CN112769796B - Cloud network side collaborative defense method and system based on end side edge computing - Google Patents

Info

Publication number
CN112769796B
Authority
CN
China
Prior art keywords
flow
equipment
data
network
computing center
Prior art date
Legal status
Active
Application number
CN202011619791.8A
Other languages
Chinese (zh)
Other versions
CN112769796A (en)
Inventor
张晓良
石进
吴克河
杨文�
蔡军飞
张伟
Current Assignee
State Grid Corp of China SGCC
North China Electric Power University
State Grid Henan Electric Power Co Ltd
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
North China Electric Power University
State Grid Henan Electric Power Co Ltd
Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, North China Electric Power University, State Grid Henan Electric Power Co Ltd and Electric Power Research Institute of State Grid Henan Electric Power Co Ltd
Priority to CN202011619791.8A
Publication of CN112769796A
Application granted
Publication of CN112769796B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/23 Clustering techniques
    • G06F18/232 Non-hierarchical techniques
    • G06F18/2321 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions
    • G06F18/23213 Non-hierarchical techniques using statistics or function optimisation, e.g. modelling of probability density functions with fixed number of clusters, e.g. K-means clustering
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00 Machine learning
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The invention discloses a cloud network side cooperative defense method and system based on end side edge computing, relating to the information security of power engineering control systems. The method comprises the following steps: an edge computing center is set up on the terminal side to collect industrial control system terminal device information and communication traffic information; the attribute characteristics of industrial control power terminals are defined and identified with device fingerprints, which are collected automatically by Nmap scanning; a training model is built with a decision tree algorithm, realizing dynamic authentication of terminal device fingerprints. By configuring switch port mirroring, monitoring host traffic with an intelligent monitoring host and training a traffic baseline in the cloud computing center, abnormal traffic detection for industrial control terminal devices is realized, giving a cloud cooperative defense technique based on edge computing. Abnormal traffic detection for the power industrial control intranet is realized through traffic data acquisition, information-entropy quantification of traffic characteristic attributes and training with an improved semi-supervised K-means clustering algorithm, realizing real-time cloud network defense based on abnormal traffic detection.

Description

Cloud network side collaborative defense method and system based on end side edge computing
Technical Field
The invention relates to information security protection of an electric power engineering control system, in particular to a cloud network side collaborative defense method and system based on end side edge computing.
Background
With the rapid development of smart grids, the security problem of power engineering control systems is becoming more severe. In recent years, frequent security incidents in power engineering systems, in particular APT attacks such as Stuxnet, Flame and Duqu, fully reflect the severity of the situation faced by power engineering system information security.
Because industrial control system terminal devices sit at the edge of the industrial control system, and because their forms and characteristics are diverse and complex, they often become the primary target of attackers: an illegally connected industrial control terminal is used to attack or intrude on servers and other legitimate devices, so the entire security system of the industrial control system is challenged. The reason a traditional industrial control terminal is easy to counterfeit lies in the static nature of its identification information. Conventional industrial control terminal authentication schemes generally authenticate with information such as the device ID, user ID and IP address. The static nature of the device ID and user ID, and the openness of the IP address and MAC address, all allow this information to be easily scanned, read and counterfeited by attackers.
Under the trend of integrating industrial control system networks with the mobile internet, once an attacker breaks through the network security protection boundary of the power industrial control system, the attacker can cause great damage to the industrial control network. Existing abnormal traffic detection for intelligent substation networks must be paired with a switch capable of mirroring traffic; the mirrored traffic is captured to obtain the original message information, whether the traffic is abnormal is determined by simple statistics over the original messages, abnormal conditions are sent to a remote dispatching system, and the messages are stored. The defects of this detection mode are as follows: anomaly detection is carried out only by message comparison on the port-mirroring switch; only the number, length and protocol of the communication packets can be compared; the packets are not analysed and trained on a cloud platform to obtain the characteristics of the communication packets; and the false alarm rate and detection rate are poor. The patent application with publication number CN106357622A discloses a network abnormal traffic detection and defense system based on a software-defined network. Because its method of detecting abnormal traffic differs greatly from that of a traditional network, the traditional detection method no longer applies; by applying the idea of separating the network control plane from the data plane, the software-defined network provides a new solution for developing new network applications and handling network security problems. However, the software-defined network measures whether traffic is abnormal only from the viewpoint of a single network session, not from the viewpoint of the device as a whole, and normal access cannot be guaranteed at the source.
At present, many research results exist for the security defense of power engineering control systems and offer solutions for it. However, an industrial control system needs low-latency, real-time network control; as computing services grow, the cloud computing center must process the massive data generated by industrial control system devices in real time, and because all of this data and its operational analysis are handled by the cloud computing center, real-time performance cannot be guaranteed. The cloud computing center therefore needs to work cooperatively on the basis of edge computing and a cloud computing platform; however, no such scheme is provided in the prior art.
Disclosure of Invention
Purpose of the invention: aiming at the defects of the prior art, the invention provides a cloud network side cooperative defense method based on end side edge computing, which improves the capability of a power engineering control system to cope with attacks.
The invention further aims to provide a cloud network end collaborative defense system based on end-side edge computing.
Technical scheme: according to a first aspect of the embodiments of the present invention, a cloud network side collaborative defense method based on end-side edge computing is provided, comprising the following steps:
an edge computing center arranged on the terminal side of the power engineering system collects terminal device information of the industrial control system, builds a device fingerprint from the terminal device information and sends it to a cloud computing center; the cloud computing center builds a device fingerprint identification model, and intelligent dynamic authentication of the terminal devices of the power engineering system is carried out according to this model;
the mirroring function of a switch arranged in the edge computing center acquires the communication traffic of terminal devices and the control communication traffic inside the industrial control system and sends the traffic data to an intelligent monitoring host; the intelligent monitoring host forwards the traffic data uniformly to the cloud computing center, which establishes a traffic security baseline and sends it back to the intelligent monitoring host; the intelligent monitoring host then detects terminal device traffic against the traffic security baseline;
network traffic data inside the power engineering control system network is obtained and sent to the cloud computing center; the cloud computing center performs entropy quantification according to network traffic characteristic attributes, generates a normal traffic clustering center and an abnormal traffic clustering center with a clustering analysis model, establishes a normal traffic model base from the normal traffic clustering center, and detects abnormal network traffic based on the normal traffic model base.
The edge computing center collecting the terminal device information of the industrial control system and building the device fingerprint from it specifically comprises: the edge computing center obtains the IP address of an industrial control system terminal device, performs Nmap sniffing on that IP address, obtains the relevant information of the device at that address, and combines this information into the fingerprint of the device. The information sniffed by Nmap includes the terminal's online status, open ports, service protocols, device application names, version numbers, device names, device types and other details.
The cloud computing center establishing the device fingerprint identification model comprises: designing the collected industrial control system terminal device information into a data table whose fields include online state, open ports, service protocols, device application names, version numbers, device names and device types; importing, converting and exporting the fingerprint data to files through the Python csv module; importing the generated data in the csv files into the Sklearn module, which integrates a decision tree algorithm; and creating a classification training model.
The intelligent monitoring host detecting terminal device traffic according to the traffic security baseline comprises: the intelligent monitoring host switches to working mode, collects device communication traffic in real time and judges abnormal traffic for each device according to the traffic security baseline; the judgment dimensions comprise outbound traffic, inbound traffic, total traffic and accessed ports; when an operation outside the security baseline occurs, an abnormal traffic alarm is generated and a log entry is recorded.
The network traffic data inside the power engineering control system is acquired according to the following data acquisition strategies: matching different acquisition frequency coefficients to the security level of the area where the device is located; setting different acquisition frequency coefficients for different functions and purposes; adjusting the current acquisition frequency according to the congestion of the link; and adjusting the acquisition frequency of the current device according to its load, so that normal operation of the industrial control system functions is guaranteed.
The cloud computing center performing entropy quantification according to the network traffic characteristic attribute comprises: taking the $N$ packets captured in time order as one unit flow, obtaining the occurrence frequency of a certain characteristic attribute within the unit flow and recording it as $X = \{X_1, X_2, \dots, X_N\}$, and calculating the attribute entropy value of the attack event for the unit flow, where the attribute comprises one or more of IP address, industrial control protocol, source port and destination port; the entropy calculation formula (1) is:
[formula (1): equation image BDA0002872058960000031, not reproduced in the text]
where $Y = \{n_i\ (i = 1, 2, \dots, M)\}$ indicates that the $i$-th instance of a certain characteristic attribute in the measured data occurs $n_i$ times;
[equation image BDA0002872058960000032, not reproduced in the text]
represents the total number of occurrences of the characteristic attribute, and $M$ is the total number of distinct instances of the characteristic attribute in the unit flow; substituting
[equation image BDA0002872058960000033, not reproduced in the text]
into formula (1) gives the characteristic attribute entropy value of the unit flow.
Generating the normal traffic clustering center and the abnormal traffic clustering center with the clustering analysis model comprises: recording the entropy value data set of a certain characteristic attribute obtained from $N$ network traffic data samples as $D = (X_1, X_2, \dots, X_N)$; first taking the number of labelled normal traffic packets as the value $K$, then randomly selecting $K$ data points from the labelled network traffic data samples as the initial clustering centers and, under the condition $K \le N$, partitioning the characteristic attribute entropy data into $S = \{S_1, S_2, \dots, S_K\}$; using the Euclidean distance to measure the distance between each remaining data point and the mean of each $S_i$ (its clustering center), assigning each data point to the most similar $S_i$ according to the calculated distance, recalculating the mean of each $S_i$ from its members and updating it as the new mean of $S_i$; and repeating the above process until the minimum variance function converges.
Detecting abnormal network traffic based on the normal traffic model base comprises: sampling the traffic in the network at regular intervals and performing statistical analysis on the current sampled traffic to obtain its statistical characteristics; accessing the normal traffic model base, statistically comparing the characteristics of the current sampled traffic with those in the normal traffic model, calculating whether the deviation of the current traffic characteristics from normal traffic lies within the confidence space, and judging whether the current traffic condition is normal; if the traffic is detected as normal, adding the current traffic characteristics to the normal traffic model base so that the comparison base grows, and if it is detected as abnormal, generating an anomaly detection report and raising an anomaly alarm.
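The three stages above (entropy quantification per characteristic attribute, K-means seeded from labelled samples, and comparison of a new sample against the normal traffic model base) carried through in Python as an added example; this is not the patent's own code. It assumes formula (1) is Shannon entropy with p_i = n_i / (sum of all n_i), takes the "confidence space" as a band of mean plus three standard deviations on the distance to the normal center, and uses constructed packets, with a single-source sweep of many destination ports standing in for the abnormal class.

```python
"""Entropy quantification, seeded K-means and baseline comparison for the
cloud-network traffic detection described above. Added example, not the
patent's code. Assumptions: formula (1) is Shannon entropy over
p_i = n_i / sum(n_i); the packets below are constructed; the "confidence
space" is mean + 3 standard deviations of distance to the normal centre."""
import math
import random
from collections import Counter

ATTRIBUTES = ("src_ip", "protocol", "src_port", "dst_port")


def attribute_entropy(packets, attribute):
    """Entropy of one characteristic attribute over a unit flow of N packets.
    n_i = count of the i-th distinct instance (Y in the text), M = len(counts)."""
    counts = Counter(p[attribute] for p in packets)
    total = sum(counts.values())                       # sum of all n_i
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def entropy_vector(packets):
    """One entropy value per attribute: the data sample X_j for a unit flow."""
    return [attribute_entropy(packets, a) for a in ATTRIBUTES]


def _dist(a, b):                                       # Euclidean distance
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _mean(points):
    return [sum(col) / len(points) for col in zip(*points)]


def seeded_kmeans(samples, labelled, seed=0, max_iter=100):
    """K-means with K = number of labelled classes and one random labelled
    sample per class as initial centre; iterates until assignments stop changing."""
    rng = random.Random(seed)
    classes = list(labelled)
    centres = [rng.choice(labelled[c]) for c in classes]
    assignment = None
    for _ in range(max_iter):
        clusters = [[] for _ in classes]
        new = [min(range(len(classes)), key=lambda i: _dist(s, centres[i])) for s in samples]
        for k, s in zip(new, samples):
            clusters[k].append(s)
        if new == assignment:
            break
        assignment = new
        centres = [_mean(c) if c else centres[i] for i, c in enumerate(clusters)]
    return dict(zip(classes, centres))


def build_normal_model(normal_samples, centre):
    """Normal flow model base: the normal centre plus the spread of distances to it."""
    d = [_dist(s, centre) for s in normal_samples]
    mu = sum(d) / len(d)
    sd = math.sqrt(sum((x - mu) ** 2 for x in d) / len(d))
    return {"centre": centre, "mean_dist": mu, "std_dist": sd, "samples": list(normal_samples)}


def detect(model, sample, z=3.0):
    """True if the sampled flow leaves the confidence space; normal samples
    are appended to the model base so the comparison base grows."""
    if _dist(sample, model["centre"]) <= model["mean_dist"] + z * model["std_dist"]:
        model["samples"].append(sample)
        return False
    return True


def make_flow(n, src_ips, dst_ports, seed):
    """Constructed unit flow of n Modbus/TCP packets (sample data, not a capture)."""
    rng = random.Random(seed)
    return [{"src_ip": rng.choice(src_ips), "protocol": "modbus",
             "src_port": str(rng.randint(40000, 40100)),
             "dst_port": rng.choice(dst_ports)} for _ in range(n)]


HMIS = ["10.1.0.11", "10.1.0.12", "10.1.0.13"]
NORMAL_FLOWS = [make_flow(200, HMIS, ["502"], s) for s in range(8)]
# Abnormal class: one source touching many destination ports (high dst_port entropy).
SCAN_FLOWS = [make_flow(200, ["10.1.0.99"], [str(p) for p in range(1, 1025)], s)
              for s in (100, 101)]


def run_demo():
    normal = [entropy_vector(f) for f in NORMAL_FLOWS]
    scans = [entropy_vector(f) for f in SCAN_FLOWS]
    centres = seeded_kmeans(normal + scans, {"normal": normal[:2], "abnormal": scans[:1]})
    model = build_normal_model(normal, centres["normal"])
    return centres, model, [detect(model, s) for s in normal[:2] + scans]
```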
According to a second aspect of the embodiments of the present invention, there is provided a cloud network side collaborative defense system based on end-side edge computing, comprising:
a cloud-end cooperative authentication module, comprising a cloud computing center and an edge computing center arranged on the terminal side of the power engineering system, wherein the edge computing center collects information of terminal devices of the industrial control system, builds a device fingerprint from the terminal device information and sends it to the cloud computing center, and the cloud computing center establishes a device fingerprint identification model and carries out intelligent dynamic authentication of the power engineering system's terminal devices according to it;
a cloud-end cooperative traffic detection module, comprising a switch arranged in the edge computing center, an intelligent monitoring host that can be placed at any position in the network, and the cloud computing center, wherein the switch has a mirroring function and acquires the communication traffic of terminal devices and the internal control communication traffic of the industrial control system and sends the traffic data to the intelligent monitoring host, the intelligent monitoring host forwards the traffic data uniformly to the cloud computing center, the cloud computing center establishes a traffic security baseline and sends it to the intelligent monitoring host, and the intelligent monitoring host detects terminal device traffic according to the traffic security baseline;
a cloud-network cooperative traffic detection module, comprising traffic collection equipment and the cloud computing center, wherein the traffic collection equipment obtains network traffic data inside the power engineering control system network and sends it to the cloud computing center, and the cloud computing center performs entropy quantification according to network traffic characteristic attributes, generates a normal traffic clustering center and an abnormal traffic clustering center with a clustering analysis model, establishes a normal traffic model base from the normal traffic clustering center, and detects abnormal network traffic based on it.
Beneficial effects: according to the invention, cloud-network cooperation ensures normal operation of the internal network communication of the power engineering control system, and cloud-end cooperation ensures, through device fingerprint authentication, that the communication traffic transmitted to and from each device is normal, so that normal access is guaranteed at the source. The cloud computing center trains the communication traffic characteristics from data offline, while the end-side edge computing center detects terminal communication traffic in real time. The cloud network end collaborative defense method based on end-side edge computing thus provides a new solution, and the beneficial effects are specifically embodied as follows:
(1) Cloud-end cooperative defense is realized. Industrial control terminal devices are protected through data acquisition, Nmap sniffing, decision tree classification training and dynamic authentication of terminal devices by edge computing, preventing damage to the industrial control system by maliciously impersonated terminals. By analysing the communication traffic of the detected terminal, once abnormal traffic is detected a corresponding abnormal traffic log can be generated for later historical log queries, providing strong technical support for the secure, stable and reliable operation of the user's industrial network.
(2) Cloud-network cooperative defense is realized. According to the characteristics of the power industrial control system, an architecture deployment and data acquisition mode for a security monitoring and early warning platform of the power grid industrial control system is provided; a method for quantifying the network traffic characteristic attributes of the power grid industrial control system based on information entropy is adopted, and a cluster analysis model realizes abnormal traffic detection for the global network. This eliminates the data fragmentation caused by current security islands, monitors the security state of each link of each control system in the production control network in real time, and thereby finds potential security hazards in the production control network environment in time.
Drawings
FIG. 1 is a flowchart of the cloud network side collaborative defense method based on end-side edge computing according to the present invention;
FIG. 2 is a flow chart of the detection of the industrial power control terminal device according to the present invention;
FIG. 3 is a flow chart of dynamic authentication of the electrical industrial control terminal device according to the present invention;
FIG. 4 is a flow chart of the network traffic anomaly detection of the power engineering system of the present invention.
Detailed Description
The technical scheme of the invention is further explained with reference to the attached drawings.
With the rapid development of intelligent power engineering control systems, their security problems are becoming more severe, and the terminal data acquisition devices of power engineering control systems have become targets of attackers. According to the invention, an edge computing center is arranged at the edge of the industrial control system to handle the authentication and traffic detection tasks of end-side terminal devices in real time, and the cloud computing center trains the traffic detection model through machine learning, so that secure and stable operation of the power industrial control system is ensured.
Referring to FIG. 1, the present invention focuses on dynamic authentication and communication traffic detection of data acquisition terminal devices. Terminal dynamic authentication uses a dynamic, complex combination of identification information, for example an IP address, operating system version, port state and network access location, to form a dynamic device fingerprint identifying the current state of the device. When the edge computing center receives the IP of an industrial control terminal device, it first judges whether the IP address exists. If the IP exists, Nmap scanning collects data such as the operating system and open port numbers of that IP, and the obtained data is imported into a database. The data imported into the database is trained by classification to generate a training model, and intelligent fingerprint authentication of the terminal device is performed on the basis of that training model.
The device fingerprint combines static device information with dynamic user behaviour data, constructs a more dynamic and complex combination of identification information, and provides a new approach to accurate authentication of industrial control terminals. For example, combining information such as IP address, port status and network access location constitutes a dynamic device fingerprint that identifies the current status of the device. Device fingerprints introduce dynamics and complexity into device identification: a device may correspond to different device fingerprint instances at different times, and may generate a new device fingerprint instance at any time.
Traffic detection comprises traffic detection of terminal devices and communication traffic detection of internal devices of the industrial control network. Data acquisition terminal traffic detection uses a switch mirror configured in the edge computing center: the mirrored data is sent to an intelligent monitoring host to be collated and forwarded uniformly to the cloud center. The intelligent monitoring host can be connected in series at a specified position in the network to perform data acquisition, and after the cloud computing center has trained a traffic operation baseline it is fed back to the intelligent monitoring host for traffic detection.
Communication traffic detection of internal devices of the industrial control network samples the traffic in the network at regular intervals and performs statistical analysis on the current sampled traffic to obtain its statistical characteristics. The normal traffic model base is accessed, the characteristics of the current sampled traffic are statistically compared with those in the normal traffic model, and whether the deviation of the current traffic characteristics from normal traffic lies within the confidence space is calculated, thereby judging whether the current traffic condition is normal. If the traffic is detected as normal, the current traffic characteristics are added to the normal traffic model base, increasing the capacity of the comparison base. If the current traffic is detected as abnormal, an anomaly detection report is generated and the abnormal traffic condition is sent to the monitoring system for an anomaly alarm.
Referring to FIG. 2 and FIG. 3, the power industrial control terminal device provided by the present invention performs dynamic authentication, and the main process is as follows: when the edge computing center receives the IP of an industrial control data acquisition terminal, it first judges whether the IP address exists. If it exists, Nmap scans the operating system and open port numbers of that IP, and the obtained data is imported into a database and uploaded to the cloud computing center. The data imported into the database is trained by classification to generate a training model, and the terminal device fingerprint is dynamically authenticated on the basis of that training model.
The method specifically comprises the following steps:
(1) device fingerprint definition: the basis of the dynamic authentication of the industrial control terminal is to extract the fingerprint of the equipment. The Nmap sniffs information including terminal presence status, open ports, service agreements, device application names, version numbers, device names, device types, and other details. The definition of device fingerprints is mainly intended to uniquely identify a specific terminal, for example: combining device types, open ports, and service protocols can all better identify devices.
(2) Terminal detection: and (4) carrying out batch sniffing on the terminal equipment to be detected by utilizing an Nmap tool. A terminal detection module is developed, and the main function comprises reading an IP row in a file; automatically scanning a terminal corresponding to the IP; the device fingerprint (characteristic information) is extracted and imported into a database.
(3) Model training: the main function is to train the classifier. And (3) selecting and preprocessing the acquired device characteristic information, and importing the normalized device fingerprint training set into a classification algorithm module so as to create a classification training model. Specifically, firstly, the collected sniffed terminal device fingerprint data is designed into fields including an online state, an open port, a service protocol, a device application program name, a version number, a device name and a device type data table, and the fingerprint data is imported, converted and exported to a file through a csv module of Python so as to be trained later. And training the data in the generated csv file. Dividing all data into 2 parts, and taking 90% of data as a training set; 10% was used as a test set to verify the accuracy of the generated model. And exporting the generated model as a classifier model, and detecting and identifying subsequent device fingerprints on the basis of the classifier model.
In training classification models the construction of the classifier is key; many machine learning algorithms can build a classifier, and different methods give different classification effects. In the embodiment of the invention, logistic regression is selected for training.
The Python Sklearn module integrates the decision tree algorithm and other machine learning algorithms, and the steps for calling them are similar. The specific steps are as follows.
1) Import the sklearn module;
2) Divide the device fingerprint data into feature data and classification (label) data;
3) Import the model_selection.train_test_split function and split the data set into training-set features, test-set features, training-set target values and test-set target values;
4) Import the sklearn.tree.DecisionTreeClassifier function and instantiate a decision tree classifier;
5) Train the model using the training set;
6) Import the sklearn.metrics.accuracy_score evaluation method to check the accuracy of the prediction results;
7) Import the sklearn.externals.joblib class to export the trained model.
(4) Dynamic fingerprint authentication of the terminal equipment: device authentication is realized through the trained classifier. The authentication result determines the unique identity of the device and confirms that it is a normal terminal of the industrial control system rather than an illegal device. According to the trained model, different terminal devices have different fingerprint characteristic information, and the edge computing center identifies and authenticates them by communicating with the terminal devices. The main steps are collecting the device's fingerprint information and detecting the obtained characteristic information with the trained model to obtain a judgment result. The part that scans the target IP and collects the terminal device fingerprint calls the terminal detection module; the obtained classifier training model is then imported with the load() method of the joblib subclass of Python Sklearn, and the model predicts on the scanned information to obtain the judgment result.
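As an added example (not code from the patent), the fingerprint-to-classifier pipeline of steps (1) to (4) in plain Python: the Nmap-derived fields are one-hot encoded, a multinomial logistic regression (the algorithm the embodiment selects) is fitted from scratch instead of through Sklearn so the block runs offline, and a confidence threshold turns the prediction into an accept/reject authentication decision. The device records, field names, class labels and the 0.6 threshold are constructed assumptions.

```python
"""Device-fingerprint classification for terminal authentication (added example)."""
import math

# Fingerprint fields the page derives from Nmap sniffing.
FIELDS = ("state", "ports", "protocol", "app", "version", "name", "dev_type")

def fingerprint(state, ports, protocol, app, version, name, dev_type):
    """One device-fingerprint record built from the sniffed fields."""
    return dict(zip(FIELDS, (state, ports, protocol, app, version, name, dev_type)))

# Constructed training set: three classes of legitimate terminals, two records each.
TRAINING_RECORDS = [
    (fingerprint("up", "502", "modbus", "modbusd", "1.2", "plc-01", "plc"), "plc"),
    (fingerprint("up", "502,80", "modbus", "modbusd", "1.3", "plc-02", "plc"), "plc"),
    (fingerprint("up", "20000", "dnp3", "dnp3d", "2.0", "rtu-01", "rtu"), "rtu"),
    (fingerprint("up", "20000,80", "dnp3", "dnp3d", "2.1", "rtu-02", "rtu"), "rtu"),
    (fingerprint("up", "4840", "opcua", "opcuasrv", "3.0", "hmi-01", "hmi"), "hmi"),
    (fingerprint("up", "4840,80", "opcua", "opcuasrv", "3.1", "hmi-02", "hmi"), "hmi"),
]

def feature_keys(fp):
    """Normalize a record into (field, value) keys; the open-port list is split
    so that every port becomes a feature of its own."""
    keys = []
    for field in FIELDS:
        value = str(fp.get(field, "")).strip().lower()
        if field == "ports":
            keys.extend(("port", p.strip()) for p in value.split(",") if p.strip())
        else:
            keys.append((field, value))
    return keys

def build_vocabulary(records):
    vocab = {}
    for fp, _ in records:
        for key in feature_keys(fp):
            vocab.setdefault(key, len(vocab))
    return vocab

def encode(fp, vocab):
    """One-hot vector; values never seen during training contribute nothing."""
    vec = [0.0] * len(vocab)
    for key in feature_keys(fp):
        if key in vocab:
            vec[vocab[key]] = 1.0
    return vec

class FingerprintClassifier:
    """Multinomial logistic regression fitted by batch gradient descent."""

    def __init__(self, records, lr=0.5, epochs=300):
        self.vocab = build_vocabulary(records)
        self.classes = sorted({label for _, label in records})
        n_feat, n_cls = len(self.vocab), len(self.classes)
        self.w = [[0.0] * n_feat for _ in range(n_cls)]
        self.b = [0.0] * n_cls
        xs = [encode(fp, self.vocab) for fp, _ in records]
        ys = [self.classes.index(label) for _, label in records]
        for _ in range(epochs):
            gw = [[0.0] * n_feat for _ in range(n_cls)]
            gb = [0.0] * n_cls
            for x, y in zip(xs, ys):
                probs = self.probabilities(x)
                for c in range(n_cls):
                    err = probs[c] - (1.0 if c == y else 0.0)  # gradient of the log-loss
                    gb[c] += err
                    for j, xj in enumerate(x):
                        if xj:
                            gw[c][j] += err * xj
            for c in range(n_cls):
                self.b[c] -= lr * gb[c] / len(xs)
                for j in range(n_feat):
                    self.w[c][j] -= lr * gw[c][j] / len(xs)

    def probabilities(self, x):
        logits = [self.b[c] + sum(wj * xj for wj, xj in zip(self.w[c], x))
                  for c in range(len(self.classes))]
        top = max(logits)  # subtract the maximum for numerical stability
        exps = [math.exp(v - top) for v in logits]
        total = sum(exps)
        return [e / total for e in exps]

    def predict(self, fp):
        probs = self.probabilities(encode(fp, self.vocab))
        best = max(range(len(probs)), key=probs.__getitem__)
        return self.classes[best], probs[best]

def accuracy(model, records):
    """Share of records classified correctly (the page keeps 10% aside for this)."""
    return sum(model.predict(fp)[0] == label for fp, label in records) / len(records)

def authenticate(model, fp, threshold=0.6):
    """Dynamic authentication: accept only a confidently recognised terminal; a
    fingerprint of values never seen in training is rejected (threshold assumed)."""
    label, confidence = model.predict(fp)
    return ("accept" if confidence >= threshold else "reject", label, round(confidence, 3))
```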
The flow detection of the power engineering system comprises detection of the data acquisition terminal equipment flow, of the control communication flow inside the industrial control system (the control plane flow), and of the network flow inside the industrial control system (the forwarding layer flow). The data acquisition terminal equipment flow is the communication flow between the terminal acquisition equipment and the edge computing center together with the collected user electricity consumption data; the control plane flow is detected with a trained baseline, in the following steps:
step 1: the switch mirror image is arranged in the edge computing center, the data of the mirror image is sent to the intelligent monitoring host for unified management, the intelligent monitoring host can be connected into a designated position in a network in series for data acquisition, and the arrangement mode of the intelligent monitoring host is selected and set according to the actual condition of the power industrial control network.
Step 2: and starting a learning mode, collecting flow data of the data acquisition terminal by the edge computing center, sending the flow data to the cloud side for training, and generating a flow operation safety baseline of the data acquisition terminal at the cloud side, wherein the baseline refers to the characteristic of normal communication flow in the operation process of the electric power industrial control equipment. The cloud computing center feeds the flow safety baseline back to the edge computing center, and the intelligent monitoring host establishes a network flow monitoring baseline.
And step 3: and (3) starting abnormal flow monitoring: after the network flow monitoring base line is formed in the step 2, the intelligent monitoring host is switched to a working operation mode, and flow collection and abnormal flow judgment are formally started.
And 4, step 4: the method comprises the steps of collecting flow in real time, and according to a flow baseline, judging abnormal flow of each device, wherein the abnormal flow comprises outflow flow, inflow flow, total flow and several dimensions of accessed ports, and abnormal operation of the devices is caused by abnormal control command communication flow in the electric power engineering system, and once the abnormal operation is caused in the safety baseline, the next step is carried out.
And 5: generating abnormal flow alarm and recording log: when abnormal flow occurs, the equipment corresponding to the monitoring page is changed into an alarm state, an alarm log capable of being inquired subsequently is generated, and when the equipment does not have the abnormal flow currently but has the abnormality historically but the corresponding abnormal log is not processed in the monitoring page, a corresponding prompt is presented on the monitoring page.
Step 6: the monitoring is restarted. After a monitoring period, the corresponding normal flow and abnormal flow are reset, and the monitoring of the next period is restarted.
In the edge computing center, the intelligent monitoring host is deployed in bypass mode at an industrial switch that supports port mirroring, and it copies all network flow passing through the switch via the switch's mirror port. Because it is deployed in bypass mode and only receives network flow, the intelligent monitoring host injects no interfering packets into the industrial control network and therefore cannot affect the production control process.
The network flow monitoring baseline is established with the help of an intelligent learning engine, which generates a flow model from the following elements: a. service type; b. monitored subject; c. monitoring time; d. uplink flow; e. downlink flow; f. special peaks; g. special troughs. Of these, the basic training data set differs according to the service type, and the monitored subjects are all edge terminal devices in the power engineering system that can send or receive data.
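The six-step baseline procedure above, as an added example that is not part of the patent: a cloud-side routine trains the baseline from learning-mode samples, and an intelligent-monitoring-host model judges live samples on the outflow, inflow, total-flow and accessed-port dimensions, raises alarms, logs them, shows the unprocessed-history prompt and resets at the end of each period. Device names, byte counts, the max-with-margin baseline rule and the 1.2 tolerance factor are constructed assumptions.

```python
"""Flow safety baseline training and abnormal-flow monitoring (added example)."""

DIMENSIONS = ("outflow", "inflow", "total")  # byte-count dimensions judged per device

def _values(sample):
    return {"outflow": sample["outflow"], "inflow": sample["inflow"],
            "total": sample["outflow"] + sample["inflow"]}

def cloud_train_baseline(learning_samples, margin=1.2):
    """Cloud-side training: per device, the largest value seen in learning mode for
    each dimension, widened by a tolerance margin, plus the set of ports accessed.
    (Max-with-margin and the 1.2 factor are assumptions of this example.)"""
    baseline = {}
    for s in learning_samples:
        b = baseline.setdefault(s["device"], {**{d: 0.0 for d in DIMENSIONS}, "ports": set()})
        for d, v in _values(s).items():
            b[d] = max(b[d], v * margin)
        b["ports"] |= set(s["ports"])
    return baseline

class IntelligentMonitor:
    """Intelligent monitoring host: judges live samples against the baseline."""

    def __init__(self, baseline):
        self.baseline = baseline
        self.mode = "learning"
        self.period = 0
        self.state = {dev: "normal" for dev in baseline}
        self.logs = []  # alarm logs, queryable later

    def start_monitoring(self):
        """Step 3: baseline received, switch to working mode."""
        self.mode = "working"

    def judge(self, sample):
        """Step 4: the dimensions in which the sample leaves the device's baseline."""
        b = self.baseline.get(sample["device"])
        if b is None:
            return ["unknown-device"]  # a device that never appeared in learning mode
        violated = [d for d, v in _values(sample).items() if v > b[d]]
        if set(sample["ports"]) - b["ports"]:
            violated.append("ports")
        return violated

    def observe(self, sample):
        """Steps 4-5: judge a live sample; on deviation mark the device alarmed and log it."""
        if self.mode != "working":
            raise RuntimeError("no baseline yet: host is still in learning mode")
        violated = self.judge(sample)
        if violated:
            self.state[sample["device"]] = "alarm"
            self.logs.append({"id": len(self.logs), "period": self.period,
                              "device": sample["device"], "dimensions": violated,
                              "processed": False})
        return violated

    def page_view(self):
        """Monitoring page: 'alarm' while abnormal, 'prompt' when the device is
        currently quiet but an earlier alarm log was never processed."""
        view = {}
        for dev, state in self.state.items():
            pending = any(log["device"] == dev and not log["processed"] for log in self.logs)
            view[dev] = state if state == "alarm" else ("prompt" if pending else "normal")
        return view

    def process_log(self, log_id):
        self.logs[log_id]["processed"] = True

    def next_period(self):
        """Step 6: reset the per-period states and restart monitoring."""
        self.period += 1
        for dev in self.state:
            self.state[dev] = "normal"

# Constructed learning-mode samples from two data acquisition terminals.
LEARNING_SAMPLES = [
    {"device": "meter-01", "outflow": 1200, "inflow": 300, "ports": {502}},
    {"device": "meter-01", "outflow": 1350, "inflow": 320, "ports": {502}},
    {"device": "meter-02", "outflow": 800, "inflow": 200, "ports": {502, 161}},
    {"device": "meter-02", "outflow": 900, "inflow": 250, "ports": {502}},
]
```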
Referring to fig. 4, the internal network abnormal flow detection of the cloud-network cooperative power engineering system provided by the present invention comprises the following steps:
Step one: collecting flow data.
Unlike the collection of the control communication flow in the network, this part of the flow data is collected by installing Wireshark on the human-machine interface (HMI) with WinPcap as its capture interface; WinPcap exchanges data and messages directly with the network card and collects the interactive data between the HMI operator station and the controller. The HMI is a set of software and hardware that allows an operator to monitor the process under control, modify control settings to change control targets, and manually override automatic control operations in an emergency.
The industrial control system of the power grid differs from an ordinary network system in that it cannot tolerate a system breakdown in terms of stability. The network data acquisition strategy of the power grid industrial control system is therefore as follows: match different acquisition frequency coefficients to the security level of the area where the equipment is located; set different acquisition frequency coefficients according to different functions and purposes; reasonably change the current acquisition frequency according to the congestion condition of the link; and reasonably change the acquisition frequency of the current equipment according to its load condition, so that normal operation of the industrial control system functions is guaranteed. The network flow data collected by the power grid industrial control system also differ from general network flow data: first, the data length is smaller than that of general data; second, periodic information data predominate; third, the data flow direction is fixed; fourth, the timing is strict and the response time short.
Step two: preprocessing the flow characteristic attributes by information entropy quantization.
According to the characteristics of the network flow data of the power grid industrial control system, normal and abnormal flow differ greatly in their distribution over the various attributes, so the flow characteristic attributes can be quantized by information entropy, and the entropy values of these attributes analysed to detect flow anomalies in the power grid industrial control system. Information entropy is the information-theoretic measure of the total amount of information. The more ordered the data, the more concentrated and regular its distribution and the lower its information entropy; conversely, the more disordered the data, the higher the entropy. The address entropy reflects the distribution of the IP addresses of attack events: the more chaotic and dispersed the IP addresses, the higher the address entropy; the more ordered and concentrated they are, the lower it is. Many large-scale information security events show up as anomalies in the distribution of IP addresses. The captured N packets are divided in time order into units, for example subsets of 1000 packets, each subset being defined as a unit flow; the number of occurrences of a given characteristic attribute in a unit flow is obtained and recorded as X = {X_1, X_2, ..., X_N}. From the unit flow, the attribute entropies of the IP address, industrial control protocol, source port and destination port of an attack event can then be calculated.
Taking the source IP address entropy of a unit flow as an example: let M be the number of distinct source IPs appearing in X, and n_i (i = 1, 2, ..., M) the number of times each distinct source IP appears, so that

$$\sum_{i=1}^{M} n_i$$

is the total number of occurrences of the characteristic attribute. The IP address entropy is then calculated as

$$H(X) = -\sum_{i=1}^{M} p_i \log p_i \qquad (1)$$

where Y = {n_i (i = 1, 2, ..., M)} records that the i-th value of the characteristic attribute occurred n_i times in the measurement data, $\sum_{i=1}^{M} n_i$ is the total number of occurrences of the characteristic attribute, and

$$p_i = \frac{n_i}{\sum_{j=1}^{M} n_j}$$

is substituted into formula (1) to obtain the entropy of the source IP addresses of the unit flow. In the same way, every attribute feature of the network traffic can be quantized numerically by its information entropy.
Step three: and (5) formulating a detection model.
According to the characteristics of relatively fixed network flow data flow direction, strong periodic time sequence and the like of the power grid industrial control system, normal flow data are set to be marked data samples, abnormal flow data do not need to be marked so as to reduce processing complexity, the marked data are initialized, cluster analysis and comparison are carried out on the marked data and unmarked samples, an analysis model is established, and detection rules are formulated.
And the probability distribution after the marked sample data and the unmarked sample data are combined is utilized for learning, so that the learning speed is improved. And classifying the characteristic attribute entropy values of the power grid industrial control flow by using an improved semi-supervised clustering K-means algorithm. The K-mean algorithm has two problems: firstly, the initial value of the K value is selected differently, so that the obtained clustering result has larger difference, and the clustering analysis effect is influenced; secondly, some individual deviation data areas or isolated data points which do not accord with most data characteristics can cause great deviation of the average value, and influence the overall clustering accuracy. The method improves the selection of the K value of the K-means algorithm and the selection of the initial value of the clustering center, and because the flow direction of normal network flow in the power grid industrial control system is relatively fixed, the K value can select the number of marked normal flow packets in the traditional K-means algorithm; in the selection of the clustering center particles, the average value of the clustering centers is not used as a reference point, but the central point of the clustering centers is used as a reference point, so that the adverse effect of isolated points on the analysis of the K-means algorithm can be effectively avoided.
Firstly, determining a K value, then randomly selecting K data from a marked data sample as a clustering initial center, randomly selecting one of the K data as a central point object, distributing the rest non-central point objects to a clustering center Si represented by the nearest central point object according to the distance between the non-central point object and each central point object, continuously repeating the processes, repeatedly replacing the central point object with the non-central point object, calculating and comparing the sum of the distances from the central point object to the non-central point objects, solving the sum of the minimum distances, and continuously iterating until each central point object in each clustering center becomes the actual central point object of the clustering center where the non-central point object is located.
Specifically, assume there are N network traffic data samples in total and the IP address entropy data set is D = (X_1, X_2, ..., X_N). First, the number of marked normal flow packets is taken as the K value; then K data are randomly selected from the marked network traffic data samples as the initial clustering centers and, with K ≤ N, the IP address entropy data are divided into S = {S_1, S_2, ..., S_K}. The distance between each remaining datum and the mean of each S_i is calculated, measuring the distance to the cluster centers with the Euclidean distance:

$$d(X_j, \mu_i) = \sqrt{\sum_{l} \left(X_{j,l} - \mu_{i,l}\right)^{2}}$$

Each datum is assigned to the S_i most similar to it according to the calculated distance; the mean of each S_i is then recomputed from its data and taken as the new mean of S_i, and the process is repeated until the minimum-variance function converges. In the numerical model, the minimum-variance formula is

$$E = \sum_{i=1}^{K} \sum_{X \in S_i} \left\| X - \mu_i \right\|^{2}$$

where μ_i is the mean of S_i and E is the sum of the squared errors of all data elements.
What is finally generated is the actual cluster center after the isolated points have been excluded. The clustering center of normal flow is obtained by this operation, and through the trained flow baseline abnormal flow appears as outliers of the clustering, which is how abnormal flow is detected.
In summary, the network flow data of the power grid industrial control system are entropy-quantized according to their attribute characteristics, a cluster analysis model is then established with the improved semi-supervised K-center K-means algorithm, a normal flow clustering center and an abnormal flow clustering center are generated, data matching the normal flow clustering center are detected and marked as normal, and all other data are marked as abnormal, so that safety monitoring and early warning are achieved by judging the detection result.
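Steps two and three together, as one added example (not the patent's code): packets are split into unit flows, each flow is quantized by the information entropy of its source IP, destination port and protocol attributes (formula (1), base-2 logarithm assumed), the improved K-means keeps central-point (medoid) objects as cluster centers with initial centers taken from the marked normal samples, and a unit flow farther from every center than the normal radius is flagged as an outlier, i.e. abnormal. The capture, the unit size of 40 packets (the page uses 1000), K = 2, the radius factor, and the deterministic farthest-first choice of initial centers (the page draws them at random) are constructed assumptions.

```python
"""Entropy quantization plus improved K-means (medoid) anomaly detection (added example)."""
import math
import random
from collections import Counter

ATTRIBUTES = ("src_ip", "dst_port", "protocol")
UNIT_SIZE = 40  # packets per unit flow (assumption; the page divides into units of 1000)

def attribute_entropy(values):
    """Formula (1): H = -sum_i p_i * log p_i with p_i = n_i / sum_j n_j.
    Base-2 logarithm is an assumption; the page does not state the base."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values())

def unit_flows(packets, unit_size=UNIT_SIZE):
    """Divide the captured packets, in time order, into unit flows of unit_size packets.
    A trailing incomplete unit is dropped: its entropy would read low merely because
    it holds fewer packets."""
    return [packets[i:i + unit_size] for i in range(0, len(packets) - unit_size + 1, unit_size)]

def quantize(packets, unit_size=UNIT_SIZE):
    """One entropy vector (src_ip, dst_port, protocol) per unit flow."""
    return [tuple(attribute_entropy([p[a] for p in unit]) for a in ATTRIBUTES)
            for unit in unit_flows(packets, unit_size)]

def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def medoid(points):
    """Central-point object of a cluster: the member with the smallest summed distance
    to the other members. An isolated point cannot become the center because its
    summed distance is large, which is the improvement over the plain mean."""
    return min(points, key=lambda c: sum(euclidean(c, p) for p in points))

def initial_centers(marked_normal, k):
    """Initial centers from the marked normal samples: the overall medoid first, then
    repeatedly the marked sample farthest from the centers chosen so far (assumption
    replacing the page's random draw, so the run is deterministic)."""
    centers = [medoid(marked_normal)]
    while len(centers) < k:
        centers.append(max(marked_normal, key=lambda v: min(euclidean(v, c) for c in centers)))
    return centers

def cluster_medoids(data, marked_normal, k, max_iter=100):
    """Improved semi-supervised K-means: assign every datum (marked or not) to its nearest
    center, then replace each center by the medoid of its cluster, until nothing moves."""
    centers = initial_centers(marked_normal, k)
    groups = []
    for _ in range(max_iter):
        groups = [[] for _ in centers]
        for p in data:
            groups[min(range(k), key=lambda i: euclidean(p, centers[i]))].append(p)
        new_centers = [medoid(g) if g else centers[i] for i, g in enumerate(groups)]
        if new_centers == centers:
            break
        centers = new_centers
    return centers, groups

def normal_radius(marked_normal, centers, factor=3.0, floor=0.25):
    """Trained baseline radius: the largest distance of a marked normal flow to its
    nearest center, widened by a factor (both constants are assumptions)."""
    worst = max(min(euclidean(v, c) for c in centers) for v in marked_normal)
    return max(factor * worst, floor)

def detect(vectors, centers, radius):
    """A unit flow farther than the radius from every center is an outlier (abnormal)."""
    results = []
    for v in vectors:
        d = min(euclidean(v, c) for c in centers)
        results.append(("abnormal" if d > radius else "normal", round(d, 3)))
    return results

def constructed_capture(seed=1):
    """Constructed capture: 6 unit flows of Modbus polling from two masters, 6 unit flows
    of DNP3 reporting from four RTUs, then 2 unit flows in which one host sweeps many
    ports and protocols (the abnormal traffic to be found)."""
    rng = random.Random(seed)
    pkts = []
    for _ in range(6 * UNIT_SIZE):
        pkts.append({"src_ip": rng.choice(["10.0.1.10", "10.0.1.11"]),
                     "dst_port": 502, "protocol": "modbus"})
    for _ in range(6 * UNIT_SIZE):
        pkts.append({"src_ip": rng.choice(["10.0.2.%d" % n for n in range(1, 5)]),
                     "dst_port": 20000, "protocol": "dnp3"})
    for _ in range(2 * UNIT_SIZE):
        pkts.append({"src_ip": "10.0.9.99", "dst_port": rng.randint(1, 1024),
                     "protocol": rng.choice(["tcp", "udp"])})
    return pkts

def run_detection(packets, marked_normal_units=12, k=2):
    """Quantize, cluster with the first marked_normal_units flows as the marked normal
    sample, and label every unit flow against the resulting baseline."""
    vectors = quantize(packets)
    marked = vectors[:marked_normal_units]
    centers, _ = cluster_medoids(vectors, marked, k)
    return detect(vectors, centers, normal_radius(marked, centers))

if __name__ == "__main__":
    for idx, (verdict, dist) in enumerate(run_detection(constructed_capture())):
        print(f"unit flow {idx:2d}: {verdict:8s} distance to nearest center {dist}")
```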
According to another embodiment of the present invention, there is also provided a cloud network side cooperative defense system based on end-side edge computing, including:
the cloud-end cooperative authentication module comprises a cloud computing center and an edge computing center arranged on the terminal side of the electric power engineering system, wherein the edge computing center is used for collecting information of terminal equipment of the industrial control system, establishing an equipment fingerprint according to the information of the terminal equipment, sending the equipment fingerprint to the cloud computing center, establishing an equipment fingerprint identification model by the cloud computing center, and carrying out intelligent dynamic authentication on the terminal equipment of the electric power engineering system according to the equipment fingerprint identification model;
the cloud-end cooperative flow detection module comprises a switch arranged in an edge computing center, an intelligent monitoring host which can be arranged at any position of a network, and the cloud computing center, wherein the switch has a mirror image function and is used for acquiring communication flow of terminal equipment and internal control communication flow of an industrial control system, sending flow data to the intelligent monitoring host, uniformly sending the flow data to the cloud computing center by the intelligent monitoring host, establishing a flow safety baseline by the cloud computing center and sending the flow safety baseline to the intelligent monitoring host, and detecting the flow of the terminal equipment by the intelligent monitoring host according to the flow safety baseline;
the cloud-network cooperative flow detection module comprises flow collection equipment and a cloud computing center, wherein the flow collection equipment is used for obtaining network flow data inside a power engineering control system network and sending the data to the cloud computing center, the cloud computing center carries out entropy quantification according to network flow characteristic attributes, a normal flow clustering center and an abnormal flow clustering center are generated by using a clustering analysis model, a normal flow model base is established according to the normal flow clustering center, and abnormal network flow is detected based on the normal flow model base.
It should be understood that, in the embodiment of the present invention, the cloud network side collaborative defense system may implement all technical solutions in the foregoing method embodiments, functions of each functional module and specific devices in the modules may be implemented specifically according to the method in the foregoing method embodiments, and specific implementation processes and computing manners thereof may refer to relevant descriptions in the foregoing method embodiments, and details are not described herein again.
According to the cloud network side collaborative defense method and defense system based on end-side edge computing, dynamic fingerprint authentication of the terminal equipment is realized by intelligently identifying the edge data acquisition equipment and generating the training model through IP acquisition, Nmap scanning and classification training. Abnormal flow detection of the terminal equipment is realized by configuring the switch mirror, flow control by the intelligent monitoring host and flow baseline training at the cloud computing center. Abnormal flow detection of the power industrial control intranet is realized through flow data acquisition, information-entropy quantization of the flow characteristic attributes as preprocessing, and training of the improved semi-supervised clustering K-means algorithm; the safety state of every link of every control system in the production control network is monitored in real time, so that potential safety hazards in the production control network environment are found in time. The invention enables safe, stable and reliable operation of the closed-source power industrial control system and has wide practical engineering value.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (8)

1. A cloud network side cooperative defense method based on end-side edge computing is characterized by comprising the following steps:
the method comprises the steps that an edge computing center arranged on the terminal side of the electric power engineering system is used for collecting terminal equipment information of the industrial control system, an equipment fingerprint is established according to the terminal equipment information and is sent to a cloud computing center, the cloud computing center establishes an equipment fingerprint identification model, and intelligent dynamic authentication is conducted on terminal equipment of the electric power engineering system according to the equipment fingerprint identification model; the edge computing center collects information of terminal equipment of the industrial control system, and the establishment of the equipment fingerprint according to the information of the terminal equipment specifically comprises the following steps: the edge computing center obtains an IP address of industrial control system terminal equipment, performs Nmap sniffing according to the IP address, obtains relevant information of the equipment where the IP address is located, wherein the relevant information comprises a terminal online state, an open port, a service protocol, an equipment application program name, a version number, an equipment name and an equipment type, and combines the information to be used as a fingerprint of the equipment;
acquiring communication flow of terminal equipment and control communication flow inside an industrial control system by using a mirror image function of a switch arranged in an edge computing center, sending flow data to an intelligent monitoring host, uniformly sending the flow data to a cloud computing center by the intelligent monitoring host, establishing a flow safety baseline by the cloud computing center and sending the flow safety baseline to the intelligent monitoring host, and detecting the flow of the terminal equipment by the intelligent monitoring host according to the flow safety baseline;
the method comprises the steps of obtaining network internal network flow data of the power engineering control system, sending the network internal network flow data to a cloud computing center, carrying out entropy quantification by the cloud computing center according to network flow characteristic attributes, generating a normal flow clustering center and an abnormal flow clustering center by utilizing a clustering analysis model, establishing a normal flow model base according to the normal flow clustering center, and detecting abnormal network flow based on the normal flow model base.
2. The method for cloud network-side collaborative defense based on end-side edge computing according to claim 1, wherein the cloud computing center building an equipment fingerprint identification model comprises: the method comprises the steps of designing collected industrial control system terminal equipment information into a data table with fields including online states, open ports, service protocols, equipment application program names, version numbers, equipment names and equipment types, finishing the importing, converting and exporting of fingerprint data to files through a Python csv module, importing the generated data in the csv files into a Sklearn module integrated with a decision tree algorithm, and creating a classification training model.
3. The cloud network side cooperative defense method based on the end-side edge computing according to claim 1, wherein the intelligent monitoring host performing the traffic detection of the terminal device according to the traffic safety baseline comprises: the intelligent monitoring host machine is switched to a working operation mode, the communication flow of the equipment is collected in real time, the judgment of abnormal flow is carried out on each equipment according to a flow safety baseline, the judgment dimensions comprise outflow flow, inflow flow, total flow and an accessed port, and when operation except the safety baseline occurs, abnormal flow alarm is generated and a log is recorded.
4. The cloud network side collaborative defense method based on end-side edge computing according to claim 1, wherein the network internal flow data of the electric power engineering system are acquired according to the following data acquisition strategy: matching different acquisition frequency coefficients to the security level of the area where the equipment is located; setting different acquisition frequency coefficients according to different functions and purposes; reasonably changing the current acquisition frequency according to the congestion condition of the link; and reasonably changing the acquisition frequency of the current equipment according to its load condition, so that normal operation of the industrial control system functions is guaranteed.
5. The cloud network side collaborative defense method based on end-side edge computing according to claim 1, wherein the cloud computing center performing entropy quantization according to the network traffic characteristic attributes comprises: obtaining the number of occurrences of a certain characteristic attribute in each unit flow, the captured N data packets being divided into unit flows in time order, recording it as X = {X_1, X_2, ..., X_N}, and calculating the attribute entropy of the attack event for the unit flow, the attribute comprising one or more of the IP address, industrial control protocol, source port and destination port, with the entropy calculated as

$$H(X) = -\sum_{i=1}^{M} p_i \log p_i \qquad (1)$$

where Y = {n_i (i = 1, 2, ..., M)} indicates that the i-th instance of the characteristic attribute occurred n_i times in the measurement data, $\sum_{i=1}^{M} n_i$ is the total number of occurrences of the characteristic attribute, M is the total number of different instances of the characteristic attribute in a unit flow, and

$$p_i = \frac{n_i}{\sum_{j=1}^{M} n_j}$$

is substituted into formula (1) to obtain the characteristic attribute entropy of the unit flow.
6. The cloud network side cooperative defense method based on end-side edge computing according to claim 1, wherein generating the normal flow clustering center and the abnormal flow clustering center with the cluster analysis model comprises: recording the data set of a certain characteristic attribute entropy obtained from N network flow data samples as D = (X_1, X_2, ..., X_N); first determining the number of marked normal flow packets as the K value, then randomly selecting K data from the marked network flow data samples as the initial clustering centers and, with K ≤ N, dividing the characteristic attribute entropy data into S = {S_1, S_2, ..., S_K}; calculating the distance between each remaining datum and the mean of each S_i, measuring the distance to the clustering centers with the Euclidean distance; assigning each datum to the S_i most similar to it according to the calculated distance; recalculating the mean of each S_i from its data and updating it as the new mean of S_i; and repeating the above process until the minimum-variance function converges.
7. The method for cloud network side collaborative defense based on end-side edge computing according to claim 1, wherein the detecting abnormal network traffic based on a normal traffic model library comprises: sampling the flow in the network at regular time, and carrying out statistical analysis on the current sampled flow to obtain statistical characteristics of the current sampled flow; accessing a normal flow model library, performing statistical analysis on the characteristics of the current sampling flow and the characteristics in the normal flow model, calculating whether the deviation of the current flow characteristics to the normal flow is in a confidence space, and judging whether the current flow condition is normal; if the flow detection is normal, adding the current flow characteristics into a model base of normal flow, increasing the capacity of a comparison base, and if the current flow detection is abnormal, generating an abnormal detection report and performing abnormal alarm.
8. A cloud network side collaborative defense system based on end-side edge computing is characterized by comprising:
the cloud-end cooperative authentication module comprises a cloud computing center and an edge computing center arranged on the terminal side of the electric power engineering system, wherein the edge computing center is used to collect information of the terminal equipment of the industrial control system, establish an equipment fingerprint according to the terminal equipment information and send the equipment fingerprint to the cloud computing center, and the cloud computing center establishes an equipment fingerprint identification model and carries out intelligent dynamic authentication of the terminal equipment of the electric power engineering system according to the equipment fingerprint identification model; the edge computing center collecting information of the terminal equipment of the industrial control system and establishing the equipment fingerprint according to that information specifically comprises: the edge computing center obtains the IP address of the industrial control system terminal equipment, performs an Nmap scan of the IP address, obtains relevant information about the equipment at that IP address, including terminal online state, open ports, service protocols, equipment application program names, version numbers, equipment name and equipment type, and combines this information to serve as the fingerprint of the equipment;
the cloud-end cooperative flow detection module comprises a switch arranged in the edge computing center, an intelligent monitoring host that can be deployed at any position in the network, and the cloud computing center, wherein the switch has a port mirroring function and is used to acquire the communication flow of the terminal equipment and the internal control communication flow of the industrial control system and send the flow data to the intelligent monitoring host; the intelligent monitoring host forwards the flow data uniformly to the cloud computing center, the cloud computing center establishes a flow safety baseline and sends it to the intelligent monitoring host, and the intelligent monitoring host detects the flow of the terminal equipment according to the flow safety baseline;
the cloud-network cooperative flow detection module comprises flow collection equipment and the cloud computing center, wherein the flow collection equipment is used to obtain network flow data from inside the power engineering control system network and send the data to the cloud computing center; the cloud computing center carries out entropy quantification of the network flow characteristic attributes, generates a normal flow clustering center and an abnormal flow clustering center using the cluster analysis model, establishes a normal flow model library according to the normal flow clustering center, and detects abnormal network flow based on the normal flow model library.
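The equipment fingerprint of the cloud-end cooperative authentication module, built from the attribute set the claim lists (online state, open ports, service protocols, application names, version numbers, equipment name, equipment type), as an added example that is not the patent's or the assignees' code. It assumes the scan results are already available as a dictionary (no scanning is performed here), canonicalises them so that the same device always yields the same hash, and classifies drift between the enrolled and the observed fingerprint with a policy that is an assumption of this example: version or online-state changes ask for re-verification, while changes to ports, protocols or device identity are rejected.

```python
"""Added example (not from the patent): canonical equipment fingerprint and dynamic
authentication by comparing an observed fingerprint against the enrolled one."""
import hashlib
import json

# Attribute set taken from the claim; the field names themselves are assumed.
FINGERPRINT_FIELDS = ("online", "open_ports", "protocols", "apps",
                      "versions", "device_name", "device_type")
# Assumed policy: which drifted fields are tolerable (re-verify) versus disqualifying.
SOFT_FIELDS = {"online", "versions"}

def canonical_record(info):
    """Select the fingerprint fields and sort list-valued ones so order never matters."""
    rec = {}
    for f in FINGERPRINT_FIELDS:
        v = info.get(f)
        rec[f] = sorted(v) if isinstance(v, (list, tuple, set)) else v
    return rec

def fingerprint(info):
    """SHA-256 over the canonical JSON encoding: equal devices give equal fingerprints."""
    blob = json.dumps(canonical_record(info), sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

class FingerprintRegistry:
    """Cloud-side store of enrolled fingerprints keyed by terminal IP (constructed example)."""
    def __init__(self):
        self.enrolled = {}

    def enrol(self, ip, info):
        self.enrolled[ip] = canonical_record(info)

    def authenticate(self, ip, observed):
        """Return (decision, drifted_fields) for a freshly observed attribute set."""
        if ip not in self.enrolled:
            return "unknown", []
        known, now = self.enrolled[ip], canonical_record(observed)
        drifted = [f for f in FINGERPRINT_FIELDS if known[f] != now[f]]
        if not drifted:
            return "accept", []
        if set(drifted) <= SOFT_FIELDS:
            return "re-verify", drifted
        return "reject", drifted

# Constructed scan results for one PLC-like terminal (not real device data).
ENROLLED_PLC = {"online": True, "open_ports": [502, 102], "protocols": ["modbus", "s7comm"],
                "apps": ["plc-runtime"], "versions": ["4.2.1"],
                "device_name": "plc-01", "device_type": "PLC"}

def demo():
    reg = FingerprintRegistry()
    reg.enrol("10.0.1.10", ENROLLED_PLC)
    same = dict(ENROLLED_PLC, open_ports=[102, 502])            # order differs only
    patched = dict(ENROLLED_PLC, versions=["4.2.2"])            # firmware updated
    replaced = dict(ENROLLED_PLC, open_ports=[502, 102, 22],    # new service, new identity
                    protocols=["modbus", "s7comm", "ssh"], device_type="Workstation")
    return (reg.authenticate("10.0.1.10", same),
            reg.authenticate("10.0.1.10", patched),
            reg.authenticate("10.0.1.10", replaced),
            reg.authenticate("10.0.1.99", same))

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Sorting list-valued attributes before hashing matters because a scan reports ports and protocols in arbitrary order; without it the same device would produce different fingerprints from one scan to the next and the dynamic authentication would raise spurious rejections.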
CN202011619791.8A 2020-12-30 2020-12-30 Cloud network side collaborative defense method and system based on end side edge computing Active CN112769796B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011619791.8A CN112769796B (en) 2020-12-30 2020-12-30 Cloud network side collaborative defense method and system based on end side edge computing

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011619791.8A CN112769796B (en) 2020-12-30 2020-12-30 Cloud network side collaborative defense method and system based on end side edge computing

Publications (2)

Publication Number Publication Date
CN112769796A CN112769796A (en) 2021-05-07
CN112769796B true CN112769796B (en) 2021-10-19

Family

ID=75698098

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011619791.8A Active CN112769796B (en) 2020-12-30 2020-12-30 Cloud network side collaborative defense method and system based on end side edge computing

Country Status (1)

Country Link
CN (1) CN112769796B (en)

Families Citing this family (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113420791B (en) * 2021-06-02 2022-08-30 国网河北省电力有限公司信息通信分公司 Access control method and device for edge network equipment and terminal equipment
CN113253037B (en) * 2021-06-22 2021-10-08 北京赛博联物科技有限公司 Current ripple-based edge cloud cooperative equipment state monitoring method and system and medium
CN113179221B (en) * 2021-06-30 2021-09-21 北京浩瀚深度信息技术股份有限公司 Internet traffic control method and system
CN113612777B (en) * 2021-08-04 2023-07-11 百度在线网络技术(北京)有限公司 Training method, flow classification method, device, electronic equipment and storage medium
CN113645232B (en) * 2021-08-10 2023-04-28 克拉玛依和中云网技术发展有限公司 Intelligent flow monitoring method, system and storage medium for industrial Internet
CN113671287B (en) * 2021-08-16 2024-02-02 广东电力通信科技有限公司 Intelligent detection method, system and readable storage medium for power grid automation terminal
CN113486354A (en) * 2021-08-20 2021-10-08 国网山东省电力公司电力科学研究院 Firmware safety evaluation method, system, medium and electronic equipment
CN113783862B (en) * 2021-09-02 2023-06-02 北京国联视讯信息技术股份有限公司 Method and device for checking data in edge cloud cooperation process
US20230117221A1 (en) * 2021-10-18 2023-04-20 SparkAI Inc. Edge-case resolution in artificial intelligence systems
CN114019946B (en) * 2021-11-11 2023-08-29 辽宁石油化工大学 Method and device for processing monitoring data of industrial control terminal
CN114157458A (en) * 2021-11-18 2022-03-08 深圳依时货拉拉科技有限公司 Flow detection method, device, equipment and medium for hybrid cloud environment
CN114172702A (en) * 2021-11-26 2022-03-11 中能电力科技开发有限公司 Network safety monitoring method and system for power grid industrial control system
CN114138501B (en) * 2022-02-07 2022-06-14 杭州智现科技有限公司 Processing method and device for edge intelligent service for field safety monitoring
CN114629690B (en) * 2022-02-24 2023-12-29 广东电网有限责任公司 Device safety baseline compliance detection method and device and computer device
CN114448830B (en) * 2022-03-07 2024-04-05 中国农业银行股份有限公司 Equipment detection system and method
CN114826976B (en) * 2022-04-13 2023-12-05 京东科技信息技术有限公司 Statistical method and device for uplink flow data based on edge computing service
CN115277045A (en) * 2022-05-17 2022-11-01 广东申立信息工程股份有限公司 IDC safety management system
CN114785680B (en) * 2022-06-17 2022-11-15 深圳市信润富联数字科技有限公司 Wind power industrial control equipment transformation method and terminal transformation method
CN114844724A (en) * 2022-06-28 2022-08-02 杭州安恒信息技术股份有限公司 Port anomaly detection method, device, equipment and medium based on end cloud linkage
CN115426358A (en) * 2022-09-07 2022-12-02 河海大学 Slope safety early warning method and system based on big data and storable medium
CN115580490B (en) * 2022-11-25 2023-03-24 国家工业信息安全发展研究中心 Industrial Internet edge device behavior detection method, device, equipment and medium
CN115955334B (en) * 2022-12-02 2023-11-10 深圳市铭励扬科技有限公司 Network attack flow processing method and system based on edge calculation
CN116527303B (en) * 2023-02-28 2023-12-12 浙江大学 Industrial control equipment information extraction method and device based on marked flow comparison
CN116055413B (en) * 2023-03-07 2023-08-15 云南省交通规划设计研究院有限公司 Tunnel network anomaly identification method based on cloud edge cooperation

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111831427A (en) * 2020-05-18 2020-10-27 南京邮电大学 Distributed inter-vehicle task unloading method based on mobile edge calculation

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102018009906A1 (en) * 2018-12-20 2020-06-25 Volkswagen Aktiengesellschaft Process for the management of computer capacities in a network with mobile participants
CN111064633B (en) * 2019-11-28 2021-09-24 国网甘肃省电力公司电力科学研究院 Cloud-edge cooperative power information communication equipment automated testing resource allocation method
CN111582016A (en) * 2020-03-18 2020-08-25 宁波送变电建设有限公司永耀科技分公司 Intelligent maintenance-free power grid monitoring method and system based on cloud edge collaborative deep learning
CN112615434A (en) * 2020-06-14 2021-04-06 石霜霜 Data management method applied to edge computing and cloud computing and edge computing platform

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111831427A (en) * 2020-05-18 2020-10-27 南京邮电大学 Distributed inter-vehicle task unloading method based on mobile edge calculation

Also Published As

Publication number Publication date
CN112769796A (en) 2021-05-07

Similar Documents

Publication Publication Date Title
CN112769796B (en) Cloud network side collaborative defense method and system based on end side edge computing
CN112651006B (en) Power grid security situation sensing system
Jalili et al. Detection of distributed denial of service attacks using statistical pre-processor and unsupervised neural networks
KR102091076B1 (en) Intelligent security control system and method using mixed map alert analysis and non-supervised learning based abnormal behavior detection method
CN114584405B (en) Electric power terminal safety protection method and system
CN114742477B (en) Enterprise order data processing method, device, equipment and storage medium
CN113904881B (en) Intrusion detection rule false alarm processing method and device
CN111782484B (en) Anomaly detection method and device
CN108234426B (en) APT attack warning method and APT attack warning device
CN115001934A (en) Industrial control safety risk analysis system and method
CN111651760B (en) Method for comprehensively analyzing equipment safety state and computer readable storage medium
CN115118525B (en) Internet of things safety protection system and protection method thereof
CN115618353B (en) Industrial production safety identification system and method
CN109190408B (en) Data information security processing method and system
CN114285596B (en) Transformer substation terminal account abnormity detection method based on machine learning
CN114039837A (en) Alarm data processing method, device, system, equipment and storage medium
CN112291213A (en) Abnormal flow analysis method and device based on intelligent terminal
CN111597549A (en) Network security behavior identification method and system based on big data
JP2019175070A (en) Alert notification device and alert notification method
CN111565187B (en) DNS (Domain name System) anomaly detection method, device, equipment and storage medium
CN115809950B (en) Machine room operation and maintenance management platform and management method
CN115098602B (en) Data processing method, device and equipment based on big data platform and storage medium
CN111475380B (en) Log analysis method and device
CN117914547A (en) Security situation awareness processing method, system and equipment for built-in data processing unit
CN117640240A (en) Dynamic white list admittance release method and system based on machine learning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant