CN112583820A - Power attack test system based on attack topology - Google Patents


Info

Publication number
CN112583820A
Authority
CN
China
Prior art keywords: attack, power, sample, database, samples
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202011446647.9A
Other languages
Chinese (zh)
Other versions
CN112583820B (en)
Inventor
许爱东
李立浧
蒋屹新
张宇南
徐文渊
冀晓宇
吴之昊
李鹏
习伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Research Institute of Southern Power Grid Co Ltd
Original Assignee
Zhejiang University ZJU
Research Institute of Southern Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Zhejiang University ZJU, Research Institute of Southern Power Grid Co Ltd
Priority to CN202011446647.9A
Publication of CN112583820A
Application granted
Publication of CN112583820B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a power attack testing system based on attack topology and belongs to the technical field of power network security. Oriented to the topological structure of the power system, the invention constructs a complete power attack sample database and provides corresponding attack samples for each link in the power system. It comprises a construction method for the power attack database, builds a user interaction interface, establishes an attack channel module to carry out targeted attacks, and finally uses an attack and defense sample expansion module, linked with a defense platform, to expand the samples autonomously. The invention establishes a standardized venue for storing, testing and drilling information security in the power industry and in industrial control systems.

Description

Power attack test system based on attack topology
Technical Field
The invention relates to the technical field of power network security, in particular to a power attack testing system based on attack topology.
Background
With the development of the electric power industry in China, particularly the acceleration of informatization, network technology plays an increasingly important role in the electric power system. In the key period of industrial transformation and upgrading in China in particular, information technology is permeating the industrial field comprehensively, so the security defense of large-scale industrial control systems, including those of the power industry, has become part of the national security strategy.
At present, electric power systems are vulnerable to security threats such as DDoS attacks and attacks on SCADA (supervisory control and data acquisition) vulnerabilities, so many information security units in the field have established security attack and defense exercise platforms to simulate external hacker attacks and improve their own defense capability. These attack and defense exercise platforms carry out simulated attacks based on existing attack samples and are used to test the security precaution capability of the system.
A security attack and defense drill platform relies on attack samples that can be trained against. However, there is no complete attack sample library oriented to the topological structure of the power system, so simulated attack samples cannot be provided for the security attack and defense platform of the power system.
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a power attack testing system based on attack topology, which can establish a complete power attack sample database and provide corresponding attack samples for each link in a power system. Meanwhile, if a novel attack type occurs, the library can be expanded through a linkage mechanism with a defense platform.
In order to achieve the purpose, the technical scheme of the invention is as follows:
a power attack testing system based on an attack topology, comprising:
the power attack sample acquisition module is used for acquiring a power attack sample from the open source database;
the electric power attack sample screening module is used for grouping and screening the electric power attack samples according to different action platforms, damage degrees, damage modes and activity degrees of the attack samples;
the power attack database is used for storing power attack samples in groups, and comprises names, action platforms, harm degrees, harm modes, activities and detailed information of the power attack samples;
the interaction module is used for displaying the power attack samples in the power attack database, so that a user or an administrator can manage and control the data in the power attack database, wherein the management comprises the steps of adding the samples, deleting the samples, modifying the samples, implementing the attack and stopping the attack;
the attack channel module is used for implementing attack behaviors and consists of a server master station and an attack implementation slave station; the server master station is connected with the power attack database and the interaction module, and the attack slave station is connected with the power equipment;
the power system safety monitoring module is used for acquiring voltage, current, power information and flow information of the power equipment in real time and judging whether the power equipment is attacked or not;
the attack and defense sample expansion module is used for matching whether an attack sample of the attack power equipment is recorded in the power attack database or not; marking attack samples which are not recorded in the power attack database, and adding the attack samples into the power attack database; the content of the label comprises an action platform, a hazard degree, a hazard mode and an activity degree.
The invention has the beneficial effects that:
1. By establishing a complete power attack sample library, the invention can effectively collect, sort, classify and screen existing attack samples, provides an information security attack and defense drill system with a large-scale attack sample library that is rich in types, sufficient in reserves and targeted, and establishes a standard venue for testing and drilling information security in the power industry and industrial control systems.
2. By establishing a complete attack flow that covers the database, the user interface, the hardware connection and other links, the invention realizes a complete system integrating power attack sample data management and attack drilling.
3. Through linkage with the defense platform, the method and system can continuously expand newly added attack samples, improve the completeness with which the attack sample library covers attack types, damage modes and the like, and provide users with more complete and efficient power attack sample data.
Drawings
Fig. 1 is a schematic structural diagram of a power attack testing system in this embodiment.
Fig. 2 is a flow chart of the work flow of the safety monitoring module and the attack and defense sample expansion module of the power system.
Fig. 3 is a flow chart of the marking performed by the attack and defense sample expansion module according to the present invention.
Detailed Description
The following description is presented to disclose the invention so as to enable any person skilled in the art to practice the invention. The preferred embodiments in the following description are given by way of example only, and other obvious variations will occur to those skilled in the art. The basic principles of the invention, as defined in the following description, may be applied to other embodiments, variations, modifications, equivalents, and other technical solutions without departing from the spirit and scope of the invention.
As shown in Fig. 1, the construction process of the power attack test system of the present invention includes the following steps:
1) Constructing the power attack sample database:
Acquiring data: the data sources of the power attack sample database are of two types. The first is basic data, whose sources are the China national information security vulnerability sharing platform, the national information security vulnerability library, the China national industrial control system industry vulnerability library, the American national industrial control system industry vulnerability library and the like; vulnerability information from the last year is crawled by a web crawler and updated monthly. The second is extended data generated by the attack and defense sample expansion module; these data are intercepted and labeled by a defense platform and then added to the power sample database for storage. The defense platform can be the power system safety monitoring module of this system or a third-party defense platform.
Data screening: combining the characteristics of the power industry and industrial control systems, the attack samples are grouped and screened according to action platform, damage degree, attack target, activity degree and the like.
Security attack events in the power industry are investigated, and the action platform of an attack sample is divided into VxWorks, Linux, video monitoring systems, Wi-Fi-enabled equipment, Internet of Things equipment and the like.
The damage modes are divided into attack through executable files, attack on system bugs through the Internet, stealing SSH identity certificates, redirecting traffic to steal data, capturing monitoring video streams and the like.
The damage degree is shown in Table 1 and is divided into three levels, high-risk, medium-risk and low-risk, according to the attack path, the authentication requirement, the range of data or resources that can be obtained and the ability to obtain control authority. A high-risk vulnerability intrudes on key equipment, needs no authentication, can obtain data or resources completely and can obtain control authority; a medium-risk vulnerability intrudes on key equipment, needs no authentication, can obtain partial data or resources and cannot obtain control authority; a low-risk vulnerability intrudes on common equipment, needs one or more authentications, cannot obtain data or resources and cannot obtain control authority.
The activity degree is classified as live or non-live according to whether the attack can be directly performed.
TABLE 1
Damage degree   Attack path         Authentication       Data or resources obtained   Control authority
High-risk       key equipment       not required         complete                     obtainable
Medium-risk     key equipment       not required         partial                      not obtainable
Low-risk        common equipment    one or more times    none                         not obtainable
The attack samples are integrated and classified, and the power attack sample database is built on an SQLite database with the following fields: name, action platform, damage mode, activity degree, damage degree and detailed information.
2) Building the user interaction interface module: this module handles interactive display for the user and communicates with all data in the database. It displays the specific information of each power attack sample (name, action platform, damage mode, activity degree and damage degree) to administrators and users, and administrators can manage the database from this interface, including adding, deleting and modifying samples and implementing and stopping attacks. In this embodiment the user interface uses a Browser/Server (B/S) structure, which includes three main modules: a browsing layer, a server layer and a database layer.
The browsing layer is the main interactive interface where administrators and users check data, manage data and perform attack operations. The display page is developed in HTML and JavaScript with the Bootstrap framework and mainly comprises three sub-windows: attack sample source, attack sample statistics and attack sample data display. The attack sample source window displays the correspondence between industrial control security events and attack samples. The attack sample statistics window displays statistics on attack type, action platform and damage degree as pie charts. The attack sample data display window is presented as a table showing name, action platform, damage mode, activity degree, damage degree and detailed information. The table additionally supports adding and deleting attack samples for administrator operation, and attack and stop-attack interfaces for user operation.
The server layer handles data processing and transmission between the browsing layer and the database and is developed in Python as a back-end management system on the Django framework. The server layer processes database operations such as adding and deleting attack sample data by an administrator, and builds the communication channel between the server master station and the attack implementation slave station. A user can carry out a specific attack on specific power equipment through the attack interface of the browsing layer and the back-end communication channel to the attack implementation slave station, and can control the duration and frequency of the attack through the stop-attack interface.
The database layer is connected to the power attack database and the attack implementation slave station; it processes and transmits the data received from the browsing layer via the server layer and performs the corresponding operations on the database through Django back-end functions.
Adding a sample (Model stands for the Django model class mapped to the attack sample table):
    Model.objects.create(
        name=name,
        platform=platform,
        category=category,
        describe=describe)
Deleting a sample:
    Model.objects.filter(name=name).delete()
Modifying a sample:
    Model.objects.filter(name=name).update(
        name=new_name,
        platform=new_platform,
        category=new_category,
        describe=new_describe)
Querying a sample:
    Model.objects.get(name=name)
3) Building the attack channel module: the attack channel module is the hardware path through which attack behaviors are carried out. It is built from a server master station running Windows, an attack implementation slave station running Linux, and various power equipment. The attack implementation slave station stores the attack instances of the power attack sample database, such as data traffic packets, and can implement specific attack behaviors by accessing different power devices, such as DTUs; it shares information with the power attack sample database. The user carries out a specific attack on specific power equipment through the user interaction interface; the attack and stop-attack instructions are issued to the attack implementation slave station over the SSH protocol, and the attack implementation slave station attacks the specified power equipment.
4) Building the defense platform: this is used to augment the attack sample library. The module is built on linkage with a defense platform and collects and records attack samples that are not recorded in the database but harm the power industry and industrial control systems. It is divided into two parts, the power system safety monitoring module and the attack sample expansion module; the specific flow is shown in Fig. 2.
The power system safety monitoring module is the built-in defense platform. It uses external data acquisition devices to collect the current, voltage and power of each device in the power system in real time and records the network traffic of the network in which it is located. N data points are acquired at every interval of M, with signal frequency f; the acquired current, voltage and power information of the power equipment is processed to extract characteristic values. The characteristic values are the average, maximum, minimum and variance over the sampling period, the short-time zero-crossing rate, the short-time energy and the MFCC.
Average value: (formula given as image BDA0002824870400000061 in the original)
Maximum value: Max = max{x_i}
Minimum value: Min = min{x_i}
Variance: (formula given as image BDA0002824870400000062 in the original)
Short-time zero-crossing rate: (formula given as image BDA0002824870400000063 in the original)
Short-time energy: (formula given as image BDA0002824870400000064 in the original)
MFCC: (formula given as image BDA0002824870400000065 in the original)
The extracted features are classified by a support vector machine to judge whether the power equipment is under attack, and detected attacks are then classified with the RIPPER algorithm for rule matching. If an attack is detected but no existing attack sample in the power attack sample library matches it, it is judged to be a new attack sample. In addition, the invention also provides a communication interface that a third-party power security monitoring or anti-penetration system, or another information security defense platform, can use to retrieve the power attack sample database.
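The feature-extraction step of the safety monitoring module, as an added example rather than the patent's own code: it frames a sampled current stream into windows of N points taken every M seconds at frequency f and computes the window features the page names. Because the page's formulas survive only as images, the definitions used here (population variance, zero-crossing rate normalised by N-1, energy as the sum of squares) are the common textbook ones and are an assumption; MFCC and the SVM/RIPPER classification stage are not implemented. The current waveform is constructed.

```python
"""Window feature extraction for the power-system safety monitoring module.

Added example, not the patent's code. Standard library only. The feature
definitions are assumptions (see the lead-in); MFCC is omitted.
"""
import math
from typing import Dict, List, Sequence


def mean(x: Sequence[float]) -> float:
    """Arithmetic mean of the N samples in the window."""
    return sum(x) / len(x)


def variance(x: Sequence[float]) -> float:
    """Population variance, 1/N normalisation (assumption)."""
    m = mean(x)
    return sum((v - m) ** 2 for v in x) / len(x)


def zero_crossing_rate(x: Sequence[float]) -> float:
    """Fraction of adjacent sample pairs whose sign differs (assumption: normalised
    by N-1). Zero counts as non-negative, so a flat zero window has rate 0."""
    crossings = sum(1 for a, b in zip(x, x[1:]) if (a >= 0) != (b >= 0))
    return crossings / (len(x) - 1)


def short_time_energy(x: Sequence[float]) -> float:
    """Sum of squared samples over the window."""
    return sum(v * v for v in x)


def extract_features(window: Sequence[float]) -> Dict[str, float]:
    """Feature vector for one window: the inputs of the classification stage."""
    if len(window) < 2:
        raise ValueError("a window needs at least two samples")
    return {
        "mean": mean(window),
        "max": max(window),
        "min": min(window),
        "variance": variance(window),
        "zcr": zero_crossing_rate(window),
        "energy": short_time_energy(window),
    }


def frame_signal(samples: Sequence[float], n: int, m_seconds: float, f_hz: float) -> List[List[float]]:
    """Cut a stream sampled at f Hz into windows of N samples, one window every
    M seconds, i.e. a hop of M*f samples (at least one)."""
    hop = max(1, int(round(m_seconds * f_hz)))
    return [list(samples[i:i + n]) for i in range(0, len(samples) - n + 1, hop)]


if __name__ == "__main__":
    f_hz, n, m_seconds = 1000.0, 100, 0.1
    # Constructed current waveform: a 50 Hz sine with a DC offset injected after 0.5 s,
    # so the mean, zero-crossing rate and energy of later windows differ from the earlier ones.
    stream = [math.sin(2 * math.pi * 50 * t / f_hz) + (3.0 if t >= 500 else 0.0) for t in range(1000)]
    for k, window in enumerate(frame_signal(stream, n, m_seconds, f_hz)):
        feats = extract_features(window)
        print(f"window {k}: mean={feats['mean']:+.2f} zcr={feats['zcr']:.2f} energy={feats['energy']:.1f}")
```

The per-window dictionaries are what a trained classifier would consume; in the demo the injected offset shows up as a jump in the mean and energy and a drop in the zero-crossing rate from the sixth window on.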
Secondly, the power attack sample library expansion module labels the attack detected by the defense platform according to its characteristics, in the following steps, as shown in Fig. 3:
Step one: judge the attack mode. If the attack is based on traffic information, the abnormal traffic in the attack stage is intercepted, used as a replay attack and marked as live; if it is a worm-virus-based attack, it is marked as non-live.
Step two: record the affected platform and the damage mode, and evaluate and mark the damage degree.
Step three: add the new attack sample to the power attack sample library.
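An added example, not the patent's code, that ties together the SQLite sample library from step 1) and the three labelling steps just described: it creates the table with the page's six fields, seeds it with constructed records, rule-matches a detection against the library, and for an unmatched detection derives the activity label from the attack mode, rates the damage degree with the Table 1 rules, and inserts the new sample. The column names, the matching key (action platform plus damage mode), the layout of the detection record and the NEW-#### naming are my own assumptions.

```python
"""Attack sample library on SQLite with the sample-expansion labelling steps.

Added example, not the patent's code. Standard library only; runs against an
in-memory database. Column names, matching key, detection-record layout and
sample naming are assumptions.
"""
import sqlite3
from typing import Dict, Optional

SCHEMA = """
CREATE TABLE IF NOT EXISTS attack_sample (
    name          TEXT PRIMARY KEY,
    platform      TEXT NOT NULL,   -- action platform
    damage_mode   TEXT NOT NULL,
    activity      TEXT NOT NULL CHECK (activity IN ('live', 'non-live')),
    damage_degree TEXT NOT NULL CHECK (damage_degree IN ('high', 'medium', 'low')),
    detail        TEXT
);
"""

# Constructed seed records standing in for crawled basic data.
SEED = [
    {"name": "S-0001", "platform": "Linux", "damage_mode": "traffic redirection to steal data",
     "activity": "live", "damage_degree": "medium", "detail": "constructed seed record"},
    {"name": "S-0002", "platform": "VxWorks", "damage_mode": "attack via executable file",
     "activity": "non-live", "damage_degree": "high", "detail": "constructed seed record"},
]


def open_library(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def add_sample(conn: sqlite3.Connection, sample: Dict[str, str]) -> None:
    conn.execute("INSERT INTO attack_sample VALUES "
                 "(:name, :platform, :damage_mode, :activity, :damage_degree, :detail)", sample)
    conn.commit()


def count_samples(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM attack_sample").fetchone()[0]


def get_sample(conn: sqlite3.Connection, name: str) -> Optional[Dict[str, str]]:
    row = conn.execute("SELECT * FROM attack_sample WHERE name = ?", (name,)).fetchone()
    return dict(row) if row else None


def find_recorded(conn: sqlite3.Connection, platform: str, damage_mode: str) -> Optional[str]:
    """Rule match of the expansion module: a detected attack counts as already
    recorded when a sample with the same platform and damage mode exists."""
    row = conn.execute("SELECT name FROM attack_sample WHERE platform = ? AND damage_mode = ?",
                       (platform, damage_mode)).fetchone()
    return row["name"] if row else None


def rate_damage(key_equipment: bool, needs_auth: bool, data_scope: str, control: bool) -> str:
    """Table 1: only the three combinations the page defines are rated."""
    if key_equipment and not needs_auth and data_scope == "complete" and control:
        return "high"
    if key_equipment and not needs_auth and data_scope == "partial" and not control:
        return "medium"
    if not key_equipment and needs_auth and data_scope == "none" and not control:
        return "low"
    raise ValueError("combination not covered by Table 1")


def label_and_add(conn: sqlite3.Connection, det: Dict) -> Optional[str]:
    """Steps one to three for one detection record (assumed keys: platform, damage_mode,
    mode in {'traffic', 'worm'}, key_equipment, needs_auth, data_scope, control).
    Returns the new sample name, or None when the attack is already recorded."""
    if find_recorded(conn, det["platform"], det["damage_mode"]):
        return None
    # Step one: the attack mode decides the activity label.
    if det["mode"] == "traffic":
        activity, detail = "live", "abnormal traffic from the attack stage kept as a replay sample"
    elif det["mode"] == "worm":
        activity, detail = "non-live", "worm-virus-based attack"
    else:
        raise ValueError("unknown attack mode")
    # Step two: record platform and damage mode, rate the damage degree.
    degree = rate_damage(det["key_equipment"], det["needs_auth"], det["data_scope"], det["control"])
    # Step three: add the labelled sample to the library.
    name = f"NEW-{count_samples(conn) + 1:04d}"
    add_sample(conn, {"name": name, "platform": det["platform"], "damage_mode": det["damage_mode"],
                      "activity": activity, "damage_degree": degree, "detail": detail})
    return name


def seed_library(conn: sqlite3.Connection) -> None:
    for sample in SEED:
        add_sample(conn, sample)


if __name__ == "__main__":
    db = open_library()
    seed_library(db)
    known = {"platform": "Linux", "damage_mode": "traffic redirection to steal data", "mode": "traffic",
             "key_equipment": True, "needs_auth": False, "data_scope": "partial", "control": False}
    new = dict(known, platform="video monitoring system", damage_mode="capturing monitoring video stream")
    print(label_and_add(db, known))  # None: already recorded as S-0001
    print(label_and_add(db, new))    # NEW-0003
    print(get_sample(db, "NEW-0003"))
```

Matching on platform plus damage mode is a deliberate simplification of the RIPPER rule matching the page describes; in a deployment the match key would come from the learned rules, and the CHECK constraints keep the activity and damage-degree labels within the page's vocabulary.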
In one implementation of the present invention, the power attack testing system based on attack topology constructed by the above process is described in detail.
A power attack testing system based on an attack topology, comprising:
the power attack sample acquisition module is used for acquiring a power attack sample from the open source database;
the electric power attack sample screening module is used for grouping and screening the electric power attack samples according to different action platforms, damage degrees, damage modes and activity degrees of the attack samples;
the power attack database is used for storing power attack samples in groups, and comprises names, action platforms, harm degrees, harm modes, activities and detailed information of the power attack samples;
the interaction module is used for displaying the power attack samples in the power attack database, so that a user or an administrator can manage and control the data in the power attack database, wherein the management comprises the steps of adding the samples, deleting the samples, modifying the samples, implementing the attack and stopping the attack;
the attack channel module is used for implementing attack behaviors and consists of a server master station and an attack implementation slave station; the server master station is connected with the power attack database and the interaction module, and the attack slave station is connected with the power equipment;
the power system safety monitoring module is used for acquiring voltage, current, power information and flow information of the power equipment in real time and judging whether the power equipment is attacked or not;
the attack and defense sample expansion module is used for matching whether an attack sample of the attack power equipment is recorded in the power attack database or not; marking attack samples which are not recorded in the power attack database, and adding the attack samples into the power attack database; the content of the label comprises an action platform, a hazard degree, a hazard mode and an activity degree.
In one specific implementation of the invention, the action platform comprises Vxworks, Linux, a video monitoring system, Wi-Fi-supporting equipment and Internet of things equipment; the degree of harm is divided into three levels of high-risk vulnerability, medium-risk vulnerability and low-risk vulnerability according to attack ways, authentication requirements, data or resource obtaining range and control authority obtaining capacity; the damage mode comprises attack through an executable file, attack through a system bug on the Internet, stealing SSH identity certificates, redirecting flow to steal data and capturing monitoring video stream; the degree of activity is classified into living and non-living by whether or not the attack can be directly performed.
The high-risk vulnerability refers to invading key equipment, does not need authentication, can completely acquire data or resources and can acquire an attack sample of control authority; the medium-risk vulnerability refers to an attack sample which invades key equipment, does not need authentication, can obtain partial data or resources and cannot obtain control authority; the low-risk vulnerability refers to an attack sample which invades common equipment, needs one or more times of authentication, cannot acquire data or resources and cannot obtain control authority.
In one embodiment of the present invention, the interactive module comprises a browsing layer, a server layer and a database layer;
the browsing layer is used for displaying an attack sample source, attack sample statistical information and attack sample data detailed information, the attack sample source is a corresponding relation between an industrial control security event and an attack sample, and the attack sample statistical information comprises the name, an action platform, the damage degree, the damage mode and the activity degree of a power attack sample; the system is used for a user or an administrator to send control commands to data in the power attack database, wherein the control commands comprise a sample adding command, a sample deleting command, a sample modifying command, an attack implementing command and an attack stopping command;
in this embodiment, the browsing layer is a Web interactive interface, the Web interactive interface is divided into three sub-windows of an attack sample source, attack sample statistical information and attack sample data detailed information, the attack sample data detailed information sub-window is provided with a form for displaying an attack sample, the form supports addition, deletion and modification of the attack sample, each attack sample corresponds to an attack implementation interface and an attack stop interface, the attack implementation interface and the attack stop interface are connected to the attack implementation slave station through a server layer, the attack implementation slave station is provided with a data traffic packet of the attack sample, specific attack behaviors are implemented by accessing different power devices, and the attack duration and frequency are controlled by implementing the attack commands and the attack stop commands.
The server layer is arranged between the browsing layer and the database layer, is used for performing operation processing on a sample adding command, a sample deleting command and a sample modifying command, and is used for sending an attack implementing command and an attack stopping command to the attack implementing slave station through an SSH protocol;
the database layer is connected with the power attack database and the attack implementation slave station and is used for transmitting the added, deleted or modified attack sample information to the power attack database and updating the power attack database; and the system is used for acquiring the specified attack sample from the power attack database and transmitting the attack sample to the attack implementation slave station.
In one specific implementation of the present invention, the power system safety monitoring module collects voltage, current, power information and flow information of the power equipment in real time, calculates characteristic values including an average value, a maximum value, a minimum value, a variance, a short-time zero-crossing rate, a short-time energy and MFCC, and determines whether the power equipment is attacked or not by using a support vector machine.
In one specific implementation of the present invention, the attack and defense sample expansion module collects the attack sample corresponding to an attacked power device and verifies through rule matching whether the attack sample has already been included; if so, the attack sample is removed from the collection table, and if not, it is a new attack sample;
the current equipment state information and network environment of the new attack sample are recorded, the affected equipment and the attack path of the new attack sample are judged, and the new attack sample is added to the power attack database after marking, where the marking method comprises the following steps:
Step one: judge the attack mode. If the attack is based on traffic information, the abnormal traffic in the attack stage is intercepted, used as a replay attack and marked as live; if it is a worm-virus-based attack, it is marked as non-live.
Step two: record the action platform and damage mode of the device, and evaluate the damage degree;
Step three: mark the action platform, damage degree, damage mode and activity degree in the new attack sample, and add the new attack sample to the power attack database to realize data expansion.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described modules are merely illustrative, and may be divided into logical functions, and other division manners may exist in actual implementation, for example, a plurality of modules may be combined or may be integrated into another system, or some features may be omitted, or may not be executed. The indirect coupling or communication connection between the modules may be electrical or otherwise.
In addition, the controllers of the respective modules may be integrated into one processing unit, or the respective processing units may exist alone physically, or the controllers of two or more modules may be integrated into one unit. The integrated module or the separate module may be implemented in the form of hardware, or may be implemented in the form of a software functional unit.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (10)

1. A power attack testing system based on attack topology, comprising:
the power attack sample acquisition module is used for acquiring a power attack sample from the open source database;
the electric power attack sample screening module is used for grouping and screening the electric power attack samples according to different action platforms, damage degrees, damage modes and activity degrees of the attack samples;
the power attack database is used for storing power attack samples in groups, and comprises names, action platforms, harm degrees, harm modes, activities and detailed information of the power attack samples;
the interaction module is used for displaying the power attack samples in the power attack database, so that a user or an administrator can manage and control the data in the power attack database, wherein the management comprises the steps of adding the samples, deleting the samples, modifying the samples, implementing the attack and stopping the attack;
the attack channel module is used for implementing attack behaviors and consists of a server master station and an attack implementation slave station; the server master station is connected with the power attack database and the interaction module, and the attack slave station is connected with the power equipment;
the power system safety monitoring module is used for acquiring voltage, current, power information and flow information of the power equipment in real time and judging whether the power equipment is attacked or not;
the attack and defense sample expansion module is used for matching whether an attack sample of the attack power equipment is recorded in the power attack database or not; marking attack samples which are not recorded in the power attack database, and adding the attack samples into the power attack database; the content of the label comprises an action platform, a hazard degree, a hazard mode and an activity degree.
2. The power attack testing system based on the attack topology according to claim 1, wherein the action platform comprises VxWorks, Linux, video monitoring systems, Wi-Fi-enabled equipment and Internet of Things equipment; the hazard degree is divided into three levels, high-risk vulnerability, medium-risk vulnerability and low-risk vulnerability, according to the attack path, the authentication required, the range of data or resources obtained and the ability to obtain control authority; the hazard mode comprises attack through an executable file, attack through a system vulnerability over the Internet, stealing SSH credentials, redirecting traffic to steal data and capturing the monitoring video stream; the activity degree is classified into live and non-live according to whether the attack can be performed directly.
3. The power attack testing system based on the attack topology according to claim 2, wherein a high-risk vulnerability refers to an attack sample that invades key equipment, needs no authentication, can fully acquire data or resources and can obtain control authority; a medium-risk vulnerability refers to an attack sample that invades key equipment, needs no authentication, can obtain partial data or resources and cannot obtain control authority; a low-risk vulnerability refers to an attack sample that invades common equipment, needs one or more rounds of authentication, cannot acquire data or resources and cannot obtain control authority.
4. The power attack testing system based on the attack topology according to claim 1, wherein the interaction module comprises a browsing layer, a server layer and a database layer;
the browsing layer is used for displaying the attack sample source, attack sample statistics and attack sample detail data; the attack sample source is the correspondence between industrial control security events and attack samples, and the attack sample statistics comprise the name, action platform, hazard degree, hazard mode and activity degree of each power attack sample; the browsing layer is also used by a user or an administrator to send control commands for the data in the power attack database, the control commands comprising a sample adding command, a sample deleting command, a sample modifying command, an attack implementing command and an attack stopping command;
the server layer is arranged between the browsing layer and the database layer, performs the processing for the sample adding, sample deleting and sample modifying commands, and sends the attack implementing command and the attack stopping command to the attack implementation slave station over the SSH protocol;
the database layer is connected with the power attack database and the attack implementation slave station; it transmits added, deleted or modified attack sample information to the power attack database and updates the power attack database, and it fetches the specified attack sample from the power attack database and transmits it to the attack implementation slave station.
5. The power attack testing system based on the attack topology according to claim 4, wherein the browsing layer is a Web interactive interface divided into three sub-windows: attack sample source, attack sample statistics and attack sample detail data; the attack sample detail sub-window contains a form displaying the attack samples, the form supports adding, deleting and modifying attack samples, each attack sample has a corresponding attack implementation interface and attack stop interface, and these interfaces are connected to the attack implementation slave station through the server layer.
6. The power attack testing system based on the attack topology according to claim 4, wherein the attack duration and frequency are controlled through the attack implementing command and the attack stopping command.
7. The power attack testing system based on the attack topology according to claim 1 or 4, wherein the attack is implemented by the attack implementation slave station deploying data traffic packets carrying the attack samples and carrying out the specific attack behaviour by accessing different power devices.
8. The power attack testing system based on the attack topology according to claim 1 or 4, wherein the power system security monitoring module collects the voltage, current, power information and traffic information of the power equipment in real time, calculates characteristic values and judges, by means of a support vector machine, whether the power equipment is under attack.
9. The power attack testing system according to claim 8, wherein the characteristic values include mean, maximum, minimum, variance, short-term zero-crossing rate, short-term energy, and MFCC.
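As an added illustration of the monitoring step in claims 8 and 9 (editorial example code, not the patent's implementation), the block below computes the listed characteristic values over windows of constructed device telemetry and classifies each window. MFCC is left out because it needs an FFT and a mel filter bank, and a nearest-centroid classifier stands in for the support vector machine the claim names. The sample rate, window length, the 50 Hz waveform and the injected disturbance used for the "attacked" windows are all assumptions.

```python
"""Added example (not the patent's code): the claim-8/9 monitoring step.

Features named in claim 9 are computed over windows of telemetry (MFCC is
omitted), and windows are classified with a nearest-centroid classifier that
stands in for the SVM. All telemetry is constructed; sample rate, window
length, the 50 Hz waveform and the injected disturbance are assumptions.
"""
import math
import random

SAMPLE_RATE = 1000   # Hz (assumption)
WINDOW = 200         # samples per window: 200 ms, ten 50 Hz cycles (assumption)
FEATURE_NAMES = ("mean", "max", "min", "variance", "zcr", "energy")


def extract_features(window):
    """Claim-9 feature vector for one window of samples (MFCC omitted)."""
    n = len(window)
    mean = sum(window) / n
    variance = sum((x - mean) ** 2 for x in window) / n
    energy = sum(x * x for x in window) / n          # short-term energy
    centred = [x - mean for x in window]             # so non-negative signals still cross
    crossings = sum(1 for a, b in zip(centred, centred[1:]) if (a < 0) != (b < 0))
    zcr = crossings / (n - 1)                        # short-term zero-crossing rate
    return [mean, max(window), min(window), variance, zcr, energy]


class NearestCentroid:
    """Stand-in for the SVM of claim 8: z-score each feature on the training
    set, then assign a window to the class whose centroid is nearest."""

    def fit(self, vectors, labels):
        d, n = len(vectors[0]), len(vectors)
        self.mu = [sum(v[i] for v in vectors) / n for i in range(d)]
        self.sigma = [math.sqrt(sum((v[i] - self.mu[i]) ** 2 for v in vectors) / n) or 1.0
                      for i in range(d)]
        self.centroids = {}
        for label in set(labels):
            members = [self._scale(v) for v, l in zip(vectors, labels) if l == label]
            self.centroids[label] = [sum(m[i] for m in members) / len(members) for i in range(d)]
        return self

    def _scale(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mu, self.sigma)]

    def predict(self, v):
        z = self._scale(v)
        return min(self.centroids, key=lambda label: math.dist(z, self.centroids[label]))


def synth_window(rng, attacked, amplitude=10.0, freq=50.0):
    """Constructed current waveform. Attacked windows carry an injected third
    harmonic and a DC offset (an assumption about what a disturbance looks like)."""
    out = []
    for k in range(WINDOW):
        t = k / SAMPLE_RATE
        x = amplitude * math.sin(2 * math.pi * freq * t) + rng.gauss(0, 0.1)
        if attacked:
            x += 4.0 * math.sin(2 * math.pi * 3 * freq * t) + 1.5
        out.append(x)
    return out


def build_detector(seed=0, per_class=40):
    """Train the classifier on constructed normal and attacked windows."""
    rng = random.Random(seed)
    vectors, labels = [], []
    for attacked in (False, True):
        for _ in range(per_class):
            vectors.append(extract_features(synth_window(rng, attacked)))
            labels.append("attack" if attacked else "normal")
    return NearestCentroid().fit(vectors, labels)


def is_under_attack(detector, window):
    """Claim-8 judgement for one window: features -> classifier -> attacked or not."""
    return detector.predict(extract_features(window)) == "attack"


if __name__ == "__main__":
    det = build_detector()
    rng = random.Random(1)
    for attacked in (False, True):
        w = synth_window(rng, attacked)
        print(dict(zip(FEATURE_NAMES, (round(f, 3) for f in extract_features(w)))),
              "->", "attack" if is_under_attack(det, w) else "normal")
```

The zero-crossing rate is taken on the mean-removed window so that the same code serves both AC waveforms and non-negative quantities such as power or packet rate; on a pure sinusoid the result is unchanged. In a deployment the training windows would be real labelled captures and the classifier would be the SVM of claim 8, but the feature layer and the per-window decision are the same shape as shown here.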
10. The power attack testing system based on the attack topology according to claim 8, wherein the attack and defense sample expansion module collects the attack samples corresponding to power devices under attack, verifies by rule matching whether each attack sample is already included in the power attack database, removes it from the collection table if it is included, and otherwise obtains it as a new attack sample;
it records the current equipment state information and network environment of the new attack sample, determines the equipment and the attack path of the new attack sample, and adds the new attack sample to the power attack database after labelling, the labelling method comprising the following steps:
Step one: judge the attack mode; if the attack is based on traffic information, intercept the abnormal traffic in the attack stage, use it as a replay attack and mark the sample as live; if it is a worm-based attack, mark it as non-live.
Step two: record the action platform and hazard mode of the device and evaluate the hazard degree;
Step three: mark the action platform, hazard degree, hazard mode and activity degree in the new attack sample and add the new attack sample to the power attack database, realising data expansion.
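The label scheme of claims 2 and 3 and the expansion flow of claim 10, as an added Python example that is not the patent's own code: a collected observation is rule-matched against the recorded samples, dropped if already present, otherwise rated for hazard degree and activity degree and appended. Field names, label strings, device identifiers and the in-memory database are assumptions; the claims name the categories but give no schema.

```python
"""Added example (not the patent's code): labelling and de-duplicating attack
samples for the power attack database, per claims 2-3 and claim 10.
Field names, label strings and the in-memory database are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """What the expansion module records about a detected attack (claim 10)."""
    platform: str        # action platform, claim 2 (e.g. "VxWorks", "Linux")
    hazard_mode: str     # how the harm is done, claim 2
    attack_path: str     # equipment and path the attack took, claim 10 (constructed ids)
    key_device: bool     # key equipment (True) or common equipment (False), claim 3
    auth_rounds: int     # authentications the attack needed; 0 means none
    data_access: str     # "full", "partial" or "none", claim 3
    control: bool        # control authority obtained, claim 3
    evidence: str        # "flow" (traffic-based) or "worm", claim 10 step one
    device_state: str = ""
    network_env: str = ""


def hazard_degree(obs):
    """Claim 3 applied literally; combinations it does not define return None
    so an analyst rates them instead of the code guessing."""
    no_auth = obs.auth_rounds == 0
    if obs.key_device and no_auth and obs.data_access == "full" and obs.control:
        return "high-risk"
    if obs.key_device and no_auth and obs.data_access == "partial" and not obs.control:
        return "medium-risk"
    if not obs.key_device and not no_auth and obs.data_access == "none" and not obs.control:
        return "low-risk"
    return None


def activity_degree(obs):
    """Claim 10 step one: traffic-based attacks are kept as replayable 'live'
    samples; worm-based attacks cannot be replayed directly and are 'non-live'."""
    return {"flow": "live", "worm": "non-live"}.get(obs.evidence)


def sample_key(platform, hazard_mode, attack_path):
    """Normalised key used for the rule match against recorded samples."""
    return tuple(s.strip().lower() for s in (platform, hazard_mode, attack_path))


class PowerAttackDatabase:
    """In-memory stand-in for the patent's power attack database (assumption)."""

    def __init__(self, samples=()):
        self.samples, self._keys = [], set()
        for s in samples:
            self.add(s)

    def is_recorded(self, obs):
        return sample_key(obs.platform, obs.hazard_mode, obs.attack_path) in self._keys

    def add(self, sample):
        self.samples.append(sample)
        self._keys.add(sample_key(sample["platform"], sample["hazard_mode"], sample["attack_path"]))


def expand(db, collected):
    """Claim 10 flow. Returns (added, dropped, needs_review): samples written to the
    database, observations already recorded, and samples the claim rules could not label."""
    added, dropped, needs_review = [], [], []
    for obs in collected:
        if db.is_recorded(obs):
            dropped.append(obs)                  # remove from the collection table
            continue
        sample = {
            "name": f"{obs.platform}/{obs.hazard_mode}/{obs.attack_path}",
            "platform": obs.platform, "hazard_degree": hazard_degree(obs),
            "hazard_mode": obs.hazard_mode, "activity": activity_degree(obs),
            "attack_path": obs.attack_path, "device_state": obs.device_state,
            "network_env": obs.network_env,
        }
        if sample["hazard_degree"] is None or sample["activity"] is None:
            needs_review.append(sample)
            continue
        db.add(sample)
        added.append(sample)
    return added, dropped, needs_review


def demo():
    """Constructed run: one recorded sample and three freshly collected observations."""
    db = PowerAttackDatabase([{
        "name": "Linux/SSH credential theft/rtu-07", "platform": "Linux",
        "hazard_degree": "high-risk", "hazard_mode": "SSH credential theft",
        "activity": "live", "attack_path": "rtu-07", "device_state": "", "network_env": ""}])
    collected = [
        # same sample as recorded, differing only in case and whitespace -> dropped
        Observation("linux", "ssh credential theft", " RTU-07 ", True, 0, "full", True, "flow"),
        # key device, no authentication, partial data, no control -> medium-risk, live
        Observation("VxWorks", "traffic redirection", "relay-12", True, 0, "partial", False, "flow",
                    device_state="constructed state", network_env="constructed environment"),
        # common device reached without authentication: no claim-3 pattern -> review queue
        Observation("IoT camera", "video stream capture", "cam-03", False, 0, "partial", False, "worm"),
    ]
    return expand(db, collected)
```

Rating only the exact combinations the claims define, and routing everything else to a review queue, keeps the database labels traceable to the written rule set; a scoring scheme that interpolates between the three levels would be a design decision the claims do not make.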
CN202011446647.9A 2020-12-09 2020-12-09 Power attack testing system based on attack topology Active CN112583820B (en)

Publications (2)

Publication Number Publication Date
CN112583820A true CN112583820A (en) 2021-03-30
CN112583820B CN112583820B (en) 2022-06-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant