CN109067587B - Method and device for determining key information infrastructure - Google Patents

Method and device for determining key information infrastructure Download PDF

Info

Publication number
CN109067587B
CN109067587B CN201810949504.6A CN201810949504A CN109067587B CN 109067587 B CN109067587 B CN 109067587B CN 201810949504 A CN201810949504 A CN 201810949504A CN 109067587 B CN109067587 B CN 109067587B
Authority
CN
China
Prior art keywords
information
data
candidate
key
function module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810949504.6A
Other languages
Chinese (zh)
Other versions
CN109067587A (en
Inventor
秦小伟
李佳
史波良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201810949504.6A priority Critical patent/CN109067587B/en
Publication of CN109067587A publication Critical patent/CN109067587A/en
Application granted granted Critical
Publication of CN109067587B publication Critical patent/CN109067587B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/06Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063Operations research, analysis or management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/10Services
    • G06Q50/26Government or public services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08Configuration management of networks or network elements
    • H04L41/0803Configuration setting
    • H04L41/0823Configuration setting characterised by the purposes of a change of settings, e.g. optimising configuration for enhancing reliability

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Human Resources & Organizations (AREA)
  • Tourism & Hospitality (AREA)
  • Strategic Management (AREA)
  • Economics (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Theoretical Computer Science (AREA)
  • Marketing (AREA)
  • Development Economics (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Educational Administration (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Primary Health Care (AREA)
  • Game Theory and Decision Science (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a method and a device for determining key information infrastructure, wherein in the method, a transmission path of a core data stream supporting normal operation of a key service is determined, then a network facility and an information system through which the core data stream flows on the transmission path and a digital asset generated during transmission on the transmission path are obtained to obtain a candidate element set, and then candidate elements meeting preset conditions are screened from the candidate element set to obtain a target element, so that the key information infrastructure corresponding to the key service is determined according to the target element.

Description

Method and device for determining key information infrastructure
Technical Field
The invention relates to the technical field of key information infrastructures, in particular to a method and a device for determining key information infrastructures.
Background
The Critical Information Infrastructure (CII) refers to a facility related to normal and safe operation of the national economic society in the fields of energy, communication, finance, transportation and the like, and specifically may include network facilities, Information systems, digital assets and the like, and once the Critical Information Infrastructure is damaged, loses functions and data leakage, the national security, the national civilian life and public benefits may be seriously damaged. According to the requirements of national policies, CII operators need to report the specific conditions of CII operated by themselves, perform risk assessment, security inspection and other work on CII to national authorities, and it is a prerequisite and basis for developing the work to determine which network facilities, information systems and digital assets should belong to key information infrastructure.
For example, for a key service (such as an instant messaging service or an online payment service), the number of network facilities, information systems and digital assets supporting the operation of the key service may be huge, and if all the network facilities, information systems and digital assets are attributed to CII, some network facilities, information systems and digital assets which are not important will be maintained and operated according to CII, which will cause unnecessary cost to operators and also make protection measures unfocusable; if a small part of the network facilities, the information systems and the digital assets are randomly selected to be classified as CII, important network facilities, information systems and digital assets may be omitted, so that the important network facilities, information systems and digital assets cannot be effectively protected.
In the process of research and practice on the prior art, the inventor of the present invention finds that, in the prior art, CII operators are generally identified from the importance of the industry, such as communication operators, national large banks, high-speed railway transportation, etc., because once the operation networks of these enterprises are attacked by the network, the national security, economic development and social stability are often seriously affected, however, only CII operators can be identified from the importance of the industry, and it is impossible to accurately select which network facilities, information systems and digital assets owned by CII operators should be included in the CII category, which greatly increases the cost of CII operators and ensures that protective measures cannot be effectively implemented.
Disclosure of Invention
The embodiment of the invention provides a method and a device for determining a key information infrastructure, which can accurately identify the key information infrastructure, are favorable for improving the accuracy of a protection policy and reducing the cost of an operator.
The embodiment of the invention provides a method for determining key information infrastructure, which comprises the following steps:
determining a transmission path of a core data stream supporting normal operation of the key service;
acquiring network facilities and information systems through which core data streams flow on the transmission path and digital assets generated during transmission on the transmission path to obtain a candidate element set;
screening candidate elements meeting preset conditions from the candidate element set to obtain target elements;
and determining key information infrastructure corresponding to the key service according to the target element.
An embodiment of the present invention further provides a device for determining a key information infrastructure, including:
the first determining module is used for determining a transmission path of a core data stream supporting normal operation of the key service;
the first acquisition module is used for acquiring network facilities and information systems through which core data streams flow on the transmission path and digital assets generated during transmission on the transmission path to obtain a candidate element set;
the screening module is used for screening candidate elements meeting preset conditions from the candidate element set to obtain target elements;
and the second determining module is used for determining the key information infrastructure corresponding to the key service according to the target element.
According to the method for determining the key information infrastructure, the transmission path of the core data stream supporting the normal operation of the key service is determined, then the network facility, the information system and the digital assets generated when the data stream flows through the transmission path are obtained, the candidate elements meeting the preset conditions are determined, the target elements are obtained, and the key information infrastructure corresponding to the key service is determined according to the target elements.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic view of a scenario of a method for determining a key information infrastructure according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method for determining a key information infrastructure according to an embodiment of the present invention;
fig. 3 is a schematic diagram illustrating a relationship between nine data phases in the method for determining a key information infrastructure according to the embodiment of the present invention;
fig. 4 is a schematic flowchart illustrating a process of screening candidate elements meeting a preset condition from a candidate element set in the method for determining a key information infrastructure according to an embodiment of the present invention;
FIG. 5 is another schematic flow chart diagram of a method for determining a key information infrastructure provided by an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a description file of a functional module in the method for determining a key information infrastructure according to the embodiment of the present invention;
fig. 7 is a schematic diagram illustrating a presentation form of a document in presentation information of a key information infrastructure in the method for determining a key information infrastructure according to the embodiment of the present invention;
fig. 8 is a schematic structural diagram of a device for determining a key information infrastructure according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of another structure of a key information infrastructure determining apparatus provided in an embodiment of the present invention;
fig. 10 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a method and a device for determining key information infrastructure. The determining means of the critical information infrastructure may be integrated in a server or the like.
For example, as shown in fig. 1, the determining device of the key information infrastructure may be configured to determine a transmission path of a core data stream supporting normal operation of a key service, such as a path shown by a dashed arrow in the figure, where the key service may be an instant messaging application, a mailbox application, a cloud storage application, and the like, then obtain a network facility, an information system, and a digital asset generated during transmission on the transmission path through which the core data stream flows on the transmission path, so as to obtain candidate elements, such as candidate elements A, B, C, D1, D2, and E, F, G, H, I shown in the figure, and then determine candidate elements meeting a condition, so as to obtain a target element, thereby determining the key information infrastructure corresponding to the key service according to the target element. Through the mode, the candidate elements are obtained based on the core data stream of the key service, and then the target elements meeting the preset conditions are screened from the candidate elements to determine the key information infrastructure, so that the key information infrastructure can be determined more accurately, the accuracy of a protection policy is improved, and the cost of an operator is reduced.
The following are detailed below.
The first embodiment,
The present embodiment will be described from the perspective of a server.
Referring to fig. 2, the method for determining a key information infrastructure according to the present invention includes the following steps:
s201, determining a transmission path of a core data stream supporting normal operation of the key service.
The key business may be, for example, an instant messaging application, a mailbox application, or a cloud storage application, among others. In this embodiment, the sum of the data flows in the nine data phases is defined as the core data flow, that is, in this embodiment, the core data flow supporting normal operation of the key service is divided into data flows in the nine data phases, and with reference to fig. 3, the nine data phases include a data design phase, a data collection phase, an external data importing phase, a data integration phase, a data processing phase, a data presentation phase, other application phases, a data storage phase, and a data destruction phase.
The data design stage is a source end of the core data stream, the data destruction stage is a terminal of the core data stream, and the data operation of each data stage is mainly as follows:
in the data design stage, for a given application environment, such as an instant messaging application, an optimal data mode suitable for the application environment is designed, so that the optimal data mode can be effectively stored, circulated and the like, and application requirements of various users can be met.
The data collection stage is mainly a process of collecting data designed in the data design stage.
And in the external data importing stage, information data except the data designed by the business itself is collected mainly according to the requirements of the key business itself.
And a data integration stage, which is mainly used for sorting and cleaning data of different data sources (namely a data collection stage and an external data input stage), converting and loading the data to obtain a new data source so as to meet the requirement of unified processing of information data.
The data processing stage is mainly to extract and derive information data that are valuable and meaningful for certain purposes from a large, possibly chaotic, unintelligible amount of information data.
The data presentation stage is mainly the final presentation of the target to be achieved in the data design stage.
Other application phases, mainly use the information data for presenting other purposes than the final presentation described above.
Data storage stage, mainly recording information data on the medium in a certain format
The data destruction stage is mainly a process of information data extinction and is divided into two types, one type is recoverable deletion, and the other type is non-recoverable deletion.
The transmission path of the core data stream supporting normal operation of the key service is determined according to the transmission sub-paths of the data stream between the nine data phases, that is, the transmission sub-paths of the data stream in the nine data phases form a complete transmission path of the core data stream, and thus, the transmission path of the core data stream is obtained through each transmission sub-path.
S202, acquiring network facilities and information systems which the core data stream flows through on a transmission path and digital assets generated during transmission on the transmission path to obtain a candidate element set.
The network facility, the information system and the generated digital assets that the core data stream flows through on the transmission path can be obtained according to the network facility, the information system and the digital assets that are generated when the data stream flows through on the respective transmission sub-paths in the nine data phases, so as to obtain the candidate element set.
Specifically, the candidate element set is the sum of the network infrastructure, the information system, and the generated digital assets that the data stream flows through in each data phase. Wherein each candidate element in the set of candidate elements represents a network facility, an information system, or a digital asset. The candidate element set forms the maximum possible range (boundary) of the key information infrastructure corresponding to the key service, that is, the network facility, the information system and the digital asset in the candidate element set are most likely to constitute the key information infrastructure corresponding to the key service among all the network facilities, the information systems and the digital assets supporting the key service.
S203, screening candidate elements meeting preset conditions from the candidate element set to obtain target elements.
In order to improve the accuracy of identifying the key information infrastructure, in this embodiment, the candidate elements are further screened to select candidate elements that meet the preset condition. Specifically, the screening of candidate elements meeting the preset condition from the candidate element set may include: judging whether the data interaction of each candidate element in the candidate element set belongs to one of refusal type data interaction, slow type data interaction, error type data interaction and leakage type data interaction; if yes, the candidate elements accord with the preset conditions, and if not, the candidate elements do not accord with the preset conditions.
Wherein, the refusal data interaction: the method means that the candidate elements lose basic functions after being damaged and cannot provide informatization support for the key services supported by the candidate elements. For example, after a signal control system (one of information systems) of a railway is damaged, a train cannot be warned or stopped; after the disaster early warning system is damaged, the disaster early warning system cannot provide dangerous case early warning data and cannot send out a control instruction; a cloud service fails, denies any form of access request, etc.
Slow data interaction: the method means that after the candidate element is attacked, although basic functions are not lost, the information interaction rate between the candidate element and the key service supported by the candidate element is lower than a preset level. For example, in the webcast service, information is transmitted between a client and a server (a user request is received and video information on the server is pushed to the client), and if a candidate element supporting the above function is attacked, the information transmission rate is reduced, which is represented as slow request submission by the user or video playing pause.
Error data interaction: the basic function is tampered after the candidate element is attacked, and error informatization support is provided between the candidate element and the key service supported by the candidate element. For example, the power control system guarantees the safety of power scheduling, and once attacked, the power control system sends an error instruction to the power supply system; the navigation system provides accurate position information for a user, and provides wrong position information after being attacked; the online payment service is to transfer funds to a user-designated account, and if the system is attacked, an incorrect amount of funds may be transferred to the wrong account, and so on.
And (3) leaked data interaction: the method refers to that after the candidate elements are attacked, the key service data information supported by the candidate elements can be leaked out. For example, the data storage service is an important function of cloud service, and only information interaction is performed with authorized users under normal conditions, and if the information is attacked, the information may be provided for illegal users, namely, data leakage occurs; the electronic medical system stores a large amount of patient information, and if the electronic medical system is attacked, personal privacy data can be leaked.
In this embodiment, it is determined whether the data interaction of the candidate element belongs to one of a denial type data interaction, a slow type data interaction, an error type data interaction, and a leakage type data interaction, that is, it is determined whether the candidate element is damaged or attacked, for example, if it is determined that the data interaction of the candidate element belongs to the denial type data interaction, it is described that the candidate element loses a basic function after being damaged, it is completely impossible to provide an informatization support for a key service supported by the candidate element, and so on.
With reference to fig. 4, determining whether the data interaction of each candidate element in the candidate element set belongs to one of a refusal data interaction, a slow data interaction, an error data interaction, and a leakage data interaction may specifically include: and destroying or attacking the candidate element, and then judging whether the data interaction of the candidate element belongs to refusal type data interaction, if so, determining the candidate element to be a target element according with a preset condition, if not, further judging whether the data interaction of the candidate element belongs to slow type data interaction, if so, determining the candidate element to be a target element according with the preset condition, if not, further judging whether the data interaction of the candidate element belongs to error type data interaction, and the like.
Therefore, in this embodiment, when the data interaction of the candidate element belongs to any one of the four data interactions, it may be determined that the candidate element meets the preset condition, and may be determined as the target element, and when the data interaction of the candidate element does not belong to any one of the four data interactions, the candidate element does not meet the preset condition, and is not considered as the target element. By the method, the target elements meeting the preset conditions can be obtained.
And S204, determining key information infrastructure corresponding to the key service according to the target element.
In this embodiment, the set of all target elements is determined as the key information infrastructure supporting normal operation of the key service, that is, in this embodiment, all network facilities, information systems and digital assets meeting the preset conditions in the candidate element set constitute the key information infrastructure of the key service.
In this embodiment, a candidate element set, that is, the maximum possible range of the key information infrastructure, that is, the part of the network facilities, the information systems, and the digital assets that most likely constitute the key information infrastructure, among all the network facilities, the information systems, and the digital assets that support the key service, is determined first through the core data stream of the key service, and then target elements that meet preset conditions are further screened from the candidate element set, so as to obtain the key information infrastructure corresponding to the key service, thereby more accurately determining the key information infrastructure, which is beneficial to improving the accuracy of a protection policy, reducing the cost of an operator, and improving the security protection of the key information infrastructure.
Further, as shown in fig. 5, in another embodiment of the present invention, after step 204, the following steps are further included:
s205, obtaining and outputting the presentation information of the key information infrastructure, wherein the presentation information comprises target element list information.
There are various ways to output the presentation information, for example, the presentation information may be directly displayed on a screen, or stored in a file, or output by printing.
In this embodiment, the presentation information of the key information infrastructure may further include a name of the key information infrastructure, contact information, and operation information of the key service. The name of the key information infrastructure may be uploaded by an operator, or may also be obtained according to profile information of the key service, for example, if the key service is introduced in the profile information of the key service for power scheduling, the obtained name of the key information infrastructure may be a power scheduling command, and the like. In one implementation, the contact information, the running information of the key service and the target element list information may be recorded in a description document, so that the presentation information of the key information infrastructure includes a name and a description document.
The target element list information is list information about target elements included in the key information infrastructure, for example, a name list of the target elements may be formed by using names of the target elements, and then the target element list information may be obtained, and function descriptions of the corresponding target elements may be added beside the names of the name list, so that the names and the function descriptions of the target elements may be displayed. Alternatively, in another implementation, the target elements may be categorized according to functions, and then the categorization information may be displayed as target element list information.
Specifically, acquiring and outputting the presence information of the key information infrastructure may include the steps of:
(11) and acquiring the function type information of each target element to determine the function type of each target element.
The type of function of the target element, i.e. what kind of function the target element implements, is for example for instant messaging applications, there are network facilities or password management systems for implementing password security management, there are transceiving systems for implementing information transmission and reception, etc. The function type information of the target element may be uploaded by an operator, for example, when a network facility is configured to implement information transceiving, the operator may upload the function type information of the network facility; or the function type of the target element can be determined according to the function realized by the target element, so as to obtain the function type information.
(12) According to the function type of each target element, performing function division on all target elements to obtain at least one-level or multi-level function module, and generating a description file of each function module, wherein the description file of the function module comprises a name, an explanation document and a description file of a next-level function module of the function module, and the explanation document of the function module comprises function description information, a network topology structure schematic diagram and a list of the contained target elements of the function module.
In this embodiment, the target element is a network facility, an information system, or a digital asset. For example, network facilities of the same function type may be classified into the same category to obtain one function module, and information systems of the same function type may be classified into the same category to obtain another function module, whereby all target elements are divided according to function types to obtain a plurality of function modules, each function module including one or more target elements.
Further, the obtained plurality of function modules may be further classified to obtain a large function module including the plurality of function modules, so as to obtain a multi-level function module related to the target element, for example, the target elements in the function module a are network facilities of a password management type, the target elements in the function module B are information systems of a password management type, the function module a and the function module B are function modules of a password management type, at this time, the function module a and the function module B may be combined into one large function module C, that is, the function module a and the function module B are next-level function modules of the function module C.
As shown in fig. 6, the description file of the function module includes a name of the function module, a description document, and a description file of the next function module, where the description document includes the function description information of the current function module, the network topology diagram, and a list of included target elements, where the list of the target elements does not include the target elements included in the next function module.
(13) And obtaining a function module description file list according to the description file of the maximum-level function module, and further obtaining target element list information.
The function module description file list is also a file list formed by description files of the maximum level function modules. In this embodiment, the function module description file list is used as the target element list information. Taking the example of outputting the presentation information of the key information infrastructure in a display manner, in this embodiment, when the presentation information of the key information infrastructure is displayed, the displayed target element list information is a function module description file list, that is, a file list formed by description files of the maximum-level function modules.
It should be noted that, in this embodiment, although a file list formed by the description files of each maximum-level function module is displayed as target element list information, the description file of the maximum-level function module further includes the description file of the next-level function module and a network topology diagram of the current-level function module, and so on, so that the content included in the description file of the maximum-level function module is also implied in the displayed presentation information, and the content included in the description file of the maximum-level function module can be displayed by clicking the description file of the maximum-level function module.
For example, when displaying the presentation information of the key information infrastructure, the presentation form of the description document included in the presentation information may be as shown in fig. 7, where 71 in the figure is a content display interface of the description document of the key information infrastructure, and the target element list information is a list of description files of each maximum level function module. Wherein, the description file of a certain function module can be clicked in the content display interface 71 to open the description file, for example, after clicking the description file of the function module 1, the content in the description file of the function module 1 will be displayed, as shown in the content display interface indicated by 72. In the content display interface 72, an explanatory document of the function module 1 can be opened, the content interface of the explanatory document is shown as 73 in the figure, and in the content display interface 73 of the explanatory document of the function module 1, the specific function introduction of the function module 1, the network topology structure diagram thereof, the target elements included in the function module, and the like can be viewed.
As shown in fig. 7, in the content display interface 71 of the explanatory document of the key information infrastructure, the descriptive file of the function module 1 may be a folder loaded with a name file, an explanatory document and a descriptive file of the next function module, or may be a link address linked to the content display interface 72, and the explanatory document in the content display interface 72 may be a text document, or may be a link address linked to the content display interface 73.
When a certain level of functional module does not include a next level of functional module, the description file of the level of functional module may be a name and description document that only includes the functional module.
Through the basic information of the key information infrastructure of the embodiment, the specific conditions of each target element contained in the key information infrastructure can be conveniently and quickly consulted.
In the above embodiment, the core data stream is selected from data streams in nine data phases, and in other embodiments of the present invention, the core data stream of the critical service may also be all data streams generated when the critical service operates, so the candidate element set obtained according to the core data stream may be the sum of all network facilities, information systems, and digital assets supporting the critical service.
Example II,
The present embodiment will be described from the perspective of a server.
Referring to fig. 8, the device for determining a key information infrastructure of the present embodiment includes a first determining module 801, a first obtaining module 802, a screening module 803, and a second determining module 804.
The first determining module 801 is configured to determine a transmission path of a core data stream supporting normal operation of a critical service. In this embodiment, the core data stream supporting normal operation of the key service is divided into data streams in nine data phases, and the first determining module 801 is specifically configured to determine the transmission path supporting the core data stream supporting normal operation of the key service according to the transmission sub-path of the data streams between the nine data phases. The nine data phases comprise a data design phase, a data collection phase, an external data import phase, a data integration phase, a data processing phase, a data presentation phase, other application phases, a data storage phase and a data destruction phase. The data design stage is a source end of the core data stream, and the data destruction stage is a terminal of the core data stream.
The first obtaining module 802 is configured to obtain a network facility, an information system, and a digital asset generated during transmission of a core data stream on a transmission path, so as to obtain a candidate element set. Specifically, the first obtaining module 802 may be configured to obtain the network facility, the information system, and the generated digital assets that the core data stream flows through on the transmission path according to the network facility, the information system, and the digital assets that are generated when the data stream flows through on the respective transmission sub-paths in the nine data phases, so as to obtain the candidate element set. The candidate element set is the sum of the network facilities and information systems through which the core data stream flows in each data phase and the digital assets generated in each data phase, which includes all the network facilities and information systems through which the core data stream flows and all the digital assets generated in the transmission process.
The screening module 803 is configured to screen candidate elements that meet a preset condition from the candidate element set to obtain a target element. In this embodiment, the candidate elements are further screened to select candidate elements meeting the preset condition. Specifically, the screening module 803 is specifically configured to determine whether the data interaction of each candidate element in the candidate element set belongs to one of a refusal type data interaction, a slow type data interaction, an error type data interaction, and a leakage type data interaction; if yes, the candidate elements accord with the preset conditions, and if not, the candidate elements do not accord with the preset conditions.
Therefore, in this embodiment, when the data interaction of the candidate element belongs to any one of the four data interactions, it may be determined that the candidate element meets the preset condition, and may be determined as the target element, and when the data interaction of the candidate element does not belong to any one of the four data interactions, the candidate element does not meet the preset condition, and is not considered as the target element. By the method, the target elements meeting the preset conditions can be obtained.
The second determining module 804 is configured to determine a key information infrastructure corresponding to the key service according to the target element. Specifically, the second determining module 804 is configured to determine the set of all target elements as the key information infrastructure supporting normal operation of the key service, that is, in this embodiment, all network facilities, information systems and digital assets meeting the preset condition in the candidate element set constitute the key information infrastructure of the key service.
In this embodiment, a candidate element set, that is, the maximum possible range of the key information infrastructure, that is, the part of the network facilities, the information systems, and the digital assets that most likely constitute the key information infrastructure, among all the network facilities, the information systems, and the digital assets that support the key service, is determined first through the core data stream of the key service, and then target elements that meet preset conditions are further screened from the candidate element set, so as to obtain the key information infrastructure corresponding to the key service, thereby more accurately determining the key information infrastructure, which is beneficial to improving the accuracy of the protection policy, and reducing the cost of an operator.
Further, referring to fig. 9, the determining apparatus according to the embodiment of the present invention may further include an output module 805 configured to obtain and output presence information of the key information infrastructure, where the presence information includes target element list information. There are various ways to output the presentation information, for example, the presentation information may be directly displayed on a screen, or stored in a file, or output by printing.
In this embodiment, the presentation information of the key information infrastructure may further include a name of the key information infrastructure, contact information, and operation information of the key service. The name of the key information infrastructure may be uploaded by an operator, or may also be obtained according to profile information of the key service, for example, if the key service is introduced in the profile information of the key service for power scheduling, the obtained name of the key information infrastructure may be a power scheduling command, and the like. In one implementation, the contact information, the running information of the key service and the target element list information may be recorded in a description document, so that the presentation information of the key information infrastructure includes a name and a description document.
The target element list information is list information about target elements included in the key information infrastructure, for example, a name list of the target elements may be formed by using names of the target elements, and then the target element list information may be obtained, and function descriptions of the corresponding target elements may be added beside the names of the name list, so that the names and the function descriptions of the target elements may be displayed. Alternatively, in another implementation, the target elements may be categorized according to functions, and then the categorization information may be displayed as target element list information.
Specifically, the output module 805 may be configured to obtain function type information of each target element to determine a function type of each target element; then, according to the function type of each target element, performing function division on all target elements to obtain at least one-level or multi-level function module, and generating a description file of each function module, wherein the description file of the function module comprises a name, an explanation document and a description file of a next-level function module of the function module, and the explanation document of the function module comprises function description information of the function module, a network topological structure schematic diagram and a list of contained target elements; and then obtaining a function module description file list according to the description file of the maximum-level function module, and further obtaining target element list information.
In this embodiment, the output module 805 outputs the presentation information in a display manner. For example, when displaying the presentation information of the key information infrastructure, displaying the description document contained in the presentation information may be as shown in fig. 7, wherein the description file of a certain function module may be clicked in the content display interface 71 of the description document of the key information infrastructure to open the description file, for example, after clicking the description file of the function module 1, the content in the description file of the function module 1 will be displayed, as shown in the content display interface indicated by 72. In the content display interface 72, an explanatory document of the function module 1 can be opened, the content interface of the explanatory document is shown as 73 in the figure, and in the content display interface 73 of the explanatory document of the function module 1, the specific function introduction of the function module 1, the network topology structure diagram thereof, the target elements included in the function module, and the like can be viewed.
Through the basic information of the key information infrastructure of the embodiment, the specific conditions of each target element contained in the key information infrastructure can be conveniently and quickly consulted.
Example III,
An embodiment of the present invention further provides a server, as shown in fig. 10, which shows a schematic structural diagram of the server according to the embodiment of the present invention, specifically:
the server may include components such as a processor 1001 of one or more processing cores, memory 1002 of one or more computer-readable storage media, a power source 1003, and an input unit 1004. Those skilled in the art will appreciate that the server architecture shown in FIG. 10 is not meant to be limiting, and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components. Wherein:
the processor 1001 is a control center of the server, connects various parts of the entire server using various interfaces and lines, and performs various functions of the server and processes data by running or executing software programs and/or modules stored in the memory 1002 and calling data stored in the memory 1002, thereby performing overall monitoring of the server. Optionally, processor 1001 may include one or more processing cores; preferably, the processor 1001 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 1001.
The memory 1002 may be used to store software programs and modules, and the processor 1001 executes various functional applications and data processing by operating the software programs and modules stored in the memory 1002. The memory 1002 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created according to the use of the server, and the like. Further, the memory 1002 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 1002 may also include a memory controller to provide the processor 1001 access to the memory 1002.
The server further includes a power source 1003 for supplying power to each component, and preferably, the power source 1003 may be logically connected to the processor 1001 through a power management system, so that functions of managing charging, discharging, power consumption, and the like are implemented through the power management system. The power source 1003 may also include any component including one or more of a dc or ac power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
The server may also include an input unit 1004, and the input unit 1004 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the server may further include a display unit and the like, which will not be described in detail herein. Specifically, in this embodiment, the processor 1001 in the server loads the executable file corresponding to the process of one or more application programs into the memory 1002 according to the following instructions, and the processor 1001 runs the application programs stored in the memory 1002, so as to implement various functions as follows:
determining a transmission path of a core data stream supporting normal operation of a key service, then acquiring network facilities and information systems through which the core data stream flows on the transmission path and digital assets generated during transmission on the transmission path to obtain a candidate element set, and then screening candidate elements meeting preset conditions from the candidate element set to obtain target elements, thereby determining a key information infrastructure corresponding to the key service according to the target elements.
Wherein, whether the data interaction of each candidate element in the candidate element set belongs to one of refusal data interaction, slow data interaction, error data interaction and leakage data interaction can be judged; if yes, the candidate elements accord with preset conditions; if not, the candidate element does not meet the preset condition.
The transmission path of the core data stream supporting normal operation of the key service can be determined according to the transmission sub-paths of the data streams in the nine data phases, and then the network facility, the information system and the generated digital assets through which the core data stream flows on the transmission path can be obtained according to the network facility, the information system and the generated digital assets through which the data streams in the data phases flow on the transmission sub-paths.
After determining the key information infrastructure, the presence information of the key information infrastructure can be acquired and output, and the presence information includes target element list information.
The target element list information may be obtained, for example, by obtaining function type information of each target element to determine a function type of each target element, then performing function division on all target elements according to the function type of each target element to obtain one or more function modules, and generating a description file of each function module, where the description file of a function module includes a name, an explanation document, and a description file of a next-level function module, and the explanation document of a function module includes function description information of the function module, a network topology diagram, and a list of target elements included in the description document, so that a function module description file list is obtained according to the description file of the maximum-level function module, and then target element list information is obtained.
In this embodiment, a candidate element set, that is, the maximum possible range of the key information infrastructure, that is, the part of the network facilities, the information systems, and the digital assets that most likely constitute the key information infrastructure, among all the network facilities, the information systems, and the digital assets that support the key service, is determined first through the core data stream of the key service, and then target elements that meet preset conditions are further screened from the candidate element set, so as to obtain the key information infrastructure corresponding to the key service, thereby more accurately determining the key information infrastructure, which is beneficial to improving the accuracy of the protection policy, and reducing the cost of an operator.
Example four,
It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be performed by instructions or by associated hardware controlled by the instructions, which may be stored in a computer readable storage medium and loaded and executed by a processor.
To this end, embodiments of the present invention provide a storage medium having stored therein a plurality of instructions that can be loaded by a processor to perform the steps of any of the methods for determining a critical information infrastructure provided by embodiments of the present invention. For example, the instructions may include the steps of:
determining a transmission path of a core data stream supporting normal operation of a key service, then acquiring network facilities and information systems through which the core data stream flows on the transmission path and digital assets generated during transmission on the transmission path to obtain a candidate element set, and then screening candidate elements meeting preset conditions from the candidate element set to obtain target elements, thereby determining a key information infrastructure corresponding to the key service according to the target elements.
Wherein, whether the data interaction of each candidate element in the candidate element set belongs to one of refusal data interaction, slow data interaction, error data interaction and leakage data interaction can be judged; if yes, the candidate elements accord with preset conditions; if not, the candidate element does not meet the preset condition.
The transmission path of the core data stream supporting normal operation of the key service can be determined according to the transmission sub-paths of the data streams in the nine data phases, and then the network facility, the information system and the generated digital assets through which the core data stream flows on the transmission path can be obtained according to the network facility, the information system and the generated digital assets through which the data streams in the data phases flow on the transmission sub-paths.
After determining the key information infrastructure, the presence information of the key information infrastructure can be acquired and output, and the presence information includes target element list information.
The target element list information may be obtained, for example, by obtaining function type information of each target element to determine a function type of each target element, then performing function division on all target elements according to the function type of each target element to obtain one or more function modules, and generating a description file of each function module, where the description file of a function module includes a name, an explanation document, and a description file of a next-level function module, and the explanation document of a function module includes function description information of the function module, a network topology diagram, and a list of target elements included in the description document, so that a function module description file list is obtained according to the description file of the maximum-level function module, and then target element list information is obtained.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
Wherein the storage medium may include: read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like.
Since the instructions stored in the storage medium may execute the steps in the method for determining any key information infrastructure provided in the embodiment of the present invention, the beneficial effects that can be achieved by the method for determining any key information infrastructure provided in the embodiment of the present invention can be achieved, which are detailed in the foregoing embodiments and will not be described again here.
The method and the apparatus for determining a key information infrastructure provided by the embodiment of the present invention are described in detail above, and a specific example is applied in the text to explain the principle and the implementation of the present invention, and the description of the above embodiment is only used to help understanding the method and the core idea of the present invention; meanwhile, for those skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A method for determining a key information infrastructure, comprising:
determining a transmission path of a core data stream supporting normal operation of the key service;
acquiring network facilities and information systems through which core data streams flow on the transmission path and digital assets generated during transmission on the transmission path to obtain a candidate element set; the candidate element set refers to all or part of network facilities, information systems and digital assets supporting key services;
screening candidate elements meeting preset conditions from the candidate element set to obtain target elements;
determining key information infrastructure corresponding to the key service according to the target element;
the screening of candidate elements meeting preset conditions from the candidate element set comprises:
judging whether the data interaction of each candidate element in the candidate element set belongs to one of refusal type data interaction, slow type data interaction, error type data interaction and leakage type data interaction; the refusal type data interaction means that the basic function of the candidate element is lost after the candidate element is damaged, and the informatization support cannot be provided for the key service supported by the candidate element; the slow data interaction means that the information interaction rate between the candidate elements and the supported key services is lower than a preset level although the candidate elements do not lose basic functions after being attacked; the error data interaction means that after the candidate elements are attacked, the basic functions are tampered, and error informatization support is provided between the candidate elements and the supported key services; the leakage type data interaction means that after the candidate elements are attacked, key service data information supported by the candidate elements can be leaked out;
if yes, the candidate elements accord with preset conditions; if not, the candidate element does not accord with the preset condition;
the determining a transmission path of a core data stream supporting normal operation of the critical service includes:
determining a transmission path of a core data stream supporting normal operation of a key service according to transmission sub-paths of the data stream in nine data stages, wherein the nine data stages comprise a data design stage, a data collection stage, an external data import stage, a data integration stage, a data processing stage, a data presentation stage, other application stages, a data storage stage and a data destruction stage.
2. The method of claim 1, wherein obtaining the network infrastructure, information system, and digital assets generated while transmitting over the transmission path through which the core data stream flows comprises: and obtaining the network facility, the information system and the generated digital assets of the core data stream flowing on the transmission path according to the network facility, the information system and the generated digital assets of the data stream flowing on each transmission sub-path in each data phase.
3. The method of claim 1, after determining a key information infrastructure corresponding to the key service according to the target element, further comprising:
and acquiring and outputting the presentation information of the key information infrastructure, wherein the presentation information comprises target element list information.
4. The method of claim 3, wherein the obtaining and outputting presence information for the key information infrastructure comprises:
acquiring function type information of each target element to determine the function type of each target element;
according to the function type of each target element, performing function division on all the target elements to obtain at least one-level or multi-level function module, and generating a description file of each function module, wherein the description file of the function module comprises a name of the function module, an explanation document and a description file of the next-level function module, and the explanation document of the function module comprises function description information of the function module, a network topology schematic diagram and a list of the contained target elements;
and obtaining a function module description file list according to the description file of the maximum-level function module, and further obtaining target element list information.
5. The method of claim 3, wherein the presence information further comprises a name of a key information infrastructure, contact information, and running information of a key service.
6. An apparatus for determining a key information infrastructure, comprising:
the first determining module is used for determining a transmission path of a core data stream supporting normal operation of the key service;
the first acquisition module is used for acquiring network facilities and information systems through which core data streams flow on the transmission path and digital assets generated during transmission on the transmission path to obtain a candidate element set; the candidate element set refers to all or part of network facilities, information systems and digital assets supporting key services;
the screening module is used for screening candidate elements meeting preset conditions from the candidate element set to obtain target elements;
the second determining module is used for determining key information infrastructure corresponding to the key service according to the target element;
the screening module is specifically configured to:
judging whether the data interaction of each candidate element in the candidate element set belongs to one of refusal type data interaction, slow type data interaction, error type data interaction and leakage type data interaction; the refusal type data interaction means that the basic function of the candidate element is lost after the candidate element is damaged, and the informatization support cannot be provided for the key service supported by the candidate element; the slow data interaction means that the information interaction rate between the candidate elements and the supported key services is lower than a preset level although the candidate elements do not lose basic functions after being attacked; the error data interaction means that after the candidate elements are attacked, the basic functions are tampered, and error informatization support is provided between the candidate elements and the supported key services; the leakage type data interaction means that after the candidate elements are attacked, key service data information supported by the candidate elements can be leaked out;
if yes, the candidate elements accord with preset conditions; if not, the candidate element does not accord with the preset condition;
the first determining module is specifically configured to determine a transmission path of a core data stream supporting normal operation of a key service according to transmission sub-paths of the data stream in nine data phases, where the nine data phases include a data design phase, a data collection phase, an external data import phase, a data integration phase, a data processing phase, a data presentation phase, other application phases, a data storage phase, and a data destruction phase;
the first obtaining module is specifically configured to obtain, according to the network facility, the information system, and the generated digital asset that the data stream in each data phase flows through on each transmission sub-path, the network facility, the information system, and the generated digital asset that the core data stream flows through on the transmission path.
7. The apparatus of claim 6, further comprising:
and the output module is used for acquiring and outputting the presentation information of the key information infrastructure, wherein the presentation information comprises target element list information.
8. The apparatus of claim 7, wherein the output module is specifically configured to:
acquiring function type information of each target element to determine the function type of each target element;
according to the function type of each target element, performing function division on all the target elements to obtain at least one-level or multi-level function module, and generating a description file of each function module, wherein the description file of the function module comprises a name of the function module, an explanation document and a description file of the next-level function module, and the explanation document of the function module comprises function description information of the function module, a network topology schematic diagram and a list of the contained target elements;
and obtaining a function module description file list according to the description file of the maximum-level function module, and further obtaining target element list information.
9. The apparatus of claim 8, wherein the presence information further comprises a name of a key information infrastructure, contact information, and operation information of a key service.
10. A computer-readable storage medium storing a computer program for message processing, wherein the computer program causes a computer to perform the method according to any one of claims 1-5.
CN201810949504.6A 2018-08-20 2018-08-20 Method and device for determining key information infrastructure Active CN109067587B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810949504.6A CN109067587B (en) 2018-08-20 2018-08-20 Method and device for determining key information infrastructure

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810949504.6A CN109067587B (en) 2018-08-20 2018-08-20 Method and device for determining key information infrastructure

Publications (2)

Publication Number Publication Date
CN109067587A CN109067587A (en) 2018-12-21
CN109067587B true CN109067587B (en) 2020-09-04

Family

ID=64687531

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810949504.6A Active CN109067587B (en) 2018-08-20 2018-08-20 Method and device for determining key information infrastructure

Country Status (1)

Country Link
CN (1) CN109067587B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110334904B (en) * 2019-05-30 2023-03-03 北京理工大学 LightGBM-based key information infrastructure type unit attribution determination method
CN112686468B (en) * 2021-01-14 2023-05-26 浙江工商大学 Public facility stability optimization method
CN117914625B (en) * 2024-03-11 2024-05-24 四川九洲视讯科技有限责任公司 Network security situation assessment method and system based on key information infrastructure

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101587488A (en) * 2009-05-25 2009-11-25 深圳市腾讯计算机系统有限公司 Method and device for detecting re-orientation of page in search engine
CN102799834A (en) * 2012-06-07 2012-11-28 天津大学 System-asset-based software security requirement analysis method
CN103970872A (en) * 2014-05-13 2014-08-06 上海新炬网络技术有限公司 Multi-level data processing method based on service aperture
CN104636663A (en) * 2014-12-29 2015-05-20 国家电网公司 Security threat analyzing method based on service data stream model
CN105868373A (en) * 2016-03-31 2016-08-17 国网江西省电力公司信息通信分公司 Method and device for processing key data of power service information system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110153748A1 (en) * 2009-12-18 2011-06-23 Electronics And Telecommunications Research Institute Remote forensics system based on network
CN108270605A (en) * 2016-12-31 2018-07-10 中国移动通信集团山西有限公司 The determining method, apparatus and equipment of a kind of important network element
CN106789322B (en) * 2017-01-05 2019-08-27 清华大学 The determination method and apparatus of key node in Information Network

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101587488A (en) * 2009-05-25 2009-11-25 深圳市腾讯计算机系统有限公司 Method and device for detecting re-orientation of page in search engine
CN102799834A (en) * 2012-06-07 2012-11-28 天津大学 System-asset-based software security requirement analysis method
CN103970872A (en) * 2014-05-13 2014-08-06 上海新炬网络技术有限公司 Multi-level data processing method based on service aperture
CN104636663A (en) * 2014-12-29 2015-05-20 国家电网公司 Security threat analyzing method based on service data stream model
CN105868373A (en) * 2016-03-31 2016-08-17 国网江西省电力公司信息通信分公司 Method and device for processing key data of power service information system

Also Published As

Publication number Publication date
CN109067587A (en) 2018-12-21

Similar Documents

Publication Publication Date Title
US11036867B2 (en) Advanced rule analyzer to identify similarities in security rules, deduplicate rules, and generate new rules
Ab Rahman et al. Forensic-by-design framework for cyber-physical cloud systems
US10657287B2 (en) Identification of pseudonymized data within data sources
Breier et al. Anomaly detection from log files using data mining techniques
CN109361711B (en) Firewall configuration method and device, electronic equipment and computer readable medium
US9094291B1 (en) Partial risk score calculation for a data object
CN112636957B (en) Early warning method and device based on log, server and storage medium
CN109067587B (en) Method and device for determining key information infrastructure
US10440050B1 (en) Identifying sensitive data on computer networks
KR20200057903A (en) Artificial intelligence model platform and operation method thereof
US11297024B1 (en) Chat-based systems and methods for data loss prevention
US20210096974A1 (en) Evidence mining for compliance management
CN110414246B (en) Shared file security management method, device, terminal and storage medium
CN110955897A (en) Software research and development safety control visualization method and system based on big data
JPWO2015121923A1 (en) Log analysis device, unauthorized access audit system, log analysis program, and log analysis method
US20240356939A1 (en) Security analysis assistance apparatus, security analysis assistance method, and computer-readable recording medium
US20170078234A1 (en) Systems and methods for detecting, reporting and cleaning metadata from inbound attachments
Lee et al. Quantum computing threat modelling on a generic cps setup
US20130145289A1 (en) Real-time duplication of a chat transcript between a person of interest and a correspondent of the person of interest for use by a law enforcement agent
Bountakas et al. SYNAPSE-An Integrated Cyber Security Risk & Resilience Management Platform, With Holistic Situational Awareness, Incident Response & Preparedness Capabilities: SYNAPSE
Temple et al. Railway system failure scenario analysis
CN112732539A (en) Data responsibility adjustment early warning method and system based on personnel organization and post information transaction
US8996672B2 (en) Application data layer coverage discovery and gap analysis
CN115577369A (en) Source code leakage behavior detection method and device, electronic equipment and storage medium
CN111241547A (en) Detection method, device and system for unauthorized vulnerability

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant