CN112995122A - Industrial control network security data visualization system and equipment - Google Patents

Publication number: CN112995122A
Application number: CN202010219923.1A
Authority: CN (China)
Prior art keywords: data; industrial control; network security; control network; unit
Legal status (as listed by Google Patents, not a legal conclusion): Granted
Other languages: Chinese (zh)
Other versions: CN112995122B (en)
Inventors: 李敏, 李文强, 李高明
Current assignee: Changyang Tech Beijing Co ltd
Original assignee: Changyang Tech Beijing Co ltd
Priority date: 2020-03-25
Filing date: 2020-03-25
Publication date: 2021-06-18 (CN112995122A); granted as CN112995122B on 2024-03-08
Current legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/26 Visual data mining; Browsing structured data


Abstract

The application provides an industrial control network security data visualization system and device. The system includes: a data acquisition module, used to acquire the network security data generated by industrial control equipment by means of host probe technology, traffic monitoring technology and anomaly detection technology; a data mining module, electrically connected with the data acquisition module and used to mine the acquired network security data; and a data visualization module, electrically connected with the data mining module and used to represent the mined industrial control security data graphically, so as to show the industrial control security data and its variation trend. With this system, the efficiency of data acquisition and mining and the quality of data visualization can be improved.

Description

Industrial control network security data visualization system and equipment
Technical Field
The application relates to the field of network security, in particular to an industrial control network security data visualization system and equipment.
Background
Compared with traditional information security, industrial control system security has unique characteristics. Industrial control systems began as special-purpose systems: their operating systems and communication protocols differ greatly from those of ordinary systems, and compared with the open internet environment they are relatively isolated. They were designed from the outset to perform various real-time control functions, and the problem of security protection was not considered.
However, with the development of computer and network technology and the trends of "Industry 4.0", "two-way integration" and "Internet+", the network security problem of traditional industrial control systems (industrial control security for short) has become a serious challenge for enterprise and national security and receives attention from more and more enterprises and governments. After developing in a closed state for a long time, industrial control systems are now exposed to the internet through network interconnection, so that they are easily attacked by viruses, trojans and hackers from the enterprise management network or the internet, and the key infrastructure and important systems they control face huge security risks and hidden dangers.
On the one hand, the situation visualization technology of traditional network security vendors mainly describes the hosts exposed on the internet side, the threat situation of business hosts placed in the enterprise office network and the operating condition of those hosts, and forms a network security situation display from them. On the other hand, traditional industrial field monitoring takes the control-mode operating state produced by a given industrial control system as its monitoring point. Conventional network security technology therefore does not incorporate the characteristics of industrial control systems.
Disclosure of Invention
In view of this, an object of the present application is to provide an industrial control network security data visualization system and apparatus, so as to solve the problems of low data acquisition and mining efficiency and poor data visualization quality in the prior art.
Based on the above purpose, the present application provides an industrial control network security data visualization system, which includes:
a data acquisition module, used to acquire the network security data generated by industrial control equipment by means of host probe technology, traffic monitoring technology and anomaly detection technology;
a data mining module, electrically connected with the data acquisition module and used to mine the acquired network security data;
and a data visualization module, electrically connected with the data mining module and used to represent the mined industrial control security data graphically, so as to show the industrial control security data and its variation trend.
In one embodiment, the data acquisition module comprises:
a host probe unit, used to probe host information in a passive monitoring mode so as to acquire the running state, security configuration or alarm log of the host;
a traffic monitoring unit, used to sniff the network running state by means of network traffic mirroring and to acquire network threats and original information by combining an anomaly rule detection mechanism with an original traffic extraction mechanism;
and a message queue unit, used to transmit and acquire network information in real time by means of a Kafka high-performance message queue.
Kafka is an open source stream processing platform developed by the Apache Software Foundation and written in Scala and Java. It is a high-throughput distributed publish-subscribe messaging system that can handle real-time streaming data. Such data is typically handled through log collection and log aggregation because of the throughput involved. For log data and offline analysis systems such as Elasticsearch that are limited by a requirement for real-time processing, Kafka is a viable solution: its purpose is to unify online and offline message processing through the parallel loading mechanism of Elasticsearch, and also to provide real-time messages through clustering.
In one embodiment, the data mining module comprises:
a data preprocessing unit, used to preprocess and convert the network information passing through Kafka to obtain industrial control network security data;
and a clustering and classifying unit, electrically connected with the data preprocessing unit and used to cluster and classify the industrial control network security data and store the clustered and classified data in a database.
In one embodiment, the data visualization module comprises:
a micro-service interface unit, used to build a micro-service interface with the Spring closed framework and provide it for front-end calls;
and a visual component unit, electrically connected with the micro-service interface unit and used to build the front end with Angularlarts, Echarts, D3JS and Threejs.
In one embodiment, the system further comprises:
a data storage module, electrically connected with the data acquisition module and used to store the acquired network security data by means of relational and NoSQL big data storage technology.
In one embodiment, the data storage module comprises:
a big data storage unit, used to store massive logs in an Elasticsearch non-relational database and perform word segmentation according to network threat keywords.
An apparatus comprising at least one industrial control network security data visualization system as described in any one of the above.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. It is obvious that the drawings in the following description show only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of an industrial control network security data visualization system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of industrial control asset location in an industrial control network security data visualization system according to an embodiment of the present application;
FIG. 3 is a schematic diagram of industrial control vulnerabilities in an industrial control network security data visualization system according to an embodiment of the present application;
FIG. 4 is a schematic supply chain analysis diagram of an industrial control network security data visualization system according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is further described in detail below with reference to the accompanying drawings in combination with specific embodiments.
It should be noted that technical terms or scientific terms used in the embodiments of the present application should have a general meaning as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar terms in this disclosure is not intended to indicate any order, quantity, or importance, but rather is used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item listed before the word covers the element or item listed after the word and its equivalents, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
To facilitate understanding of the present application, the following key terms are explained:
Industrial control terminal: a host that runs various industrial control software in an industrial control environment, including an engineer station, an operator station and the like.
Industrial control system: a system that mainly uses a combination of electronics, electrical engineering, machinery and software to realise automatic process control in a given industrial field.
Industrial control protocol: the protocol used when upstream and downstream hosts exchange communication messages with an industrial control host or a laboratory host.
The invention aims to provide a system for visualizing industrial control network security data.
The purpose of the invention can be realized by the following technical scheme:
with reference to FIG. 1, the industrial control network security data visualization system is used to display detailed data related to the network security of an industrial control system together with the corresponding variation trend, and the system includes:
a data acquisition module, used to collect the network information and network security information generated by industrial control equipment by means of host probe technology, traffic monitoring technology and anomaly detection technology;
a data mining module, used to mine the acquired industrial control network security data;
a data storage module, used to store the acquired data by means of relational and NoSQL big data storage technology;
a data visualization module, used to represent the mined and computed industrial control security data graphically and to display the specific industrial control security data and its change trend.
The data acquisition module further comprises:
a host probe unit, used to probe host information in a passive monitoring mode so as to acquire the running state, security configuration or alarm log of the host;
a traffic monitoring unit, which uses network traffic mirroring to sniff the running state of the network and combines an anomaly rule detection mechanism with an original traffic extraction mechanism to acquire network threats and original information;
a message queue unit, which uses a Kafka high-performance message queue to transmit the acquired information in real time.
The data mining module further comprises:
a data preprocessing unit, used to preprocess and convert the data passing through Kafka;
a clustering and classifying unit, used to cluster and classify the preprocessed industrial control network security data and store the clustered and classified data in a database.
The data storage module further comprises:
a big data storage unit, used to store massive logs in an Elasticsearch non-relational database and perform word segmentation according to network threat keywords.
The data visualization module further comprises:
a micro-service interface unit, used to build a micro-service interface with the Springbound framework and provide it for front-end calls;
and a visual component unit, which uses Angularlarts, Echarts, D3JS and Threejs for front-end construction.
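The four-stage pipeline just described (acquisition messages on the Kafka queue, preprocessing, clustering and classification, keyword segmentation before storage, and a trend for the visualization module) can be illustrated with a small runnable sketch. The Python below is an added example written for this page; it is not code from the patent or from Changyang Tech. It reads a handful of constructed collector messages of the kind the host probe, traffic monitor and anomaly detector would publish to the queue, runs a preprocessing step (parse, validate, normalise into one record shape, discard malformed input), a fixed-rule stand-in for the clustering and classifying unit, a threat-keyword segmentation step, and finally produces the per-hour, per-category counts that a front end would plot as the variation trend. Kafka and Elasticsearch themselves are left out so that it runs offline; every field name, category, keyword and sample value is an assumption of the example.

```python
"""Added example for this page (not the patent's code): collector messages ->
preprocessing -> classification -> keyword segmentation -> trend series."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample messages as the three collectors might publish them to the
# Kafka topic. Field names, values and the malformed last line are assumptions.
RAW_MESSAGES = [
    '{"source": "host_probe", "ts": "2021-01-01T08:00:10Z", "host": "eng-ws-01", '
    '"kind": "config", "firewall_enabled": false}',
    '{"source": "host_probe", "ts": "2021-01-01T08:01:00Z", "host": "eng-ws-01", '
    '"kind": "alarm", "detail": "USB storage device inserted"}',
    '{"source": "traffic_monitor", "ts": "2021-01-01T08:05:30Z", "src": "10.1.2.9", '
    '"dst": "10.1.3.20", "proto": "modbus", "rule": "write_from_unlisted_host"}',
    '{"source": "traffic_monitor", "ts": "2021-01-01T08:05:31Z", "src": "10.1.2.5", '
    '"dst": "10.1.3.20", "proto": "modbus", "rule": null}',
    '{"source": "anomaly_detector", "ts": "2021-01-01T09:12:00Z", "host": "hmi-02", '
    '"score": 0.91, "detail": "process count spike"}',
    "garbage that is not JSON",
]

# Assumed threat keyword list used by the segmentation step.
THREAT_KEYWORDS = {"write", "usb", "spike", "unlisted"}


def preprocess(raw):
    """Data preprocessing unit: parse one queue message and convert it into a
    common record; malformed or incomplete messages are dropped (returns None)."""
    try:
        msg = json.loads(raw)
        source = msg["source"]
        ts = datetime.strptime(msg["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (ValueError, KeyError, TypeError):
        return None
    asset = msg.get("host") or msg.get("dst")
    detail = msg.get("detail") or msg.get("rule") or msg.get("kind") or ""
    return {"ts": ts, "asset": asset, "source": source, "detail": str(detail), "raw": msg}


def classify(rec):
    """Stand-in for the clustering and classifying unit: fixed rules assign a
    category and a severity (0 = benign, 3 = high) instead of a learned model."""
    src, raw = rec["source"], rec["raw"]
    if src == "host_probe" and raw.get("kind") == "config":
        return ("misconfiguration", 2) if raw.get("firewall_enabled") is False else ("config_ok", 0)
    if src == "host_probe":
        return ("host_alarm", 2)
    if src == "traffic_monitor":
        return ("protocol_threat", 3) if raw.get("rule") else ("baseline_traffic", 0)
    if src == "anomaly_detector":
        return ("anomaly", 3) if raw.get("score", 0) >= 0.8 else ("anomaly_low", 1)
    return ("unknown", 1)


def segment_keywords(detail):
    """Word segmentation by threat keywords: tokenise the free-text detail and keep
    the tokens that match the keyword list, so they can be indexed for search."""
    tokens = detail.lower().replace("_", " ").split()
    return sorted(t for t in set(tokens) if t in THREAT_KEYWORDS)


def run_pipeline(raw_messages):
    """Push every message through the pipeline. Returns the enriched records that
    would be stored, the per-category hourly counts (the variation trend), and
    the number of messages discarded by preprocessing."""
    records, dropped = [], 0
    trend = defaultdict(lambda: defaultdict(int))
    for raw in raw_messages:
        rec = preprocess(raw)
        if rec is None:
            dropped += 1
            continue
        category, severity = classify(rec)
        rec.update(category=category, severity=severity,
                   keywords=segment_keywords(rec["detail"]))
        hour = rec["ts"].strftime("%Y-%m-%dT%H:00Z")
        trend[category][hour] += 1
        records.append(rec)
    return records, {c: dict(h) for c, h in trend.items()}, dropped


def chart_series(trend):
    """Shape the trend into the x-axis labels and {name, data} series that a
    front-end chart component would consume."""
    hours = sorted({h for counts in trend.values() for h in counts})
    series = [{"name": c, "data": [trend[c].get(h, 0) for h in hours]} for c in sorted(trend)]
    return hours, series


if __name__ == "__main__":
    recs, trend, dropped = run_pipeline(RAW_MESSAGES)
    hours, series = chart_series(trend)
    print(f"stored {len(recs)} records, dropped {dropped}")
    print(json.dumps({"hours": hours, "series": series}, indent=1))
```

Running the file prints five stored records (the non-JSON line is dropped rather than allowed to break the consumer) and two series points per category, one per hour. The rule table in `classify` is the part a real deployment would replace with the clustering model the patent describes; keeping preprocessing, classification and trend aggregation as separate functions mirrors the decoupling between the mining and visualization modules that the text lists as an advantage.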
As can be seen from FIG. 2 to FIG. 4, the present application has the following advantages:
1) the data acquisition module uses multi-mode acquisition (host probe, log collection and traffic mirroring), which is more comprehensive and effective than the traditional method of collecting only log alarm information;
2) the message queue load-balances the data from multiple sources, further improving the efficiency and quality of data acquisition;
3) the mining module preprocesses the data first and then performs clustering and classification, which strengthens the mining effect and improves the quality of the mined data;
4) the whole system is divided into four parts, data acquisition, data mining, data storage and data visualization, which are decoupled from each other and easy to maintain;
5) the visualization unit includes advanced visualization tools such as Angularlarts, Echarts, D3JS and Threejs, so the data visualization effect is guaranteed;
6) the "attack chain" is tracked while network security attack data is fused, analysed visually and drawn, so that APT attacks can be perceived in depth.
While the present application has been described in conjunction with specific embodiments thereof, many alternatives, modifications, and variations of these embodiments will be apparent to those of ordinary skill in the art in light of the foregoing description. The embodiments of the present application are intended to embrace all such alternatives, modifications and variances that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, substitutions, improvements, and the like that may be made without departing from the spirit and principles of the application are intended to be included within the scope of the application.

Claims (7)

1. An industrial control network security data visualization system, characterized in that the system comprises:
a data acquisition module, used to acquire the network security data generated by industrial control equipment by means of host probe technology, traffic monitoring technology and anomaly detection technology;
a data mining module, electrically connected with the data acquisition module and used to mine the acquired network security data;
and a data visualization module, electrically connected with the data mining module and used to represent the mined industrial control security data graphically, so as to show the industrial control security data and its variation trend.
2. The industrial control network security data visualization system according to claim 1, wherein the data acquisition module comprises:
a host probe unit, used to probe host information in a passive monitoring mode so as to acquire the running state, security configuration or alarm log of the host;
a traffic monitoring unit, used to sniff the network running state by means of network traffic mirroring and to acquire network threats and original information by combining an anomaly rule detection mechanism with an original traffic extraction mechanism;
and a message queue unit, used to transmit and acquire network information in real time by means of a Kafka high-performance message queue.
3. The industrial control network security data visualization system according to claim 1, wherein the data mining module comprises:
a data preprocessing unit, used to preprocess and convert the network information passing through Kafka to obtain industrial control network security data;
and a clustering and classifying unit, electrically connected with the data preprocessing unit and used to cluster and classify the industrial control network security data and store the clustered and classified data in a database.
4. The industrial control network security data visualization system according to claim 1, wherein the data visualization module comprises:
a micro-service interface unit, used to build a micro-service interface with the Spring closed framework and provide it for front-end calls;
and a visual component unit, electrically connected with the micro-service interface unit and used to build the front end with Angularlarts, Echarts, D3JS and Threejs.
5. The industrial control network security data visualization system according to claim 1, wherein the system further comprises:
a data storage module, electrically connected with the data acquisition module and used to store the acquired network security data by means of relational and NoSQL big data storage technology.
6. The industrial control network security data visualization system according to claim 1, wherein the data storage module comprises:
a big data storage unit, used to store massive logs in an Elasticsearch non-relational database and perform word segmentation according to network threat keywords.
7. An apparatus, characterized in that it comprises at least one industrial control network security data visualization system as claimed in any one of claims 1 to 6.

Priority Applications (1)

Application number: CN202010219923.1A (granted as CN112995122B)
Priority date: 2020-03-25
Filing date: 2020-03-25
Title: Industrial control network safety data visualization system

Applications Claiming Priority (1)

The same application, CN202010219923.1A, with priority date and filing date 2020-03-25.

Publications (2)

CN112995122A (en), published 2021-06-18
CN112995122B (en), published 2024-03-08

Family

ID=76344214

Family Applications (1)

CN202010219923.1A, status Active, granted as CN112995122B (en); priority date 2020-03-25, filing date 2020-03-25; Industrial control network safety data visualization system

Country Status (1)

CN: CN112995122B (en)

Citations (4)

* Cited by examiner, † Cited by third party
CN108646722A (en) * — priority 2018-07-18, published 2018-10-12, 杭州安恒信息技术股份有限公司: Industrial control system information security simulation model and terminal
CN109474607A (en) * — priority 2018-12-06, published 2019-03-15, 连云港杰瑞深软科技有限公司: Industrial control network safeguard protection monitoring system
CN109840415A (en) * — priority 2018-12-29, published 2019-06-04, 江苏博智软件科技股份有限公司: Industrial control network security situation awareness system
WO2020037634A1 (en) * — priority 2018-08-24, published 2020-02-27, 哈尔滨工程大学计算机科学与技术学院: Information monitoring system and method for industrial control device network, computer readable storage medium, and computer device

Also Published As

Publication number Publication date
CN112995122B (en) 2024-03-08


Legal Events

Code / Title / Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
    Country or region after: China
    Address after: Room 01, floor 1, building 104, No. 3 minzhuang Road, Haidian District, Beijing 100195
    Applicant after: Changyang Technology (Beijing) Co.,Ltd.
    Address before: 100195 2nd floor, building 3, yuquanhuigu phase II, No.3 minzhuang Road, Haidian District, Beijing
    Applicant before: CHANGYANG TECH (BEIJING) Co.,Ltd.
    Country or region before: China
GR01 Patent grant