CN109922073A - Network security monitoring device, method and system - Google Patents


Info

Publication number
CN109922073A
Authority
CN
China
Prior art keywords
data
equipment
acquisition
analysis
network
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Pending
Application number
CN201910206334.7A
Other languages
Chinese (zh)
Inventor
陶文伟
苏扬
刘映尚
杨俊权
张文瀚
郭晓斌
梁志宏
胡朝辉
余江
李金�
吴金宇
易思瑶
刘松
陈佳捷
王金贺
彭伯庄
Current Assignee (as listed by Google Patents; may be inaccurate)
Dingxin Information Technology Co Ltd
China Southern Power Grid Co Ltd
Original Assignee
Dingxin Information Technology Co Ltd
China Southern Power Grid Co Ltd
Priority date
Filing date
Publication date
Application filed by Dingxin Information Technology Co Ltd and China Southern Power Grid Co Ltd
Priority to CN201910206334.7A
Publication of CN109922073A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a network security monitoring device. The network security monitoring device comprises a data analysis device, a system management device and a data acquisition device. The system management device confirms the data acquisition mode on the basis of a received acquisition configuration signal and transmits an acquisition instruction to the data acquisition device. According to the acquisition instruction, the data acquisition device uses the corresponding data acquisition mode to collect data from the equipment in the control zone, the non-control zone and the production management zone of the electric power monitoring system, and transmits the collected device log data and device traffic flow data to the data analysis device, which analyses the device log data and device traffic flow data to obtain an analysis result and transmits the analysis result to the master station system. The disclosed network security monitoring device addresses the insufficient acquisition means and inefficient verification of conventional techniques, enables the network security situation to be monitored, accurately analysed and warned of in advance, and improves the efficiency of network security monitoring for the electric power monitoring system.

Description

Network security monitoring device, method and system
Technical field
The application relates to the technical field of network security for electric power monitoring systems, and in particular to a network security monitoring device, method and system.
Background art
With the development of network technology, network security problems have become increasingly prominent, and hacker attacks and network attacks are on the rise. As national critical information infrastructure, the electric power system faces an increasingly severe network security situation: a successful network security attack could cause a large-area power outage and seriously threaten enterprise and national security. Network security monitoring technology is therefore particularly necessary in the electric power system.
In the course of implementation, the inventors found that the conventional network security monitoring techniques currently used in electric power systems have at least the following problem: low efficiency.
Summary of the invention
Accordingly, in view of the above technical problem, it is necessary to provide a network security monitoring device, method and system capable of improving efficiency.
To achieve the above object, in one aspect, an embodiment of the invention provides a network security monitoring device. Network security monitoring devices are deployed in both the control zone and the production management zone. The network security monitoring device comprises a data analysis device, a system management device and a data acquisition device; the data analysis device is connected to the data acquisition device, and the system management device is connected to the data acquisition device;
The system management device confirms the data acquisition mode on the basis of a received acquisition configuration signal and transmits an acquisition instruction to the data acquisition device; the data acquisition modes include active data acquisition and passive data acquisition. According to the acquisition instruction, the data acquisition device uses the corresponding data acquisition mode to collect data from the equipment in the control zone, the non-control zone and the production management zone of the electric power monitoring system, and transmits the collected device log data and device traffic flow data to the data analysis device;
The data analysis device obtains an analysis result on the basis of the device log data and the device traffic flow data, and transmits the analysis result to the master station system.
In one embodiment, the data analysis device also transmits the device log data and the device traffic flow data to the master station system;
The data analysis device comprises an external threat analysis unit, a self-vulnerability analysis unit and an original file analysis unit;
The external threat analysis unit, the self-vulnerability analysis unit and the original file analysis unit are each connected to the data acquisition device;
The external threat analysis unit is used to analyse external access data;
The self-vulnerability analysis unit is used to analyse data generated by the equipment itself;
The original file analysis unit is used to analyse the original file data of the equipment.
In one embodiment, the external threat analysis unit analyses device network communication data, external device data and manual operation behaviour data to obtain an analysis result, and transmits the analysis result to the master station system.
In one embodiment, the self-vulnerability analysis unit analyses online IP asset information, the logical topology connection relationships between devices, and the operating system information, open port information, operational data, baseline data and vulnerability data of each device to obtain an analysis result, and transmits the analysis result to the master station system.
The equipment comprises host devices, network devices and security devices.
In one embodiment, the original file analysis unit analyses the log information of host devices, network devices and security devices and the original message information of network devices to obtain an analysis result, and transmits the analysis result to the master station system.
In one embodiment, active data acquisition includes SNMP, ICMP and SSH, and passive data acquisition includes SNMP Trap, Syslog and traffic sniffing.
In one embodiment, the device further comprises a communication device connected to the data analysis device;
The data analysis device transmits the analysis result, the device log data and the device traffic flow data to the master station system through the communication device.
In another aspect, an embodiment of the invention also provides a network security monitoring method comprising the following steps:
The system management device confirms the data acquisition mode on the basis of a received acquisition configuration signal and transmits an acquisition instruction to the data acquisition device; the data acquisition modes include active data acquisition and passive data acquisition. According to the acquisition instruction, the data acquisition device uses the corresponding data acquisition mode to collect data from the equipment in the control zone, the non-control zone and the production management zone of the electric power monitoring system, and transmits the collected device log data and device traffic flow data to the data analysis device;
The data analysis device obtains an analysis result on the basis of the device log data and the device traffic flow data, and transmits the analysis result to the master station system.
In a further aspect, an embodiment of the invention also provides a network security monitoring system comprising a master station system, a first network security isolation device connected between the control zone and the non-control zone, a second network security isolation device connected between the non-control zone and the production management zone, and at least two network security monitoring devices as claimed in any one of claims 1 to 7;
The first network security isolation device is connected to the second network security isolation device through a system bus; each network security monitoring device is connected to the system bus and to the master station system.
In one embodiment, the first network security isolation device comprises a first forward isolation device and a first reverse isolation device, and the second network security isolation device comprises a second forward isolation device and a second reverse isolation device;
The first forward isolation device or the first reverse isolation device is connected to the second forward isolation device through the system bus;
The first forward isolation device or the first reverse isolation device is connected to the second reverse isolation device through the system bus.
One of the above technical solutions has the following advantages and beneficial effects:
The network security monitoring device disclosed in the application is deployed in the control zone and the production management zone of the electric power monitoring system and is used to monitor the network security of the equipment in the control zone, the non-control zone and the production management zone. The data acquisition mode can be set through the system management device, so that the required data are collected effectively by the different data acquisition modes. The data acquisition device collects data from the equipment in the control zone, the non-control zone and the production management zone to obtain device log data and device traffic flow data. The data analysis device analyses the obtained data to produce a data analysis result and transmits it to the master station system. The disclosed device addresses the insufficient acquisition means and inefficient verification of conventional techniques, enables the network security situation to be monitored, accurately analysed and warned of in advance, and improves the efficiency of network security monitoring for the electric power monitoring system.
Brief description of the drawings
The above and other objects, features and advantages of the application will become more apparent from the following detailed description of preferred embodiments of the application as shown in the drawings. Throughout the drawings, identical reference numerals indicate identical parts; the drawings are deliberately not drawn to scale, the emphasis being on illustrating the gist of the application.
Fig. 1 is a first schematic diagram of a network security monitoring device in one embodiment;
Fig. 2 is a second schematic diagram of a network security monitoring device in one embodiment;
Fig. 3 is a flow diagram of a network security monitoring method in one embodiment;
Fig. 4 is a schematic diagram of a network security monitoring system in one embodiment;
Fig. 5 is a schematic diagram of the installation and use of a network security monitoring system in one embodiment;
Fig. 6 is an internal structure diagram of a computer device in one embodiment.
Detailed description of embodiments
To facilitate understanding of the application, it is described more fully below with reference to the relevant drawings, in which preferred embodiments of the application are given. The application may, however, be embodied in many different forms and is not limited to the embodiments described herein; rather, these embodiments are provided so that the disclosure of the application is more thorough and comprehensive.
It should be noted that when an element is described as being "connected" to another element, it may be directly connected to and integrated with the other element, or intervening elements may be present. The terms "arranged on", "deployed on" and similar expressions used herein are for illustrative purposes only.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field to which the application belongs. The terms used in the description of the application are intended only to describe specific embodiments and are not intended to limit the application. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
In one embodiment, as shown in Fig. 1, a network security monitoring device is provided. Network security monitoring devices are deployed in both the control zone and the production management zone. The network security monitoring device comprises a data analysis device 130, a system management device 110 and a data acquisition device 120; the data analysis device 130 is connected to the data acquisition device 120, and the system management device 110 is connected to the data acquisition device 120;
The system management device 110 confirms the data acquisition mode on the basis of a received acquisition configuration signal and transmits an acquisition instruction to the data acquisition device 120; the data acquisition modes include active data acquisition and passive data acquisition. According to the acquisition instruction, the data acquisition device 120 uses the corresponding data acquisition mode to collect data from the equipment in the control zone, the equipment in the non-control zone and the equipment in the production management zone of the electric power monitoring system, and transmits the collected device log data and device traffic flow data to the data analysis device 130;
The data analysis device 130 obtains an analysis result on the basis of the device log data and the device traffic flow data, and transmits the analysis result to the master station system.
Specifically, the data acquisition device is arranged in the control zone and the production management zone of the electric power monitoring system and is used to monitor the network security of the equipment in the non-control zone, the production management zone and the control zone; the acquisition targets are the general-purpose host devices, embedded host devices, network devices and security devices in the control zone, the non-control zone and the production management zone. The data acquisition device collects data from the above equipment, the data analysis device analyses the collected device log data and device traffic flow data, and the resulting analysis result is transmitted to the master station system.
In a specific example, general-purpose host devices include servers and workstations running a general-purpose operating system; embedded host devices include embedded devices running a non-general-purpose operating system or no operating system; network devices include network communication equipment such as switches and routers; and security devices include network security equipment such as firewalls, longitudinal encryption authentication devices, forward isolation devices, reverse isolation devices, situational awareness acquisition devices, intrusion detection systems (IDS), O&M operation audit systems and anti-virus systems.
Further, the acquisition modes are divided into active acquisition and passive acquisition, and the acquired content comprises log information and communication flow information. Specifically, the data acquired from general-purpose host devices should include log information, the data acquired from embedded host devices should include log information, the data acquired from network devices should include log information and communication flow information, and the data acquired from security devices should include log information.
In the above network security monitoring device, the data acquisition mode can be configured through the system management device, and the different data acquisition modes collect the required data effectively. The data acquisition device collects data from the equipment in the control zone, the non-control zone and the production management zone to obtain device log data and device traffic flow data. The data analysis device analyses the obtained data to produce a data analysis result and transmits it to the master station system. The above network security monitoring device addresses the insufficient acquisition means and inefficient verification of conventional techniques, enables the network security situation to be monitored, accurately analysed and warned of in advance, and improves the efficiency of network security monitoring for the electric power monitoring system.
In one embodiment, as shown in Fig. 2, a network security monitoring device is provided. Network security monitoring devices are deployed in both the control zone and the production management zone. The network security monitoring device comprises a data analysis device 230, a system management device 210 and a data acquisition device 220; the data analysis device 230 is connected to the data acquisition device 220, and the system management device 210 is connected to the data acquisition device 220;
The system management device 210 confirms the data acquisition mode on the basis of a received acquisition configuration signal and transmits an acquisition instruction to the data acquisition device 220; the data acquisition modes include active data acquisition and passive data acquisition. According to the acquisition instruction, the data acquisition device 220 uses the corresponding data acquisition mode to collect data from the equipment in the control zone, the non-control zone and the production management zone of the electric power monitoring system, and transmits the collected device log data and device traffic flow data to the data analysis device 230;
The data analysis device 230 obtains an analysis result on the basis of the device log data and the device traffic flow data, and transmits the analysis result to the master station system.
The data analysis device 230 also transmits the device log data and the device traffic flow data to the master station system;
The data analysis device 230 comprises an external threat analysis unit 2310, a self-vulnerability analysis unit 2320 and an original file analysis unit 2330;
The external threat analysis unit 2310, the self-vulnerability analysis unit 2320 and the original file analysis unit 2330 are each connected to the data acquisition device 220;
The external threat analysis unit 2310 is used to analyse external access data;
The self-vulnerability analysis unit 2320 is used to analyse data generated by the equipment itself;
The original file analysis unit 2330 is used to analyse the original file data of the equipment.
Further, the external threat analysis unit 2310 analyses device network communication data, external device data and manual operation behaviour data, obtains an analysis result and transmits it to the master station system.
The self-vulnerability analysis unit 2320 analyses online IP asset information, the logical topology connection relationships between devices, and the operating system information, open port information, operational data, baseline data and vulnerability data of each device, obtains an analysis result and transmits it to the master station system. The equipment comprises host devices, network devices and security devices.
The original file analysis unit 2330 analyses the log information of host devices, network devices and security devices and the original message information of network devices, obtains an analysis result and transmits it to the master station system.
Active data acquisition includes SNMP, ICMP and SSH; passive data acquisition includes SNMP Trap, Syslog and traffic sniffing.
The network security monitoring device further comprises a communication device 240 connected to the data analysis device;
The data analysis device 230 transmits the analysis result, the device log data and the device traffic flow data to the master station system through the communication device 240.
Specifically, the data analysis device may comprise an external threat analysis unit, a self-vulnerability analysis unit and an original file analysis unit. The external threat analysis unit analyses device network communication data, external device data, manual operation behaviour data, program code and the like; the self-vulnerability analysis unit analyses online IP asset information, the logical topology connection relationships between devices, and the operating system information, open port information, operational data, baseline data and vulnerability data of each device; the original file analysis unit analyses the log information of host devices, network devices and security devices and the original message information of network devices.
Active acquisition includes modes such as SNMP (Simple Network Management Protocol), Agent, ICMP (Internet Control Message Protocol), SSH (Secure Shell) and active network scanning; passive acquisition includes modes such as SNMP Trap, Syslog and traffic sniffing. The acquired content comprises log information and communication flow information, where log information refers to the information collected by modes such as SNMP, SNMP Trap, Syslog, Agent, ICMP, SSH and active network scanning, and communication flow information refers to the information collected by traffic sniffing.
Further, the analysis of device network communication data comprises: (1) supporting the analysis of device network access events, including network interface insertion and removal; (2) supporting the analysis of communication connection information in the network, including communication client/server IP, communication client/server port, protocol, communication start time and communication end time; (3) supporting the identification of communication protocol features in the network, including FTP and HTTP, and preferably also DNS, POP3, SMTP, IMAP4 and TLS; (4) supporting the reconstruction of the communication content of the FTP protocol in the network, including file type, file name, file size and file MD5; (5) supporting the real-time reporting of network access events, communication connection information, communication protocol feature information and communication content information to the master station system.
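The connection-information and protocol-identification items above (connection endpoints, start and end time, and recognition of FTP, HTTP, DNS, POP3, SMTP, IMAP4 and TLS from traffic features) can be sketched as follows. This is an added example written for this page, not code from the patent or its assignees; the Packet records, the sample capture and the signature rules are constructed assumptions. It identifies the protocol from the first payload bytes in each direction rather than from the port number, which is what lets it label HTTP on port 8080 and tell an FTP banner from an SMTP banner.

```python
"""Flow assembly plus payload-signature protocol identification (added
example; Packet records, sample capture and signature rules are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    payload: bytes   # b"" for a bare SYN


@dataclass
class Connection:
    client: str
    cport: int
    server: str
    sport: int
    proto: str
    start: float
    end: float
    c2s: bytes = b""           # first client-to-server payload seen
    s2c: bytes = b""           # first server-to-client payload seen
    app: Optional[str] = None  # identified application protocol


def flow_key(p: Packet) -> Tuple:
    """Direction-independent key so both halves of a flow share one record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


def identify(proto: str, c2s: bytes, s2c: bytes) -> Optional[str]:
    """Classify from payload features, never from the port (constructed rules)."""
    # TLS: handshake record (0x16), version 3.x, handshake type 1 = ClientHello.
    if c2s[:2] == b"\x16\x03" and len(c2s) > 5 and c2s[5] == 0x01:
        return "TLS"
    # DNS query: 12-byte header, QR bit clear, one question, no answers.
    if proto == "udp" and len(c2s) >= 12 and not c2s[2] & 0x80 \
            and c2s[4:8] == b"\x00\x01\x00\x00":
        return "DNS"
    first = c2s.split(b"\r\n", 1)[0]
    if first.startswith((b"GET ", b"POST ", b"HEAD ", b"PUT ")) \
            and first.endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return "HTTP"
    # Banner-first protocols: the server speaks first, the client's verb decides.
    if s2c.startswith(b"220"):
        if first.startswith((b"USER ", b"AUTH ", b"FEAT")):
            return "FTP"
        if first.startswith((b"EHLO ", b"HELO ")):
            return "SMTP"
    if s2c.startswith(b"+OK"):
        return "POP3"
    if s2c.startswith(b"* OK"):
        return "IMAP4"
    return None


def assemble(packets: List[Packet]) -> List[Connection]:
    """Group packets into connections; the sender of a flow's first packet is the client."""
    flows: Dict[Tuple, Connection] = {}
    for p in sorted(packets, key=lambda x: x.ts):
        c = flows.get(flow_key(p))
        if c is None:
            c = Connection(p.src, p.sport, p.dst, p.dport, p.proto, p.ts, p.ts)
            flows[flow_key(p)] = c
        c.end = max(c.end, p.ts)
        if not p.payload:
            continue
        if (p.src, p.sport) == (c.client, c.cport):
            c.c2s = c.c2s or p.payload
        else:
            c.s2c = c.s2c or p.payload
    for c in flows.values():
        c.app = identify(c.proto, c.c2s, c.s2c)
    return list(flows.values())


# Constructed capture: HTTP on a non-standard port, a TLS ClientHello, two services
# with look-alike 220 banners (SYNs included so the client side is known), a DNS
# query and unidentifiable binary traffic.
SAMPLE = [
    Packet(1.0, "10.1.1.10", 51000, "10.0.0.5", 8080, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: hmi\r\n\r\n"),
    Packet(1.2, "10.0.0.5", 8080, "10.1.1.10", 51000, "tcp", b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet(2.0, "10.1.1.10", 51001, "10.0.0.6", 443, "tcp",
           b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    Packet(2.9, "10.1.1.11", 52000, "10.0.0.7", 2121, "tcp", b""),
    Packet(3.0, "10.0.0.7", 2121, "10.1.1.11", 52000, "tcp", b"220 FTP ready\r\n"),
    Packet(3.1, "10.1.1.11", 52000, "10.0.0.7", 2121, "tcp", b"USER operator\r\n"),
    Packet(3.9, "10.1.1.11", 52001, "10.0.0.8", 25, "tcp", b""),
    Packet(4.0, "10.0.0.8", 25, "10.1.1.11", 52001, "tcp", b"220 mail ESMTP\r\n"),
    Packet(4.1, "10.1.1.11", 52001, "10.0.0.8", 25, "tcp", b"EHLO hmi\r\n"),
    Packet(5.0, "10.1.1.10", 40000, "10.0.0.2", 53, "udp",
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
           b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"),
    Packet(6.0, "10.1.1.12", 53000, "10.0.0.9", 9999, "tcp", b"\x00\x01\x02\x03"),
]


def summarise(packets: List[Packet] = SAMPLE) -> Dict[Tuple[str, int], dict]:
    """Connection records keyed by (server IP, server port), ready for the master station."""
    return {(c.server, c.sport): {"client": c.client, "cport": c.cport, "proto": c.proto,
                                  "app": c.app, "start": c.start, "end": c.end}
            for c in assemble(packets)}
```

In a deployment this would sit behind the traffic sniffer (the passive acquisition mode the page lists) and receive packets with the TCP handshake included, because the direction of a flow's first packet is what fixes the client and server roles. Reconstructing transferred FTP files and their MD5 additionally requires following the PORT/PASV exchange on the control channel to the data channel, which is not shown here.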
The analysis of external device data comprises: (1) supporting the identification of peripheral access events on general-purpose host devices, including insertion and removal; (2) supporting the analysis of the peripheral information of general-purpose host devices, including peripheral type (may be empty), peripheral manufacturer (may be empty) and peripheral serial number (may be empty); (3) supporting the real-time reporting of peripheral access state and information to the master station system.
The analysis of manual operation behaviour data comprises: (1) supporting the identification of login and logout action events on general-purpose host devices, network devices and security devices, including login success, login failure and logout; (2) supporting the identification of configuration change action events on network devices and security devices; (3) supporting the collection of operation command information from general-purpose host devices (Unix-like operating systems only) by logging in with a digital certificate and executing commands; (4) supporting the reporting of login/logout events, configuration change events and operation command information to the master station system.
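The login/logout, configuration-change and operation-command events listed above can be extracted from device logs with a small rule set. This is an added example for this page, not the patent's code; the sshd, sudo and IOS-style syslog lines are constructed, and the regular expressions are assumptions that a deployment would tune to its own devices. Besides emitting one event per matching line, it counts failed logins per source address, which is the check an operator wants before the events are forwarded to the master station.

```python
"""Login/logout, configuration-change and operator-command extraction from
syslog lines (added example; log lines and rules are constructed)."""
import re
from collections import Counter
from typing import Dict, List, Optional

HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# (event type, regex over the message part); the first matching rule wins.
RULES = [
    ("login_success", re.compile(
        r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("login_failure", re.compile(
        r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("logout", re.compile(r"session closed for user (?P<user>\S+)")),
    ("command", re.compile(r"^sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")),
    # IOS-style messages from a switch (constructed, assumed format).
    ("config_change", re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (?P<user>\S+)")),
    ("login_success", re.compile(
        r"%SEC_LOGIN-\d-LOGIN_SUCCESS: .*?\[user: (?P<user>[^\]]+)\] \[Source: (?P<ip>[^\]]+)\]")),
    ("login_failure", re.compile(
        r"%SEC_LOGIN-\d-LOGIN_FAILED: .*?\[user: (?P<user>[^\]]+)\] \[Source: (?P<ip>[^\]]+)\]")),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """One normalised event for a matching line, None for anything else."""
    m = HEADER.match(line)
    if not m:
        return None
    for event, rx in RULES:
        hit = rx.search(m["msg"])
        if hit:
            rec = {"ts": m["ts"], "host": m["host"], "event": event}
            rec.update({k: v for k, v in hit.groupdict().items() if v is not None})
            return rec
    return None


def extract_events(lines: List[str]) -> List[Dict[str, str]]:
    return [e for e in (parse_line(l) for l in lines) if e]


def failed_logins_by_source(events: List[Dict[str, str]]) -> Counter:
    """Failed-login count per source IP across hosts and network devices."""
    return Counter(e["ip"] for e in events if e["event"] == "login_failure" and "ip" in e)


# Constructed log excerpt: one operator session and one noisy source address.
SAMPLE_LOG = """\
Mar 19 10:01:02 hmi01 sshd[2231]: Accepted publickey for operator from 10.1.1.10 port 51020 ssh2: RSA SHA256:c0nstructed
Mar 19 10:02:40 hmi01 sshd[2298]: Failed password for invalid user admin from 10.1.1.99 port 40022 ssh2
Mar 19 10:02:41 hmi01 sshd[2298]: Failed password for root from 10.1.1.99 port 40023 ssh2
Mar 19 10:03:00 hmi01 sudo: operator : TTY=pts/0 ; PWD=/home/operator ; USER=root ; COMMAND=/usr/bin/systemctl restart iec104d
Mar 19 10:05:10 hmi01 sshd[2231]: pam_unix(sshd:session): session closed for user operator
Mar 19 10:06:00 sw01 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.10)
Mar 19 10:07:00 sw01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.99] [localport: 22] [Reason: Login Authentication Failed]
Mar 19 10:08:00 hmi01 systemd[1]: Started Session 12 of user operator.
"""
```

The last sample line matches no rule and is dropped here; in the device described on this page such lines belong to the original-log path, which forwards unmatched raw logs to the master station rather than discarding them.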
In addition, the analysis of program code comprises: (1) supporting the reception of a critical file list issued by the master station; (2) supporting the collection of critical file information from general-purpose host devices (Unix-like operating systems only), including file name, file path and file MD5, by logging in with a digital certificate and executing commands; (3) supporting the real-time reporting of critical file information to the master station system.
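The critical-file information above (file name, path and digest, taken for every entry on a master-issued list) and the comparison between two successive collections can be written as follows. This is an added example for this page, not the patent's code; the critical file list and the files themselves are constructed in a temporary directory. The page specifies MD5, so that is the default, but MD5 is not collision-resistant, and the algo parameter exists so that SHA-256 can be used wherever the master station accepts it.

```python
"""Critical-file inventory and change detection (added example; the file set is
constructed in a temporary directory)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional


def file_digest(path: str, algo: str = "md5") -> Optional[str]:
    """Hex digest of the file read in chunks, or None if it cannot be read."""
    try:
        h = hashlib.new(algo)
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None


def inventory(critical_paths: List[str], algo: str = "md5") -> List[Dict]:
    """One record per path on the master-issued list; digest None means absent."""
    return [{"filename": os.path.basename(p), "path": p, "digest": file_digest(p, algo)}
            for p in critical_paths]


def diff_inventory(previous: List[Dict], current: List[Dict]) -> Dict[str, List[str]]:
    """Paths whose digest changed, that disappeared, or that appeared since the last run."""
    prev = {r["path"]: r["digest"] for r in previous}
    out: Dict[str, List[str]] = {"changed": [], "missing": [], "appeared": []}
    for r in current:
        before, now = prev.get(r["path"]), r["digest"]
        if before is not None and now is None:
            out["missing"].append(r["path"])
        elif before is None and now is not None:
            out["appeared"].append(r["path"])
        elif before is not None and now is not None and before != now:
            out["changed"].append(r["path"])
    return out


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one listed file edited, one deleted, one never present."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("passwd", "sshd_config", "shadow")]
        with open(paths[0], "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(paths[1], "w") as f:
            f.write("PermitRootLogin no\n")
        baseline = inventory(paths)
        with open(paths[1], "a") as f:
            f.write("PermitRootLogin yes\n")   # tamper with sshd_config
        os.remove(paths[0])                    # delete passwd
        delta = diff_inventory(baseline, inventory(paths))
    return {k: [os.path.basename(p) for p in v] for k, v in delta.items()}
```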
It include: that (1) supports network sweep function to the analysis of online IP assets information, based on full protocol stack scanning mode, stream Amount mirror-image fashion finds the online IP assets of universal host machine equipment, embedded host equipment, the network equipment and safety equipment automatically; (2) comparison, duplicate removal and the splicing of the online IP assets information of multi-source are supported;(3) it supports to link with Situation Awareness main station system, realize It is sent in the active of assets, lawful registration and real-time synchronization, realizes that the main station system of Asset Attributes is unified and safeguard.
It include: that (1) is supported to automatically generate universal host machine equipment, embedded for interconnecting topological data analysis between each equipment The logical topology connection relationship of host equipment, the network equipment, safety equipment, logical topology connection relationship include serial number, safety point Area, subnetting mark, IP subnet, vlan number (can be empty), device name (can be empty), IP address and equipment globally unique identifier (GUID);(2) main station system is sent in support logic topological connection relation dynamic.
It include: the scan instruction that (1) support receives and executes that main website issues for the analysis of open port information data;(2) Support analysis universal host machine equipment, embedded host equipment, the operation system information of the network equipment, safety equipment;(3) it supports to divide Analyse universal host machine equipment, embedded host equipment, the open port information of the network equipment, safety equipment, including open port, association Discuss title and service name;(4) support operation system information and open port information it is real-time on send main station system.
It include: that (1) supports analysis universal host machine equipment running status, including presence, CPU for Operational Data Analysis Utilization rate, memory usage, disk utilization rate and network interface state;(2) analysis of built-in host equipment operating status is supported, including Presence;(3) analysis network equipment operating status, including presence, cpu busy percentage, memory usage and network interface are supported State;(4) analysis safety equipment operating status should be supported, respectively include: a) longitudinal encryption authentication device: presence, CPU benefit Mistake etc. is established with rate, memory usage, standby host heartbeat, tunnel;B) forward and reverse isolating device: presence, cpu busy percentage, Memory usage;C) hardware firewall equipment: presence, cpu busy percentage, memory usage, network interface state;D) Situation Awareness Acquisition device: presence, cpu busy percentage, memory usage, network interface state, critical processes state;(5) holding equipment is run Main station system is sent on state event is real-time.
Analyze base-line data includes: that (1) supports that receiving the baseline that main station system issues verifies script and baseline verification times Business;(2) digital certificate mode is supported to log in universal host machine equipment and carry out baseline verification;(3) it supports to verify baseline in result to send Main station system.
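A baseline check of the kind described above, run against an sshd_config, as an added example that is not the patent's code; the configuration text, the rule table and the assumed default values are constructed and would have to match the target's actual sshd build. sshd takes the first value given for each keyword, so the parser does too, which matters when a later, compliant-looking line masks an earlier non-compliant one.

```python
"""sshd_config baseline check against a master-issued rule set (added example;
the config text, rules and default values are constructed)."""
from typing import Dict, List, Tuple

# (keyword, operator, expected value, value assumed when the keyword is absent).
# The defaults are an assumption about the target's OpenSSH build; verify per platform.
RULES: List[Tuple[str, str, object, str]] = [
    ("PermitRootLogin",        "eq", "no", "prohibit-password"),
    ("PasswordAuthentication", "eq", "no", "yes"),
    ("PermitEmptyPasswords",   "eq", "no", "no"),
    ("X11Forwarding",          "eq", "no", "no"),
    ("Protocol",               "eq", "2",  "2"),
    ("MaxAuthTries",           "le", 4,    "6"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Lower-cased keyword -> first value seen, as sshd itself resolves duplicates.
    Treats '#' anywhere as the start of a comment (a simplification)."""
    seen: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() not in seen:
            seen[parts[0].lower()] = parts[1].strip()
    return seen


def check_baseline(text: str, rules=RULES) -> List[Dict]:
    """One finding per rule: observed value, expectation and pass/fail."""
    cfg = parse_sshd_config(text)
    results = []
    for key, op, expected, default in rules:
        observed = cfg.get(key.lower(), default)
        if op == "eq":
            ok = observed.lower() == str(expected).lower()
        elif op == "le":
            ok = observed.isdigit() and int(observed) <= expected
        else:
            raise ValueError(f"unknown operator {op!r}")
        results.append({"item": key, "observed": observed,
                        "expected": f"{op} {expected}", "passed": ok})
    return results


def failures(text: str, rules=RULES) -> List[str]:
    """Names of the baseline items that failed, in rule order."""
    return [r["item"] for r in check_baseline(text, rules) if not r["passed"]]


# Constructed sshd_config: the second PermitRootLogin line does not rescue the first.
SAMPLE_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""
```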
The analysis of vulnerability data comprises supporting the forwarding of vulnerability scanning data from the master station system on the basis of a service agent technique, and initiating remote vulnerability scans against the monitored equipment.
The analysis of original log information comprises: (1) supporting the matching of the log normalisation rule file issued by the master station system, so as to extract the log information of general-purpose host devices, network devices and security devices; (2) supporting the real-time reporting of original logs that match no normalisation rule to the master station system.
It should be noted that network security monitoring device further includes the communication device for connecting data analysis set-up, data point Analysis apparatus transmits information to main station system by communication device.In a specific example, communication device can be wire communication Equipment and wireless telecommunications system.
The data analysis set-up of above-mentioned network security monitoring device can be by outside threat analytical unit, itself fragility point Analyse unit and original document analytical unit composition, outside threat analytical unit analytical equipment network communication data, external equipment number According to manual operation behavioral data;The online IP assets information of itself vulnerability analysis module analysis, the logic between each equipment are opened up Flutter operation system information, open port information, operation data, the base-line data, loophole number of connection relation information and each equipment According to;Original document analysis module analyzes the log information of host equipment, the network equipment and safety equipment and analyses the network equipment Original message information.By different subdivision modules, the complete perception to disparate networks security risk event is realized, strengthens electric power It is horizontal to improve electric power monitoring system network safety prevention comprehensively for the control of monitoring system network security closed loop.
In one embodiment, as shown in Figure 3, a network security monitoring method is provided, comprising the following steps:
Step S310: the system management device confirms the data acquisition mode based on the received acquisition configuration signal and transmits an acquisition instruction to the data acquisition device; the data acquisition modes include active data acquisition and passive data acquisition.
The data acquisition mode is configured manually, and an acquisition configuration signal is issued to the system management device, which thereby determines the data acquisition mode. The system management device then transmits the acquisition instruction to the data acquisition device. In a specific example, active data acquisition includes SNMP, ICMP and SSH; passive data acquisition includes SNMP Trap, Syslog and traffic sniffing.
Step S320: the data acquisition device, according to the acquisition instruction, uses the corresponding data acquisition mode to acquire data from the devices of the control zone, the non-control zone and the production management zone of the electric power monitoring system, and transmits the acquired device log data and device traffic flow data to the data analysis device.
The data acquisition device receives the acquisition instruction and performs data acquisition according to the initially configured data acquisition mode. The acquisition targets are the general-purpose host devices, embedded host devices, network devices and security devices in the control zone, the non-control zone and the production management zone; the acquired device log data and device traffic flow data are transmitted to the data analysis device.
Step S330: the data analysis device obtains an analysis result based on the device log data and the device traffic flow data, and transmits the analysis result to the master station system.
Specifically, the data analysis device analyses the device log data and device traffic flow data transmitted by the data acquisition device, obtains an analysis result, and transmits that analysis result to the master station system.
The network security monitoring method described above can collect the required data effectively using both active and passive data acquisition; at the same time, data obtained by these acquisition methods is more uniformly structured and can be analysed and processed directly. By having the data analysis device process the device log data and device traffic flow data, comprehensive monitoring of all kinds of network security risk events is achieved, and the network security protection level of the electric power monitoring system is raised comprehensively.
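The three-step method above (S310 to S330) and the three analysis units described earlier, as an added Python example that is not code from the patent or its applicants: the system management function validates the configured acquisition mode against the method sets the patent names, the acquisition function collects device log and traffic flow records tagged by zone from constructed sample devices (standing in for real SNMP, Syslog or sniffing input), and the analysis function runs one constructed rule per unit: syslog parsing for repeated failed logins (raw file unit), a port baseline comparison (self-vulnerability unit), and a cross-zone flow check (external threat unit). All host names, addresses, log lines, baselines and thresholds are constructed for illustration.

```python
"""Simulated pipeline for the patent's method (steps S310-S330) and its three
analysis units. Added example, not code from the patent or its applicants;
device names, IPs, log lines, baselines and detection rules are constructed."""
import re
from collections import Counter

# Acquisition methods named in the patent (labels only; nothing here touches a network).
ACTIVE_METHODS = {"SNMP", "ICMP", "SSH"}
PASSIVE_METHODS = {"SNMP Trap", "Syslog", "flow sniff"}
ZONES = {"control", "noncontrolled", "production_management"}

def system_management(config_signal):
    """Step S310: confirm the acquisition mode from the configuration signal and
    return the acquisition instruction (mode, methods) sent to the acquisition device."""
    mode = config_signal["mode"]
    allowed = {"active": ACTIVE_METHODS, "passive": PASSIVE_METHODS}.get(mode)
    if allowed is None:
        raise ValueError(f"unknown acquisition mode {mode!r}")
    methods = set(config_signal.get("methods", allowed))
    if methods - allowed:
        raise ValueError(f"{sorted(methods - allowed)} are not {mode} acquisition methods")
    return {"mode": mode, "methods": methods}

# Constructed stand-ins for what Syslog and flow sniffing would deliver per device.
SAMPLE_DEVICES = [
    {"zone": "control", "host": "rtu-01", "ip": "10.1.0.5", "open_ports": {22, 161, 2404},
     "syslog": [
         "<86>Mar 19 10:01:02 rtu-01 sshd[512]: Failed password for root from 10.3.0.9 port 4431 ssh2",
         "<86>Mar 19 10:01:05 rtu-01 sshd[512]: Failed password for root from 10.3.0.9 port 4432 ssh2",
         "<86>Mar 19 10:01:09 rtu-01 sshd[512]: Failed password for root from 10.3.0.9 port 4433 ssh2",
     ],
     "flows": [("10.1.0.5", "10.1.0.1", 2404), ("10.3.0.9", "10.1.0.5", 22)]},
    {"zone": "production_management", "host": "mis-01", "ip": "10.3.0.9", "open_ports": {22, 80},
     "syslog": ["<30>Mar 19 10:00:00 mis-01 systemd[1]: Started session 7 of user ops."],
     "flows": [("10.3.0.9", "10.3.0.2", 80)]},
]
BASELINE_PORTS = {"rtu-01": {161, 2404}, "mis-01": {22, 80}}  # constructed per-host baseline

def data_acquisition(instruction, devices=SAMPLE_DEVICES):
    """Step S320: gather device log data and traffic flow data from the devices of all
    three zones; every record carries its zone and the method that produced it."""
    method = "Syslog" if instruction["mode"] == "passive" else "SSH"
    logs, flows, inventory = [], [], {}
    for dev in devices:
        if dev["zone"] not in ZONES:
            raise ValueError(f"device {dev['host']} lies outside the monitored zones")
        logs += [{"zone": dev["zone"], "host": dev["host"], "method": method, "line": line}
                 for line in dev["syslog"]]
        flows += [{"zone": dev["zone"], "src": s, "dst": d, "dport": p} for s, d, p in dev["flows"]]
        inventory[dev["host"]] = {"zone": dev["zone"], "ip": dev["ip"], "ports": set(dev["open_ports"])}
    return logs, flows, inventory

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port")

def parse_syslog(line):
    """Raw-file unit helper: split a BSD-syslog line into facility, severity and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7, "host": m.group(3),
            "program": m.group(4), "msg": m.group(5)}

def data_analysis(logs, flows, inventory, baseline=BASELINE_PORTS, threshold=3):
    """Step S330: run the three analysis units over the acquired data and return findings."""
    results = []
    fails = Counter()  # raw-file/log unit: repeated failed logins per (host, source address)
    for rec in logs:
        parsed = parse_syslog(rec["line"])
        hit = FAILED_RE.search(parsed["msg"]) if parsed else None
        if hit:
            fails[(rec["host"], hit.group(2))] += 1
    results += [{"unit": "raw_log", "host": h, "src": s, "count": n}
                for (h, s), n in fails.items() if n >= threshold]
    for host, info in inventory.items():  # self-vulnerability unit: open ports beyond baseline
        extra = info["ports"] - baseline.get(host, set())
        if extra:
            results.append({"unit": "self_vulnerability", "host": host, "unexpected_ports": sorted(extra)})
    zone_of = {i["ip"]: i["zone"] for i in inventory.values()}  # external-threat unit: cross-zone flows
    for fl in flows:
        sz, dz = zone_of.get(fl["src"]), zone_of.get(fl["dst"])
        if sz and dz and sz != dz:
            results.append({"unit": "external_threat", "src": fl["src"], "dst": fl["dst"],
                            "dport": fl["dport"], "path": f"{sz}->{dz}"})
    return results

def run_pipeline(config_signal):
    """Whole method S310 -> S320 -> S330; the returned dict is the message for the master station."""
    instruction = system_management(config_signal)
    logs, flows, inventory = data_acquisition(instruction)
    return {"mode": instruction["mode"], "records": len(logs) + len(flows),
            "results": data_analysis(logs, flows, inventory)}

if __name__ == "__main__":
    import json
    print(json.dumps(run_pipeline({"mode": "passive", "methods": ["Syslog", "flow sniff"]}), indent=2))
```

Running the pipeline in passive mode over the constructed devices yields one finding per unit: three failed root logins on `rtu-01` from `10.3.0.9`, port 22 open on `rtu-01` beyond its baseline, and an SSH flow crossing from the production management zone into the control zone. The cross-zone rule only fires when both endpoints are in the inventory, so flows to unknown addresses are not reported rather than guessed at.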
In one embodiment, as shown in Figure 4, a network security monitoring system is provided, including a master station system 410, a first network security isolation device 420 connected between the control zone and the non-control zone, a second network security isolation device 430 connected between the non-control zone and the production management zone, and at least two network security monitoring devices 440 according to any one of claims 1 to 7;
the first network security isolation device is connected to the second network security isolation device through a system bus; each network security monitoring device is separately connected to the system bus and to the master station system.
The first network security isolation device includes a first forward isolation device and a first reverse isolation device;
the second network security isolation device includes a second forward isolation device and a second reverse isolation device;
the first forward isolation device or the first reverse isolation device is connected to the second forward isolation device through the system bus;
the first forward isolation device or the first reverse isolation device is connected to the second reverse isolation device through the system bus.
Specifically, the first network security monitoring device and the second network security monitoring device are deployed in the control zone and the production management zone respectively, and are used to acquire network security data of the plant and substation electric power monitoring system, to analyse and process security events, and to manage the system. The first network security monitoring device acquires and analyses data from the devices of the control zone and the non-control zone and transmits the obtained data and analysis results to the non-control zone, from where they are forwarded to the higher-level master station system by the network devices of the non-control zone; the second network security monitoring device performs data acquisition, processing and communication for the devices of the production management zone and transmits the obtained data and analysis results to the higher-level master station system. The first network security isolation device is placed between the control zone and the non-control zone, and the second network security isolation device between the non-control zone and the production management zone. Both network security isolation devices are connected to the system bus.
In a specific example, as shown in Figure 5, the first network security monitoring device acquires and analyses data from the devices of the control zone and the non-control zone, transmits the obtained data and analysis results to the non-control zone, and the network devices of the non-control zone forward them to the higher-level master station system; the communication connection between the second network security monitoring device and the higher-level master station system is likewise realised through network devices, where the network devices include a switch, a longitudinal encryption and authentication device and a data network router. Through these devices, data can be transmitted more safely and effectively.
In a specific example, the network security isolation device may be one of a lateral interconnection firewall, a forward isolation device and a reverse isolation device.
The network security monitoring system of the present application can guarantee the security of data transmission through the network security isolation devices and strengthen closed-loop control of electric power monitoring system network security through the network security monitoring devices; it achieves complete perception of all kinds of network security risk events and raises the overall network security protection level of the electric power monitoring system. At the same time, the traditional technology needs to place a network security isolation device in each of the control zone, the non-control zone and the production management zone, whereas the present application only needs to place one in the control zone and one in the production management zone, which greatly reduces cost and improves network security monitoring efficiency.
In one embodiment, a computer device is provided; the computer device may be a terminal, and its internal structure may be as shown in Figure 6. The computer device includes a processor, a memory, a network interface, a display screen and an input device connected through a system bus. The processor of the computer device provides computing and control capability. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides the environment in which the operating system and the computer program held in the non-volatile storage medium run. The network interface of the computer device is used to communicate with an external terminal through a network connection. When the computer program is executed by the processor, a network security monitoring method is realised. The display screen of the computer device may be a liquid crystal display or an electronic ink display; the input device of the computer device may be a touch layer covering the display screen, a key, trackball or touchpad provided on the housing of the computer device, or an external keyboard, touchpad or mouse, etc.
Those skilled in the art will understand that the structure shown in Figure 6 is only a block diagram of the part of the structure relevant to the solution of the present application and does not limit the computer device to which the solution is applied; a specific computer device may include more or fewer components than shown in the figure, combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, including a memory and a processor, the memory storing a computer program; when the processor executes the computer program, the following steps are performed:
the system management device confirms the data acquisition mode based on the received acquisition configuration signal and transmits an acquisition instruction to the data acquisition device; the data acquisition modes include active data acquisition and passive data acquisition;
the data acquisition device, according to the acquisition instruction, uses the corresponding data acquisition mode to acquire data from the devices of the control zone, the devices of the non-control zone and the devices of the production management zone of the electric power monitoring system, and transmits the acquired device log data and device traffic flow data to the data analysis device;
the data analysis device obtains an analysis result based on the device log data and the device traffic flow data, and transmits the analysis result to the master station system.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored; when the computer program is executed by a processor, the following steps are performed:
the system management device confirms the data acquisition mode based on the received acquisition configuration signal and transmits an acquisition instruction to the data acquisition device; the data acquisition modes include active data acquisition and passive data acquisition;
the data acquisition device, according to the acquisition instruction, uses the corresponding data acquisition mode to acquire data from the devices of the control zone, the devices of the non-control zone and the devices of the production management zone of the electric power monitoring system, and transmits the acquired device log data and device traffic flow data to the data analysis device;
the data analysis device obtains an analysis result based on the device log data and the device traffic flow data, and transmits the analysis result to the master station system.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments may be implemented by instructing the relevant hardware through a computer program; the computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of each of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM), etc.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not every possible combination of the technical features of the above embodiments has been described; however, as long as a combination of these technical features contains no contradiction, it should be considered to be within the scope of this specification.
The above embodiments only express several implementations of the present application, and their description is relatively specific and detailed, but they should not therefore be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art may make various modifications and improvements without departing from the concept of the present application, and these all fall within the scope of protection of the present application. Therefore, the scope of protection of this patent shall be subject to the appended claims.

Claims (10)

1. A network security monitoring device, characterised in that the network security monitoring device is deployed in a control zone and in a production management zone respectively; the network security monitoring device includes a data analysis device, a system management device and a data acquisition device; the data analysis device is connected to the data acquisition device, and the system management device is connected to the data acquisition device;
the system management device confirms a data acquisition mode based on a received acquisition configuration signal and transmits an acquisition instruction to the data acquisition device; the data acquisition modes include active data acquisition and passive data acquisition; the data acquisition device, according to the acquisition instruction, uses the corresponding data acquisition mode to acquire data from the devices of the control zone, the non-control zone and the production management zone of an electric power monitoring system, and transmits the acquired device log data and device traffic flow data to the data analysis device;
the data analysis device obtains an analysis result based on the device log data and the device traffic flow data, and transmits the analysis result to a master station system.
2. The network security monitoring device according to claim 1, characterised in that the data analysis device transmits the device log data and the device traffic flow data to the master station system;
the data analysis device includes an external threat analysis unit, a self-vulnerability analysis unit and a raw file analysis unit;
the external threat analysis unit, the self-vulnerability analysis unit and the raw file analysis unit are each connected to the data acquisition device;
the external threat analysis unit is used to analyse external access data; the self-vulnerability analysis unit is used to analyse data generated by the devices themselves; the raw file analysis unit is used to analyse raw file data of the devices.
3. The network security monitoring device according to claim 2, characterised in that
the external threat analysis unit is used to analyse device network communication data, external device data and manual operation behaviour data, obtain an analysis result, and transmit the analysis result to the master station system.
4. The network security monitoring device according to claim 2, characterised in that
the self-vulnerability analysis unit is used to analyse online IP asset information, the logical topology connection relationship information between the devices, and the operating system information, open port information, operational data, baseline data and vulnerability data of each device, obtain an analysis result, and transmit the analysis result to the master station system;
the devices include host devices, network devices and security devices.
5. The network security monitoring device according to claim 2, characterised in that
the raw file analysis unit is used to analyse the log information of host devices, network devices and security devices and the raw message information of the network devices, obtain an analysis result, and transmit the analysis result to the master station system.
6. The network security monitoring device according to claim 1, characterised in that the active data acquisition includes SNMP, ICMP and SSH; the passive data acquisition includes SNMP Trap, Syslog and traffic sniffing.
7. The network security monitoring device according to claim 1, characterised in that it further includes a communication device connected to the data analysis device;
the data analysis device transmits the analysis result, the device log data and the device traffic flow data to the master station system through the communication device.
8. A network security monitoring method based on the network security monitoring device according to any one of claims 1 to 7, characterised in that it comprises the following steps:
the system management device confirms a data acquisition mode based on a received acquisition configuration signal and transmits an acquisition instruction to the data acquisition device; the data acquisition modes include active data acquisition and passive data acquisition;
the data acquisition device, according to the acquisition instruction, uses the corresponding data acquisition mode to acquire data from the devices of the control zone, the non-control zone and the production management zone of the electric power monitoring system, and transmits the acquired device log data and device traffic flow data to the data analysis device;
the data analysis device obtains an analysis result based on the device log data and the device traffic flow data, and transmits the analysis result to the master station system.
9. A network security monitoring system, characterised in that it includes a master station system, a first network security isolation device connected between a control zone and a non-control zone, a second network security isolation device connected between the non-control zone and a production management zone, and at least two network security monitoring devices according to any one of claims 1 to 7;
the first network security isolation device is connected to the second network security isolation device through a system bus; each network security monitoring device is separately connected to the system bus and to the master station system.
10. The network security monitoring system according to claim 9, characterised in that the first network security isolation device includes a first forward isolation device and a first reverse isolation device; the second network security isolation device includes a second forward isolation device and a second reverse isolation device;
the first forward isolation device or the first reverse isolation device is connected to the second forward isolation device through the system bus;
the first forward isolation device or the first reverse isolation device is connected to the second reverse isolation device through the system bus.
CN201910206334.7A 2019-03-19 2019-03-19 Network security monitoring device, method and system Pending CN109922073A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910206334.7A CN109922073A (en) 2019-03-19 2019-03-19 Network security monitoring device, method and system


Publications (1)

Publication Number Publication Date
CN109922073A true CN109922073A (en) 2019-06-21

Family

ID=66965514


Country Status (1)

Country Link
CN (1) CN109922073A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 510000 Guangdong city of Guangzhou province Luogang District Science City Kexiang Road No. 11

Applicant after: China Southern Power Grid Co., Ltd.

Applicant after: Southern Power Grid Digital Grid Research Institute Co., Ltd.

Address before: 510000 Guangdong city of Guangzhou province Luogang District Science City Kexiang Road No. 11

Applicant before: China Southern Power Grid Co., Ltd.

Applicant before: Dingxin Information Technology Co., Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20190621
