CN114037270A - Industrial control safety evaluation system and method

Publication number
CN114037270A
Authority
CN
China
Prior art keywords
industrial control
information
vulnerability
control vulnerability
keyword
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111315919.6A
Other languages
Chinese (zh)
Inventor
张钊
李四伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qax Technology Group Inc, Secworld Information Technology Beijing Co Ltd
Priority to CN202111315919.6A
Publication of CN114037270A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0639 Performance analysis of employees; Performance analysis of enterprise or organisation operations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/50 Information retrieval; Database structures therefor; File system structures therefor of still image data
    • G06F16/53 Querying
    • G06F16/535 Filtering based on additional data, e.g. user or group profiles
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/50 Information retrieval; Database structures therefor; File system structures therefor of still image data
    • G06F16/53 Querying
    • G06F16/538 Presentation of query results
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/50 Information retrieval; Database structures therefor; File system structures therefor of still image data
    • G06F16/58 Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually
    • G06F16/583 Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually using metadata automatically derived from the content
    • G06F16/5846 Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually using metadata automatically derived from the content using extracted text
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q50/00 Information and communication technology [ICT] specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism
    • G06Q50/04 Manufacturing
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30 Computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Strategic Management (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Economics (AREA)
  • Library & Information Science (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Marketing (AREA)
  • Educational Administration (AREA)
  • Development Economics (AREA)
  • Tourism & Hospitality (AREA)
  • General Business, Economics & Management (AREA)
  • Health & Medical Sciences (AREA)
  • Primary Health Care (AREA)
  • General Health & Medical Sciences (AREA)
  • Game Theory and Decision Science (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Manufacturing & Machinery (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application discloses an industrial control safety evaluation system and method. Industrial control vulnerability information is stored in the industrial control vulnerability database. The terminal equipment is used for acquiring image information of the industrial control equipment in the industrial control system and sending the image information to the query server. The query server is used for matching the industrial control vulnerability information corresponding to the image information from the industrial control vulnerability library according to the image information, generating a query result based on the matched industrial control vulnerability information, and returning the query result to the terminal equipment. The terminal equipment is also used for evaluating the safety of the industrial control system based on the query result. The industrial control safety evaluation system can evaluate the safety of the industrial control system according to the image information of the industrial control equipment, so the safety evaluation of the industrial control system is realized with little influence on the work of the industrial control system and the industrial control network.

Description

Industrial control safety evaluation system and method
Technical Field
The application relates to the field of industrial control, in particular to an industrial control safety evaluation system and method.
Background
The industrial control system is an automatic control system consisting of a computer and an industrial process control component. Industrial control systems include a variety of industrial control devices, such as programmable logic controllers and the like. The safety of industrial control systems is becoming more and more important.
Currently, safety inspection evaluation tools are available to evaluate the safety of industrial control systems. These tools work in two modes: passive traffic analysis and active network detection. However, passive analysis of industrial control network traffic with such a tool requires a worker to configure a mirror port on a communication device in the industrial control network, and the mirror port may have a certain influence on the stability of the original industrial control network (referred to as the industrial control network for short). In addition, active scanning of the industrial control network with such a tool may affect the stable operation of the industrial control network and may directly affect the work of the industrial control equipment.
Disclosure of Invention
In order to solve the technical problem, the application provides an industrial control security assessment system and method, which are used for performing security assessment on an industrial control system on the basis of not influencing the stability of an original industrial control network.
In order to achieve the above purpose, the technical solutions provided in the embodiments of the present application are as follows:
the embodiment of the application provides an industrial control safety evaluation system, which includes: a terminal device, a query server and an industrial control vulnerability library; the industrial control vulnerability library stores industrial control vulnerability information;
the terminal device is used for acquiring image information of industrial control equipment in an industrial control system and sending the image information to the query server;
the query server is used for matching the industrial control vulnerability information corresponding to the image information from the industrial control vulnerability library according to the image information, generating a query result based on the matched industrial control vulnerability information, and returning the query result to the terminal equipment;
and the terminal equipment is also used for evaluating the safety of the industrial control system based on the query result.
Optionally, the query server includes: an image information extraction module, a keyword filtering module, an information normalization module and an information search and result integration module;
the image information extraction module is used for identifying text information in the image information by using a preset intelligent algorithm and sending the text information to the keyword filtering module;
the keyword filtering module is used for filtering the text information based on a preset filtering rule, acquiring keyword information in the text information and sending the keyword information to the information normalization module;
the information normalization module is used for performing normalization processing on the keyword information to obtain query keyword information;
the information searching and result integrating module is used for receiving the query keyword information, matching the industrial control vulnerability information corresponding to the query keyword information from the industrial control vulnerability library based on the query keyword information, processing the matched industrial control vulnerability information based on a preset rule to generate a query result, and returning the query result to the terminal equipment.
Optionally, the system further comprises: a vulnerability collection and processing server;
and the vulnerability collecting and processing server is used for updating the industrial control vulnerability information of the industrial control vulnerability library.
Optionally, the vulnerability collection and processing server includes: a vulnerability information collection module, a natural language processing module and a vulnerability normalization module;
the vulnerability information collection module is used for periodically collecting preselected industrial control vulnerability information and sending the preselected industrial control vulnerability information to the natural language processing module;
the natural language processing module is used for carrying out invalid information processing, vulnerability attribute extraction and association relation acquisition on the preselected industrial control vulnerability information; the association relation comprises the association relation between the preselected industrial control vulnerability information and the industrial control vulnerability information in the industrial control vulnerability library and, when there are multiple pieces of preselected industrial control vulnerability information, the association relation among those pieces;
and the vulnerability normalization module is used for carrying out normalization processing on the preselected industrial control vulnerability information, acquiring newly added industrial control vulnerability information, and adding the newly added industrial control vulnerability information to the industrial control vulnerability library based on the vulnerability attributes and the association relation.
Optionally, the information normalization module is specifically configured to perform normalization processing on keyword information with the same meaning but different expression forms, perform normalization processing on keyword information with the same version number, perform normalization processing on keyword information of the same type having inclusion relations, and acquire query keyword information.
Optionally, the preset filtering rule is specifically to extract the keywords of the industrial control equipment information; the industrial control equipment information at least comprises one or more of industrial control equipment manufacturer name, industrial control equipment series, industrial control equipment product model, industrial control equipment order number, hardware version number in the industrial control equipment and firmware version number in the industrial control equipment.
Optionally, the preset rule at least comprises one or more of a sorting rule, a coincidence finding rule, a summary information extraction rule and a vulnerability detail extraction rule; the sorting rules at least comprise time sorting rules or heat sorting rules.
Optionally, the industrial control vulnerability information at least comprises one or more of an industrial control vulnerability name, product information with industrial control vulnerability, industrial control vulnerability description information, industrial control vulnerability tracking process information and an industrial control vulnerability source;
the product information with industrial control vulnerabilities at least comprises one or more of product names, product models and product versions; the industrial control vulnerability tracking process information at least comprises one or more items of industrial control vulnerability discovery time, industrial control vulnerability patching time and industrial control vulnerability information propagation heat.
Optionally, the query server, the industrial control vulnerability library and the vulnerability collection and processing server communicate with each other in a remote procedure call mode based on a network.
The embodiment of the application also provides an industrial control safety assessment method, which is applied to a server and comprises the following steps:
receiving image information of industrial control equipment, wherein the image information is acquired and transmitted by terminal equipment;
matching industrial control vulnerability information corresponding to the image information from a preset industrial control vulnerability library according to the image information, and generating a query result based on the matched industrial control vulnerability information, wherein the industrial control vulnerability information is stored in the industrial control vulnerability library;
and feeding back the query result to the terminal equipment so that the terminal equipment evaluates the safety of the industrial control equipment based on the query result.
In a possible implementation manner, the matching, according to the image information, industrial control vulnerability information corresponding to the image information from a preset industrial control vulnerability library, and generating a query result based on the matched industrial control vulnerability information includes:
recognizing the text information in the image information by using a preset intelligent algorithm;
filtering the text information based on a preset filtering rule to obtain keyword information in the text information;
normalizing the keyword information to obtain query keyword information;
matching the industrial control vulnerability information corresponding to the query keyword information from the preset industrial control vulnerability library based on the query keyword information, and processing the matched industrial control vulnerability information based on a preset rule to generate a query result.
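The four steps above, sketched end to end as an added example (not code from the patent or its applicant). It starts from already-recognised OCR text; the vendor, product names, regex rules, alias table, vulnerability records and the firmware-range match are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed OCR output from two video frames of one nameplate.
# Vendor, product names and identifiers are fictional.
SAMPLE_OCR_TEXT = """\
ACME Automation GmbH
AX-200 CPU 214C
Order No.: AX2-214-1AB40
HW: 3   FW: V4.02.0
24VDC  IP20  Made in EU
ax 200 cpu 214
FW V4.2
"""

def canon(s):
    """Canonical form: upper case, separators removed ('ax 200' == 'AX-200')."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())

# Same vendor, different spellings (hypothetical alias table).
VENDOR_ALIASES = {canon(a): "ACME" for a in
                  ("ACME", "ACME Automation", "ACME Automation GmbH")}

# Hypothetical filtering rules, one per device-information field named in the text.
FILTER_RULES = {
    "series": re.compile(r"\b(AX[\s-]\d{3})\b", re.I),
    "model": re.compile(r"\b(CPU\s*\d+[A-Z]?)\b", re.I),
    "order_number": re.compile(r"order\s*no\.?\s*:?\s*([A-Z0-9-]+)", re.I),
    "hardware_version": re.compile(r"\bHW\s*:?\s*V?(\d+(?:\.\d+)*)", re.I),
    "firmware_version": re.compile(r"\bFW\s*:?\s*V?(\d+(?:\.\d+)*)", re.I),
}

def filter_keywords(ocr_text):
    """Keyword filtering: keep device-information fields, drop everything else."""
    found = {name: [m.group(1) for m in rule.finditer(ocr_text)]
             for name, rule in FILTER_RULES.items()}
    found["vendor"] = [ln.strip() for ln in ocr_text.splitlines()
                       if canon(ln) in VENDOR_ALIASES]
    return found

def normalize_version(v):
    """'4.02.0' and '4.2' denote the same version: compare as integer tuples."""
    parts = [int(p) for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def collapse_inclusions(values):
    """Same-type keywords where one contains another: keep the most specific."""
    return {v for v in values if not any(v != o and v in o for o in values)}

def normalize(keywords):
    """Normalization: aliases, equal versions and inclusion relations."""
    query = {}
    for name, values in keywords.items():
        if name.endswith("_version"):
            vals = {normalize_version(v) for v in values}
        elif name == "vendor":
            vals = {VENDOR_ALIASES[canon(v)] for v in values}
        else:
            vals = collapse_inclusions({canon(v) for v in values})
        query[name] = sorted(vals)
    return query

@dataclass
class VulnRecord:
    name: str          # placeholder identifier, not a real advisory
    vendor: str
    series: str
    fixed_in: tuple    # assumption: firmware below this version is affected
    discovered: date
    heat: int          # propagation heat

# Constructed vulnerability library.
VULN_DB = [
    VulnRecord("VULN-EXAMPLE-001", "ACME", "AX200", (4, 3), date(2021, 3, 1), 40),
    VulnRecord("VULN-EXAMPLE-002", "ACME", "AX200", (4, 1), date(2021, 6, 1), 90),
    VulnRecord("VULN-EXAMPLE-003", "ACME", "AX200", (5,), date(2020, 11, 15), 75),
    VulnRecord("VULN-EXAMPLE-004", "GLOBEX", "AX200", (9,), date(2021, 1, 1), 60),
]

def match(query, db, order_by="time"):
    """Search and result integration with a time or heat sorting rule."""
    hits = [r for r in db
            if r.vendor in query["vendor"] and r.series in query["series"]
            and any(fw < r.fixed_in for fw in query["firmware_version"])]
    key = (lambda r: r.discovered) if order_by == "time" else (lambda r: r.heat)
    return sorted(hits, key=key, reverse=True)

def evaluate(ocr_text, db=VULN_DB, order_by="time"):
    query = normalize(filter_keywords(ocr_text))
    missing = [f for f in ("vendor", "series", "firmware_version") if not query[f]]
    if missing:
        # An unreadable nameplate must not be reported as "no known vulnerabilities".
        raise ValueError(f"cannot query, fields not recognised: {missing}")
    return [r.name for r in match(query, db, order_by)]

if __name__ == "__main__":
    print(normalize(filter_keywords(SAMPLE_OCR_TEXT)))
    print(evaluate(SAMPLE_OCR_TEXT, order_by="time"))
    print(evaluate(SAMPLE_OCR_TEXT, order_by="heat"))
```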
In one possible implementation, the method further includes:
and updating the preset industrial control vulnerability information of the industrial control vulnerability database.
In a possible implementation manner, the updating preset industrial control vulnerability information of the industrial control vulnerability database includes:
collecting preselected industrial control vulnerability information periodically;
carrying out invalid information processing, vulnerability attribute extraction and association relation acquisition on the preselected industrial control vulnerability information; the association relation comprises the association relation between the preselected industrial control vulnerability information and the industrial control vulnerability information in the industrial control vulnerability library and, when there are multiple pieces of preselected industrial control vulnerability information, the association relation among those pieces;
and carrying out normalization processing on the preselected industrial control vulnerability information to obtain newly added industrial control vulnerability information, and updating the preset industrial control vulnerability information of the industrial control vulnerability library by using the newly added industrial control vulnerability information based on the vulnerability attributes and the association relation.
In a possible implementation manner, the normalizing the keyword information to obtain query keyword information includes:
and normalizing the keyword information with the same meaning but different expression forms, normalizing the keyword information with the same version number, and normalizing the keyword information with the same type and inclusion relation to obtain the query keyword information.
In a possible implementation manner, the preset filtering rule is specifically to extract the keywords of the industrial control equipment information; the industrial control equipment information at least comprises one or more of industrial control equipment manufacturer name, industrial control equipment series, industrial control equipment product model, industrial control equipment order number, hardware version number in the industrial control equipment and firmware version number in the industrial control equipment.
In a possible implementation manner, the preset rule at least includes one or more of a sorting rule, a coincidence finding rule, a summary information extraction rule and a vulnerability detail extraction rule; the sorting rules at least comprise time sorting rules or heat sorting rules.
In a possible implementation manner, the industrial control vulnerability information at least comprises one or more of an industrial control vulnerability name, product information with the industrial control vulnerability, industrial control vulnerability description information, industrial control vulnerability tracking process information and an industrial control vulnerability source;
the product information with industrial control vulnerabilities at least comprises one or more of product names, product models and product versions; the industrial control vulnerability tracking process information at least comprises one or more items of industrial control vulnerability discovery time, industrial control vulnerability patching time and industrial control vulnerability information propagation heat.
In a possible implementation manner, the query server, the industrial control vulnerability database and the vulnerability collection and processing server are communicated with each other through a remote procedure call mode based on a network.
The embodiment of the present application further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to implement all or part of the steps of the above-mentioned industrial control security assessment method.
The embodiment of the present application further provides a non-transitory computer readable storage medium, in which a computer program is stored, and when executed by a processor, the computer program implements all or part of the steps of the industrial control safety assessment method.
According to the technical scheme, the method has the following beneficial effects:
the embodiment of the application provides an industrial control safety evaluation system and method. The industrial control vulnerability database stores industrial control vulnerability information. The terminal equipment is used for acquiring image information of the industrial control equipment in the industrial control system and sending the image information to the query server. The query server is used for matching the industrial control vulnerability information corresponding to the image information from the industrial control vulnerability library according to the image information, generating a query result based on the matched industrial control vulnerability information, and returning the query result to the terminal equipment. The terminal equipment is also used for evaluating the safety of the industrial control system based on the query result. The industrial control safety evaluation system provided by the embodiment of the application can evaluate the safety of the industrial control system according to the image information of the industrial control equipment. Because photographing the industrial control equipment has little influence on the industrial control system and the industrial control network, the safety evaluation of the industrial control system is realized with little influence on the work of the industrial control system and the industrial control network.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings in the following description show some embodiments of the present application, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of an industrial control safety evaluation system according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of another industrial control safety evaluation system according to an embodiment of the present application;
Fig. 3 is a schematic diagram of an image of an industrial control device according to an embodiment of the present application;
Fig. 4 is a flowchart of an industrial control safety evaluation method according to an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, embodiments accompanying the drawings are described in detail below.
For the convenience of understanding and explaining the technical solutions of the embodiments of the present application, the following description is made first on the background of the embodiments of the present application.
The industrial control system is an automatic control system consisting of a computer and an industrial process control component. Industrial control systems include a variety of industrial control devices, such as programmable logic controllers and the like. The safety of industrial control systems is becoming more and more important.
Currently, safety evaluators can communicate face to face with workers associated with an industrial control system, using questionnaires, to learn about the safety of the industrial control system. The information gathered from the workers is then used as the original input of the safety evaluation of the industrial control system. However, information obtained through questionnaires may be lacking in accuracy and completeness, and after the communication the safety evaluators must do a large amount of document collation work, resulting in high labor cost for the whole safety evaluation process.
In addition, a safety inspection evaluation tool can be used to evaluate the safety of the industrial control system. Safety evaluation with such a tool mainly works in two modes: passive traffic analysis and active network detection. Using the tool spares the safety evaluators a large amount of document collation work. However, passive analysis of industrial control network traffic with the tool requires a worker to configure a mirror port on a communication device in the industrial control network, and the mirror port may have a certain influence on the stability of the original industrial control network. For enterprises with sensitive process flows, connecting a safety inspection evaluation tool to the industrial control network to acquire traffic requires a long approval process, which can prolong the safety evaluation work. In addition, active scanning of the industrial control network with the tool may also affect the stable operation of the industrial control network and may directly affect the work of the industrial control equipment.
Based on this, the embodiment of the application provides an industrial control safety evaluation system and method. The industrial control safety evaluation system comprises terminal equipment, a query server and an industrial control vulnerability library. The industrial control vulnerability database stores industrial control vulnerability information. The terminal equipment is used for acquiring image information of the industrial control equipment in the industrial control system and sending the image information to the query server. The query server is used for matching the industrial control vulnerability information corresponding to the image information from the industrial control vulnerability library according to the image information, generating a query result based on the matched industrial control vulnerability information, and returning the query result to the terminal equipment. The terminal equipment is also used for evaluating the safety of the industrial control system based on the query result. The industrial control safety evaluation system provided by the embodiment of the application can evaluate the safety of the industrial control system according to the image information of the industrial control equipment. Because photographing the industrial control equipment has little influence on the industrial control system and the industrial control network, the safety evaluation of the industrial control system is realized with little influence on the work of the industrial control system and the industrial control network.
In order to facilitate understanding of the industrial control safety evaluation system provided by the embodiment of the present application, the following detailed description is made with reference to the accompanying drawings.
Referring to fig. 1, fig. 1 is a schematic structural diagram of an industrial control safety evaluation system according to an embodiment of the present application.
The industrial control safety evaluation system comprises: the system comprises a terminal device 101, a query server 102 and an industrial control vulnerability library 103. The industrial control vulnerability database 103 stores industrial control vulnerability information.
The terminal device 101 is configured to obtain image information of an industrial control device in an industrial control system, and send the image information to the query server 102.
As an alternative example, the terminal device 101 is a mobile terminal device, such as a mobile phone. As another alternative example, the terminal device 101 is a computer terminal. In specific implementation, the application program in the mobile phone or the web browser on the computer may obtain the image information of the industrial control device in the industrial control system, and send the image information to the query server 102.
The industrial control equipment is equipment in an industrial control system, such as a remote terminal unit (RTU), a programmable logic controller (PLC), equipment in a distributed control system, equipment in an operator station and the like.
The image information of the industrial control equipment is an image of the industrial control equipment or a video of the industrial control equipment. In specific implementation, the part with the text information of the industrial control equipment is photographed or recorded to obtain an image or a video of the industrial control equipment.
After the terminal device 101 sends the image information to the query server 102, the query server 102 is configured to match industrial control vulnerability information corresponding to the image information from the industrial control vulnerability database 103 according to the image information, generate a query result based on the matched industrial control vulnerability information, and return the query result to the terminal device 101.
It is understood that the image information is the raw input data to the query server 102. The query server 102 can match the industrial control vulnerability information corresponding to the image information from the industrial control vulnerability database 103 through the image information.
The industrial control vulnerability database 103 is used for storing, updating and associating industrial control vulnerability information. The industrial control vulnerability information at least comprises one or more of industrial control vulnerability name, product information with industrial control vulnerability, industrial control vulnerability description information, industrial control vulnerability tracking process information and industrial control vulnerability source.
The product information with industrial control vulnerabilities at least comprises one or more of product names, product models and product versions. The industrial control vulnerability tracking process information at least comprises one or more of the discovery time of the industrial control vulnerability, the patching time of the industrial control vulnerability and the information propagation heat of the industrial control vulnerability.
In one possible implementation, the query server 102 includes: an image information extraction module 1021, a keyword filtering module 1022, an information normalization module 1023, and an information search and result integration module 1024.
The image information extracting module 1021 is configured to identify text information in the image information by using a preset intelligent algorithm, and send the text information to the keyword filtering module 1022.
As an alternative example, the preset intelligent algorithm may be any one of the intelligent optical character recognition (OCR) algorithms, such as an OCR algorithm based on a convolutional neural network (CNN), an OCR algorithm based on a recurrent neural network (RNN), an OCR algorithm based on a convolutional recurrent neural network (CRNN), an OCR algorithm based on connectionist temporal classification (CTC), and the like. The extracted text information is input to the keyword filtering module 1022 in the form of a character string.
The keyword filtering module 1022 is configured to filter the text information based on a preset filtering rule, acquire keyword information in the text information, and send the keyword information to the information normalization module 1023.
The preset filtering rule is specifically to filter out every keyword that is not industrial control equipment information, so that only industrial control equipment information is retained. The industrial control equipment information at least comprises one or more of industrial control equipment manufacturer name, industrial control equipment series, industrial control equipment product model number, industrial control equipment order number, hardware version number in the industrial control equipment and firmware version number in the industrial control equipment.
As an optional example, the extracted text information is filtered based on a regular expression technology, a character string irrelevant to industrial control vulnerability information is removed, and keyword information is extracted. The keyword information includes a substring having a higher hit rate among the valid strings. The keyword filtering module 1022 can extract keyword information in the text information, and based on the keyword information, the number of times of invalid query can be reduced, so that the hit rate of matching the industrial control vulnerability information and the quality of the industrial control vulnerability information are improved, the query complexity is reduced, and the working efficiency of the whole industrial control security evaluation process is effectively improved.
The information normalization module 1023 is used for performing normalization processing on the keyword information to obtain query keyword information.
In specific implementation, the information normalization module 1023 is specifically configured to perform normalization processing on keyword information with the same meaning but different expression forms, perform normalization processing on keyword information indicating the same version number, perform normalization processing on keyword information of the same type having an inclusion relationship, and acquire query keyword information.
Normalizing keyword information that has the same meaning but different expression forms specifically means expressing such keyword information uniformly in one and the same expression form.
Normalizing keyword information that represents the same version number specifically means representing such keyword information by one and the same version number.
Normalizing keyword information of the same type that has an inclusion relationship specifically comprises the following steps: sorting out the inclusion relations among the screened keyword information of the same type, wherein the most detailed keyword information covers the remaining keyword information of the same type, and then retaining the most detailed keyword information of the same type and discarding the remaining keyword information of the same type. Keyword information of the same type is keyword information whose meaning belongs to the same type. For example, the obtained keyword information is Siemens CPU314C-2PN/DP, SIMATIC, and S7-300, which all belong to the series of the industrial control device and are therefore keyword information of the same type. Siemens CPU314C-2PN/DP is the most detailed series information among the three, and covers SIMATIC and S7-300. Therefore, the series information may be expressed by Siemens CPU314C-2PN/DP alone instead of SIMATIC and S7-300.
It can be understood that the query efficiency can be improved by performing normalization processing on the keyword information.
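The filtering and normalization steps described above, as an added Python example that is not code from the patent: it runs on the OCR text the description lists for the device photo of fig. 3. The regular expressions, the alias table and the series hierarchy are assumptions made for this illustration, and the second input in the test is constructed.

```python
import re

# OCR output the description lists for the device photo (fig. 3).
OCR_TOKENS = ["CPU314C-2PN/DP", "SIEMENS", "SIMATIC", "S7-300", "314-6EH04-0AB0",
              "SF", "BF1", "BF2", "RUN", "STOP", "0", "1", "2", "3", "4", "5",
              "6", "7", "DI8xDC24V", "AI5/A02x12Bit"]

# Assumed filtering rules: one regular expression per kind of device information.
VERSION_RE = re.compile(r"^(?:v|ver\.?|fw)?\s*(\d+(?:\.\d+){1,3})$", re.I)
FILTER_RULES = [
    ("vendor", re.compile(r"^siemens(?: ag)?$", re.I)),
    ("series", re.compile(
        r"^(?:SIMATIC|S7-\d{3,4}|CPU\d{3}[A-Z]?-\d[A-Z]{2}/[A-Z]{2})$", re.I)),
    ("order_number", re.compile(r"^\d{3}-\d[A-Z]{2}\d{2}-\d[A-Z]{2}\d$", re.I)),
    ("version", VERSION_RE),
]

# Assumed normalization tables (hypothetical, for illustration only).
VENDOR_ALIASES = {"siemens": "Siemens", "siemens ag": "Siemens"}
# more detailed series keyword -> the broader keyword it covers
SERIES_PARENT = {"CPU314C-2PN/DP": "S7-300", "S7-300": "SIMATIC"}


def filter_keywords(tokens):
    """Keep only tokens that look like device information; drop LED labels etc."""
    kept = []
    for token in tokens:
        token = token.strip()
        for kind, rule in FILTER_RULES:
            if rule.match(token):
                kept.append((kind, token))
                break
    return kept


def ancestors(series):
    """All broader series keywords covered by the given one."""
    covered = set()
    while series in SERIES_PARENT:
        series = SERIES_PARENT[series]
        covered.add(series)
    return covered


def normalize(keywords):
    """Apply the three normalization rules and return the query keywords."""
    query = {}
    for kind, token in keywords:
        if kind == "vendor":            # same meaning, different expression
            value = VENDOR_ALIASES[token.casefold()]
        elif kind == "version":         # same version number, different spelling
            value = VERSION_RE.match(token).group(1)
        else:
            value = token.upper()
        if value not in query.setdefault(kind, []):
            query[kind].append(value)
    # Inclusion relation: keep only the most detailed series keyword(s).
    series = query.get("series", [])
    covered = set().union(*(ancestors(s) for s in series))
    if series:
        query["series"] = [s for s in series if s not in covered]
    return query


if __name__ == "__main__":
    print(normalize(filter_keywords(OCR_TOKENS)))
```

The inclusion rule cannot be derived from the strings themselves (S7-300 is not a substring of CPU314C-2PN/DP), so it depends on a maintained product hierarchy; a stale hierarchy silently widens or narrows the query.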
The information search and result integration module 1024 is configured to receive the query keyword information, match the industrial control vulnerability information corresponding to the query keyword information from the industrial control vulnerability database 103 based on the query keyword information, process the matched industrial control vulnerability information based on a preset rule to generate a query result, and return the query result to the terminal device 101.
It can be understood that at least one piece of industrial control vulnerability information corresponds to the matched query keyword information. Before generating a query result, the matched industrial control vulnerability information needs to be processed based on a preset rule. The preset rules at least comprise one or more of sorting rules, duplicate-checking rules, summary information extraction rules and vulnerability detail extraction rules. The sorting rules include at least time sorting rules or heat sorting rules.
The matched industrial control vulnerability information is processed based on the preset rule, a query result is generated, and the query result is returned to the terminal device 101.
After the terminal device 101 receives the query result sent by the query server 102, the terminal device 101 is further configured to evaluate the security of the industrial control system based on the query result.
In the industrial control security evaluation system provided in the embodiment of the present application, the terminal device 101 sends the image information to the query server, and the query server extracts the text information in the image information based on the intelligent OCR algorithm by using the image information extraction module, and then performs keyword filtering and normalization processing on the extracted text information by using the keyword filtering module and the information normalization module to generate the query keyword information. Finally, the information search and result integration module queries the industrial control vulnerability library for the industrial control vulnerability information matching the keyword information, further processes the industrial control vulnerability information based on a preset rule and generates a query result. The query result is returned to the terminal device for display, and the security of the industrial control system is evaluated by using the query result. The industrial control security evaluation system provided by the embodiment of the application can evaluate the security of the industrial control system according to the image information of the industrial control equipment. Because photographing the industrial control equipment has little influence on the industrial control system and the industrial control network, the security evaluation of the industrial control system is realized with little influence on the operation of the industrial control system and the industrial control network.
Referring to fig. 2, fig. 2 is a schematic structural diagram of another industrial control safety evaluation system provided in the embodiment of the present application. In addition to the terminal device 101, the query server 102 and the industrial control vulnerability library 103 shown in fig. 1, the system further comprises a vulnerability collection and processing server 104. The vulnerability collection and processing server 104 is used for updating the industrial control vulnerability information of the industrial control vulnerability database 103.
It is to be appreciated that the industrial control vulnerability library 103 is associated with a query server 102 and a vulnerability collection and processing server 104.
In one possible implementation, the vulnerability collection and processing server 104 includes: a vulnerability information collection module 1041, a natural language processing module 1042 and a vulnerability normalization module 1043.
The vulnerability information collection module 1041 is configured to collect preselected industrial control vulnerability information periodically, and send the preselected industrial control vulnerability information to the natural language processing module 1042.
In specific implementation, the vulnerability information collection module 1041 collects public industrial control vulnerability information through multiple modes and channels, thereby improving the timeliness, comprehensiveness, completeness and multidimensionality of the vulnerability information stored in the industrial control vulnerability database, and continuously increasing the data and improving the quality of the industrial control vulnerability information stored in the whole industrial control vulnerability database.
As an optional example, the vulnerability information collection module 1041 continuously and automatically collects industrial control vulnerability information disclosed on the internet, including: industrial control vulnerability information disclosed by public vulnerability libraries, industrial control vulnerability information disclosed by personal blogs, industrial control vulnerability information disclosed by research institutions, industrial control vulnerability information disclosed by authorities, and the like. The public vulnerability libraries are, for example, Common Vulnerabilities and Exposures (CVE), the national information security vulnerability sharing platform CNVD, the national information security vulnerability library CNNVD, the national industrial information security vulnerability library CICSVD, and the like.
As another optional example, the vulnerability information collection module 1041 receives original industrial control vulnerability information manually submitted by security researchers.
The same vulnerability may be described in different forms due to different channels, such as open vulnerability libraries, personal blogs, security companies, research institutions or authorities. Therefore, after the vulnerability information is collected through different channels, the collected industrial control vulnerability information needs to be processed. In specific implementation, the collected industrial control vulnerability information is processed through the natural language processing module 1042 and the vulnerability normalization module 1043.
The natural language processing module 1042 is used for performing invalid information processing, vulnerability attribute extraction and association relationship acquisition on the preselected industrial control vulnerability information.
The association relationship comprises the association relationship between the preselected industrial control vulnerability information and the industrial control vulnerability information in the industrial control vulnerability library and, when there are multiple pieces of preselected industrial control vulnerability information, the association relationship among those pieces of preselected industrial control vulnerability information.
The vulnerability normalization module 1043 is configured to perform normalization processing on the preselected industrial control vulnerability information, obtain newly added industrial control vulnerability information, and add the newly added industrial control vulnerability information to the industrial control vulnerability library 103 based on the vulnerability attribute and the association relationship.
Performing normalization processing on the preselected industrial control vulnerability information with the vulnerability normalization module 1043 reduces redundant vulnerability information. For example, after a web crawler acquires one piece of industrial control vulnerability information from the CVE and one from the CNNVD at the same time, the two pieces are confirmed to describe the same vulnerability by the association relationship information between the CVE-ID and the CNNVD-ID. Therefore, after the processing of the vulnerability normalization module, a single piece of industrial control vulnerability information is added to the industrial control vulnerability database, and the CVE-ID, the CNNVD-ID and the related description information are recorded in that record, so that redundant industrial control vulnerability information is effectively reduced.
The vulnerability collection and processing server 104 is used for performing comprehensive processing such as normalization, labeling, heat tracking and the like on the collected industrial control vulnerability information based on a natural language processing technology, and newly adding, updating and optimizing the industrial control vulnerability information in the industrial control vulnerability database 103.
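The vulnerability normalization described above (records from different channels confirmed as one vulnerability through their cross-referenced IDs), as an added Python example that is not code from the patent. It generalizes the CVE/CNNVD pair to any number of sources by grouping records transitively; the record layout is an assumption, and all records and identifiers are constructed placeholders.

```python
import re

# Identifier formats of the public libraries named in the description.
ID_RE = re.compile(
    r"\b(?:CVE-\d{4}-\d{4,}|CNNVD-\d{6}-\d{3,}|CNVD-\d{4}-\d{4,})\b")

# Constructed sample data; every identifier is a placeholder, not a real entry.
LIBRARY = [  # already stored in the industrial control vulnerability library
    {"id": "CVE-0000-0001", "source": "CVE", "refs": [],
     "description": "Constructed entry A as published in the CVE list."},
]
PRESELECTED = [  # freshly collected, not yet normalized
    {"id": "CNNVD-000000-001", "source": "CNNVD", "refs": ["CVE-0000-0001"],
     "description": "Constructed entry A as published by CNNVD."},
    {"id": "CNVD-0000-00001", "source": "CNVD", "refs": [],
     "description": "Constructed entry A; also tracked as CNNVD-000000-001."},
    {"id": "CVE-0000-0002", "source": "CVE", "refs": [],
     "description": "Constructed, unrelated entry B."},
]


def record_ids(rec):
    """Own ID, explicit cross references, and IDs mentioned in the text."""
    ids = {rec["id"]}
    ids.update(rec.get("refs", []))
    ids.update(ID_RE.findall(rec.get("description", "")))
    return ids


def find(parent, x):
    """Union-find root lookup with path halving."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def merge_records(library, preselected):
    """Group records that share any identifier and emit one entry per group."""
    parent = {}
    records = library + preselected
    for rec in records:
        ids = sorted(record_ids(rec))
        for other in ids:
            parent[find(parent, other)] = find(parent, ids[0])
    merged = {}
    for rec in records:
        entry = merged.setdefault(
            find(parent, rec["id"]),
            {"ids": set(), "sources": [], "descriptions": []})
        entry["ids"] |= record_ids(rec)
        if rec["source"] not in entry["sources"]:
            entry["sources"].append(rec["source"])
        entry["descriptions"].append(rec["description"])
    return sorted(({**e, "ids": sorted(e["ids"])} for e in merged.values()),
                  key=lambda e: e["ids"])


if __name__ == "__main__":
    for entry in merge_records(LIBRARY, PRESELECTED):
        print(entry["ids"], entry["sources"])
```

Transitive grouping over-merges when an advisory only mentions another identifier in passing (for example "similar to ..."), so IDs extracted from free text deserve a lower trust level than explicit cross-reference fields.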
The query server 102, the industrial control vulnerability library 103 and the vulnerability collection and processing server 104 adopt HTTP, database network interfaces or custom network interfaces to perform remote procedure call or information exchange, so that the query server 102, the industrial control vulnerability library 103 and the vulnerability collection and processing server 104 can be deployed on one server or can be flexibly deployed on a plurality of servers.
With the industrial control safety assessment system provided by the embodiment of this application, security assessment personnel need not master a large amount of specialist domain knowledge, such as industrial manufacturers and product series and models, nor the complicated operation flow of a security inspection toolbox. The industrial control vulnerability information corresponding to the image information can be obtained quickly merely by photographing or video-recording the industrial control equipment to obtain its image information, and the security of the industrial control system can then be evaluated, which lowers the technical threshold for security assessment personnel.
In order to facilitate understanding of the industrial control safety evaluation system provided by the embodiment of the present application, an exemplary application scenario thereof is described below with reference to fig. 3. Referring to fig. 3, fig. 3 is a schematic diagram of an image of an industrial control device according to an embodiment of the present disclosure.
As shown in fig. 3, the image of the industrial control device is a picture of the industrial control device. And the terminal equipment sends the picture to the query server. The image information extraction module of the query server performs OCR algorithm processing on the picture shown in fig. 3 to extract character information. The extracted text information comprises: CPU314C-2PN/DP, SIEMENS, SIMATIC, S7-300, 314-6EH04-0AB0, SF, BF1, BF2, RUN, STOP, 0, 1, 2, 3, 4, 5, 6, 7, DI8xDC24V, AI5/A02x12Bit and other character information.
The extracted text information is input into the keyword filtering module, and the retained keyword information comprises: CPU314C-2PN/DP, SIEMENS, SIMATIC, S7-300, 314-6EH04-0AB0. Normalization processing is then carried out by the information normalization module to generate query keyword information. The information search and result integration module matches the industrial control vulnerability information corresponding to the query keyword information from the industrial control vulnerability library, and processes the matched industrial control vulnerability information based on a time sorting rule, a duplicate-checking rule, a summary information extraction rule and a vulnerability detail extraction rule to generate a query result. The final query results obtained are as follows:
"data":{
{"keyword":"S7-300","vul_info":
{"index":"1","name":"Siemens SIMATIC PLC uses a plaintext unverified protocol vulnerability","dateTime":"2011-06-10","riskLevel":"low","description":"Siemens SIMATIC S7 series PLCs are used in a variety of industrial fields including energy, water conservancy, oil, gas, chemical, building automation, and manufacturing industries. The interface of S7300/400 allows the use of plaintext protocols for Siemens and non-Siemens products, and changing protocols would cause compatibility problems for the products."},
{"index":"2","name":"Siemens S7-300 hardcoded credential vulnerabilities","dateTime":"2011-08-03","riskLevel":"high","description":"Siemens SIMATIC S7 series PLCs are used in a variety of industrial fields including energy, water conservancy, oil, gas, chemical, building automation, and manufacturing industries. An attacker can implement a command shell using the credentials of the PLC, the shell having the ability to access internal diagnostic functions in S7-300 PLCs with some older versions of firmware. These PLCs include S7-300 PLCs with an integrated Profinet interface from before October 2009 and IM15x Profinet PLCs."},
{"index":"3","name":"Siemens SIMATIC S7-300 CPU OB module security vulnerability","dateTime":"2015-10-01","riskLevel":"high","description":"Siemens SIMATIC S7-300 CPU is a modular controller from Siemens of Germany for discrete and continuous control in industrial environments such as the manufacturing, food and beverage, and chemical industries. The S7-300 PLC uses structured programs: the program is divided into a plurality of modules, each module completes its corresponding function, and in combination they can realize a complex control system. Just as in a high-level language, a specific function is implemented in a subprogram, and each subprogram is then called through a main program, so that a complex program can be realized. The OB module corresponds to a subroutine and is responsible for calling other modules. An OB module security vulnerability exists in Siemens SIMATIC S7-300 CPU devices. By exploiting the vulnerability, a remote attacker can send a malformed message of a special sequence over Ethernet or a local serial port, so that the application program crashes and a denial of service results (the PLC shows adverse reactions such as denial of service or inability to download a program), and the PLC must be restarted to recover."}
It should be noted that, because a large number of vulnerabilities exist in the Siemens S7-300 series industrial control PLCs, only the first three pieces of vulnerability information of the query result are excerpted for exemplary illustration in the embodiment of the present application.
It can be understood that the query result includes three pieces of ordered industrial control vulnerability information, and each piece of industrial control vulnerability information includes: the industrial control vulnerability name "name", product information with the industrial control vulnerability, the industrial control vulnerability description information "description" and industrial control vulnerability tracking process information. The industrial control vulnerability tracking process information comprises the industrial control vulnerability discovery time "dateTime" and the industrial control vulnerability information propagation heat "riskLevel".
The product information with industrial control vulnerabilities at least comprises one or more of product names, product models and product versions. For example, for the Siemens SIMATIC S7-300 CPU OB module security vulnerability, the product information with the industrial control vulnerability is the Siemens SIMATIC S7-300 CPU OB module.
It can be understood that the higher the risk level of the industrial control vulnerability information, i.e., "riskLevel", is, the worse the security of the industrial control device is.
Finally, the obtained query result is returned to the terminal device. The terminal device performs the security evaluation of the industrial control system; specifically, it evaluates the security of the industrial control devices in the industrial control system, and the security of the industrial control system is evaluated through the security evaluation of those devices. For example, when the risk level of an industrial control device in an industrial control system is high, it is determined that the security of the industrial control device is poor, and the industrial control device needs to be replaced with a safer device.
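How the preset rules and the terminal-side evaluation could fit together, as an added Python example that is not code from the patent: it applies a duplicate check, the time sorting rule and a summary extraction to matched records, then rates the device by its worst "riskLevel". Names, dates and risk levels follow the S7-300 query result above; the descriptions are shortened, the fourth record is a constructed duplicate, and the "medium" level and the 60-character summary limit are assumptions.

```python
from datetime import date

# Assumed rating scale; the query result above only shows "low" and "high".
RISK_ORDER = {"low": 1, "medium": 2, "high": 3}

# Matched records before the preset rules are applied (unsorted on purpose).
MATCHED = [
    {"name": "Siemens SIMATIC S7-300 CPU OB module security vulnerability",
     "dateTime": "2015-10-01", "riskLevel": "high",
     "description": "A malformed message sequence crashes the application. "
                    "The PLC must be restarted to recover."},
    {"name": "Siemens SIMATIC PLC uses a plaintext unverified protocol "
             "vulnerability",
     "dateTime": "2011-06-10", "riskLevel": "low",
     "description": "The S7-300 interface allows plaintext protocols. "
                    "Changing protocols would break compatibility."},
    {"name": "Siemens S7-300 hardcoded credential vulnerabilities",
     "dateTime": "2011-08-03", "riskLevel": "high",
     "description": "Credentials of the PLC give access to a command shell."},
    # Constructed duplicate of the previous record (case and spacing differ).
    {"name": "siemens  s7-300 hardcoded credential vulnerabilities",
     "dateTime": "2011-08-03", "riskLevel": "high",
     "description": "Same issue collected from a second channel."},
]


def dedupe(records):
    """Duplicate check: same normalized name and discovery date, first one wins."""
    unique = {}
    for rec in records:
        key = (" ".join(rec["name"].casefold().split()), rec["dateTime"])
        unique.setdefault(key, rec)
    return list(unique.values())


def summarize(description, limit=60):
    """Summary extraction: first sentence, truncated to the length limit."""
    first = description.split(". ")[0].rstrip(".") + "."
    return first if len(first) <= limit else first[:limit - 3].rstrip() + "..."


def build_query_result(keyword, records):
    """Apply duplicate check, time sorting and summary extraction."""
    ordered = sorted(dedupe(records),
                     key=lambda r: date.fromisoformat(r["dateTime"]))
    vul_info = [{"index": str(i), "name": r["name"], "dateTime": r["dateTime"],
                 "riskLevel": r["riskLevel"],
                 "summary": summarize(r["description"])}
                for i, r in enumerate(ordered, 1)]
    return {"keyword": keyword, "vul_info": vul_info}


def assess_device(query_result):
    """Rate the device by its worst known risk level; count unrated entries."""
    levels = [v["riskLevel"] for v in query_result["vul_info"]]
    rated = [lvl for lvl in levels if lvl in RISK_ORDER]
    worst = max(rated, key=RISK_ORDER.get, default=None)
    return {"worst_risk": worst,
            "unrated": len(levels) - len(rated),
            "poor_security": worst == "high"}


if __name__ == "__main__":
    result = build_query_result("S7-300", MATCHED)
    print(result)
    print(assess_device(result))
```

An empty result only means that nothing matched in the library; it is reported as `worst_risk: None` rather than as a low rating, so a failed OCR or filter step is not mistaken for a clean device.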
Based on the industrial control safety evaluation system provided by the embodiment, the embodiment of the application further provides an industrial control safety evaluation method. The industrial control safety evaluation method is explained below with reference to the drawings.
Referring to fig. 4, fig. 4 is a flowchart of an industrial control safety evaluation method according to an embodiment of the present application. The method is applied to the server side and is specifically executed by the query server in the server side. As shown in fig. 4, the method includes S401-S403:
S401: Receiving image information of the industrial control equipment, wherein the image information is acquired and transmitted by the terminal equipment.
S402: Matching the industrial control vulnerability information corresponding to the image information from a preset industrial control vulnerability library according to the image information, and generating a query result based on the matched industrial control vulnerability information, wherein the industrial control vulnerability information is stored in the industrial control vulnerability library.
S403: Feeding back the query result to the terminal equipment so that the terminal equipment evaluates the safety of the industrial control equipment based on the query result.
In a possible implementation manner, matching, in S402, industrial control vulnerability information corresponding to the image information from a preset industrial control vulnerability library according to the image information, and generating a query result based on the matched industrial control vulnerability information includes:
recognizing the character information in the image information by using a preset intelligent algorithm;
filtering the text information based on a preset filtering rule to obtain keyword information in the text information;
normalizing the keyword information to obtain query keyword information;
matching the industrial control vulnerability information corresponding to the query keyword information from the preset industrial control vulnerability library based on the query keyword information, and processing the matched industrial control vulnerability information based on a preset rule to generate a query result.
In a possible implementation manner, an embodiment of the present application further provides another industrial control security evaluation method, where in the method, in addition to the foregoing S401 to S403, the method further includes updating industrial control vulnerability information of the industrial control vulnerability library. In specific implementation, the server also comprises a vulnerability collecting and processing server, and industrial control vulnerability information of the industrial control vulnerability library is updated by the vulnerability collecting and processing server in the server.
In a possible implementation manner, the updating preset industrial control vulnerability information of the industrial control vulnerability database includes:
collecting preselected industrial control vulnerability information periodically;
carrying out invalid information processing, vulnerability attribute extraction and association relationship acquisition on the preselected industrial control vulnerability information; the association relationship comprises the association relationship between the preselected industrial control vulnerability information and the industrial control vulnerability information in the industrial control vulnerability library and, when there are multiple pieces of preselected industrial control vulnerability information, the association relationship among those pieces of preselected industrial control vulnerability information;
and carrying out normalization processing on the preselected industrial control vulnerability information to obtain newly increased industrial control vulnerability information, and updating the preset industrial control vulnerability information of the industrial control vulnerability library by using the newly increased industrial control vulnerability information based on the vulnerability attributes and the incidence relation.
In a possible implementation manner, the normalizing the keyword information to obtain query keyword information includes:
and normalizing the keyword information with the same meaning but different expression forms, normalizing the keyword information with the same version number, and normalizing the keyword information with the same type and inclusion relation to obtain the query keyword information.
In a possible implementation manner, the preset filtering rule is specifically to filter out keywords other than industrial control equipment information; the industrial control equipment information at least comprises one or more of industrial control equipment manufacturer name, industrial control equipment series, industrial control equipment product model, industrial control equipment order number, hardware version number in the industrial control equipment and firmware version number in the industrial control equipment.
In a possible implementation manner, the preset rule at least includes one or more of a sorting rule, a duplicate-checking rule, a summary information extraction rule and a vulnerability detail extraction rule; the sorting rules at least comprise time sorting rules or heat sorting rules.
In a possible implementation manner, the industrial control vulnerability information at least comprises one or more of an industrial control vulnerability name, product information with the industrial control vulnerability, industrial control vulnerability description information, industrial control vulnerability tracking process information and an industrial control vulnerability source;
the product information with industrial control vulnerabilities at least comprises one or more of product names, product models and product versions; the industrial control vulnerability tracking process information at least comprises one or more items of industrial control vulnerability discovery time, industrial control vulnerability patching time and industrial control vulnerability information propagation heat.
In a possible implementation manner, the query server, the industrial control vulnerability database and the vulnerability collection and processing server are communicated with each other through a remote procedure call mode based on a network.
In addition, an electronic device is provided in an embodiment of the present application, and includes a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the computer program to implement all or part of the steps of the above-mentioned industrial control security assessment method.
In addition, the present application provides a non-transitory computer readable storage medium, in which a computer program is stored, where the computer program is executed by a processor to implement all or part of the steps of the industrial control safety assessment method.
It should be noted that the industrial control security evaluation method provided in this embodiment may be applied to an industrial control security evaluation system, and the industrial control security evaluation system may be the industrial control security evaluation system provided in the above embodiment, and for the description of the relevant functions and principles of the industrial control security evaluation system, reference may be made to the above embodiment, and details are not repeated herein.
It should be noted that, in the present specification, the embodiments are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. The method disclosed by the embodiment corresponds to the system disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the system part for description.
It should also be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (20)

1. An industrial control security assessment system, comprising: a terminal device, a query server and an industrial control vulnerability library; the industrial control vulnerability library stores industrial control vulnerability information;
the terminal device is used for acquiring image information of industrial control equipment in an industrial control system and sending the image information to the query server;
the query server is used for matching the industrial control vulnerability information corresponding to the image information from the industrial control vulnerability library according to the image information, generating a query result based on the matched industrial control vulnerability information, and returning the query result to the terminal equipment;
and the terminal equipment is also used for evaluating the safety of the industrial control system based on the query result.
2. The industrial control security assessment system according to claim 1, wherein said query server comprises: an image information extraction module, a keyword filtering module, an information normalization module and an information search and result integration module;
the image information extraction module is used for identifying character information in the image information by using a preset intelligent algorithm and sending the character information to the keyword filtering module;
the keyword filtering module is used for filtering the text information based on a preset filtering rule, acquiring keyword information in the text information and sending the keyword information to the information normalization module;
the information normalization module is used for performing normalization processing on the keyword information to obtain query keyword information;
the information searching and result integrating module is used for receiving the query keyword information, matching the industrial control vulnerability information corresponding to the query keyword information from the industrial control vulnerability library based on the query keyword information, processing the matched industrial control vulnerability information based on a preset rule to generate a query result, and returning the query result to the terminal equipment.
3. The industrial control security assessment system of claim 1, further comprising: a vulnerability collection and processing server;
and the vulnerability collecting and processing server is used for updating the industrial control vulnerability information of the industrial control vulnerability library.
4. The industrial control security assessment system according to claim 3, wherein said vulnerability collection and processing server comprises: a vulnerability information collection module, a natural language processing module and a vulnerability normalization module;
the vulnerability information collection module is used for periodically collecting preselected industrial control vulnerability information and sending the preselected industrial control vulnerability information to the natural language processing module;
the natural language processing module is used for carrying out invalid information processing, vulnerability attribute extraction and incidence relation acquisition on the preselected industrial control vulnerability information; the incidence relation comprises the incidence relation between the preselected industrial control vulnerability information and the industrial control vulnerability information in the industrial control vulnerability library and the incidence relation between the preselected industrial control vulnerability information when the preselected industrial control vulnerability information is multiple;
and the vulnerability normalization module is used for carrying out normalization processing on the preselected industrial control vulnerability information, acquiring newly added industrial control vulnerability information, and adding the newly added industrial control vulnerability information to the industrial control vulnerability library based on the vulnerability attributes and the incidence relation.
5. The industrial control security evaluation system of claim 2, wherein the information normalization module is specifically configured to perform normalization processing on the keyword information with the same meaning but different expression forms, perform normalization processing on the keyword information with the same version number, perform normalization processing on the keyword information with the same type having an inclusion relationship, and obtain the query keyword information.
6. The industrial control safety evaluation system according to claim 2, wherein the preset filtering rule is specifically to filter out keywords other than industrial control equipment information; the industrial control equipment information at least comprises one or more of industrial control equipment manufacturer name, industrial control equipment series, industrial control equipment product model, industrial control equipment order number, hardware version number in the industrial control equipment and firmware version number in the industrial control equipment.
7. The industrial control security evaluation system according to claim 2, wherein the preset rules at least include one or more of a sorting rule, a coincidence finding rule, a summary information extraction rule and a vulnerability detail extraction rule; the sorting rules at least comprise time sorting rules or heat sorting rules.
8. The industrial control security assessment system according to any one of claims 1-7, wherein the industrial control vulnerability information at least comprises one or more of industrial control vulnerability name, product information with industrial control vulnerability, industrial control vulnerability description information, industrial control vulnerability tracking process information and industrial control vulnerability source;
the product information with industrial control vulnerabilities at least comprises one or more of product names, product models and product versions; the industrial control vulnerability tracking process information at least comprises one or more items of industrial control vulnerability discovery time, industrial control vulnerability patching time and industrial control vulnerability information propagation heat.
9. The industrial control security assessment system according to any one of claims 1-7, wherein said query server, said industrial control vulnerability library and said vulnerability collection and processing server communicate via a network-based remote procedure call.
10. An industrial control safety assessment method, applied to a server side, comprising the following steps:
receiving image information of industrial control equipment, wherein the image information is acquired and transmitted by terminal equipment;
matching industrial control vulnerability information corresponding to the image information from a preset industrial control vulnerability library according to the image information, and generating a query result based on the matched industrial control vulnerability information, wherein the industrial control vulnerability information is stored in the industrial control vulnerability library;
and feeding back the query result to the terminal equipment so that the terminal equipment evaluates the safety of the industrial control equipment based on the query result.
11. The method according to claim 10, wherein the matching of the industrial control vulnerability information corresponding to the image information from a preset industrial control vulnerability library according to the image information and the generation of the query result based on the matched industrial control vulnerability information comprises:
recognizing the character information in the image information by using a preset intelligent algorithm;
filtering the text information based on a preset filtering rule to obtain keyword information in the text information;
normalizing the keyword information to obtain query keyword information;
matching the industrial control vulnerability information corresponding to the query keyword information from the preset industrial control vulnerability library based on the query keyword information, and processing the matched industrial control vulnerability information based on a preset rule to generate a query result.
12. The method of claim 10, further comprising:
and updating the preset industrial control vulnerability information of the industrial control vulnerability database.
13. The method according to claim 12, wherein the updating of the preset industrial control vulnerability information of the industrial control vulnerability library comprises:
collecting preselected industrial control vulnerability information periodically;
carrying out invalid information processing, vulnerability attribute extraction and incidence relation acquisition on the preselected industrial control vulnerability information; the incidence relation comprises the incidence relation between the preselected industrial control vulnerability information and the industrial control vulnerability information in the industrial control vulnerability library and the incidence relation between the preselected industrial control vulnerability information when the preselected industrial control vulnerability information is multiple;
and carrying out normalization processing on the preselected industrial control vulnerability information to obtain newly increased industrial control vulnerability information, and updating the preset industrial control vulnerability information of the industrial control vulnerability library by using the newly increased industrial control vulnerability information based on the vulnerability attributes and the incidence relation.
14. The method according to claim 11, wherein the normalizing the keyword information to obtain query keyword information comprises:
and normalizing the keyword information with the same meaning but different expression forms, normalizing the keyword information with the same version number, and normalizing the keyword information with the same type and inclusion relation to obtain the query keyword information.
15. The method according to claim 11, wherein the preset filtering rule is specifically to filter out keywords other than industrial control device information; the industrial control equipment information at least comprises one or more of industrial control equipment manufacturer name, industrial control equipment series, industrial control equipment product model, industrial control equipment order number, hardware version number in the industrial control equipment and firmware version number in the industrial control equipment.
16. The method according to claim 11, wherein the preset rules at least include one or more of a sorting rule, a coincidence finding rule, a summary information extraction rule and a vulnerability detail extraction rule; the sorting rules at least comprise time sorting rules or heat sorting rules.
17. The method according to any one of claims 10 to 16, wherein the industrial control vulnerability information at least comprises one or more of industrial control vulnerability name, product information of existing industrial control vulnerability, industrial control vulnerability description information, industrial control vulnerability tracking process information and industrial control vulnerability source;
the product information with industrial control vulnerabilities at least comprises one or more of product names, product models and product versions; the industrial control vulnerability tracking process information at least comprises one or more items of industrial control vulnerability discovery time, industrial control vulnerability patching time and industrial control vulnerability information propagation heat.
18. The method of any one of claims 10-16, wherein the query server, the industrial control vulnerability library, and the vulnerability collection and processing server communicate via a network-based remote procedure call.
19. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements all or part of the steps of the method according to any one of claims 10 to 18 when executing the program.
20. A non-transitory computer readable storage medium, having a computer program stored thereon, wherein the computer program, when executed by a processor, implements all or part of the steps of any of the methods of claims 10-18.
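The server-side steps of claims 11 and 14 to 16 (filter recognized nameplate text down to device keywords, normalize them, match the vulnerability library, sort the result) can be sketched as follows. This is an added example, not code from the patent or its applicants; the vendor "Acme", the model names, the `EXAMPLE-…` identifiers, the `fixed_in` version field and all function names are assumptions constructed for illustration, and the OCR step is replaced by a constructed text sample.

```python
import re
from datetime import date

# Everything below is constructed for illustration: vendor, models, IDs, dates.
VENDOR_ALIASES = {"acme automation gmbh": "acme", "acme automation": "acme", "acme": "acme"}
SERIES_MODELS = {"ax-300": {"ax-315", "ax-317"}}   # series -> models it includes
VULN_LIBRARY = [
    {"id": "EXAMPLE-0001", "vendor": "acme", "product": "ax-315",
     "fixed_in": (2, 1, 0), "found": date(2021, 3, 1), "heat": 12},
    {"id": "EXAMPLE-0002", "vendor": "acme", "product": "ax-300",
     "fixed_in": (3, 0, 0), "found": date(2020, 7, 9), "heat": 80},
    {"id": "EXAMPLE-0003", "vendor": "acme", "product": "ax-317",
     "fixed_in": (9, 0, 0), "found": date(2021, 9, 9), "heat": 5},
]
SAMPLE_OCR = """ACME Automation GmbH
AX-315 CPU Module
Order No. 4711-0815   Input 24V DC 0.5A
FW: V2.0"""

VERSION_RE = re.compile(r"\b(?:fw|firmware|ver(?:sion)?|v)[\s.:]*(\d+(?:\.\d+){0,2})\b", re.I)
MODEL_RE = re.compile(r"\b[a-z]{2}-\d{3}\b")


def normalize_version(text):
    """Map 'V2.0', 'v2.0.0' and 'Firmware version 2' to the same (2, 0, 0)."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def extract_query_keywords(ocr_text):
    """Filtering + normalization: keep only vendor, model and firmware version."""
    text = " ".join(ocr_text.lower().split())
    vendor = next((canon for alias, canon in VENDOR_ALIASES.items() if alias in text), None)
    model = MODEL_RE.search(text)
    return {"vendor": vendor, "model": model.group(0) if model else None,
            "version": normalize_version(text)}


def applies_to(product, model):
    """Inclusion relationship: a series-level entry covers every model in it."""
    return product == model or model in SERIES_MODELS.get(product, ())


def query(ocr_text, order="time"):
    """Match normalized keywords against the library and sort by time or heat."""
    kw = extract_query_keywords(ocr_text)
    if None in kw.values():
        # An unreadable nameplate is "unknown", never "no vulnerabilities".
        return {"keywords": kw, "complete": False, "hits": []}
    hits = [v for v in VULN_LIBRARY
            if v["vendor"] == kw["vendor"] and applies_to(v["product"], kw["model"])
            and kw["version"] < v["fixed_in"]]
    sort_key = "found" if order == "time" else "heat"
    hits.sort(key=lambda v: v[sort_key], reverse=True)
    return {"keywords": kw, "complete": True, "hits": [v["id"] for v in hits]}


if __name__ == "__main__":
    print(query(SAMPLE_OCR, order="time"))
    print(query(SAMPLE_OCR, order="heat"))
    print(query("smudged label"))
```

The `complete` flag matters for the assessment step on the terminal: an empty hit list from a nameplate that could not be fully read should be reported as an unidentified device, not as a device without known vulnerabilities.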

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111315919.6A CN114037270A (en) 2021-11-08 2021-11-08 Industrial control safety evaluation system and method

Publications (1)

Publication Number Publication Date
CN114037270A (en) 2022-02-11

Family

ID=80136666

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111315919.6A Pending CN114037270A (en) 2021-11-08 2021-11-08 Industrial control safety evaluation system and method

Country Status (1)

Country Link
CN (1) CN114037270A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Country or region after: China

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant after: QAX Technology Group Inc.

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Applicant before: QAX Technology Group Inc.

Country or region before: China

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.
