Research on Traceability Techniques of Anomalous Behavior Correlation Analysis Attacks for Industrial Internet Devices#br#

	#br#

Journal of Information Security Reserach ›› 2024, Vol. 10 ›› Issue (6): 532-.

Previous Articles Next Articles

Research on Traceability Techniques of Anomalous Behavior Correlation Analysis Attacks for Industrial Internet Devices#br#
#br#

Lin Chen, Gang Zhanhui, Wei Yan, Guo Xian, Qu Haikuo, and Wang Chonghua#br#

#br#

(China Industrial Control Systems Cyber Emergency Response Team, Beijing 100040)

Online:2024-06-06 Published:2024-06-06

面向工业互联网设备的异常行为关联分析攻击溯源技术研究

林晨刚占慧韦彦郭娴曲海阔王冲华

(国家工业信息安全发展研究中心北京100040)

通讯作者: 曲海阔硕士，工程师.主要研究方向为工业控制系统安全、工业互联网安全. haikuo_q@163.com
作者简介:林晨硕士，工程师.主要研究方向为网络空间安全、工业互联网安全. linchen0106@outlook.com 刚占慧硕士，工程师.主要研究方向为工业控制系统安全、工业互联网安全. gangzhanhui@163.com 韦彦硕士，工程师.主要研究方向为科研项目管理、工业互联网安全. alimesher@163.com 郭娴博士，正高级工程师.主要研究方向为工业控制系统安全、工业领域网络安全. guoxian@cicscert.org.cn 曲海阔硕士，工程师.主要研究方向为工业控制系统安全、工业互联网安全. haikuo_q@163.com 王冲华博士，正高级工程师.主要研究方向为网络空间安全、工业领域网络与数据安全. wangchonghua@cicscert.org.cn

Abstract

Abstract: In this paper, an attack tracing detection method based on abnormal behavior correlation analysis mapping is proposed to solve the problem of unclear attack mechanism analysis and jump process in industrial control network side and device side under the industrial Internet scenario. The method is based on similarity comparison of abnormal behavior sequences, mapping analysis of abnormal behavior sequences and attack stages, and constructing a complete attack chain by linking the attack association subgraphs between different devices in series. Finally, the effectiveness of the attack detection and traceability method is verified, through constructing a simulation test environment for industrial intelligent devices and realizing the replay reproduction of common industrial device attack behaviors.

Key words: industrial Internet, attack attribution, attack detection, abnormal behavior, security of industrial control system

摘要： 针对工业互联网场景下工控网络侧、设备侧异常行为分析溯源技术攻击过程机理分析不清、跳转流程不明确等问题，提出了一种基于异常行为关联分析映射的攻击溯源检测方法.该方法基于异常行为序列相似度比对、异常行为序列与攻击阶段映射分析，将设备攻击映射情况与网络异常行为进行关联分析，串联不同设备之间的攻击关联子图构建完整攻击链条进行精准溯源.最终，通过构建工业智能设备仿真测试环境，实现常见工业设备攻击行为的重放复现，验证了所提出的攻击检测溯源方法的有效性.

关键词: 工业互联网, 攻击溯源, 攻击检测, 异常行为, 工控安全系统

CLC Number:

TP393

林晨, 刚占慧, 韦彦, 郭娴, 曲海阔, 王冲华, . 面向工业互联网设备的异常行为关联分析攻击溯源技术研究[J]. 信息安全研究, 2024, 10(6): 532-.

References

［1］Alladi T, Chamola V, Zeadally S. Industrial control systems: Cyberattack trends and countermeasures［EBOL］. Computer Communications, 2020［20240424］. https:dblp.orgdbjournalscomcomcomcom155.html#AlladiCZ20［2］卢列文, 路丹舒, 马跃强. 一种虚实结合的工控安全实训靶场平台设计［J］. 信息安全研究, 2024, 10(1): 7580［3］Kumar R, Kumar P, Tripathi R, et al. A distributed intrusion detection system to detect DDoS attacks in blockchainenabled IoT network［EBOL］. Journal of Parallel and Distributed Computing, 2022 ［20240424］. https:dblp.orgdbjournalsjpdcjpdc164.html#Kumar KTGGH22［4］白波, 冯云, 刘宝旭, 等. 基于网络行为的攻击同源分析方法研究［J］. 信息安全学报, 2023, 8(2): 6680［5］Abdo H, Kaouk M, Flaus J M, et al. A safety security risk analysis approach of industrial control systems: A cyber bowtiecombining new version of attack tree with bowtie analysis［EBOL］. 2018［20240424］. https:dblp.orgdbjournalscompseccompsec72.html#AbdoKFM18［6］Masood Z, Samar R, Raja M A Z. Design of a mathematical model for the Stuxnet virus in a network of critical control infrastructure［J］. Computers & Security, 2019, 87: 101565［7］Xiao F, Chen E, Xu Q, et al. ICSTrace: A Malicious IP traceback model for attacking data of the industrial control system［EBOL］. 2021 ［20240424］. https:dblp.orgdbjournalsscnscn2021.html#XiaoCXZ21［8］Zeng J, Chua Z L, Chen Y, et al. Watson: Abstracting behaviors from audit logs via aggregation of contextual semantics［COL］. 2021 ［20240424］. https:dblp.orgdbconfndssndss2021.html［9］杨英杰, 冷强, 常德显, 等. 基于属性攻击图的网络动态威胁分析技术研究［J］. 电子与信息学报, 2019, 41(8): 18381846［10］Nedeljkovic D, Jakovljevic Z. CNN based method for the development of cyberattacks detection algorithms in industrial control systems［J］. Computers & Security, 2022, 114: 102585［11］Bryant B D, Saiedian H. Improving SIEM alert metadata aggregation with a novel killchain based classification model［J］. Computers & Security, 2020, 94: 101817［12］Zhu H, Niu W, Liao X, et al. Attacker traceability on ethereum through graph analysis［J］. Security and Communication Networks, 2022, 2022: 112［13］Kwon Y, Wang Fei, Wang Weihang, et al. MCI: Modelingbased causality inference in audit logging for attack investigation［COL］. ［20240424］. https:dblp.orgdbconfndssndss2021.html［14］Straub J. Modeling attack, defense and threat trees and the cyber kill chain, ATTt&CK and stride frameworks as blackboard architecture networks［C］ Proc of 2020 IEEE Int Conf on Smart Cloud. Piscataway, NJ: IEEE, 2020: 148153［15］潘亚峰, 周天阳, 朱俊虎,等. 基于ATT&CK的APT攻击语义规则构建［J］. 信息安全学报, 2021, 6(3): 7790

[1]	. Research on Industrial Internet Commercial Cryptography Application System#br# #br# [J]. Journal of Information Security Reserach, 2024, 10(6): 519-.
[2]	. Key Technologies and Research Prospects in Multi-step Attack Detection [J]. Journal of Information Security Reserach, 2024, 10(5): 396-.
[3]	. Research on Commercial Cryptography Application to Industrial Internet [J]. Journal of Information Security Reserach, 2023, 9(9): 851-.
[4]	. Detection and Classification Method of Network Attacks Based on Generalized Neural Networks [J]. Journal of Information Security Reserach, 2023, 9(6): 593-.
[5]	. Development Direction of Public Security Data Analysis Based on Involving Cybercrime [J]. Journal of Information Security Reserach, 2023, 9(3): 298-.
[6]	. Analysis of Attack Methods of Ransomware Organizations Based on ATT&CK#br# #br# [J]. Journal of Information Security Reserach, 2023, 9(11): 1054-.
[7]	. [J]. Journal of Information Security Reserach, 2022, 8(6): 554-.
[8]	. [J]. Journal of Information Security Reserach, 2022, 8(6): 595-.
[9]	. Exploration on the Construction of Data Security System of Industrial Internet Platform in Energy Industry [J]. Journal of Information Security Reserach, 2022, 8(4): 386-.
[10]	. Topsec Industrial Intrusion Detection and Audit System [J]. Journal of Information Security Reserach, 2021, 7(E1): 67-.
[11]	. NetSensor Network Traffic Analysis Solution [J]. Journal of Information Security Reserach, 2021, 7(E1): 126-.
[12]	. Research on the Application of Beidou Space-time Information in the Field of Industrial Internet Security [J]. Journal of Information Security Reserach, 2021, 7(10): 989-.
[13]	. Research on Technologies of Windows Malware Detecting Based on Abnormal Behavior in KVM Environment [J]. Journal of Information Security Research, 2020, 6(6): 0-0.
[14]	. Research and Practice of File Upload Vulnerability [J]. Journal of Information Security Research, 2020, 6(2): 151-158.
[15]	. Research on Industrial Internet Security Monitoring Audit and Trend Awareness Technology [J]. Journal of Information Security Research, 2020, 6(11): 0-0.

Research on Traceability Techniques of Anomalous Behavior Correlation Analysis Attacks for Industrial Internet Devices#br#
#br#

面向工业互联网设备的异常行为关联分析攻击溯源技术研究

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Research on Traceability Techniques of Anomalous Behavior Correlation Analysis Attacks for Industrial Internet Devices#br# #br#

面向工业互联网设备的异常行为关联分析攻击溯源技术研究

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics

Research on Traceability Techniques of Anomalous Behavior Correlation Analysis Attacks for Industrial Internet Devices#br#
#br#