CN108111342B - Visualization-based threat alarm display method - Google Patents

Info

Publication number
CN108111342B
Authority
CN
China
Prior art keywords
threat
information
node
chain
alarm
Legal status
Active
Application number
CN201711351278.3A
Other languages
Chinese (zh)
Other versions
CN108111342A (en)
Inventor
侯占英 (Hou Zhanying)
周文军 (Zhou Wenjun)
Current Assignee
Beijing Huachuang Network Security Co ltd
Original Assignee
Beijing Huachuang Network Security Co ltd
Priority date: 2017-12-15
Filing date: 2017-12-15
Publication date: 2021-08-27
Application filed by Beijing Huachuang Network Security Co ltd
Priority to CN201711351278.3A
Publication of CN108111342A
Application granted
Publication of CN108111342B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0677 Localisation of faults
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Abstract

The invention discloses a visualization-based threat alarm display method comprising the following steps: carrying out real-time threat monitoring on an asset information chain whose nodes are the key assets of the system; when a threat event triggers an alarm, determining the position of the threat in the asset information chain; analysing the threat level of the threat according to a preset judgment basis, and calculating the security score of the threat by a preset calculation method; displaying identification information of the threat, together with the threat level and the security score, in a network topology graph; and, when a click on the identification information is detected, displaying the specific node information of the threat. This technical scheme guarantees the accuracy of threat presentation and the logical coherence of the associated information, effectively improves the processing efficiency and accuracy of threat alarm events, and improves the operational safety of the industrial control system.

Description

Visualization-based threat alarm display method
Technical Field
The invention relates to the technical field of information visualization, in particular to a threat alarm display method based on visualization.
Background
A visualization-based threat alarm display method is used to present the on-site network security state of an industrial control system in real time and to raise alarms on urgent abnormal events. Once an alarm occurs, the on-site screen monitoring personnel can immediately notify field maintenance personnel to carry out repairs on the spot and handle the relevant threat. In practice, however, this alarm approach has shortcomings, mainly the following:
(1) The degree of association is low. The core of on-site network security is the security of each device and each partition in the networked state, so the security state of the devices and partitions must be shown whenever the security state of the network is shown. Existing systems may have incomplete statistics on field devices, and for each partition and each attached component the data is merely displayed rather than related, so the overall logical association is weak. Especially when facing a large number of field devices, threat handling efficiency drops sharply, which directly hampers the effectiveness of handling the problem.
(2) It is not intuitive enough. Even where field devices and partitions are fully accounted for, the alarm information exposed by existing systems is sometimes too redundant or too specialised. Users must spend a great deal of time studying and receiving training at the initial stage, and once a threat event occurs the displayed result is still not visual, which does not help the user lock onto the key threats quickly; processing efficiency is therefore reduced and user satisfaction is low.
Disclosure of Invention
To address these defects, the invention provides a visualization-based threat alarm display method. Key asset information is entered and a linear asset information chain is formed with the key asset nodes as its core. When a threat event occurs, the threat is positioned at its location on the asset chain and displayed in a network topology graph; at the same time the threat is shown in high and low categories, and the security degree of the related equipment or partitions is represented by a security score. The message of the current threat node is analysed in depth, its quintuple (five-tuple) information is matched against the node information before and after it on the chain, and the result is shown with conspicuous identification information; clicking the identified node positions the threat visually and accurately. This guarantees the accuracy of threat display and the logical coherence of the associated information, effectively improves the processing efficiency and accuracy of threat alarm events, and improves the operational safety of the industrial control system.
In order to achieve the above object, the present invention provides a visualization-based threat alarm display method comprising: carrying out real-time threat monitoring on an asset information chain whose nodes are the key assets of the system; when a threat event triggers an alarm, determining the position of the threat in the asset information chain; analysing the threat level of the threat according to a preset judgment basis, and calculating the security score of the threat by a preset calculation method; displaying identification information of the threat, together with the threat level and the security score, in a network topology graph; and, when a click on the identification information is detected, displaying the specific node information of the threat.
In the foregoing technical solution, preferably, determining the position of the threat in the asset information chain when the threat event triggers an alarm specifically includes: when a threat event triggers an alarm, deeply analysing the node message and judging whether it is an abnormal node message; determining, from the quintuple (five-tuple) result of the abnormal node message, the node information associated with that quintuple result; and determining the position of the threat in the asset information chain from the node information.
In the foregoing technical solution, preferably, analysing the threat level of the threat according to a preset judgment basis and calculating the security score of the threat by a preset calculation method specifically includes: determining the threat level of the threat from the attribute of the equipment or area of the node where the threat is located and the preset correspondence between that attribute and the threat level; and calculating, from the attributes of the equipment or area of the node where the threat is located, the weighted average of those different attributes as the security score.
In the above technical solution, preferably, the key assets include the devices, jurisdictions and factory areas of the system pre-entered by the user; the asset information chain is a relationship defined according to field boundary logic; and the node information is the specific information of the device, jurisdiction or factory area corresponding to a node of the system pre-entered by the user.
In the above technical solution, preferably, the network topology is a topology structure diagram generated according to node information of the asset information chain.
In the above technical solution, preferably, the visualization-based threat alarm display method further includes: after the position of the threat in the asset information chain is determined, sending alarm information to the equipment or area of the node corresponding to the threat.
In the above technical solution, preferably, the visualization-based threat alarm display method further includes: storing the determined threat level and security score of the threat together with the node information of the threat.
Compared with the prior art, the invention has the following beneficial effects. Key asset information is entered and a linear asset information chain is formed with the key asset nodes as its core. When a threat event occurs, the threat is positioned at its location on the asset chain and displayed in a network topology graph; at the same time the threat is shown in high, medium and low categories, and the security degree of the equipment or partitions is embodied by a security score. The message of the current threat node is analysed in depth, its quintuple information is matched against the node information before and after it on the chain, and the node information is displayed with a prominent marker; clicking the marked node positions the threat visually and accurately. This ensures the accuracy of threat display and the logical coherence of the associated information, effectively improves the processing efficiency and accuracy of threat alarm events, and thereby improves the operational safety of the industrial control system.
Drawings
Fig. 1 is a schematic flow chart of a threat alarm display method based on visualization according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
The invention is described in further detail below with reference to the attached drawing figures:
As shown in Fig. 1, an embodiment of the visualization-based threat alarm display method provided by the present invention includes: step S101, carrying out real-time threat monitoring on an asset information chain whose nodes are the key assets of the system; step S102, when a threat event triggers an alarm, determining the position of the threat in the asset information chain; step S103, analysing the threat level of the threat according to a preset judgment basis, and calculating the security score of the threat by a preset calculation method; step S104, displaying identification information of the threat, the threat level and the security score in a network topology graph; and step S105, when a click on the identification information is detected, displaying the specific node information of the threat.
In this embodiment, preferably, determining the position of the threat in the asset information chain when the threat event triggers an alarm specifically includes: when a threat event triggers an alarm, deeply analysing the node message and judging whether it is an abnormal node message; determining, from the quintuple result of the abnormal node message, the node information associated with that quintuple result; and determining the position of the threat in the asset information chain from the node information.
In this embodiment, preferably, analysing the threat level of the threat according to a preset judgment basis and calculating the security score of the threat by a preset calculation method specifically includes: determining the threat level of the threat from the attribute of the equipment or area of the node where the threat is located and the preset correspondence between that attribute and the threat level; and calculating, from the attributes of the equipment or area of the node where the threat is located, the weighted average of those different attributes as the security score.
In the above embodiment, preferably, the key assets include the devices, jurisdictions and factory areas of the system pre-entered by the user; the asset information chain is a relationship defined according to field boundary logic; and the node information is the specific information of the device, jurisdiction or factory area corresponding to a node of the system pre-entered by the user.
In the above embodiment, preferably, the network topology is a topology structure diagram generated according to the node information of the asset information chain.
In this embodiment, the asset information comes mainly from the key asset information entered by the user at the early stage, and from the confirmation and additional entry of assets discovered by the system at a later stage. The key node chain conforms to field boundary logic; it is not a newly introduced concept and does not physically exist, but is a relation defined by the system according to field boundary logic. Once the node information is obtained, the system automatically generates the network topology graph. The accuracy of the asset information must be confirmed and guaranteed by the user.
Specifically, when the system is in its initial state, the user manually enters the key asset information, namely information on devices, jurisdictions, factory areas and the like, and an asset information chain is formed with the nodes constructed from these key assets as its core. When the system triggers an alarm because of a threat event, that is, when an abnormal event occurs in a certain device or area, the system immediately positions the threat in the asset information chain and displays it in the network topology graph. The threat is shown in high, medium and low classes at the same time, and the related devices or partitions reflect their security degree by a security score. Meanwhile, the system deeply analyses the current threat node message, matches its quintuple information against the node information before and after it on the chain, determines the preset device information, control loop, distribution room or control area and so on associated with the threat, quickly positions the link in the background according to the successfully matched information, and displays it with conspicuous identification information. After the user clicks the identified node, the threat can be found accurately in the network topology graph of the corresponding area.
The method provided by this embodiment of the invention adopts a business-logic key-information matching mechanism and uses a large body of complete chain information as its database, which ensures the accuracy of threat presentation; it traces the chain backwards and forwards with the chain information as the core, which ensures the logical coherence of the associated information. The alarm event is displayed by means of a security score, a threat classification and a network topology graph, which fits the user's cognition of known elements and unknown threats well and gives a smooth transition; compared with the increased complexity of system use caused by introducing specialist terms and technologies, this markedly improves convenience for the user. On the basis of the chain information, the visual construction of the industrial control network is realised, and the spatial display of the chain information is realised in turn. Compared with the traditional presentation without a map, or with only a map, image labelling is more helpful for directly discovering and summarising the relevant paths of threats. Relying on the three known elements of security score, threat grading and network topology graph, an effective bridge for threat perception is formed, and the user's cognition of threats and processing efficiency are greatly improved.
In the above embodiment, preferably, the visualization-based threat alarm display method further includes: after the position of the threat in the asset information chain is determined, sending alarm information to the equipment or area of the node corresponding to the threat.
In this embodiment, after the position of the threat in the asset information chain is determined, not only is the identification information of the threat displayed in the network topology graph, but alarm information is also sent to the device, jurisdiction or partition of the node where the threat is located, so as to remind the user that the threat event has occurred. The alarm information includes on-screen identification display, sound and light alarms and the like.
In the above embodiment, preferably, the visualization-based threat alarm display method further includes: storing the determined threat level and security score of the threat together with the node information of the threat.
In this embodiment, the calculated or analysed threat level, security score and node information of the threat are stored, so that the detailed information of the threat event can be consulted at a later stage.
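The procedure described above (steps S101 to S105, the chain tracing before and after the threat node, the alarm dispatch and the storage), as an added example that is not part of the patent or the applicant's system. The chain layout, the role attribute and level table, the score weights and the sample five-tuple are constructed assumptions.

```python
# Added example, not the patent's own code: a minimal model of the claimed method.
# Chain layout, attribute names, level table, weights and sample alarm are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]   # (src_ip, dst_ip, src_port, dst_port, proto)

# Preset judgment basis: node role attribute -> threat level (assumed table).
LEVEL_BY_ROLE = {"safety": "high", "control": "high", "supervision": "medium", "office": "low"}
# Preset calculation method: integer weights of the attributes averaged into the score (assumed).
SCORE_WEIGHTS = {"patch_level": 4, "exposure": 3, "availability": 3}


@dataclass
class AssetNode:
    """A key asset pre-entered by the user: a device, jurisdiction or factory area."""
    name: str
    kind: str                       # "plant", "jurisdiction" or "device"
    role: str                       # preset attribute looked up in LEVEL_BY_ROLE
    ip: Optional[str]               # address the five-tuple is matched against
    attributes: Dict[str, float]    # 0..100, higher is safer (assumed scale)
    detail: str                     # specific node information shown on click


@dataclass
class ThreatRecord:
    """Identification information placed on the topology graph, and what gets stored."""
    node: str
    position: int
    level: str
    score: float
    previous: Optional[str]         # chain neighbour before the threat node
    following: Optional[str]        # chain neighbour after the threat node
    five_tuple: FiveTuple
    alarm_targets: List[str] = field(default_factory=list)


def locate_threat(chain: List[AssetNode], ft: FiveTuple) -> Optional[int]:
    """Match the abnormal message's five-tuple to a chain node; prefer the addressed asset."""
    for target in (ft[1], ft[0]):
        for i, node in enumerate(chain):
            if node.ip == target:
                return i
    return None                      # no pre-entered asset matches: nothing to place


def threat_level(node: AssetNode) -> str:
    """Preset judgment basis: correspondence between the node's role attribute and a level."""
    return LEVEL_BY_ROLE.get(node.role, "medium")   # unknown roles default to medium (assumed)


def security_score(node: AssetNode, weights: Dict[str, int] = SCORE_WEIGHTS) -> float:
    """Preset calculation method: weighted average of the node's attributes.
    Attributes the node lacks are skipped and the remaining weights renormalised."""
    used = [(w, node.attributes[a]) for a, w in weights.items() if a in node.attributes]
    total = sum(w for w, _ in used)
    if total == 0:
        raise ValueError(f"{node.name}: no scoreable attributes")
    return round(sum(w * v for w, v in used) / total, 2)


def handle_alarm(chain: List[AssetNode], ft: FiveTuple, store: List[ThreatRecord]) -> Optional[ThreatRecord]:
    """Steps S102 to S104 plus alarm dispatch and storage for one abnormal node message."""
    pos = locate_threat(chain, ft)
    if pos is None:
        return None
    node = chain[pos]
    targets = [node.name]                 # alarm the node itself ...
    for prev in reversed(chain[:pos]):    # ... and the nearest enclosing area before it
        if prev.kind != "device":
            targets.append(prev.name)
            break
    rec = ThreatRecord(
        node=node.name, position=pos, level=threat_level(node), score=security_score(node),
        previous=chain[pos - 1].name if pos > 0 else None,
        following=chain[pos + 1].name if pos + 1 < len(chain) else None,
        five_tuple=ft, alarm_targets=targets,
    )
    store.append(rec)                     # kept so the event can be consulted later
    return rec


def node_details(chain: List[AssetNode], rec: ThreatRecord) -> str:
    """Step S105: the specific node information shown when the identified node is clicked."""
    n = chain[rec.position]
    return f"{n.name} ({n.kind}) level={rec.level} score={rec.score}: {n.detail}"


# Constructed sample chain following field boundary logic: plant -> room -> area -> device.
CHAIN = [
    AssetNode("plant-A", "plant", "office", None,
              {"patch_level": 80, "exposure": 70, "availability": 95}, "factory area A"),
    AssetNode("distribution-room-2", "jurisdiction", "supervision", "10.1.2.1",
              {"patch_level": 70, "exposure": 60, "availability": 90}, "distribution room 2"),
    AssetNode("control-area-3", "jurisdiction", "control", "10.1.2.2",
              {"patch_level": 65, "exposure": 50, "availability": 92}, "control area 3"),
    AssetNode("plc-7", "device", "control", "10.1.2.7",
              {"patch_level": 60, "exposure": 40, "availability": 90}, "PLC 7 on control loop 3"),
]
# Constructed abnormal node message: an unexpected host addressing the PLC's Modbus/TCP port.
ABNORMAL_MESSAGE: FiveTuple = ("10.1.2.50", "10.1.2.7", 50213, 502, "tcp")
```

`handle_alarm(CHAIN, ABNORMAL_MESSAGE, [])` places the threat on `plc-7` at position 3 with level `high` and score `63.0`, and alarms both the PLC and `control-area-3`.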
The above is an implementation of the present invention. In view of the technical problems of low association and insufficient intuitiveness in prior-art threat alarm methods, the present invention provides a visualization-based threat alarm display method in which key asset information is entered and a linear asset information chain is formed with the key asset nodes as its core. When a threat event occurs, the threat is positioned at its location on the asset chain and displayed in a network topology graph; at the same time the threat is shown in high, medium and low categories, and the security degree of the related devices or partitions is embodied by a security score. The current message of the threat node is analysed in depth, its quintuple information is matched against the node information before and after it on the chain, and the node information is displayed with conspicuous identification information; clicking the identified node positions the threat visually and accurately. This ensures the accuracy of threat display and the logical coherence of the associated information, effectively improves the processing efficiency and accuracy of threat alarm events, and thereby improves the operational safety of the industrial control system.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (1)

1. A threat alarm display method based on visualization is characterized by comprising the following steps:
real-time threat monitoring is carried out on an asset information chain which takes key assets as nodes in the system;
when a threat event triggers an alarm, determining the position of the threat in the asset information chain, specifically comprising:
when a threat event triggers an alarm, deep analysis is carried out on the node message and an abnormal node message is judged;
determining node information associated with a quintuple result according to the quintuple result of the abnormal node message;
determining the position of the threat in the asset information chain according to the node information;
analyzing the threat level of the threat according to a preset judgment basis, and calculating the security score of the threat by a preset calculation method, wherein the method specifically comprises the following steps:
determining the threat level of the threat according to the attribute of the equipment or the area of the node where the threat is located and the corresponding relation between the preset attribute of the equipment or the area and the threat level;
calculating a weighted average value of different attributes of the area or the equipment as a safety score according to the attribute of the equipment or the area of the node where the threat is located;
displaying identification information of the threat, the threat level and the security score in a network topology graph, wherein the network topology graph is a topology structure graph generated according to node information of the asset information chain;
triggering and displaying specific node information of the threat when detecting that the node corresponding to the identification information is clicked;
after the position of the threat in the asset information chain is determined, alarm information is sent to equipment or an area of a node corresponding to the threat;
storing the determined threat level and security score of the threat and the node information of the threat;
wherein the key assets comprise the devices, jurisdictions and factory areas of the system pre-entered by the user; the nodes constructed from the key assets serve as the core of a linear asset information chain; the asset information chain is a relation defined according to field boundary logic; the node information is the specific information of the device, jurisdiction or factory area corresponding to a node of the system pre-entered by the user; the complete chain information serves as a database; and when a threat event occurs, the position of the threat on the asset chain is located and the tracing of the asset information chain is carried out with that position as the core.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711351278.3A CN108111342B (en) 2017-12-15 2017-12-15 Visualization-based threat alarm display method

Publications (2)

Publication Number Publication Date
CN108111342A CN108111342A (en) 2018-06-01
CN108111342B true CN108111342B (en) 2021-08-27

Family

ID=62217278

Country Status (1)

Country Link
CN (1) CN108111342B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110188099A (en) * 2019-05-17 2019-08-30 深圳前海微众银行股份有限公司 A kind of data managing method and device
CN110753039B (en) * 2019-09-29 2022-04-22 苏州浪潮智能科技有限公司 Method and device for remote login safety protection
CN113472725B (en) * 2020-03-31 2023-04-07 阿里巴巴集团控股有限公司 Data processing method and device
CN111880708A (en) * 2020-07-31 2020-11-03 北京微步在线科技有限公司 Interaction method and storage medium for network attack event graph
CN112202764B (en) * 2020-09-28 2023-05-19 中远海运科技股份有限公司 Network attack link visualization system, method and server
CN114338110A (en) * 2021-12-20 2022-04-12 上海纽盾科技股份有限公司 Prediction defense method, device and system for threat information in situation awareness

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010034060A1 (en) * 2008-09-24 2010-04-01 Iintegrate Systems Pty Ltd Alert generation system and method
CN103166794A (en) * 2013-02-22 2013-06-19 中国人民解放军91655部队 Information security management method with integration security control function
CN104348667A (en) * 2014-11-11 2015-02-11 上海新炬网络技术有限公司 Fault positioning method based on warning information
CN106254137A (en) * 2016-08-30 2016-12-21 广州汇通国信信息科技有限公司 The alarm root-cause analysis system and method for supervisory systems

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101436967A (en) * 2008-12-23 2009-05-20 北京邮电大学 Method and system for evaluating network safety situation
CN102170431A (en) * 2011-03-25 2011-08-31 中国电子科技集团公司第三十研究所 Host risk evaluation method and device
CN106357470B (en) * 2016-11-15 2019-09-10 中国电子科技集团公司第四十一研究所 One kind threatening method for quickly sensing based on SDN controller network

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information (inventors after: Hou Zhanying, Zhou Wenjun; inventors before: Zhou Lei, Zhou Wenjun, Jiang Shuanglin)
GR01 Patent grant