CN110213077A - A kind of method, apparatus and system of determining electric power monitoring system security incident - Google Patents


Info

Publication number
CN110213077A
Authority
CN
China
Prior art keywords
alarm
attack
electric power
monitoring system
power monitoring
Prior art date
Legal status
Granted
Application number
CN201910313652.3A
Other languages
Chinese (zh)
Other versions
CN110213077B (en)
Inventor
梁野
邵立嵩
王景
张华�
金正平
李莹
蒋正威
金学奇
肖艳炜
陈国恩
张磊
王跃强
董宁
徐浩
王超
任天宇
王黎明
Current Assignee
State Grid Corp of China SGCC
State Grid Zhejiang Electric Power Co Ltd
Beijing University of Posts and Telecommunications
State Grid Jiangsu Electric Power Co Ltd
Beijing Kedong Electric Power Control System Co Ltd
State Grid Beijing Electric Power Co Ltd
Jiaxing Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Zhejiang Electric Power Co Ltd
Beijing University of Posts and Telecommunications
State Grid Jiangsu Electric Power Co Ltd
Beijing Kedong Electric Power Control System Co Ltd
State Grid Beijing Electric Power Co Ltd
Jiaxing Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, State Grid Zhejiang Electric Power Co Ltd, Beijing University of Posts and Telecommunications, State Grid Jiangsu Electric Power Co Ltd, Beijing Kedong Electric Power Control System Co Ltd, State Grid Beijing Electric Power Co Ltd, Jiaxing Power Supply Co of State Grid Zhejiang Electric Power Co Ltd
Priority to CN201910313652.3A
Publication of CN110213077A
Application granted
Publication of CN110213077B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Alarm Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, apparatus and system for determining security events in an electric power monitoring system. The method comprises: obtaining an alarm log containing a number of alarm records; performing tree-graph modelling on the alarm log based on the association between the alarm records to construct an attack tree; aggregating the attack tree to obtain an initial attack chain set; and pruning and de-noising each initial attack chain in that set to form a final attack chain set, from which the power monitoring system security events are determined. The invention automatically and effectively analyses the alarm data of a power monitoring system, extracts attack events and presents them visually, helping network administrators understand the network security posture and take handling measures in time to safeguard the network, data and equipment.

Description

A kind of method, apparatus and system of determining electric power monitoring system security incident
Technical field
The invention belongs to the technical field of electric power monitoring systems, and in particular relates to a method, apparatus and system for determining security events in an electric power monitoring system.
Background art
Existing security event analysis mainly consists of alarm preprocessing and alarm correlation. Alarm preprocessing mainly includes false-positive removal and alarm aggregation. The alarms raised by security devices frequently contain a large number of false positives, so a typical security analysis system removes the alarms it considers low-level or false in order to improve the accuracy of attack detection. However, a power system production environment requires very high reliability, and removing false positives may also remove genuine alarms. For alarm aggregation, the usual approaches are to aggregate alarms with identical content, source IP and destination IP into a super alarm, to aggregate alarm events with identical source and destination IPs, or to aggregate alarms by similarity using clustering. None of these aggregation methods is fully applicable to a power monitoring system: aggregating by alarm content hides the IP information, aggregating by IP conceals the path along which an attack hops between IPs, and clustering hands alarm aggregation over to unsupervised learning, where aggregation by alarm similarity alone is likely to merge different attacks together.
Alarm correlation is generally divided into similarity-based correlation, attack-sequence-based correlation and attack-sample-based correlation. Similarity-based correlation designs an algorithm to compute the similarity between alarms and groups highly similar alarms into one attack scenario; this method has difficulty detecting multi-step attacks. Attack-sequence-based correlation usually requires an attack pattern library to be built, after which attack behaviour in the alarms is matched against the library; the library is built either directly from an attack knowledge base or by constructing a potential attack graph from system vulnerabilities, and both are hard to implement directly on power grid alarm data and in the grid network environment. Attack-sample-based correlation mainly uses statistical probability to learn attack patterns from samples, commonly with Bayesian models, hidden Markov models or association-rule models; its premise is that samples containing attacks are available.
It can be seen that existing alarm preprocessing and alarm correlation methods are all difficult to apply directly under present conditions, and need to be adapted to the data, environment and requirements of the power monitoring system.
Summary of the invention
In view of the above problems, the present invention proposes a method of determining power monitoring system security events that automatically analyses the alarm data of a power monitoring system, extracts attack events and presents them visually, helping network administrators understand the network security posture and take handling measures in time to safeguard the network, data and equipment.
To achieve the above technical purpose and effect, the invention is realized by the following technical scheme:
In a first aspect, the present invention provides a method of determining power monitoring system security events, comprising:
obtaining an alarm log containing a number of alarm records;
performing tree-graph modelling on the alarm log based on the association between the alarm records to obtain an attack tree;
aggregating the attack tree to obtain an initial attack chain set;
pruning each initial attack chain in the initial attack chain set to form a final attack chain set, and determining the power monitoring system security events.
Preferably, obtaining the alarm log comprises the following sub-steps:
obtaining a source alarm log;
reconstructing the alarm fields of the alarm records in the source alarm log, a reconstructed alarm record being expressed as Alert(Starttime, Endtime, Content, Type, SrcIP, DstIP, SrcPort, DstPort, Times, Level), where Starttime is the alarm start time, Endtime the alarm end time, Content the alarm content, Type the alarm type, SrcIP the source IP, DstIP the destination IP, SrcPort the source port, DstPort the destination port, Times the alarm repetition count and Level the alarm level.
Preferably, after the step of reconstructing the alarm fields of each alarm record in the source alarm log, the method further comprises:
if the alarm type, IP information and port information of an alarm record are identical to those of either of the two preceding alarm records, removing the latter alarm and updating the end time and repetition count of the repeated alarm.
Preferably, an IP is represented by a node and the alarm from a source IP to a destination IP by an edge; performing tree-graph modelling on the alarm log based on the association between the alarm records to obtain the attack tree comprises the following sub-steps:
modelling each node as a TNode class, TNode = {SelfIP, ParentsIP, ChildrenInfo}, where SelfIP is the node's own IP, ParentsIP the set of IPs of its parent nodes and ChildrenInfo its child nodes together with the corresponding alarm information;
modelling each node with TNode realizes the tree-graph modelling and constructs the attack tree.
Preferably, aggregating the attack tree to obtain the initial attack chain set comprises the following sub-step:
performing a depth-first traversal from the parentless nodes of the attack tree to obtain the initial attack chain set, which contains a number of initial attack chains.
Preferably, aggregating the attack tree to obtain the initial attack chain set comprises the following sub-steps:
for each node in the attack tree, traversing its child node set; whenever the alarm type, source IP and destination IP of a child node are identical to those of the preceding child node, aggregating the two by letting the latter's alarm end time replace the former's, and deleting the latter child node;
for each node in the attack tree processed by the previous step, traversing its child node set; whenever two child nodes have identical alarm type, source IP and destination IP, and the range between the start and end times of the aggregated alarm would be less than a set time window, aggregating the two child nodes and deleting the latter, thereby obtaining a new attack tree;
performing a depth-first traversal from each parentless node of the new attack tree, and adding the attack chain obtained by each traversal to the initial attack chain set;
for the nodes remaining after the depth-first traversal of the previous step, performing a depth-first traversal from each of them to obtain the remaining attack chains, and adding these to the initial attack chain set.
Preferably, pruning each initial attack chain in the initial attack chain set to form the final attack chain set and determine the power monitoring system security events comprises the following steps:
obtaining negative causal rules;
when two adjacent alarm events in an attack chain satisfy a negative causal rule, breaking the chain at that point, forming the final attack chain set and determining the power monitoring system security events.
Preferably, after breaking the chain at the point where two adjacent alarm events in an attack chain satisfy a negative causal rule, the method further comprises:
traversing every alarm event of each obtained attack chain; for every two adjacent alarm events, taking the alarm start time of the former alarm event as time t2 and shifting it back by a time interval t to obtain time t1; if the latter alarm event did not occur before t1, the two events are regarded as secondary events; otherwise the latter is regarded as a non-secondary event, the chain is broken there into two attack chains, and the latter chain is de-noised in the same way until all non-secondary events have been removed.
Preferably, determining the power monitoring system security events specifically comprises:
constructing each attack chain in the final attack chain set as a directed graph in which IPs are nodes and alarm events are edges, each directed edge representing an alarm event that occurred from the source IP towards the destination IP;
dividing the directed graph into subgraphs, each mutually connected part forming an independent attack graph.
In a second aspect, the present invention provides an apparatus for determining power monitoring system security events, comprising:
an obtaining module for obtaining an alarm log containing a number of alarm records;
a modelling module for performing tree-graph modelling on the alarm log based on the association between the alarm records to obtain an attack tree;
an aggregation module for aggregating the attack tree to obtain an initial attack chain set;
a pruning module for pruning each initial attack chain in the initial attack chain set to form a final attack chain set and determine the power monitoring system security events.
In a third aspect, the present invention provides a system for determining power monitoring system security events, comprising:
a processor adapted to execute instructions; and
a storage device adapted to store a plurality of instructions, the instructions being adapted to be loaded by the processor to execute the steps of any of the first aspect.
Compared with the prior art, the beneficial effects of the invention are as follows:
The method, apparatus and system for determining power monitoring system security events proposed by the invention first preprocess the source alarm log to reduce redundancy; then build an attack tree by IP association and convert it into attack chains after aggregation; and finally prune and de-noise the attack chains using negative causal association and non-secondary events, forming the final attack chains and a visualized attack graph. The invention extracts multi-step attack events automatically with a small amount of prior knowledge and shows their movement trajectory between IPs.
Description of the drawings
Fig. 1 is a schematic of the modelling flow of the security event analysis model in an embodiment of the invention;
Fig. 2 is a schematic of the structure of an attack chain of length 3 in an embodiment of the invention;
Fig. 3 is a schematic of the tree-graph structure in an embodiment of the invention;
Fig. 4 is a schematic of the first child node aggregation pass in an embodiment of the invention;
Fig. 5 is a schematic of the second child node aggregation pass in an embodiment of the invention;
Fig. 6 is a schematic of chain breaking in an embodiment of the invention.
Specific embodiments
To make the objectives, technical solutions and advantages of the invention clearer, the invention is further described below with reference to the embodiments. It should be understood that the specific embodiments described here are merely illustrative of the invention and do not limit its scope of protection.
The application principle of the invention is explained in detail below with reference to the drawings.
Many security devices are deployed in a power monitoring system, and the control centre collects the alarms of these devices as original alarms. The method, apparatus and system for determining power monitoring system security events of the invention process these original alarms into an intelligible, intuitive attack graph display, helping network managers monitor the network security state in real time.
Embodiment 1
Fig. 1 shows the flow of the method for determining power monitoring system security events in this embodiment. The input is the original alarms of the power monitoring system; after preprocessing, an analysable alarm log is formed and fed into the attack chain modelling module, which forms attack chains after aggregation and traversal. The attack chains at this point still contain many unreasonable events, so a post-processing module prunes and de-noises them to form the final attack chains. Finally, to make the result more intuitive, visualization is introduced: interconnected attack chains are drawn into one attack graph, and the final output is a set of attack graphs.
Specifically, the method for determining power monitoring system security events in this embodiment comprises the following steps:
Step (1): obtain the alarm log; each alarm record in the alarm log contains the alarm start time, alarm end time, alarm content, alarm type, source IP and destination IP;
Before security analysis is carried out, the necessary information must be extracted from the original alarms so that they contain the fields needed for analysis. In addition, excessive redundancy greatly affects the efficiency of the analysis; therefore, in one specific implementation of this embodiment, step (1) comprises two sub-steps, reconstruction and de-duplication.
(1.1) Reconstruction
Analysing the source alarm log requires field information such as IP addresses, but the source alarm log suffers from missing and inconsistent fields. Therefore the alarm fields of each alarm record in the source alarm log are first reconstructed to form the alarm log. A reconstructed alarm record is expressed as the ten-tuple Alert(Starttime, Endtime, Content, Type, SrcIP, DstIP, SrcPort, DstPort, Times, Level), where Starttime is the alarm start time, Endtime the alarm end time, Content the alarm content, Type the alarm type, SrcIP the source IP, DstIP the destination IP, SrcPort the source port, DstPort the destination port, Times the alarm repetition count and Level the alarm level.
(1.2) De-duplication
A complete attack process contains at least one attack step, each of which is called a single-step attack. For one single-step attack a security device may generate multiple redundant alarms. De-duplicating the alarm log while retaining the time information reduces the number of alarms while preserving the source data information as far as possible, and improves the manageability of the alarms.
The de-duplication rule is: if the alarm type, IP information and port information of an alarm record are identical to those of either of the two preceding alarm records, remove the latter alarm and update the end time and repetition count of the repeated alarm.
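As an added illustration (not code from the patent), the following Python models the reconstruction of (1.1) and the de-duplication rule of (1.2) on a few constructed source records; the source record layout, the defaults used for missing fields, and the reading of "the two preceding records" as the two most recently kept records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Alert:
    """The ten-tuple alarm record of step (1.1)."""
    starttime: datetime
    endtime: datetime
    content: str
    atype: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    times: int = 1
    level: str = "unknown"

    def same_step(self, other: "Alert") -> bool:
        # Dedup key of step (1.2): alarm type, IP information and port information
        return (self.atype, self.src_ip, self.dst_ip, self.src_port, self.dst_port) == (
            other.atype, other.src_ip, other.dst_ip, other.src_port, other.dst_port)


def reconstruct(raw: Dict[str, str]) -> Alert:
    """Map one source record onto the ten-tuple. Fields the source log may lack
    (end time, ports, level) get assumed defaults so that every record carries
    the fields the later steps inspect."""
    start = datetime.fromisoformat(raw["start"])
    end = datetime.fromisoformat(raw.get("end", raw["start"]))
    return Alert(start, end, raw["content"], raw["type"], raw["src"], raw["dst"],
                 int(raw.get("sport", 0)), int(raw.get("dport", 0)),
                 level=raw.get("level", "unknown"))


def deduplicate(records: List[Alert]) -> List[Alert]:
    """Rule of step (1.2): a record matching either of the two records kept just
    before it is dropped, and the matching earlier record absorbs its end time
    and repetition count, so no time information is lost."""
    kept: List[Alert] = []
    for rec in records:
        match: Optional[Alert] = next((p for p in kept[-2:] if p.same_step(rec)), None)
        if match is None:
            kept.append(rec)
        else:
            match.endtime = max(match.endtime, rec.endtime)
            match.times += rec.times
    return kept


# Constructed source records in emission order: records 2 and 4 repeat record 1
# (record 3, to another host, sits between them); record 5 lacks port and level.
SAMPLE_SOURCE_RECORDS: List[Dict[str, str]] = [
    {"start": "2018-05-03T10:00:00", "end": "2018-05-03T10:01:00", "content": "scan event exists",
     "type": "scan", "src": "IP1", "dst": "IP4", "sport": "0", "dport": "22", "level": "low"},
    {"start": "2018-05-03T10:01:00", "end": "2018-05-03T10:02:00", "content": "scan event exists",
     "type": "scan", "src": "IP1", "dst": "IP4", "sport": "0", "dport": "22", "level": "low"},
    {"start": "2018-05-03T10:02:00", "end": "2018-05-03T10:03:00", "content": "scan event exists",
     "type": "scan", "src": "IP1", "dst": "IP7", "sport": "0", "dport": "22", "level": "low"},
    {"start": "2018-05-03T10:03:00", "end": "2018-05-03T10:04:00", "content": "scan event exists",
     "type": "scan", "src": "IP1", "dst": "IP4", "sport": "0", "dport": "22", "level": "low"},
    {"start": "2018-05-03T10:05:00", "content": "unauthorized access",
     "type": "unauthorized access", "src": "IP4", "dst": "IP8"},
]


def run_demo() -> List[Alert]:
    """Reconstruct, then de-duplicate the sample: 3 records remain, the first with Times = 3."""
    return deduplicate([reconstruct(r) for r in SAMPLE_SOURCE_RECORDS])
```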
Step (2): perform tree-graph modelling on the alarm log based on the association of source IP and destination IP across the alarm records, constructing the attack tree;
In one specific implementation of this embodiment, step (2) is as follows:
A complete attack process consists of multiple single-step attacks, and a multi-step attack shown in structured form is an attack chain. Building an attack chain requires three conditions to be met: IP association, causal association and timing. IP association means that the source IP of the latter alarm event is identical to the destination IP of the former alarm; causal association means that the latter alarm event logically forms a causal relationship with the former alarm event; timing means that the Starttime of the latter alarm event is greater than the Starttime of the former alarm. If IP denotes the IP of a node in the chain and Alert the alarm information (including Content, Starttime, Endtime, etc.), the attack chain C of length 3 in Fig. 2 is expressed as C = [(IP1, IP2, Alert1), (IP2, IP3, Alert2), (IP3, IP4, Alert3)].
Across the whole network the IP-based alarm records are distributed as a tree graph. Table 1 is an example alarm log and Fig. 3 is the corresponding alarm tree graph, in which a node represents an IP and an edge represents the alarm from a source IP to a destination IP. Representing the alarm events of the network as a tree graph facilitates the child node aggregation and attack chain extraction of the next step.
Table 1
Alert serial number   Source IP   Destination IP   Alarm information
1                     IP1         IP4              Alert1
2                     IP1         IP7              Alert2
3                     IP3         IP4              Alert3
4                     IP3         IP5              Alert4
5                     IP3         IP6              Alert5
6                     IP7         IP8              Alert6
7                     IP7         IP9              Alert7
8                     IP7         IP10             Alert8
Note that when the alarms are modelled as a tree graph no actual storage structure is set up; instead each node is modelled individually, each node being a TNode class: TNode = {SelfIP, ParentsIP, ChildrenInfo}, where SelfIP is the node's own IP, ParentsIP the set of IPs of its parent nodes and ChildrenInfo its child nodes together with the corresponding alarm information. Modelling each node with TNode realizes the tree-graph modelling of the alarms and constructs the attack tree, in which each IP is represented by exactly one node.
Step (3): aggregate the attack tree to obtain the initial attack chain set;
After the node modelling above, the alarm log is structured as a tree graph, and a depth-first traversal starting from the parentless nodes already yields preliminary attack chains. However, an alarm log that has only been de-duplicated once still contains a great deal of redundancy. To aggregate the alarms further while retaining as much alarm information as possible, the invention proposes a child node aggregation algorithm (Children Aggregation Algorithm). The algorithm works on the node modelling result, traverses the node set and aggregates child nodes that satisfy certain conditions; it comprises two aggregation passes.
The first aggregation is based on the premise that if a host A continuously raises identical security events towards another host B, and host A raises no other security event during that period, then the consecutive identical events between A and B are regarded as one event. The aggregation based on this premise is as follows:
For each node, traverse its child node set; whenever the alarm type, source IP and destination IP of a child node are identical to those of the preceding child node, aggregate the two. Aggregation merges the time information: the Endtime of the latter replaces the Endtime of the former, and the latter child node is deleted. Fig. 4 illustrates the first aggregation pass: in (1) IP1 has 5 child nodes, of which the last four are redundant, i.e. identical in every respect except the alarm time. After IP1's child nodes are aggregated, (2) is formed: the number of child nodes drops from 5 to 2, redundancy is reduced, and apart from the merging of the times no information is lost.
The second aggregation is also based on a premise, namely that identical alarms occurring within a small time window belong to the same security event. The aggregation based on this premise is as follows:
For each node, traverse its child node set; whenever two child nodes have identical alarm type, source IP and destination IP, and the range between the start time and end time of the aggregated alarm would be less than the set time window, the two child nodes satisfy the aggregation condition: they are aggregated and the latter child node is deleted. The specific value of the time window is set according to the actual situation. Fig. 5 illustrates the second aggregation pass: in (1) IP1 has 5 child nodes with alarm events of 4 types, and two alarms of the type "scan event exists" have destination IP IP3. If these were aggregated, the start time after aggregation would be 2018-05-03 13:00 and the end time 2018-05-03 13:37, a range of 37 minutes; with a time window of 1 hour the two nodes satisfy the aggregation condition, and (2) is formed after aggregation, giving the new attack tree.
Further, after node modelling and child node aggregation, a depth-first traversal can be performed on the current new attack tree to obtain the attack chains; the invention proposes an attack chain extraction algorithm (Get Chains Algorithm) for this. To obtain the attack chains, the chain-head alarms must be found first. A chain-head alarm is an alarm before which no alarm targeted its source IP, and it has two cases: either the node corresponding to the alarm's source IP has no parent, or that node has parents but the Starttime of the corresponding parent alarm is later than the Starttime of the alarm. Corresponding to the two chain-head cases, the algorithm has two loops. First, a depth-first traversal (represented here by the function DFC()) is performed starting from every parentless node, and the attack chain C' obtained by each traversal is added to the initial attack chain set.
After the first loop, some nodes remain unvisited; these correspond to the second chain-head case. They are first obtained with the CheckNoVisited() function and then traversed depth-first, yielding the remaining attack chains, which are added to the initial attack chain set.
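As an added example (not the patent's own code), the following Python carries the TNode modelling of step (2), both aggregation passes and the two-loop chain extraction of step (3) through on a constructed log built from part of Table 1; the cut-down alarm tuple, the strict Starttime ordering used as the timing condition, and the reading of CheckNoVisited() as "child alarms never traversed in loop 1" are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

Alarm = Tuple[str, datetime, datetime]  # constructed cut-down alarm: (type, Starttime, Endtime)
Edge = Tuple[str, str, Alarm]           # (source IP, destination IP, alarm)
Chain = List[Edge]

class TNode:
    """TNode = {SelfIP, ParentsIP, ChildrenInfo} from step (2)."""
    def __init__(self, ip: str) -> None:
        self.self_ip = ip
        self.parents_ip: Set[str] = set()
        self.children_info: List[Tuple[str, Alarm]] = []  # (child IP, alarm), in log order

def build_tree(log: List[Edge]) -> Dict[str, TNode]:
    """One TNode per IP; each alarm becomes a child entry of its source IP."""
    nodes: Dict[str, TNode] = {}
    for src, dst, alarm in log:
        nodes.setdefault(src, TNode(src)).children_info.append((dst, alarm))
        nodes.setdefault(dst, TNode(dst)).parents_ip.add(src)
    return nodes

def aggregate_consecutive(node: TNode) -> None:
    """First pass: a child entry with the same type and destination IP as the entry just
    before it (the source IP is the node itself) is merged into it; the later Endtime wins."""
    merged: List[Tuple[str, Alarm]] = []
    for dst, (atype, start, end) in node.children_info:
        if merged and merged[-1][0] == dst and merged[-1][1][0] == atype:
            _, (_, pstart, pend) = merged[-1]
            merged[-1] = (dst, (atype, pstart, max(pend, end)))
        else:
            merged.append((dst, (atype, start, end)))
    node.children_info = merged

def aggregate_window(node: TNode, window: timedelta) -> None:
    """Second pass: any two child entries with the same type and destination IP are
    merged when the merged alarm would span less than the time window."""
    merged: List[Tuple[str, Alarm]] = []
    for dst, (atype, start, end) in node.children_info:
        for i, (mdst, (mtype, mstart, mend)) in enumerate(merged):
            nstart, nend = min(mstart, start), max(mend, end)
            if mdst == dst and mtype == atype and nend - nstart < window:
                merged[i] = (dst, (atype, nstart, nend))
                break
        else:
            merged.append((dst, (atype, start, end)))
    node.children_info = merged

def dfc(nodes: Dict[str, TNode], edge: Edge, chain: Chain, used: Set[Edge], chains: List[Chain]) -> None:
    """Depth-first traversal (DFC() in the text): extend the chain along child alarms
    that satisfy IP association and timing (a strictly later Starttime)."""
    used.add(edge)
    chain = chain + [edge]
    extended = False
    for ndst, nalarm in nodes[edge[1]].children_info:
        if nalarm[1] > edge[2][1]:  # Starttime must increase, so a cycle cannot loop forever
            extended = True
            dfc(nodes, (edge[1], ndst, nalarm), chain, used, chains)
    if not extended:
        chains.append(chain)

def get_chains(nodes: Dict[str, TNode]) -> List[Chain]:
    """Get Chains Algorithm: loop 1 starts at parentless nodes; loop 2 (CheckNoVisited)
    starts at alarms never traversed because their parent alarm starts later."""
    chains: List[Chain] = []
    used: Set[Edge] = set()
    for ip, node in nodes.items():
        if not node.parents_ip:
            for dst, alarm in node.children_info:
                dfc(nodes, (ip, dst, alarm), [], used, chains)
    for ip, node in nodes.items():
        for dst, alarm in node.children_info:
            if (ip, dst, alarm) not in used:
                dfc(nodes, (ip, dst, alarm), [], used, chains)
    return chains

T0 = datetime(2018, 5, 3, 13, 0)

def at(minutes: int) -> datetime:  # minutes after T0
    return T0 + timedelta(minutes=minutes)

# Constructed log: part of Table 1, repeats that exercise both aggregation passes, and
# one alarm from IP4 that starts before IP4 is itself targeted (a loop-2 chain head).
SAMPLE_LOG: List[Edge] = [
    ("IP1", "IP4", ("scan", at(0), at(1))),
    ("IP1", "IP4", ("scan", at(1), at(2))),      # consecutive repeat: pass 1
    ("IP1", "IP7", ("scan", at(2), at(3))),
    ("IP1", "IP4", ("scan", at(30), at(37))),    # same type/dst within 1 h: pass 2
    ("IP3", "IP4", ("unauthorized access", at(5), at(6))),
    ("IP7", "IP8", ("DDoS event", at(10), at(12))),
    ("IP7", "IP9", ("DDoS event", at(90), at(95))),
    ("IP4", "IP9", ("unauthorized access", at(-5), at(-4))),
]

def run_demo(window: timedelta = timedelta(hours=1)) -> Tuple[Dict[str, TNode], List[Chain]]:
    nodes = build_tree(SAMPLE_LOG)
    for node in nodes.values():
        aggregate_consecutive(node)
        aggregate_window(node, window)
    return nodes, get_chains(nodes)
```

On the sample, IP1's four child entries collapse to two (scan to IP4 spanning 13:00 to 13:37, scan to IP7), and five chains come out, the last one starting at IP4 from the second loop.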
Step (4): prune each initial attack chain in the initial attack chain set, forming the final attack chain set and determining the power monitoring system security events;
The idea of causal association is widely used in the field of security event correlation analysis [5,10,11,12,15,19,20], with methods such as directly constructing a rule base, scanning vulnerability information to build a potential attack graph, and deriving association rules with statistical probability. However, all of these methods are difficult to apply directly to power grid data, so the invention proposes an evolved form of causal association: negative causal association. Pruning the attack chains by negative causal association both ensures the causal relevance of the attack and minimizes the dependence on expert knowledge and attack samples, solving the problem that causal association is hard to apply to grid data.
In a multi-step attack the adjacent attack steps are always causally related, i.e. each former alarm event is the cause of the next. Because the alarms of a power monitoring system come from many different security devices, the alarms have the following characteristics:
Large differences in granularity: for example, "a large number of abnormal access packets that are not TCP/UDP exist, possibly ICMP or other application-protocol packets" is finer-grained than "abnormal access data exists" and describes the attack more specifically.
Inconsistent alarm types: for example, "abnormal access data exists" is a network anomaly alarm, while "memory usage exceeds threshold" is a host anomaly alarm.
To make the events in an attack chain satisfy causality, the invention proposes a negative causality method: if two alarm events definitely do not satisfy causality, they are said to be negatively causal. A negative causal rule is a matrix defining the causal relationship between every two alarm types; negative causality takes only the two values 1 and 0, where 1 means a negative causal relationship exists and 0 means it does not. For alarms Alert1, Alert2, ... Alertn there is a corresponding negative causal rule matrix of size n*n, where (Alerti, Alertj) denotes the negative causal relationship between Alerti and Alertj.
In an attack chain, if two consecutive alarm events are negatively causal they cannot form an attack, and eliminating this case requires negative causal pruning. Table 2 gives three example attack chains: in chains 1 and 2 the consecutive events do not form a causal relationship, i.e. they are negatively causal, while in chain 3 the consecutive events do form a causal relationship. In chain 1 the two events are "DDoS event exists" and "unauthorized access". In a complete DDoS attack the steps are usually vulnerability detection, penetration, tool installation and launching the DDoS attack, so actually launching the denial-of-service attack against the target machine is the last step, its purpose being to paralyse the target's function; within one attack the DDoS attack can therefore only be the last step and cannot form a causal relationship with "unauthorized access". In chain 2 the two events are "tunnel setup failed because it is not configured" and "network interface state recovered"; "network interface state recovered" cannot represent an attack or a state of the system being attacked, so it cannot be a result of "tunnel setup failed", and the two do not form a causal relationship. Unlike chains 1 and 2, the events of chain 3, "abnormal access data exists" and "unauthorized access", may form a causal relationship: it is conjectured that the "abnormal access data" may be a virus script which, after infecting the target host 192.168.21.5, uses that host as a pivot to carry out further "unauthorized access" against 192.168.29.4.
Table 2
With the negative causal rule in place, the next step is to prune the attack chain by breaking it. Fig. 6 illustrates chain breaking: when attack chain C = [(IP1, IP2, Alert1), (IP2, IP3, Alert2), (IP3, IP4, Alert3), (IP4, IP5, Alert4)] contains two alarm events Alert2 and Alert3 that satisfy the negative causal rule, the chain is broken at that point, giving two new attack chains C1 = [(IP1, IP2, Alert1), (IP2, IP3, Alert2)] and C2 = [(IP3, IP4, Alert3), (IP4, IP5, Alert4)].
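The chain-breaking step of Fig. 6, written out as an added Python example (this is not code from the patent). The n*n matrix is built as the description defines it; its entries, and the single rule that Alert2 can never be the cause of Alert3, are constructed here for illustration, since the patent does not publish the rule values. Alarm types that are not in the matrix are treated as 0 (no rule).

```python
"""Negative-causal-rule pruning (chain breaking) of an attack chain.

Added example; not code from the patent. The alert types and the matrix
entries are constructed for illustration.
"""
from typing import Dict, List, Tuple

Hop = Tuple[str, str, str]   # (source IP, destination IP, alarm type)
Chain = List[Hop]

# Alarm types indexed into the n*n matrix (Alert1 ... Alertn). Constructed.
ALERT_TYPES = ["Alert1", "Alert2", "Alert3", "Alert4"]
ALERT_INDEX: Dict[str, int] = {t: i for i, t in enumerate(ALERT_TYPES)}


def build_rule_matrix(negative_pairs: List[Tuple[str, str]]) -> List[List[int]]:
    """Build the n*n matrix: entry (i, j) == 1 means alert type i is never
    the cause of alert type j (negative causality); 0 means no such rule."""
    n = len(ALERT_TYPES)
    matrix = [[0] * n for _ in range(n)]
    for cause, effect in negative_pairs:
        matrix[ALERT_INDEX[cause]][ALERT_INDEX[effect]] = 1
    return matrix


# Constructed rule: Alert2 cannot be the cause of Alert3 (the Fig. 6 case).
RULE_MATRIX = build_rule_matrix([("Alert2", "Alert3")])


def is_negative_causal(prev_type: str, next_type: str,
                       matrix: List[List[int]] = RULE_MATRIX) -> bool:
    """Alarm types absent from the matrix default to 0 (no rule)."""
    i, j = ALERT_INDEX.get(prev_type), ALERT_INDEX.get(next_type)
    if i is None or j is None:
        return False
    return matrix[i][j] == 1


def prune_chain(chain: Chain, matrix: List[List[int]] = RULE_MATRIX) -> List[Chain]:
    """Break the chain at every adjacent pair that satisfies the negative
    causal rule; each fragment keeps its IP association and ordering."""
    if not chain:
        return []
    fragments: List[Chain] = []
    current: Chain = [chain[0]]
    for hop in chain[1:]:
        if is_negative_causal(current[-1][2], hop[2], matrix):
            fragments.append(current)
            current = [hop]
        else:
            current.append(hop)
    fragments.append(current)
    return fragments


def prune_chain_set(chains: List[Chain], matrix: List[List[int]] = RULE_MATRIX) -> List[Chain]:
    """Apply pruning to every initial attack chain and flatten the result."""
    return [frag for chain in chains for frag in prune_chain(chain, matrix)]


# The chain C from Fig. 6.
FIG6_CHAIN: Chain = [("IP1", "IP2", "Alert1"), ("IP2", "IP3", "Alert2"),
                     ("IP3", "IP4", "Alert3"), ("IP4", "IP5", "Alert4")]

if __name__ == "__main__":
    for fragment in prune_chain(FIG6_CHAIN):
        print(fragment)
```

Only the direction (Alerti as cause, Alertj as effect) is consulted, so the reverse pair Alert3 followed by Alert2 is left intact unless the matrix also marks that entry.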
Further, in a specific embodiment of the present invention, after pruning each initial attack chain in the initial attack chain set, a noise reduction step is also included, specifically:
When events A and B satisfy the following two conditions, B is called a secondary event of A:
Condition 1: sequential relationship; event B occurs after event A occurs, and B did not occur within a period of time before A occurred.
Condition 2: non-secondary event; when B is not a secondary event of A, B is called a non-secondary event of A.
After IP association and negative causal rule pruning, the attack chain at this point already has the three necessary properties: IP association, causal correlation and timing. However, some unreasonable events still remain in it, namely non-secondary events. A secondary event is one thing caused by another thing; a non-secondary event is the opposite. Table 3 shows an example alarm log. After the preceding series of processing, the attack chain "abnormal access data exists: abnormal access data from hosts such as [192.168.1.1] to port 9641 of destination host [192.168.1.170]; 192.168.1.170 memory usage exceeds threshold" has been obtained. In an attack chain we would normally assume that the former event caused the latter. However, when the alarm records related to 192.168.1.170 are traced back, it is found that 192.168.1.170 had already repeatedly reported the "memory usage exceeds threshold" error before receiving the abnormal data from 192.168.1.1. It can therefore be concluded that, with high probability, "memory usage exceeds threshold" was not directly caused by "sending abnormal data" but had already occurred before it. Such a pair of events is non-secondary: the former event did not cause the latter, and non-secondary events should be removed from the security sequence.
Table 3
The algorithm that removes non-secondary events is the noise reduction algorithm. For each attack chain, traverse each of its events; for every two adjacent events, take the alarm start time of the previous event, denoted time t2, and from t2 shift forward by a time interval t to obtain time t1. If the latter alarm event did not occur before t1, the two events are regarded as secondary events; otherwise they are regarded as non-secondary events and the chain is broken. After breaking there are two chains, and noise reduction is applied to the latter chain by the same method, until all non-secondary events have been removed and the final attack chain is formed.
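The noise reduction pass, run over a constructed alarm log modelled on the Table 3 scenario (added Python example, not the patent's code). One interpretation is assumed here: the latter event B counts as having "occurred earlier" if the log holds an alarm with B's content on B's destination host whose start time lies in [t1, t2), which is Condition 1 above with t1 = t2 - t. The window value, the log lines and the two hosts 192.168.1.200 and port 9641 placement are constructed.

```python
"""Noise reduction: removing non-secondary events from an attack chain.

Added example; not the patent's own code. Alarm log lines are constructed.
Assumption: event B "occurred earlier" if an alarm with the same content on
the same destination host started in [t1, t2), t2 = start of A, t1 = t2 - t.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Alert:
    start: datetime
    content: str
    src_ip: str
    dst_ip: str


def _t(hhmm: str) -> datetime:
    return datetime(2019, 4, 18, int(hhmm[:2]), int(hhmm[3:]))


# Constructed log: 192.168.1.170 reports "memory usage exceeds threshold"
# repeatedly before abnormal data from 192.168.1.1 reaches its port 9641.
ALARM_LOG: List[Alert] = [
    Alert(_t("09:58"), "memory usage exceeds threshold", "192.168.1.170", "192.168.1.170"),
    Alert(_t("10:03"), "memory usage exceeds threshold", "192.168.1.170", "192.168.1.170"),
    Alert(_t("10:10"), "abnormal access data to port 9641", "192.168.1.1", "192.168.1.170"),
    Alert(_t("10:12"), "memory usage exceeds threshold", "192.168.1.170", "192.168.1.170"),
    Alert(_t("10:25"), "unauthorized access", "192.168.1.170", "192.168.1.200"),
]


def occurred_in_window(event: Alert, log: List[Alert], t1: datetime, t2: datetime) -> bool:
    """True if an alarm with event's content on event's host started in [t1, t2)."""
    return any(a.content == event.content and a.dst_ip == event.dst_ip
               and t1 <= a.start < t2 for a in log)


def is_non_secondary(prev: Alert, nxt: Alert, log: List[Alert], window: timedelta) -> bool:
    t2 = prev.start           # alarm start time of the previous event
    t1 = t2 - window          # shifted forward (earlier) by the interval t
    return occurred_in_window(nxt, log, t1, t2)


def denoise(chain: List[Alert], log: List[Alert], window: timedelta) -> List[List[Alert]]:
    """Walk adjacent pairs and break at every non-secondary pair. Continuing
    the walk along the latter chain is the same as denoising that chain with
    the same method, as the description states."""
    if not chain:
        return []
    chains: List[List[Alert]] = []
    current = [chain[0]]
    for prev, nxt in zip(chain, chain[1:]):
        if is_non_secondary(prev, nxt, log, window):
            chains.append(current)
            current = [nxt]
        else:
            current.append(nxt)
    chains.append(current)
    return chains


def denoise_set(chains: List[List[Alert]], log: List[Alert], window: timedelta) -> List[List[Alert]]:
    return [c for chain in chains for c in denoise(chain, log, window)]


# Constructed chains over the log above (indexes into ALARM_LOG).
NOISY_CHAIN = [ALARM_LOG[2], ALARM_LOG[3]]                 # abnormal data -> memory
CLEAN_CHAIN = [ALARM_LOG[2], ALARM_LOG[4]]                 # abnormal data -> unauthorized access
MIXED_CHAIN = [ALARM_LOG[2], ALARM_LOG[3], ALARM_LOG[4]]
WINDOW = timedelta(minutes=15)
SHORT_WINDOW = timedelta(minutes=5)

if __name__ == "__main__":
    for c in denoise(MIXED_CHAIN, ALARM_LOG, WINDOW):
        print([a.content for a in c])
```

The choice of t matters: with a 15-minute window the two earlier memory alarms fall inside [t1, t2) and the chain is broken, while with a 5-minute window they fall outside it and the pair is kept as secondary.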
In order to display the attack chains and the associations between chains more intuitively, determining the power monitoring system security event specifically comprises:
(1) Structuring as a directed graph
First, each attack chain is structured as a directed graph, where an IP is a node and an alarm event is an edge; every edge is a directed edge, indicating that an alarm event directed from the source IP to the destination IP has occurred. Each IP node is unique.
(2) Subgraph division
Some attack chains share no node with one another and have no association. If all unrelated chains were placed in the same graph, it would be meaningless and would also make the graph too large to analyze. Therefore, the directed graph must be divided into subgraphs, with each mutually connected part divided into an independent attack graph.
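Steps (1) and (2) as an added Python example (not the patent's code): the final attack chains are merged into one directed graph with IPs as nodes and alarm events as edges, then a union-find over the undirected view splits it into connected subgraphs. The three chains are constructed; the 192.168.21.5 and 192.168.29.4 hosts reuse the addresses from the attack chain 3 discussion above, the other addresses are made up.

```python
"""Structuring final attack chains as a directed graph and dividing it into
independent attack subgraphs. Added example, not the patent's code; the
chains are constructed."""
from typing import Dict, List, Set, Tuple

Edge = Tuple[str, str, str]   # (source IP, destination IP, alarm event)
Chain = List[Edge]


class DiGraph:
    def __init__(self) -> None:
        self.nodes: Set[str] = set()     # each IP node is unique
        self.edges: List[Edge] = []      # directed: source IP -> destination IP

    def add_chain(self, chain: Chain) -> None:
        for src, dst, alert in chain:
            self.nodes.update((src, dst))
            self.edges.append((src, dst, alert))


def build_digraph(chains: List[Chain]) -> DiGraph:
    g = DiGraph()
    for chain in chains:
        g.add_chain(chain)
    return g


def divide_subgraphs(graph: DiGraph) -> List[DiGraph]:
    """Union-find over the undirected view: chains that share no IP land in
    separate attack graphs; everything mutually connected stays together.
    Subgraphs are returned ordered by their smallest IP string."""
    parent = {ip: ip for ip in graph.nodes}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for src, dst, _ in graph.edges:
        parent[find(src)] = find(dst)

    groups: Dict[str, DiGraph] = {}
    for ip in sorted(graph.nodes):
        groups.setdefault(find(ip), DiGraph()).nodes.add(ip)
    for edge in graph.edges:
        groups[find(edge[0])].edges.append(edge)
    return sorted(groups.values(), key=lambda sg: min(sg.nodes))


# Constructed final attack chains. Chains 1 and 3 share 192.168.29.4 and so
# belong to one attack graph; chain 2 is unrelated and gets its own.
SAMPLE_CHAINS: List[Chain] = [
    [("192.168.21.1", "192.168.21.5", "abnormal access data"),
     ("192.168.21.5", "192.168.29.4", "unauthorized access")],
    [("10.0.0.7", "10.0.0.9", "DDoS event")],
    [("192.168.29.4", "192.168.29.10", "memory usage exceeds threshold")],
]


def divide_sample() -> List[DiGraph]:
    return divide_subgraphs(build_digraph(SAMPLE_CHAINS))


if __name__ == "__main__":
    for i, sg in enumerate(divide_sample(), 1):
        print(f"attack graph {i}: nodes={sorted(sg.nodes)} edges={len(sg.edges)}")
```

Connectivity is deliberately computed ignoring edge direction, since the point of the division is to keep every chain that touches a shared host in the same picture for the analyst.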
In conclusion a kind of method for determining electric power monitoring system security incident that the embodiment of the present invention proposes, realizes Detection in the case where no attack mode library to multi-step attack event includes: with key technology in model construction process
(1) effective capture that trajectory extraction attack method realizes association host is jumped using along IP.
Network attack generally comprises scanning, cracks, invades, the multi-step attacks such as steal information, multi-step attack be it is a series of can Doubt the sequence of movement.If a host produces suspicious action, then it may at a time be infected by another host, and The viral transmission of infection is jumped by IP to be diffused.For the effective capture for realizing association host, trajectory extraction is jumped using along IP Attack method helps to establish the initial attack chain based on safety case investigation.
(2) the mutual causal correlation of security incident is ensured using negative causalnexus method.
Alarm in electric power monitoring system is multi-source heterogeneous, and attack rule is difficult to formulate, in order to guarantee that security incident is mutual Causal correlation utmostly reduce expertise and attack the dependence of sample, solve electricity using negative causalnexus method The problem of causalnexus is difficult in network data.
(3) being effectively reduced for attack chain redundancy rate is realized using high-efficiency polymerization and noise-reduction method.
For the quantity for effectively reducing attack chain, redundancy is reduced, a large amount of unreasonable events in removal attack chain use Polymerization and noise-reduction method, greatly improve the accuracy and precision of safety case investigation.
Embodiment 2
Based on the same inventive concept as Embodiment 1, an embodiment of the present invention provides an apparatus for determining a power monitoring system security event, comprising:
an obtaining module for obtaining an alarm log, the alarm log containing several alarm records;
a modeling module for performing tree-graph modeling on the alarm log based on the association between the alarm records to obtain an attack tree;
an aggregation processing module for performing aggregation processing on the attack tree to obtain an initial attack chain set;
a pruning module for pruning each initial attack chain in the initial attack chain set respectively to form a final attack chain set and determine the power monitoring system security event.
The remaining parts are the same as in Embodiment 1.
Embodiment 3
Based on the same inventive concept as Embodiment 1, an embodiment of the present invention provides a system for determining a power monitoring system security event, characterized by comprising:
a processor adapted to implement each instruction; and
a storage device adapted to store a plurality of instructions, the instructions being adapted to be loaded by the processor and to perform any of the steps described in Embodiment 1.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, magnetic disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The embodiments of the present invention have been described above in conjunction with the accompanying drawings, but the present invention is not limited to the above specific embodiments. The above embodiments are merely illustrative, not restrictive; under the inspiration of the present invention, those skilled in the art can also make many other forms without departing from the purpose of the present invention and the scope protected by the claims, all of which fall within the protection of the present invention.
The foregoing shows and describes the basic principles, main features and advantages of the present invention. Those skilled in the industry should understand that the present invention is not limited to the above embodiments, which, together with the description, only illustrate the principles of the invention; various changes and improvements may be made to the invention without departing from its spirit and scope, and all such changes and improvements fall within the protection scope of the claimed invention. The claimed scope of the invention is defined by the appended claims and their equivalents.

Claims (11)

1. A method for determining a power monitoring system security event, characterized by comprising:
obtaining an alarm log, the alarm log containing several alarm records;
performing tree-graph modeling on the alarm log based on the association between the alarm records to obtain an attack tree;
performing aggregation processing on the attack tree to obtain an initial attack chain set;
pruning each initial attack chain in the initial attack chain set respectively to form a final attack chain set, and determining the power monitoring system security event.
2. The method for determining a power monitoring system security event according to claim 1, characterized in that obtaining the alarm log specifically comprises the following sub-steps:
acquiring a source alarm log;
reconstructing the alarm fields of each alarm record in the source alarm log to form the alarm log, wherein the reconstructed alarm record is expressed as Alert(Starttime, Endtime, Content, Type, SrcIP, DstIP, SrcPort, DstPort, Times, Level), in which Starttime represents the alarm start time, Endtime represents the alarm end time, Content represents the alarm content, Type represents the alarm type, SrcIP represents the source IP, DstIP represents the destination IP, SrcPort represents the source port, DstPort represents the destination port, Times represents the number of alarm repetitions, and Level represents the alarm grade.
3. The method for determining a power monitoring system security event according to claim 2, characterized in that, after the step of reconstructing the alarm fields of each alarm record in the source alarm log, the method further comprises:
if the alarm type, IP information and port information of an alarm record are identical to those of any one of the preceding two alarm records, removing the latter alarm record and updating the end time and repetition count of the repeated alarm.
4. The method for determining a power monitoring system security event according to claim 2, characterized in that a node is used to represent an IP and an edge is used to represent an alarm from a source IP to a destination IP;
performing tree-graph modeling on the alarm log based on the association between the alarm records to obtain the attack tree specifically comprises the following sub-steps:
letting each node be a TNode class: TNode = {SelfIP, ParentsIP, ChildrenInfo}, where SelfIP is the node's own IP, ParentsIP is the set of IPs of its parent nodes, and ChildrenInfo is its child nodes together with their corresponding alarm information;
modeling each node with TNode to realize the tree-graph modeling and construct the attack tree.
5. The method for determining a power monitoring system security event according to claim 1 or 4, characterized in that performing aggregation processing on the attack tree to obtain the initial attack chain set specifically comprises the following sub-step:
performing a depth-first traversal starting from the orphan (parentless) nodes of the attack tree to obtain the initial attack chain set, the initial attack chain set containing several initial attack chains.
6. The method for determining a power monitoring system security event according to claim 5, characterized in that performing aggregation processing on the attack tree to obtain the initial attack chain set specifically comprises the following sub-steps:
for each node in the attack tree, traversing its child node set; if it is determined that the alarm type, source IP and destination IP of a latter child node and the preceding child node are all the same, performing an aggregation operation on the two, overwriting the alarm end time of the former with the alarm end time of the latter, and deleting the latter child node;
for each node in the attack tree processed by the previous step, traversing its child node set; if it is determined that the alarm type, source IP and destination IP of two child nodes are all the same, and the range between the alarm start time and the alarm end time after aggregation is less than a set time window, aggregating the two child nodes and deleting the latter child node, to obtain a new attack tree;
performing a depth-first traversal starting from all parentless nodes of the new attack tree, and adding the attack chain obtained by each depth-first traversal to the initial attack chain set;
for the nodes remaining after the depth-first traversal of the previous step, performing a depth-first traversal from these remaining nodes to obtain the remaining attack chains, and adding them to the initial attack chain set.
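Claims 4 to 6 taken together, as an added Python example that is not the patent's own code: the TNode model, the two aggregation passes over each node's children, and the depth-first extraction of initial attack chains from parentless nodes followed by any nodes the first pass did not reach (which is where cycles end up). The alarm records are constructed. One reading is assumed: the step-2 window test compares the span from the earlier alarm's start to the later alarm's end against the configured time window.

```python
"""Attack-tree modeling (TNode), aggregation and depth-first chain extraction.

Added example, not the patent's code. Alarm records are constructed.
Assumption: step 2 merges two same-keyed children when
(later.end - earlier.start) < window.
"""
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Alert:
    start: datetime
    end: datetime
    type: str
    src_ip: str
    dst_ip: str


@dataclass
class TNode:
    self_ip: str
    parents_ip: Set[str] = field(default_factory=set)
    children_info: List[Tuple[str, Alert]] = field(default_factory=list)


def _key(a: Alert) -> Tuple[str, str, str]:
    return (a.type, a.src_ip, a.dst_ip)


def build_attack_tree(alerts: List[Alert]) -> Dict[str, TNode]:
    """One TNode per IP; each alert becomes a child entry of its source node
    and registers the source as a parent of the destination."""
    nodes: Dict[str, TNode] = {}
    for a in sorted(alerts, key=lambda x: x.start):
        a = replace(a)   # copy so aggregation never mutates the input records
        nodes.setdefault(a.src_ip, TNode(a.src_ip)).children_info.append((a.dst_ip, a))
        nodes.setdefault(a.dst_ip, TNode(a.dst_ip)).parents_ip.add(a.src_ip)
    return nodes


def aggregate(nodes: Dict[str, TNode], window: timedelta) -> Dict[str, TNode]:
    for node in nodes.values():
        # Step 1: consecutive children with equal (type, src, dst) merge; the
        # earlier alarm's end time is overwritten by the later one's.
        step1: List[Tuple[str, Alert]] = []
        for child_ip, alert in node.children_info:
            if step1 and _key(step1[-1][1]) == _key(alert):
                step1[-1][1].end = alert.end
            else:
                step1.append((child_ip, alert))
        # Step 2: any two equal-keyed children whose aggregated span is
        # shorter than the window merge, the later child being deleted.
        step2: List[Tuple[str, Alert]] = []
        for child_ip, alert in step1:
            for _, kept in step2:
                if _key(kept) == _key(alert) and alert.end - kept.start < window:
                    kept.end = alert.end
                    break
            else:
                step2.append((child_ip, alert))
        node.children_info = step2
    return nodes


def extract_chains(nodes: Dict[str, TNode]) -> List[List[Tuple[str, str, str]]]:
    """Depth-first traversal from parentless nodes, then from whatever is
    left; every root-to-leaf path is one initial attack chain."""
    chains: List[List[Tuple[str, str, str]]] = []
    visited: Set[str] = set()

    def dfs(ip: str, path: List[Tuple[str, str, str]], on_path: Set[str]) -> None:
        visited.add(ip)
        extended = False
        for child_ip, alert in nodes[ip].children_info:
            if child_ip in on_path:          # cycle guard
                continue
            extended = True
            dfs(child_ip, path + [(alert.src_ip, alert.dst_ip, alert.type)], on_path | {child_ip})
        if not extended and path:
            chains.append(path)

    for ip, node in nodes.items():
        if not node.parents_ip:
            dfs(ip, [], {ip})
    for ip in list(nodes):                   # remaining nodes (e.g. cycles)
        if ip not in visited:
            dfs(ip, [], {ip})
    return chains


def _t(h: int, m: int) -> datetime:
    return datetime(2019, 4, 18, h, m)


# Constructed alarm records: two consecutive scans, an exploit attempt, a
# third scan inside the window, a lateral step, and an unrelated pair.
SAMPLE_ALERTS: List[Alert] = [
    Alert(_t(10, 0), _t(10, 1), "port scan", "10.1.1.1", "10.1.1.2"),
    Alert(_t(10, 1), _t(10, 2), "port scan", "10.1.1.1", "10.1.1.2"),
    Alert(_t(10, 3), _t(10, 4), "exploit attempt", "10.1.1.1", "10.1.1.2"),
    Alert(_t(10, 5), _t(10, 6), "port scan", "10.1.1.1", "10.1.1.2"),
    Alert(_t(10, 10), _t(10, 11), "unauthorized access", "10.1.1.2", "10.1.1.3"),
    Alert(_t(10, 0), _t(10, 1), "abnormal access data", "10.2.2.2", "10.2.2.3"),
]


def run_demo(window: timedelta = timedelta(minutes=10)):
    nodes = aggregate(build_attack_tree(SAMPLE_ALERTS), window)
    return nodes, extract_chains(nodes)


if __name__ == "__main__":
    for chain in run_demo()[1]:
        print(chain)
```

With a 10-minute window the three "port scan" alarms from 10.1.1.1 collapse into one child spanning 10:00 to 10:06, so the tree yields three initial chains rather than five, which is the redundancy reduction the aggregation step is for.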
7. The method for determining a power monitoring system security event according to claim 1, characterized in that pruning each initial attack chain in the initial attack chain set respectively to form the final attack chain set and determine the power monitoring system security event specifically comprises the following steps:
obtaining a negative causal rule;
when two adjacent alarm events in an attack chain satisfy the negative causal rule, performing a chain-breaking operation at that point, forming the final attack chain set and determining the power monitoring system security event.
8. The method for determining a power monitoring system security event according to claim 7, characterized in that, after performing the chain-breaking operation when two adjacent alarm events in the attack chain satisfy the negative causal rule, the method further comprises:
for each obtained attack chain, traversing each of its alarm events; for every two adjacent alarm events, taking the alarm start time of the preceding alarm event, denoted time t2, and from t2 shifting forward by a time interval t to obtain time t1; if the latter alarm event did not occur before t1, regarding the two events as secondary events, otherwise regarding them as non-secondary events and performing chain breaking, which yields two attack chains; and performing noise reduction on the latter attack chain by the same method until all non-secondary events have been removed.
9. The method for determining a power monitoring system security event according to claim 1, characterized in that determining the power monitoring system security event specifically comprises:
structuring each attack chain in the final attack chain set as a directed graph, where an IP is a node and an alarm event is an edge, every edge being a directed edge indicating that an alarm event directed from the source IP to the destination IP has occurred;
performing subgraph division on the directed graph, dividing each mutually connected part into an independent attack graph.
10. An apparatus for determining a power monitoring system security event, characterized by comprising:
an obtaining module for obtaining an alarm log, the alarm log containing several alarm records;
a modeling module for performing tree-graph modeling on the alarm log based on the association between the alarm records to obtain an attack tree;
an aggregation processing module for performing aggregation processing on the attack tree to obtain an initial attack chain set;
a pruning module for pruning each initial attack chain in the initial attack chain set respectively to form a final attack chain set and determine the power monitoring system security event.
11. A system for determining a power monitoring system security event, characterized by comprising:
a processor adapted to implement each instruction; and
a storage device adapted to store a plurality of instructions, the instructions being adapted to be loaded by the processor and to perform the steps of any one of claims 1 to 9.
CN201910313652.3A 2019-04-18 2019-04-18 Method, device and system for determining safety event of power monitoring system Active CN110213077B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910313652.3A CN110213077B (en) 2019-04-18 2019-04-18 Method, device and system for determining safety event of power monitoring system


Publications (2)

Publication Number Publication Date
CN110213077A true CN110213077A (en) 2019-09-06
CN110213077B CN110213077B (en) 2022-02-22

Family

ID=67785486


Country Status (1)

Country Link
CN (1) CN110213077B (en)

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110839019A (en) * 2019-10-24 2020-02-25 国网福建省电力有限公司 Network security threat tracing method for power monitoring system
CN110933101A (en) * 2019-12-10 2020-03-27 腾讯科技(深圳)有限公司 Security event log processing method, device and storage medium
CN110933041A (en) * 2019-11-06 2020-03-27 西安四叶草信息技术有限公司 Penetration testing method and related device
CN111404879A (en) * 2020-02-26 2020-07-10 亚信科技(成都)有限公司 Visualization method and device for network threats
CN111709021A (en) * 2020-04-22 2020-09-25 中国科学院信息工程研究所 Attack event identification method based on mass alarms and electronic device
CN111858482A (en) * 2020-07-15 2020-10-30 北京市燃气集团有限责任公司 Attack event tracing and tracing method, system, terminal and storage medium
CN112039841A (en) * 2020-07-23 2020-12-04 北京天融信网络安全技术有限公司 Security event merging processing method and device, electronic equipment and storage medium
CN112187720A (en) * 2020-09-01 2021-01-05 杭州安恒信息技术股份有限公司 Method and device for generating secondary attack chain, electronic device and storage medium
CN112202724A (en) * 2020-09-09 2021-01-08 绿盟科技集团股份有限公司 Data aggregation method and device of all-in-one arrangement mode
CN112241439A (en) * 2020-10-12 2021-01-19 绿盟科技集团股份有限公司 Attack organization discovery method, device, medium and equipment
CN112486940A (en) * 2019-09-12 2021-03-12 伊姆西Ip控股有限责任公司 Method, apparatus and computer program product for event ranking
CN112564988A (en) * 2021-02-19 2021-03-26 腾讯科技(深圳)有限公司 Alarm processing method and device and electronic equipment
CN112615808A (en) * 2020-10-27 2021-04-06 国网浙江省电力有限公司绍兴供电公司 Method, device and equipment for representing white list of process layer messages of intelligent substation
CN112738071A (en) * 2020-12-25 2021-04-30 中能融合智慧科技有限公司 Method and device for constructing attack chain topology
CN112784025A (en) * 2021-01-12 2021-05-11 北京明略软件系统有限公司 Method and device for determining target event
CN112995176A (en) * 2021-02-25 2021-06-18 国电南瑞科技股份有限公司 Network attack reachability calculation method and device applied to power communication network
CN113162794A (en) * 2021-01-27 2021-07-23 国网福建省电力有限公司 Next-step attack event prediction method and related equipment
CN113162904A (en) * 2021-02-08 2021-07-23 国网重庆市电力公司电力科学研究院 Power monitoring system network security alarm evaluation method based on probability graph model
WO2021152423A1 (en) * 2020-01-28 2021-08-05 International Business Machines Corporation Combinatorial test design for optimizing parameter list testing
CN113596037A (en) * 2021-07-31 2021-11-02 南京云利来软件科技有限公司 APT attack detection method based on event relation directed graph in network full flow
CN113722576A (en) * 2021-05-07 2021-11-30 北京达佳互联信息技术有限公司 Network security information processing method, query method and related device
CN113824676A (en) * 2020-11-13 2021-12-21 北京沃东天骏信息技术有限公司 Method and device for determining attack chain aiming at vulnerability
CN114143109A (en) * 2021-12-08 2022-03-04 安天科技集团股份有限公司 Visual processing method, interaction method and device for attack data
CN114172709A (en) * 2021-11-30 2022-03-11 中汽创智科技有限公司 Network multi-step attack detection method, device, equipment and storage medium
CN114301712A (en) * 2021-12-31 2022-04-08 西安交通大学 Industrial internet alarm log correlation analysis method and system based on graph method
CN114448679A (en) * 2022-01-04 2022-05-06 深圳萨摩耶数字科技有限公司 Attack chain construction method and device, electronic equipment and storage medium
CN114760189A (en) * 2022-03-30 2022-07-15 深信服科技股份有限公司 Information determination method, equipment and computer readable storage medium
CN114915544A (en) * 2022-05-18 2022-08-16 广东电网有限责任公司 Network multi-hop attack chain identification method, device, equipment and storage medium
CN114944956A (en) * 2022-05-27 2022-08-26 深信服科技股份有限公司 Attack link detection method and device, electronic equipment and storage medium
CN115459965A (en) * 2022-08-23 2022-12-09 广州大学 Multistep attack detection method for network security of power system
CN116488941A (en) * 2023-06-19 2023-07-25 上海观安信息技术股份有限公司 Attack chain detection method, device and equipment
CN116781340A (en) * 2023-06-12 2023-09-19 北京邮电大学 Attack association relation detection method based on multi-step attack and related equipment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104539626A (en) * 2015-01-14 2015-04-22 中国人民解放军信息工程大学 Network attack scene generating method based on multi-source alarm logs
CN106899435A (en) * 2017-02-21 2017-06-27 浙江大学城市学院 A kind of complex attack identification technology towards wireless invasive detecting system
US20170220801A1 (en) * 2014-08-04 2017-08-03 Darktrace Limited Cyber security
CN109327480A (en) * 2018-12-14 2019-02-12 北京邮电大学 A kind of multi-step attack scene method for digging based on neural network and Bayesian network attack graph
CN109600387A (en) * 2018-12-29 2019-04-09 360企业安全技术(珠海)有限公司 The retroactive method and device of attack, storage medium, computer equipment
CN109617885A (en) * 2018-12-20 2019-04-12 北京神州绿盟信息安全科技股份有限公司 Capture host automatic judging method, device, electronic equipment and storage medium


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
宋珊珊: "基于数据挖掘及攻击图的告警综合关联研究", 《中国优秀硕士学位论文全文数据库(信息科技辑)》 *
王月垒: "面向复杂网络攻击的安全事件检测与追踪技术研究", 《中国优秀硕士学位论文全文数据库(信息科技辑)》 *

CN114915544A (en) * 2022-05-18 2022-08-16 广东电网有限责任公司 Network multi-hop attack chain identification method, device, equipment and storage medium
CN114944956A (en) * 2022-05-27 2022-08-26 深信服科技股份有限公司 Attack link detection method and device, electronic equipment and storage medium
CN115459965A (en) * 2022-08-23 2022-12-09 广州大学 Multistep attack detection method for network security of power system
CN116781340A (en) * 2023-06-12 2023-09-19 北京邮电大学 Attack association relation detection method based on multi-step attack and related equipment
CN116488941A (en) * 2023-06-19 2023-07-25 上海观安信息技术股份有限公司 Attack chain detection method, device and equipment
CN116488941B (en) * 2023-06-19 2023-09-01 上海观安信息技术股份有限公司 Attack chain detection method, device and equipment

Also Published As

Publication number Publication date
CN110213077B (en) 2022-02-22

Similar Documents

Publication Publication Date Title
CN110213077A (en) A kind of method, apparatus and system of determining electric power monitoring system security incident
Ramaki et al. Real time alert correlation and prediction using Bayesian networks
CN111600898A (en) Security alarm generation method, device and system based on rule engine
US9032521B2 (en) Adaptive cyber-security analytics
CN104539626A (en) Network attack scene generating method based on multi-source alarm logs
Alserhani et al. MARS: multi-stage attack recognition system
Sayegh et al. SCADA intrusion detection system based on temporal behavior of frequent patterns
CN110839019A (en) Network security threat tracing method for power monitoring system
CN102075516A (en) Method for identifying and predicting network multi-step attacks
Nehinbe Log Analyzer for Network Forensics and Incident Reporting
CN107896229A (en) A kind of method, system and the mobile terminal of computer network abnormality detection
Suo et al. Research on the application of honeypot technology in intrusion detection system
Bou-Harb et al. Csc-detector: A system to infer large-scale probing campaigns
Al Balushi et al. OSCIDS: An Ontology based SCADA Intrusion Detection Framework.
Liao et al. Research on network intrusion detection method based on deep learning algorithm
Ahmed et al. Enhancing intrusion detection using statistical functions
Kholidy State compression and quantitative assessment model for assessing security risks in the oil and gas transmission systems
Zhao et al. Bidirectional RNN-based few-shot training for detecting multi-stage attack
Huang et al. Application of type-2 fuzzy logic to rule-based intrusion alert correlation detection
CN115481166A (en) Data storage method and device, electronic equipment and computer storage medium
Gavrilovic et al. Snort IDS system visualization interface for alert analysis
CN115473675A (en) Network security situation sensing method and device, electronic equipment and medium
CN111343205B (en) Industrial control network security detection method and device, electronic equipment and storage medium
Tian et al. Reduction of false positives in intrusion detection via adaptive alert classifier
Zhang et al. Design and implementation of a network based intrusion detection systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant