面向工控系统漏洞的多维属性评估

计算机工程与科学 ›› 2023, Vol. 45 ›› Issue (02): 261-268.

• 计算机网络与信息安全 • 上一篇下一篇

面向工控系统漏洞的多维属性评估

李彤彤1,3，王诗蕊2，张耀方1,3，王佰玲1,3，王子博1,3，刘红日1,4

（1.哈尔滨工业大学(威海)计算机科学与技术学院,山东威海 264209；2.国家工业信息安全发展研究中心,北京 100040；
3.哈尔滨工业大学网络空间安全学院,黑龙江哈尔滨 150001;
4.威海天之卫网络空间安全科技有限公司，山东威海 264209）

收稿日期:2022-03-01 修回日期:2022-09-02 接受日期:2023-02-25 出版日期:2023-02-25 发布日期:2023-02-15
基金资助:
国防基础科研计划（JCKY2019608B001）

Multi-dimensional attribute analysis of industrial control system vulnerability

LI Tong-tong1,3,WANG Shi-rui2,ZHANG Yao-fang1,3，WANG Bai-ling1,3,WANG Zi-bo1,3,LIU Hong-ri1,4

(1.School of Computer Science and Technology,Harbin Institute of Technology(Weihai),Weihai 264209;
2.China Industrial Control Systems Cyber Emergency Response Team,Beijing 100040;
3.School of Cyberspace Science,Harbin Institute of Technology,Harbin 150001;
4.Weihai Cyberguard Technologies Co.,Ltd.,Weihai 264209,China)

Received:2022-03-01 Revised:2022-09-02 Accepted:2023-02-25 Online:2023-02-25 Published:2023-02-15

摘要/Abstract

摘要： 针对工业控制系统漏洞风险评估角度较为单一且与工控环境联系不紧密问题，提出了面向工业控制系统漏洞的多维属性评估方法。首先，建立了漏洞有效性、风险类别属性判别模板，同时定义漏洞风险程度多维评价指标。其次，提出基于ernieCat的风险程度预测模型，使用漏洞文本描述及漏洞内在评价属性作为融合特征预测漏洞的严重性、危害性以及可利用性等级。结合工业控制系统设备层级关键信息与漏洞风险等级情况，建立多维度量化指标，对工业控制系统漏洞的危害程度进行量化评估。最后，通过实验验证ernieCat模型应用在漏洞风险程度预测方面的优越性。

关键词: 工控系统漏洞, 属性判别, ERNIE模型, 风险评价指标, 量化评估

Abstract: In order to solve the problem that the industrial control system vulnerability risk assessment is simple and not closely related to the industrial control environment, a multi-dimensional attri- bute analysis method of industrial control system vulnerability is proposed. Firstly, a template for discriminating vulnerability attack effectiveness and risk category attributes is established, and multi- dimensional evaluation indicators for the degree of risk vulnerability are defined. Secondly, an automat- ed prediction model of risk level based on ernieCat is proposed, which uses the fusion features of vulnerability text descriptions and the intrinsic evaluation attributes of vulnerabilities to predict the seriousness level, hazard level and exploitability level of industrial vulnerabilities. Besides, this paper combines device-level critical information of industrial control system with vulnerability-level risk situations, and establishes multi-dimensional quantitative evaluation indicators to quantitatively assess the risk hazard level for industrial control system vulnerabilities. Experimental results show that the ernieCat model is superior for predicting vulnerability risk level.

Key words: industrial control system vulnerability, discrimination of attribute, ERNIE model, risk assessment metrics, quantitative assessment

李彤彤, 王诗蕊, 张耀方, 王佰玲, 王子博, 刘红日, . 面向工控系统漏洞的多维属性评估[J]. 计算机工程与科学, 2023, 45(02): 261-268.

LI Tong-tong, WANG Shi-rui, ZHANG Yao-fang, WANG Bai-ling, WANG Zi-bo, LIU Hong-ri, . Multi-dimensional attribute analysis of industrial control system vulnerability[J]. Computer Engineering & Science, 2023, 45(02): 261-268.

参考文献［19］

［1］	Shi Le-yi,Zhu Hong-qiang,Liu Yi-hao, et al.Intrusion detection of industrial control system based on correlation information entropy and CNN-BiLSTM［J］.Journal of Computer Research and Development,2019,56(11):2330-2338.（in Chinese）
［2］	Thomas R J, Chothia T. Learning from vulnerabilities- categorising,understanding and detecting weaknesses in industrial control systems［M］∥Computer Security.Cham:Springer,2020:100-116.
［3］	Zhang Z Y, Han X, Liu Z Y,et al.ERNIE:Enhanced language representation with informative entities［C］∥Proc of the 57th Annual Meeting of the Association for Computational Linguistics,2019:1441-1451.
［4］	Prokhorenkova L,Gusev G,Vorobev A,et al.CatBoost:Unbiased boosting with categorical features［C］∥Proc of the 32nd International Conference on Neural Information Processing Systems,2018:6639-6649.
［5］	Liao Xiao-feng,Wang Yong-ji,Fan Xiu-bin,et al. National security vulnerability database classification based on an LDA topic model［J］.Journal of Tsinghua University(Science and Technology),2012,52(10):1351-1355.（in Chinese）
［6］	Qu Long-yu, Jia Yi-zhen,Hao Yong-le.Automatic classification of vulnerabilities based on CNN and text semantics［J］.Journal of Beijing Institute of Technology,2019,39(7):738-742.（in Chinese）
［7］	Guo Zheng-bin,Zhang Yang-sen,Jiang Yu-ru. Feature vector optimization method for text classification［J］.Application Research of Computers,2017,34(8):2299-2302.（in Chinese）
［8］	Lei Ke-nan,Zhang Yu-Qing,Wu Chen-si,et al. A system for scoring the exploitability of vulnerability based types［J］.Journal of Computer Research and Development 2017,54(10):2296-2309.（in Chinese）
［9］	Kudjo P K,Chen J,Mensah S,et al.The effect of Bellwether analysis on software vulnerability severity prediction models［J］.Software Quality Journal,2020,28(4):1413-1446.
［10］	Fang Y,Liu Y,Huang C,et al.FastEmbed:Predicting vulnerability exploitation possibility based on ensemble machine learning algorithm［J］.PLoS One,2020,15(2):e0228439.
［11］	Feutrill A, Ranathunga D,Yarom Y,et al.The effect of common vulnerability scoring system metrics on vulnerability exploit delay［C］∥Proc of 2018 6th International Symposium on Computing and Networking,2018:1-10.
［12］	Sharma R, Sibal R, Sabharwal S. Software vulnerability prioritization using vulnerability description［J］.International Journal of System Assurance Engineering and Management,2021,12(1):58-64.
［13］	Cherdantseva Y,Burnap P,Blyth A,et al.A review of cyber security risk assessment methods for SCADA systems［J］.Computers & Security,2016,56:1-27.
［14］	Xi Rong-rong,Yun Xiao-chun,Zhang Yong-zheng,et al.An improved quantitative evaluation method for network secu- rity［J］.Chinese Journal of Computers,2015,38(4):749-758.（in Chinese）
［15］	Liu X,Shahidehpour M,Li Z,et al.Power system risk assessment in cyber attacks considering the role of protection systems［J］.IEEE Transactions on Smart Grid,2016,8(2):572-580.
［16］	Tao Yao-dong, Jia Xin-tong,Wu Yun-kun. Industrial control system vulnerability risk assessment method ［J］.Journal of Chinese Computer Systems,2020,41(3):603-609.（in Chinese）
［17］	Chen Q, Bao L, Li L, et al. Categorizing and predicting invalid vulnerabilities on common vulnerabilities and exposures［C］∥Proc of 2018 25th Asia-Pacific Software Engineering Conference,2018:345-354.
［18］	Alaparthi S,Mishra M.BERT:A sentiment analysis odyssey［J］.Journal of Marketing Analytics,2021,9(2):118-126.
［19］	Jia Chi-qian,Feng Dong-qin. Security evaluation for industrial control system based on fuzzy analytic hierarchy process［J］.Journal of Zhejiang University(Applied Physics & Engineering),2016,50(4):759-765.（in Chinese）
［20］	Zhang Y, Wallace B.A sensitivity analysis of (and practitioners guide to) convolutional neural networks for sentence classification［J］.arXiv:1510.03820,2015.
	附中文参考文献:
［1］	石乐义, 朱红强, 刘祎豪, 等.基于相关信息熵和CNN- BiLSTM的工业控制系统入侵检测［J］.计算机研究与发展,2019,56(11):2330-2338.
［5］	廖晓锋,王永吉,范修斌,等.基于LDA主题模型的安全漏洞分类［J］.清华大学学报(自然科学版),2012,52(10):1351-1355.
［6］	曲泷玉,贾依真,郝永乐.结合CNN和文本语义的漏洞自动分类方法［J］.北京理工大学学报,2019,39(7):738-742.
［7］	郭正斌,张仰森,蒋玉茹.一种面向文本分类的特征向量优化方法［J］.计算机应用研究,2017,34(8):2299-2302.
［8］	雷柯楠,张玉清,吴晨思,等.基于漏洞类型的漏洞可利用性量化评估系统［J］.计算机研究与发展,2017,54(10):2296-2309.
［14］	席荣荣,云晓春,张永铮,等.一种改进的网络安全态势量化评估方法［J］.计算机学报,2015,38(4):749-758.
［16］	陶耀东,贾新桐,吴云坤.一种工业控制系统漏洞风险评估方法［J］.小型微型计算机系统,2020,41(3):603-609.
［19］	贾驰千,冯冬芹.基于模糊层次分析法的工控系统安全评估［J］.浙江大学学报(工学版),2016,50(4):759-765.

面向工控系统漏洞的多维属性评估

Multi-dimensional attribute analysis of industrial control system vulnerability

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献［19］

相关文章 0

编辑推荐

Metrics

本文评价

面向工控系统漏洞的多维属性评估

Multi-dimensional attribute analysis of industrial control system vulnerability

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献 ［19］

相关文章 0

编辑推荐

Metrics

本文评价

参考文献［19］