CN115022056B - Intelligent network attack behavior handling method for power grid system - Google Patents

Info

Publication number
CN115022056B
Authority
CN (China)
Application number
CN202210650557.4A
Other languages
Chinese (zh)
Other versions
CN115022056A
Inventors
陈一帆, 周鹏, 兰润芬, 邓婵, 左勇, 吴方方, 伍文伟, 罗长春, 过耀东, 侯敏
Current and original assignees
State Grid Corp of China SGCC; State Grid Hunan Electric Power Co Ltd; Chenzhou Power Supply Co of State Grid Hunan Electric Power Co Ltd
Priority date and filing date
2022-06-09
Publication dates
CN115022056A: 2022-09-06; CN115022056B: 2023-11-21
Legal status
Active (granted)

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/14, detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis, or analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP address or URL (under H04L63/02, firewalls, and H04L63/0227, filtering policies)
    • H04L63/1441 Countermeasures against malicious traffic
    • Y04S40/20 Information technology specific aspects of smart grids, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses an intelligent network attack handling method for a power grid system. The method comprises: receiving an attack log from a traffic sensor when the sensor detects attack behaviour; identifying the attack type; performing firewall access blocking, DHCP access blocking and DNS access blocking; and issuing a remote early warning by e-mail. The method automatically receives the attack log from the traffic sensor, selects countermeasures according to the attack type, and acts on the firewall, the DHCP system, the DNS system and the mail system. It therefore shortens the attack window, improves system security, and responds quickly, safely and reliably.

Description

Intelligent network attack behavior handling method for power grid system
Technical Field
The invention belongs to the field of computer network security and in particular relates to an intelligent network attack handling method for a power grid system.
Background
With economic and technological development and rising living standards, electric energy has become an indispensable secondary energy source in production and daily life. Ensuring the stable and reliable operation of the power system is therefore one of its most important tasks.
Power grid systems are becoming increasingly intelligent, so the security of the grid's information network is particularly important, and more and more attacks are directed at grid information systems. The interval between discovery of an attack and completion of its disposal is referred to as the attack window time: the shorter the window, the fewer options an attacker has and the lower the risk to the information system.
At present the grid typically detects attacks with a traffic sensor and, once an attack is found, handles the attacker through the firewall, the DHCP system and the DNS system. This is inexpensive, but the security devices and systems do not interact with one another and cannot respond to a discovered attack automatically; handling depends on manual operation by an administrator. Timely disposal therefore cannot be guaranteed and the attack window is long.
Disclosure of Invention
The invention aims to provide an intelligent network attack handling method for a power grid system that responds quickly and is safe and reliable.
The intelligent network attack handling method for a power grid system provided by the invention comprises the following steps:
S1, when a traffic sensor detects attack behaviour, receive the attack log from the traffic sensor;
S2, identify the attack type from the attack log obtained in step S1;
S3, according to the identification result of step S2, perform firewall access blocking, DHCP access blocking and DNS access blocking;
S4, issue a remote early warning by sending e-mail.
Receiving the attack log from the traffic sensor in step S1 specifically comprises the following steps:
on the traffic sensor, setting the log transmission address to the deployment address of the handling system, with TCP as the transport protocol;
receiving the TCP transmission with a Python program;
and splitting the received attack log into individual records.
Identifying the attack type in step S2 specifically comprises the following steps:
identifying the type of each attack behaviour one by one;
the identified attack type is either an active attack or a passive attack: an active attack is one in which the attacker actively accesses the attacked target, and includes web attacks, weak-password attacks and denial-of-service attacks; a passive attack is one in which a malicious domain name controlled by the attacker causes the attacked target to connect to the attacker;
if the attack type is active, checking whether both the attack source IP and the attacked IP are within the monitoring range: if so, calling the firewall access function and adding the attack source IP to the blocking range; if not, taking no action;
if the attack type is passive, first calling the DNS access function and checking whether the malicious domain name of the attack is already in the malicious domain name list: if so, directly calling the DHCP access function to isolate the attacked IP; if not, adding the malicious domain name to the malicious domain name list and then calling the DHCP access function to isolate the attacked IP.
The firewall access blocking in step S3 is used to block the attack source IP and specifically comprises the following steps:
enabling the SSH service on the firewall and changing the SSH port;
accessing the firewall from a Python program and adding the attack source IP to the firewall's blocking list.
The DHCP access blocking in step S3 is used to isolate the attacked IP and specifically comprises the following steps:
accessing the DHCP server with the netsh command and querying whether the attacked IP exists in DHCP: if not, ending processing directly; if so, querying the scope (IP range) in which the attacked IP is located;
and entering the scope of the attacked IP and deleting the address allocated to it, so that the terminal is isolated.
The DNS access blocking in step S3 is used to block the malicious domain name and specifically comprises the following steps:
accessing the DNS server with the dnscmd command and querying whether the malicious domain name already exists in the malicious domain name list: if so, ending processing; if not, adding the malicious domain name to the DNS system and pointing it to 127.0.0.2 so that users cannot reach it.
The remote early warning by e-mail in step S4 specifically comprises the following steps:
accessing the mail server from a Python program;
sending the handling information to an administrator by e-mail to complete the remote early warning; the handling information comprises the attack type, the attack source IP, the attacked IP, the attack time and the disposal result.
The intelligent network attack handling method for a power grid system of the invention automatically receives the attack log from the traffic sensor, selects countermeasures according to the attack type, and acts on the firewall, the DHCP system, the DNS system and the mail system; it therefore shortens the attack window, improves system security, and responds quickly, safely and reliably.
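Steps S1 and S2 above, as an added example (Python 3, standard library only) that is not code from the patent or from its assignee. It receives newline-delimited attack records from the traffic sensor over TCP, splits them record by record, classifies each as active or passive, and returns the firewall, DNS and DHCP actions of the decision tree rather than executing them, so the logic can be tested on its own. Everything about the record format is an assumption, since the page says only "TCP" and "split into records": fields are key=value pairs joined by "|" (type, src for the attack source IP, victim for the attacked IP, domain, time), and the addresses, domain names and sample records are constructed. Two additions beyond the page are marked in the code: the receiver reads only from configured sensor addresses, because plain TCP gives no sender authentication and a forged record would otherwise trigger a block; and a protected set of assets that are alerted on but never auto-blocked or isolated, since an automated block of a spoofed source address is itself a denial-of-service lever against the grid's own hosts.

```python
import ipaddress
import socket
from collections import namedtuple
from dataclasses import dataclass, field

ACTIVE_TYPES = {"web", "weak_password", "dos"}  # the page's active-attack classes
PASSIVE_TYPES = {"malicious_domain"}            # the page's passive-attack class
AttackRecord = namedtuple("AttackRecord", "kind src_ip victim_ip domain time")  # domain None if active

def split_records(chunks):
    """Rebuild one-record-per-line messages across TCP segment boundaries (no record lost)."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            if line.strip():
                yield line.decode("utf-8", "replace")
    if buf.strip():
        yield buf.decode("utf-8", "replace")

def parse_record(line):
    """Parse one record; malformed lines give None, and both addresses are validated."""
    fields = {}
    for part in line.split("|"):
        key, sep, val = part.partition("=")
        if not sep:
            return None
        fields[key.strip()] = val.strip()
    try:  # sensor text must never reach a firewall or DHCP command unchecked
        src = str(ipaddress.ip_address(fields["src"]))
        victim = str(ipaddress.ip_address(fields["victim"]))
    except (KeyError, ValueError):
        return None
    kind = fields.get("type", "").lower()
    if kind not in ACTIVE_TYPES | PASSIVE_TYPES:
        return None
    return AttackRecord(kind, src, victim, fields.get("domain") or None, fields.get("time", ""))

@dataclass
class Responder:
    """The S2 decision tree; returns actions for the page's firewall/DNS/DHCP functions."""
    monitored: list                              # the 'monitoring range' (ip_network objects)
    protected: set = field(default_factory=set)  # added safeguard: assets never auto-blocked
    blocked_ips: set = field(default_factory=set)
    malicious_domains: set = field(default_factory=set)

    def in_range(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.monitored)

    def decide(self, rec):
        actions = []
        if rec.kind in ACTIVE_TYPES:
            # Page: block only when source and target are both in the monitoring range, else
            # do nothing. That bounds what a spoofed source can trigger; 'protected' goes further.
            if not (self.in_range(rec.src_ip) and self.in_range(rec.victim_ip)):
                return actions
            if rec.src_ip in self.protected:
                actions.append(("alert_only", rec.src_ip))
            elif rec.src_ip not in self.blocked_ips:
                self.blocked_ips.add(rec.src_ip)
                actions.append(("firewall_block", rec.src_ip))
            return actions
        # Passive: DNS function first (unknown names join the list), then isolate the victim.
        domain = (rec.domain or "").lower()
        if domain and domain not in self.malicious_domains:
            self.malicious_domains.add(domain)
            actions.append(("dns_sinkhole", domain))
        actions.append(("alert_only" if rec.victim_ip in self.protected else "dhcp_isolate", rec.victim_ip))
        return actions

def make_responder(nets, protected=()):
    return Responder([ipaddress.ip_network(n) for n in nets], set(protected))

def serve(bind_addr, port, responder, trusted_sensors, on_actions):
    """S1 receiver; reads only from configured sensor addresses (plain TCP has no sender auth)."""
    with socket.create_server((bind_addr, port)) as srv:
        while True:
            conn, peer = srv.accept()
            with conn:
                if peer[0] not in trusted_sensors:
                    continue  # otherwise anyone reaching this port could forge records
                for line in split_records(iter(lambda: conn.recv(4096), b"")):
                    rec = parse_record(line)
                    if rec:
                        on_actions(rec, responder.decide(rec))

# Constructed sample traffic, deliberately split mid-record across two TCP segments.
SAMPLE_CHUNKS = [
    b"type=web|src=10.10.5.7|victim=10.10.1.20|time=2022-06-09T10:00:00\ntype=weak_pass",
    b"word|src=203.0.113.9|victim=10.10.1.20|time=2022-06-09T10:01:00\n"
    b"type=malicious_domain|src=198.51.100.7|victim=10.10.1.21|domain=C2.bad.example|time=2022-06-09T10:02:00\n"
    b"type=dos|src=10.10.0.1|victim=10.10.1.20|time=2022-06-09T10:03:00\n"
    b"garbage line\n",
]

def run_sample():
    """Feed the sample through S1 parsing and S2 classification; returns (line, actions) pairs."""
    r = make_responder(["10.10.0.0/16"], protected={"10.10.0.1"})
    recs = [(line, parse_record(line)) for line in split_records(SAMPLE_CHUNKS)]
    return [(line, None if rec is None else r.decide(rec)) for line, rec in recs]
```

run_sample() exercises the four outcomes the decision tree produces: an in-range web attack is blocked at the firewall, an attack from an out-of-range source is left alone as the page specifies, a passive attack yields a sinkhole entry plus isolation of the victim, a protected host is reported but not blocked, and a malformed line is dropped without stopping the receiver. The same Responder instance is meant to live for the lifetime of the process so that repeated alerts for one source or one domain do not issue duplicate blocking commands.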
Drawings
FIG. 1 is a schematic flow chart of the method of the present invention.
Description of the embodiments
FIG. 1 shows the process flow of the method of the present invention. The intelligent network attack handling method for a power grid system provided by the invention comprises the following steps:
S1, when a traffic sensor detects attack behaviour, receive the attack log from the traffic sensor; this specifically comprises the following steps:
on the traffic sensor, setting the log transmission address to the deployment address of the handling system, with TCP as the transport protocol;
receiving the TCP transmission with a Python program;
splitting the received attack log into individual records;
S2, identify the attack type from the attack log obtained in step S1; this specifically comprises the following steps:
identifying the type of each attack behaviour one by one;
the identified attack type is either an active attack or a passive attack: an active attack is one in which the attacker actively accesses the attacked target, and includes web attacks, weak-password attacks and denial-of-service attacks; a passive attack is one in which a malicious domain name controlled by the attacker causes the attacked target to connect to the attacker;
if the attack type is active, checking whether both the attack source IP and the attacked IP are within the monitoring range: if so, calling the firewall access function and adding the attack source IP to the blocking range; if not, taking no action;
if the attack type is passive, first calling the DNS access function and checking whether the malicious domain name of the attack is already in the malicious domain name list: if so, calling the DHCP access function to isolate the attacked IP; if not, adding the malicious domain name to the malicious domain name list and then calling the DHCP access function to isolate the attacked IP;
S3, according to the identification result of step S2, perform firewall access blocking, DHCP access blocking and DNS access blocking;
the firewall access blocking is used to block the attack source IP and specifically comprises the following steps:
enabling the SSH service on the firewall and changing the SSH port;
accessing the firewall from a Python program and adding the attack source IP to the firewall's blocking list;
the DHCP access blocking is used to isolate the attacked IP and specifically comprises the following steps:
accessing the DHCP server with the netsh command and querying whether the attacked IP exists in DHCP: if not, ending processing directly; if so, querying the scope (IP range) in which the attacked IP is located;
entering the scope of the attacked IP and deleting the address allocated to it, so that the terminal is isolated;
the DNS access blocking is used to block the malicious domain name and specifically comprises the following steps:
accessing the DNS server with the dnscmd command and querying whether the malicious domain name already exists in the malicious domain name list: if so, ending processing; if not, adding the malicious domain name to the DNS system and pointing it to 127.0.0.2 so that users cannot reach it;
S4, issue a remote early warning by sending e-mail; this specifically comprises the following steps:
accessing the mail server from a Python program;
sending the handling information to an administrator by e-mail to complete the remote early warning; the handling information comprises the attack type, the attack source IP, the attacked IP, the attack time and the disposal result.
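The S3 DNS and DHCP steps and the S4 mail step of the embodiment, as an added example (Python 3, standard library only) that is not the patent's code. Commands are built as argv lists and handed to a runner callable, so the chain can be dry-run and tested away from a Windows server; in production the runner is the subprocess-based one. The dnscmd verbs (/EnumZones, /ZoneAdd, /RecordAdd) and the netsh dhcp "show clients" and "add excluderange" commands are standard Windows syntax; the page does not name the netsh verb it uses to delete the allocated address, so an exclusion range is substituted here and labelled as such in the code. The server names DNS1 and DHCP1, the scope 10.10.1.0, the mail addresses and the abbreviated "show clients" output are placeholders; the sample output is constructed rather than captured. Two caveats a practitioner would add to the page: a sinkhole at 127.0.0.2 hides which hosts tried to reach the name, whereas a dedicated sinkhole host that logs connections turns the block into a detection; and neither DNS nor DHCP blocking reaches a host that uses DNS over HTTPS, an external resolver or a static address.

```python
import re
import smtplib
import subprocess
from email.message import EmailMessage

SINKHOLE_IP = "127.0.0.2"  # the address the page points blocked names to
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)
# One lease line of 'netsh dhcp server scope <scope> show clients 1': IP - mask - MAC - ...
LEASE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+-\s+\S+\s+-\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})",
                      re.I | re.M)

def real_runner(argv):
    """Production runner: argv list, no shell, so record fields cannot inject commands."""
    p = subprocess.run(argv, capture_output=True, text=True, check=False)
    return p.returncode, p.stdout

class DryRunner:
    """Records the commands it is given and answers with canned output keyed by a token
    in argv, so the example runs without a Windows DNS or DHCP server."""
    def __init__(self, canned=None):
        self.calls, self.canned = [], canned or {}

    def __call__(self, argv):
        self.calls.append(argv)
        return 0, next((out for key, out in self.canned.items() if key in argv), "")

def dns_block(domain, runner, server="DNS1"):
    """Sinkhole a malicious name with dnscmd. Only syntactically valid names reach the
    command line; both the apex and a wildcard record are added, because with only '@'
    any label under the domain would still resolve normally through the forwarder."""
    if not DOMAIN_RE.match(domain):
        return "rejected"
    rc, zones = runner(["dnscmd", server, "/EnumZones"])
    if rc == 0 and re.search(r"^\s*" + re.escape(domain) + r"\s", zones, re.I | re.M):
        return "already_blocked"  # page: name already present -> end processing
    for argv in (
        ["dnscmd", server, "/ZoneAdd", domain, "/Primary", "/file", domain + ".dns"],
        ["dnscmd", server, "/RecordAdd", domain, "@", "A", SINKHOLE_IP],
        ["dnscmd", server, "/RecordAdd", domain, "*", "A", SINKHOLE_IP],
    ):
        rc, _ = runner(argv)
        if rc != 0:
            return "failed:" + argv[2]
    return "blocked"

def dhcp_isolate(victim_ip, runner, server="DHCP1", scopes=("10.10.1.0",)):
    """Find the scope holding the victim's lease and exclude that address. The page says
    'delete the allocated address' without naming the netsh verb; an exclusion range is
    used here because netsh dhcp has it. Caveat: the host keeps its address until the
    lease expires (or sets a static one), so this prevents re-lease rather than cutting
    traffic; pair it with a switch-port or firewall ACL action for real quarantine."""
    base = ["netsh", "dhcp", "server", "\\\\" + server, "scope"]
    for scope in scopes:
        rc, out = runner(base + [scope, "show", "clients", "1"])
        if rc != 0:
            continue
        for ip, mac in LEASE_RE.findall(out):
            if ip == victim_ip:
                rc, _ = runner(base + [scope, "add", "excluderange", victim_ip, victim_ip])
                return ("isolated" if rc == 0 else "failed", scope, mac)
    return ("not_in_dhcp", None, None)  # page: not present -> end processing

def build_report(kind, src_ip, victim_ip, attack_time, disposal,
                 sender="ids@grid.example", to="soc@grid.example"):
    """S4: the alert mail carrying the five fields the page lists."""
    msg = EmailMessage()
    msg["Subject"] = f"[attack handled] {kind} {src_ip} -> {victim_ip}"
    msg["From"], msg["To"] = sender, to
    msg.set_content(f"attack type: {kind}\nattack source IP: {src_ip}\nattacked IP: {victim_ip}\n"
                    f"attack time: {attack_time}\ndisposal: {disposal}\n")
    return msg

def send_report(msg, host, port=587, user=None, password=None):
    """Submission over STARTTLS with authentication; the page only says 'access the mail server'."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.starttls()
        if user:
            s.login(user, password)
        s.send_message(msg)

# Constructed, abbreviated 'show clients' output; not captured from a real server.
SAMPLE_CLIENTS = """IP Address      -  Subnet Mask    - Unique ID           - Lease Expires        -Type -Name
10.10.1.20      -  255.255.255.0  - 00-0c-29-ab-cd-ef   -6/10/2022 10:00:00 AM   -D-  ws01
10.10.1.21      -  255.255.255.0  - 00-0c-29-12-34-56   -6/10/2022 10:05:00 AM   -D-  ws02
"""

def demo():
    """Dry-run the passive-attack disposal chain; returns (dns, dhcp, report, commands)."""
    runner = DryRunner({"/EnumZones": " corp.example  Primary  File\n", "clients": SAMPLE_CLIENTS})
    dns = dns_block("c2.bad.example", runner)
    dhcp = dhcp_isolate("10.10.1.20", runner)
    report = build_report("passive", "198.51.100.7", "10.10.1.20", "2022-06-09T10:02:00",
                          f"dns={dns} dhcp={dhcp[0]}")
    return dns, dhcp, report, runner.calls
```

demo() records the exact command sequence the chain would issue for one passive attack: the zone existence check, zone creation, apex and wildcard A records, the lease lookup, and the exclusion. Swapping DryRunner for real_runner on a host that has dnscmd and netsh, and that holds delegated (not domain-admin) rights on the DNS and DHCP servers, is the only change needed to run it for real.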

Claims (2)

1. An intelligent network attack handling method for a power grid system, comprising the following steps:
S1, when a traffic sensor detects attack behaviour, receiving the attack log from the traffic sensor; this specifically comprises the following steps:
on the traffic sensor, setting the log transmission address to the deployment address of the handling system, with TCP as the transport protocol;
receiving the TCP transmission with a Python program;
splitting the received attack log into individual records;
S2, identifying the attack type from the attack log obtained in step S1; this specifically comprises the following steps:
identifying the type of each attack behaviour one by one;
the identified attack type is either an active attack or a passive attack: an active attack is one in which the attacker actively accesses the attacked target, and includes web attacks, weak-password attacks and denial-of-service attacks; a passive attack is one in which a malicious domain name controlled by the attacker causes the attacked target to connect to the attacker;
if the attack type is active, checking whether both the attack source IP and the attacked IP are within the monitoring range: if so, calling the firewall access function and adding the attack source IP to the blocking range; if not, taking no action;
if the attack type is passive, first calling the DNS access function and checking whether the malicious domain name of the attack is already in the malicious domain name list: if so, calling the DHCP access function to isolate the attacked IP; if not, adding the malicious domain name to the malicious domain name list and then calling the DHCP access function to isolate the attacked IP;
S3, according to the identification result of step S2, performing firewall access blocking, DHCP access blocking and DNS access blocking;
the firewall access blocking is used to block the attack source IP and specifically comprises the following steps:
enabling the SSH service on the firewall and changing the SSH port;
accessing the firewall from a Python program and adding the attack source IP to the firewall's blocking list;
the DHCP access blocking is used to isolate the attacked IP and specifically comprises the following steps:
accessing the DHCP server with the netsh command and querying whether the attacked IP exists in DHCP: if not, ending processing directly; if so, querying the scope (IP range) in which the attacked IP is located;
entering the scope of the attacked IP and deleting the address allocated to it, so that the terminal is isolated;
the DNS access blocking is used to block the malicious domain name and specifically comprises the following steps:
accessing the DNS server with the dnscmd command and querying whether the malicious domain name already exists in the malicious domain name list: if so, ending processing; if not, adding the malicious domain name to the DNS system and pointing it to 127.0.0.2 so that users cannot reach it;
S4, issuing a remote early warning by sending e-mail.
2. The intelligent network attack handling method for a power grid system according to claim 1, wherein issuing the remote early warning by sending e-mail in step S4 specifically comprises the following steps:
accessing the mail server from a Python program;
sending the handling information to an administrator by e-mail to complete the remote early warning; the handling information comprises the attack type, the attack source IP, the attacked IP, the attack time and the disposal result.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202210650557.4A (CN115022056B) | 2022-06-09 | 2022-06-09 | Intelligent network attack behavior handling method for power grid system

Publications (2)

Publication Number | Publication Date
CN115022056A | 2022-09-06
CN115022056B | 2023-11-21

Family ID: 83073703
Country status: CN (1), CN115022056B (en), Active

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant