CN114598506B - Industrial control network security risk tracing method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114598506B
Application number: CN202210162006.3A
Authority: CN (China)
Prior art keywords: equipment, network, industrial control, event, alarm
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN114598506A (en)
Inventors: 周星, 赵重浩, 龚亮华
Current assignee: Fengtai Technology Beijing Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Fengtai Technology Beijing Co ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/069 Management of faults, events, alarms or notifications using logs of notifications; post-processing of notifications
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS > Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE > Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The embodiments of this application disclose an industrial control network security risk tracing method and device, an electronic device and a computer-readable storage medium, which are used to rapidly and accurately locate the position of a network risk in an industrial control network when a security event occurs. The method comprises the following steps: acquiring network communication data of the industrial control network, log data of the industrial control hosts and state data of the network devices, where the industrial control network comprises the industrial control hosts and the network devices; performing alarm processing on the network communication data, the log data and the state data to obtain alarm event information, where the alarm event information comprises alarm events and the equipment assets associated with them; acquiring tracing parameters, which comprise a tracing time range, an equipment asset and the name of an alarm event; and determining, according to the tracing parameters, the target equipment assets associated with the alarm event, a list of the communication behaviours by which the equipment hazard was accessed, and a list of security events associated with the alarm event.

Description

Industrial control network security risk tracing method and device, electronic equipment and storage medium
Technical Field
The application belongs to the technical field of industrial control networks, and particularly relates to an industrial control network security risk tracing method, an industrial control network security risk tracing device, electronic equipment and a computer readable storage medium.
Background
With the continued spread and deepening of the industrial internet, the structure of industrial control networks is becoming increasingly complex, and the types of network devices in them increasingly numerous. Compared with IT networks, industrial control networks involve more network devices and more complex network communication protocols.
At present, when a network security event occurs (such as a virus, an attack from an external network, a device fault or a production anomaly), it is difficult to locate or trace the position of the network risk because of characteristics such as the complex structure of the industrial control network.
Disclosure of Invention
The embodiments of this application provide an industrial control network security risk tracing method and device, an electronic device and a computer-readable storage medium, which can rapidly and accurately locate the position of a network risk in an industrial control network.
In a first aspect, an embodiment of the present application provides an industrial control network security risk tracing method, comprising:
acquiring network communication data of an industrial control network, log data of industrial control hosts and state data of network devices, where the industrial control network comprises the industrial control hosts and the network devices;
performing alarm processing on the network communication data, the log data and the state data to obtain alarm event information, where the alarm event information comprises alarm events and the equipment assets associated with the alarm events;
acquiring tracing parameters, where the tracing parameters comprise a tracing time range, an equipment asset and the name of an alarm event;
and determining, according to the tracing parameters, the target equipment assets associated with the alarm event, a list of the communication behaviours by which the equipment hazard was accessed, and a list of security events associated with the alarm event.
As can be seen from the above, in the embodiments of the present application alarm processing is performed on network communication data, log data and state data, and when an alarm event occurs, tracing is performed from the information related to that alarm event, so as to locate the associated equipment assets and the security events that may occur.
In some possible implementations of the first aspect, determining, according to the tracing parameters, the target equipment assets associated with the alarm event, the list of communication behaviours by which the equipment hazard was accessed, and the list of security events associated with the alarm event comprises:
looking up the network communication behaviour of the equipment asset and the target equipment assets associated with it;
looking up the security events associated with the name of the alarm event and generating the security event list;
calculating the security risk coefficient of the equipment asset and the security risk coefficient of each target equipment asset from the network communication behaviour, the target equipment assets and the alarm event information;
and generating the list of communication behaviours by which the equipment hazard was accessed from the security risk coefficients and the tracing time range.
In some possible implementations of the first aspect, calculating the security risk coefficient of the equipment asset from the network communication behaviour, the target equipment assets and the alarm event information comprises:
calculating the deducted safety coefficient of the equipment asset from the grade coefficient of the alarm event, the total number of occurrences of the event, the repair difficulty coefficient of the event and the duration of the event in days;
obtaining the safety coefficient of the equipment asset from the deducted safety coefficient;
obtaining the security risk coefficient of the equipment asset from the safety coefficient, the importance level of the equipment asset, the importance level of the target equipment asset and the total number of equipment hazard events;
where the network communication behaviour comprises the total number of equipment hazard events, and the alarm event information comprises the grade coefficient, the total number of occurrences of the event, the repair difficulty coefficient of the event and the duration of the event in days.
In some possible implementations of the first aspect, obtaining network communication data of the industrial control network, log data of the industrial control host, and status data of the network device includes:
acquiring network communication data of an industrial control network acquired by a flow probe assembly;
acquiring log data acquired by an industrial control host probe assembly;
status data of the network device acquired by the remote probe assembly is acquired.
In some possible implementations of the first aspect, the log data includes an operating state of the industrial control host, a process, an industrial control software log, a system configuration, and an operation log, and the state data includes an operating state of the network device and a network state.
In a second aspect, an embodiment of the present application provides an industrial control network security risk tracing device, comprising:
a data acquisition module, configured to acquire network communication data of an industrial control network, log data of industrial control hosts and state data of network devices, where the industrial control network comprises the industrial control hosts and the network devices;
an alarm module, configured to perform alarm processing on the network communication data, the log data and the state data to obtain alarm event information, where the alarm event information comprises alarm events and the equipment assets associated with the alarm events;
a parameter acquisition module, configured to acquire tracing parameters, where the tracing parameters comprise a tracing time range, an equipment asset and the name of an alarm event;
and a tracing module, configured to determine, according to the tracing parameters, the target equipment assets associated with the alarm event, a list of the communication behaviours by which the equipment hazard was accessed, and a list of security events associated with the alarm event.
In some possible implementations of the second aspect, the tracing module is specifically configured to:
look up the network communication behaviour of the equipment asset and the target equipment assets associated with it;
look up the security events associated with the name of the alarm event and generate the security event list;
calculate the security risk coefficient of the equipment asset and the security risk coefficient of each target equipment asset from the network communication behaviour, the target equipment assets and the alarm event information;
and generate the list of communication behaviours by which the equipment hazard was accessed from the security risk coefficients and the tracing time range.
In some possible implementations of the second aspect, the tracing module is specifically configured to:
calculate the deducted safety coefficient of the equipment asset from the grade coefficient of the alarm event, the total number of occurrences of the event, the repair difficulty coefficient of the event and the duration of the event in days;
obtain the safety coefficient of the equipment asset from the deducted safety coefficient;
obtain the security risk coefficient of the equipment asset from the safety coefficient, the importance level of the equipment asset, the importance level of the target equipment asset and the total number of equipment hazard events;
where the network communication behaviour comprises the total number of equipment hazard events, and the alarm event information comprises the grade coefficient, the total number of occurrences of the event, the repair difficulty coefficient of the event and the duration of the event in days.
In a third aspect, embodiments of the present application provide an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing a method according to any one of the first aspects described above when the computer program is executed by the processor.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium storing a computer program which, when executed by a processor, implements a method as in any one of the first aspects described above.
In a fifth aspect, embodiments of the present application provide a computer program product, which, when run on an electronic device, causes the electronic device to perform the method of any one of the first aspects.
It will be appreciated that the advantages of the second to fifth aspects may be found in the relevant description of the first aspect, and are not described here again.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. It is obvious that the drawings described below show only some embodiments of the present application, and that a person skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 is a schematic flow chart of an industrial control network security risk tracing method provided in an embodiment of the present application;
fig. 2 is a schematic block diagram of a structure of an industrial control network security risk tracing device provided in an embodiment of the present application;
fig. 3 is a schematic block diagram of an industrial control network security risk tracing system provided in an embodiment of the present application;
fig. 4 is a schematic block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth, such as particular system configurations, techniques, etc. in order to provide a thorough understanding of the embodiments of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present application with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in this specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in this specification and the appended claims, the term "if" may be interpreted as "when", "once", "in response to determining" or "in response to detecting", depending on the context. Similarly, the phrase "if it is determined" or "if [a described condition or event] is detected" may be interpreted, depending on the context, as "upon determining", "in response to determining", "upon detecting [the described condition or event]" or "in response to detecting [the described condition or event]".
In addition, in the description of the present application and the appended claims, the terms "first," "second," "third," and the like are used merely to distinguish between descriptions and are not to be construed as indicating or implying relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the application. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
The industrial control network security tracing method provided by the embodiments of the application can be applied to electronic equipment such as monitoring nodes. The industrial control network includes various types of devices, for example industrial control hosts, security devices, industrial control devices and network devices, where the network devices may include switches, routers, gateways and the like. A plurality of monitoring nodes is deployed in the industrial control network. In the method and device provided here, monitoring probes are deployed at each network node of the industrial control network, and the equipment security risk tracing result for the industrial control network is obtained from the related data reported by the monitoring probes, which facilitates risk monitoring and rectification in large industrial control networks during security operations.
The embodiment of the application does not limit the specific type of the electronic equipment applied by the industrial control network security tracing method.
Referring to fig. 1, a flow chart of an industrial control network security risk tracing method provided in an embodiment of the present application may include the following steps:
step S101, network communication data of an industrial control network, log data of an industrial control host and state data of network equipment are obtained, and the industrial control network comprises the industrial control host and the network equipment.
In a specific application, the network communication traffic can be collected by a flow probe component deployed in the network, and the collected network communication data can include information such as abnormal operation instructions and function codes of the communication protocols. The log data can be collected by an industrial control host probe component deployed on the industrial control host; this probe collects running state information of the host such as CPU utilisation, memory utilisation and disk utilisation, and information such as the running processes, system configuration, error log and operation log of the Windows/Linux system. The log data may include, but is not limited to, the operating state of the industrial control host, its processes, industrial control software logs, system configuration and operation logs. The state data of the network device may be collected by a remote probe component deployed on the network device; the remote probe collects information such as the running state of the device and the network state through the management protocols supported by the network device and the security device, such as SNMP, SSH and Telnet. The state data may include the operating state of the network device, the network state, and the like.
And step S102, carrying out alarm processing according to the network communication data, the log data and the state data to obtain alarm event information, wherein the alarm event information comprises alarm events and equipment assets associated with the alarm events.
After the relevant data are collected, they are evaluated and compared against preset alarm rules; if the data match a preset alarm rule, alarm event information is output.
An alarm rule may, for example, require that the data contain or not contain certain values: if the network communication data contains (or does not contain) a certain type of data, the corresponding alarm rule is judged to be matched and an alarm event is output. A rule may also require that a value be below or above a threshold, or within a certain numerical range: for example, if the CPU utilisation in the log data exceeds a certain threshold, the corresponding alarm rule is judged to be matched and an alarm event is output.
Alarm indicators may include, for example, whether a network communication connection has changed, whether a threshold has been exceeded, whether a state has changed, whether the target object is in a preset list (i.e. whether the accessing object is legitimate; an object not in the list is normally not allowed to access the target), and whether a characteristic value (i.e. a preset specific value or parameter) is present.
In some embodiments, for repeated alarm events, the relevant information of the repeated alarm events may be computed by data aggregation over the alarm asset and alarm event fields, and the alarm event may be correlated with the original event information. The original event information is the data from which the alarm event was generated, such as network communication data, log data and state data.
The alarm event information may include, but is not limited to, alarm events, equipment assets associated with the alarm events, alarm levels, alarm types, alarm summaries, and alarm times.
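The alarm step described above (rule matching over the three data sources, then aggregation of repeated alarms with a link back to the original records), as an added example that is not part of the patent or of the assignee's product. The record layouts, the rule set (a disallowed Modbus function code, an allowlist of masters, a CPU threshold, a link state change) and the sample records are all constructed for illustration:

```python
"""Rule-based alarm processing over network communication data, host log data
and device state data, followed by aggregation of repeated alarms.
All field names, rules and sample records are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records. "asset" is the IP of the device the record belongs to.
NETWORK_DATA = [
    {"time": 100, "asset": "10.0.1.20", "peer": "10.0.1.5", "proto": "modbus", "func_code": 3},
    {"time": 105, "asset": "10.0.1.20", "peer": "10.0.1.5", "proto": "modbus", "func_code": 8},
    {"time": 110, "asset": "10.0.1.20", "peer": "10.0.1.5", "proto": "modbus", "func_code": 8},
    {"time": 120, "asset": "10.0.9.9", "peer": "10.0.1.5", "proto": "modbus", "func_code": 6},
]
HOST_LOGS = [
    {"time": 101, "asset": "10.0.1.20", "cpu": 35.0},
    {"time": 106, "asset": "10.0.1.20", "cpu": 97.5},
]
DEVICE_STATUS = [
    {"time": 100, "asset": "10.0.1.1", "link": "up"},
    {"time": 115, "asset": "10.0.1.1", "link": "down"},
]

# Assumed preset lists and thresholds used by the rules.
ALLOWED_MASTERS = {"10.0.1.20", "10.0.1.21"}  # hosts allowed to talk to the controllers
DISALLOWED_FUNC_CODES = {8}                    # Modbus diagnostics, assumed unexpected here
CPU_THRESHOLD = 90.0


@dataclass
class AlarmEvent:
    name: str        # alarm event name, used later as a tracing parameter
    asset: str       # equipment asset associated with the alarm
    level: str
    kind: str
    summary: str
    time: int
    original: dict   # the raw record that produced the alarm


def match_contains(rec):
    """Rule type 'data contains a characteristic value'."""
    if rec.get("proto") == "modbus" and rec["func_code"] in DISALLOWED_FUNC_CODES:
        return AlarmEvent("disallowed_function_code", rec["asset"], "high", "network",
                          f"modbus function code {rec['func_code']} to {rec['peer']}", rec["time"], rec)
    return None


def match_allowlist(rec):
    """Rule type 'accessing object is not in the preset list'."""
    if rec.get("proto") and rec["asset"] not in ALLOWED_MASTERS:
        return AlarmEvent("unauthorized_access", rec["asset"], "high", "network",
                          f"{rec['asset']} is not an allowed master for {rec['peer']}", rec["time"], rec)
    return None


def match_threshold(rec):
    """Rule type 'value exceeds a threshold'."""
    if rec.get("cpu", 0.0) > CPU_THRESHOLD:
        return AlarmEvent("cpu_overload", rec["asset"], "medium", "host",
                          f"cpu {rec['cpu']}%", rec["time"], rec)
    return None


def match_state_change(rec, prev):
    """Rule type 'state has changed' between consecutive reports of one device."""
    if prev is not None and prev.get("link") != rec.get("link"):
        return AlarmEvent("link_state_change", rec["asset"], "medium", "device",
                          f"link {prev['link']} -> {rec['link']}", rec["time"], rec)
    return None


def process_alarms(network, host_logs, status):
    """Evaluate every record against the rules for its data source; return raw alarms."""
    alarms = []
    for rec in network:
        alarms += [a for a in (match_contains(rec), match_allowlist(rec)) if a is not None]
    for rec in host_logs:
        a = match_threshold(rec)
        if a is not None:
            alarms.append(a)
    last_seen = {}  # state-change rules need the previous report per asset
    for rec in sorted(status, key=lambda r: r["time"]):
        a = match_state_change(rec, last_seen.get(rec["asset"]))
        if a is not None:
            alarms.append(a)
        last_seen[rec["asset"]] = rec
    return alarms


def aggregate(alarms):
    """Collapse repeats on (asset, event name): count, first/last time, and the
    original records so each alarm stays correlated with the raw events."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "originals": []})
    for a in alarms:
        g = groups[(a.asset, a.name)]
        g["count"] += 1
        g["first"] = a.time if g["first"] is None else min(g["first"], a.time)
        g["last"] = a.time if g["last"] is None else max(g["last"], a.time)
        g["level"], g["kind"], g["summary"] = a.level, a.kind, a.summary
        g["originals"].append(a.original)
    return dict(groups)


if __name__ == "__main__":
    for key, g in aggregate(process_alarms(NETWORK_DATA, HOST_LOGS, DEVICE_STATUS)).items():
        print(key, g["level"], g["count"], g["first"], g["last"], g["summary"])
```

The aggregation key is the pair (asset, alarm name) because those two fields are exactly what the later tracing step consumes as parameters; keeping the original records on the aggregated alarm is what lets an analyst move from the alarm back to the packet or log line that raised it.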
Step S103, acquiring traceability parameters, wherein the traceability parameters comprise traceability time ranges, equipment assets and names of alarm events.
The tracing parameters may be entered by operations and maintenance personnel on the basis of the alarm event after the system has output the alarm event information, or may be generated automatically by the system from the alarm event. In practice the equipment asset typically identifies the abnormal device, specifically by the IP address of the abnormal device.
Step S104, determining, according to the tracing parameters, the target equipment assets associated with the alarm event, a list of the communication behaviours by which the equipment hazard was accessed, and a list of security events associated with the alarm event.
In some embodiments, the network communication behaviour of the equipment asset and the associated target equipment assets are first looked up by the IP address of the equipment asset. The target equipment assets associated with that IP address can be derived from the network communication behaviour together with the network topology diagram: the network communication behaviour shows which devices the equipment asset communicated with, and the network topology diagram shows the connection relations between the network nodes of the industrial control network, i.e. the network links. In this way the abnormal device and the devices associated with it can be found from the network communication behaviour and the network topology, which yields the chain along which the device infection propagated.
Next, the security events associated with the name of the alarm event are looked up and a security event list is generated. Security events are generated by the system; for example, they may include, but are not limited to, viruses, attacks from external networks, equipment faults and production anomalies.
Next, the security risk coefficient of the equipment asset and the security risk coefficients of the target equipment assets are calculated from the network communication behaviour, the target equipment assets and the alarm event information.
Specifically, the network communication behaviour comprises the total number of equipment hazard events, and the alarm event information comprises the grade coefficient, the total number of occurrences of the event, the repair difficulty coefficient of the event and the duration of the event in days. First, the deducted safety coefficient of the equipment asset is calculated from the grade coefficient of the alarm event, the total number of occurrences, the repair difficulty coefficient and the duration in days; that is, the deducted safety coefficient is computed from the event grade coefficient, the total number of occurrences, the repair difficulty coefficient and the duration in days. The safety coefficient of the equipment asset is then obtained from the deducted safety coefficient. In this way the deducted safety coefficients of the equipment asset (i.e. the abnormal device) and of the associated target devices are calculated, and the safety coefficient of each device is reduced from its initial safety coefficient by that device's deducted safety coefficient, giving each device a new safety coefficient. Then the security risk coefficient of the equipment asset is obtained from its safety coefficient, its importance level, the importance levels of the target equipment assets and the total number of equipment hazard events; that is, the equipment risk coefficient is computed from the equipment importance, the associated equipment importance, the equipment safety coefficient and the total number of equipment hazard events.
Finally, the list of communication behaviours by which the equipment hazard was accessed is generated from the security risk coefficients and the tracing time range. Specifically, the list is generated from the security risk coefficients of the two endpoint devices of each network communication behaviour that occurred within the tracing time range.
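The four sub-steps of step S104 carried through end to end, as an added example that is not the patent's own code. The page names the inputs of the deducted safety coefficient and of the risk coefficient but does not give the operators that combine them, so the two formulas below, the initial safety coefficient of 100, the importance scale, the topology, the communication records and the security event table are all assumptions constructed for illustration:

```python
"""Tracing step: from (time range, anomalous device IP, alarm name) derive the
associated target assets over communication behaviour constrained by the
topology, compute per-device risk coefficients, and emit the hazard-access
communication list and the security event list.
Formulas, weights and all input data are assumptions, not the patent's own."""
from collections import deque

# Constructed inputs.
TOPOLOGY = {  # physical links from the network topology diagram (undirected)
    "10.0.1.20": {"10.0.1.1"},
    "10.0.1.1": {"10.0.1.20", "10.0.1.5", "10.0.1.6"},
    "10.0.1.5": {"10.0.1.1"},
    "10.0.1.6": {"10.0.1.1"},
}
COMMS = [  # observed network communication behaviour: (time, src, dst)
    (105, "10.0.1.20", "10.0.1.5"), (110, "10.0.1.20", "10.0.1.5"),
    (130, "10.0.1.5", "10.0.1.6"), (300, "10.0.1.20", "10.0.1.6"),
]
IMPORTANCE = {"10.0.1.20": 3, "10.0.1.1": 2, "10.0.1.5": 5, "10.0.1.6": 4}  # assumed 1..5 scale
ALARMS = {  # alarm event information per asset: grade, occurrences, repair difficulty, days
    "10.0.1.20": {"grade": 0.8, "count": 2, "repair_difficulty": 0.6, "duration_days": 3},
    "10.0.1.5": {"grade": 0.8, "count": 1, "repair_difficulty": 0.6, "duration_days": 1},
}
SECURITY_EVENTS = [  # system-generated security events and the alarm names they relate to
    {"id": "SE-1", "category": "virus", "alarm_names": {"disallowed_function_code", "cpu_overload"}},
    {"id": "SE-2", "category": "device_fault", "alarm_names": {"link_state_change"}},
]
INITIAL_SAFETY = 100.0  # assumed starting safety coefficient of every device


def linked_in_topology(a, b):
    """True if a and b are connected by network links (BFS over the topology)."""
    seen, queue = {a}, deque([a])
    while queue:
        node = queue.popleft()
        if node == b:
            return True
        for nxt in TOPOLOGY.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def comm_behaviours(asset, t0, t1, comms=COMMS):
    """Communication behaviours involving the asset inside the tracing window."""
    return [c for c in comms if t0 <= c[0] <= t1 and asset in (c[1], c[2])]


def infection_chain(asset, t0, t1, comms=COMMS):
    """Follow communications hop by hop from the anomalous device. A peer counts as an
    associated target only if the topology also links the two devices."""
    chain, frontier = [asset], [asset]
    while frontier:
        next_frontier = []
        for a in frontier:
            for _, src, dst in comm_behaviours(a, t0, t1, comms):
                peer = dst if src == a else src
                if peer not in chain and linked_in_topology(a, peer):
                    chain.append(peer)
                    next_frontier.append(peer)
        frontier = next_frontier
    return chain


def deducted_safety(info):
    """Assumed formula: severity x occurrences x (1 + repair difficulty) x days."""
    return info["grade"] * info["count"] * (1 + info["repair_difficulty"]) * info["duration_days"]


def safety_coefficient(asset):
    """Start from the initial safety coefficient and deduct for the asset's alarms."""
    info = ALARMS.get(asset)
    return INITIAL_SAFETY - (deducted_safety(info) if info else 0.0)


def risk_coefficient(asset, chain, hazard_events):
    """Assumed combination of the four inputs the page names: own importance, highest
    importance among associated devices, share of safety lost, hazard event count."""
    assoc = max((IMPORTANCE.get(a, 1) for a in chain if a != asset), default=0)
    lost = 1.0 - safety_coefficient(asset) / INITIAL_SAFETY
    return round(IMPORTANCE.get(asset, 1) * assoc * lost * (1 + hazard_events), 3)


def trace(asset, alarm_name, t0, t1):
    """Run the four sub-steps and return the tracing result."""
    chain = infection_chain(asset, t0, t1)
    comms = [c for c in COMMS if t0 <= c[0] <= t1 and c[1] in chain and c[2] in chain]
    risks = {a: risk_coefficient(a, chain, sum(1 for c in comms if a in c[1:])) for a in chain}
    # Hazard-access list: both endpoints' risk coefficients decide the ordering.
    hazard_comms = sorted(comms, key=lambda c: -(risks[c[1]] + risks[c[2]]))
    events = [e["id"] for e in SECURITY_EVENTS if alarm_name in e["alarm_names"]]
    return {"targets": chain[1:], "risks": risks, "hazard_comms": hazard_comms, "security_events": events}


if __name__ == "__main__":
    print(trace("10.0.1.20", "disallowed_function_code", 100, 200))
```

Two properties of this construction are worth noting for a practitioner: the communication record at time 300 is excluded simply by the tracing time range, and a peer that exchanged traffic with the anomalous device but has no topology link to it is never added to the chain, which is what keeps the infection chain consistent with the physical network rather than with whatever a spoofed address claims.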
As can be seen from the above, in the embodiment of the present application, alarm processing is performed according to network communication data, log data and status data, and when an alarm event occurs, tracing is performed according to relevant information of the alarm event, so as to locate an associated equipment asset and a security event that may occur.
It should be understood that the sequence numbers of the steps in the foregoing embodiments do not imply an order of execution; the order in which each process is executed should be determined by its function and internal logic, and does not constitute any limitation on the implementation of the embodiments of the present application.
Corresponding to the industrial control network security risk tracing method described in the above embodiments, fig. 2 shows a structural block diagram of the industrial control network security risk tracing device provided in the embodiments of the present application, and for convenience of explanation, only the portions relevant to the embodiments of the present application are shown.
Referring to fig. 2, the apparatus includes:
the data acquisition module 21 is configured to acquire network communication data of an industrial control network, log data of an industrial control host, and status data of network devices, where the industrial control network includes the industrial control host and the network devices;
the alarm module 22 is configured to perform alarm processing according to the network communication data, the log data and the status data, so as to obtain alarm event information, where the alarm event information includes an alarm event and equipment assets associated with the alarm event;
the parameter obtaining module 23 is configured to obtain a tracing parameter, where the tracing parameter includes a tracing time range, a device asset, and a name of an alarm event;
the tracing module 24 is configured to determine, according to the tracing parameters, the target equipment assets associated with the alarm event, a list of the communication behaviours by which the equipment hazard was accessed, and a list of security events associated with the alarm event.
In some possible implementations, the tracing module is specifically configured to: look up the network communication behaviour of the equipment asset and the target equipment assets associated with it; look up the security events associated with the name of the alarm event and generate the security event list; calculate the security risk coefficient of the equipment asset and the security risk coefficient of each target equipment asset from the network communication behaviour, the target equipment assets and the alarm event information; and generate the list of communication behaviours by which the equipment hazard was accessed from the security risk coefficients and the tracing time range.
In some possible implementations, the tracing module is specifically configured to: calculate the deducted safety coefficient of the equipment asset from the grade coefficient of the alarm event, the total number of occurrences of the event, the repair difficulty coefficient of the event and the duration of the event in days; obtain the safety coefficient of the equipment asset from the deducted safety coefficient; and obtain the security risk coefficient of the equipment asset from the safety coefficient, the importance level of the equipment asset, the importance level of the target equipment asset and the total number of equipment hazard events;
where the network communication behaviour comprises the total number of equipment hazard events, and the alarm event information comprises the grade coefficient, the total number of occurrences of the event, the repair difficulty coefficient of the event and the duration of the event in days.
In some possible implementations, the data acquisition module is specifically configured to: acquiring network communication data of an industrial control network acquired by a flow probe assembly; acquiring log data acquired by an industrial control host probe assembly; status data of the network device acquired by the remote probe assembly is acquired.
In some possible implementations, the log data includes an operating state of the industrial control host, a process, an industrial control software log, a system configuration, an operation log, an operating system vulnerability and patch, a network connection, a network service, a network communication, a security protection state, and the like, and the state data includes an operating state and a network state of the network device.
In order to better describe the technical solution provided by the embodiments of the present application, an exemplary description is provided below in connection with the industrial control network security risk tracing system shown in fig. 3.
Referring to fig. 3, the industrial control network security risk tracing system may include an information acquisition module 31, an alarm module 32, and a security risk tracing module 33. The information acquisition module 31 is connected with the alarm module 32, and the alarm module 32 is connected with the security risk tracing module 33.
The information collection module 31 is configured to collect the relevant data of each device, for example of the industrial control hosts, control devices, network devices and security devices. Specifically, the information collection module 31 receives the log data of the industrial control host reported by the industrial control host probe, the network communication data reported by the flow probe, and the status data reported by the remote probe. The received data are then normalized, and each record is associated with the corresponding equipment asset.
The alarm module 32 is configured to perform alarm processing on the data collected by the information collection module 31 based on a preset alarm rule, and output an alarm event and related information of the alarm event. Further, risk disposition suggestions may also be given based on the alert event.
The security risk tracing module 33 is configured to perform security risk tracing according to the information related to the alarm event output by the alarm module 32 and the network topology diagram of the industrial control network, and quickly locate the source of the network security risk.
In particular, by monitoring nodes, the security risk tracing module 33 may discover all known devices from traffic or from ARP cache tables; any of these devices may be a source from which a security risk propagates.
When a security risk arises, the communication behaviors and historical security events generated during the historical period by all associated devices in the current network are retrieved, and the candidate set is narrowed further so that the risk sources can be checked one by one on the basis of that data.
By analyzing the network communication access behavior and the communication behavior log (comprising the source IP, the destination IP and the destination port) generated by the source device toward the target device, the hidden-danger event characteristics of the device at the opposite end of the target device are matched, and the device risk coefficient of each device is calculated. Comparing the device risk coefficients then yields the security risk source that is most likely the true one.
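The patent describes the tracing module's steps (searching the asset's communication behavior and target assets, building the security event list, computing a deducted safety coefficient, a safety coefficient and a security risk coefficient, and ranking by device risk comparison; see also claims 1 and 2) but gives no numeric formulas. The following Python is an added example written for this page, not code from the patent or its applicant: the scoring rules inside `deducted_safety_coefficient`, `safety_coefficient` and `security_risk_coefficient`, the data classes, the IP addresses and all sample alarm and flow records are assumptions constructed to show how the four steps fit together and how the riskiest peer is picked out.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    importance: int            # importance level of the equipment asset, 1 (low) .. 5 (critical)

@dataclass(frozen=True)
class AlarmEvent:
    name: str
    asset_ip: str              # equipment asset the alarm event is associated with
    grade_coef: float          # grade coefficient of the alarm event
    occurrences: int           # total number of event occurrences
    restore_difficulty: float  # event restoration difficulty coefficient
    duration_days: int         # event duration in days

@dataclass(frozen=True)
class CommBehavior:
    src_ip: str
    dst_ip: str
    dst_port: int
    when: datetime
    hidden_trouble_events: int  # equipment hidden-trouble events matched on this flow

@dataclass(frozen=True)
class TraceParams:
    start: datetime            # tracing time range
    end: datetime
    asset_ip: str              # equipment asset named in the alarm event information
    alarm_name: str            # name of the alarm event


def deducted_safety_coefficient(events: List[AlarmEvent]) -> float:
    # Assumed scoring rule: each alarm deducts grade * occurrences * difficulty * days.
    return float(sum(e.grade_coef * e.occurrences * e.restore_difficulty * e.duration_days
                     for e in events))

def safety_coefficient(deducted: float) -> float:
    # Assumed: start from a perfect score of 100, subtract the deductions, floor at 0.
    return max(0.0, 100.0 - deducted)

def security_risk_coefficient(safety: float, asset_importance: int,
                              target_importance: int, hidden_trouble_total: int) -> float:
    # Assumed: exposure (1 - safety/100) scaled by the pair's mean importance level and
    # by the number of hidden-trouble events observed between the pair.
    exposure = (100.0 - safety) / 100.0
    weight = (asset_importance + target_importance) / 2.0
    return round(exposure * weight * (1 + hidden_trouble_total), 3)


def trace(params: TraceParams, assets: Dict[str, Asset],
          behaviors: List[CommBehavior], events: List[AlarmEvent]) -> dict:
    def peer(b: CommBehavior) -> str:
        return b.dst_ip if b.src_ip == params.asset_ip else b.src_ip

    # 1. network communication behaviour of the equipment asset and its target assets
    related = [b for b in behaviors if params.asset_ip in (b.src_ip, b.dst_ip)]
    targets = sorted({peer(b) for b in related})
    # 2. security event list: events sharing the alarm event's name
    security_events = [e for e in events if e.name == params.alarm_name]

    # 3. risk coefficient of the equipment asset and of each target asset, per pair
    def risk_for(ip: str, other_ip: str, hidden: int) -> float:
        own = [e for e in events if e.asset_ip == ip]
        safety = safety_coefficient(deducted_safety_coefficient(own))
        imp = assets.get(ip, Asset(ip, 1)).importance            # unknown asset: lowest level
        other_imp = assets.get(other_ip, Asset(other_ip, 1)).importance
        return security_risk_coefficient(safety, imp, other_imp, hidden)

    pair_risk: Dict[str, Tuple[float, float]] = {}
    for t in targets:
        hidden = sum(b.hidden_trouble_events for b in related if peer(b) == t)
        pair_risk[t] = (risk_for(params.asset_ip, t, hidden), risk_for(t, params.asset_ip, hidden))

    # 4. hidden-trouble accessed communication behaviour list: flows inside the tracing
    #    time range, ordered so that the riskiest target comes first
    in_range = [b for b in related if params.start <= b.when <= params.end]
    behavior_list = sorted(in_range, key=lambda b: pair_risk[peer(b)][1], reverse=True)
    return {"targets": targets, "security_events": security_events,
            "pair_risk": pair_risk, "behavior_list": behavior_list}

def most_likely_source(result: dict) -> str:
    # Device risk comparison: the target asset with the highest risk coefficient.
    return max(result["pair_risk"], key=lambda t: result["pair_risk"][t][1])


def sample_trace() -> dict:
    # Constructed sample data (not from the patent): a workstation, a PLC and an HMI.
    assets = {a.ip: a for a in (Asset("10.0.1.10", 3), Asset("10.0.1.20", 5), Asset("10.0.1.30", 2))}
    events = [
        AlarmEvent("unauthorised-modbus-write", "10.0.1.10", 2.0, 3, 1.5, 2),
        AlarmEvent("unauthorised-modbus-write", "10.0.1.20", 3.0, 1, 2.0, 5),
        AlarmEvent("weak-password", "10.0.1.30", 1.0, 1, 1.0, 10),
    ]
    behaviors = [
        CommBehavior("10.0.1.10", "10.0.1.20", 502, datetime(2022, 2, 20, 10), 2),
        CommBehavior("10.0.1.10", "10.0.1.30", 445, datetime(2022, 2, 21, 9), 0),
        CommBehavior("10.0.1.30", "10.0.1.10", 3389, datetime(2022, 2, 10, 8), 1),  # outside range
        CommBehavior("10.0.1.20", "10.0.1.40", 102, datetime(2022, 2, 21, 12), 1),  # not this asset
    ]
    params = TraceParams(datetime(2022, 2, 15), datetime(2022, 2, 22), "10.0.1.10", "unauthorised-modbus-write")
    return trace(params, assets, behaviors, events)
```

With the constructed data the PLC at 10.0.1.20 receives the highest risk coefficient (it has the heaviest alarm and the most hidden-trouble events on its flows with the workstation), so it heads the communication behavior list and is reported as the most likely risk source; the flow from 2022-02-10 drops out because it lies outside the tracing time range.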
When a security risk event is found, all network communication behaviors and operation behaviors generated by the current device within a given period are displayed along a timeline, using the historical operating states, security events and configuration information, so that the device's infection period chain is obtained.
When process production equipment raises a fault alarm, the upper computer is associated through the control device and risk tracing is performed on the current industrial control network: the network communication connection tree of the upper computer, the historical operating states of the control device, the configuration files of the control device, the production process measurement point data and the communication and operation behaviors of the upper computer are recorded to form time-sequence trends; these trends are combined by time node into a baseline trend; and the risk points are located by comparing the current behavior against the safety baseline.
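The baseline comparison just described (recording several signals as time-sequence trends, combining them by time node into a baseline, and locating the time node and signal at which the current run departs from it) is shown below as an added Python example written for this page; it is not the patent's implementation. The statistics used (per-node mean and standard deviation with a `k`-sigma band), the signal names `host_conn_count`, `plc_cpu_load` and `tank_level`, and the three historical runs and the current run are all constructed assumptions.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# One run is a sequence of time nodes; at each node every recorded signal has one value.
Run = List[Dict[str, float]]
Baseline = List[Dict[str, Tuple[float, float]]]   # per node: signal -> (mean, std dev)


def build_baseline(history: List[Run]) -> Baseline:
    # Combine the historical time-sequence trends node by node into a baseline trend.
    baseline: Baseline = []
    for node in range(len(history[0])):
        per_signal = {}
        for sig in history[0][node]:
            vals = [run[node][sig] for run in history]
            per_signal[sig] = (mean(vals), pstdev(vals))
        baseline.append(per_signal)
    return baseline


def locate_risk_points(baseline: Baseline, current: Run, k: float = 3.0,
                       min_band: float = 0.5) -> List[Tuple[int, str, float, float]]:
    # Compare the current run against the safety baseline. A signal whose value leaves the
    # band mean +/- max(k*std, min_band) at some node is a risk point (node, signal, value, expected).
    # min_band stops a signal that never varied historically from alarming on float noise.
    hits = []
    for node, expected in enumerate(baseline):
        for sig, (mu, sigma) in expected.items():
            value = current[node][sig]
            if abs(value - mu) > max(k * sigma, min_band):
                hits.append((node, sig, value, round(mu, 2)))
    return hits   # ordered by time node, so hits[0] is the earliest deviation


def first_risk_point(hits: List[Tuple[int, str, float, float]]) -> Tuple[int, str]:
    # The earliest deviating node and signal is where the anomaly is positioned.
    return (hits[0][0], hits[0][1]) if hits else (-1, "")


def _run(conn: List[float], load: List[float], level: List[float]) -> Run:
    return [{"host_conn_count": c, "plc_cpu_load": l, "tank_level": t}
            for c, l, t in zip(conn, load, level)]


def sample_risk_points() -> List[Tuple[int, str, float, float]]:
    # Constructed sample (not from the patent): three normal production runs and one current
    # run in which the upper computer's connection count jumps first, then the controller's
    # CPU load, and finally the measured tank level.
    history = [
        _run([2, 2, 3, 2, 2], [40, 41, 42, 41, 40], [50, 55, 60, 65, 70]),
        _run([2, 3, 2, 2, 2], [41, 42, 41, 40, 41], [51, 56, 61, 66, 71]),
        _run([3, 2, 2, 3, 2], [40, 40, 42, 42, 41], [49, 54, 59, 64, 69]),
    ]
    current = _run([2, 2, 9, 2, 2], [40, 41, 42, 95, 41], [50, 55, 60, 65, 30])
    return locate_risk_points(build_baseline(history), current)
```

Reading the hits in time-node order reproduces the propagation the text describes: the upper computer's connection tree changes before the control device misbehaves, and the process measurement deviates last, so the earliest hit is the risk point to investigate first.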
It should be noted that, because the content of information interaction and execution process between the above devices/units is based on the same concept as the method embodiment of the present application, specific functions and technical effects thereof may be found in the method embodiment section, and will not be described herein again.
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 4, the electronic apparatus 4 of this embodiment includes: at least one processor 40 (only one is shown in fig. 4), a memory 41, and a computer program 42 stored in the memory 41 and executable on the at least one processor 40, the processor 40 implementing the steps in any of the various target tracking method embodiments described above when executing the computer program 42.
The electronic device 4 may be a computing device such as a desktop computer, a notebook computer, a palm computer, a cloud server, etc. The electronic device may include, but is not limited to, a processor 40, a memory 41. It will be appreciated by those skilled in the art that fig. 4 is merely an example of the electronic device 4 and is not meant to be limiting of the electronic device 4, and may include more or fewer components than shown, or may combine certain components, or different components, such as may also include input-output devices, network access devices, etc.
The processor 40 may be a central processing unit (Central Processing Unit, CPU), the processor 40 may also be other general purpose processors, digital signal processors (Digital Signal Processor, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), off-the-shelf programmable gate arrays (Field-Programmable Gate Array, FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 41 may in some embodiments be an internal storage unit of the electronic device 4, such as a hard disk or a memory of the electronic device 4. The memory 41 may in other embodiments also be an external storage device of the electronic device 4, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash Card (Flash Card) or the like, which are provided on the electronic device 4. Further, the memory 41 may also include both an internal storage unit and an external storage device of the electronic device 4. The memory 41 is used for storing an operating system, application programs, boot loader (BootLoader), data, other programs, etc., such as program codes of the computer program. The memory 41 may also be used for temporarily storing data that has been output or is to be output.
It will be apparent to those skilled in the art that, for convenience and brevity of description, only the above-described division of the functional units and modules is illustrated, and in practical application, the above-described functional distribution may be performed by different functional units and modules according to needs, i.e. the internal structure of the apparatus is divided into different functional units or modules to perform all or part of the above-described functions. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit, where the integrated units may be implemented in a form of hardware or a form of a software functional unit. In addition, specific names of the functional units and modules are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present application. The specific working process of the units and modules in the above system may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
The embodiment of the application also provides electronic equipment, which comprises: at least one processor, a memory, and a computer program stored in the memory and executable on the at least one processor, which when executed by the processor performs the steps of any of the various method embodiments described above.
Embodiments of the present application also provide a computer readable storage medium storing a computer program which, when executed by a processor, implements steps that may implement the various method embodiments described above.
Embodiments of the present application provide a computer program product which, when run on an electronic device, causes the electronic device to perform steps that may be performed in the various method embodiments described above.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the present application implements all or part of the flow of the method of the above embodiments, and may be implemented by a computer program to instruct related hardware, where the computer program may be stored in a computer readable storage medium, where the computer program, when executed by a processor, may implement the steps of each of the method embodiments described above. Wherein the computer program comprises computer program code which may be in source code form, object code form, executable file or some intermediate form etc. The computer readable medium may include at least: any entity or device capable of carrying computer program code to a photographing device/terminal apparatus, recording medium, computer memory, read-only memory (ROM), random access memory (RAM), electrical carrier signals, telecommunications signals, and software distribution media, such as a U-disk, removable hard disk, magnetic or optical disk, etc. In some jurisdictions, computer readable media may not be electrical carrier signals and telecommunications signals in accordance with legislation and patent practice.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and in part, not described or illustrated in any particular embodiment, reference is made to the related descriptions of other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus, electronic device, and method may be implemented in other manners. For example, the apparatus/electronic device embodiments described above are merely illustrative, e.g., the division of the modules or units is merely a logical function division, and there may be additional divisions in actual implementation, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application, and are intended to be included in the scope of the present application.

Claims (10)

1. The industrial control network security risk tracing method is characterized by comprising the following steps of:
acquiring network communication data of an industrial control network, log data of an industrial control host and state data of network equipment, wherein the industrial control network comprises the industrial control host and the network equipment;
performing alarm processing according to the network communication data, the log data and the state data to obtain alarm event information, wherein the alarm event information comprises an alarm event and equipment assets associated with the alarm event;
acquiring traceability parameters, wherein the traceability parameters comprise a traceability time range, the equipment asset and the name of the alarm event;
determining a target equipment asset, an equipment hidden trouble visited communication behavior list and a security event list associated with the alarm event according to the traceability parameters;
wherein determining, according to the traceability parameters, the target equipment asset, the equipment hidden trouble visited communication behavior list and the security event list associated with the alarm event comprises the following steps:
searching the network communication behavior of the equipment asset and the associated target equipment asset;
searching a security event associated with the name of the alarm event, and generating the security event list;
according to the network communication behavior, the target equipment asset and the alarm event information, calculating a safety risk coefficient of the equipment asset and a safety risk coefficient of the target equipment asset;
and generating the accessed communication behavior list of the hidden trouble of the equipment according to the security risk coefficient and the tracing time range.
2. The method of claim 1, wherein calculating a security risk factor for the device asset based on the network communication behavior, the target device asset, and the alarm event information comprises:
calculating the deducted safety coefficient of the equipment asset according to the grade coefficient of the alarm event, the total number of event occurrence, the event restoration difficulty coefficient and the event duration days;
obtaining a security coefficient of the equipment asset according to the deducted security coefficient;
obtaining a safety risk coefficient of the equipment asset according to the safety coefficient, the importance level of the equipment asset, the importance level of the target equipment asset and the total number of equipment hidden trouble events;
the network communication behavior comprises the total number of equipment hidden trouble events, and the alarm event information comprises the grade coefficient, the total number of event occurrence, the event restoration difficulty coefficient and the event duration days.
3. The method of claim 1, wherein obtaining network communication data of the industrial control network, log data of the industrial control host, and status data of the network device comprises:
acquiring the network communication data of the industrial control network acquired by a flow probe assembly;
acquiring the log data acquired by the industrial control host probe assembly;
and acquiring the state data of the network equipment acquired by a remote probe assembly.
4. The method of claim 3, wherein the log data comprises an operational state of the industrial control host, a process, an industrial control software log, a system configuration, and an operation log, and the status data comprises an operational state and a network state of the network device.
5. An industrial control network security risk traceability device, which is characterized by comprising:
the system comprises a data acquisition module, a control module and a control module, wherein the data acquisition module is used for acquiring network communication data of an industrial control network, log data of an industrial control host and state data of network equipment, and the industrial control network comprises the industrial control host and the network equipment;
the alarm module is used for carrying out alarm processing according to the network communication data, the log data and the state data to obtain alarm event information, wherein the alarm event information comprises alarm events and equipment assets associated with the alarm events;
the parameter acquisition module is used for acquiring traceability parameters, wherein the traceability parameters comprise a traceability time range, the equipment asset and the name of the alarm event;
the traceability module is used for determining a target equipment asset and equipment hidden trouble visited communication behavior list associated with the alarm event and a safety event list associated with the alarm event according to the traceability parameters;
wherein, the traceability module is specifically configured to:
searching the network communication behavior of the equipment asset and the associated target equipment asset;
searching a security event associated with the name of the alarm event, and generating the security event list;
according to the network communication behavior, the target equipment asset and the alarm event information, calculating a safety risk coefficient of the equipment asset and a safety risk coefficient of the target equipment asset;
and generating the accessed communication behavior list of the hidden trouble of the equipment according to the security risk coefficient and the tracing time range.
6. The apparatus of claim 5, wherein the tracing module is specifically configured to:
calculating the deducted safety coefficient of the equipment asset according to the grade coefficient of the alarm event, the total number of event occurrence, the event restoration difficulty coefficient and the event duration days;
obtaining a security coefficient of the equipment asset according to the deducted security coefficient;
obtaining a safety risk coefficient of the equipment asset according to the safety coefficient, the importance level of the equipment asset, the importance level of the target equipment asset and the total number of equipment hidden trouble events;
the network communication behavior comprises the total number of equipment hidden trouble events, and the alarm event information comprises the grade coefficient, the total number of event occurrence, the event restoration difficulty coefficient and the event duration days.
7. The apparatus of claim 5, wherein the data acquisition module is specifically configured to:
acquiring the network communication data of the industrial control network acquired by a flow probe assembly;
acquiring the log data acquired by the industrial control host probe assembly;
and acquiring the state data of the network equipment acquired by a remote probe assembly.
8. The apparatus of claim 7, wherein the log data comprises an operating state of the industrial control host, a process, an industrial control software log, a system configuration, and an operation log, and the status data comprises an operating state and a network state of the network device.
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the method of any one of claims 1 to 4 when executing the computer program.
10. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the method according to any one of claims 1 to 4.
CN202210162006.3A 2022-02-22 2022-02-22 Industrial control network security risk tracing method and device, electronic equipment and storage medium Active CN114598506B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210162006.3A CN114598506B (en) 2022-02-22 2022-02-22 Industrial control network security risk tracing method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210162006.3A CN114598506B (en) 2022-02-22 2022-02-22 Industrial control network security risk tracing method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114598506A CN114598506A (en) 2022-06-07
CN114598506B true CN114598506B (en) 2023-06-30

Family

ID=81804359

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210162006.3A Active CN114598506B (en) 2022-02-22 2022-02-22 Industrial control network security risk tracing method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114598506B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765704B (en) * 2021-08-10 2022-09-27 广州天懋信息系统股份有限公司 Private network data acquisition method, device, equipment and storage medium
CN116318969B (en) * 2023-03-15 2024-01-26 中国华能集团有限公司北京招标分公司 Multi-element equipment log access method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109462599A (en) * 2018-12-13 2019-03-12 烽台科技(北京)有限公司 A kind of honey jar management system
CN113034028A (en) * 2021-04-13 2021-06-25 上海汉邦京泰数码技术有限公司 Responsibility traceability confirmation system

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212338B (en) * 2006-12-30 2012-03-14 上海复旦光华信息科技股份有限公司 Detecting probe interlock based network security event tracking system and method
US8624727B2 (en) * 2008-01-28 2014-01-07 Saigh And Son, Llc Personal safety mobile notification system
US9536410B2 (en) * 2014-12-30 2017-01-03 Alarm.Com Incorporated Digital fingerprint tracking
CN110764969A (en) * 2019-10-25 2020-02-07 新华三信息安全技术有限公司 Network attack tracing method and device
CN111490970A (en) * 2020-02-19 2020-08-04 西安交大捷普网络科技有限公司 Tracing analysis method for network attack
CN111858482B (en) * 2020-07-15 2021-10-15 北京市燃气集团有限责任公司 Attack event tracing and tracing method, system, terminal and storage medium
CN112636978A (en) * 2020-12-23 2021-04-09 深信服科技股份有限公司 Security event processing method, device, equipment and computer readable storage medium
CN113672939A (en) * 2021-08-23 2021-11-19 杭州安恒信息技术股份有限公司 Method, device, equipment and medium for analyzing terminal behavior alarm traceability

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on automated hunting of security data and tracing of multi-source alerts; 邓志东, 唐振营, 李慧芹, 谢瑞楠, 刘爽; 《信息记录材料》 (Information Recording Materials); 90-93 *

Also Published As

Publication number Publication date
CN114598506A (en) 2022-06-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant