CN114257414A - Intelligent network security duty method and system - Google Patents


Info

Publication number
CN114257414A
Authority
CN
China
Prior art keywords
network security
alarm
alarm information
network
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111410097.XA
Other languages
Chinese (zh)
Inventor
许家余
王伟
杜善慧
申晨
刘浩
宋宜飞
于皓杰
王家冕
姜丹
许辉
延凯
刘伟波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Rizhao Power Supply Co of State Grid Shandong Electric Power Co Ltd
Original Assignee
Rizhao Power Supply Co of State Grid Shandong Electric Power Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Rizhao Power Supply Co of State Grid Shandong Electric Power Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02J CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
    • H02J13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
    • H02J13/00006 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuit breaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network characterised by information or instructions transport means between the monitoring, controlling or managing units and monitored, controlled or operated power network element or electrical equipment
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02E REDUCTION OF GREENHOUSE GAS [GHG] EMISSIONS, RELATED TO ENERGY GENERATION, TRANSMISSION OR DISTRIBUTION
    • Y02E60/00 Enabling technologies; Technologies with a potential or indirect contribution to GHG emissions mitigation
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/12 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them characterised by data transport means between the monitoring, controlling or managing units and monitored, controlled or operated electrical equipment
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention relates to the technical field of power supply network security, and provides an intelligent network security duty method and system. S101, collecting alarms of the network security protection equipment to generate network security alarm information; S102, storing the collected network security alarm information in a database; S103, classifying the network security alarm information in the database according to the network attack mode; S104, associating and combining the different types of network security alarm information with the corresponding alarm events; and S105, auditing the combined network security alarm information and removing false alarm information or periodic alarm information from it. With this intelligent network security duty method and system, the pressure on duty personnel is reduced and duty efficiency is improved. Secondly, the professional skill threshold for the operator on duty is lowered and the accuracy of alarm analysis and judgment is improved.

Description

Intelligent network security duty method and system
Technical Field
The invention relates to the technical field of power supply network security, and in particular to an intelligent network security duty method and system.
Background
In the power industry, the operation of the power system is monitored in real time by means of communication technology, so that power data are acquired in real time; however, the various power supply and distribution devices access the power grid database through mobile communication terminals to upload grid data, and this also poses a great challenge to the power network security protection system.
Because the quality of the security data generated by the various security protection tools is currently low, the security data in a large-scale network are enormous in volume and require a great deal of manual analysis: a network accessed at 100 Mbps can generate more than 100,000 alarm records per hour, which cannot possibly be processed manually in time. Even when a security event does generate an alarm, that alarm is often buried in a large number of redundant alarms. How to process network security alarms effectively and improve alarm quality is therefore a problem that large-scale network security protection urgently needs to solve.
Disclosure of Invention
The invention provides an intelligent network security duty method for removing a large number of redundant alarms and improving alarm quality, which comprises the following steps:
S101, collecting alarms of the network security protection equipment to generate network security alarm information;
S102, storing the acquired network security alarm information in a database;
S103, classifying the network security alarm information in the database according to the network attack mode;
S104, associating and combining the different types of network security alarm information with the corresponding alarm events;
and S105, auditing the combined network security alarm information and removing false alarm information or periodic alarm information from it.
Preferably, the step of auditing the combined network security alarm information and removing false alarm information or periodic alarm information specifically comprises:
S401, collecting the alarms of the network security protection equipment;
S402, selecting, from the network security alarm information, the alarm types whose alarm ratio reaches a set threshold;
S403, for each selected alarm type, selecting the source IPs or destination IPs whose alarm ratio reaches the threshold;
S404, compiling the time series of the selected alarms and solving for the period of each alarm time series;
S405, performing a hypothesis test on the periods obtained from the alarm sequences to determine which alarms are periodic;
and S406, removing the periodic alarms.
Preferably, the step of classifying the network security alarm information in the database according to the network attack mode comprises:
according to the network attack mode, dividing network attacks into distributed attacks from multiple source IP addresses to a destination IP address, attacks from one source IP address to multiple destination IP addresses, and intrusion attacks from a single source IP address to a single destination IP address.
Preferably, the network security alarm information comprises an alarm rule, a source IP address, a destination IP address, a source port and a destination port;
the database is a MongoDB database;
and the network security protection equipment comprises an intrusion prevention system, a flow probe and a firewall.
The invention also provides an intelligent network security duty system that executes the intelligent network security duty method;
the system comprises a data processing terminal and network security protection equipment;
the data processing terminal comprises a network security alarm acquisition module, a network security alarm storage module and a network security alarm analysis module;
the network security alarm acquisition module is connected to the network security protection equipment;
the network security alarm acquisition module is used to acquire the alarms of the network security protection equipment and generate network security alarm information;
the network security alarm storage module is used to store the acquired network security alarm information in a database;
the network security alarm analysis module is used to classify the network security alarm information and to associate and combine the network security alarm information with the alarm events;
and the data processing terminal is used to audit the network security alarm information and remove the false alarm information from it.
Preferably, the system further comprises an intelligent linkage module;
the data processing terminal is connected to the network security protection equipment through the intelligent linkage module;
and when the data processing terminal judges the network security alarm information to indicate a network attack, it sends a linkage signal to the network security protection equipment through the intelligent linkage module to make the equipment block the attacking address.
Preferably, the system further comprises a front-end display operation module;
and the front-end display operation module is used to display the network security alarm information and to provide an operation interface for analysing and judging it.
Preferably, the data processing terminal further comprises an alarm aggregation module;
and the alarm aggregation module is used to analyse and judge the network security alarm information and to classify it according to the network attack mode.
Preferably, the data processing terminal further comprises an alarm removal module;
and the alarm removal module is used to perform a hypothesis test on the periods obtained from the alarm sequences and to remove periodic alarms according to the result of the test.
According to the above technical scheme, the invention has the following advantages:
the collected network security alarm information is classified, and the network security alarm information is associated and combined with the alarm events, which reduces the network security alarm information in a first pass; auditing the network security alarm information then removes the false alarm information, so that the number of network security alarms is reduced further. The network security alarm information is classified according to the network attack mode and a corresponding threshold is set for each type of alarm. The set threshold screens periodic alarms from non-periodic alarms, so the system can identify whether certain alarms are periodic, routine alarms; such alarms can then be screened further, which improves alarm quality. Selecting the source IPs or destination IPs whose alarm ratio reaches the threshold, compiling the time series of the selected alarms, solving for the corresponding alarm period from the time series, and performing a hypothesis test on the solved alarm period ensures that the alarm period found is statistically sound. Once an alarm has been determined to be periodic, it is removed or reduced, further improving alarm quality.
Drawings
In order to more clearly illustrate the technical solution of the present invention, the drawings used in the description will be briefly introduced, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained based on these drawings without inventive labor.
Fig. 1 is a flow chart of a network security intelligent duty method.
FIG. 2 is a flow chart of an implementation of an alarm removal module.
Fig. 3 is a schematic diagram of a network security intelligent duty system.
In the figures: 1, data processing terminal; 2, network security alarm acquisition module; 3, network security protection equipment; 4, intelligent linkage module; 5, network security alarm storage module; 6, network security alarm analysis module; 7, front-end display operation module; 8, alarm removal module; 9, alarm aggregation module.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The invention provides an intelligent network security duty method which, as shown in figures 1 to 3, comprises the following steps:
S101, when the network security protection equipment 3 is attacked or malfunctions, it issues a corresponding alarm. The alarms comprise emergency alarms, primary alarms, secondary alarms, warning alarms, uncertain alarms, false alarms and periodic alarms. Network security alarm information is generated by collecting the alarms of the network security protection equipment 3. The network security protection equipment 3 is a set of software and hardware devices deployed between the dispatching intranet and the extranet, and between the private network and the public network, to form a protective barrier at the boundary between the intranet and the extranet and between the private network and the public network. The network security protection equipment 3 comprises horizontal isolation devices, vertical encryption and authentication devices, firewalls, anti-virus systems, intrusion prevention systems, flow probes and the like.
S102, storing the acquired network security alarm information in a database.
The database is a scalable MongoDB database; MongoDB is a database based on distributed file storage and can read and write the network security alarm information quickly.
S103, classifying the network security alarm information in the database according to the network attack mode.
Different network attacks generate different types of network security alarm information. The network attacks that occur in practice are further divided into three categories: distributed attacks from multiple source IP addresses to a destination IP address, such as denial-of-service attacks; attacks from one source IP address to multiple destination IP addresses, such as the various scanning activities; and intrusion activity from a single source IP address to a single destination IP address, such as vulnerability exploitation and password guessing.
It is further explained that the network security alarm information comprises an alarm rule, a source IP address, a destination IP address, a source port and a destination port. The alarm rule comprises the name of the network security device that issued the alarm, the fault symptom, the location and time of occurrence, the cause, and other information. For example, the name of the network security device issuing the alarm is an intrusion prevention system, and the fault symptom is a distributed attack from multiple source IP addresses to a destination IP address as the network attack mode.
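The acquisition and classification steps above (S101 and S103), as an added example that is not part of the patent: it parses constructed syslog-style alarm lines into records carrying the five fields the description names (alarm rule, source IP, destination IP, source port, destination port) and then labels each alarm rule with one of the three attack patterns by counting the distinct sources and destinations it was raised for. The line layout, the field names and the per-rule grouping are assumptions of this example; real intrusion prevention systems, flow probes and firewalls emit different formats, and a production collector would also window the counts in time.

```python
import re
from collections import defaultdict

# Constructed sample (not real device output): syslog-style alarm lines in a
# key=value layout. Three sources hit one host (distributed), one source
# touches three hosts (scan), one source repeatedly hits one host (intrusion).
SAMPLE_SYSLOG = """\
<134>Nov 25 10:00:01 ips01 IPS: rule="SYN flood" src=10.0.0.11 spt=40001 dst=10.1.1.5 dpt=80
<134>Nov 25 10:00:01 ips01 IPS: rule="SYN flood" src=10.0.0.12 spt=40002 dst=10.1.1.5 dpt=80
<134>Nov 25 10:00:02 ips01 IPS: rule="SYN flood" src=10.0.0.13 spt=40003 dst=10.1.1.5 dpt=80
<134>Nov 25 10:00:05 fw01 FW: rule="port scan" src=10.0.0.99 spt=51000 dst=10.1.1.20 dpt=22
<134>Nov 25 10:00:05 fw01 FW: rule="port scan" src=10.0.0.99 spt=51001 dst=10.1.1.21 dpt=22
<134>Nov 25 10:00:06 fw01 FW: rule="port scan" src=10.0.0.99 spt=51002 dst=10.1.1.22 dpt=22
<134>Nov 25 10:00:09 ips01 IPS: rule="SSH brute force" src=10.0.0.50 spt=53100 dst=10.1.1.30 dpt=22
<134>Nov 25 10:00:10 ips01 IPS: rule="SSH brute force" src=10.0.0.50 spt=53101 dst=10.1.1.30 dpt=22
"""

# Assumed line layout: <PRI>timestamp host app: rule="..." src= spt= dst= dpt=
LINE_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) (?P<app>\S+): '
    r'rule="(?P<rule>[^"]+)" src=(?P<src>\S+) spt=(?P<spt>\d+) '
    r'dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$')


def parse_alarm(line):
    """S101: turn one syslog line into an alarm record; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "device": m["host"], "time": m["ts"], "rule": m["rule"],
        "src_ip": m["src"], "dst_ip": m["dst"],
        "src_port": int(m["spt"]), "dst_port": int(m["dpt"]),
    }


def collect(text):
    """Parse every line, silently dropping lines that are not alarms."""
    return [a for a in (parse_alarm(line) for line in text.splitlines()) if a]


def classify(alarms):
    """S103: label each alarm rule by the source/destination pattern it shows.

    Grouping per rule is an assumption of this example; the patent only
    defines the three patterns, not the grouping key.
    """
    srcs, dsts = defaultdict(set), defaultdict(set)
    for a in alarms:
        srcs[a["rule"]].add(a["src_ip"])
        dsts[a["rule"]].add(a["dst_ip"])
    result = {}
    for rule in srcs:
        n_src, n_dst = len(srcs[rule]), len(dsts[rule])
        if n_src > 1 and n_dst == 1:
            result[rule] = "distributed"   # many sources -> one destination
        elif n_src == 1 and n_dst > 1:
            result[rule] = "scan"          # one source -> many destinations
        elif n_src == 1 and n_dst == 1:
            result[rule] = "intrusion"     # single source -> single destination
        else:
            result[rule] = "unclassified"  # many -> many: outside the three patterns
    return result


if __name__ == "__main__":
    for rule, label in classify(collect(SAMPLE_SYSLOG)).items():
        print(f"{rule}: {label}")
```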
S104, associating and combining the different types of network security alarm information with the corresponding alarm events.
The alarm events comprise connectivity events, performance events, functional fault events and the like. The methods for associating the network security alarm information with the corresponding alarm events comprise: derivative association, which divides alarms into root alarms and derived alarms based on the generation relationship between them; topology association, which forms local-end and remote-end alarms based on the topological connections between network elements; time association, where alarms generated by the same fault point share the characteristic of triggering at the same moment; causal association, where alarm A causes alarm B to trigger or event C to occur, for example a broken optical cable causing an EMS network element to go offline; and link association, where a fault on an aggregation line triggers alarms on the network element equipment along the whole path and a normalized dispatch ticket is formed.
The methods for combining the network security alarm information with the corresponding alarm events comprise:
1. Compression: the same alarm occurring multiple times is compressed into one alarm of the same type.
2. Filtering: false alarms that do not satisfy a given condition are ignored.
3. Suppression: when the events associated with alarms are consistent, certain alarms are suppressed, for example low-level alarms are ignored when a high-level alarm occurs.
4. Counting: a specified number of repeated alarms is replaced by a new type of alarm.
5. Generalization (summarizing): the alarm is referenced by its superclass.
6. Specialization (thinning): a certain alarm is replaced by a more specific sub-category of alarm.
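The six combining operations of S104 applied to a constructed set of alarms, as an added example that is not code from the patent: each operation is one function, `merge` chains compression, filtering, suppression, counting and specialization in the order the description lists them, and `summarize` uses generalization to report the surviving alarms by superclass. The severity ranking, the counting rule (five login failures become one brute-force alarm), the superclass table and the port-based specialization are assumptions of this example.

```python
from collections import Counter

# Severity ranks for the alarm levels the description lists (ordering is an
# assumption of this example); "uncertain" and "false" alarms carry no rank
# and therefore fail the filtering condition below.
SEVERITY = {"emergency": 4, "primary": 3, "secondary": 2, "warning": 1}


def _alarm(rule, event, level, src, dst, dst_port=0):
    return {"rule": rule, "event": event, "level": level,
            "src_ip": src, "dst_ip": dst, "dst_port": dst_port}


# Constructed sample: alarms already associated with their alarm event.
ALARMS = (
    [_alarm("link down", "connectivity", "primary", "10.1.1.5", "10.2.2.9")] * 2
    + [_alarm("high latency", "connectivity", "warning", "10.1.1.5", "10.2.2.9")]
    + [_alarm("login failure", "intrusion", "secondary", "10.0.0.50", "10.1.1.30", 22)] * 5
    + [_alarm("heartbeat missed", "performance", "warning", "10.3.3.1", "10.3.3.2")]
    + [_alarm("sensor self-test", "performance", "false", "10.3.3.1", "10.3.3.1")]
)

# 4. Counting: rule -> (repeat threshold, replacement rule, replacement level)
COUNT_RULES = {"login failure": (5, "brute force", "primary")}
# 5. Generalization: rule -> superclass (assumed taxonomy)
SUPER_CLASS = {"link down": "connectivity fault", "high latency": "connectivity fault",
               "login failure": "credential attack", "brute force": "credential attack",
               "SSH brute force": "credential attack"}


def key(a):
    return (a["rule"], a["event"], a["level"], a["src_ip"], a["dst_ip"], a["dst_port"])


def compress(alarms):
    """1. Compression: identical alarms collapse into one alarm carrying a count."""
    counts = Counter(key(a) for a in alarms)
    seen, out = set(), []
    for a in alarms:
        if key(a) not in seen:
            seen.add(key(a))
            out.append({**a, "count": counts[key(a)]})
    return out


def filter_alarms(alarms, condition):
    """2. Filtering: keep only alarms that satisfy the given condition."""
    return [a for a in alarms if condition(a)]


def suppress(alarms):
    """3. Suppression: for one event on one src/dst pair, keep only the alarms
    at the highest severity present (low-level alarms are ignored)."""
    top = {}
    for a in alarms:
        g = (a["event"], a["src_ip"], a["dst_ip"])
        top[g] = max(top.get(g, 0), SEVERITY.get(a["level"], 0))
    return [a for a in alarms
            if SEVERITY.get(a["level"], 0) == top[(a["event"], a["src_ip"], a["dst_ip"])]]


def count(alarms):
    """4. Counting: a compressed alarm repeated at least N times becomes a new type."""
    out = []
    for a in alarms:
        spec = COUNT_RULES.get(a["rule"])
        if spec and a.get("count", 1) >= spec[0]:
            out.append({**a, "rule": spec[1], "level": spec[2]})
        else:
            out.append(a)
    return out


def generalize(alarm):
    """5. Generalization: refer to the alarm by its superclass."""
    return {**alarm, "rule": SUPER_CLASS.get(alarm["rule"], alarm["rule"])}


def specialize(alarm):
    """6. Specialization: replace an alarm by a more specific sub-category when
    its fields allow it (here the service is derived from the destination port)."""
    if alarm["rule"] == "brute force" and alarm["dst_port"] == 22:
        return {**alarm, "rule": "SSH brute force"}
    return alarm


def merge(alarms):
    out = compress(alarms)
    out = filter_alarms(out, lambda a: a["level"] in SEVERITY)
    out = suppress(out)
    out = count(out)
    return [specialize(a) for a in out]


def summarize(alarms):
    """Alarm counts by superclass, for the duty operator's overview."""
    c = Counter()
    for a in alarms:
        c[generalize(a)["rule"]] += a.get("count", 1)
    return c
```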
S105, auditing the combined network security alarm information and removing false alarm information or periodic alarm information from it.
The step of auditing the merged network security alarm information and removing the false alarm information or periodic alarm information specifically comprises the following steps:
S401, collecting the alarms of the network security protection equipment 3;
S402, selecting, from the network security alarm information, the alarm types whose alarm ratio reaches a set threshold;
S403, for each selected alarm type, selecting the source IPs or destination IPs whose alarm ratio reaches the threshold;
S404, compiling the time series of the selected alarms and solving for the period of each alarm time series;
S405, performing a hypothesis test on the periods obtained from the alarm sequences to determine which alarms are periodic;
and S406, removing the periodic alarms.
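Steps S402 to S406 carried through on a constructed alarm log, as an added example that is not the patent's own code: it selects the alarm types whose share reaches a threshold, then the source or destination IPs whose share within that type reaches a threshold, estimates each series' period from its inter-arrival times, and removes the series judged periodic. The patent does not name the hypothesis test, so the test here is an assumption: the null hypothesis is that alarms arrive as a memoryless process, whose inter-arrival times have a coefficient of variation near 1; a coefficient far below 1 rejects the null and marks the series periodic. Series with too few alarms are treated as inconclusive and kept, so a rare alarm is never silenced on thin evidence. The thresholds and the sample are also constructed.

```python
import statistics
from collections import Counter


def make_sample():
    """Constructed alarm log: (time in seconds, alarm type, source IP, destination IP).
    A flow-probe heartbeat alarm fires every 300 s; login failures arrive irregularly."""
    events = [(1000 + 300 * i, "heartbeat lost", "10.3.3.1", "10.3.3.2") for i in range(12)]
    for t in (1010, 1017, 1150, 1152, 1153, 1300, 1820, 2400):
        events.append((t, "login failure", "10.0.0.50", "10.1.1.30"))
    events.append((1500, "port scan", "10.0.0.99", "10.1.1.20"))
    return sorted(events)


def select_types(events, ratio):
    """S402: alarm types whose share of all alarms reaches the threshold."""
    counts = Counter(e[1] for e in events)
    return {t for t, c in counts.items() if c / len(events) >= ratio}


def select_addresses(events, alarm_type, ratio):
    """S403: within one alarm type, the source or destination IPs whose share
    of that type's alarms reaches the threshold. Returns {(role, ip)}."""
    sub = [e for e in events if e[1] == alarm_type]
    picked = set()
    for idx, role in ((2, "src"), (3, "dst")):
        counts = Counter(e[idx] for e in sub)
        picked |= {(role, ip) for ip, c in counts.items() if c / len(sub) >= ratio}
    return picked


def estimate_period(times):
    """S404: period of one alarm time series, taken as the median inter-arrival
    time (robust to a few missing or duplicated alarms). Returns (period, gaps)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    return (statistics.median(gaps) if gaps else None), gaps


def is_periodic(gaps, cv_max=0.2, min_gaps=5):
    """S405: simplified dispersion test (the patent names no specific test).
    Null: memoryless arrivals, inter-arrival CV about 1. Reject (periodic)
    when CV < cv_max. Fewer than min_gaps intervals: inconclusive, keep alarm."""
    if len(gaps) < min_gaps:
        return False
    mean = statistics.mean(gaps)
    if mean == 0:
        return False
    return statistics.stdev(gaps) / mean < cv_max


def remove_periodic(events, type_ratio=0.3, ip_ratio=0.5):
    """S406: drop the alarm series judged periodic; return (kept, periodic keys)."""
    periodic = set()
    for t in select_types(events, type_ratio):
        for role, ip in select_addresses(events, t, ip_ratio):
            idx = 2 if role == "src" else 3
            times = [e[0] for e in events if e[1] == t and e[idx] == ip]
            _, gaps = estimate_period(times)
            if is_periodic(gaps):
                periodic.add((t, idx, ip))
    kept = [e for e in events
            if not any(e[1] == t and e[idx] == ip for t, idx, ip in periodic)]
    return kept, periodic


if __name__ == "__main__":
    kept, periodic = remove_periodic(make_sample())
    print(f"periodic series removed: {sorted(periodic)}; alarms kept: {len(kept)}")
```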
Based on this method, the invention correspondingly provides an intelligent network security duty system for implementing the intelligent network security duty method. The system comprises a data processing terminal 1 and network security protection equipment 3. The data processing terminal comprises a network security alarm acquisition module 2, a network security alarm storage module 5 and a network security alarm analysis module 6.
The data processing terminal 1 is connected to the network security protection equipment 3 through the network security alarm acquisition module 2, acquires the alarms of the network security protection equipment 3 through that module, and generates the network security alarm information. The network security alarm acquisition module 2 uses the syslog protocol, a system logging mechanism that transmits system log records across the network over the Internet protocol suite (TCP/IP).
The data processing terminal 1 stores the acquired network security alarm information in a database through the network security alarm storage module 5. It classifies the network security alarm information through the network security alarm analysis module 6 and associates and merges the network security alarm information with the alarm events. The data processing terminal 1 is further configured to audit the network security alarm information and remove the false alarm information from it.
It is further explained that the data processing terminal 1 also comprises an alarm aggregation module 9 and an alarm removal module 8. The alarm aggregation module 9 is configured to analyse and judge the network security alarm information, identify the type of network attack on the network security protection equipment 3 or the type of alarm that occurred, and classify the network security alarm information according to the network attack mode or the alarm type.
The alarm removal module 8 performs a hypothesis test on the periods obtained from the alarm sequences. Hypothesis testing, also called statistical hypothesis testing, is a statistical inference method for judging whether the differences between samples, or between a sample and the population, are caused by sampling error or by a genuine difference. The alarms are subjected to the hypothesis test, and once an alarm is determined to be periodic it is reduced or removed. The alarm removal module 8 is also configured to remove false alarms that do not satisfy the given condition.
The intelligent network security duty system also comprises an intelligent linkage module 4, through which the data processing terminal 1 is connected to the network security protection equipment 3. When the data processing terminal 1 judges the network security alarm information to indicate a network attack, it sends a linkage signal to the network security protection devices 3 through the intelligent linkage module 4 to make each network security protection device 3 block the attacking address.
The intelligent network security duty system further comprises a front-end display operation module 7, which displays the details of the current network security alarm information using the Vue framework and supports analysis and judgment operations on it. Vue is a progressive framework for building user interfaces that is designed to be adopted incrementally, layer by layer from the bottom up.
The front-end display operation module 7 comprises a display device. The data processing terminal 1 generates alarms with different time-sequence relationships in a certain chronological order, displays the network security alarm information through the display device, and provides an operation interface for judging it.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. An intelligent network security duty method, characterized in that it comprises the following steps:
S101, collecting alarms of the network security protection equipment to generate network security alarm information;
S102, storing the acquired network security alarm information in a database;
S103, classifying the network security alarm information in the database according to the network attack mode;
S104, associating and combining the different types of network security alarm information with the corresponding alarm events;
and S105, auditing the combined network security alarm information and removing false alarm information or periodic alarm information from it.
2. The intelligent network security duty method of claim 1, wherein auditing the merged network security alarm information and removing false alarm information or periodic alarm information specifically comprises:
S401, collecting the alarms of the network security protection equipment;
S402, selecting, from the network security alarm information, the alarm types whose alarm ratio reaches a set threshold;
S403, for each selected alarm type, selecting the source IPs or destination IPs whose alarm ratio reaches the threshold;
S404, compiling the time series of the selected alarms and solving for the period of each alarm time series;
S405, performing a hypothesis test on the periods obtained from the alarm sequences to determine which alarms are periodic;
and S406, removing the periodic alarms.
3. The method of claim 1, wherein the step of classifying the network security alarm information in the database according to the network attack mode comprises:
according to the network attack mode, dividing network attacks into distributed attacks from multiple source IP addresses to a destination IP address, attacks from one source IP address to multiple destination IP addresses, and intrusion attacks from a single source IP address to a single destination IP address.
4. The intelligent network security duty method of claim 1, wherein
the network security alarm information comprises an alarm rule, a source IP address, a destination IP address, a source port and a destination port;
the database is a MongoDB database;
and the network security protection equipment comprises an intrusion prevention system, a flow probe and a firewall.
5. A network security intelligent duty system, characterized in that the system executes the network security intelligent duty method of any one of claims 1 to 4;
the system comprises a data processing terminal and network safety protection equipment;
the data processing terminal comprises a network security alarm acquisition module, a network security alarm storage module and a network security alarm analysis module;
the network security alarm acquisition module is connected with the network security protection equipment;
the network security alarm acquisition module is used for acquiring the alarm of the network security protection equipment and generating network security alarm information;
the network security alarm storage module is used for storing the acquired network security alarm information into a database;
the network security alarm analysis module is used for classifying the network security alarm information and associating and combining the network security alarm information and the alarm event;
and the data processing terminal is used for auditing the network security alarm information and removing the false alarm information in the network security alarm information.
6. The intelligent network security duty system of claim 5, wherein the system further comprises an intelligent linkage module;
the data processing terminal is connected to the network security protection equipment through the intelligent linkage module;
and when the data processing terminal judges the network security alarm information to indicate a network attack, it sends a linkage signal to the network security protection equipment through the intelligent linkage module to make the equipment block the attacking address.
7. The network security intelligent duty system of claim 5, wherein the system further comprises a front-end display operation module;
and the front-end display operation module is used for displaying the network security alarm information and providing an operation interface for analysing and judging the network security alarm information.
8. The network security intelligent duty system of claim 5,
the data processing terminal also comprises an alarm aggregation module;
and the alarm aggregation module is used for analysing and judging the network security alarm information and classifying it according to the network attack pattern.
9. The network security intelligent duty system of claim 5,
the data processing terminal also comprises an alarm removing module;
and the alarm removing module is used for performing a hypothesis test on the periods of the alarm sequences and removing periodic alarms according to the result of the hypothesis test.
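One way to realise the periodic-alarm removal of claim 9 together with the per-flow grouping of claim 8, as an added example that is not the patent's own code: alarm sequences are keyed by rule and address pair, the candidate period is the median inter-arrival gap, and Rayleigh's test for uniformity of the alarm phases serves as the hypothesis test; the alarm data model, the constants and the sample alarms are assumptions.

```python
"""Periodic-alarm removal by hypothesis test (claim 9). Added example, not the
patent's code. Assumed model: an alarm is a dict of the claim-4 fields plus
'ts' in seconds. Sequences are keyed by (rule, src_ip, dst_ip); the candidate
period is the median inter-arrival gap; H0 "no period" (phases modulo the
candidate are uniform) is tested with Rayleigh's Z = n*R^2, p ~ exp(-Z)."""
import cmath
import math
from collections import defaultdict
from statistics import median

ALPHA = 0.01     # reject H0 (non-periodic) below this p-value
MIN_EVENTS = 6   # shorter sequences give the test no power; keep them


def rayleigh_p_value(times, period):
    """P-value of H0: phases of `times` modulo `period` are uniform."""
    phases = [2 * math.pi * (t % period) / period for t in times]
    r_bar = abs(sum(cmath.exp(1j * p) for p in phases)) / len(times)  # mean resultant length
    return math.exp(-len(times) * r_bar ** 2)


def candidate_period(times):
    """Median inter-arrival gap, or None when the sequence is too short."""
    if len(times) < MIN_EVENTS:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    return median(gaps) or None  # None also when timestamps collide


def remove_periodic_alarms(alarms, alpha=ALPHA):
    """Return (kept, suppressed); alarms of a periodic sequence are suppressed."""
    sequences = defaultdict(list)
    for alarm in alarms:
        sequences[(alarm["rule"], alarm["src_ip"], alarm["dst_ip"])].append(alarm)
    kept, suppressed = [], []
    for seq in sequences.values():
        seq.sort(key=lambda a: a["ts"])
        times = [a["ts"] for a in seq]
        period = candidate_period(times)
        periodic = period is not None and rayleigh_p_value(times, period) < alpha
        (suppressed if periodic else kept).extend(seq)
    return kept, suppressed


def _alarm(rule, src, dst, ts):  # constructed sample alarm record
    return {"rule": rule, "src_ip": src, "dst_ip": dst,
            "src_port": 40000, "dst_port": 22, "ts": ts}


SAMPLE_ALARMS = (  # constructed: a jittered 300 s heartbeat plus two irregular flows
    [_alarm("ICMP_SWEEP", "10.0.0.5", "10.0.0.1", 300 * i + j)
     for i, j in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 2])]
    + [_alarm("SQLI", "203.0.113.9", "10.0.0.20", t) for t in (10, 17, 95, 130, 410, 602, 618, 999)]
    + [_alarm("BRUTE_FORCE", "198.51.100.4", "10.0.0.20", t) for t in (50, 55)]
)
```

Sequences shorter than MIN_EVENTS are always kept, so a genuine attack that fires only a few alarms is never suppressed by the test.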
Publications (1)

Publication Number Publication Date
CN114257414A (en) 2022-03-29

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination