CN112819336A - Power monitoring system network threat-based quantification method and system - Google Patents


Publication number: CN112819336A
Authority: CN (China)
Prior art keywords: attack, quantitative evaluation, key, event, threat
Legal status: Granted
Application number: CN202110149542.5A
Other languages: Chinese (zh)
Other versions: CN112819336B (en)
Inventor
梁野
李泽科
陈泽文
张晓�
汪明
唐志军
余斯航
金明辉
李勃
马力
何纪成
王春艳
王景
高英健
赵航
高航
李航
Current and original assignees:
State Grid Corp of China SGCC
Beijing Kedong Electric Power Control System Co Ltd
State Grid Fujian Electric Power Co Ltd
NARI Group Corp
State Grid Shanghai Electric Power Co Ltd
State Grid Electric Power Research Institute
Application events:
Application filed by State Grid Corp of China SGCC, Beijing Kedong Electric Power Control System Co Ltd, State Grid Fujian Electric Power Co Ltd, NARI Group Corp, State Grid Shanghai Electric Power Co Ltd and State Grid Electric Power Research Institute
Priority to CN202110149542.5A
Publication of CN112819336A
Application granted
Publication of CN112819336B
Legal status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management > G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling > G06Q10/063 Operations research, analysis or management > G06Q10/0639 Performance analysis of employees; Performance analysis of enterprise or organisation operations
    • G06Q10/00 Administration; Management > G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling > G06Q10/063 Operations research, analysis or management > G06Q10/0635 Risk analysis of enterprise or organisation activities
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism > G06Q50/06 Electricity, gas or water supply

Abstract

The invention discloses a method and a system for quantifying network threats based on a power monitoring system. An attack path is drawn from the alarm information collected by the power monitoring system; the attack path is then quantified by four pre-constructed attack quantification evaluation models, based respectively on the key host, the alarm level, the key event and vulnerability exploitation; and the scores output by the models are summarised to obtain a total threat value for the attack path. The advantages are that the risk of an attack event is comprehensively and quantitatively scored along four dimensions (threat degree of the key host, threat degree of the key event, alarm-level threat degree and similarity to a vulnerability exploitation path), a recommended scoring table for quantitative evaluation is provided, and multi-dimensional quantitative scoring and calculation of the threat degree of an attack event is realised.

Description

Power monitoring system network threat-based quantification method and system
Technical Field
The invention relates to a method and a system for quantifying network threats based on a power monitoring system, and belongs to the technical field of power monitoring systems.
Background
Network attacks can cause enormous harm to the power grid. On 23 December 2015, for example, 140 million residents of the Ukrainian capital region and of western Ukraine suffered a large-scale power failure lasting several hours; at least three power regions, covering half of the country, were attacked. The Ukrainian utility Kyivoblenergo stated that the company had suffered a network intrusion by the BlackEnergy trojan, which caused 7 substations of 110 kV and 23 substations of 35 kV to fail, resulting in the outage.
Most attack events in the power grid are multi-step attacks, and different multi-step attacks cause different degrees of damage: some exploit vulnerabilities of higher risk, others vulnerabilities of lower risk. How to measure the risk degree of a network attack is therefore of great significance for the grid's technicians when analysing and reasoning about network attacks.
Existing risk and threat analysis of security incidents in power monitoring systems is mainly based on security incident logs: the key information is extracted from the logs and an attack path is established, so that the security threat can be traced back. However, once the attack path has been generated there is no intuitive evaluation of its threat degree, so operation and maintenance personnel cannot easily focus on the points that matter most, dangerous incidents are easily overlooked, and the power monitoring system carries a serious latent safety hazard.
The main existing method for evaluating the network threat situation starts from the raw alarm information generated by an IDS, performs correlation analysis on the alarms by analysing the logical relations among them, and assesses the threat situation from the correlation results. That research assumes that every alarm represents a successful attack, whereas in a real network a large proportion of alarms are false or irrelevant. Another approach evaluates the threat situation with a hidden Markov model, taking the IDS alarm information as the observation sequence and quantitatively evaluating the security state of the network in real time.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method and a system for quantifying the network threat based on a power monitoring system.
In order to solve the technical problem, the invention provides a power monitoring system network threat-based quantification method, which comprises the following steps:
acquiring alarm log information acquired by a power monitoring system, and drawing an attack path according to the alarm log information;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on a key host, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the alarm level, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the alarm level;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key event, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the key event;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the exploit, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the exploit;
and calculating the total threat value of the attack path as a weighted combination of the four scores (the key host score, the alarm level score, the key event score and the vulnerability exploitation score), using weights determined in advance according to the influence of each dimension on the threat evaluation, wherein the dimensions are the key host, the alarm level, the key event and the vulnerability exploitation path.
Further, the processing procedure of the attack quantitative evaluation model based on the key host comprises:
identifying a key host IP by using the alarm information;
traversing each attack path in the alarm information and the nodes in each path, and recording a score of a1 if the node IP is not in the key host IP sequence; a2 if the node IP is in the key host IP sequence but the event occurrence time does not match; a3 if the event occurrence time matches but the corresponding security event of the key host IP does not; and a4 if the corresponding security event of the key host IP matches as well; wherein 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
and taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching score of each node in the attack path and the event.
Further, the process of identifying the key host IP from the original alarm information includes:
preprocessing the original alarm information into a dense time sequence, determining from it the starting point and end point of the abnormal quantity, and judging whether the abnormal quantity in the period between those points exceeds the preset threshold for that IP host; if so, the IP host is determined to be a key host.
Further, the processing procedure of the attack quantitative evaluation model based on the alarm level includes:
traversing each attack path in the alarm information and, for each path, obtaining the alarm level of each security event in it and assigning a score to that level, wherein a highest threat level of 0 scores b1, a highest threat level of 1 scores b2 and a highest threat level of 2 scores b3, with 0 ≤ b1, b2, b3 ≤ 1;
and taking the maximum value in the security event scores of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
Further, the processing procedure of the attack quantitative evaluation model based on the key events comprises:
extracting logs of various safety devices of the power grid according to the alarm information, and determining key events according to the logs;
traversing each attack path in the alarm information and each alarm event in each path, and recording a score of c1 if the alarm content does not match a key event; if the key event type matches, the time is matched next, and the score is c2 if the alarm event occurrence time does not match; c3 if the key event type and occurrence time match but the source and destination IPs of the key event do not match those in the attack path; and c4 if the key event type, occurrence time, source IP and destination IP all match the attack path; wherein 0 ≤ c1 < c2 < c3 < c4 ≤ 1;
and after the scores of the alarm events of each node in the attack path are calculated, taking the maximum value of the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key events.
Further, the process of determining the key events according to the log includes:
counting and extracting the logs of the various security devices in the power grid to form a security event sequence;
determining key events based on mutation points from the security event sequence, considering surges and sharp drops in alarm quantity between adjacent security events, as well as flat-top events in which a surge is followed by small continuous fluctuation and then a sharp drop;
determining key events based on a threshold from the security event sequence, considering the case in which the alarm quantity does not surge but rises slowly until it exceeds a preset quantity threshold.
Further, the processing procedure of the exploit-based attack quantitative evaluation model includes:
traversing all vulnerability exploitation paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity and extracting the vulnerability exploitation paths in the top 1% by similarity;
screening these top 1% of paths against a threshold K, keeping the vulnerability exploitation paths whose similarity is greater than K;
quantifying the threat degree of each selected vulnerability exploitation path according to a CVSS scoring rule base: for every CVE vulnerability on the path, looking up its CVSS score in the rule base and averaging the scores to obtain the risk degree score of the exploitation path;
and taking the maximum risk degree over all screened exploitation paths as the threat quantitative evaluation score of the attack path based on the vulnerability exploitation quantitative evaluation model.
A power monitoring system network threat-based quantification system comprises:
the acquisition module is used for acquiring alarm log information acquired by the power monitoring system and drawing an attack path according to the alarm log information;
the key host scoring module is used for inputting the attack path to a pre-constructed attack quantitative evaluation model based on the key host and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host;
the alarm level scoring module is used for inputting the attack path to a pre-constructed attack quantitative evaluation model based on the alarm level and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the alarm level;
the key event scoring module is used for inputting the attack path into a pre-constructed key event-based attack quantitative evaluation model and outputting a threat quantitative evaluation score of the attack path based on the key event-based attack quantitative evaluation model;
the vulnerability exploitation path similarity degree scoring module is used for inputting the attack path to a pre-constructed vulnerability exploitation-based attack quantitative evaluation model and outputting a threat quantitative evaluation score of the attack path based on the vulnerability exploitation-based attack quantitative evaluation model;
and the calculation module is used for calculating the total threat value of the attack path as a weighted combination of the four scores (the key host score, the alarm level score, the key event score and the vulnerability exploitation score), using weights determined in advance according to the influence of each dimension on the threat evaluation, wherein the dimensions are the key host, the alarm level, the key event and the vulnerability exploitation path.
Further, the key host scoring module includes:
the identification module is used for identifying the IP of the key host by utilizing the alarm information;
the first traversal module is used for traversing each attack path in the alarm information and the nodes in each path, recording a score of a1 if the node IP is not in the key host IP sequence; a2 if the node IP is in the key host IP sequence but the event occurrence time does not match; a3 if the event occurrence time matches but the corresponding security event of the key host IP does not; and a4 if the corresponding security event of the key host IP matches as well; wherein 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
and the first value taking module is used for taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching score of each node and the event in the attack path.
Further, the identification module comprises:
the preprocessing module is used for preprocessing the original alarm information to obtain a dense time sequence;
and the judging module is used for determining a starting point and an end point of the abnormal quantity according to the dense time sequence, judging whether the abnormal quantity of the time period between the starting point and the end point exceeds a preset threshold value of the IP host, and if so, determining the IP host as a key host.
Further, the alarm level scoring module comprises:
the second traversal module is used for traversing each attack path in the alarm information, obtaining the alarm level of each security event in the path and assigning a score to that level, wherein a highest threat level of 0 scores b1, a highest threat level of 1 scores b2 and a highest threat level of 2 scores b3, with 0 ≤ b1, b2, b3 ≤ 1;
and the second value taking module is used for taking the maximum value in the security event scores of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
Further, the key event scoring module comprises:
the determining module is used for extracting logs of various safety devices of the power grid according to the alarm information and determining key events according to the logs;
the third traversal module is used for traversing each attack path in the alarm information and each alarm event in each path, recording a score of c1 if the alarm content does not match a key event; if the key event type matches, the time is matched next, and the score is c2 if the alarm event occurrence time does not match; c3 if the key event type and occurrence time match but the source and destination IPs of the key event do not match those in the attack path; and c4 if the key event type, occurrence time, source IP and destination IP all match the attack path; wherein 0 ≤ c1 < c2 < c3 < c4 ≤ 1;
and the third value taking module is used for taking the maximum value of the scores after calculating the scores of the alarm events of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key events.
Further, the determining module comprises:
the extraction module is used for counting and extracting the logs of the various security devices in the power grid to form a security event sequence;
the first determining module is used for determining key events based on mutation points from the security event sequence, considering surges and sharp drops in alarm quantity between adjacent security events, as well as flat-top events in which a surge is followed by small continuous fluctuation and then a sharp drop;
and the second determining module is used for determining key events based on a threshold from the security event sequence, considering the case in which the alarm quantity does not surge but rises slowly until it exceeds the preset quantity threshold.
Further, the vulnerability exploiting path similarity degree scoring module comprises:
the fourth traversal module is used for traversing all vulnerability exploitation paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity and extracting the vulnerability exploitation paths in the top 1% by similarity;
the screening module is used for screening these top 1% of paths against a threshold K, keeping the vulnerability exploitation paths whose similarity is greater than K;
the CVSS scoring module is used for quantifying the threat degree of each selected vulnerability exploitation path according to a CVSS scoring rule base: for every CVE vulnerability on the path, it looks up the corresponding CVSS score in the rule base and averages the scores to obtain the risk degree score of the exploitation path;
and the fourth value taking module is used for taking the maximum risk degree over all screened exploitation paths as the threat quantitative evaluation score of the attack path based on the vulnerability exploitation quantitative evaluation model.
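As an added example (not part of the patent text), the following Python sketch implements the vulnerability exploitation dimension described in the method steps and in the module passage above: the known exploitation paths of the local network are ranked by similarity to the current attack path, the top 1% (at least one path) is kept, paths whose similarity is not above the threshold K are dropped, each survivor's risk degree is the mean CVSS score of the CVEs on it, and the maximum is returned. The path library, the CVSS rule base, the CVE identifiers (placeholders, not real CVE numbers) and the use of the Jaccard index over attack step types as the similarity measure are assumptions of this example; the patent does not name its similarity metric.

```python
from math import ceil
from statistics import mean

# Constructed library of exploitation paths known on the local network.  Each step is
# (attack step type, CVE id or None); the CVE ids are placeholders, not real identifiers.
EXPLOIT_PATHS = {
    "EP-1": [("scan", None), ("rce", "CVE-PLACEHOLDER-0001"), ("privesc", "CVE-PLACEHOLDER-0002")],
    "EP-2": [("phishing", None), ("macro", "CVE-PLACEHOLDER-0003"), ("lateral", None)],
    "EP-3": [("scan", None), ("brute_force", None), ("rce", "CVE-PLACEHOLDER-0001")],
    "EP-4": [("scan", None), ("rce", "CVE-PLACEHOLDER-0004")],
}

# Constructed stand-in for the CVSS score rule base: CVE id -> CVSS base score (0..10).
CVSS_RULE_BASE = {
    "CVE-PLACEHOLDER-0001": 9.8,
    "CVE-PLACEHOLDER-0002": 7.8,
    "CVE-PLACEHOLDER-0003": 7.5,
    "CVE-PLACEHOLDER-0004": 6.5,
}


def jaccard(a, b):
    """Similarity of two paths as the Jaccard index of their step-type sets.  The patent
    does not name a similarity measure, so this choice is an assumption of the example."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0


def path_risk(path, rule_base=CVSS_RULE_BASE):
    """Risk degree of one exploitation path: the mean CVSS score of the CVEs on its steps
    (steps without a CVE are skipped).  Rounded to 2 decimals like a CVSS score."""
    scores = [rule_base[cve] for _, cve in path if cve is not None]
    return round(mean(scores), 2) if scores else 0.0


def score_path_exploit(current_steps, library=EXPLOIT_PATHS, top_fraction=0.01, k=0.5):
    """Exploit-path dimension score of the current attack path:
    1. rank every known exploitation path by similarity to the current path,
    2. keep the top top_fraction (the patent's 1%; never fewer than one path),
    3. drop paths whose similarity is not greater than the threshold K,
    4. return the maximum risk degree among the survivors, 0.0 if none survive."""
    ranked = sorted(
        ((jaccard(current_steps, [step for step, _ in p]), name) for name, p in library.items()),
        reverse=True,
    )
    top = ranked[: max(1, ceil(top_fraction * len(ranked)))]
    survivors = [name for sim, name in top if sim > k]
    return max((path_risk(library[name]) for name in survivors), default=0.0)


if __name__ == "__main__":
    # Current path resembles EP-1 exactly, so the score is EP-1's mean CVSS: 8.8
    print(score_path_exploit(["scan", "rce", "privesc"]))
```

Because the top-1% cut is applied before the threshold K, a small path library keeps only one candidate; the `top_fraction` parameter lets the operator widen the cut when the library is small.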
The invention achieves the following beneficial effects:
According to the method, the threat degree of an attack path is quantified by a multi-dimensional quantification model and displayed visually, so that grid technicians can intuitively grasp the threat degree of the exploitation path; the risk of the attack event is comprehensively and quantitatively scored along four dimensions (threat degree of the key host, threat degree of the key event, alarm-level threat degree and similarity to a vulnerability exploitation path), a recommended scoring table for quantitative evaluation is provided, and multi-dimensional quantitative scoring and calculation of the threat degree of the attack event is realised.
Drawings
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a key host detection identification method;
FIG. 3 is a process diagram of the key event monitoring flow;
FIG. 4 is a diagram of an intranet network deployment of an embodiment;
FIG. 5 is a schematic diagram of an attack path;
FIG. 6 is a schematic diagram of an exploit path.
Detailed Description
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a power monitoring system network threat-based quantification method comprising four scoring algorithms: scoring an attack path according to key hosts, according to key events, according to the alarm level, and according to its similarity to a vulnerability exploitation path. When the total threat value of the attack path is calculated, a different weight is set for the score of each dimension; the weights can be adjusted manually, and suggested weights are given according to the severity and range of influence of each dimension on the threat evaluation: 'alarm level' 20%, 'key suspicious device' 20%, 'key event' 20% and 'vulnerability exploitation path similarity' 40%. The detailed scoring rules of the multi-dimensional quantification algorithm are as follows:
TABLE 1 Multidimensional metric scoring rules
[Table 1 is provided as an image in the original and is not reproduced here.]
The multidimensional quantification formula for the threat degree of the attack path is as follows: [formula not reproduced on the page]. Quantitative scoring of attack paths from different dimensions is thereby realised.
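Since Table 1 and the quantification formula survive on this page only as an image reference, the following Python sketch (added here, not part of the patent) makes the combination step concrete: the alarm-level dimension maps the highest alarm level on a path to b1/b2/b3 and takes the path maximum, and the total threat value is the weighted sum of the four dimension scores with the suggested weights of 20/20/20/40 %. The b values, the division of the 0..10 CVSS mean by 10 so that all four dimensions share a 0..1 scale, the weight validation and the ranking helper are assumptions of this example, not values taken from Table 1.

```python
# Suggested weights from the description: alarm level 20 %, key host 20 %, key event 20 %,
# exploit-path similarity 40 %.  The description says they may be adjusted manually.
WEIGHTS = {"alarm_level": 0.2, "key_host": 0.2, "key_event": 0.2, "exploit_path": 0.4}

# b1, b2, b3 for a highest alarm level of 0, 1, 2.  The page leaves the values to Table 1
# (not reproduced), so these are assumed values kept inside the stated 0..1 range.
ALARM_LEVEL_SCORES = {0: 0.3, 1: 0.6, 2: 1.0}


def score_alarm_level(levels, level_scores=ALARM_LEVEL_SCORES):
    """Alarm-level dimension: score each node's alarm level and take the path maximum."""
    return max(level_scores[lvl] for lvl in levels)


def check_weights(weights):
    """Manually edited weights must stay non-negative and sum to 1, otherwise totals of
    different paths stop being comparable.  Returns True when the weights are usable."""
    return all(w >= 0 for w in weights.values()) and abs(sum(weights.values()) - 1.0) < 1e-9


def total_threat(scores, weights=WEIGHTS, cvss_scale=10.0):
    """Total threat value = sum over the four dimensions of weight * dimension score.
    The exploit-path score is a CVSS mean on a 0..10 scale and is divided by cvss_scale
    (an assumption of this example) so that every term lies in 0..1."""
    if not check_weights(weights):
        raise ValueError("weights must be non-negative and sum to 1")
    if set(scores) != set(weights):
        raise ValueError("exactly one score per weighted dimension is required")
    total = 0.0
    for dim, w in weights.items():
        s = scores[dim] / cvss_scale if dim == "exploit_path" else scores[dim]
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"{dim} score {s} is outside 0..1")
        total += w * s
    return round(total, 4)


def rank_paths(path_scores, weights=WEIGHTS):
    """Order attack paths by total threat value, highest first, so the operator sees the
    most dangerous path at the top of the display."""
    ranked = [(pid, total_threat(sc, weights)) for pid, sc in path_scores.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # Constructed dimension scores for two attack paths.
    paths = {
        "P1": {"alarm_level": score_alarm_level([0, 2, 1]), "key_host": 1.0,
               "key_event": 0.7, "exploit_path": 8.8},
        "P2": {"alarm_level": score_alarm_level([0, 0]), "key_host": 0.0,
               "key_event": 0.0, "exploit_path": 0.0},
    }
    print(rank_paths(paths))   # [('P1', 0.892), ('P2', 0.06)]
```

The range check on each term is what turns a mis-scaled dimension (for instance a raw CVSS mean fed in without dividing by 10) into an immediate error rather than a silently inflated ranking.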
Multidimensional quantization algorithm
The multi-dimensional quantization algorithm described in this patent involves the following concepts:
(1) The alarm level is extracted directly from the original data and directly reflects the importance of the alarm; if the alarm level of a node in the attack path is high, the attack path is more threatening.
(2) A key event is an alarm event that occurs frequently within a certain time; such an anomaly may indicate an attack, and if an alarm event in the attack path is a key event, the attack path is more threatening.
(3) An exploitation path is a multi-step attack pattern that exists in the local area network; if an attack path resembles an exploitation path, its threat level is higher, and if it resembles a more dangerous exploitation path, its threat level is higher still.
Attack quantitative evaluation method based on key host
The method first identifies key hosts and their key security events to obtain the key host IPs, and then scores the drawn attack graph. Each attack path in the attack graph is traversed, then each node in the path: if the node IP is not in the key host IP sequence, the score is 0; if the node IP is in the key host IP sequence but the event occurrence time does not match, the score is 0.3; if the occurrence time matches but the corresponding high-frequency event of the key host IP does not, the score is 0.7; if the corresponding high-frequency event of the key host IP matches as well, the score is 1. The maximum of the node-event matching scores along the attack chain is the attack quantitative evaluation score output by the model.
First, the key hosts are identified. Observing the alarms sent or received by each IP, a key host is an IP whose alarm quantity surges or exceeds a certain threshold within some time period; it is called a key host for that period. Depending on whether the IP sends or receives the attack, key hosts are divided into suspicious hosts and victim hosts. The detection flow is as follows:
As shown in fig. 2, key host identification has four steps: a data preprocessing module, a time sequence training module, a starting boundary detection module and an ending boundary detection module. The data preprocessing module takes the original alarm information as input and turns it into a dense time sequence, which is the input of the other three modules; the time sequence training module takes the current data as input and determines a threshold for each IP according to a set threshold parameter; the starting and ending boundary detection modules are the core and determine the start and end points of the abnormal quantity, the period between the two points being the abnormal period.
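As an added illustration (not part of the patent text), the following Python sketch implements the key-host dimension described above and in the method and module passages: raw alarms are preprocessed into a dense per-IP time series, each IP receives a threshold, the first and last bins above the threshold give the start and end boundary, and an attack path is scored with a1..a4 = 0, 0.3, 0.7, 1, taking the maximum over its nodes. The sample alarms, the threshold rule (the larger of a preset minimum count and mean + k·std, standing in for the unspecified per-IP "time sequence training" step) and the reading of a host's key security event as any event type seen at least `min_count` times inside its window are assumptions of this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample alarms: (minute, src_ip, dst_ip, event_type).  Invented for this example.
ALARMS = [
    (0, "10.0.0.5", "10.0.1.20", "scan"),
    (1, "10.0.0.5", "10.0.1.21", "scan"),
    (10, "10.0.0.7", "10.0.1.20", "login_fail"),
    (40, "10.0.0.7", "10.0.1.22", "login_fail"),
]
# Minutes 20-23: a burst of 20 "exploit" alarms sent by 10.0.0.9 to 10.0.1.30, the behaviour
# that should make 10.0.0.9 a key (suspicious) host and 10.0.1.30 a key (victim) host.
ALARMS += [(20 + i // 5, "10.0.0.9", "10.0.1.30", "exploit") for i in range(20)]

# a1 < a2 < a3 < a4 as in the patent's embodiment.
A_SCORES = (0.0, 0.3, 0.7, 1.0)


def dense_series(alarms, role):
    """Preprocess raw alarms into a dense per-IP series: one count per minute bin, zeros
    included, so idle minutes are real samples rather than missing ones.  role selects
    whether an IP is credited as alarm sender ("src") or receiver ("dst")."""
    t0 = min(a[0] for a in alarms)
    width = max(a[0] for a in alarms) - t0 + 1
    series = defaultdict(lambda: [0] * width)
    for t, src, dst, _ in alarms:
        series[src if role == "src" else dst][t - t0] += 1
    return dict(series), t0


def key_host_windows(alarms, role, k=2.0, min_count=3):
    """Return {ip: (start, end)} for IPs whose per-minute alarm count exceeds the IP's
    threshold.  The threshold max(min_count, mean + k*std) is an assumption replacing the
    patent's unspecified 'time sequence training'; start and end are the first and last
    bins above the threshold (the start/end boundary detection)."""
    series, t0 = dense_series(alarms, role)
    windows = {}
    for ip, counts in series.items():
        threshold = max(min_count, mean(counts) + k * pstdev(counts))
        hot = [i for i, c in enumerate(counts) if c > threshold]
        if hot:
            windows[ip] = (t0 + hot[0], t0 + hot[-1])
    return windows


def key_host_events(alarms, windows, role, min_count=3):
    """For each key host, the event types seen at least min_count times inside its window
    (this example's reading of the host's 'high-frequency security event')."""
    tally = defaultdict(lambda: defaultdict(int))
    for t, src, dst, etype in alarms:
        ip = src if role == "src" else dst
        if ip in windows and windows[ip][0] <= t <= windows[ip][1]:
            tally[ip][etype] += 1
    return {ip: {e for e, n in evs.items() if n >= min_count} for ip, evs in tally.items()}


def score_node(node, windows, events):
    """Four-way match of one attack-path node (ip, minute, event_type) against key hosts."""
    ip, t, etype = node
    if ip not in windows:
        return A_SCORES[0]                 # a1: not a key host
    start, end = windows[ip]
    if not start <= t <= end:
        return A_SCORES[1]                 # a2: key host, but time outside its window
    if etype not in events.get(ip, set()):
        return A_SCORES[2]                 # a3: time matches, event does not
    return A_SCORES[3]                     # a4: host, time and event all match


def score_path_key_host(path, alarms=ALARMS, role="src"):
    """Key-host dimension score of a path: the maximum node score, as the patent specifies."""
    windows = key_host_windows(alarms, role)
    events = key_host_events(alarms, windows, role)
    return max(score_node(node, windows, events) for node in path)


if __name__ == "__main__":
    print(key_host_windows(ALARMS, "src"))   # {'10.0.0.9': (20, 23)}
    print(score_path_key_host([("10.0.0.5", 1, "scan"), ("10.0.0.9", 21, "exploit")]))  # 1.0
```

Running the same detection with `role="dst"` yields the victim-host view the description mentions; the two low-volume senders never cross the minimum count, which is what keeps a single stray alarm from promoting a host to key status.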
Second, attack quantitative evaluation method based on key events
When an attack path is evaluated according to key events, each attack path is traversed first, and then each alarm event in that attack path is traversed. If the alarm content does not match any key event, the alarm event is scored 0. If the key event type matches, the time is matched next: if the occurrence time of the alarm event does not fall in the key event's period, the score is 0.4; if the time matches, the related IPs are matched next. If the key event type and occurrence time match but the source IP and destination IP of the key event do not match the source IP and destination IP in the attack path, the score is 0.7; if the key event type, the occurrence time, and the source and destination IPs all match at the same time, the score is 1. After the score of every alarm event in the chain has been calculated, the maximum value is taken as the key event score of the attack path.
After association, the attack paths form independent chains and cannot be combined directly with other chains, so key events cannot be observed from a single chain. The key events are therefore analyzed separately and then combined with the attack path: once an event in the attack path matches a key event, the suspicion degree of the attack path is raised.
A key event is the condition in which the number of alarms of a particular alarm type suddenly increases, or exceeds a certain threshold, within a certain time period; such alarms are referred to as key events for that period. A key event monitoring model is introduced below. It applies statistical analysis to discover security events characterized by a rapid increase in the number of alarms, and it comprises two parts: log preprocessing and key security event detection. Log preprocessing counts and extracts the logs of the various security devices in the smart grid to form a security event sequence; key security event detection consists of a key event detection algorithm based on mutation points and a key security event detection algorithm based on thresholds, which detect key security events with different characteristics. The specific processing flow of the model is shown in fig. 3.
The mutation-point-based key security event detection module takes the security event sequence of one alarm type as input, focuses on surge events and sharp-reduction events in the alarm count between adjacent security events, and on flat-top events (a surge followed by a period of small-range fluctuation and then a sharp reduction), and outputs the key security events of that alarm type. The threshold-based key security event detection module takes the security event sequence of one alarm type as input, focuses on the case in which the alarm count does not surge but rises slowly until it exceeds a certain threshold, and outputs the key security events of that alarm type.
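The two detectors of the key event monitoring model, written out as an added Python example (this is not code from the patent): a mutation-point detector that flags alarm-count surges, sharp drops and the flat-top shape between them, and a threshold detector that flags a slow rise past a preset count without a surge. The alarm type, the daily counts and the ratio, jump and tolerance parameters are constructed for illustration; the patent does not specify them.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class KeyEvent:
    alarm_type: str
    start: int   # index (day) where the key event begins
    end: int     # index (day) where it ends, inclusive
    kind: str    # "surge", "drop", "flat_top" or "threshold"


def detect_mutation_points(alarm_type: str, counts: List[int], ratio: float = 3.0,
                           min_jump: int = 20, flat_tolerance: float = 0.2) -> List[KeyEvent]:
    """Mutation-point detection: a surge is a jump of at least `ratio` x and
    `min_jump` alarms between adjacent days, a drop is the mirror image, and a
    flat top is a surge followed by a drop with only small fluctuation between.
    Parameter values are assumptions, not the patent's."""
    surges, drops = [], []
    for i in range(1, len(counts)):
        prev, cur = counts[i - 1], counts[i]
        if cur >= ratio * max(prev, 1) and cur - prev >= min_jump:
            surges.append(i)
        elif prev >= ratio * max(cur, 1) and prev - cur >= min_jump:
            drops.append(i)
    events = [KeyEvent(alarm_type, i, i, "surge") for i in surges]
    events += [KeyEvent(alarm_type, i, i, "drop") for i in drops]
    for s in surges:
        # first drop after this surge; the plateau is the days from s up to the drop
        for d in drops:
            if d > s:
                plateau = counts[s:d]
                lo, hi = min(plateau), max(plateau)
                if hi - lo <= flat_tolerance * hi:
                    events.append(KeyEvent(alarm_type, s, d - 1, "flat_top"))
                break
    return sorted(events, key=lambda e: (e.start, e.kind))


def detect_threshold_events(alarm_type: str, counts: List[int], threshold: int,
                            ratio: float = 3.0) -> List[KeyEvent]:
    """Threshold detection: the count crosses `threshold` upward without a surge
    (i.e. by less than `ratio` x over the previous day); the event lasts while
    the count stays above the threshold."""
    events, i = [], 1
    while i < len(counts):
        crossed = counts[i] > threshold >= counts[i - 1]
        gradual = counts[i] < ratio * max(counts[i - 1], 1)
        if crossed and gradual:
            j = i
            while j + 1 < len(counts) and counts[j + 1] > threshold:
                j += 1
            events.append(KeyEvent(alarm_type, i, j, "threshold"))
            i = j + 1
        else:
            i += 1
    return events


# Constructed daily alarm counts for one alarm type named on the page:
# a three-day plateau (days 4-6) after a surge, then a slow climb past 25.
SAMPLE_ALARM_TYPE = "abnormal access related to IEC104 protocol"
SAMPLE_COUNTS = [5, 6, 5, 7, 60, 58, 61, 8, 6, 5, 6, 7, 9, 12, 16, 21, 27, 33, 36]

if __name__ == "__main__":
    for e in detect_mutation_points(SAMPLE_ALARM_TYPE, SAMPLE_COUNTS):
        print(e)
    for e in detect_threshold_events(SAMPLE_ALARM_TYPE, SAMPLE_COUNTS, threshold=25):
        print(e)
```

On the constructed series the mutation-point detector reports the surge on day 4, the drop on day 7 and the flat top spanning days 4 to 6, while the threshold detector reports only the gradual crossing on days 16 to 18; the day-4 jump is excluded from the threshold detector because it is a surge, which keeps the two detectors from double-reporting the same shape.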
Third, attack quantitative evaluation method based on alarm level
This evaluation method scores the attack path according to the alarm level: it calculates the threat value from the alarm levels of the alarm events in the attack path and thereby quantifies the threat degree. In the alarm log, each alarm event has a corresponding alarm level. There are three levels, level 0, level 1 and level 2; threat level 0 is the highest, so its score is the highest, and alarm level 2 is the lowest, so its score is the lowest. A level 0 alarm is usually an alarm containing intrusion behavior, a level 1 alarm is usually a network abnormality event, and a level 2 alarm is usually a host alarm. The alarm information collected by the power monitoring system also contains alarms closely related to power grid services, such as "abnormal access related to IEC104 protocol", and the classification of alarm levels fully considers the particularity of the power grid network environment, so the alarm level is meaningful when applied directly to scoring the attack path.
When attack scoring is performed by alarm level, each attack path is traversed first; then, for each attack path, the alarm level of each security event in the path is obtained and assigned a score, where the highest (level 0) threat scores 1, a level 1 threat scores 0.5, and a level 2 threat scores 0. The maximum of the security event scores is then taken as the quantitative evaluation of the threat of the attack path.
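The three matching-score dimensions (key host, key event and alarm level) written out as an added Python example; this is not code from the patent. It applies the score ladders the page gives: 0/0.3/0.7/1 for key hosts (as stated in the system description further down the page), 0/0.4/0.7/1 for key events, and 1/0.5/0 for alarm levels 0/1/2. Timestamps are constructed integers, the host addresses follow the page's worked example, and the key-host and key-event records are constructed so that the three dimension scores come out as the 1.0, 0.4 and 1.0 of that example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AlarmEvent:
    src: str
    dst: str
    alarm_type: str
    time: int      # constructed relative timestamp (seconds)
    level: int     # 0 = highest threat, 2 = lowest


@dataclass(frozen=True)
class KeyHost:
    ip: str
    start: int         # start of the abnormal period found by boundary detection
    end: int
    alarm_type: str    # the security event that made this host a key host


@dataclass(frozen=True)
class KeyEventRecord:
    alarm_type: str
    start: int
    end: int
    src: str
    dst: str


# Score ladders as given on the page: (no match, type/IP only, + time, + event/IPs).
KEY_HOST_SCORES = (0.0, 0.3, 0.7, 1.0)
KEY_EVENT_SCORES = (0.0, 0.4, 0.7, 1.0)
LEVEL_SCORES = {0: 1.0, 1: 0.5, 2: 0.0}


def score_key_host(path: List[AlarmEvent], key_hosts: Dict[str, KeyHost]) -> float:
    """Key host dimension: every node (source and destination IP of each event)
    is matched against the key host list, then by time, then by security event."""
    best = 0.0
    for ev in path:
        for ip in (ev.src, ev.dst):
            kh = key_hosts.get(ip)
            if kh is None:
                s = KEY_HOST_SCORES[0]
            elif not (kh.start <= ev.time <= kh.end):
                s = KEY_HOST_SCORES[1]
            elif kh.alarm_type != ev.alarm_type:
                s = KEY_HOST_SCORES[2]
            else:
                s = KEY_HOST_SCORES[3]
            best = max(best, s)
    return best


def score_key_event(path: List[AlarmEvent], key_events: List[KeyEventRecord]) -> float:
    """Key event dimension: match alarm type, then occurrence time, then the
    source/destination IP pair; take the maximum over the chain."""
    best = 0.0
    for ev in path:
        same_type = [k for k in key_events if k.alarm_type == ev.alarm_type]
        if not same_type:
            s = KEY_EVENT_SCORES[0]
        else:
            in_time = [k for k in same_type if k.start <= ev.time <= k.end]
            if not in_time:
                s = KEY_EVENT_SCORES[1]
            elif any(k.src == ev.src and k.dst == ev.dst for k in in_time):
                s = KEY_EVENT_SCORES[3]
            else:
                s = KEY_EVENT_SCORES[2]
        best = max(best, s)
    return best


def score_alarm_level(path: List[AlarmEvent]) -> float:
    """Alarm level dimension: maximum of the per-event level scores."""
    return max((LEVEL_SCORES[ev.level] for ev in path), default=0.0)


# Constructed attack path: attacker 1.34 scans 1.1, then 1.1 reaches the
# database host 1.3 with a level-0 IEC104 alarm (hosts as in the page's example).
SAMPLE_PATH = [
    AlarmEvent("1.34", "1.1", "port scan", time=100, level=1),
    AlarmEvent("1.1", "1.3", "abnormal access related to IEC104 protocol", time=200, level=0),
]
# Constructed: 1.3 is a key host for the IEC104 alarm during [150, 300].
SAMPLE_KEY_HOSTS = {"1.3": KeyHost("1.3", 150, 300, "abnormal access related to IEC104 protocol")}
# Constructed: the IEC104 key event falls outside the path's time window,
# so only the alarm type matches (score 0.4, as in the page's example).
SAMPLE_KEY_EVENTS = [KeyEventRecord("abnormal access related to IEC104 protocol", 400, 500, "1.1", "1.3")]

if __name__ == "__main__":
    print(score_key_host(SAMPLE_PATH, SAMPLE_KEY_HOSTS),
          score_key_event(SAMPLE_PATH, SAMPLE_KEY_EVENTS),
          score_alarm_level(SAMPLE_PATH))
```

Each dimension takes the maximum over the chain rather than a sum, so a single fully matched node is enough to give the path the top score in that dimension; the length of the chain does not dilute it.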
Fourth, attack quantitative evaluation method based on vulnerability exploitation
Vulnerability exploitation means that an attacker finds an exploitable vulnerability in a target system and uses it to obtain privileges and thereby control the target system; it is an important mode of network attack. The vulnerability exploitation path describes the exploitation process. Its data structure is a graph, in which a node represents a single host and an edge represents the vulnerability used to move from one host to another; the vulnerability information and its specific description can be obtained from CVE (the Common Vulnerabilities and Exposures database).
One attack path corresponds to several vulnerability exploitation paths. A graph similarity algorithm finds the exploitation paths similar to the attack path: the algorithm takes the attack path as input and outputs the threat value of the attack path in the vulnerability exploitation path dimension. The algorithm comprises the following steps:
(1) Traverse all vulnerability exploitation paths in the local area network, calculate the similarity of each one to the current attack path, rank them by similarity, and extract the exploitation paths in the top 1% of the ranking.
(2) Screen the top 1% of exploitation paths: set a threshold K and keep the exploitation paths whose similarity is greater than K. The choice of K depends on the specific power grid environment; in a common environment K is taken as 0.5.
(3) Evaluate the danger degree of the selected exploitation paths, that is, quantify the threat degree of each path according to a CVSS scoring rule base. The specific quantification is as follows: for all CVE vulnerabilities on the edges of the exploitation path, look up the CVSS score corresponding to each vulnerability in the scoring rule base, and average these CVSS scores to obtain the risk degree score of the exploitation path.
(4) Take the maximum risk degree over all the screened exploitation paths; this value is the score of the attack path in the vulnerability dimension.
Implementation process
A small LAN environment is simulated; the network deployment relationship is shown in figs. 4, 5 and 6:
Host 1.1, host 1.2 and host 1.3 constitute the internal network; since host 1.3 hosts the MySQL database, host 1.3 is more important than the other hosts. An attacker launches an attack from host 1.34, and the following attack path is detected in the intranet system.
Meanwhile, the key hosts detected in the internal system are:
(table of detected key hosts; present only as an image in the original)
The key events detected by the internal system are:
(table of detected key events; present only as an image in the original)
The alarm levels detected in the attack path are as follows:
(table of alarm levels in the attack path; present only as an image in the original)
As shown in fig. 6, vulnerability exploitation path 1 goes from host 1.1 to 1.3, with vulnerability number cve-2001-1030;
vulnerability exploitation path 2 goes from host 1.1 to 1.3, with vulnerability number cve-2001-0439;
vulnerability exploitation path 3 goes from host 1.1 to 1.2 to 1.3, with vulnerability numbers cve-2002-1359 and cve-2001-1030;
vulnerability exploitation path 4 goes from host 1.1 to 1.2 to 1.3, with vulnerability numbers cve-2002-1359 and cve-2001-0439.
Taking the attack path as the object, the threat values of the four aspects are quantified:
1. Key host: the characteristic [alarm type + time + IP] is satisfied, so the score is 1.0.
2. Key event: only the alarm type characteristic is matched, so the score is 0.4.
3. Alarm level: the alarm level is 0, so the score is 1.0.
4. Vulnerability similarity score:
The similarity between the attack path and each vulnerability exploitation path is calculated according to the similarity calculation method, the exploitation paths with similarity greater than 0.5 and ranked in the top 1% are selected, and finally two exploitation paths, (1) and (2), are screened out. From the CVSS scores of their CVE vulnerabilities, shown in the following table, the vulnerability similarity score is calculated as 0.75.
(table of CVSS scores for the selected exploitation paths; present only as an image in the original)
In conclusion, the comprehensive threat value score of the attack graph is: 1.0 × 20% + 0.4 × 20% + 1.0 × 20% + 0.75 × 40% = 0.2 + 0.08 + 0.2 + 0.3 = 0.78. The score is in line with the expectation for this attack path.
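The vulnerability exploitation dimension (steps (1) to (4) above) and the final weighted total, as an added Python example; this is not the patent's code. The patent does not name the graph similarity algorithm, so Jaccard similarity over the edge sets (host-to-host hops) is assumed here. The top-1% rule is interpreted as keeping at least one path together with every path tied at the cutoff similarity, since the page's example keeps two of four paths. The exploit paths are those of fig. 6; the attack path is assumed to be the direct hop 1.1 to 1.3; and the CVSS scores in CVSS_RULE_BASE are constructed placeholders (the page's CVSS table is an image) chosen so that the selected paths average 0.75, which reproduces the page's 0.78 total.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

Edge = Tuple[str, str]


@dataclass(frozen=True)
class ExploitPath:
    name: str
    hops: List[Tuple[str, str, str]]   # (from_host, to_host, cve_id)

    def edges(self) -> List[Edge]:
        return [(f, t) for f, t, _ in self.hops]


# Constructed placeholder CVSS base scores (0-10); not the page's table.
CVSS_RULE_BASE: Dict[str, float] = {
    "cve-2001-1030": 7.5,
    "cve-2001-0439": 7.5,
    "cve-2002-1359": 10.0,
}

# Dimension weights as used in the page's worked total (20/20/20/40 %).
WEIGHTS = {"key_host": 0.2, "key_event": 0.2, "alarm_level": 0.2, "exploit": 0.4}


def edge_jaccard(a: List[Edge], b: List[Edge]) -> float:
    """Assumed graph similarity: |A ∩ B| / |A ∪ B| over host-to-host edges."""
    sa, sb = set(a), set(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def select_candidates(attack_edges: List[Edge], exploit_paths: List[ExploitPath],
                      top_fraction: float = 0.01, k_threshold: float = 0.5) -> List[ExploitPath]:
    """Steps (1) and (2): rank by similarity, keep the top fraction (at least
    one, ties at the cutoff included), then keep only those above K."""
    ranked = sorted(((edge_jaccard(attack_edges, p.edges()), p) for p in exploit_paths),
                    key=lambda sp: sp[0], reverse=True)
    if not ranked:
        return []
    n_top = max(1, math.ceil(top_fraction * len(ranked)))
    cutoff = ranked[n_top - 1][0]
    return [p for s, p in ranked if s >= cutoff and s > k_threshold]


def path_risk(p: ExploitPath, rule_base: Dict[str, float]) -> float:
    """Step (3): mean CVSS score of the CVEs on the path, normalised to [0, 1]."""
    scores = [rule_base[cve] / 10.0 for _, _, cve in p.hops]
    return sum(scores) / len(scores)


def score_exploit_dimension(attack_edges: List[Edge], exploit_paths: List[ExploitPath],
                            rule_base: Dict[str, float] = CVSS_RULE_BASE,
                            k_threshold: float = 0.5) -> float:
    """Step (4): maximum risk over the screened exploitation paths."""
    selected = select_candidates(attack_edges, exploit_paths, k_threshold=k_threshold)
    return max((path_risk(p, rule_base) for p in selected), default=0.0)


def total_threat(scores: Dict[str, float], weights: Dict[str, float] = WEIGHTS) -> float:
    """Weighted sum over the four dimensions, rounded to avoid float noise."""
    return round(sum(weights[d] * scores[d] for d in weights), 4)


# Exploit paths of fig. 6 on the page.
FIG6_PATHS = [
    ExploitPath("path1", [("1.1", "1.3", "cve-2001-1030")]),
    ExploitPath("path2", [("1.1", "1.3", "cve-2001-0439")]),
    ExploitPath("path3", [("1.1", "1.2", "cve-2002-1359"), ("1.2", "1.3", "cve-2001-1030")]),
    ExploitPath("path4", [("1.1", "1.2", "cve-2002-1359"), ("1.2", "1.3", "cve-2001-0439")]),
]
# Assumed attack path: the direct hop 1.1 -> 1.3 seen in the alarm chain.
ATTACK_EDGES: List[Edge] = [("1.1", "1.3")]

if __name__ == "__main__":
    exploit = score_exploit_dimension(ATTACK_EDGES, FIG6_PATHS)
    total = total_threat({"key_host": 1.0, "key_event": 0.4, "alarm_level": 1.0, "exploit": exploit})
    print(exploit, total)
```

With the direct 1.1 to 1.3 attack path, paths 1 and 2 have similarity 1 and paths 3 and 4 have similarity 0, so only the first two survive the K = 0.5 screen; the two-hop paths would be the better match for a chain that also passed through 1.2, which is what makes the exploit-path dimension sensitive to the route an attacker actually took rather than just the endpoint.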
Correspondingly, the invention also provides a system for quantifying the network threat based on the power monitoring system, which comprises:
the acquisition module is used for acquiring alarm log information acquired by the power monitoring system and drawing an attack path according to the alarm log information;
the key host scoring module is used for inputting the attack path to a pre-constructed attack quantitative evaluation model based on the key host and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host;
the alarm level scoring module is used for inputting the attack path to a pre-constructed attack quantitative evaluation model based on the alarm level and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the alarm level;
the key event scoring module is used for inputting the attack path into a pre-constructed key event-based attack quantitative evaluation model and outputting a threat quantitative evaluation score of the attack path based on the key event-based attack quantitative evaluation model;
the vulnerability exploitation path similarity degree scoring module is used for inputting the attack path to a pre-constructed vulnerability exploitation-based attack quantitative evaluation model and outputting a threat quantitative evaluation score of the attack path based on the vulnerability exploitation-based attack quantitative evaluation model;
and the calculation module is used for calculating the total threat value of the attack path by utilizing the weight determined in advance according to the severity and range of the influence of each dimension on the threat assessment, the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the key host, the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the alarm level, the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the key event and the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the vulnerability exploitation, wherein the dimensions comprise the key host dimension, the alarm level dimension, the key event dimension and the vulnerability exploitation path dimension.
The key host scoring module includes:
the identification module is used for identifying the IP of the key host by utilizing the alarm information;
the first traversal module is used for traversing each attack path in the alarm information and traversing nodes in each path, and if the node IP is not in the key host IP sequence, the node IP is marked as 0 point; if the node IP is in the key host IP sequence and the event occurrence time is not matched, marking as 0.3 point; if the event occurrence time is matched, but the corresponding security event of the key host IP is not matched, recording as 0.7 point; if the corresponding security event of the key IP is matched, marking as 1 point;
and the first value taking module is used for taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching scores of the nodes and the events in the attack chain.
The identification module comprises:
the preprocessing module is used for preprocessing the original alarm information to obtain a dense time sequence;
and the judging module is used for determining a starting point and an end point of the abnormal quantity according to the dense time sequence, judging whether the abnormal quantity of the time period between the starting point and the end point exceeds a preset threshold value of the IP host, and if so, determining the IP host as a key host.
The alarm level scoring module comprises:
the second traversal module is used for traversing each attack path in the alarm information, obtaining the alarm level of each security event in the attack path and assigning a score to each attack path, wherein the highest threat of the 0 level is 1 score, the 1 level is 0.5 score, and the 2 level is 0 score;
and the second value taking module is used for taking the maximum value in each security event score as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
The key event scoring module comprises:
the determining module, used for extracting the logs of the various security devices of the power grid according to the alarm information and determining key events from the logs;
the third traversal module is used for traversing each attack path in the alarm information, traversing each alarm event for each attack path, and recording the alarm event as 0 point if the alarm content is not matched with the key event; if the key event type is matched, time is matched again, if the alarm event occurrence time is not matched, the score is 0.4, if the key event type is matched with the occurrence time, the score is 0.7, and if the source IP and the destination IP of the key event are matched with the source IP and the destination IP in the attack path at the same time, the score is 1;
and the third value taking module is used for taking the maximum value of the scores after the scores of all the alarm events are obtained through calculation as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key events.
The determining module comprises:
the extraction module, used for counting and extracting the logs of the various security devices in the power grid to form a security event sequence;
the first determining module, used for determining mutation-point-based key events from the security event sequence, considering alarm count surge events and sharp-reduction events between adjacent security events, and flat-top events in which a surge is followed by small-range fluctuation and then a sharp reduction;
and the second determining module, used for determining threshold-based key events from the security event sequence, considering the case in which the alarm count does not surge but rises slowly until a preset count threshold is exceeded.
The vulnerability exploiting path similarity degree scoring module comprises:
the fourth traversal module, used for traversing all vulnerability exploitation paths in the local area network, calculating the similarity of each one to the current attack path, ranking them by similarity, and extracting the exploitation paths in the top 1% of the ranking;
the screening module, used for screening the top 1% of exploitation paths by setting a threshold K and keeping the exploitation paths whose similarity is greater than K;
the CVSS scoring module, used for quantifying the threat degree of each selected exploitation path according to a CVSS scoring rule base, the quantification comprising: for all CVE vulnerabilities on the edges of the exploitation path, looking up the CVSS score corresponding to each vulnerability in the CVSS scoring rule base, and averaging the CVSS scores to obtain the risk degree score of the exploitation path;
and the fourth value taking module, used for taking the maximum risk degree over all the screened exploitation paths as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of vulnerability exploitation.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (14)

1. A quantification method based on a power monitoring system network threat is characterized by comprising the following steps:
acquiring alarm log information acquired by a power monitoring system, and drawing an attack path according to the alarm log information;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on a key host, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the alarm level, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the alarm level;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key event, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the key event;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the exploit, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the exploit;
and calculating the total threat value of the attack path by utilizing the weight determined according to the influence of each dimension on the threat evaluation in advance, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key event and the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the vulnerability exploitation, wherein the dimensions comprise the dimension of the key host, the dimension of the alarm level, the dimension of the key event and the dimension of the vulnerability exploitation path.
2. The method for quantifying network threats based on the power monitoring system according to claim 1, wherein the processing procedure of the attack quantification assessment model based on the key host comprises the following steps:
identifying a key host IP by using the alarm information;
traversing each attack path in the alarm information, traversing the nodes in each path, and recording a score a1 if the node IP is not in the key host IP sequence; if the node IP is in the key host IP sequence but the event occurrence time is not matched, recording a score a2; if the event occurrence time is matched but the corresponding security event of the key host IP is not matched, recording a score a3; if the corresponding security event of the key IP is matched, recording a score a4; wherein 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
and taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching score of each node in the attack path and the event.
3. The method for quantifying network threats based on a power monitoring system according to claim 1, wherein the process of identifying key host IPs by using original alarm information comprises the following steps:
preprocessing original alarm information to obtain a dense time sequence, determining a starting point and an end point of abnormal quantity according to the dense time sequence, judging whether the abnormal quantity of the time period between the starting point and the end point exceeds a preset threshold value of the IP host, and if so, determining the IP host as a key host.
4. The method for quantifying network threats based on the power monitoring system according to claim 1, wherein the processing procedure of the attack quantification assessment model based on the alarm level comprises the following steps:
traversing each attack path in the alarm information, and for each attack path, obtaining the alarm level of each security event in the attack path and assigning it a score, wherein the highest (level 0) threat is scored b1, a level 1 threat is scored b2, and a level 2 threat is scored b3; wherein 1 ≥ b1, b2, b3 ≥ 0;
and taking the maximum value in the security event scores of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
5. The method for quantifying network threats based on the power monitoring system according to claim 1, wherein the processing procedure of the attack quantitative evaluation model based on the key events comprises:
extracting the logs of the various security devices of the power grid according to the alarm information, and determining key events from the logs;
traversing each attack path in the alarm information, traversing each alarm event for each attack path, and recording a score c1 if the alarm content does not match a key event; if the key event type matches, matching the time next: if the alarm event occurrence time does not match, recording a score c2; if the key event type and occurrence time match but the source IP and destination IP of the key event do not match the source IP and destination IP in the attack path, recording a score c3; and if the key event type, the occurrence time, and the source and destination IPs of the key event all match the source and destination IPs in the attack path at the same time, recording a score c4; wherein 0 ≤ c1 < c2 < c3 < c4 ≤ 1;
and after the scores of the alarm events of each node in the attack path are calculated, taking the maximum value of the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key events.
6. The method according to claim 1, wherein the process of determining key events from the log comprises:
counting and extracting the logs of the various security devices in the power grid to form a security event sequence;
determining mutation-point-based key events from the security event sequence, considering alarm count surge events and sharp-reduction events between adjacent security events, and flat-top events in which a surge is followed by small-range fluctuation and then a sharp reduction;
determining threshold-based key events from the security event sequence, considering the case in which the alarm count does not surge but rises slowly until a preset count threshold is exceeded.
7. The method for quantifying network threats based on the power monitoring system according to claim 1, wherein the processing procedure of the exploit-based attack quantitative evaluation model comprises:
traversing all vulnerability exploitation paths in the local area network, calculating the similarity of each one to the current attack path, ranking them by similarity, and extracting the exploitation paths in the top 1% of the ranking;
screening the top 1% of exploitation paths by setting a threshold K and keeping the exploitation paths whose similarity is greater than K;
quantifying the threat degree of each selected exploitation path according to a CVSS scoring rule base, the quantification comprising: for all CVE vulnerabilities on the edges of the exploitation path, looking up the CVSS score corresponding to each vulnerability in the CVSS scoring rule base, and averaging the CVSS scores to obtain the risk degree score of the exploitation path;
and taking the maximum risk degree over all the screened exploitation paths as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of vulnerability exploitation.
8. A quantification system based on power monitoring system network threat, comprising:
the acquisition module is used for acquiring alarm log information acquired by the power monitoring system and drawing an attack path according to the alarm log information;
the key host scoring module is used for inputting the attack path to a pre-constructed attack quantitative evaluation model based on the key host and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host;
the alarm level scoring module is used for inputting the attack path to a pre-constructed attack quantitative evaluation model based on the alarm level and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the alarm level;
the key event scoring module is used for inputting the attack path into a pre-constructed key event-based attack quantitative evaluation model and outputting a threat quantitative evaluation score of the attack path based on the key event-based attack quantitative evaluation model;
the vulnerability exploitation path similarity degree scoring module is used for inputting the attack path to a pre-constructed vulnerability exploitation-based attack quantitative evaluation model and outputting a threat quantitative evaluation score of the attack path based on the vulnerability exploitation-based attack quantitative evaluation model;
and the calculation module is used for calculating the total threat value of the attack path by utilizing the weight determined according to the influence of each dimension on the threat evaluation in advance, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key event and the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the vulnerability utilization, wherein the dimensions comprise the key host dimension, the alarm level dimension, the key event dimension and the vulnerability utilization path dimension.
9. The power monitoring system cyber threat-based quantification system of claim 8, wherein the key host scoring module comprises:
the identification module is used for identifying the IP of the key host by utilizing the alarm information;
the first traversal module, used for traversing each attack path in the alarm information and then traversing the nodes in each path, recording a score a1 if the node IP is not in the key host IP sequence; recording a score a2 if the node IP is in the key host IP sequence but the event occurrence time is not matched; recording a score a3 if the event occurrence time is matched but the corresponding security event of the key host IP is not matched; and recording a score a4 if the corresponding security event of the key IP is matched; wherein 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
and the first value taking module is used for taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching score of each node and the event in the attack path.
10. The system of claim 8, wherein the identification module comprises:
the preprocessing module is used for preprocessing the original alarm information to obtain a dense time sequence;
and the judging module is used for determining a starting point and an end point of the abnormal quantity according to the dense time sequence, judging whether the abnormal quantity of the time period between the starting point and the end point exceeds a preset threshold value of the IP host, and if so, determining the IP host as a key host.
11. The power monitoring system cyber threat-based quantification system of claim 8, wherein the alarm level scoring module comprises:
the second traversal module is used for traversing each attack path in the alarm information, obtaining the alarm level of each security event in the attack path and assigning scores, wherein a highest threat level of 0 scores b1, a highest threat level of 1 scores b2 and a highest threat level of 2 scores b3; wherein 1 ≥ b1, b2, b3 ≥ 0;
and the second value taking module is used for taking the maximum of the security event scores of the nodes in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
12. The power monitoring system cyber threat-based quantification system of claim 8, wherein the key event scoring module comprises:
the determining module is used for extracting logs of various security devices of the power grid according to the alarm information and determining key events from the logs;
the third traversal module is used for traversing each attack path in the alarm information and, for each attack path, each alarm event: if the alarm content does not match a key event, score c1; if the key event type matches, the time is then matched, and if the occurrence time of the alarm event does not match, score c2; if the key event type and occurrence time match but the source IP and destination IP of the key event do not match the source IP and destination IP in the attack path, score c3; and if the key event type, occurrence time, source IP and destination IP all match those in the attack path, score c4; wherein 0 ≤ c1 < c2 < c3 < c4 ≤ 1;
and the third value taking module is used for calculating the scores of the alarm events of each node in the attack path and taking the maximum score as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key event.
13. The system of claim 8, wherein the determining module comprises:
the extraction module is used for counting and extracting logs of various security devices in the power grid to form a security event sequence;
the first determining module is used for determining key events based on mutation points from the security event sequence, considering an alarm quantity surge event and an alarm quantity sharp reduction event between adjacent security events, and a flat top event in which the quantity drops sharply after a surge followed by small-range continuous fluctuation;
and the second determining module is used for determining key events based on a threshold value from the security event sequence, considering the case where the alarm quantity does not surge but increases slowly until the preset quantity threshold value is exceeded.
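The key host identification of claim 10 and the two key event detectors of claim 13 (mutation points and threshold), as an added example that is not the patent's own code, run over a constructed alarm count series; the baseline factor, jump ratio, wobble band and thresholds are assumed values.

```python
"""Added example, not the patent's own code: key host identification (claim 10) and
key event detection by mutation points and by threshold (claim 13), run over a
constructed, already dense alarm count series (one bucket per hour per host).
The baseline factor, jump ratio, wobble band and thresholds are assumed values."""

# Constructed sample input, not real data: alarm counts per hour for three hosts.
ALARMS_BY_IP = {
    "10.0.1.5":  [2, 3, 2, 2, 30, 35, 33, 31, 4, 2, 2, 3],   # surge, flat top, sharp drop
    "10.0.1.9":  [1, 1, 2, 2, 2, 3, 3, 3, 2, 2, 1, 2],        # quiet host, nothing abnormal
    "10.0.2.17": [1, 2, 3, 4, 6, 8, 10, 12, 14, 16, 18, 20],  # slow climb, never a jump
}

def anomaly_window(series, baseline_factor=3.0):
    """(start, end, excess): buckets above baseline_factor * median bound the window,
    excess is the count above that limit summed over it; (-1, -1, 0) if nothing abnormal."""
    limit = baseline_factor * max(sorted(series)[len(series) // 2], 1)
    hot = [i for i, v in enumerate(series) if v > limit]
    if not hot:
        return -1, -1, 0
    start, end = hot[0], hot[-1]
    return start, end, int(sum(max(0, v - limit) for v in series[start:end + 1]))

def key_hosts(alarms, host_threshold=50):
    """Claim 10: a host is key when its abnormal quantity exceeds the per-host threshold."""
    return [ip for ip, s in alarms.items() if anomaly_window(s)[2] > host_threshold]

def mutation_events(series, jump=5.0, wobble=0.2):
    """Claim 13, mutation points: surge (adjacent counts grow by factor >= jump), sharp drop
    (shrink by that factor) and flat top (surge, run within a wobble band, then sharp drop)."""
    events, surge_at = [], None
    for i in range(1, len(series)):
        prev, cur = max(series[i - 1], 1), max(series[i], 1)
        if cur / prev >= jump:
            events.append(("surge", i))
            surge_at = i
        elif prev / cur >= jump:
            events.append(("sharp_drop", i))
            plateau = series[surge_at:i] if surge_at is not None else []
            if len(plateau) >= 2 and max(plateau) - min(plateau) <= wobble * max(plateau):
                events.append(("flat_top", surge_at))
            surge_at = None
    return events

def threshold_events(series, count_threshold=15, jump=5.0):
    """Claim 13, threshold based: no jump anywhere, but the count creeps past the threshold."""
    if any(series[i] / max(series[i - 1], 1) >= jump for i in range(1, len(series))):
        return []
    crossings = [i for i in range(1, len(series)) if series[i] > count_threshold >= series[i - 1]]
    return [("slow_climb", crossings[0])] if crossings else []

def key_events(alarms):
    return {ip: mutation_events(s) + threshold_events(s) for ip, s in alarms.items()}

if __name__ == "__main__":
    print("key hosts:", key_hosts(ALARMS_BY_IP))
    for ip, ev in key_events(ALARMS_BY_IP).items():
        print(ip, ev)
```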
14. The system of claim 8, wherein the exploit path similarity scoring module comprises:
the fourth traversal module is used for traversing all vulnerability attack paths in the local area network, calculating the similarity of each with the current attack path, ranking by similarity, and extracting the vulnerability attack paths in the top 1% by similarity;
the screening module is used for screening the top 1% of vulnerability attack paths by setting a threshold value K and selecting those whose exploitation path similarity is greater than K;
the CVSS scoring module is used for quantifying the threat degree of each selected exploitation path according to a CVSS scoring rule base, the quantifying process comprising: for all CVE vulnerabilities on the exploitation path, looking up the CVSS score of each vulnerability in the CVSS scoring rule base and averaging the CVSS scores to obtain the risk degree score of the exploitation path;
and the fourth value taking module is used for taking the maximum risk degree among all the screened exploitation paths as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of vulnerability exploitation.
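The per-path scoring models of claims 9, 11 and 14 and the weighted fusion of claim 8, as an added example that is not the patent's own code (the key event model of claim 12 follows the same nested-match pattern as claim 9 and is left out); the score constants, weights, Jaccard similarity over hop IPs, CVSS table and sample data are all constructed assumptions.

```python
"""Added example, not the patent's own code: scoring models of claims 9 (key host),
11 (alarm level) and 14 (exploit path similarity with CVSS averaging), fused by the
weighted sum of claim 8. Constants, similarity measure, CVSS table and data are assumed."""
from math import ceil

A1, A2, A3, A4 = 0.0, 0.3, 0.6, 1.0        # claim 9 node scores, 0 <= a1 < a2 < a3 < a4 <= 1
B = {0: 0.2, 1: 0.6, 2: 1.0}               # claim 11: highest alarm level -> b1, b2, b3
WEIGHTS = {"host": 0.4, "level": 0.2, "exploit": 0.4}   # claim 8 dimension weights (assumed)

# Constructed key host table: IP -> (anomaly time window, security event ids seen there)
KEY_HOSTS = {"10.0.1.5": ((100, 200), {"scan", "brute_force"})}
# Constructed CVSS base scores; the CVE ids are placeholders, not real identifiers.
CVSS = {"CVE-XXXX-0001": 9.8, "CVE-XXXX-0002": 7.5, "CVE-XXXX-0003": 5.3}
# Constructed attack path: hops of (ip, event time, alarm level, security event id)
PATH = [("10.0.3.2", 90, 0, "scan"), ("10.0.1.5", 150, 1, "rdp_login"),
        ("10.0.1.9", 160, 1, "exfil")]
# Constructed historical exploit paths: (hop IP set, CVEs exploited along the path)
EXPLOIT_PATHS = [
    ({"10.0.3.2", "10.0.1.5", "10.0.1.9"}, ["CVE-XXXX-0001", "CVE-XXXX-0002"]),
    ({"10.0.3.2", "10.0.1.5"}, ["CVE-XXXX-0003"]),
    ({"10.0.7.7"}, ["CVE-XXXX-0001"]),
]

def key_host_score(path):
    """Claim 9: grade each hop by how well it matches a key host, keep the maximum."""
    best = A1
    for ip, t, _level, event in path:
        if ip not in KEY_HOSTS:
            score = A1
        else:
            (t0, t1), events = KEY_HOSTS[ip]
            score = A2 if not t0 <= t <= t1 else (A4 if event in events else A3)
        best = max(best, score)
    return best

def alarm_level_score(path):
    """Claim 11: map each hop's alarm level to b1..b3 and keep the maximum."""
    return max(B[level] for _ip, _t, level, _event in path)

def exploit_path_score(path, k=0.5, top_frac=0.01):
    """Claim 14: rank known exploit paths by Jaccard similarity to this path's hop IPs,
    keep the top fraction, drop those with similarity <= k, score each kept path by the
    mean CVSS of its CVEs (scaled to 0..1 by dividing by 10, an assumption), keep the max."""
    ips = {hop[0] for hop in path}
    ranked = sorted(((len(ips & hops) / len(ips | hops), cves) for hops, cves in EXPLOIT_PATHS),
                    key=lambda r: r[0], reverse=True)
    kept = [cves for sim, cves in ranked[:max(1, ceil(top_frac * len(ranked)))] if sim > k]
    return max((sum(CVSS[c] for c in cves) / len(cves) / 10 for cves in kept), default=0.0)

def total_threat(path):
    """Claim 8: weighted fusion of the per-dimension scores."""
    return (WEIGHTS["host"] * key_host_score(path) + WEIGHTS["level"] * alarm_level_score(path)
            + WEIGHTS["exploit"] * exploit_path_score(path))

if __name__ == "__main__":
    print(f"host {key_host_score(PATH):.3f} level {alarm_level_score(PATH):.3f} "
          f"exploit {exploit_path_score(PATH):.3f} total {total_threat(PATH):.3f}")
```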
CN202110149542.5A 2021-02-03 2021-02-03 Quantification method and system based on network threat of power monitoring system Active CN112819336B (en)

Publications (2)

Publication Number Publication Date
CN112819336A true CN112819336A (en) 2021-05-18
CN112819336B CN112819336B (en) 2023-12-15

Family

ID=75860921



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant