CN109587124B - Method, device and system for processing power network - Google Patents

Publication number
CN109587124B
Authority
CN
China
Prior art keywords
strategy
protection
power network
preset
network
Legal status
Active
Application number
CN201811393591.8A
Other languages
Chinese (zh)
Other versions
CN109587124A (en)
Inventor
孙少华
杨林慧
张广德
李智年
唐玉萍
侯骏
郭磊
刘生成
吴昊
祁倩民
Current Assignee
State Grid Corp of China SGCC
State Grid Qinghai Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Qinghai Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Qinghai Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Qinghai Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Qinghai Electric Power Co Ltd and Information and Telecommunication Branch of State Grid Qinghai Electric Power Co Ltd
Priority to CN201811393591.8A
Publication of CN109587124A
Application granted
Publication of CN109587124B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0263 Rule management
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/10 Active monitoring, e.g. heartbeat, ping or trace-route
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a method, a device and a system for processing a power network. The method comprises the following steps: acquiring a protection strategy of safety equipment in a power network; analyzing the protection strategy to obtain an analysis result, wherein the analysis result is used for representing whether the protection strategy is effective or not; and under the condition that the analysis result is that the protection strategy is invalid, processing the protection strategy, wherein the processing comprises one or more of the following: deletion and merging. The invention solves the technical problem that the safety equipment in the power network in the prior art cannot meet the safety protection requirement.

Description

Method, device and system for processing power network
Technical Field
The invention relates to the field of power systems, in particular to a method, a device and a system for processing a power network.
Background
The existing network security defense system of the Information and Telecommunication Branch of State Grid Qinghai Electric Power Co Ltd comprehensively adopts various means such as firewalls, intrusion detection, host monitoring, identity authentication and virus prevention to construct a bastion-type rigid defense system that blocks or isolates external intrusion. As shown in figure 1, the system consists of firewalls, intrusion detection, intrusion prevention, information network boundary security detection probes, internal and external network virus prevention, an internal and external network unified vulnerability patch management system, an internal and external network desktop terminal management system, system vulnerability scanning equipment, unknown threat induction equipment, flow control, traceability and other systems.
For boundary data transmission security of areas such as the data center, marketing and ERP, the provincial company deploys security domain boundary firewalls at the boundaries of the application areas and configures quintuple-based security protection strategies on them, realizing port-level access control for systems such as the data center, marketing and transactions. IDS/IPS security devices are deployed in bypass mode on each security domain, and known threats in the provincial company network, such as abnormal traffic, trojans, worms, SQL injection and XSS, are effectively detected and presented by feature-library matching. The IPS accurately blocks application-layer attack behaviours such as SQL injection and XSS, so that application-level security of the service systems is guaranteed.
Security products such as firewalls and intrusion prevention are deployed on the backbone network, and the security of the Qinghai company's longitudinal backbone network is guaranteed by firewall security strategies and the IPS feature library.
At city level, access control is realized by deploying security equipment such as intrusion detection and firewalls and filtering by source address, destination address and port, thereby reducing unknown risks and threats.
However, while this static, layered defense-in-depth system responds rapidly and protects effectively against known attacks based on prior knowledge, it cannot effectively sense, alarm on or locate an unknown attacker, and is itself at risk of being attacked. Because the basic security protection facilities in such a defense system usually adopt a fixed deployment mode, and the related protocols, services, applications and operating parameters generally lack variability, an attacker can analyze the system over a long period, search for and exploit system vulnerabilities and, once an attack succeeds, keep control for a long time while continuously damaging system security; once a single attack means takes effect locally, it spreads easily and affects the whole network over a large area.
No effective solution has yet been proposed for the problem that the safety equipment in the power network in the prior art cannot meet the safety protection requirement.
Disclosure of Invention
The embodiment of the invention provides a processing method, a processing device and a processing system of a power network, which are used for at least solving the technical problem that safety equipment in the power network in the prior art cannot meet the safety protection requirement.
According to an aspect of an embodiment of the present invention, there is provided a processing method for a power network, including: acquiring a protection strategy of safety equipment in a power network; analyzing the protection strategy to obtain an analysis result, wherein the analysis result is used for representing whether the protection strategy is effective or not; and under the condition that the analysis result is that the protection strategy is invalid, processing the protection strategy, wherein the processing comprises one or more of the following: deletion and merging.
Further, analyzing the protection strategy to obtain an analysis result comprises: analyzing the logic of the protection strategy and judging whether a preset strategy exists in the protection strategy, wherein the preset strategy comprises one or more of the following strategies: a cross strategy, a redundancy strategy, a conflict strategy and a merging strategy; acquiring data traffic of the power network and judging whether a first matching degree of the protection strategy and the data traffic is greater than or equal to a first preset threshold value, wherein the data traffic comprises service traffic and management traffic; acquiring a preset protection list and judging whether a second matching degree of the protection strategy and the preset protection list is greater than or equal to a second preset threshold value, wherein the preset protection list comprises a black list and a white list; determining that the analysis result is that the protection strategy is valid under the condition that no preset strategy exists in the protection strategy, the first matching degree is greater than or equal to the first preset threshold value, and the second matching degree is greater than or equal to the second preset threshold value; and determining that the analysis result is that the protection strategy is invalid under the condition that a preset strategy exists in the protection strategy, the first matching degree is smaller than the first preset threshold value, or the second matching degree is smaller than the second preset threshold value.
Further, after processing the protection policy, the method further includes: acquiring data traffic of the power network and first equipment information of the safety equipment, wherein the first equipment information comprises operating system information and open port information of the safety equipment; obtaining the association relation between the safety devices based on the data traffic and the equipment information; and displaying the association relation.
Further, obtaining the association relationship between the security devices based on the data traffic and the device information includes: obtaining quintuple data of the power network based on the data flow and the equipment information; and obtaining the association relation based on the quintuple data.
Further, displaying the association relation includes displaying interconnection information of the association relation, wherein the interconnection information comprises: the start time and end time of the association, the network address, the open port, the home, the attribute information of the security device, and the protocol data.
Further, after acquiring the data traffic of the power network, the method further includes: acquiring the characteristics of data flow; obtaining network assets of the power network based on the characteristics of the data traffic; and carrying out validity check on the network assets to obtain a check result.
Further, after obtaining the network assets of the power network based on the characteristics of the data traffic, the method further includes: judging whether the network assets are preset assets, wherein the preset assets are generated from assets in the power network; and after determining that a network asset is a preset asset, determining that the network address corresponding to the network asset is an alive network asset.
Further, after processing the protection policy, the method further includes: acquiring a network message in the power network; and, based on the network message, carrying out attack detection on the power network to obtain a first detection result, wherein the first detection result is used for representing whether an attack exists in the power network, and the attack comprises one or more of the following: options attacks, scanning attacks, Christmas tree attacks and denial of service attacks.
Further, in the case that the first detection result is that an attack exists in the power network, the method further includes: obtaining, through network address positioning, the network address of the safety equipment under attack; and displaying the network address of the security device under attack.
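The four attack kinds named above can be checked on captured network messages with simple per-packet and per-window rules, and the result of each check can carry the address of the device under attack, which is the network address positioning the paragraph above describes. The following Python is an added example written for this page, not code from the patent or from State Grid; the packet records, the flag names and the thresholds SCAN_PORTS, SCAN_WINDOW and DOS_PPS are constructed assumptions, and "options attack" is read here as packets that carry IP header options.

```python
"""Attack detection on captured network messages: options, scanning, Christmas tree, DoS.

Added example, not the patent's own code. Packet records, flag names and every
threshold are constructed assumptions; "options attack" is read as packets
carrying IP header options. Each alert names the attacking source and the
address of the device under attack (the positioning step).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float                         # capture time in seconds
    src: str
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flag names, e.g. {"SYN"}
    ip_options: bool = False          # True if the IP header carries options


SCAN_PORTS = 20       # distinct destination ports from one source within SCAN_WINDOW
SCAN_WINDOW = 60.0    # seconds
DOS_PPS = 500         # packets per second from one source to one device


def is_christmas_tree(p):
    """FIN, PSH and URG set together is the Christmas tree signature."""
    return {"FIN", "PSH", "URG"} <= p.flags


def detect_attacks(packets):
    """Return sorted (kind, attacker, attacked_address) alerts."""
    alerts = set()
    port_history = defaultdict(list)   # (src, dst) -> [(ts, dport), ...] inside the window
    per_second = defaultdict(int)      # (src, dst, whole second) -> packet count
    for p in sorted(packets, key=lambda x: x.ts):
        if p.ip_options:
            alerts.add(("options", p.src, p.dst))
        if is_christmas_tree(p):
            alerts.add(("christmas_tree", p.src, p.dst))
        hist = port_history[(p.src, p.dst)]
        hist.append((p.ts, p.dport))
        hist[:] = [(t, d) for t, d in hist if p.ts - t <= SCAN_WINDOW]
        if len({d for _, d in hist}) >= SCAN_PORTS:
            alerts.add(("scanning", p.src, p.dst))
        bucket = (p.src, p.dst, int(p.ts))
        per_second[bucket] += 1
        if per_second[bucket] > DOS_PPS:
            alerts.add(("denial_of_service", p.src, p.dst))
    return sorted(alerts)


def attacked_addresses(alerts):
    """Network addresses of the security devices found under attack."""
    return sorted({dst for _, _, dst in alerts})


# Constructed capture: a little normal traffic plus one instance of each attack kind
SAMPLE = (
    [Packet(1.0 + i * 0.01, "10.1.1.10", "10.2.0.5", 80, frozenset({"SYN"})) for i in range(5)]
    + [Packet(2.0, "10.9.9.1", "10.2.0.5", 80, frozenset({"FIN", "PSH", "URG"}))]
    + [Packet(3.0 + i * 0.05, "10.9.9.2", "10.2.0.5", 1 + i, frozenset({"SYN"})) for i in range(30)]
    + [Packet(5.0 + i * 0.001, "10.9.9.3", "10.2.0.6", 80, frozenset({"SYN"})) for i in range(600)]
    + [Packet(6.0, "10.9.9.4", "10.2.0.7", 22, frozenset({"SYN"}), ip_options=True)]
)

if __name__ == "__main__":
    found = detect_attacks(SAMPLE)
    print(found)
    print("devices under attack:", attacked_addresses(found))
```

On the constructed capture the five normal packets raise nothing, while each of the four attack sources produces exactly one alert naming the device it targeted.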
Further, after processing the protection policy, the method further includes: acquiring service connection of a power network; and analyzing the service connection to obtain a second detection result, wherein the second detection result is used for representing whether Trojan horse behaviors exist in the power network.
Further, analyzing the service connection to obtain a second detection result includes one or more of the following: judging whether a reverse connection exists in the service connection, wherein if a reverse connection exists the second detection result is that Trojan horse behaviour exists in the power network, and otherwise that it does not; judging whether the ratio of uplink traffic to downlink traffic of the service connection meets a preset characteristic, wherein if the ratio does not meet the preset characteristic the second detection result is that Trojan horse behaviour exists in the power network, and otherwise that it does not; judging whether heartbeat data messages exist in the service connection, wherein if heartbeat data messages exist the second detection result is that Trojan horse behaviour exists in the power network, and otherwise that it does not; and judging whether the service message corresponding to the service connection can be parsed, whether encryption behaviour exists or whether an illegal value exists, wherein if the service message cannot be parsed, encryption behaviour exists or an illegal value exists, the second detection result is that Trojan horse behaviour exists in the power network, and if the service message can be parsed, no encryption behaviour exists and no illegal value exists, the second detection result is that Trojan horse behaviour does not exist in the power network.
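The four Trojan-behaviour judgments listed above, applied to constructed connection records, as an added example that is not part of the patent. The SERVER_HOSTS inventory, the CLEARTEXT_PORTS set, the ratio and heartbeat thresholds and the use of byte entropy as a stand-in for "encryption behaviour" are all assumptions made for this illustration.

```python
"""Heuristic Trojan-behaviour checks on service connections.

Added example (not the patent's own code). It applies the four checks the
summary lists to constructed connection records: reverse connection,
uplink/downlink traffic ratio, heartbeat messages, and service messages that
cannot be parsed or look encrypted. Record fields, the server inventory and
all thresholds are assumptions chosen for illustration.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumption: internal hosts that only ever accept connections in normal service.
SERVER_HOSTS = {"10.1.1.20"}
CLEARTEXT_PORTS = {80, 8080}                    # assumption: HTTP expected on these ports
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")
UPLINK_RATIO_MAX = 3.0      # preset characteristic: uplink/downlink above this is abnormal
HEARTBEAT_MIN_PACKETS = 5
HEARTBEAT_JITTER = 0.1      # coefficient of variation of inter-packet gaps


@dataclass
class Connection:
    src_ip: str              # host that opened the connection
    dst_ip: str
    dst_port: int
    bytes_up: int            # bytes sent by src_ip
    bytes_down: int          # bytes sent back to src_ip
    packet_times: list       # seconds at which src_ip sent packets
    payload: bytes           # first application-data bytes sent by src_ip


def is_reverse_connection(c):
    """A server opening an outbound connection reverses the expected direction."""
    return c.src_ip in SERVER_HOSTS


def ratio_abnormal(c):
    """Clients normally download more than they upload; the reverse is suspicious."""
    return c.bytes_up / max(c.bytes_down, 1) > UPLINK_RATIO_MAX


def has_heartbeat(c):
    """Near-constant spacing between many packets is the classic beacon pattern."""
    t = sorted(c.packet_times)
    gaps = [b - a for a, b in zip(t, t[1:])]
    if len(t) < HEARTBEAT_MIN_PACKETS or mean(gaps) == 0:
        return False
    return pstdev(gaps) / mean(gaps) < HEARTBEAT_JITTER


def entropy(data):
    """Shannon entropy in bits per byte; 8.0 means uniformly random bytes."""
    n = len(data)
    return -sum(k / n * math.log2(k / n) for k in Counter(data).values()) if n else 0.0


def message_unparseable(c):
    """Expected cleartext that fails to parse, or high-entropy bytes where cleartext is expected."""
    if c.dst_port in CLEARTEXT_PORTS:
        return not HTTP_REQUEST.match(c.payload) or entropy(c.payload) > 6.0
    return entropy(c.payload) > 7.0   # assumption: near-random data on an unexpected port


def detect_trojan(c):
    """Second detection result: (trojan_present, reasons)."""
    checks = {"reverse_connection": is_reverse_connection,
              "uplink_ratio": ratio_abnormal,
              "heartbeat": has_heartbeat,
              "unparseable_message": message_unparseable}
    reasons = [name for name, check in checks.items() if check(c)]
    return bool(reasons), reasons


# Constructed sample connections: an ordinary web request and a periodic beacon
BENIGN = Connection("10.2.3.4", "10.1.1.20", 80, 900, 45000,
                    [0.0, 0.3, 1.7, 2.1, 9.4],
                    b"GET /index.html HTTP/1.1\r\nHost: erp.example\r\n\r\n")
BEACON = Connection("10.1.1.20", "10.9.9.9", 8443, 5000, 200,
                    [0.0, 60.0, 120.0, 180.0, 240.0, 300.0],
                    bytes(range(256)))

if __name__ == "__main__":
    for label, conn in (("benign", BENIGN), ("beacon", BEACON)):
        print(label, detect_trojan(conn))
```

Each check is independent and any one of them yields a positive result, which matches the "one or more of the following" wording; in practice the reasons list is what an analyst would triage, since a single check such as the traffic ratio can also fire on legitimate backups or uploads.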
According to another aspect of the embodiments of the present invention, there is also provided a processing apparatus for a power network, including: an acquisition module for acquiring a protection strategy of the safety equipment in the power network; an analysis module for analyzing the protection strategy to obtain an analysis result, wherein the analysis result is used for representing whether the protection strategy is effective or not; and a processing module for processing the protection strategy under the condition that the analysis result is that the protection strategy is invalid, wherein the processing comprises one or more of the following: deletion and merging.
According to another aspect of the embodiments of the present invention, there is also provided a processing system for a power network, including: an electrical power network comprising a security device; and monitoring equipment connected with the power network and used for acquiring the protection strategy of the safety equipment, analyzing the protection strategy to obtain an analysis result, and processing the protection strategy under the condition that the analysis result is that the protection strategy is invalid, wherein the analysis result is used for representing whether the protection strategy is valid or not, and the processing comprises one or more of the following: deletion and merging.
Further, the monitoring equipment comprises: a first monitoring device deployed at the provincial company in the power network; second monitoring equipment deployed at the front ends of the provincial company data center, management system and marketing system in the power network; and third monitoring equipment deployed on the core switch of the local access network.
According to another aspect of the embodiments of the present invention, there is also provided a storage medium including a stored program, wherein when the program runs, a device on which the storage medium is located is controlled to execute the processing method of the power network.
According to another aspect of the embodiments of the present invention, there is also provided a processor, configured to execute a program, where the program executes the processing method of the power network.
In the embodiment of the invention, after the protection strategy of the safety equipment in the power network is obtained, the protection strategy is analyzed to obtain an analysis result, and under the condition that the analysis result is that the protection strategy is invalid, the protection strategy is deleted, merged or otherwise processed. The firewall strategy is thereby verified and combed through, problematic strategies are pointed out, and clear and reasonable optimization suggestions can be given, achieving the technical effect of promoting the optimization of the firewall strategy so that the performance and protection effect of the safety equipment meet the basic requirements of each unit, and solving the technical problem that the safety equipment in the power network in the prior art cannot meet the safety protection requirements.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of an electrical power network according to the prior art;
FIG. 2 is a flow chart of a method of processing a power network according to an embodiment of the invention;
FIG. 3 is a schematic diagram of a processing device of a power network according to an embodiment of the invention;
FIG. 4 is a schematic diagram of a processing system of a power network according to an embodiment of the invention;
FIG. 5 is a schematic diagram of an alternative provincial corporation processing system in accordance with embodiments of the present invention; and
FIG. 6 is a schematic diagram of an alternative processing system for a metro company in accordance with an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
In accordance with an embodiment of the present invention, an embodiment of a processing method for an electrical power network is provided. It is noted that the steps illustrated in the flowchart of the drawings may be performed in a computer system such as a set of computer-executable instructions, and that while a logical order is illustrated in the flowchart, in some cases the steps illustrated or described may be performed in an order different from that described here.
Fig. 2 is a flow chart of a processing method of a power network according to an embodiment of the present invention. As shown in fig. 2, the method includes the following steps:
step S202, a protection strategy of the safety equipment in the power network is obtained.
Specifically, the security device may be a security domain device in the power network, for example a firewall, and the protection policy may be a firewall policy. Whether the firewall strategy is reasonable and effective determines whether the performance of the firewall can be fully exerted and, further, whether the power information intranet achieves the expected access control effect.
Step S204, analyzing the protection strategy to obtain an analysis result, wherein the analysis result is used for representing whether the protection strategy is effective or not.
It should be noted that, because the firewall administrator cannot comprehensively grasp the internal condition of the power information network, it is impossible to make an efficient access control policy, and the efficiency of the firewall becomes lower and lower over time. Administrators do not dare to clean up some expired and redundant strategies that need cleaning, so access control is affected; strategies that could be merged reduce firewall performance. When the protection strategy and configuration of the original old security equipment are migrated to a new product, the biggest problem faced is that it cannot be confirmed whether the security protection strategy of the old equipment is still effective, or whether redundancy, looseness, repetition and similar problems exist.
In an optional scheme, audit analysis may be performed on the firewall policy through the security domain flow monitoring system, and problems of a cross policy, a redundancy policy, a conflict policy, a mergeable policy, and the like existing in the firewall policy are discovered in time, and when it is determined that the firewall policy has the above problems, it may be determined that the firewall policy is invalid.
Step S206, under the condition that the analysis result is that the protection strategy is invalid, processing the protection strategy, wherein the processing comprises one or more of the following: deletion and merging.
In an optional scheme, after firewall policies are analyzed and determined to be invalid, if it is determined that there are policies which are expired in the firewall policies and whose redundancy needs to be cleaned, relevant policies can be cleaned and deleted; if it is determined that there are policy issues in the firewall policies that can be merged, the relevant policies can be merged.
By adopting the embodiment of the invention, after the protection strategy of the safety equipment in the power network is obtained, the protection strategy is analyzed to obtain an analysis result, and under the condition that the analysis result is that the protection strategy is invalid, the protection strategy is deleted, merged or otherwise processed. The firewall strategy is thereby verified and combed through, problematic strategies are pointed out, and clear and reasonable optimization suggestions can be given, achieving the technical effect of promoting the optimization of the firewall strategy so that the performance and protection effect of the safety equipment meet the basic requirements of each unit, and solving the technical problem that the safety equipment in the power network in the prior art cannot meet the safety protection requirements.
Optionally, in the foregoing embodiment of the present invention, in step S204, analyzing the protection policy, and obtaining an analysis result includes:
step S2040, analyzing the logic of the protection policy, and determining whether a preset policy exists in the protection policy, where the preset policy includes one or more of the following: cross policy, redundancy policy, conflict policy, and merge policy.
In an optional scheme, basic analysis may be performed on the firewall policy, that is, audit analysis may be performed on the logic of the firewall policy itself, and it is found that there are problems of a cross policy, a redundancy policy, a conflict policy, a mergeable policy, and the like in the firewall policy.
Step S2042, acquiring data traffic of the power network, and determining whether a first matching degree between the protection policy and the data traffic is greater than or equal to a first preset threshold, where the data traffic includes: service traffic and management traffic.
It should be noted that in the actual environment of the power information network it is common that a policy including a time range must be configured and is then not cleared in time after the time expires; another situation is that firewall administrators, lacking an overall picture of the power information network and uncertain of the access control rules, configure policies that cover "any" or a very large range.
Specifically, the data traffic may be data traffic in an electric power service network, and the first preset threshold may be a preset matching degree for characterizing that the protection policy is successfully matched with the data traffic.
In an optional scheme, by matching and associating the firewall policy with the real data traffic, a deep problem existing in the firewall policy can be found, and the purpose of optimizing the firewall is achieved.
Step S2044, acquiring a preset protection list, and determining whether a second matching degree between the protection policy and the preset protection list is greater than or equal to a second preset threshold, where the preset protection list includes: black and white lists.
Specifically, the preset protection list may be a black list and a white list, and the second preset threshold may be a preset matching degree for representing that the protection policy is successfully matched with the black and white list.
In an optional scheme, the firewall policy can be refined according to the black and white list, which determines which traffic is released and which is blocked. The black and white list can be obtained by sorting through a period of interconnection data, and the sorted list is then matched and associated with the firewall policy for analysis, so that the firewall policy is further refined.
Step S2046, determining that the analysis result is that the protection policy is valid under the condition that the protection policy does not include a preset policy, the first matching degree is greater than or equal to a first preset threshold, and the second matching degree is greater than or equal to a second preset threshold.
In an optional scheme, if it is determined that there are no problems of a cross policy, a redundancy policy, a conflict policy, a mergeable policy, and the like in the firewall policy, the firewall policy is successfully matched with the data traffic (that is, a first matching degree of the protection policy and the data traffic is greater than or equal to a first preset threshold), and the firewall policy is successfully matched with the black-and-white list (that is, a second matching degree of the protection policy and the black-and-white list is greater than or equal to a second preset threshold), it may be determined that the firewall policy is reasonable and effective.
Step S2048, determining that the analysis result is that the protection policy is invalid when a preset policy exists in the protection policy, and the first matching degree is smaller than a first preset threshold, or the second matching degree is smaller than a second preset threshold.
In an optional scheme, if it is determined that there are problems of a cross policy, a redundancy policy, a conflict policy, a mergeable policy, and the like in the firewall policy, and the firewall policy fails to match the data traffic (that is, a first matching degree of the protection policy and the data traffic is smaller than a first preset threshold), or the firewall policy fails to match the black-and-white list (that is, a second matching degree of the protection policy and the black-and-white list is smaller than a second preset threshold), it may be determined that the firewall policy is invalid and needs to be optimized.
By this scheme, not only a static analysis technique for firewall strategies (analyzing the static relations between firewall strategies) but also a dynamic strategy analysis technique based on real firewall traffic can be adopted, so that detection of overly wide strategies and of hidden traffic is more accurate.
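Steps S2040 to S2048 as one runnable audit over a small constructed rule set: the static relation checks for cross, redundancy, conflict and mergeable policies, the first matching degree against sampled traffic, the second matching degree against a black and white list, and the final valid/invalid decision. This is an added example written for this page, not code from the patent or from State Grid. The five-tuple rule model with first-match semantics, the sample rules RULES, the flows FLOWS, the list LISTS and both thresholds are assumptions; the patent does not define how the two matching degrees are computed, so they are interpreted here as hit shares (share of rules that traffic actually hits, and share of list entries whose expected action the policy enforces).

```python
"""Firewall policy audit: static rule-relationship checks plus two matching degrees.

Added example, not the patent's own code. The rule model (five-tuple rules
with first-match semantics), the rule set, the traffic sample, the black/white
list and both thresholds are constructed assumptions. "Matching degree" is
interpreted as a hit share; the patent does not define its formula.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source CIDR
    dst: str          # destination CIDR
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # (low, high) destination port range, inclusive
    action: str       # "allow" or "deny"


def _covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])


def _overlaps(a, b):
    """True if some packet matches both rules."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (a.proto == b.proto or "any" in (a.proto, b.proto))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def static_issues(rules):
    """Cross, redundancy, conflict and mergeable findings as (kind, earlier, later)."""
    issues = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same = earlier.action == later.action
            if _covers(earlier, later):              # later rule can never fire
                issues.append(("redundancy" if same else "conflict", earlier.name, later.name))
            elif same and _covers(later, earlier):   # earlier adds nothing (simplified: ignores rules in between)
                issues.append(("redundancy", earlier.name, later.name))
            elif not same and _overlaps(earlier, later):
                issues.append(("cross", earlier.name, later.name))
            elif (same and (earlier.src, earlier.dst, earlier.proto) == (later.src, later.dst, later.proto)
                  and later.ports[0] <= earlier.ports[1] + 1 and earlier.ports[0] <= later.ports[1] + 1):
                issues.append(("mergeable", earlier.name, later.name))  # adjacent port ranges
    return issues


def first_match(rules, flow):
    """First-match lookup of a (src_ip, dst_ip, proto, dport) flow."""
    src, dst, proto, port = flow
    for r in rules:
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and r.proto in ("any", proto) and r.ports[0] <= port <= r.ports[1]):
            return r
    return None


def traffic_matching_degree(rules, flows):
    """Share of rules hit by at least one observed flow (assumed first matching degree)."""
    hit = {r.name for r in (first_match(rules, f) for f in flows) if r}
    return len(hit) / len(rules)


def list_matching_degree(rules, entries):
    """Share of black/white-list entries whose expected action the policy enforces."""
    agree = 0
    for src, dst, proto, port, expected in entries:
        r = first_match(rules, (src, dst, proto, port))
        agree += (r.action if r else "deny") == expected   # assumption: implicit default deny
    return agree / len(entries)


def analyze(rules, flows, entries, threshold1=0.8, threshold2=0.9):
    """Analysis result: valid only with no preset-policy findings and both degrees at or above threshold."""
    issues = static_issues(rules)
    m1 = traffic_matching_degree(rules, flows)
    m2 = list_matching_degree(rules, entries)
    return {"valid": not issues and m1 >= threshold1 and m2 >= threshold2,
            "issues": issues, "traffic_match": m1, "list_match": m2}


# Constructed policy: R1/R2 mergeable, R3 shadowed by R1 (conflict), R4 covered by R2, R5 crossing R2 and R4
RULES = [
    Rule("R1", "10.1.0.0/16", "10.2.0.0/24", "tcp", (80, 80), "allow"),
    Rule("R2", "10.1.0.0/16", "10.2.0.0/24", "tcp", (81, 90), "allow"),
    Rule("R3", "10.1.5.0/24", "10.2.0.0/24", "tcp", (80, 80), "deny"),
    Rule("R4", "10.1.5.0/24", "10.2.0.0/24", "tcp", (81, 90), "allow"),
    Rule("R5", "10.1.0.0/16", "10.2.0.0/24", "tcp", (85, 100), "deny"),
]
FLOWS = [("10.1.1.10", "10.2.0.5", "tcp", 80), ("10.1.1.10", "10.2.0.5", "tcp", 85),
         ("10.1.5.7", "10.2.0.5", "tcp", 80), ("10.1.1.10", "10.2.0.5", "tcp", 95)]
LISTS = [("10.1.1.10", "10.2.0.5", "tcp", 80, "allow"),   # white list
         ("10.1.5.7", "10.2.0.5", "tcp", 80, "deny"),     # black list: violated because R3 is shadowed
         ("10.1.1.10", "10.2.0.5", "tcp", 443, "deny"),
         ("10.3.0.1", "10.2.0.5", "tcp", 80, "deny")]

if __name__ == "__main__":
    print(analyze(RULES, FLOWS, LISTS))
```

The black-list entry for 10.1.5.7 is the instructive case: the static check reports R3 as a conflict (shadowed by the broader R1), and the list matching degree drops independently because the policy releases traffic the list says must be blocked; the two views confirm each other, which is the point of combining static and traffic-based analysis.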
Optionally, in the foregoing embodiment of the present invention, after the step S206, after processing the protection policy, the method further includes:
step S208, acquiring data traffic of the power network and first device information of the security device, where the first device information includes: operating system information and open port information of the security device.
Specifically, the data traffic may be information intranet traffic of the State Grid Qinghai information and communication company, obtained by sniffing. The first device information may be operating system information and open port information of the host.
Step S210, obtaining the association relation between the safety devices based on the data flow and the device information.
Step S212, displaying the association relation.
In an optional scheme, data traffic between and within the security domains of the power intranet can be collected by the security domain flow monitoring system; once the host information of the service intranet has been obtained, the interconnection relationship between the security domain devices can be combed out and displayed.
With this scheme, the security situations of the provincial company and of the prefecture and city branch companies are visualized, so that when an unknown threat attack occurs the attack source can be located immediately, the attack track is shown on a visual map, and the decision maker is given a solid basis for correct command. Illegal external connections, illegal assets and other events are warned of in real time, creating a secure network environment that can be operated, managed and visualized.
Optionally, in the foregoing embodiment of the present invention, in step S210, obtaining the association relationship between the security devices based on the data traffic and the device information includes:
Step S2102, obtaining quintuple data of the power network based on the data traffic and the device information.
Specifically, the quintuple data may include: source IP, destination IP, source port, destination port and protocol.
Step S2104, obtaining the association relation based on the quintuple data.
In an optional scheme, data traffic between and within the security domains of the power intranet can be collected by the security domain flow monitoring system, and once the host information of the service intranet has been obtained, the interconnection relationship between the security domain devices can be combed out further by means of the quintuple data of the network.
Optionally, in the foregoing embodiment of the present invention, in step S212, displaying the association relationship includes:
Step S2122, displaying interconnection information of the association relationship, wherein the interconnection information includes: the start time and end time of the association, the network address, the open port, the home location, the attribute information of the security device, and the protocol data.
Specifically, the network address may be an IP address, the home location may be the IP home location, the attribute information may be attribute information of the device corresponding to the IP, and the protocol data may be application layer protocol content.
In an optional scheme, after the security domain flow monitoring system has combed out the interconnection relationship among the security domain devices, detailed information about the interconnection relationship can be displayed, such as its start and end time, the IP, the port, the IP home location, the attribute information of the device corresponding to the IP, and the application layer protocol content.
With this scheme, the security domain flow monitoring system can record detailed interconnection data, promptly discover illegal external connections, suspicious data volumes and the like in the network of the State Grid Qinghai communication company, and display them visually.
Optionally, in the above embodiment of the present invention, after acquiring the data traffic of the power network in step S208, the method further includes:
Step S214, acquiring the characteristics of the data traffic.
Step S216, obtaining network assets of the power network based on the characteristics of the data traffic.
In an optional scheme, after the information intranet traffic of the State Grid Qinghai communication company has been obtained by active sniffing, the characteristics of the traffic can be analyzed and the assets in the power network accurately discovered.
Step S218, carrying out a validity check on the network assets to obtain a check result.
In an optional scheme, the discovered power intranet network assets can be checked manually to confirm which are legitimate network assets and which are illegitimate, and online confirmation of assets is supported.
With this scheme, the surviving hosts among the network assets can be discovered comprehensively, accurately and automatically without interfering with the network.
Optionally, in the foregoing embodiment of the present invention, after obtaining the network asset of the power network based on the characteristic of the data traffic in step S216, the method further includes:
step S220, determining whether the network asset is a preset asset, wherein the preset asset is generated by an asset in the power network.
Specifically, the preset assets may be determined from the traffic generated by real assets in the power grid.
Step S222, after determining that the network asset is a preset asset, determining that the network address corresponding to the network asset is a live network asset.
In an optional scheme, by analyzing the characteristics of the traffic, it can be accurately determined which traffic is generated by real assets in the power intranet, and the corresponding IP addresses are reported as live network assets.
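The following added example (not the patent's code) covers the quintuple association of steps S2102-S2104, the interconnection information of step S2122, the traffic-based live-asset determination of steps S216-S222 and the illegal external connection discovery mentioned above, over a constructed set of flow records; the intranet prefix, addresses, timestamps and the device inventory are assumptions.

```python
"""Added example: interconnection records from 5-tuples, live assets from traffic and
illegal external connections. All flows, addresses and the inventory are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    t_start: int      # epoch seconds
    t_end: int
    src: str          # initiator
    dst: str          # responder
    sport: int
    dport: int
    proto: str
    bytes_up: int     # src -> dst
    bytes_down: int   # dst -> src

def five_tuple(f):
    return (f.src, f.dst, f.sport, f.dport, f.proto)

def build_associations(flows):
    """One interconnection record per (initiator, responder) pair with the fields the
    page lists: start/end time, open ports and protocols (steps S2104, S2122)."""
    assoc = {}
    for f in flows:
        rec = assoc.setdefault((f.src, f.dst), {"start": f.t_start, "end": f.t_end,
                                                 "open_ports": set(), "protocols": set(), "flows": 0})
        rec["start"] = min(rec["start"], f.t_start)
        rec["end"] = max(rec["end"], f.t_end)
        if f.bytes_down > 0:            # the responder answered, so the port is genuinely open
            rec["open_ports"].add(f.dport)
        rec["protocols"].add(f.proto)
        rec["flows"] += 1
    return assoc

def live_assets(flows, intranet):
    """Steps S220-S222: an intranet address is a live asset only if it generated traffic
    itself (initiated or answered a flow). Addresses merely targeted, e.g. by a scan, are not."""
    net = ip_network(intranet)
    alive = set()
    for f in flows:
        if ip_address(f.src) in net:
            alive.add(f.src)
        if f.bytes_down > 0 and ip_address(f.dst) in net:
            alive.add(f.dst)
    return alive

def external_connections(assoc, intranet):
    """Pairs in which an intranet host initiated a session to an address outside the intranet."""
    net = ip_network(intranet)
    return sorted(p for p in assoc if ip_address(p[0]) in net and ip_address(p[1]) not in net)

def render(assoc, intranet, inventory):
    """Display lines in the order of step S2122; `inventory` maps an IP to device attributes."""
    net = ip_network(intranet)
    lines = []
    for (src, dst), rec in sorted(assoc.items()):
        home = "intranet" if ip_address(dst) in net else "external"
        attrs = inventory.get(dst, "unknown device")
        lines.append(f"{rec['start']}-{rec['end']} {src} -> {dst} ports={sorted(rec['open_ports'])} "
                     f"home={home} attrs={attrs} proto={','.join(sorted(rec['protocols']))}")
    return lines

FLOWS = [  # constructed sample records
    Flow(100, 160, "10.10.1.5", "10.10.2.20", 50123, 445, "tcp", 2000, 8000),
    Flow(170, 171, "10.10.1.5", "10.10.2.20", 50124, 3389, "tcp", 500, 0),       # probe, no answer
    Flow(175, 176, "10.10.1.5", "10.10.2.21", 50125, 22, "tcp", 300, 0),         # target never answers
    Flow(200, 260, "10.10.2.20", "203.0.113.8", 50200, 443, "tcp", 4000, 9000),  # leaves the intranet
    Flow(300, 305, "10.10.3.9", "10.10.2.20", 50300, 445, "tcp", 100, 300),
]
INVENTORY = {"10.10.2.20": "file server, Windows", "10.10.1.5": "office PC"}   # constructed
```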
Optionally, in the foregoing embodiment of the present invention, after step S206 of processing the protection policy, the method further includes:
Step S224, acquiring a network packet in the power network.
Specifically, for detecting abnormal connections in the network of the State Grid Qinghai communication company, the security domain flow monitoring system provides detection of four attack types: the TCP (Transmission Control Protocol) Option attack, the TCP Scan attack (scanning attack), the Xmas Tree attack (Christmas tree attack) and the Land attack (a denial-of-service attack).
Further, the network packet may be a TCP packet, and the second device information includes: host liveness, open ports, operating system, etc.
Step S226, based on the network packet, performing attack detection on the power network to obtain a first detection result, where the first detection result is used to represent whether an attack exists in the power network, and the attack includes one or more of the following: options attacks, scanning attacks, christmas tree attacks, and denial of service attacks.
It should be noted that, in the TCP Option attack, an attacker constructs abnormal packets by exploiting the characteristics of the Option field in the TCP packet, which increases the performance consumption of the server and in serious cases may crash the protocol processing unit; in the TCP Scan attack, an attacker exploits the fact that a host returns different information for different combinations of flag bits in the TCP packet in order to probe host information, which facilitates subsequent attacks; in the Xmas Tree attack, an attacker sets all the flag bit fields of the TCP packet to 1, and processing such packets consumes route processor resources and bandwidth on the router's internal IP control bus, thereby exhausting the resources of the router or server and suppressing normal legitimate connections; in the Land attack, an attacker sets the source address and destination address of the packet to the address of the server, so that the server establishes the communication requested by the attacker and its resources are consumed; under a Land attack the server runs slowly and the system may even crash.
In an optional scheme, whether a TCP Option attack exists in the power network can be detected by inspecting the Option field in the TCP packet; whether a TCP Scan attack exists is detected by checking whether the flag bits in the TCP packet indicate that host information is being probed; whether an Xmas Tree attack exists is detected by checking whether all the flag fields in the TCP packet are set to 1; and whether a Land attack exists is detected by checking whether the source and destination addresses in the TCP packet are both set to the server address. Once any of these attacks is detected in the power network, a detection result indicating that an attack exists in the power network is generated.
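As an added example (not the patent's code), the four checks above implemented over raw TCP headers in the RFC 793 layout; the segments are constructed with the `build_tcp` helper, and the scan threshold and addresses are assumptions.

```python
"""Added example: detectors for the four TCP attack types of steps S224-S226, run over
constructed segments. Thresholds and addresses are illustrative."""
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG


def parse_tcp(segment):
    """Parse the fixed TCP header; raise ValueError if it is truncated or the data offset lies."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("data offset outside segment")
    return {"sport": sport, "dport": dport, "flags": flags & 0x3F, "options": segment[20:data_off]}

def option_anomaly(options):
    """Walk the Option TLVs: report an Option attack when a length is impossible."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                   # End of option list
            return False
        if kind == 1:                   # No-operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):       # kind present but its length byte is missing
            return True
        length = options[i + 1]
        if length < 2 or i + length > len(options):   # zero/one-byte length or runs past the header
            return True
        i += length
    return False

def build_tcp(sport, dport, flags, options=b""):
    """Constructed segments for this example only; pads options and sets the data offset."""
    options += b"\x00" * (-len(options) % 4)
    data_off = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_off << 4, flags, 1024, 0, 0) + options

class TcpAttackDetector:
    """Per-segment checks plus a per-source distinct-port counter for scan detection."""

    def __init__(self, scan_port_threshold=5):
        self.threshold = scan_port_threshold
        self.syn_ports = defaultdict(set)   # source IP -> destination ports probed with SYN

    def inspect(self, src_ip, dst_ip, segment):
        """Return the labels found: a subset of {option, scan, xmas_tree, land, malformed}."""
        try:
            tcp = parse_tcp(segment)
        except ValueError:
            return {"malformed"}
        hits = set()
        flags = tcp["flags"]
        if option_anomaly(tcp["options"]):
            hits.add("option")
        if flags == ALL_SIX:                 # every flag bit set, as the page describes
            hits.add("xmas_tree")
        if src_ip == dst_ip:                 # source forged to the server's own address
            hits.add("land")
        if flags in (0, FIN, SYN | FIN):     # NULL/FIN/SYN-FIN probes draw OS-specific replies
            hits.add("scan")
        if flags & SYN and not flags & ACK:  # connection attempts: count distinct ports per source
            self.syn_ports[src_ip].add(tcp["dport"])
            if len(self.syn_ports[src_ip]) >= self.threshold:
                hits.add("scan")
        return hits
```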
Optionally, in the above embodiment of the present invention, in a case that the first detection result is that there is an attack in the power network, the method further includes:
Step S228, obtaining the network address of the security device at which the attack exists, through network address location.
Specifically, the network address location may use IP geolocation technology; with IP geolocation, IP source location and region-based configuration of lists and policies by IP address are supported, which not only enhances the readability and relevance of the data but also enriches the perspectives available for data analysis.
Step S230, displaying the network address of the security device at which the attack exists.
In an optional scheme, the IP address under attack can be located by IP geolocation and presented effectively, the traffic security situation in the network of the State Grid Qinghai communication company can be visualized, and the propagation track and attack source of a virus spread through a zero-day vulnerability in the network can be discovered and located in time.
Optionally, in the foregoing embodiment of the present invention, after step S206 of processing the protection policy, the method further includes:
Step S232, acquiring a service connection of the power network.
Step S234, analyzing the service connection to obtain a second detection result, where the second detection result is used to represent whether Trojan horse behaviour exists in the power network.
In an optional scheme, the security domain flow monitoring system may analyze the features of service connections of the State Grid Qinghai communication company using a Trojan detection method based on Trojan traffic behaviour features, determine whether Trojan behaviour exists in the power network and, where it does, locate the IP address exhibiting the Trojan behaviour by IP geolocation and present it effectively. In this way the traffic security situation in the network of the State Grid Qinghai communication company can be visualized, and the propagation track and attack source of a Trojan introduced through a zero-day vulnerability in the network can be discovered and located in time.
With this scheme, a detection technique based on Trojan traffic behaviour characteristics can be adopted, so the Trojan traffic detection range is wider: not only the traffic of known Trojans but also the traffic of unknown Trojans can be detected effectively.
Optionally, in the foregoing embodiment of the present invention, in step S234, analyzing the service connection, and obtaining the second detection result includes one or more of the following:
step S2342, determining whether a reverse connection exists in the service connection, wherein if the reverse connection exists in the service connection, it is determined that the second detection result is that a trojan behavior exists in the power network, and if the reverse connection does not exist in the service connection, it is determined that the second detection result is that the trojan behavior does not exist in the power network.
Step S2344, determining whether a traffic ratio of the uplink traffic and the downlink traffic of the service connection satisfies a preset feature, wherein if the traffic ratio does not satisfy the preset feature, it is determined that the second detection result is that the Trojan horse behavior exists in the power network, and if the traffic ratio satisfies the preset feature, it is determined that the second detection result is that the Trojan horse behavior does not exist in the power network.
Step S2346, determining whether a heartbeat data packet exists in the service connection, wherein if a heartbeat data packet exists in the service connection, it is determined that the second detection result is that Trojan horse behaviour exists in the power network, and if no heartbeat data packet exists in the service connection, it is determined that the second detection result is that Trojan horse behaviour does not exist in the power network.
Step S2348, determining whether the service packet corresponding to the service connection can be parsed, whether encryption behaviour exists, and whether an illegal value exists, wherein if the service packet cannot be parsed, encryption behaviour exists, or an illegal value exists, it is determined that the second detection result is that Trojan behaviour exists in the power network, and if the service packet can be parsed, no encryption behaviour exists and no illegal value exists, it is determined that the second detection result is that Trojan behaviour does not exist in the power network.
In an optional scheme, the detection points are: whether a reverse connection exists in the connection; whether the uplink/downlink traffic ratio of the connection departs from the usual characteristics; whether data packets resembling heartbeats exist in the connection; and whether a connection established on a common service carries data that cannot be parsed, shows encryption behaviour, or contains illegal values in certain fields of the data packets. With these detection points, novel unknown Trojans that may exist in the network of the State Grid Qinghai communication company can be detected without relying on a Trojan signature library, which improves the timeliness of detecting novel Trojans and effectively detects Trojan behaviour in the traffic of the power network.
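The four indicators of steps S2342-S2348 as an added example (not the patent's code) applied to constructed connection records; the intranet prefix, ratio limits, jitter bound and the HTTP-only modelling of the parse/encryption/illegal-value check are assumptions.

```python
"""Added example: the four Trojan indicators of steps S2342-S2348 over constructed
connection records. Intranet prefix, ratio limits, jitter bound and HTTP model are assumed."""
import math
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTRANET = ip_network("10.10.0.0/16")        # constructed
MAX_UP_DOWN_RATIO = {80: 0.5, 443: 0.5}      # clients of these services mostly download
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


@dataclass
class Connection:
    src: str              # initiator
    dst: str              # responder
    dport: int
    bytes_up: int
    bytes_down: int
    packet_times: list    # send times (seconds) of the initiator's packets
    payload: bytes        # first application-layer bytes sent by the initiator

def is_reverse_connection(c):
    """S2342: an intranet host initiating a session to an address outside the intranet."""
    return ip_address(c.src) in INTRANET and ip_address(c.dst) not in INTRANET

def ratio_abnormal(c):
    """S2344: uplink/downlink bytes outside the preset feature for the service port."""
    if c.bytes_down == 0:
        return c.bytes_up > 0                   # pure upload with nothing coming back
    return c.bytes_up / c.bytes_down > MAX_UP_DOWN_RATIO.get(c.dport, 1.0)

def has_heartbeat(c, min_packets=4, max_jitter=0.1):
    """S2346: near-constant inter-packet gaps look like a beacon, not interactive use."""
    t = sorted(c.packet_times)
    if len(t) < min_packets:
        return False
    gaps = [b - a for a, b in zip(t, t[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_jitter

def shannon_entropy(data):
    """Bits per byte; 8.0 means uniformly distributed byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(k / n * math.log2(k / n) for k in Counter(data).values())

def payload_anomaly(c):
    """S2348, modelled for HTTP on port 80 only: "encrypted", "unparseable", "illegal_value" or None."""
    if c.dport != 80:
        return None
    if len(c.payload) >= 128 and shannon_entropy(c.payload) > 7.0:
        return "encrypted"                      # plaintext service carrying high-entropy bytes
    parts = c.payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS:
        return "unparseable"                    # request line does not parse as HTTP
    if parts[2] not in (b"HTTP/1.0", b"HTTP/1.1"):
        return "illegal_value"                  # a field carries a value the protocol does not define
    return None

def detect_trojan(c, min_indicators=1):
    """Page semantics: any single indicator marks Trojan behaviour (min_indicators=1).
    Raise it to require corroboration, since an ordinary outbound web session trips S2342 too."""
    reasons = []
    if is_reverse_connection(c):
        reasons.append("reverse_connection")
    if ratio_abnormal(c):
        reasons.append("ratio")
    if has_heartbeat(c):
        reasons.append("heartbeat")
    anomaly = payload_anomaly(c)
    if anomaly:
        reasons.append(anomaly)
    return {"trojan": len(reasons) >= min_indicators, "reasons": reasons}

# Constructed connection records.
BENIGN = Connection("10.10.1.5", "203.0.113.10", 80, 800, 20000, [0.0, 0.2, 0.5, 3.1],
                    b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")
SUSPECT = Connection("10.10.1.5", "198.51.100.7", 80, 6000, 900, [0, 60, 120, 180, 240],
                     bytes(range(256)))       # beacon every 60 s, mostly uploads, opaque payload
INTERNAL = Connection("10.10.3.9", "10.10.2.20", 80, 300, 2000, [0, 1],
                      b"GET /a HTTP/9.9\r\n\r\n")
```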
It should be noted that the security domain flow monitoring system may also actively discover, through a behaviour feature algorithm, IPs that pose a certain threat, so as to detect high-risk IPs; it currently supports detection of worms, IP scanning, port scanning, ARP spoofing, Trojans, frequency mutation, flow mutation and similar characteristics.
It should further be noted that data visualization techniques such as maps, topology graphs, histograms, pie charts and trend charts can be adopted, so that the display of information intranet data is more intuitive and monitoring and analysis are easier, and when a significant information security event occurs the decision maker is assisted in making a correct decision.
Through the scheme provided by the embodiment of the invention, security protection policy combing and optimization can be completed across multiple dimensions, such as network security protection policy combing, visualization of device interconnection relationships and service logic access relationships, and perception of and alarms for advanced unknown threats, and the validity and rationality of the protection policies of existing security protection devices are verified. At the same time, the traffic flowing through the core switching area is visualized by IP geolocation, and the unknown network threats present in the company network environment are sensed and warned of early, providing a decision basis for whole-network security protection. The system can improve the functions of a company's information security system, improve the processing efficiency of information security events, reduce the number of production system shutdowns for maintenance due to information security accidents, and effectively improve production and management efficiency. Information security decisions become more timely and accurate, the company's information security goals are better realized, and the negative impact of information security accidents is avoided.
Therefore, the work of combing and optimizing company information security protection policies, verifying policy effectiveness, visualizing network traffic, discovering Trojan CC channels, and perceiving advanced unknown threats is accomplished; the processing performance and protection effect of existing and newly added security devices are improved; a dynamic defence system is further formed; the information security defence capability of each company system is improved; a solid security technical foundation is laid for the development of smart grid automation services; and the method has wide prospects for popularization and application as well as social benefits.
Example 2
According to an embodiment of the invention, an embodiment of a processing device of a power network is provided.
Fig. 3 is a schematic diagram of a processing device of an electrical power network according to an embodiment of the present invention, as shown in fig. 3, the device comprising:
the obtaining module 32 is configured to obtain a protection policy of a security device in the power network.
Specifically, the security device may be a security domain device in the power network, for example a firewall, and the protection policy may be a firewall policy. Whether the firewall policy is reasonable and effective determines whether the firewall's performance can be fully exploited and, further, whether the power information intranet achieves the expected access control effect.
The analysis module 34 is configured to analyze the protection policy to obtain an analysis result, where the analysis result is used to represent whether the protection policy is valid.
The processing module 36 is configured to process the protection policy if the analysis result is that the protection policy is invalid, where the processing includes one or more of the following: deleting and merging.
By adopting the embodiment of the invention, after the protection policy of the security device in the power network is obtained, the protection policy is analyzed to obtain the analysis result, and where the analysis result is that the protection policy is invalid, the protection policy is deleted, merged or otherwise processed. The firewall policy is thereby verified and combed, problem policies are pointed out, and clear and reasonable optimization suggestions can be given, achieving the technical effect of promoting firewall policy optimization so that the performance and protection effect of the security device meet the basic requirements of each unit, and solving the technical problem that security devices in the power network of the prior art cannot meet security protection requirements.
Example 3
According to an embodiment of the invention, an embodiment of a processing system of a power network is provided.
Fig. 4 is a schematic diagram of a processing system of an electrical power network according to an embodiment of the invention, as shown in fig. 4, the system comprising: a power network 42 and a monitoring device 44, the power network comprising: a security device.
The monitoring device is connected to the power network and is configured to acquire the protection policy of the security device, analyze the protection policy to obtain an analysis result, and process the protection policy where the analysis result is that the protection policy is invalid, wherein the analysis result is used to represent whether the protection policy is valid, and the processing includes one or more of the following: deleting and merging.
In particular, the monitoring device described above may be a security domain flow monitoring system. The security device may be a security domain device in the power network, for example a firewall, and the protection policy may be a firewall policy. Whether the firewall policy is reasonable and effective determines whether the firewall's performance can be fully exploited and, further, whether the power information intranet achieves the expected access control effect.
By adopting the embodiment of the invention, after the protection policy of the security device in the power network is obtained, the protection policy is analyzed by the monitoring device to obtain the analysis result, and where the analysis result is that the protection policy is invalid, the protection policy is deleted, merged or otherwise processed. The firewall policy is thereby verified and combed, problem policies are pointed out, and clear and reasonable optimization suggestions can be given, achieving the technical effect of promoting firewall policy optimization so that the performance and protection effect of the security device meet the basic requirements of each unit, and solving the technical problem that security devices in the power network of the prior art cannot meet security protection requirements.
Optionally, in the foregoing embodiment of the present invention, the monitoring device includes: a first monitoring device, a second monitoring device and a third monitoring device.
Wherein the first monitoring device is deployed at a provincial corporation in the power network; the second monitoring equipment is deployed at the front ends of a provincial company data center, a management system and a marketing system in the power network; the third monitoring device is deployed on a core switch of the metro access network.
Specifically, the first monitoring device may be a security domain flow monitoring system data center device, and the second monitoring device and the third monitoring device may be security domain flow monitoring system audit engines.
In an optional scheme, as shown in fig. 5, 2 security domain flow monitoring system data center devices are deployed at the provincial company, and 1 security domain flow monitoring system audit engine is deployed at the front end of the provincial company's data center, ERP and marketing system, performing security audit analysis and visualization of the data traffic in that area. As shown in fig. 6, at the same time, 1 security domain flow monitoring system audit engine each is deployed on the 8 local access network core switches of Xining, Haidong, Huangnan, Hainan, Haibei, Haixi, Guoluo and Yushu, collecting all service and management traffic flowing through the core switches in order to perform security analysis, auditing and detection. In total there are 2 data center devices and 9 audit engines.
It should be noted that the security access control capability of the data communication network management information service can be improved by combing and verifying the firewall policies of the 8 local companies; through visual display of the interconnection relationships between the devices of the provincial company and the 8 prefecture branch companies and of the logical access relationships of end users to the service systems, internal puppet hosts, Trojans and the like are discovered, located and alarmed on; and unknown threats present in the company network are sensed and warned of early.
Example 4
According to an embodiment of the present invention, there is provided an embodiment of a storage medium including a stored program, wherein a device in which the storage medium is located is controlled to execute the processing method of the power network in the above-described embodiment 1 when the program is executed.
Example 5
According to an embodiment of the present invention, an embodiment of a processor for running a program is provided, where the program executes the processing method of the power network in the above embodiment 1.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units may be a logical division, and in actual implementation, there may be another division, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (15)

1. A method of processing a power network, comprising:
acquiring a protection strategy of safety equipment in a power network;
analyzing the protection strategy to obtain an analysis result, wherein the analysis result is used for representing whether the protection strategy is effective or not;
processing the protection strategy under the condition that the analysis result is that the protection strategy is invalid, wherein the processing comprises one or more of the following steps: deleting and merging;
wherein, analyzing the protection strategy to obtain the analysis result comprises:
analyzing the logic of the protection strategy, and judging whether a preset strategy exists in the protection strategy, wherein the preset strategy comprises one or more of the following strategies: a cross strategy, a redundancy strategy, a conflict strategy and a merging strategy;
acquiring data traffic of the power network, and judging whether a first matching degree of the protection strategy and the data traffic is greater than or equal to a first preset threshold, wherein the data traffic comprises: traffic flow and management flow;
acquiring a preset protection list, and judging whether a second matching degree of the protection strategy and the preset protection list is greater than or equal to a second preset threshold, wherein the preset protection list comprises: a black list and a white list;
determining that the analysis result is that the protection strategy is effective under the condition that the preset strategy does not exist in the protection strategy, the first matching degree is greater than or equal to the first preset threshold value, and the second matching degree is greater than or equal to the second preset threshold value;
and determining that the analysis result is that the protection strategy is invalid under the condition that the preset strategy exists in the protection strategies, the first matching degree is smaller than the first preset threshold value, or the second matching degree is smaller than the second preset threshold value.
2. The method of claim 1, wherein after processing the protection policy, the method further comprises:
acquiring data traffic of the power network, and first device information of the safety device, wherein the first device information includes: operating system information and open port information of the security device;
obtaining an association relation between the safety devices based on the data traffic and the device information;
and displaying the association relation.
3. The method of claim 2, wherein obtaining the association between the security devices based on the data traffic and the device information comprises:
obtaining quintuple data of the power network based on the data traffic and the equipment information;
and obtaining the association relation based on the quintuple data.
4. The method of claim 2, wherein displaying the association comprises:
displaying interconnection information of the incidence relation, wherein the interconnection information comprises: the starting time and the ending time of the incidence relation, the network address, the opened port, the attribution, the attribute information of the safety equipment and the protocol data.
5. The method of claim 2, wherein after acquiring data traffic of the power network, the method further comprises:
acquiring the characteristics of the data flow;
obtaining network assets of the power network based on the characteristics of the data traffic;
and carrying out validity check on the network assets to obtain a check result.
6. The method of claim 5, wherein after deriving network assets for the electrical power network based on the characteristics of the data traffic, the method further comprises:
judging whether the network assets are preset assets or not, wherein the preset assets are generated by assets in the power network;
after determining that the network asset is the preset asset, determining that a network address corresponding to the network asset is a live network asset.
7. The method of claim 1, wherein after processing the protection policy, the method further comprises:
acquiring a network message in the power network;
based on the network message, performing attack detection on the power network to obtain a first detection result, wherein the first detection result is used for representing whether an attack exists in the power network, and the attack includes one or more of the following: options attacks, scanning attacks, christmas tree attacks, and denial of service attacks.
8. The method of claim 7, wherein if the first detection result is that the attack exists in the power network, the method further comprises:
obtaining, through network address location, the network address of the security device on which the attack is present;
and displaying the network address of that security device.
9. The method of claim 1, wherein after processing the protection policy, the method further comprises:
acquiring the service connection of the power network;
and analyzing the service connection to obtain a second detection result, wherein the second detection result is used to represent whether Trojan horse behavior exists in the power network.
10. The method of claim 9, wherein analyzing the service connection to obtain the second detection result comprises one or more of:
judging whether a reverse connection exists in the service connection, wherein if a reverse connection exists in the service connection, the second detection result is determined to be that Trojan horse behavior exists in the power network, and if no reverse connection exists in the service connection, the second detection result is determined to be that Trojan horse behavior does not exist in the power network;
judging whether the ratio of the uplink traffic to the downlink traffic of the service connection meets a preset characteristic, wherein if the ratio does not meet the preset characteristic, the second detection result is determined to be that Trojan horse behavior exists in the power network, and if the ratio meets the preset characteristic, the second detection result is determined to be that Trojan horse behavior does not exist in the power network;
judging whether heartbeat packets exist in the service connection, wherein if heartbeat packets exist in the service connection, the second detection result is determined to be that Trojan horse behavior exists in the power network, and if no heartbeat packets exist in the service connection, the second detection result is determined to be that Trojan horse behavior does not exist in the power network;
and judging whether the service message corresponding to the service connection can be parsed, whether encryption is present, or whether an illegal value is present, wherein if the service message cannot be parsed, encryption is present, or an illegal value is present, the second detection result is determined to be that Trojan horse behavior exists in the power network, and if the service message can be parsed, no encryption is present, and no illegal value is present, the second detection result is determined to be that Trojan horse behavior does not exist in the power network.
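The four checks of claim 10 as one connection-level detector, written here as an added example rather than the patent's own code. The asset inventory (INTERNAL_SERVERS), the per-service ratio band standing in for the "preset characteristic", the heartbeat and entropy thresholds, and the connection records are all assumptions constructed for the example.

```python
# Added example (not the patent's code): the four Trojan-behaviour checks of claim 10 run over one service connection.
# Asset inventory, ratio bands and thresholds are assumptions; the connection records are constructed.
from dataclasses import dataclass
from math import log2
from statistics import mean, pstdev

INTERNAL_SERVERS = {"10.1.0.5", "10.1.0.6"}  # constructed: assets that should only accept connections
RATIO_BAND = {"http": (0.01, 0.5), "ssh": (0.2, 5.0)}  # constructed "preset characteristic": uplink/downlink bytes

@dataclass
class Connection:
    initiator: str    # address that opened the connection
    responder: str
    service: str      # protocol the connection is expected to carry
    up_bytes: int     # initiator -> responder
    down_bytes: int   # responder -> initiator
    pkt_times: list   # timestamps (s) of the initiator's packets
    pkt_sizes: list   # payload sizes of those packets
    payload: bytes    # sample of the service message

def is_reverse_connection(c):  # a server-only asset dialling out of the network
    return c.initiator in INTERNAL_SERVERS and not c.responder.startswith("10.")

def ratio_out_of_band(c):  # uplink/downlink byte ratio outside the band expected for the service
    lo, hi = RATIO_BAND.get(c.service, (0.0, float("inf")))
    return not lo <= c.up_bytes / max(c.down_bytes, 1) <= hi

def has_heartbeat(c, min_pkts=6, max_size=64, max_jitter=0.1):  # many small packets at near-constant intervals
    if len(c.pkt_times) < min_pkts or max(c.pkt_sizes) > max_size:
        return False
    gaps = [b - a for a, b in zip(c.pkt_times, c.pkt_times[1:])]
    return pstdev(gaps) / mean(gaps) <= max_jitter

def entropy(data):  # Shannon entropy in bits per byte; close to 8 suggests encrypted or compressed content
    return -sum(n / len(data) * log2(n / len(data)) for n in (data.count(b) for b in set(data)))

def message_abnormal(c):  # cannot be parsed as the expected protocol, carries an illegal value, or looks encrypted
    if c.service == "http":
        req = c.payload.split(b"\r\n", 1)[0].split(b" ")
        parsed = len(req) == 3 and req[2].startswith(b"HTTP/")
        illegal = parsed and req[0] not in {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE"}
        if not parsed or illegal:
            return True
    return entropy(c.payload) > 7.0

def trojan_indicators(c):  # names of the checks that fired; an empty list means no Trojan behaviour was found
    checks = {"reverse_connection": is_reverse_connection(c), "ratio_out_of_band": ratio_out_of_band(c),
              "heartbeat": has_heartbeat(c), "message_abnormal": message_abnormal(c)}
    return [name for name, hit in checks.items() if hit]
```

Each check maps to one branch of the claim; the second detection result is "Trojan horse behavior exists" whenever the returned list is non-empty.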
11. A processing apparatus for an electrical power network, comprising:
an acquisition module, configured to acquire a protection policy of a security device in the power network;
an analysis module, configured to analyze the protection policy to obtain an analysis result, wherein the analysis result is used to represent whether the protection policy is valid;
and a processing module, configured to process the protection policy when the analysis result is that the protection policy is invalid, wherein the processing includes one or more of: deleting and merging;
wherein the analysis module being configured to analyze the protection policy to obtain the analysis result comprises:
analyzing the logic of the protection policy and judging whether a preset policy exists in the protection policy, wherein the preset policy comprises one or more of the following: a crossing policy, a redundancy policy, a conflict policy and a merging policy;
acquiring data traffic of the power network and judging whether a first matching degree between the protection policy and the data traffic is greater than or equal to a first preset threshold, wherein the data traffic comprises: service traffic and management traffic;
acquiring a preset protection list and judging whether a second matching degree between the protection policy and the preset protection list is greater than or equal to a second preset threshold, wherein the preset protection list comprises: a blacklist and a whitelist;
determining that the analysis result is that the protection policy is valid when no preset policy exists in the protection policy, the first matching degree is greater than or equal to the first preset threshold, and the second matching degree is greater than or equal to the second preset threshold;
and determining that the analysis result is that the protection policy is invalid when any of the following holds: a preset policy exists in the protection policy, the first matching degree is smaller than the first preset threshold, or the second matching degree is smaller than the second preset threshold.
12. A processing system for an electrical power network, comprising:
an electrical power network comprising a security device;
and a monitoring device connected to the power network and configured to acquire a protection policy of the security device, analyze the protection policy to obtain an analysis result, and process the protection policy when the analysis result is that the protection policy is invalid, wherein the analysis result is used to represent whether the protection policy is valid, and the processing includes one or more of the following: deleting and merging;
wherein the monitoring device being configured to analyze the protection policy to obtain the analysis result comprises:
analyzing the logic of the protection policy and judging whether a preset policy exists in the protection policy, wherein the preset policy comprises one or more of the following: a crossing policy, a redundancy policy, a conflict policy and a merging policy;
acquiring data traffic of the power network and judging whether a first matching degree between the protection policy and the data traffic is greater than or equal to a first preset threshold, wherein the data traffic comprises: service traffic and management traffic;
acquiring a preset protection list and judging whether a second matching degree between the protection policy and the preset protection list is greater than or equal to a second preset threshold, wherein the preset protection list comprises: a blacklist and a whitelist;
determining that the analysis result is that the protection policy is valid when no preset policy exists in the protection policy, the first matching degree is greater than or equal to the first preset threshold, and the second matching degree is greater than or equal to the second preset threshold;
and determining that the analysis result is that the protection policy is invalid when any of the following holds: a preset policy exists in the protection policy, the first matching degree is smaller than the first preset threshold, or the second matching degree is smaller than the second preset threshold.
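The policy analysis that claims 11 and 12 both describe, carried out over an ordered firewall-style rule set, as an added example rather than the patent's own implementation. The Rule format, the definitions of the two matching degrees (share of rules hit by observed flows; share of rules that agree with the blacklist and whitelist) and the 0.5 thresholds are assumptions; the rules, flows and lists in the test are constructed.

```python
# Added example (not the patent's code): the protection-policy analysis of claims 11 and 12 over an ordered rule set.
# Rule format, matching-degree definitions and thresholds are assumptions; rules, flows and lists are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # (low, high) destination port range
    action: str   # "allow" or "deny"

def covers(a, b):  # every flow matched by b is also matched by a
    return (ip_network(a.src).supernet_of(ip_network(b.src))
            and ip_network(a.dst).supernet_of(ip_network(b.dst))
            and a.ports[0] <= b.ports[0] and b.ports[1] <= a.ports[1])
def overlaps(a, b):  # some flow is matched by both a and b
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])

def preset_policies(rules):  # kinds of problematic rule pairs; rules are ordered and the earlier rule wins
    found = set()
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if not overlaps(a, b):
                continue
            if a.action != b.action:
                found.add("conflict")    # the same flow gets different verdicts
            elif covers(a, b):
                found.add("redundancy")  # b can never match a flow that a did not already decide
            elif (a.src, a.dst) == (b.src, b.dst):
                found.add("merging")     # same endpoints and action, overlapping ports: one rule would do
            else:
                found.add("cross")       # partial overlap with the same action
    return found

def matches(rule, flow):  # flow = (src_ip, dst_ip, dst_port)
    return (ip_address(flow[0]) in ip_network(rule.src) and ip_address(flow[1]) in ip_network(rule.dst)
            and rule.ports[0] <= flow[2] <= rule.ports[1])
def traffic_match_degree(rules, flows):  # share of rules hit by at least one observed service/management flow
    return sum(any(matches(r, f) for f in flows) for r in rules) / len(rules)
def list_match_degree(rules, blacklist, whitelist):  # share of rules that agree with the preset lists
    return sum((r.src in blacklist and r.action == "deny") or (r.src in whitelist and r.action == "allow")
               for r in rules) / len(rules)
def analyse(rules, flows, blacklist, whitelist, t1=0.5, t2=0.5):  # the claim 11/12 verdict
    presets = preset_policies(rules)
    d1, d2 = traffic_match_degree(rules, flows), list_match_degree(rules, blacklist, whitelist)
    return {"valid": not presets and d1 >= t1 and d2 >= t2,
            "preset_policies": sorted(presets), "traffic_degree": d1, "list_degree": d2}
```

A rule set is reported valid only when no preset policy is found and both degrees reach their thresholds; the returned dict also names which preset policies were hit, which is what a "deleting or merging" step would act on.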
13. The system of claim 12, wherein the monitoring device comprises:
a first monitoring device deployed at a provincial company in the power network;
a second monitoring device deployed at the front end of the provincial company's data center, management system and marketing system in the power network;
and a third monitoring device deployed on a core switch of the local access network.
14. A storage medium, characterized in that the storage medium comprises a stored program, wherein when the program runs, the device in which the storage medium is located is controlled to execute the processing method for the power network according to any one of claims 1 to 10.
15. A processor, characterized in that the processor is configured to run a program, wherein the program, when running, is configured to execute the processing method for the power network according to any one of claims 1 to 10.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811393591.8A CN109587124B (en) 2018-11-21 2018-11-21 Method, device and system for processing power network

Publications (2)

Publication Number Publication Date
CN109587124A CN109587124A (en) 2019-04-05
CN109587124B true CN109587124B (en) 2021-08-03

Family

ID=65923675

Country Status (1)

Country Link
CN (1) CN109587124B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110933064B (en) * 2019-11-26 2023-10-03 云南电网有限责任公司信息中心 Method and system for determining user behavior track
CN111641601A (en) * 2020-05-12 2020-09-08 中信银行股份有限公司 Firewall management method, device, equipment and storage medium
CN111988273A (en) * 2020-07-07 2020-11-24 国网思极网安科技(北京)有限公司 Firewall policy management method and device
CN112153053A (en) * 2020-09-25 2020-12-29 杭州安恒信息技术股份有限公司 DDoS (distributed denial of service) protection configuration detection method, device, equipment and readable storage medium
CN114338403A (en) * 2020-10-10 2022-04-12 华为技术有限公司 Method for monitoring network intention, network intention monitoring system and storage medium
CN112637179B (en) * 2020-12-17 2022-11-22 深信服科技股份有限公司 Firewall policy analysis method, device, equipment and storage medium
CN113467311B (en) * 2021-07-08 2023-03-14 国网新疆电力有限公司电力科学研究院 Electric power Internet of things safety protection device and method based on software definition
CN113676473B (en) * 2021-08-19 2023-05-02 中国电信股份有限公司 Network service safety protection device, method and storage medium
CN116405328B (en) * 2023-06-08 2023-08-08 国网上海能源互联网研究院有限公司 Multistage linkage network security supervision system and method for power monitoring system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104580090A (en) * 2013-10-18 2015-04-29 华为技术有限公司 Method and device for evaluating operation and maintenance of safety strategy
US9438559B1 (en) * 2003-01-09 2016-09-06 Jericho Systems Corporation System for managing access to protected resources
CN107612890A (en) * 2017-08-24 2018-01-19 中国科学院信息工程研究所 A kind of network monitoring method and system
CN108063753A (en) * 2017-11-10 2018-05-22 全球能源互联网研究院有限公司 A kind of information safety monitoring method and system
CN108289088A (en) * 2017-01-09 2018-07-17 中国移动通信集团河北有限公司 Abnormal traffic detection system and method based on business model

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721188A (en) * 2014-12-04 2016-06-29 北京神州泰岳信息安全技术有限公司 Firewall strategy check method and system
CN106411562B (en) * 2016-06-17 2021-10-29 全球能源互联网研究院 Electric power information network safety linkage defense method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
青海电力信息网络安全防护体系设计 (Design of the security protection system for the Qinghai electric power information network); 孙少华; 《青海电力》 (Qinghai Electric Power); 2017-09-30; pp. 26-29 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant