CN112819336A - Power monitoring system network threat-based quantification method and system - Google Patents
- Publication number: CN112819336A (application CN202110149542.5A)
- Authority: CN (China)
- Prior art keywords: attack, quantitative evaluation, key, event, threat
- Legal status: Granted
Classifications
- G06Q (Information and communication technology specially adapted for administrative, commercial, financial, managerial or supervisory purposes)
  - G06Q10/0639: Performance analysis of employees; performance analysis of enterprise or organisation operations
  - G06Q10/0635: Risk analysis of enterprise or organisation activities
  - G06Q50/06: Electricity, gas or water supply
Abstract
The invention discloses a method and a system for quantifying network threats in a power monitoring system. An attack path is drawn from the alarm information collected by the power monitoring system; the path is quantified by four pre-constructed attack quantification evaluation models, based respectively on key hosts, on alarm level, on key events and on vulnerability exploitation; and the scores produced by the models are combined into a total threat value for the attack path. The advantages are that the risk of an attack event is scored comprehensively and quantitatively along four dimensions (key host threat degree, key event threat degree, alarm level threat degree and similarity to vulnerability exploitation paths), a recommended scoring table for the quantitative evaluation is provided, and multi-dimensional quantitative scoring and calculation of the threat degree of attack events is realised.
Description
Technical Field
The invention relates to a method and a system for quantifying network threats based on a power monitoring system, and belongs to the technical field of power monitoring systems.
Background
Network attacks can do enormous harm to the power grid. On 23 December 2015, for example, 140 million residents of the Ukrainian capital region and of western Ukraine suffered a large-scale power outage lasting several hours; at least three power regions, covering half of the country, were attacked. The Ukrainian utility Kyivoblenergo reported that its network had been intruded by the BlackEnergy trojan, causing 7 substations of 110 kV and 23 substations of 35 kV to fail and resulting in the outage.
Most attack events in the power grid are multi-step attacks, and different multi-step attacks cause different degrees of damage: some exploit vulnerabilities with a high risk level, others vulnerabilities with a low one. Measuring the risk level of a network attack is therefore important for the grid's technicians when analysing and reasoning about the attack.
Existing risk and threat analysis of security incidents in the power monitoring system is mainly based on security incident logs: key information is extracted from the logs and an attack path is built so that the security threat can be traced back. Once the attack path has been generated, however, there is no intuitive evaluation of its threat degree, so operation and maintenance personnel cannot tell where to focus, dangerous incidents are easily overlooked, and the power monitoring system is left with serious latent security risks.
The main existing methods for evaluating the network threat situation either start from the raw alarm information generated by an IDS, correlate the alarms by analysing the logical relations among them and assess the threat situation from the correlation results, or use a hidden Markov model, with the IDS alarm information as its observation sequence, to evaluate the security state of the network quantitatively in real time. The former assumes that every alarm represents a successful attack, whereas in a real network a large proportion of alarms are false or irrelevant.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method and a system for quantifying the network threat based on a power monitoring system.
In order to solve the technical problem, the invention provides a power monitoring system network threat-based quantification method, which comprises the following steps:
acquiring alarm log information acquired by a power monitoring system, and drawing an attack path according to the alarm log information;
inputting the attack path into a pre-constructed key-host-based attack quantitative evaluation model and outputting the attack path's threat quantitative evaluation score under the key-host-based model;
inputting the attack path into a pre-constructed alarm-level-based attack quantitative evaluation model and outputting the attack path's threat quantitative evaluation score under the alarm-level-based model;
inputting the attack path into a pre-constructed key-event-based attack quantitative evaluation model and outputting the attack path's threat quantitative evaluation score under the key-event-based model;
inputting the attack path into a pre-constructed exploit-based attack quantitative evaluation model and outputting the attack path's threat quantitative evaluation score under the exploit-based model;
and calculating the total threat value of the attack path from weights determined in advance according to the influence of each dimension on the threat evaluation and the attack path's four threat quantitative evaluation scores (under the key-host-based, alarm-level-based, key-event-based and exploit-based models), wherein the dimensions are the key host dimension, the alarm level dimension, the key event dimension and the vulnerability exploitation path dimension.
Further, the processing procedure of the attack quantitative evaluation model based on the key host comprises:
identifying a key host IP by using the alarm information;
traversing each attack path in the alarm information and each node in the path, and recording a score of a1 if the node IP is not in the key host IP sequence; a2 if the node IP is in the key host IP sequence but the event occurrence time does not match; a3 if the event occurrence time matches but the corresponding security event of the key host IP does not; and a4 if the corresponding security event of the key host IP also matches, where 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
and taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching score of each node in the attack path and the event.
Further, the process of identifying the key host IP by using the original alarm information includes:
preprocessing the original alarm information to obtain a dense time series, determining the start and end points of the abnormal count from the dense time series, judging whether the abnormal count in the period between the start and end points exceeds the preset threshold of the IP host and, if so, determining the IP host to be a key host.
Further, the processing procedure of the attack quantitative evaluation model based on the alarm level includes:
traversing each attack path in the alarm information and, for each path, obtaining the alarm level of each security event in the path and assigning it a score, where the highest level-0 threat scores b1, the highest level-1 threat scores b2 and the highest level-2 threat scores b3, with 0 ≤ b1, b2, b3 ≤ 1;
and taking the maximum value in the security event scores of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
Further, the processing procedure of the attack quantitative evaluation model based on the key events comprises:
extracting logs of various safety devices of the power grid according to the alarm information, and determining key events according to the logs;
traversing each attack path in the alarm information and each alarm event in the path, and recording a score of c1 if the alarm content does not match a key event; if the key event type matches, the time is checked next, and the score is c2 if the alarm event occurrence time does not match; c3 if the key event type and occurrence time match but the source and destination IPs of the key event do not match those in the attack path; and c4 if the key event type, occurrence time, source IP and destination IP all match those in the attack path, where 0 ≤ c1 < c2 < c3 < c4 ≤ 1;
and after the scores of the alarm events of each node in the attack path are calculated, taking the maximum value of the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key events.
Further, the process of determining the key events according to the log includes:
counting and extracting the logs of the various security devices in the power grid to form a security event sequence;
determining mutation-point-based key events from the security event sequence, considering surge events and sharp-reduction events in the alarm count between adjacent security events, and flat-top events in which the count falls sharply after a surge and a period of small-range fluctuation;
and determining threshold-based key events from the security event sequence, considering the case where the alarm count does not surge but rises slowly until it exceeds a preset count threshold.
Further, the processing procedure of the exploit-based attack quantitative evaluation model includes:
traversing all vulnerability exploitation paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity and extracting the top 1% by similarity;
screening those top 1% of vulnerability exploitation paths with a threshold K, keeping only the paths whose similarity is greater than K;
quantifying the threat degree of each selected vulnerability exploitation path according to a CVSS score rule base: for every CVE vulnerability on the path, looking up its CVSS score in the rule base and averaging the CVSS scores to obtain the risk degree score of the path;
and taking the maximum risk degree over all screened vulnerability exploitation paths as the threat quantitative evaluation score of the attack path under the exploit-based attack quantitative evaluation model.
A power monitoring system network threat-based quantification system comprises:
the acquisition module is used for acquiring alarm log information acquired by the power monitoring system and drawing an attack path according to the alarm log information;
the key host scoring module is used for inputting the attack path into a pre-constructed key-host-based attack quantitative evaluation model and outputting the attack path's threat quantitative evaluation score under the key-host-based model;
the alarm level scoring module is used for inputting the attack path into a pre-constructed alarm-level-based attack quantitative evaluation model and outputting the attack path's threat quantitative evaluation score under the alarm-level-based model;
the key event scoring module is used for inputting the attack path into a pre-constructed key-event-based attack quantitative evaluation model and outputting the attack path's threat quantitative evaluation score under the key-event-based model;
the vulnerability exploitation path similarity scoring module is used for inputting the attack path into a pre-constructed exploit-based attack quantitative evaluation model and outputting the attack path's threat quantitative evaluation score under the exploit-based model;
and the calculation module is used for calculating the total threat value of the attack path from weights determined in advance according to the influence of each dimension on the threat evaluation and the attack path's four threat quantitative evaluation scores (under the key-host-based, alarm-level-based, key-event-based and exploit-based models), wherein the dimensions are the key host dimension, the alarm level dimension, the key event dimension and the vulnerability exploitation path dimension.
Further, the key host scoring module includes:
the identification module is used for identifying the IP of the key host by utilizing the alarm information;
the first traversal module is used for traversing each attack path in the alarm information and each node in the path, and recording a score of a1 if the node IP is not in the key host IP sequence; a2 if the node IP is in the key host IP sequence but the event occurrence time does not match; a3 if the event occurrence time matches but the corresponding security event of the key host IP does not; and a4 if the corresponding security event of the key host IP also matches, where 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
and the first value taking module is used for taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching score of each node and the event in the attack path.
Further, the identification module comprises:
the preprocessing module is used for preprocessing the original alarm information to obtain a dense time sequence;
and the judging module is used for determining the start and end points of the abnormal count from the dense time series, judging whether the abnormal count in the period between the start and end points exceeds the preset threshold of the IP host and, if so, determining the IP host to be a key host.
Further, the alarm level scoring module comprises:
the second traversal module is used for traversing each attack path in the alarm information, obtaining the alarm level of each security event in the path and assigning it a score, where the highest level-0 threat scores b1, the highest level-1 threat scores b2 and the highest level-2 threat scores b3, with 0 ≤ b1, b2, b3 ≤ 1;
and the second value taking module is used for taking the maximum value in the security event scores of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
Further, the key event scoring module comprises:
the determining module is used for extracting logs of various safety devices of the power grid according to the alarm information and determining key events according to the logs;
the third traversal module is used for traversing each attack path in the alarm information and each alarm event in the path, and recording a score of c1 if the alarm content does not match a key event; if the key event type matches, the time is checked next, and the score is c2 if the alarm event occurrence time does not match; c3 if the key event type and occurrence time match but the source and destination IPs of the key event do not match those in the attack path; and c4 if the key event type, occurrence time, source IP and destination IP all match those in the attack path, where 0 ≤ c1 < c2 < c3 < c4 ≤ 1;
and the third value taking module is used for taking the maximum value of the scores after calculating the scores of the alarm events of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key events.
Further, the determining module comprises:
the extraction module is used for counting and extracting the logs of the various security devices in the power grid to form a security event sequence;
the first determining module is used for determining mutation-point-based key events from the security event sequence, considering surge events and sharp-reduction events in the alarm count between adjacent security events, and flat-top events in which the count falls sharply after a surge and a period of small-range fluctuation;
and the second determining module is used for determining threshold-based key events from the security event sequence, considering the case where the alarm count does not surge but rises slowly until it exceeds the preset count threshold.
Further, the vulnerability exploiting path similarity degree scoring module comprises:
the fourth traversal module is used for traversing all vulnerability exploitation paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity and extracting the top 1% by similarity;
the screening module is used for screening those top 1% of vulnerability exploitation paths with a threshold K and keeping only the paths whose similarity is greater than K;
the CVSS scoring module is used for quantifying the threat degree of each selected vulnerability exploitation path according to a CVSS score rule base: for every CVE vulnerability on the path, looking up its CVSS score in the rule base and averaging the CVSS scores to obtain the risk degree score of the path;
and the fourth value taking module is used for taking the maximum risk degree over all screened vulnerability exploitation paths as the threat quantitative evaluation score of the attack path under the exploit-based attack quantitative evaluation model.
The invention achieves the following beneficial effects:
The method quantifies the threat degree of the attack path with a multi-dimensional quantification model and displays it visually, so that a power grid technician can intuitively grasp the threat degree of a vulnerability exploitation path; the risk of the attack event is scored comprehensively and quantitatively along four dimensions (key host threat degree, key event threat degree, alarm level threat degree and similarity to vulnerability exploitation paths), a recommended scoring table for the quantitative evaluation is provided, and multi-dimensional quantitative scoring and calculation of the threat degree of attack events is realised.
Drawings
FIG. 1 is a schematic flow diagram of the present invention;
FIG. 2 is a key host detection identification method;
FIG. 3 is a process diagram of the key event monitoring flow;
FIG. 4 is a diagram of an intranet network deployment of an embodiment;
FIG. 5 is a schematic diagram of an attack path;
FIG. 6 is a schematic diagram of an exploit path.
Detailed Description
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides a power monitoring system network threat-based quantification method comprising four scoring algorithms: scoring the attack path by key host, by key event, by alarm level, and by its similarity to vulnerability exploitation paths. When the total threat value of the attack path is calculated, a different weight is assigned to the score produced by each dimension's algorithm. The weights can be adjusted manually; the suggested weights, based on the severity and range of each dimension's influence on the threat evaluation, are: 'alarm level' 20%, 'key suspicious device' (key host) 20%, 'key event' 20% and 'vulnerability exploitation path similarity' 40%. The detailed scoring rules of the multi-dimensional quantification algorithm are as follows:
TABLE 1 multidimensional metric Scoring rules
The multidimensional quantification formula of the threat degree of the attack path is as follows: and quantitative scoring of attack paths from different dimensions is realized.
Multidimensional quantization algorithm
The multi-dimensional quantization algorithm described in this patent involves the following concepts:
(1) The alarm level is extracted directly from the raw data and directly reflects the importance of the alarm; if a node in the attack path has a high alarm level, the attack path is more threatening.
(2) A key event is an alarm event that occurs frequently within a certain time; such an anomaly may indicate an attack, and if an alarm event in the attack path is a key event, the attack path is more threatening.
(3) An exploit path is a multi-step attack pattern that exists in the local area network; if an observed attack path resembles an exploit path, its threat level is higher, and the more dangerous the exploit path it resembles, the higher the threat level of the attack path may be.
Attack quantitative evaluation method based on key host
The method first identifies the key hosts and their key security events to obtain the key host IPs, then scores the drawn attack graph. Each attack path in the graph is traversed, then each node in the path: if the node IP is not in the key host IP sequence, the score is 0; if the node IP is in the sequence but the event occurrence time does not match, 0.3; if the occurrence time matches but the corresponding high-occurrence event of the key host IP does not, 0.7; and if the corresponding high-occurrence event of the key IP also matches, 1. The maximum of the node/event matching scores along the attack chain is the attack quantitative evaluation score output by the model.
First, the key hosts are identified. A key host is an IP for which, when the alarms it sends or receives are observed, the alarm count surges or exceeds a certain threshold within a certain time period; the IP is called a key host for that period. Depending on whether the IP sends or receives the attack, key hosts are divided into suspicious hosts and victim hosts. The key host detection flow is as follows:
As shown in FIG. 2, key host identification has 4 steps: a data preprocessing module, a time series training algorithm module, a start boundary detection module and an end boundary detection module. The data preprocessing module takes the raw alarm information as input and turns it into a dense time series, which is the input of the time series training module and of the start and end boundary detection modules; the time series training module takes the current data as input and determines a threshold for each IP according to a set threshold parameter; the start and end boundary detection modules are the core part and determine the start and end points of the abnormal count, the dates between the two points being the abnormal dates.
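Key host identification as described for FIG. 2, as an added example that is not the patent's own code: preprocessing into a dense per-IP daily series, a per-IP threshold trained from that series, start/end boundary detection, and the preset burst-threshold check of the claims. The threshold rule (median plus k times MAD), the default burst threshold and the alarm records are assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import median

def dense_series(alarms, role, days):
    """Preprocessing: zero-filled per-IP daily alarm counts. role "src" counts the
    alarms an IP sent (suspicious host), "dst" the alarms it received (victim host)."""
    series = defaultdict(lambda: [0] * days)
    for day, src, dst in alarms:
        series[src if role == "src" else dst][day] += 1
    return dict(series)

def train_threshold(counts, k=3.0):
    """Time series training. ASSUMED rule: median + k * MAD (MAD floored at 1),
    so the burst being looked for does not inflate its own threshold; k plays
    the role of the 'set threshold parameter'."""
    med = median(counts)
    mad = max(median(abs(c - med) for c in counts), 1)
    return med + k * mad

def abnormal_boundaries(counts, threshold):
    """Start/end boundary detection: first and last day whose count exceeds the
    per-day threshold. The days in between are the abnormal dates."""
    above = [i for i, c in enumerate(counts) if c > threshold]
    return (above[0], above[-1]) if above else None

def identify_key_hosts(alarms, days, role, k=3.0, burst_thresholds=None, default_burst=20):
    """Map ip -> (start, end, total) for each IP whose alarm count between its
    detected boundaries exceeds that IP's preset burst threshold (the page presets
    one per IP host; default_burst is an ASSUMED fallback when none is configured)."""
    burst_thresholds = burst_thresholds or {}
    found = {}
    for ip, counts in dense_series(alarms, role, days).items():
        bounds = abnormal_boundaries(counts, train_threshold(counts, k))
        if bounds is None:
            continue
        start, end = bounds
        total = sum(counts[start:end + 1])
        if total > burst_thresholds.get(ip, default_burst):
            found[ip] = (start, end, total)
    return found

# Constructed sample: 14 days of (day, src_ip, dst_ip) alarms. 10.0.1.5 -> 10.0.3.3 is
# steady background traffic; from day 10, 10.0.9.9 bursts against 10.0.2.7.
DAYS = 14
SAMPLE_ALARMS = [(day, "10.0.1.5", "10.0.3.3") for day in range(DAYS) for _ in range(3)]
for day, n in enumerate([2, 1, 3, 2, 2, 1, 3, 2, 2, 1, 15, 40, 35, 12]):
    SAMPLE_ALARMS += [(day, "10.0.9.9", "10.0.2.7")] * n

if __name__ == "__main__":
    print("victim hosts:", identify_key_hosts(SAMPLE_ALARMS, DAYS, "dst"))
    print("suspicious hosts:", identify_key_hosts(SAMPLE_ALARMS, DAYS, "src"))
```

The same alarm set yields 10.0.2.7 as a victim host and 10.0.9.9 as a suspicious host for days 10 to 13, while the steady background pair never crosses its trained threshold.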
Second, attack quantitative evaluation method based on key events
When the attack path is evaluated according to the key event, firstly traversing each attack path, then traversing each alarm event for each attack path, and if the alarm content is not matched with the key event, marking as 0 score; if the key event is matched, the time is matched again, if the alarm event occurrence time is not matched, the score is recorded as 0.4, and if the time is matched, the relevant IP is matched again; if the type and the occurrence time of the key event are matched, but the source IP and the destination IP of the key event are not matched with the source IP and the destination IP in the attack path, marking as 0.7 point, and if the type and the occurrence time of the key event, the source IP and the destination IP of the key event and the source IP and the destination IP in the attack path are matched simultaneously, marking as 1 point. And taking the maximum value after calculating the score of each alarm event in the chain, namely obtaining the key event score of the attack path.
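The four scoring dimensions of the claims, with the score values given above for key hosts (0/0.3/0.7/1) and key events (0/0.4/0.7/1) and the suggested 20/20/20/40 weights, worked through as an added example that is not the patent's own code. The alarm-level values b1..b3, Jaccard similarity over alarm types as the exploit-path similarity measure, CVSS/10 as the [0, 1] normalisation, and all sample paths, key hosts, key events, CVE ids and CVSS scores are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Alarm:              # one step of an attack path: an alarm between two hosts
    src_ip: str
    dst_ip: str
    event: str            # alarm type
    level: int            # alarm level 0..2 as extracted from the raw alarm
    time: int             # occurrence time in minutes (constructed units)

@dataclass(frozen=True)
class KeyHost:            # IP whose alarm count was abnormal in [start, end]
    ip: str
    start: int
    end: int
    events: frozenset     # its high-occurrence alarm types in that window

@dataclass(frozen=True)
class KeyEvent:           # alarm type whose count was abnormal in [start, end]
    event: str
    start: int
    end: int
    src_ip: str
    dst_ip: str

A_SCORES = (0.0, 0.3, 0.7, 1.0)      # a1 < a2 < a3 < a4: values from the page
B_SCORES = {0: 0.2, 1: 0.6, 2: 1.0}  # b1..b3 per alarm level: ASSUMED, the page gives none
C_SCORES = (0.0, 0.4, 0.7, 1.0)      # c1 < c2 < c3 < c4: values from the page
WEIGHTS = {"host": 0.2, "level": 0.2, "event": 0.2, "exploit": 0.4}  # suggested weights

def key_host_score(path, key_hosts):
    """Max over the path's node IPs of the key-host match score."""
    best = 0.0
    for a in path:
        for ip in (a.src_ip, a.dst_ip):
            hosts = [k for k in key_hosts if k.ip == ip]
            in_time = [k for k in hosts if k.start <= a.time <= k.end]
            if not hosts:
                score = A_SCORES[0]   # node IP is not a key host
            elif not in_time:
                score = A_SCORES[1]   # key host, but outside its abnormal window
            elif not any(a.event in k.events for k in in_time):
                score = A_SCORES[2]   # time matches, high-occurrence event does not
            else:
                score = A_SCORES[3]   # time and event both match
            best = max(best, score)
    return best

def alarm_level_score(path):   # max over the path's alarms of the alarm-level score
    return max(B_SCORES[a.level] for a in path)

def key_event_score(path, key_events):
    """Max over the path's alarms of the key-event match score."""
    best = 0.0
    for a in path:
        same = [k for k in key_events if k.event == a.event]
        in_time = [k for k in same if k.start <= a.time <= k.end]
        if not same:
            score = C_SCORES[0]       # alarm type is not a key event
        elif not in_time:
            score = C_SCORES[1]       # type matches, occurrence time does not
        elif not any(k.src_ip == a.src_ip and k.dst_ip == a.dst_ip for k in in_time):
            score = C_SCORES[2]       # type and time match, source/destination IPs do not
        else:
            score = C_SCORES[3]       # type, time and both IPs match
        best = max(best, score)
    return best

def jaccard(a, b):        # ASSUMED similarity measure: Jaccard index of alarm-type sets
    return len(set(a) & set(b)) / max(1, len(set(a) | set(b)))

def exploit_path_score(path, exploit_paths, cvss, k=0.5, top_fraction=0.01):
    """Top 1% most similar exploit paths whose similarity exceeds K: highest normalised mean CVSS."""
    events = [a.event for a in path]
    ranked = sorted(exploit_paths, key=lambda ep: jaccard(events, ep[0]), reverse=True)
    keep = max(1, math.ceil(len(ranked) * top_fraction))   # top 1%, at least one
    chosen = [ep for ep in ranked[:keep] if jaccard(events, ep[0]) > k]
    best = 0.0
    for _, cves in chosen:
        best = max(best, mean(cvss[c] for c in cves) / 10.0)   # ASSUMED: CVSS base / 10
    return best

def total_threat(path, key_hosts, key_events, exploit_paths, cvss):   # weighted sum + parts
    scores = {"host": key_host_score(path, key_hosts), "level": alarm_level_score(path),
              "event": key_event_score(path, key_events),
              "exploit": exploit_path_score(path, exploit_paths, cvss)}
    return round(sum(WEIGHTS[d] * s for d, s in scores.items()), 4), scores

# Constructed sample: a three-step path and the reference data it is scored against.
SAMPLE_PATH = [Alarm("10.0.1.5", "10.0.2.7", "port_scan", 0, 100),
               Alarm("10.0.1.5", "10.0.2.7", "ssh_bruteforce", 1, 130),
               Alarm("10.0.2.7", "10.0.3.9", "modbus_write", 2, 160)]
SAMPLE_KEY_HOSTS = [KeyHost("10.0.2.7", 120, 200, frozenset({"rdp_bruteforce"}))]
SAMPLE_KEY_EVENTS = [KeyEvent("modbus_write", 150, 180, "10.0.2.8", "10.0.3.9")]
SAMPLE_EXPLOIT_PATHS = [(["port_scan", "ssh_bruteforce", "modbus_write"], ["CVE-X-1", "CVE-X-2"]),
                        (["phishing", "macro_exec"], ["CVE-X-3"])]   # CVE ids are placeholders
SAMPLE_CVSS = {"CVE-X-1": 7.5, "CVE-X-2": 9.8, "CVE-X-3": 5.0}
```

With this sample the key-host and key-event dimensions both land on the intermediate 0.7 (window matched, event or IPs not), and the strict "greater than K" screen in the exploit dimension means a similarity exactly equal to K is dropped.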
The attack paths form independent chains after being associated, and cannot be directly combined with other chains, so that the key events cannot be observed. Therefore, the key events are analyzed separately and combined with the attack path, and once a certain event in the attack path matches the key event, the doubtful degree of the attack path is increased.
A critical event is a condition in which the number of alarms found in each particular alarm type suddenly increases or exceeds a certain threshold value within a certain time period, and such alarms are referred to as critical events within the time period. A key time monitoring model is introduced below, a statistical analysis method is applied to the model, the model is used for discovering the security events with the characteristics of rapid increase of the number of alarms and the like, and the model comprises two parts, namely log preprocessing and key security event detection. The log preprocessing is mainly used for counting and extracting logs of various safety devices in the smart grid to form a safety event sequence; the key safety event detection is composed of a key event detection algorithm based on catastrophe points and a key safety event detection algorithm based on threshold values, and key safety events with different characteristics are detected. The specific process flow of the model is shown in fig. 3.
The key safety event detection module based on the mutation point takes a safety event sequence of a certain alarm as input, emphasizes on taking the alarm quantity surge event and the alarm quantity sharp reduction event in the adjacent safety events and the flat top event which is sharply reduced after the surge and the small-range continuous fluctuation, and outputs the key safety event of the alarm type. The key safety event detection module based on the threshold takes a safety event sequence of a certain alarm as input, emphasizes that the alarm quantity is not suddenly increased but slowly increased until the safety event exceeds a certain threshold, and outputs the key safety event of the alarm type.
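As an added example that is not part of the patent text, the following Python implements the key host identification of fig. 2 (dense series, per-IP threshold, start and end boundaries) and the two key event detectors of fig. 3 (mutation point and slow threshold crossing) over a constructed alarm log. The page fixes neither the per-IP threshold rule nor what counts as a surge, so the threshold formula, the surge ratio, the flat-top tolerance and the per-host count limit are assumptions of this example.

```python
"""Added example, not the patent's own code: key host identification (fig. 2)
and key event detection (fig. 3) over constructed alarm records.  Assumptions,
not stated on the page: threshold = mean + k * stdev of the dense series; a
surge is an adjacent-day jump by factor RATIO (and at least MIN_COUNT alarms),
a sharp drop is the reverse, a flat top is a surge followed by small
fluctuation and then a sharp drop; a host is a key host when its anomalous
window holds more than MIN_TOTAL alarms (stand-in for the page's preset)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

HORIZON = 8  # days covered by the constructed log


def _burst(day, n, atype, src, dst):
    return [(day, atype, src, dst)] * n


# Constructed alarm records: (day, alarm type, source IP, destination IP).
ALARMS = []
for _d in range(HORIZON):
    ALARMS += _burst(_d, 1, "login_fail", "10.0.0.9", "10.0.1.3")          # background
    ALARMS += _burst(_d, 2, "scan", "10.0.0.9", "10.0.1.2")                # steady noise
    ALARMS += _burst(_d, (_d + 1) // 2, "iec104_abnormal", "10.0.2.5", "10.0.2.6")  # slow rise
ALARMS += _burst(4, 5, "login_fail", "10.0.0.9", "10.0.1.3")              # two-day surge
ALARMS += _burst(5, 6, "login_fail", "10.0.0.9", "10.0.1.3")


def dense_series(records, key, horizon):
    """Data preprocessing: per-key alarm counts per day, empty days filled with 0."""
    counts = defaultdict(Counter)
    for day, atype, src, dst in records:
        for k in key(atype, src, dst):
            counts[k][day] += 1
    return {k: [c[d] for d in range(horizon)] for k, c in counts.items()}


def per_ip_threshold(series, k=1.0):
    """Time-series training: one threshold per IP from its own history."""
    return mean(series) + k * pstdev(series)


def abnormal_window(series, threshold):
    """Start boundary = first day above threshold; end boundary = end of that run."""
    over = [d for d, c in enumerate(series) if c > threshold]
    if not over:
        return None
    start = end = over[0]
    while end + 1 < len(series) and series[end + 1] > threshold:
        end += 1
    return start, end


def key_hosts(records, horizon=HORIZON, k=1.0, min_total=5):
    """IP -> (start, end) of its abnormal period, for IPs judged key hosts."""
    hosts = {}
    for ip, series in dense_series(records, lambda t, s, d: (s, d), horizon).items():
        window = abnormal_window(series, per_ip_threshold(series, k))
        if window and sum(series[window[0]:window[1] + 1]) > min_total:
            hosts[ip] = window
    return hosts


def mutation_point_events(atype, series, ratio=3.0, min_count=3, flat_tol=0.3):
    """Surge, sharp-drop and flat-top key events from adjacent-day changes."""
    events, open_surge = [], None
    for d in range(1, len(series)):
        prev, cur = series[d - 1], series[d]
        if cur >= min_count and cur >= ratio * max(prev, 1):
            events.append((atype, "surge", d, d))
            open_surge = d
        elif prev >= min_count and prev >= ratio * max(cur, 1):
            events.append((atype, "sharp_drop", d, d))
            if open_surge is not None:
                plateau = series[open_surge:d]
                if max(plateau) - min(plateau) <= flat_tol * max(plateau):
                    events.append((atype, "flat_top", open_surge, d))
            open_surge = None
    return events


def threshold_events(atype, series, threshold=3):
    """Slow rise with no surge that still ends up above a preset count threshold."""
    if any(kind == "surge" for _, kind, _, _ in mutation_point_events(atype, series)):
        return []
    over = [d for d, c in enumerate(series) if c > threshold]
    return [(atype, "threshold", over[0], over[0])] if over else []


def key_events(records, horizon=HORIZON, threshold=3):
    """All key events, as (alarm type, kind, start day, end day)."""
    events = []
    for atype, series in dense_series(records, lambda t, s, d: (t,), horizon).items():
        events += mutation_point_events(atype, series)
        events += threshold_events(atype, series, threshold)
    return events


if __name__ == "__main__":
    print("key hosts:", key_hosts(ALARMS))
    for e in key_events(ALARMS):
        print("key event:", e)
```

On the constructed log both the attacking host 10.0.0.9 and the victim 10.0.1.3 are flagged as key hosts with the abnormal period (day 4, day 5); the steadily scanned 10.0.1.2 is not, and the slowly rising IEC 104 pair is caught by the threshold detector rather than the mutation-point detector, which is the division of labour fig. 3 describes.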
Third, attack quantitative evaluation method based on alarm level
This evaluation method scores an attack path according to alarm level: a threat value is calculated from the alarm levels of the alarm events in the attack path, and the threat degree is quantified from it. In the alarm log every alarm event carries an alarm level, and there are three levels, 0, 1 and 2. Level 0 is the highest threat level and therefore receives the highest score; level 2 is the lowest and receives the lowest score. A level 0 alarm usually indicates intrusion behaviour, a level 1 alarm usually indicates a network anomaly, and a level 2 alarm is usually a host alarm. The alarm information collected by the power monitoring system also contains alarms closely tied to the power grid service, such as 'abnormal access related to the IEC 104 protocol', and the level classification already takes the particularities of the power grid network environment into account, so applying the alarm level directly to the scoring of attack paths is meaningful.
When attack paths are scored by alarm level, each attack path is traversed first; then, for each attack path, the alarm level of every security event in the path is obtained and assigned a score, where the highest level 0 threat scores 1, a level 1 threat scores 0.5 and a level 2 threat scores 0. The maximum of the security event scores is then taken as the quantitative threat score of the attack path on this dimension.
Fourth, attack quantitative evaluation method based on vulnerability exploitation
Vulnerability exploitation means that an attacker finds an exploitable vulnerability in a target system and then uses it to obtain privileges and so control the target system; it is an important mode of network attack. An exploit path describes the process of such exploitation. The data structure of an exploit path is a graph in which each node represents a single host and each edge represents the vulnerability used to move from one host to another; the vulnerability information and a detailed description of each vulnerability can be obtained from the CVE (Common Vulnerabilities and Exposures) database.
One attack path corresponds to several exploit paths. A graph similarity algorithm is used to find the exploit paths that resemble the attack path: the algorithm takes the attack path as input and outputs the threat value of the attack path in the exploit path dimension. It comprises the following steps:
(1) Traverse all exploit paths in the local area network, calculate the similarity of each to the current attack path, rank them by similarity and extract the exploit paths in the top 1% of the ranking.
(2) Screen the top 1% of exploit paths with a threshold K, keeping only the exploit paths whose similarity is greater than K. The value of K depends on the specific power grid environment; in a common environment K is taken as 0.5.
(3) Evaluate the risk degree of the selected exploit paths, that is, quantify the threat degree of each path according to a CVSS scoring rule base. The specific quantification is: for all CVE vulnerabilities on the edges of the exploit path, look up the CVSS score of each vulnerability in the scoring rule base and average these CVSS scores to obtain the risk degree score of the exploit path. (The CVSS base score lies in the range 0 to 10; since the other three dimensions and the embodiment below are scored in the range 0 to 1, the averaged value has to be brought onto the same scale before the weighted combination.)
(4) Take the maximum risk degree over all screened exploit paths; this value is the score of the attack path in the vulnerability dimension.
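Steps (1) to (4) as one runnable Python routine, added here as an example and not taken from the patent. The page does not name a graph similarity measure, so Jaccard similarity over directed host-to-host edges is assumed; the CVSS base score is divided by 10 so the dimension lands in the same 0 to 1 range as the others; the CVE identifiers and CVSS values are constructed placeholders, not NVD data. Unlike the text, the example also handles the case where no exploit path survives the K screening.

```python
"""Added example, not the patent's or any project's code: the exploit-path
dimension of steps (1)-(4).  Assumptions: Jaccard similarity over directed
host-to-host edges; CVSS base scores (0-10) divided by 10; top-1% selection
keeps at least one path and includes ties at the cutoff.  CVE identifiers and
CVSS values below are constructed placeholders, not real NVD values."""
from math import ceil

# Constructed placeholder CVSS base scores (not NVD values).
CVSS = {"CVE-TEST-0001": 6.8, "CVE-TEST-0002": 9.0, "CVE-TEST-0003": 5.0}

# Exploit paths as (ordered hosts, CVEs used along the edges), in the fig. 6 layout.
EXPLOIT_PATHS = [
    (["1.1", "1.3"], ["CVE-TEST-0001"]),
    (["1.1", "1.3"], ["CVE-TEST-0003"]),
    (["1.1", "1.2", "1.3"], ["CVE-TEST-0001", "CVE-TEST-0002"]),
    (["1.1", "1.2", "1.3"], ["CVE-TEST-0001", "CVE-TEST-0003"]),
]


def edges(hosts):
    """Directed host-to-host edges of a path (attack path or exploit path)."""
    return set(zip(hosts, hosts[1:]))


def similarity(attack_hosts, exploit_hosts):
    """Assumed graph similarity: Jaccard index of the two edge sets."""
    a, b = edges(attack_hosts), edges(exploit_hosts)
    return len(a & b) / len(a | b) if a | b else 0.0


def top_fraction(scored, fraction=0.01):
    """Step (1): keep the top `fraction` by similarity, at least one, ties included."""
    ranked = sorted(scored, key=lambda x: x[0], reverse=True)
    cutoff = ranked[max(1, ceil(fraction * len(ranked))) - 1][0]
    return [x for x in ranked if x[0] >= cutoff]


def path_risk(cves, cvss):
    """Step (3): mean CVSS over the path's CVEs, normalised to [0, 1]."""
    return sum(cvss[c] for c in cves) / len(cves) / 10.0


def exploit_path_score(attack_hosts, exploit_paths, cvss, K=0.5, fraction=0.01):
    """Steps (1)-(4): the attack path's score in the exploit-path dimension."""
    if not exploit_paths:
        return 0.0
    scored = [(similarity(attack_hosts, hosts), cves) for hosts, cves in exploit_paths]
    candidates = [(s, c) for s, c in top_fraction(scored, fraction) if s > K]  # step (2)
    if not candidates:  # nothing resembles the attack path: no evidence, score 0
        return 0.0
    return max(path_risk(c, cvss) for _, c in candidates)  # step (4)


if __name__ == "__main__":
    print(exploit_path_score(["1.1", "1.2", "1.3"], EXPLOIT_PATHS, CVSS))
    print(exploit_path_score(["1.1", "1.3"], EXPLOIT_PATHS, CVSS))
```

With a two-hop attack path 1.1 to 1.2 to 1.3 only the two two-hop exploit paths survive the K = 0.5 screening and the higher of their averaged scores wins; a single-hop attack path selects the two single-hop exploit paths instead. Returning 0 rather than None when nothing survives keeps the weighted sum in the last step well defined.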
Embodiment
A small LAN environment is simulated; the network deployment is shown in figs. 4, 5 and 6.
Hosts 1.1, 1.2 and 1.3 form an internal network; because host 1.3 hosts the MySQL database, it is more important than the other hosts. An attacker launches an attack from host 1.34, and the following attack path is detected in the intranet system:
Meanwhile, the key hosts detected in the internal system are:
The key events detected in the internal system are:
The alarm levels detected in the attack path are as follows:
As shown in fig. 6, exploit path 1 runs from host 1.1 to 1.3, with vulnerability CVE-2001-1030;
exploit path 2 runs from host 1.1 to 1.3, with vulnerability CVE-2001-0439;
exploit path 3 runs from host 1.1 to 1.2 to 1.3, with vulnerabilities CVE-2002-1359 and CVE-2001-1030;
exploit path 4 runs from host 1.1 to 1.2 to 1.3, with vulnerabilities CVE-2002-1359 and CVE-2001-0439.
Taking the attack path as the object, the threat values of the four dimensions are quantified:
1. Key host: the alarm type, time and IP all match, so the score is 1.0.
2. Key events: only the alarm type matches, so the score is 0.4.
3. Alarm level: the alarm level is 0, so the score is 1.0.
4. Vulnerability similarity score:
The similarity between the attack path and each exploit path is calculated with the similarity method; the exploit paths whose similarity is greater than 0.5 and which rank in the top 1% are selected, which leaves exploit paths (1) and (2). From the CVSS scores of their CVE vulnerabilities, shown in the table below, the vulnerability similarity score is calculated as 0.75.
In summary, the comprehensive threat score of the attack graph is 1.0 × 20% + 0.4 × 20% + 1.0 × 20% + 0.75 × 40% = 0.2 + 0.08 + 0.2 + 0.3 = 0.78. The score matches the expectation for this attack path.
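The three alarm-derived scorers and the weighted total of the embodiment, as an added Python example that is not part of the patent. The tier scores are the page's (key host 0/0.3/0.7/1, key event 0/0.4/0.7/1, alarm level 1/0.5/0) and the weights are the embodiment's 20/20/20/40; the attack chain, key-host list and key-event list are constructed so that the embodiment's dimension scores come out, and the exploit-path score 0.75 is passed in as given above, because the CVSS table it rests on is not reproduced on the page. Matching time at day granularity is an assumption of the example.

```python
"""Added example, not the patent's own code: key host, key event and alarm
level scoring plus the weighted total of the embodiment.  Tier scores and
weights are the page's; CHAIN, KEY_HOSTS and KEY_EVENTS are constructed; the
exploit-path score 0.75 is passed in from the embodiment (its CVSS table is
not on the page).  Day-granularity time matching is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    time: str   # day bucket of the alarm
    atype: str  # alarm type / content
    src: str
    dst: str
    level: int  # 0 = intrusion, 1 = network anomaly, 2 = host alarm


# Constructed attack chain: attacker 1.34 scans 1.1, then brute-forces 1.3.
CHAIN = [
    Event("d4", "scan", "1.34", "1.1", 1),
    Event("d5", "login_fail", "1.34", "1.3", 0),
]
# Constructed key-host findings: IP -> {day: {alarm types behind the finding}}
KEY_HOSTS = {"1.3": {"d5": {"login_fail"}}}
# Constructed key events: (alarm type, day, source IP, destination IP)
KEY_EVENTS = [("scan", "d2", "1.34", "1.2")]

WEIGHTS = {"key_host": 0.2, "key_event": 0.2, "alarm_level": 0.2, "exploit_path": 0.4}
LEVEL_SCORE = {0: 1.0, 1: 0.5, 2: 0.0}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9  # weights must partition the total


def tiered(checks, tiers):
    """Cumulative matching: the score is the tier of the last check that still holds."""
    score = tiers[0]
    for ok, tier in zip(checks, tiers[1:]):
        if not ok:
            break
        score = tier
    return score


def key_host_score(chain, key_hosts):
    """Per node: in key-host list? time matches? its security event matches? -> max."""
    best = 0.0
    for ev in chain:
        for ip in (ev.src, ev.dst):
            times = key_hosts.get(ip, {})
            checks = (ip in key_hosts, ev.time in times, ev.atype in times.get(ev.time, ()))
            best = max(best, tiered(checks, (0.0, 0.3, 0.7, 1.0)))
    return best


def key_event_score(chain, key_events):
    """Per alarm event: type matches? time matches? source and destination match? -> max."""
    best = 0.0
    for ev in chain:
        same_type = [k for k in key_events if k[0] == ev.atype]
        same_time = [k for k in same_type if k[1] == ev.time]
        same_ips = [k for k in same_time if (k[2], k[3]) == (ev.src, ev.dst)]
        checks = (bool(same_type), bool(same_time), bool(same_ips))
        best = max(best, tiered(checks, (0.0, 0.4, 0.7, 1.0)))
    return best


def alarm_level_score(chain):
    """The highest-level alarm in the path decides the score."""
    return max(LEVEL_SCORE[ev.level] for ev in chain)


def total_threat(chain, key_hosts, key_events, exploit_path_score):
    """Weighted combination of the four dimensions; returns (per-dimension, total)."""
    scores = {
        "key_host": key_host_score(chain, key_hosts),
        "key_event": key_event_score(chain, key_events),
        "alarm_level": alarm_level_score(chain),
        "exploit_path": exploit_path_score,
    }
    return scores, sum(WEIGHTS[k] * v for k, v in scores.items())


if __name__ == "__main__":
    scores, total = total_threat(CHAIN, KEY_HOSTS, KEY_EVENTS, 0.75)
    print(scores, round(total, 2))
```

Because every dimension takes the maximum over the chain, a single fully matched node or event is enough to saturate that dimension; the tiered matcher makes the ordering of the checks (list membership, then time, then event or IP) explicit, which is what distinguishes a 0.3 from a 0.7 in the key host dimension.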
Correspondingly, the invention also provides a system for quantifying network threats based on a power monitoring system, which comprises:
the acquisition module is used for acquiring alarm log information acquired by the power monitoring system and drawing an attack path according to the alarm log information;
the key host scoring module is used for inputting the attack path to a pre-constructed attack quantitative evaluation model based on the key host and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host;
the alarm level scoring module is used for inputting the attack path to a pre-constructed attack quantitative evaluation model based on the alarm level and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the alarm level;
the key event scoring module is used for inputting the attack path into a pre-constructed key event-based attack quantitative evaluation model and outputting a threat quantitative evaluation score of the attack path based on the key event-based attack quantitative evaluation model;
the vulnerability exploitation path similarity degree scoring module is used for inputting the attack path to a pre-constructed vulnerability exploitation-based attack quantitative evaluation model and outputting a threat quantitative evaluation score of the attack path based on the vulnerability exploitation-based attack quantitative evaluation model;
and the calculation module is used for calculating the total threat value of the attack path by utilizing the weight determined in advance according to the severity and range of the influence of each dimension on the threat assessment, the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the key host, the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the alarm level, the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the key event and the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the vulnerability exploitation, wherein the dimensions comprise the key host dimension, the alarm level dimension, the key event dimension and the vulnerability exploitation path dimension.
The key host scoring module includes:
the identification module is used for identifying the IP of the key host by utilizing the alarm information;
the first traversal module is used for traversing each attack path in the alarm information and the nodes in each path: if the node IP is not in the key host IP sequence, the node scores 0; if the node IP is in the key host IP sequence but the event occurrence time does not match, it scores 0.3; if the event occurrence time matches but the corresponding security event of the key host IP does not match, it scores 0.7; if the corresponding security event of the key host IP also matches, it scores 1;
and the first value taking module is used for taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching scores of the nodes and the events in the attack chain.
The identification module comprises:
the preprocessing module is used for preprocessing the original alarm information to obtain a dense time sequence;
and the judging module is used for determining a starting point and an end point of the abnormal quantity according to the dense time sequence, judging whether the abnormal quantity of the time period between the starting point and the end point exceeds a preset threshold value of the IP host, and if so, determining the IP host as a key host.
The alarm level scoring module comprises:
the second traversal module is used for traversing each attack path in the alarm information, obtaining the alarm level of each security event in the attack path and assigning it a score, wherein the highest level 0 threat scores 1, a level 1 threat scores 0.5 and a level 2 threat scores 0;
and the second value taking module is used for taking the maximum value in each security event score as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
The key event scoring module comprises:
the determining module is used for extracting logs of various safety devices of the power grid according to the alarm information and determining key events according to the logs;
the third traversal module is used for traversing each attack path in the alarm information and, for each attack path, traversing each alarm event: if the alarm content does not match any key event, the alarm event scores 0; if the key event type matches, the time is compared next, and if the alarm event occurrence time does not match, the event scores 0.4; if the key event type and occurrence time match but the source and destination IP of the key event do not match the source and destination IP in the attack path, the event scores 0.7; and if the key event type, the occurrence time and the source and destination IP all match the attack path, the event scores 1;
and the third value taking module is used for taking the maximum value of the scores after the scores of all the alarm events are obtained through calculation as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key events.
The determining module comprises:
the extraction module is used for counting and extracting logs of various safety devices in the power grid to form a safety event sequence;
the first determining module is used for determining mutation-point-based key events from the security event sequence, considering a surge in alarm count and a sharp drop in alarm count between adjacent security events, and a flat-top event in which a surge is followed by small continuous fluctuation and then a sharp drop;
and the second determining module is used for determining key events based on the threshold value according to the safety event sequence, considering that the alarm quantity is not suddenly increased but slowly increased until the preset quantity threshold value is exceeded.
The vulnerability exploiting path similarity degree scoring module comprises:
the fourth traversal module is used for traversing all exploit paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity and extracting the exploit paths in the top 1% of the ranking;
the screening module is used for screening the top 1% of exploit paths with a threshold K and keeping the exploit paths whose similarity is greater than K;
the CVSS scoring module is used for quantifying the threat degree of each selected exploit path according to a CVSS scoring rule base, the quantification being: for all CVE vulnerabilities on the exploit path, look up the CVSS score of each vulnerability in the CVSS scoring rule base and average these scores to obtain the risk degree score of the exploit path;
and the fourth value taking module is used for taking the maximum risk degree over all screened exploit paths as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on vulnerability exploitation.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (14)
1. A method for quantifying network threats based on a power monitoring system, characterised by comprising the following steps:
acquiring alarm log information acquired by a power monitoring system, and drawing an attack path according to the alarm log information;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on a key host, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the alarm level, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the alarm level;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key event, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the key event;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the exploit, and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the exploit;
and calculating the total threat value of the attack path by utilizing the weight determined according to the influence of each dimension on the threat evaluation in advance, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key event and the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the vulnerability exploitation, wherein the dimensions comprise the dimension of the key host, the dimension of the alarm level, the dimension of the key event and the dimension of the vulnerability exploitation path.
2. The method for quantifying network threats based on the power monitoring system according to claim 1, wherein the processing procedure of the attack quantification assessment model based on the key host comprises the following steps:
identifying a key host IP by using the alarm information;
traversing each attack path in the alarm information and the nodes in each path, and scoring a1 if the node IP is not in the key host IP sequence; a2 if the node IP is in the key host IP sequence but the event occurrence time does not match; a3 if the event occurrence time matches but the corresponding security event of the key host IP does not match; and a4 if the corresponding security event of the key host IP also matches; wherein 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
and taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching score of each node in the attack path and the event.
3. The method for quantifying network threats based on a power monitoring system according to claim 1, wherein the process of identifying key host IPs by using original alarm information comprises the following steps:
preprocessing original alarm information to obtain a dense time sequence, determining a starting point and an end point of abnormal quantity according to the dense time sequence, judging whether the abnormal quantity of the time period between the starting point and the end point exceeds a preset threshold value of the IP host, and if so, determining the IP host as a key host.
4. The method for quantifying network threats based on the power monitoring system according to claim 1, wherein the processing procedure of the attack quantification assessment model based on the alarm level comprises the following steps:
traversing each attack path in the alarm information and, for each attack path, obtaining the alarm level of each security event in the path and assigning it a score, wherein a level 0 threat, the highest, scores b1, a level 1 threat scores b2 and a level 2 threat scores b3; wherein 1 ≥ b1, b2, b3 ≥ 0;
and taking the maximum value in the security event scores of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
5. The method for quantifying network threats based on the power monitoring system according to claim 1, wherein the processing procedure of the attack quantitative evaluation model based on the key events comprises:
extracting logs of various safety devices of the power grid according to the alarm information, and determining key events according to the logs;
traversing each attack path in the alarm information and, for each attack path, traversing each alarm event, scoring c1 if the alarm content does not match any key event; if the key event type matches, comparing the time next and scoring c2 if the alarm event occurrence time does not match; scoring c3 if the key event type and occurrence time match but the source and destination IP of the key event do not match the source and destination IP in the attack path; and scoring c4 if the key event type, the occurrence time and the source and destination IP all match the attack path; wherein 0 ≤ c1 < c2 < c3 < c4 ≤ 1;
and after the scores of the alarm events of each node in the attack path are calculated, taking the maximum value of the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key events.
6. The method according to claim 1, wherein the process of determining key events from the log comprises:
carrying out statistics and extraction on logs of various safety devices in a power grid to form a safety event sequence;
determining mutation-point-based key events from the security event sequence, considering a surge in alarm count and a sharp drop in alarm count between adjacent security events, and a flat-top event in which a surge is followed by small continuous fluctuation and then a sharp drop;
according to the safety event sequence, considering that the alarm quantity does not suddenly increase but slowly increases until a preset quantity threshold value is exceeded, key events based on the threshold value are determined.
7. The method for quantifying network threats based on the power monitoring system according to claim 1, wherein the processing procedure of the exploit-based attack quantitative evaluation model comprises:
traversing all exploit paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity and extracting the exploit paths in the top 1% of the ranking;
screening the top 1% of exploit paths with a threshold K and keeping the exploit paths whose similarity is greater than K;
quantifying the threat degree of each selected exploit path according to a CVSS scoring rule base, the quantification being: for all CVE vulnerabilities on the exploit path, looking up the CVSS score of each vulnerability in the CVSS scoring rule base and averaging these scores to obtain the risk degree score of the exploit path;
and taking the maximum risk degree over all screened exploit paths as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on vulnerability exploitation.
8. A system for quantifying network threats based on a power monitoring system, comprising:
the acquisition module is used for acquiring alarm log information acquired by the power monitoring system and drawing an attack path according to the alarm log information;
the key host scoring module is used for inputting the attack path to a pre-constructed attack quantitative evaluation model based on the key host and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host;
the alarm level scoring module is used for inputting the attack path to a pre-constructed attack quantitative evaluation model based on the alarm level and outputting a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model based on the alarm level;
the key event scoring module is used for inputting the attack path into a pre-constructed key event-based attack quantitative evaluation model and outputting a threat quantitative evaluation score of the attack path based on the key event-based attack quantitative evaluation model;
the vulnerability exploitation path similarity degree scoring module is used for inputting the attack path to a pre-constructed vulnerability exploitation-based attack quantitative evaluation model and outputting a threat quantitative evaluation score of the attack path based on the vulnerability exploitation-based attack quantitative evaluation model;
and the calculation module is used for calculating the total threat value of the attack path by utilizing the weight determined according to the influence of each dimension on the threat evaluation in advance, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level, the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key event and the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the vulnerability utilization, wherein the dimensions comprise the key host dimension, the alarm level dimension, the key event dimension and the vulnerability utilization path dimension.
9. The power monitoring system cyber threat-based quantification system of claim 8, wherein the key host scoring module comprises:
the identification module is used for identifying the IP of the key host by utilizing the alarm information;
the first traversal module is used for traversing each attack path in the alarm information and then the nodes in each path, scoring a1 if the node IP is not in the key host IP sequence; a2 if the node IP is in the key host IP sequence but the event occurrence time does not match; a3 if the event occurrence time matches but the corresponding security event of the key host IP does not match; and a4 if the corresponding security event of the key host IP also matches; wherein 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
and the first value taking module is used for taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching score of each node and the event in the attack path.
10. The system of claim 8, wherein the identification module comprises:
the preprocessing module is used for preprocessing the original alarm information to obtain a dense time sequence;
and the judging module is used for determining a starting point and an end point of the abnormal quantity according to the dense time sequence, judging whether the abnormal quantity of the time period between the starting point and the end point exceeds a preset threshold value of the IP host, and if so, determining the IP host as a key host.
11. The power monitoring system cyber threat-based quantification system of claim 8, wherein the alarm level scoring module comprises:
the second traversal module is used for traversing each attack path in the alarm information, obtaining the alarm level of each security event in the attack path and assigning a score to each event: an event whose highest threat level is 0 is scored b1, one whose highest threat level is 1 is scored b2, and one whose highest threat level is 2 is scored b3; wherein 1 ≥ b1, b2, b3 ≥ 0;
and the second value taking module is used for taking the maximum value in the security event scores of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
12. The power monitoring system cyber threat-based quantification system of claim 8, wherein the key event scoring module comprises:
the determining module is used for extracting the logs of the various security devices of the power grid according to the alarm information and determining key events from the logs;
the third traversal module is used for traversing each attack path in the alarm information and, for each attack path, traversing each alarm event: if the alarm content does not match any key event type, the event is scored c1; if the key event type matches, the time is checked next, and if the alarm event occurrence time does not match, the event is scored c2; if the key event type and the occurrence time match but the source IP and destination IP of the key event do not match the source IP and destination IP in the attack path, the event is scored c3; and if the key event type, the occurrence time, and the source and destination IPs all match the attack path at the same time, the event is scored c4; wherein 0 ≤ c1 < c2 < c3 < c4 ≤ 1;
and the third value taking module is used for taking, after the alarm events of each node in the attack path have been scored, the maximum of those scores as the threat quantitative evaluation score of the attack path under the attack quantitative evaluation model of the key event.
13. The system of claim 8, wherein the determining module comprises:
the extraction module is used for counting and extracting the logs of the various security devices in the power grid to form a security event sequence;
the first determining module is used for determining key events from the security event sequence based on abrupt-change (mutation) points, considering an alarm quantity surge event and an alarm quantity sharp reduction event between adjacent security events, as well as a flat-top event in which the quantity surges, fluctuates continuously within a small range, and then drops sharply;
and the second determining module is used for determining key events from the security event sequence based on a threshold value, considering the case in which the alarm quantity does not surge but rises slowly until it exceeds the preset quantity threshold.
14. The system of claim 8, wherein the vulnerability exploitation path similarity scoring module comprises:
the fourth traversal module is used for traversing all vulnerability attack paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity, and extracting the vulnerability attack paths ranked in the top 1% by similarity;
the screening module is used for screening the top 1% of vulnerability attack paths by setting a threshold value K and keeping only the vulnerability exploitation paths whose similarity is greater than K;
the CVSS scoring module is used for quantifying the threat degree of each of the selected vulnerability exploitation paths according to a CVSS scoring rule base, the quantification process comprising: for every CVE vulnerability on the vulnerability exploitation path, looking up the CVSS score corresponding to that vulnerability in the CVSS scoring rule base, and averaging those CVSS scores to obtain the risk degree score of the vulnerability exploitation path;
and the fourth value taking module is used for taking the maximum risk degree among all the screened vulnerability exploitation paths as the threat quantitative evaluation score of the attack path under the attack quantitative evaluation model of the vulnerability exploitation.
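The four dimension scorers of claims 9, 11, 12 and 14 and the weighted total of claim 8, as an added worked example in Python (not code from the patent). The values of a1..a4, b1..b3, c1..c4, K and the weights, the Jaccard similarity metric, the 0-1 scaling of the CVSS average and all sample data are assumptions; the claims fix only the ordering of the constants.

```python
from statistics import mean
# Assumed constants: the claims fix only the orderings 0 <= a1 < a2 < a3 < a4 <= 1,
# 1 >= b1, b2, b3 >= 0 and 0 <= c1 < c2 < c3 < c4 <= 1; K and the weights are assumed too.
A = (0.0, 0.3, 0.6, 1.0)   # a1..a4 (claim 9)
B = (0.2, 0.6, 1.0)        # b1..b3, indexed by the highest alarm level 0, 1, 2 (claim 11)
C = (0.0, 0.3, 0.6, 1.0)   # c1..c4 (claim 12)
K = 0.5                    # exploit-path similarity threshold (claim 14)
W = {"host": 0.3, "level": 0.2, "event": 0.3, "vuln": 0.2}   # dimension weights (claim 8)

def key_host_score(path, key_hosts):
    """Claim 9: a1 if the node IP is not a key host, a2 if the event time falls outside
    that host's abnormal window, a3 if the time fits but the event does not, a4 on a full match."""
    def node_score(n):
        kh = key_hosts.get(n["ip"])
        if kh is None:
            return A[0]
        if not kh["start"] <= n["time"] <= kh["end"]:
            return A[1]
        return A[3] if n["event"] in kh["events"] else A[2]
    return max(node_score(n) for n in path)

def alarm_level_score(path):
    """Claim 11: map each node's alarm level to b1..b3 and keep the path maximum."""
    return max(B[n["level"]] for n in path)

def key_event_score(path, key_events):
    """Claim 12: match event type, then time, then source/destination IPs (c1..c4)."""
    def node_score(n):
        by_type = [k for k in key_events if k["type"] == n["event"]]
        by_time = [k for k in by_type if k["time"] == n["time"]]
        by_ips = [k for k in by_time if (k["src"], k["dst"]) == (n["src"], n["dst"])]
        return C[3] if by_ips else C[2] if by_time else C[1] if by_type else C[0]
    return max(node_score(n) for n in path)

def vuln_path_score(path, vuln_paths, cvss):
    """Claim 14: rank known exploit paths by similarity, keep the top 1% above K, average
    the CVSS of each kept path's CVEs, return the maximum (scaled to 0-1: assumption)."""
    ips = {n["ip"] for n in path}
    sim = lambda v: len(ips & set(v["ips"])) / len(ips | set(v["ips"]))  # assumed: Jaccard on IPs
    ranked = sorted(vuln_paths, key=sim, reverse=True)
    kept = [v for v in ranked[:max(1, len(ranked) // 100)] if sim(v) > K]
    return max((mean(cvss[c] for c in v["cves"]) / 10 for v in kept), default=0.0)

def total_threat(path, key_hosts, key_events, vuln_paths, cvss):
    """Claim 8: weighted sum of the four dimension scores; returns (total, per-dimension)."""
    parts = {"host": key_host_score(path, key_hosts), "level": alarm_level_score(path),
             "event": key_event_score(path, key_events), "vuln": vuln_path_score(path, vuln_paths, cvss)}
    return round(sum(W[d] * parts[d] for d in W), 4), parts

# Constructed sample data (not from the patent): a two-hop attack path plus the key-host,
# key-event and exploit-path tables that claims 10, 13 and 14 assume have been built.
PATH = [
    {"ip": "10.0.0.5", "src": "10.0.0.5", "dst": "10.0.1.20", "event": "scan", "time": 100, "level": 0},
    {"ip": "10.0.1.20", "src": "10.0.1.20", "dst": "10.0.2.7", "event": "exploit", "time": 130, "level": 2},
]
KEY_HOSTS = {"10.0.1.20": {"start": 150, "end": 200, "events": {"exploit"}}}   # window misses t=130
KEY_EVENTS = [{"type": "exploit", "time": 130, "src": "10.0.1.20", "dst": "10.0.2.9"}]  # dst differs
VULN_PATHS = [{"ips": ["10.0.0.5", "10.0.1.20", "10.0.2.7"], "cves": ["CVE-PLACEHOLDER-A", "CVE-PLACEHOLDER-B"]},
              {"ips": ["10.0.9.1", "10.0.9.2"], "cves": ["CVE-PLACEHOLDER-C"]}]
CVSS = {"CVE-PLACEHOLDER-A": 9.8, "CVE-PLACEHOLDER-B": 7.5, "CVE-PLACEHOLDER-C": 5.0}  # placeholder scores
```

With the sample data the key-host and key-event dimensions deliberately stop at partial matches (a2 and c3), so `total_threat(PATH, KEY_HOSTS, KEY_EVENTS, VULN_PATHS, CVSS)` shows how each dimension contributes to the weighted total.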
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110149542.5A CN112819336B (en) | 2021-02-03 | 2021-02-03 | Quantification method and system based on network threat of power monitoring system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112819336A true CN112819336A (en) | 2021-05-18 |
CN112819336B CN112819336B (en) | 2023-12-15 |
Family ID: 75860921
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110149542.5A Active CN112819336B (en) | 2021-02-03 | 2021-02-03 | Quantification method and system based on network threat of power monitoring system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112819336B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |