CN112651006B - Power grid security situation sensing system - Google Patents
- Publication number
- CN112651006B (application CN202011424457.7A)
- Authority
- CN
- China
- Prior art keywords
- data
- vulnerability
- asset
- situation
- analysis
- Prior art date
- Legal status
- Active
Classifications
- G06F21/55: Detecting local intrusion or implementing counter-measures (under G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F: Electric digital data processing; G06: Computing, calculating or counting; G: Physics)
- G06F18/23: Clustering techniques (under G06F18/20: Analysing; G06F18/00: Pattern recognition; G06F; G06; G)
- G06F21/32: User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints (under G06F21/31: User authentication; G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00; G06F; G06; G)
- G06F21/577: Assessing vulnerabilities and evaluating computer system security (under G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities; G06F21/50; G06F21/00; G06F; G06; G)
- G06N20/00: Machine learning (under G06N: Computing arrangements based on specific computational models; G06; G)
- Y04S10/50: Systems or methods supporting the power network operation or management, involving a certain degree of interaction with the load-side end user applications (under Y04S10/00: Systems supporting electrical power generation, transmission or distribution; Y04S: Systems integrating technologies related to power network operation, communication or information technologies for improving the electrical power generation, transmission, distribution, management or usage, i.e. smart grids; Y04: Information or communication technologies having an impact on other technology areas; Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests)
Abstract
The invention provides a power grid security situation awareness platform architecture comprising a security data acquisition and storage module, an intrusion detection module, an intelligent situation analysis module and a situation visualization module. Through active monitoring, traffic analysis, enterprise-side collection and similar techniques it provides security threat awareness, attack discovery, illegal behaviour monitoring and threat alerting for the power Internet of Things (IoT). It addresses the characteristics of the power IoT environment, namely a large number of sensing nodes of many types, many interconnections, and dynamic, rapidly changing information, and so provides a security situation awareness service for the power industry and forms a security situation awareness solution for the power IoT.
Description
Technical Field
The invention relates to the technical field of big data application, in particular to a power grid security situation awareness system.
Background
With the rapid growth of new-energy generation such as wind and solar power, intelligent energy and the power Internet of Things (IoT) are emerging: the energy system is becoming fragmented, and that fragmented energy exists in a highly intelligent, fully interconnected form so that its value can be maximized. The power IoT environment is a network environment for collecting, storing, analysing, computing and sharing big data. It is a huge nonlinear complex system, characterised by a very large number of nodes, node diversity, connection diversity, information diversity, complex dynamics, a complex and changing network structure, and the fusion of all of these forms of complexity, so the network in the power IoT environment faces more security risks.
The power IoT is still at an early stage, and building it has clear benefits for improving user experience, raising the operational level of the power grid, promoting the consumption of new energy and cultivating new business. At present there is no complete situation awareness system for the power IoT environment that can effectively monitor and assess the information security risk of the industrial control network. In addition, the power system as a whole generates large volumes of data in production, transmission, storage, trading, operation and maintenance, consumption and other links. Building the security capabilities to monitor and protect this data is urgent.
However, existing network security situation awareness models have the following problems:
1. Existing network security situation awareness models are mostly single-source or multi-source homogeneous models, and they adapt poorly to the complex network environment of the power IoT. Security information in the power IoT environment comes in many data types and formats, and the massive historical data contains many errors and redundancies, so it cannot be used directly as the object of network security situation awareness analysis and must first be preprocessed;
2. The factors that influence the network security state in the power IoT environment are complex and varied, and the massive, complex data affects the real-time performance of data fusion and event correlation analysis.
In a big data environment the security feature elements are correlated, influence one another and change in real time, which makes information fusion very difficult. When a large volume of network security feature data is fused, feature extraction may be incomplete, the effect of reducing the dimensionality of the feature space is hard to evaluate, and inaccurate feature information may ultimately be induced from the data set.
The network security data perceived in the power IoT environment contains a large amount of uncertain information that is to some degree incomplete, inaccurate and contradictory, and the situation assessment process must deal with this uncertainty. Current research on network security situation indexes is usually aimed at one aspect or one application scenario; it lacks an index system describing global network security situation assessment for the power IoT environment, and there is no unified evaluation standard.
3. Existing network security situation awareness models also suffer from heavy load, large response delay, and poor completeness, stability and accuracy.
4. At present there is no complete situation awareness system for the power IoT environment in China that can effectively monitor and assess the information security risk of the industrial control network, so a situation awareness system suited to the characteristics of the power industrial control system needs to be researched. Without a dynamic network security situation prediction model oriented to the power IoT environment, the global network security situation in that environment cannot be predicted accurately in real time. Existing network security situation prediction depends heavily on data preprocessing and manual intervention, and the learning of historical experience is not intelligent; network security prediction methods still need further research to improve learning efficiency, convergence speed and prediction accuracy. Existing methods find it hard to predict the time, node location and attack type of a network attack in the power IoT environment, and so cannot effectively support accurate decisions for active network security defence in that environment.
Disclosure of Invention
To solve these problems, the invention provides a power grid security situation awareness system for building a security situation awareness platform for the power IoT environment. It supports the construction of critical information infrastructure in China, including a national online monitoring network, and improves technical capabilities such as situation awareness, hidden-danger investigation and attack discovery in the industrial field.
An embodiment of the invention provides a power grid security situation awareness system comprising a security data acquisition and storage module, an intrusion detection module, an intelligent situation analysis module and a situation visualization module;
the security data acquisition and storage module comprises a data processing layer and a data storage layer; the data processing layer acquires the network security data used for security situation awareness in the power industrial control system as raw data and preprocesses it; the data storage layer stores the preprocessed network security data; the network security data includes asset information data, network traffic data, log data, operational status data, vulnerability data and security event data;
the intrusion detection module performs real-time security detection on the network messages in the log data and network traffic data using deep packet inspection (DPI);
the intelligent situation analysis module retrieves the stored network security data and security detection results, feeds them into a pre-built machine learning model, and performs multi-angle security situation analysis according to situation indexes;
the situation visualization module visualizes and presents the results of the security situation analysis.
In the power grid security situation awareness system of this embodiment, the constructed machine learning model is combined with measured data: the data is preprocessed to realise a data correction model, and the model is used to verify an autonomous, benign learning process on the data. Through active monitoring, traffic analysis, enterprise-side collection and similar techniques, the system provides power IoT security threat awareness, attack discovery, illegal behaviour monitoring and threat alerting. Addressing the large number of sensing nodes of many types, the many interconnections and the dynamic, changing information of the power IoT environment, it provides security situation awareness services for the power industry and forms a power IoT security situation awareness solution.
Preferably, the system's knowledge base comprises a built-in database and an external database; the built-in database comprises an IP address library, a domain name library, a malicious IP address library, a malicious domain name library, a malicious URL library and a vulnerability information library; the external database comprises a GIS geographic information base, a threat intelligence base and an asset-owner (responsible person) information base.
In this embodiment, the comprehensive and detailed built-in address and domain name libraries and the external databases help the system to sense security threats, discover attacks and monitor illegal behaviour in the power IoT in a timely manner, so that the security situation of the power IoT can be predicted accurately and quickly.
Preferably, the data processing layer comprises a data preprocessing sub-module consisting of a normalization unit, a light summarization unit and a heavy summarization unit. The normalization unit takes the unstructured data in the raw data into a message queue and normalizes it through a stream computation process; the light summarization unit lightly summarizes the normalized data and persists the correlation analysis results produced during light summarization; the heavy summarization unit takes the structured data in the raw data into the storage layer, heavily summarizes the storage-layer data, and stores the heavy summarization results in the distributed file storage layer.
In any of the foregoing embodiments, preferably, the normalization unit comprises a data parsing subunit, a data cleansing subunit, a data conversion subunit and a data enhancement subunit. The data parsing subunit identifies the raw data and distinguishes its data format; the data cleansing subunit removes duplicates of the same data obtained through different channels; the data conversion subunit splits the raw data into fields according to the format requirements; and the data enhancement subunit selectively enriches the data in the split fields to realise field enhancement.
In this embodiment, unified normalization of massive data together with light and heavy summarization of the different data types facilitates data fusion and analysis in complex scenarios, so that genuinely useful information is obtained quickly from massive PMU (phasor measurement unit) data, and the typical characteristics of each type of event are extracted from the massive PMU data records as the basis of the sample data set. The preprocessed, enhanced data is stored first in the real-time index layer, so that users can search it quickly, and then enters the distributed file storage layer, which facilitates situation analysis and computation.
In any of the foregoing embodiments, preferably, the intelligent analysis module comprises, by angle of security situation analysis, a comprehensive situation assessment sub-module, an asset situation assessment sub-module, a traffic situation assessment sub-module, a vulnerability situation assessment sub-module and a behaviour situation assessment sub-module.
In any of the above embodiments, preferably, the comprehensive situation assessment sub-module integrates any two or more of the other situation assessments and then assesses the situation indexes comprehensively along the time dimension and/or the space dimension; the visualization of the comprehensive situation assessment uses any one or more of the following display modes: gauge panel, counter, radar chart, pie chart and histogram.
In this embodiment, comprehensive situation assessment synthesises multiple situations, studies and judges the situation indexes using data collected in real time, and constructs an index measurement method, making quantitative situation calculation feasible. Given how rapidly the massive security data in the power IoT environment changes, the choice of security evaluation method allows the security situation to be reflected in a timely and accurate manner.
In any of the foregoing embodiments, preferably, the asset situation assessment sub-module comprises an asset discovery unit, an asset attribute unit, an asset type judgement unit and an asset situation assessment unit. The asset discovery unit discovers the assets in the network from the asset information data; the asset attribute unit completes the attributes of the discovered assets; the asset type judgement unit determines the type of each discovered asset using an asset fingerprint library; and the asset situation assessment unit performs all-round asset security situation analysis according to preset indexes from the perspectives of asset type, network area and business system. The comprehensive asset security situation analysis covers asset type information, compromised-asset information, asset vulnerability profiles, asset attack profiles and asset risk situation.
In this embodiment, asset situation assessment identifies and clusters the assets and business objects to be protected in the target network by active discovery, import or manual creation. The protected-object information obtained and maintained in this way is used by the other dimensions of perception throughout situation analysis and presentation, and becomes the basis of security situation analysis oriented to security objects. On top of asset discovery and security object information maintenance, asset perception also fuses attack and threat information, vulnerability information, operational information and the like to form the security situation from the viewpoint of the protected assets and business objects.
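As an added illustration of the asset discovery, attribute completion and fingerprint-based type judgement described above (example code written for this page, not code from the patent), the following Python script scores a small hypothetical fingerprint library against constructed port and banner observations, fills in zone and business-system attributes from an address plan, and produces the by-type, by-area and by-business-system inventory that the asset situation assessment unit would work from. All observations, fingerprints, vendor names, zones and the scoring weights are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed observations from hypothetical discovery probes (not data from the patent);
# the banner strings are made up.
OBSERVATIONS = [
    {"ip": "10.10.1.5",  "open_ports": [502, 80],   "banners": {80: "Server: PLC-Web/2.1"}, "owner": "substation-a"},
    {"ip": "10.10.1.20", "open_ports": [22, 4840],  "banners": {22: "SSH-2.0-OpenSSH_8.2"}},
    {"ip": "10.10.2.8",  "open_ports": [443, 3389], "banners": {443: "Server: Microsoft-IIS/10.0"}, "owner": "it-ops"},
    {"ip": "10.10.2.9",  "open_ports": [161],       "banners": {}},
    {"ip": "10.10.9.1",  "open_ports": [],          "banners": {}},
]

# Hypothetical asset fingerprint library: each rule names the asset type it implies and the
# evidence that supports it (characteristic ports and an optional banner pattern).
FINGERPRINTS = [
    {"type": "PLC",            "vendor": "ExampleAutomation", "ports": {502},  "banner": re.compile(r"PLC-Web")},
    {"type": "OPC UA server",  "vendor": None,                "ports": {4840}, "banner": None},
    {"type": "Windows server", "vendor": "Microsoft",         "ports": {3389}, "banner": re.compile(r"Microsoft-IIS")},
    {"type": "network device", "vendor": None,                "ports": {161},  "banner": None},
]
# Hypothetical address plan: (network, network area, business system).
ZONES = [(ipaddress.ip_network("10.10.1.0/24"), "OT control", "substation control"),
         (ipaddress.ip_network("10.10.2.0/24"), "OT management", "engineering")]

def identify(obs):
    """Type judgement: score every fingerprint against the observation and keep the best one.
    A banner match is worth 2 points, each characteristic open port 1 point (assumed weights).
    Confidence is the observed share of the evidence a rule could carry (banner + its ports)."""
    best, best_score = None, 0
    for fp in FINGERPRINTS:
        score = len(fp["ports"] & set(obs["open_ports"]))
        if fp["banner"] and any(fp["banner"].search(b) for b in obs["banners"].values()):
            score += 2
        if score > best_score:
            best, best_score = fp, score
    if best is None:
        return {"asset_type": "unknown", "vendor": None, "confidence": 0.0}
    return {"asset_type": best["type"], "vendor": best["vendor"],
            "confidence": round(best_score / (2 + len(best["ports"])), 2)}

def complete_attributes(obs):
    """Attribute completion: fill zone and business system from the address plan, owner if known."""
    ip = ipaddress.ip_address(obs["ip"])
    zone, system = next(((z, b) for net, z, b in ZONES if ip in net), ("unassigned", "unassigned"))
    asset = {"ip": obs["ip"], "zone": zone, "business_system": system, "owner": obs.get("owner")}
    asset.update(identify(obs))
    return asset

def assess(observations):
    """Asset situation: inventory by type, by network area and by business system, plus the
    assets whose record is still incomplete and therefore cannot be protected properly."""
    assets = [complete_attributes(o) for o in observations]
    return {
        "by_type": dict(Counter(a["asset_type"] for a in assets)),
        "by_zone": dict(Counter(a["zone"] for a in assets)),
        "by_business_system": dict(Counter(a["business_system"] for a in assets)),
        "incomplete": sorted(a["ip"] for a in assets
                             if a["asset_type"] == "unknown" or a["owner"] is None or a["zone"] == "unassigned"),
        "assets": assets,
    }

if __name__ == "__main__":
    import json
    print(json.dumps(assess(OBSERVATIONS), indent=2))
```

A type inferred from a single open port is reported with low confidence, so the inventory distinguishes a PLC whose web banner confirmed the fingerprint from a host that merely has port 4840 open; the incomplete list is what the asset attribute unit would hand back to operators for manual completion.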
In any of the foregoing embodiments, preferably, the traffic situation assessment sub-module comprises a traffic analysis unit and a traffic situation assessment unit. The traffic analysis unit performs quantitative statistics and real-time correlation analysis on the traffic behaviour in the network traffic data; the traffic situation assessment unit uses the statistical and correlation results to present the cyberspace traffic situation visually, to predict it intelligently, and to give early warning of traffic anomalies.
In this embodiment, network traffic data is collected, the traffic distribution is presented visually using big data storage and a variety of analysis methods, and network access relationships are discovered automatically, so that the order of network traffic is recognised, understood, established, refined and predicted. This meets the requirements for cyberspace traffic monitoring and anomaly perception and forms the traffic situation within the network security situation.
In any of the foregoing embodiments, preferably, the vulnerability situation assessment sub-module comprises a vulnerability data processing unit and a vulnerability situation analysis unit. The vulnerability data processing unit deduplicates and merges the raw vulnerability data produced by different kinds of vulnerability scanning tools, code audits, penetration tests, risk assessments and supervisory notifications, and normalizes the vulnerability information automatically; the vulnerability situation analysis unit analyses the normalized vulnerability data according to the analysis indexes using the vulnerability database in the preset knowledge base and presents the results visually. The analysis results include: statistical analysis by vulnerability severity level; statistical analysis by vulnerability type; statistical analysis by asset type; vulnerability distribution and impact; and vulnerability focus.
In this embodiment, vulnerability scanning data and the built-in database are combined with information security vulnerability techniques and data mining to provide multi-dimensional security vulnerability situation awareness, displayed as dynamic charts and data lists in the different dimensions. Through multi-dimensional vulnerability analysis, an index measurement method is established for each dimension, making quantitative situation calculation feasible and capturing the multi-dimensional situation of network security vulnerabilities in detail.
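The deduplication, merging and normalization of vulnerability findings from different sources, and the statistics built on the merged set, as an added example written for this page rather than code from the patent. Three constructed sources use different field names and severity scales; the 1..4 severity scale, the per-level risk weights and the 1.5 factor for findings confirmed by a penetration test are assumptions of the example, and the finding names are descriptive labels, not vulnerability identifiers.

```python
import re
from collections import Counter, defaultdict

# Constructed findings from three sources with different schemas and severity scales
# (hypothetical data, not from the patent). Finding names are descriptive, not CVE identifiers.
SCANNER_A = [
    {"host": "10.10.1.5", "plugin": "Weak Password",         "risk": "High",     "category": "configuration"},
    {"host": "10.10.1.5", "plugin": "Unnecessary Port Open", "risk": "Medium",   "category": "configuration"},
    {"host": "10.10.2.8", "plugin": "Outdated Web Server",   "risk": "Critical", "category": "software"},
]
SCANNER_B = [
    {"ip": "10.10.1.5",  "name": "weak password",       "severity": 3, "type": "config"},
    {"ip": "10.10.1.20", "name": "outdated web server", "severity": 4, "type": "software"},
]
PENTEST = [
    {"target": "10.10.1.5", "finding": "Weak password", "impact": "high", "kind": "configuration"},
]
ASSET_TYPES = {"10.10.1.5": "PLC", "10.10.1.20": "OPC UA server", "10.10.2.8": "Windows server"}

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}   # common 1..4 scale (assumption)
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}
RISK_WEIGHT = {1: 1, 2: 3, 3: 7, 4: 10}                         # risk contribution per level (assumption)
TYPE_ALIASES = {"config": "configuration"}

def vuln_id(name):
    """Normalize a free-text finding name to a stable identifier."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")

def normalize_all():
    """Map each source's schema onto one record layout: asset, vuln_id, severity (1..4), type, source."""
    recs = []
    for r in SCANNER_A:
        recs.append({"asset": r["host"], "vuln_id": vuln_id(r["plugin"]), "severity": SEVERITY[r["risk"].lower()],
                     "type": r["category"], "source": "scanner_a"})
    for r in SCANNER_B:
        recs.append({"asset": r["ip"], "vuln_id": vuln_id(r["name"]), "severity": int(r["severity"]),
                     "type": TYPE_ALIASES.get(r["type"], r["type"]), "source": "scanner_b"})
    for r in PENTEST:
        recs.append({"asset": r["target"], "vuln_id": vuln_id(r["finding"]), "severity": SEVERITY[r["impact"].lower()],
                     "type": r["kind"], "source": "pentest"})
    return recs

def merge(records):
    """Deduplicate: one entry per (asset, vuln_id), keeping the highest severity and every source."""
    merged = {}
    for r in records:
        key = (r["asset"], r["vuln_id"])
        if key in merged:
            merged[key]["severity"] = max(merged[key]["severity"], r["severity"])
            merged[key]["sources"].add(r["source"])
        else:
            merged[key] = {**r, "sources": {r["source"]}}
            del merged[key]["source"]
    return list(merged.values())

def analyse(merged):
    """Vulnerability situation indexes: counts by severity, type and asset type; the findings that
    affect the most assets (the "focus"); and a per-asset risk value in which a finding confirmed
    by a penetration test weighs more than a scanner-only one."""
    affected_assets = Counter(v["vuln_id"] for v in merged)
    risk = defaultdict(float)
    for v in merged:
        risk[v["asset"]] += RISK_WEIGHT[v["severity"]] * (1.5 if "pentest" in v["sources"] else 1.0)
    return {
        "by_severity": dict(Counter(SEVERITY_NAME[v["severity"]] for v in merged)),
        "by_type": dict(Counter(v["type"] for v in merged)),
        "by_asset_type": dict(Counter(ASSET_TYPES.get(v["asset"], "unknown") for v in merged)),
        "focus": affected_assets.most_common(),
        "asset_risk": dict(risk),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(analyse(merge(normalize_all())), indent=2))
```

Merging on the normalized (asset, identifier) pair is what turns three reports of one weak password into a single finding with three corroborating sources instead of three entries that would inflate every count; the per-asset risk then joins the merged set to the asset library, which is where the asset-type statistics the paragraph mentions come from.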
In any of the foregoing embodiments, preferably, the behaviour situation assessment sub-module analyses network behaviour using threshold decision, statistical analysis, cluster analysis, time series analysis, feature matching, data mining or graph-model-based analysis methods; the network behaviour includes user behaviour, host behaviour, business behaviour, attack behaviour, application behaviour and global network behaviour.
In this embodiment, behaviour situation assessment monitors network traffic for abnormal behaviour, so that attack behaviour (for example DDoS) is discovered promptly, network faults (for example routing problems) are detected, and illegal behaviour (for example P2P transfer of oversized files) is detected as well. More importantly, compared with misuse detection, anomaly detection can detect unknown new attacks and also internal threats.
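An added example (not from the patent) of the behaviour situation assessment above, combining the threshold and statistical methods the paragraph lists over constructed flow records: a per-destination z-score against the destination's own recent history catches a volumetric flood that a fixed threshold tuned for another server would miss, a distinct-port count catches a port sweep of a PLC, and a byte threshold on outbound flows to external addresses catches the oversized transfer. Window length, thresholds, the internal address range and the flow data are assumptions of the example.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import mean, pstdev

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address range

def constructed_flows():
    """Synthetic flow records (t_seconds, src, dst, dst_port, proto, bytes): five quiet windows of
    traffic to a web server, then a flood against it, a port sweep of a PLC, and one very large
    outbound transfer on a P2P-style port. Constructed for illustration, not real telemetry."""
    flows = []
    for w, n in enumerate([3, 5, 4, 6, 4]):               # baseline: a few internal clients per window
        for i in range(n):
            flows.append((w * 10 + i, f"10.10.3.{i + 1}", "10.10.2.8", 443, "tcp", 2_000))
    for i in range(40):                                    # window 5: 40 distinct external sources
        flows.append((50 + i % 10, f"203.0.113.{i + 1}", "10.10.2.8", 443, "tcp", 60))
    for p in range(1, 26):                                 # window 6: one host sweeps 25 ports on a PLC
        flows.append((60, "10.10.2.8", "10.10.1.5", p, "tcp", 40))
    flows.append((65, "10.10.1.20", "198.51.100.7", 6881, "tcp", 900_000_000))  # window 6: 900 MB out
    return flows

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in n for n in INTERNAL)

def detect(flows, window=10, min_baseline=3, z_threshold=3.0, scan_ports=10, big_bytes=500_000_000):
    """Three complementary checks per time window:
    - statistical: flows per destination against that destination's own history (z-score);
    - threshold: distinct destination ports from one source to one target (port scan);
    - threshold: a single outbound flow to an external address above big_bytes (oversized transfer)."""
    by_window = defaultdict(list)
    for f in flows:
        by_window[f[0] // window].append(f)
    history = defaultdict(list)          # dst -> flow counts in earlier windows (the baseline)
    alerts = []
    for w in sorted(by_window):
        wf = by_window[w]
        dst_counts = Counter(f[2] for f in wf)
        for dst, n in dst_counts.items():
            base = history[dst]
            if len(base) >= min_baseline:
                mu, sd = mean(base), pstdev(base) or 1.0   # flat baseline: fall back to unit spread
                if (n - mu) / sd > z_threshold:
                    alerts.append({"window": w, "kind": "volumetric_anomaly", "target": dst, "flows": n,
                                   "baseline_mean": round(mu, 2),
                                   "distinct_sources": len({f[1] for f in wf if f[2] == dst})})
            base.append(n)
        ports = defaultdict(set)
        for f in wf:
            ports[(f[1], f[2])].add(f[3])
        for (src, dst), ps in ports.items():
            if len(ps) >= scan_ports:
                alerts.append({"window": w, "kind": "port_scan", "src": src, "dst": dst, "ports": len(ps)})
        for t, src, dst, dport, proto, nbytes in wf:
            if nbytes >= big_bytes and not is_internal(dst):
                alerts.append({"window": w, "kind": "oversized_outbound_transfer", "src": src,
                               "dst": dst, "dport": dport, "bytes": nbytes})
    return alerts

if __name__ == "__main__":
    for a in detect(constructed_flows()):
        print(a)
```

The z-score check needs no signature for the flood, which is the "unknown new attack" advantage the paragraph attributes to anomaly detection; its weakness is the baseline, so the history should be bounded to a recent period and excluded from windows that were themselves flagged, otherwise a slow ramp-up teaches the detector that the attack is normal.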
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application. In the drawings:
FIG. 1 is a general framework diagram of a power grid security situation awareness system of the present application;
FIG. 2 (a) is a schematic diagram of a deep packet inspection probe system in a power grid security situation awareness system according to the present invention;
FIG. 2 (b) is a DPI technical diagram of a grid security situation awareness system according to the present invention;
FIG. 3 is an overall framework of a data processing layer in a safety data acquisition and storage module in a power grid safety situation awareness system;
FIG. 4 is a flow chart of the overall data processing of the present invention;
FIG. 5 is a flow chart of data collection according to the present invention;
FIG. 6 is a flow chart of data preprocessing according to the present invention;
FIG. 7 is a flow chart of light summarization of data in the present invention;
FIG. 8 is a flow chart of heavy summarization of data in the present invention;
FIG. 9 is a flow chart of the data storage of the present invention;
FIG. 10 is a technical diagram of an asset fingerprint library of the present invention;
FIG. 11 is a diagram of a statistical analysis of vulnerability count according to the present invention;
FIG. 12 is a vulnerability count proportion analysis diagram of the present invention;
FIG. 13 is a diagram showing a statistical analysis of risk values according to the present invention;
FIG. 14 is a risk value proportion analysis diagram of the present invention;
FIG. 15 is a graph of the average vulnerability count analysis of the present invention;
FIG. 16 is a graph of statistical analysis of risk averages in accordance with the present invention;
FIG. 17 is a vulnerability ordering diagram of the present invention;
FIG. 18 is a vulnerability proportion analysis diagram of the present invention;
FIG. 19 is an abnormal vulnerability list diagram of the present invention.
Detailed Description
The application will be described in detail below with reference to the drawings in connection with embodiments. It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other.
The following detailed description is exemplary and is intended to provide further details of the application. Unless defined otherwise, all technical terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments in accordance with the application.
As shown in fig. 1, the embodiment of the application provides a power grid security situation awareness system comprising a security data acquisition and storage module, an intrusion detection module, an intelligent situation analysis module and a situation visualization module;
the security data acquisition and storage module comprises a data processing layer and a data storage layer; the data processing layer acquires the network security data used for security situation awareness in the power industrial control system as raw data and preprocesses it; the data storage layer stores the preprocessed network security data; the network security data includes asset information data, network traffic data, log data, operational status data, vulnerability data and security event data;
the intrusion detection module performs real-time security detection on the network messages in the log data and network traffic data using deep packet inspection (DPI);
the intelligent situation analysis module retrieves the stored network security data and security detection results, feeds them into a pre-built machine learning model, and performs multi-angle security situation analysis according to situation indexes;
the situation visualization module visualizes and presents the results of the security situation analysis.
The situation awareness system reaches its analysis target through data acquisition and processing that meet the system's requirements; the data sources to be acquired for analysis include, but are not limited to, the following:
Asset information: asset class, asset owner, asset IP, asset type, etc.
Network traffic data: network traffic five-tuples and TCP, UDP, ICMP, HTTP, FTP, TFTP, IMAP, SNMP and other protocols, as well as abnormal traffic, etc.
Log content: service logs, operation logs, login logs, system logs and alarm logs.
Operational status data: the online status of security devices, servers and other assets, CPU and CPU usage, memory and memory usage, network usage, processes, uptime, etc.
Vulnerability data: the IP/domain name of the asset on which the vulnerability exists, the vulnerability name, vulnerability number, affected operating system and application versions, detailed description, hazard level and repair suggestion, together with the asset's vulnerable-configuration information (vulnerability name, type, associated asset, hazard level, etc.), where vulnerable configurations include weak passwords, unexpected open ports and the like.
Security event data: network attack events should include DDoS attacks, vulnerability attacks, network scanning and eavesdropping, interference events, etc.; host-layer security events should include brute-force cracking, port scanning, vulnerability scanning and exploitation, abnormal host behaviour, abnormal processes, abnormal account behaviour, etc.
As shown in fig. 2 (a) and (b), the deep packet inspection probe provides dynamic, deep and active security inspection, strengthening the inspection of application protocols, abnormal behaviour and malicious files from the three aspects of intelligent recognition, environment perception and behaviour analysis, in order to cope with the threat of novel attacks.
Through IP fragment reassembly, TCP stream reassembly, data-stream state tracking and similar capabilities, the deep packet inspection probe detects attacks that an attacker has split across fragments in any way. Deep packet inspection uses intelligent protocol identification: it discovers the protocol a packet belongs to by dynamically analysing the protocol features contained in the network message, and then hands the packet to the corresponding protocol analysis engine. In this way malicious intrusions carried over dynamic ports or tunnels are detected accurately and at high speed without administrator involvement, malicious traffic and vulnerability attacks bound to any port are found accurately, and software that uses SmartTunnel technology can be captured and analysed accurately.
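An added example written for this page (not the patent's DPI engine) of the two ideas in the paragraph above: deciding the protocol from packet content rather than from the port, and reassembling a TCP stream before matching so that a request split across segments is not missed. The signatures cover HTTP, TLS, SSH and Modbus/TCP; the sample segments, the port-expectation table and the signature set are assumptions of the example.

```python
import re

# Constructed sample segments for illustration (not captures from the patent):
# (source IP, destination port, payload of the first TCP segment).
SAMPLES = [
    ("10.0.0.5", 80,   b"GET /index.html HTTP/1.1\r\nHost: hmi.example\r\n\r\n"),
    ("10.0.0.7", 8443, b"GET /cgi-bin/admin HTTP/1.0\r\n\r\n"),              # HTTP on a non-standard port
    ("10.0.0.9", 80,   b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),     # TLS ClientHello on port 80
    ("10.0.0.3", 502,  b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"), # Modbus/TCP read holding registers
    ("10.0.0.4", 5555, b"SSH-2.0-OpenSSH_8.9\r\n"),                          # SSH on an unusual port
]

# Content signatures: the protocol is decided by what the bytes look like, never by the port.
SIGNATURES = [
    ("http", re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n", re.DOTALL)),
    ("tls",  re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),  # record type 22 (handshake), ClientHello
    ("ssh",  re.compile(rb"^SSH-2\.0-")),
]

def is_modbus_tcp(payload):
    """MBAP header check: protocol id 0, length field consistent with the frame, function code 1..127."""
    if len(payload) < 8:
        return False
    protocol_id = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    return protocol_id == 0 and length == len(payload) - 6 and 1 <= payload[7] <= 127

def identify_protocol(payload):
    for name, sig in SIGNATURES:
        if sig.match(payload):
            return name
    return "modbus" if is_modbus_tcp(payload) else "unknown"

def reassemble(segments):
    """Order TCP segments (seq, data) by sequence number, drop retransmitted bytes, return the stream."""
    stream = bytearray()
    expected = None
    for seq, data in sorted(segments, key=lambda s: s[0]):
        end = seq + len(data)
        if expected is not None:
            if end <= expected:
                continue                       # full retransmission, nothing new
            if seq < expected:
                data = data[expected - seq:]   # partial overlap, keep only the new tail
        stream += data
        expected = end
    return bytes(stream)

# What a port-based filter would assume (hypothetical table).
PORT_HINT = {80: "http", 443: "tls", 22: "ssh", 502: "modbus"}

def classify(samples):
    """Identify each sample by content and flag where the content disagrees with the port."""
    results = []
    for src, dport, payload in samples:
        proto = identify_protocol(payload)
        results.append({"src": src, "dport": dport, "proto": proto,
                        "port_mismatch": proto != "unknown" and PORT_HINT.get(dport) != proto})
    return results

if __name__ == "__main__":
    for r in classify(SAMPLES):
        print(r)
```

The port-mismatch flag is the interesting output: HTTP on 8443, TLS on 80 and SSH on 5555 all pass a port-based filter unnoticed, while content identification tags them immediately. Matching only the first segment would also miss a request whose method line straddles a segment boundary, which is why the probe reassembles the stream first.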
As shown in fig. 3, so that the collected data sources can be called conveniently, the data preprocessing layer is built on big data technology as a multi-function data processing cluster integrating diversified data collection, normalization, storage, high-speed reading and correlated retrieval. The design of the data processing layer consists mainly of the data processing flow and data storage.
The big data processing principles are as follows:
Network messages and log data are collected passively: the situation awareness platform does not fetch this data itself; instead each data collection probe pushes it into the platform.
Scenario models and environmental data analysed by the monitoring and early-warning system are collected actively: the situation awareness platform periodically collects this data and incorporates it for use.
When a data source system cannot be connected to the situation awareness platform because its data model (structure) does not conform to the platform's standard, data conversion is performed at the data source side before the data is pushed to the data processing layer.
For pushed data, the collection frequency is determined by the sending frequency of the data source.
As shown in figs. 4-8, the data processing procedure is as follows:
As shown in figs. 4 and 5, the data processing layer includes a data preprocessing sub-module, and the data preprocessing sub-module includes a normalization unit, a light summarization unit and a heavy summarization unit;
the normalization unit is used for fetching the unstructured part of the original data into a message queue and normalizing it through a stream computation process;
as shown in fig. 6, the normalization unit includes a data parsing subunit, a data cleansing subunit, a data conversion subunit and a data enhancement subunit. The data parsing subunit identifies the original data and distinguishes its data format; the data cleansing subunit removes duplicates of the same data obtained in different ways; the data conversion subunit splits the original data into separate fields according to the format requirements; the data enhancement subunit selectively enriches the split fields to achieve field enhancement. This last step is not essential and is performed only on data that needs it, such as adding geographic information to some data or adding asset information to other data.
Network messages mainly refer to the network data information generated by network equipment, such as flow records. Log data mainly refers to the various logs generated by data source systems, which are transmitted using the Syslog protocol. The stream data collected by the situation awareness platform is sent into a message queue and, after standardization and enhancement, alarms are generated.
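The normalization unit described above (parse, cleanse, convert, enhance) as an added example that is not part of the patent: the Syslog lines, the JSON flow record and the asset knowledge base are constructed for the example, and the field names are assumptions.

```python
import json
import re
from typing import Dict, List

# Constructed sample input (not from the patent): two Syslog lines carrying the
# same event received through two collectors, plus one JSON flow record.
RAW_RECORDS = [
    "<134>Mar 10 12:00:01 fw01 sshd[2201]: Failed password for admin from 10.0.0.5 port 51234 ssh2",
    "<134>Mar 10 12:00:01 fw01 sshd[2201]: Failed password for admin from 10.0.0.5 port 51234 ssh2",
    '{"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "dst_port": 22, "bytes": 4120}',
]

# Constructed, hypothetical asset knowledge base used by the enhancement step.
ASSET_DB: Dict[str, Dict[str, str]] = {
    "10.0.1.20": {"asset_name": "scada-hmi-01", "owner": "ops-team", "site": "substation-A"},
}

# RFC 3164-style Syslog: <PRI>TIMESTAMP HOST APP[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+"
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
AUTH_RE = re.compile(r"for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)")


def parse(raw: str) -> dict:
    """Data parsing subunit: recognise the record format and extract its top-level fields."""
    if raw.lstrip().startswith("{"):
        rec = json.loads(raw)
        rec["format"] = "flow"
        return rec
    m = SYSLOG_RE.match(raw)
    if m is None:
        return {"format": "unknown", "raw": raw}
    rec = m.groupdict()
    rec["format"] = "syslog"
    return rec


def convert(rec: dict) -> dict:
    """Data conversion subunit: split the free-text Syslog message into named fields."""
    if rec["format"] == "syslog":
        m = AUTH_RE.search(rec["msg"])
        if m:
            rec["user"] = m.group("user")
            rec["src_ip"] = m.group("src_ip")
            rec["src_port"] = int(m.group("src_port"))
    return rec


def enhance(rec: dict) -> dict:
    """Data enhancement subunit: attach asset information where an IP field is in the knowledge base."""
    for key in ("src_ip", "dst_ip"):
        ip = rec.get(key)
        if ip in ASSET_DB:
            rec[key + "_asset"] = dict(ASSET_DB[ip])
    return rec


def normalize(raws: List[str]) -> List[dict]:
    """Normalization unit: parse -> cleanse (drop duplicates) -> convert -> enhance."""
    seen = set()
    out = []
    for raw in raws:
        rec = parse(raw)
        # Data cleansing subunit: the same event received via different collectors
        # parses to an identical record, so a canonical serialisation is the dedup key.
        key = json.dumps(rec, sort_keys=True)
        if key in seen:
            continue
        seen.add(key)
        out.append(enhance(convert(rec)))
    return out


if __name__ == "__main__":
    for event in normalize(RAW_RECORDS):
        print(json.dumps(event, sort_keys=True))
```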
The light summarization unit shown in fig. 7 is configured to lightly summarize the normalized data and store the correlation analysis results generated in the light summarization process. Light summarization is always a process of filtering the enhanced data and summarizing the results after correlation analysis; the correlation analysis in light summarization combines the information system, the scene model and the environmental data.
As shown in fig. 8, the heavy summarization unit is configured to fetch the structured part of the original data into the storage layer, heavily summarize the data in the storage layer, and store the heavy summarization result in the distributed file storage layer.
Heavy summarization always fuses and correlates the data stored in the storage layer through the fusion platform; the generated result is called the heavy summarization result, and this data flows into the distributed file storage layer again for later use. The reason for heavy summarization is that offline data is stored in different locations, such as Hadoop, Parquet and PostgreSQL, and analysis under complex scenarios is achieved by fusing this data and performing the corresponding calculations with the heavy summarization tool.
The collected data, the preprocessed data, the heavy summarization data and some integrated data gathered by the situation awareness platform are all imported into the big data storage platform for unified storage.
In this embodiment, through unified standardization of massive data and light and heavy summarization of the different types of data, data fusion and analysis under complex scenarios are facilitated, really useful information is obtained quickly from massive PMU data, and the typical characteristics of each type of event are extracted from the massive PMU data records to serve as the basis of a sample data set. The preprocessed enhanced data is first stored in the real-time index layer so that users can search it quickly, and then enters the distributed file storage layer to facilitate situation analysis and calculation.
Preferably, the knowledge base comprises a built-in database and an external database; the built-in database comprises an IP address library, a domain name library, a malicious IP address library, a malicious domain name library, a malicious URL library and a vulnerability information library; the external database comprises a GIS geographic information base, a threat intelligence base and an asset management responsible person information base.
The data stored in the platform comprises the collected original data, the result data obtained through platform analysis, management data and knowledge base data; the first two are collectively called platform business big data.
The platform provides storage and management of the knowledge base and can call the built-in IP libraries, vulnerability libraries and characteristic event libraries during data analysis. The knowledge base data is imported through the data acquisition function, and correlation analysis of security events is finally realized. The knowledge base data comprises an IP address base, a domain name base, a malicious IP address base, a malicious domain name base, a malicious URL base, a vulnerability information base, a threat intelligence base and the like.
The management data includes policy data related to platform management, inter-component call process management data, platform self-running data, user information, audit data and the like, which are stored and read efficiently in structured form using a structured database.
The knowledge base data mainly refers to the external databases that have to be added for the actual display needs of the application layer and the presentation layer, such as the GIS geographic information base, the threat intelligence base, the asset management responsible person information base and other external element data needed for display. This data is used frequently during data enhancement and is mainly kept in structured databases.
In this embodiment, the comprehensive and detailed built-in address libraries, domain name libraries, external databases and the like facilitate timely sensing of security threats, timely discovery of attacks and timely monitoring of illegal behavior in the electric power Internet of Things, so that accurate and rapid prediction of the security situation of the electric power Internet of Things is achieved.
The intelligent situation analysis module comprises, according to the angle of security situation analysis, a comprehensive situation assessment sub-module, an asset situation assessment sub-module, a flow situation assessment sub-module, a vulnerability situation assessment sub-module and a behavior situation assessment sub-module.
The comprehensive situation assessment sub-module is used for synthesizing two or more of the other situation assessments, comprehensively assessing the situation indexes from the time dimension and/or the space dimension, and carrying out comprehensive assessment according to those indexes; the visualization of the comprehensive situation assessment comprises any one or more of the following display modes: dashboard, counter, radar chart, pie chart and histogram.
Specifically, comprehensive situation assessment refers to situation analysis over more than two situation analysis sub-types, so that the overall situation data in the network is obtained, the situation indexes are studied and judged, and a comprehensive situation presentation is produced.
In current situation awareness technologies and products, the specific security elements and types covered differ according to the characteristics of the technology and product; generally, at least two or more assessment sub-types, such as asset situation assessment, flow situation assessment, operation situation assessment, vulnerability situation assessment, attack situation assessment, behavior situation assessment and security event situation assessment, need to be assessed comprehensively.
In addition, after integration, the comprehensive situation assessment can be performed from different time dimensions such as the past, the present and the future; it can be performed from different space dimensions such as geographic position; and it can be performed on the network entities within the network boundary according to their different types.
In this embodiment, when the situation is assessed comprehensively, multiple situations are synthesized, the situation indexes are studied and judged using data acquired in real time, an index measurement method is constructed, and the feasibility of quantitative situation calculation is ensured; given the rapid change of massive security data in the electric power Internet of Things environment, the chosen security evaluation method allows the security situation to be reflected in a timely and accurate manner.
As a preferred embodiment, the asset situation assessment sub-module includes an asset discovery unit, an asset attribute unit, an asset type judging unit and an asset situation assessment unit; the asset discovery unit is used for discovering the assets in the network from the asset information data, including asset discovery based on network scanning probes and passive asset discovery based on log and traffic collection.
Asset discovery based on network scanning probes actively discovers the assets in a network, such as WEB assets on the Internet, IT assets in each unit or enterprise, and assets on the industrial Internet and the Internet of Things, through active scanning and probing. Active scanning and probing is divided into several probing methods such as host discovery, port scanning, version inspection and system detection.
In passive asset discovery based on log and traffic collection, the situation awareness platform collects the log data and traffic data in the network, the asset situation analyzes the metadata in the logs and traffic, and related information such as IP (Internet protocol) addresses, ports and domain names found in the metadata is stored as asset data obtained in passive mode. The authenticity and liveness of each asset are further confirmed by matching against the active asset discovery mode.
The asset attribute unit is used for completing the attributes of the discovered assets. Unknown assets and surviving devices can be found through the asset discovery function, but more information is needed for device management, including more valuable information such as basic asset attributes, specific asset attributes, vulnerability attributes, basic configuration attributes, databases on the asset and component deployment scenarios. The asset situation can acquire these attributes automatically through deep scanning, for example, automatically completing the process, startup item, open port and patch attributes of a host; the configuration change status of security devices and the interface state of network devices; and information such as the version and installation path of application systems, databases and middleware.
As shown in fig. 10, the asset type judging unit judges the type of each discovered asset using an asset fingerprint identification library. The asset fingerprint library is a collection containing information such as asset port information, operating system information and manufacturer information, and is the key to identifying assets. The characteristics of the various asset types are established through a powerful asset fingerprint library covering network equipment, security equipment, the various operating systems, databases and application middleware, and the fingerprint library mainly comprises:
port fingerprint: open port information, and the specific port information of each manufacturer's devices;
OS fingerprint: operating system version information, device type information, system name and vendor information;
web fingerprint: HTML information, header information, URI information and file information.
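Asset type judgement against a fingerprint library, as an added example that is not part of the patent: the three-entry library (port, OS and web fingerprints), the vendor names and the matching score are constructed assumptions, and observations below the confidence threshold are left as "unknown" rather than forced into a type.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Fingerprint:
    """One entry of the asset fingerprint library (constructed, hypothetical vendors)."""
    asset_type: str
    vendor: str
    ports: frozenset = frozenset()                 # port fingerprint: ports the type is expected to expose
    os_keywords: frozenset = frozenset()           # OS fingerprint: substrings expected in the OS banner
    web_headers: Tuple[Tuple[str, str], ...] = ()  # web fingerprint: (header, expected substring) pairs


FINGERPRINT_LIB: List[Fingerprint] = [
    Fingerprint("network_device", "ExampleNet", ports=frozenset({22, 23, 161}),
                os_keywords=frozenset({"examplenet-os"})),
    Fingerprint("web_application", "ExampleWeb", ports=frozenset({80, 443}),
                web_headers=(("server", "examplehttpd"),)),
    Fingerprint("database", "ExampleDB", ports=frozenset({5432}),
                os_keywords=frozenset({"linux"})),
]


@dataclass
class Observation:
    """What discovery (active probing or passive log/flow metadata) learned about one asset."""
    ip: str
    open_ports: Set[int]
    os_banner: str = ""
    http_headers: Dict[str, str] = field(default_factory=dict)


def score(fp: Fingerprint, obs: Observation) -> float:
    """Average, over the dimensions the entry defines, of the fraction of entries matched."""
    parts: List[float] = []
    if fp.ports:
        parts.append(len(fp.ports & obs.open_ports) / len(fp.ports))
    if fp.os_keywords:
        banner = obs.os_banner.lower()
        parts.append(sum(1 for k in fp.os_keywords if k in banner) / len(fp.os_keywords))
    if fp.web_headers:
        hdrs = {k.lower(): v.lower() for k, v in obs.http_headers.items()}
        parts.append(sum(1 for h, v in fp.web_headers if v in hdrs.get(h, "")) / len(fp.web_headers))
    return sum(parts) / len(parts) if parts else 0.0


def classify(obs: Observation, lib: List[Fingerprint] = FINGERPRINT_LIB,
             threshold: float = 0.5) -> Tuple[str, Optional[str], float]:
    """Return (asset_type, vendor, confidence); below the threshold the asset stays 'unknown'."""
    ranked = sorted(((score(fp, obs), fp) for fp in lib), key=lambda t: t[0], reverse=True)
    best_score, best = ranked[0]
    if best_score < threshold:
        return "unknown", None, best_score
    return best.asset_type, best.vendor, best_score


# Constructed observations: a switch-like device, a web server, and an asset the library does not know.
OBSERVATIONS = [
    Observation("10.0.0.1", {22, 23, 161}, os_banner="ExampleNet-OS 3.1"),
    Observation("10.0.0.2", {22, 80, 443}, http_headers={"Server": "ExampleHTTPD/2.4"}),
    Observation("10.0.0.3", {8080}),
]

if __name__ == "__main__":
    for obs in OBSERVATIONS:
        print(obs.ip, classify(obs))
```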
The asset situation assessment unit is used for carrying out all-round asset security situation analysis according to preset indexes from the perspectives of asset type, network area and business system; the all-round asset security situation analysis includes asset type information, asset compromise information, asset vulnerability profiles, asset attack profiles and asset risk situation.
Asset situation presentation:
the security aspect of the asset view examines the overall security protection status of the assets from an asset type perspective, a network area perspective and a business system perspective. From each perspective, situational information on the asset compromise overview, asset vulnerability profile, asset attack profile and asset risk can be provided:
Asset type summary information: several primary statistical indicators can be monitored for each asset type, including the number of alarms, the total number of vulnerabilities generated, the total number of configuration vulnerabilities and the number of security events.
Asset compromise overview: includes the degree of impact of high-risk alarms, high-risk vulnerabilities and high-risk attacks, the total coverage rate of alarms within each asset type, and the trend of alarms over time.
Asset vulnerability profile: includes the vulnerability detection rate for each asset type and the vulnerability trend over time.
Asset attack profile: includes the main attack types within each asset type, the access status of the security logs, and the proportional distribution of the asset ports used by attack-related events.
Asset risk situation: includes the risk level of each asset type, the distribution of risk values on the risk situation matrix, and the risk trend.
In this embodiment, asset situation assessment identifies and clusters the assets and business objects to be protected in the target network by proactive discovery, import or creation. The protected object information obtained and maintained in this way is used by the perception of other dimensions throughout the situation analysis and presentation process, and becomes the basis of security-object-oriented security situation analysis. Based on asset discovery and security object information maintenance, asset perception also fuses attack threat information, vulnerability information, operation information and the like to form the security situation from the view of the protected assets and business objects.
Flow data is one of the basic data collected by the situation awareness system. By collecting network flow data and relying on big data storage capacity and various analysis means, the flow distribution is presented visually and network access relationships are discovered automatically, so that the network flow order is recognized, understood, built, perfected and predicted, the requirements for network space flow monitoring and anomaly awareness are met, and the flow situation within the network security situation is formed.
The flow situation assessment sub-module comprises a flow analysis unit and a flow situation assessment unit;
the flow analysis unit is used for carrying out quantitative statistics and real-time correlation analysis on the flow behaviors in the network flow data;
the flow situation assessment unit uses the data after statistics and correlation analysis to realize the visual presentation of the network space flow situation and the intelligent prediction and anomaly early warning of network space flow anomalies.
Network traffic data basically includes three layers: application protocol metadata, session connection data (FLOW data) and original full packets; recording, indexing, classifying and correlating these three layers of data provides a reliable data basis for the assessment of the traffic situation. Application protocol metadata is obtained by parsing the key fields in the application-layer payload of the current mainstream protocols, including HTTP, DNS, SMTP, TELNET, FTP and the like; collection of original traffic in pcap format from a mirrored bypass port is also supported.
After the network flow data is obtained, information such as the flow distribution, abnormal attacks, TCP addresses, TCP protocols and overall security status of the monitored network area can be visualized dynamically through quantitative statistics and real-time correlation analysis of network space flow behavior, so that a visual flow situation is formed.
2) The visual presentation technology of the network space traffic situation comprises the following:
based on time, space and flow characteristic values, the network flow and network behavior are analyzed in a multi-dimensional and fine-grained manner; the user flow distribution, network connection status and service interaction status are displayed, and the flow of important hosts and key service systems is monitored. From summary to detail and from macroscopic to microscopic, the network operation is understood by combing through the network order with visual charts and curves.
Whole-network flow analysis based on region, time sequence and technical characteristics:
regional analysis: the monitored network equipment and service systems can be analyzed and displayed from the angles of total flow, TCP address, TCP application, TCP protocol and the like.
Time sequence analysis: queries can be made by time range; the macroscopic flow trend is displayed and analyzed by device and by service scenario in the form of line charts and lists, with various time periods and a user-defined time interval supported.
Technical characteristics analysis: comprises analysis by session, by number of data packets and by flow volume, displaying specific content including total flow, uplink and downlink flow, total number of data packets, uplink and downlink data packet counts, total number of sessions, uplink and downlink session counts and the like.
3) Intelligent prediction and anomaly early warning of network space flow anomalies:
the intelligent analysis and detection technology for network space flow comprises classical correlation analysis, emerging threat intelligence early warning, an abnormal flow detection baseline based on an adaptive algorithm, and the like. These algorithms rely on deep flow inspection and Deep Packet Inspection (DPI) techniques.
Rule-based and context-based correlation analysis:
rule-based correlation analysis refers to rule matching by a traffic event correlation engine to identify attacks and violations with known patterns. The expressive power of a rule depends on the number of attribute fields of the traffic event and the richness of the rule's logical expressions.
Threat early warning based on threat intelligence:
threat intelligence is matched against the corresponding attribute fields (URL, domain name, IP address and Email address) in the flow logs to form a threat early warning situation.
Threat attack prediction based on abnormal traffic baselines:
abnormal flow baselines comprise characteristic baselines, behavior baselines, periodic baselines, moving window baselines and custom baselines. By learning historical flow data within a designated time window, various network flow measures are acquired, including the overall network flow level, flow fluctuation and flow jumps; an adaptive flow baseline is established and an abnormal flow detection model is formed. Based on the modeling and analysis of flow behavior, flow-sensitive abnormal behavior such as DDOS-type attacks and network misuse can be identified.
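A moving window baseline of the kind just described, as an added example that is not part of the patent: the per-minute byte counts are constructed, and the band width (k standard deviations with a floor), the jump ratio and the rule that anomalous samples do not update the window are the example's own assumptions.

```python
import statistics
from collections import deque
from typing import Deque, List, Optional, Tuple

# Constructed training history (not from the patent): bytes per minute on one monitored
# link during a quiet window. The mean is 1000, which keeps the expected values easy to follow.
TRAINING: List[float] = [980, 1020, 1000, 1050, 950, 1010, 990, 1030, 970, 1000]
# Constructed live stream: a normal sample, a burst, an elevated level, then a normal sample.
LIVE: List[float] = [1050, 5200, 1400, 1100]


class MovingWindowBaseline:
    """Adaptive baseline learned from the last `window` normal samples.

    Three of the flow measures named in the text are modelled:
      level       -> mean of the window
      fluctuation -> population standard deviation of the window
      jump        -> ratio of the new sample to the current level
    """

    def __init__(self, window: int = 10, k: float = 3.0, jump_ratio: float = 4.0,
                 min_band: float = 0.05) -> None:
        self.window = window
        self.k = k                  # fluctuation band in standard deviations
        self.jump_ratio = jump_ratio
        self.min_band = min_band    # floor on the band as a fraction of the level
        self.history: Deque[float] = deque(maxlen=window)

    def level(self) -> Tuple[float, float]:
        mean = statistics.fmean(self.history)
        stdev = statistics.pstdev(self.history) if len(self.history) > 1 else 0.0
        return mean, stdev

    def observe(self, value: float) -> Optional[str]:
        """Classify one sample: None (normal), 'jump' or 'level'.

        Anomalous samples are NOT fed back into the window, so a sustained burst does
        not teach the baseline that the burst is the new normal.
        """
        if len(self.history) < self.window:
            self.history.append(value)      # still learning
            return None
        mean, stdev = self.level()
        if mean > 0 and value / mean >= self.jump_ratio:
            return "jump"
        band = self.k * max(stdev, self.min_band * mean)
        if value > mean + band:
            return "level"
        self.history.append(value)
        return None


def detect(training: List[float], stream: List[float]) -> List[Optional[str]]:
    """Train on `training`, then return the verdict for each sample of `stream` in order."""
    model = MovingWindowBaseline(window=len(training))
    for v in training:
        model.observe(v)
    return [model.observe(v) for v in stream]


if __name__ == "__main__":
    for value, verdict in zip(LIVE, detect(TRAINING, LIVE)):
        print(value, verdict or "normal")
```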
For the traffic attack situation, the source, means and other information of a security attack can be grasped quickly and an effective problem tracing and network forensics mechanism is formed; through high-performance retrieval and analysis capability, the historical traffic information of any time period can be traced back, so capturing the original messages of the attack context and restoring the real attack process is also an important part of traffic situation assessment.
The system also comprises operation situation assessment. Operation situation assessment ranges from the three traditional major types of IT infrastructure to the current IT infrastructure; because of the changes in IT infrastructure and the diversity of software and hardware products, monitoring the operating state of the IT infrastructure and application systems in the current complex and changeable environment is a challenge.
By analyzing the IT infrastructure and the application system architecture, the running state of the whole network and the service stability and risk of the application systems can be clearly understood, and hidden dangers such as concealed Trojans and undiscovered insiders can be found by monitoring the running state. The following operating state data are mainly analyzed in the IT architecture:
online status of assets, operating systems, application systems and the like; CPU and its usage, memory and its usage, network usage, processes, continuous running time and the like.
In this embodiment, through the collection of network flow data, the flow distribution is presented visually by means of big data storage capacity and various analysis means, and the network access relationships are discovered automatically, so that the network flow order is recognized, understood, built, perfected and predicted, the requirements for network space flow monitoring and anomaly perception are met, and the flow situation within the network security situation is formed.
The vulnerability situation assessment sub-module comprises a vulnerability data processing unit and a vulnerability situation analysis unit. The vulnerability data processing unit is used for de-duplicating and merging the original vulnerability data from different types of vulnerability scanning tools, code audits, penetration tests, risk assessments and supervisory notifications, and for automatically standardizing the vulnerability information.
Specifically, the following functions can be realized through vulnerability situation assessment:
1) Centralized management of various vulnerability detection tools and platforms:
vulnerability scanner devices are managed centrally through an API interface; centralized management comprises automatic issuing of vulnerability scanning tasks and configuration of vulnerability scanning policies, automatic execution of vulnerability scanning and automatic collection of vulnerability data, and the multi-source vulnerability data serves as the basic data for vulnerability situation awareness analysis.
2) Heterogeneous vulnerability data analysis and standardization:
vulnerability data standardization de-duplicates and merges the original vulnerability data from different types of vulnerability scanning tools, code audits, penetration tests, risk assessments and supervisory notifications, automatically standardizes the vulnerability information, and converts non-standard original vulnerability data into vulnerability data conforming to national standards.
3) Standard vulnerability database:
the assets covered by the core vulnerability database should include network equipment, security equipment, operating systems, databases, middleware, web applications, application programs and BYOD devices. Vulnerability attributes should include: vulnerability name, vulnerability number, vulnerability level, date of disclosure, vulnerability description, affected products, repair suggestion, verification tool, CNVD number, CNNVD number, BID number, CWE number, CVE number, reference information, vulnerability type, CVSS vector, CVSS score and revision type.
4) Vulnerability status visualization management:
vulnerability operation and maintenance management is divided into a discovery stage, a verification stage and a treatment stage, and the vulnerabilities in the different stages are managed visually with their state identified. The state label of a vulnerability can be changed at the different stages.
5) Analysis content and presentation:
by storing periodic vulnerability scanning data and using a built-in analysis model, combining information security vulnerability techniques with data mining techniques, multidimensional security vulnerability situation awareness is provided and displayed with dynamic charts and data lists of different dimensions. The analysis dimensions comprise: statistical analysis, comparative analysis, trend analysis, differentiation analysis, focus analysis, validation analysis and vulnerability impact.
The vulnerability situation analysis unit analyzes the standardized vulnerability data according to the analysis indexes using the vulnerability database in the preset knowledge base, and presents the analysis results visually. The analysis results include: statistical analysis by vulnerability severity level; statistical analysis by vulnerability type; statistical analysis by asset type; vulnerability distribution impact; and vulnerability focus.
The specific situation analysis indexes and results comprise the following parts:
1) Statistical analysis based on vulnerability severity level;
a) Vulnerability statistical analysis based on severity level, as shown in fig. 11:
Analysis content: count the number of high-risk, medium-risk and low-risk vulnerabilities in the current asset range respectively, and analyze the distribution of vulnerabilities in the current asset range by vulnerability severity level. The data types corresponding to this vulnerability analysis index comprise: asset count, vulnerability severity level.
Analysis indexes: high-risk vulnerabilities, medium-risk vulnerabilities and low-risk vulnerabilities.
Analysis method: select the asset range to analyze, and calculate the current total of high-risk, medium-risk and low-risk vulnerabilities in that asset range respectively.
Σ over assets (high-risk vulnerability count) = high-risk vulnerability count;
Σ over assets (medium-risk vulnerability count) = medium-risk vulnerability count;
Σ over assets (low-risk vulnerability count) = low-risk vulnerability count.
b) Vulnerability proportion analysis based on severity level, as shown in fig. 12:
Analysis content: calculate the proportion of high-risk, medium-risk and low-risk vulnerabilities in the current asset range respectively, and analyze the share of the total number of vulnerabilities held by each severity level in the current asset range. The data types corresponding to this vulnerability analysis index comprise: asset count, vulnerability severity level.
Analysis indexes: high-risk vulnerability percentage, medium-risk vulnerability percentage and low-risk vulnerability percentage.
Analysis method: select the asset range to analyze, and calculate the current proportion of high-risk, medium-risk and low-risk vulnerabilities in that asset range respectively.
(high-risk vulnerability count / total vulnerability count) × 100 = high-risk vulnerability percentage;
(medium-risk vulnerability count / total vulnerability count) × 100 = medium-risk vulnerability percentage;
(low-risk vulnerability count / total vulnerability count) × 100 = low-risk vulnerability percentage.
c) Statistical analysis of risk values based on severity level, as shown in fig. 13:
Analysis content: sum the high-risk, medium-risk and low-risk vulnerability risk values in the current asset range respectively, and analyze the distribution of vulnerability risk values by severity level in the current asset range. The data types corresponding to this vulnerability analysis index comprise: asset count, vulnerability count, vulnerability severity level, vulnerability risk value.
Analysis indexes: high-risk vulnerability risk value, medium-risk vulnerability risk value and low-risk vulnerability risk value.
Analysis method: select the asset range to analyze, and calculate the current sum of the high-risk, medium-risk and low-risk vulnerability risk values in that asset range respectively.
Σ over assets (high-risk vulnerability 1 risk value + high-risk vulnerability 2 risk value + ... + high-risk vulnerability N risk value) = high-risk vulnerability risk value;
Σ over assets (medium-risk vulnerability 1 risk value + medium-risk vulnerability 2 risk value + ... + medium-risk vulnerability N risk value) = medium-risk vulnerability risk value;
Σ over assets (low-risk vulnerability 1 risk value + low-risk vulnerability 2 risk value + ... + low-risk vulnerability N risk value) = low-risk vulnerability risk value.
d) Risk value proportion analysis based on severity level, as shown in fig. 14:
Analysis content: calculate the proportion of the high-risk, medium-risk and low-risk vulnerability risk values in the current asset range respectively, and analyze the share of the total vulnerability risk value held by each severity level in the current asset range. The data types corresponding to this vulnerability analysis index comprise: asset count, vulnerability count, vulnerability severity level, vulnerability risk value.
Analysis indexes: high-risk vulnerability risk value percentage, medium-risk vulnerability risk value percentage and low-risk vulnerability risk value percentage.
Analysis method: select the asset range to analyze, and calculate the current proportion of the high-risk, medium-risk and low-risk vulnerability risk values in that asset range respectively.
(high risk vulnerability risk value/vulnerability risk value total) ×100=high risk vulnerability risk value percentage;
(medium risk vulnerability value/total vulnerability risk value) ×100=medium risk vulnerability value percentage;
(low risk vulnerability value/vulnerability risk value total) ×100=low risk vulnerability value percentage.
e) Vulnerability number average analysis based on severity level, as shown in fig. 15:
analysis content: and respectively counting the high-risk vulnerability quantity average value, the medium-risk vulnerability quantity average value and the low-risk vulnerability quantity average value in the current asset range, and analyzing the vulnerability quantity average value conditions of different severity levels in the current asset range. The data types corresponding to the vulnerability analysis index comprise: asset number, vulnerability severity level.
Analysis indexes: high risk vulnerability average, medium risk vulnerability average, low risk vulnerability average.
The analysis method comprises the following steps: and selecting an analysis asset range, respectively calculating the sum of the current high-risk vulnerabilities, the sum of the medium-risk vulnerabilities and the sum of the low-risk vulnerabilities in the asset range, and dividing the sum by the number of the assets.
High-risk vulnerability number and/asset number = high-risk vulnerability average;
medium risk vulnerability number and/asset number = medium risk vulnerability average;
low risk vulnerability number and/asset number = low risk vulnerability average.
f) Vulnerability risk average analysis based on severity level, as shown in fig. 16:
analysis content: and respectively counting the high-risk vulnerability risk average value, the medium-risk vulnerability risk average value and the low-risk vulnerability risk average value in the current asset range, and analyzing the vulnerability quantity average value conditions of different severity levels in the current asset range. The data types corresponding to the vulnerability analysis index comprise: the number of assets, the number of vulnerabilities, the vulnerability severity level, the vulnerability risk value.
Analysis indexes: high risk vulnerability average, medium risk vulnerability average, low risk vulnerability average.
The analysis method comprises the following steps: and selecting an analysis asset range, respectively calculating a current high-risk vulnerability risk value, a medium-risk vulnerability risk value and a low-risk vulnerability risk value in the asset range, and dividing the values by the number of the assets.
High risk vulnerability risk value/asset number = high risk vulnerability risk average;
medium risk vulnerability value/asset count = medium risk vulnerability average;
low risk vulnerability value/asset number = low risk vulnerability average.
2) Statistical analysis based on vulnerability type;
a) Statistical analysis based on vulnerability type;
Analysis content: count the number of vulnerabilities of each vulnerability type in the current asset range respectively, and analyze the vulnerability distribution across vulnerability types in the current asset range. The data types corresponding to the vulnerability analysis index comprise: asset number and vulnerability type.
Analysis indexes: vulnerability type, vulnerability count.
Analysis method: select the asset range to analyze, and calculate the number of vulnerabilities of each vulnerability type in that range.
b) Proportion analysis based on vulnerability type;
Analysis content: calculate the proportion of the vulnerability count of each vulnerability type in the current asset range respectively, and analyze how the vulnerability counts of the different types are distributed in proportion in the current asset range. The data types corresponding to the vulnerability analysis index comprise: asset number and vulnerability type.
Analysis indexes: vulnerability count percentage per vulnerability type.
Analysis method: select the asset range to analyze, and calculate the percentage of vulnerabilities of each type in that range.
c) Statistical analysis of risk values based on vulnerability type;
Analysis content: sum the vulnerability risk values of each vulnerability type in the current asset range respectively, and analyze the distribution of vulnerability risk values across vulnerability types in the current asset range. The data types corresponding to the vulnerability analysis index comprise: the number of assets, the number of vulnerabilities, the vulnerability type and the vulnerability risk value.
Analysis indexes: risk value per vulnerability type.
Analysis method: select the asset range to analyze, and calculate the current risk value of each vulnerability type in that range.
d) Risk value proportion analysis based on vulnerability type;
Analysis content: calculate the proportion of the risk value of each vulnerability type in the current asset range respectively, and analyze what share of the total vulnerability risk value the risk values of each vulnerability type account for in the current asset range. The data types corresponding to the vulnerability analysis index comprise: the number of assets, the number of vulnerabilities, the vulnerability type and the vulnerability risk value.
Analysis indexes: vulnerability risk value percentage per vulnerability type.
Analysis method: select the asset range to analyze, and calculate the current vulnerability risk value proportion of each vulnerability type in that range.
3) Statistical analysis based on asset type;
a) Vulnerability statistical analysis based on asset type;
Analysis content: count the number of vulnerabilities of each asset type in the current asset range respectively, and analyze the vulnerability distribution across asset types in the current asset range. The data types corresponding to the vulnerability analysis index comprise: asset number, asset type, vulnerability number and vulnerability severity level.
Analysis indexes: asset type, vulnerability count, vulnerability severity level.
Analysis method: select the asset range to analyze, and calculate the number of vulnerabilities of each asset type in that range.
b) Proportion analysis based on asset type;
Analysis content: calculate the proportion of the vulnerability count of each asset type in the current asset range respectively, and analyze how the vulnerability counts of the different asset types are distributed in proportion in the current asset range. The data types corresponding to the vulnerability analysis index comprise: asset type, vulnerability number and vulnerability severity level.
Analysis indexes: vulnerability count percentage per asset type.
Analysis method: select the asset range to analyze, and calculate the percentage of vulnerabilities of each asset type in that range.
c) Statistical analysis of risk values based on asset type;
Analysis content: sum the vulnerability risk values of each asset type in the current asset range respectively, and analyze the distribution of vulnerability risk values across asset types in the current asset range. The data types corresponding to the vulnerability analysis index comprise: asset type, vulnerability number and vulnerability risk value.
Analysis indexes: risk value per asset type.
Analysis method: select the asset range to analyze, and calculate the current risk value of each asset type in that range.
d) Risk value proportion analysis based on asset type;
Analysis content: calculate the proportion of the risk value of each asset type in the current asset range respectively, and analyze what share of the total vulnerability risk value the risk values of each asset type account for in the current asset range. The data types corresponding to the vulnerability analysis index comprise: asset type, vulnerability number and vulnerability risk value.
Analysis indexes: vulnerability risk value percentage per asset type.
Analysis method: select the asset range to analyze, and calculate the current vulnerability risk value proportion of each asset type in that range.
4) Vulnerability distribution and impact, as shown in fig. 17:
Assets are viewed from the vulnerability perspective and arranged in descending order of each vulnerability's range of impact, giving a ranked list of the vulnerabilities with the widest impact; the list is ordered dynamically by vulnerability grade, risk value and the number of affected asset ports.
Vulnerabilities whose verification state is successful and whose hardening state is abnormal are screened out automatically, and the vulnerability data meeting these conditions is displayed as a data list. This helps users filter the vulnerability data that most needs attention and handling out of the mass of vulnerability data. The distribution of the vulnerabilities needing focus, and their proportion of the original vulnerabilities, are shown in a pie chart in figure 18.
In this embodiment, vulnerability scanning data and a built-in database are combined with information security vulnerability technology and data mining technology to provide multi-dimensional security vulnerability situation awareness, displayed as dynamic charts and data lists in different dimensions. Through multidimensional vulnerability analysis, an index measurement method is established for each dimension, which makes quantitative situation calculation feasible and captures the multidimensional situation of network security vulnerabilities in detail.
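The severity, vulnerability-type and asset-type indices defined above (count, risk-value sum, proportion and per-asset average) and the focus list of item 4 reduce to one group-by computation and one filtered ranking. The following Python is an added example, not code from the patent; the record fields, the sample records and the tie-break rules (worst grade, highest risk value, ports summed over assets) are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Vuln:
    """One standardized vulnerability record; the field set is an assumption."""
    vid: str                # vulnerability identifier
    asset: str              # affected asset
    asset_type: str
    severity: str           # "high" | "medium" | "low"
    vuln_type: str
    risk: float             # vulnerability risk value
    ports: int              # affected ports on this asset
    verified: bool          # verification state == successful
    hardening_failed: bool  # hardening state == abnormal


SEV_RANK = {"high": 3, "medium": 2, "low": 1}

# Constructed sample records for a small asset range (not real scan data).
SAMPLE: List[Vuln] = [
    Vuln("V-001", "srv-01", "server", "high", "rce", 9.0, 2, True, True),
    Vuln("V-001", "srv-02", "server", "high", "rce", 9.0, 1, True, True),
    Vuln("V-002", "plc-01", "plc", "high", "weak-auth", 8.0, 1, True, False),
    Vuln("V-003", "hmi-01", "hmi", "medium", "info-leak", 5.0, 1, False, True),
    Vuln("V-004", "srv-01", "server", "low", "misconfig", 2.0, 3, True, True),
    Vuln("V-005", "srv-02", "server", "medium", "xss", 4.0, 1, True, True),
]


def _pct(part: float, whole: float) -> float:
    """Percentage rounded to two decimals; 0.0 when the denominator is zero."""
    return round(100.0 * part / whole, 2) if whole else 0.0


def risk_indices(vulns: List[Vuln], key: Callable[[Vuln], str]) -> Dict[str, Dict[str, float]]:
    """Indices along one dimension (severity, vulnerability type or asset type):
    count, risk-value sum, count share, risk-value share and per-asset averages.
    The averages divide by the number of distinct assets in the selected range."""
    n_assets = len({v.asset for v in vulns})
    counts: Dict[str, int] = defaultdict(int)
    risks: Dict[str, float] = defaultdict(float)
    for v in vulns:
        counts[key(v)] += 1
        risks[key(v)] += v.risk
    total_count = sum(counts.values())
    total_risk = sum(risks.values())
    return {
        k: {
            "count": counts[k],
            "risk_sum": round(risks[k], 2),
            "count_pct": _pct(counts[k], total_count),
            "risk_pct": _pct(risks[k], total_risk),
            "count_avg": round(counts[k] / n_assets, 2) if n_assets else 0.0,
            "risk_avg": round(risks[k] / n_assets, 2) if n_assets else 0.0,
        }
        for k in counts
    }


def focus_list(vulns: List[Vuln]) -> List[dict]:
    """Focus list: vulnerabilities that verified successfully but whose hardening
    is abnormal, one row per vulnerability, ranked by number of affected assets,
    then severity, risk value and affected ports (all descending)."""
    rows: Dict[str, dict] = {}
    for v in vulns:
        if not (v.verified and v.hardening_failed):
            continue
        r = rows.setdefault(v.vid, {"vid": v.vid, "asset_set": set(),
                                    "severity": v.severity, "risk": 0.0, "ports": 0})
        r["asset_set"].add(v.asset)
        if SEV_RANK[v.severity] > SEV_RANK[r["severity"]]:
            r["severity"] = v.severity          # assumption: worst grade wins
        r["risk"] = max(r["risk"], v.risk)      # assumption: highest risk value wins
        r["ports"] += v.ports                   # assumption: ports summed over assets
    out = [{"vid": r["vid"], "assets": len(r["asset_set"]), "severity": r["severity"],
            "risk": r["risk"], "ports": r["ports"]} for r in rows.values()]
    out.sort(key=lambda r: (r["assets"], SEV_RANK[r["severity"]], r["risk"], r["ports"]),
             reverse=True)
    return out


def focus_share(vulns: List[Vuln]) -> float:
    """Share (%) of distinct vulnerabilities that land in the focus list (the fig. 18 ratio)."""
    return _pct(len(focus_list(vulns)), len({v.vid for v in vulns}))


if __name__ == "__main__":
    for name, key in (("severity", lambda v: v.severity),
                      ("vuln_type", lambda v: v.vuln_type),
                      ("asset_type", lambda v: v.asset_type)):
        print(name, risk_indices(SAMPLE, key))
    print("focus", focus_list(SAMPLE), focus_share(SAMPLE))
```

On the sample range the three high-risk records sum to a risk value of 26 out of 37 (70.27 %), and the focus list ranks V-001 first because it affects two assets.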
In any one of the foregoing embodiments, preferably, the behavior situation assessment submodule is configured to analyze network behavior by using a threshold decision method, a statistical analysis method, a cluster analysis method, a time series method, a feature matching method, a data mining method, or an analysis method based on a graph model; the network behavior includes user behavior, host behavior, business behavior, attack behavior, application behavior, and global network behavior.
Network behavior refers to the intentional activity performed by a principal to achieve a particular goal, using computer network applications as its means. Network Behavior Analysis (NBA) is a method of enhancing network security by monitoring traffic and focusing on abnormal behavior or deviations from normal operation. Conventional intrusion detection system solutions implement protection at network boundaries by packet inspection, feature matching and real-time blocking, whereas NBA solutions observe what happens inside the network, summarizing data from multiple observation points to support offline analysis. In defense-in-depth and multi-level network security protection mechanisms, behavior analysis and anomaly detection are indispensable technologies and play a very important role. Abnormal behavior detection establishes a normal behavior model of the system, user, network, application or other subject, and if the behavior under test deviates from the model to a certain extent it is judged abnormal. In monitoring network traffic, abnormal behavior detection can not only discover attack behavior (e.g., DDoS) in time and detect network faults (e.g., routing problems), but can also detect illegal behavior (e.g., P2P transmission of oversized files). More importantly, compared with misuse detection techniques, anomaly detection can detect not only unknown new attacks but also internal threats.
The method of network behavior analysis and the model constructed are different from object to object. The objects of the network behavior analysis can be classified into the following types:
(1) User behavior analysis: statistics and analysis are carried out on the online data of users or roles to find regularities in network user behavior, and abnormal users or abnormal operations are detected and audited against those regularities.
(2) Host behavior analysis: the network transmission of terminals, servers and other devices is monitored from the host's perspective to find internal threats such as information leakage and malicious agents.
(3) Business behavior analysis: according to the characteristics, scenarios and targets of the various network services, a corresponding service behavior model is established for each; common service behavior analyses include mail service, DNS service and web service behavior analysis.
(4) Attack behavior analysis: behavior models of various attacks are established to detect attack behavior, such as scanning and probing attacks, DoS attacks and APTs.
(5) Application behavior analysis: applications are classified based on analysis of their network behavior, e.g. P2P, HTTP, FTP.
(6) Global network behavior analysis: all traffic is summarized together and the global state of the network is analyzed.
The common analysis methods for network behavior analysis and abnormal behavior detection mainly comprise: threshold decision methods, statistical analysis methods, clustering analysis methods, time series methods, feature matching methods, data mining methods, graph model-based analysis methods and the like.
(1) Threshold decision method: includes constant-threshold and adaptive-threshold methods. The constant-threshold detection method assigns a fixed threshold to a certain network parameter, and if the collected parameter value is found to exceed the preset threshold at some sampling time, an abnormal-behavior alarm is raised. The adaptive-threshold method does not set a fixed threshold but establishes a normal range for the network parameter; it is an improvement on constant-threshold detection that better meets the practical requirements of abnormal behavior detection and increases detection accuracy.
(2) Statistical analysis: the statistical analysis method describes network behavior with statistical variables; all statistical detection points together form a statistical model, and when the statistic of an observed value deviates from the model, abnormal behavior can be judged. Network behavior data is sampled at fixed time intervals, the sample data collected each time is computed on, and the network behavior is thereby described through a series of parameter variables from which a network behavior model is constructed. Common statistical indicators include: totals, relative indicators (year-on-year and period-on-period ratios), averages (arithmetic mean, geometric mean, mode, median), dispersion indicators (range, standard deviation, coefficient of variation, skewness, kurtosis), correlation indicators (Pearson's simple correlation coefficient) and the like. The theory of statistical analysis is mature and its algorithms are well developed; little prior knowledge is needed when it is used to detect abnormal behavior, and the behavioral characteristics of the object can be detected adaptively.
(3) Clustering analysis: indices related to network behavior are taken as features, a distance or similarity measure is defined, and network behaviors are then partitioned into groups or outliers are detected using various clustering algorithms. Common cluster analysis methods include partition-based clustering, hierarchical clustering, density-based clustering, model-based clustering, fuzzy clustering and the like. Partition-based clustering first requires the number of clusters K to be fixed, and then moves objects from one partition to another by iterative relocation to improve the quality of the partition; the K-means algorithm is a typical partition-based clustering algorithm. Hierarchical clustering includes both agglomerative and divisive variants. Agglomerative hierarchical clustering starts with each object as a single-point cluster and at each step merges the two nearest clusters until all objects are merged into one cluster; divisive hierarchical clustering starts with a cluster containing all objects and splits one cluster at each step until only single-point clusters remain. The main goal of density-based clustering algorithms is to find high-density regions separated by low-density regions. Unlike distance-based clustering algorithms, whose clusters are spherical, density-based clustering algorithms can find clusters of arbitrary shape, which matters for data containing noise points; DBSCAN is a typical density clustering algorithm. In addition, there are model-based clustering methods typified by the EM algorithm and fuzzy clustering algorithms typified by FCM.
(4) Time series method:
This method analyzes whether network behavior is normal or abnormal using time series. Some features in network traffic are correlated in time. By studying the trend of a characteristic attribute of the network flow (such as the change of IP addresses) over time, a time series model of normal traffic is computed, and the traffic under test is checked against the model to judge whether it is normal. Similarly, an abnormal traffic model may be fitted to determine the traffic anomalies exhibited when abnormal network behavior occurs.
(5) Feature matching method: feature matching methods can be divided into two categories. The first is statistical deviation detection, which establishes a baseline from historical data by statistical methods and raises an alarm when the current characteristics deviate markedly from the expected ones, assuming that user and network behavior is predictable and follows a certain pattern. The second is pattern matching detection, which models known attack types and the corresponding network configuration, and considers the corresponding network attack to be present when a match with a certain pattern is detected.
(6) Data mining method:
The data mining method does not require excessive domain knowledge and is suitable for complex data sources. For network abnormal behavior detection, data mining techniques can be used to build a concise and accurate model from a large number of network packets, and the model serves as the basis for judgment. Data mining can be divided into the following types: association analysis, data classification, sequence pattern mining and the like.
(7) Graph model-based analysis method:
In network behavior analysis, the nature of the communication relationships found by graph analysis (GA) techniques can be exploited to mine network traffic for the most influential host nodes, for example the Traffic Activity Graph (TAG) method, spectral clustering, graph-theoretic feature extraction and the like.
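An added example (not from the patent) contrasting the constant-threshold and adaptive-threshold methods of item (1) on a constructed series of per-interval flow counts: the constant threshold only has an upper bound, while the adaptive method learns a normal range from recent samples it judged normal and so also catches a collapse in traffic. The window size, the factor k = 3 and the minimum standard deviation floor are assumptions.

```python
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed sample: new flows per 10-second sampling interval for one host
# (not real traffic). Index 10 is a burst, index 12 a collapse to near zero.
SAMPLES: List[int] = [120, 131, 118, 125, 140, 122, 128, 135, 119, 127, 610, 124, 3]


def constant_threshold(samples: List[int], limit: int) -> List[int]:
    """Constant threshold: alarm at every sampling time where the value exceeds
    the preset limit. A drop in the parameter is never noticed."""
    return [i for i, x in enumerate(samples) if x > limit]


def adaptive_threshold(samples: List[int], window: int = 8, k: float = 3.0,
                       min_sd: float = 1.0) -> List[Tuple[int, int, float, float]]:
    """Adaptive threshold: the normal range [mu - k*sd, mu + k*sd] is learned from
    the last `window` samples previously judged normal; the first `window` samples
    seed the baseline. Alarmed samples are kept out of the baseline so that a burst
    does not widen the range for later samples, and sd is floored at `min_sd` so a
    perfectly flat history does not collapse the range to a single point.
    Returns (index, value, low, high) for each alarm."""
    if len(samples) <= window:
        return []                      # not enough history to learn a range
    normal = list(samples[:window])
    alarms = []
    for i in range(window, len(samples)):
        hist = normal[-window:]
        mu, sd = mean(hist), max(pstdev(hist), min_sd)
        low, high = mu - k * sd, mu + k * sd
        x = samples[i]
        if low <= x <= high:
            normal.append(x)           # judged normal: joins the baseline
        else:
            alarms.append((i, x, round(low, 2), round(high, 2)))
    return alarms


if __name__ == "__main__":
    print("constant :", constant_threshold(SAMPLES, 150))
    print("adaptive :", adaptive_threshold(SAMPLES))
```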
In this embodiment's monitoring of network traffic, behavior situation assessment is used for abnormal behavior monitoring, so that not only can attack behavior (for example, DDoS) be discovered in time and network faults (for example, routing problems) be detected, but illegal behavior (for example, P2P transmission of oversized files) can also be detected. More importantly, compared with misuse detection technology, anomaly detection can detect not only unknown new attacks but also internal threats.
Claims (4)
1. A power grid security situation awareness system, characterized by comprising a security data acquisition and storage module, an intrusion detection module, an intelligent situation analysis module and a situation visualization module;
the security data acquisition and storage module comprises a data processing layer and a data storage layer; the data processing layer is used for acquiring the network security data used for security situation awareness in the power industrial control system as original data and preprocessing the original data; the data storage layer is used for storing the preprocessed network security data; the network security data includes asset information data, network traffic data, log data, operational status data, vulnerability data and security event data;
the intrusion detection module is used for carrying out real-time security detection on the network messages in the log data and network traffic data using deep packet monitoring technology;
the intelligent situation analysis module is used for acquiring the stored network security data and the security detection results, inputting them into a pre-constructed machine learning model and knowledge base, and carrying out multi-angle security situation analysis according to situation indexes;
the intelligent situation analysis module comprises, according to the angle of security situation analysis, a comprehensive situation assessment sub-module, an asset situation assessment sub-module, a traffic situation assessment sub-module, a vulnerability situation assessment sub-module and a behavior situation assessment sub-module;
the comprehensive situation assessment sub-module is used for synthesizing two or more of the other situation assessments and then comprehensively assessing the situation indexes from the time dimension and/or the space dimension; the visualization of the comprehensive situation assessment uses any one or more of the following display modes: dashboard, counter, radar chart, pie chart and histogram;
the asset situation assessment submodule comprises an asset discovery unit, an asset attribute unit, an asset type judging unit and an asset situation assessment unit;
The asset discovery unit is used for discovering assets in the network from asset information data;
the asset attribute unit is used for complementing the attribute of the discovered asset;
the asset type judging unit adopts an asset fingerprint identification library to judge the type of the found asset;
the asset situation assessment unit is used for respectively carrying out all-dimensional asset security situation analysis from the aspects of asset types, network area angles and business system angles according to preset indexes; the comprehensive asset security posture analysis comprises asset type information, asset endangered information, asset vulnerability distribution, asset attacked distribution and asset risk posture;
the traffic situation assessment sub-module comprises a traffic analysis unit and a traffic situation assessment unit;
the traffic analysis unit is used for carrying out quantitative statistics and real-time association analysis on the traffic behavior in the network traffic data;
the traffic situation assessment unit is used for providing, from the data after statistics and association analysis, a visual presentation of the network space traffic situation together with intelligent prediction and early warning of network space traffic anomalies;
the vulnerability situation assessment sub-module comprises a vulnerability data processing unit and a vulnerability situation analysis unit;
the vulnerability data processing unit is used for deduplicating and merging the original vulnerability data in the vulnerability data that come from different kinds of vulnerability scanning tools, code audits, penetration tests, risk assessments and supervisory notifications, and for automatically standardizing the vulnerability information;
the vulnerability situation analysis unit analyzes the standardized vulnerability data according to analysis indexes using the vulnerability database in a preset knowledge base, and visually presents the analysis results; the analysis results include: vulnerability severity level statistical analysis; vulnerability type statistical analysis; asset type statistical analysis; vulnerability distribution impact and vulnerability focus;
the behavior situation assessment sub-module is used for analyzing network behavior using a threshold decision method, a statistical analysis method, a clustering analysis method, a time series method, a feature matching method, a data mining method or a graph model-based analysis method; the network behavior comprises user behavior, host behavior, business behavior, attack behavior, application behavior and global network behavior;
the situation visualization module is used for visually presenting the results of the security situation analysis.
2. The grid security situational awareness system of claim 1, wherein said knowledge base comprises a built-in database and an external database; the built-in database comprises an IP address library, a domain name library, a malicious IP address library, a malicious domain name library, a malicious URL library and a vulnerability information library; the external database comprises a GIS geographic information base, a threat information base and an asset management responsible person information base.
3. The grid security situational awareness system of claim 1, wherein the data processing layer comprises a data preprocessing sub-module comprising a normalization unit, a light summarization unit and a heavy summarization unit;
the normalization unit is used for ingesting the unstructured data among the original data into a message queue and normalizing the data through a stream computation process;
the light summarization unit is used for lightly summarizing the standardized data and storing the association analysis results generated during light summarization into the part;
the heavy summarization unit is used for ingesting the structured data among the original data into the storage layer, performing heavy summarization on the storage layer data, and storing the heavy summarization results in the distributed file storage layer.
4. The grid security situation awareness system according to claim 3, wherein the normalization unit comprises a data parsing subunit, a data cleansing subunit, a data conversion subunit and a data enhancement subunit;
the data parsing subunit is used for identifying the original data and distinguishing its data format;
the data cleansing subunit is used for deduplicating identical data obtained by different means;
the data conversion subunit is used for splitting the fields of the original data according to the format requirements so as to separate the different fields;
the data enhancement subunit is used for selectively enriching the data of the split fields to achieve field enhancement.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011424457.7A CN112651006B (en) | 2020-12-07 | 2020-12-07 | Power grid security situation sensing system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112651006A CN112651006A (en) | 2021-04-13 |
CN112651006B true CN112651006B (en) | 2023-08-25 |
Family
ID=75351097
Families Citing this family (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113098892B (en) * | 2021-04-19 | 2023-04-18 | 恒安嘉新(北京)科技股份公司 | Data leakage prevention system and method based on industrial Internet |
CN113364642A (en) * | 2021-05-17 | 2021-09-07 | 北京双湃智安科技有限公司 | Network security situation awareness visualization interface display device, system, method and equipment |
CN113392784B (en) * | 2021-06-18 | 2023-11-14 | 湖北中烟工业有限责任公司 | Automatic editing method for application security detection task based on vulnerability fingerprint identification |
CN113824682B (en) * | 2021-08-12 | 2024-05-31 | 浙江木链物联网科技有限公司 | Modularized SCADA security situation sensing system architecture |
CN113742720B (en) * | 2021-08-27 | 2022-11-25 | 贵州乌江水电开发有限责任公司 | Network security situation perception method based on multistage linkage mode |
CN114090374B (en) * | 2021-11-08 | 2024-05-28 | 北京许继电气有限公司 | Network security operation management platform |
CN114157506A (en) * | 2021-12-09 | 2022-03-08 | 中科计算技术西部研究院 | Network anomaly scanning method and system based on flow and activity analysis and storage medium |
CN114338214B (en) * | 2021-12-31 | 2023-08-18 | 中国联合网络通信集团有限公司 | Risk control method and system |
CN114615016B (en) * | 2022-02-09 | 2023-08-01 | 广东能源集团科学技术研究院有限公司 | Enterprise network security assessment method and device, mobile terminal and storage medium |
CN116680098B (en) * | 2022-02-23 | 2024-06-11 | 中国软件评测中心(工业和信息化部软件与集成电路促进中心) | Industrial robot safety monitoring method and device and electronic equipment |
CN114579824B (en) * | 2022-03-15 | 2023-05-09 | 四川聚能峰科技有限公司 | Equipment state identification method and identification terminal applied to industrial Internet |
CN114745188B (en) * | 2022-04-20 | 2024-05-28 | 医诺智能科技(广州)有限公司 | Intelligent sensing method and terminal for security situation of medical internet of things platform |
CN115001940A (en) * | 2022-05-27 | 2022-09-02 | 北京双湃智安科技有限公司 | Association security situation analysis method based on artificial intelligence |
CN115134131B (en) * | 2022-06-20 | 2023-10-20 | 中能融合智慧科技有限公司 | Internet of things communication transmission system based on situation awareness |
CN115277132B (en) * | 2022-07-14 | 2024-06-18 | 中国电子产品可靠性与环境试验研究所((工业和信息化部电子第五研究所)(中国赛宝实验室)) | Network security situation awareness method, device, computer equipment and storage medium |
CN115499320A (en) * | 2022-08-22 | 2022-12-20 | 中国南方电网有限责任公司超高压输电公司 | Monitoring system of network space assets |
CN115664697B (en) * | 2022-09-01 | 2023-06-13 | 国网河南省电力公司信息通信公司 | Multistage cascade Internet of things situation awareness system |
CN115460023B (en) * | 2022-11-14 | 2023-03-17 | 国能大渡河大数据服务有限公司 | Method and system for integrally guaranteeing network security |
CN116226705A (en) * | 2022-12-05 | 2023-06-06 | 安徽继远软件有限公司 | Situation awareness method based on power resource monitoring |
CN116318783B (en) * | 2022-12-05 | 2023-08-22 | 浙江大学 | Network industrial control equipment safety monitoring method and device based on safety index |
CN116015922B (en) * | 2022-12-29 | 2024-01-30 | 电子科技大学 | Network security situation analysis method, device and equipment of electric power Internet of things |
CN116756225B (en) * | 2023-08-14 | 2023-11-07 | 南京展研信息技术有限公司 | Situation data information processing method based on computer network security |
CN117176466B (en) * | 2023-09-28 | 2024-05-10 | 广东民新通信科技有限公司 | Information communication technology safety monitoring system and monitoring method thereof |
CN117056980A (en) * | 2023-10-13 | 2023-11-14 | 晨达(广州)网络科技有限公司 | Network security data storage method and system based on artificial intelligence |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107196910A (en) * | 2017-04-18 | 2017-09-22 | 国网山东省电力公司电力科学研究院 | Threat early-warning monitoring system, method and deployment framework based on big data analysis |
CN107332698A (en) * | 2017-06-19 | 2017-11-07 | 西北大学 | Security situation awareness system and method for the Ming Great Wall intelligent perception system |
CN110740141A (en) * | 2019-11-15 | 2020-01-31 | 国网山东省电力公司信息通信公司 | Integrated network security situation perception method, device and computer equipment |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160308898A1 (en) * | 2015-04-20 | 2016-10-20 | Phirelight Security Solutions Inc. | Systems and methods for tracking, analyzing and mitigating security threats in networks via a network traffic analysis platform |
- 2020-12-07 CN CN202011424457.7A patent/CN112651006B/en active Active
Non-Patent Citations (1)
Title |
---|
Research on an information security situation awareness system based on big data and artificial intelligence technology; 王海涛; 网络安全技术与应用 (03); full text * |
Also Published As
Publication number | Publication date |
---|---|
CN112651006A (en) | 2021-04-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112651006B (en) | | Power grid security situation sensing system |
US11606373B2 (en) | | Cyber threat defense system protecting email networks with machine learning models |
Goodall et al. | | Situ: Identifying and explaining suspicious behavior in networks |
CN110620759B (en) | | Multi-dimensional association-based network security event hazard index evaluation method and system |
US20230012220A1 (en) | | Method for determining likely malicious behavior based on abnormal behavior pattern comparison |
US8468599B2 (en) | | System and method for privacy-enhanced cyber data fusion using temporal-behavioral aggregation and analysis |
US20140165207A1 (en) | | Method for detecting anomaly action within a computer network |
EP4154143A1 (en) | | Cyber security for instant messaging across platforms |
Evesti et al. | | Cybersecurity situational awareness taxonomy |
CN114640548A (en) | | Network security sensing and early warning method and system based on big data |
CN114125083B (en) | | Industrial network distributed data acquisition method and device, electronic equipment and medium |
CN117792733A (en) | | Network threat detection method and related device |
Tellenbach | | Detection, classification and visualization of anomalies using generalized entropy metrics |
Pramudya et al. | | Implementation of signature-based intrusion detection system using SNORT to prevent threats in network servers |
Li et al. | | The research on network security visualization key technology |
Chae et al. | | Adaptive threshold selection for trust-based detection systems |
Protic et al. | | WK-FNN design for detection of anomalies in the computer network traffic |
Jain et al. | | The role of decision tree technique for automating intrusion detection system |
CN113194087A (en) | | Safety risk high-intensity monitoring system for different information domains |
Kalutarage | | Effective monitoring of slow suspicious activites on computer networks. |
Tafazzoli et al. | | A proposed architecture for network forensic system in large-scale networks |
Hommes et al. | | A distance-based method to detect anomalous attributes in log files |
CN116827698B (en) | | Network gateway flow security situation awareness system and method |
Taylor et al. | | Low cost network intrusion detection |
Kushwah et al. | | An approach to meta-alert generation for anomalous tcp traffic |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||