WO2023216641A1 - Security protection method and system for power terminal - Google Patents


Info

Publication number
WO2023216641A1
Authority
WO
WIPO (PCT)
Prior art keywords
power terminal
trust value
security
data
trust
Prior art date
Application number
PCT/CN2023/070408
Other languages
French (fr)
Chinese (zh)
Inventor
孙歆
汪自翔
韩嘉佳
吕磅
戴桦
汪溢镭
李沁园
孙昌华
王译锋
Original Assignee
国网浙江省电力有限公司电力科学研究院
Application filed by 国网浙江省电力有限公司电力科学研究院
Publication of WO2023216641A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02J CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
    • H02J13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Definitions

  • the invention relates to a power terminal safety protection method and system, belonging to the technical field of power terminal equipment.
  • a prior patent application discloses an edge IoT agent protection method and a power IoT dynamic security and trustworthiness system, relating to the technical field of power IoT security protection.
  • that edge IoT agent protection method classifies terminal application services by credibility into trusted terminal services and ordinary terminal services and performs parallel isolation control on the two classes: trusted terminal services are processed in a dedicated trusted business domain, and ordinary terminal services in a common business domain.
  • the above solution classifies terminal application services into trusted and ordinary terminal services and isolates them in parallel, but provides no protective measures for the terminal equipment itself. Once a terminal device has been compromised, it may upload false information, or even Trojans and viruses, and there is no way to ensure that the collected information has not been tampered with. Controlling and isolating application services alone therefore cannot truly solve the network security problems of the existing power Internet of Things.
  • the first object of the present invention is to provide a zero-trust module that monitors power terminal equipment effectively.
  • the zero-trust module can collect equipment information of the power terminal equipment and perform monitoring based on the collected equipment information.
  • the trust score gives a trust value, so that abnormal power terminal equipment can be identified in time; this effectively prevents power terminal equipment from uploading false information, Trojans and viruses, and ensures that the collected information has not been tampered with. Evaluating first and then collecting also makes it possible to actively and quickly verify the security information of the terminal, accurately detect and control the terminal, and reduce physical attacks.
  • the second object of the present invention is to provide an assembly of zero-trust equipment that monitors power terminal equipment effectively.
  • the equipment information of the power terminal equipment can be collected through the zero-trust equipment, and a trust score is computed from the collected equipment information to give a trust value. Data is then collected only from power terminal equipment that meets the requirements.
  • abnormal power terminal equipment can be identified in a timely manner, which effectively reduces physical attacks, ensures the accuracy of data collection, and prevents power terminal equipment from uploading false information, Trojans and viruses, so that the collected information is not tampered with and terminal data can be collected in a lightweight way; a data platform that generates security instructions from the parsed data provides security protection and security reinforcement for the power terminal equipment, giving a power terminal security protection system that can respond to abnormal situations in a timely and efficient manner, carry out emergency response, and avoid the expansion of security incidents.
  • the first technical solution of the present invention is:
  • Step 1: build a zero-trust module to collect equipment information of power terminal equipment; conduct trust scoring based on the collected equipment information and give a trust value;
  • Step 2: collect data from the trusted devices of step 1 to obtain the collected data;
  • Step 3: build a security situation awareness module to perform situation awareness on the data collected in step 2;
  • the collected data is converted into perception data;
  • the situational awareness includes intrusion detection and/or vulnerability awareness and/or file integrity detection and/or log monitoring operations;
  • Step 4: build a real-time management and control module to manage and control the sensing data of step 3 and generate security instructions;
  • Step 5: issue the security instructions of step 4 to the power terminal equipment to perform security protection and security reinforcement on the power terminal equipment;
  • the security protection and security reinforcement include security detection and/or security reinforcement and/or file permission management and/or security upgrade.
  • the zero-trust module collects equipment information of power terminal equipment and at the same time performs trust scoring on the collected equipment information to give a trust value, so that abnormal power terminal equipment can be identified in a timely manner; this effectively prevents power terminal equipment from uploading false information, Trojans and viruses, and ensures that the collected information is not tampered with.
  • the present invention performs a trust score on the power terminal equipment and adopts the method of evaluating first and then collecting. Compared with the usual passive authentication mode or direct data collection mode, this ensures the accuracy of data collection on the one hand and, on the other hand, actively and quickly checks the security information of the terminal, accurately detects and controls the terminal, effectively reduces physical attacks, and realizes lightweight collection of terminal data information.
  • the present invention can be applied to new services with high cross-regional interaction frequency and large data volume, and is particularly suitable as a boundary protection measure when large-concurrency services such as power transactions and large-bandwidth video services such as drone video interact across major regions.
  • the present invention builds a security situation awareness module to perform situation awareness on the collected data, performing intrusion detection and/or vulnerability perception and/or file integrity detection and/or log monitoring on the collected data to ensure data security and compliance and further prevent the data from being tampered with.
  • the present invention constructs a real-time management and control module to manage and control the sensing data, generate security instructions, and perform security protection and security reinforcement on the power terminal equipment, so as to respond to abnormal situations in a timely and efficient manner and carry out emergency response. For example, when power terminal equipment is compromised by physical means, security instructions can be issued in a timely manner to make the power terminal equipment immediately restrict its access and communication, avoiding the expansion of the security incident.
  • in step 1, the process by which the zero-trust module collects device information is: read the device data, read the rule files, parse the rule library, and collect the device information;
  • the zero-trust module performs continuous dynamic device authentication on power terminal equipment to block false device information.
  • the trust value is an indicator for identity verification, obtained as a comprehensive score from the basic attributes of the device and the access delay;
  • the trust value threshold is H. If it is higher than or equal to H, it is a legitimate user, and if it is lower than H, it is an illegal user;
  • the trust value includes direct trust value, delay assessment trust value, and abnormal behavior assessment trust value.
  • the calculation formula is as follows:
  • $T = T_d + T_t + T_a$
  • $T$ is the trust value
  • $T_d$ is the direct trust value
  • $T_t$ is the delay evaluation trust value
  • $T_a$ is the abnormal behavior evaluation trust value
  • the direct trust value is computed with the S-shaped function SIGMOID, and its calculation formula is:
  • $T_d$ is the direct trust value
  • $f$ is the direct trust value constraint coefficient, which differs between devices
  • the delay assessment trust value and the abnormal behavior assessment trust value constitute the indirect trust value
  • the delay evaluation trust value is evaluated from the device response time, and its calculation formula is:
  • $T_t$ is the delay evaluation trust value
  • is the maximum allowable delay of device response
  • $D$ is the information transmission delay
  • the abnormal behavior evaluation trust value is evaluated from the proportion of abnormal device behavior to normal behavior.
  • the calculation formula is:
  • $T_a$ is the abnormal behavior evaluation trust value
  • $a_u$ is the amount of abnormal behavior
  • $a_n$ is the amount of normal behavior.
  • the abnormal situations of the power terminal equipment include the following:
  • a certain power terminal device is set to upload its equipment information at a certain time on a certain day, and the equipment information is uploaded late.
  • the trust value of the power terminal equipment is then calculated with the delay evaluation trust value formula; when the trust value is lower than the threshold, an abnormal equipment alarm is issued;
  • the information interaction time of power terminal equipment is fixed and the interacted information is fixed; for a certain device the interaction time is chaotic and the interacted information is chaotic, so the abnormal behavior is obvious.
  • the trust value of the power terminal equipment is then calculated with the abnormal behavior evaluation trust value formula; when the trust value of the power terminal equipment is lower than the threshold, an abnormal equipment alarm is issued;
  • the device information includes the power terminal's operating system kernel version, operating system release version, CPU name, CPU architecture, number of CPU cores, memory size, storage size, and network card information: name, address, status, type and traffic volume.
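As an added example (not code from the patent), the following Python sketches the additive trust score $T = T_d + T_t + T_a$ with the 0 to 100 range and threshold of 60 stated later in the embodiment, and runs it over constructed device records for the two alarm scenarios above (late upload, chaotic interaction). The patent does not give the component formulas; the sigmoid shape for $T_d$, the linear delay penalty for $T_t$, the normal-share form of $T_a$, the weights, the `DeviceInfo` fields and all sample values are assumptions.

```python
"""Additive trust scoring T = T_d + T_t + T_a with a threshold gate.

Added example; this is not code from the patent. The patent gives the
additive structure, a 0..100 range and a threshold of 60, and says T_d is
a sigmoid with a per-device coefficient f, T_t depends on response delay
against a maximum allowable delay, and T_a on the ratio of abnormal to
normal behaviour. The component formulas and the weights below are
assumptions chosen so that the three parts sum to at most 100.
"""
import math
from dataclasses import dataclass

TRUST_THRESHOLD_H = 60.0   # threshold from the patent's embodiment
MAX_TRUST = 100.0
MIN_TRUST = 0.0

# Assumed weights: how many of the 100 points each component can contribute.
W_DIRECT, W_DELAY, W_ABNORMAL = 20.0, 40.0, 40.0


@dataclass(frozen=True)
class DeviceInfo:
    """Constructed device record (device information plus interaction statistics)."""
    device_id: str
    attribute_score: float    # assumed: 0..1 score of basic attributes (kernel, CPU, NIC fields)
    response_delay_ms: float  # D, information transmission delay
    max_delay_ms: float       # maximum allowable delay of device response
    abnormal_events: int      # a_u, amount of abnormal behaviour
    normal_events: int        # a_n, amount of normal behaviour


def direct_trust(attribute_score: float, f: float = 6.0) -> float:
    """T_d: sigmoid of the basic-attribute score, centred at 0.5 with slope f (assumed shape)."""
    return W_DIRECT / (1.0 + math.exp(-f * (attribute_score - 0.5)))


def delay_trust(delay_ms: float, max_delay_ms: float) -> float:
    """T_t: full credit at zero delay, none at or beyond the maximum allowable delay (assumed linear)."""
    if max_delay_ms <= 0:
        raise ValueError("maximum allowable delay must be positive")
    ratio = min(max(delay_ms, 0.0) / max_delay_ms, 1.0)
    return W_DELAY * (1.0 - ratio)


def abnormal_trust(a_u: int, a_n: int) -> float:
    """T_a: share of normal behaviour among all observed behaviour (assumed form)."""
    total = a_u + a_n
    if total == 0:
        return W_ABNORMAL      # no observations yet: nothing abnormal has been seen
    return W_ABNORMAL * (a_n / total)


def trust_value(d: DeviceInfo) -> float:
    """T = T_d + T_t + T_a, clamped to the patent's 0..100 range."""
    t = (direct_trust(d.attribute_score)
         + delay_trust(d.response_delay_ms, d.max_delay_ms)
         + abnormal_trust(d.abnormal_events, d.normal_events))
    return max(MIN_TRUST, min(MAX_TRUST, t))


def classify(d: DeviceInfo) -> str:
    """Gate on H: at or above the threshold the device is trusted and data may be collected from it."""
    return "trusted" if trust_value(d) >= TRUST_THRESHOLD_H else "abnormal"


# Constructed sample devices mirroring the patent's two abnormal scenarios.
NORMAL_DEVICE = DeviceInfo("ptu-01", 1.0, 20.0, 200.0, 0, 100)
DELAYED_DEVICE = DeviceInfo("ptu-02", 1.0, 500.0, 200.0, 0, 100)   # upload later than scheduled
CHAOTIC_DEVICE = DeviceInfo("ptu-03", 1.0, 100.0, 200.0, 40, 10)   # disordered interaction times and content


if __name__ == "__main__":
    for dev in (NORMAL_DEVICE, DELAYED_DEVICE, CHAOTIC_DEVICE):
        print(f"{dev.device_id}: T={trust_value(dev):.1f} -> {classify(dev)}")
```

Because each component is bounded, the weights decide which single symptom can drop a device below H on its own; with the assumed split, exceeding the maximum allowable delay alone is enough, which matches the embodiment's late-upload alarm. A practitioner would tune `W_DIRECT`, `W_DELAY` and `W_ABNORMAL` against historical data and log the three components alongside `T`, so that every alarm can be explained.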
  • intrusion detection is divided into anomaly detection and misuse detection
  • the anomaly detection includes the following:
  • the misuse detection includes the following:
  • $\mathrm{Value}(I_1, I_2)$ is used to express the intrusion detection result
  • $I_1$ and $I_2$ correspond to normal access and the access to be detected
  • $L(I_1, I_2)$ is the access speed difference
  • is the constraint coefficient used to adjust the weight of the access speed difference, usually taking a value of 1;
  • is the constraint coefficient used to adjust the weight of access address differences, usually taking a value of 1;
  • is the constraint coefficient used to adjust the difference weight of access devices, usually taking a value of 1;
  • a is the constraint coefficient of the access speed attribute difference
  • b is the constraint coefficient of the access address attribute difference
  • c is the constraint coefficient for accessing device attribute differences
  • a is a constant 6.5
  • b is a constant 58.5
  • c is a constant 29.25;
  • $u_1$ and $u_2$ are the average speeds corresponding to normal access and the access to be detected respectively;
  • ⁇ 1 and ⁇ 2 are the address values corresponding to normal access and access to be detected respectively;
  • ⁇ 12 is the fixed information value of the access device.
  • the vulnerability perception detects the connection status of the relevant network nodes, and its calculation formula is:
  • $s_{ij}$ is the vulnerability value
  • $n_i$ is the connection value of the network node to be detected
  • $n_j$ is the connection value of the adjacent network nodes
  • is a variable parameter; its value is selected according to the terminal type so as to obtain the most suitable network node connection value.
  • the file integrity detection includes the following:
  • the events include creating, deleting or renaming files, folders and directories; accessing files and folders; changing file and folder attributes; and changing the security settings of files, folders or directories;
  • test is the integrity detection value.
  • if the current file is identical to the original file, the value is true; otherwise it is false;
  • oldfile is the original file.
  • the log monitoring is real-time monitoring and analysis of important log files in the system, to detect the attack methods used by intruders against the system;
  • Attack methods include brute force attacks, privilege escalation, and scanning.
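An added example, not the patent's code, of the log monitoring operation: a small monitor that scans constructed syslog-style lines for the three attack methods the page names (brute force, privilege escalation, scanning). The log layout, regular expressions, IP addresses and thresholds are all assumptions.

```python
"""Log monitoring for brute force, privilege escalation and scanning.

Added example, not the patent's code. The log format is a constructed
syslog-like layout with a full timestamp; thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-01-13 18:00:01 sshd[1201]: Failed password for root from 10.0.0.5 port 51001 ssh2",
    "2024-01-13 18:00:03 sshd[1201]: Failed password for root from 10.0.0.5 port 51002 ssh2",
    "2024-01-13 18:00:06 sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 51003 ssh2",
    "2024-01-13 18:00:09 sshd[1201]: Failed password for root from 10.0.0.5 port 51004 ssh2",
    "2024-01-13 18:00:12 sshd[1201]: Failed password for root from 10.0.0.5 port 51005 ssh2",
    "2024-01-13 18:00:15 sshd[1201]: Failed password for root from 10.0.0.5 port 51006 ssh2",
    "2024-01-13 18:00:20 sshd[1205]: Failed password for operator from 10.0.0.7 port 40011 ssh2",
    "2024-01-13 18:00:25 sshd[1205]: Accepted password for operator from 10.0.0.7 port 40011 ssh2",
    "2024-01-13 18:00:40 sudo: operator : TTY=pts/0 ; PWD=/home/operator ; USER=root ; COMMAND=/bin/bash",
    "2024-01-13 18:01:00 kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP DPT=22",
    "2024-01-13 18:01:00 kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP DPT=23",
    "2024-01-13 18:01:01 kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP DPT=80",
    "2024-01-13 18:01:01 kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP DPT=102",
    "2024-01-13 18:01:02 kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP DPT=502",
    "2024-01-13 18:01:02 kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP DPT=8080",
    "2024-01-13 18:01:05 kernel: IN=eth0 SRC=10.0.0.7 DST=10.0.0.2 PROTO=TCP DPT=22",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo: +(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
FW_RE = re.compile(r"SRC=(\S+) .*DPT=(\d+)")


def analyze(lines, brute_threshold=5, brute_window_s=60, scan_threshold=5):
    """Return alerts keyed by attack method; each detector keeps its own state."""
    failures = defaultdict(deque)   # source -> timestamps of recent failed logins
    ports_seen = defaultdict(set)   # source -> distinct destination ports touched
    alerts = {"brute_force": {}, "privilege_escalation": [], "scanning": {}}

    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue                # unparseable line: skip rather than stop the monitor
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)

        fm = FAILED_RE.search(msg)
        if fm:
            src = fm.group(2)
            q = failures[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > brute_window_s:
                q.popleft()         # slide the window forward
            if len(q) >= brute_threshold:
                alerts["brute_force"][src] = len(q)
            continue

        sm = SUDO_RE.search(msg)
        if sm and sm.group(2) == "root":
            alerts["privilege_escalation"].append((sm.group(1), sm.group(2), sm.group(3)))
            continue

        wm = FW_RE.search(msg)
        if wm:
            src, port = wm.group(1), int(wm.group(2))
            ports_seen[src].add(port)
            if len(ports_seen[src]) >= scan_threshold:
                alerts["scanning"][src] = len(ports_seen[src])

    return alerts


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The brute-force detector uses a sliding time window per source rather than a lifetime counter, so a slow, spread-out series of failures is not mistaken for an attack and an old alert does not persist forever; the scan detector counts distinct destination ports per source. The returned alerts are what the real-time management and control module would consume when generating security instructions.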
  • security detection is based on the sensing data statistically analyzed by the security situation awareness module to achieve real-time monitoring of abnormal behavior of power terminals;
  • the security hardening includes password hardening and kernel virtual patching
  • the file permission management includes the following:
  • the security upgrades include the following:
  • the security upgrade includes remote upgrade and local upgrade: remote upgrade provides a rapid upgrade service through the security monitoring center and supports remote online deployment of new equipment; local upgrade is performed at the power terminal itself.
  • the data storage module constructs a database for storing sensing data and control data
  • the data visualization module obtains data from the data storage module and can display the terminal type, danger level, network type, and security vulnerability of the power terminal equipment.
  • the second technical solution of the present invention is:
  • Step 1: build a zero-trust module to collect equipment information of power terminal equipment, and conduct trust value scoring based on the collected equipment information to give a trust value;
  • when the trust value of the power terminal equipment reaches the standard, the power terminal equipment is trusted and is identified as a trusted device;
  • when the trust value of the power terminal equipment does not meet the standard, the power terminal equipment is identified as abnormal equipment and an abnormal equipment alarm is issued;
  • Step 2: collect data from the trusted equipment of step 1 to obtain the collected data;
  • Step 3: build a security situation awareness module to perform intrusion detection, vulnerability awareness, file integrity detection and log monitoring on the data collected in step 2, and convert the collected data into sensing data;
  • Step 4: build a real-time management and control module to detect and control the sensing data of step 3 and generate security instructions;
  • Step 5: issue the security instructions of step 4 to the power terminal equipment to perform security protection and security reinforcement on it, achieving security detection, security reinforcement, file permission management and security upgrade of the power terminal equipment.
  • the zero-trust module of the present invention collects equipment information of power terminal equipment and at the same time performs trust scoring on the collected equipment information to give a trust value, so that abnormal power terminal equipment can be identified in a timely manner and the upload of false information, Trojans and viruses by power terminal equipment can be effectively avoided, ensuring that the collected information is not tampered with.
  • the present invention needs to perform trust scoring on power terminal equipment.
  • it can effectively reduce physical attacks, ensure the accuracy of data collection, and realize lightweight collection of terminal data information;
  • the evaluation method of the present invention can proactively and quickly verify the security information of the terminal and accurately detect and control the terminal. It can therefore be applied to new businesses with high cross-regional interaction frequency and large data volume, especially power transactions.
  • the present invention builds a security situation awareness module that performs a series of operations on the collected data, such as intrusion detection, vulnerability perception, file integrity detection and log monitoring, and converts the collected data into sensing data, ensuring data security and compliance and further preventing the data from being tampered with.
  • the present invention builds a real-time management and control module to manage and control the sensing data, generate security instructions, and perform operations such as security detection, security reinforcement, file permission management and security upgrade on power terminal equipment, so as to respond to abnormal situations in a timely and efficient manner and carry out emergency response. For example, when a certain power terminal device is compromised by physical means, security instructions can be issued in a timely manner to make the power terminal equipment immediately restrict its access and communication, avoiding the expansion of the security incident.
  • the third technical solution of the present invention is:
  • the zero-trust terminal collects the equipment information of the power terminal, obtains the equipment data stream, and performs trust value scoring based on the equipment information to give a trust value;
  • the network probe collects security information of power terminal equipment and obtains security data streams
  • the edge IoT agent reads and parses the device data stream and security data stream to obtain parsed data, and uploads the parsed data to the data platform;
  • the data platform processes the parsed data and generates safety instructions
  • Security instructions are issued to the power terminal equipment through the edge IoT agent to perform security protection and security reinforcement on the power terminal equipment.
  • the present invention assembles zero-trust equipment to monitor power terminal equipment effectively.
  • the zero-trust equipment collects equipment information of power terminal equipment and at the same time performs trust scoring on the collected equipment information to give a trust value, so that abnormal power terminal equipment can be identified in a timely manner; this effectively prevents power terminal equipment from uploading false information, Trojans and viruses, and ensures that the collected information is not tampered with.
  • the present invention needs to perform trust scoring on power terminal equipment.
  • it can effectively reduce physical attacks, ensure the accuracy of data collection, and realize lightweight collection of terminal data information;
  • the protection system of the present invention can proactively and quickly verify the security information of the terminal and accurately detect and control the terminal. It can therefore be applied to new businesses with high cross-regional interaction frequency and large data volume, especially power transactions.
  • the present invention is equipped with a data platform that can generate safety instructions based on parsed data, perform safety protection and safety reinforcement on power terminal equipment, and can respond to abnormal situations in a timely and efficient manner and perform emergency responses. For example, when a smart terminal is invaded by physical means, security instructions can be issued in a timely manner to control the power terminal equipment to immediately restrict its access and communication to avoid the expansion of security incidents.
  • Figure 1 is a flow chart of the protection method of the present invention
  • Figure 2 is a structural diagram of the protection system of the present invention.
  • the hardware connections include the following:
  • the zero-trust terminal and network probe connect to the power terminal respectively, and then use 485 shielded twisted pair and network cable to connect to the edge IoT agent device.
  • the edge IoT agent device is connected to the data platform through a network cable.
  • the zero-trust terminal, network probe, edge IoT agent device and data platform are configured in the same LAN, so that the edge IoT agent device can access the zero-trust terminal, the network probe and the data platform.
  • the system startup includes the following:
  • Said authentication includes the following
  • the power terminal equipment requests identity verification.
  • the zero-trust terminal gives a trust value based on the trust value score of the device information and performs two operations based on the trust threshold. If the trust value reaches the standard, the device is trusted and information can be collected normally. Otherwise, abnormal device alarms are issued.
  • the maximum trust value is 100 and the minimum is 0;
  • the trust value threshold is 60. If it is higher than or equal to 60, it is a legitimate user, and if it is lower than 60, it is an illegal user;
  • the power terminal equipment is set to upload its equipment information at six o'clock on Saturday evening, and the information of a certain power device is uploaded late. According to the delay evaluation trust value method, the trust value of that device is lower than the threshold, so an abnormal equipment alarm is issued.
  • the power equipment information interaction time is fixed and the interacted information is fixed; for a certain device the interaction time is disordered and the interacted information is confused, so the abnormal behavior is obvious. Based on the abnormal behavior evaluation, the trust value of that device is determined to be lower than the threshold, so an abnormal equipment alarm is issued.
  • the security awareness includes the following:
  • zero-trust terminals and network probes collect equipment information and security information from the power terminals and upload them to the edge IoT agent; the edge IoT agent reads and parses the data streams uploaded by the zero-trust terminals and network probes and uploads the parsed data to the data platform.
  • the security situation awareness module collects power terminal data, performs intrusion detection, vulnerability awareness, file integrity detection, log monitoring and other operations, and sends the data to the real-time management and control module and to the data storage module; the data storage module further uploads it to the data visualization module.
  • Intrusion detection: (1) define the characteristics of events that violate the security policy, such as particular header fields of network packets; detection then mainly checks whether these characteristics appear in the collected data. (2) Define a set of values describing the "normal" condition of the system, such as CPU utilization, memory utilization and file checksums (these can be defined manually or obtained by observing the system and applying statistical methods); the running values of the system are then compared with the defined "normal" condition to determine whether there are signs of an attack.
  • Vulnerability awareness: known security vulnerabilities that may exist on the target are probed one by one by simulating the techniques an attacker would use (vulnerability scanning). Such checks can be run against workstations, servers, switches, databases and other objects.
  • File integrity detection: continuously monitors the files, folders and directories specified in its supervision configuration file. It captures changes that have occurred and can monitor the entire directory structure or individual files and folders for events such as creating, deleting or renaming files, folders and directories; accessing files and folders; changing file and folder attributes; and changing the security settings of files, folders or directories, such as permission changes.
  • file integrity monitoring determines which files have changed. With this information the damage can be assessed quickly and incident response initiated. Employees or administrators often modify files unintentionally; sometimes these changes are so subtle that they go unnoticed, yet they can lead to security breaches or hinder business operations. File integrity monitoring pinpoints changes to files so that they can be rolled back or other remedial action taken.
  • Log monitoring: the process of gaining real-time visibility into the records generated by a host or device. It extracts characteristic data from the system logs, detects anomalies in them, reports additions, deletions, modifications and queries of the system logs, and detects whether the system logs have been tampered with.
  • the security protection includes the following:
  • the data platform analyzes and processes the equipment information and security information, issues security protection and security hardening instructions, and raises alarms for abnormal terminal equipment; in the method, the real-time management and control module responds to the security information sent by the security situation awareness module, performs security detection, security hardening, file permission management, security audit and other operations, issues the relevant security instructions to the power terminal, and sends the control data to the data storage module, which further uploads it to the data visualization module.
  • Said security visualization includes the following
  • the data platform displays the data sent by the edge IoT agent; in the method, the data visualization module reads the relevant data from the database of the data storage module and displays, in chart form, the terminal type, network information, security vulnerabilities, danger level and so on of the power terminal while it is running.
  • embodiments of the present application may be provided as methods, systems, or computer program products. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment that combines software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
  • computer-usable storage media including, but not limited to, disk storage, CD-ROM, optical storage, etc.

Abstract

The present application belongs to the technical field of power terminal devices. Disclosed are a security protection method and system for a power terminal. Existing protection technology simply performs control and isolation on application services, and cannot really solve the problem of network security of the existing power Internet of Things. In the security protection method for a power terminal in the present application, a zero-trust module is constructed to perform powerful monitoring on a power terminal device, trust scoring needs to be performed on the power terminal device before data collection, and a mode of performing assessment before collection is used, such that physical attacks can be effectively reduced, the accuracy of data collection can be ensured, and lightweight collection of data information of a terminal can be realized. Moreover, a security situation sensing module is constructed to perform situation sensing on collected data, such that the security and compliance of the data are ensured. Furthermore, a real-time management and control module is constructed to manage and control sensed data, and a security instruction is generated to perform security protection on the power terminal device, such that an abnormal situation can be coped with in an efficient and timely manner, so as to perform emergency response.

Description

A power terminal security protection method and system
Technical field
The invention relates to a power terminal security protection method and system, belonging to the technical field of power terminal equipment.
Background art
The business development needs of the new power system have outgrown the original perimeter-style protection system, which emphasised boundaries and strong perimeter defence.
On the terminal side, massive numbers of power IoT terminals are widely connected, which further increases the difficulty of security management and control. For example, distributed wind power and photovoltaic business terminals are located in remote areas, where the physical security of the device itself is hard to guarantee and real-time sensing and handling means are lacking.
On the boundary side, first, direct data collection exposes an unnecessary attack surface and makes it hard to restrict lateral movement between the platform side and the edge side; second, new services interact across major regions frequently and with large data volumes, but cross-region data interaction is currently inefficient: when high-concurrency services such as power trading and high-bandwidth video services such as drones interact across regions, the boundary protection measures become a performance bottleneck for the business.
On the business side, first, some control-related services extend outward and demand for wireless control-related access is strong, which increases risk; second, as services expand, data from each business system converges in the data middle platform and is increasingly opened for external sharing and use, so data security and compliance risks rise sharply; for example, low-voltage distributed generation and user energy storage are connected to distribution station areas on a large scale to take part in coordinated source-grid-load-storage control, and business data is connected to the provincial public data platform.
On the security management and control side, the interaction requirements and complexity of new services have increased, making timely and efficient security emergency response difficult; for example, when a smart terminal is compromised by physical means, its access and communication cannot be restricted immediately, so the security incident spreads.
Furthermore, Chinese patent application CN112511618A discloses an edge IoT agent protection method and a dynamic security trusted system for the power IoT, in the technical field of power IoT security protection. The edge IoT agent protection method classifies terminal application services by trustworthiness into trusted terminal services and ordinary terminal services and applies parallel isolation control to them: trusted terminal services are handled by creating a trusted business domain, and ordinary terminal services by creating an ordinary business domain.
The above solution classifies terminal application services into trusted terminal services and ordinary terminal services and applies parallel isolation control to them, but provides no protective measures for the terminal device itself. Once a terminal device is compromised it may upload false information, or even Trojans and viruses, and there is no way to ensure that the collected information has not been tampered with. Merely controlling and isolating application services therefore cannot truly solve the network security problems of the existing power IoT.
Summary of the invention
In view of the shortcomings of the prior art, the first object of the present invention is to provide a power terminal security protection method that builds a zero-trust module to monitor power terminal devices closely. The zero-trust module collects device information from the power terminal devices, performs trust scoring on the collected device information and gives a trust value, so that abnormal power terminal devices can be identified in time, which prevents power terminal devices from uploading false information, Trojans and viruses and ensures that the collected information is not tampered with. Evaluating before collecting on the one hand allows the terminal's security information to be verified proactively and quickly and terminals to be detected and controlled precisely, reducing physical attacks, and on the other hand ensures the accuracy of data collection and realises lightweight collection of terminal data. At the same time, a security situation awareness module performs situation awareness on the collected data to ensure that the data is secure and compliant, and a real-time management and control module manages and controls the sensed data and generates security instructions to protect and harden the power terminal devices, so that abnormal situations can be handled in a timely and efficient manner with an emergency response that prevents security incidents from spreading.
The second object of the present invention is to provide a power terminal security protection system that deploys zero-trust equipment to monitor power terminal devices closely. The zero-trust equipment collects device information from the power terminal devices, performs trust scoring on the collected device information and gives a trust value, and only then collects data from the power terminal devices that meet the requirements. Evaluating first and collecting afterwards allows abnormal power terminal devices to be identified in time, effectively reduces physical attacks, ensures the accuracy of data collection, prevents power terminal devices from uploading false information, Trojans and viruses, ensures that the collected information is not tampered with, and realises lightweight collection of terminal data. A data platform generates security instructions from the parsed data to protect and harden the power terminal devices, so that abnormal situations can be handled in a timely and efficient manner with an emergency response that prevents security incidents from spreading.
To achieve one of the above objects, the first technical solution of the present invention is:
A power terminal security protection method,
comprising the following steps:
Step 1: build a zero-trust module, collect device information from the power terminal devices, perform trust scoring on the collected device information and give a trust value;
evaluate the power terminal devices according to the trust value and classify them as trusted devices or abnormal devices;
Step 2: collect data from the trusted devices of Step 1 to obtain collected data;
Step 3: build a security situation awareness module and perform situation awareness on the collected data of Step 2;
when the data passes awareness, convert the collected data into sensed data;
the situation awareness includes intrusion detection and/or vulnerability awareness and/or file integrity detection and/or log monitoring;
Step 4: build a real-time management and control module, manage and control the sensed data of Step 3 and generate security instructions;
Step 5: issue the security instructions of Step 4 to the power terminal devices to protect and harden them;
the security protection and hardening include security detection and/or security hardening and/or file permission management and/or security upgrade.
Through continuous exploration and testing, the present invention builds a zero-trust module to monitor power terminal devices closely. The zero-trust module collects device information from the power terminal devices and, at the same time, performs trust scoring on the collected device information and gives a trust value, so that abnormal power terminal devices can be identified in time, preventing them from uploading false information, Trojans and viruses and ensuring that the collected information is not tampered with.
Furthermore, the present invention performs trust scoring on the power terminal devices before data collection, evaluating first and collecting afterwards. Compared with the usual passive authentication mode or direct data collection, this on the one hand ensures the accuracy of data collection and on the other hand allows the terminal's security information to be verified proactively and quickly and terminals to be detected and controlled precisely, which effectively reduces physical attacks and realises lightweight collection of terminal data.
The present invention is therefore applicable to new services with frequent cross-region interaction and large data volumes, and in particular to boundary protection when high-concurrency services such as power trading and high-bandwidth video services such as drones interact across major regions.
At the same time, the present invention builds a security situation awareness module that performs situation awareness on the collected data, applying intrusion detection and/or vulnerability awareness and/or file integrity detection and/or log monitoring to it, to ensure that the data is secure and compliant and to further prevent tampering.
Further, the present invention builds a real-time management and control module that manages and controls the sensed data and generates security instructions to protect and harden the power terminal devices, so that abnormal situations can be handled in a timely and efficient manner with an emergency response. For example, when a power terminal device is compromised by physical means, a security instruction can be issued promptly so that the device immediately restricts its access and communication, preventing the security incident from spreading.
As a preferred technical measure:
in Step 1, the zero-trust module collects device information by reading the device data, reading the rule file, parsing the rule library and collecting the device information;
at the same time, the zero-trust module performs continuous dynamic device authentication of the power terminal devices to block false device information;
the trust value is the authentication indicator and is obtained as a comprehensive score of the device's basic attributes and its access delay;
maintenance of the trust value includes the following:
(1) the maximum trust value is M and the minimum is N, with M>N;
(2) the trust value threshold is H: a device whose trust value is greater than or equal to H is a legitimate user, and one whose trust value is below H is an illegal user;
(3) each successful verification adds T to the trust value;
(4) each failed verification subtracts T from the trust value.
Preferably, M=100, N=0, H=60, T=1.
The trust value comprises a direct trust value, a delay-assessment trust value and an abnormal-behaviour-assessment trust value, computed as follows:
T = T_d + T_t + T_a
where T is the trust value, T_d the direct trust value, T_t the delay-assessment trust value and T_a the abnormal-behaviour-assessment trust value;
the direct trust value is an S-shaped (sigmoid) function, computed as:
[Equation image PCTCN2023070408-appb-000001; not reproduced in the text]
where T_d is the direct trust value and f is the direct-trust constraint coefficient for the respective device;
the delay-assessment trust value and the abnormal-behaviour-assessment trust value together form the indirect trust value;
the delay-assessment trust value is evaluated from the device response time, computed as:
[Equation image PCTCN2023070408-appb-000002; not reproduced in the text]
where T_t is the delay-assessment trust value, τ the maximum allowed device response delay and D the information transmission delay;
the abnormal-behaviour-assessment trust value is evaluated from the ratio of abnormal to normal device behaviour, computed as:
[Equation image PCTCN2023070408-appb-000003; not reproduced in the text]
where T_a is the abnormal-behaviour-assessment trust value, A_u the amount of abnormal behaviour and A_n the amount of normal behaviour.
As a preferred technical measure:
the abnormal situations of the power terminal devices include the following:
(1) a power terminal device is set to upload its device information at a given time on a given day and the upload is delayed; the trust value of the device is computed with the delay-assessment trust value formula, and when it is below the threshold an abnormal-device alarm is issued;
(2) power terminal devices authenticate with a password and every failed verification deducts from the trust value; a device that fails verification repeatedly keeps losing trust, and when its trust value falls below the trust threshold an abnormal-device alarm is issued;
(3) the information interaction time and the interaction content of power terminal devices are fixed; if for a device the interaction time is out of order and the content is inconsistent, the abnormal behaviour is evident; the trust value of the device is computed with the abnormal-behaviour-assessment trust value formula, and when it is below the threshold an abnormal-device alarm is issued;
the device information includes the power terminal's operating system kernel version, operating system release version, CPU name, CPU architecture, number of CPU cores, memory size, storage size, and network interface name, address, status, type and traffic volume.
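The trust maintenance rules (1) to (4) with the preferred values M=100, N=0, H=60, T=1, the composite T = T_d + T_t + T_a and the alarm rule for the abnormal situations above, as an added example that is not the application's own code. The component formulas for T_d, T_t and T_a are not reproduced on the page, so this example takes the three components as already-computed inputs and assumes they are scaled so that their sum lies in [N, M]; the starting trust of a newly enrolled device and the device identifiers are likewise assumptions.

```python
"""Trust-value maintenance for a zero-trust terminal (added example, not the application's code)."""
from dataclasses import dataclass, field

M_MAX = 100        # rule (1): maximum trust value
N_MIN = 0          # rule (1): minimum trust value
H_THRESHOLD = 60   # rule (2): >= H legitimate, < H illegal
T_STEP = 1         # rules (3)/(4): change per verification result


@dataclass
class DeviceTrust:
    device_id: str
    trust: float = M_MAX                    # assumption: a newly enrolled device starts at M
    alarms: list = field(default_factory=list)

    def legitimate(self) -> bool:
        """Rule (2): the device is a legitimate user while trust >= H."""
        return self.trust >= H_THRESHOLD

    def _set(self, value: float, reason: str) -> bool:
        """Clamp the trust value to [N, M] and raise an abnormal-device alarm when it is below H."""
        self.trust = max(N_MIN, min(M_MAX, value))
        if not self.legitimate():
            self.alarms.append(f"{self.device_id}: trust {self.trust:.1f} < {H_THRESHOLD} ({reason})")
        return self.legitimate()

    def verification(self, success: bool) -> bool:
        """Rules (3)/(4): +T on a successful verification, -T on a failed one."""
        delta = T_STEP if success else -T_STEP
        return self._set(self.trust + delta, "verification success" if success else "verification failure")

    def reassess(self, t_d: float, t_t: float, t_a: float) -> bool:
        """T = T_d + T_t + T_a. Assumption: the components are pre-scaled so the sum lies in [N, M];
        the page's formulas for the three components are not reproduced here."""
        return self._set(t_d + t_t + t_a, "reassessment")


def password_failure_scenario(failures: int) -> DeviceTrust:
    """Abnormal situation (2): a device fails password verification `failures` times in a row."""
    dev = DeviceTrust("constructed-meter-001")  # constructed identifier
    for _ in range(failures):
        dev.verification(False)
    return dev


def component_scenario(t_d: float, t_t: float, t_a: float) -> DeviceTrust:
    """Abnormal situations (1)/(3): a low delay or abnormal-behaviour component drags the sum below H."""
    dev = DeviceTrust("constructed-pv-inverter-07")  # constructed identifier
    dev.reassess(t_d, t_t, t_a)
    return dev


if __name__ == "__main__":
    d = password_failure_scenario(41)
    print(d.trust, d.legitimate(), d.alarms)
```

With T=1 and a device starting at the maximum, 40 consecutive failures leave it exactly at the threshold and still legitimate; the 41st pushes it to 59 and raises the first alarm, which is the "continues to be deducted until below the threshold" behaviour of situation (2).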
As a preferred technical measure:
in Step 3, intrusion detection is divided into anomaly detection and misuse detection;
the anomaly detection includes the following:
a model of normal system access behaviour is built, and any visitor behaviour that does not match this model is judged to be an intrusion;
the misuse detection includes the following:
a number of adverse, unacceptable behaviours are summarised into a model, and any visitor behaviour that matches this model is judged to be an intrusion;
the intrusion detection formula is:
Value(I_1, I_2) = [L(I_1, I_2)]^α [C(I_1, I_2)]^β [S(I_1, I_2)]^γ    (1)
[Equation image PCTCN2023070408-appb-000004; not reproduced in the text]
[Equation image PCTCN2023070408-appb-000005; not reproduced in the text]
[Equation image PCTCN2023070408-appb-000006; not reproduced in the text]
where Value(I_1, I_2) expresses the intrusion detection result;
I_1 and I_2 are the normal access and the access under test, respectively;
L(I_1, I_2) is the access speed difference;
C(I_1, I_2) is the access address difference;
S(I_1, I_2) is the accessing device difference;
α is the constraint coefficient that adjusts the weight of the access speed difference, usually 1;
β is the constraint coefficient that adjusts the weight of the access address difference, usually 1;
γ is the constraint coefficient that adjusts the weight of the accessing device difference, usually 1;
a is the constraint coefficient of the access speed attribute difference;
b is the constraint coefficient of the access address attribute difference;
c is the constraint coefficient of the accessing device attribute difference;
usually a is the constant 6.5, b the constant 58.5 and c the constant 29.25;
u_1 and u_2 are the mean speeds of the normal access and of the access under test, respectively;
σ_1 and σ_2 are the address values of the normal access and of the access under test, respectively;
σ_12 is the fixed information value of the accessing device.
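The two intrusion detection modes described above, misuse detection (a model of unacceptable behaviour that a match triggers) and anomaly detection (a model of normal behaviour that a deviation triggers), run over constructed packet-header records and host readings, as an added example that is not the application's own code. The misuse rules, the allowed application ports, the 3σ deviation bound and all sample values are assumptions made for the example; the page's Value(I_1, I_2) formula is not implemented because its L, C and S terms are not reproduced on the page.

```python
"""Misuse and anomaly detection over constructed samples (added example, not the application's code)."""
from statistics import mean, pstdev

# --- misuse detection: behaviours that violate the security policy, over packet-header fields ---
ALLOWED_APP_PORTS = {502, 2404, 443}   # assumption: Modbus/TCP, IEC 60870-5-104 and HTTPS only

MISUSE_RULES = {
    # assumed policy: no cleartext management protocols towards a terminal
    "cleartext-management-protocol": lambda h: h["dst_port"] in (23, 21),
    # assumed policy: only the listed application ports are expected
    "unexpected-application-port": lambda h: h["dst_port"] not in ALLOWED_APP_PORTS,
    # assumed policy: this deployment never legitimately fragments IP traffic
    "fragmented-ip-header": lambda h: h["ip_flags"] == "MF",
}


def misuse_detect(headers: list) -> list:
    """Return (packet_id, rule_name) for every header field set that matches a misuse rule."""
    return [(h["id"], name) for h in headers for name, rule in MISUSE_RULES.items() if rule(h)]


# --- anomaly detection: deviation from a "normal" profile learned from observation ---
class Baseline:
    """Normal profile of one numeric metric: mean and population standard deviation."""

    def __init__(self, readings: list, k: float = 3.0):
        self.mu = mean(readings)
        self.sigma = pstdev(readings)
        self.k = k   # assumption: more than k standard deviations from the mean is a sign of attack

    def is_anomalous(self, value: float) -> bool:
        if self.sigma == 0:                 # a constant metric must match exactly
            return value != self.mu
        return abs(value - self.mu) > self.k * self.sigma


def anomaly_detect(normal_readings: dict, current: dict) -> list:
    """normal_readings: metric -> values observed while the system was known-good;
    current: metric -> latest reading. Returns the metrics whose reading leaves the profile."""
    return [m for m, samples in normal_readings.items() if Baseline(samples).is_anomalous(current[m])]


def checksum_changes(baseline_sums: dict, current_sums: dict) -> list:
    """File checksums are part of the 'normal' condition too: any difference is a deviation."""
    return sorted(p for p in baseline_sums if current_sums.get(p) != baseline_sums[p])


# Constructed sample input (not real traffic or telemetry).
SAMPLE_HEADERS = [
    {"id": 1, "src_ip": "192.0.2.20", "dst_port": 502, "ip_flags": "DF"},
    {"id": 2, "src_ip": "192.0.2.21", "dst_port": 23,  "ip_flags": "DF"},
    {"id": 3, "src_ip": "192.0.2.22", "dst_port": 443, "ip_flags": "MF"},
]
NORMAL_READINGS = {
    "cpu_util": [20, 22, 19, 21, 20, 23, 18, 22],
    "mem_util": [40, 41, 39, 40, 42, 40, 39, 41],
}
CURRENT_READINGS = {"cpu_util": 95, "mem_util": 41}
BASELINE_SUMS = {"/etc/agent.conf": "sha256:aaa", "/usr/bin/agent": "sha256:bbb"}
CURRENT_SUMS = {"/etc/agent.conf": "sha256:aaa", "/usr/bin/agent": "sha256:ccc"}

if __name__ == "__main__":
    print(misuse_detect(SAMPLE_HEADERS))
    print(anomaly_detect(NORMAL_READINGS, CURRENT_READINGS))
    print(checksum_changes(BASELINE_SUMS, CURRENT_SUMS))
```

Packet 2 hits two misuse rules at once, which is the usual case with overlapping signatures; a reporting layer would normally de-duplicate by packet. The anomaly side flags cpu_util at 95 against a profile around 20 while mem_util at 41 stays inside its band, and the checksum comparison is the exact-match special case of the same "compare running values with the defined normal condition" idea.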
As a preferred technical measure:
the vulnerability awareness detects the connection status of the relevant network nodes, computed as:
[Equation image PCTCN2023070408-appb-000007; not reproduced in the text]
where s_ij is the vulnerability value, n_i the connection value of the network node under test, n_j the connection value of the adjacent network node, and λ a variable parameter whose value is chosen according to the terminal type so as to obtain the most suitable network node connection value.
As a preferred technical measure:
the file integrity detection includes the following:
continuously monitoring the files and folders, and the directories specified in its supervision configuration file, to capture changes that have occurred;
monitoring the entire directory structure or individual files and folders for events;
the events include creating, deleting or renaming files, folders and directories; accessing files and folders; changing file and folder attributes; and changing the security settings of files, folders or directories;
the file integrity detection formula is:
[Equation image PCTCN2023070408-appb-000008; not reproduced in the text]
where testing is the integrity detection value, true when the current file is identical to the original file and false otherwise;
true is the true-value judgement function;
false is the false-value judgement function;
newfile is the current file;
oldfile is the original file;
the log monitoring monitors and analyses the important log files of the system in real time to detect the methods by which intruders attack the system;
the attack methods include brute-force attacks, privilege escalation and scanning.
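The log monitoring described above and in the embodiment's log monitoring item earlier on the page, as an added example that is not the application's own code: detections for the three listed attack methods (brute force, privilege escalation, scanning) run over constructed log lines, plus an append-only check that reveals when a previously seen log has been edited or truncated. The log layout, host names, addresses, the admin account set and the detection thresholds are all assumptions made for the example.

```python
"""Log monitoring over constructed log lines (added example, not the application's code)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a simplified syslog-like layout (not real log data).
SAMPLE_LOG = "\n".join([
    "2024-03-02T18:00:01 sshd[1201]: Failed password for root from 192.0.2.45 port 51234",
    "2024-03-02T18:00:04 sshd[1202]: Failed password for root from 192.0.2.45 port 51235",
    "2024-03-02T18:00:08 sshd[1203]: Failed password for admin from 192.0.2.45 port 51236",
    "2024-03-02T18:00:11 sshd[1204]: Failed password for admin from 192.0.2.45 port 51237",
    "2024-03-02T18:00:15 sshd[1205]: Failed password for operator from 192.0.2.45 port 51238",
    "2024-03-02T18:00:40 sshd[1210]: Accepted password for operator from 198.51.100.7 port 40000",
    "2024-03-02T18:01:05 sudo: operator : TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/vi /etc/shadow",
    "2024-03-02T18:01:30 sudo: admin : TTY=pts/1 ; USER=root ; COMMAND=/usr/bin/systemctl restart agent",
] + [f"2024-03-02T18:02:{i:02d} kernel: FW_DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT={p}"
     for i, p in enumerate((21, 22, 23, 80, 443, 502, 2404, 8080, 8443, 9999))]
  + ["2024-03-02T19:00:00 sshd[1300]: Failed password for root from 203.0.113.50 port 1000"]) + "\n"

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"
FAIL_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for \S+ from (\S+) port \d+$")
SUDO_RE = re.compile(r"^(\S+) sudo: (\S+) : .*USER=(\S+) ;")
FW_RE = re.compile(r"^(\S+) kernel: FW_DROP SRC=(\S+) .*DPT=(\d+)$")
ADMIN_USERS = {"admin"}   # assumption: the only accounts allowed to become root


def brute_force_sources(log: str, threshold: int = 5, window_s: int = 60) -> set:
    """Sources with at least `threshold` failed logins inside any `window_s`-second window."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if m:
            times[m.group(2)].append(datetime.strptime(m.group(1), TS_FORMAT))
    flagged = set()
    for src, ts in times.items():
        ts.sort()
        for i, start in enumerate(ts):
            if sum(1 for t in ts[i:] if (t - start).total_seconds() <= window_s) >= threshold:
                flagged.add(src)
                break
    return flagged


def privilege_escalations(log: str) -> list:
    """(user, target) for sudo-to-root by accounts outside the admin set."""
    return [(m.group(2), m.group(3)) for m in map(SUDO_RE.match, log.splitlines())
            if m and m.group(3) == "root" and m.group(2) not in ADMIN_USERS]


def port_scan_sources(log: str, min_ports: int = 8) -> set:
    """Sources whose dropped connections touched at least `min_ports` distinct destination ports."""
    ports = defaultdict(set)
    for line in log.splitlines():
        m = FW_RE.match(line)
        if m:
            ports[m.group(2)].add(int(m.group(3)))
    return {src for src, seen in ports.items() if len(seen) >= min_ports}


def anchor(log: str) -> tuple:
    """Remember (byte length, SHA-256) of the log as last seen by the monitor."""
    data = log.encode()
    return len(data), hashlib.sha256(data).hexdigest()


def tampered(anchor_: tuple, log: str) -> bool:
    """True when the previously seen prefix no longer hashes the same: the log was edited or truncated.
    Legitimate growth only appends, so the old prefix must survive unchanged."""
    length, digest = anchor_
    data = log.encode()
    return len(data) < length or hashlib.sha256(data[:length]).hexdigest() != digest


if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG), privilege_escalations(SAMPLE_LOG), port_scan_sources(SAMPLE_LOG))
```

The anchor is the piece that turns log monitoring into tamper detection: kept off the monitored host and refreshed after each read, it lets the monitor tell the difference between a log that grew and a log in which earlier records were altered or removed.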
As a preferred technical measure:
in Step 5, the security detection uses the sensed data statistically analysed by the security situation awareness module to monitor abnormal behaviour of the power terminals in real time;
the security hardening includes password hardening and kernel virtual patching;
the file permission management includes the following:
continuously monitoring file permissions and detecting abnormal permission changes, that is, using changes in the integrity, structure and permissions of terminal files to discover risk situations in advance and handle them early;
the security upgrade includes the following:
remote upgrade and local upgrade: remote upgrade provides a fast upgrade service through the security monitoring centre and also supports remote deployment of new devices when they come online; local upgrade is performed locally through the power terminal.
As a preferred technical measure:
a data storage module and a data visualization module are also included;
the data storage module builds a database for storing the sensed data and the control data;
the data visualization module obtains data from the data storage module and can display the terminal type, danger level, network type and security vulnerabilities of the power terminal devices.
为实现上述目的之一,本发明的第二种技术方案为:In order to achieve one of the above objects, the second technical solution of the present invention is:
一种电力终端安全防护方法,A power terminal safety protection method,
包括以下步骤:Includes the following steps:
步骤一,构建零信任模块,对电力终端设备的设备信息,进行采集,同时根据采集的设备信息进行信任值评分,给出信任值;Step 1: Build a zero-trust module to collect equipment information of power terminal equipment, and conduct trust value scoring based on the collected equipment information to give a trust value;
当信任值达标时,则信任该电力终端设备,并将该电力终端设备标识为可信任设备;When the trust value reaches the standard, the power terminal equipment is trusted and the power terminal equipment is identified as a trusted device;
当信任值不达标时,则将该电力终端设备标识为异常设备,并进行异常设备报警;When the trust value does not meet the standard, the power terminal equipment will be identified as an abnormal equipment and an abnormal equipment alarm will be issued;
步骤二,对步骤一中的可信用设备进行数据采集,获得采集数据;Step two: collect data from the trusted equipment in step one to obtain the collected data;
步骤三,构建安全态势感知模块,对步骤二中的采集数据进行入侵检测、脆弱性感知、文件完整性检测、日志监控操作,并将采集数据转换为感知数据;Step three: Build a security situation awareness module to perform intrusion detection, vulnerability awareness, file integrity detection, log monitoring operations on the collected data in step two, and convert the collected data into sensing data;
步骤四,构建实时管控模块,对步骤三中的感知数据,进行检测、管控,并生成安全指令;Step 4: Build a real-time management and control module to detect and control the sensing data in step 3, and generate safety instructions;
步骤五,将步骤四的安全指令下发给电力终端设备,对电力终端设备进行安全防护以及安全加固,实现电力终端设备的安全检测、安全加固、文件权限管理、安全升级。Step 5: Issue the security instructions in Step 4 to the power terminal equipment to perform security protection and security reinforcement on the power terminal equipment to achieve security detection, security reinforcement, file permission management, and security upgrade of the power terminal equipment.
The zero-trust module of the present invention collects the device information of the power terminal devices and, based on the collected device information, performs trust scoring and gives a trust value, so that abnormal power terminal devices can be identified in time; this effectively prevents power terminal devices from uploading false information, Trojans and viruses, and ensures that the collected information is not tampered with.
Furthermore, the present invention requires trust scoring of the power terminal devices before data collection. Evaluating first and collecting afterwards effectively reduces physical attacks, ensures the accuracy of data collection, and allows lightweight collection of terminal data. Compared with the usual passive authentication mode, the evaluation method of the present invention proactively and quickly verifies the security information of the terminal and accurately detects and controls the terminal, so it is suitable for new services with frequent cross-region interaction and large data volumes, in particular as a boundary protection measure when high-concurrency services such as power trading and high-bandwidth video services such as drones interact across regions.
At the same time, the present invention builds a security situation awareness module that performs a series of operations on the collected data, such as intrusion detection, vulnerability perception, file integrity detection and log monitoring, and converts the collected data into perception data, ensuring that the data is secure and compliant and further preventing tampering.
Moreover, the present invention builds a real-time management and control module that manages and controls the perception data, generates security instructions, and performs security detection, security reinforcement, file permission management, security upgrades and other operations on the power terminal devices, so that abnormal situations can be handled promptly and efficiently as an emergency response. For example, when a power terminal device is compromised by physical means, a security instruction can be issued at once to make the device immediately restrict its access and communication, preventing the security incident from spreading.
To achieve one of the above objects, the third technical solution of the present invention is:
A power terminal security protection system,
applying the above power terminal security protection method and comprising a zero-trust terminal, a network probe, an edge IoT agent and a data platform;
the zero-trust terminal collects the device information of the power terminal to obtain a device data stream, and performs trust-value scoring based on the device information to give a trust value;
the network probe collects the security information of the power terminal device to obtain a security data stream;
the edge IoT agent reads and parses the device data stream and the security data stream to obtain parsed data, and uploads the parsed data to the data platform;
the data platform processes the parsed data and generates security instructions;
the security instructions are issued to the power terminal device through the edge IoT agent to provide security protection and security reinforcement for it.
Through continuous exploration and testing, the present invention deploys a zero-trust device to monitor the power terminal devices closely. The zero-trust device collects the device information of the power terminal devices and, based on the collected device information, performs trust scoring and gives a trust value, so that abnormal power terminal devices can be identified in time; this effectively prevents power terminal devices from uploading false information, Trojans and viruses, and ensures that the collected information is not tampered with.
Furthermore, the present invention requires trust scoring of the power terminal devices before data collection. Evaluating first and collecting afterwards effectively reduces physical attacks, ensures the accuracy of data collection, and allows lightweight collection of terminal data. Compared with the usual passive authentication mode, the protection system of the present invention proactively and quickly verifies the security information of the terminal and accurately detects and controls the terminal, so it is suitable for new services with frequent cross-region interaction and large data volumes, in particular as a boundary protection measure when high-concurrency services such as power trading and high-bandwidth video services such as drones interact across regions.
Moreover, the present invention provides a data platform that generates security instructions from the parsed data and provides security protection and security reinforcement for the power terminal devices, so that abnormal situations can be handled promptly and efficiently as an emergency response. For example, when a smart terminal is compromised by physical means, a security instruction can be issued at once to make the power terminal device immediately restrict its access and communication, preventing the security incident from spreading.
Compared with the prior art, the present invention has the following beneficial effects:
Through continuous exploration and testing, the present invention builds a zero-trust module to monitor the power terminal devices closely. The zero-trust module collects the device information of the power terminal devices and, based on the collected device information, performs trust scoring and gives a trust value, so that abnormal power terminal devices can be identified in time; this effectively prevents power terminal devices from uploading false information, Trojans and viruses, and ensures that the collected information is not tampered with.
Furthermore, the present invention requires trust scoring of the power terminal devices before data collection. Evaluating first and collecting afterwards effectively reduces physical attacks, ensures the accuracy of data collection, and allows lightweight collection of terminal data. Compared with the usual passive authentication mode, the evaluation method of the present invention proactively and quickly verifies the security information of the terminal and accurately detects and controls the terminal, so it is suitable for new services with frequent cross-region interaction and large data volumes, in particular as a boundary protection measure when high-concurrency services such as power trading and high-bandwidth video services such as drones interact across regions.
At the same time, the present invention builds a security situation awareness module that performs situation awareness on the collected data, carrying out intrusion detection or/and vulnerability perception or/and file integrity detection or/and log monitoring on the collected data, ensuring that the data is secure and compliant and further preventing tampering.
Further, the present invention builds a real-time management and control module that manages and controls the perception data, generates security instructions, and provides security protection and security reinforcement for the power terminal devices, so that abnormal situations can be handled promptly and efficiently as an emergency response. For example, when a smart terminal is compromised by physical means, a security instruction can be issued at once to make the power terminal device immediately restrict its access and communication, preventing the security incident from spreading.
Description of the drawings
Figure 1 is a flow chart of the protection method of the present invention;
Figure 2 is a structural diagram of the protection system of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and are not intended to limit it.
On the contrary, the present invention covers any alternatives, modifications, equivalent methods and schemes within the spirit and scope of the invention as defined by the claims. Furthermore, to give the public a better understanding of the present invention, certain specific details are described exhaustively in the detailed description below; a person skilled in the art can fully understand the present invention without these details.
Unless otherwise defined, all technical and scientific terms used herein have the meaning commonly understood by a person skilled in the technical field to which the present invention belongs. The terms used herein are only for describing specific embodiments and are not intended to limit the present invention. As used herein, the term "or/and" includes any and all combinations of one or more of the associated listed items.
As shown in Figure 1, a specific embodiment of the power terminal security protection method of the present invention:
A power terminal security protection method,
comprising the following steps:
Step one: build a zero-trust module that collects the device information of the power terminal devices and, based on the collected device information, performs trust scoring and gives a trust value;
evaluate the power terminal devices according to the trust value and classify them into trusted devices and abnormal devices;
Step two: collect data from the trusted devices of step one to obtain the collected data;
Step three: build a security situation awareness module that performs situation awareness on the collected data of step two;
when the perception passes, convert the collected data into perception data;
the situation awareness includes intrusion detection or/and vulnerability perception or/and file integrity detection or/and log monitoring operations;
Step four: build a real-time management and control module that manages and controls the perception data of step four and generates security instructions;
Step five: issue the security instructions of step four to the power terminal devices to provide security protection and security reinforcement for them;
the security protection and security reinforcement include security detection or/and security reinforcement or/and file permission management or/and security upgrades.
A preferred embodiment of the power terminal security protection method of the present invention:
A power terminal security protection method,
comprising the following steps:
Step one: build a zero-trust module that collects the device information of the power terminal devices and, based on the collected device information, performs trust-value scoring and gives a trust value;
when the trust value meets the standard, the power terminal device is trusted and is marked as a trusted device;
when the trust value does not meet the standard, the power terminal device is marked as an abnormal device and an abnormal-device alarm is raised;
Step two: collect data from the trusted devices of step one to obtain the collected data;
Step three: build a security situation awareness module that performs intrusion detection, vulnerability perception, file integrity detection and log monitoring on the collected data of step two, and converts the collected data into perception data;
Step four: build a real-time management and control module that detects and controls the perception data of step three and generates security instructions;
Step five: issue the security instructions of step four to the power terminal devices to provide security protection and security reinforcement for them, achieving security detection, security reinforcement, file permission management and security upgrades of the power terminal devices.
As shown in Figure 2, a specific embodiment of the power terminal security protection system of the present invention:
A power terminal security protection system,
applying the above power terminal security protection method and comprising a zero-trust terminal, a network probe, an edge IoT agent and a data platform;
the zero-trust terminal collects the device information of the power terminal to obtain a device data stream, and performs trust-value scoring based on the device information to give a trust value;
the network probe collects the security information of the power terminal device to obtain a security data stream;
the edge IoT agent reads and parses the device data stream and the security data stream to obtain parsed data, and uploads the parsed data to the data platform;
the data platform processes the parsed data and generates security instructions;
the security instructions are issued to the power terminal device through the edge IoT agent to provide security protection and security reinforcement for it.
A specific embodiment applying the present invention:
Taking a power terminal device at a substation as an example, the specific implementation flow of the present invention is demonstrated; it comprises hardware connection, system startup, identity verification, security perception, security protection and security visualization.
The hardware connection comprises the following:
First, connect the zero-trust terminal and the network probe to the power terminal respectively, then connect them to the edge IoT agent device using 485 shielded twisted-pair cable and network cable; the edge IoT agent device is connected to the data platform through a network cable. The zero-trust terminal, network probe, edge IoT agent device and data platform are configured in the same local area network, so that the edge IoT agent device can reach the zero-trust terminal, the network probe and the data platform.
The system startup comprises the following:
Start the zero-trust terminal, network probe, edge IoT agent and data platform respectively; their systems start automatically on power-up. Then enter the preset address and log in to the data platform. The data platform application comprises a front end, a back end, a database and an MQTT broker.
The identity verification comprises the following:
The power terminal device requests identity verification; the zero-trust terminal scores the trust value from the device information, gives a trust value, and takes one of two actions according to the trust threshold: if the trust value meets the standard, the device is trusted and its information can be collected normally; otherwise an abnormal-device alarm is raised.
The trust value is maintained according to the following principles:
(1) The maximum trust value is 100 and the minimum is 0;
(2) The trust-value threshold is 60: a value of 60 or higher denotes a legitimate user, a value below 60 an illegal user;
(3) Each successful verification adds 1 to the trust value;
(4) Each failed verification subtracts 1 from the trust value.
Examples of abnormal device trust values:
(1) A power terminal device is scheduled to upload its device information at 6 pm on Saturday. The upload from one power device is delayed; the delay-assessment trust-value method finds that the device's trust value is below the threshold, so an abnormal-device alarm is raised.
(2) Power devices authenticate by password, and each failed verification deducts from the trust value. One power device fails verification several times, its trust value keeps being deducted and falls below the trust threshold, so an abnormal-device alarm is raised.
(3) Power devices exchange information at fixed times with fixed content. One power device's exchange times are disordered and its exchanged information is confused, showing clearly abnormal behaviour; based on the abnormal-behaviour assessment, its trust value is judged to be below the threshold, so an abnormal-device alarm is raised.
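The maintenance principles (max 100, min 0, threshold 60, ±1 per verification) and the first two abnormal cases above, as an added example that is not part of the patent; the initial trust value, the upload date and the maximum allowed delay are assumptions, and the constant-time password comparison is a defensive choice of this example, not something the page specifies.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Maintenance principles (1)-(4) from the embodiment above.
TRUST_MAX = 100
TRUST_MIN = 0
TRUST_THRESHOLD = 60   # >= 60: legitimate, < 60: illegal
TRUST_STEP = 1         # +1 per successful verification, -1 per failure


@dataclass
class DeviceTrust:
    """Trust ledger for one power terminal device."""
    device_id: str
    trust: int = 70                  # assumed initial value; the page gives none
    alarms: list = field(default_factory=list)

    def is_trusted(self) -> bool:
        return self.trust >= TRUST_THRESHOLD

    def record(self, success: bool, reason: str) -> int:
        """Apply one verification outcome, clamp to [TRUST_MIN, TRUST_MAX], and
        raise an abnormal-device alarm whenever the value is below the threshold."""
        self.trust += TRUST_STEP if success else -TRUST_STEP
        self.trust = max(TRUST_MIN, min(TRUST_MAX, self.trust))
        if not self.is_trusted():
            self.alarms.append(
                f"{self.device_id}: trust {self.trust} < {TRUST_THRESHOLD} ({reason})")
        return self.trust


def check_scheduled_upload(dev: DeviceTrust, scheduled: datetime, received: datetime,
                           max_delay: timedelta) -> bool:
    """Case (1): an upload arriving later than scheduled + max_delay counts as a failed
    verification. max_delay stands in for the maximum allowed delay (value assumed)."""
    on_time = received <= scheduled + max_delay
    dev.record(on_time, "upload on time" if on_time else "upload delay")
    return on_time


def check_password(dev: DeviceTrust, presented: str, expected: str) -> bool:
    """Case (2): password verification; every failure deducts one point.
    Constant-time comparison so the check itself leaks nothing about the secret."""
    ok = hmac.compare_digest(presented.encode(), expected.encode())
    dev.record(ok, "password verification")
    return ok


def run_scenarios() -> dict:
    """Constructed sample run: a punctual device, a late uploader and a device that
    repeatedly fails password verification."""
    scheduled = datetime(2024, 1, 6, 18, 0)   # a Saturday 18:00 as in case (1); date constructed
    max_delay = timedelta(minutes=5)           # assumed maximum allowed delay

    punctual = DeviceTrust("terminal-A")
    check_scheduled_upload(punctual, scheduled, scheduled + timedelta(minutes=2), max_delay)

    late = DeviceTrust("terminal-B", trust=60)  # sits exactly on the threshold
    check_scheduled_upload(late, scheduled, scheduled + timedelta(hours=1), max_delay)

    failing = DeviceTrust("terminal-C", trust=62)
    for attempt in ("wrong-1", "wrong-2", "wrong-3"):
        check_password(failing, attempt, "constructed-secret")

    return {"A": punctual, "B": late, "C": failing}


if __name__ == "__main__":
    for key, dev in run_scenarios().items():
        print(key, dev.trust, "trusted" if dev.is_trusted() else "ALARM", dev.alarms)
```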
The security perception comprises the following:
Among the system components, the zero-trust terminal and the network probe collect the device information and security information of the power terminal and upload them to the edge IoT agent; the edge IoT agent reads and parses the data streams uploaded by the zero-trust terminal and the network probe, and uploads the parsed data to the data platform.
Among the method modules, the security situation awareness module receives the power terminal data, performs intrusion detection, vulnerability perception, file integrity detection, log monitoring and other operations, and sends the data to the real-time management and control module and the data storage module; the data storage module in turn uploads it to the data visualization module.
Intrusion detection: (1) Define the characteristics of events that violate the security policy, such as certain header fields of network packets; detection then mainly checks whether such characteristics appear in the collected data. (2) Define a set of values describing the system's "normal" state, such as CPU utilisation, memory utilisation and file checksums (these values can be defined manually or obtained by observing the system and applying statistical methods), then compare the system's runtime values with the defined "normal" state to determine whether there are signs of attack.
Vulnerability perception: known security vulnerabilities that may exist on the target are checked one by one by simulating attacks; workstations, servers, switches, databases and other objects can all be checked for security vulnerabilities.
File integrity detection: continuously monitors files, folders and the directories specified in its monitoring configuration file and captures changes that have occurred. It can monitor an entire directory tree or individual files and folders for events such as creating, deleting or renaming files, folders and directories; accessing files and folders; changing file and folder attributes; and changing the security settings of files, folders or directories, such as permission changes.
If an intruder attacks, file integrity monitoring can determine which files have been changed; with this information, damage can be assessed quickly and incident response started. Employees or administrators also frequently modify files unintentionally; sometimes these changes are so subtle that they go unnoticed, yet they can cause security vulnerabilities or disrupt business operations. File integrity monitoring helps pinpoint file changes so that files can be rolled back or other remedial measures taken.
Log monitoring: the process of gaining real-time insight into the records generated by a host or device. Characteristic data is extracted from the system logs, anomalies in the logs are detected, create, delete, modify and query operations on the logs are reported, and the logs are checked for tampering.
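The baseline comparison of intrusion-detection method (2) and the file integrity check described above, as an added example that is not the patent's code; the "normal" limits, file paths, contents and permission modes are constructed sample data.

```python
import hashlib

# Assumed "normal" limits for the runtime values the page names (CPU and memory utilisation).
BASELINE_LIMITS = {"cpu_util": 0.80, "mem_util": 0.85}


def snapshot(files: dict) -> dict:
    """Record the SHA-256 checksum and permission mode of each monitored file.
    files maps path -> (content bytes, mode)."""
    return {path: (hashlib.sha256(data).hexdigest(), mode)
            for path, (data, mode) in files.items()}


def diff_files(baseline: dict, current: dict) -> dict:
    """Report the change classes the file-integrity description lists:
    created, deleted, modified content and changed permissions."""
    report = {"created": [], "deleted": [], "modified": [], "permission_changed": []}
    for path in sorted(current.keys() - baseline.keys()):
        report["created"].append(path)
    for path in sorted(baseline.keys() - current.keys()):
        report["deleted"].append(path)
    for path in sorted(baseline.keys() & current.keys()):
        old_hash, old_mode = baseline[path]
        new_hash, new_mode = current[path]
        if old_hash != new_hash:
            report["modified"].append(path)
        if old_mode != new_mode:
            report["permission_changed"].append(path)
    return report


def check_metrics(sample: dict) -> list:
    """Compare runtime values with the defined "normal" limits (method (2))."""
    return [f"{name}={value:.2f} exceeds normal limit {BASELINE_LIMITS[name]:.2f}"
            for name, value in sample.items()
            if name in BASELINE_LIMITS and value > BASELINE_LIMITS[name]]


def assess(baseline: dict, current_files: dict, metrics: dict) -> list:
    """Combine both checks into the findings the awareness module would forward."""
    findings = check_metrics(metrics)
    for kind, paths in diff_files(baseline, snapshot(current_files)).items():
        findings.extend(f"{kind}: {path}" for path in paths)
    return findings


def demo() -> list:
    """Constructed sample: a config file edited and made world-writable, an unknown
    file appearing under /tmp, and a CPU utilisation above the normal limit."""
    baseline_files = {
        "/etc/terminal/agent.conf": (b"mode=normal\n", 0o640),
        "/usr/bin/agentd": (b"\x7fELF...", 0o755),
    }
    current_files = {
        "/etc/terminal/agent.conf": (b"mode=debug\n", 0o666),
        "/usr/bin/agentd": (b"\x7fELF...", 0o755),
        "/tmp/unknown.bin": (b"new content", 0o755),
    }
    return assess(snapshot(baseline_files), current_files,
                  {"cpu_util": 0.93, "mem_util": 0.40})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```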
The security protection comprises the following:
Building on security perception: in the protection system, the data platform analyses and processes the device information and security information, issues security protection and security reinforcement instructions, and raises alarms for abnormal terminal devices. In the method modules, the real-time management and control module, based on the security information received from the security situation awareness module, performs security detection, security reinforcement, file permission management, security audit and other operations, issues the relevant security instructions to the power terminal, and sends the management and control data to the data storage module, which in turn uploads it to the data visualization module.
The security visualization comprises the following:
Building on security protection: in the protection system, the data platform displays the data sent in by the edge IoT agent; in the method modules, the data visualization module reads the relevant data from the data storage module's database and displays, in chart form, the terminal type, network information, security vulnerabilities, danger level and other information of the running power terminal.
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by that processor produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the specific embodiments of the present invention may still be modified or replaced by equivalents, and any modification or equivalent replacement that does not depart from the spirit and scope of the present invention shall fall within the protection scope of the claims of the present invention.

Claims (9)

  1. A power terminal security protection method, characterized in that it
    comprises the following steps:
    Step one: build a zero-trust module that collects the device information of the power terminal devices;
    and performs trust scoring based on the collected device information to give a trust value;
    evaluate the power terminal devices according to the trust value and classify them into trusted devices and abnormal devices;
    the flow by which the zero-trust module collects device information is: read the device data, read the rule file, parse the rule library, collect the device information;
    at the same time, the zero-trust module performs continuous dynamic device identity verification on the power terminal devices to block false device information;
    the trust value is the indicator of identity verification and is obtained as a composite score based on the device's basic attributes and access delay;
    maintenance of the trust value includes the following:
    (1) the maximum trust value is M and the minimum is N, with M > N;
    (2) the trust-value threshold is H: a value of H or higher denotes a legitimate user, a value below H an illegal user;
    (3) each successful verification adds T to the trust value;
    (4) each failed verification subtracts T from the trust value;
    the trust value comprises a direct trust value, a delay-assessment trust value and an abnormal-behaviour-assessment trust value, calculated as follows:
    T = T_d + T_t + T_a
    where T is the trust value, T_d the direct trust value, T_t the delay-assessment trust value and T_a the abnormal-behaviour-assessment trust value;
    the direct trust value is an S-shaped (sigmoid) function, calculated as:
    Figure PCTCN2023070408-appb-100001
    where T_d is the direct trust value and f is the direct-trust-value constraint coefficient for the different devices;
    the delay-assessment trust value and the abnormal-behaviour-assessment trust value together form the indirect trust value;
    the delay-assessment trust value is evaluated from the device response time, calculated as:
    Figure PCTCN2023070408-appb-100002
    where T_t is the delay-assessment trust value, τ is the maximum allowed delay of the device response and D is the information transmission delay;
    the abnormal-behaviour-assessment trust value is evaluated from the proportion of abnormal to normal device behaviour, calculated as:
    Figure PCTCN2023070408-appb-100003
    Figure PCTCN2023070408-appb-100003
    其中T a为异常行为评估信任值,A u为异常行为量,A n为正常行为量。 Among them, T a is the abnormal behavior evaluation trust value, A u is the amount of abnormal behavior, and A n is the amount of normal behavior.
    Step two: collect data from the trusted devices of step one to obtain collected data;
    Step three: build a security situation awareness module and perform situation awareness on the data collected in step two;
    when the awareness result is acceptable, convert the collected data into awareness data;
    the situation awareness comprises intrusion detection and/or vulnerability awareness and/or file integrity detection and/or log monitoring;
    Step four: build a real-time management and control module that manages and controls the awareness data of step three and generates security instructions;
    Step five: issue the security instructions of step four to the power terminal devices to perform security protection and security hardening on them;
    the security protection and security hardening comprise security detection and/or security hardening and/or file permission management and/or security upgrade.
  2. The power terminal security protection method of claim 1, characterized in that
    the abnormal situations of the power terminal device include the following:
    (1) A power terminal device is scheduled to upload its device information at a set time on a set day, and the upload is delayed; the trust value of the device is computed with the delay evaluation trust value formula, and when it falls below the threshold an abnormal device alarm is raised;
    (2) Power terminal devices authenticate with a password, and each failed verification deducts from the trust value; when a device fails verification repeatedly, its trust value keeps being deducted, and when it falls below the trust threshold an abnormal device alarm is raised;
    (3) The information interaction time and the exchanged information of a power terminal device are fixed; when the interaction time of a device becomes erratic and the exchanged information disordered, the abnormal behavior is evident; the trust value of the device is computed with the abnormal behavior evaluation trust value formula, and when it falls below the threshold an abnormal device alarm is raised;
    The device information includes the power terminal's operating system kernel version, operating system release version, CPU name, CPU architecture, CPU core count, memory size, storage size, and network interface name, address, status, type and traffic volume.
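The following Python program is an added worked example of the trust-value maintenance described in claim 1 and the three abnormal situations of claim 2; it is not code from the patent. The claims give the combination T = T_d + T_t + T_a, the bounds N..M, the threshold H and the fixed step per verification result, but the component formulas are figures that are not reproduced on the page. The three component functions (logistic direct trust, linear delay decay against τ, normal-behaviour share for A_u and A_n), the scale factors, the policy constants and the device identifier are therefore assumptions made for the illustration.

```python
# Added worked example: trust-value maintenance for a power terminal.
# The combination T = T_d + T_t + T_a, the bounds N..M, the threshold H and the
# +/- step per verification come from the claims; the three component
# functions are ASSUMED stand-ins, because the claim's formulas are figures
# that are not reproduced on the page.
import math
from dataclasses import dataclass, field


@dataclass
class TrustPolicy:
    M: float = 100.0     # maximum trust value (ASSUMED value)
    N: float = 0.0       # minimum trust value, M > N (ASSUMED value)
    H: float = 60.0      # threshold: >= H trusted, < H abnormal (ASSUMED value)
    step: float = 10.0   # amount added/deducted per verification result (ASSUMED)


def clamp(T: float, policy: TrustPolicy) -> float:
    """Keep the trust value inside [N, M]."""
    return min(policy.M, max(policy.N, T))


def direct_trust(score: float, f: float = 1.0, scale: float = 40.0) -> float:
    """ASSUMED S-shaped direct trust: a logistic curve over a base-attribute
    score (how well kernel/CPU/NIC facts match the registered record),
    scaled by the per-device constraint coefficient f."""
    return scale * f / (1.0 + math.exp(-score))


def delay_trust(D: float, tau: float, scale: float = 30.0) -> float:
    """ASSUMED delay trust: full credit at zero delay, falling linearly to 0
    once the transmission delay D reaches the allowed maximum tau."""
    if tau <= 0:
        raise ValueError("tau must be positive")
    return scale * max(0.0, 1.0 - D / tau)


def behaviour_trust(A_u: int, A_n: int, scale: float = 30.0) -> float:
    """ASSUMED behaviour trust: the share of normal behaviour A_n among all
    observed behaviour A_u + A_n."""
    total = A_u + A_n
    return scale if total == 0 else scale * A_n / total


def combined_trust(score: float, f: float, D: float, tau: float,
                   A_u: int, A_n: int, policy: TrustPolicy) -> float:
    """T = T_d + T_t + T_a, clamped to the policy bounds."""
    T = direct_trust(score, f) + delay_trust(D, tau) + behaviour_trust(A_u, A_n)
    return clamp(T, policy)


def classify(T: float, policy: TrustPolicy) -> str:
    """Threshold rule of the claim: >= H legitimate, < H illegal."""
    return "trusted" if T >= policy.H else "abnormal"


@dataclass
class DeviceTrust:
    """Per-device state for the +/- step rule applied on each verification."""
    device_id: str
    T: float
    policy: TrustPolicy
    alarms: list = field(default_factory=list)

    def on_verification(self, success: bool) -> str:
        delta = self.policy.step if success else -self.policy.step
        self.T = clamp(self.T + delta, self.policy)
        status = classify(self.T, self.policy)
        if status == "abnormal":
            self.alarms.append(f"{self.device_id}: trust {self.T:.1f} below H={self.policy.H}")
        return status


def brute_force_scenario() -> DeviceTrust:
    """Claim 2 case (2): repeated password failures deduct trust until the
    device drops below H and an alarm is raised. Device id is constructed."""
    dev = DeviceTrust("meter-0001", T=80.0, policy=TrustPolicy())
    for _ in range(3):
        dev.on_verification(success=False)
    return dev


if __name__ == "__main__":
    p = TrustPolicy()
    # Claim 2 case (1): delayed upload lowers T_t; case (3): erratic traffic lowers T_a.
    print("on time, normal :", combined_trust(0.0, 1.0, D=0.0, tau=5.0, A_u=0, A_n=10, policy=p))
    print("upload delayed  :", combined_trust(0.0, 1.0, D=5.0, tau=5.0, A_u=0, A_n=10, policy=p))
    print("erratic traffic :", combined_trust(0.0, 1.0, D=0.0, tau=5.0, A_u=8, A_n=2, policy=p))
    d = brute_force_scenario()
    print(d.T, d.alarms)
```

With the assumed scales a device that is on time and well-behaved scores 80 and stays above H, while a fully delayed upload or a traffic mix of eight abnormal to two normal interactions pushes the same device below H; the repeated-failure case crosses H on the third failure, which is when the alarm is recorded.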
  3. The power terminal security protection method of claim 1, characterized in that
    in step three, intrusion detection is divided into anomaly detection and misuse detection;
    the anomaly detection includes the following:
    a model of normal system access behavior is established, and any visitor behavior that does not conform to this model is judged an intrusion;
    the misuse detection includes the following:
    a number of adverse, unacceptable behaviors are summarized into a model, and any visitor behavior that conforms to this model is judged an intrusion;
    the intrusion detection formula is:
    Value(I_1, I_2) = [L(I_1, I_2)]^α · [C(I_1, I_2)]^β · [S(I_1, I_2)]^γ
    Figure PCTCN2023070408-appb-100004
    Figure PCTCN2023070408-appb-100005
    Figure PCTCN2023070408-appb-100006
    where Value(I_1, I_2) expresses the intrusion detection result;
    I_1 and I_2 denote the normal access and the access to be detected respectively;
    L(I_1, I_2) is the access speed difference;
    C(I_1, I_2) is the access address difference;
    S(I_1, I_2) is the access device difference;
    α is the constraint coefficient that adjusts the weight of the access speed difference;
    β is the constraint coefficient that adjusts the weight of the access address difference;
    γ is the constraint coefficient that adjusts the weight of the access device difference;
    a is the constraint coefficient of the access speed attribute difference;
    b is the constraint coefficient of the access address attribute difference;
    c is the constraint coefficient of the access device attribute difference;
    u_1 and u_2 are the mean speeds of the normal access and the access to be detected respectively;
    σ_1 and σ_2 are the address values of the normal access and the access to be detected respectively;
    σ_12 is the fixed information value of the access device.
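The following Python program is an added worked example of claim 3, not code from the patent: it contrasts anomaly detection (a model of normal access I_1; deviation is an intrusion) with misuse detection (a model of unacceptable behavior; a match is an intrusion) and evaluates the weighted product Value(I_1, I_2) = L^α · C^β · S^γ. The definitions of L, C and S are figures not reproduced on the page, so the three similarity measures, each in (0, 1] with 1 meaning no difference, are assumed stand-ins built from the claim's named inputs (u_1, u_2 with a; σ_1, σ_2 with b; σ_12 with c). The decision threshold, the misuse rules, the sample addresses and the device fingerprints are likewise constructed for the illustration.

```python
# Added worked example: anomaly detection versus misuse detection, with the
# claim's weighted product Value(I_1, I_2) = L^alpha * C^beta * S^gamma.
# L, C and S below are ASSUMED similarity forms (the claim's definitions are
# figures not reproduced on the page); 1.0 means no difference from normal.
import ipaddress
import math
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Access:
    speed: float    # observed access rate (requests per second)
    address: int    # source address as an integer
    device: str     # fixed device information, e.g. a hardware fingerprint


@dataclass(frozen=True)
class NormalModel:
    """I_1: the model of normal access learned from history (anomaly detection)."""
    u1: float       # mean speed of normal access
    sigma1: int     # address value of normal access
    sigma12: str    # fixed information of the legitimate device


def build_normal_model(history: list) -> NormalModel:
    return NormalModel(u1=mean(a.speed for a in history),
                       sigma1=history[0].address, sigma12=history[0].device)


def L(model: NormalModel, I2: Access, a: float = 1.0) -> float:
    """ASSUMED speed similarity: exp(-a * relative deviation of u_2 from u_1)."""
    rel = abs(model.u1 - I2.speed) / max(model.u1, 1e-9)
    return math.exp(-a * rel)


def C(model: NormalModel, I2: Access, b: float = 1.0) -> float:
    """ASSUMED address similarity: distance in address space, saturating past one /24."""
    dist = min(1.0, abs(model.sigma1 - I2.address) / 256.0)
    return math.exp(-b * dist)


def S(model: NormalModel, I2: Access, c: float = 1.0) -> float:
    """ASSUMED device similarity: 1 if the fixed information matches, else exp(-c)."""
    return 1.0 if model.sigma12 == I2.device else math.exp(-c)


def value(model, I2, alpha=1.0, beta=1.0, gamma=1.0, a=1.0, b=1.0, c=1.0) -> float:
    """Value(I_1, I_2) = [L]^alpha * [C]^beta * [S]^gamma."""
    return (L(model, I2, a) ** alpha) * (C(model, I2, b) ** beta) * (S(model, I2, c) ** gamma)


def anomaly_intrusion(model, I2, threshold=0.5, **kw) -> bool:
    """Anomaly detection: intrusion when the access does NOT match normal (ASSUMED threshold)."""
    return value(model, I2, **kw) < threshold


# Misuse model: a few summarized unacceptable behaviours (constructed rules).
BLOCKED_ADDRESSES = {int(ipaddress.ip_address("203.0.113.66"))}   # documentation range
FLOOD_RATE = 50.0   # requests per second (ASSUMED)


def misuse_intrusion(I2: Access) -> bool:
    """Misuse detection: intrusion when the access DOES match a known-bad pattern."""
    return (I2.speed > FLOOD_RATE
            or I2.address in BLOCKED_ADDRESSES
            or I2.device.startswith("unknown"))


def demo() -> dict:
    ip = lambda s: int(ipaddress.ip_address(s))
    history = [Access(1.0, ip("10.0.0.1"), "meter-A1"),      # constructed normal history
               Access(1.5, ip("10.0.0.1"), "meter-A1"),
               Access(0.5, ip("10.0.0.1"), "meter-A1")]
    model = build_normal_model(history)
    same = Access(1.0, ip("10.0.0.1"), "meter-A1")
    drift = Access(9.0, ip("192.0.2.5"), "meter-A1")         # far faster, other subnet
    flood = Access(80.0, ip("10.0.0.1"), "meter-A1")          # legitimate device, flooding
    return {
        "value_same": value(model, same),
        "anomaly_same": anomaly_intrusion(model, same),
        "anomaly_drift": anomaly_intrusion(model, drift),
        "misuse_same": misuse_intrusion(same),      # anomaly model alone would pass it
        "misuse_flood": misuse_intrusion(flood),    # only the misuse rule catches this
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14s} {v}")
```

The `flood` case shows why the claim keeps both detectors: it comes from the legitimate device and address, so only the speed term of the anomaly score moves, whereas the misuse rule flags it outright.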
  4. The power terminal security protection method of claim 3, characterized in that
    the vulnerability awareness detects the connection status of the relevant network nodes, calculated as:
    Figure PCTCN2023070408-appb-100007
    where s_ij is the vulnerability value, n_i is the connection value of the network node under detection, n_j is the connection value of the adjacent network node, and λ is a variable parameter chosen according to the terminal type to obtain the most suitable network node connection value.
  5. The power terminal security protection method of claim 4, characterized in that
    the file integrity detection includes the following:
    files, folders and the directories specified in its monitoring configuration file are monitored continuously to capture changes that have occurred;
    events are monitored across an entire directory structure or in individual files and folders;
    the events include creating, deleting or renaming files, folders and directories; accessing files and folders; changing file and folder attributes; and changing the security settings of files, folders or directories;
    the file integrity detection formula is:
    Figure PCTCN2023070408-appb-100008
    where testing is the integrity detection value, true when the current file is identical to the original file and false otherwise;
    true is the truth-value decision function;
    false is the false-value decision function;
    newfile is the current file;
    oldfile is the original file;
    the log monitoring is the real-time monitoring and analysis of the important log files in the system to detect the attack methods used by intruders against the system; the attack methods include brute force attacks, privilege escalation and scanning.
  6. The power terminal security protection method of claim 1, characterized in that
    in step five, security detection performs real-time monitoring of abnormal power terminal behavior on the basis of the awareness data statistically analyzed by the security situation awareness module;
    the security hardening includes password hardening and kernel virtual patching;
    the file permission management includes the following:
    file permissions are monitored continuously and abnormal permission changes are detected, that is, changes in the integrity, structure and permissions of terminal files reveal emerging risks in advance so that they can be handled early;
    the security upgrade includes the following:
    remote upgrade and local upgrade: remote upgrade provides a rapid upgrade service through the security monitoring center and also supports remote deployment of newly onboarded devices; local upgrade is performed locally at the power terminal.
  7. The power terminal security protection method of any one of claims 1 to 6, characterized in that it further comprises a data storage module and a data visualization module;
    the data storage module builds a database for storing the awareness data and the management and control data;
    the data visualization module obtains data from the data storage module and can display the terminal type, risk level, network type and security vulnerabilities of the power terminal devices.
  8. A power terminal security protection method, characterized in that
    it comprises the following steps:
    Step one: build a zero-trust module that collects the device information of the power terminal devices and, from the collected device information, scores and assigns a trust value;
    when the trust value meets the standard, the power terminal device is trusted and marked as a trusted device;
    when the trust value does not meet the standard, the power terminal device is marked as an abnormal device and an abnormal device alarm is raised;
    the zero-trust module collects device information by reading the device data, reading the rule file, parsing the rule library and collecting the device information;
    at the same time, the zero-trust module performs continuous dynamic device identity verification of the power terminal devices to block false device information;
    the trust value is the indicator of identity verification, obtained as a comprehensive score over the device's basic attributes and access delay;
    Maintenance of the trust value includes the following:
    (1) The maximum trust value is M and the minimum is N, with M > N;
    (2) The trust value threshold is H: a device whose trust value is greater than or equal to H is a legitimate user, and one whose trust value is below H is an illegal user;
    (3) Each successful verification increases the trust value by T;
    (4) Each failed verification decreases the trust value by T;
    The trust value comprises a direct trust value, a delay evaluation trust value and an abnormal behavior evaluation trust value, calculated as follows:
    T = T_d + T_t + T_a
    where T is the trust value, T_d is the direct trust value, T_t is the delay evaluation trust value and T_a is the abnormal behavior evaluation trust value;
    The direct trust value is an S-shaped (sigmoid) function, calculated as:
    Figure PCTCN2023070408-appb-100009
    where T_d is the direct trust value and f is the direct trust value constraint coefficient for different devices;
    The delay evaluation trust value and the abnormal behavior evaluation trust value together form the indirect trust value;
    The delay evaluation trust value is evaluated from the device response time, calculated as:
    Figure PCTCN2023070408-appb-100010
    where T_t is the delay evaluation trust value, τ is the maximum allowed device response delay and D is the information transmission delay;
    The abnormal behavior evaluation trust value is evaluated from the ratio of abnormal to normal device behavior, calculated as:
    Figure PCTCN2023070408-appb-100011
    where T_a is the abnormal behavior evaluation trust value, A_u is the amount of abnormal behavior and A_n is the amount of normal behavior.
    Step two: collect data from the trusted devices of step one to obtain collected data;
    Step three: build a security situation awareness module that performs intrusion detection, vulnerability awareness, file integrity detection and log monitoring on the data collected in step two and converts the collected data into awareness data;
    Step four: build a real-time management and control module that detects, manages and controls the awareness data of step three and generates security instructions;
    Step five: issue the security instructions of step four to the power terminal devices to perform security protection and security hardening on them, realizing security detection, security hardening, file permission management and security upgrade of the power terminal devices.
    Security detection performs real-time monitoring of abnormal power terminal behavior on the basis of the awareness data statistically analyzed by the security situation awareness module;
    the security hardening includes password hardening and kernel virtual patching;
    the file permission management includes the following:
    file permissions are monitored continuously and abnormal permission changes are detected, that is, changes in the integrity, structure and permissions of terminal files reveal emerging risks in advance so that they can be handled early;
    the security upgrade includes the following:
    remote upgrade and local upgrade: remote upgrade provides a rapid upgrade service through the security monitoring center and also supports remote deployment of newly onboarded devices; local upgrade is performed locally at the power terminal.
  9. A power terminal security protection system, characterized in that
    it applies the power terminal security protection method of any one of claims 1 to 8 and comprises a zero-trust terminal, a network probe, an edge IoT agent and a data platform;
    the zero-trust terminal collects the device information of the power terminals to obtain a device data stream, and scores and assigns a trust value from the device information;
    the network probe collects the security information of the power terminal devices to obtain a security data stream;
    the edge IoT agent reads and parses the device data stream and the security data stream to obtain parsed data, and uploads the parsed data to the data platform;
    the data platform processes the parsed data and generates security instructions;
    the security instructions are issued to the power terminal devices through the edge IoT agent to perform security protection and security hardening on them.
PCT/CN2023/070408 2022-05-07 2023-01-04 Security protection method and system for power terminal WO2023216641A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210491285.8 2022-05-07
CN202210491285.8A CN114584405B (en) 2022-05-07 2022-05-07 Electric power terminal safety protection method and system

Publications (1)

Publication Number Publication Date
WO2023216641A1 true WO2023216641A1 (en) 2023-11-16

Family

ID=81767795

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/070408 WO2023216641A1 (en) 2022-05-07 2023-01-04 Security protection method and system for power terminal

Country Status (2)

Country Link
CN (1) CN114584405B (en)
WO (1) WO2023216641A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117640258A (en) * 2024-01-25 2024-03-01 远江盛邦(北京)网络安全科技股份有限公司 Protection method, device, equipment and storage medium for network asset mapping
CN117692257A (en) * 2024-02-02 2024-03-12 数盾信息科技股份有限公司 High-speed encryption method and device for service data of electric power Internet of things
CN117792798B (en) * 2024-02-27 2024-05-14 常州银杉信息技术有限公司 Instant messaging information interaction system and method

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114584405B (en) * 2022-05-07 2022-08-02 国网浙江省电力有限公司电力科学研究院 Electric power terminal safety protection method and system
CN115426200B (en) * 2022-11-03 2023-03-03 北京数盾信息科技有限公司 Data acquisition processing method and system
CN115987579B (en) * 2022-12-07 2023-09-15 南京鼎山信息科技有限公司 Data processing method and data processing system based on big data and Internet of things communication
CN116545890A (en) * 2023-04-26 2023-08-04 苏州维格纳信息科技有限公司 Information transmission management system based on block chain
CN117354343B (en) * 2023-10-10 2024-04-16 国网河南省电力公司濮阳供电公司 Intelligent information safety communication system and method for power grid power
CN117235326A (en) * 2023-11-16 2023-12-15 国网山东省电力公司泰安供电公司 Visual display system of district equipment based on district portrait

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015171580A1 (en) * 2014-05-09 2015-11-12 Veritaseum, Inc. Devices, systems, and methods for facilitating low trust and zero trust value transfers
CN112118102A (en) * 2020-10-21 2020-12-22 国网天津市电力公司 Dedicated zero trust network system of electric power
CN113542291A (en) * 2021-07-21 2021-10-22 国网浙江省电力有限公司电力科学研究院 Internet of things security access control strategy
CN114584405A (en) * 2022-05-07 2022-06-03 国网浙江省电力有限公司电力科学研究院 Electric power terminal safety protection method and system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100251370A1 (en) * 2009-03-26 2010-09-30 Inventec Corporation Network intrusion detection system
CN106296359A (en) * 2016-08-13 2017-01-04 深圳市樊溪电子有限公司 Credible electric power networks transaction platform based on block chain technology
US11411958B2 (en) * 2019-01-18 2022-08-09 Cisco Technology, Inc. Machine learning-based application posture for zero trust networking
CN112511618B (en) * 2020-11-25 2023-03-24 全球能源互联网研究院有限公司 Edge Internet of things agent protection method and power Internet of things dynamic security trusted system
CN112596984B (en) * 2020-12-30 2023-07-21 国家电网有限公司大数据中心 Data security situation awareness system in business weak isolation environment
CN113901499A (en) * 2021-10-18 2022-01-07 北京八分量信息科技有限公司 Zero-trust access authority control system and method based on trusted computing

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015171580A1 (en) * 2014-05-09 2015-11-12 Veritaseum, Inc. Devices, systems, and methods for facilitating low trust and zero trust value transfers
CN112118102A (en) * 2020-10-21 2020-12-22 国网天津市电力公司 Dedicated zero trust network system of electric power
CN113542291A (en) * 2021-07-21 2021-10-22 国网浙江省电力有限公司电力科学研究院 Internet of things security access control strategy
CN114584405A (en) * 2022-05-07 2022-06-03 国网浙江省电力有限公司电力科学研究院 Electric power terminal safety protection method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
JINGYU FENG, YU TINGTING; WANG ZIYING; ZHANG WENBO; HAN GANG: "An Edge Zero-Trust Model Against Compromised Terminals Threats in Power IoT Environments", JOURNAL OF COMPUTER RESEARCH AND DEVELOPMENT, vol. 59, no. 5, 10 February 2022 (2022-02-10), pages 1120 - 1132, XP093106787 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117640258A (en) * 2024-01-25 2024-03-01 远江盛邦(北京)网络安全科技股份有限公司 Protection method, device, equipment and storage medium for network asset mapping
CN117640258B (en) * 2024-01-25 2024-04-26 远江盛邦(北京)网络安全科技股份有限公司 Protection method, device, equipment and storage medium for network asset mapping
CN117692257A (en) * 2024-02-02 2024-03-12 数盾信息科技股份有限公司 High-speed encryption method and device for service data of electric power Internet of things
CN117692257B (en) * 2024-02-02 2024-04-30 数盾信息科技股份有限公司 High-speed encryption method and device for service data of electric power Internet of things
CN117792798B (en) * 2024-02-27 2024-05-14 常州银杉信息技术有限公司 Instant messaging information interaction system and method

Also Published As

Publication number Publication date
CN114584405B (en) 2022-08-02
CN114584405A (en) 2022-06-03

Similar Documents

Publication Publication Date Title
WO2023216641A1 (en) Security protection method and system for power terminal
US20210273957A1 (en) Cyber security for software-as-a-service factoring risk
US20210360027A1 (en) Cyber Security for Instant Messaging Across Platforms
EP3641225B1 (en) Policy-driven compliance
US11228612B2 (en) Identifying cyber adversary behavior
US10140453B1 (en) Vulnerability management using taxonomy-based normalization
CA2526759C (en) Event monitoring and management
CN104662517B (en) Security Vulnerability Detection
US20070050777A1 (en) Duration of alerts and scanning of large data stores
EP3465515A1 (en) Classifying transactions at network accessible storage
EP1894443A2 (en) Duration of alerts and scanning of large data stores
Mishra et al. Efficient approaches for intrusion detection in cloud environment
CN116074075A (en) Security event association behavior analysis method, system and equipment based on association rule
CN203206283U (en) IDC information monitor system based on data transparent scan
Shao Design and implementation of network security management system based on K-means algorithm
RU2799117C1 (en) Method and system for preventing unauthorized access to corporate network objects
KR20200054495A (en) Method for security operation service and apparatus therefor
CN113949578B (en) Automatic detection method and device for unauthorized loopholes based on flow and computer equipment
Xu et al. Development of computer network security management technology based on artificial intelligence under big data
Yang et al. Design Issues of Trustworthy Cloud Platform Based on IP Monitoring and File Risk
CN113193977A (en) Safe and trusted system based on block chain technology
CN117424766A (en) Threat behavior detection system and method based on trusted measurement
CN114826783A (en) Big data based prediction method and system
EA044131B1 (en) METHOD AND SYSTEM FOR PREVENTING UNAUTHORIZED ACCESS TO CORPORATE NETWORK OBJECTS
CN117879970A (en) Network security protection method and system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23802418

Country of ref document: EP

Kind code of ref document: A1