CN111178760B - Risk monitoring method, risk monitoring device, terminal equipment and computer readable storage medium - Google Patents


Info

Publication number: CN111178760B
Application number: CN201911396156.5A
Authority: CN (China)
Prior art keywords: asset, enterprise, target, information, equipment
Legal status: Active (granted)
Other languages: Chinese (zh)
Other versions: CN111178760A (en)
Inventor: 雷承霖
Current and original assignee: Chengdu Fengchuang Technology Co ltd

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06Q: Information and communication technology [ICT] specially adapted for administrative, commercial, financial, managerial or supervisory purposes; systems or methods specially adapted for administrative, commercial, financial, managerial or supervisory purposes, not otherwise provided for
    • G06Q10/00: Administration; management
    • G06Q10/06: Resources, workflows, human or project management; enterprise or organisation planning; enterprise or organisation modelling
    • G06Q10/063: Operations research, analysis or management
    • G06Q10/0635: Risk analysis of enterprise or organisation activities

Abstract

The application belongs to the technical field of industrial control supervision and relates to a risk monitoring method, a risk monitoring device, a terminal device and a computer-readable storage medium. The method acquires device information for each of N asset devices of the target enterprises in a target area, counts which of the N asset devices belong to the same enterprise, derives the network risk situation of each enterprise from the device information of its asset devices, and from those derives and displays the target network risk situation of the target enterprises. This makes the network risk situation of the enterprises within an area perceivable, supports security supervision of the whole area and centralized supervision of its enterprises, and does not require situation awareness equipment to be deployed at every enterprise in the area, which lowers the cost of perceiving enterprise network risk.

Description

Risk monitoring method, risk monitoring device, terminal equipment and computer readable storage medium
Technical Field
The application belongs to the technical field of industrial control supervision, and particularly relates to a risk monitoring method, a risk monitoring device, terminal equipment and a computer readable storage medium.
Background
With the rapid development of networks and informatization, the network security situation at home and abroad is becoming severe. Industrial enterprises, that is, enterprises with industrial production capabilities, have always been the main subjects of informatization. The industrial control systems inside these enterprises are connected through industrial control networks and control the production equipment, so the security of the industrial control network determines production safety, and supervision departments therefore place higher demands on the industrial control network security of enterprises.
In the prior art, a number of products exist for network risk situation awareness of industrial control networks; they require situation awareness equipment to be deployed inside the enterprise's industrial control network in order to monitor its risk. Such equipment has a long deployment period and a high budget, so it does not lend itself to perceiving the network risk situation of all enterprises within an area, lacks comprehensiveness, and is of little use for security supervision of the whole area.
Disclosure of Invention
The embodiment of the application provides a risk monitoring method, a risk monitoring device, terminal equipment and a computer readable storage medium, which can solve the problems that the existing situation awareness equipment is longer in deployment period, higher in budget and incapable of perceiving the network risk situation of an enterprise in a certain area range.
In a first aspect, an embodiment of the present application provides a risk monitoring method, where the risk monitoring method includes:
acquiring equipment information of each asset device in N asset devices of a target enterprise in a target area, wherein N is an integer greater than 1, and the target enterprise is an enterprise running an industrial control system in the target area;
according to the equipment information of each asset equipment, counting the asset equipment belonging to the same enterprise in the N asset equipment;
acquiring a network risk situation of each enterprise in the target enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
and acquiring a target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation.
In a second aspect, embodiments of the present application provide a risk monitoring device, including:
the equipment information acquisition module is used for acquiring equipment information of each asset equipment in N asset equipment of a target enterprise in a target area, wherein N is an integer greater than 1, and the target enterprise is an enterprise running an industrial control system in the target area;
the statistics module is used for counting the asset devices belonging to the same enterprise in the N asset devices according to the device information of each asset device;
the risk situation acquisition module is used for acquiring the network risk situation of each enterprise in the target enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
the display module is used for acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise and displaying the target network risk situation.
In a third aspect, an embodiment of the present application provides a terminal device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the risk monitoring method according to the first aspect when executing the computer program.
In a fourth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program which, when executed by a processor, implements the risk monitoring method according to the first aspect.
In a fifth aspect, embodiments of the present application provide a computer program product, which when run on a terminal device, causes the terminal device to perform the risk monitoring method according to the first aspect.
Compared with the prior art, the embodiments have the following beneficial effect: the asset devices of the target enterprises in the target area are monitored to obtain the network risk situation of each enterprise, and from these the overall risk situation of the target enterprises in the target area is determined. For example, monitoring several enterprises in one province yields the network risk situation of the enterprises in that province. The network risk situation of the enterprises in an area is thus perceived, security supervision of the whole area is supported, centralized supervision of enterprises is achieved, and, since no situation awareness device has to be deployed at each enterprise in the area, the cost of perceiving the enterprises' network risk situation is reduced.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings required for the embodiments or for the description of the prior art are briefly described below. The drawings described here are only some embodiments of the application; a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of a risk monitoring method according to an embodiment of the present disclosure;
fig. 2 is a flow chart of a risk monitoring method according to a second embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of a risk monitoring apparatus according to a third embodiment of the present application;
fig. 4 is a schematic structural diagram of a terminal device according to a fourth embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the appended claims, the term "if" may be interpreted as "when", "once", "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrase "if it is determined" or "if [a described condition or event] is detected" may be interpreted, depending on the context, as "upon determining", "in response to determining", "upon detecting [the described condition or event]" or "in response to detecting [the described condition or event]".
In addition, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
The risk monitoring method provided by the embodiment of the application can be applied to terminal equipment such as palm computers, desktop computers, notebook computers, ultra-mobile personal computers (UMPC), netbooks, cloud servers, personal digital assistants (personal digital assistant, PDA) and the like, and the specific type of the terminal equipment is not limited.
It should be understood that the step numbers in the embodiments do not imply an order of execution; the execution order of the processes is determined by their function and internal logic and does not limit the implementation of the embodiments in any way.
In order to illustrate the technical solutions described in the present application, the following description is made by specific examples.
Referring to fig. 1, a flow chart of a risk monitoring method provided in an embodiment of the present application, where the risk monitoring method may be used for a terminal device, as shown in the drawing, the risk monitoring method may include the following steps:
step S101, obtaining equipment information of each of N asset devices of a target enterprise in a target area.
And N is an integer greater than 1, and the target enterprise is an enterprise running an industrial control system in the target area. The target enterprise may include one enterprise or a plurality of enterprises, and the specific number of enterprises in the target enterprise is related to the selection of the target area.
The target area may be the jurisdiction of a supervision department; if that jurisdiction is a province, the target area is the area within the province and the target enterprises are the enterprises in the province that run an industrial control system, or that need to control industrial production over a network. Such an industrial control system combines Ethernet with the enterprise's production control system: field device information, production information and the like are collected over Ethernet; a management layer (for example servers and engineering workstations) centrally decides on and manages the enterprise's production on the basis of that information; and a field control layer (for example device controllers) controls the field devices according to the management layer's decisions, so that the enterprise supervises production, operation and management comprehensively.
An asset device may be any device of a target enterprise that has an Ethernet port and can be reached remotely over a network, for example a server, a switch or an engineering workstation, including industrial control devices with production control functions. Device information is obtained by network access to the asset device and includes, but is not limited to, the Internet Protocol (IP) address, open ports, device vendor, device type, device model, device name, firmware version, device description and supported protocols.
Step S102, according to the equipment information of each asset equipment, the asset equipment belonging to the same enterprise in the N asset equipment is counted.
The target enterprise may include one enterprise or multiple enterprises, and the obtained asset device may belong to one enterprise or may belong to different enterprises.
Optionally, the device information of each asset device includes an IP address of each asset device, and the counting, according to the device information of each asset device, asset devices belonging to the same enterprise in the N asset devices includes:
acquiring the geographic position information of each asset device according to the IP address of each asset device;
acquiring enterprise information of an enterprise to which each asset device belongs according to the geographical position information of each asset device;
and counting the asset devices with the same enterprise information in the N asset devices, and determining the asset devices with the same enterprise information as asset devices belonging to the same enterprise.
The IP address of each asset device gives a rough geographic position; the enterprise information of the owning enterprise, such as the enterprise name, is then obtained by an automatic or manual check, and the asset devices belonging to the same enterprise, for example all asset devices of a company 'Li San', are obtained by counting. Because geolocation by IP address is only coarse, it is the check against enterprise information that actually attributes a device to an enterprise.
Step S103, according to the equipment information of the asset equipment belonging to the same enterprise, acquiring the network risk situation of each enterprise in the target enterprise.
The network risk situation refers to the risk situation of an enterprise's industrial control system, for example its risk degree and risk types, and is obtained by comprehensively evaluating the risk information of the enterprise's asset devices. The risk information of an asset device describes, for example, its ability to resist network attacks while networked, or its degree of vulnerability; the specific risks of a device, such as vulnerability information and weak passwords, are determined from its open ports, device vendor, device type and similar information.
Optionally, the obtaining, according to the device information of the asset devices belonging to the same enterprise, a network risk situation of each enterprise in the target enterprise includes:
acquiring network risk parameters of each enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
and acquiring the network risk situation of each enterprise according to the network risk parameters of each enterprise.
The network risk parameters of an enterprise are determined by the risk information of its asset devices and include, but are not limited to, vulnerability information and weak passwords. If an enterprise has at least two asset devices, the risk information of all of them is combined: the network risk parameters of the enterprise are counted from the risk information of its asset devices and expressed in a preset form, such as a pie chart or a bar chart, which gives the network risk situation of the enterprise.
Step S104, according to the network risk situation of each enterprise, obtaining a target network risk situation of the target enterprise, and displaying the target network risk situation.
The network risk situation of each enterprise describes a single enterprise; the target network risk situation of the target enterprises in the target area is obtained by further analysis. For example, analysing the industry to which each enterprise belongs gives the network risk situation of each industry, and analysing the area to which each enterprise belongs gives the network risk situation of each area; either is a target network risk situation. The target network risk situation may also be the change of the network risk situation over different time periods, in which case the number of scanned IP addresses, the number of checked IP addresses and the number of risky IP addresses can be displayed as a trend.
Optionally, the obtaining the target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation includes:
acquiring industries to which each enterprise belongs, and counting the enterprises belonging to the same industry;
acquiring a network risk situation of each industry according to the network risk situation of the enterprises belonging to the same industry, wherein each industry is determined by the enterprises belonging to the same industry;
and displaying the network risk situation of each industry.
The industry of each enterprise is known from the enterprise information obtained in the preceding steps. The enterprises of each industry are counted, the network risk situation of each industry is obtained by combining the network risk situations of its enterprises, and the result is displayed in a preset way; for example, the network risk situation may be a network security rating, each industry is paired with its rating in a table, and the table is output and displayed.
Optionally, obtaining a target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation includes:
obtaining the geographical position information of each enterprise, and counting the enterprises in the same area of the target enterprise;
acquiring a network risk situation of each area according to the network risk situations of the enterprises in the same area, wherein each area is determined by the enterprises in the same area;
and displaying the network risk situation of each area.
The area of each enterprise is known from its enterprise information. If the target area is a province, for example, the area of an enterprise may be the eastern, western or central part of the province, or the city it is located in. The enterprises of each area are counted, the network risk situation of each area is obtained by combining the network risk situations of its enterprises, and the network risk situation of each area is displayed in a preset way, for example by highlighting the network risk situation of each area of the target area on a geographic information system (GIS) map, which shows the risk situation of the areas intuitively.
In this embodiment the asset devices of the target enterprises in the target area are monitored to obtain the network risk situation of each enterprise, and from these the overall risk situation of the target enterprises in the target area is determined; for example, monitoring several enterprises in one province yields the network risk situation of the enterprises in that province. The network risk situation of the enterprises in an area is thus perceived, security supervision of the whole area is supported, centralized supervision of enterprises is achieved, and, since no situation awareness device has to be deployed at each enterprise in the area, the cost of perceiving the enterprises' network risk situation is reduced.
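The following is an added worked example of steps S102 to S104 as a whole; it is not code from the patent or from the assignee. It attributes devices to enterprises, counts risk parameters per enterprise, rates them, and aggregates by industry, by area and over time. Everything in it is constructed: the address-block table stands in for the IP geolocation plus automatic or manual check of step S102, the device records and their vulnerability counts and weak-password flags are sample input rather than scan results, and the rating thresholds are an assumption, since the page fixes no scale.

```python
import ipaddress
from collections import defaultdict

# Constructed table mapping address blocks to the enterprise that operates
# them, with that enterprise's industry and area. In the method this comes
# from IP geolocation followed by an automatic or manual check (step S102);
# a fixed table standing in for that lookup is an assumption of this example.
ENTERPRISE_BLOCKS = [
    ("10.1.0.0/24", {"name": "Li San", "industry": "chemical", "area": "east"}),
    ("10.2.0.0/24", {"name": "Wang Wu", "industry": "power", "area": "west"}),
    ("10.3.0.0/24", {"name": "Zhao Liu", "industry": "water", "area": "east"}),
]

# Constructed device records in the shape of the device information of step
# S101. vuln_count is the number of known vulnerabilities matched from the
# vendor/type/port information and weak_password a flag from a credential
# check; both are assumed inputs here, not the output of a real scan.
DEVICES = [
    {"ip": "10.1.0.5", "ports": [502], "vendor": "Acme", "type": "PLC", "vuln_count": 2, "weak_password": False},
    {"ip": "10.1.0.9", "ports": [80, 502], "vendor": "Acme", "type": "HMI", "vuln_count": 0, "weak_password": True},
    {"ip": "10.2.0.7", "ports": [102], "vendor": "Beta", "type": "PLC", "vuln_count": 0, "weak_password": False},
    {"ip": "10.2.0.8", "ports": [102, 443], "vendor": "Beta", "type": "engineering station", "vuln_count": 1, "weak_password": False},
    {"ip": "10.3.0.3", "ports": [502], "vendor": "Gamma", "type": "RTU", "vuln_count": 0, "weak_password": False},
    {"ip": "192.0.2.10", "ports": [502], "vendor": "Acme", "type": "PLC", "vuln_count": 3, "weak_password": True},
]

COUNTERS = ("devices", "vuln_count", "weak_password_devices", "risky_devices")


def enterprise_of(ip):
    """Attribute an IP address to an enterprise through the address-block table."""
    addr = ipaddress.ip_address(ip)
    for cidr, ent in ENTERPRISE_BLOCKS:
        if addr in ipaddress.ip_network(cidr):
            return ent
    return None


def group_by_enterprise(devices):
    """Step S102: collect the asset devices that belong to the same enterprise.
    Devices that cannot be attributed are left out rather than guessed."""
    groups = defaultdict(list)
    for dev in devices:
        ent = enterprise_of(dev["ip"])
        if ent is not None:
            groups[ent["name"]].append(dev)
    return dict(groups)


def risk_parameters(devices):
    """Network risk parameters of one group of devices (step S103)."""
    return {
        "devices": len(devices),
        "vuln_count": sum(d["vuln_count"] for d in devices),
        "weak_password_devices": sum(1 for d in devices if d["weak_password"]),
        "risky_devices": sum(1 for d in devices if d["vuln_count"] or d["weak_password"]),
    }


def rating(params):
    """Map risk parameters to a rating. The thresholds are an assumption of
    this example; the page only says the situation is shown in a preset form."""
    if params["devices"] == 0:
        return "unknown"
    if params["weak_password_devices"] or params["risky_devices"] > params["devices"] / 2:
        return "high"
    return "medium" if params["risky_devices"] else "low"


def enterprise_situations(devices):
    """Step S103: the network risk situation of each enterprise."""
    result = {}
    for name, devs in group_by_enterprise(devices).items():
        params = risk_parameters(devs)
        result[name] = dict(params, rating=rating(params))
    return result


def aggregate(situations, key):
    """Step S104: combine enterprise situations by "industry" or by "area"."""
    meta = {ent["name"]: ent for _, ent in ENTERPRISE_BLOCKS}
    groups = defaultdict(list)
    for name, sit in situations.items():
        groups[meta[name][key]].append(sit)
    result = {}
    for group, sits in groups.items():
        merged = {c: sum(s[c] for s in sits) for c in COUNTERS}
        merged["enterprises"] = len(sits)
        merged["rating"] = rating(merged)
        result[group] = merged
    return result


def risk_trend(snapshots):
    """Change over time periods: (period, scanned IP count, risky IP count)."""
    return [(period, len(devs), risk_parameters(devs)["risky_devices"])
            for period, devs in snapshots]


if __name__ == "__main__":
    sits = enterprise_situations(DEVICES)
    for name, sit in sits.items():
        print(name, sit)
    print("by industry:", aggregate(sits, "industry"))
    print("by area:", aggregate(sits, "area"))
    print("trend:", risk_trend([("2019-Q4", DEVICES[:3]), ("2020-Q1", DEVICES)]))
```

The unattributed address 192.0.2.10 is deliberately dropped from every enterprise but still counted in the scanned and risky totals of the trend, which is the distinction the page draws between per-enterprise situations and the scanned, checked and risky IP counts shown over time.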
Referring to fig. 2, a flow chart of a risk monitoring method provided in a second embodiment of the present application is shown, where the risk monitoring method may be used for a terminal device, and as shown in the drawing, the risk monitoring method may include the following steps:
in step S201, it is detected whether each of N asset devices of the target enterprise in the target area is online.
N is an integer greater than 1, and the target area, the target enterprises and the asset devices are as defined for step S101 of the first embodiment. An asset device is online (that is, alive) when it is powered on and reachable over the network. Device information cannot be obtained from an asset device that is not online, so such devices are excluded before device information is acquired, which avoids wasting resources.
Optionally, detecting whether each asset device is online comprises:
acquiring an IP address range to be scanned according to the target area;
and carrying out port scanning on each asset device with the IP address in the IP address range to be scanned by adopting a stateless scanning algorithm, and detecting whether each asset device is online or not.
The IP address range to be scanned differs between target areas; the IP addresses of the asset devices of the target enterprises in the target area lie within that range, each asset device's IP address being one element of it. Port scanning is performed with a stateless scanning algorithm, for example the masscan stateless port scanner, and whether the asset devices in the range are online is determined according to the network segments and the device protocols to be probed. A stateless scanner keeps no per-connection state and recognises replies by the values it encoded into its probes, which is what lets it cover a large address range quickly; the ports probed should be those of the device protocols expected in the range.
Step S202, if each asset device is online, calling a fingerprint script in a preset fingerprint library to interactively detect each asset device, and judging whether each asset device is an industrial control device or not.
Fingerprint scripts in a preset fingerprint library are called to interactively probe each asset device. For one asset device, several fingerprint scripts exchange information with it in order to remotely identify its type, hardware, operating system and running software (with version numbers and configuration parameters), and the device's type determines whether it is an industrial control device. The preset fingerprint library may be a database of fingerprint scripts in which a user stores at least one fingerprint script as needed. A fingerprint script is a script or program file carrying fingerprint information, which is an information description of the asset device; the corresponding information is obtained from the asset device by means of that fingerprint information.
Step S203, if each asset device is an industrial control device, acquiring device information of each asset device according to the communication characteristics of the fingerprint script in the preset fingerprint library.
When an asset device interacts with a fingerprint script it responds to the information the script sends; the communication characteristics of the script, such as the response information and response data, are obtained and analysed to determine the device information of the asset device, for example its device type and domain name, from the probe response.
Correspondingly, if an asset device is not an industrial control device, it is skipped and the method returns to the step of determining that an asset device is online, calling the fingerprint scripts in the preset fingerprint library to probe the next asset device, until the scanning and probing of the asset devices of the target enterprises in the target area is complete.
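The following is an added worked example of steps S201 to S203 taken together, including the skip branch; it is not code from the patent or from the assignee. It reads the list output of a masscan run (the `-oL` format, one `open <proto> <port> <ip> <timestamp>` line per live port), then applies a small fingerprint library to each live address. The library holds one industrial-control script, a Modbus/TCP Read Device Identification exchange (function code 0x2B, MEI type 0x0E, whose basic objects are vendor name, product code and revision), and one non-ICS script that recognises an HTTP Server header. The scan output and the device replies are constructed so that the example runs offline; no host is contacted. The script names, the `RESPONSES` table and the choice of ports are assumptions of this example.

```python
import re
import struct

# Constructed masscan list output (-oL format) standing in for the stateless
# port scan of step S201. Lines beginning with '#' are comments.
SCAN_OUTPUT = """#masscan
open tcp 502 10.1.0.5 1577836800
open tcp 80 10.1.0.9 1577836801
open tcp 102 10.2.0.7 1577836802
# end
"""


def parse_masscan_list(text):
    """Live (ip, port) pairs from masscan -oL output."""
    live = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "open":
            live.append((parts[3], int(parts[2])))
    return live


def modbus_devid_request(tid=1, unit=1):
    """Modbus/TCP Read Device Identification request (function 0x2B, MEI type
    0x0E, basic objects): the probe a Modbus fingerprint script would send."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_devid(frame):
    """Parse a Read Device Identification response into vendor/product/revision.
    Returns None for anything that is not a well-formed response of that kind."""
    if len(frame) < 14:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or length != len(pdu) + 1 or pdu[0] != 0x2B or pdu[1] != 0x0E:
        return None
    names = {0: "vendor", 1: "product_code", 2: "revision"}
    info, pos = {}, 7                      # objects follow the 7-byte MEI header
    for _ in range(pdu[6]):                # pdu[6] = number of objects
        if pos + 2 > len(pdu):
            return None
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:             # truncated object: reject the frame
            return None
        info[names.get(oid, "object_%d" % oid)] = value.decode("ascii", "replace")
        pos += 2 + olen
    return info


def parse_http_banner(data):
    """Non-ICS fingerprint: an HTTP Server header identifies a web server."""
    m = re.search(rb"^Server:[ \t]*(.+?)\r?$", data, re.M)
    return {"server": m.group(1).decode("ascii", "replace")} if m else None


# The preset fingerprint library (assumed contents): which ports a script
# applies to, how its response is interpreted, and whether a match is ICS.
FINGERPRINT_SCRIPTS = [
    {"name": "modbus-devid", "ports": {502}, "ics": True, "parse": parse_modbus_devid},
    {"name": "http-banner", "ports": {80, 8080}, "ics": False, "parse": parse_http_banner},
]


def build_modbus_devid_response(vendor, product, revision, tid=1, unit=1):
    """Constructed device reply used as offline sample input."""
    objs = b"".join(bytes([i, len(v)]) + v.encode() for i, v in enumerate((vendor, product, revision)))
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 3]) + objs
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed replies keyed by (ip, port), in place of real network interaction.
RESPONSES = {
    ("10.1.0.5", 502): build_modbus_devid_response("Acme Automation", "PLC-1000", "v2.3"),
    ("10.1.0.9", 80): b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    ("10.2.0.7", 102): b"",   # no script in the library covers this port
}


def inventory(scan_output, responses):
    """Steps S201-S203 offline: fingerprint each live (ip, port), keep devices
    identified as industrial control devices, skip non-ICS devices."""
    ics, skipped, unidentified = [], [], []
    for ip, port in parse_masscan_list(scan_output):
        for script in FINGERPRINT_SCRIPTS:
            if port not in script["ports"]:
                continue
            info = script["parse"](responses.get((ip, port), b""))
            if info is None:
                continue
            if script["ics"]:
                ics.append({"ip": ip, "port": port, "script": script["name"], **info})
            else:
                skipped.append(ip)          # the page's skip branch
            break
        else:
            unidentified.append((ip, port))
    return ics, skipped, unidentified


if __name__ == "__main__":
    print(inventory(SCAN_OUTPUT, RESPONSES))
```

In a live run the bytes from `modbus_devid_request()` would be sent over a TCP connection to port 502 of each live host and the reply handed to `parse_modbus_devid`. Both the scan and the probes should be rate-limited and confined to address ranges the supervision department is authorised to scan: industrial control devices can react badly to unexpected traffic, and the parser rejects malformed or truncated frames instead of trusting whatever a device returns.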
Step S204, according to the equipment information of each asset equipment, the asset equipment belonging to the same enterprise in the N asset equipment is counted.
Step S205, obtaining a network risk situation of each enterprise in the target enterprise according to the device information of the asset devices belonging to the same enterprise.
Step S206, obtaining a target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation.
Step S204, step S205, and step S206 are the same as step S102, step S103, and step S104, respectively, and are not described herein.
This embodiment monitors the industrial control devices among the online asset devices of the target enterprises in the target area, obtains the network risk situation of each enterprise and from it the overall risk situation of the target enterprises in the target area. Asset devices that are not online are excluded, which avoids occupying resources, and only the industrial control devices that directly affect enterprise production are monitored, which saves monitoring cost and time and avoids wasting resources.
Corresponding to the risk monitoring method of the above embodiments, fig. 3 shows a block diagram of the risk monitoring device provided in the third embodiment of the present application, and for convenience of explanation, only the portions related to the embodiments of the present application are shown.
Referring to fig. 3, the risk monitoring apparatus includes:
the device information obtaining module 31 is configured to obtain device information of each of N asset devices of a target enterprise in a target area, where N is an integer greater than 1, and the target enterprise is an enterprise running an industrial control system in the target area;
a statistics module 32, configured to, according to the device information of each asset device, count asset devices belonging to the same enterprise among the N asset devices;
the risk situation obtaining module 33 is configured to obtain a network risk situation of each enterprise in the target enterprise according to the device information of the asset devices belonging to the same enterprise;
and the display module 34 is configured to obtain a target network risk situation of the target enterprise according to the network risk situation of each enterprise, and display the target network risk situation.
Optionally, the risk monitoring device includes:
the online detection module is used for detecting whether each asset device is online or not before acquiring the device information of each asset device in N asset devices of a target enterprise in a target area;
the judging module is used for calling fingerprint scripts in a preset fingerprint library to interactively detect each asset device if each asset device is online, and judging whether each asset device is an industrial control device or not;
correspondingly, the device information obtaining module 31 is specifically configured to:
and if each asset device is an industrial control device, acquiring the device information of each of N asset devices in the target area according to the communication characteristics of the fingerprint script in the preset fingerprint library.
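As an added illustration of what the judging module's "fingerprint script" can be, the following Python is example code written for this page, not code from the patent or its assignee. It uses the Modbus/TCP "Read Device Identification" request (function code 0x2B, MEI type 0x0E, as defined in the public Modbus application protocol specification) as the interactive probe, parses the communication characteristics a device returns, and matches them against a small fingerprint library. The sample reply frames, the vendor and product strings, the library entries and the rule that any Modbus speaker counts as an industrial control device are all constructed assumptions, not the patent's own rules; sending the request over TCP/502 is left outside the example.

```python
"""Modbus/TCP Read Device Identification as a fingerprint script (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

FUNC_ENCAP = 0x2B          # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E  # Read Device Identification
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_request(transaction_id: int = 1, unit_id: int = 1) -> bytes:
    """MBAP header + PDU asking for the basic identification objects (read code 0x01)."""
    pdu = bytes([FUNC_ENCAP, MEI_READ_DEVICE_ID, 0x01, 0x00])
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_response(frame: bytes) -> Optional[Dict[str, object]]:
    """Parse the communication characteristics of one reply.

    Returns None when the bytes are not a well-formed Modbus/TCP frame, a dict
    with 'exception' set when the device answered with a Modbus exception, and
    otherwise the identification objects keyed by name.
    """
    if len(frame) < 9:                       # 7-byte MBAP + at least a 2-byte PDU
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None                          # MBAP protocol id is always 0; length must match
    pdu = frame[7:]
    if pdu[0] == (FUNC_ENCAP | 0x80):
        return {"modbus": True, "exception": pdu[1], "objects": {}}
    if pdu[0] != FUNC_ENCAP or pdu[1] != MEI_READ_DEVICE_ID or len(pdu) < 7:
        return None
    objects: Dict[str, str] = {}
    pos = 7                                  # after read code, conformity, more-follows, next id, count
    for _ in range(pdu[6]):
        if pos + 2 > len(pdu):
            return None                      # object header truncated
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            return None                      # object value truncated
        name = BASIC_OBJECTS.get(obj_id, f"object_{obj_id:#04x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"modbus": True, "exception": None, "objects": objects}


# Constructed fingerprint library: every listed field must contain its needle.
FINGERPRINT_LIBRARY: List[Tuple[Dict[str, str], str]] = [
    ({"VendorName": "Example Automation", "ProductCode": "PLC-"}, "plc"),
    ({"VendorName": "Example Energy", "ProductCode": "RTU"}, "rtu"),
]


def classify(info: Optional[Dict[str, object]]) -> str:
    """Device type on a library hit; 'modbus-unknown' for any other Modbus speaker; else 'not-ics'."""
    if info is None:
        return "not-ics"
    objects = info["objects"]
    for needles, device_type in FINGERPRINT_LIBRARY:
        if all(needle in objects.get(field, "") for field, needle in needles.items()):
            return device_type
    return "modbus-unknown"


def is_industrial_control(frame: bytes) -> bool:
    """The judging step; treating every Modbus speaker as ICS is this example's assumption."""
    return classify(parse_response(frame)) != "not-ics"


def _frame(pdu: bytes, tid: int = 1, unit: int = 1) -> bytes:
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def _identification_pdu(vendor: str, product: str, revision: str) -> bytes:
    body = b"".join(bytes([oid, len(text)]) + text.encode("ascii")
                    for oid, text in ((0x00, vendor), (0x01, product), (0x02, revision)))
    # func, MEI type, read code, conformity level 0x01 (basic), more follows 0, next id 0, count 3
    return bytes([FUNC_ENCAP, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, 0x03]) + body


# Constructed replies to the same probe from three different listeners on TCP/502.
SAMPLE_REPLIES = {
    "plc":       _frame(_identification_pdu("Example Automation", "PLC-100", "v2.1.0")),
    "exception": _frame(bytes([FUNC_ENCAP | 0x80, 0x01])),   # Illegal Function: no MEI support
    "http":      b"HTTP/1.1 400 Bad Request\r\n\r\n",          # a web server answered instead
}

if __name__ == "__main__":
    print(build_request(7, 1).hex())
    for label, reply in SAMPLE_REPLIES.items():
        print(label, classify(parse_response(reply)))
```

A Modbus exception reply (function 0xAB) still proves a Modbus stack is listening and is kept as a Modbus speaker even though it carries no identification objects. A reply whose MBAP protocol identifier is not zero or whose length field disagrees with the frame is rejected before any object is parsed; that check is what keeps a web server, or a deliberately malformed reply, on port 502 from being recorded as a PLC.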
Optionally, the online detection module includes:
the IP address acquisition unit is used for acquiring an Internet Protocol (IP) address range to be scanned according to the target area;
and the online detection unit is used for carrying out port scanning on the asset devices with the IP addresses within the IP address range to be scanned by adopting a stateless scanning algorithm, and detecting whether each asset device is online or not.
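One way to realize the online detection unit's stateless port scan, added here as example code that is not the patent's own. It assumes the masscan/ZMap-style technique of encoding probe identity in the TCP sequence number; the patent names a "stateless scanning algorithm" but does not say which one. The scanner keeps no per-probe table: the sequence number of every SYN is a keyed hash of the destination address, destination port and local source port, and each reply is validated by recomputing that hash from the reply's own addresses and checking that its acknowledgement number is one greater. The key, the addresses and the captured replies are constructed; transmitting and capturing packets (raw sockets) is outside the example.

```python
"""Stateless SYN-scan bookkeeping (added example; assumptions in the lead-in)."""
import hashlib
import hmac
import ipaddress
from typing import Dict, Iterable, Iterator, Optional, Tuple

KEY = b"per-scan-secret-rotate-me"   # constructed; a real scan draws a fresh random key
LOCAL_PORT = 40000                    # constructed source port used for every probe
ICS_PORTS = (502, 102, 20000, 44818)  # Modbus/TCP, S7comm over ISO-TSAP, DNP3, EtherNet/IP
MASK32 = 0xFFFFFFFF


def expand_range(cidr: str) -> Iterator[str]:
    """Enumerate the hosts of the IP address range to be scanned (the target area)."""
    for host in ipaddress.ip_network(cidr, strict=False).hosts():
        yield str(host)


def probe_seq(key: bytes, dst_ip: str, dst_port: int, src_port: int) -> int:
    """Sequence number carried by the SYN to (dst_ip, dst_port); nothing is stored."""
    msg = f"{dst_ip}:{dst_port}:{src_port}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def classify_reply(key: bytes, src_ip: str, src_port: int, local_port: int,
                   ack: int, flags: str) -> Optional[str]:
    """Validate one reply without per-probe state.

    src_ip/src_port are the remote end that answered (the probe's destination);
    local_port is the port the reply came back to (the probe's source port).
    Returns 'open' for SYN/ACK, 'closed' for RST/ACK, and None when the ack does
    not match the sequence number we would have sent, i.e. the packet is not ours
    (backscatter, a spoofed reply, or someone else's scan).
    """
    expected = (probe_seq(key, src_ip, src_port, local_port) + 1) & MASK32
    if ack != expected:
        return None
    return {"SA": "open", "RA": "closed"}.get(flags)


def online_hosts(key: bytes, local_port: int,
                 replies: Iterable[Tuple[str, int, int, str]]) -> Dict[str, Dict[int, str]]:
    """Fold validated replies into {ip: {port: verdict}}; any validated reply means online."""
    found: Dict[str, Dict[int, str]] = {}
    for src_ip, src_port, ack, flags in replies:
        verdict = classify_reply(key, src_ip, src_port, local_port, ack, flags)
        if verdict is not None:
            found.setdefault(src_ip, {})[src_port] = verdict
    return found


def demo() -> Dict[str, Dict[int, str]]:
    """Constructed capture: two hosts that answered our probes and one packet that is not ours."""
    def ack_for(ip: str, port: int) -> int:
        return (probe_seq(KEY, ip, port, LOCAL_PORT) + 1) & MASK32

    replies = [
        ("10.0.0.5", 502, ack_for("10.0.0.5", 502), "SA"),                  # Modbus port open
        ("10.0.0.5", 102, ack_for("10.0.0.5", 102), "RA"),                  # S7 port closed, host online
        ("10.0.0.9", 502, (ack_for("10.0.0.9", 502) + 1) & MASK32, "SA"),   # wrong ack: discarded
        ("10.0.0.7", 44818, ack_for("10.0.0.7", 44818), "SA"),              # EtherNet/IP open
    ]
    return online_hosts(KEY, LOCAL_PORT, replies)


if __name__ == "__main__":
    for ip in expand_range("10.0.0.0/29"):
        print(ip, [probe_seq(KEY, ip, p, LOCAL_PORT) for p in ICS_PORTS])
    print(demo())
```

Because the verdict for a reply depends only on the key and the reply's own header fields, the scanner can emit probes for a whole address range at line rate and let the replies arrive in any order; a host counts as online as soon as one validated reply of either kind comes back, and a RST/ACK still marks the host as online even though that port is closed.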
Optionally, the device information of each asset device includes an IP address of each asset device, and the statistics module 32 includes:
the position information acquisition unit is used for acquiring the geographic position information of each asset device according to the IP address of each asset device;
the enterprise information acquisition unit is used for acquiring enterprise information of enterprises to which each asset device belongs according to the geographical position information of each asset device;
and the statistics unit is used for counting the asset devices with the same enterprise information in the N asset devices and determining the asset devices with the same enterprise information as asset devices belonging to the same enterprise.
Optionally, the risk situation obtaining module 33 includes:
the risk parameter acquisition unit is used for acquiring the network risk parameters of each enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
the risk situation acquisition unit is used for acquiring the network risk situation of each enterprise according to the network risk parameters of each enterprise.
Optionally, the display module 34 includes:
the subordinate industry acquisition unit is used for acquiring the industry to which each enterprise belongs and counting the enterprises belonging to the same industry;
the industry risk acquisition unit is used for acquiring the network risk situation of each industry according to the network risk situation of the enterprises belonging to the same industry, wherein each industry is determined by the enterprises belonging to the same industry;
and the industry risk display unit is used for displaying the network risk situation of each industry.
Optionally, the display module 34 includes:
the subordinate region acquisition unit is used for acquiring the geographic position information of each enterprise and counting the enterprises of the target enterprise that are located in the same region;
the regional risk obtaining unit is used for obtaining the network risk situation of each region according to the network risk situation of the enterprises located in the same region, wherein each region is determined by the enterprises located in the same region;
and the regional risk display unit is used for displaying the network risk situation of each region.
It should be noted that, because the content of information interaction and execution process between the modules is based on the same concept as the method embodiment of the present application, specific functions and technical effects thereof may be referred to in the method embodiment section, and details are not repeated herein.
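The statistics module, the risk situation obtaining module and the two display-module variants above describe one roll-up: device information to enterprise, enterprise to risk parameters and risk situation, enterprises to industry and to region. The following Python is an added example of that roll-up and is not the patent's code. The asset records, the IP-range-to-enterprise lookup (standing in for IP geolocation plus enterprise registration data), the port weights and the scoring rule are all constructed assumptions; only the grouping and aggregation structure follows the text.

```python
"""Enterprise, industry and region roll-up of scanned ICS assets (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    ip: str
    device_type: str          # from the fingerprint step, e.g. 'plc' or 'rtu'
    open_ports: List[int]     # from the port scan
    firmware_outdated: bool   # part of the device information; constructed here


@dataclass
class Enterprise:
    name: str
    industry: str
    region: str
    assets: List[Asset] = field(default_factory=list)


# Constructed lookup keyed by address range: (enterprise, industry, region).
ENTERPRISE_LOOKUP = {
    "203.0.113.0/26":  ("Northfield Water Works", "water", "north district"),
    "203.0.113.64/26": ("Eastport Chemical", "chemical", "east district"),
    "198.51.100.0/25": ("Northfield Power", "power", "north district"),
}

# Constructed weights: exposed ICS protocols weigh most, then Telnet, then HTTP.
EXPOSED_PORT_WEIGHT = {502: 3, 102: 3, 20000: 3, 44818: 3, 23: 2, 80: 1}
OUTDATED_FIRMWARE_PENALTY = 5


def enterprise_for(ip: str) -> Optional[Tuple[str, str, str]]:
    """Geographic position and enterprise information derived from the IP address."""
    addr = ip_address(ip)
    for cidr, meta in ENTERPRISE_LOOKUP.items():
        if addr in ip_network(cidr):
            return meta
    return None


def group_by_enterprise(assets: List[Asset]) -> Dict[str, Enterprise]:
    """Statistics module: assets with the same enterprise information form one group."""
    groups: Dict[str, Enterprise] = {}
    for asset in assets:
        meta = enterprise_for(asset.ip)
        if meta is None:
            continue                          # outside the target area, not counted
        name, industry, region = meta
        groups.setdefault(name, Enterprise(name, industry, region)).assets.append(asset)
    return groups


def risk_parameters(ent: Enterprise) -> Dict[str, int]:
    """Risk parameter acquisition unit: parameters derived from the device information."""
    exposure = sum(EXPOSED_PORT_WEIGHT.get(p, 0) for a in ent.assets for p in a.open_ports)
    outdated = sum(1 for a in ent.assets if a.firmware_outdated)
    return {"devices": len(ent.assets), "exposure": exposure, "outdated": outdated}


def risk_score(params: Dict[str, int]) -> int:
    """Risk situation acquisition unit, with a constructed additive scoring rule."""
    return params["exposure"] + OUTDATED_FIRMWARE_PENALTY * params["outdated"]


def rollup(groups: Dict[str, Enterprise], key: str) -> Dict[str, int]:
    """Industry or region situation as the sum of its member enterprises' scores."""
    totals: Dict[str, int] = defaultdict(int)
    for ent in groups.values():
        totals[getattr(ent, key)] += risk_score(risk_parameters(ent))
    return dict(totals)


def situation(assets: List[Asset]) -> Dict[str, object]:
    """Per-enterprise, per-industry, per-region and overall target network risk situation."""
    groups = group_by_enterprise(assets)
    per_enterprise = {name: risk_score(risk_parameters(ent)) for name, ent in groups.items()}
    return {
        "enterprise": per_enterprise,
        "industry": rollup(groups, "industry"),
        "region": rollup(groups, "region"),
        "target": sum(per_enterprise.values()),
    }


# Constructed scan results; the last address lies outside every range in the lookup.
SAMPLE_ASSETS = [
    Asset("203.0.113.10", "plc", [502], False),
    Asset("203.0.113.11", "plc", [502, 23], True),
    Asset("203.0.113.70", "rtu", [20000, 80], True),
    Asset("198.51.100.5", "plc", [102], False),
    Asset("192.0.2.1", "plc", [502], True),
]

if __name__ == "__main__":
    print(situation(SAMPLE_ASSETS))
```

The asset at 192.0.2.1 matches no range and is dropped before any counting, which is the point at which a real deployment needs a reliable IP-to-enterprise source: a stale or coarse geolocation feed silently attributes a device to the wrong enterprise and every figure above it inherits the error. The numeric scores come from the constructed rule and are only useful for comparing groups within one run.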
Fig. 4 is a schematic structural diagram of a terminal device according to a fourth embodiment of the present application. As shown in fig. 4, the terminal device 4 of this embodiment includes: at least one processor 40 (only one shown in fig. 4), a memory 41, and a computer program 42 stored in the memory 41 and executable on the at least one processor 40, the processor 40 implementing the steps in any of the various risk monitoring method embodiments described above when executing the computer program 42.
The terminal device may include, but is not limited to, a processor 40, a memory 41. It will be appreciated by those skilled in the art that fig. 4 is merely an example of the terminal device 4 and is not meant to be limiting as to the terminal device 4, and may include more or fewer components than shown, or may combine certain components, or different components, such as may also include input-output devices, network access devices, etc.
The processor 40 may be a central processing unit (Central Processing Unit, CPU), and the processor 40 may also be another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 41 may in some embodiments be an internal storage unit of the terminal device 4, such as a hard disk or a memory of the terminal device 4. The memory 41 may in other embodiments also be an external storage device of the terminal device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card) or the like, which are provided on the terminal device 4. Further, the memory 41 may also include both an internal storage unit of the terminal device 4 and an external storage device. The memory 41 is used for storing an operating system, application programs, boot loader (BootLoader), data, other programs, etc., such as program codes of the computer program. The memory 41 may also be used for temporarily storing data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above division of functional units and modules is illustrated; in practical application, the above functions may be distributed among different functional units and modules as needed, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the functions described above. The functional units and modules in the embodiment may be integrated in one processing unit, each unit may exist alone physically, or two or more units may be integrated in one unit, and the integrated units may be implemented in the form of hardware or of a software functional unit. In addition, the specific names of the functional units and modules are only for convenience of distinguishing them from each other and do not limit the protection scope of the present application. For the specific working process of the units and modules in the above apparatus, reference may be made to the corresponding process in the foregoing method embodiment, which is not described again here.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present application implements all or part of the flow of the method of the above embodiments by means of a computer program that instructs the related hardware; the computer program may be stored in a computer readable storage medium and, when executed by a processor, implements the steps of the method embodiments described above. The computer program comprises computer program code, which may be in source code form, object code form, an executable file, some intermediate form, etc.
The computer readable medium may include at least: any entity or device capable of carrying the computer program code, a recording medium, a computer memory, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), an electrical carrier signal, a telecommunications signal, and a software distribution medium, such as a USB flash drive, a removable hard disk, a magnetic disk or an optical disk. In some jurisdictions, in accordance with legislation and patent practice, computer readable media may not include electrical carrier signals and telecommunications signals.
The implementation of all or part of the flow of the method in the above embodiment may also be accomplished by a computer program product, which when run on a terminal device, causes the terminal device to perform the steps in the method embodiment described above.
In the foregoing embodiments, each embodiment is described with its own emphasis; for any part that is not described or illustrated in detail in one embodiment, reference may be made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus/terminal device and method may be implemented in other manners. For example, the apparatus/terminal device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical function division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. A risk monitoring method, the risk monitoring method comprising:
invoking a fingerprint script associated with the type of the asset device in a preset fingerprint library, acquiring communication characteristics output by the asset device in response to information sent by the fingerprint script, and analyzing the communication characteristics to remotely identify the type of the asset device; judging whether each asset device is an industrial control device or not according to the type of the asset device; wherein the fingerprint script is a script or program file carrying fingerprint information, and the fingerprint information is a description of the asset device;
if each asset device is an industrial control device, acquiring device information of each asset device in N asset devices of a target enterprise in a target area, wherein N is an integer greater than 1, and the target enterprise is an enterprise running an industrial control system in the target area;
according to the equipment information of each asset equipment, counting the asset equipment belonging to the same enterprise in the N asset equipment;
acquiring a network risk situation of each enterprise in the target enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
and acquiring a target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation.
2. The risk monitoring method of claim 1, further comprising, prior to acquiring device information for each of the N asset devices of the target enterprise within the target area:
detecting whether each asset device is online;
if the asset devices are online, invoking fingerprint scripts in a preset fingerprint library to interactively detect the asset devices, and judging whether the asset devices are industrial control devices or not;
correspondingly, the acquiring the device information of each of the N asset devices in the target area includes:
and if each asset device is an industrial control device, acquiring the device information of each of N asset devices in the target area according to the communication characteristics of the fingerprint script in the preset fingerprint library.
3. The risk monitoring method of claim 2, wherein said detecting whether each asset device is online comprises:
acquiring an Internet Protocol (IP) address range to be scanned according to the target area;
and carrying out port scanning on each asset device with the IP address in the IP address range to be scanned by adopting a stateless scanning algorithm, and detecting whether each asset device is online or not.
4. The risk monitoring method of claim 1, wherein the device information of each asset device includes an IP address of each asset device, and the counting asset devices belonging to the same enterprise from the N asset devices according to the device information of each asset device includes:
acquiring the geographic position information of each asset device according to the IP address of each asset device;
acquiring enterprise information of an enterprise to which each asset device belongs according to the geographical position information of each asset device;
and counting the asset devices with the same enterprise information in the N asset devices, and determining the asset devices with the same enterprise information as asset devices belonging to the same enterprise.
5. The risk monitoring method of claim 1, wherein the obtaining the network risk situation for each of the target enterprises according to the device information of the asset devices belonging to the same enterprise comprises:
acquiring network risk parameters of each enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
and acquiring the network risk situation of each enterprise according to the network risk parameters of each enterprise.
6. The risk monitoring method of claim 1, wherein the obtaining the target network risk situation of the target enterprise according to the network risk situation of each enterprise, and displaying the target network risk situation comprises:
acquiring industries to which each enterprise belongs, and counting the enterprises belonging to the same industry;
acquiring a network risk situation of each industry according to the network risk situation of the enterprises belonging to the same industry, wherein each industry is determined by the enterprises belonging to the same industry;
and displaying the network risk situation of each industry.
7. The risk monitoring method of claim 1, wherein obtaining a target cyber-risk situation for the target enterprise based on the cyber-risk situation for each enterprise, and displaying the target cyber-risk situation comprises:
obtaining the geographical position information of each enterprise, and counting the enterprises of the target enterprise that are located in the same area;
acquiring a network risk situation of each area according to the network risk situation of the enterprises located in the same area, wherein each area is determined by the enterprises located in the same area;
and displaying the network risk situation of each area.
8. A risk monitoring device, the risk monitoring device comprising:
the judging module is used for calling a fingerprint script associated with the type of the asset device in a preset fingerprint library, acquiring communication characteristics output by the asset device in response to information sent by the fingerprint script, and analyzing the communication characteristics to remotely identify the type of the asset device; judging whether each asset device is an industrial control device or not according to the type of the asset device; wherein the fingerprint script is a script or program file carrying fingerprint information, and the fingerprint information is a description of the asset device;
the device information acquisition module is used for acquiring the device information of each asset device in N asset devices of a target enterprise in a target area under the condition that each asset device is an industrial control device, wherein N is an integer greater than 1, and the target enterprise is an enterprise running an industrial control system in the target area;
the statistics module is used for counting the asset devices belonging to the same enterprise in the N asset devices according to the device information of each asset device;
the risk situation acquisition module is used for acquiring the network risk situation of each enterprise in the target enterprise according to the equipment information of the asset equipment belonging to the same enterprise;
the display module is used for acquiring the target network risk situation of the target enterprise according to the network risk situation of each enterprise and displaying the target network risk situation.
9. A terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the risk monitoring method according to any of claims 1 to 7 when executing the computer program.
10. A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements the risk monitoring method according to any one of claims 1 to 7.
CN201911396156.5A 2019-12-30 2019-12-30 Risk monitoring method, risk monitoring device, terminal equipment and computer readable storage medium Active CN111178760B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911396156.5A CN111178760B (en) 2019-12-30 2019-12-30 Risk monitoring method, risk monitoring device, terminal equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN111178760A CN111178760A (en) 2020-05-19
CN111178760B true CN111178760B (en) 2023-05-23

Family

ID=70657582

Country Status (1)

Country Link
CN (1) CN111178760B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111953532B (en) * 2020-07-30 2022-10-11 中国工商银行股份有限公司 Equipment model identification method, device and equipment
CN112003857A (en) * 2020-08-20 2020-11-27 深信服科技股份有限公司 Network asset collecting method, device, equipment and storage medium
CN112671887B (en) * 2020-12-21 2023-03-03 哈尔滨工大天创电子有限公司 Asset identification method and device, electronic equipment and computer storage medium
CN112953952A (en) * 2021-03-02 2021-06-11 青岛海尔工业智能研究院有限公司 Industrial security situation awareness method, platform, electronic device and storage medium
CN113014585A (en) * 2021-03-03 2021-06-22 青岛海尔工业智能研究院有限公司 Industrial security threat monitoring method, platform, electronic device and storage medium
CN113079148B (en) * 2021-03-25 2023-01-10 恒安嘉新(北京)科技股份公司 Industrial Internet safety monitoring method, device, equipment and storage medium
CN113411302B (en) * 2021-05-11 2023-04-18 银雁科技服务集团股份有限公司 Network security early warning method and device for local area network equipment
CN113765704B (en) * 2021-08-10 2022-09-27 广州天懋信息系统股份有限公司 Private network data acquisition method, device, equipment and storage medium
CN114745166B (en) * 2022-03-29 2023-07-28 烽台科技(北京)有限公司 Industrial asset risk perception method and device and electronic equipment
CN115242423A (en) * 2022-05-25 2022-10-25 中国交通信息科技集团有限公司 Industrial internet security situation display system

Citations (3)

Publication number Priority date Publication date Assignee Title
CN110324310A (en) * 2019-05-21 2019-10-11 国家工业信息安全发展研究中心 Networked asset fingerprint identification method, system and equipment
CN110324311A (en) * 2019-05-21 2019-10-11 平安科技(深圳)有限公司 Method, apparatus, computer equipment and the storage medium of Hole Detection
CN111176202A (en) * 2019-12-31 2020-05-19 成都烽创科技有限公司 Safety management method, device, terminal equipment and medium for industrial control network

Family Cites Families (7)

Publication number Priority date Publication date Assignee Title
CN101436967A (en) * 2008-12-23 2009-05-20 北京邮电大学 Method and system for evaluating network safety situation
US10630713B2 (en) * 2016-07-14 2020-04-21 L3Harris Technologies, Inc. Method and tool to quantify the enterprise consequences of cyber risk
CN109246152A (en) * 2018-11-06 2019-01-18 北京华顺信安科技有限公司 A kind of a wide range of general vulnerability scanning method and system
CN109525427A (en) * 2018-11-12 2019-03-26 广东省信息安全测评中心 Distributed assets information detection method and system
CN110166281A (en) * 2019-04-10 2019-08-23 奇安信科技集团股份有限公司 Appraisal procedure, device, system and the medium of the network information security
CN110245497A (en) * 2019-06-18 2019-09-17 湖南晖龙集团股份有限公司 A kind of hygiene medical treatment safety monitoring and notification method for early warning, electronic equipment and computer readable storage medium
CN111193727A (en) * 2019-12-23 2020-05-22 成都烽创科技有限公司 Operation monitoring system and operation monitoring method

Non-Patent Citations (1)

Title
冯兵 (Feng Bing); 张静平 (Zhang Jingping). A composite model for network security vulnerability detection and its application. Journal of Naval Aeronautical and Astronautical University (海军航空工程学院学报). 2007, (02), 85-88. *

Similar Documents

Publication Publication Date Title
CN111178760B (en) Risk monitoring method, risk monitoring device, terminal equipment and computer readable storage medium
US11184401B2 (en) AI-driven defensive cybersecurity strategy analysis and recommendation system
US11848966B2 (en) Parametric analysis of integrated operational technology systems and information technology systems
US20220078210A1 (en) System and method for collaborative cybersecurity defensive strategy analysis utilizing virtual network spaces
US10216560B2 (en) Integration based anomaly detection service
US11218510B2 (en) Advanced cybersecurity threat mitigation using software supply chain analysis
US20220224723A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
CN113489713B (en) Network attack detection method, device, equipment and storage medium
CN111274583A (en) Big data computer network safety protection device and control method thereof
US9794153B2 (en) Determining a risk level for server health check processing
CN109543891B (en) Method and apparatus for establishing capacity prediction model, and computer-readable storage medium
CN113411302B (en) Network security early warning method and device for local area network equipment
CN111176202A (en) Safety management method, device, terminal equipment and medium for industrial control network
CN111193727A (en) Operation monitoring system and operation monitoring method
CN114598506A (en) Industrial control network security risk tracing method and device, electronic equipment and storage medium
CN112650180B (en) Safety warning method, device, terminal equipment and storage medium
CN113765850B (en) Internet of things abnormality detection method and device, computing equipment and computer storage medium
CN115643172A (en) Abnormity detection method, abnormity detection device, terminal equipment and storage medium
CN112699369A (en) Method and device for detecting abnormal login through stack backtracking
CN116471131B (en) Processing method and processing device for logical link information asset
CN117829592A (en) Configurable model-based risk assessment method and device
CN117749443A (en) Security event processing method and device
CN112801453A (en) Risk assessment method, device, terminal and storage medium
CN115842711A (en) Method and device for generating alarm event, storage medium and electronic equipment
CN114238267A (en) Data quality evaluation method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant