CN114039765A - Safety management and control method and device for power distribution Internet of things and electronic equipment

Info

Publication number: CN114039765A
Authority: CN (China)
Prior art keywords: event, current, safety, security, knowledge graph
Legal status: Pending
Application number: CN202111301571.5A
Other languages: Chinese (zh)
Inventors: 姚启桂, 费稼轩, 王向群, 仇慎健, 王齐, 亢超群, 何连杰, 李帅
Current assignee: China Online Shanghai Energy Internet Research Institute Co ltd; State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd; Global Energy Interconnection Research Institute
Original assignee: China Online Shanghai Energy Internet Research Institute Co ltd; State Grid Corp of China SGCC; Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd; Global Energy Interconnection Research Institute
Application filed by: China Online Shanghai Energy Internet Research Institute Co ltd, State Grid Corp of China SGCC, Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd, Global Energy Interconnection Research Institute
Priority application: CN202111301571.5A
Publication: CN114039765A (pending)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/30 Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
    • G06F16/36 Creation of semantic tools, e.g. ontology or thesauri
    • G06F16/367 Ontology
    • H ELECTRICITY
    • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02J CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
    • H02J13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E60/00 Enabling technologies; Technologies with a potential or indirect contribution to GHG emissions mitigation
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/12 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them characterised by data transport means between the monitoring, controlling or managing units and monitored, controlled or operated electrical equipment
    • Y04S40/128 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them characterised by data transport means between the monitoring, controlling or managing units and monitored, controlled or operated electrical equipment involving the use of Internet protocol
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security


Abstract

The invention discloses a safety management and control method, a safety management and control device and electronic equipment of a power distribution Internet of things, wherein the method comprises the following steps: acquiring a network security knowledge graph and a current security event; extracting an event vulnerability set corresponding to a current security event and a current entity object in the power distribution Internet of things from a network security knowledge graph, and acquiring an object vulnerability set corresponding to the current entity object; verifying whether the current security event is a noise event or not based on the relation between the event vulnerability set and the object vulnerability set; when the current safety event is not a noise event, determining a plurality of scene instances corresponding to the current safety event based on a network safety knowledge graph; and screening the high-risk terminals based on the frequency of the terminal equipment connected with the current entity object appearing in the multiple scene instances, and carrying out safety control on the high-risk terminals. By filtering noise events existing in the safety data information, a large amount of resource waste is avoided, and the safety control efficiency and the positioning accuracy of the high-risk terminal are improved.

Description

Safety management and control method and device for power distribution Internet of things and electronic equipment
Technical Field
The invention relates to the technical field of power equipment monitoring, in particular to a safety management and control method and device of a power distribution internet of things and electronic equipment.
Background
With the construction of the smart grid, the traditional power distribution network is gradually developing into an active power distribution network, and the open, interactive communication network adds potential paths and threat access points. The Internet of things of the power distribution network differs greatly from a common Internet of things system in terms of information security technology: on one hand, its real-time requirements are high; on the other hand, shutting the power distribution network down to update its systems is costly, so it is not suited to frequent updates of information security software patches. Because of these characteristics, the power distribution Internet of things cannot simply reuse the information security protection system of a common information system, and a reasonable security management and control method suited to the actual operating environment of the power distribution Internet of things needs to be researched.
Traditional security equipment relies on a single-dimensional data source and has difficulty coping with the frequently changing and increasingly complex security threats that the power distribution Internet of things faces today. In a real environment, the massive security data generated by security equipment contains a share of noise events; these noise events waste resources, have adverse effects on security control, and lead to slow processing of security data, low efficiency and poor accuracy.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for security management and control of a power distribution internet of things, and an electronic device, so as to solve the problems of low speed, low efficiency and poor accuracy in processing security data information that are caused by noise events.
In order to achieve the purpose, the invention provides the following technical scheme:
the embodiment of the invention provides a safety management and control method of a power distribution Internet of things, which comprises the following steps:
acquiring a network security knowledge graph and a current security event, wherein the network security knowledge graph is used for describing each security event;
extracting an event vulnerability set corresponding to the current security event and a current entity object in the power distribution internet of things from the network security knowledge graph, and acquiring an object vulnerability set corresponding to the current entity object;
verifying whether the current security event is a noise event or not based on the relation between the event vulnerability set and the object vulnerability set;
when the current safety event is not a noise event, determining a plurality of scene instances corresponding to the current safety event based on the network safety knowledge graph;
and screening high-risk terminals based on the frequency of the terminal equipment connected with the current entity object appearing in the scene instances, and carrying out safety control on the high-risk terminals.
Optionally, the verifying whether the current security event is a noise event based on the relationship between the event vulnerability set and the object vulnerability set includes:
judging whether the event vulnerability set and the object vulnerability set have intersection or not;
if the intersection exists, judging that the current security event is a real event;
and if the intersection does not exist, judging that the current safety event is a noise event.
Optionally, the determining, based on the network security knowledge graph, a scene instance corresponding to the current security event includes:
extracting scene instances related to the current security event from the network security knowledge graph;
judging whether the scene instance meets an output condition;
and determining the scene instance meeting the output condition as the scene instance corresponding to the current safety event.
Optionally, the determining whether the scene instance satisfies the output condition includes:
acquiring a plurality of matched security events of the scene instances;
substituting the plurality of safety events into a preset logic model;
and if the plurality of safety events meet the requirements of the logic model, the scene instance meets the output condition.
Optionally, the screening high-risk terminals based on the frequency of the terminal device connected to the current entity object appearing in the multiple scene instances includes:
acquiring a plurality of terminal devices connected with a current entity object;
obtaining infrastructure instances associated with the plurality of scenario instances from the network knowledge graph;
counting the frequency of occurrence of each terminal device in the infrastructure instance;
judging whether the frequency of the current terminal equipment appearing in the infrastructure example exceeds a preset frequency threshold value;
and if the preset frequency threshold value is exceeded, determining the current terminal equipment as the high-risk terminal.
Optionally, performing safety management and control on the high-risk terminal includes:
disconnecting the entity object from the high-risk terminal;
and deleting the processes on the entity object that are locally related to the high-risk terminal.
Optionally, the method for safety management and control of the power distribution internet of things further includes constructing the network safety knowledge graph, including:
acquiring multi-source network security data;
fusing the multi-source network security data to form a network security knowledge graph to be verified;
and carrying out knowledge verification on the network security knowledge graph to be verified to obtain the network security knowledge graph.
The embodiment of the invention also provides a safety control device of the distribution internet of things, which comprises:
an acquisition module: acquiring a network security knowledge graph and a current security event, wherein the network security knowledge graph is used for describing each security event;
a vulnerability extraction module: extracting an event vulnerability set corresponding to the current security event and a current entity object in the power distribution internet of things from the network security knowledge graph, and acquiring an object vulnerability set corresponding to the current entity object;
a verification module: verifying whether the current security event is a noise event or not based on the relation between the event vulnerability set and the object vulnerability set;
a scene matching module: when the current safety event is not a noise event, determining a plurality of scene instances corresponding to the current safety event based on the network safety knowledge graph;
the safety management and control module: and screening high-risk terminals based on the frequency of the terminal equipment connected with the current entity object appearing in the scene instances, and carrying out safety control on the high-risk terminals.
An embodiment of the present invention further provides an electronic device, including:
a memory and a processor that are communicatively connected to each other, wherein the memory stores computer instructions and the processor executes the computer instructions so as to perform the safety management and control method of the power distribution internet of things provided by the embodiment of the invention.
The embodiment of the invention also provides a computer-readable storage medium, which stores computer instructions, and the computer instructions are used for enabling the computer to execute the safety control method of the power distribution internet of things provided by the embodiment of the invention.
The technical scheme of the invention has the following advantages:
the invention provides a security management and control method, a security management and control device and electronic equipment of a power distribution Internet of things, wherein a network security knowledge graph and a current security event are obtained, and the network security knowledge graph is used for describing each security event; extracting an event vulnerability set corresponding to a current security event and a current entity object in the power distribution Internet of things from a network security knowledge graph, and acquiring an object vulnerability set corresponding to the current entity object; verifying whether the current security event is a noise event or not based on the relation between the event vulnerability set and the object vulnerability set; when the current safety event is not a noise event, determining a plurality of scene instances corresponding to the current safety event based on a network safety knowledge graph; and screening the high-risk terminals based on the frequency of the terminal equipment connected with the current entity object appearing in the multiple scene instances, and carrying out safety control on the high-risk terminals. By establishing the association between the security event and the multidimensional data in the network security knowledge graph, the internal association rule can be quickly extracted and utilized in the process of managing and controlling the security event, the noise event existing in the security data information is filtered, a large amount of resource waste is avoided, and the security management and control efficiency and the positioning accuracy of the high-risk terminal are improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a security management and control method of a power distribution internet of things in an embodiment of the invention;
FIG. 2 is a flow chart of verifying whether a current security event is a noise event in an embodiment of the present invention;
FIG. 3 is a flowchart illustrating determining multiple scenario instances corresponding to a current security event in an embodiment of the present disclosure;
FIG. 4 is a flowchart illustrating determining whether a scene instance satisfies an output condition according to an embodiment of the present disclosure;
fig. 5 is a flowchart illustrating screening and safety control of high-risk terminals according to an embodiment of the present invention;
FIG. 6 is a flow diagram of constructing a network security knowledge-graph in an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a safety management and control device of a power distribution internet of things in the embodiment of the invention;
fig. 8 is a schematic structural diagram of an electronic device in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In accordance with an embodiment of the present invention, there is provided an embodiment of a method for security management of the power distribution internet of things, where the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and where a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order different than that described herein.
In this embodiment, a method for safely managing and controlling a power distribution internet of things is provided, as shown in fig. 1, the method for safely managing and controlling the power distribution internet of things includes the following steps:
step S1: and acquiring a network security knowledge graph and a current security event, wherein the network security knowledge graph is used for describing each security event.
Step S2: extracting an event vulnerability set corresponding to the current security event and a current entity object in the power distribution Internet of things from the network security knowledge graph, and acquiring an object vulnerability set corresponding to the current entity object. Specifically, before extracting the current entity object, it is first checked whether an entity object and an object vulnerability set corresponding to the current security event already exist in memory. If so, the entity object and its object vulnerability set are read directly from memory; if not, the current entity object and its object vulnerability set are extracted from the network security knowledge graph and cached in memory.
Step S3: and verifying whether the current security event is a noise event or not based on the relation between the event vulnerability set and the object vulnerability set. Specifically, through verification, the noise events can be effectively screened out, the noise events are not processed, and resource waste is avoided.
Step S4: when the current security event is not a noise event, determining a plurality of scene instances corresponding to the current security event based on the network security knowledge graph. Specifically, scene matching of security events is achieved through the association rules in the multidimensional network security knowledge graph, so that security management and control personnel can clearly understand the current security event and execute efficient, rapid management and control measures by making use of the interconnected structure of the knowledge graph.
Step S5: screening the high-risk terminals based on the frequency with which the terminal equipment connected to the current entity object appears in the multiple scene instances, and carrying out safety control on the high-risk terminals. Specifically, applying safety control to the high-risk terminals effectively prevents the entity object from being affected by the security event.
Through the steps S1 to S5, the security management and control method of the power distribution internet of things provided by the embodiment of the invention can quickly extract and utilize the internal association rules to filter noise events existing in the security data information in the process of managing and controlling the security events by establishing the association between the security events and the multidimensional data in the network security knowledge graph, thereby avoiding a large amount of resource waste and improving the security management and control efficiency and the positioning accuracy of high-risk terminals.
Specifically, in an embodiment, as shown in fig. 2, the step S3 includes the following steps:
Step S31: judging whether an intersection exists between the event vulnerability set and the object vulnerability set. Specifically, the intersection test shows whether the current security event can affect the current entity object.
Step S32: if the intersection exists, judging the current security event to be a real event. Specifically, a non-empty intersection indicates that the current security event is a real event that may actually attack the current entity object.
Step S33: if the intersection does not exist, judging the current security event to be a noise event. Specifically, an empty intersection indicates that the current security event does not affect the current entity object, so it can be regarded as a noise event and excluded.
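Steps S2, S31 to S33 amount to a set-intersection test backed by a memory cache. The following Python is an added example and not code from the patent: the knowledge graph is reduced to two relations (event type to vulnerability set, entity object to vulnerability set), and the event signatures, IP addresses and vulnerability identifiers ("VULN-A" and so on) are constructed placeholders, not real identifiers.

```python
"""Noise-event filtering by vulnerability-set intersection (steps S2 and S3).

Added example, not code from the patent. All graph contents, events and
vulnerability ids below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityEvent:
    event_id: str
    target_ip: str      # the entity object the event is aimed at
    signature: str      # detector rule / event type name


@dataclass
class KnowledgeGraph:
    """Minimal stand-in for the network security knowledge graph.

    event_vulns[signature] -> vulnerability ids that this event type exploits
    object_vulns[ip]       -> vulnerability ids present on that entity object
    """
    event_vulns: dict[str, set[str]]
    object_vulns: dict[str, set[str]]


class NoiseFilter:
    def __init__(self, graph: KnowledgeGraph) -> None:
        self.graph = graph
        # Step S2: object vulnerability sets are cached in memory after the
        # first lookup, so the graph is not queried again for the same object.
        self._object_cache: dict[str, set[str]] = {}
        self.cache_hits = 0

    def object_vulnerability_set(self, ip: str) -> set[str]:
        if ip in self._object_cache:
            self.cache_hits += 1
            return self._object_cache[ip]
        vulns = set(self.graph.object_vulns.get(ip, set()))
        self._object_cache[ip] = vulns
        return vulns

    def is_noise(self, event: SecurityEvent) -> bool:
        """Steps S31 to S33: an empty intersection means the event cannot
        affect this entity object, so it is treated as noise."""
        event_set = self.graph.event_vulns.get(event.signature, set())
        object_set = self.object_vulnerability_set(event.target_ip)
        return not (event_set & object_set)


# Constructed sample graph: two event types, two entity objects.
SAMPLE_GRAPH = KnowledgeGraph(
    event_vulns={
        "terminal-firmware-overflow": {"VULN-A", "VULN-B"},
        "plc-default-credentials": {"VULN-C"},
    },
    object_vulns={
        "10.0.1.10": {"VULN-B", "VULN-D"},   # a feeder terminal unit
        "10.0.1.20": {"VULN-E"},             # a data concentrator
    },
)

# Constructed sample events, in arrival order.
SAMPLE_EVENTS = [
    SecurityEvent("E1", "10.0.1.10", "terminal-firmware-overflow"),
    SecurityEvent("E2", "10.0.1.10", "plc-default-credentials"),
    SecurityEvent("E3", "10.0.1.20", "terminal-firmware-overflow"),
    SecurityEvent("E4", "10.0.1.10", "unknown-signature"),
]


def classify(events: list[SecurityEvent]) -> list[tuple[str, str]]:
    """Label each event 'real' or 'noise'; only 'real' events go on to step S4."""
    f = NoiseFilter(SAMPLE_GRAPH)
    return [(e.event_id, "noise" if f.is_noise(e) else "real") for e in events]


if __name__ == "__main__":
    for event_id, label in classify(SAMPLE_EVENTS):
        print(event_id, label)
```

Only E1 survives the filter: its event type exploits VULN-B, which is present on 10.0.1.10. E2 targets the same object with a vulnerability it does not have, E3 targets an object with no overlap at all, and E4 has a signature unknown to the graph, so its event vulnerability set is empty and it is dropped as noise as well; an unknown signature is therefore a case worth logging separately so that graph coverage gaps are not silently mistaken for noise.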
Specifically, in an embodiment, as shown in fig. 3, the step S4 includes the following steps:
Step S41: extracting scene instances corresponding to the current security event from the network security knowledge graph. Specifically, once the current security event is determined to be a real event, it is first matched against the attack scenes in the cache; if a corresponding attack scene is matched, the state of that attack scene in the cache is updated. The cache is mainly used for storing attack scenes and scene instances.
If no attack scene corresponding to the security event is matched in the cache, the current security event is matched against the attack scenes in memory, and if a corresponding attack scene is matched, it is put into the cache.
If no attack scene corresponding to the current security event is matched in memory either, the attack scene and the scene instance corresponding to the current security event are extracted from the network security knowledge graph and put into the cache.
Specifically, each security event has a specific number and a target IP; during analysis, clustering can be performed by IP address, and security events belonging to the same IP are analyzed together. Assuming that an attacker attacks a specific IP according to a certain attack scene, the generated security event set is denoted $E$, and its events are numbered in order of generation time as $E = \{E_1, E_2, \dots, E_n\}$. For a group of security events with the same source IP, it is checked whether a corresponding scene instance to be matched exists in the cache; if not, a new scene instance is created in the cache, and if it exists, the state of the scene instance in the cache is refreshed.
Each attack scene and its corresponding scene instance exist in the cache for a limited time. If the state of an attack scene is never updated, it is considered not to pose a potential security hazard to the entity object, so when it reaches the time limit it is cleaned out of the cache; this further reduces resource occupation and improves the security control efficiency and the positioning accuracy of high-risk terminals. If matching is frequent, the state keeps being updated, so it can be retrieved more quickly and matching efficiency improves.
Step S42: and judging whether the scene instance meets the output condition.
Step S43: and determining the scene instance meeting the output condition as the scene instance corresponding to the current safety event.
Specifically, in an embodiment, as shown in fig. 4, the step S42 includes the following steps:
step S421: and acquiring a plurality of security events matched with the scene instances. Specifically, scene matching of security events can be achieved through association rules inside the network security knowledge graph.
Step S422: and substituting a plurality of safety events into a preset logic model.
Step S423: and if the plurality of safety events meet the requirements of the logic model, the scene instance meets the output condition.
Specifically, in steps S421 to S423, each scene instance can logically be regarded as the result of cascading multiple security events through AND and OR operations, so whether the output condition is satisfied can be determined by numerical calculation. For example, a scene instance can be computed with the following logic model:
[Formula image BDA0003338597530000111: logic model of the scene instance; the formula itself is not reproduced in this extraction]
If the scene instance $scene_{IP}$ in the current cache has matched the events $E_{IP\_2}$, $E_{IP\_4}$ and $E_{IP\_5}$, then $e_{IP\_2}$, $e_{IP\_4}$ and $e_{IP\_5}$ in the above formula are set to 1 and the rest to 0; after the AND and OR operations are computed, the value of $f_{scene_{IP}}$ is 0. If a further matching event is then input into the cache, the value corresponding to the scene instance can become 1 and the output condition is met. Different scene instances may have different logic models; the specific logic model can be set according to the actual requirements of each scene instance, which the present invention does not limit.
When a scene instance meets the output condition it is output; the output information includes the generation time of each event, the output time of the scene, the duration of the whole matching process, and so on. If the output condition is not reached, the scene instance continues to wait for further matching until it expires.
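The worked case above (three matched events giving 0, one more event giving 1) together with the cache lifetime rule from step S41 can be exercised with the added Python below. This is example code, not the patent's own: the AND/OR structure in SCENE_MODEL is an assumption chosen so that matching $E_{IP\_2}$, $E_{IP\_4}$ and $E_{IP\_5}$ alone evaluates to 0, the patent giving no concrete model; the three-tier cache/memory/graph lookup is collapsed into a single cache keyed by IP; event names follow the description's $E_{IP\_i}$ notation and timestamps are constructed integer seconds.

```python
"""Scene-instance matching against a preset AND/OR logic model (steps S41 to
S43, S421 to S423) with time-limited cache residency.

Added example, not code from the patent. SCENE_MODEL is an assumed model
written for illustration; event names and times are constructed.
"""
from __future__ import annotations

# A logic model is a nested tuple ("and", ...) / ("or", ...) whose leaves are
# event names. Leaf e_i evaluates to 1 when that event has been matched to the
# scene instance, and to 0 otherwise.
SCENE_MODEL = (
    "and",
    "E_IP_1",
    ("or", ("and", "E_IP_2", "E_IP_3"), ("and", "E_IP_4", "E_IP_5")),
)


def evaluate(model, matched: set[str]) -> int:
    """Numerically evaluate the cascade of AND (min) and OR (max) operations."""
    if isinstance(model, str):
        return 1 if model in matched else 0
    op, *operands = model
    values = [evaluate(m, matched) for m in operands]
    if op == "and":
        return min(values)
    if op == "or":
        return max(values)
    raise ValueError(f"unknown operator {op!r}")


class SceneInstance:
    def __init__(self, ip: str, model, created_at: int) -> None:
        self.ip = ip
        self.model = model
        self.created_at = created_at
        self.last_update = created_at
        self.event_times: dict[str, int] = {}   # generation time of each event

    @property
    def matched(self) -> set[str]:
        return set(self.event_times)

    def refresh(self, event: str, now: int) -> None:
        """Record a newly matched event and refresh the instance state."""
        self.event_times[event] = now
        self.last_update = now

    def satisfies_output_condition(self) -> bool:
        return evaluate(self.model, self.matched) == 1

    def output(self, now: int) -> dict:
        """The output information named in the description."""
        return {
            "ip": self.ip,
            "event_times": dict(self.event_times),
            "output_time": now,
            "matching_period": now - self.created_at,
        }


class SceneCache:
    """Scene instances keyed by IP. An instance whose state is not refreshed
    within `ttl` seconds is cleaned out of the cache."""

    def __init__(self, ttl: int, model=SCENE_MODEL) -> None:
        self.ttl = ttl
        self.model = model
        self.instances: dict[str, SceneInstance] = {}

    def evict_expired(self, now: int) -> list[str]:
        expired = [ip for ip, s in self.instances.items()
                   if now - s.last_update > self.ttl]
        for ip in expired:
            del self.instances[ip]
        return expired

    def handle(self, ip: str, event: str, now: int) -> dict | None:
        """Match one real event for `ip`; return the scene output when the
        logic model becomes 1, otherwise None (the instance keeps waiting)."""
        self.evict_expired(now)
        scene = self.instances.get(ip)
        if scene is None:                    # no instance yet: create one
            scene = SceneInstance(ip, self.model, now)
            self.instances[ip] = scene
        scene.refresh(event, now)            # instance exists: refresh its state
        if scene.satisfies_output_condition():
            result = scene.output(now)
            del self.instances[ip]           # scene has been output
            return result
        return None


if __name__ == "__main__":
    cache = SceneCache(ttl=3600)
    for t, ev in enumerate(["E_IP_2", "E_IP_4", "E_IP_5", "E_IP_1"]):
        print(ev, cache.handle("10.0.1.10", ev, t * 10))
```

With SCENE_MODEL as assumed, the first three events leave $f_{scene_{IP}}$ at 0 because the AND with $E_{IP\_1}$ fails; the fourth event flips it to 1 and the instance is output with the event generation times and the length of the matching window. An instance that receives no further events for longer than `ttl` is evicted on the next call, so a stale partial match does not keep accumulating unrelated later events.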
Specifically, in an embodiment, the screening of high-risk terminals in step S5 based on the frequency with which the terminal devices connected to the current entity object appear in the plurality of scene instances includes, as shown in Fig. 5, the following steps:
Step S51: acquiring a plurality of terminal devices connected with the current entity object. Specifically, all terminal devices connected with the current entity object can be obtained from the network security knowledge graph, which facilitates the subsequent security identification of the terminal devices.
Step S52: obtaining the infrastructure instances associated with the plurality of scene instances from the network knowledge graph. Specifically, the infrastructure instances are derived from the infrastructure configuration in the network knowledge graph, in which the detailed numbering of the terminal devices is available.
Step S53: counting the frequency with which each terminal device appears in the infrastructure instances. In particular, the instances involved may be represented by connecting lines in the knowledge graph of the infrastructure dimension. The connections of the scene instances in the infrastructure-dimension knowledge graph are analyzed over a determined time period, such as one hour or one week; a statistical operation is performed over all remote terminals connected with the current entity object, and the number of attack scene instances in which each remote terminal is involved is recorded.
Step S54: judging whether the frequency with which the current terminal device appears in the infrastructure instances exceeds a preset frequency threshold. Specifically, a numerical value is preset as the critical value for identifying whether a terminal device is a high-risk terminal; for example, the preset frequency threshold is 5. In practical application the preset frequency threshold may be set flexibly according to the required precision of security management and control, and is not limited to this value.
Step S55: if the frequency exceeds the preset frequency threshold, determining the current terminal device to be a high-risk terminal. Specifically, if the number of attack scene instances involving any of the terminal devices connected with the current entity object does not exceed 5, there is no high-risk terminal within the target range; otherwise, each terminal device whose statistical frequency value exceeds 5 is a high-risk terminal, and security management and control measures need to be executed on the terminal devices exceeding the threshold.
Specifically, in an embodiment, the security management and control of the high-risk terminal in step S5 includes, as shown in Fig. 5, the following steps:
Step S56: disconnecting the entity object from the high-risk terminal.
Step S57: deleting, locally on the entity object, the processes related to the high-risk terminal.
Specifically, the entity object is effectively prevented from being affected by the security event by the two means of disconnecting the connection and deleting the processes.
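Steps S51 to S57 as one runnable procedure, added here as an example and not taken from the patent. The graph layout is an assumption: an entity object is linked to the terminals connected to it, and each attack scene instance that was output is linked to the terminal (infrastructure instance) it involved, together with the scene's output time, so that the time period of step S53 can be applied. Terminal identifiers, scene identifiers, process names and the one-hour window are constructed. Because disconnecting a terminal and killing processes on a distribution-network device are service-affecting, the example returns the control measures as a plan for review rather than executing them.

```python
"""High-risk terminal screening and control (steps S51-S57) over the infrastructure dimension.

Added example, not the patent's own code. Graph layout, identifiers and the window are
assumptions; control measures are returned as a plan rather than executed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class SceneLink:
    scene_id: str        # attack scene instance that was output
    terminal_id: str     # terminal device (infrastructure instance) it involved
    output_time: float   # when the scene instance was output, epoch seconds


def connected_terminals(graph: Dict[str, Set[str]], entity: str) -> Set[str]:
    """Step S51: all terminal devices connected with the current entity object."""
    return set(graph.get(entity, ()))


def scene_frequency(links: Iterable[SceneLink], terminals: Set[str],
                    window_start: float, window_end: float) -> Dict[str, int]:
    """Steps S52-S53: number of distinct attack scene instances each connected terminal
    appears in within the time period; links outside the window or to other terminals are ignored."""
    scenes: Dict[str, Set[str]] = defaultdict(set)
    for link in links:
        if link.terminal_id in terminals and window_start <= link.output_time <= window_end:
            scenes[link.terminal_id].add(link.scene_id)   # a set, so one scene is counted once
    return {t: len(scenes[t]) for t in sorted(terminals)}


def high_risk_terminals(freq: Dict[str, int], threshold: int = 5) -> List[str]:
    """Steps S54-S55: terminals whose frequency strictly exceeds the preset threshold."""
    return sorted(t for t, n in freq.items() if n > threshold)


def control_measures(entity: str, risky: List[str],
                     processes: Dict[Tuple[str, str], List[str]]) -> List[Tuple[str, str]]:
    """Steps S56-S57: disconnect the entity object from each high-risk terminal and delete
    the entity object's local processes related to it. Returned for review, not executed."""
    actions: List[Tuple[str, str]] = []
    for terminal in risky:
        actions.append(("disconnect", f"{entity} -> {terminal}"))
        for proc in processes.get((entity, terminal), []):
            actions.append(("delete_process", f"{entity}:{proc}"))
    return actions


def screen(entity, graph, links, processes, window, threshold=5):
    """Whole step S5 for one entity object: (frequency table, high-risk terminals, action plan)."""
    terminals = connected_terminals(graph, entity)
    freq = scene_frequency(links, terminals, *window)
    risky = high_risk_terminals(freq, threshold)
    return freq, risky, control_measures(entity, risky, processes)


# Constructed sample data with hypothetical identifiers. Window: one hour from t=1000.
WINDOW = (1000.0, 4600.0)
GRAPH = {"gateway_01": {"FTU-01", "FTU-02", "FTU-03"}}
LINKS = (
    [SceneLink(f"scene_{i}", "FTU-01", 1000.0 + 300 * i) for i in range(7)]          # 7 scenes, all in window
    + [SceneLink("scene_7", "FTU-02", 1200.0), SceneLink("scene_7", "FTU-02", 1300.0),  # same scene twice
       SceneLink("scene_8", "FTU-02", 2000.0), SceneLink("scene_9", "FTU-02", 2500.0)]
    + [SceneLink(f"scene_{10 + i}", "FTU-03", 1100.0 + 800 * i) for i in range(6)]   # last at 5100, outside
    + [SceneLink("scene_20", "FTU-99", 1500.0)]   # terminal not connected to gateway_01: ignored
)
PROCESSES = {("gateway_01", "FTU-01"): ["poll_ftu01", "sync_ftu01"]}

if __name__ == "__main__":
    print(screen("gateway_01", GRAPH, LINKS, PROCESSES, WINDOW))
```

Two details worth noting: the count is over distinct scene instances per terminal, so a scene that links to the same terminal twice is counted once, and the comparison is strict (greater than 5), matching step S55's "does not exceed 5" wording for the no-risk case. FTU-03 has six linked scenes but only five fall inside the window, so it stays below the threshold; widening the period to one week would flag it.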
Specifically, in an embodiment, as shown in Fig. 6, the method further includes the following steps:
Step S61: acquiring multi-source network security data. Specifically, multi-source network security data is collected, the organizational structure of the data is analyzed, and sub-databases of different dimensions are constructed, including a basic configuration dimension, a vulnerability dimension, an attack threat dimension and an alarm dimension; the corresponding data are extracted according to the required entity attributes, providing data support for the subsequent knowledge fusion. The basic configuration dimension includes the CPE number, manufacturer, product number, etc.; the vulnerability dimension includes the vulnerability number, hazard level, release time, etc.; the attack threat dimension includes the classification number, preconditions, attack steps, etc.; the alarm dimension includes the alarm number, behavior classification, detection reliability, etc.
Step S62: fusing the multi-source network security data to form a network security knowledge graph to be verified. Specifically, the collected multi-source network security data may contain much repeated and erroneous content, so a knowledge fusion operation is required: noise data is eliminated, and the same entity is normalized and described at the data, syntax and semantic levels. Scene matching of security events is then achieved on the basis of the association rules of the multidimensional knowledge graph, so that security management and control personnel can clearly understand the current security event and execute efficient and rapid management and control measures by exploiting the interconnection of the knowledge graph.
Step S63: performing knowledge verification on the network security knowledge graph to be verified to obtain the network security knowledge graph. Specifically, the knowledge graph formed after information fusion is normalized in format, but there may still be significant problems in terms of semantics, logic and the like; the constructed knowledge graph can be provided to upper-layer applications only after the evaluation work of knowledge verification. By constructing the network security knowledge graph, direct association relations and cooperative capability exist among the multiple dimensions, which can effectively improve the real-time performance and accuracy of security management and control.
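An added example (not the patent's code) of steps S61 to S63 over constructed records from the four dimensions, carried through to the intersection test of claim 2 that the verification module 103 applies: duplicate and inconsistently written records are merged under a normalized key, records that cannot be linked to anything are dropped as noise, the fused graph is checked for dangling references and invalid attribute values, and the resulting graph answers whether an alarm against a given asset is a real event or noise. The record fields follow the attributes the page lists per dimension; the edge types (asset affected by vulnerability, threat exploits vulnerability, alarm indicates threat), the normalization and the verification rules are assumptions, and every identifier is hypothetical.

```python
"""Knowledge graph construction (steps S61-S63) and the intersection-based noise check of
claim 2, over constructed records from the four dimensions.

Added example, not the patent's own code. Edge types, normalization and verification rules
are assumptions; all identifiers (CPE strings, V-xxxx, T-xx, A-x) are hypothetical.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# S61: constructed multi-source records, containing duplicates, inconsistent casing and noise.
BASE_CONFIG = [
    {"cpe": "cpe:2.3:h:vendor_a:ftu_x1:1.0", "manufacturer": "Vendor A", "product_no": "X1"},
    {"cpe": " CPE:2.3:H:VENDOR_A:FTU_X1:1.0 ", "manufacturer": "vendor a", "product_no": "X1"},  # duplicate
    {"cpe": "cpe:2.3:h:vendor_b:dtu_m2:3.1", "manufacturer": "Vendor B", "product_no": "M2"},
]
VULNS = [
    {"vuln_no": "v-1001", "hazard": "high", "released": "2021-03-01", "affects": ["cpe:2.3:h:vendor_a:ftu_x1:1.0"]},
    {"vuln_no": "V-1001", "hazard": "HIGH", "released": "2021-03-01", "affects": ["CPE:2.3:H:VENDOR_A:FTU_X1:1.0"]},
    {"vuln_no": "V-1002", "hazard": "medium", "released": "2021-06-15", "affects": ["cpe:2.3:h:vendor_b:dtu_m2:3.1"]},
    {"vuln_no": "V-1003", "hazard": "", "released": "2021-07-01", "affects": []},  # noise: no hazard level, no asset
]
THREATS = [
    {"class_no": "T-01", "preconditions": ["network access"], "steps": ["scan", "exploit"], "exploits": ["V-1001"]},
    {"class_no": "T-02", "preconditions": ["credentials"], "steps": ["login", "tamper"], "exploits": ["v-1002"]},
    {"class_no": "T-03", "preconditions": [], "steps": [], "exploits": ["V-9999"]},  # refers to an unknown vulnerability
]
ALARMS = [
    {"alarm_no": "A-1", "behavior": "T-01", "reliability": 0.9},
    {"alarm_no": "A-2", "behavior": "T-02", "reliability": 0.6},
]
HAZARD_LEVELS = {"low", "medium", "high", "critical"}


def norm(value: str) -> str:
    """Data/syntax-level normalization of an identifier: trim whitespace and lowercase."""
    return value.strip().lower()


def fuse(base, vulns, threats, alarms) -> dict:
    """S62: merge records describing the same entity under one normalized key and drop noise."""
    assets: Dict[str, dict] = {}
    for r in base:
        assets.setdefault(norm(r["cpe"]), {"manufacturer": norm(r["manufacturer"]), "product_no": r["product_no"]})
    vuln_nodes: Dict[str, dict] = {}
    affected: Dict[str, Set[str]] = defaultdict(set)          # asset cpe -> vulnerability ids
    for r in vulns:
        if r["hazard"] == "" or not r["affects"]:
            continue                                           # noise record: cannot be linked to anything
        vid = norm(r["vuln_no"])
        vuln_nodes.setdefault(vid, {"hazard": norm(r["hazard"]), "released": r["released"]})
        for cpe in r["affects"]:
            affected[norm(cpe)].add(vid)
    exploits = {norm(t["class_no"]): {norm(v) for v in t["exploits"]} for t in threats}  # threat -> vulns
    indicates = {norm(a["alarm_no"]): norm(a["behavior"]) for a in alarms}            # alarm -> threat
    return {"assets": assets, "vulns": vuln_nodes, "affected": dict(affected),
            "exploits": exploits, "indicates": indicates}


def verify(graph: dict) -> Tuple[dict, List[str]]:
    """S63: semantic and logical checks. Dangling edges are removed and every problem is
    reported; only a graph whose report is empty should reach upper-layer applications as-is."""
    problems: List[str] = []
    for cpe in graph["affected"]:
        if cpe not in graph["assets"]:
            problems.append(f"affected edge from unknown asset {cpe}")
    for vid, v in graph["vulns"].items():
        if v["hazard"] not in HAZARD_LEVELS:
            problems.append(f"vulnerability {vid} has invalid hazard level {v['hazard']!r}")
    known = set(graph["vulns"])
    cleaned = {}
    for tid, vids in graph["exploits"].items():
        for vid in sorted(vids - known):
            problems.append(f"threat {tid} exploits unknown vulnerability {vid}")
        cleaned[tid] = vids & known
    graph["exploits"] = cleaned
    for aid, tid in list(graph["indicates"].items()):
        if tid not in graph["exploits"]:
            problems.append(f"alarm {aid} indicates unknown threat {tid}")
            del graph["indicates"][aid]
    return graph, problems


def event_vuln_set(graph: dict, alarm_no: str) -> Set[str]:
    """Vulnerabilities reachable from the current security event: alarm -> threat -> vulns."""
    return set(graph["exploits"].get(graph["indicates"].get(norm(alarm_no)), ()))


def object_vuln_set(graph: dict, cpe: str) -> Set[str]:
    """Vulnerabilities the graph records for the current entity object (by its CPE)."""
    return set(graph["affected"].get(norm(cpe), ()))


def is_noise_event(graph: dict, alarm_no: str, cpe: str) -> bool:
    """Claim 2: a real event if the two sets intersect, otherwise a noise event."""
    return not (event_vuln_set(graph, alarm_no) & object_vuln_set(graph, cpe))


if __name__ == "__main__":
    g, report = verify(fuse(BASE_CONFIG, VULNS, THREATS, ALARMS))
    print(report, is_noise_event(g, "A-1", "cpe:2.3:h:vendor_a:ftu_x1:1.0"))
```

The point of the verification step is visible in the threat T-03 record: after fusion it still references a vulnerability that no source described, and without the check an alarm mapped to it would always be classified as noise for every asset. Normalizing only by trimming and lowercasing is deliberately the minimum; real CPE strings also need their optional fields padded before two spellings of the same product compare equal.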
This embodiment further provides a security management and control device for a power distribution Internet of Things, which is used to implement the above embodiments and preferred embodiments; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
This embodiment provides a security management and control device for a power distribution Internet of Things which, as shown in Fig. 7, includes:
the obtaining module 101, configured to obtain a network security knowledge graph and a current security event, where the network security knowledge graph is used to describe each security event; for details, see the description of step S1 in the foregoing method embodiment, which is not repeated here.
The vulnerability extraction module 102, configured to extract, from the network security knowledge graph, an event vulnerability set corresponding to the current security event and a current entity object in the power distribution Internet of Things, and to obtain an object vulnerability set corresponding to the current entity object; for details, see the description of step S2 in the foregoing method embodiment, which is not repeated here.
The verification module 103, configured to verify whether the current security event is a noise event based on the relationship between the event vulnerability set and the object vulnerability set; for details, see the description of step S3 in the foregoing method embodiment, which is not repeated here.
The scene matching module 104, configured to determine, based on the network security knowledge graph, a plurality of scene instances corresponding to the current security event when the current security event is not a noise event; for details, see the description of step S4 in the foregoing method embodiment, which is not repeated here.
The security management and control module 105, configured to screen high-risk terminals based on the frequency with which the terminal devices connected to the current entity object appear in the plurality of scene instances, and to perform security management and control on the high-risk terminals; for details, see the description of step S5 in the foregoing method embodiment, which is not repeated here.
The security management and control device for the power distribution Internet of Things in this embodiment is in the form of functional units, where a unit refers to an ASIC circuit, a processor and memory executing one or more pieces of software or firmware, and/or other devices capable of providing the above functions.
Further functional descriptions of the modules are the same as those of the corresponding embodiments and are not repeated here.
An embodiment of the present invention also provides an electronic device which, as shown in Fig. 8, may include a processor 901 and a memory 902; the processor 901 and the memory 902 may be connected by a bus or in another manner, and Fig. 8 takes connection by a bus as the example.
The processor 901 may be a Central Processing Unit (CPU). The processor 901 may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory 902, as a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the methods in the method embodiments of the present invention. The processor 901 executes the various functional applications and data processing by running the non-transitory software programs, instructions and modules stored in the memory 902, that is, it implements the methods in the above method embodiments.
The memory 902 may include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created by the processor 901, and the like. Further, the memory 902 may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory 902 may optionally include memory located remotely from the processor 901, which may be connected to the processor 901 via a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
One or more modules are stored in the memory 902 and, when executed by the processor 901, perform the methods in the above method embodiments.
The specific details of the electronic device may be understood by referring to the corresponding descriptions and effects in the above method embodiments, and are not repeated here.
Those skilled in the art will understand that all or part of the processes of the methods of the above embodiments can be implemented by a computer program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, can include the processes of the above method embodiments. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk Drive (HDD) or a Solid State Drive (SSD), etc.; the storage medium may also comprise a combination of the above kinds of memory.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. A security management and control method for a power distribution Internet of Things, characterized by comprising the following steps:
acquiring a network security knowledge graph and a current security event, wherein the network security knowledge graph is used for describing each security event;
extracting, from the network security knowledge graph, an event vulnerability set corresponding to the current security event and a current entity object in the power distribution Internet of Things, and acquiring an object vulnerability set corresponding to the current entity object;
verifying whether the current security event is a noise event based on the relationship between the event vulnerability set and the object vulnerability set;
when the current security event is not a noise event, determining a plurality of scene instances corresponding to the current security event based on the network security knowledge graph;
and screening high-risk terminals based on the frequency with which the terminal devices connected with the current entity object appear in the plurality of scene instances, and performing security management and control on the high-risk terminals.
2. The security management and control method for a power distribution Internet of Things according to claim 1, wherein verifying whether the current security event is a noise event based on the relationship between the event vulnerability set and the object vulnerability set comprises:
judging whether the event vulnerability set and the object vulnerability set have an intersection;
if the intersection exists, judging that the current security event is a real event;
and if the intersection does not exist, judging that the current security event is a noise event.
3. The security management and control method for a power distribution Internet of Things according to claim 1, wherein determining the scene instances corresponding to the current security event based on the network security knowledge graph comprises:
extracting scene instances related to the current security event from the network security knowledge graph;
judging whether each scene instance satisfies an output condition;
and determining the scene instances satisfying the output condition as the scene instances corresponding to the current security event.
4. The security management and control method for a power distribution Internet of Things according to claim 3, wherein judging whether the scene instance satisfies the output condition comprises:
acquiring a plurality of security events matched with the scene instance;
substituting the plurality of security events into a preset logic model;
and if the plurality of security events satisfy the requirements of the logic model, the scene instance satisfies the output condition.
5. The security management and control method for a power distribution Internet of Things according to claim 1, wherein screening high-risk terminals based on the frequency with which the terminal devices connected with the current entity object appear in the plurality of scene instances comprises:
acquiring a plurality of terminal devices connected with the current entity object;
obtaining infrastructure instances associated with the plurality of scene instances from the network knowledge graph;
counting the frequency with which each terminal device appears in the infrastructure instances;
judging whether the frequency with which the current terminal device appears in the infrastructure instances exceeds a preset frequency threshold;
and if the preset frequency threshold is exceeded, determining the current terminal device to be a high-risk terminal.
6. The security management and control method for a power distribution Internet of Things according to claim 1, wherein performing security management and control on the high-risk terminal comprises:
disconnecting the entity object from the high-risk terminal;
and deleting, locally on the entity object, the processes related to the high-risk terminal.
7. The security management and control method for a power distribution Internet of Things according to claim 1, further comprising:
acquiring multi-source network security data;
fusing the multi-source network security data to form a network security knowledge graph to be verified;
and performing knowledge verification on the network security knowledge graph to be verified to obtain the network security knowledge graph.
8. A security management and control device for a power distribution Internet of Things, characterized by comprising:
an obtaining module, configured to obtain a network security knowledge graph and a current security event, wherein the network security knowledge graph is used for describing each security event;
a vulnerability extraction module, configured to extract, from the network security knowledge graph, an event vulnerability set corresponding to the current security event and a current entity object in the power distribution Internet of Things, and to obtain an object vulnerability set corresponding to the current entity object;
a verification module, configured to verify whether the current security event is a noise event based on the relationship between the event vulnerability set and the object vulnerability set;
a scene matching module, configured to determine, when the current security event is not a noise event, a plurality of scene instances corresponding to the current security event based on the network security knowledge graph;
and a security management and control module, configured to screen high-risk terminals based on the frequency with which the terminal devices connected with the current entity object appear in the plurality of scene instances, and to perform security management and control on the high-risk terminals.
9. An electronic device, comprising:
a memory and a processor communicatively connected to each other, wherein the memory stores computer instructions, and the processor executes the computer instructions so as to perform the security management and control method for a power distribution Internet of Things according to any one of claims 1-7.
10. A computer-readable storage medium storing computer instructions for causing a computer to perform the security management and control method for a power distribution Internet of Things according to any one of claims 1-7.
CN202111301571.5A 2021-11-04 2021-11-04 Safety management and control method and device for power distribution Internet of things and electronic equipment Pending CN114039765A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111301571.5A CN114039765A (en) 2021-11-04 2021-11-04 Safety management and control method and device for power distribution Internet of things and electronic equipment

Publications (1)

Publication Number Publication Date
CN114039765A true CN114039765A (en) 2022-02-11

Family

ID=80142862

Country Status (1)

Country Link
CN (1) CN114039765A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108270785A (en) * 2018-01-15 2018-07-10 中国人民解放军国防科技大学 Knowledge graph-based distributed security event correlation analysis method
CN109005069A (en) * 2018-08-29 2018-12-14 中国人民解放军国防科技大学 Network security knowledge graph association analysis method based on heaven-earth integrated network
CN111177417A (en) * 2020-04-13 2020-05-19 中国人民解放军国防科技大学 Security event correlation method, system and medium based on network security knowledge graph
US20200322361A1 (en) * 2019-04-06 2020-10-08 International Business Machines Corporation Inferring temporal relationships for cybersecurity events
CN112949442A (en) * 2021-02-24 2021-06-11 杭州海康威视系统技术有限公司 Abnormal event pre-recognition method and device, electronic equipment and monitoring system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116595235A (en) * 2023-05-15 2023-08-15 重庆市敏城电子有限公司 Communication control method and device of network filter and electronic equipment
CN116595235B (en) * 2023-05-15 2024-01-30 重庆市敏城电子有限公司 Communication control method and device of network filter and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination