
Discovery Of Cyber Attack Clues Using Knowledge Graph For Industrial Control Systems

Posted on: 2022-07-19
Degree: Master
Type: Thesis
Country: China
Candidate: K Zhou
Full Text: PDF
GTID: 2518306764493524
Subject: Automation Technology

Abstract/Summary:
Under the background of the industrial internet, mature internet technology has broken the relative closure of the industrial control system (ICS). Many vulnerabilities in existing ICS can be exploited by attackers, which makes the security problems and risks of ICS more prominent. Security professionals require certain clues regarding attacks in order to make security decisions, whereas intrusion detection systems can only detect attacks and cannot provide such clues. Therefore, focusing on the exploitation of vulnerabilities, we build an ontology covering manufacturers, devices, vulnerabilities, attack methods and attack results, extract data from multiple data sources to construct the data layer, and then obtain a more complete ICS vulnerability-exploitation knowledge graph through knowledge fusion and knowledge reasoning. With this graph we can explain attacks from the perspective of the knowledge base and provide relevant attack clues to security personnel. The main work can be divided into the following three parts:

(1) A knowledge graph is introduced into ICS security. It can make full use of unstructured web information to mine attack intelligence and, through knowledge reasoning, provide clues about ongoing attacks on the ICS, thereby covering the shortcomings of the intrusion detection system.

(2) Substantial nesting and aliasing exist because entity lengths differ greatly between attack methods and attack results. Based on the linear-chain conditional random field model, we propose a feature combination approach that includes the high-frequency words that make up entities and entity context keywords, in order to improve the completeness of entity recognition. Given a limited corpus and a large number of compound long entities of differing frequencies, we analyse the causes of multiple words carrying one meaning and propose an entity alignment framework based on rules and aggregated similarity, which improves the entity alignment effect to a certain extent.

(3) To solve the problem whereby positive triples may appear among the negative triples generated by the random substitution of the TransE model, a knowledge reasoning algorithm based on the potential correctness probability computed by a pre-training model is proposed. Experiments on the public datasets FB15K, WN18 and WN18RR show that the algorithm performs better under the Mean Rank and Hits@10 evaluation criteria.

This paper designs experiments that demonstrate the superiority of the proposed method. Combining the attack-clue discovery system with the intrusion detection system, visualized as a force-directed graph, can provide more intuitive, rich and accurate attack clues for security experts. It helps them find the exploited vulnerabilities more quickly, patch those vulnerabilities in time, eliminate the attack environment, and reduce the losses caused by attacks.
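The negative-sampling problem described in part (3), as an added illustration that is not the thesis's code: on a constructed toy graph following the abstract's manufacturer/device/vulnerability/attack ontology, it enumerates the random-substitution corruptions that are in fact known facts, and shows the simple filter-against-the-graph mitigation (a standard technique, not the pre-training-based probability method the thesis proposes) together with the candidate filtering used when computing Mean Rank and Hits@10. All entity and relation names are placeholders.

```python
"""Added example (not the thesis's code): random-substitution negative sampling
for TransE can emit triples that are actually true, and a filtered sampler."""
import random
from typing import Iterable, List, Set, Tuple

Triple = Tuple[str, str, str]  # (head, relation, tail)

# Constructed toy facts in the abstract's ontology; every name is a placeholder.
KNOWN: Set[Triple] = {
    ("VendorA", "makes", "PLC-1"),
    ("VendorA", "makes", "PLC-2"),
    ("PLC-1", "has_vuln", "VULN-001"),
    ("PLC-2", "has_vuln", "VULN-001"),
    ("VULN-001", "exploited_by", "BufferOverflow"),
    ("BufferOverflow", "results_in", "DenialOfService"),
}
ENTITIES: List[str] = sorted({e for h, _, t in KNOWN for e in (h, t)})

def single_substitutions(triple: Triple, entities: Iterable[str]) -> List[Triple]:
    """Every corruption a random sampler could produce by swapping one end."""
    h, r, t = triple
    return [(e, r, t) for e in entities if e != h] + \
           [(h, r, e) for e in entities if e != t]

def false_negatives(known: Set[Triple], entities: Iterable[str]) -> List[Triple]:
    """Distinct corruptions that are known facts: the problem the abstract raises."""
    return sorted({c for tr in known
                   for c in single_substitutions(tr, entities) if c in known})

def corrupt_filtered(triple: Triple, entities: List[str], known: Set[Triple],
                     rng: random.Random, max_tries: int = 100) -> Triple:
    """Random substitution that resamples while the candidate is a known fact."""
    h, r, t = triple
    for _ in range(max_tries):
        e = rng.choice(entities)
        cand = (e, r, t) if rng.random() < 0.5 else (h, r, e)
        if cand != triple and cand not in known:
            return cand
    raise RuntimeError("no negative found; relation too dense for this graph")

def filtered_candidates(triple: Triple, entities: Iterable[str], known: Set[Triple],
                        corrupt_head: bool) -> List[str]:
    """Entities ranked for Mean Rank / Hits@10 in the 'filtered' protocol:
    other true triples are dropped, the test entity itself is kept."""
    h, r, t = triple
    keep = []
    for e in entities:
        cand = (e, r, t) if corrupt_head else (h, r, e)
        if cand == triple or cand not in known:
            keep.append(e)
    return keep
```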
Keywords/Search Tags:attack clues, industrial control system security, knowledge graph, knowledge reasoning, named entity recognition