An industrial control network asset identification and vulnerability repair method and system
By combining graph neural networks and reinforcement learning agents with deep learning models, a digital twin profile of industrial control equipment is constructed, which solves the problems of inaccurate asset identification and vulnerability repair being out of touch with the production environment in industrial control networks, and achieves efficient security defense and accurate vulnerability repair.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- HUANENG POWER INT INC
- Filing Date
- 2026-03-31
- Publication Date
- 2026-07-03
AI Technical Summary
In existing industrial control networks, asset identification is inaccurate, vulnerability remediation is detached from the production environment, making it difficult to cope with advanced persistent threats. Traditional port scanning technology cannot distinguish between real and disguised services, static rule bases cannot adapt to the dynamic changes of new industrial control protocols, and multimodal data has not been effectively integrated and analyzed, resulting in incomplete device profiles.
The system employs graph neural networks to detect the relationship between ports and service clusters, combines reinforcement learning agents to generate adaptive detection actions, uses deep learning models to fuse multimodal features, constructs digital twin profiles, and utilizes knowledge graphs and large language models to generate security defense solutions.
It enables accurate identification of industrial control equipment and spoofing services, enhances the security defense capabilities of industrial control networks, provides customized, low-impact defense solutions, and improves the accuracy of asset identification and the effectiveness of defense solutions.
Smart Images

Figure CN122339745A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of industrial control system security technology, specifically relating to a method and system for identifying and repairing vulnerabilities in industrial control network assets. Background Technology
[0002] With the advent of the Internet of Things (IoT) era, industrial control is gradually transforming from traditional stand-alone, LAN-based models to internet-based models, and system architecture is shifting from closed to open and intelligent. This transformation makes remote monitoring, debugging, and software upgrades of industrial control equipment possible, but it also significantly increases the cybersecurity risks faced by industrial control systems. Currently, industrial control networks commonly suffer from core problems such as inaccurate asset identification and delayed vulnerability remediation: traditional port scanning technologies struggle to distinguish between real and spoofed services, and static rule bases cannot adapt to the dynamic changes of new industrial control protocols; vulnerability remediation solutions often deviate from the actual production environment of the equipment and lack consideration for the equipment's critical role in the process flow. More seriously, the multimodal data generated by modern industrial control equipment (such as network traffic, logs, and configuration parameters) has not been effectively integrated and analyzed, resulting in incomplete equipment profiles and difficulty in supporting accurate security decisions. These deficiencies expose serious weaknesses in the defense of industrial control systems against advanced persistent threats, necessitating the establishment of a closed-loop security system that integrates dynamic detection, intelligent analysis, and scenario-based defense. Summary of the Invention
[0003] The purpose of this invention is to overcome the shortcomings of the prior art and provide a method and system for identifying and repairing vulnerabilities in industrial control network assets, so as to solve the problem that industrial control equipment is susceptible to network attacks in the prior art.
[0004] To achieve the above objectives, the present invention employs the following technical solution: A method for identifying and remediating vulnerabilities in industrial control network assets includes the following steps: S1, detects open ports of industrial control equipment and obtains the service cluster corresponding to the port; S2, obtains the association between ports and service clusters through graph neural networks; S3, based on the association between the port and the service cluster, an adaptive detection action is generated by a reinforcement learning agent to send a detection request to the industrial control equipment to collect multimodal data of the industrial control equipment; multimodal feature fusion and matching of the multimodal data are performed by a deep learning model to parse out the detailed attributes of the industrial control equipment, and then construct its digital twin profile. S4, based on digital twin profiles and the associated vulnerabilities of twin profiles in knowledge graphs, combines the role and topological location of industrial control equipment in the production process, and generates security defense and vulnerability remediation schemes for industrial control equipment through a large language model.
[0005] A further improvement of the present invention is that: Preferably, in S1, the service cluster corresponding to the port is obtained through passive traffic analysis.
[0006] Preferably, in S2, the process of establishing the association relationship between ports and service clusters through the graph neural network is as follows: S21, using ports as the initial nodes of the knowledge graph, and based on the common associations between ports and service clusters, obtain the candidate service clusters of ports and the confidence of each service in the service cluster through graph neural networks. S22, Execute the service verification script according to the confidence level, and update the edge weights of the knowledge graph based on the verification results; S23, repeat S22 until the set number of iterations.
[0007] Preferably, in step S21, when obtaining the confidence level of each service, if the confidence level is lower than a set threshold, the service is determined to be a fake service by fingerprint recognition, and the recognition result is injected into the knowledge graph for self-learning.
[0008] Preferably, in S3, based on the association between the port and the service cluster, the process of using a reinforcement learning agent to generate adaptive detection actions and send detection requests to the industrial control equipment to collect multimodal data of the industrial control equipment is as follows: the reinforcement learning agent selects the optimal detection action from the action space according to the current device state and sends a detection request to the target device; the response packet returned by the environment is fed back to the reinforcement learning agent as a reward, and the agent updates the network according to the update strategy; during the detection and update process of the reinforcement learning agent, multimodal data is obtained.
[0009] Preferably, in S3, the process of using a deep learning model to perform multimodal feature fusion and matching on the multimodal data, analyze the attributes of the industrial control equipment, and obtain a digital twin profile is as follows: the deep learning model extracts and fuses multimodal features from the multimodal data, outputs the attributes of the equipment, and forms a digital twin profile of the equipment.
[0010] Preferably, after S4, there is also a process of spatiotemporally associating the digital twin profile of the equipment with physical space information and production process roles, and storing it in a graph database in the form of a knowledge graph.
[0011] An industrial control network asset identification and vulnerability remediation device, comprising: The data acquisition module is used to detect open ports of industrial control equipment and obtain the service clusters corresponding to those ports. The graph neural network module is used to obtain the relationship between ports and service clusters through graph neural networks; The reinforcement learning module, based on the association between the port and the service cluster, uses a reinforcement learning agent to generate adaptive detection actions and sends detection requests to the industrial control equipment to collect multimodal data of the industrial control equipment; it then uses a deep learning model to perform multimodal feature fusion and matching on the multimodal data to parse out the detailed attributes of the industrial control equipment and construct its digital twin profile. The security defense module is used to generate security defense solutions and vulnerability remediation solutions for industrial control equipment based on digital twin profiles and their associated vulnerabilities in knowledge graphs, combined with the role and topological location of industrial control equipment in the production process, through a large language model.
[0012] A computer device includes a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the computer program, it implements a method for identifying and remediating vulnerabilities in an industrial control network as described in any of the preceding claims.
[0013] A computer-readable storage medium storing a computer program that, when executed by a processor, implements a method for identifying and remediating vulnerabilities in an industrial control network as described in any of the preceding claims.
[0014] Compared with the prior art, the present invention has the following beneficial effects: This invention discloses a method for identifying and patching vulnerabilities in industrial control network assets. By dynamically detecting port service associations, optimizing service verification through graph neural networks, and adaptively collecting multimodal data using reinforcement learning to construct digital twin profiles, combined with knowledge graphs and large language models to generate scenario-based defense solutions, this method solves the problems of inaccurate asset identification and vulnerability patching being out of touch with the production environment in traditional technologies. It has the advantage of improving the network security defense capabilities of industrial control networks. Attached Figure Description
[0015] Figure 1 This is a flowchart of the present invention; Figure 2 This is a block diagram of the present invention. Detailed Implementation
[0016] Hereinafter, the terms "first," "second," "third," and "fourth" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Therefore, a feature defined as "first," "second," "third," or "fourth" may explicitly or implicitly include one or more of that feature.
[0017] The method provided in this application can be applied to mobile phones, tablets, wearable devices, in-vehicle devices, augmented reality (AR) / virtual reality (VR) devices, laptops, and ultra-mobile personal computers. In this application, the specific type of terminal device is not limited to terminal devices such as mobile personal computers (UMPCs), netbooks, and personal digital assistants (PDAs).
[0018] It should be noted that the terms "first," "second," etc., used in the specification and drawings of this invention are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of the invention described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.
[0019] This invention discloses a method for identifying and patching vulnerabilities in industrial control network assets, comprising the following steps: S1, detects open ports of industrial control equipment and obtains the service cluster corresponding to the port; S2, obtains the association between ports and service clusters through graph neural networks; S3, based on the association between the port and the service cluster, an adaptive detection action is generated by a reinforcement learning agent to send a detection request to the industrial control equipment to collect multimodal data of the industrial control equipment; multimodal feature fusion and matching of the multimodal data are performed by a deep learning model to parse out the detailed attributes of the industrial control equipment, and then construct its digital twin profile. S4, based on digital twin profiles and the associated vulnerabilities of twin profiles in knowledge graphs, combines the role and topological location of industrial control equipment in the production process, and generates security defense and vulnerability remediation schemes for industrial control equipment through a large language model.
[0020] Detecting open ports on industrial control equipment refers to identifying the open communication ports of the equipment, which can be achieved using the Nmap network detection tool to discover potential attack surfaces. A service cluster refers to a collection of applications running on a specific port. A graph neural network is a deep learning model that processes graph-structured data. A reinforcement learning agent is a decision-making module based on the Q-learning algorithm, which dynamically optimizes detection actions by designing a state space that includes dimensions such as protocol type and payload length. Multimodal data includes information such as network traffic, device response messages, and protocol interaction sequences. A digital twin profile is a structured representation of device attributes, vulnerability information, and topological relationships. This solution automatically mines port service associations through graph neural networks and combines them with an adaptive detection mechanism of reinforcement learning to effectively identify disguised services and abnormal ports. Compared to asset identification technology based on static fingerprint databases, multimodal feature fusion significantly improves the accuracy of device attribute parsing, and the dynamic update mechanism of the knowledge graph can promptly incorporate new vulnerability information. Through the above technical solutions, this invention can accurately identify disguised services and abnormal ports on industrial control equipment.
[0021] Specifically, in S1, open ports on industrial control equipment are detected, and the corresponding service clusters are predicted based on passive traffic analysis. Passive traffic analysis refers to identifying the association between ports and service clusters by listening to network traffic and parsing data packets without actively sending probe packets to the target device. Specifically, network splitters or mirrored ports can be used to collect traffic data, combined with protocol parsing tools to extract port and service information. This technique avoids additional load on industrial control equipment and reduces the risk of false alarms caused by active probing. In the industrial control network environment, network traffic is collected in real time and input to the traffic analysis module. By parsing fields such as source / destination ports, protocol types, and payload content in the traffic, the mapping relationship between ports and services is extracted. Furthermore, by statistically analyzing the communication frequency and behavior patterns of different service instances on the same port, the topology of the service cluster is constructed. In this process, passive traffic analysis only relies on existing communication data and does not require actively sending probe requests, thus avoiding interference with the normal operation of industrial control equipment.
[0022] In some embodiments of the present invention, in S2, the process of establishing the association relationship between ports and service clusters through the graph neural network is as follows: S21, obtain the candidate service clusters of the port and the confidence of each service in the service cluster through graph neural network; S22, Execute the service verification script according to the confidence level, and update the edge weights of the knowledge graph based on the verification results; S23, repeat S22 until the set number of iterations.
[0023] In this process, after the port is mapped to a node in the knowledge graph, the graph neural network generates candidate service clusters and their confidence levels based on historical port-service association data. Candidate services are sorted from high to low confidence levels, and verification scripts are executed first to confirm service authenticity. Each verification result is fed back to the knowledge graph, and the accuracy of the association is optimized by adjusting edge weights. This process is repeated until a preset iteration threshold is reached, constructing a dynamic service-fingerprint mapping graph. The graph neural network is then used for traversal and inference to accurately identify the service corresponding to the port and its associations. This invention can dynamically optimize the association between ports and service clusters, improving the accuracy of industrial control asset identification, while reducing manual intervention through automated verification scripts.
[0024] In a specific process, the construction of the service-fingerprint dynamic mapping graph and the use of graph neural networks for traversal and inference to accurately identify the service corresponding to the port and its associated relationships are as follows: Using ports as initial nodes in the knowledge graph, a graph neural network algorithm is employed to perform probabilistic inference based on known relationships within the graph (e.g., port A typically corresponds to service X, and service X is typically manufactured by vendor Y), generating a set of candidate services and their confidence levels. The system prioritizes executing the verification script for the service with the highest confidence level and dynamically updates the edge weights in the graph based on the verification results, rapidly converging to the most accurate service identification result through several iterations. When the inference confidence level falls below a threshold, deep web application fingerprinting based on HTTP / HTTPS is initiated, and the identification results are injected back into the knowledge graph, enabling the graph to self-learn and self-evolve.
[0025] In some embodiments of the present invention, in step S21, when obtaining the confidence level of each service, if the confidence level is lower than a set threshold, the service is determined to be a fake service by fingerprint recognition, and the recognition result is injected into the knowledge graph, which then learns by itself based on the recognition result.
[0026] Here, confidence level refers to a quantitative indicator of the credibility of the association between a service cluster and a port. Specifically, it can be implemented using the probability value output by a graph neural network to measure the probability of service authenticity. Fingerprint recognition refers to a comparison technique based on network protocol features or data packet interaction patterns. Specifically, it can be implemented using protocol field parsing and rule base matching algorithms to detect abnormal behavior disguised as legitimate services. Knowledge graph self-learning refers to dynamically adjusting the attributes of graph nodes and edge weights based on newly injected recognition results. Specifically, it can be implemented using incremental graph embedding algorithms, enabling the knowledge graph to continuously optimize the accuracy of service associations. Specifically, when the service confidence level output by the graph neural network is lower than a preset threshold, the fingerprint recognition module will be triggered to perform deep protocol parsing on the target port. By extracting fingerprint information such as TCP / IP protocol interaction features, payload data format, and response latency, it is matched and verified against a pre-set industrial control protocol feature library. If a deviation is detected between the protocol features and the standard service, the service is determined to be a forged service. This determination result will be injected as a new attribute into the corresponding service node of the knowledge graph, and the node vector representation will be updated through a graph convolutional network, thereby optimizing the edge weight calculation process in the subsequent service verification stage. This implementation plan can effectively reduce asset identification errors caused by forged services, enhance the sensitivity of knowledge graphs in detecting abnormal services, thereby improving the reliability of industrial control network asset profile construction and providing an accurate data foundation for subsequent vulnerability remediation.
[0027] In some embodiments of the present invention, in S3, based on the association between the port and the service cluster, the process of using a reinforcement learning agent to generate adaptive detection actions and send detection requests to the industrial control equipment to collect multimodal data of the industrial control equipment is as follows: the reinforcement learning agent selects the optimal detection action from the action space according to the current device state and sends a detection request to the target device; the response packet returned by the environment is fed back to the reinforcement learning agent as a reward, and the agent updates the policy network accordingly; during the detection and update process of the reinforcement learning agent, multimodal data is obtained.
[0028] Specifically, a reinforcement learning agent is an algorithmic module that learns optimal decision-making strategies through interaction with the environment. This can be implemented using deep Q-networks or policy gradient algorithms. Its role is to dynamically adjust probing actions based on device status to optimize data collection efficiency. The action space refers to the set of probing actions the agent can choose, which can include various operation types such as port scanning, protocol probing, and packet injection. Diversification of probing behaviors is achieved by defining discrete or continuous action spaces. The optimal probing action is the action with the highest expected reward calculated based on the current device status and environmental feedback. This can be selected using a value function or policy network, and is used to quickly locate effective data acquisition paths in complex industrial control environments. The policy network is a neural network model used to generate action selection strategies. This can employ convolutional neural networks or recurrent neural network structures, and the network parameters are updated using gradient descent algorithms to improve the adaptability of the probing actions. In the initial stage, the reinforcement learning agent generates probing actions according to a preset strategy, such as sending a handshake request to a specific port of the target device. When a response packet is returned, the system calculates a reward value based on the response status. For example, a positive reward is assigned if the response contains valid service information, and a negative reward is assigned if an abnormal alarm is triggered. The agent updates action selection probabilities through a policy network, for example, prioritizing ports with stable responses for deep scanning after multiple probes. During this process, the system continuously collects the message content, protocol interaction timing, and abnormal behavior characteristics returned by the devices, forming a multimodal dataset containing text, numerical values, and time-series signals. By dynamically adjusting the detection strategy, the system can adapt to heterogeneous environments of different industrial control devices.
[0029] In some embodiments of the present invention, in S3, the process of performing multimodal feature fusion and matching on the multimodal data through a deep learning model, parsing the attributes of the industrial control equipment and obtaining a digital twin profile is as follows: the deep learning model extracts and fuses multimodal features on the multimodal data, outputs the attributes of the equipment, and forms a digital twin profile of the equipment.
[0030] Specifically, multimodal data refers to various types of data collected from industrial control equipment, such as network traffic, protocol messages, device response time, hardware fingerprints, and log information. This can be implemented using distributed probes or embedded sensors to comprehensively reflect the equipment's operating status and potential characteristics. Multimodal feature fusion and matching refers to feature alignment and correlation modeling of heterogeneous data. This can be implemented using graph convolutional networks or autoencoders to eliminate intermodal differences and uncover implicit semantic relationships. Digital twin profiles refer to a set of dynamic device attributes constructed through virtualization technology. This can be implemented using knowledge graphs or attribute relationship trees to describe the device's model, firmware version, protocol type, vulnerability tags, and operating status. After the multimodal data collection from the industrial control equipment is completed, a pre-trained deep learning model is first used to parse the network traffic protocol and extract message features; hardware fingerprints are encoded to generate unique device identifiers; and log information is time-series modeled to analyze abnormal behavior patterns. Subsequently, a cross-modal attention mechanism is used to weight the feature vectors of different modalities, and a fused global representation is generated through feature concatenation. The fused feature vectors are matched with predefined device attribute templates in the knowledge graph for similarity, and finally a detailed list of device attributes is output, such as device manufacturer, operating system version, open service type, firmware version, hardware model, open protocol stack, communication behavior baseline, network role and criticality rating in the production process. Based on the attribute list, a three-dimensional digital twin model containing topological relationships, vulnerability tags and operating status is constructed.
[0031] In a specific example, an adaptive detection engine based on reinforcement learning is used to dynamically optimize the detection strategy through the interaction and iteration between the agent and the environment. This is combined with deep learning for multimodal feature fusion and matching, thereby deeply analyzing device attributes and constructing its digital twin profile. The specific process is as follows: The reinforcement learning agent selects the optimal probe action from the action space based on the current device state and sends a probe request to the target device. The response packet returned by the target device's environment is fed back to the agent as a reward signal, which the agent uses to update its policy network to maximize long-term information acquisition gains. Simultaneously, the deep learning model extracts and fuses features from collected multimodal data such as protocol response packets, passive traffic characteristics, and device communication timing, ultimately outputting comprehensive attributes including device manufacturer, type, firmware version, hardware configuration, open protocol stack, and even potential configuration defects, forming a digital twin profile of the device.
[0032] In some embodiments of this invention, step S4 further includes a process of spatiotemporally associating the digital twin profile of the device with physical space information and production process roles, and storing this association in a graph database in the form of a knowledge graph. After generating security defense and vulnerability remediation schemes, the system binds the attribute data in the device's digital twin profile with physical space coordinates and topological connections, and defines the functional weights of the device based on its role in the production process. Time-series information on device state changes is recorded using timestamps, and a spatiotemporal association matrix is constructed by combining this with spatial topological relationships. Finally, data such as device entities, vulnerability information, production roles, and spatiotemporal coordinates are stored in the graph database as nodes, and edge relationships are used to describe the logical associations between devices, vulnerability propagation paths, and production process dependencies.
[0033] The graph database is either Neo4j or JanusGraph.
[0034] In some embodiments of the present invention, in step S4, based on the parsed digital twin profile of the device and its associated vulnerabilities in the knowledge graph, combined with the key role of the device in the production process and its network topology location, a large language model-driven attack surface inference engine is used to generate a customized, low-impact defense and remediation scheme, and to provide automatically orchestrated remediation scripts and virtual patch recommendations, thereby completing the closed-loop defense of industrial control network assets.
[0035] Furthermore, it can integrate lightweight active detection and full-traffic passive analysis technologies to collaboratively achieve comprehensive perception of device open ports and service behavior.
[0036] This invention discloses a method for industrial control network asset identification and vulnerability remediation. The industrial control network asset identification method, system, equipment, and storage medium described in this invention, through the integration of active probing and passive traffic analysis, construct a panoramic situational awareness capability for the industrial control network, realizing a shift from passive response to proactive prediction. This invention utilizes knowledge graph and graph neural network technologies to transform isolated asset information into an interconnected intelligent knowledge network, achieving not only accurate and efficient service identification but also revealing hidden device dependencies and business logic, laying the foundation for in-depth security analysis. By introducing a reinforcement learning-based adaptive probing engine and deep learning multimodal feature fusion, this invention can autonomously and intelligently perform in-depth analysis of device assets, constructing a comprehensive digital twin profile including static attributes, dynamic behaviors, and business roles, achieving a leap from "list-based" to "profile-based" asset identification. This invention combines a large language model-driven attack surface inference engine, which can generate customized, low-impact closed-loop defense solutions based on the digital twin profile of devices and their key roles in the production process. This achieves a fundamental upgrade from "vulnerability matching" to "risk inference and proactive defense", thereby greatly improving the accuracy and comprehensiveness of asset identification and the effectiveness and foresight of defense solutions while ensuring the stability of industrial control networks.
[0037] The second aspect of this invention discloses an industrial control network asset identification and vulnerability repair device, comprising: The data acquisition module is used to detect open ports of industrial control equipment and obtain the service clusters corresponding to those ports. The graph neural network module is used to obtain the relationship between ports and service clusters through graph neural networks; The reinforcement learning module, based on the association between the port and the service cluster, uses a reinforcement learning agent to generate adaptive detection actions and sends detection requests to the industrial control equipment to collect multimodal data of the industrial control equipment; it then uses a deep learning model to perform multimodal feature fusion and matching on the multimodal data to parse out the detailed attributes of the industrial control equipment and construct its digital twin profile. The security defense module is used to generate security defense solutions and vulnerability remediation solutions for industrial control equipment based on digital twin profiles and their associated vulnerabilities in knowledge graphs, combined with the role and topological location of industrial control equipment in the production process, through a large language model.
[0038] A third aspect of this invention discloses a computer device, which includes a processor and a memory. The memory stores a computer program, which includes program instructions. The processor executes the program instructions stored in the computer storage medium. The processor may be a Central Processing Unit (CPU), or other general-purpose processors, digital signal processors (DSPs), application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. It is the computing and control core of the terminal, suitable for implementing one or more instructions, specifically suitable for loading and executing one or more instructions to achieve a corresponding method flow or corresponding function. This embodiment describes... The processor can be used to implement a method for industrial control network asset identification and vulnerability remediation, including the following steps: S1, probing open ports of industrial control equipment and obtaining the service clusters corresponding to the ports; S2, obtaining the association relationship between ports and service clusters through graph neural networks; S3, based on the association relationship between the ports and service clusters, using reinforcement learning agents to generate adaptive probing actions, sending probing requests to industrial control equipment to collect multimodal data of industrial control equipment; using a deep learning model to perform multimodal feature fusion and matching on the multimodal data to parse the detailed attributes of industrial control equipment, and then constructing its digital twin profile; S4, based on the digital twin profile and the associated vulnerabilities of the twin profile in the knowledge graph, combined with the role and topological location of the industrial control equipment in the production process, generating security defense schemes and vulnerability remediation schemes for the industrial control equipment through a large language model.
[0039] A fourth aspect of this invention discloses a storage medium, specifically a computer-readable storage medium (Memory), which is a memory device in a terminal device used to store programs and data. It is understood that the computer-readable storage medium here can include both the built-in storage medium in the terminal device and extended storage media supported by the terminal device. The computer-readable storage medium provides storage space that stores the terminal's operating system. Furthermore, the storage space also stores one or more instructions suitable for loading and execution by a processor, which can be one or more computer programs (including program code). It should be noted that the computer-readable storage medium here can be high-speed RAM or non-volatile memory, such as at least one disk storage device. One or more instructions stored in a computer-readable storage medium can be loaded and executed by a processor to implement a method for industrial control network asset identification and vulnerability remediation in the above embodiments, including the following steps: S1, detecting open ports of industrial control equipment and obtaining the service clusters corresponding to the ports; S2, obtaining the association relationship between ports and service clusters through graph neural networks; S3, based on the association relationship between the ports and service clusters, using reinforcement learning agents to generate adaptive detection actions, sending detection requests to industrial control equipment to collect multimodal data of industrial control equipment; using a deep learning model to perform multimodal feature fusion and matching on the multimodal data to parse the detailed attributes of industrial control equipment, and then constructing its digital twin profile; S4, based on the digital twin profile and the associated vulnerabilities of the twin profile in the knowledge graph, combined with the role and topological position of the industrial control equipment in the production process, generating a security defense scheme and vulnerability remediation scheme for the industrial control equipment through a large language model.
[0040] This invention is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, generate instructions for implementing the flowchart illustrations and / or block diagrams. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0041] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0042] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable equipment for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0043] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those skilled in the art should understand that modifications or equivalent substitutions can still be made to the specific implementation of the present invention. Any modifications or equivalent substitutions that do not depart from the spirit and scope of the present invention should be covered within the scope of protection of the claims of the present invention.
Claims
1. An industrial control network asset identification and vulnerability repair method, characterized in that, Includes the following steps: S1, detects open ports of industrial control equipment and obtains the service cluster corresponding to the port; S2, obtains the association between ports and service clusters through graph neural networks; S3, based on the association between the port and the service cluster, an adaptive detection action is generated by a reinforcement learning agent to send a detection request to the industrial control equipment to collect multimodal data of the industrial control equipment; multimodal feature fusion and matching of the multimodal data are performed by a deep learning model to parse out the detailed attributes of the industrial control equipment, and then construct its digital twin profile. S4, based on digital twin profiles and the associated vulnerabilities of twin profiles in knowledge graphs, combines the role and topological location of industrial control equipment in the production process, and generates security defense and vulnerability remediation schemes for industrial control equipment through a large language model.
2. The method according to claim 1, wherein, In S1, the service cluster corresponding to the port is obtained through passive traffic analysis.
3. The method for identifying and remediating vulnerabilities in industrial control networks according to claim 1, characterized in that, In S2, the process of establishing the association between ports and service clusters through the graph neural network is as follows: S21, using ports as the initial nodes of the knowledge graph, and based on the common associations between ports and service clusters, obtain the candidate service clusters of ports and the confidence of each service in the service cluster through graph neural networks. S22, Execute the service verification script according to the confidence level, and update the edge weights of the knowledge graph based on the verification results; S23, repeat S22 until the set number of iterations.
4. The method for identifying and remediating vulnerabilities in industrial control networks according to claim 3, characterized in that, S21. When obtaining the confidence level of each service, if the confidence level is lower than the set threshold, the service is determined to be a fake service by fingerprint recognition. The recognition result is then injected into the knowledge graph, and the knowledge graph learns on its own.
5. The method for identifying and remediating vulnerabilities in industrial control network assets according to claim 1, characterized in that, In S3, based on the association between the port and the service cluster, the reinforcement learning agent generates an adaptive detection action and sends a detection request to the industrial control equipment to collect multimodal data of the industrial control equipment. The process is as follows: the reinforcement learning agent selects the optimal detection action from the action space according to the current device state and sends a detection request to the target device. The response packet returned by the environment is fed back as a reward to the reinforcement learning agent, which then updates the policy network accordingly. Multimodal data is obtained during the detection and update process of the reinforcement learning agent.
6. The method for identifying and remediating vulnerabilities in industrial control networks according to claim 1, characterized in that, In S3, the process of using a deep learning model to perform multimodal feature fusion and matching on the multimodal data, analyze the attributes of the industrial control equipment, and obtain a digital twin profile is as follows: the deep learning model extracts and fuses multimodal features from the multimodal data, outputs the attributes of the equipment, and forms a digital twin profile of the equipment.
7. The method for identifying and remediating vulnerabilities in industrial control network assets according to claim 1, characterized in that, S4 also includes the process of spatiotemporally associating the digital twin profile of the equipment with physical space information and production process roles, and storing it in a graph database in the form of a knowledge graph.
8. An industrial control network asset identification and vulnerability repair device, characterized in that, include: The data acquisition module is used to detect open ports of industrial control equipment and obtain the service clusters corresponding to those ports. The graph neural network module is used to obtain the relationship between ports and service clusters through graph neural networks; The reinforcement learning module, based on the association between the port and the service cluster, uses a reinforcement learning agent to generate adaptive detection actions and sends detection requests to the industrial control equipment to collect multimodal data of the industrial control equipment. The multimodal data is fused and matched using a deep learning model to extract detailed attributes of the industrial control equipment and construct its digital twin profile. The security defense module is used to generate security defense solutions and vulnerability remediation solutions for industrial control equipment based on digital twin profiles and their associated vulnerabilities in knowledge graphs, combined with the role and topological location of industrial control equipment in the production process, through a large language model.
9. A computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, When the processor executes the computer program, it implements the industrial control network asset identification and vulnerability repair method as described in any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program, characterized in that, When the computer program is executed by the processor, it implements the industrial control network asset identification and vulnerability repair method as described in any one of claims 1 to 7.