
Research On Industrial Cloud Information Security Evaluation Scheme Based On Bayesian Attack Graph

Posted on: 2021-09-14
Degree: Master
Type: Thesis
Country: China
Candidate: S M Yang
Full Text: PDF
GTID: 2518306308471424
Subject: Mathematics

Abstract/Summary:
The integration of traditional network services into industrial control systems has promoted the development of the industrial cloud. At the same time, some open services have brought a series of security issues. Because industrial equipment runs continuously (7*24 hours) and limits which security testing tools can be used on it, it must be scanned with a completely non-destructive security tool. The industrial cloud system therefore needs to select a suitable evaluation scheme and estimate the resulting risk before security events occur. In this thesis we propose an information security evaluation scheme based on Bayesian attack graphs, which comprehensively evaluates the industrial cloud system under test through static and dynamic security risk management. Specific results are listed below.

1. An attack graph generation algorithm based on asset exploration is proposed. First, the assets included in the system, as well as their models, version numbers, open services, and communication protocols, are determined by the non-destructive scanning method of asset detection. Second, a fuzzy matching algorithm is used to search the vulnerability database for the vulnerabilities corresponding to the assets, and this non-destructive vulnerability scanning produces a list relating vulnerabilities to assets. Third, based on the attack graph reverse generation algorithm, starting from the vulnerabilities of important assets, a Bayesian attack graph is initially generated.

2. A construction algorithm based on a game-attack graph is proposed. The Bayesian attack graph method is used to calculate the conditional probability of nodes by introducing game theory and using the CVSS vulnerability scoring framework to design the utility functions of the attacker and the defender. The conditional attack probability and conditional defense probability of each node are then calculated based on the Nash equilibrium. This changes the way the conditional probability is generated, and also optimizes a generated attack graph that may contain loops, based on the probability, to obtain an acyclic Bayesian attack graph.

3. An industrial cloud information security evaluation scheme based on the Bayesian attack graph is proposed. In a small-scale industrial cloud simulation experimental environment, a scheme evaluation process is designed to verify the validity of the scheme in a static and dynamic manner.
Keywords/Search Tags: Industrial cloud, Bayesian attack graph, Game theory, Assess security