Dynamic quantitative threat analysis of power information systems based on a hidden Markov model
Journal of University of Shanghai for Science and Technology, 2022, Vol. 44 Issue (4): 388-396, 416


Dynamic threat quantitative analysis of power information system based on hidden Markov model
SU Pengtao1, WU Kuang2, CHEN Mengjie3, ZHANG Xueqin3
1. Shanghai Shineenergy Information Technology Development Co., Ltd., Shanghai 200025, China;
2. Shanghai Zhida Technology Development Co., Ltd., Shanghai 200433, China;
3. School of Information Science and Engineering, East China University of Science and Technology, Shanghai 200237, China
Abstract: To address the problem of quantitatively evaluating network threats to a typical power information system, this paper proposes HMM-NIDS, a dynamic network threat analysis method based on network intrusion detection system (NIDS) alarm information and a hidden Markov model. NIDS alarm information is fully used to analyze alarm threats from four aspects: priority, severity, asset value and reliability. A quantitative description and classification method for alarm threats is given, and the observation matrix of the hidden Markov model is optimized accordingly. The reliability of a successful attack is analyzed with a Bayesian network, which avoids interference from NIDS false alarms. Based on the improved hidden Markov model, the dynamic risk quantification value of the system is obtained by fusion. DDoS attacks were simulated based on the DARPA2000 experimental scenario, and comparative experiments verified the effectiveness and superiority of the proposed method.
Key words: power information system; quantitative threat analysis; hidden Markov; intrusion alarm; Bayesian network

1 Related theory

1.1 Hidden Markov model (HMM)

1.1.1 Markov chain

1.1.2 Hidden Markov model

a. $S$, the hidden Markov chain of the HMM. There are $N$ states $\{s_1, s_2, \cdots, s_N\}$; the state occupied at time $t$ is $q_t$, with $q_t \in \{s_1, s_2, \cdots, s_N\}$.

b. $\boldsymbol V$, the set of observation states. There are $M$ observation states, $\boldsymbol V = \{v_1, v_2, \cdots, v_M\}$. An observation sequence is $\boldsymbol O = \{o_1, o_2, \cdots, o_T\}$, where $o_t \in \boldsymbol V$ and $T$ is the length of the observation sequence.

c. $\boldsymbol \pi$, the initial state probability distribution: $\pi_i = P(q_1 = s_i)$, $1 \leqslant i \leqslant N$, written as the vector $\boldsymbol \pi = (\pi_1, \cdots, \pi_N)$.

d. $\boldsymbol T$, the state transition matrix.

 ${T_{{ij}}} = P({q_{t + 1}} = {s_j}|{q_t} = {s_i}),1 \leqslant i,j \leqslant N$ (1)

e. $\boldsymbol O$, the observation matrix.

 ${O_{nm}} = P({o_t} = {v_m}|{q_t} = {s_n})$ (2)

Fig. 1 Process of HMM

1.2 Bayesian network

Fig. 2 Bayesian network structure

2 Quantitative threat assessment of power information systems based on NIDS alarm information and HMM

2.1 HMM-based quantitative threat assessment of power information systems

2.1.1 Host security states

Fig. 3 Network threat state transition diagram

2.1.2 Probability distribution of host security states

An HMM is a triple $\lambda = (\boldsymbol T, \boldsymbol O, \boldsymbol \pi)$, where $\boldsymbol T$ is the state transition matrix of asset state transition probabilities; $\boldsymbol O$ is the observation matrix giving the probability of observing a particular attack when the asset is in a given state; and the initial state $\boldsymbol \pi$ gives the probability of the asset being in each state when the computation starts.

 ${r_1}(i) = {\pi _i} \times {O_i}({o_1})$ (3)
 ${r_{t + 1}}(i) = \left[\sum\limits_{j = 1}^N {{r_t}(j) \times {T_{ji}}}\right] \times {O_i}({o_{t + 1}})$ (4)

$O_i(o_{t+1})$ is the probability of observing $o_{t+1}$ at time $t+1$.

2.1.3 Quantitative calculation of host and system risk values

 $R=\sum\limits_{i=1}^{N}{r}_{i}{c}_{i}$ (5)

 ${R}_{\rm{net}}=\sum\limits_{i=1}^{L}{R}_{i}$ (6)
2.2 Threat analysis based on NIDS alarm information

2.2.1 Classification of NIDS alarm types

a. Severity

A NIDS such as Snort defines a fairly explicit classification and severity levels for intrusion threat types, as shown in Table 3; looking up that table yields the corresponding severity $S$.

b. Asset value

 $v = f\left( {x,y,z} \right) = \sqrt {\sqrt {x \times y} \times z}$ (7)

c. Priority

2.2.2 Reliability analysis based on a Bayesian network

a. Constructing the Bayesian network topology

Fig. 4 Bayesian network topology of network threat

b. Determining the conditional probability distribution

c. Reliability calculation

 $P\left( {B\left| D \right.} \right) = \frac{{P\left( {D,B} \right)}}{{P\left( D \right)}}$ (8)

 $D = \left( {V\_ID = {\text{yes}},OS = {\text{yes}},App = {\text{yes}}} \right)$

 $\begin{split} & R =P(Attack = \text{succeed}|D) = \\ &\frac{{P(Attack = \text{succeed},V\_ID = {\text{yes}},OS = {\text{yes}},App = {\text{yes}})}}{{P(V\_ID = {\text{yes}},OS = {\text{yes}},App = {\text{yes}})}} =\\ &0.701\;9\end{split}$

d. Alarm information classification

 $\left.\begin{array} {c}{T}_{\rm S}=\dfrac{{V}_{\rm S}}{10}\times 100\%,\;{T}_{\rm A}=\dfrac{{V}_{\rm A}}{5}\times 100\%\\ {T}_{\rm P}={V}_{\rm P}\times 100\%,\;{T}_{\rm R}={V}_{\rm R}\times 100\%\end{array}\right\}$ (9)

 $T' = {\delta _1} P + {\delta _2} S + {\delta _3} R + {\delta _4} A$

2.3 HMM-NIDS algorithm

a. Obtain Snort alarm data.

b. Quantitatively analyze priority, asset value and severity from the alarm information.

c. Build a Bayesian topology for the dynamic threat and a conditional probability table to determine the conditional probability distribution; obtain node state information with tools; compute the probability of a successful attack through Bayesian network analysis, thereby quantifying the reliability index.

d. Fuse the above four factors to determine the threat value and alarm class.

e. Optimize the parameters of the original Trans and Obs matrices of the HMM according to the alarm class, and set the initial probability vector and the cost vector.

3 Experiments and results

3.1 Experimental scenario

Fig. 5 Scenario steps of DARPA experiment

3.2 Experiments and results

3.2.1 Alarm classification

3.2.2 Observation matrix optimization

$\boldsymbol T = \left[ \begin{array}{cccc} p_{GG} & p_{GP} & p_{GA} & p_{GC} \\ p_{PG} & p_{PP} & p_{PA} & p_{PC} \\ p_{AG} & p_{AP} & p_{AA} & p_{AC} \\ p_{CG} & p_{CP} & p_{CA} & p_{CC} \end{array} \right] = \left[ \begin{array}{cccc} 0.6 & 0.3 & 0.09 & 0.01 \\ 0.3 & 0.4 & 0.25 & 0.05 \\ 0.1 & 0.2 & 0.6 & 0.1 \\ 0.01 & 0.09 & 0.1 & 0.8 \end{array} \right]$

$\boldsymbol O = \left[ \begin{array}{cccc} q_G(1) & q_G(2) & q_G(3) & q_G(4) \\ q_P(1) & q_P(2) & q_P(3) & q_P(4) \\ q_A(1) & q_A(2) & q_A(3) & q_A(4) \\ q_C(1) & q_C(2) & q_C(3) & q_C(4) \end{array} \right] = \left[ \begin{array}{cccc} 0.01 & 0.14 & 0.15 & 0.7 \\ 0.05 & 0.25 & 0.25 & 0.45 \\ 0.05 & 0.2 & 0.35 & 0.4 \\ 0.05 & 0.2 & 0.25 & 0.4 \end{array} \right]$
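As an added worked example (not code from the paper), the forward recursion of equations (3)-(4) and the risk values of equations (5)-(6) from Section 2.1.2-2.1.3 are run over a constructed alarm-class sequence using the T and O matrices above, which is the last step of the HMM-NIDS procedure in Section 2.3. The initial distribution π, the cost vector c, and the renormalization after each step are my assumptions, not values or steps taken from the paper.

```python
import numpy as np

# Transition matrix T and observation matrix O with the values given in Section 3.2.2.
# Hidden states are indexed in the paper's order G, P, A, C; observation symbols
# are the four alarm classes 1..4 of Section 2.2.2 d.
T = np.array([[0.60, 0.30, 0.09, 0.01],
              [0.30, 0.40, 0.25, 0.05],
              [0.10, 0.20, 0.60, 0.10],
              [0.01, 0.09, 0.10, 0.80]])
O = np.array([[0.01, 0.14, 0.15, 0.70],
              [0.05, 0.25, 0.25, 0.45],
              [0.05, 0.20, 0.35, 0.40],
              [0.05, 0.20, 0.25, 0.40]])
# Assumed values (not from the paper): every host starts in state G, and the
# cost c_i of being in state G, P, A, C respectively.
PI = np.array([1.0, 0.0, 0.0, 0.0])
COST = np.array([0.0, 20.0, 60.0, 100.0])


def forward_step(r_prev, obs, T=T, O=O):
    """Equation (4): r_{t+1}(i) = [sum_j r_t(j) T_ji] * O_i(o_{t+1}).

    obs is the 1-based alarm class. The result is renormalized so that r_{t+1}
    remains a distribution over states (my addition; the paper's equation is
    written without normalization).
    """
    r = (r_prev @ T) * O[:, obs - 1]      # row vector times T gives sum_j r(j) T_ji
    return r / r.sum()


def state_distribution(observations, pi=PI, T=T, O=O):
    """Equations (3)-(4) over a whole alarm sequence; returns r_t for every t."""
    r = pi * O[:, observations[0] - 1]    # equation (3)
    r = r / r.sum()
    history = [r]
    for obs in observations[1:]:
        r = forward_step(r, obs, T, O)
        history.append(r)
    return np.array(history)


def host_risk(r, cost=COST):
    """Equation (5): R = sum_i r_i c_i for one host."""
    return float(r @ cost)


def system_risk(host_sequences, cost=COST):
    """Equation (6): R_net = sum over the L hosts of each host's current risk."""
    return sum(host_risk(state_distribution(seq)[-1], cost) for seq in host_sequences)


if __name__ == "__main__":
    # Constructed alarm-class sequence for one host: a quiet period, then escalating alarms.
    for t, r in enumerate(state_distribution([4, 4, 3, 2, 1, 1]), 1):
        print(t, np.round(r, 3), round(host_risk(r), 1))
```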

3.2.3 Real-time risk analysis

Fig. 6 Real-time threat analysis diagram

4 Conclusion
