CN112905548A - Safety audit system and method - Google Patents
- Publication number: CN112905548A (application CN202110320994.5A)
- Authority: CN (China)
- Prior art keywords: log, logs, violation, audit, query
- Legal status: Granted
Classifications
- G06F16/1734—Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
- G06F11/3006—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is distributed, e.g. networked systems, clusters, multiprocessor systems
- G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
- G06F16/1815—Journaling file systems
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Abstract
The application provides a security audit system and method. The system comprises: a log acquisition module, used for acquiring logs to be processed from a SCADA system, where the logs to be processed comprise logs of network devices supporting standard protocols, dumb terminal device logs, SCADA software logs and network traffic logs; a log processing module, used for performing data processing operations on the logs to be processed in a mixed queue and multithreading mode to obtain standardized logs, where the data processing operations comprise standardization processing and data completion processing; a log analysis module, used for carrying out anomaly analysis on the standardized logs according to a preset alarm strategy and violation analysis rules to obtain violation logs and compliance logs, where the violation logs comprise alarm logs and violation behaviors; and a log display module, used for displaying the violation logs and the compliance logs in a preset display form through the user operation interface of the SCADA system, where the preset display form comprises alarm query and report query.
Description
Technical Field
The application relates to the field of security audit, in particular to a security audit system and a security audit method.
Background
Logs in a SCADA (Supervisory Control and Data Acquisition) system comprise not only host, network and traffic logs, but also logs of the SCADA services themselves, such as the operation, login and control logs of the SCADA software, and the field equipment and dumb terminal logs of PLCs, RTUs and the like. Only if all related logs are collected can log analysis, event backtracking and security early warning be carried out, so that after an incident it can quickly be determined whether the cause was misoperation, malicious operation or a fault of the system itself.
In the prior art, on the one hand, in oil and gas pipeline SCADA projects the audit data of the hosts, the network, the traffic and the SCADA software expose inconsistent external interfaces and mutually incompatible data formats, so correlated analysis of the logs is hard to achieve; products currently on the market collect only some log types, and no security audit technology covering all logs is available. On the other hand, the SCADA system in a project already produces log files, and the SCADA system has strict real-time requirements during operation.
Disclosure of Invention
In view of this, an object of the present application is to provide a security audit system and method, which are used to solve the problem of how to implement SCADA system security audit in the prior art.
In a first aspect, an embodiment of the present application provides a security audit system, which is applied to a SCADA (supervisory control and data acquisition) system, and includes:
a log acquisition module, used for acquiring logs to be processed from the SCADA system; the logs to be processed comprise logs of network devices supporting standard protocols, dumb terminal device logs, SCADA software logs and network traffic logs;
a log processing module, used for performing data processing operations on the logs to be processed in a mixed queue and multithreading mode to obtain standardized logs; the data processing operations comprise standardization processing and data completion processing;
a log analysis module, used for carrying out anomaly analysis on the standardized logs according to a preset alarm strategy and violation analysis rules to obtain violation logs and compliance logs; the violation logs comprise alarm logs and violation behaviors;
a log display module, used for displaying the violation logs and the compliance logs in a preset display form through the user operation interface of the SCADA system; the preset display form comprises alarm query and report query.
In some embodiments, the log analysis module comprises:
a log screening unit, used for screening audit logs from the standardized logs according to preset audit log screening conditions and recording the audit logs in an audit log library;
a first analysis unit, used for screening alarm logs out of the audit logs in the audit log library according to a preset alarm strategy and the attribute information of the audit logs, and adding error level marks to the alarm logs; the error level marks comprise a general level, a serious level and a dangerous level;
and a second analysis unit, used for determining, for the audit logs in the audit log library other than the alarm logs, the violation behavior corresponding to an abnormal audit log and the log data source corresponding to that violation behavior, according to the violation analysis rules and the association relations between the audit logs.
In some embodiments, the log analysis module further comprises:
a violation rule management unit, used for updating the violation analysis rules; the rule types of the violation analysis rules comprise keyword analysis rules, association relation rules, periodic rules and time-limit rules; the authority types of the violation analysis rules comprise administrator rules and user-defined rules.
In some embodiments, the log analysis module further comprises:
and the query rule management unit is used for setting a plurality of query rules and query keywords corresponding to the query rules aiming at the violation logs and the compliance logs, and associating the audit logs meeting the query rules in the violation logs and the compliance logs with the query keywords corresponding to the query rules.
In some embodiments, the log display module comprises:
the violation inquiry unit is used for sorting the violation logs according to types and levels to obtain a violation log list and displaying the violation log list on a user operation interface of the SCADA system;
the report query unit is used for performing management operation of the log report according to the log report instruction; the log report instruction is generated by clicking a function key on a user operation interface of the SCADA system by a user; the management operation comprises new creation, automatic generation, preview, export, modification and deletion.
In a second aspect, an embodiment of the present application provides a security audit method, which is applied to a SCADA (supervisory control and data acquisition) system, and includes:
collecting logs to be processed from the SCADA system; the logs to be processed comprise logs of network devices supporting standard protocols, dumb terminal device logs, SCADA software logs and network traffic logs;
performing data processing operations on the logs to be processed in a mixed queue and multithreading mode to obtain standardized logs; the data processing operations comprise standardization processing and data completion processing;
carrying out anomaly analysis on the standardized logs according to a preset alarm strategy and violation analysis rules to obtain violation logs and compliance logs; the violation logs comprise alarm logs and violation behaviors;
displaying the violation logs and the compliance logs in a preset display form through the user operation interface of the SCADA system; the preset display form comprises alarm query and report query.
In some embodiments, carrying out anomaly analysis on the standardized logs according to a preset alarm strategy and violation analysis rules to obtain violation logs and compliance logs includes:
screening audit logs from the standardized logs according to preset audit log screening conditions, and recording the audit logs in an audit log library;
for the audit logs in the audit log library, screening out alarm logs according to a preset alarm strategy and the attribute information of the audit logs, and adding error level marks to the alarm logs; the error level marks comprise a general level, a serious level and a dangerous level;
and for the audit logs in the audit log library other than the alarm logs, determining the violation behavior corresponding to an abnormal audit log and the log data source corresponding to that violation behavior according to the violation analysis rules and the association relations between the audit logs.
In some embodiments, the method further comprises:
and setting a plurality of query rules and query keywords corresponding to the query rules aiming at the violation logs and the compliance logs, and associating the audit logs meeting the query rules in the violation logs and the compliance logs with the query keywords corresponding to the query rules.
In a third aspect, an embodiment of the present application provides a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the processor implements the steps of the method in any one of the second aspects.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, performs the steps of the method in any one of the above second aspects.
The security audit system and method provided by the embodiments of the application realize centralized collection of the host, network, traffic and service logs of the SCADA system and carry out normalized processing, analysis and display of them, thereby realizing real-time monitoring and early warning of the security condition of the SCADA system's software and hardware. The security audit system and method provided by the embodiments of the application improve the security of the software and hardware of the SCADA system, and thereby improve the reliability and stability of the SCADA system.
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained from the drawings without inventive effort.
FIG. 1 is a schematic structural diagram of a security audit system provided in an embodiment of the present application;
FIG. 2 is a schematic structural diagram of a log analysis module according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of a security audit method according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all the embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides a security audit system, which is applied to a SCADA (supervisory control and data acquisition) system, as shown in FIG. 1, and includes:
a log acquisition module 10, used for acquiring logs to be processed from the SCADA system; the logs to be processed comprise logs of network devices supporting standard protocols, dumb terminal device logs, SCADA software logs and network traffic logs;
a log processing module 11, configured to perform data processing operations on the logs to be processed in a mixed queue and multithreading mode to obtain standardized logs; the data processing operations comprise standardization processing and data completion processing;
a log analysis module 12, configured to carry out anomaly analysis on the standardized logs according to a preset alarm strategy and violation analysis rules to obtain violation logs and compliance logs; the violation logs comprise alarm logs and violation behaviors;
a log display module 13, used for displaying the violation logs and the compliance logs in a preset display form through the user operation interface of the SCADA system; the preset display form comprises alarm query and report query.
Specifically, the logs to be processed mainly consist of the software running logs of the SCADA system, the information logs of the PLC/RTU dumb terminals under the SCADA system, network traffic collection logs, and the logs of network devices supporting standard protocols (such as SNMP Trap, the syslog protocol, etc.).
The log acquisition module provides the user with a friendly operation interface on which the user can configure the acquisition mode, as well as the respective parameters of the syslog mode and the SNMP Trap mode, such as the listening port number and the number of packet processing threads.
The log acquisition module binds a socket to start the corresponding UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) listening service, parses each data packet received while listening, and, in combination with the actual operating conditions of the system, extracts the time at which the log information was collected, the source IP address of the log information, the source host name of the log information, the log collection mode and the original log content.
After acquisition, the log acquisition module stores the logs to be processed centrally; the log processing module automatically retrieves the centrally stored logs to be processed and performs standardization processing in a mode combining queues and multiple threads.
The log information collected by the log acquisition module usually comes from different devices or systems, and because manufacturers define their logs differently, the collected logs naturally differ in form; to facilitate the subsequent data storage and log analysis, the collected logs must therefore be uniformly standardized. Standardization and data completion of the logs to be processed are carried out according to a preset standard log information format. For example, the fields of the standard log information format include: generation time, end time, duration, acquisition time, acquisition source, log type, log level, source address, original device name, source port, original MAC address, destination device name, destination port, destination MAC address, protocol, session ID, device name, device IP, device type, application number, application name, module number, operator account, operator name, account attribution, operation type number, operation type, function number, action, operation result, operation content, operation condition, operation object, log content and log sensitivity level.
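The collection, queue-plus-worker-thread processing and standardization steps described above, written out as an added example that is not the patent's own code: raw syslog and SNMP Trap style records (constructed here, including the device names and addresses) are pulled off a queue by worker threads, mapped onto a subset of the standard field set listed above, and then completed so that every record has the same shape. The field subset, the syslog line format and the `user=` / `result=` conventions in the message body are assumptions made for the example.

```python
"""Added example (not the patent's or any vendor's code): pull raw collector
records off a queue with worker threads and normalize each one into a fixed
audit-log field set, filling gaps (data completion). All records, device
names, addresses and the field subset below are constructed for illustration."""
import queue
import re
import threading
from datetime import datetime, timezone

# Subset of the standard log format fields named in the description.
STANDARD_FIELDS = (
    "generation_time", "acquisition_time", "acquisition_source", "log_type",
    "log_level", "source_address", "source_device_name", "operator_account",
    "operation_type", "action", "operation_result", "log_content",
)
SEVERITY = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$"
)

# Constructed raw records as a collector would hand them over: (collection mode, source IP, raw text).
RAW_RECORDS = [
    ("syslog", "10.0.0.5", "<34>Mar 25 09:12:01 rtu-01 modbus: write coil 12 by operator1 result=ok"),
    ("syslog", "10.0.0.7", "<13>Mar 25 09:12:05 hmi-02 scada: login user=operator2 result=fail"),
    ("snmptrap", "10.0.0.9", "linkDown ifIndex=3"),
]


def parse_raw(mode, source_ip, text, acquired_at):
    """Standardization: map one raw record onto the field set; unknown fields stay None."""
    rec = dict.fromkeys(STANDARD_FIELDS)
    rec.update(acquisition_time=acquired_at, acquisition_source=mode,
               source_address=source_ip, log_content=text)
    m = SYSLOG_RE.match(text) if mode == "syslog" else None
    if m:
        pri = int(m.group("pri"))
        msg = m.group("msg")
        user = re.search(r"(?:user=|by )(\S+)", msg)
        result = re.search(r"result=(\S+)", msg)
        rec.update(generation_time=m.group("ts"), source_device_name=m.group("host"),
                   log_type=m.group("app"), log_level=SEVERITY[pri & 7],
                   action=msg.split(" ")[0],
                   operator_account=user.group(1) if user else None,
                   operation_result=result.group(1) if result else None)
    elif mode == "snmptrap":
        # Traps carry no timestamp or account; the trap name becomes the action.
        rec.update(log_type="snmptrap", log_level="notice", action=text.split(" ")[0])
    return rec


def complete_record(rec):
    """Data completion: derive missing fields where possible, else mark them 'unknown'."""
    if rec["generation_time"] is None:
        rec["generation_time"] = rec["acquisition_time"]
    if rec["source_device_name"] is None:
        rec["source_device_name"] = rec["source_address"]
    return {k: ("unknown" if v is None else v) for k, v in rec.items()}


def normalize_all(records, workers=2):
    """Queue plus worker threads, i.e. the description's mixed queue/multithread mode."""
    work, out, lock = queue.Queue(), [], threading.Lock()
    acquired_at = datetime.now(timezone.utc).isoformat(timespec="seconds")

    def worker():
        while True:
            item = work.get()
            if item is None:          # sentinel: no more records for this worker
                break
            mode, ip, text = item
            rec = complete_record(parse_raw(mode, ip, text, acquired_at))
            with lock:
                out.append(rec)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for r in records:
        work.put(r)
    for _ in threads:
        work.put(None)
    for t in threads:
        t.join()
    # Thread scheduling makes arrival order nondeterministic; sort for a stable view.
    return sorted(out, key=lambda r: r["source_address"])


if __name__ == "__main__":
    for rec in normalize_all(RAW_RECORDS):
        print(rec["source_device_name"], rec["log_type"], rec["log_level"],
              rec["action"], rec["operator_account"])
```

The worker pool drains one shared queue, which is the shape that lets a collector keep accepting packets while normalization of earlier ones is still running; the sentinel per thread is what shuts the pool down cleanly once the collector stops feeding it.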
The log analysis module is mainly used for screening the audit logs, managing the alarm strategy and the violation rules, analyzing the log data, and determining the violation logs among the audit logs.
The log display module displays the violation logs and the remaining logs (i.e., the compliance logs) produced by the log analysis module through the user operation interface of the SCADA system; the display modes may be alarm query and report query, and other related log query operations can also be performed from the interface.
In some embodiments, the log analysis module 12, as shown in fig. 2, includes:
a log screening unit 121, configured to screen audit logs from the standardized logs according to a preset audit log screening condition, and record the audit logs in an audit log library;
a first analysis unit 122, configured to screen alarm logs out of the audit logs in the audit log library according to a preset alarm policy and the attribute information of the audit logs, and add an error level mark to each alarm log; the error level marks comprise a general level, a serious level and a dangerous level;
and a second analysis unit 123, configured to determine, for the audit logs in the audit log library other than the alarm logs, the violation behavior corresponding to an abnormal audit log and the log data source corresponding to that violation behavior, according to the violation analysis rules and the association relations between the audit logs.
Specifically, because the standardized logs may include logs irrelevant to the audit, the log screening unit further screens the standardized logs according to the audit information they contain and the preset audit log screening conditions, and records the logs meeting the screening conditions in the audit log library as audit logs.
The first analysis unit mainly analyzes and identifies the logs generated from alarm information produced by the software and hardware of the SCADA system during operation, treats them as alarm logs, re-judges the error level according to the alarm information contained in each alarm log under the preset alarm strategy, and adds the corresponding error level mark to the alarm log.
The second analysis unit analyzes and identifies abnormal and violating behaviors in the audit logs that remain after the alarm logs are excluded. It comprises an analysis model built on the basic principles of log auditing: the model mines the time, place, person, object, action, processing operation and so on associated with each log, generalizes rules and characteristics from them, and analyzes and identifies violation behaviors according to the violation analysis rules.
In some embodiments, the log analysis module 12 further includes:
a violation rule management unit 124, configured to update the violation analysis rules; the rule types of the violation analysis rules comprise keyword analysis rules, association relation rules, periodic rules and time-limit rules; the authority types of the violation analysis rules comprise administrator rules and user-defined rules.
Specifically, for the violation analysis rules used by the second analysis unit of the log analysis module, both an administrator and a user may manage rules within their respective authority. The violation analysis rules include keyword analysis rules, which use certain keywords as the basis of violation analysis; association relation rules, which use an association with an already identified violation or alarm log as the basis of violation analysis; and rules that follow a certain period or carry a time limit.
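The first and second analysis units together with the rule management unit, as an added example that is not the patent's code: audit logs are screened out of the standardized logs, alarm logs are stamped with a general/serious/dangerous error level under an alarm policy, and the remaining logs are run through one rule of each of the four types named above (keyword, association with a recent alarm by the same account, a recurring daily window for a sensitive action, and an account expiry deadline), each hit recording the log data source it traces to. The log records, rule contents, accounts, addresses and the meaning chosen for the periodic and time-limit rules are all assumptions constructed for the example; the rule-update function shows the administrator/user authority split.

```python
"""Added example (not the patent's code): screen audit logs out of the
standardized logs, mark alarm logs with an error level per an alarm policy,
and run the four violation-rule types (keyword, association, periodic,
time-limit) over the remaining logs, with administrator/user rule authority.
All logs, rule contents, accounts and addresses are constructed."""
from datetime import datetime, time, timedelta

AUDIT_TYPES = {"scada_op", "alarm", "network"}          # audit log screening condition
ALARM_POLICY = {"emerg": "dangerous", "alert": "dangerous", "crit": "dangerous",
                "err": "serious", "warning": "serious"}  # any other level -> general


def at(h, m):
    return datetime(2021, 3, 25, h, m)


def rec(i, log_type, level, account, action, content, when, src="10.0.0.7"):
    return {"id": i, "log_type": log_type, "log_level": level, "operator_account": account,
            "action": action, "log_content": content, "generation_time": when,
            "source_address": src}


LOGS = [  # constructed standardized logs
    rec(1, "scada_op", "info", "op1", "login", "login ok", at(9, 0)),
    rec(2, "alarm", "crit", "op2", "alarm", "PLC comm loss", at(9, 5), src="10.0.0.5"),
    rec(3, "scada_op", "info", "op2", "write", "write setpoint 12", at(9, 6)),
    rec(4, "heartbeat", "debug", "", "tick", "alive", at(9, 7)),            # not an audit log
    rec(5, "scada_op", "info", "op1", "config_write", "config_write pump1", at(23, 30)),
    rec(6, "scada_op", "info", "contractor", "login", "login ok", at(10, 0)),
    rec(7, "scada_op", "info", "op3", "login", "login result=fail", at(10, 5)),
]

RULES = [  # violation analysis rules; 'authority' says who may change them
    {"name": "keyword", "type": "keyword", "authority": "user", "keywords": ["fail", "denied"]},
    {"name": "linked_to_alarm", "type": "association", "authority": "administrator",
     "window": timedelta(minutes=5)},
    {"name": "config_window", "type": "periodic", "authority": "administrator",
     "action": "config_write", "start": time(8, 0), "end": time(18, 0)},
    {"name": "account_expiry", "type": "time_limit", "authority": "administrator",
     "expires": {"contractor": at(9, 30)}},
]


def screen_audit_logs(logs):
    return [l for l in logs if l["log_type"] in AUDIT_TYPES]


def screen_alarms(audit_logs):
    """First analysis: split out alarm logs and stamp them with an error level."""
    alarms, rest = [], []
    for l in audit_logs:
        if l["log_type"] == "alarm":
            alarms.append(dict(l, error_level=ALARM_POLICY.get(l["log_level"], "general")))
        else:
            rest.append(l)
    return alarms, rest


def match_rule(rule, log, alarms):
    """Return (hit, data_source); data_source is the device the violation traces to."""
    kind = rule["type"]
    if kind == "keyword":
        return any(k in log["log_content"] for k in rule["keywords"]), log["source_address"]
    if kind == "association":   # same account acting shortly after an alarm
        for a in alarms:
            gap = log["generation_time"] - a["generation_time"]
            if a["operator_account"] == log["operator_account"] and timedelta(0) <= gap <= rule["window"]:
                return True, a["source_address"]
        return False, None
    if kind == "periodic":      # recurring daily window in which the action is allowed
        if log["action"] != rule["action"]:
            return False, None
        tod = log["generation_time"].time()
        return not (rule["start"] <= tod <= rule["end"]), log["source_address"]
    if kind == "time_limit":    # account valid only until a deadline
        exp = rule["expires"].get(log["operator_account"])
        return exp is not None and log["generation_time"] > exp, log["source_address"]
    raise ValueError("unknown rule type: " + kind)


def analyze_violations(rest, alarms, rules):
    """Second analysis: every (log, rule) hit becomes a violation with its data source."""
    return [{"log_id": l["id"], "rule": r["name"], "data_source": src}
            for l in rest for r in rules
            for hit, src in [match_rule(r, l, alarms)] if hit]


def update_rule(rules, new_rule, actor):
    """Rule management: a plain user may replace only user-defined rules."""
    for i, r in enumerate(rules):
        if r["name"] == new_rule["name"]:
            if actor != "administrator" and r["authority"] != "user":
                return False
            rules[i] = new_rule
            return True
    rules.append(new_rule)
    return True


def run_audit(logs=LOGS, rules=RULES):
    alarms, rest = screen_alarms(screen_audit_logs(logs))
    return alarms, analyze_violations(rest, alarms, rules)
```

Running `run_audit()` yields one alarm log (id 2, marked dangerous) and four violations: log 3 linked to that alarm with the alarm's device as data source, log 5 outside the configuration window, log 6 from an expired account, and log 7 by keyword. Keeping the data source on each violation is what lets the display module answer "which device did this come from" without re-reading the audit library.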
In some embodiments, the log analysis module 12 further includes:
and a query rule management unit 125, configured to set a plurality of query rules and the query keywords corresponding to them for the violation logs and the compliance logs, and to associate the audit logs among the violation logs and compliance logs that meet a query rule with the query keyword corresponding to that rule.
Specifically, various audit rules are newly created and configured and serve as query rules during audit early warning and audit reporting. The violation logs and compliance logs are matched against the query rules, and the matched logs are associated with the query keywords corresponding to those rules, so that on the user operation interface of the SCADA system a user can quickly find the required logs by query keyword, or generate a report from a query keyword.
In some embodiments, the log display module 13 includes:
the violation query unit 131 is configured to sort the violation logs according to types and levels to obtain a violation log list, and display the violation log list on a user operation interface of the SCADA system;
the report query unit 132 is configured to perform a management operation on the log report according to the log report instruction; the log report instruction is generated by clicking a function key on a user operation interface of the SCADA system by a user; the management operations include new creation, automatic generation, preview, export, modification and deletion.
Specifically, the violation query unit sorts the violation logs by type and level to obtain a violation log list, and calls the user operation interface of the SCADA system to display it; the list is convenient for the user to check, provides a level screening button, and refreshes automatically so that the latest violation log list is always presented to the user.
The report query unit performs the functions of creating, automatically generating, previewing, exporting, modifying and deleting log reports according to the log report instruction generated when the user clicks a function key on the user operation interface of the SCADA system.
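The query rule management unit and the violation query unit, as an added example that is not the patent's code: each query rule is a predicate on one field of a log and carries a query keyword; every violation or compliance log that satisfies the predicate is associated with that keyword, and the violation list is sorted by type and then by level, most severe first, with the level screening filter the display unit offers. The logs, the rule shapes (`equals`/`contains` on a named field) and the level ordering are constructed assumptions.

```python
"""Added example (not the patent's code): query rules that tag violation and
compliance logs with query keywords, and the violation list sorted by type and
level with a level-screening filter. All logs and rules are constructed."""
LEVEL_RANK = {"dangerous": 0, "serious": 1, "general": 2}   # most severe first

VIOLATION_LOGS = [
    {"id": 3, "type": "association", "level": "serious", "operator_account": "op2",
     "log_content": "write setpoint 12"},
    {"id": 5, "type": "periodic", "level": "general", "operator_account": "op1",
     "log_content": "config_write pump1"},
    {"id": 7, "type": "keyword", "level": "dangerous", "operator_account": "op3",
     "log_content": "login result=fail"},
    {"id": 2, "type": "alarm", "level": "dangerous", "operator_account": "op2",
     "log_content": "PLC comm loss"},
]
COMPLIANCE_LOGS = [
    {"id": 1, "type": "compliance", "level": "general", "operator_account": "op1",
     "log_content": "login ok"},
]

# A query rule is a predicate on one field; matching logs are associated with its keyword.
QUERY_RULES = [
    {"keyword": "login-events", "field": "log_content", "match": "contains", "value": "login"},
    {"keyword": "op2-activity", "field": "operator_account", "match": "equals", "value": "op2"},
    {"keyword": "plc", "field": "log_content", "match": "contains", "value": "PLC"},
]


def rule_matches(rule, log):
    value = log.get(rule["field"], "")
    if rule["match"] == "equals":
        return value == rule["value"]
    if rule["match"] == "contains":
        return rule["value"] in value
    raise ValueError("unknown match type: " + rule["match"])


def build_query_index(logs, rules):
    """Map each query keyword to the sorted ids of the logs its rule matches."""
    index = {r["keyword"]: [] for r in rules}
    for log in logs:
        for r in rules:
            if rule_matches(r, log):
                index[r["keyword"]].append(log["id"])
    return {k: sorted(v) for k, v in index.items()}


def violation_list(violations, min_level=None):
    """Sort by type, then by level (most severe first); optionally drop levels below min_level."""
    rows = violations
    if min_level is not None:
        rows = [v for v in rows if LEVEL_RANK[v["level"]] <= LEVEL_RANK[min_level]]
    return sorted(rows, key=lambda v: (v["type"], LEVEL_RANK[v["level"]]))


def query(index, keyword):
    """What the operator interface returns for a query keyword."""
    return index.get(keyword, [])


if __name__ == "__main__":
    idx = build_query_index(VIOLATION_LOGS + COMPLIANCE_LOGS, QUERY_RULES)
    print(idx)
    print([v["id"] for v in violation_list(VIOLATION_LOGS, "serious")])
```

Building the index once after analysis, rather than scanning the audit library on every keyword lookup, is what keeps the query path cheap on an operator console that refreshes the list automatically.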
The embodiment of the present application further provides a security audit method, which is applied to a SCADA (supervisory control and data acquisition) system, as shown in FIG. 3, and includes the following steps:
Step S301, collecting logs to be processed from the SCADA system; the logs to be processed comprise logs of network devices supporting standard protocols, dumb terminal device logs, SCADA software logs and network traffic logs;
Step S302, performing data processing operations on the logs to be processed in a mixed queue and multithreading mode to obtain standardized logs; the data processing operations comprise standardization processing and data completion processing;
Step S303, carrying out anomaly analysis on the standardized logs according to a preset alarm strategy and violation analysis rules to obtain violation logs and compliance logs; the violation logs comprise alarm logs and violation behaviors;
Step S304, displaying the violation logs and the compliance logs in a preset display form through the user operation interface of the SCADA system; the preset display form comprises alarm query and report query.
In some embodiments, step S303 comprises:
Step S3031, screening audit logs from the standardized logs according to preset audit log screening conditions, and recording the audit logs in an audit log library;
Step S3032, for the audit logs in the audit log library, screening out alarm logs according to a preset alarm strategy and the attribute information of the audit logs, and adding error level marks to the alarm logs; the error level marks comprise a general level, a serious level and a dangerous level;
Step S3033, for the audit logs in the audit log library other than the alarm logs, determining the violation behavior corresponding to an abnormal audit log and the log data source corresponding to that violation behavior according to the violation analysis rules and the association relations between the audit logs.
In some embodiments, the method further comprises:
Step S305, setting a plurality of query rules and the query keywords corresponding to them for the violation logs and the compliance logs, and associating the audit logs among the violation logs and compliance logs that meet a query rule with the query keyword corresponding to that rule.
Corresponding to the security auditing method in fig. 1, an embodiment of the present application further provides a computer device 400, as shown in fig. 4, the device includes a memory 401, a processor 402, and a computer program stored in the memory 401 and executable on the processor 402, where the processor 402 implements the security auditing method when executing the computer program.
Specifically, the memory 401 and the processor 402 can be general-purpose memory and processor, which are not limited specifically, and when the processor 402 runs a computer program stored in the memory 401, the security audit method can be executed, so that the problem of how to implement the security audit of the SCADA system in the prior art is solved.
Corresponding to the security auditing method in fig. 1, the present application also provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor performs the steps of the security auditing method described above.
Specifically, the storage medium can be a general storage medium, such as a mobile disk, a hard disk, and the like, when a computer program on the storage medium is run, the security audit method can be executed, and the problem of how to implement security audit of the SCADA system in the prior art is solved. The security audit system and the security audit method provided by the embodiment of the application improve the security of software and hardware of the SCADA system, thereby improving the reliability and stability of the SCADA system.
In the embodiments provided in the present application, it should be understood that the disclosed method and apparatus may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments provided in the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus once an item is defined in one figure, it need not be further defined and explained in subsequent figures, and moreover, the terms "first", "second", "third", etc. are used merely to distinguish one description from another and are not to be construed as indicating or implying relative importance.
Finally, it should be noted that the above-mentioned embodiments are only specific embodiments of the present application, used to illustrate the technical solutions of the present application and not to limit them, and the scope of the present application is not limited thereto. Although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that any person skilled in the art may, within the technical scope disclosed in the present application, modify or readily conceive changes to the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of their technical features; such modifications, changes or substitutions do not depart from the spirit and scope of the present disclosure and are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A security audit system, applied to a SCADA (data acquisition and supervisory control) system, comprising:
a log acquisition module, configured to acquire logs to be processed from the SCADA system; the logs to be processed comprise network equipment logs that support a standard protocol, dumb terminal equipment logs, SCADA software logs and network flow logs;
a log processing module, configured to perform data processing operations on the logs to be processed in a mixed queue and multithreading mode to obtain standardized logs; the data processing operations comprise standardization processing and data completion processing;
a log analysis module, configured to perform anomaly analysis on the standardized logs according to a preset alarm policy and violation analysis rules to obtain violation logs and compliance logs; the violation logs comprise alarm logs and violation behaviors;
a log display module, configured to display the violation logs and the compliance logs in a preset display form through a user operation interface of the SCADA system; the preset display form comprises alarm query and report query.
2. The system of claim 1, wherein the log analysis module comprises:
the log screening unit is used for screening the audit logs from the standardized logs according to preset audit log screening conditions and recording the audit logs into an audit log library;
the first analysis unit is used for screening alarm logs according to a preset alarm strategy and attribute information of the audit logs aiming at the audit logs in the audit log library and adding error level marks to the alarm logs; the error level marks comprise a general level, a severe level and a dangerous level;
and a second analysis unit, configured to determine, for the audit logs in the audit log library other than the alarm logs, the violation behavior corresponding to an abnormal audit log and the log data source corresponding to that violation behavior, according to the violation analysis rules and the association relation between the audit logs.
3. The system of claim 2, wherein the log analysis module further comprises:
a violation rule management unit, configured to update the violation analysis rules; the rule types of the violation analysis rules comprise keyword analysis rules, association relation rules, periodic rules and time-limit rules; the authority types of the violation analysis rules comprise administrator rules and user-defined rules.
4. The system of claim 2, wherein the log analysis module further comprises:
and the query rule management unit is used for setting a plurality of query rules and query keywords corresponding to the query rules aiming at the violation logs and the compliance logs, and associating the audit logs meeting the query rules in the violation logs and the compliance logs with the query keywords corresponding to the query rules.
5. The system of claim 1, wherein the log display module comprises:
the violation inquiry unit is used for sorting the violation logs according to types and levels to obtain a violation log list and displaying the violation log list on a user operation interface of the SCADA system;
a report query unit, configured to perform management operations on log reports according to a log report instruction; the log report instruction is generated when a user clicks a function key on the user operation interface of the SCADA system; the management operations comprise creation, automatic generation, preview, export, modification and deletion.
6. A security audit method, applied to a SCADA (data acquisition and supervisory control) system, comprising the following steps:
collecting logs to be processed from the SCADA system; the logs to be processed comprise network equipment logs that support a standard protocol, dumb terminal equipment logs, SCADA software logs and network flow logs;
performing data processing operations on the logs to be processed in a mixed queue and multithreading mode to obtain standardized logs; the data processing operations comprise standardization processing and data completion processing;
according to a preset alarm strategy and violation analysis rules, carrying out exception analysis on the standardized logs to obtain violation logs and compliance logs; the violation log comprises an alarm log and a violation behavior;
displaying the violation logs and the compliance logs in a preset display form through a user operation interface of the SCADA system; the preset display form comprises alarm query and report query.
7. The method of claim 6, wherein performing anomaly analysis on the standardized log according to a preset alarm policy and a violation analysis rule to obtain a violation log and a compliance log, comprises:
screening audit logs from the standardized logs according to preset audit log screening conditions, and recording the audit logs into an audit log library;
aiming at an audit log in an audit log library, screening out an alarm log according to a preset alarm strategy and attribute information of the audit log, and adding an error level mark to the alarm log; the error level marks comprise a general level, a severe level and a dangerous level;
and for the audit logs in the audit log library other than the alarm logs, determining the violation behaviors corresponding to abnormal audit logs and the log data sources corresponding to the violation behaviors, according to the violation analysis rules and the association relation between the audit logs.
8. The method of claim 7, wherein the method further comprises:
and setting a plurality of query rules and query keywords corresponding to the query rules aiming at the violation logs and the compliance logs, and associating the audit logs meeting the query rules in the violation logs and the compliance logs with the query keywords corresponding to the query rules.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the steps of the method according to any one of claims 6 to 8 are implemented when the computer program is executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of the preceding claims 6-8.
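The pipeline of claims 1 and 6, with the two analysis units of claim 2, as an added Python example that is not the patent's own code: records from the four claimed log sources are fed through a queue consumed by worker threads for standardization and field completion, then an alarm policy assigns error level marks, and a time-limit rule and a periodic rule derive violation behaviors from the remaining audit logs, associating logs across sources by user. All log lines, host and user names, the policy table and the thresholds are constructed.

```python
# Added example, not the patent's own code: a model of the claimed pipeline (collect, standardize
# and complete, alarm policy, violation rules). Hosts, users, lines, policy and thresholds are constructed.
import re
from collections import Counter
from datetime import datetime
from queue import Empty, Queue
from threading import Thread

RAW_LOGS = [  # (source, raw line) from the four claimed log sources; layouts are assumed
    ("network_device", "2024-05-01T02:10:05 sw01 user=eng01 action=config_write result=ok"),
    ("dumb_terminal", "02:10:20 hmi-03 login eng01"),
    ("scada_software", "2024-05-01T02:11:00 scada user=eng01 action=setpoint_write result=ok"),
    ("network_flow", "2024-05-01T02:11:02 src=10.0.0.9 dst=10.0.1.5 port=502 bytes=900"),
    ("scada_software", "2024-05-01T09:00:00 scada user=op07 action=login result=fail"),
    ("scada_software", "2024-05-01T09:00:03 scada user=op07 action=login result=fail"),
    ("scada_software", "2024-05-01T09:00:06 scada user=op07 action=login result=fail"),
]
ALARM_POLICY = {  # (source, action, result) -> error level mark, as in claim 2
    ("scada_software", "setpoint_write", "ok"): "severe",
    ("network_device", "config_write", "ok"): "general",
}
WORK_HOURS = range(8, 18)  # time-limit rule: interactive operations allowed 08:00-17:59
FAIL_THRESHOLD = 3         # periodic rule: this many failed logins by one user

def standardize(source, line):
    rec = {"source": source, "raw": line, "user": "unknown", "action": "flow", "result": "ok",
           **dict(re.findall(r"(\w+)=(\S+)", line))}
    if source == "dumb_terminal":  # terminal lines carry neither date nor key=value pairs
        _, host, action, user = line.split()
        rec.update(host=host, action=action, user=user)
        line = "2024-05-01T" + line
    rec["time"] = datetime.fromisoformat(line.split()[0])
    return rec

def process(raw_logs, workers=2):
    q, out = Queue(), []
    for item in raw_logs: q.put(item)
    def worker():
        while True:
            try:
                source, line = q.get_nowait()
            except Empty:
                return
            out.append(standardize(source, line))  # list.append is atomic under the GIL
    threads = [Thread(target=worker) for _ in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sorted(out, key=lambda r: r["time"])

def analyze(records):
    # Alarm policy first (first analysis unit), then violation rules over the remaining logs.
    alarms, remaining, violations = [], [], []
    for r in records:
        level = ALARM_POLICY.get((r["source"], r["action"], r["result"]))
        alarms.append(dict(r, level=level)) if level else remaining.append(r)
    for r in remaining:  # time-limit rule; the association between audit logs is by user
        if r["action"] in ("login", "config_write") and r["time"].hour not in WORK_HOURS:
            sources = sorted({x["source"] for x in records if x["user"] == r["user"]})
            violations.append({"behavior": "off_hours_operation", "user": r["user"], "sources": sources})
    fails = Counter(r["user"] for r in remaining if (r["action"], r["result"]) == ("login", "fail"))
    for user, n in fails.items():  # periodic rule
        if n >= FAIL_THRESHOLD:
            violations.append({"behavior": "repeated_login_failure", "user": user, "count": n})
    return alarms, violations
```

Running `analyze(process(RAW_LOGS))` yields two alarm logs (general, severe) and two violation behaviors: an off-hours operation by eng01 traced to three log sources, and repeated login failures by op07.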
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110320994.5A CN112905548B (en) | 2021-03-25 | 2021-03-25 | Security audit system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112905548A true CN112905548A (en) | 2021-06-04 |
CN112905548B CN112905548B (en) | 2023-12-08 |
Family
ID=76106565
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110320994.5A Active CN112905548B (en) | 2021-03-25 | 2021-03-25 | Security audit system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112905548B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113190418A (en) * | 2021-07-01 | 2021-07-30 | 奇安信科技集团股份有限公司 | Log receiving method and device, electronic equipment and storage medium |
CN114116614A (en) * | 2021-11-30 | 2022-03-01 | 平安养老保险股份有限公司 | Log storage method and device, computer equipment and storage medium |
CN114297718A (en) * | 2021-12-30 | 2022-04-08 | 北京明朝万达科技股份有限公司 | Data protection system, method, electronic device and readable medium |
CN115080355A (en) * | 2022-07-20 | 2022-09-20 | 北京未来智安科技有限公司 | Method and device for generating monitoring log |
CN115460072A (en) * | 2022-08-25 | 2022-12-09 | 浪潮云信息技术股份公司 | Log processing system integrating log collection, analysis, storage and service |
CN115550063A (en) * | 2022-11-23 | 2022-12-30 | 天津安华易科技发展有限公司 | Network information security supervision method and system |
CN116028461A (en) * | 2023-01-06 | 2023-04-28 | 北京志行正科技有限公司 | Log audit system based on big data |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104657900A (en) * | 2013-11-19 | 2015-05-27 | 中国石油天然气股份有限公司 | Oil and gas pipeline regulation and control business support system and implementation method thereof |
US20150293801A1 (en) * | 2014-04-15 | 2015-10-15 | Lsis Co., Ltd. | Apparatus, system and method for application log data processing |
CN107209511A (en) * | 2015-02-24 | 2017-09-26 | 东芝三菱电机产业系统株式会社 | Monitor control device |
CN107408070A (en) * | 2014-12-12 | 2017-11-28 | 微软技术许可有限责任公司 | More transaction journals in distributed memory system |
CN108063753A (en) * | 2017-11-10 | 2018-05-22 | 全球能源互联网研究院有限公司 | A kind of information safety monitoring method and system |
CN109376532A (en) * | 2018-10-31 | 2019-02-22 | 云南电网有限责任公司 | Power network security monitoring method and system based on the analysis of ELK log collection |
CN109471846A (en) * | 2018-11-02 | 2019-03-15 | 中国电子科技网络信息安全有限公司 | User behavior auditing system and method on a kind of cloud based on cloud log analysis |
US20190171633A1 (en) * | 2017-11-13 | 2019-06-06 | Lendingclub Corporation | Multi-system operation audit log |
WO2019140828A1 (en) * | 2018-01-17 | 2019-07-25 | 平安科技(深圳)有限公司 | Electronic apparatus, method for querying logs in distributed system, and storage medium |
CN111030850A (en) * | 2019-11-28 | 2020-04-17 | 中冶南方(武汉)自动化有限公司 | SCADA system data acquisition period control method and device |
CN112394163A (en) * | 2020-12-14 | 2021-02-23 | 昆仑数智科技有限责任公司 | Crude oil water content analysis method and device |
Non-Patent Citations (3)
Title |
---|
张艳明: "Design and implementation of an anomalous behavior analysis system for SCADA systems based on Hadoop", 中国优秀硕士学位论文全文数据库信息科技辑, pages 177 - 182 * |
李文杰;厉罡;: "A brief discussion on how to build a crude oil storage and transportation SCADA system", 油气田地面工程, no. 05 * |
马荣所;: "A brief analysis of the application of SCADA systems in oil and gas pipelines", 数字技术与应用, no. 07 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20220328. Address after: Room 1501, Gehua building, No.1 Qinglong Hutong, Dongcheng District, Beijing. Applicants after: Kunlun Digital Technology Co.,Ltd.; CHINA NATIONAL PETROLEUM Corp. Address before: Room 1501, Gehua building, 1 Qinglong Hutong, Dongcheng District, Beijing. Applicant before: Kunlun Digital Technology Co.,Ltd. |
| GR01 | Patent grant | |