Detailed Description
The embodiments of the present invention will be described in further detail with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad invention. It should be further noted that, for convenience of description, only some structures, not all structures, relating to the embodiments of the present invention are shown in the drawings.
Example one
Fig. 1 is a flowchart of a method for predicting a security situation of an industrial internet according to a first embodiment of the present invention, where the method is applicable to predicting a security situation of an industrial internet, and the method may be implemented by an industrial internet security situation predicting apparatus, and the apparatus may be implemented in a software and/or hardware manner and integrated in an electronic device. Specifically, referring to fig. 1, the method specifically includes the following steps:
step 110, at least one item of security situation data is obtained from the target database.
It should be noted that, in the field, security situation awareness is the ability to dynamically and holistically understand the security risks of an environment: the real-time security status of a network environment is displayed visually using technologies such as data fusion, data mining, intelligent analysis and visualization, so as to provide technical support for industrial internet security assurance.
In this embodiment, the security situation data may be industrial internet traffic data, log data, trojan data, vulnerability data, virus data, or the like, which is not limited in this embodiment.
The target database may store one or more kinds of security situation data; for example, it may store industrial internet traffic data, log data, trojan data, vulnerability data, and virus data. It should be noted that the number of security situation data items stored in the target database is not limited in this embodiment; it may be, for example, ten thousand, one hundred thousand, or five million.
Step 120, classifying each piece of security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index.
The situation index may be a threat information index, a vulnerability information index, or a system information index, which is not limited in this embodiment.
In an optional implementation manner of this embodiment, after at least one item of security situation data is acquired in the target database, each item of security situation data may be further classified according to at least one situation indicator, so as to obtain a classification result set corresponding to each situation indicator.
For example, each piece of security situation data may be classified according to a threat information index and a vulnerability information index, so as to obtain a classification result set corresponding to the threat information index and a classification result set corresponding to the vulnerability information index.
In another specific example of this embodiment, each piece of security situation data may instead be classified according to a threat information index, a system information index, and a vulnerability information index, so as to obtain a classification result set corresponding to each of the three indexes.
Step 130, training by using each classification result set to obtain a security situation model.
In an optional implementation manner of this embodiment, after classifying the acquired security situation data according to at least one situation indicator to obtain classification result sets respectively corresponding to the situation indicators, the security situation model may be further obtained by training using the classification result sets.
For example, in this embodiment, a feature vector may be extracted from each classification result set and the security situation model trained on those feature vectors; alternatively, unsupervised training may be performed on each classification result set to obtain the security situation model. It should be noted that the security situation model may also be obtained through other training methods, which are not described again here.
And 140, predicting the security situation of the industrial internet data acquired in real time by using the security situation model, and visually displaying the prediction result.
In an optional implementation manner of this embodiment, after the security situation model is obtained by training using the classification result sets respectively corresponding to the situation indexes, the security situation of the industrial internet data obtained in real time may be further predicted by using the security situation model obtained by training, and the obtained prediction result is visually displayed.
In an optional implementation manner of this embodiment, after the security situation model is obtained through training, industrial internet data may be input into the security situation model in real time as it is acquired, and the model predicts which one or more kinds of security situation data (traffic data, log data, trojan data, vulnerability data, virus data, and the like) the industrial internet data belongs to.
Further, the obtained prediction result may be visually displayed; for example, the predicted data type (i.e., which kind or kinds of security situation data) and the attribute characteristics of the industrial internet data may be displayed on a large screen. The attribute characteristics of the industrial internet data may include a name, an identifier (ID), a size, or the like of the industrial internet data, which is not limited in this embodiment.
The method of this embodiment acquires at least one item of security situation data from a target database; classifies each piece of security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index; trains a security situation model using each classification result set; and predicts the security situation of industrial internet data acquired in real time using the security situation model and visually displays the prediction result, so that the security situation of the industrial internet is predicted and the prediction result can be viewed visually.
Example two
Fig. 2 is a flowchart of a method for predicting an industrial internet security situation in a second embodiment of the present invention, where this embodiment is a further refinement of the above technical solutions, and the technical solution in this embodiment may be combined with various alternatives in one or more of the above embodiments. As shown in fig. 2, the method for predicting the industrial internet security situation may include the following steps:
step 210, acquiring security situation data through a probe arranged on an industrial internet node and storing it in a target database; and/or receiving security situation data uploaded by each industrial internet device and storing it in the target database.
In an optional implementation manner of this embodiment, before at least one item of security situation data is acquired from the target database, each piece of security situation data may be acquired through a probe set on an industrial internet node and stored in the target database; security situation data uploaded by each industrial internet device may also be received and stored in the target database.
In an optional implementation manner of this embodiment, after the probe set on the industrial internet node acquires industrial internet data, the transmission protocol of each piece of industrial internet data may be identified, and the kind of security situation data that each piece of industrial internet data belongs to may be determined according to that transmission protocol.
For example, after industrial internet data a is acquired through the probe, the transmission protocol of industrial internet data a may be identified, and according to that transmission protocol industrial internet data a may be determined to be traffic data, trojan data, vulnerability data, virus data, or the like.
In another optional implementation manner of this embodiment, log data uploaded by each industrial internet device in the industrial internet may be received in real time, and the received log data may be stored in the target database.
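The following is an added example, not code from the patent, of what a probe on an industrial internet node could do with a captured payload at step 210: identify the transmission protocol from the bytes themselves and tag the record with the kind of security situation data it is stored as. The three recognised protocols (Modbus/TCP, syslog, HTTP), the mapping from protocol to data kind, the sample captures and the list standing in for the target database are all assumptions made here; the patent only says that the transmission protocol is identified.

```python
"""Added example (not the patent's own code): probe-side protocol identification
for step 210. Recognised protocols, the protocol-to-kind mapping and the sample
captures are assumptions; the patent does not name any protocol."""
import re
import struct

# RFC 3164/5424 syslog messages start with a priority field such as "<34>".
SYSLOG_PRI = re.compile(rb"^<\d{1,3}>")
HTTP_METHODS = (b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS")


def identify_protocol(payload):
    """Return 'modbus-tcp', 'syslog', 'http' or 'unknown' for one captured payload."""
    # Modbus/TCP: 7-byte MBAP header = transaction id, protocol id (always 0),
    # length (number of bytes that follow the length field), unit id; then a PDU
    # that holds at least a function code.
    if len(payload) >= 8:
        _tid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
        if proto_id == 0 and length == len(payload) - 6 and length >= 2:
            return "modbus-tcp"
    if SYSLOG_PRI.match(payload):
        return "syslog"
    # HTTP request line: "<METHOD> <target> HTTP/1.x" terminated by CRLF.
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2] in (b"HTTP/1.0", b"HTTP/1.1"):
        return "http"
    return "unknown"


# Assumed mapping from transmission protocol to the kind of security situation data.
DATA_KIND = {"modbus-tcp": "traffic data", "http": "traffic data", "syslog": "log data"}


def ingest(captured, target_database=None):
    """Tag each (node, payload) capture and append a record to the target database
    (a plain list here); payloads with an unknown protocol are kept but flagged."""
    if target_database is None:
        target_database = []
    for node, payload in captured:
        protocol = identify_protocol(payload)
        target_database.append({
            "node": node,
            "protocol": protocol,
            "kind": DATA_KIND.get(protocol, "unclassified"),
            "size": len(payload),
        })
    return target_database


# Constructed sample captures (not real traffic): a Modbus/TCP "read holding
# registers" request, a syslog line, an HTTP request, and six arbitrary bytes.
SAMPLE_CAPTURES = [
    ("plc-01", bytes.fromhex("00 01 00 00 00 06 01 03 00 00 00 0a")),
    ("gw-02", b"<34>Oct 11 22:14:15 gw-02 sshd[1042]: Failed password for root from 10.0.0.7"),
    ("hmi-03", b"GET /api/status HTTP/1.1\r\nHost: hmi-03.local\r\n\r\n"),
    ("unk-04", b"\x13\x37\xca\xfe\x00\x01"),
]

if __name__ == "__main__":
    for record in ingest(SAMPLE_CAPTURES):
        print(record)
```

The protocol is a routing hint for storage, not a verdict: a payload that merely looks like Modbus/TCP (protocol identifier 0 and a self-consistent MBAP length) is stored with its raw size and protocol tag, and a payload that matches nothing is flagged as unclassified rather than dropped, so the later classification step still sees it.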
Step 220, acquiring at least one item of security situation data from the target database.
Step 230, classifying each piece of security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index.
Step 240, training by using each classification result set to obtain a security situation model.
Step 250, predicting the security situation of the industrial internet data acquired in real time by using the security situation model, and visually displaying the prediction result.
According to the scheme of this embodiment, before at least one item of security situation data is acquired from the target database, security situation data is acquired through a probe arranged on an industrial internet node and stored in the target database, and/or security situation data uploaded by each industrial internet device is received and stored in the target database. The security situation data in the target database can thus be enriched continuously, which can improve the accuracy of the security situation model and provides a basis for improving the accuracy of the industrial internet security situation prediction result.
EXAMPLE III
Fig. 3 is a flowchart of a method for predicting an industrial internet security situation in a third embodiment of the present invention, where this embodiment is a further refinement of the above technical solutions, and the technical solution in this embodiment may be combined with various alternatives in one or more of the above embodiments. As shown in fig. 3, the method for predicting the industrial internet security situation may include the following steps:
step 310, acquiring security situation data through a probe arranged on an industrial internet node and storing it in a target database; and/or receiving security situation data uploaded by each industrial internet device and storing it in the target database.
Step 320, acquiring at least one item of security situation data from the target database.
Step 330, acquiring a target feature vector of each security situation index and a reference feature vector of each piece of security situation data.
Optionally, after at least one item of security situation data is acquired from the target database, each piece of security situation data may be classified according to at least one situation index to obtain a classification result set corresponding to each situation index. In this embodiment, classifying each piece of security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index may include: acquiring a target feature vector of each security situation index and a reference feature vector of each piece of security situation data; calculating the similarity between each target feature vector and each reference feature vector, and obtaining, for each piece of security situation data, its maximum similarity and the security situation index corresponding to that maximum similarity; and screening out every piece of security situation data whose maximum similarity exceeds a preset threshold and adding each of them to the classification result set corresponding to its security situation index.
The security situation index includes at least one of the following: threat information, vulnerability information, system information, and the like, which is not limited in this embodiment.
In an optional implementation manner of this embodiment, after each piece of security situation data is acquired from the target database, a target feature vector of each security situation index and a reference feature vector of each piece of security situation data may be acquired. For example, in this embodiment, attribute information of each security situation index may be extracted to generate the target feature vector of that security situation index, and attribute information of each acquired piece of security situation data may be extracted to generate the reference feature vector of that security situation data.
Step 340, calculating the similarity between each target feature vector and each reference feature vector, and obtaining, for each piece of security situation data, its maximum similarity and the security situation index corresponding to that maximum similarity.
In an implementation manner of this embodiment, after the target feature vector of each security situation index and the reference feature vector of each piece of security situation data obtained from the target database are acquired, the similarity between each target feature vector and each reference feature vector may be calculated, and the maximum similarity of each piece of security situation data and the security situation index corresponding to that maximum similarity may be obtained.
For example, if the security situation indexes include a threat information index and a vulnerability information index, a target feature vector A corresponding to the threat information index and a target feature vector B corresponding to the vulnerability information index may be obtained; the similarity of target feature vector A and of target feature vector B with each reference feature vector is calculated; then, for security situation data a with reference feature vector a, the similarity between reference feature vector a and target feature vector A is compared with the similarity between reference feature vector a and target feature vector B, so as to obtain the maximum similarity of security situation data a and the security situation index corresponding to that maximum similarity.
Illustratively, if the similarity between reference feature vector a and target feature vector A is 0.9 and the similarity between reference feature vector a and target feature vector B is 0.8, then the maximum similarity of security situation data a is 0.9, and the security situation index corresponding to that maximum similarity is the threat information index.
Step 350, screening out every piece of security situation data whose maximum similarity exceeds a preset threshold, and adding each of them to the classification result set corresponding to its security situation index.
The preset threshold may be a value such as 0.6, 0.7, or 0.85, which is not limited in this embodiment.
In an optional implementation manner of this embodiment, after the maximum similarity of each piece of security situation data and the corresponding security situation index are obtained, the security situation data whose maximum similarity exceeds the preset threshold may be screened out, and each such piece of security situation data is added to the classification result set corresponding to its security situation index.
Illustratively, each maximum similarity may be compared with the preset threshold; the security situation data whose maximum similarity is greater than the threshold is retained, and each retained piece of security situation data is added to the classification result set corresponding to its security situation index. Security situation data whose maximum similarity does not exceed the threshold is not added to any classification result set.
Step 360, predicting the security situation of the industrial internet data acquired in real time by using the security situation model obtained by training with the classification result sets, and visually displaying the prediction result.
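The following is an added example, not the patent's own code, that carries steps 330 to 360 through in Python on constructed records. It goes beyond the 0.9 versus 0.8 illustration above by running the full loop over several records and several indexes, and it also stands in for the training and prediction steps with a deliberately simple model. The keyword vocabulary, the way attribute information is turned into feature vectors, the use of cosine similarity, the 0.7 threshold, the per-set mean vector used as the "model", and the sample records are all assumptions chosen here; the patent leaves each of them open.

```python
"""Added example (not the patent's own code): steps 330-360 of the third
embodiment. Vectorisation, the cosine measure, the 0.7 threshold and the
centroid model are assumptions; the patent does not specify any of them."""
import math
from collections import Counter

# Assumed keyword vocabulary (hypothetical): one vector dimension per keyword.
VOCAB = ["cve", "exploit", "malware", "c2", "patch", "unpatched",
         "cpu", "uptime", "firmware", "plc"]

# Constructed attribute text for each security situation index; it is
# vectorised into that index's target feature vector.
INDICATOR_ATTRIBUTES = {
    "threat information": "exploit malware c2",
    "vulnerability information": "cve exploit patch unpatched",
    "system information": "cpu uptime firmware plc",
}

# Constructed records standing in for rows of the target database.
SAMPLE_DATA = {
    "rec-1": "malware c2 malware exploit",    # beaconing malware sample
    "rec-2": "cve unpatched plc",             # weak signal, split between two indexes
    "rec-3": "cpu uptime firmware",           # host inventory record
    "rec-4": "cve exploit patch unpatched",   # vulnerability advisory
}


def to_vector(text):
    """Reference/target feature vector: keyword counts over VOCAB."""
    counts = Counter(text.lower().split())
    return [counts.get(word, 0) for word in VOCAB]


def cosine_similarity(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def nearest(ref, targets):
    """The index whose target vector is most similar to ref, with that similarity."""
    return max(((name, cosine_similarity(ref, vec)) for name, vec in targets.items()),
               key=lambda pair: pair[1])


def classify(data, indicators=INDICATOR_ATTRIBUTES, threshold=0.7):
    """Steps 330-350: one classification result set per index. A record goes
    into the set of its most similar index only if that maximum similarity
    exceeds the threshold; otherwise it is left unclassified."""
    targets = {name: to_vector(attrs) for name, attrs in indicators.items()}
    result_sets = {name: [] for name in indicators}
    rejected, scores = [], {}
    for rec_id, attrs in data.items():
        best_name, best_sim = nearest(to_vector(attrs), targets)
        scores[rec_id] = (best_name, best_sim)
        if best_sim > threshold:
            result_sets[best_name].append(rec_id)
        else:
            rejected.append(rec_id)
    return result_sets, rejected, scores


def train_model(result_sets, data):
    """Assumed stand-in for the unspecified training step: one feature vector per
    classification result set, the mean of its members' reference vectors."""
    model = {}
    for name, members in result_sets.items():
        if not members:
            continue
        vectors = [to_vector(data[rec_id]) for rec_id in members]
        model[name] = [sum(col) / len(vectors) for col in zip(*vectors)]
    return model


def predict(model, attrs, threshold=0.7):
    """Step 360: label a record captured in real time, or None if nothing is close."""
    if not model:
        return None
    best_name, best_sim = nearest(to_vector(attrs), model)
    return best_name if best_sim > threshold else None


if __name__ == "__main__":
    sets, rejected, scores = classify(SAMPLE_DATA)
    for rec_id, (name, sim) in scores.items():
        print(f"{rec_id}: nearest={name!r} similarity={sim:.3f}")
    print("result sets:", sets)
    print("rejected (below threshold):", rejected)
    model = train_model(sets, SAMPLE_DATA)
    print("real-time record ->", predict(model, "malware c2 exploit c2"))
```

Records whose maximum similarity does not exceed the threshold (rec-2, split between two indexes at about 0.58) are reported rather than forced into a result set, which is the practical value of the threshold in step 350: a weak match would otherwise pull the mean vector of that set towards noise and degrade every later prediction.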
In an optional implementation manner of this embodiment, while the prediction result is visually displayed, the classification result sets respectively corresponding to the situation indexes may also be visually displayed. For example, the classification result sets may be displayed in a fixed area of a large screen that does not overlap with the visual display area of the prediction result, so that the user can view them conveniently.
In an optional implementation manner of this embodiment, the security situation model may also be visually displayed while the prediction result is displayed. Illustratively, the security situation model may be displayed in a fixed area of the large screen that overlaps neither the visual display area of the prediction result nor that of the classification result sets, so that the user can view it conveniently.
In the scheme of this embodiment, classifying each piece of security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index includes: acquiring a target feature vector of each security situation index and a reference feature vector of each piece of security situation data; calculating the similarity between each target feature vector and each reference feature vector, and obtaining the maximum similarity of each piece of security situation data and the security situation index corresponding to that maximum similarity; and screening out every piece of security situation data whose maximum similarity exceeds a preset threshold and adding each of them to the classification result set corresponding to its security situation index. The classification result set corresponding to each situation index can thus be determined accurately, which provides a basis for accurately predicting the security situation of industrial internet data subsequently.
In order to help those skilled in the art better understand the method for predicting the industrial internet security situation of this embodiment, fig. 4 is a schematic diagram of an industrial internet security situation prediction system in the third embodiment of the present invention, which mainly includes a security situation data acquisition module 410, a security situation index extraction module 420, a security situation data classification module 430, a general situation evaluation module 440, and a situation prediction module 450.
The security situation indexes include threat information, vulnerability information, and system information. The security situation data classification module 430 comprises threat situation assessment, vulnerability situation assessment, stability situation assessment, and disaster recovery situation assessment. The general situation evaluation module 440 is the security situation model referred to in the embodiments of the present invention.
According to the scheme of the embodiment of the invention, threat situation visualization can be realized: the comprehensive security situation of industrial control equipment and key nodes across the whole network can be monitored visually, and the attack source, attack purpose and attack path can be traced and analyzed visually from the source information and target information of a network threat event, which facilitates in-depth analysis and mining of the characteristics of network threat attacks against a user and improves the ability to anticipate and actively defend against potential and unknown threats.
The scheme of the embodiment of the invention can also realize threat event monitoring: it can integrate data from various industrial control detection systems, monitor in real time and visually various network threat events such as malicious domain names, vulnerability exploitation attacks, traffic anomalies, botnet, trojan and worm activity, DDoS attacks, industrial control network attacks and APT attacks, and support graded alarms on the various abnormal network events, helping a user quickly find hidden network security dangers and better prevent and resist network threat events.
The scheme of the embodiment of the invention can also realize threat information situation display: it can integrate with mainstream threat intelligence acquisition systems, perform real-time monitoring, alarming and visual analysis on sensitive information from domestic and foreign threat information channels, and support visual analysis of the development trend of threat information, visual traceability analysis of threats, visual analysis of propagation paths and the like, helping the management department grasp the latest threat situation at the first opportunity and improving the monitoring strength and response efficiency of managers with respect to threat information.
The scheme of the embodiment of the invention can also realize network equipment visualization: it can support a three-dimensional simulated display of the data center that truly reflects the quantity, types and distribution of the existing equipment. The system supports integration with network monitoring, host monitoring, storage monitoring and similar systems, monitors the running state of network equipment visually in real time, provides interactive support such as click-to-query and viewpoint adjustment, and can drill down to the attribute information of a specific server, helping a user grasp the running state of the equipment more intuitively.
According to the scheme of the embodiment of the invention, operation and maintenance data visualization can be realized: integration with building control, security, fire protection, video and similar monitoring systems can be supported, providing a unified visual monitoring platform for data center operation and maintenance; operation and maintenance data such as the temperature and humidity of the network center machine room, the operating state of the power system and the energy consumption of the machine room are monitored and analyzed in real time, helping a manager grasp the operating state of the network center clearly and intuitively and improving operation and maintenance efficiency.
The scheme of the embodiment of the invention can also realize information asset visualization: it can integrate with various IT asset configuration management databases, monitor visually and in real time the security state of the information assets within the user's network operation scope, and, combined with the operating data of systems such as IDS, VDS, firewalls and host monitoring, help a user quickly discover hidden security dangers of information assets, thereby enhancing managers' monitoring and perception of the security situation of information assets.
The scheme of the embodiment of the invention can also realize visual analysis and judgment of data and the fusion of various types of data. It is compatible with data from various existing data sources, security asset information data, service system data, attack event data and the like, supports access by various artificial intelligence model algorithms, realizes fused display of information across service systems, and provides comprehensive and objective data support and a basis for users' decisions, research and judgment.
The scheme of the embodiment of the invention can also realize multidimensional visual analysis of data: it can support integrated network security monitoring data from each service system and carry out multidimensional parallel visual analysis according to the user's service requirements. It can provide various visual analysis means such as clustering, heat maps and activity rules, nearly a hundred kinds of visual analysis charts of the data, and data analysis support such as scrolling, drilling and slicing, helping the user understand the association relationships in complex data.
The technical scheme of the embodiment of the invention can also realize access support for professional model algorithms: it can support combination, at the interface level, with professional analysis algorithms and data models in network security sub-fields, supports fused visual analysis of calculation results with data from other sources, makes maximum use of existing informatization construction results, and provides strong technical support for more complex industrial applications.
Example four
Fig. 5 is a schematic structural diagram of an industrial internet security situation prediction apparatus according to a fourth embodiment of the present invention, which is capable of executing the industrial internet security situation prediction methods related to the foregoing embodiments. Referring to fig. 5, the apparatus includes: a security posture data acquisition module 510, a security posture data classification module 520, a security posture model determination module 530, and a security posture prediction module 540.
A security situation data obtaining module 510, configured to obtain at least one item of security situation data from a target database;
a security situation data classification module 520, configured to classify each piece of security situation data according to at least one situation indicator, so as to obtain a classification result set corresponding to each situation indicator;
a security situation model determining module 530, configured to use each classification result set to train to obtain a security situation model;
and the security situation prediction module 540 is configured to predict the security situation of the industrial internet data acquired in real time by using the security situation model, and visually display a prediction result.
According to the scheme of this embodiment, at least one item of security situation data is acquired from a target database by the security situation data acquisition module; each piece of security situation data is classified according to at least one situation index by the security situation data classification module to obtain a classification result set corresponding to each situation index; the security situation model determination module trains with each classification result set to obtain a security situation model; and the security situation prediction module predicts the security situation of industrial internet data acquired in real time using the security situation model and visually displays the prediction result, so that the security situation of the industrial internet is predicted and the prediction result can be viewed visually.
In an optional implementation manner of this embodiment, the security posture data includes at least one of:
industrial internet traffic data, log data, trojan data, vulnerability data, and virus data.
In an optional implementation manner of this embodiment, the industrial internet security situation prediction apparatus further includes a security situation data storage module, configured to
acquire each piece of security situation data through a probe arranged on an industrial internet node and store it in the target database; and/or
receive each piece of security situation data uploaded by each industrial internet device and store it in the target database.
In an optional implementation manner of this embodiment, the security situation data classification module 520 is specifically configured to
acquire a target feature vector of each security situation index and a reference feature vector of each piece of security situation data;
calculate the similarity between each target feature vector and each reference feature vector, and obtain the maximum similarity of each piece of security situation data and the security situation index corresponding to that maximum similarity; and
screen out the security situation data whose maximum similarity exceeds a preset threshold and add each of them to the classification result set corresponding to its security situation index.
In an optional implementation manner of this embodiment, the security situation index includes at least one of the following: threat information, vulnerability information, and system information.
In an optional implementation manner of this embodiment, the industrial internet security situation prediction apparatus further includes a first display module, configured to
visually display the classification result sets respectively corresponding to the situation indexes.
In an optional implementation manner of this embodiment, the industrial internet security situation prediction apparatus further includes a second display module, configured to
visually display the security situation model.
The industrial internet security situation prediction device provided by the embodiment of the invention can execute the industrial internet security situation prediction method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
EXAMPLE five
Fig. 6 is a schematic structural diagram of an electronic device according to a fifth embodiment of the present invention, as shown in fig. 6, the electronic device includes a processor 60, a memory 61, an input device 62, and an output device 63; the number of the processors 60 in the electronic device may be one or more, and one processor 60 is taken as an example in fig. 6; the processor 60, the memory 61, the input device 62 and the output device 63 in the electronic apparatus may be connected by a bus or other means, and the bus connection is exemplified in fig. 6.
The memory 61 is a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the industrial internet security situation prediction method in the embodiment of the present invention (for example, in the industrial internet security situation prediction apparatus, the security situation data acquisition module 510, the security situation data classification module 520, the security situation model determination module 530, and the security situation prediction module 540). The processor 60 executes various functional applications and data processing of the electronic device by executing software programs, instructions and modules stored in the memory 61, so as to implement the above-mentioned industrial internet security situation prediction method.
The memory 61 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created according to the use of the terminal, and the like. Further, the memory 61 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the memory 61 may further include memory located remotely from the processor 60 and connected to the electronic device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 62 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function controls of the electronic apparatus. The output device 63 may include a display device such as a display screen.
Example six
An embodiment of the present invention further provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method for predicting an industrial internet security situation, the method including:
acquiring at least one item of security situation data from a target database;
classifying the security situation data according to at least one situation index to obtain a classification result set corresponding to each situation index;
training with each classification result set to obtain a security situation model;
predicting the security situation of industrial internet data acquired in real time by using the security situation model, and visually displaying the prediction result.
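The four steps of the method above, carried out end to end as an added illustration; this is not the patent's own implementation. The in-memory SQLite table, the constructed sample rows, the single numeric metric per record, and the per-index nearest-centroid model are all assumptions standing in for whatever data and model a real deployment would use, and the text bar chart stands in for the visual display:

```python
import sqlite3
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Tuple

Record = Tuple[str, float, str]

# Constructed sample rows (situation index, numeric metric, label). The single
# metric stands in for the richer per-index features a real deployment extracts.
SAMPLE_ROWS: List[Record] = [
    ("traffic", 120.0, "normal"), ("traffic", 150.0, "normal"),
    ("traffic", 900.0, "risk"), ("traffic", 1100.0, "risk"),
    ("log", 5.0, "normal"), ("log", 8.0, "normal"),
    ("log", 60.0, "risk"), ("log", 75.0, "risk"),
    ("vulnerability", 2.0, "normal"), ("vulnerability", 3.5, "normal"),
    ("vulnerability", 8.5, "risk"), ("vulnerability", 9.8, "risk"),
]


def build_target_database() -> sqlite3.Connection:
    """Create an in-memory stand-in for the target database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE situation (idx TEXT, metric REAL, label TEXT)")
    conn.executemany("INSERT INTO situation VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def acquire_situation_data(conn: sqlite3.Connection) -> List[Record]:
    """Step 1: read the security situation records from the target database."""
    return conn.execute("SELECT idx, metric, label FROM situation").fetchall()


def classify_by_index(records: List[Record]) -> Dict[str, List[Tuple[float, str]]]:
    """Step 2: group records by situation index, one classification result set each."""
    result_sets: Dict[str, List[Tuple[float, str]]] = {}
    for idx, metric, label in records:
        result_sets.setdefault(idx, []).append((metric, label))
    return result_sets


@dataclass
class CentroidModel:
    """Per-index nearest-centroid classifier (an assumed, deliberately simple model)."""
    normal_mean: float
    risk_mean: float

    def predict(self, metric: float) -> str:
        # Assign the label whose training centroid lies closer to the observation.
        closer_to_normal = abs(metric - self.normal_mean) <= abs(metric - self.risk_mean)
        return "normal" if closer_to_normal else "risk"


def train_models(result_sets: Dict[str, List[Tuple[float, str]]]) -> Dict[str, CentroidModel]:
    """Step 3: train one security situation model per classification result set."""
    models: Dict[str, CentroidModel] = {}
    for idx, rows in result_sets.items():
        normal = [m for m, label in rows if label == "normal"]
        risk = [m for m, label in rows if label == "risk"]
        if not normal or not risk:
            # A result set lacking one class cannot yield a two-class model.
            raise ValueError(f"index {idx!r} needs both normal and risk examples")
        models[idx] = CentroidModel(mean(normal), mean(risk))
    return models


def predict_situation(models: Dict[str, CentroidModel],
                      realtime: List[Tuple[str, float]]) -> List[Record]:
    """Step 4a: predict real-time records; indexes with no model are flagged, not guessed."""
    return [(idx, metric, models[idx].predict(metric) if idx in models else "unknown")
            for idx, metric in realtime]


def summarise(predictions: List[Record]) -> Dict[str, Dict[str, int]]:
    """Step 4b: aggregate predictions into per-index label counts for display."""
    summary: Dict[str, Dict[str, int]] = {}
    for idx, _metric, label in predictions:
        counts = summary.setdefault(idx, {})
        counts[label] = counts.get(label, 0) + 1
    return summary


def render_summary(summary: Dict[str, Dict[str, int]]) -> str:
    """Render the summary as a text bar chart, standing in for a dashboard widget."""
    lines = []
    for idx in sorted(summary):
        for label in sorted(summary[idx]):
            n = summary[idx][label]
            lines.append(f"{idx:<14}{label:<8}{'#' * n} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    conn = build_target_database()
    models = train_models(classify_by_index(acquire_situation_data(conn)))
    live = [("traffic", 130.0), ("traffic", 950.0), ("log", 70.0), ("virus", 1.0)]
    print(render_summary(summarise(predict_situation(models, live))))
```

Two edge cases worth keeping even in a toy: a result set containing only one label cannot produce a two-class model, so training refuses it instead of silently fitting a degenerate one, and a real-time record whose situation index has no trained model (here "virus") is reported as "unknown" rather than being forced through another index's model.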
Of course, the storage medium containing the computer-executable instructions provided by the embodiments of the present invention is not limited to the method operations described above, and may also perform related operations in the industrial internet security situation prediction method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the foregoing industrial internet security situation prediction apparatus, the included units and modules are divided only according to functional logic and are not limited to the above division, as long as the corresponding functions can be implemented; in addition, the specific names of the functional units are only for convenience of distinguishing them from each other, and are not used to limit the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.