A method for multi-dimensional evaluation of b5g industrial internet security
By constructing a multi-dimensional assessment method that includes security incident hit rate, security level, and system security health index, the problem that traditional measurement systems cannot adapt to the characteristics of B5G industrial internet is solved. This enables a comprehensive and objective assessment of the security status of B5G industrial internet and a comprehensive analysis of its protection capabilities, thereby improving system security and production stability.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIHANG UNIV
- Filing Date
- 2023-11-01
- Publication Date
- 2026-06-05
AI Technical Summary
Existing B5G industrial internet security measurement systems are more applicable to traditional internet, ignoring the characteristics and security requirements of B5G industrial internet. They lack scientific quantitative analysis methods, resulting in overly subjective assessment results that fail to accurately reflect changes in security status and the complexity of attack methods.
This paper proposes a multi-dimensional method for evaluating the security of B5G industrial internet. By constructing calculation and analysis models for security incident hit rate, security level, and system security health index, and combining the Purdue model and attack/threat sample library, multi-dimensional security measurements are performed, including security incident hit rate assessment, security level assessment, and system security health index assessment.
It enables a comprehensive and objective assessment of the security status of B5G industrial internet, identifies potential threats, evaluates defense capabilities, and provides a comprehensive analysis of the system's integrated security detection and protection capabilities, thereby improving the security and production stability of B5G industrial internet.
Smart Images

Figure CN117749406B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the interdisciplinary field of Internet security and industrial control, and specifically relates to a method for multi-dimensionally evaluating the security of B5G industrial Internet. Background Technology
[0002] B5G Industrial Internet is a new type of infrastructure, application model, and industrial ecosystem that deeply integrates next-generation information and communication technologies with the industrial economy. Through comprehensive connection of people, machines, things, and systems, it builds a brand-new manufacturing and service system covering the entire industrial chain and value chain, providing a way to realize industrialization and even industrial digitalization, networking, and intelligence. It is an important cornerstone of the Fourth Industrial Revolution.
[0003] Scenario construction is a way to formally represent a real-world system. B5G Industrial Internet applications are diverse and complex, targeting different industries and playing a crucial role in production, management, and services. Given this complexity, formally representing the real-world system through scenario construction is a necessary foundation for cybersecurity measurement. Common control systems and equipment in the B5G Industrial Internet environment include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Human-Machine Interfaces (HMIs), and Programmable Logic Controllers (PLCs), which have complex and different functions in industrial processes. In practical applications, these commonly used system devices often contain multiple components and are used in combination. Scenario construction, referring to the formal representation of the real-world system, is the basis for security measurement. In practical application environments, these commonly used system devices often contain multiple components and are used in combination. To facilitate subsequent measurement and analysis, each system component is treated as an independent node in the network during scenario construction.
[0004] Monitoring and data acquisition (SCADA) systems enable production and scheduling control of geographically dispersed equipment. Based on local data feedback, management personnel can execute automated or manual operations. SCADA systems typically consist of a group of different types of industrial control system equipment. A SCADA system can be viewed as the sum of all the independent control and communication components that make up the entire industrial control system. Different application areas have different requirements for SCADA; typical examples include power transmission and distribution systems, water supply systems, and natural gas pipeline transportation systems.
[0005] Distributed control systems are used for industrial process control, enabling centralized management by operators to control distributed I / O nodes in large facilities.
[0006] Human-machine interface (HMI) is the medium for exchanging information between humans and computers. It typically uses a keyboard or touchscreen display to graphically depict production control processes, allowing operators to achieve point-to-point control by inputting commands for specific components. From an attacker's perspective, to gain control of the graphical display of automated control points on the HMI, the attacker will first focus their attention on this device.
[0007] A programmable logic controller (PLC) consists of a microprocessor, memory, input / output units, an editor, and a power supply. PLCs vary in size and function, and are widely used in factory environments, including for switching logic control, analog closed-loop control, digital intelligent control, and data acquisition and monitoring. While PLCs can provide operational control for discrete processes, unlike monitoring and data acquisition systems or distributed control systems, PLCs primarily provide closed-loop control without manual intervention. The PLC itself is a significant attack target; attackers can use it as a springboard to hop between networks.
[0008] Cybersecurity measurement is a crucial means of addressing and preventing cybersecurity vulnerabilities. Security managers can gain a comprehensive and in-depth understanding of system security status through cybersecurity assessments. In different application environments, by using corresponding indicators and standards, they can judge the current security status of the network and adjust the deployment of devices within the network to prevent attacks. Article 38 of the Cybersecurity Law explicitly states that operators of critical information infrastructure should conduct network security and risk assessments at least once a year. From the perspective of the urgency of B5G industrial internet cybersecurity measurement, security measurement involves all participants in the network. Security measurement helps managers better understand network security. Without security measurement, every link and aspect of the entire industrial production lifecycle may be affected. Cybersecurity measurement is the process of identifying, understanding, and assessing network system risks, and is an important component of network risk management. Administrators can use security measurement analysis to understand the vulnerabilities of various types of devices in the network and then take corresponding mitigation measures for different devices. From the perspective of the necessity of B5G industrial internet cybersecurity measurement, cybersecurity measurement can be divided into qualitative and quantitative types. Currently, qualitative cybersecurity measurement relies on subjective judgment and is greatly influenced by human factors such as operator experience. Currently, there is a lack of suitable models and indicators for quantitative measurement of B5G industrial internet network security. Therefore, how to accurately assess network security in industrial application scenarios is a current research hotspot. To help managers better understand network system security from a holistic perspective and formulate protective measures, the development of security measurement science is imperative.
[0009] For B5G industrial internet security requirements, confidentiality, integrity, and availability—traditional IT security principles—still hold value in B5G industrial internet environments. However, in practice, these are easily limited by the demands of industrial scenarios. On the other hand, while the security priority in traditional IT environments is confidentiality, integrity, and availability, the priority in B5G industrial internet environments is the opposite: availability, integrity, and confidentiality, while ensuring business continuity. Due to the unique characteristics of industrial scenarios, a relatively different approach to security measurement is needed. The primary characteristic of industrial production environments is that production stability and continuity are prioritized over general security. B5G industrial internet security measurement encompasses asset discovery, vulnerability scanning, and configuration checks, aiming to identify various vulnerabilities in the environment, including known security vulnerabilities, security configurations, and operational risks. During the measurement process, it is crucial to ensure that B5G industrial internet security measurement is isolated from the B5G industrial internet production environment to avoid negatively impacting it. Secondly, B5G industrial internet security measurement must collect data on detected attack events and anomalies. Finally, B5G industrial internet security measurement must be able to assess the occurrence and recovery of attacks. In response to the characteristics and requirements of the B5G Industrial Internet mentioned above, the main capabilities a B5G Industrial Internet security measurement system needs to possess include identification, data collection, knowledge base, quantification, and visualization. Identification includes information such as equipment type, hardware / software version, and manufacturer in the industrial production environment. Data collection encompasses both static data (such as assets and vulnerabilities) and dynamic data (such as attack activity, anomalies, and equipment recovery status). The knowledge base in this paper refers to the vulnerability database required for in-depth analysis and evaluation of the network environment during security measurement. To facilitate users' measurement of the B5G Industrial Internet network security status, quantitative analysis based on the collected data is necessary. Simultaneously, visualization allows users to more intuitively associate threatened assets with business attributes, facilitating subsequent equipment management.
[0010] Cybersecurity metrics are a crucial systematic methodology for assessing and resolving industrial cybersecurity issues. Currently, the most widely recognized international security standard is IEC 62443, whose Purdue Enterprise Reference Architecture model is widely accepted by industrial security standards and is used as a key concept for network segmentation in industrial control systems. Based on this, various cybersecurity metrics have been proposed domestically and internationally, primarily measuring aspects such as personnel, security risks, and network status. However, during the assessment process, many metrics are difficult to quantify and require manual evaluation by operators.
[0011] In network system state measurement, numerous global measurement models have been proposed and are gradually developing. Alarm correlation analysis models collect data from different sources from security devices, link attack behaviors through correlation analysis engines, reconstruct attack paths, reproduce attack scenarios, and then formulate defense strategies to ensure network system security. Random models can describe in detail the connection relationships between devices and the activities existing in the network. Graph-based network vulnerability analysis methods use attack information, attacker profiles, and network information to generate attack graphs, thereby analyzing the risks faced by assets in the network and the potential consequences of successful attacks. The analytic hierarchy process (AHP) can break down complex problems into different levels. These network system state measurement models provide the foundation for network security measurement methods.
[0012] In the research of network security measurement methods, HU et al. conducted correlation analysis on network systems to understand their security status and defense capabilities. KONG combined fuzzy hierarchical analysis and information entropy to determine measurement indicators and their populations, achieving global network security measurement. Gu Zhaojun et al., based on the entropy weight method to determine indicator weights, incorporated the indicators into a BP neural network to build a model, and obtained measurement results after training. Hu Changzhen proposed differential manifolds and, using homeomorphic transformations and differential geometry principles, proposed a method for calculating network behavior functions and behavioral utility, and used this to evaluate network attack and defense confrontation. However, current network security measurement systems are more applicable to the traditional Internet, ignoring the potential differences between industrial networks and them. Therefore, it is necessary to find a more efficient and comprehensive security measurement method for B5G industrial Internet. Summary of the Invention
[0013] This invention addresses the problem that current B5G industrial internet security measurement systems are largely applicable to traditional internet and neglect the characteristics and security requirements of B5G industrial internet. It proposes a multi-dimensional system for measuring B5G industrial internet security. By establishing a calculation and analysis model for security event hit rate, security level, and system security based on a health index, multi-dimensional security measurement of the B5G industrial internet is achieved. The purpose of this invention is to improve the security of B5G industrial internet through multi-dimensional security measurement, thereby ensuring efficient and safe production.
[0014] This invention proposes a method for multi-dimensionally evaluating the security of B5G industrial internet, comprising the following steps:
[0015] Select B5G industrial internet application scenarios;
[0016] Analyze the security risk elements and requirements of B5G industrial internet;
[0017] Construct a security measurement index system for B5G industrial internet, including security incident hit rate, security level, and system security health index;
[0018] Construct a B5G industrial internet attack / threat sample library, including exploitable vulnerability identification, risk analysis, sample size determination, sample library sampling, and attack library establishment.
[0019] Conduct multi-dimensional network security measurements for B5G industrial internet, including security incident hit rate assessment, security level assessment, system security health index assessment, and comprehensive analysis.
[0020] Based on the above solution, the specific requirements for selecting B5G industrial internet application scenarios and analyzing B5G industrial internet security risk factors are as follows:
[0021] Extract and analyze indicators for the operation and environment of B5G industrial internet;
[0022] The security incident hit rate is used to measure data stream tampering, abnormal network traffic, and the number of vulnerabilities.
[0023] The security level is used to measure attack / threat protectability, network vulnerability, and security operation.
[0024] The system security health index is calculated from the security incident hit rate and security level, and is used to measure the network's comprehensive security protection capabilities.
[0025] Based on the above scheme, the sample size is determined as follows:
[0026] The attack / threat sample size was determined using a coverage adequacy test scheme method.
[0027] The formula for calculating the sample size based on coverage adequacy is:
[0028]
[0029]
[0030] In the formula, n i R is the number of samples assigned to the i-th attack / threat pattern. i R0 is the risk value of the i-th attack / threat pattern, n is the sample size, and m is the total number of attack / threat patterns covered.
[0031] Calculate and compare the minimum sample size;
[0032] The formula for calculating the minimum sample size for a given confidence level is:
[0033]
[0034] In the formula, n' is the minimum sample size, q1 is the minimum acceptable pass rate, and c is the confidence level, which is determined according to the actual situation.
[0035] After determining the sample size, the risk values of each determined attack / threat candidate sample are statistically analyzed, and the values are reasonably divided into four categories: catastrophic, major, general, and minor based on the specific results of the risk values.
[0036] The proportion of each type of sample in the candidate sample library is calculated, and stratified sampling is used to select attack / threat samples to ensure that the required samples can be selected according to the proportion of each risk category.
[0037] The specific formula for calculating the sample size is as follows:
[0038]
[0039] In the formula, n represents the total number of samples to be drawn, N i Let n represent the number of samples in the i-th category, and N represent the total number of samples obtained from the statistics. i This represents the number of samples to be drawn from the i-th category.
[0040] Based on the above scheme, the security incident hit rate assessment is specifically as follows:
[0041] The study evaluates the application of B5G industrial internet in attack / threat pattern detection and identifies undetected attack / threat patterns.
[0042] Analyze the effectiveness of attack / threat detection and estimate the security incident hit rate;
[0043] The point estimation formula for the security incident hit rate index is as follows:
[0044]
[0045] In the formula, S is the security event hit rate, S i S represents the risk value of suffering the i-th attack. ej Let n be the risk value of the attack when the system responds to the j-th attack, and n be the total number of attacks / threats. e The number of attacks / threats that can be detected by the system and elicit a response;
[0046] The formula for calculating the confidence interval of the security incident hit rate index is as follows:
[0047]
[0048]
[0049] In the formula, n is the total number of attacks / threats. e S represents the number of attacks / threats that can be detected by the system and elicit a response. L S is the lower confidence limit for two-sided confidence. U This is the upper limit of confidence for both sides. c, where is the confidence level.
[0050] Based on the above scheme, the security assessment process is as follows:
[0051] Establish a vulnerability sample set, determine the sample size based on the principle of coverage sufficiency, and make a judgment by comparing the parameter estimates with the indicators;
[0052] Specify the defense and protection capability testing outline, and describe the candidate vulnerability sample set, vulnerability attack operation procedure requirements, and defense and protection capability testing requirements;
[0053] Design vulnerability attack operation procedures, and clarify the specific operation procedures for simulating attacks and reversing attacks on each vulnerability sample in the vulnerability sample set;
[0054] Conduct tests, record the original system diagnostic output information before, after and after the vulnerability attack, and perform data analysis and evaluation.
[0055] Based on the above scheme, the point estimation formula for the safety index is as follows:
[0056]
[0057] In the formula, P is the estimated safety point value, P i P represents the risk value of the attack when the system suffers the i-th attack and generates a response. kj Let n be the risk value of the attack when the system activates its defenses after suffering the j-th attack. e n represents the number of attacks / threats that can be detected by the system and elicit a response. d The number of attacks / threats that can trigger system defenses;
[0058] The formula for calculating the confidence interval of the safety index is:
[0059]
[0060]
[0061] In the formula, n e n represents the number of attacks / threats that can be detected by the system and elicit a response. d P represents the number of attacks / threats that can trigger system defenses. L P is the lower confidence limit for two-sided confidence. U For two-sided confidence limits, c , where is the confidence level.
[0062] Based on the above scheme, a system security health index analysis is conducted using security incident hit rate and security indicators. The calculation formula is as follows:
[0063]
[0064] Where S is the estimated hit rate of security incidents, and P is the estimated security level. max P represents the theoretical maximum hit rate of security incidents. max S represents the theoretical maximum value of the safety factor. max With P max The default value is 1.
[0065] Based on the above scheme, the system safety and health index analysis is performed on a two-dimensional coordinate axis, where the x-axis represents the estimated hit rate of security events and the y-axis represents the estimated safety level point. The coordinate range is (0,1). The position of the (x,y) point represents the relative strength of the security event detection hit rate and protection capability of the B5G industrial internet security system. The coordinate system is classified according to the horizontal and vertical coordinate values to characterize security systems with different characteristics. The ratio of the product of the horizontal and vertical coordinate values to the product of the maximum values of the horizontal and vertical coordinates is the system safety and health index, which represents the comprehensive strength of the security protection capability.
[0066] The beneficial effects of this invention are:
[0067] This invention proposes a multi-dimensional security measurement system for B5G industrial internet, which has the following innovations and effects compared with existing technologies:
[0068] 1. In this invention, a simulation scenario is constructed by combining the Purdue model. Based on the characteristics of B5G industrial internet interconnection, diverse industry applications, and high security and confidentiality, the application requirements, equipment functions, and component security assessment requirements of B5G industrial internet are analyzed. An index system for B5G industrial internet security measurement is constructed, and a coordinate system analysis method for security event hit rate, security level, and system health index is proposed.
[0069] 2. In this invention, firstly, a comprehensive risk analysis is conducted on each part of the critical information system using the event tree method to identify all possible attacks / threats and their potential impact, forming an attack / threat candidate sample library. Secondly, attack / threat samples are extracted from the candidate sample library using risk value classification and stratified sampling methods to establish an attack / threat sample library that meets the requirements. The number of attack / threat samples to be extracted is determined, and stratified sampling is performed according to the proportion of different risk categories to establish an attack / threat sample library that meets the requirements.
[0070] 3. A method for calculating the security event hit rate in B5G industrial internet security metrics is proposed. The security event hit rate is obtained by evaluating and studying the application of B5G industrial internet in attack / threat pattern detection, identifying undetected attack / threat patterns, and analyzing the attack / threat detection effect.
[0071] 4. A calculation method for B5G industrial internet security assessment is proposed. First, preparation for defense and protection capability testing is conducted, establishing a vulnerability sample set and determining the sample size based on the principle of coverage sufficiency. Decisions are made by comparing parameter estimates with indicators. Second, a defense and protection capability testing outline is specified, outlining the candidate vulnerability sample set, vulnerability attack procedure requirements, and defense and protection capability testing requirements. Then, vulnerability attack procedures are designed, clarifying the specific procedures for simulating attacks and reversals for each vulnerability sample in the sample set. Afterwards, testing is implemented, recording the original system diagnostic output information before, after, and after vulnerability attacks, and conducting data analysis and evaluation. The results are analyzed, and adjustments are made to the design based on feedback, with repeated experiments.
[0072] 5. A method for calculating the system health index and conducting comprehensive security analysis in B5G Industrial Internet is proposed. A B5G Industrial Internet security measurement coordinate system is established with the security event hit rate on the x-axis and the security level on the y-axis. The system is then divided into four categories for analysis by defining the coordinate range. The ratio of the product of the x and y coordinate values to the product of the maximum values on both axes is used as the system health index, characterizing the comprehensive security detection and protection capabilities of the B5G Industrial Internet system. The advantages of the B5G Industrial Internet security measurement system described in this invention compared to traditional network security measurement systems are mainly as follows:
[0073]
[0074]
[0075]
[0076] Attached Figure Description
[0077] The present invention includes the following figures:
[0078] Figure 1 Diagram illustrating the interconnection relationships within the B5G Industrial Internet system;
[0079] Figure 2 Schematic diagram of B5G industrial internet security measurement index system;
[0080] Figure 3 Flowchart for building an attack / threat sample library;
[0081] Figure 4 Schematic diagram of risk value calculation principle;
[0082] Figure 5 Example diagram of a risk value proportional stratified sampling model;
[0083] Figure 6 Safety assessment flowchart;
[0084] Figure 7 System security comprehensive analysis coordinate diagram;
[0085] Figure 8 A schematic diagram of the structure of the B5G Industrial Internet Security Measurement System. Detailed Implementation
[0086] To make the objectives, advantages, and features of the present invention more apparent, the following description is provided in conjunction with the appendix. Figure 1-8 The present invention will be further described in detail below with reference to specific embodiments.
[0087] The specific steps of the multi-dimensional assessment method for B5G industrial internet security proposed in this invention are as follows:
[0088] Step 1: Research on network security measurement index system. This step mainly includes scenario selection and requirements analysis, from which a B5G industrial internet security measurement index system is extracted.
[0089] As attached Figure 1 As shown, the first step is scenario selection. B5G Industrial Internet application scenarios are diverse and complex. This analysis focuses on common needs across different industries in production, management, and services. In the manufacturing process, B5G Industrial Internet is used for data collection and analysis, real-time monitoring of production scenarios, and intelligent process optimization. In management and maintenance, it is used to establish data interaction, manpower allocation, and customer management. In industrial collaboration, it is used to achieve supply and demand response, resource allocation, and collaborative optimization. Commonly used control systems and equipment include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), Human-Machine Interfaces (HMIs), and Programmable Logic Controllers (PLCs). Referring to the Purdue model and typical industrial control networks, a detailed analysis of the B5G Industrial Internet network environment and the interconnection relationships of various systems is conducted. The second step is requirements analysis.
[0090] Traditional B5G industrial internet security measurement systems lack scientific evaluation indicators, employing static metrics that fail to accurately reflect changes in security status. They neglect qualitative factors such as the impact of security incidents and the complexity of attack methods. Furthermore, relying on scoring values lacks scientific quantitative analysis methods for measuring the security of B5G industrial internet systems, resulting in overly subjective evaluation methods and numerous shortcomings in reflecting security risks and guiding security decision-making. To cover the security risk elements of B5G industrial internet, a B5G industrial internet security measurement system is constructed. This system builds a security measurement indicator framework from three perspectives: security incident hit rate, security level, and system security health. Based on objective data, evaluation indicators are calculated using models to evaluate B5G industrial internet systems. (See attached image) Figure 2As shown, the system's security health depends on a comprehensive calculation and analysis of the security incident hit rate and security level. The security incident hit rate is mainly related to data stream tampering, abnormal network traffic, and the number of vulnerabilities; the security level is mainly related to attack / threat protectability, network vulnerability, and secure operation.
[0091] Step Two: As attached Figure 3 As shown, the attack / threat sample library construction mainly includes exploitable vulnerability identification, risk analysis, sample size determination, sample library sampling, and attack library establishment.
[0092] Exploitable Vulnerability Identification: Attacks are closely related to vulnerabilities present on nodes. Common Vulnerability Disclosures (CVEs) are dictionaries of vulnerabilities identified for specific codebases (such as software applications or open libraries). Detailed information about a vulnerability can be obtained through its unique CVE ID identifier. The U.S. National Vulnerability Database (NVD) provides a large amount of publicly accessible vulnerability management data. The standards used are based on the Security Content Automation Protocol (SCAP). The NVD analyzes each CVE after its release and provides extensive vulnerability information such as vulnerability descriptions, exploitability metrics, and impact metrics. The specific elements included in the exploitability and impact metrics are shown in the table below.
[0093]
[0094] If the attack vector's metric value is "network," it indicates that the vulnerable component is bound to the network stack, and the attacker's path traverses OSI Layer 3. If the attack vector's metric value is "adjacent network," it indicates that the vulnerable component is bound to the network stack, but the attack is limited to the same shared physical network and cannot operate outside the OSI Layer 3 boundary. If the attack vector's metric value is "local," it indicates that the vulnerable component is not bound to the network stack, and the attacker's path is achieved through read / write execution capabilities.
[0095] If the attack vector's metric value is physical, it indicates that the attacker needs to actually touch or manipulate the vulnerable component.
[0096] A low attack complexity metric indicates the absence of specialized access conditions, allowing attackers to successfully exploit vulnerable components multiple times. A high attack complexity metric indicates that successful attacks are not easily accomplished; attackers must prepare or perform specific actions against vulnerable components.
[0097] If the metric value for permission requirements is zero, it indicates that the attacker does not need to obtain any settings or files to carry out the attack.
[0098] A low metric value for permission requirements indicates that an attacker needs basic user privileges. A high metric value indicates that an attacker needs permissions to perform critical controls on the vulnerable component.
[0099] If the user interaction metric is "none," it indicates that the vulnerable system can be exploited without any user interaction. If the user interaction metric is "needed," it indicates that successful exploitation of the vulnerability requires some action from the user before the vulnerability can be exploited.
[0100] If the scope's metric value is fixed, it indicates that the vulnerable component and the affected component are the same component. If the scope's metric value changes, it indicates that the vulnerable component and the affected component are not the same component, and the exploited vulnerability can affect resources beyond the vulnerable component.
[0101] If the confidentiality metric is zero, it indicates that the confidentiality within the affected component has not been compromised. If the confidentiality metric is low, it indicates a loss of some confidentiality. If the confidentiality metric is high, it indicates a complete loss of confidentiality, and an attacker can obtain information from the component.
[0102] If the integrity metric is zero, it indicates that the integrity within the affected component has not been compromised. If the integrity metric is low, it indicates that an attacker can modify the data, but the modification may not meet the attacker's expectations.
[0103] If the integrity metric is high, it indicates that the integrity has been completely destroyed.
[0104] If the availability metric is zero, it indicates that there is no impact on the availability within the affected component. If the availability metric is low, it indicates that the attack will cause performance degradation or disrupt resource availability. If the availability metric is high, it indicates that availability is completely lost.
[0105] The following table shows the results of searching for corresponding vulnerabilities on NVD using keywords from commonly used control systems:
[0106] Keywords Vulnerability search results SCADA 333 DCS 140 SHMI 260 PLC 272
[0107] As attached Figure 4As shown, the B5G Industrial Internet risk value described in this article is used to describe the probability of a security incident occurring and the degree of its impact on the system when subjected to an attack / threat. According to GB / T 20984-2022 "Information Security Risk Assessment Methods," the risk value can be calculated from the probability of a security incident occurring and the losses caused by it. The probability of a security incident occurring is calculated based on threat assignment and vulnerability assessment; the losses caused by a security incident are calculated based on asset value and the degree of impact. The risk value can be calculated using the following formula:
[0108] R = R(L(T,Av),F(Vc,Di))
[0109] Where L represents the probability of a security incident occurring, F represents the loss caused by a security incident, T represents the threat value, Av represents the ease with which a vulnerability can be exploited, Vc represents the asset value, and Di represents the degree of impact.
[0110] For threat assignment, threat frequency can generally be used to quantify the threat, as shown in the table below:
[0111]
[0112] The ease with which a vulnerability can be exploited is used to quantify system vulnerabilities. Typical quantification results are shown in the table below:
[0113] grade logo definition 5 Very high Even after control measures are implemented, vulnerabilities can still be easily exploited. 4 high Once control measures are implemented, vulnerabilities are more easily exploited. 3 medium After control measures are implemented, the vulnerability is generally not easily exploited. 2 Low Once control measures are implemented, vulnerabilities are difficult to exploit. 1 Very low Once control measures are implemented, the vulnerability is virtually impossible to exploit.
[0114] Unit asset value is the result of a comprehensive analysis and quantification of an asset's importance, confidentiality, integrity, availability, etc., and is generally shown in the table below:
[0115]
[0116] The degree of impact refers to the extent to which a security incident caused by the exploitation of a vulnerability results in a significant damage to asset value. The general values are shown in the table below:
[0117] grade logo definition 5 Very high If the vulnerability is exploited, it could cause particularly significant damage to the assets. 4 high If vulnerabilities are exploited, they could cause significant damage to assets. 3 medium If vulnerabilities are exploited, they will cause general damage to assets. 2 Low If the vulnerability is exploited, it will cause less damage to the assets. 1 Very low If vulnerabilities are exploited, the damage to assets will be negligible.
[0118] Sample Size Determination: Faced with attack / threat data from the B5G Industrial Internet, the first step is to conduct a comprehensive risk analysis of each component of the critical information system using the event tree method. This identifies all potential attacks / threats and determines their potential impact, forming a candidate sample library for attacks / threats. Secondly, parameter estimation methods are used to extract attack / threat samples from the candidate library, establishing a sample library that meets the requirements. During the extraction process, the number of attack / threat samples to be extracted is determined through constant-number testing, minimum acceptable value testing, and coverage adequacy testing. The total sample size is then determined by comprehensively considering these factors, and stratified sampling is performed according to the risk value ratio to establish a sample library that meets the requirements.
[0119] In parameter estimation calculation methods, the following methods can be used to determine the attack / threat sample size;
[0120] Regarding the attack / threat sample size, this application adopts the coverage adequacy test scheme method to determine the attack / threat sample size. The principle is to ensure that the constructed attack / threat sample library can fully cover all units and attack / threat patterns in the B5G Industrial Internet, thereby achieving the requirement of comprehensively evaluating its security protection capabilities. The sample size calculation formula based on coverage adequacy is as follows:
[0121]
[0122]
[0123] In the formula, n i R is the number of samples assigned to the i-th attack / threat pattern. i R0 is the risk value of the i-th attack / threat pattern, n is the sample size, and m is the total number of attack / threat patterns covered.
[0124] To prevent the determined sample size from being too small and failing to meet the evaluation requirements, a minimum sample size calculation and comparison should be performed. The formula for calculating the minimum sample size for a given confidence level C is as follows:
[0125]
[0126] Where n′ is the minimum sample size and q1 is the minimum acceptable pass rate.
[0127] Once the sample size is determined, the risk value of each identified attack / threat candidate sample can be calculated, and the values can be reasonably divided into four categories: catastrophic, major, minor, and significant. The proportion of each risk category in the candidate sample pool is calculated, and then stratified sampling is used to select attack / threat samples, ensuring that the required samples are selected according to the proportion of each risk category. The specific formula for calculating the sample size is as follows:
[0128]
[0129] Where n represents the total number of attack / threat samples to be extracted, n i This represents the number of samples to be drawn in stratified sampling of the i-th category. N represents the total number of candidate samples obtained from the statistical analysis. i This represents the number of samples in the i-th category out of the total sample size. The stratified sampling model is shown in the attached diagram. Figure 5 As shown.
[0130] The existing attack / threat sample library cannot meet the relevant requirements of this application regarding risk value calculation. Therefore, based on the above calculation process, vulnerability information in the NVD library is compiled to design an attack / threat library. The header information of the attack / threat library is shown in the table below:
[0131]
[0132] Step 3: Multi-dimensional network security measurement of B5G industrial internet. This step mainly includes three aspects: security incident hit rate assessment, security level assessment, and system security health index assessment to measure the security of B5G industrial internet in multiple dimensions.
[0133] This study assesses the application of B5G industrial internet in attack / threat pattern detection, identifies undetected attack / threat patterns, analyzes the effectiveness of attack / threat detection, and estimates the security incident hit rate. The point estimation formula for the security incident hit rate is shown below; where S is the security incident hit rate, S... i Let n be the risk value of suffering the i-th attack, and n be the total number of attacks / threats. e The number of attacks / threats that can be detected by the system and elicit a response, S i S represents the risk value of suffering the i-th attack. ej The risk value (S) of the attack when the system receives the j-th attack and generates a response. ej For the j-th system, this represents the attack risk value at the time of the system's response to an attack.
[0134]
[0135] The formula for calculating the confidence interval of the security incident hit rate index is shown below, where n is the total number of attacks / threats. ne s represents the number of responses after an attack / threat. L For the two-sided confidence lower limit, s U is the upper limit of confidence for both sides, and c is the confidence level.
[0136]
[0137]
[0138] Traditional B5G industrial internet security measurement systems employ a composite inspection-based security assessment approach. Relying on static composite inspections, this approach fails to comprehensively capture attack threats, neglects attack countermeasures, and presents an overly idealized assessment that is disconnected from real-world attack scenarios. Furthermore, traditional measurement methods do not consider multiple levels of attack threats, such as system availability and physical device operation, limiting system security to data confidentiality and failing to comprehensively assess potential risks. This patent proposes a red team / blue team-based security assessment process, designing a vulnerability exploitation program to perform security assessments on B5G industrial internet systems. The process is detailed in the attached document. Figure 6 As shown. First, prepare defense and protection capability tests, establish a vulnerability sample set, determine the sample size based on the principle of coverage sufficiency, and make a judgment by comparing parameter estimates with indicators. Second, specify the defense and protection capability test outline, specifying information such as the candidate vulnerability sample set, vulnerability attack operation procedures, and defense and protection capability test requirements. Design vulnerability attack operation procedures, clarifying the specific operation procedures for simulating attacks and reversals for each vulnerability sample in the vulnerability sample set. Then, conduct tests, record the original system diagnostic output information before, after, and after vulnerability attacks, and perform data analysis and evaluation. Analyze the results, adjust the design based on feedback, and repeat the experiment.
[0139] Security assessment investigates the coverage of B5G industrial internet defense models by attacks / threats, identifies uncovered defense models, analyzes the effectiveness of attack / threat defenses, identifies existing problems, and estimates the security level. The point estimation formula for the security index is as follows: where P is the point estimate value of the security parameter. i Let P be the risk value of the attack when the system suffers the i-th attack and generates a response. i For the i-th system, which suffers an attack and generates a response, P represents the corresponding attack risk value at the time of the system's response. kj Let P be the risk value of the attack when the system is subjected to the j-th attack and its defenses are activated. kj For the j-th system subjected to an attack and defense is initiated, the corresponding attack risk value at the time the defense is initiated, n e n represents the number of attacks / threats that can be detected by the system and elicit a response. d The number of attacks / threats that can trigger system defenses;
[0140]
[0141] The formula for calculating the confidence interval of the safety index is as follows, where n e n represents the number of attacks / threats that can be detected by the system and elicit a response. dn is the number of attacks / threats that can trigger system defenses. e n d P L P is the lower confidence limit for two-sided confidence. U is the upper limit of confidence for both sides, and c is the confidence level.
[0142]
[0143]
[0144] The formula for calculating the system safety and health index is as follows:
[0145]
[0146] Where S is the estimated hit rate of security incidents, and P is the estimated security level. max P represents the theoretical maximum hit rate of security incidents. max S represents the theoretical maximum value of the safety factor. max With P max The default value is 1. The estimated value of the system security health index is the ratio of the product of the estimated system security event hit rate and the estimated security level to the product of the theoretical maximum value of the system security event hit rate and the theoretical maximum value of the security level. It can be used to measure the comprehensive capability of system security detection and security protection under the influence of attacks / threats.
[0147] As attached Figure 7 As shown, a coordinate system can be used to comprehensively analyze the three parameters. The security event hit rate is represented by the x-axis, and the security level by the y-axis, with both x and y axes ranging from (0,1). Based on the x and y value ranges, the coordinate values can be divided into four blocks, each representing a characteristic of a B5G industrial internet security system. Based on the coordinate system block corresponding to a particular system's (x,y) value, it can be categorized for easier subsequent adjustments and updates. The locations and definitions of each block are shown in the table below:
[0148] Block location The range corresponding to (x,y) Block characteristics Top left <![CDATA[x<x0,y>y0]]> Low incident hit rate; high level of security Bottom left <![CDATA[x<x0,y<y0]]> Low security incident hit rate, high security level Top right <![CDATA[x>x0,y>y0]]> High security incident hit rate, high level of security Bottom right <![CDATA[x>x0, y<y0]]> High incident hit rate, low security level
[0149] Where x0 is the standard value of the security event hit rate and y0 is the standard value of the security level. x0 and y0 can be selected according to the actual application scenario. Generally, x0 = 0.85 and y0 = 0.85 are selected.
[0150] Traditional B5G industrial internet security measurement systems only evaluate individual dimensions of the B5G industrial internet system, without considering the overall security protection effect. They primarily employ rule-based network security assessment methods or combine existing assessment standards or expert experience to conduct network security ratings. The security measurement system proposed in this patent, while fully considering the security assessment of each dimension, incorporates the comprehensive security detection and protection capabilities of the B5G industrial internet, adopting a multi-dimensional B5G industrial internet security measurement system. (Appendix) Figure 8 This is a schematic diagram of the B5G Industrial Internet Security Measurement System, illustrating the entire process from risk value calculation to sample extraction, sample library establishment, and finally, the establishment of a security measurement index system.
[0151] The above embodiments are only used to illustrate the present invention and are not intended to limit the present invention. Those skilled in the art can make various changes and modifications without departing from the essence and scope of the present invention. Therefore, all equivalent technical solutions also fall within the scope of the present invention. The scope of patent protection of the present invention should be defined by the claims.
[0152] The contents not described in detail in this specification are existing technologies known to those skilled in the art.
Claims
1. A method for multi-dimensionally evaluating the security of B5G industrial internet, characterized in that, Includes the following steps: Step 1: Select a B5G industrial internet application scenario; Step 2: Analyze the security risk elements and requirements of B5G industrial internet; Step 3: Construct a B5G industrial internet security measurement index system, including security incident hit rate, security level, and system security health index; Step 4: Construct a B5G industrial internet attack / threat sample library, including exploitable vulnerability identification, risk analysis, sample size determination, sample library sampling, and attack library establishment; Step 5: Conduct multi-dimensional network security measurements for B5G industrial internet, including security incident hit rate assessment, security level assessment, system security health index assessment, and comprehensive analysis; The sample size is determined specifically as follows: The attack / threat sample size is determined using a coverage adequacy test scheme method; the sample size calculation formula based on coverage adequacy is as follows: ; ; In the formula, For the first The number of samples allocated to each attack / threat pattern. For the first Risk value for each attack / threat pattern As the benchmark risk value, For sample size, To cover the total number of attack / threat patterns; Through formula To perform minimum sample size calculations and comparisons; In the formula, To minimize the sample size, This represents the minimum acceptable pass rate. The confidence level is determined based on the actual situation. After determining the sample size, the risk values of each determined attack / threat candidate sample are statistically analyzed, and the values are reasonably divided into four categories: catastrophic, major, general, and minor based on the specific results of the risk values. To determine the proportion of each of the above sample types in the candidate sample pool, a stratified sampling method was used, employing the formula... Perform attack / threat sample selection to ensure that the required samples can be selected according to the proportion of each risk category; In the formula, n represents the total number of samples to be drawn. Indicates the first The number of samples in each category, where N represents the total number of samples obtained from the statistics. Indicates the first The number of samples to be drawn from each category.
2. The method for multi-dimensional evaluation of B5G industrial internet security according to claim 1, characterized in that, The specific requirements for selecting B5G industrial internet application scenarios and analyzing B5G industrial internet security risk factors are as follows: Extract and analyze indicators for the operation and environment of B5G industrial internet; The security incident hit rate is used to measure data stream tampering, abnormal network traffic, and the number of vulnerabilities. The security level is used to measure attack / threat protectability, network vulnerability, and security operation. The system security health index is calculated from the security incident hit rate and security level, and is used to measure the network's comprehensive security protection capabilities.
3. The method for multi-dimensional evaluation of B5G industrial internet security according to claim 1, characterized in that, The security incident hit rate assessment specifically includes: The study evaluates the application of B5G industrial internet in attack / threat pattern detection and identifies undetected attack / threat patterns. Analyze the effectiveness of attack / threat detection using formulas. Perform point estimation calculations for the security incident hit rate index; In the formula, To improve the hit rate of security incidents, For suffering the first The risk value of an attack. Let be the risk value of the attack when the system receives the j-th attack and generates a response. Total number of attacks / threats The number of attacks / threats that can be detected by the system and elicit a response; The formula for calculating the confidence interval of the security incident hit rate index is as follows: ; ; In the formula, Total number of attacks / threats The number of attacks / threats that can be detected by the system and elicit a response. This is the lower confidence limit for both sides. This is the upper limit of confidence for both sides. , where is the confidence level.
4. The method for multi-dimensional evaluation of B5G industrial internet security according to claim 1, characterized in that, The security assessment process is as follows: Establish a vulnerability sample set, determine the sample size based on the principle of coverage sufficiency, and make a judgment by comparing the parameter estimates with the indicators; Specify the defense and protection capability testing outline, and describe the candidate vulnerability sample set, vulnerability attack operation procedure requirements, and defense and protection capability testing requirements; Design vulnerability attack operation procedures, and clarify the specific operation procedures for simulating attacks and reversing attacks on each vulnerability sample in the vulnerability sample set; Conduct tests, record the original system diagnostic output information before, after and after the vulnerability attack, and perform data analysis and evaluation.
5. The method for multi-dimensional evaluation of B5G industrial internet security according to claim 1, characterized in that, The specific safety index assessment is as follows: Through formula Calculate the point estimate of the safety index. In the formula, For the safety point estimate, For the first The risk value of the attack when the system generates a response. Let be the risk value of the attack when the system activates its defenses after suffering the j-th attack. The number of attacks / threats that can be detected by the system and elicit a response. This refers to the number of attacks / threats that can trigger system defenses; the formula for calculating the confidence interval of the security index is: ; ; In the formula, The number of attacks / threats that can be detected by the system and elicit a response. The number of attacks / threats that can trigger system defenses. This is the lower confidence limit for both sides. For two-sided confidence limits, , where is the confidence level.
6. The method for multi-dimensional evaluation of B5G industrial internet security according to claim 1, characterized in that, The system safety and health index is analyzed using security incident hit rate and security level indicators. The calculation formula is as follows: ; in, S This is an estimate of the security incident hit rate. P This is a safety estimate. This represents the theoretical maximum hit rate for security incidents. The maximum theoretical value of safety. and The default value is 1.
7. The method for multi-dimensional evaluation of B5G industrial internet security according to claim 6, characterized in that, The system safety and health index analysis is performed on a two-dimensional coordinate axis, where the x-axis represents the estimated hit rate of security events and the y-axis represents the estimated safety level point. The coordinate range is (0,1). The position of the (x,y) point represents the relative strength of the security event detection hit rate and protection capability of the B5G industrial internet security system. The coordinate system is classified according to the horizontal and vertical coordinate values to represent safety systems with different characteristics; The ratio of the product of the horizontal and vertical coordinate values to the product of the maximum values of the horizontal and vertical coordinates is the system safety and health index, which represents the overall strength of the safety protection capability.