CN114553526A - Network security vulnerability position detection method and system - Google Patents

Publication number
CN114553526A
Authority
CN
China
Prior art keywords
monitoring terminal
information
target section
distribution diagram
online
Legal status
Pending
Application number
CN202210160499.7A
Other languages
Chinese (zh)
Inventor
郭禹伶
左晓军
郗波
刘惠颖
刘硕
史丽鹏
Current Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, Electric Power Research Institute of State Grid Hebei Electric Power Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H02 GENERATION; CONVERSION OR DISTRIBUTION OF ELECTRIC POWER
    • H02J CIRCUIT ARRANGEMENTS OR SYSTEMS FOR SUPPLYING OR DISTRIBUTING ELECTRIC POWER; SYSTEMS FOR STORING ELECTRIC ENERGY
    • H02J13/00 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network
    • H02J13/00002 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network characterised by monitoring
    • H02J13/00006 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network characterised by information or instructions transport means between the monitoring, controlling or managing units and monitored, controlled or operated power network element or electrical equipment
    • H02J13/00022 Circuit arrangements for providing remote indication of network conditions, e.g. an instantaneous record of the open or closed condition of each circuitbreaker in the network; Circuit arrangements for providing remote control of switching means in a power distribution network, e.g. switching in and out of current consumers by using a pulse code signal carried by the network characterised by information or instructions transport means between the monitoring, controlling or managing units and monitored, controlled or operated power network element or electrical equipment using wireless data transmission
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention relates to the technical field of information security, and provides a method and a system for detecting a network security vulnerability position, wherein the method for detecting the network security vulnerability position comprises the following steps: acquiring GPS positioning information of a plurality of monitoring terminals, and constructing a monitoring terminal distribution diagram according to the GPS positioning information; acquiring a target section, and issuing a broadcast instruction to all monitoring terminals in the target section; receiving response information of a monitoring terminal in the target section, wherein the monitoring terminal sending the response information is an online monitoring terminal, and the response information comprises an online monitoring terminal ID; calling a vulnerability database, and sending a vulnerability detection data packet to the online monitoring terminal; receiving feedback information of the online monitoring terminal, wherein the feedback information comprises an online monitoring terminal ID and execution result information, and obtaining the ID of the online monitoring terminal that has a security vulnerability according to the feedback information; and displaying the ID of the online monitoring terminal on the monitoring terminal distribution diagram. This technical scheme solves the problem in the prior art that potential security hazards exist in the power monitoring network.

Description

Network security vulnerability position detection method and system
Technical Field
The invention relates to the technical field of information security, in particular to a method and a system for detecting a network security vulnerability position.
Background
With the development of the internet of things and electronic technology, the power system has realized intelligent management from the monitoring terminals at the bottom layer, through management, to comprehensive operation and maintenance flow management, and applies measures such as data mining, processing and operation to efficiently coordinate, schedule and guide work so that data center infrastructure is maintained efficiently and safely. At the same time, monitoring terminals are usually developed on open-source frameworks, so program vulnerabilities inevitably exist and the power monitoring network carries potential security hazards. Effective detection methods therefore need to be adopted for these vulnerabilities.
Disclosure of Invention
The invention provides a method and a system for detecting a network security vulnerability position, which solve the problem of potential safety hazard of a power monitoring network in the related technology.
The technical scheme of the invention is as follows:
In a first aspect, a method for detecting a network security vulnerability position includes:
acquiring GPS positioning information of a plurality of monitoring terminals, and constructing a monitoring terminal distribution diagram according to the GPS positioning information;
acquiring a target section, and issuing a broadcast instruction to all monitoring terminals in the target section;
receiving response information of the monitoring terminal in the target section, wherein the monitoring terminal sending the response information is an online monitoring terminal, and the response information comprises an online monitoring terminal ID;
calling a vulnerability database, and sending a vulnerability detection data packet to the online monitoring terminal;
receiving feedback information of the online monitoring terminal, wherein the feedback information comprises an online monitoring terminal ID and execution result information, and obtaining the ID of the online monitoring terminal that has a security vulnerability according to the feedback information;
and displaying the ID of the online monitoring terminal on a monitoring terminal distribution diagram.
Further, the method also includes:
obtaining an offline monitoring terminal ID from the list of all monitoring terminal IDs in the target section and the online monitoring terminal IDs;
and displaying the ID of the off-line monitoring terminal on a monitoring terminal distribution diagram.
Further, the vulnerability database includes at least remote execution vulnerabilities, weak passwords, stack overflows, and/or unauthorized access.
Further, obtaining the target segment specifically includes:
receiving selection mode information input by a user;
when the selection mode information is the first option, acquiring a midpoint coordinate and a radius input by a user;
and drawing a circle by using the midpoint coordinate and the radius, wherein the target section comprises any monitoring terminal positioned in the circular area.
Further, obtaining the target segment specifically includes:
receiving selection mode information input by a user;
when the selection mode information is the second option, acquiring a starting point coordinate and an end point coordinate input by a user;
and drawing a circle by taking the connecting line of the starting point coordinate and the end point coordinate as a diameter, wherein the target section comprises any monitoring terminal positioned in the circular area.
Further, obtaining the target segment specifically includes:
receiving selection mode information input by a user;
when the selection mode information is a third option, the monitoring terminal distribution diagram further comprises line topology information; the line topology information is used for representing the line connection relation of a plurality of monitoring terminals; the monitoring terminal is a main node or a branch node on the monitoring terminal distribution diagram;
acquiring a target node input by a user;
when the target node is a main node on a monitoring terminal distribution diagram, the target section comprises all main nodes and branch nodes related to the main node; and when the target node is a branch node on the monitoring terminal distribution diagram, the target section is all branch nodes on a branch line where the branch node is located.
Further, the method also includes:
and when the number of the target nodes is more than two, outputting an enlargement window, and displaying the target nodes enlarged.
In a second aspect, a network security vulnerability position detection system includes:
the first obtaining unit is used for obtaining the GPS positioning information of the monitoring terminals and constructing a monitoring terminal distribution diagram according to the GPS positioning information;
the first processing unit is used for acquiring a target section and issuing a broadcast instruction to all monitoring terminals in the target section;
the first receiving unit is used for receiving response information of the monitoring terminal in the target section, the monitoring terminal sending the response information is an online monitoring terminal, and the response information comprises an online monitoring terminal ID;
the second processing unit is used for calling a vulnerability database and sending a vulnerability detection data packet to the online monitoring terminal;
the second receiving unit is used for receiving feedback information of the online monitoring terminal, wherein the feedback information comprises an online monitoring terminal ID and execution result information, and the online monitoring terminal ID with security vulnerabilities is obtained according to the feedback information;
and the first display unit is used for displaying the ID of the online monitoring terminal on a monitoring terminal distribution diagram.
Further, the system also includes:
the third processing unit is used for obtaining an offline monitoring terminal ID from the list of all monitoring terminal IDs in the target section and the online monitoring terminal IDs;
and the second display unit is used for displaying the ID of the offline monitoring terminal on a monitoring terminal distribution diagram.
Further, the system also includes:
a third receiving unit for receiving selection mode information input by a user;
the second obtaining unit is used for obtaining the midpoint coordinate and the radius input by the user when the selection mode information is the first option;
and the fourth processing unit makes a circle by using the midpoint coordinate and the radius, and the target section comprises any monitoring terminal positioned in the circular area.
Further, the system also includes:
a fourth receiving unit for receiving selection mode information input by a user;
a third obtaining unit, configured to obtain a start point coordinate and an end point coordinate input by a user when the selection mode information is the second option;
and the fifth processing unit is used for making a circle by taking the connecting line of the start point coordinate and the end point coordinate as a diameter, and the target section comprises any monitoring terminal positioned in the circular area.
Further, the system also includes:
a fifth receiving unit, configured to receive selection mode information input by a user;
when the selection mode information is a third option, the monitoring terminal distribution diagram further comprises line topology information; the line topology information is used for representing the line connection relation of a plurality of monitoring terminals; the monitoring terminal is a main node or a branch node on the monitoring terminal distribution diagram;
a fourth obtaining unit, configured to obtain a target node input by a user;
the sixth processing unit is used for determining target sections as all main nodes and branch nodes related to the main nodes when the target nodes are the main nodes on the monitoring terminal distribution diagram; and when the target node is a branch node on the monitoring terminal distribution diagram, the target section is all branch nodes on a branch line where the branch node is located.
In a third aspect, a network security vulnerability position detection system includes:
a memory for storing a computer program;
and the processor is used for calling the computer program to realize the network security vulnerability position detection method.
The working principle and the beneficial effects of the invention are as follows:
According to the vulnerability detection method provided by the invention, a monitoring terminal distribution diagram is first formed by reading GPS positioning information, so that the monitoring terminals in the power monitoring network are displayed as a whole. A user (namely, power grid management personnel) can run vulnerability detection on the monitoring terminals in a target section by clicking the target section on the monitoring terminal distribution diagram, and the vulnerability detection result is displayed on the monitoring terminal distribution diagram, so that the management personnel can see at a glance which monitoring terminals have security vulnerabilities and repair them in time.
The invention realizes real-time detection of security vulnerabilities in the power monitoring network and ensures the security of the power monitoring network.
Drawings
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
FIG. 1 is a flowchart of a vulnerability detection method of the present invention;
FIG. 2 is a schematic diagram of a line topology according to the present invention;
FIG. 3 is a schematic structural diagram of a vulnerability detection system in the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any inventive step, are intended to be within the scope of the present invention.
As shown in fig. 1, a flowchart of the method for detecting a location of a network security vulnerability in this embodiment includes:
acquiring GPS positioning information of a plurality of monitoring terminals, and constructing a monitoring terminal distribution diagram according to the GPS positioning information;
acquiring a target section, and issuing a broadcast instruction to all monitoring terminals in the target section;
receiving response information of the monitoring terminal in the target section, wherein the monitoring terminal sending the response information is an online monitoring terminal, and the response information comprises an online monitoring terminal ID;
calling a vulnerability database, and sending a vulnerability detection data packet to the online monitoring terminal;
receiving feedback information of the online monitoring terminal, wherein the feedback information comprises an online monitoring terminal ID and execution result information, and obtaining the ID of the online monitoring terminal that has a security vulnerability according to the feedback information;
and displaying the ID of the online monitoring terminal on a monitoring terminal distribution diagram.
According to the vulnerability detection method provided by the invention, a monitoring terminal distribution diagram is first formed by reading GPS positioning information, so that the monitoring terminals in the power monitoring network are displayed as a whole. A user (namely, power grid management personnel) can run vulnerability detection on the monitoring terminals in a target section by clicking the target section on the monitoring terminal distribution diagram, and the vulnerability detection result is displayed on the monitoring terminal distribution diagram, so that the management personnel can see at a glance which monitoring terminals have security vulnerabilities and repair them in time.
The invention realizes real-time detection of security vulnerabilities in the power monitoring network and ensures the security of the power monitoring network.
Further, the method also includes:
obtaining an offline monitoring terminal ID from the list of all monitoring terminal IDs in the target section and the online monitoring terminal IDs;
and displaying the ID of the off-line monitoring terminal on a monitoring terminal distribution diagram.
By issuing the broadcast instruction to all monitoring terminals in the target section, the offline monitoring terminals, which return no response information, are detected. An offline monitoring terminal is considered to have a communication fault, a power failure or another fault, and is displayed on the monitoring terminal distribution diagram so that maintenance can be carried out in time and the reliability of the power monitoring network is ensured.
Further, the vulnerability database includes at least remote execution vulnerabilities, weak passwords, stack overflows, and/or unauthorized access.
Remote execution vulnerabilities, weak passwords, stack overflow, and/or unauthorized access are common vulnerabilities of power monitoring networks, and therefore the embodiment focuses on detecting these four vulnerabilities.
For a remote execution vulnerability, the server does not filter the execution function when the user submits an execution command over the internet. Where the command is executed without specifying an absolute path, an attacker may be able to execute malicious code by changing $PATH or other aspects of the program execution environment.
Because the developer, when writing the source code, does not filter the special executable function entry points in the code, the client can submit maliciously constructed statements to the server side for execution. In a command injection attack, the main reason the attack succeeds is that functions such as system(), eval() and exec() are not filtered by the web server.
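The two defects named above (user input reaching system()/exec() unfiltered, and a command resolved through $PATH instead of an absolute path), shown beside a hardened form. This is an added Python example, not code from the patent; the action names, binary paths and hostname pattern are hypothetical.

```python
import re
import subprocess

# Hypothetical allowlist: each permitted action maps to an ABSOLUTE binary path
# plus fixed options, so $PATH never decides which program runs.
ALLOWED = {
    "ping": ["/bin/ping", "-c", "1"],
    "trace": ["/usr/bin/traceroute", "-m", "5"],
}

# Hostname or IPv4 literal only. The first character must be alphanumeric, so a
# value such as "-f" cannot be smuggled in as an extra option.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

# Fixed, minimal environment handed to the child process.
SAFE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def vulnerable_command(host):
    """The flawed pattern: input concatenated into a shell string.

    The string is only built here, never executed. Handed to system() or to
    subprocess with shell=True, everything after a ';' would run as a second
    command, and 'ping' would be looked up through the caller's $PATH.
    """
    return "ping -c 1 " + host


def build_argv(action, host):
    """Hardened form: allowlisted action, validated argument, no shell."""
    if action not in ALLOWED:
        raise ValueError(f"action not permitted: {action!r}")
    # fullmatch, not match: a trailing newline or any shell metacharacter fails.
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"invalid host: {host!r}")
    return ALLOWED[action] + [host]


def run_diagnostic(action, host):
    """Execute the validated argv directly (no shell) with the fixed environment."""
    return subprocess.run(
        build_argv(action, host),
        env=SAFE_ENV,
        shell=False,
        capture_output=True,
        text=True,
        timeout=10,
        check=False,
    )
```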
A weak password is generally considered to be a password that is easily guessed by others or broken by a cracking tool. A weak password is one that contains only simple numbers and letters, such as "123" or "abc". Because such passwords are easily broken by others, they expose the user's computer to risk and are therefore not recommended.
On one hand, through programmer carelessness, unsafe functions such as strcpy and sprintf are used, which increases the likelihood of stack overflow vulnerabilities. On the other hand, because the stack stores information such as the return address of the function, an attacker who can arbitrarily overwrite data on the stack can usually modify the execution flow of the program and thereby cause more damage. This attack method is the stack overflow attack. It arises because the program lacks error checking: operations on a buffer (such as copying of character strings) proceed from low addresses to high addresses in memory, and the return address of the function call often lies just above the buffer (at the bottom of the current stack frame), which provides the condition for overwriting the return address.
An unauthorized access vulnerability is a defect in an address or authorized page that requires security configuration or permission authentication, such that other users can access it directly, with the result that important permissions can be exercised and sensitive information such as a database or website directory is leaked. The present embodiment covers the following common unauthorized access vulnerabilities:
(1) JBoss unauthorized access
(2) Jenkins unauthorized access
(3) LDAP unauthorized access
(4) Redis unauthorized access
(5) Elasticsearch unauthorized access
(6) Memcache unauthorized access
(7) MongoDB unauthorized access
(8) Rsync unauthorized access
(9) ZooKeeper unauthorized access
(10) Docker unauthorized access
Further, obtaining the target segment specifically includes:
receiving selection mode information input by a user;
when the selection mode information is the first option, acquiring a midpoint coordinate and a radius input by a user;
and drawing a circle by using the midpoint coordinate and the radius, wherein the target section comprises any monitoring terminal positioned in the circular area.
In this embodiment, a user can run vulnerability detection on a plurality of monitoring terminals surrounding a given monitoring terminal taken as the center.
Further, obtaining the target segment specifically includes:
receiving selection mode information input by a user;
when the selection mode information is the second option, acquiring a starting point coordinate and an end point coordinate input by a user;
and drawing a circle by taking the connecting line of the starting point coordinate and the end point coordinate as a diameter, wherein the target section comprises any monitoring terminal positioned in the circular area.
In this embodiment, according to actual needs, a user can select a plurality of monitoring terminals between two monitoring terminals for vulnerability detection.
Further, obtaining the target segment specifically includes:
receiving selection mode information input by a user;
when the selection mode information is a third option, the monitoring terminal distribution diagram further comprises line topology information; the line topology information is used for representing the line connection relation of a plurality of monitoring terminals; the monitoring terminal is a main node or a branch node on the monitoring terminal distribution diagram;
acquiring a target node input by a user;
when the target node is a main node on a monitoring terminal distribution diagram, the target section comprises all main nodes and branch nodes related to the main node; and when the target node is a branch node on the monitoring terminal distribution diagram, the target section is all branch nodes on a branch line where the branch node is located.
The line topology diagram is shown in fig. 2 and includes a main line and a branch line, and in this embodiment, on the basis of the line topology diagram, the GPS positioning information of each monitoring terminal is added to obtain a monitoring terminal distribution diagram. Each monitoring terminal is equivalent to a node, the main line is a line formed by the main node and is marked by a bold line, and the branch line is a line formed by the branch nodes.
When a power grid manager clicks a main node, the main line on which that main node is located is selected, and all main nodes on the main line are selected. When a power grid manager clicks a branch node, the branch line on which that branch node is located is selected, and all branch nodes on the branch line are selected. The power grid manager can thus flexibly select the vulnerability detection section.
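The three ways of choosing a target section described above, together with the offline-terminal derivation from the earlier passage, as an added Python example that is not part of the patent. Terminal IDs, coordinates, line names and the 1 m boundary tolerance are constructed; reading "main node" selection as the whole main line plus the branch lines attached to it, and reporting responders outside the section separately, are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_M = 6_371_000.0
BOUNDARY_TOLERANCE_M = 1.0  # assumption: terminals on the circle itself count as inside


@dataclass(frozen=True)
class Terminal:
    tid: str
    lat: float
    lon: float
    line: str                     # main or branch line the terminal sits on
    parent: Optional[str] = None  # main line a branch hangs off; None for a main node


# Constructed sample distribution diagram (all values are made up).
TERMINALS = [
    Terminal("T1", 38.0400, 114.5100, "M1"),
    Terminal("T2", 38.0400, 114.5200, "M1"),
    Terminal("T3", 38.0400, 114.5300, "M1"),
    Terminal("T4", 38.0450, 114.5200, "B1", parent="M1"),
    Terminal("T5", 38.0500, 114.5200, "B1", parent="M1"),
    Terminal("T6", 38.0300, 114.5300, "B2", parent="M1"),
    Terminal("T7", 38.1000, 114.6000, "M2"),
]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two GPS fixes."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def section_by_circle(terminals, center, radius_m):
    """First option: circle drawn from a midpoint coordinate and a radius."""
    limit = radius_m + BOUNDARY_TOLERANCE_M
    return {t.tid for t in terminals
            if haversine_m(center[0], center[1], t.lat, t.lon) <= limit}


def section_by_diameter(terminals, start, end):
    """Second option: circle whose diameter is the start-to-end line."""
    # Averaging lat/lon is accurate enough over feeder-scale distances (assumption).
    center = ((start[0] + end[0]) / 2, (start[1] + end[1]) / 2)
    radius_m = haversine_m(start[0], start[1], end[0], end[1]) / 2
    return section_by_circle(terminals, center, radius_m)


def section_by_topology(terminals, target_id):
    """Third option: select by line topology from one clicked node."""
    target = {t.tid: t for t in terminals}[target_id]  # KeyError on unknown ID
    if target.parent is None:
        # Main node: every main node on its line plus the attached branch nodes.
        return {t.tid for t in terminals
                if t.line == target.line or t.parent == target.line}
    # Branch node: every branch node on the same branch line.
    return {t.tid for t in terminals if t.line == target.line}


def classify(section, responses, feedback):
    """Split a section into online/offline and pick out flagged terminals.

    responses: IDs that answered the broadcast instruction.
    feedback:  ID -> list of findings reported for that terminal.
    """
    online = section & set(responses)
    return {
        "online": online,
        "offline": section - online,             # full ID list minus responders
        "unexpected": set(responses) - section,  # answered but not in the section
        "vulnerable": {tid for tid, findings in feedback.items()
                       if findings and tid in online},
    }
```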
In this embodiment, the drawing of the line topology map can be implemented by using the existing method, and the existing method includes:
1. Line topological relation recognition based on power frequency zero-crossing signal and SNR (signal-to-noise ratio) big data analysis
1.1 Signal-to-noise ratio analysis
The signal-to-noise ratio is the ratio of signal strength to noise, and is mainly affected by attenuation and noise inside the channel. In the power line, the two main factors affecting signal transmission are attenuation and noise. On the same line, the shorter the signal transmission distance, the smaller the attenuation and noise and the larger the signal-to-noise ratio. Moreover, when signals are spatially coupled, the attenuation is also relatively large. In the field, the lines of a single station area are connected and relatively close to each other, while the lines of adjacent station areas are not connected or are relatively far away. A station can therefore evaluate the signal-to-noise ratio of its local station area to be larger than that of an adjacent station area.
1.2 Power frequency zero crossing signal analysis
All stations have a network ID attribute. The STA station collects the SNR of its neighbor stations and groups the neighbor stations by network ID; meanwhile, the power frequency zero-crossing signal deviation of the STA station is obtained through the STA zero-crossing circuit for correlation analysis. Signal detection is the problem of judging whether distortion exists at the zero-crossing point. A digital differential technique is generally used for detection, that is, a difference operation is performed between a previous sampling value and the current sampling value:
d(t1)=F(t1)-F(t1-T)
According to the scheme, the CCO combines characteristic factors such as the NTB clock zero-crossing deviation of the identified STA, communication topology information and channel parameters, adds the electrical characteristic quantities (voltage and phase angle) of the station, and performs digital filtering and modeling analysis. The correlation coefficient is then judged dynamically and comprehensively according to the topological hierarchy of the station and the communication success rate, and the station area attribute is distinguished (local station area, non-local station area or unidentified station area).
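The difference operation d(t1)=F(t1)-F(t1-T) applied to a sampled mains waveform, as an added Python example that is not part of the patent. T is taken to be one power-frequency period (the page does not define it), and the 50 Hz signal, sample rate, harmonic and injected pulse are constructed.

```python
import math

MAINS_HZ = 50.0
SAMPLE_HZ = 10_000.0
N_PER_CYCLE = int(SAMPLE_HZ / MAINS_HZ)  # 200 samples per power-frequency period


def synth_waveform(cycles, distorted_cycles, amp=311.0, pulse=8.0, pulse_len=6):
    """Constructed test signal: fundamental plus a steady 5th harmonic, with a
    short bump right after the rising zero crossing of the chosen cycles."""
    samples = []
    for n in range(cycles * N_PER_CYCLE):
        v = amp * math.sin(2 * math.pi * n / N_PER_CYCLE)
        v += 15.0 * math.sin(2 * math.pi * 5 * n / N_PER_CYCLE)  # steady harmonic
        cycle, phase = divmod(n, N_PER_CYCLE)
        if cycle in distorted_cycles and phase < pulse_len:
            v += pulse
        samples.append(v)
    return samples


def digital_difference(samples, lag=N_PER_CYCLE):
    """d[n] = F[n] - F[n - lag]; None where no earlier sample exists.

    With lag equal to one period, everything that repeats every cycle
    (fundamental and steady harmonics) cancels and only changes remain.
    """
    head = [None] * min(lag, len(samples))
    return head + [samples[n] - samples[n - lag] for n in range(lag, len(samples))]


def distorted_zero_crossings(samples, window=10, threshold=4.0):
    """Return (cycle, peak difference) for each cycle whose first `window`
    samples after the rising zero crossing differ from the previous cycle
    by at least `threshold`."""
    d = digital_difference(samples)
    hits = []
    for cycle in range(1, len(samples) // N_PER_CYCLE):
        start = cycle * N_PER_CYCLE
        peak = max(d[start:start + window], key=abs)
        if abs(peak) >= threshold:
            hits.append((cycle, round(peak, 3)))
    return hits
```

A single distorted cycle shows up twice in the output: once with positive sign in the cycle that carries the pulse, and once with negative sign in the following cycle, where the pulse sits in the F(t1-T) term.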
2. Line topological relation recognition based on power frequency distortion signal analysis
Based on the research of the power frequency distortion signal analysis technology, all users and phases in the station area can be accurately and reliably identified, misjudgment cannot occur, and the identification rate is high.
A station area identification technology based on power frequency communication (TWACS) is built into a module and packaged as a dedicated chip. It is implemented using the current pulse method (power frequency distortion technology) together with the power line carrier signal method, so that the station area and phase identification signal does not cross station areas, point-to-point communication within the station area has no dead angle, and the station area identification accuracy is better than 99.99%.
The intelligent metering management main terminal sends a station area identifier in the form of data current pulses on the power line. The pulse current signals are not carried onto other lines by conditions such as shared high-voltage threading, shared-ground crosstalk or shared cable channel crosstalk, which ensures that the signals do not cross station areas. Because the transmission distance is long, the identification signal can be received on the power lines of the whole station area without dead angles, so all users and phases in the station area can be identified accurately and reliably without misjudgment.
The pulse current signals sent in the station area can be collected by the sub-terminals at the branch boxes and meter boxes of the whole station area. After a metering management sub-terminal detects the pulse current signal, the station area number and phase sequence data in the signal are coupled by power line carrier onto the communication channel at the tail end and, after modulation and demodulation, are stored as data in the storage area of the sub-terminal. The main terminal reads the station area and phase marks of each node's metering terminal through broadband carrier, which realizes identification of the station area and phase within the station area and the combing of archive information.
The pulse current is also called pulsating current: a current whose direction is constant and whose intensity changes. Strictly speaking, the current output by a DC generator is a pulsating current, except that the magnitude of the change in intensity is small. A pulsed current is also a unidirectional (cathodic) current that is periodically interrupted by a series of open-circuit intervals (no current passing). Unlike a commutating current, it does not make the plated part the anode; the power supply is only interrupted intermittently, and the cathode potential changes periodically with time because of the intermittent interruption of the current. The waveforms include square, sine, triangular and sawtooth waves.
The detection of the pulse current signal is a system research test method aiming at the problem of response deviation. Signal detection does not focus strictly on sensory processes, but rather on decision-making processes that emphasize the presence or absence of a stimulus event.
3. Power failure data identification and analysis method
The intelligent diagnostic instrument for the low-voltage transformer area reads the power failure records of the electric meters in batches and compares them with the historical power failure records of the power system, so that the household-to-transformer relationship can be determined quickly.
According to the Q/GDW 1354-2013 functional specification for intelligent electric energy meters, the meter records the total number of power failures, the accumulated power failure time, and the start and end times of the last 10 power failures.
Equipment is used to read the historical power failure records of all electric meters in the target transformer area and the adjacent areas and to compare them with the historical power failure records of the power system. The independent power failure record of the target area is found (the target area lost power while the adjacent areas did not), and a user whose meter holds that record is determined to belong to the target area. To prevent misjudgment caused by inaccurate meter clocks, the comparison checks both the power failure start and end times and the power failure duration.
In actual operation and maintenance, a power failure confined to a single area is very rare. Therefore, when a switch-off is needed during normal operation and maintenance, the areas are switched off one after another at intervals of 5 to 10 seconds, so that when power is restored all the electric meters hold power failure records of different durations.
After the planned power failure of the transformer area, the host routing module collects data from all household meters under the transformer area and extracts their power failure records, signal characteristics and so on. It compares the meters' power failure records with the power failure records of the different transformer-area terminals, analyzing the power failure start time, end time and duration respectively, and thereby identifies the transformer area affected by the power failure.
Further, the method also includes:
when there are more than two target nodes, outputting a magnification window and displaying the target nodes enlarged.
In this embodiment, the monitoring terminal distribution diagram is implemented with an electronic map. When several target nodes are close to each other, their markers may overlap on the map, so the map needs to be zoomed to distinguish the overlapping target nodes. The zooming steps are as follows:
(1) Determine the map zoom level n = 7.
(2) Determine the layer 0 tiles. The map zoom level is set to its minimum, at which point the map scale reaches its maximum level; the raster picture at this level is layer 0.
(3) Cut the determined layer 0 raster. Starting from the top-left corner of the base raster picture obtained in step 2, cut it from left to right and from top to bottom into square tile pictures of equal width and height (the platform uses a width of 256 pixels and a height of 256 pixels), giving the layer 0 tile array.
(4) After the layer 0 tile array is obtained, merge every 2 x 2 pixels into one pixel to generate the level 1 map picture, and cut that picture by the same rule as in step 3 to obtain the layer 1 tile array.
(5) Generate the level 2 array according to the method of step 3, and continue in the same way up to layer n-1 (layer 6 in this embodiment), finally forming the multi-level tile array.
(6) Store the multi-level tile array. The map tile arrays are organized as a multi-level folder directory, and each tile is stored in the folder for the level it belongs to. The folder name of each level is determined by parameters such as the current layer number, the map zoom level and the longitude and latitude range of the map. For example, the directory name of layer 1 is "1 _500__6__ 7": the numeral 1 denotes the layer 1 pyramid tiles, 500 denotes map data at a scale of 1:5,000,000 (500 ten-thousands), and 6 and 7 denote the latitude and longitude area ranges, indicating that the layer 1 pyramid tile array consists of 42 map tiles in 6 rows and 7 columns.
(7) When a user sends a map tile data request, the server parses the request to obtain the current zoom level, the tile data range and other information of the map, and uses this information to locate the tile file in the specific folder. Organizing and maintaining the map tile data in this way keeps access to the service efficient and supports the stability and scalability of the platform.
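An added Python example (not code from the patent) of steps (1) to (7): it derives the tile grid of each pyramid layer and resolves a tile request to a file path, rejecting any request whose level or indices are malformed or out of range before a path is built. The directory and file naming, the `SCALES` list (only the layer 1 value 500 comes from the text) and the request field names are assumptions.

```python
import math
from pathlib import PurePosixPath

TILE = 256    # tile edge in pixels, from step (3)
LEVELS = 7    # n = 7, so layers 0..6

# Constructed scale labels per layer; only layer 1 = 500 appears in the text.
SCALES = [250, 500, 1000, 2000, 4000, 8000, 16000]


def pyramid_grids(width_px, height_px, levels=LEVELS, tile=TILE):
    """Return [(rows, cols), ...] for layers 0..levels-1.

    Layer 0 is the full-resolution raster; every further layer merges
    2 x 2 pixels into one, halving both dimensions (rounded up).
    """
    grids = []
    w, h = width_px, height_px
    for _ in range(levels):
        grids.append((math.ceil(h / tile), math.ceil(w / tile)))
        w, h = max(1, math.ceil(w / 2)), max(1, math.ceil(h / 2))
    return grids


def tile_order(rows, cols):
    """Cutting order from step (3): left to right, then top to bottom."""
    return [(r, c) for r in range(rows) for c in range(cols)]


def layer_dir(layer, scale, rows, cols):
    # Assumed naming, modelled on the layer/scale/rows/cols example in step (6).
    return f"{layer}_{scale}_{rows}_{cols}"


def resolve_tile(request, grids, scales):
    """Map an untrusted tile request to a relative path, or raise ValueError.

    Every field is converted to int and bounds-checked against the pyramid,
    so the path is assembled only from validated numbers and never from
    client-supplied text.
    """
    try:
        layer, row, col = (int(request[k]) for k in ("layer", "row", "col"))
    except (KeyError, ValueError, TypeError):
        raise ValueError("malformed tile request") from None
    if not 0 <= layer < len(grids):
        raise ValueError("zoom level out of range")
    rows, cols = grids[layer]
    if not (0 <= row < rows and 0 <= col < cols):
        raise ValueError("tile index out of range")
    return PurePosixPath(layer_dir(layer, scales[layer], rows, cols)) / f"{row}_{col}.png"
```

With a constructed 3584 x 3072 pixel base raster, layer 1 comes out as 6 rows by 7 columns, the 42 tiles of the directory example in step (6).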
As shown in Fig. 3, a schematic structural diagram, the network security vulnerability location detection system includes:
the first obtaining unit is used for obtaining the GPS positioning information of the monitoring terminals and constructing a monitoring terminal distribution diagram according to the GPS positioning information;
the first processing unit is used for acquiring a target section and issuing a broadcast instruction to all monitoring terminals in the target section;
the first receiving unit is used for receiving response information of the monitoring terminal in the target section, the monitoring terminal sending the response information is an online monitoring terminal, and the response information comprises an online monitoring terminal ID;
the second processing unit is used for calling a vulnerability database and sending a vulnerability detection data packet to the online monitoring terminal;
the second receiving unit is used for receiving feedback information of the online monitoring terminal, wherein the feedback information comprises an online monitoring terminal ID and execution result information, and the online monitoring terminal ID with security holes is obtained according to the feedback information;
and the first display unit is used for displaying the ID of the online monitoring terminal on a monitoring terminal distribution diagram.
Further, the system also includes:
the third processing unit is used for obtaining an off-line monitoring terminal ID according to all the monitoring terminal ID lists and the on-line monitoring terminal IDs in the target section;
and the second display unit is used for displaying the ID of the offline monitoring terminal on a monitoring terminal distribution diagram.
Further, the system also includes:
a third receiving unit for receiving selection mode information input by a user;
the second obtaining unit is used for obtaining the midpoint coordinate and the radius input by the user when the selection mode information is the first option;
and the fourth processing unit is used for drawing a circle from the midpoint coordinate and the radius, the target section comprising any monitoring terminal located in the circular area.
Further, the system also includes:
a fourth receiving unit for receiving selection mode information input by a user;
a third obtaining unit, configured to obtain a start point coordinate and an end point coordinate input by a user when the selection mode information is the second option;
and the fifth processing unit is used for making a circle by taking the connecting line of the start point coordinate and the end point coordinate as a diameter, and the target section comprises any monitoring terminal positioned in the circular area.
Further, the system also includes:
a fifth receiving unit, configured to receive selection mode information input by a user;
when the selection mode information is a third option, the monitoring terminal distribution diagram further comprises line topology information; the line topology information is used for representing the line connection relation of a plurality of monitoring terminals; the monitoring terminal is a main node or a branch node on the monitoring terminal distribution diagram;
a fourth obtaining unit, configured to obtain a target node input by a user;
the sixth processing unit is used for determining target sections as all main nodes and branch nodes related to the main nodes when the target nodes are the main nodes on the monitoring terminal distribution diagram; and when the target node is a branch node on the monitoring terminal distribution diagram, the target section is all branch nodes on a branch line where the branch node is located.
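An added Python example (not code from the patent) of the three target-section options and the split into online, offline and vulnerable terminal IDs that the units above perform. The haversine distance, the arithmetic midpoint, the topology layout, the `unexpected` bucket for responders outside the section, and all sample IDs and coordinates are assumptions constructed for illustration.

```python
import math

EARTH_R = 6_371_000.0  # mean Earth radius in metres

# Constructed sample data: terminal ID -> (latitude, longitude) in degrees.
TERMINALS = {"T1": (38.0400, 114.5100), "T2": (38.0410, 114.5110),
             "T3": (38.0500, 114.5100), "T4": (38.1000, 114.6000)}
# Assumed topology layout: main node -> {branch line -> [branch nodes]}.
TOPOLOGY = {"M1": {"L1": ["B1", "B2"], "L2": ["B3"]}}


def dist_m(a, b):
    """Haversine distance in metres between two (lat, lon) pairs."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * EARTH_R * math.asin(math.sqrt(h))


def section_circle(terminals, center, radius_m):
    """First option: terminals inside the circle given by centre and radius."""
    return {tid for tid, pos in terminals.items() if dist_m(pos, center) <= radius_m}


def section_diameter(terminals, start, end):
    """Second option: circle whose diameter is the start-end line.

    The arithmetic midpoint is an approximation that holds for spans of a
    few kilometres; the radius is the larger endpoint distance, so both
    endpoints always fall inside the circle.
    """
    mid = ((start[0] + end[0]) / 2, (start[1] + end[1]) / 2)
    radius = max(dist_m(start, mid), dist_m(end, mid))
    return section_circle(terminals, mid, radius)


def section_topology(topology, target):
    """Third option: section derived from the line topology."""
    if target in topology:                      # target is a main node
        return {target} | {n for line in topology[target].values() for n in line}
    for lines in topology.values():             # target is a branch node
        for nodes in lines.values():
            if target in nodes:
                return set(nodes)
    raise KeyError(f"unknown node {target!r}")


def classify(section, responses, feedback):
    """Split a target section into online, offline and vulnerable IDs.

    A terminal ID is declared by the sender, so IDs that answer without
    belonging to the section are reported as `unexpected` rather than
    counted as online.
    """
    responders = set(responses)
    online = responders & section
    vulnerable = {tid for tid, found in feedback.items() if tid in online and found}
    return {"online": online, "offline": section - online,
            "vulnerable": vulnerable, "unexpected": responders - section}
```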
Based on the same inventive concept as the above embodiment, this embodiment further provides a network security vulnerability location detection system, including:
a memory for storing a computer program;
and the processor is used for calling the computer program to realize the network security vulnerability position detection method.
The working principle of the network security vulnerability location detection system has been described in detail in the method embodiment, and is not described herein again.
The present invention is not limited to the above preferred embodiments, and any modifications, equivalent substitutions, improvements, etc. within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A network security vulnerability location detection method, applied to a server of a power monitoring network, the server being communicatively connected to a plurality of monitoring terminals, each monitoring terminal being provided with a GPS positioning module, the method being characterized by comprising the following steps:
acquiring GPS positioning information of a plurality of monitoring terminals, and constructing a monitoring terminal distribution diagram according to the GPS positioning information;
acquiring a target section, and issuing a broadcast instruction to all monitoring terminals in the target section;
receiving response information of the monitoring terminal in the target section, wherein the monitoring terminal sending the response information is an online monitoring terminal, and the response information comprises an online monitoring terminal ID;
calling a vulnerability database, and sending a vulnerability detection data packet to the online monitoring terminal;
receiving feedback information of the online monitoring terminal, wherein the feedback information comprises an online monitoring terminal ID and execution result information, and obtaining the online monitoring terminal ID with security holes according to the feedback information;
and displaying the ID of the online monitoring terminal on a monitoring terminal distribution diagram.
2. The method for detecting the location of the network security vulnerability according to claim 1, further comprising:
obtaining an off-line monitoring terminal ID according to all monitoring terminal ID lists and on-line monitoring terminal IDs in a target section;
and displaying the ID of the off-line monitoring terminal on a monitoring terminal distribution diagram.
3. The method of claim 1, wherein the vulnerability database comprises at least remote execution vulnerabilities, weak passwords, stack overflows, and/or unauthorized access.
4. The method for detecting the location of the network security vulnerability according to claim 1, wherein the obtaining the target section specifically comprises:
receiving selection mode information input by a user;
when the selection mode information is a first option, acquiring a midpoint coordinate and a radius input by a user;
and drawing a circle by using the midpoint coordinate and the radius, wherein the target section comprises any monitoring terminal positioned in the circular area.
5. The method for detecting the location of the network security vulnerability according to claim 1, wherein the obtaining the target section specifically comprises:
receiving selection mode information input by a user;
when the selection mode information is a second option, acquiring a starting point coordinate and an end point coordinate input by a user;
and drawing a circle by taking the connecting line of the starting point coordinate and the end point coordinate as a diameter, wherein the target section comprises any monitoring terminal positioned in the circular area.
6. The method for detecting the location of the network security vulnerability according to claim 1, wherein the obtaining the target section specifically comprises:
receiving selection mode information input by a user;
when the selection mode information is a third option, the monitoring terminal distribution diagram further comprises line topology information; the line topology information is used for representing the line connection relation of a plurality of monitoring terminals; the monitoring terminal is a main node or a branch node on the monitoring terminal distribution diagram;
acquiring a target node input by a user;
when the target node is a main node on a monitoring terminal distribution diagram, the target section comprises all main nodes and branch nodes related to the main node; and when the target node is a branch node on the monitoring terminal distribution diagram, the target section is all branch nodes on a branch line where the branch node is located.
7. The method according to claim 6, further comprising:
and when there are more than two target nodes, outputting a magnification window and displaying the target nodes enlarged.
8. A network security vulnerability location detection system, applied to a server of a power monitoring network, the server being communicatively connected to a plurality of monitoring terminals, each monitoring terminal being provided with a GPS positioning module, the system being characterized by comprising:
the first obtaining unit is used for obtaining the GPS positioning information of the monitoring terminals and constructing a monitoring terminal distribution diagram according to the GPS positioning information;
the first processing unit is used for acquiring a target section and issuing a broadcast instruction to all monitoring terminals in the target section;
the first receiving unit is used for receiving response information of the monitoring terminal in the target section, the monitoring terminal sending the response information is an online monitoring terminal, and the response information comprises an online monitoring terminal ID;
the second processing unit is used for calling a vulnerability database and sending a vulnerability detection data packet to the online monitoring terminal;
the second receiving unit is used for receiving feedback information of the online monitoring terminal, wherein the feedback information comprises an online monitoring terminal ID and execution result information, and the online monitoring terminal ID with security holes is obtained according to the feedback information;
and the first display unit is used for displaying the ID of the online monitoring terminal on a monitoring terminal distribution diagram.
9. The network security hole location detection system according to claim 5, further comprising:
the third processing unit is used for obtaining an off-line monitoring terminal ID according to all the monitoring terminal ID lists and the on-line monitoring terminal IDs in the target section;
and the second display unit is used for displaying the ID of the offline monitoring terminal on a monitoring terminal distribution diagram.
10. A network security vulnerability location detection system, characterized by comprising:
a memory for storing a computer program;
a processor for invoking the computer program to implement the network security vulnerability location detection method according to any one of claims 1-7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210160499.7A CN114553526A (en) 2022-02-22 2022-02-22 Network security vulnerability position detection method and system

Publications (1)

Publication Number Publication Date
CN114553526A (en) 2022-05-27

Family

ID=81677588

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination