过程分为攻击阶段与防护阶段,定义不同阶段内的参数计算方法,首先通过漏洞收集和攻击事件捕获构建攻击行为节点,并将防护对策映射为防护行为节点;其次形式化定义了漏洞成功利用概率、攻击成本、防护成本和系统损失度等参数,利用ADTool工具生成攻防树和节点参数值;然后引入攻击回报与防护回报的概念,作为系统风险分析的依据;最后构建了基于攻防树的攻击风险分析框架,并通过一个APT攻击实例对框架效果进行了验证。计算结果表明,可通过攻击回报等参数数值的变化评估采取防护对策的效果。该方法对攻防双方策略互相影响的场景描述更加贴近实际,实现了系统威胁风险度分析与防护策略效果评估的目的。