CN112801359A - Industrial internet security situation prediction method and device, electronic equipment and medium - Google Patents



Publication number
CN112801359A
Authority
CN
China
Prior art keywords
data
situation
security
industrial internet
safety
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110096613.XA
Other languages
Chinese (zh)
Inventor
董亮
盛国军
唐宇
庄明旭
张新硕
安景斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haier Digital Technology Qingdao Co Ltd
Haier Digital Technology Shanghai Co Ltd
Haier Caos IoT Ecological Technology Co Ltd
Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Original Assignee
Haier Digital Technology Qingdao Co Ltd
Haier Digital Technology Shanghai Co Ltd
Haier Caos IoT Ecological Technology Co Ltd
Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Haier Digital Technology Qingdao Co Ltd, Haier Digital Technology Shanghai Co Ltd, Haier Caos IoT Ecological Technology Co Ltd, Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Priority to CN202110096613.XA
Publication of CN112801359A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases
    • G06F16/285 Clustering or classification
    • G06F16/287 Visualization; Browsing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0639 Performance analysis of employees; Performance analysis of enterprise or organisation operations
    • G06Q10/06393 Score-carding, benchmarking or key performance indicator [KPI] analysis

Abstract

The embodiment of the invention discloses a method, a device, electronic equipment and a medium for predicting the security situation of the industrial internet. The method comprises the following steps: acquiring at least one item of security situation data from a target database; classifying the security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index; training with the classification result sets to obtain a security situation model; and using the security situation model to predict the security situation of industrial internet data acquired in real time, and visually displaying the prediction result. With the scheme of the embodiment of the invention, the security situation of the industrial internet is predicted and the prediction result can be displayed visually.

Description

Industrial internet security situation prediction method and device, electronic equipment and medium
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to a method and a device for predicting the security situation of an industrial internet, electronic equipment and a medium.
Background
With the continuous development of science and technology, the industrial internet is developed rapidly. The industrial internet can greatly improve the production efficiency and the management efficiency.
While the industrial internet greatly improves production efficiency and management efficiency, its security situation is becoming more and more complex: its open networks and service-sharing scenarios are increasingly complex and changeable, and the security challenges are more severe.
How to predict the security situation of the industrial internet is a key issue of concern in the industry.
Disclosure of Invention
The embodiment of the invention provides a method, a device, electronic equipment and a medium for predicting the security situation of an industrial internet, so as to predict the security situation of the industrial internet.
In a first aspect, an embodiment of the present invention provides a method for predicting an industrial internet security situation, including:
acquiring at least one item of security situation data from a target database;
classifying the security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index;
training with the classification result sets to obtain a security situation model;
and using the security situation model to predict the security situation of industrial internet data acquired in real time, and visually displaying the prediction result.
Optionally, the security posture data includes at least one of:
industrial internet traffic data, log data, trojan data, vulnerability data, and virus data.
Optionally, before acquiring at least one item of security posture data from the target database, the method further includes:
acquiring each item of security situation data through a probe arranged on an industrial internet node, and storing the security situation data in the target database; and/or
receiving each item of security situation data uploaded by each industrial internet device and storing it in the target database.
Optionally, classifying the security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index includes:
acquiring a target feature vector of each security situation index and a reference feature vector of each item of security situation data;
calculating the similarity between each target feature vector and each reference feature vector, and acquiring, for each item of security situation data, the maximum similarity and the security situation index corresponding to that maximum similarity;
screening out the security situation data whose maximum similarity exceeds a preset threshold, and adding that security situation data to the classification result set corresponding to the security situation index.
Optionally, the safety situation indicator includes at least one of the following: threat information, vulnerability information, and system information.
Optionally, while visually displaying the prediction result, the method further includes:
and carrying out visual display on the classification result sets respectively corresponding to the situation indexes.
Optionally, while visually displaying the prediction result, the method further includes:
and visually displaying the safety situation model.
In a second aspect, an embodiment of the present invention further provides an apparatus for predicting a security situation of an industrial internet, including:
the safety situation data acquisition module is used for acquiring at least one item of safety situation data from a target database;
the safety situation data classification module is used for classifying the safety situation data according to at least one situation index to obtain a classification result set corresponding to each situation index;
the safety situation model determining module is used for training by using each classification result set to obtain a safety situation model;
and the safety situation prediction module is used for predicting the safety situation of the industrial internet data acquired in real time by using the safety situation model and visually displaying the prediction result.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
one or more processors;
a storage device for storing one or more programs,
when the one or more programs are executed by the one or more processors, the one or more processors implement the method for predicting the industrial internet security situation according to any embodiment of the invention.
In a fourth aspect, the present invention further provides a storage medium containing computer-executable instructions, where the computer-executable instructions are used to perform the method for predicting the industrial internet security situation according to any one of the embodiments of the present invention when executed by a computer processor.
The embodiment of the invention acquires at least one item of security situation data from a target database; classifies the security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index; trains with the classification result sets to obtain a security situation model; and uses the security situation model to predict the security situation of industrial internet data acquired in real time and visually displays the prediction result. The security situation of the industrial internet is thereby predicted, and the prediction result can be displayed visually.
Drawings
Fig. 1 is a flowchart of a method for predicting the security situation of the industrial internet according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a method for predicting the security situation of the industrial internet according to a second embodiment of the present invention;
Fig. 3 is a flowchart of a method for predicting the security situation of the industrial internet according to a third embodiment of the present invention;
Fig. 4 is a schematic diagram of an industrial internet security situation prediction system according to a third embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an industrial internet security situation prediction apparatus according to a fourth embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device in a fifth embodiment of the present invention.
Detailed Description
The embodiments of the present invention will be described in further detail with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad invention. It should be further noted that, for convenience of description, only some structures, not all structures, relating to the embodiments of the present invention are shown in the drawings.
Example one
Fig. 1 is a flowchart of a method for predicting a security situation of an industrial internet according to a first embodiment of the present invention, where the method is applicable to predicting a security situation of an industrial internet, and the method may be implemented by an industrial internet security situation predicting apparatus, and the apparatus may be implemented in a software and/or hardware manner and integrated in an electronic device. Specifically, referring to fig. 1, the method specifically includes the following steps:
Step 110, acquiring at least one item of security situation data from the target database.
It should be noted that, in this field, security situation awareness is the ability to understand security risks dynamically and as a whole, based on the environment; it uses technologies such as data fusion, data mining, intelligent analysis and visualization to display the real-time security status of a network environment visually, so as to provide technical support for industrial internet security assurance.
In this embodiment, the security situation data may be industrial internet traffic data, log data, trojan data, vulnerability data, virus data, or the like, which is not limited in this embodiment.
The target database may store one or more kinds of security situation data; for example, it may store industrial internet traffic data, log data, trojan data, vulnerability data, and virus data. It should be noted that this embodiment does not limit the number of items of security situation data stored in the target database; the number may be, for example, ten thousand, one hundred thousand, or five million.
Step 120, classifying the security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index.
The security situation index may be threat information, vulnerability information, or system information, which is not limited in this embodiment.
In an optional implementation manner of this embodiment, after at least one item of security situation data is acquired from the target database, each item of security situation data may be further classified according to at least one situation index, so as to obtain a classification result set corresponding to each situation index.
For example, each item of security situation data may be classified according to the threat information index and the vulnerability information index, so as to obtain a classification result set corresponding to the vulnerability information index and a classification result set corresponding to the threat information index.
In another specific example of this embodiment, each item of security situation data may be classified according to a threat information index, a system information index, and a vulnerability information index, so as to obtain a classification result set corresponding to the vulnerability information index, a classification result set corresponding to the system information index, and a classification result set corresponding to the threat information index.
Step 130, training with the classification result sets to obtain a security situation model.
In an optional implementation manner of this embodiment, after classifying the acquired security situation data according to at least one situation indicator to obtain classification result sets respectively corresponding to the situation indicators, the security situation model may be further obtained by training using the classification result sets.
For example, in this embodiment, a security situation model may be obtained by extracting a feature vector of each classification result set and training on those feature vectors; each classification result set may also be subjected to unsupervised training to obtain the security situation model. It should be noted that, in this embodiment, the security situation model may also be obtained through training by other methods, which are not described here.
Step 140, using the security situation model to predict the security situation of industrial internet data acquired in real time, and visually displaying the prediction result.
In an optional implementation manner of this embodiment, after the security situation model is obtained by training using the classification result sets respectively corresponding to the situation indexes, the security situation of the industrial internet data obtained in real time may be further predicted by using the security situation model obtained by training, and the obtained prediction result is visually displayed.
In an optional implementation manner of this embodiment, after the security situation model is obtained through training, the acquired industrial internet data may be input into the security situation model in real time for prediction; for example, the industrial internet data may be determined to be one or more kinds of security situation data such as traffic data, log data, trojan data, vulnerability data, or virus data.
Further, the obtained prediction result can be visually displayed; for example, the predicted data type of the industrial internet data (i.e., which kind or kinds of security situation data it is) and the attribute characteristics of the industrial internet data can be displayed on a large screen. The attribute characteristics of the industrial internet data may include its name, identifier (ID), size, or the like, which is not limited in this embodiment.
The scheme of this embodiment acquires at least one item of security situation data from a target database; classifies the security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index; trains with the classification result sets to obtain a security situation model; and uses the security situation model to predict the security situation of industrial internet data acquired in real time and visually displays the prediction result. The security situation of the industrial internet is thereby predicted, and the prediction result can be displayed visually.
Example two
Fig. 2 is a flowchart of a method for predicting an industrial internet security situation in a second embodiment of the present invention, where this embodiment is a further refinement of the above technical solutions, and the technical solution in this embodiment may be combined with various alternatives in one or more of the above embodiments. As shown in fig. 2, the method for predicting the industrial internet security situation may include the following steps:
Step 210, acquiring each item of security situation data through a probe arranged on an industrial internet node and storing it in a target database; and/or receiving each item of security situation data uploaded by each industrial internet device and storing it in the target database.
In an optional implementation manner of this embodiment, before acquiring at least one item of security situation data from the target database, each piece of security situation data may also be acquired through a probe set in an industrial internet node, and the acquired security situation data is stored in the target database; and the security situation data uploaded by each industrial Internet device can be received, and the received security situation data is stored in a target database.
In an optional implementation manner of this embodiment, after the probe arranged on the industrial internet node acquires industrial internet data, the transmission protocol of each item of industrial internet data may be identified, and the kind of security situation data that each item represents may be determined according to that transmission protocol.
For example, after industrial internet data A is acquired through the probe, the transmission protocol of industrial internet data A may be identified, and the kind of security situation data that industrial internet data A represents may then be determined according to the transmission protocol; for example, industrial internet data A may be determined to be traffic data, trojan data, vulnerability data, virus data, or the like.
In another optional implementation manner of this embodiment, log data uploaded by each industrial internet device in the industrial internet can be received in real time, and the received log data can be stored in the target database.
Step 220, at least one item of security posture data is obtained from the target database.
Step 230, classifying the security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index.
Step 240, training with the classification result sets to obtain a security situation model.
Step 250, using the security situation model to predict the security situation of industrial internet data acquired in real time, and visually displaying the prediction result.
According to the scheme of this embodiment, before at least one item of security situation data is acquired from the target database, each item of security situation data can be acquired through a probe arranged on an industrial internet node and stored in the target database, and the security situation data uploaded by each industrial internet device can be received and stored in the target database. The security situation data in the target database is thus continuously enriched, which can improve the accuracy of the security situation model and provides a basis for improving the accuracy of the prediction result for the industrial internet security situation.
Example three
Fig. 3 is a flowchart of a method for predicting an industrial internet security situation in a third embodiment of the present invention, where this embodiment is a further refinement of the above technical solutions, and the technical solution in this embodiment may be combined with various alternatives in one or more of the above embodiments. As shown in fig. 3, the method for predicting the industrial internet security situation may include the following steps:
Step 310, acquiring each item of security situation data through a probe arranged on an industrial internet node and storing it in a target database; and/or receiving each item of security situation data uploaded by each industrial internet device and storing it in the target database.
Step 320, acquiring at least one item of security situation data from the target database.
Step 330, acquiring a target feature vector of each security situation index and a reference feature vector of each item of security situation data.
Optionally, after at least one item of security situation data is acquired from the target database, each item of security situation data may be further classified according to at least one situation index, so as to obtain a classification result set corresponding to each situation index; in this embodiment, classifying each security situation data according to at least one situation indicator to obtain a classification result set corresponding to each situation indicator, which may include: acquiring a target characteristic vector of each safety situation index and a reference characteristic vector of each safety situation data; respectively calculating the similarity of each target characteristic vector and each reference characteristic vector, and acquiring the maximum similarity corresponding to each safety situation data and the safety situation index corresponding to the maximum similarity; screening out all the safety situation data with the maximum similarity exceeding a preset threshold value, and respectively adding all the safety situation data into the classification result set corresponding to the safety situation indexes.
Wherein the safety situation index comprises at least one of the following: threat information, vulnerability information, system information, and the like, which are not limited in this embodiment.
In an optional implementation manner of this embodiment, after acquiring each security situation data from the target database, a target feature vector of each security situation index and a reference feature vector of each security situation data may be further acquired; for example, in this embodiment, attribute information of each security posture index may be extracted, so as to generate a target feature vector of the security posture index; and extracting the attribute information of each acquired safety situation data, thereby generating a reference feature vector of each safety situation data.
Step 340, calculating the similarity between each target feature vector and each reference feature vector, and acquiring, for each item of security situation data, the maximum similarity and the security situation index corresponding to that maximum similarity.
In an implementation manner of this embodiment, after obtaining the target feature vector of each security situation index and the reference feature vector of each security situation data obtained from the target database, similarity between each target feature vector and each reference feature vector may be further calculated, and a maximum similarity corresponding to each security situation data and a security situation index corresponding to the maximum similarity may be obtained.
For example, if the security situation indexes include a threat information index and a vulnerability information index, a target feature vector A corresponding to the threat information index and a target feature vector B corresponding to the vulnerability information index may be obtained; the similarity of the target feature vector A and of the target feature vector B with each reference feature vector is then calculated; furthermore, the similarity between the reference feature vector a and the target feature vector A can be compared with the similarity between the reference feature vector a and the target feature vector B, so as to obtain the maximum similarity corresponding to the security situation data a and the security situation index corresponding to that maximum similarity.
Illustratively, if the similarity between the reference feature vector a and the target feature vector A is 0.9, and the similarity between the reference feature vector a and the target feature vector B is 0.8, then the maximum similarity corresponding to the security situation data a is 0.9, and the security situation index corresponding to the maximum similarity is the threat information index.
Step 350, screening out each item of security situation data whose maximum similarity exceeds a preset threshold, and adding each such item to the classification result set corresponding to its security situation index.
The preset threshold may be a value such as 0.6, 0.7, or 0.85, which is not limited in this embodiment.
In an optional implementation manner of this embodiment, after obtaining the maximum similarity corresponding to each security situation data and the security situation index corresponding to the maximum similarity, each security situation data whose maximum similarity exceeds a preset threshold may be further screened, and each security situation data is added into the classification result set corresponding to the security situation index.
Illustratively, after obtaining the maximum similarity corresponding to each security situation data and the security situation index corresponding to the maximum similarity, each maximum similarity may be further compared with a preset threshold, the security situation data corresponding to the maximum similarity greater than the threshold is retained, and each retained security situation data is added into the classification result set corresponding to the security situation index.
Step 360, using the security situation model to predict the security situation of industrial internet data acquired in real time, and visually displaying the prediction result.
In an optional implementation manner of this embodiment, while the prediction result is visually displayed, the classification result sets respectively corresponding to the situation indexes may also be visually displayed. For example, the classification result set can be displayed in a fixed area (not overlapping with a visual display area of the prediction result) of a large screen, so that the user can conveniently view the classification result set.
In an optional implementation manner of this embodiment, the prediction result can be visually displayed, and the security posture model can be visually displayed at the same time. Illustratively, the safety situation model can be displayed in a fixed area (which is not overlapped with the visual display area of the prediction result and the visual display area of the classification result set) of a large screen, so that a user can conveniently view the safety situation model.
In the scheme of this embodiment, classifying each item of security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index includes: acquiring a target feature vector of each security situation index and a reference feature vector of each item of security situation data; calculating the similarity between each target feature vector and each reference feature vector, and acquiring, for each item of security situation data, the maximum similarity and the security situation index corresponding to that maximum similarity; and screening out each item of security situation data whose maximum similarity exceeds a preset threshold and adding it to the classification result set corresponding to its security situation index. The classification result set corresponding to each situation index can thus be determined accurately, which provides a basis for subsequently predicting the security situation of industrial internet data accurately.
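Steps 330 to 350 written out as an added example; this is not code from the patent. The patent names neither a similarity measure nor a feature layout, so cosine similarity, the six-feature layout, the record names and every vector below are assumptions constructed for illustration.

```python
"""Similarity-threshold classification of security situation data (steps 330-350).

Assumptions, not taken from the patent: cosine similarity as the similarity
measure, the six-feature vector layout, and all sample vectors (constructed).
"""
import math

# Assumed feature order for every vector:
# [ioc_hits, malware_sig_hits, cve_refs, missing_patches, resource_load, config_changes]

# Constructed target feature vectors, one per security situation index.
TARGETS = {
    "threat information":        [1, 1, 0, 0, 0, 0],
    "vulnerability information": [0, 0, 1, 1, 0, 0],
    "system information":        [0, 0, 0, 0, 1, 1],
}

# Constructed reference feature vectors, one per item of security situation data.
RECORDS = {
    "ids-alert-001":    [3, 4, 0, 0, 0, 0],  # clearly threat-like
    "scan-finding-002": [0, 1, 4, 3, 0, 0],  # clearly vulnerability-like
    "host-metrics-003": [0, 0, 0, 1, 2, 2],  # clearly system-like
    "mixed-004":        [1, 0, 1, 0, 1, 0],  # equally close to every index
    "empty-005":        [0, 0, 0, 0, 0, 0],  # no extracted attributes at all
    "fw-log-006":       [2, 1, 1, 1, 0, 0],  # threat-like, but only moderately
}


def cosine_similarity(u, v):
    """Cosine of the angle between u and v; 0.0 when either vector is all zeros."""
    if len(u) != len(v):
        raise ValueError("feature vectors must have the same length")
    norm_u = math.sqrt(sum(x * x for x in u))
    norm_v = math.sqrt(sum(x * x for x in v))
    if norm_u == 0 or norm_v == 0:
        # A zero vector has no direction, so it cannot resemble any index.
        return 0.0
    return sum(x * y for x, y in zip(u, v)) / (norm_u * norm_v)


def classify(records, targets, threshold):
    """Return (result_sets, unclassified).

    result_sets maps each index to [(record_id, max_similarity), ...] for the
    records whose maximum similarity exceeds the threshold (strictly greater).
    unclassified lists (record_id, max_similarity) for everything else.
    """
    result_sets = {index: [] for index in targets}
    unclassified = []
    for record_id, reference in records.items():
        # Step 340: similarity to every target vector, then the maximum.
        sims = {index: cosine_similarity(reference, target)
                for index, target in targets.items()}
        best_index = max(sims, key=sims.get)
        best = round(sims[best_index], 3)
        # Step 350: keep the record only if its maximum exceeds the threshold.
        if best > threshold:
            result_sets[best_index].append((record_id, best))
        else:
            unclassified.append((record_id, best))
    return result_sets, unclassified


def ids(entries):
    """Record ids from a list of (record_id, similarity) tuples."""
    return [entry[0] for entry in entries]


if __name__ == "__main__":
    for threshold in (0.7, 0.85):  # two of the preset thresholds the text mentions
        sets, rest = classify(RECORDS, TARGETS, threshold)
        print(f"threshold = {threshold}")
        for index, entries in sets.items():
            print(f"  {index}: {entries}")
        print(f"  unclassified: {rest}")
```

Raising the threshold from 0.7 to 0.85 moves `fw-log-006` out of the threat set, while the ambiguous and empty records are rejected at both settings.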
In order to make those skilled in the art better understand the method for predicting the industrial internet security situation of the embodiment, fig. 4 is a schematic diagram of an industrial internet security situation prediction system in a third embodiment of the present invention, which mainly includes: the system comprises a security situation data acquisition module 410, a security situation index extraction module 420, a security situation data classification module 430, a general situation evaluation module 440 and a situation prediction module 450.
Wherein, the safety situation index includes: threat information, vulnerability information, and system information; the security situation data classification module 430 comprises threat situation assessment, vulnerable situation assessment, stable situation assessment and disaster recovery situation assessment; the general situation evaluation module 440 is a security situation model involved in the embodiment of the present invention.
According to the scheme of the embodiment of the invention, threat situation visualization can be realized: the comprehensive security situation of industrial control equipment and key nodes across the whole network can be monitored visually, and the attack source, attack purpose and attack path can be traced and analyzed visually according to the source information and target information of network threat events. This helps the user to analyze and mine the attack characteristics of network threats in depth, and improves the ability to anticipate and actively defend against potential and unknown threats.
The scheme of the embodiment of the invention can also realize threat event monitoring. It supports integrating data from various industrial control detection systems, performs real-time visual monitoring of network threat events such as malicious domain names, vulnerability attacks, traffic anomalies, botnets, trojans and worms, DDoS attacks, industrial control networks and APT attacks, and supports graded alarms for network anomaly events, which helps the user to quickly find network security risks and to better prevent and resist network threat events.
The scheme of the embodiment of the invention can also realize threat information situation display. It supports integration with mainstream threat information acquisition systems, performs real-time monitoring, alarming and visual analysis of sensitive information from domestic and foreign threat information channels, and supports visual analysis of how threat information develops, visual tracing of threats, visual analysis of propagation paths and the like. This helps the management department grasp the latest threat situation at the first opportunity and improves the manager's monitoring of, and response efficiency to, threat information.
The scheme of the embodiment of the invention can also realize network equipment visualization. It supports three-dimensional simulated display of the data center, which faithfully reflects the quantity, type and distribution of the existing equipment. The system supports integration with network monitoring, host monitoring, storage monitoring and similar systems, performs real-time visual monitoring of the running state of network equipment, provides interactions such as click-to-query and viewpoint adjustment, and can drill down to the attribute information of a specific server, which helps the user grasp the running state of the equipment more intuitively.
According to the scheme of the embodiment of the invention, operation and maintenance data visualization can be realized. Integration with monitoring systems such as building control, security protection, fire protection and video is supported, providing a unified visual monitoring platform for data center operation and maintenance. Operation and maintenance data such as the temperature and humidity of the network center's machine room, the running state of the power system and the energy consumption of the machine room are monitored and analyzed in real time, which helps managers grasp the running state of the network center clearly and intuitively and improves operation and maintenance efficiency.
The scheme of the embodiment of the invention can also realize information asset visualization. It supports integration with various IT asset configuration management databases, performs real-time visual monitoring of the security state of information assets within the user's network operation range, and, combined with operating data from systems such as IDS, VDS, firewalls and host monitoring, helps the user quickly discover security risks to information assets, strengthening the manager's monitoring and awareness of the information asset security situation.
The scheme of the embodiment of the invention can also realize visual analysis and judgment of data and the fusion of multiple types of data. It is compatible with existing data of various kinds, such as data source data, security asset information data, service system data and attack event data, supports access to various artificial intelligence model algorithms, realizes fused display of information across service systems, and provides comprehensive and objective data support for user decision-making and analysis.
The scheme of the embodiment of the invention can also realize multidimensional visual analysis of data. It supports integrating the data of the network security monitoring service systems and performing multidimensional parallel visual analysis according to the user's service requirements. It provides visual analysis methods such as clustering, heat maps and activity patterns, nearly a hundred kinds of visual data analysis charts, and data analysis support such as scrolling, drilling and slicing, which helps the user understand the relationships within complex data.
The technical scheme of the embodiment of the invention can also realize access support for professional model algorithms. It supports interface-level integration with professional analysis algorithms and data models in specialized network security fields, supports fused visual analysis of their calculation results with data from other sources, makes maximum use of existing informatization construction results, and provides strong technical support for more complex industrial applications.
Example four
Fig. 5 is a schematic structural diagram of an industrial internet security situation prediction apparatus according to a fourth embodiment of the present invention, which is capable of executing the industrial internet security situation prediction methods of the foregoing embodiments. Referring to Fig. 5, the apparatus includes: a security situation data acquisition module 510, a security situation data classification module 520, a security situation model determination module 530, and a security situation prediction module 540.
A security situation data obtaining module 510, configured to obtain at least one item of security situation data from a target database;
a security situation data classification module 520, configured to classify each piece of security situation data according to at least one situation indicator, so as to obtain a classification result set corresponding to each situation indicator;
a security situation model determining module 530, configured to use each classification result set to train to obtain a security situation model;
and the security situation prediction module 540 is configured to predict the security situation of the industrial internet data acquired in real time by using the security situation model, and visually display a prediction result.
According to the scheme of the embodiment, at least one item of security situation data is acquired from a target database through a security situation data acquisition module; classifying the safety situation data according to at least one situation index through a safety situation data classification module to obtain a classification result set corresponding to each situation index; training by using each classification result set through a safety situation model determining module to obtain a safety situation model; the security situation of the industrial internet data acquired in real time is predicted by the security situation prediction module through the security situation model, and the prediction result is visually displayed, so that the security situation of the industrial internet is predicted, and the prediction result can be visually displayed.
In an optional implementation manner of this embodiment, the security posture data includes at least one of:
industrial internet traffic data, log data, trojan data, vulnerability data, and virus data.
In an optional implementation manner of this embodiment, the industrial internet security situation prediction apparatus further includes a security situation data storage module, configured to:
acquire each item of security situation data through a probe arranged on an industrial internet node, and store it in the target database; and/or
receive each item of security situation data uploaded by each industrial internet device, and store it in the target database.
In an optional implementation manner of this embodiment, the security situation data classification module 520 is specifically configured to:
acquire a target feature vector of each security situation indicator and a reference feature vector of each item of security situation data;
calculate the similarity between each target feature vector and each reference feature vector, and obtain, for each item of security situation data, its maximum similarity and the security situation indicator corresponding to that maximum similarity;
select each item of security situation data whose maximum similarity exceeds a preset threshold, and add it to the classification result set of the corresponding security situation indicator.
In an optional implementation manner of this embodiment, the security situation indicator includes at least one of the following: threat information, vulnerability information, and system information.
In an optional implementation manner of this embodiment, the industrial internet security situation prediction apparatus further includes a first display module, configured to:
visually display the classification result sets respectively corresponding to the situation indicators.
In an optional implementation manner of this embodiment, the industrial internet security situation prediction apparatus further includes a second display module, configured to:
visually display the security situation model.
The industrial internet security situation prediction device provided by the embodiment of the invention can execute the industrial internet security situation prediction method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Example five
Fig. 6 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention, as shown in fig. 6, the electronic device includes a processor 60, a memory 61, an input device 62, and an output device 63; the number of the processors 60 in the electronic device may be one or more, and one processor 60 is taken as an example in fig. 6; the processor 60, the memory 61, the input device 62 and the output device 63 in the electronic apparatus may be connected by a bus or other means, and the bus connection is exemplified in fig. 6.
The memory 61 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the industrial internet security situation prediction method in the embodiment of the present invention (for example, in the industrial internet security situation prediction apparatus, the security situation data acquisition module 510, the security situation data classification module 520, the security situation model determination module 530, and the security situation prediction module 540). The processor 60 executes various functional applications and data processing of the electronic device by executing software programs, instructions and modules stored in the memory 61, so as to implement the above-mentioned industrial internet security situation prediction method.
The memory 61 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 61 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 61 may further include memory located remotely from the processor 60, which may be connected to the electronic device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 62 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function controls of the electronic apparatus. The output device 63 may include a display device such as a display screen.
Example six
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method for predicting an industrial internet security situation, the method including:
acquiring at least one item of safety situation data from a target database;
classifying the safety situation data according to at least one situation index to obtain a classification result set corresponding to each situation index;
training by using each classification result set to obtain a safety situation model;
and predicting the security situation of the industrial internet data acquired in real time by using the security situation model, and visually displaying the prediction result.
Of course, the storage medium containing the computer-executable instructions provided by the embodiments of the present invention is not limited to the method operations described above, and may also perform related operations in the industrial internet security situation prediction method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the foregoing industrial internet security situation prediction apparatus, each included unit and module are only divided according to functional logic, but are not limited to the above division, as long as the corresponding function can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A method for predicting the security situation of an industrial Internet is characterized by comprising the following steps:
acquiring at least one item of safety situation data from a target database;
classifying the safety situation data according to at least one situation index to obtain a classification result set corresponding to each situation index;
training by using each classification result set to obtain a safety situation model;
and predicting the security situation of the industrial internet data acquired in real time by using the security situation model, and visually displaying the prediction result.
2. The method of claim 1, wherein the security posture data comprises at least one of:
industrial internet traffic data, log data, trojan data, vulnerability data, and virus data.
3. The method of claim 2, further comprising, prior to obtaining at least one item of security posture data from the target database:
acquiring each safety situation data through a probe arranged on an industrial internet node, and storing the safety situation data in the target database; and/or
and receiving and storing each safety situation data uploaded by each industrial Internet device in the target database.
4. The method of claim 1, wherein classifying each of the security posture data according to at least one posture index to obtain a classification result set corresponding to each of the posture indexes, comprises:
acquiring a target characteristic vector of each safety situation index and a reference characteristic vector of each safety situation data;
respectively calculating the similarity of each target characteristic vector and each reference characteristic vector, and acquiring the maximum similarity corresponding to each safety situation data and the safety situation index corresponding to the maximum similarity;
screening out the safety situation data with the maximum similarity exceeding a preset threshold value, and adding the safety situation data into a classification result set corresponding to the safety situation indexes.
5. The method of claim 4, wherein the security posture indicators include at least one of: threat information, vulnerability information, and system information.
6. The method according to any one of claims 1-5, wherein the method further comprises, while visually presenting the prediction result:
and carrying out visual display on the classification result sets respectively corresponding to the situation indexes.
7. The method according to any one of claims 1-5, wherein the method further comprises, while visually presenting the prediction result:
and visually displaying the safety situation model.
8. An industrial internet security situation prediction apparatus, comprising:
the safety situation data acquisition module is used for acquiring at least one item of safety situation data from a target database;
the safety situation data classification module is used for classifying the safety situation data according to at least one situation index to obtain a classification result set corresponding to each situation index;
the safety situation model determining module is used for training by using each classification result set to obtain a safety situation model;
and the safety situation prediction module is used for predicting the safety situation of the industrial internet data acquired in real time by using the safety situation model and visually displaying the prediction result.
9. An electronic device, characterized in that the electronic device comprises:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the industrial internet security situation prediction method of any one of claims 1-7.
10. A storage medium containing computer-executable instructions for performing the industrial internet security situation prediction method of any one of claims 1-7 when executed by a computer processor.
CN202110096613.XA 2021-01-25 2021-01-25 Industrial internet security situation prediction method and device, electronic equipment and medium Pending CN112801359A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110096613.XA CN112801359A (en) 2021-01-25 2021-01-25 Industrial internet security situation prediction method and device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN112801359A true CN112801359A (en) 2021-05-14

Family

ID=75811584

Country Status (1)

Country Link
CN (1) CN112801359A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20180270266A1 (en) * 2017-03-20 2018-09-20 Fair Isaac Corporation System and Method for Empirical Organizational Cybersecurity Risk Assessment Using Externally-Visible Data
CN109840415A (en) * 2018-12-29 2019-06-04 江苏博智软件科技股份有限公司 A kind of industry control network Security Situation Awareness Systems
CN111652496A (en) * 2020-05-28 2020-09-11 中国能源建设集团广东省电力设计研究院有限公司 Operation risk assessment method and device based on network security situation awareness system
CN111832017A (en) * 2020-07-17 2020-10-27 中国移动通信集团广西有限公司 Cloud-oriented database security situation sensing system
CN111917785A (en) * 2020-08-06 2020-11-10 重庆邮电大学 Industrial internet security situation prediction method based on DE-GWO-SVR

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113792300A (en) * 2021-11-17 2021-12-14 山东云天安全技术有限公司 System for predicting industrial control network bugs based on internet and industrial control network bug parameters
CN114021149A (en) * 2021-11-17 2022-02-08 山东云天安全技术有限公司 System for predicting industrial control network bugs based on correction parameters
CN113792300B (en) * 2021-11-17 2022-02-11 山东云天安全技术有限公司 System for predicting industrial control network bugs based on internet and industrial control network bug parameters
CN114021149B (en) * 2021-11-17 2022-06-03 山东云天安全技术有限公司 System for predicting industrial control network bugs based on correction parameters

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 402, block B, Qingdao International Innovation Park, No.1 Keyuan Weiyi Road, Zhonghan street, Laoshan District, Qingdao City, Shandong Province, 266101

Applicant after: Haier digital technology (Qingdao) Co.,Ltd.

Applicant after: CAOS industrial Intelligence Research Institute (Qingdao) Co.,Ltd.

Applicant after: Haier CAOS IOT Ecological Technology Co.,Ltd.

Applicant after: HAIER DIGITAL TECHNOLOGY (SHANGHAI) Co.,Ltd.

Address before: Room 402, block B, Qingdao International Innovation Park, No.1 Keyuan Weiyi Road, Zhonghan street, Laoshan District, Qingdao City, Shandong Province, 266101

Applicant before: Haier digital technology (Qingdao) Co.,Ltd.

Applicant before: QINGDAO HAIER INDUSTRIAL INTELLIGENCE RESEARCH INSTITUTE Co.,Ltd.

Applicant before: Haier CAOS IOT Ecological Technology Co.,Ltd.

Applicant before: HAIER DIGITAL TECHNOLOGY (SHANGHAI) Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20210514
