At present, organized and purposeful network attacks are becoming more and more evident, among which the Advanced Persistent Threat (APT) has attracted much attention. It continues to penetrate important sectors such as party and government organs and scientific research units, and the train operation control system, traditionally regarded as relatively closed, also faces threats of this kind. On the one hand, as the train control system becomes more information-integrated, its attack surface keeps expanding and the threat risk increases. On the other hand, APT attacks are highly concealed, remain latent for long periods, and are extremely threatening. As a result, it is difficult for the train control system to defend against deliberate insider attacks and long-standing major vulnerabilities, which seriously affects the safety and efficiency of railway transportation and directly disturbs social stability and order.

In essence, a knowledge graph is a networked knowledge base in which entities with attributes are linked through relationships: nodes represent real-world entities, and the various semantic relationships between entities form the edges of the network. Knowledge graphs have clear application advantages in the field of network security. As network threat information evolves dynamically, the constructed network security ontology is dynamically adaptable and highly scalable, and the graphical representation is easier to understand. Therefore, combining the predicament of train control system network security with the advantages of the knowledge graph, this thesis constructs a network security knowledge graph for the train control system. The knowledge graph combines existing knowledge of network security and of the train control system into a complex semantic network. It correlates detected attack facts with potential attack paths, feeds back the current attack stage and mitigation strategy in a timely manner, and improves the active network defense capability of the train control system.

The main work of this thesis is as follows.

1. Briefly describe the architecture of the CTCS-3 train control system and analyze its vulnerabilities. Based on the System Theoretic Process Analysis for Security (STPA-Sec) method, detailed threat scenarios of the train control system are identified, the knowledge chain from security constraints to system-level accidents is obtained, and a threat scenario knowledge base for the train control system is constructed.

2. Realize APT attack threat identification for the train control system at two levels of granularity. At the coarse-grained level, the flow of abnormal events in the system is monitored dynamically in real time, and abnormal events are mapped to attack tactics, techniques and procedures (TTPs) using a network analysis repository. After subsequent statistical analysis, the scope of threat detection is narrowed, a threat score is determined for each host, and the results are displayed as a heat map and a line graph. At the fine-grained level, the correlation between techniques is used to learn attack intentions through Ward's agglomerative hierarchical clustering method, with the Phi correlation distance between techniques as the clustering metric. At a strict 95% confidence level, a suitable number of attack clusters is obtained. Finally, the validity of the attack cluster division is verified using normalized mutual information (NMI), and the resulting attack clusters show high predictability.

3. Establish the ontology model of the train control system network security knowledge graph and the required knowledge stack, extract the available knowledge nodes, and connect them into an understandable semantic network. Integrate the train control system threat scenario knowledge base with the network security knowledge base, and draw 13 entity-attribute graphs to show how nodes are connected reliably. Based on the knowledge graph, the validity of the most-likely-technique correlation algorithm and the attack cluster early warning algorithm is verified.
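The fine-grained clustering step described above in miniature, as an added example that is not code from the thesis: the Phi correlation distance between technique columns of a host-by-technique incidence matrix, followed by Ward agglomerative clustering implemented with the Lance-Williams update. The technique names, the incidence data and the choice of 1 - phi as the distance are assumptions made for the example.

```python
import math
from itertools import combinations
# Constructed host x technique incidence matrix (sample data, not from the thesis):
# one row per host, one column per technique, 1 = technique observed on that host.
TECHNIQUES = ["A1", "A2", "B1", "B2"]  # placeholder technique identifiers
OBSERVED = [
    [1, 1, 0, 0], [1, 1, 0, 0], [1, 1, 0, 0],  # hosts showing group-A behaviour
    [0, 0, 1, 1], [0, 0, 1, 1], [0, 0, 1, 1],  # hosts showing group-B behaviour
    [1, 0, 1, 0], [0, 1, 0, 1],                # noisy hosts mixing the two groups
]

def phi_coefficient(col_a, col_b):
    """Phi correlation of two binary columns, from their 2x2 contingency counts."""
    n11 = sum(1 for a, b in zip(col_a, col_b) if a and b)
    n10 = sum(1 for a, b in zip(col_a, col_b) if a and not b)
    n01 = sum(1 for a, b in zip(col_a, col_b) if b and not a)
    n00 = len(col_a) - n11 - n10 - n01
    denom = math.sqrt((n11 + n10) * (n01 + n00) * (n11 + n01) * (n10 + n00))
    return (n11 * n00 - n10 * n01) / denom if denom else 0.0

def phi_distance_matrix(matrix):
    """Distance 1 - phi between every pair of technique columns (0 = always co-occur)."""
    cols = list(zip(*matrix))
    dist = [[0.0] * len(cols) for _ in cols]
    for i, j in combinations(range(len(cols)), 2):
        dist[i][j] = dist[j][i] = 1.0 - phi_coefficient(cols[i], cols[j])
    return dist

def ward_clusters(dist, k):
    """Ward clustering via Lance-Williams on squared distances; merge until k clusters remain."""
    clusters = {i: [i] for i in range(len(dist))}
    d2 = {(i, j): dist[i][j] ** 2 for i, j in combinations(range(len(dist)), 2)}
    next_id = len(dist)
    while len(clusters) > k:
        i, j = min(d2, key=d2.get)  # closest pair; keys always satisfy i < j
        ni, nj = len(clusters[i]), len(clusters[j])
        for m in clusters:
            if m in (i, j):
                continue
            nm = len(clusters[m])
            dim, djm = d2[tuple(sorted((i, m)))], d2[tuple(sorted((j, m)))]
            d2[(m, next_id)] = ((ni + nm) * dim + (nj + nm) * djm - nm * d2[(i, j)]) / (ni + nj + nm)
        clusters[next_id] = sorted(clusters.pop(i) + clusters.pop(j))
        d2 = {key: v for key, v in d2.items() if i not in key and j not in key}
        next_id += 1
    return sorted(clusters.values())

def technique_clusters(matrix, names, k):
    """Cluster technique names into k attack clusters (the fine-grained step above)."""
    return [[names[i] for i in c] for c in ward_clusters(phi_distance_matrix(matrix), k)]
```

With the constructed data, `technique_clusters(OBSERVED, TECHNIQUES, 2)` separates the two co-occurring technique groups despite the two noisy hosts.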