An attack path planning method and device, electronic equipment and storage medium

By establishing a vulnerability knowledge graph and topology in ICS and combining it with a dynamic replicator model, the target attack path is dynamically filtered, solving the state explosion and convergence problems of path planning in ICS and achieving efficient and adaptive path selection.

CN122348845APending Publication Date: 2026-07-07CHINA ELECTRONICS CORP 6TH RES INST

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CHINA ELECTRONICS CORP 6TH RES INST
Filing Date
2026-04-09
Publication Date
2026-07-07

Smart Images

  • Figure CN122348845A_ABST
    Figure CN122348845A_ABST
Patent Text Reader

Abstract

The application provides a method and device for planning an attack path, electronic equipment and a storage medium. The method comprises: obtaining current network security information of an industrial control network; establishing a vulnerability knowledge graph of the industrial control network based on the network security information; establishing an industrial control network topology based on identity information of a plurality of devices in the industrial control network; determining a set of attack paths based on the vulnerability knowledge graph and the industrial control network topology; iteratively processing each attack path in the set of attack paths using a replicator dynamics model to obtain a path success probability of each attack path; sorting all attack paths according to a preset sorting rule according to the path success probability of each attack path; filtering all sorted attack paths according to a preset filtering condition, and determining the remaining attack paths as target attack paths. The technical solution provided by the application realizes path planning with high convergence, high success rate and dynamic self-adaptation.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of cybersecurity technology, and in particular to a method, apparatus, electronic device, and storage medium for planning attack paths. Background Technology

[0002] Industrial control systems (ICS), as the core of critical infrastructure, face increasingly complex attack surfaces. In white-box penetration testing, efficiently generating high-success-rate penetration paths is a core task. Current technologies mainly include static path planning methods and dynamic path planning methods based on Q-learning. Static path planning methods include: path planning combining static attack graph construction (BFS) and vulnerability knowledge graphs, path evaluation based on asset value, dynamic network routing algorithms, and industrial control network latency optimization techniques.

[0003] However, static path planning methods cannot adapt to the dynamic changes in industrial control environments, leading to inefficient path selection or even complete failure. Although dynamic path planning methods based on Q-learning can achieve dynamic adjustment of path selection, the explosion of Q-table dimensions makes them difficult to apply to complex scenarios such as ICS. Summary of the Invention

[0004] In view of this, embodiments of this application provide an attack path planning method, apparatus, electronic device, and storage medium, which achieves highly convergent, highly successful, and dynamically adaptive path planning.

[0005] This application mainly includes the following aspects: In a first aspect, embodiments of this application provide an attack path planning method, the planning method comprising: Obtain current network security information for the industrial control network; Based on the aforementioned network security information, a vulnerability knowledge graph for industrial control networks is established. Establish an industrial control network topology based on the identity information of multiple devices in the industrial control network; Based on vulnerability knowledge graphs and industrial control network topology, a set of attack paths is determined. The replicator dynamic model is used to iterate over each attack path in the attack path set to obtain the success probability of each attack path. Based on the success probability of each attack path, all attack paths are sorted according to a preset sorting rule. All sorted attack paths are filtered according to preset filtering conditions, and the remaining attack paths are determined as target attack paths.

[0006] Furthermore, the step of establishing a vulnerability knowledge graph for industrial control networks based on the network security information includes: Based on the aforementioned network security information, at least one device node, vulnerability node, attack mode node, and protocol node are created. Using a semantic association algorithm, each vulnerable node is associated with its corresponding device node and attack mode node, and each device node is associated with its corresponding protocol node. The edge weight of each associated edge is determined to construct a vulnerability knowledge graph; where the edge weight between a vulnerability node and a device node is the comprehensive vulnerability risk weight, the edge weight between a vulnerability node and an attack mode node is a preset value, and the edge weight between a device node and a protocol node is the protocol type factor corresponding to the protocol security level.

[0007] Furthermore, establishing the industrial control network topology based on the identity information of multiple devices in the industrial control network includes: Based on the Pudu level in the identity information of each device, devices that are lower than the preset Pudu level are filtered out from all devices; Based on the selected devices and the preset merging rules, determine whether to merge the selected devices into one logical network domain; Based on the merged results and the identity information of all devices, an industrial control network topology is established for all devices.

[0008] Furthermore, the determination of the attack path set based on the vulnerability knowledge graph and industrial control network topology includes: Based on the vulnerability knowledge graph and industrial control network topology, a set of initial attack paths is generated, starting with the vulnerable device as the initial attack path. Based on the communication delay time corresponding to each topological edge in the network topology, determine the total communication delay time of each initial attack path in the initial attack path; Initial attack paths with total communication latency less than the corresponding latency threshold will be filtered for communication latency. Based on the vulnerability information corresponding to each remaining initial attack path after communication delay filtering, initial attack paths with the same attack intent are merged. The set of initial attack paths after merging is determined as the attack path set.

[0009] Furthermore, the step of iterating through each attack path in the attack path set using the replicator dynamic model to obtain the success probability of each attack path includes: For each attack path in the attack path set, the fitness of the attack path is determined based on the path edge weights, industrial control real-time factors, and industrial control protocol type factors corresponding to all topological edges on the attack path. The attack path is iterated using the replicator dynamic model, the fitness of the attack path, and the average fitness of all attack paths. Determine the absolute value of the change in the success probability of the current attack path for each attack path; When the absolute value of the change in the success probability of any attack path satisfies the preset convergence condition, the iteration stops, and the success probability of each attack path is obtained.

[0010] Furthermore, the step of filtering all sorted attack paths according to preset filtering conditions and determining the remaining attack paths as target attack paths includes: From all sorted attack paths, attack paths that do not meet the cumulative probability condition are filtered out by probability. Based on the communication delay time corresponding to each topological edge in the network topology, determine the total communication delay time of each initial attack path in the initial attack path; Filter communication delays from the remaining attack paths after probability filtering; The remaining attack paths after filtering communication delays are all identified as target attack paths.

[0011] Furthermore, the planning method also includes: If there are multiple target attack paths, then for each target attack path, the comprehensive penalty coefficient of the target attack path is determined based on the security domain penalty coefficient and cross-domain penalty factor corresponding to the target attack path. Based on the comprehensive penalty coefficient of the target attack path, the success probability of the target attack path is adjusted; After adjusting the success probability of the path, all attack paths targeting multiple targets will be ranked by risk.

[0012] Secondly, embodiments of this application also provide an attack path planning device, the planning device comprising: The acquisition module is used to acquire the current network security information of the industrial control network; The knowledge graph building module is used to build a vulnerability knowledge graph of the industrial control network based on the network security information. The topology creation module is used to create an industrial control network topology based on the identity information of multiple devices in the industrial control network. The path determination module is used to determine the set of attack paths based on the vulnerability knowledge graph and industrial control network topology; The iteration module is used to iterate over each attack path in the attack path set using the replicator dynamic model to obtain the success probability of each attack path. The sorting module is used to sort all attack paths according to the success probability of each attack path and according to a preset sorting rule. The filtering module is used to filter all sorted attack paths according to preset filtering conditions and determine the remaining attack paths as target attack paths.

[0013] Thirdly, embodiments of this application also provide an electronic device, including: a processor, a memory, and a bus. The memory stores machine-readable instructions executable by the processor. When the electronic device is running, the processor communicates with the memory through the bus. The machine-readable instructions are executed by the processor to perform the steps of the attack path planning method described in the first aspect or any possible implementation of the first aspect.

[0014] Fourthly, embodiments of this application also provide a computer-readable storage medium storing a computer program, which, when executed by a processor, performs the steps of the attack path planning method described in the first aspect or any possible implementation of the first aspect.

[0015] This application provides an attack path planning method, apparatus, electronic device, and storage medium, which acquires current network security information of an industrial control network (ICS). Based on the network security information, a vulnerability knowledge graph of the ICS is established. Based on the identity information of multiple devices in the ICS, an ICS topology is established. Based on the vulnerability knowledge graph and the ICS topology, an attack path set is determined. Each attack path in the attack path set is iterated using a replicator dynamic model to obtain the path success probability of each attack path. According to the path success probability of each attack path, all attack paths are sorted according to a preset sorting rule. All sorted attack paths are filtered according to preset filtering conditions, and the remaining attack paths are determined as target attack paths.

[0016] This achieves path planning with high convergence, high success rate, and dynamic self-adaptation.

[0017] To make the above-mentioned objectives, features and advantages of this application more apparent and understandable, preferred embodiments are described below in detail with reference to the accompanying drawings. Attached Figure Description

[0018] To more clearly illustrate the technical solutions of the embodiments of this application, the accompanying drawings used in the embodiments will be briefly introduced below. It should be understood that the following drawings only show some embodiments of this application and should not be regarded as a limitation of the scope. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.

[0019] Figure 1One of the flowcharts for an attack path planning method provided in an embodiment of this application is shown; Figure 2 A second flowchart of an attack path planning method provided in an embodiment of this application is shown; Figure 3 The third flowchart illustrates an attack path planning method provided in an embodiment of this application; Figure 4 The fourth flowchart illustrates an attack path planning method provided in an embodiment of this application. Figure 5 The fifth flowchart illustrates an attack path planning method provided in an embodiment of this application; Figure 6 A flowchart of an attack path planning method provided in an embodiment of this application is shown as sixth of the flowcharts; Figure 7 A schematic diagram of the structure of an attack path planning device provided in an embodiment of this application is shown; Figure 8 A schematic diagram of the structure of an electronic device provided in an embodiment of this application is shown. Detailed Implementation

[0020] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. It should be understood that the drawings in this application are for illustrative and descriptive purposes only and are not intended to limit the scope of protection of this application. Furthermore, it should be understood that the schematic drawings are not drawn to scale. The flowcharts used in this application illustrate operations implemented according to some embodiments of this application. It should be understood that the operations in the flowcharts may not be implemented in sequence, and steps without logical contextual relationships may be reversed or implemented simultaneously. In addition, those skilled in the art, guided by the content of this application, may add one or more other operations to the flowcharts, or remove one or more operations from the flowcharts.

[0021] Furthermore, the described embodiments are merely some, not all, of the embodiments of this application. The components of the embodiments of this application described and illustrated herein can typically be arranged and designed in various different configurations. Therefore, the following detailed description of the embodiments of this application provided in the accompanying drawings is not intended to limit the scope of the claimed application, but merely to illustrate selected embodiments of the application. All other embodiments obtained by those skilled in the art based on the embodiments of this application without inventive effort are within the scope of protection of this application.

[0022] The methods, apparatus, electronic devices, or computer-readable storage media described in this application can be applied to any scenario requiring white-box penetration testing. This application does not limit specific application scenarios, and any scheme using the attack path planning method and apparatus provided in this application is within the protection scope of this application.

[0023] It is worth noting that Industrial Control Systems (ICS), as the core of critical infrastructure, face increasingly complex attack surfaces. In white-box penetration testing, efficiently generating high-success-rate penetration paths is a core task. Current technologies mainly include static path planning methods and dynamic path planning methods based on Q-learning. Static path planning methods include: path planning combining static attack graph construction (BFS) and vulnerability knowledge graphs, path evaluation based on asset value, dynamic network routing algorithms, and industrial control network latency optimization techniques.

[0024] However, static path planning methods cannot adapt to the dynamic changes in industrial control environments, leading to inefficient path selection or even complete failure. Although dynamic path planning methods based on Q-learning can achieve dynamic adjustment of path selection, the explosion of Q-table dimensions makes them difficult to apply to complex scenarios such as ICS. Specifically, (1) Static attack graph construction methods, such as state attack graphs and attack trees, can generate a complete set of attack paths through vulnerability combinations, but cannot respond to changes in vulnerability status in real time; (2) Path planning methods based on breadth-first search (BFS) combine the functions of automatic topology construction and vulnerability scanning of industrial control networks. Although they can systematically explore the network, their path weight calculation is static and lacks dynamic adjustment capabilities; (3) Path evaluation methods based on asset value rely on the system protection layer to generate attack paths and combine asset value to assess risks. However, this method does not quantify the success rate of the path and only performs static sorting based on asset importance; (4) Dynamic network routing algorithms attempt to improve convergence speed by calculating affected nodes. However, this method is mainly applicable to static network topologies and does not consider the dynamic changes in attack path weights; (5) Industrial control network latency optimization technology reduces communication latency through hardware optimization. However, it does not quantify latency parameters into path weights, so it lacks dynamic adjustment capabilities in penetration path planning; (6) Path planning methods based on Q-learning combine attack graphs, HMM models, and Q-learning for path analysis, which is difficult to handle large-scale ICS networks. In summary, existing path planning methods face the following challenges: State explosion problem: In large-scale ICS networks, the number of states in the attack graph grows exponentially, leading to a sharp increase in computational complexity with the number of devices; Poor path convergence: Most path planning methods rely on fixed weights (such as CVSS scoring), ignoring the attacker's learning process, resulting in slow path convergence and low success rate; Lack of industrial control system adaptation: Existing solutions do not fully consider the real-time requirements of ICS, such as device response latency and protocol characteristics. For example, the Modbus TCP protocol requires end-to-end latency of no more than 200 milliseconds, and OPC UA... The time-to-time (TS) is less than 10 milliseconds. These real-time constraints are not included in the path weight calculation, which may cause the planned path to violate the response latency limit of the ICS device, leading to system abnormalities or failures. The computational complexity is high: traditional path planning algorithms, such as Dijkstra's and A* algorithms, have a computational complexity of up to O(n2). For large-scale industrial control networks, these algorithms are difficult to meet the real-time requirements. The real-time risk is high: static path planning methods cannot detect and respond to changes in network latency in real time, which may cause the generated path to fail due to a sudden increase in link latency. It cannot realize the dynamic evolution of attacker strategies: without the introduction of theories such as evolutionary game theory, it is impossible to simulate the attacker's learning process, resulting in a lack of adaptability and evolutionary ability in path selection.

[0025] To address the aforementioned issues, this application proposes an attack path planning method, apparatus, electronic device, and storage medium, achieving highly convergent, high-success-rate, and dynamically adaptive path planning.

[0026] To facilitate understanding of this application, the technical solutions provided in this application will be described in detail below with reference to specific embodiments.

[0027] Please see Figure 1 , Figure 1 This is one of the flowcharts for an attack path planning method provided in an embodiment of this application.

[0028] like Figure 1 As shown in the figure, the attack path planning method provided in this application embodiment includes the following steps: Step S101: Obtain the current network security information of the industrial control network.

[0029] Here, the industrial control network (ICS) is a dedicated computer network used to monitor and control industrial production processes, connecting various industrial automation devices. Network security information includes: identity information, vulnerability information, and attack pattern information.

[0030] Step S102: Based on the network security information, establish a vulnerability knowledge graph for the industrial control network.

[0031] Here, vulnerabilities, devices, and attack patterns are integrated into a unified model through semantic association.

[0032] The following is combined with Figure 2 This section will explain in detail how to establish a vulnerability knowledge graph for industrial control networks based on the aforementioned network security information.

[0033] Please see Figure 2 , Figure 2 This is a second flowchart of an attack path planning method provided in an embodiment of this application.

[0034] like Figure 2 As shown, regarding step S102, in a specific implementation, as an example, the following steps may be included: Step S1021: Based on the network security information, create at least one device node, vulnerability node, attack mode node, and protocol node.

[0035] Here, a device node is an entity of a device in an industrial control network, a vulnerability node is an entity of a known security vulnerability, an attack mode node is an entity of a type of attack method, and a protocol node is an entity of an industrial control communication protocol. Specifically, this step involves: identifying each industrial control device from its identity information and creating a device node. Each device node includes attributes such as IP address, device type, protocol type, and real-time tag (e.g., PLC / SCADA server); extracting each CVE (Common Vulnerabilities and Exposures) vulnerability from the vulnerability information and creating a vulnerability node. Each vulnerability node includes attributes such as CVE number, CVSS (Common Vulnerability Scoring System) base score, and CVE vulnerability description (e.g., CVE-2025-54923, CVSS 8.8); extracting each CAPE (Common Attack Pattern Enumeration) attack pattern from the attack pattern information and creating an attack pattern node. Each attack pattern node includes attributes such as CAPE classification and attack intent tag (e.g., T1059.001 PowerShell execution); and determining the industrial control protocol (e.g., Modbus TCP, OPC) running on the device. (UA, Profinet) Create protocol nodes, each containing attributes such as protocol name, security level, real-time threshold, and authentication / encryption features. Identity information includes: IP address, device type, protocol type, network interface information, and Pudu level. This identity information can be obtained from the fields in each device's MIB using the SNMP protocol. SNMP scans are set to run at preset intervals (e.g., every 2 hours). Vulnerability information is obtained from the CVE database, and attack pattern information is obtained from the CAPE attack pattern library.

[0036] Step S1022: Using a semantic association algorithm, establish association edges between each vulnerable node and its corresponding device node and attack mode node, and establish association edges between each device node and its corresponding protocol node.

[0037] Here, vulnerability-device association matches device nodes with vulnerability nodes based on the affected product field in the vulnerability information (such as the manufacturer and model listed in the CVE vulnerability description); vulnerability-attack mode association is based on a preset mapping table between vulnerability types and CAPE attack modes, and vulnerability nodes are automatically matched with corresponding attack mode nodes; device-protocol association associates the device node with the corresponding protocol node based on the protocol type recorded in the device node.

[0038] Step S1023: Determine the edge weight of each associated edge to construct a vulnerability knowledge graph.

[0039] Here, during the construction of the vulnerability knowledge graph, each associated edge is assigned a weight.

[0040] Specifically, the edge weight between the vulnerable node and the device node is the comprehensive vulnerability risk weight, which represents the risk of the vulnerability on a specific device. As an example, the comprehensive vulnerability risk weight is calculated using formula (1). (1), in, Assuming a comprehensive risk weight for the vulnerability, , , As preset weights, and + + =1, The base score for CVSS, For CVSS timeliness score, The attack pattern success rate is represented by a value from 1 to 5, where 1 indicates a low success rate and 5 indicates a high success rate. The attack pattern success rate is derived from the CAPE classification. The preset weights are determined based on the risk components of industrial control systems and engineering practice experience. As an example... =0.4, =0.3, =0.3. Wherein, The value of 0.4 is intended to preserve the objectivity and consistency of the CVSS score as an industry-standard benchmark. and Each value is set to 0.3 to incorporate a timeliness score and attack pattern success rate, thereby dynamically reflecting the changing risk of vulnerabilities over time and their actual exploitability in heterogeneous industrial control equipment environments. This weighting configuration overcomes the limitations of traditional CVSS scoring in dynamic risk assessment scenarios for industrial control systems.

[0041] The edge weights between vulnerable nodes and attack pattern nodes are preset values. These preset values ​​indicate that the vulnerability can be exploited by a specific attack pattern. For example, the preset value is 1.

[0042] The edge weights between device nodes and protocol nodes are preset protocol type factors corresponding to the protocol security level. Protocol types characterize the security risks of the industrial control protocol used by the target device. Due to significant differences in design age, authentication mechanisms, and encryption strength among different protocols, the difficulty of malicious exploitation varies. This application employs a multi-dimensional scoring method based on protocol security characteristics to construct a protocol type factor mapping. It also allows security experts to fine-tune the above baseline values ​​based on actual network traffic analysis results (such as detecting frequent firewall rule triggering by a certain protocol) to adapt to specific scenarios. As an example, Table 1 shows the mapping table between protocol security levels and protocol type factors. As shown in Table 1, the security level of protocols is evaluated by comprehensively considering the following five dimensions: authentication mechanism, encryption / integrity protection, exploit tool maturity, configuration fault tolerance, and the deployment scenario of the protocol in the industrial control system. Based on these dimensions, common industrial control protocols are divided into four security levels, each with a corresponding protocol type factor.

[0043] Table 1 Mapping Table of Protocol Security Level and Protocol Type Factors

[0044] In this embodiment, the vulnerability knowledge graph is updated in real time. For parameters such as vulnerability status that change slowly, the CVE / CVSS database is synchronized once at a preset interval (e.g., 2 hours) to obtain the latest vulnerability information (including new vulnerabilities, score changes, patch releases, etc.) and update the comprehensive risk weight between vulnerabilities and devices. As an example, taking the release of the CVE-2025-40755 vulnerability patch as an example, the change in comprehensive risk weight is shown in Table 2.

[0045] Table 2 Example of changes in comprehensive risk weights

[0046] In this application, a vulnerability knowledge graph is constructed by integrating multi-source data to address the following two key issues: (1) Heterogeneity of industrial control equipment: Industrial control networks typically contain heterogeneous equipment from multiple vendors, such as Siemens PLCs, Schneider HMIs, Modbus sensors, etc. The exploit paths and real-time constraints of different devices vary significantly. Traditional methods rely solely on static CVSS scoring, which cannot effectively consider protocol differences and device role characteristics. To address this issue, this application uses semantic nodes (including device type, protocol version, security domain, etc.) and semantic edges (including vulnerability-device association, vulnerability-attack mode association, etc.) in the vulnerability knowledge graph to uniformly represent the above differences, thereby providing structured input data for subsequent path evolution. (2) Dynamic risk assessment requirements: The vulnerability status in the industrial control environment is constantly changing, such as the emergence of new vulnerabilities and the repair of known vulnerabilities. Static assessment methods cannot respond to such dynamic changes in real time. To this end, this application employs a dynamic update mechanism for vulnerability knowledge graphs, forming an automated closed loop of "perception—mapping—recalculation—response," enabling dynamic adjustment of comprehensive risk weights and ensuring that path planning always reflects the latest vulnerability status. The vulnerability knowledge graph supports real-time updates of vulnerability information without requiring the reconstruction of the entire attack graph (attack path set).

[0047] Return to reference Figure 1 Step S103: Establish the industrial control network topology based on the identity information of multiple devices in the industrial control network.

[0048] The following is combined with Figure 3 This section will explain in detail how to establish an industrial control network topology based on the identity information of multiple devices in the industrial control network.

[0049] Please see Figure 3 , Figure 3 This is the third flowchart of an attack path planning method provided in an embodiment of this application.

[0050] like Figure 3 As shown, regarding step S103, in a specific implementation, as an example, the following steps may be included: Step S1031: Based on the Pudu level in the identity information of each device, filter out devices that are lower than the preset Pudu level from all devices.

[0051] Here, the Pudu hierarchy refers to the logical hierarchy in the Pudu model. The Pudu model is an international standard reference architecture for layering industrial control systems, which divides the industrial control network into five logical levels, L0-L4. Specifically, L0 level devices include sensors, actuators, smart meters, etc.; L1 level devices include PLCs, RTUs, and controllers, etc.; L3 level devices include historical databases and reporting systems, etc.; and L4 level devices include ERP and MES systems, etc.

[0052] Step S1032: Based on the selected devices and the preset merging rules, determine whether to merge the selected devices into a logical network domain.

[0053] Here, the default merging rule is as follows: when L0-L2 level devices are located in the same IP subnet and there is no industrial firewall in between, they are merged into one logical network domain; when L0-L2 devices span subnets but there is no firewall, they are merged into one logical network domain, and the logical hop count is marked. When there is an industrial firewall between L0-L2 devices, the devices on both sides of the firewall are considered as different logical network domains. For L3 and higher level devices, they are divided according to subnet and routing.

[0054] It should be noted that in actual industrial deployments, the logical layering of the Pudu model differs significantly from the physical network architecture. Specifically, due to system stability, determinism, and historical deployment habits, L0 to L2 level devices are typically connected within the same production network domain. No firewalls or complex routing policies are configured between devices, and they are interconnected via industrial switches, forming a broadcast domain. IP addresses are usually planned within the same subnet segment. L0-L2 level devices are trusted by default, and access control relies primarily on protocol-level logical judgments rather than network-level isolation. Using traditional methods to divide subnets according to Pudu levels, verify connectivity hop-by-hop, and trace physical port connections not only introduces huge computational overhead but also generates numerous invalid attack paths due to ignoring the actual flattened nature of the network. Therefore, this application abstracts L0-L2 level devices into a single logical network domain, within which any device can directly access other devices by default. This logical abstraction is based on the following three design considerations: Attack surface consistency: Within the same domain at the L0-L2 level, once an attacker breaches the boundary, the main obstacle to lateral movement is protocol access control, not network-level isolation. Therefore, abstracting L0-L2 into a single logical network domain accurately reflects the actual attack surface. Scanning efficiency is optimized by avoiding redundant physical hop count probing of the flat network, focusing instead on device identification and protocol semantic inference, significantly improving efficiency. Business semantic alignment: the essence of industrial control system attack paths is a protocol exploitation chain (e.g., modifying PLC logic by writing to Modbus registers), not a network routing chain. Logical abstraction directly aligns with this business semantic, making subsequent attack path construction more closely resemble actual attack scenarios.

[0055] Step S1033: Based on the merging results and the identity information of all devices, establish an industrial control network topology for all devices.

[0056] First, logical network domain boundaries are determined based on the merging results. Devices within the same logical network domain are considered logically reachable by default; different domains isolated by industrial firewalls are treated as independent logical network domains and do not communicate directly. Then, protocol connectivity is verified based on the identity information of each device: for each pair of potentially communicating devices, protocol connectivity is checked. If the two devices share the same communication protocol, the topology edge between them is retained; if the two devices share the same communication protocol but a protocol conversion gateway exists, the topology edge between them is retained and marked as requiring protocol conversion; if the protocols are different and there is no conversion gateway, the topology edge between the two devices is deleted, thus filtering the industrial control network topology edges. Finally, considering attributes such as protocol type and security domain label in the device identity information, a directed graph, i.e., the industrial control network topology, is generated. Here, topology edges represent feasible attack paths from the source device to the target device.

[0057] See again Figure 1 Step S104: Based on the vulnerability knowledge graph and industrial control network topology, determine the set of attack paths.

[0058] The following is combined with Figure 4 This section will explain in detail how to determine the set of attack paths based on vulnerability knowledge graphs and industrial control network topology.

[0059] Please see Figure 4 , Figure 4 This is the fourth flowchart of an attack path planning method provided in an embodiment of this application.

[0060] like Figure 4 As shown, regarding step S104, in a specific implementation, as an example, the following steps may be included: Step S1041: Based on the vulnerability knowledge graph and industrial control network topology, generate a set of initial attack paths, starting with the vulnerable device as the starting point of the initial attack path.

[0061] First, all devices with exploitable vulnerabilities are identified and used as the initial entry point (i.e., the attack starting point). Then, using these vulnerable devices as root nodes, a breadth-first search (BFS) is performed on the industrial control network topology. During the search, each time a device node is encountered, the vulnerability knowledge graph is consulted to determine if the device has an exploitable vulnerability: if it does, the device node is included in the current attack path, and the attack continues to expand to adjacent device nodes; if it does not exist, the expansion stops. In this way, starting from each vulnerable device, all possible node sequences that can exploit the vulnerability at every step are enumerated, forming an initial set of attack paths. As an example, the attack path is SCADA → PLC-1 → Flowmeter.

[0062] Step S1042: Determine the total communication delay time of each initial attack path in the initial attack path based on the communication delay time corresponding to each topological edge in the network topology.

[0063] In this application, during the industrial control network topology generation phase, the communication delay between devices is also detected using the ICMP protocol at preset intervals (e.g., 5 seconds), and the communication delay data is stored in a distributed database. In the industrial control network topology, each topology edge corresponds to a communication delay time. For an attack path consisting of multiple attack edges connected sequentially, when there is no protocol conversion in the attack path, its total communication delay is the sum of the communication delays of all attack edges on the path; when there is a protocol conversion in the attack path, its total communication delay is the sum of the communication delays of all attack edges on the path plus the corresponding conversion delay compensation value. Based on the topology edges, the communication delay time corresponding to the attack edges of the attack path can be determined.

[0064] For an attack path consisting of multiple attack edges connected sequentially, its total communication latency is determined as follows: If there is no protocol conversion in the attack path, the total communication latency is equal to the sum of the communication latency of all attack edges on the attack path; if there is a protocol conversion in the attack path, the total communication latency is equal to the sum of the communication latency of all attack edges on the attack path plus the corresponding protocol conversion latency compensation value. The communication latency corresponding to each attack edge in the attack path can be determined based on the topology edges. For example, an attack path consists of three attack edges connected sequentially, with topology edge latencies of 45ms, 12ms, and 18ms respectively. Since there is no protocol conversion in the path, the total communication latency is 45 + 12 + 18 = 75ms. If there is a Modbus TCP to Modbus RTU protocol conversion in the middle of the path, an additional 0.016ms conversion latency compensation is required, resulting in a total communication latency of 75 + 0.016 = 75.016ms.

[0065] Step S1043: Initial attack paths with total communication delay time less than the corresponding delay threshold are filtered for communication delay.

[0066] Here, the latency threshold refers to the latency threshold corresponding to the device protocol. For example, the latency threshold for Modbus TCP is set to 200ms, and for OPC UA TSN, it is set to 10ms. If the total communication latency of an initial attack path is greater than the latency threshold of the target device protocol, it indicates that the initial attack path may cause control commands to fail or trigger industrial control system anomalies due to timeouts during actual penetration testing. Therefore, this initial attack path is removed from the set to avoid redundancy in subsequent evolution calculations. Conversely, if the total communication latency of an initial attack path is less than or equal to the latency threshold of the target device protocol, the attack path is retained. For example, for a Modbus TCP path from the SCADA server to the flow meter via PLC-1, the latency of each link segment in its initial attack path is 45ms and 250ms, respectively, with a total latency of 295ms, which is greater than the 200ms threshold of the Modbus TCP protocol. Therefore, this initial attack path is filtered out. The above method filters out paths that do not meet real-time requirements in advance, significantly reducing the computational load of invalid paths and providing a more efficient set of attack paths for subsequent dynamic replicator model evolution.

[0067] Step S1044: Based on the vulnerability information corresponding to each remaining initial attack path after communication delay filtering, merge the initial attack paths with the same attack intent.

[0068] It should be noted that after real-time filtering, the remaining set of initial attack paths contains multiple initial attack paths. Although these paths exploit different vulnerabilities (e.g., CVE-2025-40755 weak password vulnerability, CVE-2025-29931 buffer overflow vulnerability), they all ultimately point to the same attack intent (e.g., "gaining control of the PLC"). This application identifies initial attack paths with the same attack pattern by using the relationship between vulnerabilities and attack patterns in a vulnerability knowledge graph. These paths are then determined to be equivalent paths and merged, reducing the computational complexity of the replicator dynamic model evolution and improving the efficiency of evolutionary computation.

[0069] Step S1045: Determine the set of initial attack paths after merging as the attack path set.

[0070] Here, multiple initial attack paths with the same attack intent but exploiting different vulnerabilities are merged into a single virtual path.

[0071] See again Figure 1 In step S105, the replicator dynamic model is used to iterate over each attack path in the attack path set to obtain the success probability of each attack path.

[0072] Here, the replicator dynamic model treats each attack path as a strategy. During evolution, paths with higher fitness (i.e., higher success probability) are replicated, and their selection probability increases accordingly; while paths with lower fitness are eliminated, and their success probability gradually decreases. Through this iterative mechanism, the model eventually converges to the optimal set of attack paths.

[0073] This application introduces the replicator dynamic model from evolutionary game theory into industrial control system penetration path planning. By dynamically evolving the probability distribution of attack paths, it achieves the screening and retention of high success rate paths, while avoiding the problem of Q-table dimension explosion in traditional methods (such as Q-learning).

[0074] The following is combined with Figure 5 This section will explain in detail how to use the replicator dynamic model to iterate over each attack path in the attack path set to obtain the success probability of each attack path.

[0075] Please see Figure 5 , Figure 5 This is the fifth flowchart of an attack path planning method provided in an embodiment of this application.

[0076] like Figure 5 As shown, regarding step S105, in a specific implementation, as an example, the following steps may be included: Step S1051: For each attack path in the attack path set, determine the fitness of the attack path based on the path edge weights, industrial control real-time factors, and industrial control protocol type factors corresponding to all topological edges on the attack path.

[0077] Here, path edge weights are used to characterize the exploitability of vulnerabilities or configuration flaws corresponding to device nodes along the attack path. As an example, the path edge weights of the attack edge... It can be calculated using formula (2).

[0078] (2), in, vulnerability_difficulty This is the normalized value of the CVSS exploitability score (the smaller the value, the easier it is to exploit; values ​​range from 0 to 1). The industrial control system real-time factor characterizes the smoothness of attack payload transmission at the attack edge and is affected by factors such as link latency and security device interception, reflecting the degree to which network topology, firewall policies, and access control lists (ACLs) hinder attack behavior. As an example, the industrial control system real-time factor at the attack edge... It can be calculated using formula (3).

[0079] (3), in, delaye This refers to the communication latency corresponding to the attack edge. To achieve static quantification of attack risk and transform it into the core driving force for the dynamic evolution of the replicator model, enabling the defense system to predict the attacker's strategy shift trend and achieve dynamic defense deployment, this application proposes a fitness factor. The fitness of an attack path is used to characterize the comprehensive probability of an attack path being successfully exploited in the current network environment. The fitness factor is determined by integrating node vulnerability exploitability (…). ωe ), dissemination efficiency ( ψe ) and industrial control protocol type factor ( ICS This overcomes the limitations of traditional single-indicator assessments and can accurately reflect the end-to-end risk level from the IT area to the OT area. Higher fitness indicates that the path is more likely to be selected by attackers and successfully launched. As an example, the... i fitness of attack paths It can be calculated using formula (4).

[0080] (4), Where ∑ represents the th i The sub-fitness of each edge of the attack path is accumulated.

[0081] In this embodiment, the application performs a register mapping table scan on devices involved in cross-brand communication within an industrial control network. The number of register accesses is then counted. total_register_accesses, That is, the total number of register addresses attempted to be accessed during the scan, and the number of times an address mapping mismatch occurred. mismatch _ count This refers to the cumulative number of address mapping errors discovered during the scanning process. Based on the above statistics, the address mapping error rate is calculated using formula (5). error _ rate .

[0082] (5).

[0083] When an attack path involves communication between devices from different brands and its address mapping error rate is greater than a preset error rate (e.g., 5%), it is determined that the attack path has high communication unreliability due to differences in register mapping configuration. Therefore, a penalty factor of a preset value (e.g., 0.8) is applied to the edge weight of the path.

[0084] Step S1052: Iterate the attack path using the replicator dynamic model, the fitness of the attack path, and the average fitness of all attack paths.

[0085] Here, as an example, the equation expression for the replicator dynamic model is shown in formula (6).

[0086] (6), in, For the first i The success probability of each attack path. This represents the average fitness of all paths.

[0087] In this embodiment of the application, the Euler method is used to discretize and solve the dynamic equation of the replicator, which yields formula (7).

[0088] (7), in, This is the iteration step size (e.g., 0.1). For element-wise multiplication, to ensure the validity of the probability distribution (no negative values, sum to 1), this application adopts the softmax normalization mechanism to update formula (7) to formula (8).

[0089] (8).

[0090] In this application, the fitness of each attack path is used as an input parameter to the replicator dynamic model. Before iteration, the application sets the initial time ( The probability of each attack path being selected is set to a uniform distribution, i.e.: x (0) =1 / n l x (0) This represents the probability distribution of each attack path being selected at time t=0. n Let l represent the total number of attack paths, where l represents the number of paths where all elements are 1. n The initialization method uses a column vector. This initialization satisfies the probability normalization condition, meaning all attack paths have the same probability of being selected in the initial state. In each iteration, fitness, as the fitness parameter in the replicator dynamic equation, directly drives the evolution direction of the attack strategy population. In the replicator dynamic equation, fitness determines the growth rate of the strategy corresponding to the attack path in the population. Specifically, if the fitness of an attack path is significantly higher than the average fitness of the population, the proportion of the attack strategy corresponding to that attack path will rapidly increase in the next iteration cycle; conversely, if the fitness of an attack path is significantly lower than or equal to the average fitness, that attack strategy will be eliminated. This mechanism simulates the rational behavior characteristics of attackers who "seek advantage and avoid harm" and concentrate resources to attack weak points.

[0091] Step S1053: Determine the absolute value of the change in the success probability of each attack path.

[0092] Here, for the i-th attack path, the absolute value of the probability change between two adjacent iterations (the t-th and t+1-th iterations) is .

[0093] Step S1054: When the absolute value of the change in the success probability of any attack path satisfies the preset convergence condition, stop the iteration and obtain the success probability of each attack path.

[0094] Here, the preset convergence condition is that the algorithm converges and the iteration terminates when the absolute value of the change in the success probability of any attack path is less than a preset threshold. As an example, the preset threshold... =10 4 The pre-defined convergence condition is based on the payoff comparison mechanism in evolutionary game theory. When the probability fluctuation of a high-success-rate path is sufficiently small (e.g., the maximum change in three consecutive iterations is less than...), the convergence condition is determined by... When the value reaches 0, it indicates that the strategy population has entered an evolutionary stable state.

[0095] See again Figure 1 Step S106: Sort all attack paths according to the success probability of each attack path and according to the preset sorting rules.

[0096] Here, the attack paths are sorted using the quicksort algorithm, which enables efficient sorting output in large-scale industrial control network environments. As an example, the default sorting rule can be from highest to lowest. The sorted results are output in JSON format, with each attack path containing at least the following fields: path ID, path success probability, total communication latency, and a list of device nodes. The sorting results are output at a preset interval (e.g., 5 minutes). The preset interval can be set from 1 minute to 60 minutes.

[0097] Step S107: Filter all sorted attack paths according to preset filtering conditions, and determine the remaining attack paths as target attack paths.

[0098] The following is combined with Figure 6 This section explains in detail how to filter all sorted attack paths according to preset filtering conditions and determine the remaining attack paths as target attack paths.

[0099] Please see Figure 6 , Figure 6 This is a flowchart of a method for planning an attack path provided in an embodiment of this application.

[0100] like Figure 6 As shown, regarding step S107, in a specific implementation, as an example, the following steps may be included: Step S1071: From all sorted attack paths, perform probability filtering on attack paths that do not meet the cumulative probability condition.

[0101] Here, the cumulative probability condition refers to a pre-set probability accumulation threshold (e.g., 60%), used to filter out the minimum number of attack paths whose total success probability reaches the probability accumulation threshold. Specifically, starting with the attack path with the highest probability, the success probabilities of each path are accumulated sequentially until the cumulative probability reaches or exceeds the probability accumulation threshold. The remaining attack paths not included in the cumulative calculation are considered not to meet the cumulative probability condition. For example, if there are 5 attack paths with success probabilities of 0.35, 0.25, 0.20, 0.12, and 0.08, and the cumulative probability threshold is 60%, then the cumulative probability of the first three attack paths is 0.35 + 0.25 + 0.20 = 0.80 ≥ 60%, and the last two attack paths are filtered out. This step quickly eliminates low-value attack paths and filters out high-probability paths, reducing the amount of subsequent computation.

[0102] Step S1072: Perform communication delay filtering on the remaining attack paths after probability filtering.

[0103] Here, because the communication latency is dynamically changing, the latency values ​​used to generate the initial attack path set may no longer be consistent with the current actual state. Therefore, after completing the dynamic evolution of the replicator and obtaining the probability distribution, it is necessary to perform communication latency filtering on the remaining attack paths after probability filtering: that is, to obtain the latest latency time of each attack edge and calculate the total communication latency time of the attack paths. This step eliminates invalid attack paths that violate the hard constraints of real-time performance.

[0104] Step S1073: All remaining attack paths after communication delay filtering are identified as target attack paths.

[0105] Here, the target attack path refers to the critical attack path that users should focus on.

[0106] In the dynamic update mechanism of this application, when the communication latency of an attack edge exceeds a corresponding latency threshold, the real-time factor of that link is immediately set to 0. Since path fitness depends on the real-time factor, the fitness of all attack paths to which that attack edge belongs will decrease significantly. In subsequent dynamic iterations of the replicator, the probability of these attack paths being selected will be suppressed (i.e., rapidly reduced), thus gradually eliminating them.

[0107] In this application, the TCN BPDU (Topology Change Notification Bridge Protocol Data Unit) mechanism in RSTP (Rapid Spanning Tree Protocol) is used to monitor network link status in real time. When a link failure is detected, the system triggers a local path recalculation within 50 milliseconds, updating only the weights of the edges affected by the failure, without performing a full iterative calculation on the entire attack graph.

[0108] In this application, protocol-aware scanning and latency quantization are used to solve the following two key problems: (1) Heterogeneous protocol compatibility problem: Based on the abstraction of L0-L2 level devices into the same logical domain, the connectivity verification of protocol interaction is further used to filter the topology edges. By constructing a "logically reachable topology", the flat deployment characteristics of the industrial control system are retained, and the false alarms of attack paths caused by the traditional full connectivity assumption are avoided, thus achieving a balance between accuracy and efficiency. Industrial control networks usually contain a variety of heterogeneous protocols. This application obtains device information in a unified manner through SNMP / ICMP multi-protocol adaptation scanning, providing basic data for subsequent path evolution. (2) Real-time constraint embedding problem: Traditional attack graph construction methods (such as state attack graphs) regard vulnerability exploitation difficulty and communication latency as static parameters, which cannot dynamically respond to real-time changes in the industrial control environment. To solve this problem, this application adopts a path weight dynamic calculation mechanism (instead of full state update), which significantly improves the convergence speed. At the same time, by introducing a protocol type factor, the differences in vulnerability exploitation difficulty of different protocols are directly quantified, thereby ensuring that the generated attack path can meet the real-time operation requirements of the industrial control system.

[0109] As one possible implementation method, the planning method also includes: Step S11: If there are multiple target attack paths, then for each target attack path, the comprehensive penalty coefficient of the target attack path is determined based on the difference in device security domain level and cross-domain penalty factor corresponding to the target attack path.

[0110] Here, each device belongs to a Pudu hierarchy that corresponds to a security domain level. The security domain penalty coefficient represents the security risk penalty factor for cross-domain paths. As an example, the security domain penalty coefficient... It can be calculated using formula (9).

[0111] (9), in, This refers to the initial security domain level, which is the security domain level of the device at the starting point of the target attack path. The target security domain level refers to the security domain level of the endpoint device (i.e., the target device). Since the difficulty and risk of attacks increase significantly with each security domain boundary crossed in an industrial control network (e.g., from L2 to L1), this application sets a cross-domain penalty factor (e.g., 0.7, a widely used engineering experience value in industrial control system attack and defense practices, representing that the attack success rate decreases by approximately 0.7 with each security domain boundary crossed, influenced by boundary protection strategies; this value can be adjusted within the range of 0.6–0.8 based on actual protection strength). For each cross-domain edge in the path (i.e., the edge where the starting and ending security domain levels differ), its path edge weight is multiplied by the cross-domain penalty factor. The comprehensive penalty coefficient is the product of the security domain penalty coefficient and the cross-domain penalty factor (if the path contains multiple cross-domain edges, it is multiplied by the corresponding number of cross-domain penalty factors). As an example, if the attack path starts at a SCADA server (security domain level L2, level value 3) and ends at a flow meter (security domain level L0, level value 1), the security domain level difference of this attack path is 2, and the calculated security domain penalty coefficient is 0.98. The attack path contains two cross-domain edges (L2→L1 and L1→L0, respectively), each with a penalty factor of 0.7, resulting in a total cross-domain penalty of 0.72 = 4.9. Therefore, the comprehensive penalty coefficient is the product of the security domain penalty coefficient and the total cross-domain penalty: 0.98 × 0.49 = 0.4802. This method ensures that the success probability of the attack path does not significantly decrease due to cross-domain security checks.

[0112] Step S12: Adjust the success probability of the target attack path based on the comprehensive penalty coefficient of the target attack path.

[0113] Here, the product of the comprehensive penalty coefficient and the original path success probability is determined as the adjusted path success probability.

[0114] Step S13: Sort all attack paths targeting multiple targets by risk after adjusting the success probability of the path.

[0115] As an example, suppose the target attack paths include Path-001, Path-002, and Path-003. After adjusting the comprehensive penalty coefficient, the ranking of the attack paths changes as follows: Before adjustment, the original probability ranking is Path-003 > Path-001 > Path-002; after adjustment, Path-001 > Path-002 > Path-003. This is because Path-003 contains two cross-domain edges, while Path-001 and Path-002 each contain only one. According to the cross-domain penalty mechanism of this application, each cross-domain edge is multiplied by a penalty factor of 0.7. Therefore, Path-003 receives a higher degree of penalty, and its success probability after adjustment decreases significantly, leading to a shift in ranking. This example shows that attack paths with more cross-domain edges are subject to greater weight reduction in security domain risk calibration, thus prioritizing paths with fewer instances of same-domain or cross-domain attacks.

[0116] Additionally, after outputting the target attack path, the following processing operations can be included: generating a visual view of the attack graph (a set of attack paths) using graphical tools, highlighting the target attack path in the view; automatically generating a path description document, which includes path descriptions, vulnerability information involved, specific attack steps, and risk assessment results; and generating an optimal penetration test execution plan based on the characteristics of each path, including the vulnerability exploitation sequence, required tools, and precautions. These processing operations provide penetration testers with an intuitive and actionable testing solution.

[0117] This application has the following beneficial effects: (i) High convergence: This application combines the replicator dynamic method of evolutionary game theory with attack graph construction to form a closed-loop optimization architecture of "scanning-modeling-planning". It achieves high convergence and high success rate penetration path planning through dynamic evolutionary path probability distribution. Since the replicator dynamic method only needs to maintain the path probability distribution (computational complexity is O(n log n)... Traditional methods (such as Q-learning) require maintaining a state-action table (with a computational complexity of O(n log n)). Therefore, this invention significantly reduces the number of convergence steps in path planning and improves evolution efficiency. (II) High success rate: Through dynamic evolution of path probability distribution, high-fitness (high success rate) paths are retained and their selection probability is increased, while inefficient paths are naturally eliminated. This mechanism makes the final output key attack path have a higher actual success rate, while reducing subsequent computational redundancy. (III) Dynamic adaptability: This application, through the dynamic update mechanism of the vulnerability knowledge graph, can respond in real time to changes in vulnerability status, sudden increases in network latency, and link failures, without having to rebuild the entire attack graph, significantly improving the real-time response capability of the system. (IV) Industrial control real-time guarantee: This application quantifies the real-time requirements of industrial control protocols into path weight parameters. Through protocol latency threshold filtering and protocol conversion latency compensation, it ensures that the generated penetration path will not affect the normal operation of the industrial control system due to timeout, solving the defect that high success rate paths in traditional methods may violate the real-time constraints of the industrial control system. (V) High computational efficiency: Compared with traditional reinforcement learning methods (such as Q-learning) that require maintaining a high-dimensional Q-table, this invention only needs to maintain the path probability distribution, with a computational complexity of O(n). Meanwhile, through logical domain abstraction, protocol connectivity pruning, and multi-layer filtering mechanisms, the number of invalid paths is significantly reduced, enabling the invention to maintain efficient path planning capabilities in large-scale industrial control networks.

[0118] In summary, this application achieves automated penetration path planning with high convergence, high success rate, dynamic adaptability, and compliance with the real-time requirements of industrial control networks through a closed-loop optimization of "scanning-modeling-planning". This effectively solves key technical problems such as state explosion, slow convergence, and lack of real-time performance in traditional methods.

[0119] This application provides an attack path planning method that achieves automated path planning with high convergence, high success rate, dynamic adaptability, and meets the real-time requirements of industrial control systems.

[0120] Based on the same application concept, this application also provides an attack path planning device corresponding to the attack path planning method provided in the above embodiments. Since the principle of the device in this application to solve the problem is similar to the attack path planning method in the above embodiments of this application, the implementation of the device can refer to the implementation of the method, and the repeated parts will not be described again.

[0121] Please see Figure 7 , Figure 7 This is a schematic diagram of an attack path planning device provided in an embodiment of this application.

[0122] like Figure 7As shown in the figure, the attack path planning device 710 provided in this application embodiment includes: Module 711 is used to acquire the current network security information of the industrial control network; The knowledge graph building module 712 is used to build a vulnerability knowledge graph of the industrial control network based on the network security information. Topology establishment module 713 is used to establish the industrial control network topology based on the identity information of multiple devices in the industrial control network; The path determination module 714 is used to determine the set of attack paths based on the vulnerability knowledge graph and the industrial control network topology; The iteration module 715 is used to iterate over each attack path in the attack path set using the replicator dynamic model to obtain the path success probability of each attack path. The sorting module 716 is used to sort all attack paths according to the success probability of each attack path and according to a preset sorting rule. The filtering module 717 is used to filter all sorted attack paths according to preset filtering conditions and determine the remaining attack paths as target attack paths.

[0123] Furthermore, the map building module 712 is specifically used for: Based on the aforementioned network security information, at least one device node, vulnerability node, attack mode node, and protocol node are created. Using a semantic association algorithm, each vulnerable node is associated with its corresponding device node and attack mode node, and each device node is associated with its corresponding protocol node. The edge weight of each associated edge is determined to construct a vulnerability knowledge graph; where the edge weight between a vulnerability node and a device node is the comprehensive vulnerability risk weight, the edge weight between a vulnerability node and an attack mode node is a preset value, and the edge weight between a device node and a protocol node is the protocol type factor corresponding to the protocol security level.

[0124] Furthermore, the topology establishment module 713 is specifically used for: Based on the Pudu level in the identity information of each device, devices that are lower than the preset Pudu level are filtered out from all devices; Based on the selected devices and the preset merging rules, determine whether to merge the selected devices into one logical network domain; Based on the merged results and the identity information of all devices, an industrial control network topology is established for all devices.

[0125] Furthermore, the path determination module 714 is specifically used for: Based on the vulnerability knowledge graph and industrial control network topology, a set of initial attack paths is generated, starting with the vulnerable device as the initial attack path. Based on the communication delay time corresponding to each topological edge in the network topology, determine the total communication delay time of each initial attack path in the initial attack path; Initial attack paths with total communication latency less than the corresponding latency threshold will be filtered for communication latency. Based on the vulnerability information corresponding to each remaining initial attack path after communication delay filtering, initial attack paths with the same attack intent are merged. The set of initial attack paths after merging is determined as the attack path set.

[0126] Furthermore, the iteration module 715 is specifically used for: For each attack path in the attack path set, the fitness of the attack path is determined based on the path edge weights, industrial control real-time factors, and industrial control protocol type factors corresponding to all topological edges on the attack path. The attack path is iterated using the replicator dynamic model, the fitness of the attack path, and the average fitness of all attack paths. Determine the absolute value of the change in the success probability of the current attack path for each attack path; When the absolute value of the change in the success probability of any attack path satisfies the preset convergence condition, the iteration stops, and the success probability of each attack path is obtained.

[0127] Furthermore, the sorting module is specifically used for: From all sorted attack paths, attack paths that do not meet the cumulative probability condition are filtered out by probability. Based on the communication delay time corresponding to each topological edge in the network topology, determine the total communication delay time of each initial attack path in the initial attack path; Filter communication delays from the remaining attack paths after probability filtering; The remaining attack paths after filtering communication delays are all identified as target attack paths.

[0128] Furthermore, the planning device also includes: The risk ranking module, if there are multiple target attack paths, determines the comprehensive penalty coefficient for each target attack path based on the security domain penalty coefficient and cross-domain penalty factor corresponding to that target attack path; adjusts the path success probability of that target attack path based on the comprehensive penalty coefficient; and ranks all the multiple target attack paths after adjusting the path success probability.

[0129] This application provides an attack path planning device that achieves automated path planning with high convergence, high success rate, dynamic adaptability, and meets the real-time requirements of industrial control systems.

[0130] Please see Figure 8 , Figure 8 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application.

[0131] like Figure 8 As shown, the electronic device 800 includes a processor 810, a memory 820, and a bus 830.

[0132] The memory 820 stores machine-readable instructions executable by the processor 810. When the electronic device 800 is running, the processor 810 and the memory 820 communicate via the bus 830. When the machine-readable instructions are executed by the processor 810, they can perform the operations described above. Figure 1 , Figure 2 , Figure 3 , Figure 4 , Figure 5 The steps of the attack path planning method in the method embodiment shown in Figure 6 are described in detail in the method embodiment, and will not be repeated here.

[0133] This application also provides a computer-readable storage medium storing a computer program, which, when executed by a processor, can perform the above-described actions. Figure 1 , Figure 2 , Figure 3 , Figure 4 , Figure 5 The steps of the attack path planning method in the method embodiment shown in Figure 6 are described in detail in the method embodiment, and will not be repeated here.

[0134] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems and devices described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here. In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods can be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division of units is only a logical functional division; in actual implementation, there may be other division methods. Furthermore, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Another point is that the displayed or discussed mutual coupling or direct coupling or communication connection may be through some communication interfaces; the indirect coupling or communication connection of devices or units may be electrical, mechanical, or other forms.

[0135] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0136] In addition, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit.

[0137] If the aforementioned functions are implemented as software functional units and sold or used as independent products, they can be stored in a processor-executable, non-volatile, computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

[0138] The above are merely specific embodiments of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.

Claims

1. A method for planning attack paths, characterized in that, The planning method includes: Obtain current network security information for the industrial control network; Based on the aforementioned network security information, a vulnerability knowledge graph for industrial control networks is established. Establish an industrial control network topology based on the identity information of multiple devices in the industrial control network; Based on vulnerability knowledge graphs and industrial control network topology, a set of attack paths is determined. The replicator dynamic model is used to iterate over each attack path in the attack path set to obtain the success probability of each attack path. Based on the success probability of each attack path, all attack paths are sorted according to a preset sorting rule. All sorted attack paths are filtered according to preset filtering conditions, and the remaining attack paths are determined as target attack paths.

2. The attack path planning method according to claim 1, characterized in that, The process of establishing a vulnerability knowledge graph for industrial control networks based on the aforementioned network security information includes: Based on the aforementioned network security information, at least one device node, vulnerability node, attack mode node, and protocol node are created. Using a semantic association algorithm, each vulnerable node is associated with its corresponding device node and attack mode node, and each device node is associated with its corresponding protocol node. The edge weight of each associated edge is determined to construct a vulnerability knowledge graph; where the edge weight between a vulnerability node and a device node is the comprehensive vulnerability risk weight, the edge weight between a vulnerability node and an attack mode node is a preset value, and the edge weight between a device node and a protocol node is the protocol type factor corresponding to the protocol security level.

3. The attack path planning method according to claim 1, characterized in that, The establishment of the industrial control network topology based on the identity information of multiple devices in the industrial control network includes: Based on the Pudu level in the identity information of each device, devices that are lower than the preset Pudu level are filtered out from all devices; Based on the selected devices and the preset merging rules, determine whether to merge the selected devices into one logical network domain; Based on the merged results and the identity information of all devices, an industrial control network topology is established for all devices.

4. The attack path planning method according to claim 1, characterized in that, The method for determining the attack path set based on vulnerability knowledge graphs and industrial control network topology includes: Based on the vulnerability knowledge graph and industrial control network topology, a set of initial attack paths is generated, starting with the vulnerable device as the initial attack path. Based on the communication delay time corresponding to each topological edge in the network topology, determine the total communication delay time of each initial attack path in the initial attack path; Initial attack paths with total communication latency less than the corresponding latency threshold will be filtered for communication latency. Based on the vulnerability information corresponding to each remaining initial attack path after communication delay filtering, initial attack paths with the same attack intent are merged. The set of initial attack paths after merging is determined as the attack path set.

5. The attack path planning method according to claim 1, characterized in that, The step of iterating through each attack path in the attack path set using the replicator dynamic model to obtain the success probability of each attack path includes: For each attack path in the attack path set, the fitness of the attack path is determined based on the path edge weights, industrial control real-time factors, and industrial control protocol type factors corresponding to all topological edges on the attack path. The attack path is iterated using the replicator dynamic model, the fitness of the attack path, and the average fitness of all attack paths. Determine the absolute value of the change in the success probability of the current attack path for each attack path; When the absolute value of the change in the success probability of any attack path satisfies the preset convergence condition, the iteration stops, and the success probability of each attack path is obtained.

6. The attack path planning method according to claim 4, characterized in that, The step of filtering all sorted attack paths according to preset filtering conditions and determining the remaining attack paths as target attack paths includes: From all sorted attack paths, attack paths that do not meet the cumulative probability condition are filtered out by probability. Based on the communication delay time corresponding to each topological edge in the network topology, determine the total communication delay time of each initial attack path in the initial attack path; Filter communication delays from the remaining attack paths after probability filtering; The remaining attack paths after filtering communication delays are all identified as target attack paths.

7. The attack path planning method according to claim 1, characterized in that, The planning method also includes: If there are multiple target attack paths, then for each target attack path, the comprehensive penalty coefficient of the target attack path is determined based on the security domain penalty coefficient and cross-domain penalty factor corresponding to the target attack path. Based on the comprehensive penalty coefficient of the target attack path, the success probability of the target attack path is adjusted; After adjusting the success probability of the path, all attack paths targeting multiple targets will be ranked by risk.

8. An attack path planning device, characterized in that, The planning device includes: The acquisition module is used to acquire the current network security information of the industrial control network; The knowledge graph building module is used to build a vulnerability knowledge graph of the industrial control network based on the network security information. The topology creation module is used to create an industrial control network topology based on the identity information of multiple devices in the industrial control network. The path determination module is used to determine the set of attack paths based on the vulnerability knowledge graph and industrial control network topology; The iteration module is used to iterate over each attack path in the attack path set using the replicator dynamic model to obtain the success probability of each attack path. The sorting module is used to sort all attack paths according to the success probability of each attack path and according to a preset sorting rule. The filtering module is used to filter all sorted attack paths according to preset filtering conditions and determine the remaining attack paths as target attack paths.

9. An electronic device, characterized in that, include: The device includes a processor, a memory, and a bus. The memory stores machine-readable instructions executable by the processor. When the electronic device is running, the processor communicates with the memory via the bus. The machine-readable instructions are executed by the processor to perform the steps of the attack path planning method as described in any one of claims 1 to 7.

10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program that, when executed by a processor, performs the steps of the attack path planning method as described in any one of claims 1 to 7.