CN112398830A - Information security system and method with anti-attack function - Google Patents
- Publication number: CN112398830A
- Application number: CN202011216436.6A
- Authority: CN (China)
- Prior art keywords: attack, information, network, node, connection
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC, all under H: Electricity > H04: Electric communication technique > H04L: Transmission of digital information, e.g. telegraphic communication)
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408: Detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1425: Traffic logging, e.g. anomaly detection
- H04L63/1441: Countermeasures against malicious traffic
- H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An information security system with an anti-attack function is provided with a physical hardware detection module, a network connection state detection module, a static network comparison module, an attack information collection module and a simulation operation system. The method comprises the following steps. Step one: collect equipment operation data in real time through the hardware detection module and compare it with an equipment operation database; if there is no abnormality, go to the next step, otherwise send out a warning. Step two: detect the network connection state of each device in real time. Step three: compare it with a network static connection database; if the connection is consistent, operation is normal and the next step is entered; if it is inconsistent, operation is abnormal, the connection is blocked and a warning is sent out. Step four: store the attack information in an attack information base, and collect attack information from the Internet at regular intervals to enrich the base. Step five: select an attack instruction from the attack information base and use it to attack equipment in the simulation system, formulate a blocking strategy according to the attack process, and update the actual operation system according to the blocking strategy.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an information security system with anti-attack function and an information security method with anti-attack function.
Background
With the continuous development of related fields such as computer science, information technology, information security and power systems, new "Internet+" technologies such as cloud computing, big data, the mobile Internet and the Internet of Things have been introduced into the construction of the smart grid. The ways in which grid information is acquired, stored, transmitted and processed have changed, and the underlying network environment has changed with them. The power system has developed into a complex, deeply integrated cyber-physical system whose stable operation depends on the real-time scheduling performed by its information system. Internationally, destabilising factors such as terrorist threats and military conflicts appear frequently; the power system, as the hub through which different forms of energy are converted, is a national key infrastructure with great influence on national security, economic development and social stability, and has become one of the key targets of terrorist attack.
At present, attacks on the power system fall mainly into two types. The first is direct physical damage to the primary equipment of the power system: deliberate attacks on power plants, substations, transmission lines, bus nodes and even some important loads. Such an attack can cause one or more items of power equipment to fail and be taken out of service, changing the topology of the power network, seriously affecting the normal transmission and distribution of electric energy, and possibly triggering a series of cascading failures that split the network and cause large-scale blackouts. The second is intrusion into the power information network using advanced network technology in order to disable the functions of the information system. Because the control and coordination of the physical devices in the power system depend largely on the information system, an attack on the information system can set off a complex physical interaction process in the power system and ultimately threaten the security of the whole system. Compared with physical attack, an information attack is low in cost and highly concealed, and the damage it does to the power system can be more serious. Because the information system and the physical system interact and are tightly coupled, a fault in any link can lead to a serious accident.
Disclosure of Invention
In view of the defects of the prior art, the invention provides an information security system and an information security method with an anti-attack function which are highly intelligent and prevent attacks actively while the operating data and the network connection state of the equipment are being monitored. The technical scheme is as follows:
an information security system with an anti-attack function is provided with a physical hardware detection module, used to detect in real time whether the hardware configuration information is abnormal;
a network connection state detection module, used to detect the real-time network connection state of each device;
a static network comparison module, used to check the real-time network connection state and judge whether it is abnormal;
an attack information collection module, used to actively collect attack information from the networks inside and outside the system;
and a simulation operation system, used to simulate the operating conditions of the real system.
A method for the information security system with an anti-attack function comprises the following steps:
step one: collect equipment operation data in real time through the hardware detection module and compare it with the equipment operation database; if there is no abnormality, go to the next step, otherwise send out a warning;
step two: detect the network connection state of each device in real time;
step three: compare it with the network static connection database; if the connection is consistent, operation is normal and the next step is entered; if it is inconsistent, operation is abnormal, the connection is blocked and a warning is sent out;
step four: store the attack information in an attack information base, and collect attack information from the Internet at regular intervals to enrich the base;
step five: select an attack instruction from the attack information base and use it to attack equipment in the simulation system, formulate a blocking strategy according to the attack process, and update the actual operation system according to the blocking strategy.
As an optimization: the network static connection database in step three consists of the tunnel configuration information, policy configuration information and link information of all electric power VPN devices in the electric power industrial control network, together with the node configuration tables of the central node and all terminal nodes.
As an optimization: when the warning is sent out in step three, the source of the network connection is traced as follows:
3.1 build a tunnel relation table from the acquired tunnel configuration information and the node configuration table;
3.2 using the tunnel ID and node ID of the attacking network link, look up the tunnel relation table to locate the source of the link as the opposite-end node ID, then look up the regional IP address range list for that node ID to obtain the regional IP address range of the source, denoted [IP1, IP2];
3.3 check whether the IP of the host in the opposite-end LAN in the attacking link lies within [IP1, IP2]; if it does not, the source IP address is judged to be forged and the tracing ends at the attacked node's area network; otherwise, go to the next step;
3.4 check whether there is earlier attack link information for the IP address of the host in the opposite-end LAN; if there is, the attack is judged to be a jump-host attack (the host is being used as a springboard), otherwise it is judged to be a common attack; for either kind, the tracing ends at the host IP in the opposite-end LAN.
The beneficial effects of the invention are: the physical configuration information and the network connection state information of the equipment are checked at the same time, so that both the operation and the connections of the equipment are kept safe and information security is achieved; when information or the network is abnormal, the connection is actively blocked with an early warning and its source is traced, which makes the method safe and reliable;
and attack information, including external network attack information gathered actively, is collected and used to attack a simulation system, so that the operating system is updated proactively and information security protection is put in place ahead of time.
Detailed Description
The following detailed description of the preferred embodiments of the invention is provided so that those skilled in the art can more readily understand its advantages and features, and so that the scope of the invention is clearly and unequivocally defined.
An information security system with an anti-attack function is provided with a physical hardware detection module, used to detect in real time whether the hardware configuration information is abnormal;
a network connection state detection module, used to detect the real-time network connection state of each device;
a static network comparison module, used to check the real-time network connection state and judge whether it is abnormal;
an attack information collection module, used to actively collect attack information from the networks inside and outside the system;
and a simulation operation system, used to simulate the operating conditions of the real system.
The method for the information security system with an anti-attack function comprises the following steps:
step one: collect equipment operation data in real time through the hardware detection module and compare it with the equipment operation database; if there is no abnormality, go to the next step, otherwise send out a warning;
step two: detect the network connection state of each device in real time;
step three: compare it with the network static connection database; if the connection is consistent, operation is normal and the next step is entered; if it is inconsistent, operation is abnormal, the connection is blocked and a warning is sent out.
The network static connection database consists of the tunnel configuration information, policy configuration information and link information of all electric power VPN devices in the electric power industrial control network, together with the node configuration tables of the central node and all terminal nodes.
When the warning is sent out, the source of the network connection is traced as follows:
3.1 build a tunnel relation table from the acquired tunnel configuration information and the node configuration table;
3.2 using the tunnel ID and node ID of the attacking network link, look up the tunnel relation table to locate the source of the link as the opposite-end node ID, then look up the regional IP address range list for that node ID to obtain the regional IP address range of the source, denoted [IP1, IP2];
3.3 check whether the IP of the host in the opposite-end LAN in the attacking link lies within [IP1, IP2]; if it does not, the source IP address is judged to be forged and the tracing ends at the attacked node's area network; otherwise, go to the next step;
3.4 check whether there is earlier attack link information for the IP address of the host in the opposite-end LAN; if there is, the attack is judged to be a jump-host attack (the host is being used as a springboard), otherwise it is judged to be a common attack; for either kind, the tracing ends at the host IP in the opposite-end LAN.
Step four: store the attack information in an attack information base, and collect attack information from the Internet at regular intervals to enrich the base;
step five: select an attack instruction from the attack information base and use it to attack equipment in the simulation system, formulate a blocking strategy according to the attack process, and update the actual operation system according to the blocking strategy.
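As an added illustration of step three and the tracing sub-steps 3.1 to 3.4 above (not code from the patent; the table layouts, field names, port policy and sample addresses are assumptions made for this example), the following Python script builds the tunnel relation table from a constructed tunnel configuration and node configuration table, compares observed links with the static connection database, and traces each blocked link to a forged source, a jump-host (the patent's "jumper" or "jump machine" attack) or a common attack. It also covers one case the patent does not describe, a link over a tunnel that is not configured at all, and marks it as untraceable.

```python
"""Static-connection comparison (step three) and source tracing (steps 3.1-3.4).

Added illustration, not code from the patent: the table layouts, field names
and sample data below are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Link:
    """One VPN link as reported by the connection-state detector (assumed fields)."""
    tunnel_id: str      # tunnel that carried the link
    node_id: str        # local node (the attacked side) that terminates it
    peer_host_ip: str   # host in the opposite-end LAN that opened it
    dst_port: int       # service reached on the local node


@dataclass
class TraceResult:
    verdict: str                     # "forged", "jump_host", "common" or "untraceable"
    source_node: str                 # node whose area network the link is traced to
    source_ip: Optional[str] = None  # attacking host IP, only when it is credible


class StaticNetworkComparator:
    def __init__(self, tunnels: Dict[str, Tuple[str, str]], policy: Dict[str, Set[int]],
                 node_regions: Dict[str, Tuple[str, str]],
                 attack_history: Optional[List[str]] = None) -> None:
        # tunnels:      tunnel_id -> (node_a, node_b), tunnel configuration of the VPN devices
        # policy:       tunnel_id -> ports allowed through that tunnel, the policy configuration
        # node_regions: node_id -> (IP1, IP2), regional address range from the node configuration table
        self.policy = policy
        self.node_regions = {n: (IPv4Address(lo), IPv4Address(hi))
                             for n, (lo, hi) in node_regions.items()}
        # 3.1: tunnel relation table, (tunnel_id, local node) -> opposite-end node
        self.tunnel_relation: Dict[Tuple[str, str], str] = {}
        for tid, (a, b) in tunnels.items():
            self.tunnel_relation[(tid, a)] = b
            self.tunnel_relation[(tid, b)] = a
        # attack information base (step four), seeded with hosts seen in earlier attacks
        self.attack_history: Set[IPv4Address] = {IPv4Address(ip) for ip in (attack_history or [])}

    def is_consistent(self, link: Link) -> bool:
        """Step three: the link matches the static database when its tunnel is configured,
        the node is an endpoint of that tunnel and the port is permitted by policy."""
        return ((link.tunnel_id, link.node_id) in self.tunnel_relation
                and link.dst_port in self.policy.get(link.tunnel_id, set()))

    def check_links(self, observed: List[Link]) -> Tuple[List[Link], List[Link]]:
        """Split the observed links into normal ones and ones to block and warn about."""
        normal = [l for l in observed if self.is_consistent(l)]
        blocked = [l for l in observed if not self.is_consistent(l)]
        return normal, blocked

    def trace(self, link: Link) -> TraceResult:
        """Steps 3.2-3.4: trace a blocked link back to its source."""
        peer = self.tunnel_relation.get((link.tunnel_id, link.node_id))
        if peer is None:
            # Not covered by the patent: an unconfigured tunnel has no opposite-end node,
            # so only the local node is known.
            return TraceResult("untraceable", link.node_id)
        lo, hi = self.node_regions[peer]                # 3.2: [IP1, IP2] of the opposite-end node
        host = IPv4Address(link.peer_host_ip)
        if not lo <= host <= hi:                        # 3.3: address outside the range is forged;
            return TraceResult("forged", link.node_id)  # tracing ends at the attacked node's network
        seen_before = host in self.attack_history       # 3.4: earlier attack links from this host?
        self.attack_history.add(host)                   # step four: record the attack information
        return TraceResult("jump_host" if seen_before else "common", peer, str(host))


# Constructed sample configuration: one central node and two substation nodes.
TUNNELS = {"T1": ("CENTRAL", "SUB-A"), "T2": ("CENTRAL", "SUB-B")}
POLICY = {"T1": {102, 2404}, "T2": {2404}}          # only the configured ICS protocol ports
REGIONS = {"CENTRAL": ("10.0.0.1", "10.0.0.254"),
           "SUB-A": ("10.10.1.1", "10.10.1.254"),
           "SUB-B": ("10.10.2.1", "10.10.2.254")}
HISTORY = ["10.10.2.77"]                            # host seen in an earlier attack link

# Constructed real-time connection state, as step two would report it.
OBSERVED = [
    Link("T1", "CENTRAL", "10.10.1.20", 2404),   # permitted link: consistent
    Link("T1", "CENTRAL", "10.10.1.20", 22),     # port not in policy: block, then trace
    Link("T2", "CENTRAL", "192.168.5.5", 22),    # address outside SUB-B's range: forged
    Link("T2", "CENTRAL", "10.10.2.77", 22),     # host with an attack history: jump host
    Link("T9", "CENTRAL", "10.10.2.5", 2404),    # tunnel not configured: untraceable
]


def run(observed: List[Link] = OBSERVED):
    comp = StaticNetworkComparator(TUNNELS, POLICY, REGIONS, HISTORY)
    normal, blocked = comp.check_links(observed)
    return normal, blocked, [comp.trace(l) for l in blocked]


if __name__ == "__main__":
    normal, blocked, traces = run()
    print(f"{len(normal)} normal link(s), {len(blocked)} blocked")
    for link, result in zip(blocked, traces):
        print(f"  {link.tunnel_id}/{link.node_id} {link.peer_host_ip}:{link.dst_port} -> {result}")
```

Because `trace` records each credible source host in the attack information base, a second blocked link from the same host is classified as a jump-host attack, which is the behaviour step 3.4 describes; a forged address is never recorded, since the patent attributes such a link to the attacked node's own area network rather than to the claimed host.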
Claims (4)
1. An information security system with protection against attacks, characterized in that: it is provided with a physical hardware detection module, used to detect in real time whether the hardware configuration information is abnormal;
a network connection state detection module, used to detect the real-time network connection state of each device;
a static network comparison module, used to check the real-time network connection state and judge whether it is abnormal;
an attack information collection module, used to actively collect attack information from the networks inside and outside the system;
and a simulation operation system, used to simulate the operating conditions of the real system.
2. A method for the information security system with an anti-attack function according to claim 1, comprising the following steps:
step one: collect equipment operation data in real time through the hardware detection module and compare it with the equipment operation database; if there is no abnormality, go to the next step, otherwise send out a warning;
step two: detect the network connection state of each device in real time;
step three: compare it with the network static connection database; if the connection is consistent, operation is normal and the next step is entered; if it is inconsistent, operation is abnormal, the connection is blocked and a warning is sent out;
step four: store the attack information in an attack information base, and collect attack information from the Internet at regular intervals to enrich the base;
step five: select an attack instruction from the attack information base and use it to attack equipment in the simulation system, formulate a blocking strategy according to the attack process, and update the actual operation system according to the blocking strategy.
3. The method for the information security system with protection against attacks according to claim 2, characterized in that: the network static connection database in step three consists of the tunnel configuration information, policy configuration information and link information of all electric power VPN devices in the electric power industrial control network, together with the node configuration tables of the central node and all terminal nodes.
4. The method for the information security system with protection against attacks according to claim 2, characterized in that: when the warning is sent out in step three, the source of the network connection is traced as follows:
3.1 build a tunnel relation table from the acquired tunnel configuration information and the node configuration table;
3.2 using the tunnel ID and node ID of the attacking network link, look up the tunnel relation table to locate the source of the link as the opposite-end node ID, then look up the regional IP address range list for that node ID to obtain the regional IP address range of the source, denoted [IP1, IP2];
3.3 check whether the IP of the host in the opposite-end LAN in the attacking link lies within [IP1, IP2]; if it does not, the source IP address is judged to be forged and the tracing ends at the attacked node's area network; otherwise, go to the next step;
3.4 check whether there is earlier attack link information for the IP address of the host in the opposite-end LAN; if there is, the attack is judged to be a jump-host attack (the host is being used as a springboard), otherwise it is judged to be a common attack; for either kind, the tracing ends at the host IP in the opposite-end LAN.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011216436.6A (CN112398830A) | 2020-11-04 | 2020-11-04 | Information security system and method with anti-attack function |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202011216436.6A (CN112398830A) | 2020-11-04 | 2020-11-04 | Information security system and method with anti-attack function |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112398830A | 2021-02-23 |
Family ID: 74598791
Family Applications (1)
| Application Number | Status | Title | Priority Date | Filing Date |
|---|---|---|---|---|
| CN202011216436.6A (CN112398830A) | Pending | Information security system and method with anti-attack function | 2020-11-04 | 2020-11-04 |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112398830A |
Events
- 2020-11-04: CN application CN202011216436.6A (CN112398830A) filed; status: Pending
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110336808A * | 2019-06-28 | 2019-10-15 | 南瑞集团有限公司 | A kind of attack source tracing method and system towards electric power industry control network |
| CN111314387A * | 2020-03-24 | 2020-06-19 | 东南大学 | Power system information physical double-layer strategy optimization method considering network attack influence |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110336808A * | 2019-06-28 | 2019-10-15 | 南瑞集团有限公司 | A kind of attack source tracing method and system towards electric power industry control network |
| CN110336808B * | 2019-06-28 | 2021-08-24 | 南瑞集团有限公司 | Attack tracing method and system for power industrial control network |
| CN113037567A * | 2021-04-01 | 2021-06-25 | 国网河北省电力有限公司电力科学研究院 | Network attack behavior simulation system and method for power grid enterprise |
| CN113037567B * | 2021-04-01 | 2022-01-11 | 国网河北省电力有限公司电力科学研究院 | Simulation method of network attack behavior simulation system for power grid enterprise |
| CN113225328A * | 2021-04-29 | 2021-08-06 | 广西群萃信息技术有限公司 | Intelligent protection system and method for multi-node network use based on block chain data |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN112398830A | | Information security system and method with anti-attack function |
| Xu et al. | | Review on cyber vulnerabilities of communication protocols in industrial control systems |
| CN109768880B | | Remote visual network topology monitoring method for power monitoring system |
| Cai et al. | | Review of cyber-attacks and defense research on cyber physical power system |
| WO2021227465A1 | | Security defense method and system for industrial control system network |
| CN106899553A | | A kind of industrial control system safety protecting method based on private cloud |
| AL-Jumaili et al. | | Analytical survey on the security framework of cyber-physical systems for smart power system networks |
| CN104579784A | | Electric power industry control system network management method based on multi-dimensional virtual link |
| Tian et al. | | A security model of SCADA system based on attack tree |
| Hu et al. | | Research on cybersecurity strategy and key technology of the wind farms' industrial control system |
| Liu et al. | | Node Importance Evaluation of Cyber-Physical System under Cyber-Attacks Spreading |
| Liu et al. | | Research on Cyber Security Defense Technology of Power Generation Acquisition Terminal in New Energy Plant |
| Yu et al. | | Research and design of subway BAS intrusion detection expert system |
| Liang et al. | | Research and Prospect of Cyber-Attacks Prediction Technology for New Power Systems |
| Zou et al. | | Research on Information Security Protection System of Industrial Control System |
| Jiang et al. | | Design and practice of industrial control network security threat model |
| Li et al. | | Overview of Intrusion Detection in Smart Substation |
| Yufei et al. | | Evaluating the harmfulness of cascading failures across space in electric cyber-physical systems |
| CN111130844B | | Transformer substation operation and maintenance debugging monitoring method and device based on network electronic fence |
| Wang et al. | | Intrusion detection model of SCADA using graphical features |
| Qassim et al. | | An anomaly detection technique for deception attacks in industrial control systems |
| Ru et al. | | Brief Technical Analysis of Malicious Cyber Attacks in Power System |
| Zhang et al. | | Key Technologies of Communication Security Detection between Heterogeneous Systems Based on Communication Gateway |
| Liu et al. | | High concealed and illegal cross-district access monitoring technology for new energy power stations based on K-nearest neighbor algorithm |
| Xu et al. | | Leakage Mining of Electric Power System Based on Animal Bionics Principle |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20210223 |