CN114493339A - Power grid information safety early warning system based on data feature extraction - Google Patents
- Publication number: CN114493339A (application CN202210139033.9A)
- Authority: CN (China)
- Legal status: Withdrawn (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06Q10/063114: Status monitoring or status determination for a person or group (under G06Q10/00 Administration; Management > G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning or modelling > G06Q10/063 Operations research, analysis or management > G06Q10/0631 Resource planning, allocation, distributing or scheduling for enterprises or organisations > G06Q10/06311 Scheduling, planning or task assignment for a person or group)
- G06F16/252: Integrating or interfacing systems involving database management systems between a Database Management System and a front-end application (under G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 structured data, e.g. relational data > G06F16/25 Integrating or interfacing systems involving database management systems)
- G06Q10/0635: Risk analysis of enterprise or organisation activities (under G06Q10/00 Administration; Management > G06Q10/06 > G06Q10/063 Operations research, analysis or management)
- G06Q50/06: Energy or water supply (under G06Q50/00 Information and communication technology specially adapted for implementation of business processes of specific business sectors, e.g. utilities or tourism)
Abstract
The invention discloses a power grid information security early warning system based on data feature extraction, comprising a big data collection layer, an attack information feature extraction and storage layer, a data analysis layer and a decision-making layer. The big data collection layer collects infrastructure operation data, information system operation data and information network operation data in real time, and collects internal and external data synchronously; the attack information feature extraction and storage layer extracts the operational features of current power grid attack intelligence, extracting and recording attack feature information; the data analysis layer achieves efficient integration, computation and analysis of the collected data; and the decision-making layer provides timely early warning of information network risks. The invention achieves comprehensive awareness of the operating situation of the power information network, real-time early warning of operating risks and timely handling of early warning events.
Description
Technical field
The invention relates to the field of power system security, and in particular to a power grid information security early warning system based on data feature extraction.
Background
At present, new technologies such as the Internet of Things, cloud computing and big data are changing by the day; we have entered the Web6.0 era, new concepts such as the smart planet, Internet+ and self-media keep emerging, and information networks have reached full coverage, full penetration and full application across every field and industry. The problems brought by these new developments and applications of information networks are that the volume of data is growing by orders of magnitude, data types are more complex, data sources are more diverse, and viruses and attack events are more concealed. To respond to security attacks in the big data environment in time, effectively contain all kinds of network attacks and truly stay a step ahead of the adversary ("however high the devil climbs, the Way climbs higher"), it is urgent to study network security situational awareness technology for the big data environment, exploit the mass storage, parallel computing and efficient querying that big data technology offers, break through the "bottleneck" problems of traditional situational awareness models (heavy dependence on specific equipment, poor data fusion capability, weak data mining), build a big-data-oriented network security situational awareness model, and establish a security protection framework matched to the big data environment, so as to achieve efficient acquisition of multi-source, multi-type data, high-speed fusion of massive data, intelligent and effective analysis models, accurate and reliable data mining, rich forms of situation display and sound emergency response decisions, safeguarding the development and application of information technology in every field and department.
Network and information security bear directly on the safe production of the company's power grid and the normal operation of its business. The company faces an increasingly severe internal and external information security situation and urgently needs to raise its level of "intrinsic security" and open a new phase of security assurance. As the company's level of informatization keeps rising, higher standards and demands are placed on the power information network. The company needs to move away from the passive management mode of alarming and repairing after a fault has occurred, toward an active management mode of the power information network in which risk early warning and intelligent operation and maintenance take place before the fault occurs. This helps improve the power information network's ability to cope with security risks and contributes to the construction of the smart grid and even the global energy Internet.
Summary of the invention
To solve the above problems, the present invention provides a power grid information security early warning system based on data feature extraction.
To achieve the above object, the technical scheme adopted by the present invention is as follows:
A power grid information security early warning system based on data feature extraction comprises a big data collection layer, a data analysis layer and a decision-making layer;
wherein the big data collection layer collects infrastructure operation data, information system operation data and information network operation data in real time, and collects internal data and external data synchronously;
the data analysis layer is used to achieve efficient integration, computation and analysis of the collected data;
the decision-making layer is used to provide timely early warning of information network risks.
Optionally, the data analysis layer comprises an integration module, a computation module and an analysis module, wherein the integration module integrates the data of the big data collection layer, namely performs data extraction, data conversion and data cleaning; the computation module performs batch processing and stream processing on the integrated data; and the analysis module analyzes the computed data.
Optionally, the analysis module comprises an analysis library module and an early warning model; the analysis library module provides analysis models, and the early warning model implements active risk early warning management of power information according to those analysis models. The analysis library module comprises a state early warning model, a threshold early warning model, a fast-change early warning model, an evaluation early warning model and a graded early warning model.
Optionally, the early warning model comprises an infrastructure evaluation model, a real-time reliability model and a historical operation evaluation model. The infrastructure evaluation model obtains the information network topology through topology discovery, then assesses the importance of every piece of infrastructure in the topology and collects its monitoring indicators; the real-time reliability model covers the real-time monitoring indicators of the information system's main pages and whether those pages respond and how long they take to respond; the historical operation evaluation model is based on the information system's historical operation and uses the number and severity level of historical alarms.
Optionally, the state early warning model covers hardware, software, basic support resources and virtual resources, probing all information resources once per interval and judging their state.
Optionally, the threshold early warning model is used to make early warning threshold judgments; its algorithm is as follows:
where T0max and T0min are the initial values of the upper and lower thresholds respectively, t is the current date, h is the current time, m is the number of days and n is the number of hours. According to the above algorithm, the indicator threshold T of an information resource lies between the upper threshold Tmax and the lower threshold Tmin.
Optionally, the fast-change early warning model gives early warning of abnormal sudden changes; its algorithm is as follows:
where Si is the load of the i-th device and α is the fast-change threshold configured by the user;
where Rmax and Rmin are the maximum and minimum of the cleaned historical operating data respectively, A is the mean of the historical data, and L denotes the reasonable operating range of the indicator.
Optionally, the evaluation early warning model evaluates the infrastructure; the evaluation early warning algorithm is as follows:
Based on the user-defined initial score S0, the numbers m/n/p of information network events at each level, the weight α and the deduction value f, the final evaluation score S of the information resource is obtained, and risk early warning is issued according to the score.
Optionally, the graded early warning model classifies early warning events into indicator level, infrastructure level and information network level.
Optionally, the decision-making layer comprises a resource management module, a risk early warning module and a decision analysis module.
Compared with the prior art, the technical progress achieved by the present invention is as follows:
The power grid information security early warning system based on data feature extraction achieves comprehensive awareness of the operating situation of the power information network, real-time early warning of operating risks and timely handling of early warning events. It assesses the network's security situation in real time from all obtainable information, provides a basis for the decision analysis of network security administrators, and minimizes the risks and losses caused by insecure factors. The model is of great significance for improving network monitoring capability, emergency response capability and the prediction of network security trends; it provides a strong guarantee for the information security of power, communication and similar systems and has good application results.
Description of the drawings
The accompanying drawings provide a further understanding of the invention and form part of the specification; together with the embodiments they serve to explain the invention and do not limit it.
In the drawings:
FIG. 1 is a schematic structural diagram of the invention.
Detailed description
The following specific embodiments may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments. Embodiments of the invention are described below with reference to the drawings.
Note that the terminology used here is only for describing specific embodiments and is not intended to limit the exemplary embodiments of this application. As used here, unless the context clearly indicates otherwise, the singular is intended to include the plural; furthermore, when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of features, steps, operations, devices, components and/or combinations thereof.
As shown in FIG. 1, the invention discloses a power grid information security early warning system based on data feature extraction, comprising a big data collection layer, an attack information feature extraction and storage layer, a data analysis layer and a decision-making layer;
wherein the big data collection layer collects infrastructure operation data, information system operation data and information network operation data in real time, and collects internal data and external data synchronously. The internal data comprises reputation intelligence and attack intelligence: reputation intelligence covers URLs, IP addresses and domain names, and attack intelligence covers attack sources, attack tools, vulnerabilities and the methods used. Internal data mainly refers to the monitoring of internal abnormal behaviour. Damage caused by internal abnormal behaviour is the main factor leading to security incidents; when an external attacker launches an APT attack, some stages of it require "walking inside" the network to reach sensitive data and steal or destroy it. Threat sources inside the enterprise include malicious insiders who may be about to leave and long-term, slow information leakage by insiders; internal attacks may also be launched by partners or third parties with internal access rights. By defining different scenarios, collecting samples, building a model of normal behaviour, and analysing internal network traffic or behaviour on terminals and servers, anomalies can be discovered early. An internal scenario mainly refers to an access behaviour scenario from a "subject" to an "object", where the subject is a person or an application and the object is an application or data. The factors a scenario contains are the 5W (Who, When, Where, What, How). Common abnormal scenarios are: abnormal login behaviour, including logins at abnormal times and frequent login failures; and business violations, including high-frequency business access and business bypassing. Power grid external threat intelligence likewise includes abnormal login behaviour (abnormal times and frequent login failures) and business violations (high-frequency business access and business bypassing).
External data targets external attacks. It is obtained mainly by acquiring threat intelligence and relying on a professional security analysis team; after comprehensive analysis a decision on handling the intelligence is formed and executed by network security devices or by security software on terminals, so that advanced attacks can be prevented, and the whole process can be carried out automatically by the devices. Threat intelligence generally includes reputation intelligence ("bad" URLs, IP addresses, domain names and so on) and attack intelligence (attack sources, attack tools, exploited vulnerabilities, methods used and so on). Security early warning notices, vulnerability notices and threat notices can usually be obtained from security service vendors, CERTs, antivirus vendors, government agencies and security organizations; all of these are typical security threat intelligence.
The attack information feature extraction and storage layer extracts the operational features of current power grid attack intelligence, extracting and recording attack feature information;
the data analysis layer achieves efficient integration, computation and analysis of the collected data;
the decision-making layer provides timely early warning of information network risks.
Specifically, the attack information feature extraction and storage layer starts from the power grid attack intelligence held in the power grid big data storage module, determines key sections by combining the topology, operating state and historical data of the current power system, and comprehensively extracts the attack feature information of the current power grid by a method combining main features, auxiliary features and numerical features. The attack feature information includes SNMP Threat, RPC Threat, FTP Threat, HTTP Threat, TELNET Threat and DNS Threat.
After obtaining attack information features, the attack information feature extraction and storage layer stores them itself, so that if the same kind of attack is encountered again it can be matched quickly against the stored features and an early warning issued promptly.
The data analysis layer comprises an integration module, a computation module and an analysis module. The integration module integrates the data of the big data collection layer, namely performs data extraction, data conversion and data cleaning; the computation module performs batch processing and stream processing on the integrated data; and the analysis module analyzes the computed data.
The analysis module comprises an analysis library module and an early warning model. The analysis library module provides analysis models, and the early warning model implements active risk early warning management of power information according to those analysis models. The analysis library module comprises a state early warning model, a threshold early warning model, a fast-change early warning model, an evaluation early warning model and a graded early warning model.
The early warning model comprises an infrastructure evaluation model, a real-time reliability model and a historical operation evaluation model. The infrastructure evaluation model obtains the information network topology through topology discovery, then assesses the importance of every piece of infrastructure in the topology and collects its monitoring indicators. The infrastructure includes host devices, network devices, security devices, storage devices, databases, middleware and the like.
The real-time reliability model builds a real-time reliability evaluation model of the information system from the real-time monitoring indicators of its main pages and from whether each page responds and how long it takes. The reliability evaluation relies on the results of an active probing system, which probes the information system and each of its main pages at a rate of once every 5 minutes; the results fed back are whether the target page responds and the page response time of the target system.
The historical operation evaluation model is based on the historical operation of the information system and uses the number and severity level of historical alarms.
The state early warning model covers hardware, software, basic support resources, virtual resources and the like, which are the basic components of the power information network. All information resources are probed once per interval (generally 30 s to 5 min) and their state is judged by whether the resource responds, falling into the following three categories:
1) Normal state: the information resource responds to every probe;
2) Disconnected state: no response to 3 consecutive probes; a timely alarm is required;
3) Unstable state: between normal and disconnected; the resource fails to respond to several probes but does not meet the condition for the disconnected state; a risk early warning is required.
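The three-state rule above is precise enough to implement. The following is an added example, not code from the patent: it classifies a resource from its probe history using the page's values (probe interval 30 s to 5 min, 3 consecutive non-responses for "disconnected") and maps each state to the action the page attaches to it. One point the page leaves open is whether "3 consecutive" refers to the most recent probes or to any run in the history; this example takes the most recent probes, so a resource that went silent earlier but has since answered is reported as unstable. That choice, the resource names and the probe histories are assumptions of the example.

```python
from dataclasses import dataclass

# Values stated on the page: a probe every 30 s to 5 min, and "no response to
# 3 consecutive probes" as the disconnected condition.
MIN_PROBE_INTERVAL_S = 30
MAX_PROBE_INTERVAL_S = 300
DISCONNECT_RUN = 3

# Action attached to each state, as the page describes it.
ACTIONS = {"normal": None, "unstable": "risk_warning", "disconnected": "alarm"}


def probe_interval_valid(seconds):
    """True when a configured probe interval lies in the page's 30 s to 5 min range."""
    return MIN_PROBE_INTERVAL_S <= seconds <= MAX_PROBE_INTERVAL_S


def classify_resource(responses, disconnect_run=DISCONNECT_RUN):
    """responses: probe outcomes oldest first, True = responded.
    Assumption of this example: 'disconnected' means the most recent disconnect_run
    probes all failed; a resource that went silent earlier but has since answered
    again is 'unstable' rather than 'disconnected'."""
    if not responses:
        raise ValueError("no probe results yet")
    if all(responses):
        return "normal"
    trailing_failures = 0
    for ok in reversed(responses):
        if ok:
            break
        trailing_failures += 1
    if trailing_failures >= disconnect_run:
        return "disconnected"
    return "unstable"


@dataclass
class Resource:
    name: str
    kind: str          # hardware / software / support / virtual, the page's categories
    responses: list    # probe outcomes, oldest first


def evaluate_inventory(resources):
    """Return {name: (state, action)} for every monitored resource."""
    result = {}
    for r in resources:
        state = classify_resource(r.responses)
        result[r.name] = (state, ACTIONS[state])
    return result


# Constructed sample inventory; names and probe histories are made up.
SAMPLE_INVENTORY = [
    Resource("core-switch-01", "hardware", [True, True, True, True, True, True]),
    Resource("scada-web", "software", [True, False, True, True, False, True]),
    Resource("fw-policy-sync", "support", [True, True, True, False, False, False]),
    Resource("vm-pool-a", "virtual", [False, False, False, True, True, True]),
]

if __name__ == "__main__":
    for name, (state, action) in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:16} {state:13} {action}")
```

Keeping the probe history as a short list per resource makes the rule cheap to evaluate on every probe cycle, and the "unstable" category gives operators a lead on a flapping link or an overloaded host before it crosses into a full alarm.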
其中,硬件可以包括:PC服务器、刀片机、小型机、工控机、专用服务器、磁盘阵列、磁带库、光盘库、路由器、交换机、负载均衡器、集线器、无线接入设备、协议转换器、存储光纤交换机、网络电路、数据转输通道接口、防火墙、防病毒网关设备、入侵监测设备、入侵防御设备、流量监测设备、漏洞扫描设备、VPN设备、网络隔离设备、其他安全设备、台式机、手持终端、笔记本电脑、工作站、平板电脑、专用终端、云终端、打印机、数字式绘图仪、复印机、传真机、影印一体机、扫描仪、投影仪、屏幕设备、显示器、鼠标、键盘、音箱、移动存储、其他外部设备、内存、CPU、磁盘、网卡、HBA卡、UPS电池、端口、逻辑CPU、文件系统、安装软件、关键进程、存储卷、物理VLAN、链路、路由等。The hardware may include: PC servers, blade machines, minicomputers, industrial computers, dedicated servers, disk arrays, tape libraries, optical disc libraries, routers, switches, load balancers, hubs, wireless access devices, protocol converters, storage Optical switch, network circuit, data transfer channel interface, firewall, anti-virus gateway equipment, intrusion monitoring equipment, intrusion prevention equipment, traffic monitoring equipment, vulnerability scanning equipment, VPN equipment, network isolation equipment, other security equipment, desktop, handheld Terminals, notebook computers, workstations, tablet computers, dedicated terminals, cloud terminals, printers, digital plotters, copiers, fax machines, photocopiers, scanners, projectors, screen devices, monitors, mice, keyboards, speakers, mobile Storage, other external devices, memory, CPU, disks, network cards, HBA cards, UPS batteries, ports, logical CPUs, file systems, installed software, critical processes, storage volumes, physical VLANs, links, routing, etc.
软件可以包括:业务系统、数据库、操作系统、中间件、集群软件、存储备份软件、运维管理软件、工具软件、办公自动化软件、邮件服务器软件、Web服务器软件、FTP服务器软件、其他基础软件、数据库复制软件等。Software can include: business system, database, operating system, middleware, cluster software, storage backup software, operation and maintenance management software, tool software, office automation software, mail server software, Web server software, FTP server software, other basic software, Database replication software, etc.
Basic supporting resources may include: VLANs, IP addresses, domain names, firewall policies, power load, load-balancing policies, account permissions, cabinet space, machine room space, patch panel ports, machine rooms, material warehouses, office premises, etc.
Virtual resources may include: resource groups, resource pools and virtual hosts.
The threshold warning model performs threshold-based warning judgements. Traditionally, the operating threshold of an information resource is set manually, either from a unified standard or by operations staff from experience. If a probed indicator lies within the threshold range, the resource is regarded as normal; if it exceeds the range, the monitored object is regarded as meeting the warning condition and a warning event is generated. As the information network expands dynamically, a manually set fixed threshold easily drifts out of line with actual conditions, producing false warnings or missed warnings. The threshold warning method here is based on big-data analysis: the normal operating range of a resource indicator is derived from effective analysis of its historical data, and the threshold is set adaptively from the analysis result. The specific algorithm is as follows:
Here T0max and T0min are the initial values of the upper and lower thresholds respectively, t is the current date, h is the current hour, m is the number of days and n is the number of hours. Under this algorithm the indicator threshold T of an information resource lies between the upper threshold Tmax and the lower threshold Tmin. The upper and lower thresholds are computed from the manually set initial thresholds and the resource's recent operating data, so that they match actual conditions. In addition, network managers can adjust the indicator threshold through the weight K to compensate for shortcomings of the automatic setting.
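The patent's threshold formula is not reproduced on this page, so the following is an added illustration of the idea rather than the patent's own algorithm. It assumes one plausible formulation: the observation window is the same hour h on each of the previous m days plus the previous n hours of day t, and the manually set bounds T0max/T0min are blended with the observed max/min of that window using the weight K (K = 1 keeps the fixed manual bounds, K = 0 trusts the data alone). The CPU-load history, the bound values and the class and function names are all constructed for the example.

```python
"""Adaptive threshold from initial bounds plus recent history (illustrative
formulation; not the patent's formula, which this page does not reproduce)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Threshold:
    t_max: float
    t_min: float

    def violated_by(self, value: float) -> bool:
        """Warning condition: the probed indicator leaves [t_min, t_max]."""
        return value > self.t_max or value < self.t_min


def window_samples(history: dict, now: datetime, m_days: int, n_hours: int) -> list:
    """Collect the seasonal samples (same hour, previous m days) and the recent
    samples (previous n hours) from an hourly history keyed by datetime.
    Hours missing from the history are skipped rather than treated as zero."""
    keys = [now - timedelta(days=d) for d in range(1, m_days + 1)]
    keys += [now - timedelta(hours=k) for k in range(1, n_hours + 1)]
    return [history[k] for k in keys if k in history]


def adaptive_threshold(t0: Threshold, history: dict, now: datetime,
                       m_days: int = 7, n_hours: int = 3, k: float = 0.2) -> Threshold:
    """Blend the operator-set bounds with the observed envelope (assumed rule)."""
    samples = window_samples(history, now, m_days, n_hours)
    if not samples:
        return t0  # no history yet: fall back to the manual bounds
    obs_max, obs_min = max(samples), min(samples)
    t_max = k * t0.t_max + (1.0 - k) * obs_max
    t_min = k * t0.t_min + (1.0 - k) * obs_min
    return Threshold(t_max=t_max, t_min=t_min)


def build_demo_history(now: datetime) -> dict:
    """Constructed hourly CPU-load history (percent) for the demonstration:
    the 09:00 load on the previous seven days is routinely 72-85, far above a
    fixed ceiling of 60 that was set with night-time load in mind."""
    history = {}
    for d, load in enumerate([72, 80, 85, 78, 83, 79, 81], start=1):
        history[now - timedelta(days=d)] = load
    for h, load in zip(range(1, 4), [68, 55, 40]):  # 08:00, 07:00, 06:00 today
        history[now - timedelta(hours=h)] = load
    return history


def threshold_demo() -> dict:
    """Compare the fixed and adaptive decisions for one probe of 78% at 09:00."""
    now = datetime(2022, 2, 15, 9, 0)
    fixed = Threshold(t_max=60.0, t_min=5.0)
    adaptive = adaptive_threshold(fixed, build_demo_history(now), now)
    probe = 78.0
    return {
        "bounds": adaptive,
        "fixed_alarm": fixed.violated_by(probe),        # false warning
        "adaptive_alarm": adaptive.violated_by(probe),  # within the learned range
        "fallback_ok": adaptive_threshold(fixed, {}, now) == fixed,
    }


if __name__ == "__main__":
    result = threshold_demo()
    print(f"adaptive bounds: [{result['bounds'].t_min:.1f}, {result['bounds'].t_max:.1f}]")
    print(f"fixed alarms: {result['fixed_alarm']}, adaptive alarms: {result['adaptive_alarm']}")
```

With K = 0.2 the learned window (max 85, min 40) gives bounds of about [33, 80], so the 78% business-hour probe no longer fires the false warning that the fixed ceiling of 60 produces; raising K moves the bounds back toward the manual values, which is the adjustment the text attributes to the weight K. Whatever formula is used, the history that feeds it must itself be trustworthy: if an attacker can inflate the indicator slowly over the m-day window, a purely data-driven bound follows it upward, which is one reason to keep K above zero.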
The fast-change warning model warns of abnormal sudden changes. Some information network faults cause a resource indicator to jump abnormally while remaining inside the normal threshold range, which conventional threshold warning cannot recognise. Fast-change warning has two forms, horizontal and vertical, both of which identify abnormal jumps in resource indicators. Horizontal warning compares a resource with resources of the same kind: if an indicator of one resource differs too much from the same indicator on other resources in the same environment, a warning is raised. The specific algorithm is as follows:
Here Si is the load of the i-th device and α is the fast-change threshold configured by the user; the algorithm decides whether a device needs a warning by computing the difference between that device's load and the mean load of the whole cluster.
Vertical warning compares a resource with its own historical data. It relies mainly on big-data statistical analysis: historical data is mined and analysed, and the result is applied to the information network risk warning model. The indicator's historical operating data is first cleaned to remove outliers, then analysed statistically to determine its maximum, minimum and mean, which fix the indicator's reasonable operating range. The vertical warning algorithm is as follows:
Here Rmax and Rmin are the maximum and minimum of the cleaned historical operating data, A is the mean of the historical data, and L is the indicator's reasonable operating range.
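Both fast-change checks as an added example (not code from the patent): the horizontal check flags a device whose load Si differs from the cluster mean by more than the user-configured α, and the vertical check cleans the indicator's history, takes Rmax, Rmin and the mean A, and treats [Rmin, Rmax] as the reasonable range L. The page does not say how outliers are removed during cleaning; the median-absolute-deviation rule below, the sample loads, the history values and the function names are assumptions.

```python
"""Fast-change warnings: horizontal (against peers) and vertical (against own
history). Illustrative code; thresholds, data and the cleaning rule are assumed."""
from statistics import mean, median


def horizontal_warnings(loads: dict, alpha: float) -> dict:
    """Return {device: deviation from cluster mean} for devices whose load
    differs from the mean by more than alpha. Caveat: in a small cluster the
    outlier itself drags the mean toward it, so alpha must allow for that."""
    avg = mean(loads.values())
    return {dev: s - avg for dev, s in loads.items() if abs(s - avg) > alpha}


def clean_history(values: list, cutoff: float = 3.0) -> list:
    """Drop outliers before computing the range. Rule used here (assumption):
    keep values within cutoff * MAD of the median. The median and MAD are not
    moved by the very spikes that cleaning is meant to remove."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:  # flat history: fall back to the mean absolute deviation
        mad = mean([abs(v - med) for v in values])
    if mad == 0:
        return list(values)  # perfectly constant history, nothing to clean
    return [v for v in values if abs(v - med) <= cutoff * mad]


def vertical_range(history: list) -> tuple:
    """Return (Rmin, Rmax, A) computed from the cleaned history."""
    cleaned = clean_history(history)
    return min(cleaned), max(cleaned), mean(cleaned)


def vertical_warning(value: float, history: list) -> bool:
    """Warn when the current value falls outside L = [Rmin, Rmax]."""
    r_min, r_max, _ = vertical_range(history)
    return value < r_min or value > r_max


# Constructed sample data (not from the page).
CLUSTER_LOADS = {"web-01": 35.0, "web-02": 38.0, "web-03": 36.0, "web-04": 72.0}
CPU_HISTORY = [40, 42, 45, 43, 44, 41, 46, 44, 43, 42, 99, 45]  # 99 is a past spike


def fast_change_demo() -> dict:
    return {
        "horizontal": horizontal_warnings(CLUSTER_LOADS, alpha=20.0),
        "range": vertical_range(CPU_HISTORY),
        "vertical_47": vertical_warning(47, CPU_HISTORY),
        "vertical_44": vertical_warning(44, CPU_HISTORY),
        # Without cleaning, the old spike would stretch Rmax to 99 and hide 47.
        "uncleaned_max": max(CPU_HISTORY),
    }


if __name__ == "__main__":
    for key, val in fast_change_demo().items():
        print(key, val)
```

On the constructed data the cluster mean is 45.25, so only web-04 (26.75 above the mean) exceeds α = 20; cleaning removes the old spike of 99, leaving L = [40, 46], so a current reading of 47 is flagged while 44 is not. The last entry shows why cleaning matters: with the spike left in, Rmax would be 99 and the 47 would pass silently, which is exactly the "within the threshold range but still abnormal" case the model targets.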
The evaluation warning model realises infrastructure evaluation. Indicator evaluation forms the basis of infrastructure evaluation; infrastructure evaluation, combined with analysis of the information network topology, forms the basis of the network's base-architecture evaluation; active probing indicators, including whether a system page responds and its response time, form the basis of information system reliability evaluation; and base-architecture evaluation together with reliability evaluation form the basis of information network risk evaluation and warning. The evaluation warning algorithm is as follows:
From the user-defined initial score S0, the number of information network events at each level (m/n/p), the weight α and the deduction value f, the final evaluation score S of the information resource is obtained, and risk warnings are issued according to how high or low the score is.
The hierarchical warning model divides warning events into the indicator level, the infrastructure level and the information network level. The most basic warning events are all indicator-level; if several indicators on one piece of infrastructure raise warnings, the related warning events are merged into one infrastructure-level warning event; if a core node of the information network, or several ordinary nodes, raise warnings, the related warning events are merged into one information-network-level warning event. This grading strategy helps managers recognise the relative importance of different warning events and respond to them effectively.
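The merge rules of the hierarchical model and the score of the evaluation model, as one added example covering both passages (not code from the patent): indicator-level events are merged per piece of infrastructure and then, when a core node or several ordinary nodes have alerted, into a single network-level event; the merged tree is counted per level to obtain m/n/p, and S = S0 minus the sum over levels of count × α × f. The page gives single symbols α and f, so the per-level weights and deductions, the "several ordinary nodes" count, the risk bands, the sample events and the names used are all assumptions.

```python
"""Hierarchical merging of warning events plus score-based evaluation.
Illustrative code; weights, deductions, bands and sample events are assumed."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    resource: str              # infrastructure that raised it, or "network"
    indicator: str             # e.g. "cpu"; "*" for merged events
    level: str = "indicator"   # indicator | infrastructure | network
    members: list = field(default_factory=list)  # events merged into this one


def merge_events(indicator_events: list, core_nodes: set,
                 ordinary_node_min: int = 2) -> list:
    """Apply the two merge rules and return the top-level events."""
    by_resource = defaultdict(list)
    for ev in indicator_events:
        by_resource[ev.resource].append(ev)

    merged = []
    for resource, evs in by_resource.items():
        if len(evs) > 1:  # several indicators on one piece of infrastructure
            merged.append(Event(resource, "*", "infrastructure", evs))
        else:
            merged.extend(evs)

    alerted = set(by_resource)
    core_hit = bool(alerted & core_nodes)
    many_ordinary = len(alerted - core_nodes) >= ordinary_node_min  # assumed count
    if merged and (core_hit or many_ordinary):
        return [Event("network", "*", "network", merged)]
    return merged


def count_levels(events: list) -> Counter:
    """Count events at every level of the merged tree (m, n, p)."""
    counts = Counter()
    for ev in events:
        counts[ev.level] += 1
        counts.update(count_levels(ev.members))
    return counts


WEIGHT = {"indicator": 1.0, "infrastructure": 2.0, "network": 2.0}     # alpha (assumed)
DEDUCTION = {"indicator": 2.0, "infrastructure": 5.0, "network": 10.0}  # f (assumed)


def evaluate(counts: Counter, s0: float = 100.0) -> float:
    """Final score S = S0 - sum(count * alpha * f) over the levels, floored at 0."""
    total = sum(counts[lvl] * WEIGHT[lvl] * DEDUCTION[lvl] for lvl in WEIGHT)
    return max(0.0, s0 - total)


def risk_level(score: float) -> str:
    """Map the score to a warning band (bands are assumptions)."""
    if score >= 90:
        return "normal"
    if score >= 70:
        return "attention"
    if score >= 50:
        return "warning"
    return "critical"


def hierarchy_demo() -> dict:
    # Constructed indicator-level warnings (not from the page).
    raw = [
        Event("host-A", "cpu"), Event("host-A", "memory"),
        Event("host-B", "disk"), Event("core-router", "latency"),
    ]
    top = merge_events(raw, core_nodes={"core-router"})
    counts = count_levels(top)
    score = evaluate(counts)
    return {"top_levels": [e.level for e in top], "counts": dict(counts),
            "score": score, "risk": risk_level(score)}


if __name__ == "__main__":
    print(hierarchy_demo())
```

In the constructed run host-A's two indicator events collapse into one infrastructure-level event, and because core-router has alerted everything is wrapped into a single network-level event; counting the tree gives m = 4, n = 1, p = 1, a deduction of 8 + 10 + 20 = 38, and a score of 62. Keeping the merged members on the parent event is deliberate: the operator sees one network-level event, but the original indicator events are still there for response and forensics rather than being discarded by the merge.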
Therefore the power grid information security early warning system based on data feature extraction achieves comprehensive awareness of the operating situation of the power information network, real-time warning of operating risks and timely handling of warning events. It assesses the network's security situation in real time from all obtainable information, gives network security administrators a basis for decision analysis, and minimises the risks and losses caused by insecure factors. The model is significant for improving network monitoring capability and emergency response capability and for predicting trends in network security; it provides strong protection for the information security of power, communication and similar systems and performs well in application.
Finally, it should be noted that the above are only preferred embodiments of the present invention and are not intended to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art can still modify the technical solutions recorded in those embodiments or replace some of their technical features with equivalents. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of its claims.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210139033.9A CN114493339A (en) | 2022-02-15 | 2022-02-15 | Power grid information safety early warning system based on data feature extraction |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210139033.9A CN114493339A (en) | 2022-02-15 | 2022-02-15 | Power grid information safety early warning system based on data feature extraction |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114493339A true CN114493339A (en) | 2022-05-13 |
Family
ID=81481358
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210139033.9A Withdrawn CN114493339A (en) | 2022-02-15 | 2022-02-15 | Power grid information safety early warning system based on data feature extraction |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114493339A (en) |
- 2022-02-15 CN CN202210139033.9A patent/CN114493339A/en not_active Withdrawn
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115242502A (en) * | 2022-07-21 | 2022-10-25 | 广东电网有限责任公司 | Power system network security risk evaluation method, device, equipment and medium |
CN115242502B (en) * | 2022-07-21 | 2024-03-08 | 广东电网有限责任公司 | Method, device, equipment and medium for evaluating network security risk of power system |
Similar Documents
Publication | Title |
---|---|
WO2023216641A1 (en) | Security protection method and system for power terminal |
CN108646722B (en) | Information security simulation model and terminal of industrial control system |
CN108429651B (en) | Flow data detection method and device, electronic equipment and computer readable medium |
CN102123149B (en) | Service-oriented large-scale network security situational assessment device and method |
CN106778253A (en) | Threat context aware information security Initiative Defense model based on big data |
CN104852927A (en) | Safety comprehensive management system based on multi-source heterogeneous information |
CN102970164A (en) | Cloud platform management monitoring system and method |
CN117155625A (en) | Computer network monitoring system |
Huang et al. | Knowledge discovery from big data for intrusion detection using LDA |
CN110661811A (en) | Firewall policy management method and device |
WO2021098313A1 (en) | Blockchain-based host security monitoring method and apparatus, medium and electronic device |
CN114362994B (en) | Safety risk identification method for operation behavior of multi-layer heterogeneous granularity intelligent aggregation railway system |
CN114553537A (en) | An abnormal flow monitoring method and system for industrial Internet |
CN112165470A (en) | Intelligent terminal access safety early warning system based on log big data analysis |
CN114640548A (en) | Network security sensing and early warning method and system based on big data |
CN104378364B (en) | A kind of Cooperative Analysis method at information security management center |
CN103544438B (en) | A kind of user awareness virus report analytical approach for cloud security system |
Songma et al. | Classification via k-means clustering and distance-based outlier detection |
Xue et al. | Prediction of computer network security situation based on association rules mining |
Lee et al. | A study on efficient log visualization using d3 component against apt: How to visualize security logs efficiently? |
CN114493339A (en) | Power grid information safety early warning system based on data feature extraction |
CN116030943A (en) | Big data intelligent operation and maintenance control system and method |
CN112596984B (en) | Data security situation awareness system in business weak isolation environment |
CN205510080U (en) | A safety control platform for catenet |
CN116939589A (en) | Student internet monitoring system based on campus wireless network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20220513 |