CN113783886A - Intelligent operation and maintenance method and system for power grid based on intelligence and data - Google Patents


Info

Publication number
CN113783886A
Authority
CN
China
Prior art keywords
data
information
intelligence
server
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111095096.0A
Other languages
Chinese (zh)
Inventor
卢陈越
邵康
袁琪
张昊
吴博科
周钟炜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Changzhou Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Jiangsu Electric Power Co Ltd
Changzhou Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, State Grid Jiangsu Electric Power Co Ltd and Changzhou Power Supply Co of State Grid Jiangsu Electric Power Co Ltd
Priority to CN202111095096.0A
Publication of CN113783886A
Current legal status: Pending

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION (all classes below fall under this group)
    • H04L63/00 Network architectures or network communication protocols for network security › H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic › H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic › H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic › H04L63/1433 Vulnerability analysis
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic › H04L63/1441 Countermeasures against malicious traffic
    • H04L67/00 Network arrangements or protocols for supporting network services or applications › H04L67/50 Network services › H04L67/55 Push-based network services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an intelligent operation and maintenance method for a power grid based on intelligence and data, and a system thereof, belonging to the technical field of electric power. The method comprises the steps of collecting basic security logs and machine data; standardizing the format of the data to be processed; expanding and enriching the data sources; performing security orchestration of response actions; and analyzing the users, terminal devices and applications in the environment through a detection mechanism to find abnormal behaviors and unknown threats. It solves the technical problems of investigating, detecting and understanding network security events and taking rapid, coordinated action against threats. Artificial intelligence is used to actively identify information such as danger alarms and abnormal states and to analyze the value of that information in multiple dimensions, shortening response time and reducing labor cost. A message push platform actively pushes the machine's research and judgment results to operation and maintenance personnel; the push messages can be customized for different scenarios, and the processing speed is greatly improved.

Description

Intelligent operation and maintenance method and system for power grid based on intelligence and data
Technical Field
The invention belongs to the technical field of electric power, and relates to a power grid intelligent operation and maintenance method and a system thereof based on intelligence and data.
Background
With the rapid development of information technology, the types and number of power grid information security protection devices increase year by year and the operation and maintenance management and control requirements keep rising, while at the same time there is a shortage of professional operation and maintenance personnel. The traditional communication and operation and maintenance working mode can no longer effectively cope with the increasingly severe network security situation and the continuously rising professional management requirements.
At present, the pain points of network security operation and maintenance personnel mainly include:
1. The volume of network security operation and maintenance monitoring information is large. The State Grid company's network topology is planned around three lines of defense, from the outside inwards: the internet zone, the management information zone and the production control zone. Access control and isolation between the zones are implemented by firewalls, logical strong-isolation devices and forward/reverse physical isolation devices. Each access control or isolation point deploys several sets of security equipment; the Changzhou company alone has 15 security devices. Each device monitors the data flow independently, so the system produces a large number of repeated and false alarms, the information volume is large, the workload of operation and maintenance personnel is heavy, and comprehensive control is difficult to achieve by manual monitoring alone;
2. The timeliness requirement for network security monitoring and disposal is high. During attack and defense drills, the provincial company requires that network attacks be reported within 15 minutes, which is difficult to do on time by manual monitoring alone when faced with a large amount of alarm data;
3. The effectiveness requirement for network security monitoring and disposal is high. Network security monitoring places high demands on the professional skills of operation and maintenance personnel; web attack techniques are numerous and well concealed, so manual operation and maintenance often misses network attacks and reliability is poor. Monitoring is required 24 hours a day during attack and defense exercises, the labor cost is high, personnel quality is uneven, and management is difficult.
Disclosure of Invention
The invention aims to solve the above technical problems by providing an intelligent operation and maintenance method and system for a power grid based on intelligence and data, so that the technical problems of investigating, detecting and understanding network security events and taking rapid, coordinated action against threats are solved.
In order to achieve this purpose, the invention adopts the following technical scheme:
A power grid intelligent operation and maintenance method based on intelligence and data comprises the following steps:
1) collecting basic security logs and machine data to generate the data to be processed, wherein the data to be processed comprises asset information ledger data and threat intelligence for daily maintenance;
2) standardizing the format of the data to be processed and adding identity data, so that the common fields of the data to be processed carry the same uniform names, to obtain standardized data;
3) expanding the data sources by collecting data from non-security-related data sources to supplement the security analysis;
4) enriching the data sources by associating external threat intelligence and asset information, in order to judge events accurately;
5) carrying out simple response actions according to the standardized data, automating these response actions, and performing security orchestration of the response actions so as to complete a specific security operation process;
6) analyzing the users, terminal devices and applications in the environment through a detection mechanism to find abnormal behaviors and unknown threats.
Preferably, the data to be processed in step 1 includes network traffic data, terminal logs, authentication logs, network activity data and security device alarms;
the network traffic data comprises the types of traffic entering and leaving the network and the blocked network communication traffic;
the terminal log is data captured from servers, terminals and operating systems, and contains malicious activity data;
the authentication log is used to obtain the time and place at which a user accessed a system or application;
the network activity data comprises the network attack path, namely from the user's first frequent visits to a website to the final leakage of valuable data to a website controlled by the attacker;
the security device alarm step comprises taking the security alarms from a physical security device or operating system as the basic data of abnormal network behavior, combining them with the analysis of raw network traffic, endpoint logs and authentication log data, recording and classifying the abnormal network behaviors by IP address, and capturing the various traces related to network attacks from the network behavior and user behavior.
Preferably, standardizing the format of the data to be processed in step 2 includes extracting fields from the data to be processed, standardizing the fields from the different data sources and associating them with different preset data type models, and then implementing association analysis and monitoring early warning of security events through the associations among the different data type models.
Preferably, the data sources expanded in step 3 include protocol-level wire data from Bro, DNS query-level data from debug-level logs or wire data sources, DHCP activity logs, and file system data.
Preferably, the asset information in step 4 includes open source intelligence (OSINT) sources and internal resource information; the external threat intelligence is intelligence data periodically released by an external security agency.
Preferably, the security orchestration of response actions in step 5 includes combining the security capabilities of different systems, or of different components within a system, according to a certain logical relationship via programmable interfaces (APIs) and manual checkpoints, to complete a specific security operation process.
A power grid intelligent operation and maintenance system based on intelligence and data comprises a data acquisition server, a database server, an intelligence center server, a data analysis server, a supporting data acquisition server and an information push platform, all of which communicate with one another through the Internet;
the data acquisition server acquires the data and logs generated by the security devices through a plurality of protocol interfaces, and the acquisition modes comprise active acquisition and passive reception;
the database server stores the raw data acquired by the data acquisition server, and applies backup processing when the data is backed up;
the intelligence center server collects threat intelligence, which comprises malicious URLs (uniform resource locators), malicious domain names, malicious IP (Internet Protocol) addresses, malicious code, 0day vulnerabilities and a vulnerability library;
the data analysis server performs correlation analysis of threat intelligence, standardizes the format of the data to be processed, expands and enriches the data sources, and performs security orchestration of response actions;
the data analysis server generates the push messages;
the supporting data acquisition server acquires the asset information ledger data, which comprises the organization structure, IP addresses, the CMDB database, the DNS (domain name system) library, security domains and employee account numbers;
the information push platform issues the push messages.
The invention has the beneficial effects that:
the invention relates to an intelligent operation and maintenance method and system for a power grid based on information and data, which solve the technical problems of investigation, detection and understanding of network security events and rapid and cooperative action for resisting threats.
Drawings
FIG. 1 is a flow chart of the present invention;
FIG. 2 is a system architecture diagram of the present invention.
Detailed description of the preferred embodiments
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1:
As shown in FIGS. 1-2, an intelligent operation and maintenance method for a power grid based on intelligence and data includes collecting basic security logs and machine data and generating the data to be processed, wherein the data to be processed includes asset information ledger data and threat intelligence for daily maintenance;
in this embodiment, the collected data includes data generated by dozens of network security devices such as firewalls, attack tracing, network tracing, vulnerability scanning, access control, hosts/VMs, antivirus software, database information, application systems, IDS/IPS, WAF, mail gateways, authentication systems, middleware information and the like, and the protocol interfaces adopted include the Syslog protocol, TCP/UDP, WMI, ODBC/JDBC, a universal forwarder and the like.
Standardizing the format of the data to be processed and adding identity data, so that the common fields of the data to be processed carry the same uniform names, to obtain standardized data;
expanding the data sources by collecting data from non-security-related data sources to supplement the security analysis;
enriching the data sources by associating external threat intelligence and asset information, in order to judge events accurately;
carrying out simple response actions according to the standardized data, automating these response actions, and performing security orchestration of the response actions so as to complete a specific security operation process;
analyzing the users, terminal devices and applications in the environment through a detection mechanism to find abnormal behaviors and unknown threats.
This embodiment applies a sophisticated detection mechanism including machine learning, and analyzes the users, terminal devices and applications in the environment by applying machine learning, data science and advanced statistical techniques, thereby finding abnormal behaviors and unknown threats. More granular data is collected from the terminals, so that threats are detected more effectively.
Machine learning can use its understanding and reasoning ability to rapidly analyze and judge whether information is abnormal. For example, when a sudden large traffic volume is encountered, the platform may infer that a distributed denial of service (DDoS) attack is present in the network, immediately analyze the characteristics of the packets, coordinate the probes in a cooperative task, and discard all packets with the same type of characteristics, thereby avoiding loss of other network services to the greatest extent. If a new virus attack or hacker intrusion occurs, machine learning can also write the relevant records into the platform using its learning capability. The algorithms are trained on billions of data artifacts from structured and unstructured data sources. Through machine learning and deep learning, the detection capability of the system is continuously improved, and network security threats and risks are thereby reduced.
Preferably, the data to be processed includes network traffic data, terminal logs, authentication logs, network activity data and security device alarms;
the network traffic data comprises the types of traffic entering and leaving the network and the blocked network communication traffic;
network traffic data is the most important data in any scenario. It is usually measured in gigabytes, its volume is huge, and it is difficult to handle by manpower alone. The invention automatically inspects and analyzes the types of traffic entering and leaving the network in real time, analyzing each passing network flow, with the blocked network communications analyzed in particular.
The terminal log is data captured from servers, terminals and all operating systems (Windows, Linux, macOS, etc.), and contains data on malicious activities (e.g., execution of malicious software, unauthorized activities by insiders, or an attacker lurking on the internal network).
The authentication log is used to obtain the time and place at which a user accessed a system or application;
since most successful attacks eventually involve the use of legitimate identities, this data provides a basis for distinguishing legitimate logins from illegitimate operations such as account theft, brute-force cracking and the like.
The network activity data comprises the network attack path, namely from the user's first frequent visits to the website to the final leakage of valuable data to a website controlled by the attacker;
in this embodiment, analyzing the network activity provides a basis for determining whether a user is attacking the website.
The security device alarm step comprises taking the security alarms from a physical security device or operating system as the basic data of abnormal network behavior, combining them with the analysis of raw network traffic, endpoint logs and authentication log data, recording and classifying the abnormal network behaviors by IP address, and capturing the various traces related to network attacks from the network behavior and user behavior.
Preferably, standardizing the format of the data to be processed includes extracting fields from the data to be processed and standardizing the fields from the different data sources so that they match a preset data type model.
In this embodiment, on the basis of uniform data acquisition, the method extracts fields from the data and standardizes the fields from the different data sources so that they match a data type model. During data standardization, the data is classified according to security standards so that common fields (such as source IP address, port, user name, etc.) carry uniform names, and the log source device therefore no longer needs to be distinguished deliberately. Normalizing the data simplifies investigation and improves the efficiency of analysis. After the data is standardized, the raw data is associated with the different data type models, and association analysis and monitoring early warning of security events are achieved through the associations among the different data models.
The invention implements data monitoring, tracks the systems and users on the network, and uses a large set of custom detection mechanisms for real-time threat monitoring. Subsequent retrospective investigations also use the detection mechanisms of the system of the invention, which also makes cross-source association and investigation easier.
Preferably, the format of the data to be processed is standardized, the raw data is associated with the different data type models, and association analysis and monitoring early warning of security events are achieved through the associations among the different data type models.
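The field standardization and cross-model association described above, as an added example that is not part of the patent: three constructed log lines from different device types are mapped onto one common field schema, after which an authentication-failure pattern is correlated with a firewall block without the correlation logic knowing which device produced each record. The common field names (sourcetype, model, src_ip, dest_ip, dest_port, user, action) are assumptions modelled on typical SIEM data models.

```python
"""Added example, not code from the patent: normalize log lines from different
security devices into one common field schema, then correlate across sources.
The sample log lines are constructed; the common field names are assumed."""
import re
from collections import defaultdict

# Constructed sample input: firewall syslog, Linux sshd auth log, Windows logon events.
SAMPLE_LOGS = [
    ("firewall", "Sep 18 10:01:02 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp"),
    ("firewall", "Sep 18 10:01:05 fw01 ALLOW src=198.51.100.9 dst=10.0.0.8 dport=443 proto=tcp"),
    ("linux_auth", "Sep 18 10:01:10 srv05 sshd[2201]: Failed password for admin from 203.0.113.7 port 51022 ssh2"),
    ("linux_auth", "Sep 18 10:01:12 srv05 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2"),
    ("windows_auth", "EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.7 Computer=WS-0042 Status=0xC000006D"),
    ("windows_auth", "EventID=4624 TargetUserName=jsmith IpAddress=10.0.0.21 Computer=WS-0042 LogonType=2"),
]

# One extraction pattern per source type; each source names the same things differently.
FIREWALL_RE = re.compile(
    r"(?P<action>ALLOW|DENY) src=(?P<src_ip>\S+) dst=(?P<dest_ip>\S+) dport=(?P<dest_port>\d+)")
SSHD_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")
WINEVT_RE = re.compile(
    r"EventID=(?P<event_id>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<src_ip>\S+) Computer=(?P<host>\S+)")


def normalize(sourcetype, raw):
    """Map one raw line onto the common schema; return None if it does not parse.
    'model' is the data type model the event is associated with (network_traffic
    or authentication), so later analysis need not know which device produced it."""
    if sourcetype == "firewall":
        m = FIREWALL_RE.search(raw)
        if not m:
            return None
        return {"sourcetype": sourcetype, "model": "network_traffic",
                "src_ip": m["src_ip"], "dest_ip": m["dest_ip"], "dest_port": int(m["dest_port"]),
                "action": "blocked" if m["action"] == "DENY" else "allowed"}
    if sourcetype == "linux_auth":
        m = SSHD_RE.search(raw)
        if not m:
            return None
        return {"sourcetype": sourcetype, "model": "authentication",
                "src_ip": m["src_ip"], "user": m["user"],
                "action": "failure" if m["result"] == "Failed" else "success"}
    if sourcetype == "windows_auth":
        m = WINEVT_RE.search(raw)
        if not m:
            return None
        return {"sourcetype": sourcetype, "model": "authentication",
                "src_ip": m["src_ip"], "user": m["user"], "dest_host": m["host"],
                "action": "failure" if m["event_id"] == "4625" else "success"}
    return None  # unknown source type: not standardized, dropped from analysis


def normalize_all(logs):
    """Standardize a batch of (sourcetype, raw) pairs, skipping lines that do not parse."""
    return [e for e in (normalize(st, raw) for st, raw in logs) if e is not None]


def correlate(events, min_failures=2):
    """Association across data type models: a source IP with at least min_failures
    authentication failures (from any log source) that the firewall also blocked
    yields one alert. Because fields are uniform, sshd and Windows failures count together."""
    failures = defaultdict(list)
    blocked = set()
    for e in events:
        if e["model"] == "authentication" and e["action"] == "failure":
            failures[e["src_ip"]].append(e)
        elif e["model"] == "network_traffic" and e["action"] == "blocked":
            blocked.add(e["src_ip"])
    alerts = []
    for ip, evs in failures.items():
        if len(evs) >= min_failures and ip in blocked:
            alerts.append({"src_ip": ip,
                           "failed_users": sorted({e["user"] for e in evs}),
                           "sources": sorted({e["sourcetype"] for e in evs})})
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize_all(SAMPLE_LOGS)):
        print(alert)
```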
Preferably, the expanded data sources include protocol-level wire data from Bro, DNS query-level data from debug-level logs or wire data sources, DHCP activity logs, and file system data.
The invention collects data from other non-security-related data sources to supplement the security analysis, since the collected network and terminal data is rich in content but lacks contextual relationships, and some potential threats would otherwise remain undetected in the network.
Preferably, the asset information comprises open source intelligence (OSINT) sources and internal resource information; the external threat intelligence is intelligence data periodically released by an external security agency.
In this embodiment, the context of an event and its impact can be better understood by adding external threat intelligence (periodically issued by an external security organization) and asset information (CMDB ledger, asset inventory, etc.). Asset information data is very important: operation and maintenance personnel can enrich the data from other internal and external sources, including Open Source Intelligence (OSINT) sources and internal resource information, and access to the contextual associations and investigation between the data lets them obtain more value from the data and discover more hidden problems, so that security events and incidents are detected as early as possible.
The invention associates unknown security risks by IP address or user information through boundary firewall logs, IDS/IPS logs, terminal security logs, proxy and reverse proxy logs and DNS logs, combined with threat intelligence, asset and personnel information.
Preferably, the security orchestration of response actions includes combining the security capabilities of different systems, or of different components within a system, according to a certain logical relationship via programmable interfaces (APIs) and manual checkpoints, to complete a particular security operation.
In the present embodiment, a continuous and repeatable security operation and maintenance capability is established that enables continuous monitoring of problems and alarms in the network environment and response to threats in a fast, repeatable and measurable manner, including: the ability to track incidents, to periodically measure analyst efficiency, to act as a team according to the tactics described above, to automate simple response actions, and to combine them into more complex orchestrations.
The security orchestration process relies on the API of each relevant system. For example, the in-depth detection and response performed on a suspicious mail received by a user can be decomposed into: querying the threat intelligence system with the extracted sender, URL links, IP and similar information; sending the attachment to a sandbox system for analysis; deciding, according to the information returned by the intelligence system and the sandbox system, whether to notify the mail system to delete the mail or the attachment; and deciding whether to collect further information from the recipient's terminal through EDR (endpoint detection and response) for analysis. This suspicious mail analysis process is an example of orchestrating the mail system, threat intelligence system, sandbox system, EDR and so on together through certain logic.
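The suspicious-mail orchestration above, as an added example that is not part of the patent: the threat intelligence query, sandbox submission, mail deletion and EDR collection are chained by explicit decision logic, with the manual checkpoint placed before the one destructive step. The connector functions, indicator and verdict tables, and the decision thresholds are constructed stand-ins and assumptions, not any real system's API.

```python
"""Added example, not code from the patent: the suspicious-mail playbook as a
security-orchestration flow with a manual checkpoint before mail deletion.
Connectors and their data are constructed stand-ins for the real systems' APIs."""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Mail:
    message_id: str
    sender: str
    urls: list
    src_ip: str
    attachment_id: str      # constructed identifier the sandbox knows the attachment by
    recipient_host: str


# Constructed stand-in for the threat intelligence system's indicator tables.
INTEL_BAD = {
    "sender": {"billing@bad.example"},
    "url": {"http://bad.example/pay"},
    "ip": {"203.0.113.7"},
}
# Constructed stand-in for the sandbox system: attachment id -> verdict.
SANDBOX_VERDICTS = {"ATTACH-CONSTRUCTED-1": "malicious", "ATTACH-CONSTRUCTED-2": "clean"}


def query_threat_intel(mail):
    """Stand-in for the intelligence API: return the mail's known-bad indicators."""
    hits = []
    if mail.sender in INTEL_BAD["sender"]:
        hits.append(("sender", mail.sender))
    hits.extend(("url", u) for u in mail.urls if u in INTEL_BAD["url"])
    if mail.src_ip in INTEL_BAD["ip"]:
        hits.append(("ip", mail.src_ip))
    return hits


def sandbox_analyze(attachment_id):
    """Stand-in for the sandbox API: 'malicious', 'clean' or 'unknown'."""
    return SANDBOX_VERDICTS.get(attachment_id, "unknown")


@dataclass
class SuspiciousMailPlaybook:
    # Manual checkpoint: called before the destructive step; True means the analyst approved.
    approve_delete: Callable[[Mail, list, str], bool]
    actions: list = field(default_factory=list)   # audit trail of API calls issued

    def run(self, mail):
        intel = query_threat_intel(mail)
        verdict = sandbox_analyze(mail.attachment_id)
        self.actions.append(f"intel.query({mail.message_id}) -> {len(intel)} hits")
        self.actions.append(f"sandbox.analyze({mail.attachment_id}) -> {verdict}")
        decision = {"delete_mail": False, "edr_collect": False,
                    "intel_hits": intel, "sandbox": verdict}

        # Assumed decision rule: a malicious sandbox verdict, or two or more independent
        # intel hits, is treated as confirmed; a single hit or an unknown verdict is only suspicious.
        confirmed = verdict == "malicious" or len(intel) >= 2
        suspicious = bool(intel) or verdict == "unknown"

        if confirmed:
            if self.approve_delete(mail, intel, verdict):      # manual checkpoint
                decision["delete_mail"] = True
                self.actions.append(f"mail.delete({mail.message_id})")
            else:
                self.actions.append(f"mail.delete({mail.message_id}) held for analyst")
        if confirmed or suspicious:
            decision["edr_collect"] = True                     # gather terminal evidence
            self.actions.append(f"edr.collect({mail.recipient_host})")
        return decision


def run_example(approved=True):
    """Run the playbook on a constructed phishing mail; returns (decision, actions)."""
    mail = Mail("MSG-1", "billing@bad.example", ["http://bad.example/pay"],
                "203.0.113.7", "ATTACH-CONSTRUCTED-1", "WS-0042")
    pb = SuspiciousMailPlaybook(approve_delete=lambda m, i, v: approved)
    return pb.run(mail), pb.actions
```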
Example 2:
As shown in FIGS. 1-2, the intelligent operation and maintenance system for a power grid based on intelligence and data, which matches the method described in Example 1, includes a data acquisition server, a database server, an intelligence center server, a data analysis server, a supporting data acquisition server and an information push platform, all of which communicate with one another through the Internet;
the data acquisition server acquires the data and logs generated by the security devices through a plurality of protocol interfaces, such as Syslog, Windows Event, file, SNMP, ODBC, etc., and the acquisition modes comprise active acquisition and passive reception;
the database server stores the raw data acquired by the data acquisition server, and applies backup processing when the data is backed up;
the intelligence center server collects threat intelligence, which comprises malicious URLs (uniform resource locators), malicious domain names, malicious IP (Internet Protocol) addresses, malicious code, 0day vulnerabilities and a vulnerability library;
the data analysis server performs correlation analysis of threat intelligence, standardizes the format of the data to be processed, expands and enriches the data sources, and performs security orchestration of response actions;
the data analysis server generates the push messages;
the supporting data acquisition server acquires the asset information ledger data, which comprises the organization structure, IP addresses, the CMDB database, the DNS (domain name system) library, security domains and employee account numbers;
the invention establishes an asset center and an identity center, and automatically generates an internal asset table and an internal personnel information table from the CMDB, asset list, LDAP, personnel list and similar information.
When a security event occurs, the platform automatically associates fields such as ip, mac and nt_host in the security event with the asset center, associates fields such as user and email with the identity center, and then judges the severity and scope of impact of the event.
According to the invention, assets are identified through asset information mapping, and the location, function, owner and scope of impact of the server are determined;
identities are recognized through personnel ID information mapping, and the role level, permissions and department are found;
the asset information is acquired in several modes, such as automatic identification of terminal-type data, CMDB access and the asset table, and is recorded into the asset center for storage.
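The asset center and identity center association described above, as an added example that is not part of the patent: an event is enriched by matching ip/mac/nt_host against an asset table and user/email against an identity table, its remote address is checked against threat intelligence indicators of the kinds the intelligence center section lists later, and a severity is derived from the asset level, personnel status and intel hits. The asset and identity records, the indicator sets, the field names and the scoring weights are all constructed assumptions.

```python
"""Added example, not code from the patent: enrich a security event from an
asset center and an identity center, match it against threat intelligence,
and derive a severity. All tables, field names and weights are assumed."""

# Constructed asset center, as would be built from CMDB, asset list and terminal data.
ASSET_CENTER = [
    {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "nt_host": "srv05",
     "zone": "production-control", "site": "Changzhou", "department": "dispatch",
     "function": "SCADA front-end", "owner": "ops-team-a", "asset_level": 3},
    {"ip": "10.0.0.21", "mac": "00:11:22:33:44:66", "nt_host": "WS-0042",
     "zone": "management-info", "site": "Changzhou", "department": "finance",
     "function": "office workstation", "owner": "it-desk", "asset_level": 1},
]

# Constructed identity center, as would be built from LDAP, HR-DB and the identity table.
IDENTITY_CENTER = [
    {"user": "jsmith", "email": "jsmith@corp.example", "department": "dispatch",
     "role_level": 2, "left_job": False, "left_date": None},
    {"user": "contractor7", "email": "c7@vendor.example", "department": "vendor",
     "role_level": 1, "left_job": True, "left_date": "2021-06-30"},
]

# Constructed threat-intelligence indicators by type (a subset of the types in the text).
THREAT_INTEL = {
    "ip": {"203.0.113.7"},
    "email": {"billing@bad.example"},
    "url": {"http://bad.example/pay"},
}
# Which event fields are checked against which indicator type.
INTEL_FIELDS = (("ip", "src_ip"), ("email", "sender"), ("url", "url"))

# Scoring weights (assumed): asset criticality dominates; a departed account and
# each intel hit add a fixed amount. The severity bands are likewise assumed.
ASSET_WEIGHT, LEFT_JOB_BONUS, INTEL_HIT_BONUS = 2, 3, 3
HIGH_THRESHOLD, MEDIUM_THRESHOLD = 8, 4


def lookup_asset(event):
    """Return the asset record matching any of ip / mac / nt_host in the event, or None."""
    for key in ("ip", "mac", "nt_host"):
        value = event.get(key)
        if value is None:
            continue
        for asset in ASSET_CENTER:
            if asset.get(key) == value:
                return asset
    return None


def lookup_identity(event):
    """Return the identity record matching user or email in the event, or None."""
    for key in ("user", "email"):
        value = event.get(key)
        if value is None:
            continue
        for ident in IDENTITY_CENTER:
            if ident.get(key) == value:
                return ident
    return None


def intel_hits(event):
    """List (indicator_type, value) pairs from the event that threat intelligence knows."""
    hits = []
    for ind_type, field_name in INTEL_FIELDS:
        value = event.get(field_name)
        if value is not None and value in THREAT_INTEL.get(ind_type, set()):
            hits.append((ind_type, value))
    return hits


def score_event(asset, ident, hits):
    """Combine asset level, personnel status and intel hits into one integer score."""
    score = 0
    if asset:
        score += ASSET_WEIGHT * asset["asset_level"]
    if ident and ident["left_job"]:
        score += LEFT_JOB_BONUS  # activity under a departed account is itself suspicious
    score += INTEL_HIT_BONUS * len(hits)
    return score


def enrich(event):
    """Attach asset, identity and intel context to the event and classify its severity."""
    asset, ident, hits = lookup_asset(event), lookup_identity(event), intel_hits(event)
    score = score_event(asset, ident, hits)
    severity = "high" if score >= HIGH_THRESHOLD else "medium" if score >= MEDIUM_THRESHOLD else "low"
    return {"event": event, "asset": asset, "identity": ident,
            "intel": hits, "score": score, "severity": severity}


if __name__ == "__main__":
    # Constructed event: a known-bad source reaching the SCADA front-end with jsmith's account.
    sample = {"src_ip": "203.0.113.7", "ip": "10.0.0.5", "user": "jsmith"}
    print(enrich(sample)["severity"])
```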
Terminal class: PA Trap obtains the correspondence between device IP, MAC and NT_HOST.
CMDB: obtains the network zone, site and department corresponding to the device.
Asset table (manual entry): obtains the asset level.
In this embodiment, the asset acquisition modes are shown in Table 1:
[Table 1: asset acquisition modes; the table image is not reproduced here]
The format and contents of the asset information entered into the asset center are shown in Table 2:
[Table 2: format and contents of asset center records; the table image is not reproduced here]
The identity information is obtained through several modes, such as LDAP, the HR database (HR-DB) and an identity information table, and is recorded into the identity center for storage.
LDAP: user name, mail address, department.
HR-DB: personnel level, whether the person has left the job, and the leaving date.
Identity information table (manual entry): personnel level.
The identity information acquisition modes are shown in Table 3:
[Table 3: identity information acquisition modes; the table image is not reproduced here]
The format and content of the identity information entered into the identity center are shown in Table 4:
[Table 4: format and content of identity center records; the table image is not reproduced here]
The information push platform issues the push messages.
The method collects the various existing security data, combines them with a threat intelligence center and supporting data (asset and personnel information), introduces a risk scoring model, implements security modules such as threat early warning, security situation monitoring, and investigation and analysis, and completes a fully automatic process of threat sensing, threat discovery, threat handling and threat pushing.
In the existing network environment, attack modes are increasingly varied, and advanced security threats cannot be fully prevented by relying on a firewall, an intrusion prevention system and antivirus software alone. More and more raw threat data come from different security devices: a large number of alarms from different security devices and too many reports of malware, phishing attacks and DDoS attacks, so that it is difficult for operation and maintenance personnel to find truly valuable information among the alarm and attack reports.
Threat intelligence takes the attacker as its focus and provides rich intelligence data on the attacker and the attacker's modes, techniques and procedures, including the attack motivation and targets under different attack scenarios, the targeted vulnerabilities, the domains used, the malicious programs and the behavior patterns.
Through threat intelligence correlation analysis, operation and maintenance personnel can quickly find high-risk attack activities or potential risks among a large number of security events. Based on the information contained in the threat intelligence, the operation and maintenance personnel can quickly learn the following important information:
the identity of the attacker: threat intelligence needs to be able to help operation and maintenance personnel trace attack or malicious activities back to the identity of the attacker (the equipment used by the attacker, the location, the department, etc.);
the reason for the attack: knowing the attack motivation and how much effort the attacker will put into the attack, whether it is an APT (advanced persistent threat) attack or a model-in attack, how determined the attacker is to achieve the purpose, etc.;
the purpose of the attack: knowing the attacker's purpose is important for operation and maintenance personnel when adjusting the response priority and the importance of assets;
what is specifically done: the tactics, techniques and procedures of the attacker, which also include the tools, infrastructure, etc. used by the attacker;
how to mitigate the attack: information that operation and maintenance personnel can use to protect assets;
By establishing a threat intelligence center and combining external threat intelligence sources with internal network security device logs, unknown threats are detected based on the attack kill chain model, and potential risks to the system are discovered in time.
The types of threat intelligence contained are: IP, email address, URL, file name, process name, service, registry entry, X509 certificate, and user;
The intelligence center is composed of a plurality of threat intelligence sources, including external threat intelligence, security product threat intelligence, and internal threat intelligence.
External threat intelligence is periodically released by external security organizations and is periodically and automatically synchronized through an API (application program interface);
Security product threat intelligence is provided by Palo Alto or other security product vendors and is synchronized through the security products;
Internal threat intelligence comprises information discovered by security rules, such as seriously infected or suspected compromised internal hosts and stolen accounts;
The method automatically performs correlation matching according to the threat intelligence, sends an alarm for any item that matches the threat intelligence, and automatically adds the item to the security event management and investigation framework;
in this embodiment, the implementation process is as follows:
Step S1: threat intelligence acquisition management: automatically collect intelligence from different threat intelligence sources, set the collection and synchronization time, and add or delete intelligence sources at any time; the threat intelligence sources available in this embodiment are listed in fig. 5 (Table 5):
[Table 5: threat intelligence sources available in this embodiment (table image not reproduced)]
Step S2: threat intelligence classification: classify the collected threat intelligence by IP, email address, URL, file name, process name, service, registry entry and X509 certificate; through classification, threat intelligence from different sources is uniformly formatted so that field correlation matching can be carried out in the next step;
Step S3: correlation and matching: the invention performs type matching on raw logs of different sources and formats by means of field identification and event type classification. After matching is completed, the model contains a series of threat intelligence fields, such as dest_ip, src_ip, user and process;
The threat intelligence center then automatically matches the extracted threat intelligence fields, by type, against the threat intelligence stored in the intelligence center. When a match is found, an alarm is raised directly, the related investigation interface can be reached through the alarm interface, and operation and maintenance personnel can intervene and analyze.
Use of threat intelligence:
According to the threat intelligence discovered by the threat intelligence center, various possible advanced threat scenarios can be discovered by combining the attack kill chain with built-in security rules;
In this embodiment, taking a phishing email attack as an example and combining the attack kill chain, the attack behavior can be divided into the following steps:
Step 1: reconnaissance: find a vulnerability and the method most likely to obtain access rights, attack a vulnerable server and steal a known good document (taking a PDF as an example);
Step 2: weaponization: the attacker creates malware in PDF format, packages it, and gives it the same name as the document on the web portal, so that it looks like a good document;
Step 3: delivery: the attacker spoofs the sender and uses technical means to send an email that appears to come from a normal company employee to multiple targets in the company;
Step 4: exploitation: only one user needs to read the email and open the attachment; the document reader then inadvertently executes the malware installer;
Step 5: installation: after the malware is installed, a malicious service or process is established, usually disguised as a system process such as svchost.exe;
Step 6: command and control: the process establishes communication with an external control server, and the attacker can remotely control the infected server;
Step 7: actions of the attacker: the infected server is used for lateral movement or further penetration, to steal user data, or for other malicious operations.
In this attack process, based on the threat intelligence center, potential risks can be discovered at multiple links of the attack kill chain, so that the attack is prevented from proceeding:
Reconnaissance: combine threat IP intelligence to discover scanning behavior from a malicious IP or access to the main portal from a threat IP;
Delivery: combine threat email address intelligence to discover mail from a malicious sender;
Exploitation: combine threat program name or hash value intelligence to discover the malicious program;
Installation: combine threat process name or hash value intelligence to discover the malicious process;
Command and control: combine threat IP intelligence to discover communication with a malicious IP;
Actions of the attacker: combine internal threat IP intelligence to discover abnormal communication or behavior of the infected or compromised host.
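The steps S2 and S3 above (uniform field extraction from raw logs, then matching each field against intelligence of the corresponding type) and the per-stage detection table just given can be exercised together in a small correlation routine. The following is an added example written for this page, not code from the patent or its applicant: the log lines, indicator values, source names and the mapping of normalized fields to kill-chain stages are all constructed assumptions that follow the text, and the field names dest_ip, src_ip, user and process are the ones the description lists.

```python
"""Threat-intelligence correlation over normalized logs (added example).

Constructed example, not code from the patent: raw lines from three
sources (firewall, mail gateway, endpoint agent) are field-extracted into
one uniform model, each field is matched against an intelligence store
keyed by indicator type, and every hit is reported with the kill-chain
stage it evidences. All indicators and log lines are constructed samples.
"""
import re
from collections import Counter

# Constructed intelligence store keyed by indicator type (the types the
# description lists: IP, email address, URL, file hash, process name).
# "internal_ip" holds hosts flagged as infected by an internal security rule.
INTEL = {
    "ip": {"203.0.113.45"},                       # documentation range, constructed
    "internal_ip": {"10.0.0.77"},
    "email": {"ceo@examp1e-corp.test"},
    "url": {"http://portal.example.test/report.pdf"},
    "hash": {"d41d8cd98f00b204e9800998ecf8427e"},
    "process": {"svch0st.exe"},
}

# (normalized field, intelligence type, kill-chain stage a hit evidences).
# Assumed mapping following the stage table in the text: a malicious source
# IP is reconnaissance, a malicious destination IP is command and control,
# and an internal threat IP as source is actions on objectives.
FIELD_RULES = [
    ("src_ip", "ip", "reconnaissance"),
    ("sender", "email", "delivery"),
    ("url", "url", "delivery"),
    ("file_hash", "hash", "exploitation"),
    ("process", "process", "installation"),
    ("dest_ip", "ip", "command_and_control"),
    ("src_ip", "internal_ip", "actions_on_objectives"),
]

# Per-source field extraction: named groups rename each source's own
# field names onto the uniform model so the matcher needs only one schema.
PARSERS = {
    "fw": re.compile(r"src=(?P<src_ip>\S+) dst=(?P<dest_ip>\S+) action=(?P<action>\S+)"),
    "mail": re.compile(r"from=(?P<sender>\S+) to=(?P<user>\S+)(?: url=(?P<url>\S+))?"),
    "edr": re.compile(r"host=(?P<src_ip>\S+) user=(?P<user>\S+) proc=(?P<process>\S+) md5=(?P<file_hash>\S+)"),
}


def normalize(line):
    """Field-extract one raw line of the form '<source>: k=v k=v ...'.
    Returns a dict of uniform fields plus 'source', or None when the source
    is unknown or the line does not match that source's pattern."""
    source, _, body = line.partition(": ")
    pattern = PARSERS.get(source)
    if pattern is None:
        return None
    m = pattern.search(body)
    if m is None:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    event["source"] = source
    return event


def match_intel(event):
    """Match every populated field against the store by indicator type and
    return one alert per hit, tagged with the kill-chain stage."""
    alerts = []
    for fld, itype, stage in FIELD_RULES:
        value = event.get(fld)
        if value is not None and value in INTEL[itype]:
            alerts.append({"stage": stage, "field": fld, "value": value,
                           "source": event["source"]})
    return alerts


def correlate(lines):
    """Normalize and match a batch of raw lines. Unparsable lines are counted
    rather than silently dropped, so a broken parser is visible as lost coverage."""
    alerts, dropped = [], 0
    for line in lines:
        event = normalize(line)
        if event is None:
            dropped += 1
            continue
        alerts.extend(match_intel(event))
    return alerts, dropped


def stage_counts(alerts):
    """Count alerts per kill-chain stage (a quick view of how far an intrusion got)."""
    return Counter(a["stage"] for a in alerts)


# Constructed sample log lines covering several kill-chain stages plus one
# benign line and one line from a source with no parser.
SAMPLE_LOGS = [
    "fw: src=203.0.113.45 dst=10.0.0.5 action=deny",
    "mail: from=ceo@examp1e-corp.test to=bob@grid.test url=http://portal.example.test/report.pdf",
    "edr: host=10.0.0.77 user=bob proc=svch0st.exe md5=d41d8cd98f00b204e9800998ecf8427e",
    "fw: src=10.0.0.77 dst=203.0.113.45 action=allow",
    "fw: src=10.0.0.6 dst=10.0.0.9 action=allow",
    "syslog: something no parser understands",
]

if __name__ == "__main__":
    found, lost = correlate(SAMPLE_LOGS)
    for a in found:
        print(f"[{a['stage']}] {a['source']} {a['field']}={a['value']}")
    print("unparsed lines:", lost, "| per stage:", dict(stage_counts(found)))
```

The matcher keys on indicator type rather than on field name, which is what lets one intelligence entry (an IP) serve two different stages depending on whether it appears as source or destination; the dropped-line counter matters in practice because a parser that silently fails on a new log format removes that source from detection without any alarm.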
The invention relates to an intelligent operation and maintenance method and system for a power grid based on information and data, which solve the technical problems of investigation, detection and understanding of network security events and rapid and cooperative action for resisting threats.
In the present invention, any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing steps of a custom logic function or process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the embodiments of the present invention.
The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. If implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (7)

1. A power grid intelligent operation and maintenance method based on intelligence and data, characterized by comprising the following steps:
1) collecting basic security logs and machine data to generate data to be processed, wherein the data to be processed comprises asset information ledger data and threat intelligence for daily maintenance;
2) carrying out format standardization on the data to be processed and adding identity data, so that common fields of the data to be processed have the same uniform name, to obtain standardized data;
3) expanding the data sources by collecting data from non-security-related data sources to supplement security analysis;
4) enriching the data sources by associating external threat intelligence and asset information, so as to judge events accurately;
5) carrying out simple response actions according to the standardized data, automating the response actions, and carrying out security orchestration of the response actions so as to complete a specific security operation process;
6) analyzing the users, terminal devices and applications in the environment through a detection mechanism to find abnormal behavior and unknown threats.
2. The intelligence and data based power grid intelligent operation and maintenance method of claim 1, wherein the data to be processed in step 1 comprises network traffic data, terminal log data, identity verification log data, network activity data and security device alarm data;
the network traffic data comprises the traffic types of incoming and outgoing network traffic and the blocked network communication traffic data;
the terminal log is data captured from servers, terminals and operating systems, and contains malicious activity data;
the identity verification log is used for obtaining the time and place at which a user accesses a system or application program;
the network activity data comprises network attack behavior, from a user's frequent visits to a website through to the leakage of valuable data to a website controlled by an attacker;
the security device alarm data comprises basic data of abnormal network behavior, namely security alarms from physical security devices or operating systems; combined with analysis of raw network traffic, endpoint logs and identity verification log data, abnormal network behavior is recorded and classified by IP address, and the various traces related to network attacks are captured from network behavior and user behavior.
3. The intelligence and data based power grid intelligent operation and maintenance method of claim 1, wherein performing format standardization on the data to be processed in step 2 comprises performing field extraction on the data to be processed, standardizing the fields from different data sources, associating the fields with different preset data type models, and realizing correlation analysis and monitoring early warning of security events through association among the different data type models.
4. The intelligence and data based power grid intelligent operation and maintenance method of claim 1, wherein the data sources expanded in step 3 include line transfer data related to the source protocol from Bro, DNS query-level data from debug-level logs or line transfer data sources, DHCP activity logs, and file system data.
5. The intelligence and data based power grid intelligent operation and maintenance method of claim 1, wherein the asset information in step 4 comprises open source intelligence (OSINT) sources and internal resource information; the external threat intelligence is intelligence data periodically released by external security agencies.
6. The intelligence and data based power grid intelligent operation and maintenance method of claim 1, wherein performing security orchestration of response actions in step 5 comprises combining the security capabilities of different systems, or of different components within one system, according to a certain logical relationship through a programmable interface (API) and manual checkpoints, to complete a specific security operation process.
7. An intelligent operation and maintenance system for a power grid using the operation and maintenance method of claim 1, wherein the system comprises a data acquisition server, a database server, an intelligence center server, a data analysis server, a supporting data acquisition server and an information push platform, which communicate with each other through the Internet;
the data acquisition server acquires data and logs generated by security devices through a plurality of protocol interfaces, and the acquisition mode comprises active acquisition and passive reception;
the database server is used for storing the raw data acquired by the data acquisition server, and adopts backup processing when the data is backed up;
the intelligence center server is used for collecting threat intelligence, wherein the threat intelligence comprises malicious URLs (uniform resource locators), malicious domain names, malicious IPs (Internet protocol addresses), malicious code, 0-day vulnerabilities and a vulnerability library;
the data analysis server is used for performing correlation analysis on threat intelligence, performing format standardization on the data to be processed, expanding the data sources, enriching the data sources and performing security orchestration of response actions;
the data analysis server generates push messages;
the supporting data acquisition server is used for acquiring asset information ledger data, comprising the organizational structure, IP addresses, the CMDB database, the DNS (domain name system) library, security domains and employee account numbers;
the information push platform is used for issuing push messages.
CN202111095096.0A 2021-09-17 2021-09-17 Intelligent operation and maintenance method and system for power grid based on intelligence and data Pending CN113783886A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111095096.0A CN113783886A (en) 2021-09-17 2021-09-17 Intelligent operation and maintenance method and system for power grid based on intelligence and data

Publications (1)

Publication Number Publication Date
CN113783886A true CN113783886A (en) 2021-12-10

Family

ID=78851862

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111095096.0A Pending CN113783886A (en) 2021-09-17 2021-09-17 Intelligent operation and maintenance method and system for power grid based on intelligence and data

Country Status (1)

Country Link
CN (1) CN113783886A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and the deployment framework analyzed based on big data
CN112508448A (en) * 2020-12-21 2021-03-16 中电福富信息科技有限公司 Safety arrangement and response system based on big data and AI drive and method thereof

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114584366A (en) * 2022-03-01 2022-06-03 南方电网数字电网研究院有限公司 Power monitoring network safety detection system and method
CN114584366B (en) * 2022-03-01 2024-05-07 南方电网数字电网研究院有限公司 Power monitoring network safety detection system and method
CN114666128A (en) * 2022-03-23 2022-06-24 北京永信至诚科技股份有限公司 Honeypot threat information sharing method, device, equipment and readable storage medium
CN115580451A (en) * 2022-09-22 2023-01-06 云南电网有限责任公司信息中心 Network safety automatic defense countering method, device and storage medium
CN115883236A (en) * 2022-12-10 2023-03-31 国网福建省电力有限公司 Power grid intelligent terminal cooperative attack monitoring system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination