CN111178760A - Risk monitoring method and device, terminal equipment and computer readable storage medium - Google Patents


Info

Publication number
CN111178760A
Authority
CN (China)
Prior art keywords
enterprise, asset, target, equipment, information
Legal status
Granted (active)
Application number
CN201911396156.5A
Other languages
Chinese (zh)
Other versions
CN111178760B (en)
Inventor
雷承霖
Current assignee
Chengdu Fengchuang Technology Co Ltd
Original assignee
Chengdu Fengchuang Technology Co Ltd
Events
Application filed by Chengdu Fengchuang Technology Co Ltd
Priority to CN201911396156.5A
Publication of CN111178760A
Application granted
Publication of CN111178760B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00: Administration; Management
    • G06Q10/06: Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063: Operations research, analysis or management
    • G06Q10/0635: Risk analysis of enterprise or organisation activities

Landscapes

  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • Engineering & Computer Science (AREA)
  • Strategic Management (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Economics (AREA)
  • Operations Research (AREA)
  • Game Theory and Decision Science (AREA)
  • Development Economics (AREA)
  • Marketing (AREA)
  • Educational Administration (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application belongs to the technical field of industrial control supervision and relates in particular to a risk monitoring method, a risk monitoring device, terminal equipment and a computer-readable storage medium. The method includes: obtaining equipment information for each of N asset devices of a target enterprise in a target area; counting, from that information, the asset devices that belong to the same enterprise; obtaining the network risk situation of each enterprise among the target enterprises from the equipment information of its asset devices; and, from the per-enterprise situations, obtaining and displaying the target network risk situation of the target enterprise as a whole. In this way the network risk situation of the enterprises within a given area is perceived, which facilitates security supervision of the whole area and centralized supervision of the enterprises; at the same time, no situation awareness equipment needs to be deployed at each enterprise in the area, so the cost of perceiving the enterprises' network risk situation is reduced.

Description

Risk monitoring method and device, terminal equipment and computer readable storage medium
Technical Field
The application belongs to the technical field of industrial control supervision, and particularly relates to a risk monitoring method, a risk monitoring device, terminal equipment and a computer readable storage medium.
Background
With the rapid development of networks and informatization, the network security situation at home and abroad is becoming increasingly severe. In informatization construction, industrial enterprises, meaning enterprises with industrial production capabilities and the like, have always been the main subjects of informatization.
In the prior art there are products for network risk situation awareness aimed at industrial control networks; they require corresponding situation awareness equipment to be deployed in an enterprise's industrial control network to monitor its risks. Such equipment, however, has a long deployment period and a high budget, is not conducive to perceiving the network risk situation of the enterprises within a given area, lacks comprehensiveness, and is not conducive to security supervision of the whole area.
Disclosure of Invention
The embodiment of the application provides a risk monitoring method and device, terminal equipment and a computer-readable storage medium, and can solve the problems that the existing situation awareness equipment is long in deployment period, high in budget and incapable of perceiving network risk situations of enterprises in a certain area range.
In a first aspect, an embodiment of the present application provides a risk monitoring method, where the risk monitoring method includes:
acquiring equipment information of each asset equipment in N asset equipment of a target enterprise in a target area, wherein N is an integer greater than 1, and the target enterprise is an enterprise operating an industrial control system in the target area;
according to the equipment information of each asset equipment, counting the asset equipment belonging to the same enterprise in the N asset equipment;
acquiring the network risk situation of each enterprise in the target enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
and acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation.
In a second aspect, an embodiment of the present application provides a risk monitoring device, where the risk monitoring device includes:
an equipment information acquisition module, used for acquiring equipment information of each asset equipment in N asset equipment of a target enterprise in a target area, wherein N is an integer greater than 1 and the target enterprise is an enterprise operating an industrial control system in the target area;
the statistic module is used for counting the asset equipment belonging to the same enterprise in the N asset equipment according to the equipment information of each asset equipment;
the risk situation acquisition module is used for acquiring the network risk situation of each enterprise in the target enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
and the display module is used for acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise and displaying the target network risk situation.
In a third aspect, an embodiment of the present application provides a terminal device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the risk monitoring method according to the first aspect is implemented.
In a fourth aspect, the present application provides a computer-readable storage medium, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the risk monitoring method according to the first aspect.
In a fifth aspect, an embodiment of the present application provides a computer program product, which, when running on a terminal device, causes the terminal device to execute the risk monitoring method according to the first aspect.
Compared with the prior art, the embodiment of the application has the following advantages. The application monitors the asset equipment of the target enterprise in the target area, obtains the network risk situation of each enterprise, and from that determines the overall risk situation of the target enterprise in the target area; for example, the enterprises of a province are monitored and the network risk situation of that province's enterprises is obtained. The network risk situation of the enterprises within a given area is thus perceived, which facilitates security supervision of the whole area and realizes centralized supervision of the enterprises; at the same time, situation awareness equipment need not be deployed at every enterprise in the area, so the cost of perceiving the enterprises' network risk situation is reduced.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the embodiments or the prior art descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a risk monitoring method according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a risk monitoring method according to a second embodiment of the present application;
fig. 3 is a schematic structural diagram of a risk monitoring device according to a third embodiment of the present application;
fig. 4 is a schematic structural diagram of a terminal device according to a fourth embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system structures, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
As used in this specification and the appended claims, the term "if" may be interpreted contextually as "when", "upon", "in response to determining" or "in response to detecting". Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted contextually to mean "upon determining", "in response to determining", "upon detecting [described condition or event]" or "in response to detecting [described condition or event]".
Furthermore, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used for distinguishing between descriptions and not necessarily for describing or implying relative importance.
Reference throughout this specification to "one embodiment" or "some embodiments," or the like, means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the present application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," or the like, in various places throughout this specification are not necessarily all referring to the same embodiment, but rather "one or more but not all embodiments" unless specifically stated otherwise. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless expressly specified otherwise.
The risk monitoring method provided by the embodiment of the application can be applied to terminal devices such as a palm computer, a desktop computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, a cloud server, a Personal Digital Assistant (PDA) and the like, and the embodiment of the application does not limit the specific types of the terminal devices.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
In order to explain the technical solution described in the present application, the following description will be given by way of specific examples.
Referring to fig. 1, which is a schematic flowchart of a risk monitoring method provided in an embodiment of the present application, where the risk monitoring method may be used in a terminal device, as shown in the figure, the risk monitoring method may include the following steps:
step S101, acquiring equipment information of each asset equipment in N asset equipment of a target enterprise in a target area.
And N is an integer greater than 1, and the target enterprise is an enterprise operating an industrial control system in the target area. The target enterprise may include one enterprise or a plurality of enterprises, and the specific number of enterprises in the target enterprise is related to the selection of the target area.
The target area may be the jurisdiction of a supervision department; for example, if the jurisdiction of the supervision department is a province, the target area is the area within that province, and the target enterprise is an enterprise operating an industrial control system within the province, that is, an enterprise that needs networking to control industrial production. Here an industrial control system combines an Ethernet with the enterprise's production control system: it collects field device information, production information and the like over the Ethernet; a management layer (for example a server, an engineering machine and the like) centrally decides on and manages the enterprise's production according to that information; and a field control layer (for example a device controller and the like) then controls the production of the field devices according to the decisions of the management layer, so that the enterprise achieves all-round supervision of production, operation, management and the like.
An asset device may be a device in the target enterprise that has an Ethernet port and can be remotely accessed through a network, such as a server, a switch, an engineering machine and the like; it may also be an industrial control device with an industrial production control function, and the like. The asset device is accessed via the network to obtain its device information, which includes, but is not limited to, its Internet Protocol (IP) address, open ports, device manufacturer, device type, device model, device name, device firmware version, device description information, the protocols the device supports, and the like.
And step S102, counting the asset devices belonging to the same enterprise in the N asset devices according to the device information of each asset device.
The target enterprise may include one enterprise or a plurality of enterprises, and the obtained asset devices may belong to one enterprise or may belong to different enterprises.
Optionally, the device information of each asset device includes an IP address of each asset device, and the counting, according to the device information of each asset device, asset devices belonging to the same enterprise in the N asset devices includes:
acquiring the geographical position information of each asset device according to the IP address of each asset device;
acquiring enterprise information of an enterprise to which each asset device belongs according to the geographical position information of each asset device;
and counting the asset devices with the same enterprise information in the N asset devices, and determining the asset devices with the same enterprise information as the asset devices belonging to the same enterprise.
A rough geographic location can be determined according to the IP address of each asset device, enterprise information, such as an enterprise name, of an enterprise to which each asset device belongs can be obtained through an automatic or manual checking mode, and then asset devices belonging to the same enterprise, such as asset devices belonging to the company "lisi", are obtained through statistics.
And step S103, acquiring the network risk situation of each enterprise in the target enterprise according to the equipment information of the asset equipment belonging to the same enterprise.
The network risk situation may refer to the risk condition of an enterprise's industrial control system, for example its risk degree, risk type and the like, and may be obtained by comprehensively evaluating the risk information of the enterprise's asset devices. The risk information of an asset device may refer to its ability to block network attacks while networked, or its degree of vulnerability; the specific risks present in an asset device, for example vulnerability information, weak passwords and the like, can be determined from its open ports, device manufacturer, device type and other information.
Optionally, the obtaining, according to the device information of the asset devices belonging to the same enterprise, a network risk situation of each enterprise in the target enterprise includes:
acquiring the network risk parameter of each enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
and acquiring the network risk situation of each enterprise according to the network risk parameters of each enterprise.
The network risk parameters of the enterprise are determined by the risk information of the asset equipment, and include but are not limited to vulnerability information, weak passwords and the like; if an enterprise comprises at least two asset devices, risk information of the at least two asset devices needs to be integrated; for example, according to the risk information of at least two asset devices of an enterprise, network risk parameters of the enterprise are counted, and the network risk parameters are expressed in a preset form, such as a pie chart, a bar chart and the like, so as to obtain the network risk situation of the enterprise.
And step S104, acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation.
The network risk situation of each enterprise in the target enterprise is a network risk situation representing one enterprise, the target network risk situation of the target enterprise in the target area needs to be obtained by combining corresponding analysis, for example, the industry to which the enterprise in the target enterprise belongs is analyzed, the obtained network risk situation of each industry is the target network risk situation, and for example, the area to which the enterprise in the target enterprise belongs is analyzed, the obtained network risk situation of each area is the target network risk situation. In addition, the target network risk situation may also be a change situation of the network risk situation at different time periods, wherein the scanned IP addresses, the number of checked IP addresses, and the number of IP addresses with risks may be subjected to a trend display.
Optionally, the obtaining a target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation includes:
acquiring the industry to which each enterprise belongs, and counting the enterprises belonging to the same industry;
acquiring the network risk situation of each industry according to the network risk situation of the enterprises belonging to the same industry, wherein each industry is determined by the enterprises belonging to the same industry;
and displaying the network risk situation of each industry.
The industry to which an enterprise belongs can be known from the enterprise information obtained in the above steps. The enterprises of each industry are counted, the network risk situation of each industry is obtained by combining the network risk situations of its enterprises, and the network risk situation of each industry is displayed in a preset form. For example, the network risk situation may be a network security rating: a table maps each industry to its network security rating, and the table is output and displayed.
Optionally, acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation includes:
acquiring the geographical position information of each enterprise, and counting the enterprises in the same area in the target enterprise;
acquiring the network risk situation of each area according to the network risk situations of the enterprises in the same area, wherein each area is determined by the enterprises in the same area;
and displaying the network risk situation of each area.
The area to which an enterprise belongs can be known from the enterprise information obtained in the above steps. For example, if the target area is a province, the areas may be the east, west, middle and so on of the province, or the city to which the enterprise belongs, the territory of that city being the enterprise's area. The enterprises of each area are counted, the network risk situation of each area is obtained by combining the network risk situations of its enterprises, and the network risk situation of each area is displayed in a preset form; for example, in a Geographic Information System (GIS) map, the network risk situation of each area within the target area is prominently marked, so that the risk situation of the areas is shown visually on the map.
The application monitors the asset equipment of the target enterprise in the target area, obtains the network risk situation of each enterprise, and from that determines the overall risk situation of the target enterprise in the target area; for example, the enterprises of a province are monitored and the network risk situation of that province's enterprises is obtained. The network risk situation of the enterprises within a given area is thus perceived, which facilitates security supervision of the whole area and realizes centralized supervision of the enterprises; at the same time, situation awareness equipment need not be deployed at every enterprise in the area, so the cost of perceiving the enterprises' network risk situation is reduced.
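As an added worked example (not code from the patent or its assignee), the following Python script carries out steps S102 to S104 on a constructed inventory: it attributes each device to an enterprise through a static IP-prefix register that stands in for the patent's geolocation-and-confirmation step, derives per-enterprise network risk parameters (vulnerability findings, weak passwords, exposed remote-management ports) and a rating from them, and rolls the ratings up by industry and by area. The register, the device records, the set of ports treated as exposed and the rating thresholds are all assumptions made for this example. A device whose address matches no register entry is reported separately rather than dropped, because misattributing it would distort another enterprise's situation.

```python
"""Enterprise risk roll-up for steps S102-S104 (constructed example, not the patent's code)."""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress


@dataclass
class AssetDevice:
    ip: str
    open_ports: list
    vendor: str
    device_type: str
    firmware: str
    weak_password: bool = False                   # result of a prior credential-hygiene check (assumed field)
    findings: list = field(default_factory=list)  # vulnerability findings as free-text labels (assumed field)


# Constructed register: address prefix -> enterprise record. The patent derives a rough
# location from the IP and confirms the enterprise automatically or manually; this static
# table stands in for that lookup.
ENTERPRISE_REGISTER = [
    ("10.1.0.0/24", {"name": "lisi", "industry": "chemical", "region": "east"}),
    ("10.2.0.0/24", {"name": "wangwu", "industry": "power", "region": "west"}),
    ("10.3.0.0/24", {"name": "zhaoliu", "industry": "chemical", "region": "east"}),
]

# Constructed policy: remote-management ports whose exposure counts as a risk parameter.
EXPOSED_MGMT_PORTS = {23, 80}


def lookup_enterprise(ip):
    """Return the enterprise record for an IP address, or None when no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for prefix, record in ENTERPRISE_REGISTER:
        if addr in ipaddress.ip_network(prefix):
            return record
    return None


def group_by_enterprise(devices):
    """Step S102: bucket devices by enterprise; unattributable devices are kept aside, not dropped."""
    groups = defaultdict(lambda: {"record": None, "devices": []})
    unattributed = []
    for dev in devices:
        record = lookup_enterprise(dev.ip)
        if record is None:
            unattributed.append(dev)
            continue
        groups[record["name"]]["record"] = record
        groups[record["name"]]["devices"].append(dev)
    return dict(groups), unattributed


def device_at_risk(dev):
    """A device counts as at risk if any finding, weak password or exposed management port is present."""
    return bool(dev.findings) or dev.weak_password or bool(set(dev.open_ports) & EXPOSED_MGMT_PORTS)


def enterprise_risk(record, devices):
    """Step S103: network risk parameters for one enterprise, then a rating derived from them."""
    at_risk = [d for d in devices if device_at_risk(d)]
    ratio = len(at_risk) / len(devices)
    params = {
        "name": record["name"], "industry": record["industry"], "region": record["region"],
        "devices": len(devices),
        "with_findings": sum(1 for d in devices if d.findings),
        "weak_password": sum(1 for d in devices if d.weak_password),
        "exposed_mgmt": sum(1 for d in devices if set(d.open_ports) & EXPOSED_MGMT_PORTS),
        "at_risk_ratio": ratio,
    }
    # Constructed thresholds; the patent leaves the rating scheme to the implementer.
    params["rating"] = "high" if ratio >= 0.5 else "medium" if ratio > 0 else "low"
    return params


def aggregate(situations, key):
    """Step S104: roll the enterprise situations up by 'industry' or by 'region'."""
    rollup = defaultdict(lambda: {"enterprises": 0, "devices": 0, "high": 0, "medium": 0, "low": 0})
    for s in situations:
        bucket = rollup[s[key]]
        bucket["enterprises"] += 1
        bucket["devices"] += s["devices"]
        bucket[s["rating"]] += 1
    return dict(rollup)


SAMPLE_DEVICES = [  # constructed inventory
    AssetDevice("10.1.0.5", [502, 80], "VendorA", "PLC", "1.2", weak_password=True),
    AssetDevice("10.1.0.6", [502], "VendorA", "PLC", "1.0", findings=["outdated firmware"]),
    AssetDevice("10.2.0.9", [102, 22], "VendorB", "RTU", "3.1"),
    AssetDevice("10.3.0.7", [80, 23], "VendorC", "HMI", "2.0", weak_password=True),
    AssetDevice("192.168.50.1", [80], "VendorD", "switch", "7.4"),  # no register entry
]


def run(devices=SAMPLE_DEVICES):
    """Full pipeline: group, rate per enterprise, then roll up for display."""
    groups, unattributed = group_by_enterprise(devices)
    situations = [enterprise_risk(g["record"], g["devices"]) for g in groups.values()]
    return {
        "enterprises": {s["name"]: s for s in situations},
        "by_industry": aggregate(situations, "industry"),
        "by_region": aggregate(situations, "region"),
        "unattributed": [d.ip for d in unattributed],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

The `by_industry` and `by_region` dictionaries are the two "target network risk situations" the patent describes (a rating table per industry and a per-area summary for a GIS map); the `unattributed` list is the check a supervisor would want before trusting either roll-up.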
Referring to fig. 2, which is a schematic flow chart of a risk monitoring method provided in the second embodiment of the present application, the risk monitoring method may be used in a terminal device, and as shown in the figure, the risk monitoring method may include the following steps:
step S201, whether each asset device in N asset devices of a target enterprise in a target area is online is detected.
N is an integer greater than 1, and the target area, the target enterprise and the asset device are as defined for step S101 of the first embodiment. An asset device being online (that is, alive) may mean that it is powered on and can be accessed through the network. The device information of an asset device that is not online cannot be obtained, because the device cannot be accessed through the network; such devices are therefore excluded before device information is obtained, which avoids occupying resources.
Optionally, detecting whether each asset device is online comprises:
acquiring an IP address range to be scanned according to the target area;
and adopting a stateless scanning algorithm to perform port scanning on each asset device with the IP address within the range of the IP address to be scanned, and detecting whether each asset device is on line.
The range of IP addresses to be scanned differs for different target areas; the IP addresses of the asset devices of the target enterprise in the target area lie within the range to be scanned, each asset device's IP address being one element of that range. A stateless scanning algorithm is used for the port scan; for example, the masscan stateless port scanner determines, according to the network segments to be detected and the device protocol requirements, whether the asset devices in the range of IP addresses to be scanned are online.
Step S202, if each asset device is on line, calling a fingerprint script in a preset fingerprint library to carry out interactive detection on each asset device, and judging whether each asset device is an industrial control device.
Calling fingerprint scripts from the preset fingerprint library to interactively detect each asset device means exchanging information with the asset device through a plurality of fingerprint scripts, so as to remotely identify information such as its type, hardware, operating system and running software (with the associated version numbers and configuration parameters), and then judging from the device type whether the asset device is an industrial control device. The preset fingerprint library may be a database storing fingerprint scripts, in which a user may store at least one fingerprint script according to actual needs. A fingerprint script is a script or program file carrying fingerprint information, and fingerprint information is an information description of the asset device, that is, the corresponding information of the asset device can be acquired through it.
Step S203, if each asset device is an industrial control device, acquiring device information of each asset device according to the communication characteristics of the fingerprint script in the preset fingerprint library.
When information is exchanged with the asset device through a fingerprint script, the asset device responds to the information sent by the script and thereby exhibits the communication characteristics of the fingerprint script, such as response information and response data. These communication characteristics are analyzed to determine the device information of the asset device; for example, the device type and domain name of the asset device are obtained by analyzing the detection response information.
Correspondingly, if an asset device is not an industrial control device, it is skipped, and the steps from determining that an asset device is online through calling the fingerprint scripts in the preset fingerprint library for interactive detection are executed again for the next asset device, until the scanning and detection of the asset devices of the target enterprise in the target area is finished.
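As an added example of the classification in steps S202 and S203 (not the patent's own code), the following Python script matches already-captured response text against a small fingerprint library, extracts the device information the matching entry describes, and keeps only the devices identified as industrial control equipment, skipping the rest as the paragraph above prescribes. The fingerprint entries, vendor strings and captured responses are constructed for this example and describe no real product; the script sends no probes itself, it only interprets responses, and a host that matches nothing is reported as unknown rather than guessed at.

```python
"""Fingerprint-library classification for steps S202-S203 (constructed example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    name: str
    pattern: re.Pattern   # applied to the text the device returned to a probe script
    device_type: str
    industrial: bool      # a match classifies the device as industrial control equipment


# Constructed fingerprint library. Names, vendor strings and response formats are invented;
# a real library would hold one entry (or script) per product the supervisor wants to recognise.
FINGERPRINT_LIBRARY = [
    Fingerprint("acme-plc-ident",
                re.compile(r"ACME PLC (?P<model>[A-Z0-9-]+) fw (?P<firmware>[\d.]+)"),
                "PLC", True),
    Fingerprint("acme-hmi-http",
                re.compile(r"Server: AcmeHMI/(?P<firmware>[\d.]+)"),
                "HMI", True),
    Fingerprint("generic-ssh",
                re.compile(r"^SSH-2\.0-(?P<software>\S+)"),
                "server", False),
]


def identify(response):
    """Match one response against the library; the first matching entry wins.

    Returns (device_info, is_ics). An unmatched device comes back as 'unknown'
    and is not treated as industrial control equipment.
    """
    for fp in FINGERPRINT_LIBRARY:
        match = fp.pattern.search(response)
        if match:
            info = {"fingerprint": fp.name, "device_type": fp.device_type}
            info.update(match.groupdict())   # model / firmware / software captured by the pattern
            return info, fp.industrial
    return {"fingerprint": None, "device_type": "unknown"}, False


def classify_all(responses):
    """Step S203: keep the devices identified as industrial control equipment, skip the rest."""
    ics, skipped = {}, []
    for ip, response in responses.items():
        info, is_ics = identify(response)
        if is_ics:
            ics[ip] = info
        else:
            skipped.append(ip)
    return ics, skipped


# Constructed responses standing in for text captured by the probe scripts.
SAMPLE_RESPONSES = {
    "10.1.0.5": "ACME PLC X200-B fw 1.2.7\r\n",
    "10.1.0.6": "HTTP/1.1 200 OK\r\nServer: AcmeHMI/3.0\r\n\r\n",
    "10.2.0.9": "SSH-2.0-ExampleSSH_1.0\r\n",
    "10.2.0.10": "",   # host answered the port scan but returned nothing to the scripts
}

if __name__ == "__main__":
    found, not_ics = classify_all(SAMPLE_RESPONSES)
    for ip, info in found.items():
        print(ip, info)
    print("skipped:", not_ics)
```

Because entries are tried in library order, a specific product fingerprint should precede a generic one; the `identify` result for the PLC carries the model and firmware version that step S103 later needs to judge vulnerability.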
And step S204, counting the asset devices belonging to the same enterprise in the N asset devices according to the device information of each asset device.
And step S205, acquiring the network risk situation of each enterprise in the target enterprise according to the equipment information of the asset equipment belonging to the same enterprise.
And S206, acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation.
Step S204, step S205, and step S206 are the same as step S102, step S103, and step S104, respectively, and are not described herein again.
The application monitors the industrial control devices among the online asset devices of the target enterprise in the target area, obtains the network risk situation of each enterprise, and from that determines the overall risk situation of the target enterprise in the target area. Excluding the asset devices that are not online avoids occupying resources; at the same time, monitoring only the industrial control devices that directly affect the enterprises' production saves monitoring cost and time and avoids wasting resources.
Corresponding to the risk monitoring method of the above embodiment, fig. 3 shows a structural block diagram of a risk monitoring device provided in the third embodiment of the present application, and for convenience of description, only the relevant parts of the third embodiment of the present application are shown.
Referring to fig. 3, the risk monitoring device includes:
the device information acquiring module 31 is configured to acquire device information of each asset device of N asset devices of a target enterprise in a target area, where N is an integer greater than 1, and the target enterprise is an enterprise in which an industrial control system operates in the target area;
a statistics module 32, configured to count asset devices belonging to the same enterprise in the N asset devices according to the device information of each asset device;
a risk situation acquiring module 33, configured to acquire a network risk situation of each enterprise in the target enterprise according to the device information of the asset devices belonging to the same enterprise;
and the display module 34 is configured to acquire a target network risk situation of the target enterprise according to the network risk situation of each enterprise, and display the target network risk situation.
Optionally, the risk monitoring device comprises:
the online detection module is used for detecting whether each asset device is online before the device information of each asset device in the N asset devices of the target enterprise in the target area is acquired;
the judging module is used for calling, if an asset device is online, a fingerprint script in a preset fingerprint library to carry out interactive detection on that asset device, and judging whether it is an industrial control device;
correspondingly, the device information acquiring module 31 is specifically configured to:
if an asset device is an industrial control device, acquire the device information of that asset device in the N asset devices in the target area according to the communication characteristics of the fingerprint script in the preset fingerprint library.
Optionally, the online detection module includes:
the IP address acquisition unit is used for acquiring an Internet Protocol (IP) address range to be scanned according to the target area;
and the online detection unit is used for carrying out port scanning, by means of a stateless scanning algorithm, on the asset devices whose IP addresses fall within the IP address range to be scanned, and detecting whether each asset device is online.
Optionally, the device information of each asset device includes an IP address of each asset device, and the statistics module 32 includes:
a location information obtaining unit, configured to obtain geographic location information of each asset device according to the IP address of each asset device;
the enterprise information acquisition unit is used for acquiring enterprise information of an enterprise to which each asset device belongs according to the geographical position information of each asset device;
and the statistical unit is used for counting the asset devices with the same enterprise information in the N asset devices and determining the asset devices with the same enterprise information as the asset devices belonging to the same enterprise.
Optionally, the risk situation acquiring module 33 includes:
a risk parameter acquiring unit, configured to acquire a network risk parameter of each enterprise according to the device information of the asset devices belonging to the same enterprise;
and the risk situation acquisition unit is used for acquiring the network risk situation of each enterprise according to the network risk parameters of each enterprise.
Optionally, the display module 34 includes:
the subordinate industry acquiring unit is used for acquiring the industry to which each enterprise belongs and counting the enterprises belonging to the same industry;
the industry risk acquiring unit is used for acquiring the network risk situation of each industry according to the network risk situation of the enterprises belonging to the same industry, wherein each industry is determined by the enterprises belonging to the same industry;
and the industry risk display unit is used for displaying the network risk situation of each industry.
Optionally, the display module 34 includes:
the subordinate area acquisition unit is used for acquiring the geographical position information of each enterprise and counting the enterprises in the same area in the target enterprise;
the regional risk acquiring unit is used for acquiring the network risk situation of each region according to the network risk situations of the enterprises in the same region, wherein each region is determined by the enterprises in the same region;
and the regional risk display unit is used for displaying the network risk situation of each region.
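As an added worked example, not code from the patent, the following Python runs the statistics, risk situation and display stages (modules 32 to 34, steps S204 to S206) over a constructed set of asset devices. The IP lookup table, the risk parameter names, their weights and the level thresholds are all assumptions, since the patent does not define them; the scan and fingerprint stages are assumed to have already produced the device records.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AssetDevice:
    ip: str
    device_type: str                # assigned by the fingerprint stage (assumed already done)
    risk_params: Dict[str, float]   # assumed parameter names, each normalised to 0..1


@dataclass(frozen=True)
class EnterpriseInfo:
    name: str
    industry: str
    region: str


# Constructed stand-in for the "IP -> geographic location -> enterprise" lookup done by
# the location information and enterprise information units. Addresses come from the
# documentation (TEST-NET) ranges; a deployment would query a geolocation database
# and a business registry instead.
IP_LOOKUP: Dict[str, EnterpriseInfo] = {
    "192.0.2.10": EnterpriseInfo("Alpha Chem", "chemical", "East"),
    "192.0.2.11": EnterpriseInfo("Alpha Chem", "chemical", "East"),
    "192.0.2.20": EnterpriseInfo("Beta Power", "energy", "East"),
    "198.51.100.30": EnterpriseInfo("Gamma Water", "water", "West"),
    "198.51.100.31": EnterpriseInfo("Gamma Water", "water", "West"),
    "203.0.113.40": EnterpriseInfo("Delta Chem", "chemical", "West"),
}
UNKNOWN = EnterpriseInfo("unknown", "unknown", "unknown")

# Assumed weighting of the network risk parameters; the patent does not define one.
WEIGHTS = {"exposure": 0.5, "vulnerability": 0.3, "patch_age": 0.2}

# Constructed device records, as the device information acquisition stage would deliver them.
DEVICES = [
    AssetDevice("192.0.2.10", "PLC", {"exposure": 1.0, "vulnerability": 0.6, "patch_age": 0.8}),
    AssetDevice("192.0.2.11", "HMI", {"exposure": 0.4, "vulnerability": 0.2, "patch_age": 0.5}),
    AssetDevice("192.0.2.20", "RTU", {"exposure": 0.6, "vulnerability": 0.5, "patch_age": 0.5}),
    AssetDevice("198.51.100.30", "PLC", {"exposure": 0.2, "vulnerability": 0.1, "patch_age": 0.3}),
    AssetDevice("198.51.100.31", "PLC", {"exposure": 0.3, "vulnerability": 0.4, "patch_age": 0.4}),
    AssetDevice("203.0.113.40", "SCADA server", {"exposure": 0.8, "vulnerability": 0.9, "patch_age": 0.6}),
    AssetDevice("203.0.113.99", "PLC", {"exposure": 0.9}),   # cannot be located; must not vanish
]


def resolve_enterprise(ip: str) -> EnterpriseInfo:
    """Enterprise information unit. Devices whose address cannot be located are kept
    under 'unknown' rather than dropped, so the totals still account for them."""
    return IP_LOOKUP.get(ip, UNKNOWN)


def group_by_enterprise(devices: List[AssetDevice]) -> Dict[str, List[AssetDevice]]:
    """Statistics unit (module 32): devices with the same enterprise information
    are counted as belonging to the same enterprise."""
    groups: Dict[str, List[AssetDevice]] = defaultdict(list)
    for dev in devices:
        groups[resolve_enterprise(dev.ip).name].append(dev)
    return dict(groups)


def device_risk(params: Dict[str, float]) -> float:
    """Assumed scoring: weighted sum of the parameters, each clamped to [0, 1].
    A missing parameter counts as 0 (no evidence of risk)."""
    score = sum(w * min(max(params.get(n, 0.0), 0.0), 1.0) for n, w in WEIGHTS.items())
    return round(min(score, 1.0), 3)


def risk_level(score: float) -> str:
    """Assumed thresholds used when the situation is displayed."""
    return "high" if score >= 0.7 else "medium" if score >= 0.4 else "low"


def enterprise_risk_situation(devices: List[AssetDevice]) -> Dict[str, object]:
    """Risk situation acquisition unit (module 33): an enterprise inherits the score of
    its riskiest device (assumed weakest-link rule); the worst device is kept for display."""
    scored = {dev.ip: device_risk(dev.risk_params) for dev in devices}
    worst_ip = max(scored, key=scored.get)
    return {"info": resolve_enterprise(devices[0].ip), "score": scored[worst_ip],
            "level": risk_level(scored[worst_ip]), "device_count": len(devices),
            "worst_device": worst_ip}


def aggregate_by(situations: Dict[str, Dict[str, object]], attr: str) -> Dict[str, Dict[str, object]]:
    """Display module (module 34): roll the enterprise situations up by 'industry' or by
    'region', reporting the mean enterprise score and the number of high-risk enterprises."""
    scores: Dict[str, List[float]] = defaultdict(list)
    high: Dict[str, int] = defaultdict(int)
    for sit in situations.values():
        key = getattr(sit["info"], attr)
        scores[key].append(sit["score"])
        if sit["level"] == "high":
            high[key] += 1
    return {k: {"mean_score": round(sum(v) / len(v), 3), "enterprises": len(v),
                "high_risk": high[k]} for k, v in scores.items()}


def monitor(devices: List[AssetDevice]) -> Dict[str, Dict[str, object]]:
    """Steps S204 to S206 end to end: per-enterprise, per-industry and per-region situations."""
    enterprises = {name: enterprise_risk_situation(group)
                   for name, group in group_by_enterprise(devices).items()}
    return {"enterprises": enterprises,
            "industries": aggregate_by(enterprises, "industry"),
            "regions": aggregate_by(enterprises, "region")}


if __name__ == "__main__":
    report = monitor(DEVICES)
    for name, sit in report["enterprises"].items():
        print(f"{name:12s} {sit['level']:6s} {sit['score']:.2f}  worst={sit['worst_device']}")
    print("by industry:", report["industries"])
    print("by region:", report["regions"])
```

The unlocatable device is the case worth checking: it lands in the "unknown" enterprise, industry and region buckets instead of silently disappearing from the totals.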
It should be noted that, because the information interaction and execution process between the above modules are based on the same concept as the method embodiment of the present application, reference may be made to the method embodiment for their specific functions and technical effects, which are not described again here.
Fig. 4 is a schematic structural diagram of a terminal device according to the fourth embodiment of the present application. As shown in fig. 4, the terminal device 4 of this embodiment includes at least one processor 40 (only one is shown in fig. 4), a memory 41, and a computer program 42 stored in the memory 41 and executable on the at least one processor 40; when the processor 40 executes the computer program 42, the steps of any of the risk monitoring method embodiments described above are implemented.
The terminal device may include, but is not limited to, the processor 40 and the memory 41. Those skilled in the art will appreciate that fig. 4 is merely an example of the terminal device 4 and does not constitute a limitation of it; the terminal device may include more or fewer components than those shown, combine some components, or have different components, such as an input/output device or a network access device.
The processor 40 may be a Central Processing Unit (CPU), or another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor or any conventional processor.
The memory 41 may in some embodiments be an internal storage unit of the terminal device 4, such as a hard disk or the main memory of the terminal device 4. In other embodiments the memory 41 may be an external storage device of the terminal device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the terminal device 4. The memory 41 may also include both an internal storage unit and an external storage device of the terminal device 4. The memory 41 is used to store the operating system, application programs, the boot loader (BootLoader), data and other programs, such as the program code of the computer program, and may also be used to temporarily store data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above division of functional units and modules is illustrated; in practical applications, the functions may be distributed over different functional units and modules as needed, that is, the internal structure of the apparatus may be divided into different functional units or modules so as to perform all or part of the functions described above. Each functional unit and module in the embodiments may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit; the integrated unit may be implemented in the form of hardware or as a software functional unit. The specific names of the functional units and modules serve only to distinguish them from each other and do not limit the protection scope of the present application. For the specific working processes of the units and modules in the above apparatus, reference may be made to the corresponding processes in the foregoing method embodiments, which are not described again here.
The integrated unit, if implemented as a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, all or part of the processes in the methods of the embodiments described above may be implemented by a computer program, which may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file, some intermediate form, or the like.
The computer-readable medium may include at least: any entity or device capable of carrying the computer program code, a recording medium, computer memory, Read-Only Memory (ROM), Random-Access Memory (RAM), electrical carrier signals, telecommunication signals and software distribution media, for example a USB disk, a removable hard disk, a magnetic disk or an optical disk. In certain jurisdictions, in accordance with legislation and patent practice, computer-readable media may not include electrical carrier signals or telecommunication signals.
When the computer program product runs on a terminal device, the terminal device carries out the steps of the method embodiments above on executing it.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and reference may be made to the related descriptions of other embodiments for parts that are not described or illustrated in a certain embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other ways. For example, the above-described embodiments of the apparatus/terminal device are merely illustrative, and for example, the division of the modules or units is only one logical division, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present application and are intended to be included within the scope of the present application.

Claims (10)

1. A risk monitoring method, characterized in that the risk monitoring method comprises:
acquiring equipment information of each asset equipment in N asset equipment of a target enterprise in a target area, wherein N is an integer greater than 1, and the target enterprise is an enterprise operating an industrial control system in the target area;
according to the equipment information of each asset equipment, counting the asset equipment belonging to the same enterprise in the N asset equipment;
acquiring the network risk situation of each enterprise in the target enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
and acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation.
2. The risk monitoring method of claim 1, further comprising, before acquiring the device information of each asset device of the N asset devices of the target enterprise in the target area:
detecting whether each asset device is online;
if the asset equipment is online, calling a fingerprint script in a preset fingerprint library to carry out interactive detection on the asset equipment, and judging whether the asset equipment is industrial control equipment or not;
correspondingly, the acquiring the device information of each asset device of the N asset devices in the target area includes:
and if each asset device is industrial control equipment, acquiring the equipment information of each asset device in the N asset devices in the target area according to the communication characteristics of the fingerprint script in the preset fingerprint library.
3. The risk monitoring method of claim 2, wherein the detecting whether each asset device is online comprises:
acquiring an Internet Protocol (IP) address range to be scanned according to the target area;
and adopting a stateless scanning algorithm to perform port scanning on each asset device with the IP address within the range of the IP address to be scanned, and detecting whether each asset device is on line.
4. The risk monitoring method according to claim 1, wherein the device information of each asset device includes an IP address of each asset device, and wherein the counting asset devices belonging to a same enterprise among the N asset devices according to the device information of each asset device includes:
acquiring the geographical position information of each asset device according to the IP address of each asset device;
acquiring enterprise information of an enterprise to which each asset device belongs according to the geographical position information of each asset device;
and counting the asset devices with the same enterprise information in the N asset devices, and determining the asset devices with the same enterprise information as the asset devices belonging to the same enterprise.
5. The risk monitoring method according to claim 1, wherein the obtaining the network risk situation of each enterprise in the target enterprise according to the device information of the asset devices belonging to the same enterprise comprises:
acquiring the network risk parameter of each enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
and acquiring the network risk situation of each enterprise according to the network risk parameters of each enterprise.
6. The risk monitoring method according to claim 1, wherein the acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise and displaying the target network risk situation comprises:
acquiring the industry to which each enterprise belongs, and counting the enterprises belonging to the same industry;
acquiring the network risk situation of each industry according to the network risk situation of the enterprises belonging to the same industry, wherein each industry is determined by the enterprises belonging to the same industry;
and displaying the network risk situation of each industry.
7. The risk monitoring method according to claim 1, wherein the acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise and displaying the target network risk situation comprises:
acquiring the geographical position information of each enterprise, and counting the enterprises in the same area in the target enterprise;
acquiring the network risk situation of each area according to the network risk situations of the enterprises in the same area, wherein each area is determined by the enterprises in the same area;
and displaying the network risk situation of each area.
8. A risk monitoring device, characterized in that the risk monitoring device comprises:
a device information acquisition module, configured to acquire device information of each asset device in N asset devices of a target enterprise in a target area, wherein N is an integer greater than 1, and the target enterprise is an enterprise operating an industrial control system in the target area;
the statistic module is used for counting the asset equipment belonging to the same enterprise in the N asset equipment according to the equipment information of each asset equipment;
the risk situation acquisition module is used for acquiring the network risk situation of each enterprise in the target enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
and the display module is used for acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise and displaying the target network risk situation.
9. A terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the risk monitoring method according to any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the risk monitoring method according to any one of claims 1 to 7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911396156.5A CN111178760B (en) 2019-12-30 2019-12-30 Risk monitoring method, risk monitoring device, terminal equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111178760A true CN111178760A (en) 2020-05-19
CN111178760B CN111178760B (en) 2023-05-23

Family

ID=70657582

Country Status (1)

Country Link
CN (1) CN111178760B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant