Design of Threat Response Modeling Language for Attacker Profile Based on Probability Distribution

Threat modeling and simulation (TMS) was aimed at dynamically capturing the features of attacks, which is a challenging job in complex Industrial Internet of Things (IIoT) control systems due to the complicated relationships among attacks. Recently, Meta Attack Language (MAL) showed its powerful TMS capabilities for representing complex attacks. However, existing methods pay less attention to the impact of changes in threat profiles on the simulation of key attack techniques. This paper proposes a novel method called threat response modeling language (TRMLang) for threat modeling and simulation in complex IIoT attacks. TRMLang obtains attacker information through an automated analysis of cyber threat intelligence (CTI) to build dynamic attacker profiles. Furthermore, it merges attacker features and probabilistic attack graphs in the simulation to improve TMS performance. The experimental results demonstrate that TRMLang can represent and evaluate the security conditions of IIoT control systems with two attack cases by Lazarus Group on SEGRID smart grids.