面向工控系统漏洞的多维属性评估

Multi-dimensional attribute analysis of industrial control system vulnerability

针对工业控制系统漏洞风险评估角度较为单一且与工控环境联系不紧密问题,提出了面向工业控制系统漏洞的多维属性评估方法。首先,建立了漏洞有效性、风险类别属性判别模板,同时定义漏洞风险程度多维评价指标。其次,提出基于ernieCat的风险程度预测模型,使用漏洞文本描述及漏洞内在评价属性作为融合特征预测漏洞的严重性、危害性以及可利用性等级。结合工业控制系统设备层级关键信息与漏洞风险等级情况,建立多维度量化指标,对工业控制系统漏洞的危害程度进行量化评估。最后,通过实验验证ernieCat模型应用在漏洞风险程度预测方面的优越性。

In order to solve the problem that the industrial control system vulnerability risk assessment is simple and not closely related to the industrial control environment,a multi-dimensional attri-bute analysis method of industrial control system vulnerability is proposed.Firstly,a template for discriminating vulnerability attack effectiveness and risk category attributes is established,and multi-dimensional evaluation indicators for the degree of risk vulnerability are defined.Secondly,an automat-ed prediction model of risk level based on ernieCat is proposed,which uses the fusion features of vulnerability text descriptions and the intrinsic evaluation attributes of vulnerabilities to predict the seriousness level,hazard level and exploitability level of industrial vulnerabilities.Besides,this paper combines device-level critical information of industrial control system with vulnerability-level risk situations,and establishes multi-dimensional quantitative evaluation indicators to quantitatively assess the risk hazard level for industrial control system vulnerabilities.Experimental results show that the ernieCat model is superior for predicting vulnerability risk level.