CN112819336B - Quantification method and system based on network threat of power monitoring system - Google Patents


Info

Publication number
CN112819336B
Authority
CN
China
Prior art keywords
attack
key
score
threat
alarm
Prior art date
Legal status
Active
Application number
CN202110149542.5A
Other languages
Chinese (zh)
Other versions
CN112819336A (en)
Inventor
梁野
李泽科
陈泽文
张晓�
汪明
唐志军
余斯航
金明辉
李勃
马力
何纪成
王春艳
王景
高英健
赵航
高航
李航
Current Assignee
State Grid Corp of China SGCC
Beijing Kedong Electric Power Control System Co Ltd
State Grid Fujian Electric Power Co Ltd
NARI Group Corp
State Grid Shanghai Electric Power Co Ltd
State Grid Electric Power Research Institute
Original Assignee
State Grid Corp of China SGCC
Beijing Kedong Electric Power Control System Co Ltd
State Grid Fujian Electric Power Co Ltd
NARI Group Corp
State Grid Shanghai Electric Power Co Ltd
State Grid Electric Power Research Institute
Priority date
Filing date
Publication date
Application filed by State Grid Corp of China SGCC, Beijing Kedong Electric Power Control System Co Ltd, State Grid Fujian Electric Power Co Ltd, NARI Group Corp, State Grid Shanghai Electric Power Co Ltd, State Grid Electric Power Research Institute
Priority to CN202110149542.5A
Publication of CN112819336A
Application granted
Publication of CN112819336B
Legal status: Active (current)
Anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0639 Performance analysis of employees; Performance analysis of enterprise or organisation operations
    • G06Q10/0635 Risk analysis of enterprise or organisation activities
    • G06Q50/00 Systems or methods specially adapted for specific business sectors, e.g. utilities or tourism
    • G06Q50/06 Electricity, gas or water supply

Abstract

The invention discloses a quantification method and system for network threats to a power monitoring system. An attack path is drawn from the alarm information collected by the power monitoring system, and the attack path is scored by four pre-constructed attack quantification evaluation models, based respectively on key hosts, on alarm level, on key events and on vulnerability exploitation; the scores produced by the models are then combined into the total threat value of the attack path. Advantages: a comprehensive quantitative risk score for an attack event is obtained from four dimensions, the threat degree of the key host, the threat degree of the key event, the threat degree of the alarm level and the similarity to a vulnerability exploitation path; a suggested scoring table for the quantitative evaluation is provided, so that the threat degree of an attack event is scored and calculated over multiple dimensions.

Description

Quantification method and system based on network threat of power monitoring system
Technical Field
The invention relates to a quantification method and a quantification system based on network threat of a power monitoring system, and belongs to the technical field of power monitoring systems.
Background
Most attack events currently seen in the power grid are multi-step attacks, and different multi-step attacks cause different degrees of harm: some exploit vulnerabilities of higher severity and some exploit vulnerabilities of lower severity. Measuring the risk degree of a network attack is therefore important for the attack analysis and reasoning performed by power grid technicians.
Existing security event risk and threat analysis for power monitoring systems is mainly based on security event logs: key information is extracted from the logs and an attack path is built, so that the security threat can be traced back to its source. Once the attack path has been generated, however, there is no intuitive assessment of how risky it is, so maintenance personnel cannot tell where to focus their attention, dangerous events are easily overlooked, and the power monitoring system carries a larger potential safety hazard.
The main existing method for evaluating the network threat situation works from the original alarm information generated by an IDS: the alarms are correlated by analysing the logical relations between them, and the threat situation of the network is analysed from the correlation result. This research assumes that every alarm represents successful attack behaviour, whereas in a real network a large proportion of alarms are false or irrelevant. Such methods can effectively evaluate the security state of the network, but their model parameters are very difficult to set reasonably, so the models are hard to use and hard to roll out.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provide a quantification method and a quantification system based on network threat of a power monitoring system.
In order to solve the technical problems, the invention provides a quantification method based on network threats of a power monitoring system, which comprises the following steps:
acquiring alarm log information acquired by the power monitoring system, and drawing an attack path according to the alarm log information;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key host, and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the key host;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the alarm level, and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the alarm level;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key event, and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the key event;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the exploit, and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the exploit;
and calculating the total threat value of the attack path from the weights determined in advance according to the influence of each dimension on the threat assessment and from the threat quantification assessment scores of the attack path under the key-host, alarm-level, key-event and vulnerability-exploitation attack quantification assessment models, the dimensions being the key host dimension, the alarm level dimension, the key event dimension and the vulnerability exploitation path dimension.
Further, the processing procedure of the attack quantification assessment model based on the key host comprises the following steps:
identifying a key host IP by using the alarm information;
traversing each attack path in the alarm information and each node in the path: a node whose IP is not in the key host IP sequence is marked a1; a node whose IP is in the key host IP sequence but whose event occurrence time does not match is marked a2; a node whose event occurrence time matches but whose event does not match the corresponding security event of the key host IP is marked a3; a node whose event matches the corresponding security event of the key IP is marked a4; where 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
and obtaining, from the scores at which each node in the attack path matches the events, the threat quantification assessment score of the attack path under the key-host attack quantification assessment model as the maximum of those scores.
Further, the process of identifying the key host IP using the original alert information includes:
preprocessing the original alarm information into a dense time series, determining from the dense time series the start point and end point of the abnormal alarm count, judging whether the abnormal count in the period between the start point and the end point exceeds the preset threshold for the host with that IP, and if so, identifying that host as a key host.
Further, the processing procedure of the attack quantitative evaluation model based on the alarm level comprises the following steps:
traversing each attack path in the alarm information and, for each attack path, obtaining the alarm level of every security event in the path and assigning it a value: a level-0 alarm (the highest threat level) scores b1, a level-1 alarm scores b2 and a level-2 alarm scores b3, where 1 ≥ b1 ≥ b2 ≥ b3 ≥ 0;
taking the maximum value in the security event scores of each node in the attack path as a threat quantification assessment score of an attack quantification assessment model based on the alarm level of the attack path.
Further, the processing procedure of the attack quantitative evaluation model based on the key event comprises the following steps:
extracting logs of various safety devices of the power grid according to the alarm information, and determining key events according to the logs;
traversing each attack path in the alarm information and each alarm event in the path: an alarm whose content does not match a key event is marked c1; if the key event type matches, the time is matched next, and an alarm whose occurrence time does not match is marked c2; if the key event type and occurrence time both match but the source IP and destination IP of the key event do not match the source IP and destination IP in the attack path, the alarm is marked c3; and if the key event type, occurrence time, source IP and destination IP all match those in the attack path, the alarm is marked c4; where 0 ≤ c1 ≤ c2 ≤ c3 ≤ c4 ≤ 1;
and after the scores of the alarm events of each node in the attack path are calculated, taking the maximum value in the scores as a threat quantitative evaluation score of an attack quantitative evaluation model of the attack path based on key events.
Further, the process of determining the key event according to the log includes:
counting and extracting the logs of the various security devices in the power grid to form a security event sequence;
according to the security event sequence, determining key events based on abrupt points by considering alarm-count surge events and alarm-count sharp-drop events between adjacent security events, and flat-top events in which the count fluctuates within a small range after a surge and then drops sharply;
according to the security event sequence, determining threshold-based key events by considering the case where the alarm count does not surge but grows slowly until it exceeds a preset count threshold.
Further, the processing procedure of the attack quantification evaluation model based on the exploit comprises the following steps:
traversing all vulnerability attack paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity, and extracting the vulnerability attack paths ranked in the top 1%;
screening these top 1% of vulnerability attack paths with a threshold K, keeping only the vulnerability exploitation paths whose similarity is greater than K;
quantifying the threat degree of each selected vulnerability exploitation path according to the CVSS scoring rule base as follows: looking up, in the CVSS scoring rule base, the CVSS score of every CVE vulnerability on the exploitation path, and averaging those CVSS scores to obtain the risk degree score of the exploitation path;
and taking the maximum risk degree over all screened vulnerability exploitation paths as the threat quantification assessment score of the attack path under the vulnerability-exploitation attack quantification assessment model.
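An added Python example (not the patent's code) of the exploit-path dimension just described: rank a library of known exploit paths by similarity to the observed attack path, keep the top fraction, apply the threshold K, average the CVSS scores of each surviving path and take the maximum. The hop-based path representation, the Jaccard similarity, the placeholder CVE ids and the CVSS values are assumptions or constructed data.

```python
"""Exploit-path similarity dimension of the patent's model.

Added illustration, not code from the patent. Assumptions the patent leaves
open: a path is a tuple of (source IP, destination IP, alarm) hops, the
similarity between paths is the Jaccard index of their hop sets, and the
"CVSS scoring rule base" is a dict of CVE id -> CVSS base score.
"""
from dataclasses import dataclass
from typing import Dict, Sequence, Set, Tuple

Hop = Tuple[str, str, str]  # (source IP, destination IP, alarm / step name)


@dataclass(frozen=True)
class ExploitPath:
    name: str
    hops: Tuple[Hop, ...]
    cves: Tuple[str, ...]  # CVE ids exercised along the path


def jaccard(a: Set[Hop], b: Set[Hop]) -> float:
    """Similarity of two hop sets in [0, 1] (assumed measure)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def path_risk(path: ExploitPath, cvss_base: Dict[str, float]) -> float:
    """Risk degree of one exploit path: the mean CVSS score of its CVEs, as the
    patent specifies. CVEs absent from the rule base are skipped (assumption)."""
    scores = [cvss_base[c] for c in path.cves if c in cvss_base]
    return sum(scores) / len(scores) if scores else 0.0


def exploit_path_score(attack_hops: Sequence[Hop], library: Sequence[ExploitPath],
                       cvss_base: Dict[str, float], top_fraction: float = 0.01,
                       k: float = 0.5) -> float:
    """The patent's steps: rank the library by similarity to the observed path,
    keep the top fraction (1 % in the text; at least one path here so that small
    libraries still yield a candidate), discard candidates whose similarity is
    not above K, score each survivor by path_risk and return the maximum."""
    target = set(attack_hops)
    sims = [jaccard(target, set(p.hops)) for p in library]
    order = sorted(range(len(library)), key=sims.__getitem__, reverse=True)
    keep = max(1, int(len(order) * top_fraction))
    candidates = [library[i] for i in order[:keep] if sims[i] > k]
    return max((path_risk(p, cvss_base) for p in candidates), default=0.0)


# Constructed sample data (not from the patent): a tiny exploit-path library for
# a hypothetical substation LAN and a rule base with placeholder CVE ids.
CVSS_BASE = {"CVE-0000-0001": 9.8, "CVE-0000-0002": 7.5,
             "CVE-0000-0003": 10.0, "CVE-0000-0004": 6.1}
WEB = ("10.0.1.5", "10.0.2.10", "web_attack_alert")
SMB = ("10.0.2.10", "10.0.3.20", "smb_lateral_alert")
PHISH = ("10.0.9.9", "10.0.2.10", "phishing_alert")
IEC104 = ("10.0.1.5", "10.0.3.20", "iec104_abnormal_access")
LIBRARY = [
    ExploitPath("web-to-scada", (WEB, SMB), ("CVE-0000-0001", "CVE-0000-0002")),
    ExploitPath("phish-to-scada", (PHISH, SMB), ("CVE-0000-0003",)),
    ExploitPath("direct-iec104", (IEC104,), ("CVE-0000-0004",)),
]
OBSERVED = (WEB, SMB)  # the attack path drawn from the alarm log

if __name__ == "__main__":
    # Top 1 % of three paths is one path (web-to-scada, similarity 1.0 > K);
    # its risk degree is the mean of 9.8 and 7.5.
    print(exploit_path_score(OBSERVED, LIBRARY, CVSS_BASE))
    # Widening the candidate set lets the only 1/3-similar but more dangerous
    # phish-to-scada path (CVSS 10.0) dominate the score.
    print(exploit_path_score(OBSERVED, LIBRARY, CVSS_BASE, top_fraction=1.0, k=0.3))
```

The second call shows why the top-fraction cut and the threshold K matter: a loosely similar but high-CVSS path can raise the score once it is admitted as a candidate.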
A quantification system based on network threats of a power monitoring system, comprising:
the acquisition module is used for acquiring alarm log information acquired by the power monitoring system and drawing an attack path according to the alarm log information;
the key host scoring module is used for inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key host and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the key host;
the alarm level scoring module is used for inputting the attack path into a pre-constructed attack quantitative evaluation model based on the alarm level and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the alarm level;
the key event scoring module is used for inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key event and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the key event;
the vulnerability exploitation path similarity degree scoring module is used for inputting the attack path into a pre-constructed vulnerability-exploitation-based attack quantitative evaluation model and outputting threat quantitative evaluation scores of the attack path based on the vulnerability-exploitation-based attack quantitative evaluation model;
the computing module is used for computing the total threat value of the attack path from the weights determined in advance according to the influence of each dimension on the threat assessment and from the threat quantification assessment scores of the attack path under the key-host, alarm-level, key-event and vulnerability-exploitation attack quantification assessment models, the dimensions being the key host dimension, the alarm level dimension, the key event dimension and the vulnerability exploitation path dimension.
Further, the key host scoring module includes:
the identification module is used for identifying the key host IP by utilizing the alarm information;
the first traversing module is used for traversing each attack path in the alarm information and each node in the path: a node whose IP is not in the key host IP sequence is marked a1; a node whose IP is in the key host IP sequence but whose event occurrence time does not match is marked a2; a node whose event occurrence time matches but whose event does not match the corresponding security event of the key host IP is marked a3; a node whose event matches the corresponding security event of the key IP is marked a4; where 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
the first value-taking module is used for taking the maximum of the scores at which each node in the attack path matches the events as the threat quantification evaluation score of the attack path under the key-host attack quantification evaluation model.
Further, the identification module includes:
the preprocessing module is used for preprocessing the original alarm information to obtain a dense time sequence;
the judging module is used for determining the starting point and the ending point of the abnormal quantity according to the dense time sequence, judging whether the abnormal quantity of the time period between the starting point and the ending point exceeds the preset threshold value of the host computer of the IP, and if so, determining that the host computer of the IP is a key host computer.
Further, the alarm level scoring module includes:
the second traversing module is used for traversing each attack path in the alarm information and, for each attack path, obtaining the alarm level of every security event in the path and assigning it a value: a level-0 alarm (the highest threat level) scores b1, a level-1 alarm scores b2 and a level-2 alarm scores b3, where 1 ≥ b1 ≥ b2 ≥ b3 ≥ 0;
and the second value module is used for taking the maximum value in the security event scores of each node in the attack path as a threat quantitative evaluation score of the attack quantitative evaluation model of the attack path based on the alarm level.
Further, the key event scoring module includes:
the determining module is used for extracting logs of various safety equipment of the power grid according to the alarm information and determining key events according to the logs;
the third traversing module is used for traversing each attack path in the alarm information and each alarm event in the path: an alarm whose content does not match a key event is marked c1; if the key event type matches, the time is matched next, and an alarm whose occurrence time does not match is marked c2; if the key event type and occurrence time both match but the source IP and destination IP of the key event do not match the source IP and destination IP in the attack path, the alarm is marked c3; and if the key event type, occurrence time, source IP and destination IP all match those in the attack path, the alarm is marked c4; where 0 ≤ c1 ≤ c2 ≤ c3 ≤ c4 ≤ 1;
and the third value taking module is used for taking the maximum value of the scores after calculating the scores of the alarm events of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key event.
Further, the determining module includes:
the extraction module is used for counting and extracting logs of various safety devices in the power grid to form a safety event sequence;
the first determining module is used for determining key events based on abrupt points from the security event sequence, considering alarm-count surge events and alarm-count sharp-drop events between adjacent security events, and flat-top events in which the count fluctuates within a small range after a surge and then drops sharply;
and the second determining module is used for determining threshold-based key events from the security event sequence, considering the case where the alarm count does not surge but grows slowly until it exceeds a preset count threshold.
Further, the exploit path similarity degree scoring module includes:
the fourth traversing module is used for traversing all vulnerability attack paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity, and extracting the vulnerability attack paths ranked in the top 1%;
the screening module is used for screening these top 1% of vulnerability attack paths with a threshold K, keeping only the vulnerability exploitation paths whose similarity is greater than K;
the CVSS scoring module is used for quantifying the threat degree of each selected vulnerability exploitation path according to the CVSS scoring rule base as follows: looking up, in the CVSS scoring rule base, the CVSS score of every CVE vulnerability on the exploitation path, and averaging those CVSS scores to obtain the risk degree score of the exploitation path;
and the fourth value-taking module is used for taking the maximum risk degree over all screened vulnerability exploitation paths as the threat quantification evaluation score of the attack path under the vulnerability-exploitation attack quantification evaluation model.
The invention has the beneficial effects that:
the method quantifies the threat degree of an attack path with a multidimensional quantification model and displays it intuitively, which helps power grid technicians perceive the threat degree of a vulnerability exploitation path; a comprehensive quantitative risk score for an attack event is obtained from four dimensions, the threat degree of the key host, the threat degree of the key event, the threat degree of the alarm level and the similarity to a vulnerability exploitation path; a suggested scoring table for the quantitative evaluation is provided, so that the threat degree of an attack event is scored and calculated over multiple dimensions.
Drawings
FIG. 1 is a schematic flow chart of the present invention;
FIG. 2 shows the key host detection and identification method;
FIG. 3 is a flow chart of the key event monitoring process;
FIG. 4 is a diagram of an intranet network deployment of an embodiment;
FIG. 5 is a schematic diagram of an attack path;
FIG. 6 is a schematic diagram of an exploit path.
Detailed Description
In order to make the objects, features and advantages of the present invention more comprehensible, the technical solutions in the embodiments of the present invention are described in detail below with reference to the accompanying drawings, and it is apparent that the embodiments described below are only some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention provides a quantification method for network threats to a power monitoring system, comprising four algorithms: scoring an attack path according to key hosts, according to key events, according to alarm level, and according to its similarity to an exploit path. When the total threat value of the attack path is calculated, a different weight is set for the score from each dimension's scoring algorithm; the weights can be adjusted manually, and the suggested weights, chosen according to the severity and range of each dimension's influence on the threat evaluation, are: alarm level 20%, key suspicious equipment 20%, key event 20%, and exploit path similarity 40%. The scoring rules of the multidimensional quantification algorithm are as follows:
TABLE 1 multidimensional metric scoring rules
The multi-dimensional quantification formula of the threat level of the attack path is as follows: the attack path is quantitatively scored from different dimensions.
Multi-dimensional quantization algorithm
The multi-dimensional quantization algorithm described in this patent involves several concepts:
(1) The alarm level is taken directly from the original data and directly reflects the importance of the alarm; if a node in the attack path has a high alarm level, the attack path is more threatening;
(2) A key event is an alarm event that occurs frequently within a certain time; such an anomaly may indicate an attack, so if an alarm event in the attack path is a key event, the attack path is likewise more threatening;
(3) An exploit path is a multi-step way of attacking that exists in the local area network; the more similar an observed attack path is to an exploit path, the higher its threat level, and an attack path similar to a more dangerous exploit path has a higher threat level still.
1. Attack quantitative evaluation method based on key host
The method first identifies the key hosts and each key host's key security events, obtains the key host IPs, and scores the drawn attack graph. Each attack path in the attack graph is traversed, and within it each node: a node whose IP is not in the key host IP sequence scores 0; a node whose IP is in the key host IP sequence but whose event occurrence time does not match scores 0.3; a node whose event occurrence time matches but whose event does not match the corresponding high-occurrence event of the key host IP scores 0.7; and a node matching the corresponding high-occurrence event of the key IP scores 1. The maximum of the node-event matching scores along the attack chain is the attack quantification evaluation score output by the model.
First, the key hosts are identified. A key host is an IP for which, when the alarms sent from or received by each IP are observed, the alarm count is found to surge or to exceed a certain threshold within a certain period; such an IP is called a key host for that period. According to whether the IP is the party sending or the party receiving the attack, key hosts are divided into suspicious hosts and victim hosts. The detection flow for key hosts is as follows:
As shown in fig. 2, key host identification has 4 steps, implemented by a data preprocessing module, a time series training module, a start boundary detection module and an end boundary detection module. The data preprocessing module takes the original alarm information as input, processes it into a dense time series, and feeds that series to the time series training module and to the start and end boundary detection modules; the time series training module takes the data of a past period as input and determines a threshold for each IP according to the configured threshold parameter; the start and end boundary detection modules are the core and determine the start and end points of the anomalous count, the dates between these two time points being the anomalous dates.
2. Attack quantitative evaluation method based on key event
When scoring the attack path according to the key event, firstly traversing each attack path, then traversing each alarm event for each attack path, and if the alarm content does not match the key event, marking as 0 score; if the key event is matched, the time is matched again, if the alarm event occurrence time is not matched, the score is recorded as 0.4, and if the time is matched, the related IP is matched again; if the type and the occurrence time of the key event are matched, but the source IP and the destination IP of the key event are not matched with the source IP and the destination IP in the attack path, the score is 0.7, and if the type, the occurrence time, the source IP and the destination IP of the key event are simultaneously matched with the source IP and the destination IP in the attack path, the score is 1. And taking the maximum value after calculating the score of each alarm event in the chain, namely obtaining the key event score of the attack path.
The attack paths form independent chains after being correlated, and cannot be directly combined with other chains, so that the key events are not observed. Therefore, the key events are independently analyzed and combined with the attack path, and once one event in the attack path matches the key event, the suspicious degree of the attack path is certainly increased.
A key event is an alarm type whose count, when observed over time, suddenly increases or exceeds a certain threshold during some period; the alarms of that type in that period are called key events. The key event monitoring model introduced below uses statistical analysis to find security events with characteristics such as a rapid increase in alarm count. It comprises two parts: log preprocessing and key security event detection. Log preprocessing collects statistics from and extracts the logs of the various security devices in the smart grid to form a security event sequence. Key security event detection comprises an abrupt-point based key event detection algorithm and a threshold based key security event detection algorithm, which detect key security events with different characteristics. The processing flow of the model is shown in Fig. 3.
The abrupt-point based key security event detection module takes the security event sequence of one alarm type as input. It mainly considers sharp increases and sharp decreases of the alarm count between adjacent security events, and "flat-top" events in which a sharp increase is followed by continuous fluctuation within a small range and then a sharp decrease; it outputs the key security events of that alarm type. The threshold based key security event detection module also takes the security event sequence of one alarm type as input; it focuses on the case where the alarm count does not increase suddenly but grows slowly until it exceeds a certain threshold, and outputs the key security events of that alarm type.
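The two detection models described above (the key host model of Fig. 2 with its dense time series, per-IP threshold and start/end boundaries, and the key event model of Fig. 3 with its abrupt-point and threshold detectors) can be run over one constructed alarm log. The following is an added example written for this page, not code from the patent or its assignees. The alarm records, the host addresses 10.0.0.3/7/9, the alarm type names, the training rule "mean plus three standard deviations", the surge factor of 3 and the 20% fluctuation band are all assumptions; the patent fixes none of them.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed alarm log for the example: (day, source_ip, alarm_type). Not real data.
BASE = date(2021, 1, 1)
TOTAL_DAYS, TRAIN_DAYS = 15, 10
ALARMS = []
for d in range(TOTAL_DAYS):
    day = BASE + timedelta(days=d)
    # 10.0.0.3: 2 port scans/day, a 4-day burst of 20/day, then back to 2 (a flat-top)
    ALARMS += [(day, "10.0.0.3", "port_scan")] * (20 if 10 <= d <= 13 else 2)
    # 10.0.0.7: a steady 3 failed logins/day, no anomaly
    ALARMS += [(day, "10.0.0.7", "login_fail")] * 3
    # 10.0.0.9: IEC 104 access anomalies growing slowly by one per day, capped at 12
    ALARMS += [(day, "10.0.0.9", "iec104_abnormal")] * min(d + 1, 12)


def dense_series(alarms, key, days=TOTAL_DAYS):
    """Preprocessing: alarm count per key (an IP or an alarm type) per day, zero-filled."""
    counts = defaultdict(lambda: [0] * days)
    for day, ip, typ in alarms:
        counts[key(ip, typ)][(day - BASE).days] += 1
    return dict(counts)


def ip_threshold(history, k=3.0):
    """Time-series training: per-IP threshold from past-period data (mean + k*std; an assumption)."""
    return mean(history) + k * pstdev(history)


def abnormal_boundaries(series, threshold):
    """Start boundary: first day above the threshold; end boundary: last consecutive day above it."""
    start = next((i for i, c in enumerate(series) if c > threshold), None)
    if start is None:
        return None
    end = start
    while end + 1 < len(series) and series[end + 1] > threshold:
        end += 1
    return start, end


def key_hosts(alarms, train_days=TRAIN_DAYS):
    """Key host model: an IP whose alarm count in its abnormal window exceeds its own threshold."""
    found = {}
    for ip, series in dense_series(alarms, lambda ip, typ: ip).items():
        thr = ip_threshold(series[:train_days])
        bounds = abnormal_boundaries(series[train_days:], thr)
        if bounds is None:
            continue
        start, end = (b + train_days for b in bounds)
        if sum(series[start:end + 1]) > thr * (end - start + 1):
            found[ip] = (BASE + timedelta(days=start), BASE + timedelta(days=end))
    return found


def abrupt_point_events(series, factor=3.0, wobble=0.2):
    """Abrupt-point detection between adjacent days: surge, sharp drop, and flat-top
    (a surge, at least one day of fluctuation within +/-wobble, then a sharp drop)."""
    events, i = [], 1
    while i < len(series):
        prev, cur = series[i - 1], series[i]
        if cur >= factor * max(prev, 1) and cur > prev:
            j = i
            while j + 1 < len(series) and abs(series[j + 1] - series[j]) <= wobble * series[j]:
                j += 1
            if j > i and j + 1 < len(series) and series[j + 1] <= series[j] / factor:
                events.append(("flat_top", i, j + 1))
                i = j + 2
                continue
            events.append(("surge", i, i))
        elif prev >= factor * max(cur, 1) and prev > cur:
            events.append(("sharp_drop", i, i))
        i += 1
    return events


def threshold_events(series, threshold, factor=3.0):
    """Threshold detection: the count crosses the threshold without a surge (slow growth)."""
    for i in range(1, len(series)):
        if series[i] > threshold and series[i] < factor * max(series[i - 1], 1):
            return [("slow_growth", i, i)]
    return []


def key_events(alarms, thresholds):
    """Key event model, run over one security event sequence per alarm type."""
    found = {}
    for typ, series in dense_series(alarms, lambda ip, typ: typ).items():
        evs = abrupt_point_events(series) + threshold_events(series, thresholds.get(typ, float("inf")))
        if evs:
            found[typ] = evs
    return found
```

On this input, `key_hosts(ALARMS)` flags only 10.0.0.3 (its burst window is 2021-01-11 to 2021-01-14), while `key_events(ALARMS, {"iec104_abnormal": 10})` reports a flat-top for `port_scan` and a slow-growth threshold crossing for `iec104_abnormal`; the slowly growing host never trips its own per-IP threshold, which is exactly the case the threshold detector exists for.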
3. Attack quantitative evaluation method based on alarm level
This evaluation method scores the attack path by alarm level: the threat value is calculated from the alarm levels of the alarm events in the attack path, and the threat level is quantified from it. In the alarm log each alarm event has a corresponding alarm level, of which there are three: level 0, level 1 and level 2. Level 0 is the most severe and therefore receives the highest score; level 2 is the least severe and receives the lowest. Level 0 alarms are typically alarms that contain intrusion behaviour, level 1 alarms are typically network anomalies, and level 2 alarms are typically host alarms. The alarm information collected from the power monitoring system also contains alarms closely tied to power grid business, such as "abnormal access related to the IEC 104 protocol"; the division into alarm levels already takes the specifics of the power grid network environment fully into account, so the alarm level is applied directly to scoring the attack path.
When scoring attacks by alarm level, each attack path is traversed first; then, for each attack path, the alarm level of each security event in the path is obtained and assigned a score: a level 0 threat (the most severe) scores 1, a level 1 threat scores 0.5 and a level 2 threat scores 0. The maximum over the security events' scores is then taken as the quantitative threat score of the attack path.
4. Attack quantitative evaluation method based on exploit
Exploitation means that an attacker finds an exploitable vulnerability in a target system and uses it to gain privileges, thereby taking control of the target system; it is an important form of network attack. An exploit path describes the exploitation process. Its data structure is a graph, in which nodes represent individual hosts and edges represent exploitation from one host to another; the vulnerability information and the specific description of each exploit can be obtained from the CVE vulnerability database.
One attack path corresponds to several exploit paths. A graph similarity algorithm is used to find the exploit paths similar to the attack path: the input of the algorithm is one attack path, and its output is the threat value of that attack path in the exploit-path dimension. The algorithm steps are as follows:
(1) Traverse all exploit paths in the local area network, calculate the similarity of each to the current attack path, rank them by similarity and take the exploit paths ranked in the top 1%.
(2) Filter the top 1% of exploit paths by a threshold K, keeping those whose similarity to the attack path is greater than K. The choice of K depends on the specific power grid environment; K = 0.5 is used in a general environment.
(3) Evaluate the threat degree of the selected exploit paths, i.e. quantify the threat of each according to a CVSS scoring rule base, as follows: look up the CVSS score of every CVE vulnerability on the exploit path in the rule base, and average those CVSS scores to obtain the risk degree score of the exploit path.
(4) Take the maximum risk degree over all the screened exploit paths; this maximum is the score of the attack path in the exploit dimension.
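Steps (1) to (4), run over the four exploit paths of the page's own Fig. 6 example, as an added example written for this page and not code from the patent. The patent only says "graph similarity"; the Jaccard similarity of the two paths' host-to-host edge sets used here is an assumption, as is including ties at the top-1% cutoff (with only four candidates, a strict 1% would keep a single path). The CVSS scores for cve-2001-1030 and cve-2001-0439 are the 7.5 from the page's table; the value for cve-2002-1359 is a placeholder assumed for the example, not a looked-up score. The attack path is the intranet segment 1.1 to 1.3, constructed to match the example.

```python
from math import ceil

# Exploit paths from the page's Fig. 6 example, as (from_host, to_host, cve) edges.
EXPLOIT_PATHS = {
    1: [("1.1", "1.3", "cve-2001-1030")],
    2: [("1.1", "1.3", "cve-2001-0439")],
    3: [("1.1", "1.2", "cve-2002-1359"), ("1.2", "1.3", "cve-2001-1030")],
    4: [("1.1", "1.2", "cve-2002-1359"), ("1.2", "1.3", "cve-2001-0439")],
}
# CVSS rule base: the first two scores are from the page's table; the third is a placeholder
# assumed for the example (not looked up from NVD), present only so every path can be scored.
CVSS = {"cve-2001-1030": 7.5, "cve-2001-0439": 7.5, "cve-2002-1359": 5.0}
# Intranet segment of the detected attack path (host 1.1 to the MySQL host 1.3); constructed.
ATTACK_PATH = [("1.1", "1.3")]


def edges(path):
    """Host-to-host edge set of a path; the CVE id carried by exploit edges is dropped."""
    return {(e[0], e[1]) for e in path}


def graph_similarity(attack_path, exploit_path):
    """Jaccard similarity of the edge sets (assumed metric; the patent does not fix one)."""
    a, b = edges(attack_path), edges(exploit_path)
    return len(a & b) / len(a | b) if a | b else 0.0


def select_exploit_paths(attack_path, exploit_paths, top_fraction=0.01, k=0.5):
    """Steps (1) and (2): rank by similarity, keep the top fraction (ties at the cutoff
    included), then keep only paths whose similarity is strictly greater than K."""
    ranked = sorted(((pid, graph_similarity(attack_path, p)) for pid, p in exploit_paths.items()),
                    key=lambda ps: ps[1], reverse=True)
    cutoff = ranked[max(1, ceil(len(ranked) * top_fraction)) - 1][1]
    return [pid for pid, sim in ranked if sim >= cutoff and sim > k]


def path_risk(exploit_path, cvss):
    """Step (3): average CVSS base score of the CVEs on one exploit path."""
    return sum(cvss[cve] for _, _, cve in exploit_path) / len(exploit_path)


def exploit_score(attack_path, exploit_paths, cvss, k=0.5):
    """Step (4): maximum risk over the screened paths, scaled from CVSS's 0..10 to 0..1
    (the page's 7.5 -> 0.75 implies this scaling). Returns (score, screened path ids)."""
    chosen = select_exploit_paths(attack_path, exploit_paths, k=k)
    if not chosen:
        return 0.0, []
    return max(path_risk(exploit_paths[p], cvss) for p in chosen) / 10.0, chosen
```

`exploit_score(ATTACK_PATH, EXPLOIT_PATHS, CVSS)` screens out paths (1) and (2) and returns 0.75, the value the page reaches; an attack path with no edge in common with any exploit path (for instance the external hop 1.34 to 1.1 alone) scores 0 in this dimension because nothing passes K.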
Implementation process
A small LAN environment is simulated; the network deployment is shown in Figs. 4, 5 and 6:
Hosts 1.1, 1.2 and 1.3 form an internal network; because host 1.3 hosts a MySQL database, it is important relative to the other hosts. An attacker launches an attack from host 1.34, and the following attack path is detected in the intranet system.
Meanwhile, the key hosts detected in the internal system are:
the key events detected by the internal system are as follows
The alarm level detected in the attack path is as follows:
As shown in Fig. 6, exploit path 1 runs from host 1.1 to host 1.3, with vulnerability number cve-2001-1030;
exploit path 2 runs from host 1.1 to host 1.3, with vulnerability number cve-2001-0439;
exploit path 3 runs from host 1.1 to host 1.2 to host 1.3, with vulnerability numbers cve-2002-1359 and cve-2001-1030;
exploit path 4 runs from host 1.1 to host 1.2 to host 1.3, with vulnerability numbers cve-2002-1359 and cve-2001-0439.
Taking one attack path as the object, its threat value is quantified in the four dimensions:
1. Key host: the node matches on [alarm type + time + IP], so the score is 1.0
2. Key event: only the alarm type matches, so the score is 0.4
3. Alarm level: the alarm level is 0, so the score is 1.0
4. Exploit similarity score:
The similarity between the attack path and each exploit path is calculated with the similarity algorithm, and the exploit paths whose similarity is greater than 0.5 and which rank in the top 1% are selected; the exploit paths finally screened out are (1) and (2). From the CVSS scores of their CVE vulnerabilities in the table below, the exploit similarity score is 0.75 (an average and maximum CVSS score of 7.5 on the 0 to 10 scale).
Vulnerability number    CVSS score
CVE-2001-1030           7.5
CVE-2001-0439           7.5
In summary, the comprehensive threat score of the attack graph is 1.0 × 20% + 0.4 × 20% + 1.0 × 20% + 0.75 × 40% = 0.2 + 0.08 + 0.2 + 0.3 = 0.78. This score matches what is expected for this attack path.
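The three matching-based scorers (key host tiers 0/0.3/0.7/1, key event tiers 0/0.4/0.7/1, alarm level 1/0.5/0, each taking the maximum over the path) and the weighted combination of the worked example above, as an added example written for this page and not code from the patent. The attack path events, their times and levels, the key host window and the key event are constructed so that the dimensions score 1.0, 0.4 and 1.0 as on the page; the exploit dimension is taken as the 0.75 computed in the text rather than recomputed here. The 20/20/20/40 weights are the example's; the patent leaves the weights to be set per deployment.

```python
# Attack path from the page's implementation example, reconstructed as constructed data:
# the attacker at 1.34 reaches intranet host 1.1, then the MySQL host 1.3. Alarm types,
# times and levels are assumptions chosen so the four dimensions score as on the page.
ATTACK_PATH = [
    {"src": "1.34", "dst": "1.1", "type": "port_scan", "time": "2021-01-10T08:00", "level": 1},
    {"src": "1.1", "dst": "1.3", "type": "mysql_brute_force", "time": "2021-01-10T08:05", "level": 0},
]
# Output of the key host model: IP -> abnormal window and alarm types seen on it (constructed).
KEY_HOSTS = {"1.3": {"window": ("2021-01-10T00:00", "2021-01-10T23:59"), "types": {"mysql_brute_force"}}}
# Output of the key event model; constructed so that only the alarm type matches (score 0.4).
KEY_EVENTS = [{"type": "port_scan", "window": ("2021-01-12T00:00", "2021-01-12T23:59"), "src": "1.2", "dst": "1.3"}]

LEVEL_SCORE = {0: 1.0, 1: 0.5, 2: 0.0}  # level 0 is the most severe
WEIGHTS = {"key_host": 0.2, "key_event": 0.2, "alarm_level": 0.2, "exploit": 0.4}


def in_window(t, window):
    return window[0] <= t <= window[1]  # ISO 8601 strings compare chronologically


def key_host_score(path, key_hosts):
    """Tiers 0 / 0.3 / 0.7 / 1 per node (key IP, then time, then security event); max over the path."""
    best = 0.0
    for ev in path:
        for ip in (ev["src"], ev["dst"]):
            kh = key_hosts.get(ip)
            if kh is None:
                s = 0.0
            elif not in_window(ev["time"], kh["window"]):
                s = 0.3
            elif ev["type"] not in kh["types"]:
                s = 0.7
            else:
                s = 1.0
            best = max(best, s)
    return best


def key_event_score(path, key_events):
    """Tiers 0 / 0.4 / 0.7 / 1 per alarm event (type, then time, then source and destination IP); max."""
    best = 0.0
    for ev in path:
        for ke in key_events:
            if ev["type"] != ke["type"]:
                s = 0.0
            elif not in_window(ev["time"], ke["window"]):
                s = 0.4
            elif (ev["src"], ev["dst"]) != (ke["src"], ke["dst"]):
                s = 0.7
            else:
                s = 1.0
            best = max(best, s)
    return best


def alarm_level_score(path, level_score=LEVEL_SCORE):
    """Level 0 -> 1, level 1 -> 0.5, level 2 -> 0; maximum over the path's events."""
    return max(level_score[ev["level"]] for ev in path)


def total_threat(path, key_hosts, key_events, exploit_score, weights=WEIGHTS):
    """Weighted sum of the four dimension scores; exploit_score is supplied by the exploit model."""
    scores = {
        "key_host": key_host_score(path, key_hosts),
        "key_event": key_event_score(path, key_events),
        "alarm_level": alarm_level_score(path),
        "exploit": exploit_score,
    }
    return round(sum(weights[d] * scores[d] for d in weights), 4), scores
```

`total_threat(ATTACK_PATH, KEY_HOSTS, KEY_EVENTS, 0.75)` returns 0.78 together with the per-dimension scores. Because every dimension takes the maximum over the path, one fully matching node or event is enough to saturate that dimension; extra low-scoring hops never dilute it.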
The invention also provides a quantification system based on the network threat of the power monitoring system, which comprises:
the acquisition module is used for acquiring alarm log information acquired by the power monitoring system and drawing an attack path according to the alarm log information;
the key host scoring module is used for inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key host and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the key host;
the alarm level scoring module is used for inputting the attack path into a pre-constructed attack quantitative evaluation model based on the alarm level and outputting the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level;
the key event scoring module is used for inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key event and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the key event;
The vulnerability exploitation path similarity degree scoring module is used for inputting the attack path into a pre-constructed vulnerability-exploitation-based attack quantitative evaluation model and outputting threat quantitative evaluation scores of the attack path based on the vulnerability-exploitation-based attack quantitative evaluation model;
the computing module is used for computing the total threat value of the attack path by utilizing the weight determined in advance according to the severity and the range of the influence of each dimension on the threat assessment and the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the key host, the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the alarm level, the threat quantitative assessment score of the attack path based on the attack quantitative assessment model of the key event and the threat quantitative assessment score of the attack path based on the vulnerability exploitation, wherein the dimensions comprise the key host dimension, the alarm level dimension, the key event dimension and the vulnerability exploitation path dimension.
The key host scoring module comprises:
the identification module is used for identifying the key host IP by utilizing the alarm information;
the first traversing module is used for traversing each attack path in the alarm information and traversing the nodes in each path, and if the node IP is not in the key host IP sequence, the node IP is marked as 0 score; if the node IP is in the key host IP sequence but does not match the event occurrence time, the node IP is recorded as 0.3 score; if the event occurrence time is matched, but the corresponding security event of the key host IP is not matched, the score is recorded as 0.7; if the corresponding security event of the key IP is matched, marking as 1 score;
The first value taking module is used for taking the maximum value in the scores as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching score of the nodes and the events in the attack chain.
The identification module comprises:
the preprocessing module is used for preprocessing the original alarm information to obtain a dense time sequence;
the judging module is used for determining the starting point and the ending point of the abnormal quantity according to the dense time sequence, judging whether the abnormal quantity in the time period between the starting point and the ending point exceeds the preset threshold value of the host with that IP, and if so, determining that the host with that IP is a key host.
The alarm level scoring module comprises:
the second traversing module is used for traversing each attack path in the alarm information and, for each attack path, obtaining the alarm level of each security event in the attack path and assigning it a score, wherein a level 0 threat (the most severe) scores 1, a level 1 threat scores 0.5 and a level 2 threat scores 0;
and the second value module is used for taking the maximum value among the scores of all the security events as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level.
The key event scoring module comprises:
The determining module is used for extracting logs of various safety equipment of the power grid according to the alarm information and determining key events according to the logs;
the third traversing module is used for traversing each attack path in the alarm information, traversing each alarm event for each attack path, and marking the alarm event as 0 score if the alarm content is not matched with the key event; if the key event type is matched, the time is re-matched, if the alarm event occurrence time is not matched, the time is recorded as 0.4 score, if the key event type is matched with the occurrence time, the time is recorded as 0.7 score, and if the source IP and the destination IP of the key event are matched with the source IP and the destination IP in the attack path at the same time, the time is recorded as 1 score;
and the third value taking module is used for taking the maximum value in the scores as the threat quantitative evaluation score of the attack path attack quantitative evaluation model based on the key event after the scores of the alarm events are obtained through calculation.
The determining module includes:
the extraction module is used for counting and extracting logs of various safety devices in the power grid to form a safety event sequence;
the first determining module is used for determining key events based on abrupt points according to the safety event sequence by considering alarm quantity sharp increasing events and alarm quantity sharp decreasing events in adjacent safety events and flat top events which are sharp decreasing after continuous fluctuation in a small range after sharp increasing;
And the second determining module is used for determining the key event based on the threshold value according to the safety event sequence, considering that the alarm number is not suddenly increased but slowly increased until the preset number threshold value is exceeded.
The exploit path similarity degree scoring module includes:
the fourth traversing module is used for traversing all exploit paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity, and extracting the exploit paths ranked in the top 1%;
the screening module is used for screening the first 1% of vulnerability attack paths, setting a threshold K and screening vulnerability utilization paths with vulnerability utilization path similarity larger than K;
the CVSS scoring module is used for quantifying the threat degree of each attack path according to the CVSS scoring rule base for the selected vulnerability exploitation path, and the quantifying process comprises the following steps: searching for the CVSS scores corresponding to all cve vulnerabilities of the paths on the vulnerability exploitation path by comparing with the CVSS score rule base, and averaging the CVSS scores to obtain the risk degree score of the vulnerability exploitation path;
and the fourth value module is used for taking the maximum value of the risk degrees of all the screened vulnerability exploiting paths as a threat quantification evaluation score of the attack path based on the vulnerability attack quantification evaluation model.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (2)

1. A quantification method based on network threats to a power monitoring system, characterized in that it comprises:
acquiring alarm log information acquired by the power monitoring system, and drawing an attack path according to the alarm log information;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key host, and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the key host;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the alarm level, and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the alarm level;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key event, and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the key event;
inputting the attack path into a pre-constructed attack quantitative evaluation model based on the exploit, and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the exploit;
calculating the total threat value of the attack path by utilizing the weight determined in advance according to the influence of each dimension on the threat assessment, the threat quantification assessment score of the attack path based on the attack quantification assessment model of the key host, the threat quantification assessment score of the attack path based on the attack quantification assessment model of the alarm level, the threat quantification assessment score of the attack path based on the attack quantification assessment model of the key event, and the threat quantification assessment score of the attack path based on the attack quantification assessment model of the vulnerability exploitation, wherein the dimensions comprise a key host dimension, an alarm level dimension, a key event dimension and a vulnerability exploitation path dimension;
The processing procedure of the attack quantitative evaluation model based on the key host comprises the following steps:
identifying a key host IP by using the alarm information;
traversing each attack path in the alarm information, traversing the nodes in each path, and marking a node as a1 score if the node IP is not in the key host IP sequence; if the node IP is in the key host IP sequence but the event occurrence time does not match, marking it as a2 score; if the event occurrence time matches but the corresponding security event of the key host IP does not match, marking it as a3 score; if the corresponding security event of the key IP matches, marking it as a4 score; wherein 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
according to the matching score of each node in the attack path and the event, the maximum value in the score is taken as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host;
the process of identifying the key host IP using the alert information includes:
preprocessing alarm information to obtain a dense time sequence, determining a starting point and an ending point of abnormal quantity according to the dense time sequence, judging whether the abnormal quantity of a time period between the starting point and the ending point exceeds a preset threshold value of a host of the IP, and if so, determining the host of the IP as a key host;
The processing procedure of the attack quantitative evaluation model based on the alarm level comprises the following steps:
traversing each attack path in the alarm information and, for each attack path, obtaining the alarm level of each security event in the attack path and assigning it a score, wherein a level 0 threat (the most severe) scores b1, a level 1 threat scores b2 and a level 2 threat scores b3; wherein 1 ≥ b1 ≥ b2 ≥ b3 ≥ 0;
taking the maximum value in the security event score of each node in the attack path as the threat quantitative evaluation score of the attack quantitative evaluation model of the attack path based on the alarm level;
the processing procedure of the attack quantitative evaluation model based on the key event comprises the following steps:
extracting logs of various safety devices of the power grid according to the alarm information, and determining key events according to the logs;
traversing each attack path in the alarm information, traversing each alarm event for each attack path, and marking the alarm event as c1 score if the alarm content does not match a key event; if the key event type matches, matching the time next: if the alarm event occurrence time does not match, marking it as c2 score; if the key event type and the occurrence time both match but the source IP and destination IP of the key event do not match the source IP and destination IP in the attack path, marking it as c3 score; and if the key event type, the occurrence time, the source IP and the destination IP of the key event all match those in the attack path, marking it as c4 score; wherein 0 ≤ c1 ≤ c2 ≤ c3 ≤ c4 ≤ 1;
After calculating the scores of the alarm events of each node in the attack path, taking the maximum value in the scores as threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key event;
the process for determining the key event according to the log comprises the following steps:
counting and extracting logs of various safety devices in the power grid to form a safety event sequence;
according to the safety event sequence, considering alarm quantity surge events and alarm quantity sharp-reduction events in adjacent safety events and flat-top events which are subjected to sharp reduction after continuous fluctuation in a small range after surge, and determining key events based on abrupt points;
according to the safety event sequence, considering that the alarm quantity is not suddenly increased but slowly increased until the alarm quantity exceeds a preset quantity threshold value, determining key events based on the threshold value;
the attack quantitative evaluation model processing process based on the exploit comprises the following steps:
traversing all exploit paths in the local area network, calculating the similarity of each to the current attack path, ranking them by similarity, and extracting the exploit paths ranked in the top 1%;
screening the first 1% of vulnerability attack paths, setting a threshold K, and screening vulnerability utilization paths with vulnerability utilization path similarity larger than K;
Quantifying the threat degree of each attack path according to the CVSS scoring rule base for the selected vulnerability exploitation path, wherein the quantifying process comprises the following steps: searching corresponding CVSS scores of all CVE vulnerabilities of the paths on the vulnerability exploitation paths by contrasting with a CVSS score rule base, and averaging the CVSS scores to obtain a risk degree score of the selected vulnerability exploitation paths;
and taking the maximum value of the risk degrees of all the screened vulnerability exploiting paths as a threat quantification assessment score of the attack path based on the vulnerability quantification assessment model of the vulnerability.
2. A power monitoring system network threat based quantification system, comprising:
the acquisition module is used for acquiring alarm log information acquired by the power monitoring system and drawing an attack path according to the alarm log information;
the key host scoring module is used for inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key host and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the key host;
the alarm level scoring module is used for inputting the attack path into a pre-constructed attack quantitative evaluation model based on the alarm level and outputting the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level;
The key event scoring module is used for inputting the attack path into a pre-constructed attack quantitative evaluation model based on the key event and outputting threat quantitative evaluation scores of the attack path based on the attack quantitative evaluation model of the key event;
the vulnerability exploitation path similarity degree scoring module is used for inputting the attack path into a pre-constructed vulnerability-exploitation-based attack quantitative evaluation model and outputting threat quantitative evaluation scores of the attack path based on the vulnerability-exploitation-based attack quantitative evaluation model;
the computing module is used for computing the total threat value of the attack path by utilizing the weight which is determined in advance according to the influence of each dimension on the threat assessment and the threat quantification assessment score of the attack path based on the attack quantification assessment model of the key host, the threat quantification assessment score of the attack path based on the attack quantification assessment model of the alarm level, the threat quantification assessment score of the attack path based on the attack quantification assessment model of the key event and the threat quantification assessment score of the attack path based on the vulnerability exploitation, wherein the dimensions comprise a key host dimension, an alarm level dimension, a key event dimension and a vulnerability exploitation path dimension;
The key host scoring module comprises:
the identification module is used for identifying the key host IP by utilizing the alarm information;
the first traversing module is used for traversing each attack path in the alarm information and traversing the nodes in each path, and marking a node as a1 score if the node IP is not in the key host IP sequence; if the node IP is in the key host IP sequence but the event occurrence time does not match, marking it as a2 score; if the event occurrence time matches but the corresponding security event of the key host IP does not match, marking it as a3 score; if the corresponding security event of the key IP matches, marking it as a4 score; wherein 0 ≤ a1 < a2 < a3 < a4 ≤ 1;
the first value taking module is used for taking the maximum value in the scores as a threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key host according to the matching score of each node in the attack path and the event;
the identification module comprises:
the preprocessing module is used for preprocessing the alarm information to obtain a dense time sequence;
the judging module is used for determining the starting point and the ending point of the abnormal quantity according to the dense time sequence, judging whether the abnormal quantity of the time period between the starting point and the ending point exceeds a preset threshold value of the host computer of the IP, and if so, determining that the host computer of the IP is a key host computer;
The alarm level scoring module comprises:
the second traversing module is used for traversing each attack path in the alarm information and, for each attack path, obtaining the alarm level of each security event in the attack path and assigning it a score, wherein a level 0 threat (the most severe) scores b1, a level 1 threat scores b2 and a level 2 threat scores b3; wherein 1 ≥ b1 ≥ b2 ≥ b3 ≥ 0;
the second value module is used for taking the maximum value among the security event scores of the nodes in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the alarm level;
the key event scoring module comprises:
the determining module is used for extracting logs of various safety equipment of the power grid according to the alarm information and determining key events according to the logs;
the third traversing module is used for traversing each attack path in the alarm information, traversing each alarm event for each attack path, and marking the alarm event as c1 score if the alarm content does not match a key event; if the key event type matches, matching the time next: if the alarm event occurrence time does not match, marking it as c2 score; if the key event type and the occurrence time both match but the source IP and destination IP of the key event do not match the source IP and destination IP in the attack path, marking it as c3 score; and if the key event type, the occurrence time, the source IP and the destination IP of the key event all match those in the attack path, marking it as c4 score; wherein 0 ≤ c1 ≤ c2 ≤ c3 ≤ c4 ≤ 1;
The third value taking module is used for taking the maximum value of the scores after calculating the scores of the alarm events of each node in the attack path as the threat quantitative evaluation score of the attack path based on the attack quantitative evaluation model of the key event;
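The two path scoring models described above (the alarm level model and the key event matching model, each aggregated by taking the maximum over the nodes of the path) can be expressed directly in code. The following is an added illustration, not code from the patent or its applicants; the parameter values b1..b3 and c1..c4, the 60-second matching window for "occurrence time matches", and all alarm and key event data are constructed assumptions, since the claims only fix the ordering constraints on the parameters.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed parameter values (assumption). The page only constrains the ordering:
# 1 >= b2 >= b3 >= 0 for the level scores and 0 <= c1 <= c2 <= c3 <= c4 <= 1.
LEVEL_SCORES = {0: 1.0, 1: 0.6, 2: 0.3}   # b1, b2, b3 for threat levels 0, 1, 2
C1, C2, C3, C4 = 0.0, 0.4, 0.7, 1.0       # key event matching tiers
TIME_WINDOW = 60                           # seconds; "time matches" tolerance (assumption)


@dataclass(frozen=True)
class AlarmEvent:
    event_type: str
    level: int        # 0 is the highest threat level, 2 the lowest (as on the page)
    timestamp: int    # epoch seconds, constructed
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class KeyEvent:
    event_type: str
    timestamp: int
    src_ip: str
    dst_ip: str


def alarm_level_score(path: List[AlarmEvent]) -> float:
    """Alarm level model: score each node by its level, keep the maximum."""
    return max(LEVEL_SCORES.get(e.level, 0.0) for e in path)


def key_event_match_score(event: AlarmEvent, key_events: List[KeyEvent]) -> float:
    """Four-tier key event rule for one alarm event.

    c1: no key event of the same type; c2: type matches, time does not;
    c3: type and time match, IP pair does not; c4: everything matches.
    When several key events exist, the best tier reached is kept.
    """
    best = C1
    for k in key_events:
        if k.event_type != event.event_type:
            continue
        if abs(k.timestamp - event.timestamp) > TIME_WINDOW:
            best = max(best, C2)
            continue
        if (k.src_ip, k.dst_ip) != (event.src_ip, event.dst_ip):
            best = max(best, C3)
            continue
        return C4  # full match: nothing can score higher
    return best


def key_event_score(path: List[AlarmEvent], key_events: List[KeyEvent]) -> float:
    """Key event model: score every node of the path, keep the maximum."""
    return max(key_event_match_score(e, key_events) for e in path)


def score_attack_path(path: List[AlarmEvent], key_events: List[KeyEvent]) -> Dict[str, float]:
    """Both per-path threat scores, as the quantification system would store them."""
    return {
        "alarm_level": alarm_level_score(path),
        "key_event": key_event_score(path, key_events),
    }


# Constructed sample data: one attack path of three alarms and three key events.
SAMPLE_PATH = [
    AlarmEvent("port_scan", 2, 1000, "10.0.0.5", "10.0.1.2"),
    AlarmEvent("brute_force", 1, 1300, "10.0.0.5", "10.0.1.2"),
    AlarmEvent("malware_c2", 0, 1600, "10.0.1.2", "203.0.113.7"),
]
SAMPLE_KEY_EVENTS = [
    KeyEvent("port_scan", 1010, "10.0.0.5", "10.0.1.2"),      # full match -> c4
    KeyEvent("brute_force", 1320, "10.0.0.5", "10.0.1.2"),    # full match -> c4
    KeyEvent("malware_c2", 9000, "10.0.1.2", "203.0.113.7"),  # type only -> c2
]

if __name__ == "__main__":
    print(score_attack_path(SAMPLE_PATH, SAMPLE_KEY_EVENTS))
```

Because both models keep only the maximum over the path, a single fully matched or level-0 node is enough to push the path to its top score; the per-node tiers matter mainly for ranking paths that contain no such node.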
the determining module includes:
the extraction module is used for counting and extracting logs of various safety devices in the power grid to form a safety event sequence;
the first determining module is used for determining key events based on abrupt points in the security event sequence, considering sharp-increase events and sharp-decrease events in the alarm count between adjacent security events, and flat-top events, in which the alarm count rises sharply, fluctuates within a small range for a sustained period and then falls sharply;
the second determining module is used for determining key events based on a threshold in the security event sequence, considering the case where the alarm count does not rise suddenly but grows slowly until it exceeds a preset count threshold;
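The abrupt point rules and the threshold rule above operate on a sequence of alarm counts per time interval. The following added example (not code from the patent or its applicants) detects all four kinds of key event on a constructed count sequence; the jump size, plateau tolerance, minimum plateau length and count threshold are assumed values, as the claims do not fix them.

```python
from typing import List, Tuple

# Constructed tuning parameters (assumptions; the page leaves them unspecified).
JUMP = 20             # minimum change between adjacent intervals for "sharp"
FLAT_TOL = 3          # maximum change still counted as "small fluctuation"
MIN_PLATEAU = 2       # minimum number of flat intervals after the sharp rise
COUNT_THRESHOLD = 50  # preset count threshold for the slow-growth rule

KeyEventSpan = Tuple[int, int, str]  # (start index, end index, kind)


def detect_key_events(counts: List[int],
                      jump: int = JUMP,
                      flat_tol: int = FLAT_TOL,
                      min_plateau: int = MIN_PLATEAU,
                      count_threshold: int = COUNT_THRESHOLD) -> List[KeyEventSpan]:
    """Return key events found in a per-interval alarm count sequence."""
    events: List[KeyEventSpan] = []
    n = len(counts)

    # Abrupt points: sharp increase / sharp decrease between adjacent intervals.
    for i in range(1, n):
        delta = counts[i] - counts[i - 1]
        if delta >= jump:
            events.append((i, i, "sharp_increase"))
        elif delta <= -jump:
            events.append((i, i, "sharp_decrease"))

    # Flat top: a sharp increase, then a plateau of small fluctuations,
    # then a sharp decrease. Recorded as the span from rise to fall.
    for start, _, kind in list(events):
        if kind != "sharp_increase":
            continue
        j = start
        while j + 1 < n and abs(counts[j + 1] - counts[j]) <= flat_tol:
            j += 1
        plateau_len = j - start
        if plateau_len >= min_plateau and j + 1 < n and counts[j + 1] - counts[j] <= -jump:
            events.append((start, j + 1, "flat_top"))

    # Threshold rule: the count crosses the preset threshold without a sharp jump.
    for i in range(1, n):
        delta = counts[i] - counts[i - 1]
        if counts[i - 1] < count_threshold <= counts[i] and delta < jump:
            events.append((i, i, "threshold_crossing"))

    return sorted(events)


# Constructed sample: alarms per interval from the security event sequence.
# index:          0  1  2   3   4   5   6  7  8   9  10  11  12  13
SAMPLE_COUNTS = [5, 6, 7, 40, 42, 41, 43, 8, 9, 20, 31, 44, 55, 56]

if __name__ == "__main__":
    for start, end, kind in detect_key_events(SAMPLE_COUNTS):
        print(f"{kind:>19} at intervals {start}..{end}")
```

On the sample sequence the jump at interval 3 is reported both as a sharp increase and, because it is followed by three flat intervals and a sharp drop at interval 7, as a flat-top span 3..7; the slow climb from interval 8 onward produces only a threshold crossing at interval 12, where the count first exceeds 50 without any single step reaching the jump size.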
the exploit path similarity degree scoring module includes:
the fourth traversing module is used for traversing all vulnerability attack paths in the local area network, calculating the similarity of each to the current attack path, ranking the paths by similarity and extracting the vulnerability attack paths ranked in the top 1% by similarity;
The screening module is used for screening the top 1% of vulnerability attack paths by setting a threshold K and selecting the exploit paths whose exploit path similarity is greater than K;
the CVSS scoring module is used for quantifying the threat degree of each selected exploit path according to the CVSS scoring rule base, and the quantifying process comprises the following steps: looking up, against the CVSS score rule base, the CVSS score of every CVE vulnerability on the exploit path and averaging those CVSS scores to obtain the risk degree score of the selected exploit path;
and the fourth value module is used for taking the maximum value of the risk degrees of all the screened vulnerability exploiting paths as a threat quantification evaluation score of the attack path based on the vulnerability attack quantification evaluation model.
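The vulnerability attack model in the four modules above is a pipeline: similarity ranking, top 1% cut, threshold K, CVSS averaging per path, maximum over the selected paths. The following added example (not code from the patent or its applicants) implements that pipeline end to end. The claims do not define the similarity measure, so the example assumes a sequence similarity over the ordered list of vulnerabilities on a path (Python's difflib ratio); the CVE identifiers and CVSS scores in the rule base are constructed placeholders, not real vulnerabilities.

```python
import difflib
import math
from typing import Dict, List, Tuple

ExploitPath = List[str]  # ordered CVE identifiers along one exploit path

# Constructed CVSS rule base with placeholder identifiers (not real CVEs).
CVSS_RULE_BASE: Dict[str, float] = {
    "CVE-EXAMPLE-1": 9.8, "CVE-EXAMPLE-2": 7.5, "CVE-EXAMPLE-3": 8.8,
    "CVE-EXAMPLE-4": 6.1, "CVE-EXAMPLE-5": 5.3, "CVE-EXAMPLE-6": 4.3,
    "CVE-EXAMPLE-7": 7.2, "CVE-EXAMPLE-8": 6.5, "CVE-EXAMPLE-9": 9.1,
}


def path_similarity(a: ExploitPath, b: ExploitPath) -> float:
    """Similarity in [0, 1] of two exploit paths (assumed measure: difflib ratio)."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def rank_similar_paths(current: ExploitPath, known: List[ExploitPath],
                       top_fraction: float = 0.01) -> List[Tuple[float, ExploitPath]]:
    """Fourth traversing module: rank known paths by similarity, keep the top 1%."""
    scored = sorted(((path_similarity(current, p), p) for p in known),
                    key=lambda t: t[0], reverse=True)
    keep = max(1, math.ceil(len(scored) * top_fraction))  # at least one path
    return scored[:keep]


def path_risk(path: ExploitPath, rule_base: Dict[str, float]) -> float:
    """CVSS scoring module: average CVSS score of the CVEs on the path."""
    scores = [rule_base[cve] for cve in path if cve in rule_base]
    if not scores:
        return 0.0
    return round(sum(scores) / len(scores), 1)


def vulnerability_path_score(current: ExploitPath, known: List[ExploitPath],
                             rule_base: Dict[str, float], k: float = 0.5) -> float:
    """Screening module + fourth value module: filter by K, take the maximum risk."""
    candidates = rank_similar_paths(current, known)
    selected = [p for sim, p in candidates if sim > k]
    if not selected:
        return 0.0  # no sufficiently similar exploit path known
    return max(path_risk(p, rule_base) for p in selected)


# Constructed sample: the current attack path and four known exploit paths.
CURRENT_PATH: ExploitPath = ["CVE-EXAMPLE-1", "CVE-EXAMPLE-2", "CVE-EXAMPLE-3"]
KNOWN_PATHS: List[ExploitPath] = [
    ["CVE-EXAMPLE-1", "CVE-EXAMPLE-2", "CVE-EXAMPLE-4"],                   # similarity 2/3
    ["CVE-EXAMPLE-5", "CVE-EXAMPLE-6"],                                    # similarity 0
    ["CVE-EXAMPLE-2", "CVE-EXAMPLE-7", "CVE-EXAMPLE-8", "CVE-EXAMPLE-9"],  # similarity 2/7
    ["CVE-EXAMPLE-3"],                                                     # similarity 1/2
]

if __name__ == "__main__":
    print(rank_similar_paths(CURRENT_PATH, KNOWN_PATHS))
    print(vulnerability_path_score(CURRENT_PATH, KNOWN_PATHS, CVSS_RULE_BASE))
```

With only four known paths the 1% cut keeps a single candidate, the path sharing its first two vulnerabilities with the current one; its averaged CVSS risk is reported when K is 0.5, and nothing is reported when K is raised above its similarity, which is how the threshold prevents a weakly related path from inflating the score.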
CN202110149542.5A 2021-02-03 2021-02-03 Quantification method and system based on network threat of power monitoring system Active CN112819336B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110149542.5A CN112819336B (en) 2021-02-03 2021-02-03 Quantification method and system based on network threat of power monitoring system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110149542.5A CN112819336B (en) 2021-02-03 2021-02-03 Quantification method and system based on network threat of power monitoring system

Publications (2)

Publication Number Publication Date
CN112819336A CN112819336A (en) 2021-05-18
CN112819336B true CN112819336B (en) 2023-12-15

Family

ID=75860921

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110149542.5A Active CN112819336B (en) 2021-02-03 2021-02-03 Quantification method and system based on network threat of power monitoring system

Country Status (1)

Country Link
CN (1) CN112819336B (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113259176B (en) * 2021-06-11 2021-10-08 长扬科技(北京)有限公司 Alarm event analysis method and device
CN114124552A (en) * 2021-11-29 2022-03-01 恒安嘉新(北京)科技股份公司 Network attack threat level obtaining method, device and storage medium
CN114726642B (en) * 2022-04-26 2023-09-22 东北电力大学 Quantification system based on network threat of power monitoring system
CN114978617B (en) * 2022-05-06 2023-08-08 国网湖北省电力有限公司信息通信公司 Network attack threat statistics judgment method based on Markov process learning model
CN114866325B (en) * 2022-05-10 2023-09-12 国网湖南省电力有限公司 Prediction method for network attack of power system
CN115208647A (en) * 2022-07-05 2022-10-18 南京领行科技股份有限公司 Attack behavior handling method and device
CN115314322A (en) * 2022-10-09 2022-11-08 安徽华云安科技有限公司 Vulnerability detection confirmation method, device, equipment and storage medium based on flow
CN117155665B (en) * 2023-09-04 2024-03-12 中国信息通信研究院 Attack tracing method, system, electronic device and storage medium

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103368976A (en) * 2013-07-31 2013-10-23 电子科技大学 Network security evaluation device based on attack graph adjacent matrix
CN106941502A (en) * 2017-05-02 2017-07-11 北京理工大学 A kind of security measure method and apparatus of internal network
CN107196910A (en) * 2017-04-18 2017-09-22 国网山东省电力公司电力科学研究院 Threat early warning monitoring system, method and the deployment framework analyzed based on big data
CN107204876A (en) * 2017-05-22 2017-09-26 成都网络空间安全技术有限公司 A kind of network security risk evaluation method
CN108429766A (en) * 2018-05-29 2018-08-21 广西电网有限责任公司 Network safety situation analyzing and alarming system based on big data and WSN technology
CN108494810A (en) * 2018-06-11 2018-09-04 中国人民解放军战略支援部队信息工程大学 Network security situation prediction method, apparatus and system towards attack
CN109191326A (en) * 2018-08-23 2019-01-11 东北大学 The interdependent deposit system network attack methods of risk assessment of power distribution network CPS based on attacker visual angle
CN109639670A (en) * 2018-12-10 2019-04-16 北京威努特技术有限公司 A kind of industry control network security postures quantitative estimation method of knowledge based map
CN110011976A (en) * 2019-03-07 2019-07-12 中国科学院大学 A kind of network attack damage capability quantitative estimation method and system
CN110545280A (en) * 2019-09-09 2019-12-06 北京华赛在线科技有限公司 quantitative evaluation method based on threat detection accuracy
CN110620759A (en) * 2019-07-15 2019-12-27 公安部第一研究所 Network security event hazard index evaluation method and system based on multidimensional correlation
CN110839019A (en) * 2019-10-24 2020-02-25 国网福建省电力有限公司 Network security threat tracing method for power monitoring system
CN111859380A (en) * 2019-04-25 2020-10-30 北京九州正安科技有限公司 Zero false alarm detection method for Android App vulnerability
CN112165485A (en) * 2020-09-25 2021-01-01 山东炎黄工业设计有限公司 Intelligent prediction method for large-scale network security situation

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
IL256934B (en) * 2015-07-27 2022-07-01 Genghiscomm Holdings Llc Airborne relays in cooperative-mimo systems
US10296748B2 (en) * 2016-02-25 2019-05-21 Sas Institute Inc. Simulated attack generator for testing a cybersecurity system
CN108256335B (en) * 2018-02-08 2019-06-18 北京百度网讯科技有限公司 Method and apparatus for detecting loophole
CN108810025A (en) * 2018-07-19 2018-11-13 平安科技(深圳)有限公司 A kind of security assessment method of darknet, server and computer-readable medium
CN110012120A (en) * 2019-03-14 2019-07-12 罗向阳 A kind of IP City-level location algorithm based on PoP network topology
CN111106965B (en) * 2019-12-25 2023-04-07 浪潮商用机器有限公司 Intelligent log analysis method, tool, equipment and medium for complex system
CN111245807B (en) * 2020-01-07 2022-05-17 北京工业大学 Network situation quantitative evaluation method based on attack chain factor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"网络攻击对电力系统可靠性的影响及后果评价";李晓静;《中国优秀硕士学位论文全文数据库 工程科技Ⅱ辑》(第01期);第C042-2541页 *

Also Published As

Publication number Publication date
CN112819336A (en) 2021-05-18

Similar Documents

Publication Publication Date Title
CN112819336B (en) Quantification method and system based on network threat of power monitoring system
CN112769796B (en) Cloud network side collaborative defense method and system based on end side edge computing
Ektefa et al. Intrusion detection using data mining techniques
Li Using genetic algorithm for network intrusion detection
CN107220549B (en) Vulnerability risk basic evaluation method based on CVSS
CN103782303A (en) System and method for non-signature based detection of malicious processes
KR102120214B1 (en) Cyber targeted attack detect system and method using ensemble learning
CN109376537B (en) Asset scoring method and system based on multi-factor fusion
CN110545280B (en) Quantitative evaluation method based on threat detection accuracy
JP2016152594A (en) Network attack monitoring device, network attack monitoring method, and program
KR101692982B1 (en) Automatic access control system of detecting threat using log analysis and automatic feature learning
CN105681274B (en) A kind of method and device of original alarm information processing
WO2019035120A1 (en) Cyber threat detection system and method
CN111049827A (en) Network system safety protection method, device and related equipment
Kumar et al. Feature selection approach for intrusion detection system
CN110598180A (en) Event detection method, device and system based on statistical analysis
CN110598959A (en) Asset risk assessment method and device, electronic equipment and storage medium
Goel et al. Anomaly based intrusion detection model using supervised machine learning techniques
CN112153062B (en) Multi-dimension-based suspicious terminal equipment detection method and system
CN111885011B (en) Method and system for analyzing and mining safety of service data network
CN116074127B (en) Self-adaptive network security situation assessment system based on big data
CN115664868B (en) Security level determination method, device, electronic equipment and storage medium
Liu et al. Defending multiple-user-multiple-target attacks in online reputation systems
CN116451234A (en) Dynamic trust evaluation algorithm for operating system terminal
Huang et al. Application of type-2 fuzzy logic to rule-based intrusion alert correlation detection

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant