An industrial internet vulnerability fingerprint construction method
By collecting security data from multiple sources to construct vulnerability fingerprints, and combining dynamic behavior and static state characteristics, the problem of accuracy and false alarm rate in vulnerability risk identification in the industrial internet is solved, and a unified representation and dynamic update of vulnerability risks are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- 北京中关村实验室
- Filing Date
- 2026-04-20
- Publication Date
- 2026-07-07
Smart Images

Figure CN122053262B_ABST
Abstract
Description
Technical Field
[0001] This application belongs to the field of industrial internet security technology, and specifically relates to a method for constructing industrial internet vulnerability fingerprints. Background Technology
[0002] With the development of the Industrial Internet, the Industrial Internet of Things, and intelligent manufacturing, a large number of industrial entities, such as controllers, edge gateways, industrial servers, human-machine interfaces, sensors, and actuators, are connected to the network, gradually forming an interconnected environment across devices, protocols, and regions in industrial sites. At the same time, the software components, open interfaces, protocol services, and remote maintenance capabilities of industrial entities are constantly increasing, making industrial networks more vulnerable to vulnerability exposure and attack risks.
[0003] Among existing industrial internet security technologies, one type of solution primarily focuses on anomaly behavior detection, such as identifying abnormal activity based on network traffic, protocol characteristics, system calls, or command sequences. This type of solution can detect behavioral anomalies, but it often struggles to further determine whether the anomaly is related to an exploitable vulnerability. Another type of solution focuses on vulnerability knowledge management, such as establishing vulnerability databases, component vulnerability mapping relationships, or vulnerability knowledge graphs. This type of solution can describe what vulnerabilities exist, but it struggles to determine whether the vulnerability is realistically exploitable in conjunction with the current operational state of the industrial entity. A third type of solution obtains attack behavior through honeynets, sandboxes, or simulation environments, but it typically fails to establish a unified correlation with the static state, real-time behavior, and vulnerability conditions of a specific industrial entity.
[0004] The Industrial Internet scenario has distinct characteristics. Whether many behaviors constitute security risks is closely related to the current version of the equipment, its configuration status, the services available, its operating conditions, and the stage of the process. For example, the same set of protocol interactions may be considered abnormal in the automated production stage, but normal maintenance operations in the inspection stage. Therefore, relying solely on existing static vulnerability information or simple abnormal behavior analysis is insufficient to accurately construct the vulnerability risk characteristics of industrial entities. Summary of the Invention
[0005] To address the insufficient accuracy of vulnerability risk detection in existing technologies—namely, the disconnect between abnormal behavior and vulnerability risk, the difficulty in unifying static vulnerabilities with runtime evidence, the high false positive rate in industrial scenarios, and the lack of a verification loop—this application proposes an industrial internet vulnerability fingerprint construction method, including:
[0006] Collect multi-source security data of target industrial internet entities and extract security event features from the multi-source security data. The security event features include dynamic behavior features and static state features.
[0007] When abnormal behavior events are identified based on security event characteristics, candidate vulnerabilities of the target industrial internet entity are obtained based on static state characteristics, and a vulnerability exploitation evidence chain between the abnormal behavior events and the candidate vulnerabilities is constructed to determine the exploitation probability of the candidate vulnerabilities.
[0008] Based on static state characteristics, risk verification is performed on target industrial internet entities to obtain configuration risks, and the degree of exposure is determined based on the logical position of static state characteristics in the network topology.
[0009] The dynamic risk value of the target industrial internet entity is calculated by combining probability with vulnerability scoring, configuration risk, and exposure level.
[0010] Based on security incident characteristics, candidate vulnerabilities, vulnerability exploitation evidence chains, and dynamic risk values, vulnerability fingerprints are constructed for target industrial internet entities.
[0011] As a preferred implementation, the process for identifying abnormal behavioral events includes:
[0012] Based on the characteristics of security incidents, determine the normal behavior model of the target industrial internet entity under the current working conditions;
[0013] The differences between dynamic behavioral characteristics and normal behavioral characteristics in the normal behavior model are calculated.
[0014] If the difference results meet the preset anomaly judgment conditions, an abnormal behavior event is identified.
[0015] As a preferred implementation, the process for identifying abnormal behavioral events further includes:
[0016] Generate context constraint information based on context labels;
[0017] The normal behavior model is determined based on static state characteristics and contextual constraint information.
[0018] As a preferred implementation method, determining the exploit probability of a candidate vulnerability includes:
[0019] The intensity of behavioral abnormality is determined based on the degree to which dynamic behavioral characteristics deviate from the normal behavioral model;
[0020] Dynamic behavioral features are time-series transformed into behavioral feature sequences, and the similarity between the behavioral feature sequences and the code feature sequences of candidate vulnerabilities is obtained. The code feature sequences are obtained by behavioral extraction based on code samples of candidate vulnerabilities.
[0021] The degree to which the conditions for triggering the vulnerability exploitation evidence chain are met by obtaining dynamic behavioral characteristics, and combined with the intensity and similarity of behavioral anomalies, the exploitation probability of candidate vulnerabilities is obtained.
[0022] As a preferred implementation method, the process of obtaining candidate vulnerabilities includes:
[0023] Obtain one or more static status characteristics of the target industrial internet entity, including device type, manufacturer information, model information, firmware version, software version, open ports, enabled services, patch status, authentication configuration, and security baseline status.
[0024] Match static state characteristics with the applicable conditions of each vulnerability entry in the pre-built vulnerability knowledge base;
[0025] Vulnerability entries that meet all or a preset percentage of the criteria are identified as candidate vulnerabilities for the target industrial internet entity.
[0026] As a preferred implementation method, the process of constructing the chain of evidence for vulnerability exploitation includes:
[0027] Read the vulnerability knowledge templates of each candidate vulnerability from the pre-built vulnerability knowledge base. The vulnerability knowledge template includes one or more of the following: vulnerability existence conditions, vulnerability exploitation prerequisites, detection behavior characteristics, exploitation behavior characteristics, and characteristics affecting the results.
[0028] Based on vulnerability knowledge templates, vulnerability evidence is extracted from static state characteristics. Vulnerability evidence includes one or more of the following: existence evidence, exploitation premise evidence, detection evidence, exploitation evidence, and impact evidence.
[0029] Based on the chronological order and logical relationships, abnormal behavior events are sequentially spliced and logically correlated with corresponding candidate vulnerabilities and vulnerability evidence to generate a vulnerability exploitation evidence chain.
[0030] As a preferred implementation method, the configuration risk is identified, including:
[0031] Based on static state characteristics, a safety baseline check is performed to obtain a risk score for each risk item;
[0032] The risk is calculated by weighting each risk score.
[0033] As a preferred implementation method, the process of obtaining dynamic risk values includes:
[0034] By non-linearly activating the exposure level, configuration risk, and exploit probability, the achievable extent of vulnerability exploitation can be obtained.
[0035] The confidence level of the vulnerability exploitation evidence chain is obtained based on the evidence completeness rate and feature matching degree. The evidence completeness rate is the ratio of the number of valid evidence types to the total number of evidence categories. The feature matching degree is obtained by sequence comparison between dynamic behavioral features and exploitation behavioral features in the vulnerability knowledge template.
[0036] Based on the confidence level of the vulnerability exploitation evidence chain, obtain the propagation confidence level and entropy correction value of the vulnerability exploitation evidence chain;
[0037] The vulnerability score, vulnerability exploitability, and propagation confidence are geometrically coupled and nonlinearly modulated using an entropy correction value to obtain a dynamic risk value.
[0038] As a preferred implementation method, the vulnerability fingerprint construction process includes:
[0039] Summarize the dynamic behavior features and static state features respectively, wherein the summarization operation can be implemented using any one of hash digest, encoding mapping or feature compression;
[0040] The evidence chain for vulnerability exploitation is represented in a chain form by extracting key nodes, sequence compression, or structured encoding.
[0041] A vulnerability fingerprint is constructed from the target industrial internet entity identifier, dynamic behavioral feature summary, static state feature summary, candidate vulnerability identifier, chain representation of vulnerability exploitation evidence chain, and dynamic risk value.
[0042] As a preferred implementation, the dynamic behavior characteristics include at least one of protocol type, function code, message direction, and request-response delay.
[0043] Compared with the prior art, the technical solution provided in this application has at least one of the following beneficial effects:
[0044] By collecting multi-source security data from target industrial internet entities, extracting dynamic behavioral features and static state features, and further using both for vulnerability fingerprint construction, this application integrates static state and dynamic behavior to achieve a unified representation of vulnerability risks. This provides a more comprehensive description of the actual security posture of industrial internet entities and improves the completeness of vulnerability risk representation. By associating abnormal behavioral events with candidate vulnerabilities and constructing vulnerability exploitation evidence chains, the interpretability and verifiability of vulnerability identification results are improved, reducing false positive rates. Risk verification is performed based on static state features, and the exposure level is determined by combining the logical location in the network topology. Then, the dynamic risk value is calculated by integrating exploitation probability, vulnerability score, configuration risk, and exposure level. This allows the vulnerability fingerprint to be dynamically updated according to changes in device status, network environment, and attack evidence, making it more suitable for the complex operating scenarios of the industrial internet. By incorporating security event features, vulnerability exploitation evidence chains, and dynamic risk values into the vulnerability fingerprint structure, a unified data foundation is provided for subsequent vulnerability localization, risk classification, verification and handling, and continuous updates, improving the precision of industrial internet security management. This application integrates the static state, dynamic behavior, and vulnerability exploitation evidence of industrial internet entities, improving the accuracy, interpretability, and verifiability of industrial internet vulnerability identification. Attached Figure Description
[0045] Other features, objects, and advantages of this application will become more apparent from the following detailed description of non-limiting embodiments with reference to the accompanying drawings:
[0046] Figure 1 This is a flowchart of an industrial internet vulnerability fingerprint construction method provided in one embodiment of this application;
[0047] Figure 2 This is a system block diagram of an industrial internet vulnerability fingerprinting system provided in one embodiment of this application;
[0048] Figure 3 This is a schematic diagram of the structure of a computer system used to implement the methods, systems, and electronic devices of this application. Detailed Implementation
[0049] The present application will now be described in further detail with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the invention. Furthermore, it should be noted that, for ease of description, only the parts relevant to the invention are shown in the accompanying drawings.
[0050] It should be noted that, unless otherwise specified, the embodiments and features described in this application can be combined with each other. This application will now be described in detail with reference to the accompanying drawings and embodiments.
[0051] This application provides a method for constructing an industrial internet vulnerability fingerprint. It collects multi-source security data of a target industrial internet entity and extracts security event features from this data. These security event features include dynamic behavioral features and static state features. When abnormal behavioral events are identified based on these security event features, candidate vulnerabilities of the target industrial internet entity are obtained based on the static state features. An exploitation evidence chain between the abnormal behavioral events and the candidate vulnerabilities is constructed to determine the exploit probability of the candidate vulnerabilities. Based on the static state features, a risk check is performed on the target industrial internet entity to obtain configuration risks, and the exposure level is determined based on the logical position of the static state features in the network topology. The dynamic risk value of the target industrial internet entity is calculated based on the exploit probability combined with vulnerability scoring, configuration risks, and exposure level. Finally, a vulnerability fingerprint of the target industrial internet entity is constructed based on the security event features, candidate vulnerabilities, the vulnerability exploitation evidence chain, and the dynamic risk value. This application integrates the static state, dynamic behavior, and vulnerability exploitation evidence of industrial internet entities, improving the accuracy, interpretability, and verifiability of industrial internet vulnerability identification.
[0052] To more clearly explain the industrial internet vulnerability fingerprint construction method of this application, the following will be combined with... Figure 1The steps in the embodiments of this application are described in detail.
[0053] The first embodiment of this application provides a method for constructing industrial internet vulnerability fingerprints, including steps S10-S50, each of which is described in detail below:
[0054] Step S10: Collect multi-source security data of the target industrial internet entity and extract security event features from the multi-source security data. The security event features include dynamic behavior features and static state features.
[0055] Optionally, the target industrial internet entity is a physical object in the industrial production environment that can be sensed, connected, digitized, and participate in intelligent collaboration, such as production equipment and end products. The target industrial internet entity collects its own status data in real time, such as temperature, vibration, and location, as well as operational data, such as power on / off status, runtime, and cumulative energy consumption, through built-in or external sensors, controllers, and network modules, and uploads it to the industrial internet platform.
[0056] In this embodiment of the application, an industrial edge gateway is used as the target industrial internet entity, and the process of constructing its vulnerability fingerprint is described.
[0057] Optionally, multi-source security data may include network communication data (e.g., Modbus / TCP protocol interaction records), device operation data (e.g., CPU / memory utilization), static asset data (e.g., firmware version, open ports), and external vulnerability intelligence data. Network communication data is used to characterize the protocol interaction process of industrial entities, device operation data is used to characterize the resource and service status of industrial entities, static asset data is used to characterize the type, version, and configuration of industrial entities, and external vulnerability intelligence data is used to characterize vulnerability numbers, scope of impact, and exploitation conditions.
[0058] In this embodiment, the collected multi-source security data can be synchronized in time, aligned to entities, and fused to generate security event features. Security event features are structured collections containing multiple fields, for example... .
[0059] As an example, time synchronization can be achieved by using a unified clock source to unify the time of different data sources to the same time base; entity alignment can be achieved by mapping entity identifiers to identify data from different data sources that point to the same industrial entity; and event fusion can be achieved by association and fusion, that is, merging events based on conditions such as time proximity, consistent entity identifiers, consistent protocols, and consistent sessions, merging data from multiple data sources that describe the same security behavior into a single multi-source security data.
[0060] In one embodiment of this application, security event characteristics include dynamic behavior characteristics and static state characteristics.
[0061] Specifically, dynamic behavioral characteristics can be extracted based on communication events, command events, and response events within a preset time window, such as protocol type, function code, message direction, and request / response latency; static state characteristics can be extracted based on information such as device type, manufacturer information, model information, firmware version, software version, open ports, enabled services, patch status, authentication configuration, and security baseline status.
[0062] By integrating the static state characteristics and dynamic behavior characteristics of target industrial internet entities into the analysis framework through security event features, and jointly modeling static state and dynamic behavior, the current state and actual operation behavior of industrial entities can be reflected simultaneously. This avoids judgment bias caused by relying on only a single dimension of information and improves the completeness of vulnerability risk identification.
[0063] Step S20: In the case of identifying abnormal behavior events based on security event characteristics, candidate vulnerabilities of the target industrial internet entity are obtained based on static state characteristics, and a vulnerability exploitation evidence chain between the abnormal behavior events and the candidate vulnerabilities is constructed to determine the exploitation probability of the candidate vulnerabilities.
[0064] Optionally, firstly, the normal behavior model of the target industrial internet entity under the current operating conditions is determined based on the characteristics of the security event. Then, the difference between the dynamic behavior characteristics and the normal behavior characteristics in the normal behavior model is calculated. When the difference result meets the preset anomaly judgment conditions, an abnormal behavior event is identified.
[0065] As one possible implementation method, a normal behavior model matching the corresponding operating conditions is constructed based on the characteristics of security events collected during historical normal operation. This normal behavior model can employ statistical models, clustering models, sequence models, rule models, or combinations thereof to characterize the normal dynamic behavior patterns of target industrial internet entities under a preset operating environment.
[0066] For example, when the equipment is in automatic operation, the normal behavior model is used to characterize behavior patterns such as periodic reporting and fixed control command interaction. The normal behavior model under the corresponding working condition can be constructed by clustering model, statistical model or a combination of both. When using clustering model, each cluster obtained by clustering represents a normal behavior. When using statistical model, the range and / or frequency of normal behavior are described by statistical distributions such as mean, variance, and frequency.
[0067] For example, when the equipment is under maintenance, the normal behavior model is used to characterize behavior patterns such as remote login, configuration reading, and firmware upgrade requests. The normal behavior model under the corresponding working conditions can be constructed by a sequence model, such as at least one of Hidden Markov Model, LSTM Model, and Transformer Sequence Model, to describe the normal instruction sequence and / or normal interaction process.
[0068] For example, when a device is in a standby state, a normal behavior model is used to characterize behavioral patterns such as a small number of heartbeat packets or state keep-alive. A normal behavior model for the corresponding operating condition can be constructed using rule models, statistical models, sequence models, or a combination thereof to describe the types of interactions, frequency of occurrence, and sequence relationships that are allowed to occur in this state.
[0069] When determining the normal behavior model, the static state characteristics of the target industrial internet entity are precisely matched in the model library to find if there is a completely identical static state characteristic. For example, if the target industrial internet entity is an edge gateway and the static state characteristic is version number V2.1, the normal behavior model specifically built for devices such as "V2.1 edge gateway" is searched in the model library. This normal behavior model contains the normal behavior patterns of the device under all possible operating conditions.
[0070] Furthermore, the normal behavior of industrial equipment varies significantly across different operational phases. For example, production involves periodic control commands, while maintenance involves numerous remote configuration and diagnostic commands. Applying a single model to all situations could generate a large number of false alarms. Therefore, in some embodiments, safety event characteristics also include context labels, such as operating states like automatic operation, maintenance, or standby. Accordingly, when constructing a normal behavior model based on historical operational data, it is also necessary to incorporate these context labels.
[0071] When determining the normal behavior model, contextual constraint information is generated based on context labels. The normal behavior model is then determined based on static state characteristics and contextual constraint information, resulting in a highly accurate normal behavior model for a specific device under specific operating conditions. For example, if the target industrial internet entity is an edge gateway, version V2.1, and is in automatic operation mode, then the normal behavior model corresponding to "Edge Gateway-V2.1-Automatic Operation" is invoked. Context labels improve the accuracy of behavior judgment under different operating conditions.
[0072] In some embodiments, if the current security event characteristics do not match the corresponding normal behavior model, the difference between the normal behavior model that is similar to the current state is calculated. If the difference is lower than the difference threshold, the similar normal behavior model is used as the corresponding normal behavior model to avoid false negatives caused by minor matching errors.
[0073] As an example, the edge gateway underwent a minor version upgrade, such as updating the firmware from V2.1.0 to V2.1.1. This update only fixed a few minor bugs, and the core functionality and normal communication behavior of the device remained almost unchanged. Because the version number field changed, the newly calculated static state characteristics differed from the older V2.1.0, thus failing to provide an accurate match.
[0074] The static state features are then converted into a fixed-length binary string using the Locality-Sensitive Hashing (LSH) algorithm. The LSH binary strings corresponding to the static state features of normal behavior models in the model library are traversed, and Hamming distance is calculated between them. The smaller the distance, the lower the dissimilarity. If one or more normal behavior models with Hamming distances less than the dissimilarity threshold are found, they are taken as the normal behavior model corresponding to the current security event feature. As an example, the dissimilarity threshold can be set to 3.
[0075] During model matching, the differences between dynamic behavioral features and normal behavioral features in the normal behavior model are calculated. These differences can be calculated based on feature vector distance, sequence matching distance, or statistical deviation values. When the difference results meet preset anomaly detection criteria, it indicates the presence of an abnormal behavioral event.
[0076] Among them, the preset anomaly judgment condition is the judgment standard for excessive difference. It is set according to the actual working conditions. For example, if Euclidean distance is used as the feature vector distance, then when the Euclidean distance exceeds the preset distance threshold of 3, there is an abnormal event.
[0077] This approach avoids misjudging legitimate behavior caused by switching operating conditions as abnormal behavior, thereby improving the accuracy of detection in industrial scenarios.
[0078] After identifying abnormal behavior events, the vulnerability knowledge base entries corresponding to the target industrial internet entity can be located based on static state characteristics, thereby obtaining candidate vulnerabilities.
[0079] Specifically, it can acquire one or more static status characteristics from device type, manufacturer information, model information, firmware version, software version, open ports, enabled services, patch status, authentication configuration, and security baseline status, and match the static status characteristics with the applicable conditions of each vulnerability entry in the pre-built vulnerability knowledge base, and identify the vulnerability entries that meet all or a preset proportion of the conditions as candidate vulnerabilities of the target industrial internet entity.
[0080] As an example, static state characteristics can be:
[0081] Device Model: Edge Gateway XYZ; Firmware Version: V2.1; Running Software Components: Web Server Component: Component A, Version 3.2; Data Acquisition Engine: Component B, Version 1.8; Remote Management Module: Component C, Version 4.5; Open Services and Ports: Service: Modbus / TCP, Port: 502; Service: Remote Web Management, Port: 443; Key Configuration Status: Remote Management Function: Enabled; Default Password Status: Modified; Security Patch Level: 2025-Q4.
[0082] It should be noted that the pre-built vulnerability knowledge base is a structured and continuously updated global vulnerability database, such as the NVD (National Vulnerability Database). Each vulnerability in the database has a detailed feature profile, such as a general vulnerability scoring system score, impact type, and remediation reference.
[0083] As an example, the vulnerability ID is CVE-2026-12345; the vulnerability name is Component A Remote Code Execution Vulnerability; the affected products are Component A, and the affected versions are 3.0 to 3.5; the exploitation prerequisites are network reachability (the device hosting Component A must have port 443 open), configuration requirements (the device's remote management function must be enabled), and the attack pattern characteristics are: the exploit sends a malicious HTTPS request with a specific format.
[0084] The static state characteristics are matched against the applicable conditions of each vulnerability entry in the vulnerability knowledge base. For example, if the static state characteristics of the edge gateway include running component A, version 3.2, and version 3.2 falls within the affected version range of component A affected by the vulnerability, then the match is successful, satisfying all vulnerability entries within the affected range. If the edge gateway's open services and port list includes port 443, and the remote management function is "enabled" in the edge gateway's critical configuration status, then all vulnerability entries satisfy the exploit prerequisites. At this point, the vulnerability information with vulnerability number CVE-2026-12345 is added as a candidate vulnerability to the edge gateway's newly created candidate vulnerability list.
[0085] In some embodiments, vulnerability entries that meet a preset ratio condition can also be identified as candidate vulnerabilities of the target industrial internet entity. For example, vulnerability entries that meet 90% of the conditions can also be identified as candidate vulnerabilities.
[0086] Understandably, being identified as a candidate vulnerability means that the target industrial internet entity possesses all or a high proportion of the static conditions that could be attacked by the corresponding vulnerability. Although the attack may not necessarily occur, for example, the attacker may not have discovered the target yet, or there may be other firewalls blocking it on the network, the target industrial internet entity is already a high-risk entity.
[0087] Furthermore, a chain of evidence for vulnerability exploitation is constructed between the abnormal behavior events and the candidate vulnerabilities.
[0088] Specifically, vulnerability knowledge templates for each candidate vulnerability are read from a pre-built vulnerability knowledge base. These templates include one or more of the following: vulnerability existence conditions, vulnerability exploitation prerequisites, detection behavior characteristics, exploitation behavior characteristics, and impact characteristics. Based on the vulnerability knowledge templates, vulnerability evidence is extracted from static state characteristics. This evidence includes one or more of the following: existence evidence, exploitation prerequisite evidence, detection evidence, exploitation evidence, and impact evidence.
[0089] As an example, in automatic operation, the normal behavior model of an edge gateway expects only periodic communication between devices. When an HTTPS request from an external IP address is detected and sent to port 443 of the edge gateway, the event is identified as an abnormal behavior event through differential calculation.
[0090] Upon identifying abnormal behavior events, candidate vulnerabilities are determined based on the static state characteristics of the edge gateway. A vulnerability knowledge template is extracted for each candidate vulnerability, forming a feature profile of each vulnerability entry. Further, the static state characteristics are compared and linked with the vulnerability knowledge template to extract vulnerability evidence that satisfies the vulnerability entry. Existence evidence includes the detection of a component or version of the edge gateway that is attacked by a candidate vulnerability. For example, if the static state characteristics of the edge gateway include the running of component A, version 3.2, and this component version falls within the impact range of vulnerability CVE-2026-12345, then the running component and version constitute existence evidence. Additionally, port 443 of the edge gateway is open, and the remote management function of the edge gateway is enabled. The environmental conditions necessary for the exploitation of this candidate vulnerability are met, thus it is exploitable; these environmental conditions constitute the prerequisite evidence for exploitation. Detecting query commands or requests or sending slightly malformed packets and observing the error codes returned by the device indicates the presence of probing attack actions; the identified attack actions constitute the probing evidence. Capturing ongoing real attack behaviors or malicious payloads that match the characteristics of the candidate vulnerability indicates that an attack is occurring; these real attack behaviors or malicious payloads constitute the exploitation evidence. A sudden device interruption, restart, or performance anomaly, such as a sudden spike in CPU usage to 100% or the active sending of a large number of data packets to an unknown address, indicates that the candidate vulnerability has been successfully exploited, and the device state has undergone an unexpected change or negative consequence; this change or negative consequence constitutes the impact evidence.
[0091] Furthermore, based on the chronological order and logical relationships, the abnormal behavior events are sequentially spliced and logically correlated with the corresponding candidate vulnerabilities and vulnerability evidence to generate a vulnerability exploitation evidence chain.
[0092] The core of generating a vulnerability exploitation evidence chain lies in transforming discrete, multi-dimensional security data into an attack path with logical determinism. This process is mainly achieved through the concatenation of temporal features and logical causal relationships.
[0093] In one embodiment of this application, if the obtained evidence includes static attribute evidence, namely existence evidence and exploitation premise evidence, then the static attribute evidence is used as the root node of the vulnerability exploitation evidence chain and bound to the corresponding candidate vulnerability; if the obtained evidence includes dynamic event evidence, namely detection evidence, exploitation evidence and impact evidence, then the dynamic event evidence is used as a child node of the vulnerability exploitation evidence chain and needs to be associated according to time and logical relationship.
[0094] When attacked, abnormal behavior events do not exist in isolation, but exhibit obvious temporal linearity and logical correlation. Therefore, abnormal behavior events of the target industrial internet entity in the same attack context are linearly sorted according to their timestamps to construct a set of attack behaviors. Further, it is determined whether the event sequence in the set of attack behaviors conforms to the exploit logic of the corresponding candidate vulnerability. Through rule matching and causal inference, the events are bound with evidence to form a vulnerability exploitation evidence chain.
[0095] Among them, the same attack context refers to operations against the target industrial Internet initiated from the same source. It can be determined based on the source IP, destination IP, source port, destination port, protocol type, and industrial protocol session identifier. By linearly sorting abnormal behavior events with the same context characteristics according to their timestamps, a set of attack behaviors that reflect the evolution sequence of the attack can be constructed.
[0096] The vulnerability knowledge template for candidate vulnerabilities defines the behavioral characteristic rules necessary to exploit the vulnerability. Anomalous behavioral events from the attack behavior set are matched item by item against the vulnerability knowledge template. The time series set of successfully matched anomalous behavioral events serves as the initial vulnerability exploitation evidence chain. This initial chain preliminarily establishes the mapping relationship between anomalous behavioral events and candidate vulnerabilities.
[0097] Furthermore, in order to eliminate false alarms caused by system noise, accidental failures, or unrelated concurrent operations, a causal inference algorithm is used to verify the internal logical consistency of the initial vulnerability exploitation evidence chain, and to determine whether each abnormal event in the initial vulnerability exploitation evidence chain has a necessary causal relationship in the attack logic.
[0098] In one embodiment of this application, the causal inference model can be a dynamic Bayesian network or Granger causality analysis, which takes the initial vulnerability exploitation evidence chain as input and outputs causal inference results. The causal inference model is used to evaluate whether the abnormal behavior event is induced by the attack behavior that exploits the candidate vulnerability.
[0099] As an example, using the initial vulnerability exploit evidence chain as input, a dynamic Bayesian network is used to construct a structured graph structure or chain-like path from behavioral anomalies with significant causal relationships, eliminate spurious nodes, and obtain causal inference results.
[0100] Furthermore, if static attribute evidence exists, it is used as the root node of the vulnerability exploitation evidence chain and concatenated with the causal inference result to obtain a complete vulnerability exploitation evidence chain; if no static attribute evidence exists and only dynamic event evidence is included, the causal inference result is used as the vulnerability exploitation evidence chain.
[0101] Since the device has just undergone firmware update or downgrade, the static state characteristics have not yet been synchronized, or the vulnerability itself is unknown, resulting in the lack of static attribute evidence. However, significant dynamic event evidence has been detected, indicating that the target industrial internet entity has exhibited behavioral characteristics that conform to the vulnerability exploitation path, and is likely to have a vulnerability. Therefore, the corresponding vulnerability exploitation evidence chain should still be retained.
[0102] By constructing a chain of evidence for vulnerability exploitation, evidence such as device status meeting vulnerability conditions, abnormal behavior conforming to exploitation patterns, and attack paths being reachable can be unified, thereby providing a stronger basis for determining the probability of exploiting candidate vulnerabilities.
[0103] Furthermore, the exploit probability of candidate vulnerabilities is determined based on the vulnerability exploitation evidence chain.
[0104] Specifically, the intensity of behavioral anomalies is determined based on the degree to which dynamic behavioral characteristics deviate from the normal behavioral model; the dynamic behavioral characteristics are time-series converted into behavioral feature sequences, and the similarity between the behavioral feature sequences and the code feature sequences of candidate vulnerabilities is obtained, wherein the code feature sequences are obtained by behavioral extraction based on code samples of candidate vulnerabilities; the degree to which the conditions for triggering the vulnerability exploitation evidence chain by dynamic behavioral characteristics are met is obtained, and the exploitation probability of candidate vulnerabilities is obtained by combining the intensity of behavioral anomalies and similarity.
[0105] In one embodiment of this application, the intensity of behavioral anomaly can be obtained by calculating the degree to which dynamic behavioral features deviate from the normal behavioral features in the corresponding normal behavioral model. For example, the ratio of the Mahalanobis distance between dynamic behavioral features and normal behavioral features to the anomaly threshold can be calculated as the intensity of behavioral anomaly.
[0106] As an example, the method for obtaining the anomaly threshold could be: obtain multiple normal behavioral features from historical data, calculate their center vectors, and then calculate the average Mahalanobis distance between each normal behavioral feature and the center vector, which can be used as the anomaly threshold.
[0107] In another embodiment of this application, the abnormal behavior intensity can be obtained by using a pre-trained isolated forest model to obtain the abnormal path score of dynamic behavior features and normalize it into the abnormal behavior intensity.
[0108] Furthermore, multiple behavioral events generated by the target industrial internet entity within a preset time window are collected, and at least one dynamic behavioral feature is extracted from the protocol type, function code, message direction, request response delay, and return status code corresponding to each behavioral event. The behavioral events are sorted and merged based on timestamps, session identifiers, or transaction identifiers, and the sorted dynamic behavioral features are arranged in the order of occurrence to form a behavioral feature sequence.
[0109] Optionally, in order to improve the consistency of cross-protocol behavior expression, dynamic behavior features can be mapped to unified behavior primitives first, and then a sequence of behavior primitives can be formed in chronological order for similarity matching with the code feature sequence corresponding to the candidate vulnerability.
[0110] Among them, behavioral primitives can be a set of primitives and mapping rules for network interaction, system resources, and device status.
[0111] Specifically, a pre-defined behavioral primitive library is established, including network interaction primitives, system resource primitives, and device status primitives. For each dynamic behavioral event extracted from the target entity, it is converted into a behavioral primitive identifier through table lookup mapping or rule parsing.
[0112] Set a sliding time window T, and sort the behavioral primitives belonging to the same session identifier and falling within the sliding time window T according to their timestamps to form a dynamic behavioral feature sequence of length N. .
[0113] Furthermore, behavioral extraction is performed on the candidate vulnerability exploit program to extract an ordered set of features that characterizes the attack logic and steps of the candidate vulnerability. This ordered set of features includes multiple code feature sequences. M code feature sequence templates targeting the candidate vulnerability are loaded from the vulnerability knowledge base. The weighted longest common subsequence algorithm is used to calculate... and The maximum matching score between the two values is used to normalize the matching score using Min-Max to obtain the similarity value in the [0,1] interval.
[0114] In one embodiment of this application, the proportion of conditions satisfying all exploit conditions in the evidence chain for triggering vulnerability exploitation based on dynamic behavioral characteristics is used as the degree of condition satisfaction in the evidence chain for triggering vulnerability exploitation based on dynamic behavioral characteristics, i.e., the degree of condition satisfaction. .
[0115] Furthermore, by combining the intensity of behavioral anomalies, similarity, and the degree of condition fulfillment, utilization can be calculated. As an example, it can be calculated using the following formula:
[0116] ;
[0117] Where P represents utilization rate, S represents similarity, and A represents the intensity of behavioral anomaly. Weights representing similarity The weights representing the intensity of the behavioral abnormality, and .
[0118] Using the above formula, the degree of condition satisfaction is used as the gating weight, and the intensity of behavioral anomalies and similarity are weighted and summed to obtain the exploit probability value for a specific candidate vulnerability.
[0119] It should be noted that similarity reflects the degree to which the current behavior reproduces the candidate vulnerability, while the intensity of abnormal behavior is the degree to which it deviates from the normal behavior model, but it is not necessarily caused by an attack. By increasing the similarity weight, more attention can be paid to high-certainty threats, thereby improving the reliability of the exploitation results.
[0120] Step S30: Based on the static state characteristics, perform risk verification on the target industrial internet entity, obtain configuration risks, and determine the exposure level based on the logical position of the static state characteristics in the network topology.
[0121] Specifically, a security baseline check can be performed based on static state characteristics to obtain a risk score for each risk item, and the configuration risk can be obtained by weighting the risk scores.
[0122] For example, for risk items such as default passwords, weak authentication, unclosed remote management services, expired patches, and overly lenient access control, corresponding scores can be calculated separately, and the scores of each risk can be weighted to obtain the configuration risk.
[0123] As an example, the verification results based on static asset information and security baselines could be: Default password: If the default password has been changed, then the risk score... If the default password has not been changed, the risk score will be... Patch status: If all applicable patches are installed, then the risk score is [not specified]. If critical patches are missing, the risk score will be adjusted. Insecure protocols: For each predefined list of insecure protocols, such as Telnet and FTP, a risk score is assigned. Increment by 0.2. For example, if Telnet and FTP are enabled simultaneously, then... .
[0124] In other embodiments, risk scoring can also be performed based on the criticality of the patch. To further refine this, for example, if all applicable patches are installed, then the risk score... If non-critical patches are missing, the risk score will be adjusted. If critical patches are missing, the risk score will be adjusted. If multiple critical patches are missing, the risk score will be lower. .
[0125] Furthermore, weights are assigned based on the importance of each risk item, thereby calculating the allocation risk. :
[0126] ;
[0127] in, This represents the risk score for the i-th risk item. This represents the weight of the i-th risk term.
[0128] In one embodiment of this application, the importance of each risk item is determined based on its exploitability and potential destructive power using the Delphi Method or the Analytic Hierarchy Process (AHP), and then weights are assigned accordingly. For example, the absence of a default password will allow an attacker to gain the highest privileges, possessing extremely high ease of exploitation and destructive power, and is assigned the highest weight coefficient, such as 0.5; patch status reflects known vulnerabilities in the device and has potential destructive power, and is assigned a medium-to-high weight coefficient, such as 0.3; the list of insecure protocols mainly involves plaintext risks during data transmission, and its exploitation usually depends on a specific network environment, and is assigned a relatively low weight coefficient, such as 0.2.
[0129] Furthermore, in complex industrial internet scenarios, weights can be dynamically adjusted based on entity attributes. For example, if the entity is a core controller, the weights of the default password and patch status need to be further increased; if the entity is a non-networked sensor, the weights of the default password and patch status can be reduced accordingly; if the entity is exposed to the public network, the importance of insecure protocols will increase significantly, and the corresponding weights need to be increased substantially.
[0130] In this embodiment, the exposure level is determined based on the logical position of static state characteristics in the network topology. For example, when the target industrial internet entity is located in the external exposure layer, can be directly accessed from the office network or the Internet, or is on a multi-level laterally accessible link, its exposure level is set to high; conversely, if the entity is located in a deep isolation zone and the access path is strictly controlled, its exposure level is set to low.
[0131] As an example, an industrial network can be divided into different security domains or levels, with each level having a pre-defined fixed exposure score.
[0132] For example, if the target industrial internet entity is located at the internet boundary in the network topology, such as being directly or through a demilitarized zone (DMZ) connected to the internet, its exposure level is 1; if it is located in the factory office network, such as the layer where the enterprise information management system or office system is located, its exposure level is 0.7; if it is located in the production monitoring layer, such as the layer where the monitoring system is located, its exposure level is 0.4; and if it is located in the field control layer, such as the layer where physical control devices such as programmable logic controllers (PLCs), distributed control systems (DCS), and sensors are located, its exposure level is 0.2.
[0133] By mapping the physical or logical location of target industrial internet entities to a predefined, security-layered risk level table, the attack accessibility of assets is quickly quantified, achieving risk assessment from a macro perspective.
[0134] Step S40: Calculate the dynamic risk value of the target industrial internet entity based on the exploitation probability combined with vulnerability scoring, configuration risk, and exposure level.
[0135] Optionally, the dynamic risk value is a dynamic parameter that changes as new evidence is updated, used to reflect the vulnerability risk status of the target industrial internet entity at the current moment.
[0136] In this embodiment of the application, the vulnerability score, exposure level, and configuration risk are first normalized, for example, by using the Z-Score normalization method.
[0137] Furthermore, the exposure level, configuration risk, and exploitation probability are nonlinearly activated to construct the vulnerability exploitation reachability, so that the risk calculation meets the coupling constraint that the attack chain conditions are indispensable, avoiding the inflated risk and judgment distortion caused by traditional linear weighting.
[0138] As an example, nonlinear activation can be achieved using the hyperbolic tangent function, for instance, by determining the exploit achievability using the following formula. :
[0139] ;
[0140] Where E represents the level of exposure. P represents the configuration risk, and P represents the utilization probability.
[0141] Furthermore, the vulnerability exploitation evidence chain is divided into multiple types of basic evidence nodes, and the ratio of valid evidence nodes to necessary evidence nodes is calculated to obtain the evidence completeness rate. The dynamic behavioral characteristics are matched with the exploitation characteristics in the vulnerability knowledge template to obtain the feature matching degree. The evidence completeness rate and the feature matching degree are multiplied to obtain the confidence of the vulnerability exploitation evidence chain, and then the transmission confidence of the vulnerability exploitation evidence chain is obtained.
[0142] Since the evidence chain for exploiting a vulnerability includes five categories: existence evidence, evidence of prior exploitation, detection evidence, exploitation evidence, and impact evidence, the more types of evidence there are, the more complete the entire evidence chain for exploiting the vulnerability. Therefore, the ratio of valid evidence types to the total number of evidence categories is calculated as the evidence completeness rate, i.e., the evidence completeness rate. ,in, Indicates the types of valid evidence. This represents the total number of evidence types. In this embodiment, there are five types of evidence, which is the total number of evidence types. .
[0143] The dynamic behavioral feature sequence is compared with the standard exploit behavior features in the vulnerability knowledge template. The degree of matching between the actual behavior and the typical vulnerability exploit behavior is calculated to obtain the feature matching degree. The value range is [0,1], where the feature matching degree can be calculated by the Dynamic Time Warping (DTW) algorithm.
[0144] Furthermore, the evidence completeness rate and feature matching degree are fused using a product-like nonlinear method to obtain the confidence level of the vulnerability exploitation evidence chain. .
[0145] As an example, the propagation confidence of a chain of evidence can be constructed using a sigmoid mapping, and the propagation confidence can be determined, for example, by the following formula. :
[0146] .
[0147] Based on the completeness and credibility of the evidence chain for vulnerability exploitation, a transmission confidence level for the evidence chain is constructed to realize a non-linear risk transmission mechanism that suppresses weak evidence and amplifies strong evidence, thereby deeply binding the risk value with the strength of attack evidence and improving the interpretability and credibility of risk assessment.
[0148] Furthermore, based on the confidence level of the evidence chain, the risk uncertainty entropy is calculated, and an entropy correction term is constructed to quantitatively suppress the risk ambiguity caused by insufficient evidence and incomplete information, thereby improving the robustness of dynamic risk calculation.
[0149] As an example, we first calculate the risk uncertainty entropy of the exploit evidence chain. Then calculate the entropy correction value. .
[0150] ;
[0151] .
[0152] Furthermore, the vulnerability score, vulnerability exploitability, and propagation confidence are geometrically coupled and nonlinearly modulated using an entropy correction value to obtain a dynamic risk value. This dynamic risk value can truly reflect the real-time exploitability risk level of the vulnerability under the current network environment, device configuration, attack behavior, and industrial conditions.
[0153] As an example, the dynamic risk value can be calculated using the following formula. :
[0154] ;
[0155] in, This represents the normalized vulnerability score.
[0156] In some embodiments, after coupling the vulnerability score, vulnerability exploitability, and propagation confidence with a geometric mean, the dynamic risk value can be obtained by sequentially applying nonlinear modulation to the operating context constraint coefficient and entropy correction value.
[0157] As an example, the dynamic risk value can be calculated using the following formula. :
[0158] ;
[0159] in, This represents the industrial operating condition context constraint coefficient.
[0160] It should be noted that the industrial operating condition context constraint coefficient is modulated differently based on different operating conditions such as automated production, maintenance, and standby, to address the misjudgment problem caused by differences in operating conditions in industrial scenarios. For example, under automated production conditions, equipment is in continuous operation and critical control states, with low anomaly tolerance and high risk sensitivity. Take 1.3; Under maintenance and repair conditions, the equipment is allowed to perform routine operations such as read / write, remote debugging, and version upgrades. It has a high tolerance for anomalies and a low sensitivity to risks. Take 0.6; In the standby mode, the equipment only retains keep-alive messages and status monitoring, with no actual production interaction. It has the highest tolerance for anomalies and the lowest risk sensitivity. Take 0.4.
[0161] Because the risk formation mechanisms differ across scenarios—for example, in internet-exposed scenarios, the degree of exposure and the probability of exploitation are more critical; in closed industrial control scenarios, configuration risks and specific protocol anomalies are more critical; in confirmed attack scenarios, dynamic behavioral evidence is more critical; and in asset inventory scenarios, static state characteristics are more critical—in some embodiments of this application, a risk calculation model corresponding to the scenario type of the target industrial internet entity can be selected to fuse the probability of exploitation, vulnerability score, configuration risk, and degree of exposure to obtain a dynamic risk value.
[0162] The risk calculation model may include at least one of the following: a weighted summation model, a multiplicative fusion model, or a combination thereof.
[0163] As one possible implementation, the vulnerability score is the Common Vulnerability Scoring System (CVSS) score, with a score range of 0.0-10.0.
[0164] In one embodiment of this application, each scenario can be obtained by fusing the exploitation probability, vulnerability score, configuration risk, and exposure level through a weighted summation model to obtain a dynamic risk value.
[0165] It should be noted that before performing the weighted summation calculation, the parameters are first normalized to unify the dimensions.
[0166] As an example, the dynamic risk value can be calculated using the following formula. :
[0167] ;
[0168] in, The weight representing the level of exposure E, The weights representing the utilization rate P are... Indicates vulnerability score The weight, Indicates configuration risk The weights, and .
[0169] For different scenarios, corresponding weight values are pre-assigned. For example, for internet exposure scenarios, more emphasis is placed on the degree of exposure and the probability of exploitation, and the corresponding weight allocation model is as follows: , , , For closed industrial control scenarios, where the focus is more on configuring risks and baselines, the corresponding weight allocation model is: , , , For static maintenance scenarios, which focus more on static features and vulnerabilities, the corresponding weight allocation model is: , , , .
[0170] Based on static state characteristics and topological location, the system automatically identifies the scenario type of the target industrial internet entity. For example, it determines whether the target industrial internet entity is in an internet-exposed scenario or an industrial control closed scenario by topological location, and whether the target industrial internet entity is in an operational scenario or a static maintenance scenario by operating traffic and connection frequency.
[0171] In one embodiment of this application, in an attack chain scenario, considering the chain-like nature of risk formation—that is, the success of an attack depends on the combined presence of vulnerabilities, exploit tools, exposure levels, and exploitability—a multiplicative model is employed to amplify the cumulative effect of various parameters. This involves normalizing each parameter and then multiplying them to obtain a dynamic risk value. Under this model, if one of the conditions is not met, such as complete non-exposure, the overall attack chain is difficult to trigger, and the dynamic risk value will be significantly reduced.
[0172] In one embodiment of this application, a layered fusion approach can also be adopted, firstly performing local aggregation on the parameters (vulnerability score, configuration risk, exposure level) corresponding to static state characteristics, and then combining them with the parameters (exploitation probability) corresponding to dynamic behavior characteristics to generate dynamic risk values.
[0173] As an example, the dynamic risk value can be calculated using the following formula. :
[0174]
[0175] in, The weight representing the level of exposure E, Indicates vulnerability score The weight, Indicates configuration risk The weights, and .
[0176] In the embodiments of this application, weight , , It can be obtained by pre-assigning scene weights, or by comparing their importance pairwise using the analytic hierarchy process and making the sum of the three equal to 1.
[0177] Vulnerability scores, configuration risks, and exposure levels reflect the potential risks of the target industrial internet entity. Even without an attack, background risks still exist due to the objective existence of vulnerabilities, configuration risks, and exposures. Multiplying the obtained potential risk by the exploit probability determines the dynamic risk value reached by that potential risk. If a vulnerability cannot be exploited, i.e., the exploit probability is extremely low, then even if a potential risk exists, the dynamic risk value remains low. Conversely, if the probability of exploitation is very high, the potential risk is easily activated, and the dynamic risk value increases rapidly.
[0178] Dynamic risk values can reflect the actual risk level of a vulnerability at the current moment, in the current state, and under the current environment, and can be updated in real time as new evidence changes.
[0179] Step S50: Construct the vulnerability fingerprint of the target industrial internet entity based on security event characteristics, candidate vulnerabilities, vulnerability exploitation evidence chains, and dynamic risk values.
[0180] Optionally, a vulnerability fingerprint can be composed of the target industrial internet entity identifier, dynamic behavioral feature summary, static state feature summary, candidate vulnerability identifier, chain representation of vulnerability exploitation evidence chain, and dynamic risk value.
[0181] Specifically, digest operations are performed on dynamic behavioral features and static state features respectively. The digest operation is implemented using any one of hash digest, encoding mapping or feature compression. The vulnerability exploitation evidence chain is represented in a chain by extracting key nodes, sequence compression or structured encoding. The vulnerability fingerprint is constructed from the target industrial internet entity identifier, dynamic behavioral feature digest, static state feature digest, candidate vulnerability identifier, chain representation of vulnerability exploitation evidence chain and dynamic risk value.
[0182] In one embodiment of this application, for static state features, an encoding mapping is used to generate feature vectors. For example, different manufacturers, models, and version numbers are mapped to unique integer codes or One-Hot codes. Bitmap encoding is used for open ports and enabled services to compress state information. Authentication configurations and security baseline states are represented using bi-state (0 / 1) or poly-state discrete values. Further, the encoded feature vectors are processed using a hash digest algorithm, such as SHA-256, to generate a fixed-length digest, or using a feature compression algorithm, such as Linear Discriminant Analysis (LDA), to reduce dimensionality, ultimately forming a static state feature digest.
[0183] In one embodiment of this application, for dynamic behavioral characteristics, sliding window sampling or frequency histogram statistics are used for function code sequences with temporal characteristics and request-response delays. For example, the frequency of occurrence of write instruction function codes per unit time, as well as the mean and variance of response delays, are statistically analyzed. Symbolic representation or hash digest operations are used to compress a continuous, high-frequency message interaction characteristic into a fixed-length dynamic behavioral digest. In this way, even with massive network traffic, the system can identify whether an entity exhibits abnormal protocol interaction behavior through a very short digest.
[0184] In one embodiment of this application, the evidence chain for vulnerability exploitation is first extracted by identifying key nodes. For example, in an industrial scenario, key nodes might include reading device information, attempting buffer overflows, or modifying control logic. The extracted key nodes are then compressed and encoded to form a chain vector with causal relationships. Using symbolic sequences ensures that the temporal and logical dependencies of the attack are preserved, thereby enabling a computable description of complex industrial attack processes.
[0185] After performing dimensionality reduction and compression on the above data, the final vulnerability fingerprint (VF) is generated using the following structured method:
[0186] ;
[0187] in, Indicates the target industrial internet entity identifier. Represents a summary of static state features. This represents a summary of dynamic behavioral characteristics. Indicates a candidate vulnerability identifier. A chain representation of the evidence chain for vulnerability exploitation.
[0188] Dynamic behavioral features and static state features are digested to reduce feature redundancy and form a unified dimension representation; the vulnerability exploitation evidence chain is formed into a chain representation through key node extraction, sequence compression or structured encoding to retain key causal and temporal relationships in the attack process, thereby preserving the key correlations in the attack process and forming a computable and storable structured representation.
[0189] Please see Figure 2 The second embodiment of this application provides an industrial internet vulnerability fingerprint construction system for executing the above-described industrial internet vulnerability fingerprint construction method, comprising: a data acquisition module 100, a candidate vulnerability determination module 200, a potential risk acquisition module 300, a dynamic risk value calculation module 400, and a vulnerability fingerprint construction module 500.
[0190] The data acquisition module 100 is used to collect multi-source security data of the target industrial internet entity and extract security event features from the multi-source security data. The security event features include dynamic behavior features and static state features.
[0191] The candidate vulnerability determination module 200 is used to obtain candidate vulnerabilities of the target industrial internet entity based on static state characteristics when abnormal behavior events are identified based on security event characteristics, and to construct a vulnerability exploitation evidence chain between abnormal behavior events and candidate vulnerabilities to determine the exploitation probability of candidate vulnerabilities.
[0192] The potential risk acquisition module 300 is used to perform risk verification on the target industrial internet entity based on static state characteristics, acquire configuration risks, and determine the degree of exposure based on the logical position of the static state characteristics in the network topology.
[0193] The dynamic risk value calculation module 400 is used to calculate the dynamic risk value of the target industrial internet entity based on the exploitation probability combined with vulnerability scoring, configuration risk and exposure level.
[0194] The vulnerability fingerprinting module 500 is used to construct vulnerability fingerprints of target industrial internet entities based on security event characteristics, candidate vulnerabilities, vulnerability exploitation evidence chains, and dynamic risk values.
[0195] Those skilled in the art will understand that, for the sake of convenience and brevity, the specific working process and related descriptions of the system described above can be found in the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0196] It should be noted that the industrial internet vulnerability fingerprint construction method and system provided in the above embodiments are only illustrative examples of the division of the above functional modules. In practical applications, the above functions can be assigned to different functional modules as needed, that is, the modules or steps in the embodiments of this application can be further decomposed or combined. For example, the modules in the above embodiments can be merged into one module, or further divided into multiple sub-modules to complete all or part of the functions described above. The names of the modules and steps involved in the embodiments of this application are only for distinguishing the various modules or steps and are not considered as an improper limitation of this application.
[0197] A device according to a third embodiment of this application includes:
[0198] At least one processor;
[0199] and a memory communicatively connected to at least one of the processors;
[0200] The memory stores instructions that can be executed by the processor to implement the aforementioned method for constructing industrial internet vulnerability fingerprints.
[0201] A computer-readable storage medium according to a fourth embodiment of this application stores computer instructions that are executed by the computer to implement the above-described method for constructing an industrial internet vulnerability fingerprint.
[0202] A computer program product according to the fifth embodiment of this application, when run on an electronic device, causes the electronic device to execute the above-described method for constructing an industrial internet vulnerability fingerprint.
[0203] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes and related descriptions of the electronic devices, computer-readable storage media, and computer program products described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0204] The following is for reference. Figure 3 It shows a schematic diagram of the structure of a computer system for implementing embodiments of the systems, methods, and electronic devices of this application. Figure 3 The server shown is merely an example and should not impose any limitations on the functionality and scope of use of the embodiments of this application.
[0205] like Figure 3 As shown, the computer system includes a Central Processing Unit (CPU) 301, which can perform various appropriate actions and processes based on programs stored in Read Only Memory (ROM) 302 or programs loaded from storage section 308 into Random Access Memory (RAM) 303. The RAM 303 also stores various programs and data required for system operation. The CPU 301, ROM 302, and RAM 303 are interconnected via a bus 304. An Input / Output (I / O) interface 305 is also connected to the bus 304.
[0206] The following components are connected to I / O interface 305: an input section 306 including a keyboard, mouse, etc.; an output section 307 including a cathode ray tube (CRT), liquid crystal display (LCD), and speakers, etc.; a storage section 308 including a hard disk, etc.; and a communication section 309 including a network interface card such as a LAN (Local Area Network) card and a modem, etc. The communication section 309 performs communication processing via a network such as the Internet. A drive 310 is also connected to I / O interface 305 as needed. Removable media 311, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., are installed on drive 310 as needed so that computer programs read from them can be installed into storage section 308 as needed.
[0207] Specifically, according to embodiments of this application, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this application include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via communication section 309, and / or installed from removable medium 311. When the computer program is executed by central processing unit (CPU) 301, it performs the functions defined in the methods of this application. It should be noted that the computer-readable medium described above in this application can be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. A computer-readable storage medium can be, for example,, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of computer-readable storage media may include, but are not limited to: electrical connections having one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this application, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in connection with an instruction execution system, apparatus, or device. In this application, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium can also be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on a computer-readable medium can be transmitted using any suitable medium, including but not limited to: wireless, wire, optical fiber, RF, etc., or any suitable combination thereof.
[0208] Computer program code for performing the operations of this application can be written in one or more programming languages or a combination thereof. These programming languages include object-oriented programming languages such as Java, Smalltalk, and C++, as well as conventional procedural programming languages such as C or similar languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computer (e.g., via the Internet using an Internet service provider).
[0209] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0210] The terms “first”, “second”, etc., are used to distinguish similar objects, not to describe or indicate a specific order or sequence.
[0211] The term "comprising" or any other similar term is intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus / device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent in such process, method, article, or apparatus / device.
[0212] The technical solutions of this application have been described above with reference to the preferred embodiments shown in the accompanying drawings. However, it will be readily understood by those skilled in the art that the scope of protection of this application is obviously not limited to these specific embodiments. Without departing from the principles of this application, those skilled in the art can make equivalent changes or substitutions to the relevant technical features, and the technical solutions after these changes or substitutions will all fall within the scope of protection of this application.
Claims
1. A method for constructing vulnerability fingerprints for the Industrial Internet, characterized in that, include: Collect multi-source security data of target industrial internet entities and extract security event features from the multi-source security data, wherein the security event features include dynamic behavior features and static state features; In the case of identifying abnormal behavior events based on the security event characteristics, candidate vulnerabilities of the target industrial internet entity are obtained according to the static state characteristics, and a vulnerability exploitation evidence chain between the abnormal behavior events and the candidate vulnerabilities is constructed to determine the exploitation probability of the candidate vulnerabilities. Based on the static state characteristics, risk verification is performed on the target industrial internet entity to obtain configuration risks; The degree of exposure is determined based on the logical location of the target industrial internet entity in the network topology; The dynamic risk value of the target industrial internet entity is calculated based on the exploitation probability combined with vulnerability scoring, configuration risk, and exposure level. Based on the security event characteristics, the candidate vulnerabilities, the vulnerability exploitation evidence chain, and the dynamic risk value, a vulnerability fingerprint of the target industrial internet entity is constructed. The process of constructing the evidence chain for the vulnerability exploitation includes: Read the vulnerability knowledge templates of each candidate vulnerability from the pre-built vulnerability knowledge base. The vulnerability knowledge templates include one or more of the following: vulnerability existence conditions, vulnerability exploitation prerequisites, detection behavior characteristics, exploitation behavior characteristics, and characteristics affecting the outcome. Based on the vulnerability knowledge template, vulnerability evidence is extracted from the static state characteristics, wherein the vulnerability evidence includes one or more of the following: existence evidence, exploitation premise evidence, detection evidence, exploitation evidence, and impact evidence. Based on the time sequence and logical relationship, the abnormal behavior events, the candidate vulnerabilities, and the vulnerability evidence are spliced together in time and logically associated to generate the vulnerability exploitation evidence chain; Determining the exploit probability of the candidate vulnerability includes: Based on the characteristics of the security incident, determine the normal behavior model of the target industrial internet entity under the current operating conditions; The intensity of behavioral abnormality is determined based on the degree to which dynamic behavioral characteristics deviate from the normal behavioral model; The dynamic behavioral features are time-series converted into behavioral feature sequences, and the similarity between the behavioral feature sequences and the code feature sequences of the candidate vulnerabilities is obtained, wherein the code feature sequences are obtained by behavioral extraction based on code samples of the candidate vulnerabilities; The degree to which the conditions for triggering the vulnerability exploitation evidence chain based on the dynamic behavioral characteristics are met is obtained, and the exploitation probability of the candidate vulnerability is obtained by combining the abnormality intensity of the behavior and the similarity.
2. The method for constructing an industrial internet vulnerability fingerprint according to claim 1, characterized in that, The process for identifying the abnormal behavior events includes: The difference between the dynamic behavioral characteristics and the normal behavioral characteristics in the normal behavioral model is calculated. If the difference results meet the preset anomaly judgment conditions, an abnormal behavior event is identified.
3. The method for constructing an industrial internet vulnerability fingerprint according to claim 2, characterized in that, The security event characteristics also include context labels, and the process for identifying the abnormal behavior events also includes: Generate context constraint information based on context labels; The normal behavior model is determined based on the static state characteristics and the context constraint information.
4. The method for constructing an industrial internet vulnerability fingerprint according to claim 1, characterized in that, The process of obtaining the candidate vulnerabilities includes: Obtain one or more static state characteristics of the target industrial internet entity, including device type, manufacturer information, model information, firmware version, software version, open ports, enabled services, patch status, authentication configuration, and security baseline status. The static state characteristics are matched with the applicable conditions of each vulnerability entry in the pre-built vulnerability knowledge base; Vulnerability entries that meet all or a preset proportion of the conditions are identified as candidate vulnerabilities of the target industrial internet entity.
5. The method for constructing an industrial internet vulnerability fingerprint according to claim 1, characterized in that, The risks associated with acquiring configuration include: Based on the static state characteristics, a safety baseline check is performed to obtain a risk score for each risk item; The configuration risk is obtained by weighting and calculating the risk scores.
6. The method for constructing an industrial internet vulnerability fingerprint according to claim 1, characterized in that, The process of obtaining the dynamic risk value includes: A non-linear mapping is performed on the exploit probability, and combined with the exposure level and configuration risk, the achievable extent of vulnerability exploitation is obtained; The confidence level of the vulnerability exploitation evidence chain is obtained based on the evidence completeness rate and feature matching degree of the vulnerability exploitation evidence chain. The evidence completeness rate is the ratio of the number of valid evidence types to the total number of evidence categories. The feature matching degree is obtained by sequence comparison between dynamic behavioral features and exploitation behavioral features in the vulnerability knowledge template. Based on the confidence level of the vulnerability exploitation evidence chain, obtain the propagation confidence level and entropy correction value of the vulnerability exploitation evidence chain; The geometric mean of the vulnerability score, the vulnerability exploitability, and the propagation confidence is calculated and nonlinearly modulated using an entropy correction value to obtain a dynamic risk value.
7. The method for constructing an industrial internet vulnerability fingerprint according to claim 1, characterized in that, The process of constructing the vulnerability fingerprint includes: The dynamic behavior features and the static state features are respectively subjected to a digest operation, wherein the digest operation is implemented by any one of hash digest, encoding mapping or feature compression; The vulnerability is represented by a chain of evidence, which is formed by extracting key nodes, compressing sequences, or encoding them in a structured manner. The vulnerability fingerprint is constructed from the target industrial internet entity identifier, dynamic behavior feature summary, static state feature summary, candidate vulnerability identifier, chain representation of vulnerability exploitation evidence chain, and dynamic risk value.
8. The method for constructing an industrial internet vulnerability fingerprint according to claim 1, characterized in that, The dynamic behavior characteristics include at least one of the following: protocol type, function code, message direction, and request-response delay.
9. The method for constructing an industrial internet vulnerability fingerprint according to claim 1, characterized in that, The process of obtaining the intensity of the behavioral anomaly includes: The ratio of the Mahalanobis distance between dynamic behavioral features and normal behavioral features to the abnormality threshold is calculated as the intensity of behavioral abnormality.
10. The method for constructing an industrial internet vulnerability fingerprint according to claim 9, characterized in that, The process of obtaining the abnormal threshold includes: Obtain the center vectors of multiple normal behavioral features from historical data; The average Mahalanobis distance between each normal behavioral feature and the center vector is calculated and used as the anomaly threshold.