Method and system for evaluating vulnerability threat degree of power monitoring system equipment
1. A method of assessing a power monitoring system device vulnerability threat level, the method comprising:
determining a network attack path aiming at key equipment of a power monitoring system, extracting attack behaviors according to the network attack path, and determining a network attack behavior difficulty coefficient by combining attacker skills and attack object configuration evaluation;
determining the success probability of the network attack under a specific attack cost according to the difficulty coefficient of the network attack behavior;
and determining the vulnerability threat degree of the network attack on the key equipment of the power monitoring system according to the success probability and the network attack behavior difficulty coefficient.
2. The method of claim 1, wherein determining a network attack behavior difficulty coefficient comprises:
according to the network attack path, a hierarchical structure model for evaluating difficulty of network attack behaviors is constructed, and the hierarchical structure model comprises: a target layer, a criterion layer, an index layer and a behavior layer;
determining the mutual importance degree of different factors in the criterion layer, and constructing a judgment matrix of the criterion layer to the target layer;
determining the mutual importance degree of different factors in the index layer, and constructing a judgment matrix of the index layer to the criterion layer;
acquiring the maximum eigenvalue and eigenvector of the judgment matrix, and performing consistency check on the judgment matrix;
if the consistency check is passed, determining a weight vector of the index layer element relative to the target layer element according to the maximum feature vector;
establishing a decision matrix of the behavior layer elements to the index layer elements;
establishing a weighted standardized decision matrix according to the decision matrix and the weight vector of the index layer element to the target layer element;
and determining the difficulty coefficient of the network attack behavior through the weighted normalized decision matrix.
3. The method of claim 2, wherein the hierarchical structure model establishes a target layer with a difficulty coefficient of network attack behavior calculation as a target element; establishing a criterion layer by taking the attacker skill of the network attack behavior and the important configuration items of the attack object as reference criterion elements; aiming at the evaluation index elements of the skill of an attacker and the configuration condition of an attack object, establishing an index layer; and establishing a behavior layer by taking each behavior of the network attack behavior as a behavior element.
4. The method of claim 1, the determination of the probability of success of the cyber attack comprising: and determining a success probability function of any one-time network attack behavior according to the reliability calculation method and the network attack behavior difficulty coefficient, and determining the success probability of the network attack according to the success probability function.
5. The method according to claim 1, wherein the determining of the vulnerability threat level of the power monitoring system key device to the network attack includes: determining the key equipment of the power monitoring system related to the network attack path, establishing the incidence relation between the attack path and the key equipment of the power monitoring system related to the network attack path according to the success probability and the difficulty coefficient of the network attack behavior, and determining the vulnerability threat degree of the key equipment of the power monitoring system suffering from the network attack according to the incidence relation.
6. A system for assessing a power monitoring system device vulnerability threat level, the system comprising:
the difficulty coefficient determination module is used for determining a network attack path aiming at key equipment of the power monitoring system, extracting attack behaviors according to the network attack path, and determining a difficulty coefficient of the network attack behaviors by combining the skill of an attacker and configuration evaluation of an attack object;
the probability calculation module is used for determining the success probability of the network attack under the specific attack cost according to the network attack behavior difficulty coefficient;
and the threat degree evaluation module is used for determining the vulnerability threat degree of the power monitoring system key equipment subjected to the network attack according to the success probability and the network attack behavior difficulty coefficient.
7. The system of claim 6, the determining a network attack behavior difficulty coefficient, comprising:
according to the network attack path, a hierarchical structure model for evaluating difficulty of network attack behaviors is constructed, and the hierarchical structure model comprises: a target layer, a criterion layer, an index layer and a behavior layer;
determining the mutual importance degree of different factors in the criterion layer, and constructing a judgment matrix of the criterion layer to the target layer;
determining the mutual importance degree of different factors in the index layer, and constructing a judgment matrix of the index layer to the criterion layer;
acquiring the maximum eigenvalue and eigenvector of the judgment matrix, and performing consistency check on the judgment matrix;
if the consistency check is passed, determining a weight vector of the index layer element relative to the target layer element according to the maximum feature vector;
establishing a decision matrix of the behavior layer elements to the index layer elements;
establishing a weighted standardized decision matrix according to the decision matrix and the weight vector of the index layer element to the target layer element;
and determining the difficulty coefficient of the network attack behavior through the weighted normalized decision matrix.
8. The system of claim 7, wherein the hierarchical model establishes a target layer with a difficulty coefficient of network attack behavior as a target element; establishing a criterion layer by taking the attacker skill of the network attack behavior and the important configuration items of the attack object as reference criterion elements; aiming at the evaluation index elements of the skill of an attacker and the configuration condition of an attack object, establishing an index layer; and establishing a behavior layer by taking each behavior of the network attack behavior as a behavior element.
9. The system of claim 6, the determination of the probability of success of the cyber attack comprising: and determining a success probability function of any one-time network attack behavior according to the reliability calculation method and the network attack behavior difficulty coefficient, and determining the success probability of the network attack according to the success probability function.
10. The system according to claim 6, wherein the determining of the vulnerability threat level of the power monitoring system key device to the network attack includes: determining the key equipment of the power monitoring system related to the network attack path, establishing the incidence relation between the attack path and the key equipment of the power monitoring system related to the network attack path according to the success probability and the difficulty coefficient of the network attack behavior, and determining the vulnerability threat degree of the key equipment of the power monitoring system suffering from the network attack according to the incidence relation.
Background
In recent years, network attack cases aiming at industrial control systems are frequently sent worldwide, the network attack has the characteristics of strong concealment, large damage range, difficult responsibility confirmation and the like, and the network security risk level of the industrial control systems is gradually increased along with the gradual maturity of various network attack methods and means.
The electric power system is used as an important basic industry for supporting the development of the economic society and guaranteeing the basic livelihood, the electric energy accounts for increasing in the terminal energy consumption of the modern society, the dependence degree of each industry on the electric power supply is continuously deepened, the influence of the power failure event on the normal production and life is more serious, under the new trend of high integration development of current energy and digital revolution, the interaction boundary of a power grid and a network is continuously expanded and extended, the number of intelligent terminals which are connected into the power grid at present exceeds 5 hundred million, the risk that the power grid is attacked by the network is gradually accumulated, the network attack with various forms, organization and conspiracy becomes the outstanding security threat of the power system at present, a plant station monitoring system, a dispatching center monitoring system, an interactive control terminal, intelligent electric equipment and the like can become the objects of the network attack, and further the safe and stable operation of the primary power system is damaged.
The computer field generally adopts vulnerability to describe the security degree of a distributed system, the power monitoring system can be regarded as a typical distributed computer control system, the network attack behavior is a utilization process of the vulnerability of the power monitoring system, and the purpose of operating and controlling primary power system equipment is finally achieved, at present, for relevant research of vulnerability analysis of the power monitoring system, the defects are mainly reflected in the following three aspects:
(1) a qualitative evaluation method based on engineering experience is usually adopted, and evaluation indexes which can be quantitatively described are lacked;
(2) when vulnerability evaluation is carried out, the type of the measuring factor is single only aiming at the configuration condition of the system;
(3) in addition, conventional vulnerability assessment is less considered for attackers, generally embodied as not considering attacker skill level evaluation factors, neglecting the relative concept of system vulnerability when specific attackers are oriented, and being incapable of meeting the rationality and accuracy requirements of vulnerability threat assessment, therefore, how to consider the configuration condition of an attack object and the skill level of the attacker, thereby ensuring the rationality of the vulnerability threat assessment of the power monitoring system, and having important guiding significance for accurately mastering the importance degree of network assets of the power monitoring system and the protection and deployment priority of equipment.
Disclosure of Invention
In view of the above problems, the present invention provides a method for evaluating the vulnerability threat level of a power monitoring system device, comprising:
determining a network attack path aiming at key equipment of a power monitoring system, extracting attack behaviors according to the network attack path, and determining a network attack behavior difficulty coefficient by combining attacker skills and attack object configuration evaluation;
determining the success probability of the network attack under a specific attack cost according to the difficulty coefficient of the network attack behavior;
and determining the vulnerability threat degree of the network attack on the key equipment of the power monitoring system according to the success probability and the network attack behavior difficulty coefficient.
Optionally, determining the difficulty coefficient of the network attack behavior includes:
according to the network attack path, a hierarchical structure model for evaluating difficulty of network attack behaviors is constructed, and the hierarchical structure model comprises: a target layer, a criterion layer, an index layer and a behavior layer;
determining the mutual importance degree of different factors in the criterion layer, and constructing a judgment matrix of the criterion layer to the target layer;
determining the mutual importance degree of different factors in the index layer, and constructing a judgment matrix of the index layer to the criterion layer;
acquiring the maximum eigenvalue and eigenvector of the judgment matrix, and performing consistency check on the judgment matrix;
if the consistency check is passed, determining a weight vector of the index layer element relative to the target layer element according to the maximum feature vector;
establishing a decision matrix of the behavior layer elements to the index layer elements;
establishing a weighted standardized decision matrix according to the decision matrix and the weight vector of the index layer element to the target layer element;
and determining the difficulty coefficient of the network attack behavior through the weighted normalized decision matrix.
Optionally, the hierarchical structure model establishes a target layer by taking the difficulty coefficient of the network attack behavior calculation as a target element; establishing a criterion layer by taking the attacker skill of the network attack behavior and the important configuration items of the attack object as reference criterion elements; aiming at the evaluation index elements of the skill of an attacker and the configuration condition of an attack object, establishing an index layer; and establishing a behavior layer by taking each behavior of the network attack behavior as a behavior element.
Optionally, the determining of the success probability of the network attack includes: and determining a success probability function of any one-time network attack behavior according to the reliability calculation method and the network attack behavior difficulty coefficient, and determining the success probability of the network attack according to the success probability function.
Optionally, determining the vulnerability threat degree of the power monitoring system key device suffering from network attack specifically includes: determining the key equipment of the power monitoring system related to the network attack path, establishing the incidence relation between the attack path and the key equipment of the power monitoring system related to the network attack path according to the success probability and the difficulty coefficient of the network attack behavior, and determining the vulnerability threat degree of the key equipment of the power monitoring system suffering from the network attack according to the incidence relation.
The invention also provides a system for evaluating the vulnerability threat degree of the power monitoring system equipment, which comprises the following steps:
the difficulty coefficient determination module is used for determining a network attack path aiming at key equipment of the power monitoring system, extracting attack behaviors according to the network attack path, and determining a difficulty coefficient of the network attack behaviors by combining the skill of an attacker and configuration evaluation of an attack object;
the probability calculation module is used for determining the success probability of the network attack under the specific attack cost according to the network attack behavior difficulty coefficient;
and the threat degree evaluation module is used for determining the vulnerability threat degree of the power monitoring system key equipment subjected to the network attack according to the success probability and the network attack behavior difficulty coefficient.
Optionally, determining the difficulty coefficient of the network attack behavior includes:
according to the network attack path, a hierarchical structure model for evaluating difficulty of network attack behaviors is constructed, and the hierarchical structure model comprises: a target layer, a criterion layer, an index layer and a behavior layer;
determining the mutual importance degree of different factors in the criterion layer, and constructing a judgment matrix of the criterion layer to the target layer;
determining the mutual importance degree of different factors in the index layer, and constructing a judgment matrix of the index layer to the criterion layer;
acquiring the maximum eigenvalue and eigenvector of the judgment matrix, and performing consistency check on the judgment matrix;
if the consistency check is passed, determining a weight vector of the index layer element relative to the target layer element according to the maximum feature vector;
establishing a decision matrix of the behavior layer elements to the index layer elements;
establishing a weighted standardized decision matrix according to the decision matrix and the weight vector of the index layer element to the target layer element;
and determining the difficulty coefficient of the network attack behavior through the weighted normalized decision matrix.
Optionally, the hierarchical structure model establishes a target layer by taking the difficulty coefficient of the network attack behavior calculation as a target element; establishing a criterion layer by taking the attacker skill of the network attack behavior and the important configuration items of the attack object as reference criterion elements; aiming at the evaluation index elements of the skill of an attacker and the configuration condition of an attack object, establishing an index layer; and establishing a behavior layer by taking each behavior of the network attack behavior as a behavior element.
Optionally, the determining of the success probability of the network attack includes: and determining a success probability function of any one-time network attack behavior according to the reliability calculation method and the network attack behavior difficulty coefficient, and determining the success probability of the network attack according to the success probability function.
Optionally, determining the vulnerability threat degree of the power monitoring system key device suffering from network attack specifically includes: determining the key equipment of the power monitoring system related to the network attack path, establishing the incidence relation between the attack path and the key equipment of the power monitoring system related to the network attack path according to the success probability and the difficulty coefficient of the network attack behavior, and determining the vulnerability threat degree of the key equipment of the power monitoring system suffering from the network attack according to the incidence relation.
According to the invention, under the conditions of specific attacker skill and power monitoring system configuration, the comprehensive difficulty coefficient of the network attack behavior is obtained by calculation, and technical reference is provided for quantitatively evaluating the difficulty degree of the attack behavior.
The invention calculates the success probability of each network attack path under the specific attack cost, and provides a quantitative basis for comparing and measuring the attack difficulty degrees of different paths.
The method quantitatively evaluates the vulnerability threat degree of the key equipment involved in the network attack path, and the evaluation result can provide a technical basis for determining the importance degree of the network assets and the protection and deployment priority of the equipment.
Drawings
FIG. 1 is a flow chart of the method of the present invention;
FIG. 2 is a diagram of a hierarchy model of the method of the present invention;
FIG. 3 is a diagram of a hierarchical model of a substation monitoring system according to the method of the present invention;
fig. 4 is a schematic diagram of the system of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the embodiments described herein, which are provided for complete and complete disclosure of the present invention and to fully convey the scope of the present invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, the same units/elements are denoted by the same reference numerals.
Unless otherwise defined, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Further, it will be understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
The invention provides a method for evaluating the vulnerability threat degree of equipment of a power monitoring system, which comprises the following steps of:
firstly, based on a network attack path, analyzing and extracting attack behaviors and carrying out difficulty evaluation on the network attack behaviors.
And then, comprehensively considering the flow and the behavior difficulty of the attack path, and calculating the success probability of the network attack under the specific attack cost.
And finally, evaluating the vulnerability threat degree of the key equipment of the power monitoring system related to the attack path by combining the attack success probability and the behavior difficulty evaluation.
(1) And solving the comprehensive difficulty coefficient of the network attack behavior as follows:
the method combines the characteristics of a network attack scene and a distributed system vulnerability assessment method, considers that an analytic hierarchy process and an approximate ideal solution ordering process are adopted to realize the quantitative analysis of the attack behavior difficulty, and comprises the following specific steps:
1) constructing a hierarchical structure model for comprehensive difficulty evaluation of network attack behaviors;
the hierarchical structure model for the comprehensive difficulty evaluation of the network attack behavior is composed of four levels, namely a target layer, a criterion layer, an index layer and a behavior layer, as shown in fig. 2, wherein the calculated comprehensive difficulty coefficient of the attack behavior is a target and is independently used as an element of the target layer; attacker skills and important configuration items of an attack object closely related to the comprehensive difficulty system are reference criteria for determining the difficulty coefficient, and form criteria layer elements together; specific index items required to be obtained when the skill of an attacker and the configuration condition of an attack object are evaluated, such as specific skill mastered by the attacker and specific configuration conditions of the attack object, are developed, so that index layer elements are formed together, and a basis is provided for quantitative analysis criterion layer elements; each attack behavior forms the bottom behavior layer element and aims to explain the attack difficulty relation between each attack behavior and the index layer element.
The model constructs the overall relation between the network attack behaviors and various factors related to the network attack behaviors, and finally obtains the comprehensive difficulty coefficient indexes of the behaviors through layered one-by-one analysis.
2) Constructing a judgment matrix;
according to the comparison condition of the mutual importance degree of different factors of the criterion layer, the expert scoring opinion is solicited, and a judgment matrix A (m +1 order) of the criterion layer to the target layer is constructed according to the expert scoring opinion, wherein AijIndicating the degree of importance of the index i relative to the index j. Similarly, constructing judgment matrixes B0(n order), B1(p order), B2(q order), … … and Bm (r order) of the index layer for the skill of the attacker and the configuration items 1-m of the attack object in the criterion layer.
3) Solving and judging the maximum eigenvector of the matrix and checking consistency;
the maximum eigenvalues and eigenvectors W of the judgment matrixes A, B0, B1, B2, … … and Bm are respectively obtainedA、WB0、WB1、WB2、……、WBm. BySince the judgment matrix is a judgment based on expert experience, the inconsistency is inevitable, but the inconsistency needs to be within a certain range to be acceptable. The consistency check is a method for inspecting and judging the degree of inconsistency. The consistency check index CI is defined as follows:
wherein n is the order of the judgment matrix, λmaxIs the maximum eigenvalue, and when identical, CI is 0. When the random consensus is inconsistent, generally, the larger n is, the worse the consistency is, so that an average random consensus index RI and a random consensus ratio CR are introduced:
the average random consistency index RI is obtained by randomly constructing n-order positive and inverse matrix, and when a sufficiently large subsample is taken, the maximum eigenvalue average value lambda is obtainedaveAnd then calculating to obtain RI, wherein each order corresponds to an RI value. The introduction of RI overcomes the defect that the consistency check index CI is increased along with the increase of the matrix order to a certain extent. When consistency judgment is carried out, if the random consistency ratio CR is less than 0.1, inconsistency is considered to be acceptable; if CR is greater than or equal to 0.1, the inconsistency is considered unacceptable, and the judgment matrix needs to be modified.
4) Calculating a weight vector of the index layer element relative to the target layer element;
the weight vector of the index layer elements to the target layer elements is:
W=[WB0,WB1,WB2,……,WBm]×WA (4)
5) constructing a decision matrix of the behavior layer elements to the index layer elements;
constructing decision matrix C ═ for t index layer elements of s behaviorsij) Where t is n + p + q + r, i is 1, 2, … …, s, j is 1, 2, … …, t, cijAssigning a value to the difficulty of breaking the jth index for the ith behavior, wherein the greater the difficulty is, the cijThe larger the value.
Normalizing the decision matrix to form a normalized matrix D, wherein:
6) constructing a weighted standardized decision matrix;
weighted normalized decision matrix Zij=Wj×DijWherein W isjIs the jth element of W.
7) Calculating a comprehensive attack difficulty coefficient of each behavior;
calculating a positive ideal solution Z + and a negative ideal solution Z-according to an approximate ideal solution sorting method, wherein:
the distance between each behavior attack difficulty coefficient and the positive and negative ideal solutions is as follows:
calculating ideal solution closeness, and calculating to obtain an attack comprehensive difficulty coefficient of each behavior by combining the difficulty average value in the decision matrix:
wherein the content of the first and second substances,
(2) and solving the attack success probability of the attack path as follows:
referring to a reliability calculation method, defining a success probability function of a certain attack behavior as follows:
wherein C is the equivalent attack cost that an attacker can pay, C is the equivalent attack cost required by the implementation of the attack behavior, and the larger p (C) is, the higher the probability of success of the behavior is represented.
Combining with the attack path diagram analysis, when the number n of the attack behaviors contained in a certain path is more than or equal to 2, the probability of completing the whole process of the certain attack path is as follows:
(3) solving the vulnerability threat assessment coefficient of the power monitoring system equipment as follows:
based on the attack path diagram, constructing an incidence relation diagram of the attack behavior and the power monitoring system equipment, and calculating a vulnerability threat assessment coefficient of the power monitoring system equipment i according to the incidence relation diagram as follows:
where j is the attack path that needs to pass through device i, PSjFor the attack success probability of the path, DIobjI is a comprehensive attack difficulty coefficient of the attack path j with the device i as an attack object. The larger the number n of attack paths passing through a device, the higher the success probability PSjLarger, DIobjThe smaller i, the larger the vulnerability threat assessment factor for the device.
Taking a certain typical substation monitoring system adopting the IEC 61850 standard as an example, based on network attack path analysis, the vulnerability threats of the key devices related to 6 attack paths under specific configuration conditions are evaluated, and the attack behaviors included in the combed 6 attack paths are shown in Table 1:
TABLE 1
The functions provided by the device are marked in the table and correspond to logical nodes in the IEC 61850 standard. A device is an attack object, but it is the function of the device that is actually attacked. And the right side is the attack behavior number contained in the attack path, and a hierarchical structure model for comprehensive difficulty evaluation of the network attack behavior of the transformer substation monitoring system is constructed and is shown in fig. 3.
And (3) comparing the mutual importance degrees of the elements by adopting a reciprocal 1-9 scaling method, constructing a judgment matrix A of the criterion layer to the target layer and judgment matrices B0-B4 of the index layer to the criterion layer, calculating the maximum eigenvalue and the corresponding eigenvector, and carrying out consistency check.
When a judgment matrix is constructed, the importance degrees among all elements are compared fully, and reasonable assignment is carried out according to a measurement result, taking the judgment matrix A as an example, the evaluation matrix A assigns values to the comparison condition of the importance degrees among 5 indexes such as attacker skills, network environment, target objects and the like by fully soliciting expert opinions, for example, A11The attacker skill index and the self-measure value are 1 (the diagonal elements of the matrix are the index and the self-measure value are both 1), A12Assuming that the degree of importance of the attacker skill relative to the network environment is about 3 times that of the network environment when the target layer elements are evaluated, a is12The value is 3; similarly, the assignment of other matrix elements is completed according to the above rules, and in addition, in order to avoid the phenomenon of serious inconsistency in the measurement process, consistency check needs to be performed on the judgment matrix.
The calculation results are as follows:
λAmax=5.0723
λB0max=2.0
λB1max=2.0
λB2max=3.0092
λB3max=3.0183
λB4max=3.0183
the consistency test is performed on the matrix, and according to the statistical calculation result, the RI value is shown in table 2:
TABLE 2
n
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
RI
0
0
0.58
0.90
1.12
1.24
1.32
1.41
1.45
1.49
1.52
1.54
1.56
1.58
1.59
1.59
1.61
1.61
1.62
1.63
The results of the consistency check are shown in table 3, and the judgment matrices all pass the consistency check.
TABLE 3
The weight vector of the calculated index layer elements to the target layer elements is:
W=[0.0693 0.2079 0.0785 0.0393 0.1435 0.0790 0.2608 0.0099 0.0113 0.0260 0.0091 0.0238 0.0416]T
the decision matrix of behavior layer elements to index layer elements is constructed as follows:
the decision matrix is normalized to form a normalized matrix as follows:
the weighted normalized decision matrix is calculated as follows:
the positive ideal solution Z + and the negative ideal solution Z-are respectively:
Z+=[0.0423 0.1085 0.0419 0.0187 0.0487 0.0276 0.1284 0.0047 0.0049 0.0122 0.0040 0.0103 0.0149]
Z-=[0.0106 0.0310 0.0105 0.0070 0.0348 0.0215 0.0482 0.0009 0.0014 0.0061 0.0020 0.0051 0.0085]
the distance between each behavior attack difficulty coefficient and the positive and negative ideal solutions is as follows:
d+=[0.0871 0.0905 0.1120 0.0520 0.0976 0.0384 0.1010 0.0864 0.1088 0.0762 0.0606]
d-=[0.0405 0.0387 0.0164 0.0913 0.0278 0.0996 0.0344 0.0391 0.0207 0.0473 0.0686]
calculating ideal solution closeness, and calculating to obtain an attack comprehensive difficulty coefficient of each behavior by combining the difficulty average value in the decision matrix as follows:
DI ═ 1.51411.24500.42153.08641.10724.71711.11321.46160.58911.65052.5722, the attack success probability of each attack path was calculated (assuming that the attack cost c is 1), as shown in table 4:
TABLE 4
The calculated secondary system equipment vulnerability threat assessment coefficient is shown in table 5:
TABLE 5
The calculation result shows that the evaluation coefficient of the vulnerability threat of the telecontrol workstation is the lowest, the attack difficulty is the highest, because the longitudinal encryption authentication device is needed when the equipment is invaded from the dispatching master station, the invasion difficulty is increased, the intelligent terminal is the equipment which directly sends action signals to the primary equipment, and each attack path needs to pass through the equipment, therefore, the vulnerability threat coefficient is the highest through comprehensive evaluation, the evaluation result is compared and analyzed, and the calculation result of the method is basically consistent with the equipment vulnerability qualitative cognitive result based on engineering experience.
The present invention further provides a system 200 for evaluating the vulnerability threat level of a power monitoring system device, as shown in fig. 4, including:
the difficulty coefficient determining module 201 is configured to determine a network attack path for a key device of the power monitoring system, extract an attack behavior according to the network attack path, and determine a difficulty coefficient of the network attack behavior by combining an attacker skill and an attack object configuration evaluation;
the probability calculation module 202 determines the success probability of the network attack under a specific attack cost according to the difficulty coefficient of the network attack behavior;
and the threat degree evaluation module 203 determines the vulnerability threat degree of the power monitoring system key equipment suffering from the network attack according to the success probability and the network attack behavior difficulty coefficient.
The determining the difficulty of the network attack behavior comprises the following steps:
according to the network attack path, a hierarchical structure model for evaluating difficulty of network attack behaviors is constructed, and the hierarchical structure model comprises: a target layer, a criterion layer, an index layer and a behavior layer;
determining the mutual importance degree of different factors in the criterion layer, and constructing a judgment matrix of the criterion layer to the target layer;
determining the mutual importance degree of different factors in the index layer, and constructing a judgment matrix of the index layer to the criterion layer;
acquiring the maximum eigenvalue and eigenvector of the judgment matrix, and performing consistency check on the judgment matrix;
if the consistency check is passed, determining a weight vector of the index layer element relative to the target layer element according to the maximum feature vector;
establishing a decision matrix of the behavior layer elements to the index layer elements;
establishing a weighted standardized decision matrix according to the decision matrix and the weight vector of the index layer element to the target layer element;
and determining the difficulty coefficient of the network attack behavior through the weighted normalized decision matrix.
The hierarchical structure model establishes a target layer by taking the difficulty coefficient of network attack behavior calculation as a target element; establishing a criterion layer by taking the attacker skill of the network attack behavior and the important configuration items of the attack object as reference criterion elements; aiming at the evaluation index elements of the skill of an attacker and the configuration condition of an attack object, establishing an index layer; and establishing a behavior layer by taking each behavior of the network attack behavior as a behavior element.
The determination of the success probability of the network attack comprises the following steps: and determining a success probability function of any one-time network attack behavior according to the reliability calculation method and the network attack behavior difficulty coefficient, and determining the success probability of the network attack according to the success probability function.
The method comprises the following steps of determining the vulnerability threat degree of the power monitoring system key equipment suffering from network attack, specifically: determining the key equipment of the power monitoring system related to the network attack path, establishing the incidence relation between the attack path and the key equipment of the power monitoring system related to the network attack path according to the success probability and the difficulty coefficient of the network attack behavior, and determining the vulnerability threat degree of the key equipment of the power monitoring system suffering from the network attack according to the incidence relation.
According to the invention, under the conditions of specific attacker skill and power monitoring system configuration, the comprehensive difficulty coefficient of the network attack behavior is obtained by calculation, and technical reference is provided for quantitatively evaluating the difficulty degree of the attack behavior.
The invention calculates the success probability of each network attack path under the specific attack cost, and provides a quantitative basis for comparing and measuring the attack difficulty degrees of different paths.
The method quantitatively evaluates the vulnerability threat degree of the key equipment involved in the network attack path, and the evaluation result can provide a technical basis for determining the importance degree of the network assets and the protection and deployment priority of the equipment.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiment of the application can be implemented by adopting various computer languages, such as object-oriented programming language Java and transliterated scripting language JavaScript.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.
