CN112822213A - Attack evidence obtaining and tracing method for power monitoring system - Google Patents
- Publication number: CN112822213A (application CN202110176274.6A)
- Authority: CN (China)
- Prior art keywords: network, characteristic parameters, monitoring system, data, power monitoring
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
Abstract
The invention provides an attack evidence obtaining and tracing method for a power monitoring system, which comprises the following steps: collecting network flow data in the power monitoring system; performing characteristic analysis on the network flow data to obtain characteristic parameters of the network flow data; and if the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, judging that the network attack exists, and tracing the network data stream. The embodiment of the application can analyze the characteristics of the network flow data to obtain the characteristic parameters, and when the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, the network attack is judged to exist, and the source tracing can be carried out, so that the safety of the power monitoring system can be simply and effectively ensured.
Description
Technical Field
The invention relates to the technical field of electric power safety, in particular to an attack evidence obtaining and tracing method for an electric power monitoring system.
Background
The power monitoring system is used for monitoring and controlling the power production and supply process, plays an important role in monitoring and controlling the services of power generation, power transmission, power transformation, power distribution, scheduling and the like based on computer and network technology, can reduce the operation cost of the services, and improves the production efficiency.
However, attacks on power monitoring systems have been increasing in recent years, while the security of these systems remains low because existing power monitoring systems lack security protection, have personnel who do not match their posts, and suffer from other such problems.
Disclosure of Invention
In view of the above, the present invention provides an attack evidence obtaining and tracing method for a power monitoring system, which aims to solve the problem of security of the existing power monitoring system.
The invention is realized by adopting the following scheme: an attack forensics and traceability method for a power monitoring system comprises the following steps:
collecting network flow data in the power monitoring system;
performing characteristic analysis on the network flow data to obtain characteristic parameters of the network flow data;
and if the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, judging that the network attack exists, and tracing the network data stream.
Further, the performing the feature analysis on the network flow data to obtain the feature parameters of the network flow data specifically includes:
performing characteristic analysis on each piece of the network flow data to obtain an analysis result;
and according to the analysis result, obtaining one or more characteristic parameters of the start time and the end time of the stream data, the source IP address, the destination IP address, the source port, the destination port, the protocol type, the flow information and the data content.
Further, after the characteristic parameter is matched with the pre-stored abnormal characteristic parameter, the method further comprises the following steps:
and determining a target alarm mode matched with the abnormal characteristic parameters, and generating corresponding prompt information according to the target alarm mode.
Further, the step of determining a target alarm mode matched with the abnormal characteristic parameters and generating corresponding prompt information according to the target alarm mode comprises:
Determining a target alarm type and an alarm grade matched with the abnormal characteristic parameters;
and generating corresponding prompt information according to the alarm type and the alarm grade.
Further, the method further comprises:
analyzing the data content in each piece of stream data, and determining corresponding operation behaviors;
if the operation behavior is abnormal, determining a destination IP address according to the characteristic parameters;
and blocking the operation behavior acting on the terminal where the destination IP address is located in a preset mode.
Further, the blocking the operation behavior acting on the terminal where the destination IP address is located in a preset manner specifically includes: sending a network disconnection instruction to a terminal where the destination IP address is located so as to block the operation behavior; and the network disconnection instruction is used for indicating the terminal where the destination IP address is located to close the physical networking port.
Further, the tracing the network data stream includes:
and determining an attack source of the network data stream based on a link test technology, a log recording technology or an ICMP message technology.
The invention also provides an attack evidence obtaining and tracing system for the power monitoring system, which specifically comprises:
the acquisition module is used for acquiring network flow data in the power monitoring system;
the characteristic analysis module is used for carrying out characteristic analysis on the network flow data to obtain characteristic parameters of the network flow data;
and the judging module is used for judging that network attack exists and tracing the network data stream if the characteristic parameters are matched with the abnormal characteristic parameters in the preset database.
The invention also provides a terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the method as described above when executing the computer program.
The invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method as described above.
Compared with the prior art, the invention has the following beneficial effects: the invention collects the network flow data in the power monitoring system; performing characteristic analysis on the network flow data to obtain characteristic parameters of the network flow data; and if the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, judging that the network attack exists, and tracing the network data stream. The characteristic analysis can be carried out on the network flow data to obtain the characteristic parameters, and when the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, the existence of the network attack is judged, and the source tracing is carried out, so that the safety of the power monitoring system can be simply and effectively ensured.
Drawings
Fig. 1 is a schematic flow chart of a method according to an embodiment of the present invention.
Fig. 2 is a flowchart illustrating a safety management method of a power monitoring system according to another embodiment of the present invention.
Fig. 3 is a schematic structural diagram of a safety management device of a power monitoring system according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a safety management device of a power monitoring system according to another embodiment of the present invention.
Fig. 5 is a schematic structural diagram of a terminal device according to an embodiment of the present invention.
Detailed Description
The invention is further explained below with reference to the drawings and the embodiments.
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
Referring to fig. 1, a safety management method of an electric power monitoring system according to an embodiment of the present application includes:
Step S101, collecting network flow data in the power monitoring system.
Specifically, network data in the power monitoring system can be collected at a network inlet and a network outlet of the power monitoring system through a network data collector, and the network data is stored.
Step S102, carrying out characteristic analysis on the network flow data to obtain characteristic parameters of the network flow data.
Specifically, in the process of collecting network flow data, each piece of flow data can be collected by a flow data collection technology, and the characteristic parameter of each piece of flow data can be obtained by performing characteristic analysis on each piece of collected flow data.
In one embodiment, the performing the feature analysis on the network flow data to obtain the feature parameter of the network flow data includes: performing characteristic analysis on each piece of the network flow data to obtain an analysis result; and according to the analysis result, obtaining one or more characteristic parameters of the start time and the end time of the stream data, the source IP address, the destination IP address, the source port, the destination port, the protocol type, the flow information and the data content.
Specifically, each piece of stream data may be restored according to the stream protocol, so as to obtain one or more characteristic parameters of the start time and the end time of each piece of stream data, the source IP address, the destination IP address, the source port, the destination port, the protocol type, the traffic information, and the data content.
Step S103, if the characteristic parameters are matched with abnormal characteristic parameters in a preset database, judging that a network attack exists, and tracing the network data stream.
Specifically, storing abnormal characteristic parameters in a preset database, judging that network attack exists when the characteristic parameters are matched with the abnormal characteristic parameters, and tracing the network data stream.
In one application scenario, the preset database stores both the abnormal characteristic parameters of known abnormal attack flows and the characteristics of normal operation behavior. When the characteristic parameters of a flow (start time and end time, source IP address, destination IP address, source port, destination port, protocol type, flow information and the like) match the pre-stored abnormal characteristic parameters of an attack flow, the existence of a network attack is determined and the network data flow is traced. Alternatively, the operation behavior of the flow is analyzed from the data content in the flow data; when the operation behavior the flow would execute does not match the normal operation behavior in the preset database, the existence of a network attack is determined and the network data flow is traced to find its attack source.
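Steps S101 to S103 as executable logic, added here as an illustration and not taken from the patent or any implementation of it: each constructed flow record is restored into the characteristic parameters the description lists, then compared with a preset database of abnormal characteristic parameters in which unset fields act as wildcards. The CSV record layout, the signature names, the sample IP ranges and the `CFG-WRITE` content marker are all constructed for the example; the `add` method shows the database update described later in the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class FlowFeatures:
    """Characteristic parameters of one flow, as listed in the description."""
    start: int          # start time (epoch seconds)
    end: int            # end time (epoch seconds)
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # protocol type, e.g. "tcp"
    byte_count: int     # flow information: bytes
    packet_count: int   # flow information: packets
    content: bytes      # data content (restored payload)


def parse_flow_record(line: str) -> FlowFeatures:
    """Step S102: parse one constructed CSV flow record of the form
    start,end,src_ip,dst_ip,src_port,dst_port,proto,bytes,packets,hex_content"""
    f = line.strip().split(",")
    if len(f) != 10:
        raise ValueError(f"malformed flow record: {line!r}")
    return FlowFeatures(int(f[0]), int(f[1]), f[2], f[3], int(f[4]), int(f[5]),
                        f[6].lower(), int(f[7]), int(f[8]), bytes.fromhex(f[9]))


@dataclass(frozen=True)
class AbnormalSignature:
    """One abnormal characteristic parameter set; None fields are wildcards."""
    name: str
    src_net: Optional[str] = None            # CIDR the source IP must fall in
    dst_net: Optional[str] = None            # CIDR the destination IP must fall in
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    min_duration: Optional[int] = None       # seconds between start and end
    min_bytes: Optional[int] = None
    content_marker: Optional[bytes] = None   # substring of the data content

    def matches(self, flow: FlowFeatures) -> bool:
        checks = [
            self.src_net is None or ip_address(flow.src_ip) in ip_network(self.src_net),
            self.dst_net is None or ip_address(flow.dst_ip) in ip_network(self.dst_net),
            self.dst_port is None or flow.dst_port == self.dst_port,
            self.proto is None or flow.proto == self.proto,
            self.min_duration is None or (flow.end - flow.start) >= self.min_duration,
            self.min_bytes is None or flow.byte_count >= self.min_bytes,
            self.content_marker is None or self.content_marker in flow.content,
        ]
        return all(checks)


class PresetDatabase:
    """The preset database of abnormal characteristic parameters."""

    def __init__(self, signatures: List[AbnormalSignature]):
        self.signatures = list(signatures)

    def add(self, signature: AbnormalSignature) -> None:
        """Store a newly received abnormal parameter set (database update)."""
        self.signatures.append(signature)

    def match(self, flow: FlowFeatures) -> List[str]:
        """Step S103: names of every abnormal parameter set the flow matches."""
        return [s.name for s in self.signatures if s.matches(flow)]


# Constructed sample records: a normal poll, a flow from an untrusted segment
# carrying a configuration-write marker, and a long-lived bulk transfer.
SAMPLE_FLOWS = [
    "1612345600,1612345602,10.0.1.5,10.0.2.20,50123,502,tcp,320,6,52454144",
    "1612345700,1612345701,192.168.100.7,10.0.2.21,41000,502,tcp,180,3,4346472d5752495445",
    "1612340000,1612344000,10.0.1.9,10.0.3.4,52000,8080,tcp,5000000,4100,52454144",
]
SAMPLE_DB = PresetDatabase([
    AbnormalSignature("untrusted-segment-to-control-net",
                      src_net="192.168.100.0/24", dst_net="10.0.2.0/24"),
    AbnormalSignature("long-lived-bulk-transfer", min_duration=3600, min_bytes=1_000_000),
    AbnormalSignature("config-write-marker", dst_port=502, content_marker=b"CFG-WRITE"),
])


def analyse_flows(records: List[str], db: PresetDatabase) -> List[List[str]]:
    """Steps S102 and S103 over a batch of records; an empty list means no match."""
    return [db.match(parse_flow_record(r)) for r in records]


if __name__ == "__main__":
    for record, hits in zip(SAMPLE_FLOWS, analyse_flows(SAMPLE_FLOWS, SAMPLE_DB)):
        print(record.split(",")[2:4], "->", hits or "no match")
```

Matching is deliberately exhaustive rather than first-hit, so that one flow can report several matched parameter sets; the alarm step described later can then pick the most severe one.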
In one embodiment, the tracing the network data stream includes: and determining an attack source of the network data stream based on a link test technology, a log recording technology or an ICMP message technology.
Specifically, tracing the network data stream may determine the attack source according to a tracing algorithm.

When tracing is performed according to the link test technology, a tracing program is added in advance; the last-hop path of the data stream is searched according to the tracing program, and the path is backtracked hop by hop until the attack source is found.

Alternatively, based on the log recording technology, all data packets passing through a router are stored. When a network attack is determined, the previous-hop router is checked for whether the network attack data packet is in its stored information: if so, the packet passed through that router and the router is on the path of the network attack; otherwise, the router is not on the attack path. The query continues hop by hop until the network attack path is constructed and traced back to the network attack source. To save space when storing all packets passing through a router, the packets may be compressed with a compression algorithm before storage.

Alternatively, based on the ICMP message technology, when a network attack is determined, routers generate ICMP traceback (iTrace) messages for data packets with a certain probability. One iTrace message consists of next-hop information, previous-hop information, a timestamp and other information. After the destination host has received a sufficient number of iTrace messages generated for the attacker's packets, the forwarding path of those packets can be constructed, and the attack source determined.
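The log recording and ICMP traceback techniques above, worked through on a constructed six-router topology. This is an added example and not code from the patent: the topology, the packet samples, the 8-byte truncated digest (standing in for the compressed per-router packet store) and the `min_msgs` threshold that models "a sufficient number of iTrace messages" are all assumptions made for the illustration.

```python
import hashlib
import random
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed topology: router -> its upstream neighbours (toward traffic sources).
# The victim host sits behind R4; the attack traffic enters at R1.
UPSTREAM: Dict[str, List[str]] = {
    "R4": ["R3", "R5"], "R3": ["R2", "R6"], "R2": ["R1"],
    "R1": [], "R5": [], "R6": [],
}
ATTACK_PATH = ["R1", "R2", "R3", "R4"]
VICTIM_ROUTER = "R4"

Packet = Tuple[str, str, str, int, bytes]  # src_ip, dst_ip, proto, ip_id, payload

# Constructed packets; 198.51.100.9 stands in for the attack source.
ATTACK_PACKETS: List[Packet] = [
    ("198.51.100.9", "10.0.2.20", "tcp", 4000 + i, b"CFG-WRITE %d" % i) for i in range(50)
]
BACKGROUND_PACKETS: List[Packet] = [
    ("10.0.5.3", "10.0.2.20", "tcp", 100 + i, b"READ %d" % i) for i in range(50)
]


def packet_digest(pkt: Packet) -> bytes:
    """Digest over header fields that stay constant hop to hop plus the first
    payload bytes; truncating to 8 bytes keeps the per-router log compact."""
    src, dst, proto, ip_id, payload = pkt
    h = hashlib.sha256(f"{src}|{dst}|{proto}|{ip_id}|".encode() + payload[:8])
    return h.digest()[:8]


def record_on_path(logs: Dict[str, Set[bytes]], packets: List[Packet], path: List[str]) -> None:
    """Log recording: every router on `path` stores the digest of each packet it forwards."""
    for pkt in packets:
        d = packet_digest(pkt)
        for router in path:
            logs.setdefault(router, set()).add(d)


def trace_by_log(logs: Dict[str, Set[bytes]], victim_router: str, digest: bytes) -> List[str]:
    """Hop-by-hop query: at each router, ask which upstream neighbour logged the
    attack packet and move there, until no neighbour has it."""
    path = [victim_router]
    while True:
        hits = [n for n in UPSTREAM[path[-1]] if digest in logs.get(n, set())]
        if not hits:
            return path[::-1]          # source side first
        path.append(hits[0])


def demo_log_trace() -> List[str]:
    logs: Dict[str, Set[bytes]] = {}
    record_on_path(logs, ATTACK_PACKETS, ATTACK_PATH)
    record_on_path(logs, BACKGROUND_PACKETS, ["R5", "R4"])   # unrelated traffic via R5
    return trace_by_log(logs, VICTIM_ROUTER, packet_digest(ATTACK_PACKETS[7]))


ITraceMsg = Tuple[str, Optional[str], Optional[str], int]  # router, prev hop, next hop, timestamp


def generate_itrace(path: List[str], n_packets: int, prob: float, rng: random.Random) -> List[ITraceMsg]:
    """Each router on the path emits, per forwarded packet with probability `prob`,
    a message naming itself, its previous hop and its next hop."""
    msgs: List[ITraceMsg] = []
    for ts in range(n_packets):
        for i, router in enumerate(path):
            if rng.random() < prob:
                prev_hop = path[i - 1] if i > 0 else None
                next_hop = path[i + 1] if i + 1 < len(path) else None
                msgs.append((router, prev_hop, next_hop, ts))
    return msgs


def reconstruct_itrace_path(msgs: List[ITraceMsg], dest_router: str, min_msgs: int = 2) -> List[str]:
    """Chain previous-hop claims backward from the destination's router, trusting
    only routers heard from at least `min_msgs` times."""
    counts = Counter(m[0] for m in msgs)
    prev = {r: p for r, p, _, _ in msgs if counts[r] >= min_msgs}
    path: List[str] = []
    cur: Optional[str] = dest_router
    while cur is not None and cur not in path:
        path.append(cur)
        cur = prev.get(cur)
    return path[::-1]


def demo_itrace() -> List[str]:
    msgs = generate_itrace(ATTACK_PATH, n_packets=2000, prob=0.05, rng=random.Random(7))
    return reconstruct_itrace_path(msgs, VICTIM_ROUTER)


if __name__ == "__main__":
    print("log recording:", " -> ".join(demo_log_trace()))
    print("iTrace:       ", " -> ".join(demo_itrace()))
```

The two techniques differ in where the evidence lives: log recording needs every router to retain (compressed) packet state and to answer queries after the fact, whereas iTrace pushes sampled path information to the destination while the traffic is flowing, so a short attack may not produce enough messages for a complete path.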
In one embodiment, when a new abnormal feature parameter is received, the new abnormal feature parameter is stored in the database to update the abnormal feature parameter in the database.
In one embodiment, after the characteristic parameter is matched with the pre-stored abnormal characteristic parameter, the method further comprises the following steps: and determining a target alarm mode matched with the abnormal characteristic parameters, and generating corresponding prompt information according to the target alarm mode.
Specifically, after the characteristic parameters are matched with the pre-stored abnormal characteristic parameters, if the abnormal characteristic parameters are matched with the alarm mode in advance, the matched alarm mode is used as a target alarm mode, and corresponding prompt information is generated according to the target alarm mode. And if the abnormal characteristic parameters do not match with the alarm mode in advance, taking the preset alarm mode as a target alarm mode, and generating corresponding prompt information according to the target alarm mode. The alarm mode includes but is not limited to voice, system display prompt, mail prompt and the like.
In one embodiment, the determining a target alarm mode matched with the abnormal characteristic parameter and generating corresponding prompt information according to the target alarm mode includes: determining a target alarm type and an alarm grade matched with the abnormal characteristic parameters; and generating corresponding prompt information according to the alarm type and the alarm grade.
Specifically, the alarm mode and the alarm level of the abnormal characteristic parameter may be preset, and when it is determined which abnormal characteristic parameter the stream data belongs to, the target alarm type and the alarm level matched with the abnormal characteristic parameter are determined, and the alarm is performed in the target alarm mode and at the corresponding alarm level.
In an embodiment, referring to fig. 2, the security management method further includes steps S201 to S203:
step S201, analyzing the data content in each piece of stream data, and determining a corresponding operation behavior.
Specifically, in a network attack, many malicious behaviors are hidden in specific data contents, and the data contents in the streaming data can be analyzed to analyze the operation behaviors corresponding to the data contents.
Step S202, if the operation behavior is abnormal, determining a destination IP address according to the characteristic parameters.
Specifically, if the analyzed operation behavior is the same as a preset abnormal operation behavior, the destination IP address is obtained from the characteristic parameters.
Step S203, blocking the operation behavior acting on the terminal where the destination IP address is located in a preset manner.
Specifically, the operation behavior is blocked in a preset manner, that is, the operation behavior on the terminal where the destination IP address is located is controlled, so that the safety of the power monitoring system is protected.
In one embodiment, the blocking the operation behavior acting on the terminal where the destination IP address is located in a preset manner includes: sending a network disconnection instruction to a terminal where the destination IP address is located so as to block the operation behavior; and the network disconnection instruction is used for indicating the terminal where the destination IP address is located to close the physical networking port.
Specifically, a network disconnection instruction for closing a physical networking port of the terminal where the destination IP address is located may be sent to the terminal, and a prompt may be given to a relevant user.
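Steps S201 to S203 together with the alarm type, grade and mode selection described earlier (including the fallback to a preset alarm mode when none was matched in advance), as an added example that is not the patent's code. The content grammar (a leading verb such as `READ` or `WRITE-SETPOINT`), the behavior lists, the alarm table and the shape of the disconnection instruction are constructed for this illustration; a real deployment would take them from the preset database.

```python
from typing import Dict, List, Optional, Tuple

# Constructed grammar for the restored data content: "<VERB> <object> ...".
NORMAL_BEHAVIOURS = {"READ", "POLL", "ACK"}
# Preset abnormal operation behaviours -> (alarm type, alarm grade with 1 = highest,
# pre-matched alarm mode or None when no mode was matched in advance).
ABNORMAL_BEHAVIOURS: Dict[str, Tuple[str, int, Optional[str]]] = {
    "WRITE-SETPOINT": ("unauthorised-control", 2, "mail"),
    "FIRMWARE-UPDATE": ("unauthorised-control", 1, "voice"),
    "DISABLE-ALARM": ("tamper", 1, None),
}
DEFAULT_ALARM_MODE = "system-display"


def operation_behaviour(content: bytes) -> str:
    """Step S201: derive the operation behaviour (the leading verb) from data content."""
    text = content.decode("ascii", errors="replace").strip()
    return text.split(" ", 1)[0].upper() if text else ""


def alarm_for(behaviour: str) -> Dict[str, object]:
    """Target alarm type, grade and mode for a matched abnormal behaviour; the
    mode falls back to the preset default when none was matched in advance."""
    alarm_type, grade, mode = ABNORMAL_BEHAVIOURS[behaviour]
    mode = mode or DEFAULT_ALARM_MODE
    return {"type": alarm_type, "grade": grade, "mode": mode,
            "prompt": f"[{mode}] grade {grade} {alarm_type}: {behaviour}"}


def disconnect_instruction(dst_ip: str, behaviour: str) -> Dict[str, str]:
    """Step S203: instruction telling the terminal at dst_ip to close its physical networking port."""
    return {"action": "close-physical-port", "target_ip": dst_ip, "reason": behaviour}


def assess_flow(flow: Dict[str, object]) -> Dict[str, object]:
    """Steps S201 to S203 for one flow (a dict of its characteristic parameters)."""
    behaviour = operation_behaviour(flow["content"])
    result: Dict[str, object] = {"dst_ip": flow["dst_ip"], "behaviour": behaviour,
                                 "verdict": "normal", "instruction": None, "alarm": None}
    if behaviour in ABNORMAL_BEHAVIOURS:
        # Step S202: the destination IP is taken from the flow's own parameters.
        result["verdict"] = "abnormal"
        result["instruction"] = disconnect_instruction(flow["dst_ip"], behaviour)
        result["alarm"] = alarm_for(behaviour)
    elif behaviour not in NORMAL_BEHAVIOURS:
        # Neither list knows this verb: do not block, but flag it for analyst review.
        result["verdict"] = "unknown"
    return result


# Constructed sample flows (only the parameters this step needs).
SAMPLE_FLOWS: List[Dict[str, object]] = [
    {"src_ip": "10.0.1.5", "dst_ip": "10.0.2.20", "content": b"READ reg 40001"},
    {"src_ip": "192.168.100.7", "dst_ip": "10.0.2.21", "content": b"write-setpoint breaker 3 OPEN"},
    {"src_ip": "192.168.100.7", "dst_ip": "10.0.2.22", "content": b"DISABLE-ALARM zone 2"},
    {"src_ip": "10.0.1.8", "dst_ip": "10.0.2.23", "content": b"SYNC clock"},
]


def process_flows(flows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    return [assess_flow(f) for f in flows]


if __name__ == "__main__":
    for r in process_flows(SAMPLE_FLOWS):
        print(r["dst_ip"], r["verdict"], r["alarm"]["prompt"] if r["alarm"] else "")
```

Keeping "unknown" separate from "abnormal" matters operationally: closing a terminal's physical port is itself a loss of monitoring, so the disconnect instruction is issued only on a positive match with a preset abnormal behavior, while unrecognised content goes to the alarm channel for review.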
In another embodiment, the blocking the operation behavior acting on the terminal where the destination IP address is located in a preset manner includes: blocking the operation behavior by sending an Ethernet collision frame to the terminal where the destination IP address is located.
The embodiment of the application acquires network flow data in the power monitoring system; performing characteristic analysis on the network flow data to obtain characteristic parameters of the network flow data; and if the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, judging that the network attack exists, and tracing the network data stream. The characteristic analysis can be carried out on the network flow data to obtain the characteristic parameters, and when the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, the existence of the network attack is judged, and the source tracing can be carried out, so that the safety of the power monitoring system can be simply and effectively ensured.
Corresponding to the safety management method of the power monitoring system described in the above embodiment, fig. 3 shows a structural block diagram of a safety management device of the power monitoring system provided in the embodiment of the present application, and for convenience of description, only the relevant parts of the embodiment of the present application are shown. Referring to fig. 3, the apparatus includes:
the acquisition module 301 is configured to acquire network flow data in the power monitoring system;
a feature analysis module 302, configured to perform feature analysis on the network flow data to obtain feature parameters of the network flow data;
the determining module 303 is configured to determine that a network attack exists and trace the source of the network data stream if the characteristic parameter matches an abnormal characteristic parameter in a preset database.
In one embodiment, the feature analysis module comprises:
the analysis unit is used for carrying out feature analysis on each piece of the network flow data to obtain an analysis result;
and the obtaining unit is used for obtaining one or more characteristic parameters in the starting time and the ending time of the stream data, the source IP address, the destination IP address, the source port, the destination port, the protocol type, the flow information and the data content according to the analysis result.
In one embodiment, as shown in fig. 4, the security management device further comprises an alarm module;
the alarm module 304 is configured to determine a target alarm mode matched with the abnormal characteristic parameter after the characteristic parameter is matched with a pre-stored abnormal characteristic parameter, and generate corresponding prompt information according to the target alarm mode.
In one embodiment, the alarm module is specifically configured to: determining a target alarm type and an alarm grade matched with the abnormal characteristic parameters; and generating corresponding prompt information according to the alarm type and the alarm grade.
In one embodiment, the security management apparatus further comprises:
the content analysis module is used for analyzing the data content in each piece of stream data and determining the corresponding operation behavior;
the determining module is used for determining a destination IP address according to the characteristic parameters if the abnormal operation behaviors exist in the operation behaviors;
and the blocking module is used for blocking the operation behavior acting on the terminal where the destination IP address is located in a preset mode.
In one embodiment, the blocking module is specifically configured to: sending a network disconnection instruction to a terminal where the destination IP address is located so as to block the operation behavior; and the network disconnection instruction is used for indicating the terminal where the destination IP address is located to close the physical networking port.
In one embodiment, the tracing the network data stream includes: and determining an attack source of the network data stream based on a link test technology, a log recording technology or an ICMP message technology.
The embodiment of the application acquires network flow data in the power monitoring system; performing characteristic analysis on the network flow data to obtain characteristic parameters of the network flow data; and if the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, judging that the network attack exists, and tracing the network data stream. The characteristic analysis can be carried out on the network flow data to obtain the characteristic parameters, and when the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, the existence of the network attack is judged, and the source tracing can be carried out, so that the safety of the power monitoring system can be simply and effectively ensured.
As shown in fig. 5, an embodiment of the present invention further provides a terminal device 500 including: a processor 501, a memory 502 and a computer program 503, such as a safety management program of a power monitoring system, stored in the memory 502 and operable on the processor 501. The processor 501, when executing the computer program 503, implements the steps in each of the safety management method embodiments of the power monitoring system described above, and also implements the functions of the modules in the above-described apparatus embodiments.
Illustratively, the computer program 503 may be partitioned into one or more modules that are stored in the memory 502 and executed by the processor 501 to implement the present invention. The one or more modules may be a series of computer program instruction segments capable of performing specific functions, which are used to describe the execution process of the computer program 503 in the terminal device 500. For example, the computer program 503 may be divided into an acquisition module, a feature analysis module, and a determination module; the specific functions of each module have been described in the foregoing embodiments and are not repeated here.
The terminal device 500 may be a desktop Computer, a notebook Computer, a super Mobile Personal Computer (UMPC), an electric device, a netbook, a Personal Digital Assistant (PDA), a wearable device, an Augmented Reality (AR)/Virtual Reality (VR) device, a Mobile phone, a robot, or other computing devices. The computing device may include, but is not limited to, a processor 501, a memory 502. Those skilled in the art will appreciate that fig. 5 is merely an example of a terminal device 500 and is not intended to limit the terminal device 500 and may include more or fewer components than those shown, or some components may be combined, or different components, for example, the terminal device may also include input output devices, network access devices, buses, etc.
The Processor 501 may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, discrete Gate or transistor logic device, discrete hardware component, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 502 may be an internal storage unit of the terminal device 500, such as a hard disk or a memory of the terminal device 500. The memory 502 may also be an external storage device of the terminal device 500, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the terminal device 500. Further, the memory 502 may also include both an internal storage unit and an external storage device of the terminal device 500. The memory 502 is used for storing the computer programs and other programs and data required by the terminal device. The memory 502 may also be used to temporarily store data that has been output or is to be output.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing is directed to preferred embodiments of the present invention; other and further embodiments of the invention may be devised without departing from the basic scope thereof, and that scope is determined by the claims that follow. However, any simple modification, equivalent change or alteration of the above embodiments according to the technical essence of the present invention falls within the protection scope of the technical solution of the present invention.
Claims (10)
1. An attack forensics and traceability method for a power monitoring system is characterized by comprising the following steps:
collecting network flow data in the power monitoring system;
performing characteristic analysis on the network flow data to obtain characteristic parameters of the network flow data;
and if the characteristic parameters are matched with the abnormal characteristic parameters in the preset database, judging that the network attack exists, and tracing the network data stream.
2. The attack forensics and traceability method for the power monitoring system according to claim 1, wherein the performing the feature analysis on the network flow data to obtain the feature parameters of the network flow data specifically comprises:
performing characteristic analysis on each piece of the network flow data to obtain an analysis result;
and according to the analysis result, obtaining one or more of the following characteristic parameters: the start time and the end time of the stream data, the source IP address, the destination IP address, the source port, the destination port, the protocol type, the flow information and the data content.
3. The attack forensics and traceability method for the power monitoring system according to claim 1, further comprising, after the characteristic parameter is matched with the pre-stored abnormal characteristic parameter:
and determining a target alarm mode matched with the abnormal characteristic parameters, and generating corresponding prompt information according to the target alarm mode.
4. The method according to claim 3, wherein the step of determining a target alarm mode matched with the abnormal characteristic parameter and generating corresponding prompt information according to the target alarm mode comprises:
determining a target alarm type and an alarm grade matched with the abnormal characteristic parameters;
and generating corresponding prompt information according to the alarm type and the alarm grade.
5. The attack forensics and traceability method for the power monitoring system according to claim 2, further comprising:
analyzing the data content in each piece of stream data, and determining corresponding operation behaviors;
if the operation behavior is abnormal, determining a destination IP address according to the characteristic parameters;
and blocking the operation behavior acting on the terminal where the destination IP address is located in a preset mode.
6. The attack forensics and traceability method for the power monitoring system according to claim 5, wherein blocking the operation behavior acting on the terminal where the destination IP address is located in a preset manner specifically comprises: sending a network disconnection instruction to the terminal where the destination IP address is located so as to block the operation behavior; and the network disconnection instruction is used for instructing the terminal where the destination IP address is located to close its physical networking port.
7. The attack forensics and traceability method for the power monitoring system according to any one of claims 1 to 6, wherein the tracing the network data flow comprises:
and determining an attack source of the network data stream based on a link test technology, a log recording technology or an ICMP message technology.
8. An attack forensics and traceability system for a power monitoring system, comprising:
the acquisition module is used for acquiring network flow data in the power monitoring system;
the characteristic analysis module is used for carrying out characteristic analysis on the network flow data to obtain characteristic parameters of the network flow data;
and the judging module is used for judging that network attack exists and tracing the network data stream if the characteristic parameters are matched with the abnormal characteristic parameters in the preset database.
9. A terminal device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 7.
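As an added example, not code from the patent or from any implementation of it, the following Python carries claims 1 to 5 through on constructed flow records: it extracts the claim 2 characteristic parameters, matches them against a preset database of abnormal parameters, assigns the alarm type and grade of claim 4, and records the destination IP that the blocking instruction of claims 5 and 6 would be directed at. The flow records, the database entries, the alarm names and the IEC 104/Modbus payload summaries are all assumptions.

```python
# The characteristic parameters named in claim 2, in record order.
FEATURE_KEYS = ("start_time", "end_time", "src_ip", "dst_ip", "src_port",
                "dst_port", "protocol", "flow_bytes", "data_content")
# Constructed flow records (not captured data); 2404 = IEC 60870-5-104, 502 = Modbus/TCP.
FLOWS = [
    ("2021-02-07T10:00:00", "2021-02-07T10:00:01", "10.1.1.5", "10.1.2.20",
     50123, 2404, "TCP", 310, "C_IC_NA_1 general interrogation"),
    ("2021-02-07T10:00:05", "2021-02-07T10:00:05", "10.1.1.7", "10.1.2.20",
     50211, 2404, "TCP", 96, "C_SE_NA_1 setpoint command"),
    ("2021-02-07T10:01:00", "2021-02-07T10:01:30", "172.16.9.9", "10.1.2.21",
     40001, 502, "TCP", 8200, "MODBUS write_multiple_registers"),
]
# Preset database of abnormal characteristic parameters (hypothetical entries),
# each carrying the alarm type and grade of claims 3-4.
ABNORMAL_DB = [
    {"match": {"dst_port": 2404, "data_content": "C_SE_NA_1"},
     "alarm_type": "setpoint command", "grade": "high"},
    {"match": {"src_ip": "172.16.9.9"},
     "alarm_type": "unknown source host", "grade": "medium"},
    {"match": {"protocol": "TCP", "dst_port": 502, "data_content": "write"},
     "alarm_type": "Modbus write", "grade": "high"},
]

def extract_features(flow):
    """Characteristic analysis of one piece of flow data (claim 2)."""
    return dict(zip(FEATURE_KEYS, flow))

def matches(features, rule):
    """Every listed parameter must agree; data_content is a substring test."""
    for key, want in rule["match"].items():
        if key == "data_content":
            if want not in features[key]:
                return False
        elif features[key] != want:
            return False
    return True

def analyse(flows, db):
    """Claims 1-5: extract features, match the preset database, build the prompt
    text, and record the destination IP a blocking instruction would be sent to."""
    alarms = []
    for flow in flows:
        f = extract_features(flow)
        for rule in db:
            if matches(f, rule):
                prompt = (f"[{rule['grade'].upper()}] {rule['alarm_type']}: {f['src_ip']} "
                          f"-> {f['dst_ip']}:{f['dst_port']} at {f['start_time']}")
                alarms.append({"alarm_type": rule["alarm_type"], "grade": rule["grade"],
                               "src_ip": f["src_ip"], "dst_ip": f["dst_ip"], "prompt": prompt})
    return alarms
```

The first constructed flow (a routine general interrogation) raises no alarm, while the setpoint command and the Modbus write from an unlisted host each match the database and produce a graded prompt.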
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110176274.6A CN112822213A (en) | 2021-02-07 | 2021-02-07 | Attack evidence obtaining and tracing method for power monitoring system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112822213A true CN112822213A (en) | 2021-05-18 |
Family
ID=75864553
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110176274.6A Pending CN112822213A (en) | 2021-02-07 | 2021-02-07 | Attack evidence obtaining and tracing method for power monitoring system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112822213A (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2010152773A (en) * | 2008-12-26 | 2010-07-08 | Mitsubishi Electric Corp | Attack determination device, and attack determination method and program |
CN106656922A (en) * | 2015-10-30 | 2017-05-10 | 阿里巴巴集团控股有限公司 | Flow analysis based protective method and device against network attack |
CN110445770A (en) * | 2019-07-18 | 2019-11-12 | 平安科技(深圳)有限公司 | Attack Source positioning and means of defence, electronic equipment and computer storage medium |
- 2021-02-07 CN CN202110176274.6A patent/CN112822213A/en active Pending
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114095217A (en) * | 2021-11-06 | 2022-02-25 | 北京天融信网络安全技术有限公司 | Evidence obtaining and tracing method and system for failing host snapshot |
CN114866298A (en) * | 2022-04-21 | 2022-08-05 | 武汉大学 | Power engineering control system network attack tracing method combining packet marking and packet log |
CN114866298B (en) * | 2022-04-21 | 2023-03-24 | 武汉大学 | Power engineering control system network attack tracing method combining packet marking and packet log |
CN117040932A (en) * | 2023-10-09 | 2023-11-10 | 国网思极网安科技(北京)有限公司 | Rapid evidence obtaining method and system for tracing network attack |
CN117040932B (en) * | 2023-10-09 | 2024-04-02 | 国网思极网安科技(北京)有限公司 | Rapid evidence obtaining method and system for tracing network attack |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2021-05-18 | PB01 | Publication | Application publication date: 20210518 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |