CN108063753A - A kind of information safety monitoring method and system - Google Patents


Info

Publication number
CN108063753A
Authority
CN
China
Prior art keywords
information
network
flow
message
instruction
Prior art date
Legal status
Pending
Application number
CN201711104542.3A
Other languages
Chinese (zh)
Inventor
梁潇
高昆仑
赵保华
Current Assignee
Global Energy Interconnection Research Institute
Original Assignee
Global Energy Interconnection Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Abstract

The present invention provides an information security monitoring method and system. The method includes: obtaining the traffic information and messages of the device nodes in a network; comparing the traffic information with a network traffic model to judge whether the traffic is abnormal; comparing the messages with a business logic model to judge whether the instructions are abnormal; when a traffic anomaly and/or an instruction anomaly exists, obtaining security device and/or security system logs to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack; and when the traffic anomaly and/or instruction anomaly is associated with an information security attack, raising an information security alarm. By collecting, parsing and modelling the proprietary-protocol traffic and messages of an electric power monitoring system, the method and system identify abnormal behaviour during operation against a baseline of normal business behaviour, and by additionally accessing the related logs of security devices and/or security systems they achieve awareness of potential attacks.

Description

Information security monitoring method and system
Technical field
The present invention relates to the technical field of network information security for industrial control systems, and in particular to an information security monitoring method and system.
Background art
Electric power monitoring systems use general-purpose network and information technology and therefore inevitably introduce information security problems. Although network isolation technology separates the production control zone of an electric power monitoring system from the management information zone, so that the monitoring system operates in a relatively closed and secure environment, security attacks on industrial control systems are increasing and all parties are paying more attention to industrial control system security. As a result, product information about control systems, including electric power monitoring systems, has become far more readily available, and attackers have more opportunities to learn about control system software, firmware and communication protocols. Take the attack on the Ukrainian power system at the end of 2015 as an example: malware entered the information network of the power company via phishing software or other means, spread laterally to the monitoring system hosts, obtained substation supervisory control privileges, issued switching operations that shed substation load, and prevented dispatchers from remotely closing breakers to restore power. Analysing this attack shows that the attackers not only had the ability to infect ordinary IT operating systems with customised malware, but also understood the configuration software and functional mechanisms of the Ukrainian grid SCADA (Supervisory Control And Data Acquisition) system; the intrusion was launched from the IT network, and its final target was the grid SCADA system.
The protection objects of current information security products such as firewalls, IDS (Intrusion Detection Systems), anti-virus software and situational awareness systems are general-purpose IT equipment, operating systems, software and communication protocols; they cannot specifically analyse and monitor abnormal behaviour and potential threats within an electric power monitoring system.
Summary of the invention
Therefore, the technical problem to be solved by the present invention is to overcome the lack of information security monitoring products for electric power monitoring systems in the prior art, and so to provide an information security monitoring method and system that is oriented to the business characteristics of electric power monitoring systems while also integrating conventional security devices.
According to a first aspect, an embodiment of the present invention provides an information security monitoring method comprising the following steps: obtaining the traffic information and messages of the device nodes in a network; comparing the traffic information with a network traffic model to judge whether the traffic is abnormal; comparing the messages with a business logic model to judge whether the instructions are abnormal; when a traffic anomaly and/or an instruction anomaly exists, obtaining security device and/or security system logs to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack; and when the traffic anomaly and/or instruction anomaly is associated with an information security attack, raising an information security alarm.
Further, comparing the traffic information with the network traffic model to judge whether the traffic is abnormal includes: obtaining the connection relations, traffic distribution and traffic trend of the device nodes in the network from the traffic information; comparing the connection relations, traffic distribution and traffic trend of the device nodes with the network traffic model; and judging that a traffic anomaly exists at the device node corresponding to the traffic information when the connection relations of the device nodes differ from the network traffic model, or when the difference between the traffic distribution and the network traffic model exceeds a threshold, or when the traffic trend differs from the network traffic model.
Further, comparing the messages with the business logic model to judge whether the instructions are abnormal includes: obtaining the communication relations, communication content and communication logic order of the device nodes in the network from the parsed information of the messages; comparing the communication relations, communication content and communication logic order of the device nodes with the business logic model; and judging that an instruction anomaly exists at the device node corresponding to the message when the communication relations or communication logic order differ from the business logic model, or when the difference between the communication content and the business logic model exceeds a threshold.
Further, when a traffic anomaly and/or an instruction anomaly exists, obtaining security device and/or security system logs to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack includes: identifying the original sending host of the message corresponding to the traffic anomaly and/or instruction anomaly; obtaining the security device and/or security system logs corresponding to the original sending host and identifying whether those logs show abnormal conditions; and judging that the traffic anomaly and/or instruction anomaly is associated with an information security attack when the security device and/or security system logs corresponding to the original sending host show abnormal conditions.
Further, identifying whether the security device and/or security system logs corresponding to the original sending host show abnormal conditions includes: obtaining the host security monitoring log corresponding to the original sending host, to identify whether the original sending host is infected with a virus or Trojan and whether the Trojan or virus has modified the network monitoring system processes corresponding to the original sending host; obtaining the firewall log and the intrusion detection system log, to identify whether the original sending host has attempted to access the corresponding protocol ports of other device nodes on the network; and obtaining the user information of the original sending host and the mail corresponding to that user information, to identify whether the user of the original sending host has leaked a user name and password by mail.
Further, when the original sending host is infected with a virus or Trojan and the Trojan or virus has modified the network monitoring system processes on the original sending host, or when the original sending host has attempted to access the corresponding protocol ports of other device nodes on the network, or when the user of the original sending host has leaked a user name and password by mail, the traffic anomaly and/or instruction anomaly is judged to be associated with an information security attack.
According to a second aspect, an embodiment of the present invention provides an information security monitoring system comprising: a message collection and analysis device for obtaining the traffic information and messages of the device nodes in a network; and an information security monitoring platform for comparing the traffic information with a network traffic model to judge whether the traffic is abnormal, for comparing the collected messages with a business logic model to judge whether the instructions are abnormal, and, when a traffic anomaly and/or an instruction anomaly exists, for obtaining security device and/or security system logs to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack and, when it is, raising an information security alarm.
According to a third aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions which, when executed by a processor, implement the information security monitoring method described in the embodiment of the first aspect.
According to a fourth aspect, an embodiment of the present invention provides an information security monitoring system comprising: at least one message collection and analysis device for obtaining the traffic information and messages of the device nodes in a network; at least one processor; and a memory communicatively connected to the at least one processor, the memory storing instructions executable by the at least one processor which, when executed, cause the at least one processor to perform the information security monitoring method described in the embodiment of the first aspect.
The technical solution of the present invention has the following advantages. The proposed information security monitoring method and system collect, parse and model the network messages of an electric power monitoring system, identify abnormal behaviour during operation against a baseline of normal business behaviour, and at the same time access the related logs of security devices in the production control zone and the management information zone to achieve awareness of potential attacks, which is of great significance for protecting the information security of electric power monitoring systems.
Description of the drawings
In order to explain the specific embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the specific embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a specific example of the information security monitoring method in Embodiment 1 of the present invention;
Fig. 2 is a flow chart of a specific example of step S101 of the information security monitoring method in Embodiment 1, obtaining the traffic information and messages of the device nodes in the network;
Fig. 3 is a flow chart of a specific example of step S104 of the information security monitoring method in Embodiment 2, obtaining security device and/or security system logs when a traffic anomaly and/or an instruction anomaly exists to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack;
Fig. 4 is a flow chart of a specific example of step S103 of the information security monitoring method in Embodiment 2, comparing the messages with the business logic model to judge whether the instructions are abnormal;
Fig. 5 is a flow chart of a specific example of step S104 of the information security monitoring method in Embodiment 3, obtaining security device and/or security system logs when a traffic anomaly and/or an instruction anomaly exists to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack;
Fig. 6 is a functional block diagram of a specific example of the information security monitoring system in Embodiment 4 of the present invention;
Fig. 7 is a functional block diagram of a specific example of the information security monitoring device in Embodiment 6 of the present invention.
Reference numerals:
1 - message collection and analysis device; 2 - information security monitoring platform; 3 - security device and/or security system; 4 - processor; 5 - memory.
Specific embodiments
The technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the present invention. In addition, the technical features of the different embodiments described below may be combined with each other as long as they do not conflict.
Embodiment 1
Embodiment 1 of the present invention provides an information security monitoring method which, as shown in Fig. 1, comprises the following steps:
Step S101: obtain the traffic information and messages of the device nodes in the network;
Step S102: compare the traffic information with a network traffic model to judge whether the traffic is abnormal;
Step S103: compare the messages with a business logic model to judge whether the instructions are abnormal;
Step S104: when a traffic anomaly and/or an instruction anomaly exists, obtain security device and/or security system logs to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack;
Step S105: when the traffic anomaly and/or instruction anomaly is associated with an information security attack, raise an information security alarm.
Preferably, in a specific embodiment, as shown in Fig. 2, step S101 of obtaining the traffic information and messages of the device nodes in the network can be realised by the following steps:
Step S101a: mirror the communication data passing through the switches between the device nodes in the network;
Step S101b: obtain the traffic information and messages from the mirrored communication data;
Step S101c: identify the application environment of the messages;
Step S101d: parse the messages according to the communication protocol corresponding to their application environment, to obtain the parsed information of the messages.
First, in step S101a, the message collection and analysis device deployed in the production control zone of the electric power monitoring system is connected to the key switches in the production control zone, and the communication data is mirrored. Second, in step S101b, the traffic information and messages are extracted from the mirrored data for subsequent message parsing and anomaly identification. Mirroring the communication data at the switches does not affect the normal flow of the communication data, and the processed mirrored data is never returned to the production control zone of the electric power monitoring system, so normal power operation is not affected. Finally, in steps S101c and S101d, a specialised protocol is selected according to the application environment of the messages and used to parse them, realising information security monitoring based on parsing of the specific protocols of power monitoring networks and tailored to the business characteristics of the monitoring system.
In practical applications, the application environments of an electric power monitoring system generally include power plant distributed control systems, power plant auxiliary control systems, substation automation systems, dispatch automation systems and distribution automation systems. Different application environments are generally provided with their own dedicated communication protocols, such as IEC 61850 MMS, IEC 61850 GOOSE, IEC 61850 SV and IEC 60870-5-104.
The information security monitoring method proposed in Embodiment 1 collects, parses and models the network messages of the electric power monitoring system, identifies abnormal behaviour during operation against a baseline of normal business behaviour, and at the same time accesses the related logs of security devices and/or security systems in the production control zone and the management information zone to achieve awareness of potential attacks, which is of great significance for protecting the information security of electric power monitoring systems.
Embodiment 2
Embodiment 2 of the present invention provides an information security monitoring method that includes all the steps of Embodiment 1; to avoid repetition they are not described again here. Embodiment 2 gives a specific method for step S102, comparing the traffic information with the network traffic model to judge whether the traffic is abnormal, which, as shown in Fig. 3, comprises the following steps:
Step S102a: obtain the connection relations, traffic distribution and traffic trend of the device nodes in the network from the traffic information;
Step S102b: compare the connection relations, traffic distribution and traffic trend of the device nodes in the network with the network traffic model;
Step S102c: when the connection relations of the device nodes in the network differ from the network traffic model, or when the difference between the traffic distribution and the network traffic model exceeds a threshold, or when the traffic trend differs from the network traffic model, judge that a traffic anomaly exists at the device node corresponding to the traffic information.
In Embodiment 2, based on the collected traffic information, including source IP, destination IP, source MAC, destination MAC and port, the connection relations between device nodes in the network, the share of traffic taken by each kind of business, and the trend of network traffic are analysed; the general network traffic model is used as the baseline, and abnormal conditions are identified and alarmed.
Embodiment 2 also gives a specific method for step S103, comparing the messages with the business logic model to judge whether the instructions are abnormal, which, as shown in Fig. 4, comprises the following steps:
Step S103a: obtain the communication relations, communication content and communication logic order of the device nodes in the network from the parsed information of the messages;
Step S103b: compare the communication relations, communication content and communication logic order of the device nodes in the network with the business logic model;
Step S103c: when the communication relations or communication logic order differ from the business logic model, or when the difference between the communication content and the business logic model exceeds a threshold, judge that an instruction anomaly exists at the device node corresponding to the message.
In a specific embodiment, the information security monitoring method of Embodiment 2 is applied to the information security monitoring of a dispatch automation system. Messages within a substation are parsed according to the IEC 61850 MMS protocol; the parsed information mainly includes source IP, destination IP, source MAC, destination MAC, MMS PDU type, MMS service type, physical device, logical device and logical node names, and MMS service content. By checking this information against the standard Q/GDW 1396-2012, the logical position of each device in the substation network (such as station level or bay level), the device type (such as measurement and control device or protection device) and the connection relations can be identified, and from these the communication relations, communication content and communication logic order of the device node corresponding to the message are obtained. These are then compared with the business logic model to identify whether the message contains an instruction anomaly. The business logic model is built from the business content of the substation and contains the reasonable business communication relations (for example, only the monitoring back end sends control commands to measurement and control devices, and each control command has a corresponding control model), communication content (for example, the data set size of each logical node and the reasonable range of measured values) and communication logic order of the devices under different fault conditions; it reflects the normal communication business logic of the substation. When a message violates the business logic model, that is, exhibits abnormal communication behaviour in its communication relations, communication content or communication logic order, the message is judged to be an instruction anomaly message.
On the one hand, the information security monitoring method of Embodiment 2 gathers statistics on the protocol distribution, packet sending frequency and connection distribution in the network traffic, and identifies and alarms abnormal behaviour at the traffic level; on the other hand, from the message interactions between devices it automatically learns the business logic relations and legitimate business operations, and identifies and alarms abnormal behaviour in business operations, thereby realising traffic anomaly and instruction anomaly identification for the electric power monitoring system.
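As an added illustration (not code from the patent), the following Python sketch implements the step S102 and S103 comparisons described above for one window of collected flows and parsed IEC 61850 MMS messages: connection relations, protocol share and flow count against a traffic model, and control-command source, measured-value range and data set size against a business logic model. The models, hosts, addresses, node names and thresholds are all constructed for the example.

```python
"""Steps S102 and S103 as code: compare a window of collected flows with a network
traffic model, and parsed messages with a business logic model.
Hosts, addresses, node names and thresholds below are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class TrafficModel:
    """Baseline of normal traffic: who talks to whom, in what mix, how much."""
    connections: set            # allowed (src_ip, dst_ip, dst_port) triples
    protocol_share: dict        # protocol -> expected share of flows in a window
    share_threshold: float      # tolerated absolute deviation of a protocol's share
    max_flows_per_window: int   # highest flow count per window seen in normal operation


@dataclass
class BusinessLogicModel:
    """Baseline of normal substation business logic."""
    control_sources: set        # hosts allowed to issue control commands (monitoring back end)
    dataset_sizes: dict         # logical node -> expected data set size
    value_ranges: dict          # logical node -> (low, high) reasonable measured-value range


def check_traffic(flows, model):
    """Step S102: return (kind, src_ip, detail) for every traffic anomaly in the window."""
    anomalies = []
    for f in flows:
        key = (f["src_ip"], f["dst_ip"], f["dst_port"])
        if key not in model.connections:        # connection relation differs from the model
            anomalies.append(("connection", f["src_ip"], "unexpected connection %s" % (key,)))
    total = len(flows)
    if total:
        counts = Counter(f["protocol"] for f in flows)
        for proto, expected in model.protocol_share.items():
            observed = counts[proto] / total
            if abs(observed - expected) > model.share_threshold:   # distribution beyond threshold
                anomalies.append(("distribution", None,
                                  "%s share %.2f, expected %.2f" % (proto, observed, expected)))
    if total > model.max_flows_per_window:      # trend differs from the model
        anomalies.append(("trend", None,
                          "%d flows in window, baseline max %d" % (total, model.max_flows_per_window)))
    return anomalies


def check_instructions(messages, model):
    """Step S103: return (kind, src_ip, detail) for every instruction anomaly."""
    anomalies = []
    for m in messages:
        node, src = m["logical_node"], m["src_ip"]
        if m["service"] == "Write" and m.get("control") and src not in model.control_sources:
            # communication relation violated: only the monitoring back end sends control commands
            anomalies.append(("relation", src, "control Write to %s from %s" % (node, src)))
        if "value" in m and node in model.value_ranges:
            lo, hi = model.value_ranges[node]
            if not lo <= m["value"] <= hi:      # communication content outside the reasonable range
                anomalies.append(("content", src, "%s value %s outside [%s, %s]" % (node, m["value"], lo, hi)))
        expected = model.dataset_sizes.get(node)
        if "dataset_size" in m and expected is not None and m["dataset_size"] != expected:
            anomalies.append(("content", src, "%s data set size %d, expected %d" % (node, m["dataset_size"], expected)))
    return anomalies


# Constructed baseline for a small substation network (not real addresses); 102 is the MMS port.
BACKEND, IED1, IED2, ROGUE = "10.0.1.10", "10.0.2.21", "10.0.2.22", "10.0.3.99"
TRAFFIC_MODEL = TrafficModel(
    connections={(BACKEND, IED1, 102), (BACKEND, IED2, 102), (IED1, BACKEND, 102), (IED2, BACKEND, 102)},
    protocol_share={"MMS": 0.9, "GOOSE": 0.1}, share_threshold=0.2, max_flows_per_window=50)
LOGIC_MODEL = BusinessLogicModel(
    control_sources={BACKEND}, dataset_sizes={"MEAS/MMXU1": 8}, value_ranges={"MEAS/MMXU1": (0.0, 120.0)})

# Constructed window of collected flows and parsed MMS messages.
FLOWS = [
    {"src_ip": BACKEND, "dst_ip": IED1, "dst_port": 102, "protocol": "MMS"},
    {"src_ip": IED1, "dst_ip": BACKEND, "dst_port": 102, "protocol": "MMS"},
    {"src_ip": BACKEND, "dst_ip": IED2, "dst_port": 102, "protocol": "MMS"},
    {"src_ip": ROGUE, "dst_ip": IED1, "dst_port": 102, "protocol": "MMS"},   # not in the baseline
]
MESSAGES = [
    {"src_ip": BACKEND, "dst_ip": IED1, "service": "Write", "control": True, "logical_node": "CTRL/CSWI1"},
    {"src_ip": ROGUE, "dst_ip": IED1, "service": "Write", "control": True, "logical_node": "CTRL/CSWI1"},
    {"src_ip": IED1, "dst_ip": BACKEND, "service": "Report", "logical_node": "MEAS/MMXU1",
     "value": 58.3, "dataset_size": 8},
    {"src_ip": IED2, "dst_ip": BACKEND, "service": "Report", "logical_node": "MEAS/MMXU1",
     "value": 940.0, "dataset_size": 8},
]

if __name__ == "__main__":
    for anomaly in check_traffic(FLOWS, TRAFFIC_MODEL) + check_instructions(MESSAGES, LOGIC_MODEL):
        print(anomaly)
```

Run stand-alone it reports one connection anomaly (the unknown host talking to IED1), one relation anomaly (a control Write from that host) and one content anomaly (a measured value far outside its range), while the legitimate back-end traffic passes.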
Embodiment 3
Embodiment 3 of the present invention provides an information security monitoring method that includes all the steps of Embodiments 1 and 2; to avoid repetition they are not described again here. Embodiment 3 gives a specific method for step S104, obtaining security device and/or security system logs when a traffic anomaly and/or an instruction anomaly exists to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack, which, as shown in Fig. 5, comprises the following steps:
Step S104a: identify the original sending host of the message corresponding to the traffic anomaly and/or instruction anomaly;
Step S104b: obtain the security device and/or security system logs corresponding to the original sending host and identify whether they show abnormal conditions;
Step S104c: when the security device and/or security system logs corresponding to the original sending host show abnormal conditions, judge that the traffic anomaly and/or instruction anomaly is associated with an information security attack.
In a specific embodiment, the information security monitoring method of Embodiment 3 is applied to the information security monitoring of a dispatch automation system. A substation telecontrol device receives an IEC 60870-5-104 "remote control" command; if the source IP address of the command message differs from that of normal dispatch remote control commands, the "remote control" command is judged to be an instruction anomaly and an alarm is raised. At the same time, the host security monitoring log of the host corresponding to that source IP address is correlated to check whether the host is infected with a virus or Trojan and whether the Trojan or virus has modified the electric power monitoring system processes on the host; the firewall log and the IDS (Intrusion Detection System) log are correlated to check whether the source IP address has attempted to access a large number of other IEC 60870-5-104 protocol ports at electric power monitoring system IP addresses; and the behaviour in the mail auditing system of the corporate mailbox corresponding to the user of the electric power monitoring system application on that host is correlated to check whether the user has leaked the user name and password of the electric power monitoring system application by mail.
When the original sending host is infected with a virus or Trojan and the Trojan or virus has modified the network monitoring system processes on the original sending host, or when the original sending host has attempted to access the corresponding protocol ports of other device nodes on the network, the traffic anomaly and/or instruction anomaly is judged to be associated with an information security attack; when the user of the original sending host has leaked the user name and password by mail, the traffic anomaly and/or instruction anomaly is likewise judged to be associated with an information security attack.
At the same time, when the traffic anomaly and/or instruction anomaly is judged to be associated with an information security attack, the path of the attack can be identified, and the attack and its path are alarmed so as to prompt other users of the electric power monitoring system to protect against that attack path in advance. Attack paths generally fall into two classes: first, infecting a host with a virus in order to operate the network monitoring system; second, obtaining application privileges for the network monitoring system through social engineering or website phishing. The first class of attack path corresponds to an anomaly in the host security monitoring log or in the firewall and IDS logs; the second class corresponds to a mail anomaly.
The information security monitoring method of Embodiment 3 uses information elements such as IP address, device name, operating system user name, application system process and application system user name to correlate the security device and/or security system logs with the messages. When a traffic or instruction anomaly is found in the electric power monitoring system and the correlated host monitoring system log, firewall log, IDS system log or mail system log also shows abnormal behaviour, it can be determined that the traffic or instruction anomaly is correlated with an information security attack such as mail phishing, virus infection or malicious intrusion, and the attack path can be identified.
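As an added illustration (not code from the patent), the following Python sketch performs the step S104 correlation described in Embodiment 3: given the source IP of an anomalous message, it looks up the host and mailbox for that address, checks the host security monitoring log, the firewall log and the mail audit log, decides whether the anomaly is associated with an attack, and classifies the attack path into the two classes above. The inventory, log formats, addresses and users are constructed; port 2404 is the standard IEC 60870-5-104 port.

```python
"""Step S104 as code: correlate the original sending host of an anomalous message
with security device / security system logs and classify the attack path.
Inventory, log formats, addresses and users are constructed for the example."""

# Constructed inventory: the information elements the method correlates on
# (IP address, device name, OS user name, application user name, mailbox).
INVENTORY = {
    "10.0.3.99": {"host": "ws-oper-07", "os_user": "operator7",
                  "app_user": "dispatch07", "mailbox": "operator7@corp.example"},
    "10.0.1.10": {"host": "scada-backend", "os_user": "svc_scada",
                  "app_user": "dispatcher", "mailbox": "dispatch@corp.example"},
}

# Constructed log samples in a simple "timestamp source key=value ..." form.
HOST_LOG = """\
2017-11-08T09:14:02 ws-oper-07 event=threat_detected name=Trojan.Generic action=quarantine_failed
2017-11-08T09:15:30 ws-oper-07 event=process_modified process=scada_client.exe
2017-11-08T09:20:11 scada-backend event=scan_completed threats=0
"""
FIREWALL_LOG = """\
2017-11-08T09:16:01 fw-pcz action=deny src=10.0.3.99 dst=10.0.2.21 dport=2404
2017-11-08T09:16:01 fw-pcz action=deny src=10.0.3.99 dst=10.0.2.22 dport=2404
2017-11-08T09:16:02 fw-pcz action=deny src=10.0.3.99 dst=10.0.2.23 dport=2404
2017-11-08T09:16:02 fw-pcz action=deny src=10.0.3.99 dst=10.0.2.24 dport=2404
2017-11-08T08:00:00 fw-pcz action=allow src=10.0.1.10 dst=10.0.2.21 dport=2404
"""
MAIL_LOG = """\
2017-11-07T17:42:10 mail-audit direction=outbound from=operator7@corp.example to=helpdesk@lookalike.example dlp=credentials
2017-11-07T17:50:00 mail-audit direction=outbound from=dispatch@corp.example to=colleague@corp.example dlp=none
"""


def parse(log):
    """Split each log line into timestamp, source and key=value fields."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, source, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields.update(ts=ts, source=source)
        events.append(fields)
    return events


def host_log_abnormal(events, host):
    """Host security monitor: host infected and a monitoring-system process modified."""
    mine = [e for e in events if e["source"] == host]
    infected = any(e.get("event") == "threat_detected" for e in mine)
    modified = any(e.get("event") == "process_modified" for e in mine)
    return infected and modified


def port_sweep(events, ip, port="2404", min_targets=3):
    """Firewall/IDS: the host tried to reach the 104 protocol port on many other nodes."""
    targets = {e["dst"] for e in events if e.get("src") == ip and e.get("dport") == port}
    return len(targets) >= min_targets


def credential_leak(events, mailbox):
    """Mail audit: the user's mailbox sent a message flagged as carrying credentials."""
    return any(e.get("direction") == "outbound" and e.get("from") == mailbox
               and e.get("dlp") == "credentials" for e in events)


def correlate(src_ip):
    """Decide whether an anomaly from src_ip is associated with an attack, and by which path(s).

    Path class 1: host infection or 104-port probing (host log, firewall/IDS log abnormal).
    Path class 2: credentials leaked by mail (mail audit log abnormal).
    """
    info = INVENTORY.get(src_ip)
    if info is None:
        return {"associated": False, "paths": [], "evidence": ["source host not in inventory"]}
    evidence, paths = [], set()
    if host_log_abnormal(parse(HOST_LOG), info["host"]):
        evidence.append("host %s infected and monitoring process modified" % info["host"])
        paths.add(1)
    if port_sweep(parse(FIREWALL_LOG), src_ip):
        evidence.append("%s probed port 2404 on multiple nodes" % src_ip)
        paths.add(1)
    if credential_leak(parse(MAIL_LOG), info["mailbox"]):
        evidence.append("%s leaked credentials by mail" % info["mailbox"])
        paths.add(2)
    return {"associated": bool(paths), "paths": sorted(paths), "evidence": evidence}


if __name__ == "__main__":
    print(correlate("10.0.3.99"))
```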
Embodiment 4
Embodiment 4 of the present invention provides an information security monitoring system. As shown in Fig. 6, the system includes a message acquisition and analysis device 1 and an information security monitoring platform 2.
The message acquisition and analysis device 1 obtains the flow information and messages of the device nodes in the network. The information security monitoring platform 2 compares the flow information with a network traffic model to judge whether the traffic is abnormal; compares the acquired messages with a service logic model to judge whether the instructions are abnormal; when a traffic anomaly and/or instruction anomaly exists, obtains the security device and/or security system logs to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack; and when the traffic anomaly and/or instruction anomaly is associated with an information security attack, raises an information security alarm.
Specifically, the message acquisition and analysis device 1 can perform step S101 described in embodiments 1 to 3, and the information security monitoring platform 2 can perform steps S102 to S105 described in embodiments 1 to 3; the details are not repeated here.
The information security monitoring platform 2 automatically learns the logical relations of the service and its legitimate service operations from the message interactions between devices, identifies abnormal behaviour in service operations and raises alarms; it also computes statistics on the protocol distribution, packet sending frequency and connection distribution of the network traffic, identifies abnormal behaviour at the traffic level and raises alarms. The platform 2 provides an interface for connecting the security devices and/or security systems 3 distributed across the production control zone and the management information zone of the electric power monitoring system, in order to obtain their logs. Specifically, the logs of the security devices and/or security systems 3 include host monitoring system logs, firewall logs, IDS logs and mail system logs. The platform 2 correlates the messages parsed by the message acquisition and analysis device 1 with those logs, models the behaviour scenarios, perceives the security posture of the service, and discovers potential attacks that target the electric power monitoring system.
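An added example, not taken from the patent, of how the two baselines described above can be learned from observed traffic and then checked, following the three traffic criteria of claim 2 (connection relations, flow distribution, flow trend) and the three instruction criteria of claim 3 (correspondence relations, communication content, communication logic order). The record shapes, the thresholds and the sample windows and dialogues are assumptions constructed here.

```python
"""Learning a network traffic model and a service logic model from observed
traffic, then checking new traffic against them (claims 2 and 3).

Added example for this page, not the patent's implementation. The record
shapes, the thresholds and the sample data are assumptions constructed here.
"""
from collections import Counter
from typing import List, Set, Tuple

Flow = Tuple[str, str, str, int]   # (src, dst, protocol, dst port); assumed record shape
Msg = Tuple[str, str, str]         # (src, dst, message type); assumed record shape


class TrafficModel:
    """Baseline of connection relations, protocol distribution and packet volume
    learned from several observation windows of (flow, packet count) pairs."""

    def __init__(self, windows: List[List[Tuple[Flow, int]]]):
        self.connections: Set[Flow] = set()
        proto_pkts: Counter = Counter()
        totals = []
        for win in windows:
            totals.append(sum(n for _, n in win))
            for flow, n in win:
                self.connections.add(flow)
                proto_pkts[flow[2]] += n
        self.mean_pkts = sum(totals) / len(totals)
        grand = sum(proto_pkts.values())
        self.proto_dist = {p: c / grand for p, c in proto_pkts.items()}

    def check(self, win: List[Tuple[Flow, int]], dist_threshold: float = 0.2,
              trend_factor: float = 3.0) -> List[str]:
        """Return one reason per deviation; an empty list means no traffic anomaly."""
        reasons = []
        for flow, _ in win:                           # 1. connection relation differs
            if flow not in self.connections:
                reasons.append(f"new connection {flow}")
        cnt: Counter = Counter()
        for flow, n in win:
            cnt[flow[2]] += n
        total = sum(cnt.values()) or 1
        l1 = sum(abs(cnt[p] / total - self.proto_dist.get(p, 0.0))
                 for p in set(cnt) | set(self.proto_dist))
        if l1 > dist_threshold:                       # 2. distribution differs beyond threshold
            reasons.append(f"protocol distribution shifted (L1 distance {l1:.2f})")
        if total > trend_factor * self.mean_pkts:     # 3. trend differs: volume far above baseline
            reasons.append(f"{total} packets exceeds {trend_factor}x the baseline mean")
        return reasons


class ServiceLogicModel:
    """Baseline of which node sends which message type to which node, and in
    which order the messages appear within a dialogue."""

    def __init__(self, sessions: List[List[Msg]]):
        self.allowed: Set[Msg] = set()
        self.transitions: Set[Tuple[str, str, str, str]] = set()   # (src, dst, previous, next)
        for sess in sessions:
            prev = "<start>"
            for src, dst, mtype in sess:
                self.allowed.add((src, dst, mtype))
                self.transitions.add((src, dst, prev, mtype))
                prev = mtype

    def check(self, sess: List[Msg]) -> List[str]:
        """Return one reason per deviation; an empty list means no instruction anomaly."""
        reasons = []
        prev = "<start>"
        for src, dst, mtype in sess:
            if (src, dst, mtype) not in self.allowed:               # correspondence / content differs
                reasons.append(f"{src} -> {dst} never sends {mtype} in the baseline")
            elif (src, dst, prev, mtype) not in self.transitions:   # logic order differs
                reasons.append(f"{src} -> {dst}: {mtype} after {prev} breaks the learned order")
            prev = mtype
        return reasons


# Constructed baseline: a master station polls two RTUs over IEC 104 (tcp/2404)
# and an HMI reads MMS (tcp/102) from an IED, observed over three windows.
M, RTU1, RTU2, HMI, IED = "10.1.1.1", "10.1.1.20", "10.1.1.21", "10.1.1.2", "10.1.1.30"
BASE_WINDOWS = [
    [((M, RTU1, "iec104", 2404), 100), ((M, RTU2, "iec104", 2404), 100), ((HMI, IED, "mms", 102), 50)],
    [((M, RTU1, "iec104", 2404), 110), ((M, RTU2, "iec104", 2404), 90), ((HMI, IED, "mms", 102), 50)],
    [((M, RTU1, "iec104", 2404), 105), ((M, RTU2, "iec104", 2404), 95), ((HMI, IED, "mms", 102), 50)],
]
# Constructed dialogues: interrogation, reply, then a select-before-execute command.
BASE_SESSIONS = [
    [(M, RTU1, "C_IC_NA_1"), (RTU1, M, "M_ME_NC_1"), (M, RTU1, "C_SC_NA_1 select"), (M, RTU1, "C_SC_NA_1 execute")],
    [(M, RTU2, "C_IC_NA_1"), (RTU2, M, "M_ME_NC_1")],
]
# A window in which the HMI suddenly floods RTU1 over IEC 104, and a dialogue in
# which a command is executed from the wrong host and without the select step.
SUSPECT_WINDOW = [((M, RTU1, "iec104", 2404), 100), ((HMI, RTU1, "iec104", 2404), 900)]
SUSPECT_SESSION = [(HMI, RTU1, "C_SC_NA_1 execute"), (M, RTU1, "C_SC_NA_1 execute")]

if __name__ == "__main__":
    tm, sm = TrafficModel(BASE_WINDOWS), ServiceLogicModel(BASE_SESSIONS)
    print(tm.check(BASE_WINDOWS[0]), tm.check(SUSPECT_WINDOW))
    print(sm.check(BASE_SESSIONS[1]), sm.check(SUSPECT_SESSION))
```

The learned transitions are kept per (source, destination) pair so that a legitimate message type arriving in an unlearned position (an execute with no preceding select, in the sample) is reported as an order violation rather than as an unknown message, which is the distinction claim 3 draws between communication content and communication logic order.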
In one specific embodiment, the information security monitoring system of embodiment 4 is applied to information security monitoring of a dispatching automation system. Several message acquisition and analysis devices 1 are deployed at the substations and at the control centre: on the substation side they connect to the station-level switches, the process-level switches and the substation exit switch; on the control centre side they connect to the switches on either side of the data acquisition front-end servers. They capture the traffic and parse the application-layer protocols, which include IEC 61850 MMS, IEC 61850 GOOSE, IEC 61850 SV and IEC 60870-5-104. The information security monitoring platform 2 is deployed in the production control zone of the control centre and communicates with the message acquisition and analysis devices 1 over the dispatch data network.
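The acquisition devices have to decode the captured protocols before any instruction check can see a message type, cause of transmission or object address. The following added example, which is not the patent's parser, shows that decoding for the IEC 60870-5-104 framing only (the IEC 61850 protocols are not covered). It relies on nothing beyond the standard's frame layout: start byte 0x68, a length byte, a four-byte APCI control field, then the ASDU. The type and cause-of-transmission tables are a small subset, and the frame bytes are constructed by hand.

```python
"""Decoding IEC 60870-5-104 APDUs from a captured TCP segment.

Added example for this page, not the patent's parser. Only the IEC 60870-5-104
frame layout is relied on (start byte 0x68, length, 4-byte APCI control field,
then the ASDU); the type/COT tables are a small subset, and the frame bytes
are constructed by hand for the example.
"""
import struct
from typing import Dict, List

TYPE_NAMES = {1: "M_SP_NA_1", 13: "M_ME_NC_1", 30: "M_SP_TB_1", 45: "C_SC_NA_1",
              46: "C_DC_NA_1", 47: "C_RC_NA_1", 50: "C_SE_NC_1", 100: "C_IC_NA_1",
              103: "C_CS_NA_1"}
# Information element length per type for the SQ=0 layout; subset used here.
ELEMENT_LEN = {1: 1, 13: 5, 30: 8, 45: 1, 46: 1, 47: 1, 50: 5, 100: 1, 103: 7}
# Control-direction (command) type ids: process commands with and without
# time tag, plus the system commands this example cares about.
COMMAND_TYPES = set(range(45, 52)) | set(range(58, 65)) | {100, 101, 102, 103, 105}
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             10: "activation termination", 20: "interrogated by station"}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def split_apdus(segment: bytes) -> List[bytes]:
    """Split a TCP payload carrying several back-to-back APDUs using the length field."""
    out, pos = [], 0
    while pos < len(segment):
        if pos + 2 > len(segment) or segment[pos] != 0x68:
            raise ValueError(f"lost APDU framing at offset {pos}")
        total = segment[pos + 1] + 2
        if pos + total > len(segment):
            raise ValueError("trailing partial APDU")
        out.append(segment[pos:pos + total])
        pos += total
    return out


def parse_apdu(buf: bytes) -> Dict:
    """Decode one APDU into a dict; I-frames also carry the parsed ASDU fields."""
    if len(buf) < 6 or buf[0] != 0x68 or buf[1] + 2 != len(buf):
        raise ValueError("malformed APDU")
    c1, c2, c3, c4 = buf[2:6]
    recv_seq = ((c4 << 8) | c3) >> 1
    if c1 & 0x03 == 0x01:                       # S-frame: supervisory, acknowledges only
        return {"kind": "S", "recv_seq": recv_seq}
    if c1 & 0x03 == 0x03:                       # U-frame: unnumbered control function
        return {"kind": "U", "function": U_FUNCTIONS.get(c1, f"0x{c1:02x}")}
    asdu = buf[6:]                              # I-frame: numbered information
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    if vsq & 0x80:
        raise ValueError("SQ=1 (sequence of elements) is not handled in this example")
    elen = ELEMENT_LEN.get(type_id)
    if elen is None:
        raise ValueError(f"type id {type_id} not in this example's table")
    cot = asdu[2] & 0x3F
    objs, pos = [], 6
    for _ in range(vsq & 0x7F):
        if pos + 3 + elen > len(asdu):
            raise ValueError("information object truncated")
        ioa = asdu[pos] | (asdu[pos + 1] << 8) | (asdu[pos + 2] << 16)
        elem = asdu[pos + 3:pos + 3 + elen]
        obj = {"ioa": ioa, "raw": elem.hex()}
        if type_id == 45:                       # single command: SCS in bit 0, S/E in bit 7
            obj["state"] = "ON" if elem[0] & 0x01 else "OFF"
            obj["select"] = bool(elem[0] & 0x80)
        objs.append(obj)
        pos += 3 + elen
    return {"kind": "I", "send_seq": ((c2 << 8) | c1) >> 1, "recv_seq": recv_seq,
            "type_id": type_id, "type": TYPE_NAMES.get(type_id, f"type{type_id}"),
            "cot": cot, "cot_name": COT_NAMES.get(cot, str(cot)),
            "test": bool(asdu[2] & 0x80), "negative": bool(asdu[2] & 0x40),
            "originator": asdu[3], "common_addr": struct.unpack("<H", asdu[4:6])[0],
            "is_command": type_id in COMMAND_TYPES, "objects": objs}


# Constructed segment: STARTDT act, then a single command "ON, execute" for
# IOA 4097 on common address 1, then an S-frame acknowledging sequence 1.
SAMPLE_SEGMENT = bytes.fromhex(
    "680407000000"                          # U-frame, STARTDT act
    "680e000000002d010600010001100001"      # I-frame, C_SC_NA_1, COT=6, CA=1, IOA=0x001001, SCO=0x01
    "680401000200"                          # S-frame, N(R)=1
)

if __name__ == "__main__":
    for apdu in split_apdus(SAMPLE_SEGMENT):
        print(parse_apdu(apdu))
```

Splitting on the length field rather than on the next 0x68 byte matters on a monitoring tap: a command payload can legitimately contain 0x68, and a parser that resynchronises on that byte will silently misread the control direction traffic it is supposed to audit.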
In practical applications, the logs of the security devices and/or security systems 3 can be connected to the information security monitoring platform 2 individually, or they can be collected by an SOC-type system and forwarded to the platform 2 through a single interface.
The information security monitoring system proposed in embodiment 4 acquires and parses the network messages of the electric power monitoring system, builds a model of normal service behaviour, identifies abnormal behaviour during operation, and at the same time connects to the relevant logs of the security devices in the production control zone and the management information zone in order to perceive potential attacks. This is of great significance for protecting the information security of the electric power monitoring system.
Embodiment 5
Embodiment 5 of the present invention provides a non-transitory computer-readable storage medium. The medium stores computer instructions which, when executed by a processor, implement the information security monitoring method described in any of embodiments 1 to 3.
Embodiment 6
Embodiment 6 of the present invention provides an information security monitoring device. As shown in Fig. 7, the device includes a message acquisition and analysis device 1 for obtaining the flow information and messages of the device nodes in the network, a processor 4, and a memory 5 communicatively connected to the processor 4. The memory 5 stores instructions executable by the processor 4; when the processor 4 executes them, it performs the information security monitoring method described in any of embodiments 1 to 3.
Those skilled in the art will understand that the embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Obviously, the above embodiments are merely examples given for clarity of description and are not intended to limit the embodiments. Those of ordinary skill in the art can make other variations or changes of various forms on the basis of the above description. It is neither necessary nor possible to exhaust all embodiments. Obvious variations or changes derived from the above remain within the scope of protection of the present invention.

Claims (9)

1. An information security monitoring method, characterized by comprising the following steps:
obtaining the flow information and messages of the device nodes in a network;
comparing the flow information with a network traffic model to judge whether the traffic is abnormal;
comparing the messages with a service logic model to judge whether the instructions are abnormal;
when a traffic anomaly and/or instruction anomaly exists, obtaining security device and/or security system logs to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack;
when the traffic anomaly and/or instruction anomaly is associated with an information security attack, raising an information security alarm.
2. The information security monitoring method according to claim 1, characterized in that comparing the flow information with a network traffic model to judge whether the traffic is abnormal comprises:
obtaining the connection relations, flow distribution and flow trend of the device nodes in the network from the flow information;
comparing the connection relations, flow distribution and flow trend of the device nodes in the network with the network traffic model;
when the connection relations of the device nodes in the network differ from the network traffic model, or the difference between the flow distribution and the network traffic model exceeds a threshold, or the flow trend differs from the network traffic model, judging that the device node corresponding to the flow information has a traffic anomaly.
3. The information security monitoring method according to claim 1, characterized in that comparing the messages with a service logic model to judge whether the instructions are abnormal comprises:
obtaining the correspondence relations, communication contents and communication logic order of the device nodes in the network from the information parsed out of the messages;
comparing the correspondence relations, communication contents and communication logic order of the device nodes in the network with the service logic model;
when the correspondence relations or the communication logic order differ from the service logic model, or the difference between the communication contents and the service logic model exceeds a threshold, judging that the device node corresponding to the message has an instruction anomaly.
4. The information security monitoring method according to claim 1, characterized in that, when a traffic anomaly and/or instruction anomaly exists, obtaining security device and/or security system logs to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack comprises:
identifying the original sending host of the message corresponding to the traffic anomaly and/or instruction anomaly;
obtaining the security device and/or security system logs corresponding to the original sending host, and identifying whether those logs show an abnormal condition;
when the security device and/or security system logs corresponding to the original sending host show an abnormal condition, judging that the traffic anomaly and/or instruction anomaly is associated with an information security attack.
5. The information security monitoring method according to claim 4, characterized in that identifying whether the security device and/or security system logs corresponding to the original sending host show an abnormal condition comprises:
obtaining the host security monitoring log corresponding to the original sending host, to identify whether the original sending host is infected with a virus or trojan;
obtaining the firewall log and the intrusion detection system log, to identify whether the original sending host has attempted to access the corresponding protocol ports of other device nodes on the network;
obtaining the user information corresponding to the original sending host and the mail corresponding to that user information, to identify whether the user of the original sending host has leaked a user name and password through mail.
6. The information security monitoring method according to claim 5, characterized in that:
when the original sending host is infected with a virus or trojan and the trojan or virus modifies the network monitoring system process on the original sending host; or,
when the original sending host has attempted to access the corresponding protocol ports of other device nodes on the network; or,
when the user of the original sending host has leaked a user name and password through mail;
the traffic anomaly and/or instruction anomaly is judged to be associated with an information security attack.
7. An information security monitoring system, characterized by comprising:
a message acquisition and analysis device, for obtaining the flow information and messages of the device nodes in a network;
an information security monitoring platform, for comparing the flow information with a network traffic model to judge whether the traffic is abnormal; for comparing the acquired messages with a service logic model to judge whether the instructions are abnormal; for obtaining, when a traffic anomaly and/or instruction anomaly exists, security device and/or security system logs to judge whether the traffic anomaly and/or instruction anomaly is associated with an information security attack; and for raising an information security alarm when the traffic anomaly and/or instruction anomaly is associated with an information security attack.
8. A non-transitory computer-readable storage medium, characterized in that it stores computer instructions which, when executed by a processor, implement the information security monitoring method according to any one of claims 1 to 7.
9. An information security monitoring system, characterized by comprising:
at least one message acquisition and analysis device, for obtaining the flow information and messages of the device nodes in a network;
at least one processor; and
a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor performs the information security monitoring method according to any one of claims 1 to 7.
CN201711104542.3A 2017-11-10 2017-11-10 An information security monitoring method and system Pending CN108063753A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711104542.3A 2017-11-10 2017-11-10 An information security monitoring method and system

Publications (1)

Publication Number Publication Date
CN108063753A (en) 2018-05-22

Family

ID=62135688
Family Applications (1): CN201711104542.3A (Pending), priority date 2017-11-10, filing date 2017-11-10, An information security monitoring method and system

Country Status (1)

Country Link
CN (1) CN108063753A (en)

Cited By (54)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108683551A * 2018-08-08 2018-10-19 武汉思普崚技术有限公司 Method and device for pipeline-type flow control
CN109067763A * 2018-08-29 2018-12-21 阿里巴巴集团控股有限公司 Security detection method, equipment and device
CN109359098A * 2018-10-31 2019-02-19 云南电网有限责任公司 Dispatch data network behaviour monitoring system and method
CN109495482A * 2018-11-23 2019-03-19 江苏华存电子科技有限公司 Secure transmission method for network data information
CN109587124A * 2018-11-21 2019-04-05 国家电网有限公司 Processing method, device and system for a power network
CN109743224A * 2018-12-27 2019-05-10 国网北京市电力公司 Charging equipment data processing method and device
CN109753049A * 2018-12-21 2019-05-14 国网江苏省电力有限公司南京供电分公司 Abnormal instruction detection method for a source-network-load interactive industrial control system
CN110035062A * 2019-03-07 2019-07-19 亚信科技(成都)有限公司 Network inspection method and apparatus
CN110034977A * 2019-04-18 2019-07-19 浙江齐治科技股份有限公司 Device security monitoring method and security monitoring equipment
CN110062049A * 2019-04-30 2019-07-26 深圳前海微众银行股份有限公司 Office network monitoring method, device, computer equipment and storage medium
CN110460619A * 2019-08-30 2019-11-15 北京卓识网安技术股份有限公司 Packet identification method, system, device and storage medium
CN110515793A * 2019-07-23 2019-11-29 平安科技(深圳)有限公司 System performance monitoring method, device, equipment and storage medium
CN110572381A * 2019-08-30 2019-12-13 北京科东电力控制系统有限责任公司 Intelligent learning system and method applied to an electric power security protection device
CN110636075A * 2019-09-30 2019-12-31 全球能源互联网研究院有限公司 Operation and maintenance management and control and operation and maintenance analysis method and device
CN110830470A * 2019-11-06 2020-02-21 浙江军盾信息科技有限公司 Method, device and equipment for detecting a compromised host, and readable storage medium
CN110891068A * 2019-12-18 2020-03-17 北京网太科技发展有限公司 Routing protocol anomaly detection method and device based on correlation analysis
CN111211923A * 2019-12-27 2020-05-29 国网新疆电力有限公司电力科学研究院 Power industrial control system and control method
CN111339785A * 2020-05-18 2020-06-26 杭州木链物联网科技有限公司 Semantic-level security audit method based on service modelling
CN111367217A * 2020-03-20 2020-07-03 北京四方继保自动化股份有限公司 Monitoring method for improving inter-station communication security of a stability control system
CN111541647A * 2020-03-25 2020-08-14 杭州数梦工场科技有限公司 Security detection method and device, storage medium and computer equipment
CN111598268A * 2020-05-22 2020-08-28 杭州安恒信息技术股份有限公司 Power plant equipment detection method, system, equipment and computer storage medium
CN111695118A * 2020-06-17 2020-09-22 安徽三实信息技术服务有限公司 Network threat identification system
CN112333706A * 2019-07-16 2021-02-05 中国移动通信集团浙江有限公司 Internet of things device anomaly detection method and device, computing equipment and storage medium
CN112351035A * 2020-11-06 2021-02-09 杭州安恒信息技术股份有限公司 Industrial control security situation awareness method, device and medium
CN112383417A * 2020-11-02 2021-02-19 杭州安恒信息安全技术有限公司 Terminal security external connection detection method, system, equipment and readable storage medium
CN112711756A * 2020-12-28 2021-04-27 中国电力科学研究院有限公司 Passive fingerprint identification method and system for electric power industrial control equipment
CN112738063A * 2020-12-25 2021-04-30 山东钢铁集团日照有限公司 Industrial control system network security monitoring platform
CN112804190A * 2020-12-18 2021-05-14 国网湖南省电力有限公司 Security event detection method and system based on boundary firewall traffic
CN112884509A * 2021-02-09 2021-06-01 北京明略昭辉科技有限公司 Abnormal traffic identification method and device, and electronic equipment
CN112905548A * 2021-03-25 2021-06-04 昆仑数智科技有限责任公司 Security audit system and method
CN112911004A * 2021-02-03 2021-06-04 北京寄云鼎城科技有限公司 Method and device for ensuring secure operation of an Internet of things system, and computing equipment
CN112968869A * 2021-01-29 2021-06-15 国网河南省电力公司平顶山供电公司 Information security monitoring system for the production control zone of an electric power system
CN113110268A * 2021-05-28 2021-07-13 国家计算机网络与信息安全管理中心 Monitoring system, data acquisition equipment and method for a rail transit control network
CN113132408A * 2021-04-29 2021-07-16 中原工学院 Network information security intrusion detection method
CN113159992A * 2021-04-23 2021-07-23 全球能源互联网研究院有限公司 Method and device for classifying behaviour patterns of a closed-source power engineering control system
CN113179182A * 2021-04-27 2021-07-27 中国联合网络通信集团有限公司 Network supervision method, device, equipment and storage medium
CN113225342A * 2021-05-08 2021-08-06 四川英得赛克科技有限公司 Communication anomaly detection method and device, electronic equipment and storage medium
CN113259349A * 2021-05-12 2021-08-13 国家计算机网络与信息安全管理中心 Monitoring method and device for a rail transit control network
CN113301560A * 2021-05-20 2021-08-24 中国信息通信研究院 Electric power Internet of things terminal control method and system
CN113890821A * 2021-09-24 2022-01-04 绿盟科技集团股份有限公司 Log correlation method and device, and electronic equipment
CN114157465A * 2021-11-19 2022-03-08 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for determining a ransomware propagation path
CN114567463A * 2022-02-15 2022-05-31 浙江腾珑网安科技有限公司 Industrial network information security monitoring and protection system
CN114598904A * 2020-11-20 2022-06-07 中国移动通信集团广东有限公司 Fault locating method and device for IPTV service
CN114666088A * 2021-12-30 2022-06-24 爱普(福建)科技有限公司 Method, device, equipment and medium for detecting industrial network data behaviour information
CN114760103A * 2022-03-21 2022-07-15 广州大学 Industrial control system anomaly detection system, method, equipment and storage medium
CN115022078A * 2022-06-28 2022-09-06 杭州康吉森自动化科技有限公司 Controller built-in network security protection method and device, and electronic equipment
US11444923B2 2020-07-29 2022-09-13 International Business Machines Corporation Runtime detection of database protocol metadata anomalies in database client connections
CN115242455A * 2022-06-27 2022-10-25 山西西电信息技术研究院有限公司 Cloud computing based security monitoring system and method for social network instant messages
CN115296941A * 2022-10-10 2022-11-04 北京知其安科技有限公司 Method for detecting traffic security monitoring equipment, attack request generation method and equipment
CN115659341A * 2022-12-23 2023-01-31 中国计量大学现代科技学院 Software information security monitoring system
CN115759734A * 2022-10-19 2023-03-07 国网物资有限公司 Index-based power service supply chain monitoring method, device, equipment and medium
CN116680098A * 2022-02-23 2023-09-01 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Industrial robot safety monitoring method and device, and electronic equipment
CN116846675A * 2023-08-04 2023-10-03 北京中科网芯科技有限公司 Monitoring method for system network communication security
CN117118709A * 2023-08-25 2023-11-24 国网山东省电力公司泰安供电公司 Abnormal traffic early warning method, system, equipment and medium for an electric power system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104753946A * 2015-04-01 2015-07-01 浪潮电子信息产业股份有限公司 Security analysis framework based on network traffic metadata
CN106209826A * 2016-07-08 2016-12-07 瑞达信息安全产业股份有限公司 Security incident investigation method for network security device monitoring
CN106302540A * 2016-10-14 2017-01-04 国网浙江省电力公司绍兴供电公司 Communication network security detection system and method based on substation information security
CN107046543A * 2017-04-26 2017-08-15 国家电网公司 Attack-tracing oriented threat intelligence analysis system
CN107241224A * 2017-06-09 2017-10-10 珠海市鸿瑞软件技术有限公司 Network risk monitoring method and system for a substation


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
高昆仑 et al.: "智能电网调度控制系统安全防护技术及发展" (Security protection technology for smart grid dispatching and control systems and its development), 《电力系统自动化》 (Automation of Electric Power Systems) *

Cited By (79)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108683551A (en) * 2018-08-08 2018-10-19 武汉思普崚技术有限公司 A kind of method and device of duct type flow control
CN109067763A (en) * 2018-08-29 2018-12-21 阿里巴巴集团控股有限公司 Safety detection method, equipment and device
CN109067763B (en) * 2018-08-29 2020-05-29 阿里巴巴集团控股有限公司 Safety detection method, equipment and device
US11201886B2 (en) 2018-08-29 2021-12-14 Advanced New Technologies Co., Ltd. Security detection method, device, and apparatus
CN109359098A (en) * 2018-10-31 2019-02-19 云南电网有限责任公司 A kind of dispatch data net behavior monitoring system and method
CN109359098B (en) * 2018-10-31 2023-04-11 云南电网有限责任公司 System and method for monitoring scheduling data network behaviors
CN109587124B (en) * 2018-11-21 2021-08-03 国家电网有限公司 Method, device and system for processing power network
CN109587124A (en) * 2018-11-21 2019-04-05 国家电网有限公司 Processing method, the device and system of electric power networks
CN109495482A (en) * 2018-11-23 2019-03-19 江苏华存电子科技有限公司 A kind of network data information safe transmission method
CN109753049A (en) * 2018-12-21 2019-05-14 国网江苏省电力有限公司南京供电分公司 The exceptional instructions detection method of one provenance net load interaction industrial control system
CN109753049B (en) * 2018-12-21 2021-12-17 国网江苏省电力有限公司南京供电分公司 Abnormal instruction detection method for source-network-load interactive industrial control system
CN109743224A (en) * 2018-12-27 2019-05-10 国网北京市电力公司 Electrically-charging equipment data processing method and device
CN110035062A (en) * 2019-03-07 2019-07-19 亚信科技(成都)有限公司 A kind of network inspection method and apparatus
CN110034977A (en) * 2019-04-18 2019-07-19 浙江齐治科技股份有限公司 A kind of device security monitoring method and safety monitoring equipment
CN110034977B (en) * 2019-04-18 2021-11-09 浙江齐治科技股份有限公司 Equipment safety monitoring method and safety monitoring equipment
CN110062049A (en) * 2019-04-30 2019-07-26 深圳前海微众银行股份有限公司 A kind of monitoring method of office network, device, computer equipment and storage medium
CN112333706A (en) * 2019-07-16 2021-02-05 中国移动通信集团浙江有限公司 Internet of things equipment anomaly detection method and device, computing equipment and storage medium
CN112333706B (en) * 2019-07-16 2022-08-23 中国移动通信集团浙江有限公司 Internet of things equipment anomaly detection method and device, computing equipment and storage medium
CN110515793A (en) * 2019-07-23 2019-11-29 平安科技(深圳)有限公司 System performance monitoring method, device, equipment and storage medium
CN110515793B (en) * 2019-07-23 2022-02-18 平安科技(深圳)有限公司 System performance monitoring method, device, equipment and storage medium
CN110460619A (en) * 2019-08-30 2019-11-15 北京卓识网安技术股份有限公司 Packet identification method, system, device and storage medium
CN110572381A (en) * 2019-08-30 2019-12-13 北京科东电力控制系统有限责任公司 intelligent learning system and method applied to electric power safety protection device
CN110636075A (en) * 2019-09-30 2019-12-31 全球能源互联网研究院有限公司 Operation and maintenance management and control and operation and maintenance analysis method and device
CN110830470A (en) * 2019-11-06 2020-02-21 浙江军盾信息科技有限公司 Method, device and equipment for detecting defect-losing host and readable storage medium
CN110830470B (en) * 2019-11-06 2022-02-01 杭州安恒信息安全技术有限公司 Method, device and equipment for detecting defect-losing host and readable storage medium
CN110891068A (en) * 2019-12-18 2020-03-17 北京网太科技发展有限公司 Routing protocol anomaly detection method and device based on correlation analysis
CN111211923A (en) * 2019-12-27 2020-05-29 国网新疆电力有限公司电力科学研究院 Power industry control system and control method
CN111367217A (en) * 2020-03-20 2020-07-03 北京四方继保自动化股份有限公司 Monitoring method for improving inter-station communication safety of stability control system
CN111541647B (en) * 2020-03-25 2022-12-13 杭州数梦工场科技有限公司 Security detection method, device, storage medium and computer equipment
CN111541647A (en) * 2020-03-25 2020-08-14 杭州数梦工场科技有限公司 Security detection method and device, storage medium and computer equipment
CN111339785A (en) * 2020-05-18 2020-06-26 杭州木链物联网科技有限公司 Semantic level security audit method based on business modeling
CN111598268A (en) * 2020-05-22 2020-08-28 杭州安恒信息技术股份有限公司 Power plant equipment detection method, system, equipment and computer storage medium
CN111598268B (en) * 2020-05-22 2023-07-07 杭州安恒信息技术股份有限公司 Power plant equipment detection method, system, equipment and computer storage medium
CN111695118A (en) * 2020-06-17 2020-09-22 安徽三实信息技术服务有限公司 Network threat identification system
US11444923B2 (en) 2020-07-29 2022-09-13 International Business Machines Corporation Runtime detection of database protocol metadata anomalies in database client connections
CN112383417A (en) * 2020-11-02 2021-02-19 杭州安恒信息安全技术有限公司 Terminal security external connection detection method, system, equipment and readable storage medium
CN112351035A (en) * 2020-11-06 2021-02-09 杭州安恒信息技术股份有限公司 Industrial control security situation sensing method, device and medium
CN114598904A (en) * 2020-11-20 2022-06-07 中国移动通信集团广东有限公司 Fault positioning method and device for IPTV service
CN114598904B (en) * 2020-11-20 2023-06-30 中国移动通信集团广东有限公司 Fault positioning method and device for IPTV service
CN112804190A (en) * 2020-12-18 2021-05-14 国网湖南省电力有限公司 Security event detection method and system based on boundary firewall flow
CN112738063A (en) * 2020-12-25 2021-04-30 山东钢铁集团日照有限公司 Industrial control system network safety monitoring platform
CN112711756A (en) * 2020-12-28 2021-04-27 中国电力科学研究院有限公司 Passive electric power industrial control equipment fingerprint identification method and system
CN112711756B (en) * 2020-12-28 2024-02-27 中国电力科学研究院有限公司 Fingerprint identification method and system for passive power industrial control equipment
CN112968869A (en) * 2021-01-29 2021-06-15 国网河南省电力公司平顶山供电公司 Information safety monitoring system of electric power production control large area
CN112911004A (en) * 2021-02-03 2021-06-04 北京寄云鼎城科技有限公司 Method and device for ensuring safe operation of Internet of things system and computing equipment
CN112884509A (en) * 2021-02-09 2021-06-01 北京明略昭辉科技有限公司 Abnormal flow identification method and device and electronic equipment
CN112905548A (en) * 2021-03-25 2021-06-04 昆仑数智科技有限责任公司 Safety audit system and method
CN112905548B (en) * 2021-03-25 2023-12-08 昆仑数智科技有限责任公司 Security audit system and method
CN113159992A (en) * 2021-04-23 2021-07-23 全球能源互联网研究院有限公司 Method and device for classifying behavior patterns of closed-source power engineering control system
CN113179182A (en) * 2021-04-27 2021-07-27 中国联合网络通信集团有限公司 Network supervision method, device, equipment and storage medium
CN113132408A (en) * 2021-04-29 2021-07-16 中原工学院 Network information security intrusion detection method
CN113225342A (en) * 2021-05-08 2021-08-06 四川英得赛克科技有限公司 Communication abnormity detection method and device, electronic equipment and storage medium
CN113225342B (en) * 2021-05-08 2023-06-30 四川英得赛克科技有限公司 Communication abnormality detection method and device, electronic equipment and storage medium
CN113259349A (en) * 2021-05-12 2021-08-13 国家计算机网络与信息安全管理中心 Monitoring method and device for rail transit control network
CN113301560A (en) * 2021-05-20 2021-08-24 中国信息通信研究院 Electric power Internet of things terminal control method and system
CN113110268A (en) * 2021-05-28 2021-07-13 国家计算机网络与信息安全管理中心 Monitoring system, data acquisition equipment and method for rail transit control network
CN113890821B (en) * 2021-09-24 2023-11-17 绿盟科技集团股份有限公司 Log association method and device and electronic equipment
CN113890821A (en) * 2021-09-24 2022-01-04 绿盟科技集团股份有限公司 Log association method and device and electronic equipment
CN114157465A (en) * 2021-11-19 2022-03-08 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for determining a ransomware propagation path
CN114157465B (en) * 2021-11-19 2024-04-19 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for determining a ransomware propagation path
CN114666088A (en) * 2021-12-30 2022-06-24 爱普(福建)科技有限公司 Method, device, equipment and medium for detecting industrial network data behavior information
CN114567463B (en) * 2022-02-15 2024-04-02 浙江腾珑网安科技有限公司 Industrial network information safety monitoring and protecting system
CN114567463A (en) * 2022-02-15 2022-05-31 浙江腾珑网安科技有限公司 Industrial network information safety monitoring and protection system
CN116680098A (en) * 2022-02-23 2023-09-01 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Industrial robot safety monitoring method and device and electronic equipment
CN116680098B (en) * 2022-02-23 2024-06-11 中国软件评测中心(工业和信息化部软件与集成电路促进中心) Industrial robot safety monitoring method and device and electronic equipment
CN114760103A (en) * 2022-03-21 2022-07-15 广州大学 Industrial control system abnormity detection system, method, equipment and storage medium
CN114760103B (en) * 2022-03-21 2023-10-31 广州大学 Industrial control system abnormality detection system, method, equipment and storage medium
CN115242455A (en) * 2022-06-27 2022-10-25 山西西电信息技术研究院有限公司 Social network instant message safety monitoring system and method based on cloud computing
CN115242455B (en) * 2022-06-27 2023-08-18 山西西电信息技术研究院有限公司 Social network instant information safety monitoring system and method based on cloud computing
CN115022078A (en) * 2022-06-28 2022-09-06 杭州康吉森自动化科技有限公司 Controller built-in network safety protection method and device and electronic equipment
CN115296941B (en) * 2022-10-10 2023-03-24 北京知其安科技有限公司 Method for detecting traffic safety monitoring equipment, attack request generation method and equipment
CN115296941A (en) * 2022-10-10 2022-11-04 北京知其安科技有限公司 Method for detecting traffic safety monitoring equipment, attack request generation method and equipment
CN115759734A (en) * 2022-10-19 2023-03-07 国网物资有限公司 Index-based power service supply chain monitoring method, device, equipment and medium
CN115759734B (en) * 2022-10-19 2024-01-12 国网物资有限公司 Index-based power service supply chain monitoring method, device, equipment and medium
CN115659341A (en) * 2022-12-23 2023-01-31 中国计量大学现代科技学院 Software information safety monitoring system
CN115659341B (en) * 2022-12-23 2023-03-10 中国计量大学现代科技学院 Software information safety monitoring system
CN116846675A (en) * 2023-08-04 2023-10-03 北京中科网芯科技有限公司 Monitoring method for system network communication security
CN116846675B (en) * 2023-08-04 2024-02-20 北京中科网芯科技有限公司 Monitoring method for system network communication security
CN117118709A (en) * 2023-08-25 2023-11-24 国网山东省电力公司泰安供电公司 Abnormal flow early warning method, system, equipment and medium for electric power system

Similar Documents

Publication Publication Date Title
CN108063753A (en) A kind of information safety monitoring method and system
CN111092869B (en) Security management and control method for terminal access to office network and authentication server
EP2721801B1 (en) Security measures for the smart grid
KR101375813B1 (en) Active security sensing device and method for intrusion detection and audit of digital substation
CN109391613A (en) A kind of intelligent substation method for auditing safely based on SCD parsing
CN107295010A (en) A kind of enterprise network security management cloud service platform system and its implementation
CN104506507A (en) Honey net safeguard system and honey net safeguard method for SDN (self-defending network)
CN104852927A (en) Safety comprehensive management system based on multi-source heterogeneous information
CN107231371A (en) The safety protecting method of Electricity Information Network, device and system
CN109976239A (en) Industrial control system terminal security guard system
CN107547228B (en) Implementation architecture of safe operation and maintenance management platform based on big data
CN105867347B (en) Cross-space cascading fault detection method based on machine learning technology
CN214306527U (en) Gas pipe network scheduling monitoring network safety system
CN103891206A (en) Method and device for synchronizing network data flow detection status
CN107332863A (en) The safety detection method and system of a kind of main frame based on centralized management
CN114553537A (en) Abnormal flow monitoring method and system for industrial Internet
CN106209902A (en) A kind of network safety system being applied to intellectual property operation platform and detection method
CN206962850U (en) The security protection system and power information system of Electricity Information Network
CN114125083B (en) Industrial network distributed data acquisition method and device, electronic equipment and medium
CN112968869A (en) Information security monitoring system for the power production control zone
CN105162639A (en) Virtual network fault positioning device based on Kernel-based virtual machine (KVM)
CN116781412A (en) Automatic defense method based on abnormal behaviors
Ciancamerla et al. An electrical grid and its SCADA under cyber attacks: Modelling versus a Hybrid Test Bed
CN113285937B (en) Safety audit method and system based on traditional substation configuration file and IEC103 protocol flow
KR102444922B1 (en) Apparatus of controlling intelligent access for security situation recognition in smart grid

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180522