Modeling method and device of network attack path, computer device, readable storage medium and program product
By combining semantic modeling and finite state machine templates with multi-source data processing technology, the problem of existing systems being unable to cope with unknown attacks and complex cross-domain paths is solved, enabling accurate and real-time analysis and risk assessment of network attack paths.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- ELECTRIC POWER RES INST CHINA SOUTHERN POWER GRID CO LTD
- Filing Date
- 2026-04-24
- Publication Date
- 2026-07-14
AI Technical Summary
Existing network attack path analysis systems cannot effectively deal with unknown attacks and complex cross-domain attack paths, cannot provide accurate and real-time analysis and risk assessment, and are difficult to simulate dynamically changing attack paths.
A semantic model is constructed using the OWL or RDFS semantic modeling specification. By combining the structured event description specification and finite state machine template with multi-source security data sources and subgraph isomorphic matching algorithms, standardized event data and cross-domain attack and defense interaction graphs are built to perform attack path modeling and risk assessment.
It enables accurate, real-time analysis and risk assessment of complex cross-domain attack paths, adapts to dynamic changes in complex environments such as power grids, and provides effective support for attack path deduction and risk assessment.
Smart Images

Figure CN122394906A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer technology, and in particular to a method, apparatus, computer device, computer-readable storage medium, and computer program product for modeling network attack paths. Background Technology
[0002] With the development of computer network technology, network attack path modeling systems have emerged, which can respond to network attacks and analyze attack paths.
[0003] In traditional technologies, existing systems typically use rule engines or machine learning algorithms to identify anomalous behavior or potential attack patterns. Furthermore, existing systems often involve the construction and analysis of attack paths, mostly employing simplified methods to correlate attack behavior with attack chains or threat scenarios; for complex cross-domain attack path analysis, they generally rely on pre-defined attack models or limited behavioral rules. In addition, the risk assessment and visualization functions of existing systems largely depend on static rules or predictive models based on historical data.
[0004] However, while existing systems offer some protection in basic security, they are incapable of dealing with unknown attacks or advanced persistent threats (APS), and cannot effectively identify new or evolving attack paths. Furthermore, they cannot provide accurate, real-time attack path analysis for dynamically changing or cross-domain attack paths, and struggle to effectively simulate complex attack paths. Moreover, existing systems cannot accurately assess the potential losses or system vulnerabilities caused by real attacks when conducting risk analysis. Summary of the Invention
[0005] Therefore, it is necessary to provide a modeling method, apparatus, computer equipment, computer-readable storage medium, and computer program product for network attack paths that can achieve accurate and complete attack path analysis and refined, real-time risk assessment, in response to the above-mentioned technical problems.
[0006] Firstly, this application provides a method for modeling network attack paths, including:
[0007] For cybersecurity protection scenarios in digital power grids and industrial control systems, semantic models including asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies are established using OWL or RDFS semantic modeling specifications.
[0008] Based on the semantic model, a structured event description specification is constructed. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0009] Based on the structured event description specification, multiple heterogeneous data are uniformly converted into standardized triplet or hyperedge data formats to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alerts;
[0010] By using offline extraction, transformation, and loading tools and online streaming data processing pipelines, we connect to and extract data from multiple security data sources to obtain raw data. These multiple security data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0011] Based on the structured event description specification, the raw data is converted into standardized event data with the same format as the standardized data. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0012] Based on the known attack pattern library and the standard operating procedures of the power grid system, a finite state machine template is constructed. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0013] Based on time stamps, standardized event data are organized into an event stream. The event stream is mapped to a finite state machine template through a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, thereby obtaining a verifiable attack trajectory including the initial state, triggering event, and target state, in order to complete the state machine modeling of the multi-stage attack path.
[0014] In one embodiment, the method further includes: constructing a directed attribute graph model based on standardized event data, wherein nodes in the directed attribute graph model represent event instances or entity objects, edges represent causal relationships or interaction relationships between events, and each edge is attached with contextual attribute information;
[0015] When the similarity of event features between two event instances exceeds a preset similarity threshold, they are determined to be the same event instance and a merging process is performed. For subgraphs from multiple evidence sources, the union operation of the node set and the edge set is performed, and the edge weights are calculated by weighted average to achieve subgraph fusion. Cross-domain association relationships from information layer data to control layer devices are constructed through communication protocol field parsing, device unique identifier matching, and function code mapping. Based on the directed attribute graph model, the merged event instances, the fused subgraphs, and the cross-domain association relationships, a cross-domain attack and defense interaction graph is constructed.
[0016] In one embodiment, the process of calculating event feature similarity includes:
[0017]
[0018] in, For the event and The similarity value, For the event and Feature distance metric, This is the distance adjustment coefficient; Calculated using Euclidean distance:
[0019]
[0020] in, and events and In the The values are taken on each feature dimension, which includes the time stamp information difference in the structured event description specification, the communication protocol type, the device unique identifier in the semantic model, and the port number corresponding to the interface configuration.
[0021] In one embodiment, the method further includes: selecting the degree of concealment of the attack behavior, the required access permission level, the execution complexity of the attack steps, and the probability of being detected by security devices based on the state machine modeling results of the cross-domain attack and defense interaction graph and the multi-stage attack path; and constructing a path risk cost assessment model based on the selection results.
[0022] By using a path risk cost assessment model, the risk cost weight of each side in each attack path is calculated. Combining the risk cost weights, the attack path with the minimum risk cost from the initial attack state to the target attack state is found in the cross-domain attack and defense interaction graph, so as to complete the attack path optimization modeling.
[0023] In one embodiment, the process of calculating edge weights includes:
[0024]
[0025] in, After fusion The weight value, and They are the edges In the subgraph to be merged and The original weight values are assigned based on the trust level of the multi-source secure data source.
[0026] In one embodiment, the method further includes: performing time consistency verification on the minimum risk attack path based on time window constraints and interval clock technology to eliminate invalid pseudo-paths with timing inconsistencies and obtain valid attack paths that pass the verification; the time consistency verification is used to verify each event in the path. Time stamp information Does it meet the requirements? ;in and events The upper and lower limits of the effective time interval are set based on actual operating condition parameters, which include the response time of power grid equipment and network transmission delay.
[0027] The valid attack paths that pass verification are overlaid and mapped with the topology of power grid physical equipment, network topology and control logic flow to achieve multi-level visualization and deduction.
[0028] Based on effective attack paths, event flows, parameter configurations of finite state machine templates, asset objects in semantic models, interface configurations, and communication protocols, reproducible scenario packages are generated for attack path verification and defense strategy testing.
[0029] Secondly, this application also provides a modeling apparatus for network attack paths, comprising:
[0030] The model building module is used to build semantic models for network security protection scenarios of digital power grids and industrial control systems, using OWL or RDFS semantic modeling specifications. These models include asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies.
[0031] The building module is used to construct a structured event description specification based on the semantic model. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0032] The conversion module is used to convert multiple heterogeneous data into a standardized triplet or hyperedge data format based on the structured event description specification, so as to obtain standardized data for modeling. The multiple heterogeneous data include network logs, traffic data and security alarms.
[0033] The extraction module is used to extract raw data from multiple secure data sources through offline extraction and transformation loading tools and online streaming data processing pipelines. The multiple secure data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0034] The conversion module is also used to convert the raw data into standardized event data with the same format as the standardized data based on the structured event description specification. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0035] The building module is also used to build finite state machine templates based on a library of known attack patterns and standard operating procedures of power grid systems. The finite state machine templates include attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0036] The matching module is used to assemble standardized event data into an event stream based on time stamps. The event stream is mapped to a finite state machine template through a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, thereby obtaining a verifiable attack trajectory including the initial state, triggering event, and target state, in order to complete the state machine modeling of the multi-stage attack path.
[0037] Thirdly, this application also provides a computer device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:
[0038] For cybersecurity protection scenarios in digital power grids and industrial control systems, semantic models including asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies are established using OWL or RDFS semantic modeling specifications.
[0039] Based on the semantic model, a structured event description specification is constructed. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0040] Based on the structured event description specification, multiple heterogeneous data are uniformly converted into standardized triplet or hyperedge data formats to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alerts;
[0041] By using offline extraction, transformation, and loading tools and online streaming data processing pipelines, we connect to and extract data from multiple security data sources to obtain raw data. These multiple security data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0042] Based on the structured event description specification, the raw data is converted into standardized event data with the same format as the standardized data. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0043] Based on the known attack pattern library and the standard operating procedures of the power grid system, a finite state machine template is constructed. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0044] Based on time stamps, standardized event data are organized into an event stream. The event stream is mapped to a finite state machine template through a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, thereby obtaining a verifiable attack trajectory including the initial state, triggering event, and target state, in order to complete the state machine modeling of the multi-stage attack path.
[0045] Fourthly, this application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, performs the following steps:
[0046] For cybersecurity protection scenarios in digital power grids and industrial control systems, semantic models including asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies are established using OWL or RDFS semantic modeling specifications.
[0047] Based on the semantic model, a structured event description specification is constructed. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0048] Based on the structured event description specification, multiple heterogeneous data are uniformly converted into standardized triplet or hyperedge data formats to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alerts;
[0049] By using offline extraction, transformation, and loading tools and online streaming data processing pipelines, we connect to and extract data from multiple security data sources to obtain raw data. These multiple security data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0050] Based on the structured event description specification, the raw data is converted into standardized event data with the same format as the standardized data. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0051] Based on the known attack pattern library and the standard operating procedures of the power grid system, a finite state machine template is constructed. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0052] Based on time stamps, standardized event data are organized into an event stream. The event stream is mapped to a finite state machine template through a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, thereby obtaining a verifiable attack trajectory including the initial state, triggering event, and target state, in order to complete the state machine modeling of the multi-stage attack path.
[0053] Fifthly, this application also provides a computer program product, including a computer program that, when executed by a processor, performs the following steps:
[0054] For cybersecurity protection scenarios in digital power grids and industrial control systems, semantic models including asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies are established using OWL or RDFS semantic modeling specifications.
[0055] Based on the semantic model, a structured event description specification is constructed. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0056] Based on the structured event description specification, multiple heterogeneous data are uniformly converted into standardized triplet or hyperedge data formats to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alerts;
[0057] By using offline extraction, transformation, and loading tools and online streaming data processing pipelines, we connect to and extract data from multiple security data sources to obtain raw data. These multiple security data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0058] Based on the structured event description specification, the raw data is converted into standardized event data with the same format as the standardized data. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0059] Based on the known attack pattern library and the standard operating procedures of the power grid system, a finite state machine template is constructed. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0060] Based on time stamps, standardized event data are organized into an event stream. The event stream is mapped to a finite state machine template through a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, thereby obtaining a verifiable attack trajectory including the initial state, triggering event, and target state, in order to complete the state machine modeling of the multi-stage attack path.
[0061] The aforementioned network attack path modeling methods, devices, computer equipment, computer-readable storage media, and computer program products, by establishing semantic models and constructing structured event description specifications, can lay the foundation for subsequent knowledge graph construction and dynamic attack path analysis. By converting various heterogeneous data into standardized data, they effectively solve the analysis problems caused by inconsistent data formats, improving data processing efficiency and accuracy. By extracting raw data from multi-source security data sources through offline extraction, transformation, and loading tools and online streaming data processing pipelines, and transforming the raw data into standardized event data, they can ensure data integrity, real-time performance, and consistency. By constructing finite state machine templates and using subgraph isomorphic matching algorithms to perform fault-tolerant matching of event streams with finite state machine templates, they can adapt to dynamic changes in complex environments such as power grids, and effectively handle cross-stage and cross-domain attack path deduction, thus providing strong support for subsequent risk assessment and attack response. Attached Figure Description
[0062] To more clearly illustrate the technical solutions in the embodiments of this application or related technologies, the drawings used in the description of the embodiments of this application or related technologies will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other related drawings can be obtained based on these drawings without creative effort.
[0063] Figure 1 This is an application environment diagram of a network attack path modeling method in one embodiment;
[0064] Figure 2 This is a flowchart illustrating a method for modeling network attack paths in one embodiment;
[0065] Figure 3 This is a flowchart illustrating a network attack path modeling method in another embodiment;
[0066] Figure 4 This is a structural block diagram of a network attack path modeling device in one embodiment;
[0067] Figure 5 This is an internal structural diagram of a computer device in one embodiment. Detailed Implementation
[0068] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the scope of this application.
[0069] It should be noted that the terms "first," "second," etc., used in this application can be used to describe various elements, but these elements are not limited by these terms. These terms are only used to distinguish the first element from the second element. The terms "comprising" and "having," and any variations thereof, used in this application, are intended to cover non-exclusive inclusion. The term "multiple" used in this application refers to two or more. The term "and / or" used in this application refers to one of the embodiments, or any combination of multiple embodiments.
[0070] The network attack path modeling method provided in this application embodiment can be applied to, for example, Figure 1 In the application environment shown, terminal 102 communicates with server 104 via a network. A data storage system can store the data that server 104 needs to process. The data storage system can be integrated onto server 104 or located on a cloud or other network server. Specifically, terminal 102 or server 104 completes a method for modeling a network attack path, which includes:
[0071] For cybersecurity protection scenarios in digital power grids and industrial control systems, semantic models including asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies are established using OWL or RDFS semantic modeling specifications.
[0072] Based on the semantic model, a structured event description specification is constructed. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0073] Based on the structured event description specification, multiple heterogeneous data are uniformly converted into standardized triplet or hyperedge data formats to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alerts;
[0074] By using offline extraction, transformation, and loading tools and online streaming data processing pipelines, we connect to and extract data from multiple security data sources to obtain raw data. These multiple security data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0075] Based on the structured event description specification, the raw data is converted into standardized event data with the same format as the standardized data. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0076] Based on the known attack pattern library and the standard operating procedures of the power grid system, a finite state machine template is constructed. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0077] Based on time stamps, standardized event data are organized into an event stream. The event stream is mapped to a finite state machine template through a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, thereby obtaining a verifiable attack trajectory including the initial state, triggering event, and target state, in order to complete the state machine modeling of the multi-stage attack path.
[0078] Terminal 102 can be, but is not limited to, various personal computers, laptops, smartphones, tablets, drones, low-altitude aircraft, IoT devices, and portable wearable devices. IoT devices can include smart speakers, smart TVs, smart air conditioners, smart in-vehicle devices, and projection equipment. Portable wearable devices can include smartwatches, smart bracelets, and head-mounted displays. Head-mounted displays can be virtual reality (VR) devices, augmented reality (AR) devices, and smart glasses. Server 104 can be a standalone physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing cloud computing services.
[0079] In one exemplary embodiment, such as Figure 2 As shown, a method for modeling network attack paths is provided, which can be applied to... Figure 1 Taking the server in the example, the explanation includes the following steps 202 to 214. Wherein:
[0080] Step 202: For network security protection scenarios of digital power grids and industrial control systems, adopt the OWL or RDFS semantic modeling specifications to establish a semantic model that includes asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies.
[0081] For example, for specific cybersecurity protection scenarios in digital power grids and industrial control systems, an attack and defense ontology is constructed, i.e., a semantic model is established. This model needs to cover all core concepts and relationships that may affect attack path analysis. Core concepts include asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control policies. Each core concept is interconnected through strict relational predicates, thus forming an extensible OWL (Web Ontology Language) or RDFS (Resource Description Framework Schema) semantic model. Furthermore, a set of related attribute constraints is defined for each core concept to rigorously normalize the attributes of each concept within the semantic model.
[0082] Step 204: Based on the semantic model, construct a structured event description specification. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0083] Among them, the Structured Event Description Specification (DSL, Domain Specific Language) is used to describe attack events and defense response events.
[0084] The time stamp information is used to mark the moment the event occurred; the initiating entity of the operation includes attackers, defenders, and devices; the object of the operation refers to the object of the event operation, including asset objects, sessions, and files; the specific execution actions include reading, writing, executing, opening, connecting, forwarding, and commanding, which are used to describe the operations of attackers or defenders in detail; the runtime environment parameters are used to describe the protocol context, including the specific application scenarios of protocols such as IEC-104, Modbus / TCP, and DNP3; the validity verification identifier refers to methods such as hash values, YARA rules, Sigma rules, and PCAP indexes, which are used to ensure the source and validity of the event.
[0085] For example, based on the semantic model established above, a structured event description specification (DSL) is constructed to accurately describe events at different levels, from data flow, logs, traffic to device control, in order to describe attack events and defense response events. The core content of the DSL includes time stamp information, operation initiator, operation target, specific execution action, operating environment parameters, and validity verification identifier.
[0086] Step 206: Based on the structured event description specification, convert multiple heterogeneous data into a standardized triplet or hyperedge data format to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alarms.
[0087] Among them, standardized triples refer to the use of a "subject-verb-object" structure to uniformly express heterogeneous data. Hyperedge data format refers to the use of a standardized format to uniformly express multiple event operators jointly completing an attack event or a defense response event.
[0088] For example, based on the structured event description specification, multiple heterogeneous data such as network logs, traffic data, and security alerts are uniformly mapped into a standardized triple or hyperedge data format. Specifically, any attack, abnormal traffic, or device operation is converted into a set of standardized event data.
[0089] Step 208: Using an offline extraction, transformation, and loading tool and an online streaming data processing pipeline, connect to and extract data from multiple security data sources to obtain raw data. The multiple security data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0090] Among them, the online streaming data processing pipeline refers to the real-time, continuous capture, analysis, and response to secure data streams.
[0091] For example, during the data extraction phase, an offline Extract-Transform-Load (ETL) tool and an online streaming pipeline are used to extract raw data from multiple security data sources, including security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs. The raw data includes network traffic logs, host logs, event reports, and communication logs from industrial control systems.
[0092] Step 210: Based on the structured event description specification, the raw data is converted into standardized event data with the same format as the standardized data. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0093] For example, based on a predefined event DSL, the extracted raw data of different formats are converted into standardized event data with consistent format. Each standardized event data includes information such as time stamp information, operation initiator, operation target, specific execution action, communication protocol type, and validity verification identifier, and ensures that the standardized event data is compatible with the subsequent graph construction.
[0094] Optionally, the extracted set of raw data can be set as follows:
[0095]
[0096] Among them, the event-based DSL will divide each raw data Converted into standardized event data, it can be represented as:
[0097]
[0098] in, For time stamp information, As the entity that initiates the operation, As the object of operation, To carry out specific actions, For communication protocol type, This is a validity verification identifier.
[0099] Step 212: Based on the known attack pattern library and the standard operating procedure of the power grid system, construct a finite state machine template. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0100] The attack phase state represents a specific stage in the attack or defense process, such as scanning the network, obtaining credentials, or remotely executing commands during an attack. The state entry condition describes the conditions for entering the current attack phase state, which is usually an event triggered by the previous state or the fulfillment of a certain condition, such as successfully obtaining permissions for a device. The state transition verification rule verifies the conditions for state transition. Only when the verification rule is met can the attack transition from the current state to the next state. The state output action defines the action to be performed in the current state, including sending malicious commands or disabling the protection system.
[0101] For example, based on a known attack pattern library and standard operating procedures for power grid systems, a finite state machine (FSM) template library is constructed, containing various attack techniques and tactics. This FSM template library includes attack paths at different stages, covering every state change from the initial attack to its completion. Furthermore, in a power grid environment, this FSM template library includes both traditional attack behaviors and attacks related to industrial control systems. Each FSM template includes attack stage states, state entry conditions, state transition verification rules, and state output actions.
[0102] Alternatively, a finite transition machine (FSM) can be represented as:
[0103]
[0104] in, This is a set of states, representing all possible attack or defense states. The input set represents the input conditions that trigger the state transition; The output set represents the actions performed in each state; For the transition function, the transition conditions from one state to another are defined.
[0105] For example, in complex attack paths, different attack stages may be interdependent during a multi-stage attack. For instance, an attacker might need to complete a network scan and obtain credentials under specific conditions before executing remote commands. In this process, a Synchronous Finite State Machine (HFSM) is needed to describe multiple attack stages simultaneously. During FSM modeling, the states of multiple attack stages can be combined through a synchronization mechanism to form a continuous attack path. Specifically, the HFSM allows multiple FSMs to execute concurrently under identical conditions until the attack target is achieved.
[0106] Specifically, two finite state machines are defined. and Then the synchronization of these two finite state machines can be expressed as:
[0107]
[0108] in, The Cartesian product of two FSM states represents the synchronization state; For synchronization, the transition function is used to ensure that the transitions between different states are coordinated and consistent. For example, if the conditions of either stage are met, the states of the two FSMs can transition to the next stage simultaneously.
[0109] Step 214: Based on time stamps, standardized event data are grouped into an event stream; the event stream is mapped to a finite state machine template through a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, thereby obtaining a verifiable attack trajectory including the initial state, triggering event, and target state, in order to complete the state machine modeling of the multi-stage attack path.
[0110] For example, based on time stamp information, standardized event data is organized into an event stream. A subgraph isomorphic matching algorithm is then used to match the event stream with the states in the FSM template, thus mapping the event stream to the FSM template. When the time stamp information in the event stream matches the state transition conditions in the FSM, specific segments of the attack path can be identified. Furthermore, a verifiable attack trajectory, including the initial state, triggering events, and target state, is generated based on the actual attack process, thereby completing the state machine modeling of a multi-stage attack path.
[0111] Optionally, the timestamp information and attack actions in each event stream can be mapped to state transitions in the FSM. For example, an event stream may represent "the attacker scans from the external network to the internal network". Mapping this event stream to the FSM represents the transition from the "network scan" state to the "internal network penetration" state.
[0112] For example, due to factors such as network latency, event loss, and data jitter, some attack behaviors may not fully meet the time requirements in the FSM template. In this case, it is necessary to perform fault-tolerant matching between the event stream and the FSM template by using interval clocks to compensate for the timing inconsistencies caused by data jitter or packet loss, so that the deduction of the attack path is not affected by timing inconsistencies.
[0113] The interval clock is used to apply relaxed temporal constraints to state transitions in the FSM, enabling the identification of the correct attack path even with slight deviations in the timing of attack events. The interval clock can be represented as:
[0114]
[0115] in, The earliest time point allowed for state transition. This is the latest allowed time for state transitions, ensuring that the event stream can still match the FSM template within a certain timeframe.
[0116] The aforementioned network attack path modeling methods, by establishing a semantic model and constructing a structured event description specification, lay the foundation for subsequent knowledge graph construction and dynamic attack path analysis. By converting various heterogeneous data into standardized data, the analysis challenges caused by inconsistent data formats are effectively solved, improving data processing efficiency and accuracy. By extracting raw data from multi-source security data sources through offline extraction, transformation, and loading tools and online streaming data processing pipelines, and transforming the raw data into standardized event data, the integrity, real-time performance, and consistency of the data can be ensured. By constructing a finite state machine template and using a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, it can adapt to dynamic changes in complex environments such as power grids and effectively handle cross-stage and cross-domain attack path deduction, thus providing strong support for subsequent risk assessment and attack response.
[0117] In one embodiment, the method further includes: constructing a directed attribute graph model based on standardized event data, wherein nodes in the directed attribute graph model represent event instances or entity objects, edges represent causal relationships or interaction relationships between events, and each edge is attached with contextual attribute information; when the similarity of event features between two event instances is greater than a preset similarity threshold, they are determined to be the same event instance and a merging process is performed; for subgraphs from multiple evidence sources, a union operation of the node set and the edge set is performed, and a weighted average calculation is performed on the edge weights to achieve subgraph fusion; a cross-domain association relationship from information layer data to control layer devices is constructed through communication protocol field parsing, device unique identifier matching, and function code mapping; and a cross-domain attack and defense interaction graph is constructed based on the directed attribute graph model, the merged event instances, the fused subgraphs, and the cross-domain association relationship.
[0118] The context attribute information includes protocol type, event triggering conditions, etc.
[0119] For example, after transforming the raw data into standardized event data, a directed attribute graph model is constructed based on the standardized event data. Each node in this directed attribute graph model represents an event instance or entity object, and edges represent causal or interaction relationships between events. This directed attribute graph model can be represented as:
[0120]
[0121] in, For nodes in a directed property graph, they represent event instances or entity objects; The edges of a directed attribute graph represent causal or interactive relationships between events, such as an attacker's access to assets or commands controlling devices. Additionally, each edge is accompanied by relevant contextual information, such as protocol type and event triggering conditions.
[0122] Optionally, nodes can be Represented as an event or entity, edge Indicates an event With the event The interaction relationships between edges, and the attributes of edges such as protocol and execution time, can be represented by corresponding tags and weights.
[0123] For example, when the similarity of event features between two event instances from different data sources is greater than a preset similarity threshold, the two event instances are determined to be the same event instance and merged to avoid duplicate records, thereby achieving entity disambiguation.
[0124] Specifically, two event instances are defined as follows: and The calculation process for the similarity of their event features includes:
[0125]
[0126] in, For the event and The similarity value, For the event and Feature distance metric, This is the distance adjustment coefficient; Calculated using Euclidean distance:
[0127]
[0128] in, and events and In the The values are taken on each feature dimension, which includes the time stamp information difference in the structured event description specification, the communication protocol type, the device unique identifier in the semantic model, and the port number corresponding to the interface configuration.
[0129] In feature similarity value Exceeding the preset similarity threshold At that time, these two event instances are considered and These are the same event instance, and the two event instances are merged.
[0130] For example, for a subgraph from multiple sources of evidence, i.e., a directed attribute graph model The node set and edge set of each subgraph are combined to obtain the merged node and edge. The merged edge is weighted according to the weight and credibility of the evidence source. Based on the merged node and edge, a merged graph is obtained, thus completing the subgraph fusion.
[0131] Specifically, two subgraphs are defined. and The union operation is performed between the node sets and edge sets of these two subgraphs, i.e.:
[0132]
[0133]
[0134] in, The set of nodes in the merged graph. Let be the edge set of the merged graph. Therefore, the merged graph can be represented as:
[0135]
[0136] In addition, the calculation process for edge weights during the merging process includes:
[0137]
[0138] in, For the later integration The weight value, and They are the edges In the subgraph to be merged and The original weight values are assigned based on the trust level of the multi-source secure data source.
[0139] For example, to target attack paths in industrial control systems, it is necessary to construct a cross-domain mapping relationship from information data to control layer devices by using information such as protocol field parsing, device unique identifier matching, and function codes.
[0140] Specifically, in power systems, remote control commands may involve the execution of tripping instructions from the dispatch master station to specific equipment. This mapping process can be achieved through mapping functions. To represent, that is:
[0141]
[0142] in, This indicates a command within the information data; This represents the device in the control layer. The relationship between commands and control layer devices is determined by matching protocol fields with commands.
[0143] For example, based on the constructed attribute graph model Merged event instances, merged subgraphs And the cross-domain mapping relationship constructed from information data to control layer devices, to build a full-domain, cross-domain attack and defense interaction graph.
[0144] In this embodiment, by constructing a directed attribute graph model, two event instances with similar characteristics are merged into the same event instance, and subgraphs from multiple evidence sources are fused. Furthermore, cross-domain associations between information layer data and control layer devices are constructed, which can improve the accuracy and completeness of attack path deduction and provide a structured foundation for attack path analysis.
[0145] In one embodiment, based on the state machine modeling results of the cross-domain attack and defense interaction graph and the multi-stage attack path, the degree of concealment of the attack behavior, the required access level, the execution complexity of the attack steps, and the probability of being detected by security devices are selected. Based on the selection results, a path risk cost assessment model is constructed. Through the path risk cost assessment model, the risk cost weight of each edge in each attack path is calculated. Combining the risk cost weights, the attack path with the minimum risk cost from the initial attack state to the target attack state is found in the cross-domain attack and defense interaction graph to complete the attack path optimization modeling.
[0146] The stealth of an attack refers to the difficulty for an attacker to conceal their activities, which can usually be estimated by factors such as log visibility and the detection capabilities of traffic analysis tools. The required access level refers to the access permissions required for the attack path, including whether administrator privileges are required and whether authentication needs to be bypassed. The complexity of attack steps can be the step cost, which is the cost for an attacker to transition from one state to the next. It is usually assessed by the type and complexity of the operations performed by the attacker and the degree of impact on the system. The probability of being detected by security devices refers to the probability of the attack being detected during its execution, which is usually affected by factors such as firewalls, IDS / IPS, and behavioral analysis systems.
[0147] For example, based on the cross-domain attack and defense interaction graph constructed above and the finite state machine modeling results of multi-stage attack paths, a path risk cost assessment model is constructed according to different factors on each attack path, including the degree of concealment of the attack behavior, the required access permission level, the execution complexity of the attack steps and the probability of being detected by security devices, in order to calculate the risk cost weight of each side in each attack path.
[0148] Based on the number of edges in each attack path and the risk cost weight corresponding to each edge, the overall risk cost of each attack path is calculated. , can be represented as:
[0149]
[0150] in, This represents the number of edges contained in the attack path. This represents the risk cost weights corresponding to each edge in the attack path.
[0151] Based on the overall risk cost of each attack path obtained Path search algorithms, such as the A* algorithm or bidirectional search algorithms, are used to find the minimum risk-cost path from the initial attack state to the final target state, thus completing the attack path optimization modeling. The A* algorithm, in particular, uses heuristic search combined with path risk contingency planning. and heuristic functions This is used to evaluate the priority of attack paths, ensuring that the searched attack paths have the lowest risk and reduce computational complexity.
[0152] In this embodiment, by constructing a path risk cost assessment model, calculating the risk cost weight of each side in each attack path, and combining the risk cost weights, the attack path with the minimum risk cost can be found, which can improve the accuracy and efficiency of attack path analysis and effectively reduce the risk of the system being attacked.
[0153] In one embodiment, the method further includes: performing time consistency verification on the minimum risk attack path based on time window constraints and interval clock technology to eliminate invalid pseudo-paths with timing inconsistencies and obtain valid attack paths that pass the verification; the time consistency verification is used to verify each event in the path. Time stamp information Does it meet the requirements? ;in and events The effective time interval has upper and lower limits, and the effective time interval is set based on actual operating condition parameters, including the response time of power grid equipment and network transmission delay. The verified effective attack paths are overlaid and mapped with the topology of power grid physical equipment, network topology structure and control logic flow to achieve multi-level visualization and deduction. Based on the effective attack paths, event flow, parameter configuration of finite state machine template, asset objects in semantic model, interface configuration and communication protocol, a reproducible scenario package is generated for attack path verification and defense strategy testing.
[0154] For example, during path search, the actual timestamp information of events may deviate due to factors such as network latency and device response time affecting the event flow within the attack path. Therefore, based on time window constraints and interval clock technology, time consistency verification is performed on the attack path with the lowest risk cost. For events within the attack path... The consistency check of the execution time of this event can be represented as:
[0155]
[0156] in, For the event Time stamp information, and events The upper and lower limits of the valid time interval.
[0157] An attack path is considered valid if all events in it meet the consistency requirements. If there are temporal inconsistencies or events that exceed the valid time interval, the attack path is considered invalid and should be removed.
[0158] For example, after the minimum risk cost attack path passes the verification, that is, when the minimum risk cost attack path is a valid attack path, each state and state transition process in the attack path is overlaid and mapped with the power grid physical device topology, network topology structure and control logic flow to generate an interactive visualization interface to dynamically display the attack stage, specific execution actions, information layer data commands and control layer devices.
[0159] When visualizing attack paths, a visualization interface is needed to display the transition process of each attack state along the path. Users can click on different nodes to view detailed information for that stage and observe the propagation methods and results of the attack path across different control layer devices and network nodes. Furthermore, the visualization simulation supports event replay and can generate an event replay list as standard input for subsequent simulations and adversarial exercises.
[0160] Specifically, the visualization and deduction of attack paths can be represented as a set of paths. Each path It includes a series of states and transitions, namely:
[0161]
[0162] in, This represents each state in the attack path. This represents the total number of states in the attack path. The visualization interface graphically displays these states and their transition relationships, and renders the interaction process of control layer devices and the network based on the actual topology.
[0163] For example, based on effective attack paths, event flow replay lists, parameter configurations of finite state machine templates, asset objects in the semantic model, interface configurations, and communication protocols, a reproducible scenario package is generated by packaging and standardizing each stage and state of the attack path and the event replay list. This scenario package can include each step performed by the attacker, the responses of relevant devices, timing information, etc., to ensure that the attack process can be realistically reproduced during simulation.
[0164] In this embodiment, by performing time consistency verification on the attack path with the lowest risk cost, and realizing multi-level visualization simulation and generating reproducible scenario packages, the reliability, accuracy and practicality of attack path analysis are improved, and the effectiveness and feasibility of the defense strategy are verified.
[0165] like Figure 3 As shown, a specific embodiment illustrates a method for modeling network attack paths, including steps 302 to 308. Wherein,
[0166] Step 302: Establish a semantic model for network security protection scenarios of digital power grids and industrial control systems, and construct a structured event description specification.
[0167] Specifically, a semantic model is established that includes core concepts such as asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control policies. Each core concept is interconnected through strict relational predicates, thereby forming an extensible OWL or RDFS semantic model.
[0168] Based on a semantic model, a structured event description specification (DSL) is constructed, including time stamp information, the initiating entity of the operation, the object of the operation, the specific execution action, operating environment parameters, and validity verification identifiers. Based on the DSL, multiple heterogeneous data sources such as network logs, traffic data, and security alarms are uniformly mapped into standardized triplet or hyperedge data formats, thereby transforming any attack, abnormal traffic, or device operation into a set of standardized event data.
[0169] Step 304: Obtain raw data from different data sources and convert it into standardized event data, construct a directed attribute graph model and realize subgraph fusion, and construct cross-domain mapping relationships.
[0170] Specifically, raw data is extracted from multiple secure data sources using an offline Extract-Transform-Load (ETL) tool and an online streaming pipeline, and the extracted raw data in different formats is converted into standardized event data with consistent formatting according to a predefined event DSL.
[0171] Then, a directed attribute graph model is constructed based on the standardized event data. And each node in the directed attribute graph model Represents an event instance or entity object, edge It represents the causal or interactive relationships between events.
[0172] Meanwhile, in two event instances from different data sources and Similarity of event features between Greater than the preset similarity threshold When two event instances are identified as the same event instance, they are merged to achieve entity disambiguation.
[0173] Secondly, perform subgraph fusion operations on subgraphs from multiple evidence sources, such as for two subgraphs from different evidence sources. and The node set and edge set of the two subgraphs are combined to obtain the node set of the merged graph. and the edge set of the merged graph Thus, the merged graph is obtained. .
[0174] In addition, targeting attack paths in industrial control systems, cross-domain mapping relationships from information data to control layer devices are constructed by parsing protocol fields, matching device unique identifiers, and using function codes, in order to determine the relationship between commands and control layer devices.
[0175] Finally, based on the constructed attribute graph model Merged event instances, merged subgraphs And the cross-domain mapping relationship constructed from information data to control layer devices, to build a full-domain, cross-domain attack and defense interaction graph.
[0176] Step 306: Construct a synchronous combination of a finite state machine template and a multi-stage path, and map the event flow onto the finite state machine template.
[0177] Specifically, based on known attack pattern libraries and standard operating procedures of power grid systems, a finite state machine (FSM) template library was constructed, encompassing attack paths at different stages and covering every state change from the initial attack to its completion. Furthermore, during multi-stage attacks, the states and transition conditions of multiple FSM templates are synchronously combined into a synchronous finite state machine (HFSM) to describe multiple attack stages simultaneously.
[0178] During attack path construction, a subgraph isomorphic matching algorithm is used to match the standardized event flow with the states in the FSM template, thus mapping the event flow to the FSM template. An interval clock is also introduced. Fault-tolerant matching is performed between the event stream and the FSM template, so that the event stream can still match the FSM template even if there is a slight deviation in the time of the attack event.
[0179] Step 308: Identify the attack path with the lowest risk and cost and perform time consistency verification. Then, visualize and deduce the generated attack path and generate a reproducible scenario package.
[0180] Specifically, based on the cross-domain attack and defense interaction graph constructed above and the finite state machine modeling results of multi-stage attack paths, a path risk cost assessment model is constructed according to different factors on each attack path to calculate the risk cost weight of each edge in each attack path. Calculate the overall risk cost of each attack path. Then, a path search algorithm is used to find the path with the minimum risk cost from the initial attack state to the final target state, thus completing the attack path optimization modeling.
[0181] In addition, during the path search process, based on time window constraints and interval clock technology, time consistency verification is performed on the attack path with the least risk cost to ensure that the attack path is a valid path.
[0182] After the minimum risk cost attack path passes the verification, i.e., if the minimum risk cost attack path is a valid attack path, each state and state transition process in the attack path is overlaid and mapped with the power grid physical device topology, network topology structure, and control logic flow to generate an interactive visualization interface. This visualization interface displays the transition process of each attack state in the attack path, and users can click on different nodes to view detailed information for that stage. Users can also see the propagation methods and results of the attack path on different control layer devices and network nodes, thus achieving a visual deduction of the attack path.
[0183] In addition, by packaging and standardizing the various stages, states, and event replay lists of the attack path, a reproducible scenario package is generated for subsequent simulation testing, vulnerability remediation verification, and emergency response drills.
[0184] It should be understood that although the steps in the flowcharts of the embodiments described above are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated herein, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the flowcharts of the embodiments described above may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages in other steps. It is understood that the steps in different embodiments can be freely combined as needed, and all non-contradictory solutions formed by such combinations are within the scope of protection of this application.
[0185] Based on the same inventive concept, this application also provides a network attack path modeling apparatus for implementing the network attack path modeling method described above. The solution provided by this apparatus is similar to the implementation described in the above method; therefore, the specific limitations in one or more network attack path modeling apparatus embodiments provided below can be found in the limitations of the network attack path modeling method described above, and will not be repeated here.
[0186] In one exemplary embodiment, such as Figure 4 As shown, a network attack path modeling device 400 is provided, including: a model building module 402, a construction module 404, a conversion module 406, an extraction module 408, and a matching module 410, wherein:
[0187] Model building module 402 is used to build a semantic model for network security protection scenarios of digital power grids and industrial control systems, using OWL or RDFS semantic modeling specifications, including asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules and security control strategies.
[0188] Module 404 is used to build a structured event description specification based on a semantic model. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0189] The conversion module 406 is used to convert multiple heterogeneous data into a standardized triplet or hyperedge data format based on the structured event description specification, so as to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alarms;
[0190] The extraction module 408 is used to extract raw data from multiple security data sources by connecting to an offline extraction and conversion loading tool and an online streaming data processing pipeline. The multiple security data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0191] The conversion module 406 is also used to convert the raw data into standardized event data with the same format as the standardized data based on the structured event description specification. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0192] Module 404 is also used to build a finite state machine template based on a library of known attack patterns and standard operating procedures of the power grid system. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0193] The matching module 412 is used to form an event stream from standardized event data based on time stamps; and to map the event stream to a finite state machine template through a subgraph isomorphic matching algorithm, so as to perform fault-tolerant matching between the event stream and the finite state machine template, and obtain a verifiable attack trajectory including the initial state, triggering event and target state, so as to complete the state machine modeling of the multi-stage attack path.
[0194] In one embodiment, the construction module is further configured to construct a directed attribute graph model based on standardized event data. In the directed attribute graph model, nodes represent event instances or entity objects, edges represent causal relationships or interactions between events, and each edge is accompanied by contextual attribute information. When the similarity of event features between two event instances is greater than a preset similarity threshold, they are determined to be the same event instance and a merging process is performed. For subgraphs from multiple evidence sources, the union operation of the node set and the edge set is performed, and the edge weights are calculated by weighted average to achieve subgraph fusion. Through communication protocol field parsing, device unique identifier matching, and function code mapping, a cross-domain association relationship from information layer data to control layer devices is constructed. Based on the directed attribute graph model, the merged event instances, the fused subgraphs, and the cross-domain association relationship, a cross-domain attack and defense interaction graph is constructed.
[0195] In one embodiment, the construction module is also used in the process of calculating event feature similarity, including:
[0196]
[0197] in, For the event and The similarity value, For the event and Feature distance metric, This is the distance adjustment coefficient; Calculated using Euclidean distance:
[0198]
[0199] in, and events and In the The values are taken on each feature dimension, which includes the time stamp information difference in the structured event description specification, the communication protocol type, the device unique identifier in the semantic model, and the port number corresponding to the interface configuration.
[0200] In one embodiment, the construction module is further configured to select the degree of concealment of the attack behavior, the required access permission level, the execution complexity of the attack steps, and the probability of being detected by security devices based on the state machine modeling results of the cross-domain attack and defense interaction graph and the multi-stage attack path; based on the selection results, construct a path risk cost assessment model; calculate the risk cost weight of each edge in each attack path through the path risk cost assessment model; and combine the risk cost weights to find the minimum risk cost attack path from the initial attack state to the attack target state in the cross-domain attack and defense interaction graph, so as to complete the attack path optimization modeling.
[0201] In one embodiment, the building module is also used in the edge weight calculation process, including:
[0202]
[0203] in, For the later integration The weight value, and They are the edges In the subgraph to be merged and The original weight values are assigned based on the trust level of the multi-source secure data source.
[0204] In one embodiment, the construction module is further configured to perform time consistency verification on the minimum risk attack path based on time window constraints and interval clock technology, in order to eliminate invalid pseudo-paths with timing inconsistencies and obtain valid attack paths that pass the verification; the time consistency verification is used to verify each event in the path. Time stamp information Does it meet the requirements? ;in and events The effective time interval has upper and lower limits, and the effective time interval is set based on actual operating condition parameters, including the response time of power grid equipment and network transmission delay. The verified effective attack paths are overlaid and mapped with the topology of power grid physical equipment, network topology structure and control logic flow to achieve multi-level visualization and deduction. Based on the effective attack paths, event flow, parameter configuration of finite state machine template, asset objects in semantic model, interface configuration and communication protocol, a reproducible scenario package is generated for attack path verification and defense strategy testing.
[0205] Each module in the aforementioned network attack path modeling device can be implemented entirely or partially through software, hardware, or a combination thereof. These modules can be embedded in or independent of the processor in a computer device, or stored in the computer device's memory as software, so that the processor can invoke and execute the corresponding operations of each module.
[0206] In one exemplary embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as follows: Figure 5 As shown, the computer device includes a processor, memory, input / output interfaces, a communication interface, a display unit, and an input device. The processor, memory, and input / output interfaces are connected via a system bus, and the communication interface, display unit, and input device are also connected to the system bus via the input / output interfaces. The processor provides computational and control capabilities. The memory includes non-volatile storage media and internal memory. The non-volatile storage media stores the operating system and computer programs. The internal memory provides an environment for the operation of the operating system and computer programs stored in the non-volatile storage media. The input / output interfaces are used for exchanging information between the processor and external devices. The communication interface is used for wired or wireless communication with external terminals; wireless communication can be achieved through Wi-Fi, mobile cellular networks, Near Field Communication (NFC), or other technologies. When executed by the processor, the computer program implements a method for modeling network attack paths.
[0207] Those skilled in the art will understand that Figure 5 The structure shown is merely a block diagram of a portion of the structure related to the present application and does not constitute a limitation on the computer device to which the present application is applied. Specific computer devices may include more or fewer components than those shown in the figure, or combine certain components, or have different component arrangements.
[0208] In one exemplary embodiment, a computer device is provided, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to perform the following steps:
[0209] For cybersecurity protection scenarios in digital power grids and industrial control systems, semantic models including asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies are established using OWL or RDFS semantic modeling specifications.
[0210] Based on the semantic model, a structured event description specification is constructed. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0211] Based on the structured event description specification, multiple heterogeneous data are uniformly converted into standardized triplet or hyperedge data formats to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alerts;
[0212] By using offline extraction, transformation, and loading tools and online streaming data processing pipelines, we connect to and extract data from multiple security data sources to obtain raw data. These multiple security data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0213] Based on the structured event description specification, the raw data is converted into standardized event data with the same format as the standardized data. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0214] Based on the known attack pattern library and the standard operating procedures of the power grid system, a finite state machine template is constructed. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0215] Based on time stamps, standardized event data are organized into an event stream. The event stream is mapped to a finite state machine template through a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, thereby obtaining a verifiable attack trajectory including the initial state, triggering event, and target state, in order to complete the state machine modeling of the multi-stage attack path.
[0216] In one embodiment, when the processor executes the computer program, it further implements the following steps: Based on standardized event data, a directed attribute graph model is constructed, where nodes in the directed attribute graph model represent event instances or entity objects, edges represent causal relationships or interactions between events, and each edge is accompanied by contextual attribute information; when the similarity of event features between two event instances is greater than a preset similarity threshold, they are determined to be the same event instance and a merging process is performed; for subgraphs from multiple evidence sources, a union operation of the node set and the edge set is performed, and a weighted average calculation of the edge weights is performed to achieve subgraph fusion; through communication protocol field parsing, device unique identifier matching, and function code mapping, a cross-domain association relationship from information layer data to control layer devices is constructed; based on the directed attribute graph model, the merged event instances, the fused subgraphs, and the cross-domain association relationship, a cross-domain attack and defense interaction graph is constructed.
[0217] In one embodiment, when the processor executes the computer program, it further performs the following steps: a process for calculating the similarity of event features, including:
[0218]
[0219] in, For the event and The similarity value, For the event and Feature distance metric, This is the distance adjustment coefficient; Calculated using Euclidean distance:
[0220]
[0221] in, and events and In the The values are taken on each feature dimension, which includes the time stamp information difference in the structured event description specification, the communication protocol type, the device unique identifier in the semantic model, and the port number corresponding to the interface configuration.
[0222] In one embodiment, when the processor executes the computer program, it also performs the following steps: based on the state machine modeling results of the cross-domain attack and defense interaction graph and the multi-stage attack path, select the degree of concealment of the attack behavior, the required access permission level, the execution complexity of the attack steps, and the probability of being detected by security devices; based on the selection results, construct a path risk cost assessment model; through the path risk cost assessment model, calculate the risk cost weight of each edge in each attack path; and combine the risk cost weights to find the minimum risk cost attack path from the initial attack state to the attack target state in the cross-domain attack and defense interaction graph, so as to complete the attack path optimization modeling.
[0223] In one embodiment, when the processor executes the computer program, it further implements the following steps: a process for calculating edge weights, including:
[0224]
[0225] in, For the later integration The weight value, and They are the edges In the subgraph to be merged and The original weight values are assigned based on the trust level of the multi-source secure data source.
[0226] In one embodiment, when the processor executes the computer program, it further performs the following steps: based on time window constraints and interval clocking techniques, it performs time consistency verification on the attack path with the minimum risk cost to eliminate invalid pseudo-paths with timing inconsistencies and obtain valid attack paths that pass the verification; the time consistency verification is used to verify each event in the path. Time stamp information Does it meet the requirements? ;in and events The effective time interval has upper and lower limits, and the effective time interval is set based on actual operating condition parameters, including the response time of power grid equipment and network transmission delay. The verified effective attack paths are overlaid and mapped with the topology of power grid physical equipment, network topology structure and control logic flow to achieve multi-level visualization and deduction. Based on the effective attack paths, event flow, parameter configuration of finite state machine template, asset objects in semantic model, interface configuration and communication protocol, a reproducible scenario package is generated for attack path verification and defense strategy testing.
[0227] The implementation principle and technical effects of the above embodiments are similar to those of the above method embodiments, and will not be repeated here.
[0228] In one embodiment, a computer-readable storage medium is provided having a computer program stored thereon, the computer program performing the following steps when executed by a processor:
[0229] For cybersecurity protection scenarios in digital power grids and industrial control systems, semantic models including asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies are established using OWL or RDFS semantic modeling specifications.
[0230] Based on the semantic model, a structured event description specification is constructed. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0231] Based on the structured event description specification, multiple heterogeneous data are uniformly converted into standardized triplet or hyperedge data formats to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alerts;
[0232] By using offline extraction, transformation, and loading tools and online streaming data processing pipelines, we connect to and extract data from multiple security data sources to obtain raw data. These multiple security data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0233] Based on the structured event description specification, the raw data is converted into standardized event data with the same format as the standardized data. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0234] Based on the known attack pattern library and the standard operating procedures of the power grid system, a finite state machine template is constructed. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0235] Based on time stamps, standardized event data are organized into an event stream. The event stream is mapped to a finite state machine template through a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, thereby obtaining a verifiable attack trajectory including the initial state, triggering event, and target state, in order to complete the state machine modeling of the multi-stage attack path.
[0236] In one embodiment, when the computer program is executed by the processor, it further implements the following steps: Based on standardized event data, a directed attribute graph model is constructed, in which nodes represent event instances or entity objects, edges represent causal relationships or interactions between events, and each edge is accompanied by contextual attribute information; when the similarity of event features between two event instances is greater than a preset similarity threshold, they are determined to be the same event instance and a merging process is performed; for subgraphs from multiple evidence sources, the union operation of the node set and the edge set is performed, and the edge weights are weighted and averaged to achieve subgraph fusion; through communication protocol field parsing, device unique identifier matching, and function code mapping, a cross-domain association relationship from information layer data to control layer devices is constructed; based on the directed attribute graph model, the merged event instances, the fused subgraphs, and the cross-domain association relationship, a cross-domain attack and defense interaction graph is constructed.
[0237] In one embodiment, when the computer program is executed by a processor, it further implements the following steps: a process for calculating the similarity of event features, including:
[0238]
[0239] in, For the event and The similarity value, For the event and Feature distance metric, This is the distance adjustment coefficient; Calculated using Euclidean distance:
[0240]
[0241] in, and events and In the The values are taken on each feature dimension, which includes the time stamp information difference in the structured event description specification, the communication protocol type, the device unique identifier in the semantic model, and the port number corresponding to the interface configuration.
[0242] In one embodiment, when the computer program is executed by the processor, it further performs the following steps: based on the state machine modeling results of the cross-domain attack and defense interaction graph and the multi-stage attack path, select the degree of concealment of the attack behavior, the required access permission level, the execution complexity of the attack steps, and the probability of being detected by security devices; based on the selection results, construct a path risk cost assessment model; through the path risk cost assessment model, calculate the risk cost weight of each edge in each attack path; and combine the risk cost weights to find the minimum risk cost attack path from the initial attack state to the attack target state in the cross-domain attack and defense interaction graph, so as to complete the attack path optimization modeling.
[0243] In one embodiment, when the computer program is executed by a processor, it further implements the following steps: a process for calculating edge weights, including:
[0244]
[0245] in, For the later integration The weight value, and They are the edges In the subgraph to be merged and The original weight values are assigned based on the trust level of the multi-source secure data source.
[0246] In one embodiment, when the computer program is executed by the processor, it further performs the following steps: based on time window constraints and interval clocking techniques, it performs time consistency verification on the attack path with the minimum risk cost to eliminate invalid pseudo-paths with timing inconsistencies and obtain valid attack paths that pass the verification; the time consistency verification is used to verify each event in the path. Time stamp information Does it meet the requirements? ;in and events The effective time interval has upper and lower limits, and the effective time interval is set based on actual operating condition parameters, including the response time of power grid equipment and network transmission delay. The verified effective attack paths are overlaid and mapped with the topology of power grid physical equipment, network topology structure and control logic flow to achieve multi-level visualization and deduction. Based on the effective attack paths, event flow, parameter configuration of finite state machine template, asset objects in semantic model, interface configuration and communication protocol, a reproducible scenario package is generated for attack path verification and defense strategy testing.
[0247] The implementation principle and technical effects of the above embodiments are similar to those of the above method embodiments, and will not be repeated here.
[0248] In one embodiment, a computer program product is provided, including a computer program that, when executed by a processor, performs the following steps:
[0249] For cybersecurity protection scenarios in digital power grids and industrial control systems, semantic models including asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies are established using OWL or RDFS semantic modeling specifications.
[0250] Based on the semantic model, a structured event description specification is constructed. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier.
[0251] Based on the structured event description specification, multiple heterogeneous data are uniformly converted into standardized triplet or hyperedge data formats to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alerts;
[0252] By using offline extraction, transformation, and loading tools and online streaming data processing pipelines, we connect to and extract data from multiple security data sources to obtain raw data. These multiple security data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs.
[0253] Based on the structured event description specification, the raw data is converted into standardized event data with the same format as the standardized data. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type and validity verification identifier.
[0254] Based on the known attack pattern library and the standard operating procedures of the power grid system, a finite state machine template is constructed. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions.
[0255] Based on time stamps, standardized event data are organized into an event stream. The event stream is mapped to a finite state machine template through a subgraph isomorphic matching algorithm to perform fault-tolerant matching between the event stream and the finite state machine template, thereby obtaining a verifiable attack trajectory including the initial state, triggering event, and target state, in order to complete the state machine modeling of the multi-stage attack path.
[0256] In one embodiment, when the computer program is executed by the processor, it further implements the following steps: Based on standardized event data, a directed attribute graph model is constructed, in which nodes represent event instances or entity objects, edges represent causal relationships or interactions between events, and each edge is accompanied by contextual attribute information; when the similarity of event features between two event instances is greater than a preset similarity threshold, they are determined to be the same event instance and a merging process is performed; for subgraphs from multiple evidence sources, the union operation of the node set and the edge set is performed, and the edge weights are weighted and averaged to achieve subgraph fusion; through communication protocol field parsing, device unique identifier matching, and function code mapping, a cross-domain association relationship from information layer data to control layer devices is constructed; based on the directed attribute graph model, the merged event instances, the fused subgraphs, and the cross-domain association relationship, a cross-domain attack and defense interaction graph is constructed.
[0257] In one embodiment, when the computer program is executed by a processor, it further implements the following steps: a process for calculating the similarity of event features, including:
[0258]
[0259] in, For the event and The similarity value, For the event and Feature distance metric, This is the distance adjustment coefficient; Calculated using Euclidean distance:
[0260]
[0261] in, and events and In the The values are taken on each feature dimension, which includes the time stamp information difference in the structured event description specification, the communication protocol type, the device unique identifier in the semantic model, and the port number corresponding to the interface configuration.
[0262] In one embodiment, when the computer program is executed by the processor, it further performs the following steps: based on the state machine modeling results of the cross-domain attack and defense interaction graph and the multi-stage attack path, select the degree of concealment of the attack behavior, the required access permission level, the execution complexity of the attack steps, and the probability of being detected by security devices; based on the selection results, construct a path risk cost assessment model; through the path risk cost assessment model, calculate the risk cost weight of each edge in each attack path; and combine the risk cost weights to find the minimum risk cost attack path from the initial attack state to the attack target state in the cross-domain attack and defense interaction graph, so as to complete the attack path optimization modeling.
[0263] In one embodiment, when the computer program is executed by a processor, it further implements the following steps: a process for calculating edge weights, including:
[0264]
[0265] in, For the later integration The weight value, and They are the edges In the subgraph to be merged and The original weight values are assigned based on the trust level of the multi-source secure data source.
[0266] In one embodiment, when the computer program is executed by the processor, it further performs the following steps: based on time window constraints and interval clocking techniques, it performs time consistency verification on the attack path with the minimum risk cost to eliminate invalid pseudo-paths with timing inconsistencies and obtain valid attack paths that pass the verification; the time consistency verification is used to verify each event in the path. Time stamp information Does it meet the requirements? ;in and events The effective time interval has upper and lower limits, and the effective time interval is set based on actual operating condition parameters, including the response time of power grid equipment and network transmission delay. The verified effective attack paths are overlaid and mapped with the topology of power grid physical equipment, network topology structure and control logic flow to achieve multi-level visualization and deduction. Based on the effective attack paths, event flow, parameter configuration of finite state machine template, asset objects in semantic model, interface configuration and communication protocol, a reproducible scenario package is generated for attack path verification and defense strategy testing.
[0267] The implementation principle and technical effects of the above embodiments are similar to those of the above method embodiments, and will not be repeated here.
[0268] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties, and the collection, use and processing of the relevant data must comply with relevant regulations.
[0269] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The computer program can be stored in a non-volatile computer-readable storage medium, and when executed, it can include the processes of the embodiments of the above methods. Any references to memory, databases, or other media used in the embodiments provided in this application can include at least one of non-volatile memory and volatile memory. Non-volatile memory can include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, etc. Volatile memory can include random access memory (RAM) or external cache memory, etc. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases involved in the embodiments provided in this application may include at least one type of relational database and non-relational database. Non-relational databases may include, but are not limited to, blockchain-based distributed databases. The processors involved in the embodiments provided in this application may be general-purpose processors, central processing units, graphics processing units, digital signal processors, programmable logic devices, quantum computing-based data processing logic devices, artificial intelligence (AI) processors, etc., and are not limited to these.
[0270] The technical features of the above embodiments can be combined in any way. For the sake of brevity, not all possible combinations of the technical features in the above embodiments are described. However, as long as there is no contradiction in the combination of these technical features, they should be considered to be within the scope of this application.
[0271] The embodiments described above are merely illustrative of several implementation methods of this application, and while the descriptions are specific and detailed, they should not be construed as limiting the scope of this patent application. It should be noted that those skilled in the art can make various modifications and improvements without departing from the concept of this application, and these all fall within the protection scope of this application. Therefore, the protection scope of this application should be determined by the appended claims.
Claims
1. A method for modeling network attack paths, characterized in that, The method includes: For cybersecurity protection scenarios in digital power grids and industrial control systems, semantic models including asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies are established using OWL or RDFS semantic modeling specifications. Based on the semantic model, a structured event description specification is constructed, which includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier. Based on the structured event description specification, multiple heterogeneous data are uniformly converted into standardized triplet or hyperedge data formats to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data, and security alarms; The system uses an offline extraction, transformation, and loading tool and an online streaming data processing pipeline to connect to and extract data from multiple secure data sources to obtain raw data. These multiple secure data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs. Based on the structured event description specification, the raw data is converted into standardized event data with the same format as the standardized data. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type, and validity verification identifier. Based on a known attack pattern library and standard operating procedures of power grid systems, a finite state machine template is constructed. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions. Based on time stamps, the standardized event data are organized into an event stream. The event stream is then mapped to a finite state machine template using a subgraph isomorphic matching algorithm. This allows for fault-tolerant matching between the event stream and the finite state machine template, resulting in a verifiable attack trajectory that includes the initial state, triggering event, and target state. This completes the state machine modeling of the multi-stage attack path.
2. The method according to claim 1, characterized in that, The method further includes: Based on the standardized event data, a directed attribute graph model is constructed. In the directed attribute graph model, nodes represent event instances or entity objects, edges represent causal relationships or interaction relationships between events, and each edge is attached with contextual attribute information. When the similarity of event features between two event instances exceeds a preset similarity threshold, they are determined to be the same event instance and a merging process is performed. For subgraphs from multiple evidence sources, the union operation of the node set and the edge set is performed, and the edge weights are calculated by weighted average to achieve subgraph fusion. Through communication protocol field parsing, device unique identifier matching, and function code mapping, a cross-domain association relationship from information layer data to control layer devices is constructed. Based on the directed attribute graph model, the merged event instances, the fused subgraphs, and the cross-domain association relationship, a cross-domain attack and defense interaction graph is constructed.
3. The method according to claim 2, characterized in that, The calculation process for the similarity of event features includes: in, For the event and The similarity value, For the event and Feature distance metric, This is the distance adjustment coefficient; Calculated using Euclidean distance: in, and events and In the The values are taken on each feature dimension, which includes the time stamp information difference in the structured event description specification, the communication protocol type, the device unique identifier in the semantic model, and the port number corresponding to the interface configuration.
4. The method according to claim 2, characterized in that, The method further includes: Based on the state machine modeling results of the cross-domain attack and defense interaction graph and the multi-stage attack path, the degree of concealment of the attack behavior, the required access level, the execution complexity of the attack steps, and the probability of being detected by security devices are selected; based on the selection results, a path risk cost assessment model is constructed. The path risk cost assessment model is used to calculate the risk cost weight of each side in each attack path. Based on the risk cost weight, the attack path with the minimum risk cost from the initial attack state to the target attack state is found in the cross-domain attack and defense interaction graph to complete the attack path optimization modeling.
5. The method according to claim 2, characterized in that, The calculation process of the edge weights includes: in, For the later integration The weight value, and They are the edges In the subgraph to be merged and The original weight values are assigned based on the trust level of the multi-source security data source.
6. The method according to claim 4, characterized in that, The method further includes: Based on time window constraints and interval clocking techniques, a time consistency check is performed on the minimum risk cost attack path to eliminate invalid pseudo-paths with timing inconsistencies, thus obtaining valid attack paths that pass the check. The time consistency check is used to verify each event in the path. Time stamp information Does it meet the requirements? ;in and events The effective time interval is set based on actual operating condition parameters, including the response time of power grid equipment and network transmission delay. The valid attack paths that pass the verification are overlaid and mapped with the topology of power grid physical equipment, network topology and control logic flow to achieve multi-level visualization and deduction. Based on the effective attack path, the event flow, the parameter configuration of the finite state machine template, the asset objects in the semantic model, the interface configuration, and the communication protocol, a reproducible scenario package is generated for attack path verification and defense strategy testing.
7. A modeling device for network attack paths, characterized in that, The device includes: The model building module is used to build semantic models for network security protection scenarios of digital power grids and industrial control systems, using OWL or RDFS semantic modeling specifications. These models include asset objects, interface configurations, communication protocols, identity identifiers, access permissions, data partitions, business modules, and security control strategies. The construction module is used to construct a structured event description specification based on the semantic model. The structured event description specification includes time stamp information, operation initiator, operation target, specific execution action, runtime environment parameters, and validity verification identifier. The conversion module is used to convert multiple heterogeneous data into a standardized triplet or hyperedge data format based on the structured event description specification, so as to obtain standardized data for modeling; the multiple heterogeneous data include network logs, traffic data and security alarms; The extraction module is used to connect to and extract raw data from multiple secure data sources through offline extraction and conversion loading tools and online streaming data processing pipelines. The multiple secure data sources include security information and event management systems, network traffic analysis data, network packet capture files, host terminal detection and response data, industrial control gateway logs, and scheduling master station logs. The conversion module is further configured to convert the original data into standardized event data with the same format as the standardized data based on the structured event description specification. The standardized event data includes time stamp information, operation initiator, operation target, specific execution action, communication protocol type, and validity verification identifier. The construction module is also used to construct a finite state machine template based on a known attack pattern library and standard operating procedures of the power grid system. The finite state machine template includes attack phase states, state entry conditions, state transition verification rules, and state output actions. The matching module is used to form an event stream from the standardized event data based on time stamps; and to map the event stream to a finite state machine template through a subgraph isomorphic matching algorithm, so as to perform fault-tolerant matching between the event stream and the finite state machine template, and obtain a verifiable attack trajectory including the initial state, triggering event and target state, so as to complete the state machine modeling of the multi-stage attack path.
8. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 6.
9. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.
10. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 6.