CN103607291A - Alarm analysis merging method for power secondary system intranet security monitoring platform - Google Patents


Info

Publication number: CN103607291A
Authority: CN (China)
Prior art keywords: alarm, alarm data, binary tree, balanced binary, data
Legal status: Pending
Application number: CN201310512995.5A
Other languages: Chinese (zh)
Inventors: 高明慧, 梁野, 卢楷, 张志军, 崔亮亮, 何纪成, 高航, 高英健
Current assignee: Beijing Kedong Electric Power Control System Co Ltd
Original assignee: Beijing Kedong Electric Power Control System Co Ltd
Priority date: 2013-10-25
Filing date: 2013-10-25
Publication date: 2014-02-26

Abstract

The invention discloses an alarm analysis merging method for a power secondary system intranet security monitoring platform. The method comprises the steps of constructing a balanced binary tree containing alarm data; receiving original alarm data; deciding, according to the legitimacy of the alarm data, whether to add it to a legitimate alarm queue, and deciding, according to the source IP range of the alarm data, whether to add it to an alarm queue within the monitoring range; classifying the alarm queues according to alarm equipment type and calculating alarm feature values for the classified alarm queues; matching the alarm feature values in the balanced binary tree and updating the tree; and storing the alarm data corresponding to the balanced binary tree. With this method the storage efficiency of alarm data is improved, and at the same time the database load on the power secondary system intranet security monitoring platform is reduced.

Description

Alarm analysis merging method for power secondary system intranet security monitoring platform
Technical field
The present invention relates to a method for processing alarm data, and in particular to an alarm analysis merging method for a power secondary system intranet security monitoring platform; it belongs to the field of network security technology.
Background technology
The power secondary system consists of the grid operation monitoring systems at each level, the dispatching data network, the power data communication network and the related information systems. With the wide use of computer networking technology, the level of power dispatching automation improves day by day, and the extensive use of remote control poses new and severe challenges to the safety and reliability of the internal network of the power system. To guard against attacks on the computer supervisory control systems of the grid and of power plants and on the dispatching data network, to avoid the power system accidents such attacks could cause, and to ensure the safe and stable operation of the power system, a security protection system for these computer supervisory control systems and for the dispatching data network must be established and improved.
The power secondary system intranet security monitoring platform (intranet security monitoring platform for short) is mainly used for security event supervision, security event analysis, statistical reporting and asset management of the internal network of the power secondary system, and is an important technical guarantee for the safe and stable operation of the power secondary system. However, in existing intranet security monitoring platforms alarm events are mostly isolated pieces of information without correlation; to the user they are numerous and disordered, which makes it hard to grasp alarm events in real time and to understand the overall security state of the power secondary system. At the same time, existing platforms mainly implement alarm data collection and do not perform secondary analysis of the mass of alarm data. The result is a large number of on-site alarms with weak correlation, which not only fails to reflect the security risk level of the power secondary system but also leaves on-site users exhausted by handling all kinds of alarm events, seriously affecting the task performance of the intranet security monitoring platform.
Chinese patent application CN101222725A discloses a method that uses alarm merging to reduce the number of alarms on a northbound interface. The element management system (EMS) reports alarms and alarm clearances to the network management system (NMS) through the northbound interface; alarm merging rules and rules for judging identical alarms are pre-configured. When the EMS receives several identical alarms that match the same merging rule, it reports only the first alarm to occur (the main alarm) and does not report the remaining identical alarms (the subordinate alarms). When the EMS receives the alarm clearances corresponding to several identical alarms that match the same merging rule, it reports only the clearance corresponding to the main alarm and not the clearances corresponding to the subordinate alarms. This scheme reduces the number of alarms that need to be reported, effectively lightens the burden on the alarm system and eases the management and maintenance work of technical staff.
Summary of the invention
In view of the deficiencies of the prior art, the technical problem solved by the present invention is to provide an alarm analysis merging method for a power secondary system intranet security monitoring platform. With this method the warehousing (database storage) efficiency of alarm data can be effectively improved.
To achieve the above object, the present invention adopts the following technical scheme:
An alarm analysis merging method for a power secondary system intranet security monitoring platform, comprising the steps of:
constructing a balanced binary tree containing alarm data;
receiving original alarm data;
determining, according to the legitimacy of the alarm data, whether to add it to the legitimate alarm queue, and determining, according to the source IP range of the alarm data, whether to add it to the alarm queue within the monitoring range;
classifying the alarm queue according to alarm equipment type and calculating an alarm feature value for the classified alarm queue;
matching the alarm feature value in the balanced binary tree and updating the balanced binary tree;
storing the alarm data corresponding to the balanced binary tree.
Preferably, the step of constructing a balanced binary tree containing alarm data further comprises:
building an empty balanced binary tree;
obtaining the stored alarm data from the alarm information table and calculating the alarm feature value of each record one by one;
inserting the alarm feature values into the empty balanced binary tree to build the balanced binary tree containing alarm data.
Preferably, in the process of receiving original alarm data, the LAN security monitoring unit sends alarm data to the power secondary system intranet security monitoring platform through a host security monitoring agent and a host security monitoring management center.
Preferably, after the host security monitoring management center receives alarm data, it forwards the alarm data sent by the host security monitoring agent to the security alarm service of the dispatching automation system base platform for processing, and sends this alarm data to the power secondary system intranet security monitoring platform.
Preferably, the legitimacy check of the alarm data comprises checking whether the content format of the received alarm data conforms to the Syslog format and whether the alarm content conforms to the standard format.
Preferably, the legitimacy of the source IP range of the alarm data is judged according to whether the source IP of the alarm data lies within the monitoring range of the power secondary system intranet security monitoring platform.
Preferably, the step of calculating the alarm feature value further comprises:
removing the alarm time from the alarm data;
removing the spaces in the alarm data;
calculating the MD5 value and simplifying the result.
Preferably, the step of updating the balanced binary tree further comprises:
comparing the alarm feature value with the balanced binary tree and searching for a node holding that alarm feature value;
if no such node exists, inserting the node into the balanced binary tree and the alarm information table;
if it exists, updating the alarm count and the alarm end time of that node in the balanced binary tree.
On the one hand, the alarm analysis merging method provided by the present invention adds an alarm source part to the alarm data, which helps the user locate the true source of an alarm (region, node, service and similar information). On the other hand, database operations are performed only for new alarm data; existing alarm data is maintained by the balanced binary tree in memory and periodically synchronised with the background database. In this way the warehousing efficiency of alarm data is improved, and at the same time the database load of the intranet security monitoring platform is reduced.
Brief description of the drawings
Fig. 1 is a schematic diagram of the overall structure of a network operation monitoring system for a power system;
Fig. 2 is a schematic diagram of the overall flow of the alarm analysis merging method;
Fig. 3 is a flow chart of the intranet security monitoring platform building the balanced binary tree;
Fig. 4 is a flow chart of the case in which the matched alarm feature value already exists in the tree.
Embodiments
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1 is a schematic diagram of the overall structure of a network operation monitoring system for a power system. According to the operating characteristics of the power system, this network operation monitoring system is divided into two levels: provincial control centers and regional dispatch centers. Each level of control center contains the intranet security monitoring platform, the wide area network (WAN) security monitoring unit and the local area network (LAN) security monitoring unit of that level. The WAN security monitoring unit and the LAN security monitoring unit transmit alarm data in real time to the intranet security monitoring platform of their level, and a subordinate intranet security monitoring platform periodically sends monitoring data to the superior intranet security monitoring platform.
The WAN security monitoring unit mainly monitors in real time the operating status and abnormal access of the power-specific security devices deployed at the horizontal and longitudinal boundaries and of the general-purpose security devices. Through the WAN log collection module it captures important alarm data such as abnormal access and illegal external connections present in the network, and it uses the dispatching data network to implement cascaded communication between the log collection module of a subordinate control center and the intranet security monitoring platform of the superior control center.
The LAN security monitoring unit monitors the key equipment and system operation inside the dispatching automation system. It obtains the running state of the supporting system in real time through operating system interfaces; when an abnormality, illegal operation or external connection occurs in the system, it reports alarm data according to predefined rules, through the LAN log collection module, to the intranet security monitoring platform of the same level, where the user performs overall statistical analysis and integrated management.
Building the intranet security monitoring platform described above helps the power secondary system security protection system evolve from border protection to defense in depth, solves the problem of centrally collecting and uniformly managing the logs of the key security devices and servers of the dispatching automation system, and provides real-time alarms and operating-state monitoring for security devices, giving the dispatching automation system a comprehensive security foundation. It is significant for grasping latent security hazards in the power secondary system in time, taking effective measures to stop malicious attack behaviour, and ensuring the secure, reliable and stable operation of the power grid.
When faced with a large volume of alarm events, the intranet security monitoring platform puts great pressure on its internal database operations, and alarm data is easily lost, which makes it hard for the user to locate the true source of an alarm event. To solve this problem at its root, the present invention proposes an alarm analysis merging method for a power secondary system intranet security monitoring platform comprising the steps of: constructing a balanced binary tree containing alarm data; receiving original alarm data; determining, according to the legitimacy of the alarm data, whether to add it to the legitimate alarm queue, and determining, according to its source IP range, whether to add it to the alarm queue within the monitoring range; classifying the alarm queue according to alarm equipment type and calculating an alarm feature value for the classified alarm queue; matching the alarm feature value in the balanced binary tree and updating the balanced binary tree; and storing the alarm data corresponding to the balanced binary tree. The concrete steps of this method are described in detail below with reference to Fig. 2.
First, the step of constructing the balanced binary tree containing alarm data.
The security device alarm data of the power secondary system is stored in real time in the database of the intranet security monitoring platform, in an alarm information table (real-time alarm table). As shown in Fig. 3, after the intranet security monitoring platform starts it builds an empty balanced binary tree, obtains the stored alarm data from the alarm information table and calculates the alarm feature value of each record one by one, and inserts these alarm feature values into the empty tree, thereby constructing the balanced binary tree containing alarm data.
Second, the step of receiving original alarm data.
The intranet security monitoring platform is responsible for collecting the original alarm data sent by the WAN security monitoring unit and the LAN security monitoring unit. Specifically, the platform mainly uses Syslog to collect the log information of security devices and derives security device alarm information from the Syslog messages. Power-system-specific security devices (such as horizontal isolation devices and longitudinal encryption and authentication devices) have their logs collected directly via Syslog; for general-purpose security devices (such as firewalls, intrusion detection systems and anti-virus systems) an agent converts the logs to the power system standard format before they are collected. The key equipment and applications inside the dispatching automation system likewise have their logs converted to the power system standard format by an agent and sent to the intranet security monitoring platform. The platform uses the User Datagram Protocol (UDP) as its underlying transport mechanism: Syslog messages are sent to the intranet security monitoring platform in standard UDP datagrams.
The WAN security monitoring unit monitors the security devices of the power secondary system (both power-specific security devices and general-purpose security devices) and collects in real time, through the WAN log collection module, important alarm data such as abnormal access and illegal external connections present in the network.
The LAN security monitoring unit monitors the security state of the hosts inside the dispatching automation system and sends an alarm to the intranet security monitoring platform when a host experiences an abnormality, an illegal operation or an illegal external connection. In one embodiment of the invention it sends alarm data to the power secondary system intranet security monitoring platform mainly through a host security monitoring agent (Agent) and a host security monitoring management center. The specific work of the host security monitoring agent is as follows: monitor the host's system resources, such as the operating state of CPU, memory and hard disk, and raise an alarm when the system load exceeds a predefined threshold; monitor the host's external interfaces (USB, serial and parallel ports) and, according to the agent's configuration file, raise an alarm when an external device that does not meet the security policy is connected; monitor the host's network interfaces and, when unauthorized access or an external connection occurs, send an alarm in Syslog format to the host security monitoring management center; monitor the host's critical processes and raise an alarm when a process exits illegally or behaves abnormally. When the host security monitoring management center receives alarm data, it uses the security alarm service of the dispatching automation system base platform: the alarm data sent by the agent is forwarded to the base platform's security alarm service for processing, and the alarm data is sent on to the intranet security monitoring platform. The host security monitoring management center has authority to modify the configuration file of the host security monitoring agent and, following the principle of "unified planning, hierarchical management", implements cascaded communication between the intranet security monitoring platforms of the upper and lower level control centers. According to a pre-established management policy, the subordinate intranet security monitoring platform actively reports alarm data to the superior intranet security monitoring platform.
Third, the step of adding alarm data to the legitimate alarm queue.
After receiving alarm data, the intranet security monitoring platform first validates it and determines, according to its legitimacy, whether to add it to the legitimate alarm queue: illegitimate alarm data is discarded, and legitimate alarm data is added to the legitimate alarm queue. The legitimacy check here mainly verifies whether the content format of the received alarm data is standard Syslog format and whether the alarm content conforms to the standard format.
The legitimacy check is illustrated below with the Syslog alarm message "<3>2006-03-12 20:12:23 fw01 FW 01 admin 10.1.1.1" as an example:
Step 1: check that the message size is not less than 32 bytes;
Step 2: judge whether the message begins with <>;
Step 3: check whether the content after '>' is a time;
Step 4: check whether the device type (for example FW) is defined in the log standard;
Step 5: check whether the log type and the log subtype are legal.
A message that does not pass the above steps is regarded as invalid data and is recorded in a log for audit use.
The power secondary system security monitoring log is formally defined as: "<device type><space><device name><space><alarm time><space><alarm level><space><content description>". Such logs are divided mainly into alarm logs and audit logs. Alarm logs are of the emergency and critical levels and are generally used for real-time alarms on major security incidents in the power secondary system; audit logs are of the minor and notice levels and are generally used for after-the-fact statistical analysis of the operating state of the power secondary system.
Fourth, the step of adding alarm data to the alarm queue within the monitoring range.
After the legitimacy of the alarm data has been verified, the source IP range of the alarm data is validated, and it is determined according to the legitimacy of the source IP range whether to add the alarm data to the alarm queue within the monitoring range: alarm data whose source IP range is illegitimate is discarded, and alarm data whose source IP range is legitimate is added to the queue. The validity of the source IP range is judged mainly by whether the source IP lies within the monitoring range of the intranet security monitoring platform. Because the alarm data received by the platform are UDP datagrams carrying standard Syslog messages, and the datagram header carries the IP address of the sender, that address is the source IP of the security protection device that produced the alarm. The source IP can therefore be determined from the datagram header, and the alarm source further identified from it.
Fifth, the step of classifying the alarm queue according to alarm equipment type.
After validating the source IP range of the alarm data, the platform divides the alarm data into several alarm queues according to alarm equipment type, for example a longitudinal queue, a firewall queue, an IDS queue, an anti-virus queue, a forward queue, a reverse queue, a server queue and a platform queue.
The division of alarm data into alarm queues is described below using one of the verified Syslog alarm messages as an example.
In the alarm message "<3>2006-03-12 20:12:23 fw01 FW 01 admin 10.1.1.1", fw01 is the security device name (the device IP address may also be used instead), and the device type is FW, which denotes a firewall. The device type describing the alarm source is an alphanumeric string of at most 32 characters.
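The five legitimacy checks, the source IP range check and the classification into per-device-type queues described above, as an added Python example that is not part of the patent. It assumes the field order of the worked message (device name, then device type, then a two-digit log type/subtype code), a set of device-type codes and queue names of which only FW appears on the page, and a monitored address range supplied by the caller.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Queue per device type, following the queue list in the description. Only the
# code FW (firewall) appears on the page; the other codes are assumptions.
DEVICE_QUEUES = {
    "VEAD": "longitudinal",  # assumed code for the longitudinal encryption device
    "FW": "firewall",
    "IDS": "ids",
    "AV": "antivirus",
    "FWD": "forward",        # assumed code for the forward isolation device
    "REV": "reverse",        # assumed code for the reverse isolation device
    "SRV": "server",
    "PLT": "platform",
}
# Assumed meaning of the two-digit field after the device type ("01" in the
# page's sample): first digit = log type (0 alarm, 1 audit), second = subtype.
VALID_LOG_TYPES = {"0", "1"}
VALID_SUBTYPES = {"0", "1", "2", "3"}
MIN_MESSAGE_BYTES = 32
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Alarm:
    priority: int
    alarm_time: datetime
    device_name: str
    device_type: str
    log_type: str
    log_subtype: str
    content: str
    raw: str


def validate(raw: str) -> tuple[Optional[Alarm], str]:
    """Apply the five legitimacy checks; return (alarm, "") or (None, reason)."""
    # Step 1: the message must not be shorter than 32 bytes.
    if len(raw.encode("utf-8")) < MIN_MESSAGE_BYTES:
        return None, "message shorter than 32 bytes"
    # Step 2: the message must begin with a <PRI> field.
    head, sep, rest = raw.partition(">")
    if not sep or not head.startswith("<") or not head[1:].isdigit():
        return None, "message does not begin with <PRI>"
    # Step 3: the text right after '>' must be a time.
    rest = rest.lstrip()
    try:
        alarm_time = datetime.strptime(rest[:19], TIME_FORMAT)
    except ValueError:
        return None, "field after '>' is not a time"
    fields = rest[19:].split(maxsplit=3)
    if len(fields) < 4:
        return None, "too few fields after the time"
    device_name, device_type, code, content = fields
    # Step 4: the device type must be defined in the log standard.
    if device_type not in DEVICE_QUEUES:
        return None, f"device type {device_type!r} not in log standard"
    # Step 5: log type and log subtype must both be legal.
    if len(code) != 2 or code[0] not in VALID_LOG_TYPES or code[1] not in VALID_SUBTYPES:
        return None, f"illegal log type/subtype {code!r}"
    alarm = Alarm(int(head[1:]), alarm_time, device_name, device_type,
                  code[0], code[1], content, raw)
    return alarm, ""


def in_monitoring_range(source_ip: str, monitored: list[str]) -> bool:
    """The source IP is the sender address of the UDP datagram, not message text."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net) for net in monitored)


def enqueue(raw: str, source_ip: str, monitored: list[str],
            queues: dict[str, list[Alarm]], audit_log: list[tuple[str, str]]) -> Optional[str]:
    """Steps 3 to 5 of the method: validate, check the source range, classify.
    Returns the queue name, or None when the message was dropped and audited."""
    alarm, reason = validate(raw)
    if alarm is None:
        audit_log.append((raw, reason))
        return None
    if not in_monitoring_range(source_ip, monitored):
        audit_log.append((raw, f"source {source_ip} outside monitoring range"))
        return None
    queue = DEVICE_QUEUES[alarm.device_type]
    queues.setdefault(queue, []).append(alarm)
    return queue


# Constructed sample in the same shape as the message in the description.
SAMPLE = "<3>2006-03-12 20:12:23 fw01 FW 01 admin 10.1.1.1"

if __name__ == "__main__":
    queues, audit = {}, []
    print(enqueue(SAMPLE, "10.1.1.1", ["10.1.0.0/16"], queues, audit))  # firewall
    print(enqueue(SAMPLE, "192.0.2.9", ["10.1.0.0/16"], queues, audit))  # None
    print(audit)
```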
Sixth, the step of calculating the alarm feature value of the classified alarm queue.
The intranet security monitoring platform reads the classified alarm queues, takes the currently transmitted alarm data from them and calculates the corresponding alarm feature value with a feature value extraction algorithm, for example the MD5 algorithm.
MD5 is a hash function widely used in the field of computer security for protecting the integrity of information; the details of the algorithm are given in RFC 1321 (R. Rivest, MIT Laboratory for Computer Science and RSA Data Security Inc., April 1992). MD5 generates a unique "digital fingerprint" for any file or content regardless of its size, format or quantity; if anyone makes any change to the file or content, its MD5 value, that is the corresponding "digital fingerprint", changes.
In one embodiment of the invention, the alarm feature value of the alarm data is calculated with an optimised variant of the MD5 algorithm, as follows:
(1) Remove the alarm time from the alarm data.
The alarm content may be the same while the alarm time differs; to keep the alarm data consistent, the alarm time is removed.
(2) Remove the spaces in the alarm data.
Spaces have little effect on the actual content of the alarm data and are removed to improve the running efficiency of the MD5 computation.
(3) Compute the MD5 value of the alarm data and simplify the result.
The feature value produced by the standard MD5 algorithm is 16 bytes. Considering the characteristics of power business and the limited content of alarm data, and in order to improve the search and insertion efficiency of the balanced binary tree, the present invention XORs the first 8 bytes of the 16-byte result with the last 8 bytes to obtain an 8-byte alarm feature value.
Finally, the step of matching the alarm feature value in the balanced binary tree and updating the balanced binary tree.
After calculating the alarm feature value of each alarm record, the intranet security monitoring platform compares it with the balanced binary tree containing alarm data that was built at initialisation. As shown in Fig. 4, the tree is searched for a node holding this alarm feature value; if none exists, the node is inserted into the balanced binary tree and into the alarm information table of the database; if it exists, the alarm count and alarm end time of that node in the balanced binary tree are updated.
After the balanced binary tree has been updated, the alarm data corresponding to the tree is saved.
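The feature value computation of steps (1) to (3) and the balanced-tree matching and update just described, as an added Python example that is not part of the patent. The AVL rotations, the message layout and the sample messages are the editor's assumptions; the patent does not say which balanced tree is used, only that new nodes go to the alarm information table while repeats update the in-memory node.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def feature_value(raw: str) -> int:
    """Steps (1) to (3): drop the alarm time, drop spaces, MD5, fold to 8 bytes."""
    no_time = TIME_RE.sub("", raw, count=1)
    compact = "".join(no_time.split())
    digest = hashlib.md5(compact.encode("utf-8")).digest()
    # XOR-folding halves the key width, so two distinct alarm texts can share a
    # key and be merged as one; the raw text of each new node is kept for audit.
    folded = bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))
    return int.from_bytes(folded, "big")

@dataclass
class Node:
    key: int
    last_time: str      # alarm end time, moved forward on every repeat
    count: int = 1      # alarm count
    height: int = 1
    left: Optional["Node"] = None
    right: Optional["Node"] = None

def _h(n: Optional[Node]) -> int:
    return n.height if n else 0

def _update(n: Node) -> None:
    n.height = 1 + max(_h(n.left), _h(n.right))

def _rotate_right(y: Node) -> Node:
    x = y.left
    y.left, x.right = x.right, y
    _update(y)
    _update(x)
    return x

def _rotate_left(x: Node) -> Node:
    y = x.right
    x.right, y.left = y.left, x
    _update(x)
    _update(y)
    return y

def _rebalance(n: Node) -> Node:
    """Restore the AVL invariant |h(left) - h(right)| <= 1 at node n."""
    _update(n)
    balance = _h(n.left) - _h(n.right)
    if balance > 1:                                # left-heavy
        if _h(n.left.left) < _h(n.left.right):     # left-right case
            n.left = _rotate_left(n.left)
        return _rotate_right(n)
    if balance < -1:                               # right-heavy
        if _h(n.right.right) < _h(n.right.left):   # right-left case
            n.right = _rotate_right(n.right)
        return _rotate_left(n)
    return n

class AlarmTree:
    def __init__(self) -> None:
        self.root: Optional[Node] = None
        self.pending_rows = []  # (key, raw) rows still to be written to the table

    def find(self, key: int) -> Optional[Node]:
        n = self.root
        while n is not None and n.key != key:
            n = n.left if key < n.key else n.right
        return n

    def merge(self, raw: str) -> bool:
        """Match the alarm in the tree: True if it was new, False if merged."""
        key = feature_value(raw)
        alarm_time = m.group(0) if (m := TIME_RE.search(raw)) else ""
        node = self.find(key)
        if node is not None:
            node.count += 1
            node.last_time = alarm_time
            return False
        self.root = self._insert(self.root, key, alarm_time)
        self.pending_rows.append((key, raw))
        return True

    def _insert(self, n: Optional[Node], key: int, t: str) -> Node:
        if n is None:
            return Node(key, t)
        if key < n.key:
            n.left = self._insert(n.left, key, t)
        else:
            n.right = self._insert(n.right, key, t)
        return _rebalance(n)

# Constructed sample messages; the first two differ only in time and spacing.
SAMPLES = [
    "<3>2006-03-12 20:12:23 fw01 FW 01 admin 10.1.1.1",
    "<3>2006-03-12 20:15:40 fw01  FW 01 admin 10.1.1.1",
    "<3>2006-03-12 20:16:02 ids02 IDS 01 portscan 10.1.1.7",
]
```

Feeding SAMPLES to `AlarmTree().merge` in order yields True, False, True: the second message updates the count and end time of the first node instead of creating a row.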
Compared with the prior art, the alarm analysis merging method provided by the invention adds an alarm source part to the alarm data, which helps the user locate the true source of an alarm (region, node, service and similar information). On the other hand, database operations are performed only for new alarm data; existing alarm data is maintained by the balanced binary tree in memory and periodically synchronised with the background database. In this way the warehousing efficiency of alarm data is improved, and at the same time the database load of the intranet security monitoring platform is reduced.
The alarm analysis merging method for a power secondary system intranet security monitoring platform provided by the present invention has been described in detail above. For a person of ordinary skill in the art, any obvious change made to it without departing from the essence of the present invention constitutes an infringement of the patent right of the present invention and incurs the corresponding legal liability.

Claims (9)

1. An alarm analysis merging method for a power secondary system intranet security monitoring platform, characterised in that it comprises the steps of:
constructing a balanced binary tree containing alarm data;
receiving original alarm data;
determining, according to the legitimacy of the alarm data, whether to add it to a legitimate alarm queue, and determining, according to the source IP range of the alarm data, whether to add it to an alarm queue within the monitoring range;
classifying the alarm queue according to alarm equipment type, and calculating an alarm feature value for the classified alarm queue;
matching said alarm feature value in said balanced binary tree, and updating said balanced binary tree;
storing the alarm data corresponding to said balanced binary tree.
2. The alarm analysis merging method of claim 1, characterised in that the step of constructing a balanced binary tree containing alarm data further comprises:
building an empty balanced binary tree;
obtaining the stored alarm data from the alarm information table and calculating an alarm feature value for each record one by one;
inserting said alarm feature values into the empty balanced binary tree to build the balanced binary tree containing alarm data.
3. The alarm analysis merging method of claim 1, characterised in that, in the process of receiving original alarm data, the LAN security monitoring unit sends alarm data to the power secondary system intranet security monitoring platform through a host security monitoring agent and a host security monitoring management center.
4. The alarm analysis merging method of claim 3, characterised in that, after receiving alarm data, said host security monitoring management center forwards the alarm data sent by said host security monitoring agent to the security alarm service of said dispatching automation system base platform for processing, and sends this alarm data to said power secondary system intranet security monitoring platform.
5. The alarm analysis merging method of claim 1, characterised in that the legitimacy check of said alarm data comprises checking whether the content format of the received alarm data conforms to the Syslog format and whether the alarm content conforms to the standard format.
6. The alarm analysis merging method of claim 1, characterised in that the legitimacy of the source IP range of said alarm data is judged according to whether the source IP of the alarm data lies within the monitoring range of said power secondary system intranet security monitoring platform.
7. The alarm analysis merging method of claim 1, characterised in that the step of calculating said alarm feature value further comprises:
removing the alarm time from the alarm data;
removing the spaces in the alarm data;
calculating the MD5 value and simplifying the result.
8. The alarm analysis merging method of claim 7, characterised in that said simplifying the result means XOR-ing the first 8 bytes of the 16-byte result with the last 8 bytes to obtain an 8-byte alarm feature value.
9. The alarm analysis merging method of claim 1, characterised in that the step of updating said balanced binary tree further comprises:
comparing the alarm feature value with said balanced binary tree and searching for a node holding said alarm feature value;
if no such node exists, inserting said node into said balanced binary tree and the alarm information table;
if it exists, updating the alarm count and alarm end time of said node in said balanced binary tree.
CN201310512995.5A 2013-10-25 2013-10-25 Alarm analysis merging method for power secondary system intranet security monitoring platform Pending CN103607291A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310512995.5A CN103607291A (en) 2013-10-25 2013-10-25 Alarm analysis merging method for power secondary system intranet security monitoring platform

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310512995.5A CN103607291A (en) 2013-10-25 2013-10-25 Alarm analysis merging method for power secondary system intranet security monitoring platform

Publications (1)

Publication Number Publication Date
CN103607291A true CN103607291A (en) 2014-02-26

Family

ID=50125492

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104601361A (en) * 2014-09-30 2015-05-06 北京科东电力控制系统有限责任公司 Power secondary system security event analysis method for non-policy-compliant access
CN104616205A (en) * 2014-11-24 2015-05-13 北京科东电力控制系统有限责任公司 Power system operation state monitoring method based on distributed log analysis
CN105183911A (en) * 2015-10-12 2015-12-23 国家电网公司 Data source binary tree based source tracing method for abnormal data of power system
CN105491139A (en) * 2015-12-16 2016-04-13 国网安徽省电力公司 Extraction and uploading system and method for massive data in a network message analysis apparatus
CN105827418A (en) * 2015-01-04 2016-08-03 中国移动通信集团山东有限公司 Communication network alarm correlation method and communication network alarm correlation device
CN108320079A (en) * 2018-01-04 2018-07-24 浙江大学 Power secondary system risk assessment method considering information system connection and transmission
CN110086795A (en) * 2019-04-28 2019-08-02 中国人民解放军战略支援部队信息工程大学 Authentication tree construction method and authentication-tree-based stream security exchange system under a cloud platform
CN113109642A (en) * 2021-03-10 2021-07-13 中国电力科学研究院有限公司 Method and system for processing power quality signal data
CN115065536A (en) * 2022-06-16 2022-09-16 北京天融信网络安全技术有限公司 Network security data parser, parsing method, electronic device and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101163032A (en) * 2006-10-11 2008-04-16 中兴通讯股份有限公司 Method of managing alarm inquiry
CN101610174A (en) * 2009-07-24 2009-12-23 深圳市永达电子股份有限公司 Log correlation analysis system and method
CN201491020U (en) * 2009-08-20 2010-05-26 福建富士通信息软件有限公司 Event classification and rule-tree-based association analysis device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
丛佩丽: "Design and Implementation of Alarm Clustering and Correlation Analysis Technology in SOC", 《万方学位论文》 (Wanfang dissertation database) *

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140226