面向工控系统漏洞的多维属性评估

计算机工程与科学 ›› 2023, Vol. 45 ›› Issue (02): 261-268.

• 计算机网络与信息安全 • 上一篇下一篇

面向工控系统漏洞的多维属性评估

李彤彤1,3，王诗蕊2，张耀方1,3，王佰玲1,3，王子博1,3，刘红日1,4

（1.哈尔滨工业大学(威海)计算机科学与技术学院,山东威海 264209；2.国家工业信息安全发展研究中心,北京 100040；
3.哈尔滨工业大学网络空间安全学院,黑龙江哈尔滨 150001;
4.威海天之卫网络空间安全科技有限公司，山东威海 264209）

收稿日期:2022-03-01 修回日期:2022-09-02 接受日期:2023-02-25 出版日期:2023-02-25 发布日期:2023-02-15
基金资助:
国防基础科研计划（JCKY2019608B001）

Multi-dimensional attribute analysis of industrial control system vulnerability

LI Tong-tong1,3,WANG Shi-rui2,ZHANG Yao-fang1,3，WANG Bai-ling1,3,WANG Zi-bo1,3,LIU Hong-ri1,4

(1.School of Computer Science and Technology,Harbin Institute of Technology(Weihai),Weihai 264209;
2.China Industrial Control Systems Cyber Emergency Response Team,Beijing 100040;
3.School of Cyberspace Science,Harbin Institute of Technology,Harbin 150001;
4.Weihai Cyberguard Technologies Co.,Ltd.,Weihai 264209,China)

Received:2022-03-01 Revised:2022-09-02 Accepted:2023-02-25 Online:2023-02-25 Published:2023-02-15

摘要/Abstract

摘要： 针对工业控制系统漏洞风险评估角度较为单一且与工控环境联系不紧密问题，提出了面向工业控制系统漏洞的多维属性评估方法。首先，建立了漏洞有效性、风险类别属性判别模板，同时定义漏洞风险程度多维评价指标。其次，提出基于ernieCat的风险程度预测模型，使用漏洞文本描述及漏洞内在评价属性作为融合特征预测漏洞的严重性、危害性以及可利用性等级。结合工业控制系统设备层级关键信息与漏洞风险等级情况，建立多维度量化指标，对工业控制系统漏洞的危害程度进行量化评估。最后，通过实验验证ernieCat模型应用在漏洞风险程度预测方面的优越性。

关键词: 工控系统漏洞, 属性判别, ERNIE模型, 风险评价指标, 量化评估

Abstract: In order to solve the problem that the industrial control system vulnerability risk assessment is simple and not closely related to the industrial control environment, a multi-dimensional attri- bute analysis method of industrial control system vulnerability is proposed. Firstly, a template for discriminating vulnerability attack effectiveness and risk category attributes is established, and multi- dimensional evaluation indicators for the degree of risk vulnerability are defined. Secondly, an automat- ed prediction model of risk level based on ernieCat is proposed, which uses the fusion features of vulnerability text descriptions and the intrinsic evaluation attributes of vulnerabilities to predict the seriousness level, hazard level and exploitability level of industrial vulnerabilities. Besides, this paper combines device-level critical information of industrial control system with vulnerability-level risk situations, and establishes multi-dimensional quantitative evaluation indicators to quantitatively assess the risk hazard level for industrial control system vulnerabilities. Experimental results show that the ernieCat model is superior for predicting vulnerability risk level.

Key words: industrial control system vulnerability, discrimination of attribute, ERNIE model, risk assessment metrics, quantitative assessment

李彤彤, 王诗蕊, 张耀方, 王佰玲, 王子博, 刘红日, . 面向工控系统漏洞的多维属性评估[J]. 计算机工程与科学, 2023, 45(02): 261-268.

LI Tong-tong, WANG Shi-rui, ZHANG Yao-fang, WANG Bai-ling, WANG Zi-bo, LIU Hong-ri, . Multi-dimensional attribute analysis of industrial control system vulnerability[J]. Computer Engineering & Science, 2023, 45(02): 261-268.

面向工控系统漏洞的多维属性评估

Multi-dimensional attribute analysis of industrial control system vulnerability

PDF

可视化

摘要/Abstract

引用本文

使用本文

相关文章 0

编辑推荐

Metrics

本文评价