CN115085965B - Power system information network attack risk assessment method, device and equipment - Google Patents


Info

Publication number
CN115085965B
CN115085965B (application CN202210445277.XA)
Authority
CN
China
Prior art keywords
risk
index
parameter
target
value
Prior art date
Legal status: Active
Application number
CN202210445277.XA
Other languages
Chinese (zh)
Other versions
CN115085965A (en)
Inventor
叶婉琦
张佳发
江家伟
王斌
梁段
谢娇
Current Assignee: Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee: Southern Power Grid Digital Grid Research Institute Co Ltd
Events
Application filed by Southern Power Grid Digital Grid Research Institute Co Ltd
Priority to CN202210445277.XA
Publication of CN115085965A
Application granted
Publication of CN115085965B
Legal status: Active

Classifications

    • H04L63/1433 Vulnerability analysis (under H04L63/14, network security for detecting or protecting against malicious traffic; H04L63/00, network architectures or protocols for network security)
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters (under H04L43/00, arrangements for monitoring or testing data switching networks)
    • H04L43/50 Testing arrangements (under H04L43/00)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408)
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security (under Y04S40/00, systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies; section Y04S, smart grids)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a power system information network attack risk assessment method, a device, a computer readable storage medium and a computer program product. The method comprises the following steps: acquiring target security situation data of a target risk point; determining a target security index in the target security situation data, and determining a risk degree parameter of the target security index according to an index change parameter of the target security index; if the risk degree parameter of the target security index meets the parameter quantification condition, calculating the risk quantification parameter of the target security index; and determining an attack risk assessment result of the target risk point based on the risk degree parameter and the risk quantification parameter of the target security index. With the method of the embodiments of the application, the efficiency of evaluating the attack risk suffered by a risk point can be improved.

Description

Power system information network attack risk assessment method, device and equipment
Technical Field
The present application relates to the technical field of power system information networks, and in particular, to a method, an apparatus, a computer device, a computer readable storage medium and a computer program product for evaluating risk of an attack on a power system information network.
Background
At present, the information network of a power system applies modern information technologies such as mobile internet and artificial intelligence together with advanced communication technologies, so that every link of the power system can be interconnected and can interact with people and machines, which generates a large amount of security situation data. In the traditional approach, security situation data of a single dimension are collected from the power system information network and attack risk assessment is carried out on that basis.
However, the various kinds of security situation data are expressed inconsistently and lack uniform constraints and effective, accurate cross-correlation indexes, which hinders deep mining and application of the data. As a result, evaluating the attack risk represented by the security situation data is inefficient, and no assessment support covering the security situation of the entire power system information network can be formed.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a power system information network attack risk assessment method, apparatus, computer device, computer readable storage medium, and computer program product that can improve the assessment efficiency of assessing attack risk suffered by each risk point in a power system information network.
In a first aspect, the application provides an attack risk assessment method for a power system information network. The method comprises the following steps:
acquiring target security situation data of a target risk point;
determining a target security index in the target security situation data, and determining a risk degree parameter of the target security index according to an index change parameter of the target security index;
if the risk degree parameter of the target security index meets the parameter quantification condition, calculating the risk quantification parameter of the target security index;
and determining an attack risk assessment result of the target risk point based on the risk degree parameter and the risk quantification parameter of the target security index.
In one embodiment, determining the target security index in the target security situation data includes:
performing index analysis on the target security situation data to determine each security index it contains and the index attribute information of each security index;
determining an importance parameter for each security index according to its index attribute information;
and selecting the target security index from the security indexes based on the importance parameters.
In one embodiment, determining the risk degree parameter of the target security index according to its index change parameter includes:
determining the value of the target security index before the index change and its value after the index change;
calculating the index quotient, that is, the value before the change divided by the value after the change;
and taking the logarithm of the index quotient and using its opposite number (its negative) as the risk degree parameter of the target security index, so that the risk degree parameter equals -log(value before change / value after change).
In one embodiment, the method further comprises:
determining a preset risk degree parameter (a threshold) matched to the target security index;
if the risk degree parameter of the target security index is greater than the preset risk degree parameter, determining that it meets the parameter quantification condition;
and if the risk degree parameter of the target security index is less than or equal to the preset risk degree parameter, determining that the target risk point is free of attack risk.
In one embodiment, calculating the risk quantification parameter of the target security index includes:
determining the plurality of sub-security indexes contained in the target security index;
for each sub-security index, determining a sub-quantification parameter from the sub-index's value before the change and its value after the change;
determining the index weight matched to each sub-security index;
and computing, over all sub-security indexes, the weighted sum of sub-quantification parameter times index weight, which gives the risk quantification parameter of the target security index.
In one embodiment, determining the attack risk assessment result of the target risk point based on the risk degree parameter and the risk quantification parameter of the target security index distinguishes six cases. The first to fifth quantification values (Q1 to Q5) and the first to fifth degree values (D1 to D5) are preset thresholds with Q1 < Q2 < Q3 < Q4 < Q5 and D1 < D2 < D3 < D4 < D5:
if the risk quantification parameter is less than Q1 and the risk degree parameter is less than D1, the attack risk of the target risk point is a negligible attack;
if the risk quantification parameter is greater than Q1 and less than Q2, and the risk degree parameter is greater than D1 and less than D2, it is a slight attack;
if the risk quantification parameter is greater than Q2 and less than Q3, and the risk degree parameter is greater than D2 and less than D3, it is a moderate attack;
if the risk quantification parameter is greater than Q3 and less than Q4, and the risk degree parameter is greater than D3 and less than D4, it is a slightly serious attack;
if the risk quantification parameter is greater than Q4 and less than Q5, and the risk degree parameter is greater than D4 and less than D5, it is a moderately serious attack;
and if the risk quantification parameter is greater than Q5 and the risk degree parameter is greater than D5, it is a serious attack.
All comparisons in these cases are strict, so the claims do not specify the result when a parameter is exactly equal to a threshold, nor when the two parameters fall into different bands; an implementation has to fix both.
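The claimed steps above, carried through as one runnable pipeline (risk degree, threshold check, weighted quantification, six-level classification); the same code also illustrates the network-entropy form of the risk degree parameter that the Detailed Description refers to under step S204. This is an added example, not code from the patent or its assignee. Everything the claims leave open is marked as an assumption in the comments: the logarithm base, the per-sub-index quantification formula, how a value exactly equal to a threshold is banded, how disagreeing bands are combined, and an orientation flag for indexes that degrade by falling (the claims' quotient, taken literally, gives a throughput drop a negative risk degree that can never exceed the preset threshold). The index values, weights and thresholds are constructed sample data.

```python
import math
from dataclasses import dataclass
from typing import Dict, Sequence

# Six outcome levels in the order the claims list them.
LEVELS = ("negligible", "slight", "moderate", "slightly serious",
          "moderately serious", "serious")


def risk_degree(before: float, after: float, base: float = 2.0) -> float:
    """Risk degree parameter exactly as the claims state it: the opposite
    number of log(value before change / value after change).  This is the
    network-entropy difference: positive when the index rises under attack
    (e.g. delay), negative when it falls (e.g. throughput).  Base 2 is an
    assumption; the claims do not fix it."""
    if before <= 0 or after <= 0:
        raise ValueError("index values must be positive to take the logarithm")
    return -math.log(before / after, base)


def oriented_degree(before: float, after: float, rises_under_attack: bool,
                    base: float = 2.0) -> float:
    """Assumption (not in the patent): for an index that degrades by falling,
    swap the quotient so that degradation always maps to a positive value."""
    if rises_under_attack:
        return risk_degree(before, after, base)
    return risk_degree(after, before, base)


@dataclass(frozen=True)
class SubIndex:
    """A second-level index under the target index, with its weight."""
    name: str
    before: float
    after: float
    weight: float
    rises_under_attack: bool = True  # assumption: orientation flag not in the patent


def risk_quantification(subs: Sequence[SubIndex]) -> float:
    """Weighted sum of sub-index quantification parameters (claimed).  The
    per-sub-index formula is not claimed; assumption: reuse the oriented
    log-quotient so every term is on the same scale."""
    if not math.isclose(sum(s.weight for s in subs), 1.0):
        raise ValueError("sub-index weights must sum to 1")
    return sum(s.weight * oriented_degree(s.before, s.after, s.rises_under_attack)
               for s in subs)


def band(x: float, thresholds: Sequence[float]) -> int:
    """Band index of x: the count of ascending thresholds x strictly exceeds
    (0 = below the first, len = above the last).  The claims use strict
    inequalities and leave equality undefined; assumption: equality falls
    into the lower band."""
    if list(thresholds) != sorted(thresholds):
        raise ValueError("thresholds must be ascending")
    return sum(1 for t in thresholds if x > t)


def assess(target_before: float, target_after: float, target_rises: bool,
           subs: Sequence[SubIndex], preset_degree: float,
           degree_thresholds: Sequence[float],
           quant_thresholds: Sequence[float]) -> Dict[str, object]:
    """The claimed steps in order: risk degree -> parameter quantification
    condition -> risk quantification -> six-level classification."""
    d = oriented_degree(target_before, target_after, target_rises)
    if d <= preset_degree:  # quantification condition not met: no attack risk
        return {"risk_degree": d, "risk_quantification": None,
                "level": "no attack risk", "bands_agree": True}
    q = risk_quantification(subs)
    bd, bq = band(d, degree_thresholds), band(q, quant_thresholds)
    # The claims only define outcomes where both parameters share a band.
    # Assumption: on disagreement report the higher band (conservative) and flag it.
    return {"risk_degree": d, "risk_quantification": q,
            "level": LEVELS[max(bd, bq)], "bands_agree": bd == bq}


# Constructed sample data (not measurements).  Five ascending thresholds each,
# matching the five quantification values and five degree values of the claims.
PRESET_DEGREE = 0.1
DEGREE_THRESHOLDS = (0.25, 0.5, 1.0, 1.5, 2.0)
QUANT_THRESHOLDS = (0.25, 0.5, 1.0, 1.5, 2.0)

# First-level index: network throughput, 100 -> 40 Mbit/s, which falls under attack.
# Second-level indexes named in the description: channel utilization, network delay.
SAMPLE_SUBS = (
    SubIndex("channel utilization", before=0.60, after=0.96, weight=0.4),
    SubIndex("network delay (ms)", before=20.0, after=80.0, weight=0.6),
)


def assess_sample() -> Dict[str, object]:
    """Degree = -log2(40/100) = 1.32; quantification = 0.4*0.68 + 0.6*2.0 = 1.47;
    both land in band 3, so the result is a slightly serious attack."""
    return assess(100.0, 40.0, False, SAMPLE_SUBS,
                  PRESET_DEGREE, DEGREE_THRESHOLDS, QUANT_THRESHOLDS)


if __name__ == "__main__":
    print(assess_sample())
    # A 2 % throughput drop stays below the preset degree: no attack risk.
    print(assess(100.0, 98.0, False, SAMPLE_SUBS,
                 PRESET_DEGREE, DEGREE_THRESHOLDS, QUANT_THRESHOLDS)["level"])
```

Run the module directly to see the classified sample and the below-threshold case. In a real deployment the thresholds would be tuned per index from baseline traffic, and the bands_agree flag is worth surfacing to an analyst, since a disagreement between the two parameters is exactly the case the claims do not decide.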
In a second aspect, the application further provides an attack risk assessment device for a power system information network. The device comprises:
an acquisition module for acquiring target security situation data of a target risk point;
a calculation module for determining a target security index in the target security situation data and determining a risk degree parameter of the target security index according to an index change parameter of the target security index;
a quantification module for calculating the risk quantification parameter of the target security index if the risk degree parameter of the target security index meets the parameter quantification condition;
and an evaluation module for determining an attack risk assessment result of the target risk point based on the risk degree parameter and the risk quantification parameter of the target security index.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the steps of the method described above when the processor executes the computer program.
In a fourth aspect, the present application also provides a computer-readable storage medium. The computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the method described above.
In a fifth aspect, the present application also provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the steps of the method described above.
The above method, device, computer equipment, computer readable storage medium and computer program product acquire target security situation data of a target risk point, determine a target security index in that data and derive its risk degree parameter from the index change parameter, calculate a risk quantification parameter of the target security index when the risk degree parameter meets the parameter quantification condition, and finally determine the attack risk assessment result of the target risk point from the risk degree parameter and the risk quantification parameter together. In this way the attack risk is characterised by the risk degree parameter and quantified by the risk quantification parameter, and the efficiency of evaluating the attack risk suffered by the target risk point is improved.
Drawings
FIG. 1 is an application environment diagram of a power system information network attack risk assessment method in one embodiment;
FIG. 2 is a flow chart of a power system information network attack risk assessment method in one embodiment;
FIG. 3 is a schematic diagram of monitoring security situation data in one embodiment;
FIG. 4 is a schematic diagram of monitoring security situation data in another embodiment;
FIG. 5 is a diagram illustrating the linkage relationships among the various types of security situation data in one embodiment;
FIG. 6 is a schematic diagram of the system architecture of a power system information network in one embodiment;
FIG. 7 is a block diagram of a power system information network attack risk assessment device in one embodiment;
FIG. 8 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
It should be noted that, all kinds of security situation data related to the present application are information and data fully authorized by each party. In one embodiment, the power system information network attack risk assessment method provided by the application can be applied to an application environment as shown in fig. 1. Wherein the terminals 102, 106 communicate with the server 104 via a network. The data storage system may store data that the server 104 needs to process. The data storage system may be integrated on the server 104 or may be located on a cloud or other network server.
Specifically, data transmission is performed between the terminals 102 and 106, between the terminals 102 and the server 104, and between the terminals 106 and the server 104 via data transmission paths, and risk points are provided on a plurality of data transmission paths. The server 104 determines a target risk point from a plurality of risk points of the power system information network, acquires target security situation data of the target risk point, determines a target security index in the target security situation data, and determines a risk degree parameter of the target security index according to an index change parameter of the target security index; if the risk degree parameter of the target safety index meets the parameter quantification condition, calculating the risk quantification parameter of the target safety index; and determining an attack risk assessment result of the target risk point based on the risk degree parameter and the risk quantification parameter of the target security index. Therefore, the server 104 can comprehensively analyze and monitor the security of the data transmission according to the attack risk assessment result.
The terminals 102 and 106 may be terminals disposed in a power system information network, and may be, but not limited to, various desktop computers, notebook computers, smart phones, tablet computers, and portable wearable devices, which may be smart watches, smart bracelets, and the like. The server 104 may be implemented as a stand-alone server or as a server cluster of multiple servers.
In one embodiment, as shown in fig. 2, a method for evaluating risk of an attack on an information network of a power system is provided, and the method is applied to the server 104 in fig. 1 for illustration, and includes the following steps:
step S202, acquiring target security situation data of target risk points.
Devices of the power system information network exchange data over data transmission channels, and during transmission the key points of those channels may be exposed to attack. Comprehensively monitoring and analysing the data at these key points makes it possible to judge, and give early warning of, threats that exist now or may appear in the future, forming assessment support for the security situation of the power system information network as a whole.
The data transmission key points in the power system information network are called risk points, and transmission data of the risk points are called security situation data. The risk points needing attack risk assessment are called target risk points, and transmission data of the target risk points are called target security situation data.
In one embodiment, in order to form an evaluation support for covering the security situation of the comprehensive power system information network, a plurality of data monitoring points can be set in the power system information network according to actual technical requirements, and each data monitoring point can monitor and obtain corresponding security situation data. And comprehensively monitoring security situation data of various monitoring elements of the plurality of data monitoring points. The monitoring elements comprise terminal security situation monitoring, data security situation monitoring, attack security situation monitoring, file security situation monitoring, flow security situation monitoring, application security situation monitoring and the like. The following table shows the respective monitoring elements and the corresponding acquisition modes:
No.  Monitoring element                               Element collection method
1    Terminal security situation monitoring           Terminal Agent
2    Data security situation monitoring               Terminal Agent and DPI
3    Attack security situation monitoring             DPI, log parsing
4    File security situation monitoring               DPI and sandbox
5    Flow (traffic) security situation monitoring     DPI, DFI
6    Application security situation monitoring        Scanning
The terminal Agent is a software or hardware entity deployed on the terminal. DPI (Deep Packet Inspection) inspects the application-layer payload of packets belonging to different network applications and judges the legitimacy of a message from its payload. In data security situation monitoring, the Agent collection mode is used for terminal data leakage and the DPI mode for network data leakage. Log parsing converts unstructured logs into structured logs for subsequent log mining. A sandbox is a virtual system program that monitors program behaviour, typically by intercepting system calls, and controls and limits the program's use of computer resources (writing to the registry, reading from and writing to disk, and so on) according to user-defined policies; Sandboxie is one example of such a program. DFI (Deep Flow Inspection) is an application identification technology based on traffic behaviour: it takes the flow as the basic object of study and extracts flow characteristics such as flow size and flow rate from large volumes of network flow data. Scanning means assessing system risk, manually or with specific automated software tools, to find security vulnerabilities that could cause damage to the system.
In one embodiment, referring to fig. 3, multiple types of security posture data may be collected and monitored by multiple security data sources. The security data source comprises host equipment, network equipment, security equipment, cloud platform and mobile application, and terminal security situation monitoring, data security situation monitoring, attack security situation monitoring, file security situation monitoring, flow security situation monitoring and application security situation monitoring are realized by adopting terminal Agent, DPI and log analysis and scanning modes, so that monitored data can be distributed to corresponding platforms for data processing through message queues, and in a specific example, the data can be sent to security supervision, automatic operation and maintenance, flow platform, IT monitoring, intelligent calling, service operation monitoring platform, resource panoramic monitoring, on-line security, IT resource management and other platforms.
According to the various monitoring elements described above, the security posture data available may include the following types: terminal security posture data, data security posture data, attack security posture data, file security posture data, traffic security posture data, application security posture data and the like. The target security posture data is at least one of the above-described types of security posture data.
In one embodiment, the comprehensive security situation data monitoring is performed on different IT assets in the power system information network, and the comprehensive situation awareness monitoring view angle is constructed mainly by covering original logs, flow logs, index data, supporting tool monitoring data, various business fusion data and the like.
Specifically, referring to fig. 4, log, traffic, etc. of the security device and the network device may be monitored, where log monitoring mainly includes: attack information monitoring, alarm information monitoring, log monitoring, VPN monitoring, honeypot monitoring, and IP blocking when attack risk exists. The flow monitoring mainly comprises: traffic monitoring, application monitoring, malicious file monitoring, network data leakage prevention monitoring and the like. Monitoring a host device, mainly comprising: baseline checking, host monitoring, vulnerability patch monitoring and business system monitoring. The monitoring of the terminal equipment mainly comprises the following steps: terminal monitoring and terminal data leakage prevention, wherein the terminal software of the terminal equipment is monitored, and the terminal software mainly comprises software information in a terminal software white list.
In one embodiment, all-round monitoring of the power system information network yields various types of security situation data whose linkage relationships are shown in fig. 5: the data are monitored through the security monitoring platform with the aid of supporting data-monitoring tools, and are managed uniformly through various management platforms.
Specifically, the data monitoring kit mainly comprises: terminal security system, internet security monitoring, malicious file detection equipment, terminal data leakage prevention, a baseline checking system, a flow analysis system, a network security vulnerability library, network data leakage prevention and other tools.
And carrying out corresponding safety monitoring on various data monitoring indexes by the matched tool for data monitoring to obtain various safety situation data. The data monitoring index mainly comprises: the system comprises a supporting system application log, a terminal security index, a malicious file detection index, a terminal data leakage prevention index, a baseline checking system index, a flow analysis system index, a network security vulnerability library index, a network data leakage prevention index and the like. The safety monitoring of the safety monitoring platform to the data mainly comprises the following aspects: terminal security detection early warning, security alarm, internet application security early warning, flow monitoring early warning, network security monitoring early warning, data monitoring early warning, user information, organization structure, user login, CMDB configuration information, authority management, security data and the like. The CMDB (Configuration Management Database) refers to a configuration management database, which contains the information of the full life cycle of the configuration items and the relationship among the configuration items, including physical relationship, real-time communication relationship, non-real-time communication relationship and dependency relationship.
After the various security situation data are obtained, they are managed uniformly through several platforms, mainly a basic platform, operation and maintenance flow management, IT monitoring, visualization and a unified portal. The basic platform provides functions such as user login, user information, organization information, CMDB, authority management and short message notification; security situation data monitored by the security monitoring platform are written back to the basic platform for storage (mainly login check data, notification sending data and asset security configuration attributes), and data in the basic platform are synchronized with the security situation data monitored by the security monitoring platform, mainly user information, organization structure, CMDB information and rights information. Operation and maintenance flow management handles the work orders raised from security alarms, processing each work order and synchronizing its result with the security situation data monitored by the security monitoring platform. IT monitoring monitors the desktop and anti-virus index data pushed by the security monitoring platform. Visualization provides visual management of all security monitoring indexes pushed by the security monitoring platform. The unified portal provides unified management of the security bulletin messages, attack counts, security alarms and backlog pushed by the security monitoring platform.
Specifically, according to attribute information of each data monitoring point, the attribute information includes, but is not limited to, information such as a position where the data monitoring point is located, a data type of monitored security situation data, and the like, a data transmission key point is determined from a plurality of data monitoring points, and is used as a target risk point. Thus, the target security situation data of the target risk point is obtained.
Step S204, determining a target security index in the target security situation data, and determining a risk degree parameter of the target security index according to an index change parameter of the target security index.
The security situation data comprises a plurality of security indexes. The target security index is a security index representing the change condition of the target security situation data. The index change parameter of the target security index refers to index data of the target security index before being attacked or suspected to be attacked and index data of the target security index after being attacked or suspected to be attacked. The risk degree parameter is used for representing the attacked risk degree of the target risk point corresponding to the target security situation data.
Security indexes can have several dimensions or levels according to the granularity of the data they represent, which can be set according to actual technical requirements. In a specific example, the target security situation data may be attack security situation data, the target security index of the attack security situation data may be a network throughput index, and the network throughput index may be further represented by a channel utilization index and a network delay index; the network throughput index may therefore be called a first-level index of the attack security situation data, and the channel utilization index and the network delay index may be called second-level indexes of the attack security situation data. It is understood that the target security index may also be referred to as a primary index of the target security situation data.
Specifically, after determining the target security index in the target security situation data, the risk degree parameter of the target security index may be calculated and determined according to the index data of the target security index before being attacked or suspected to be attacked and the index data after being attacked or suspected to be attacked.
In one embodiment, a network entropy corresponding to the target security index may be calculated, and the risk degree parameter of the target security index is represented by adopting the network entropy. The network entropy can describe the security of the network, and the smaller the value of the network entropy is, the safer the network is.
Step S206, if the risk degree parameter of the target safety index meets the parameter quantization condition, calculating the risk quantization parameter of the target safety index.
In one embodiment, after the risk degree parameter of the target safety index is calculated, it is further determined from that parameter whether the parameter quantization condition is satisfied, that is, whether the next calculation step is required. The parameter quantization condition is the condition that the risk degree parameter of the target security index must meet for the next processing to be performed, and may be set according to actual technical needs.
Specifically, the predetermined risk degree parameter matched with the target safety index may be determined, and if the risk degree parameter of the target safety index is greater than the predetermined risk degree parameter, it is determined that the risk degree parameter of the target safety index meets the parameter quantization condition. At this time, further quantization processing is required to determine the risk degree represented by the target safety index. If the risk degree parameter of the target safety index is smaller than or equal to the preset risk degree parameter, determining that the target risk point is free of attack risk, and no subsequent processing is needed. The predetermined risk degree parameter may also be set according to actual technical requirements, and in a specific example, may be set to 0.
In one embodiment, the quantization processing manner may be determined according to actual technical needs, in this embodiment, a sub-security index of the target security index may be determined, and risk quantization is performed on the target security index by calculating a network entropy corresponding to the sub-security index. The sub-safety indexes of the target safety indexes are secondary indexes matched with the target safety situation data. In one specific example, the sub-security indicators of the network throughput indicator are a channel utilization indicator and a network delay indicator.
Step S208, determining an attack risk assessment result of the target risk point based on the risk degree parameter and the risk quantification parameter of the target security index.
Specifically, after the risk degree parameter and the risk quantization parameter of the target security index are calculated and determined, the attack risk assessment result of the target risk point can be determined, so that corresponding risk countermeasures or precautionary measures can be adopted subsequently according to the attack risk assessment result of the target risk point.
In the power system information network attack risk assessment method, target security situation data of target risk points are obtained; determining a target security index in the target security situation data, and determining a risk degree parameter of the target security index according to an index change parameter of the target security index, thereby calculating a risk quantization parameter of the target security index if the risk degree parameter of the target security index meets a parameter quantization condition, and further determining an attack risk assessment result of the target risk point based on the risk degree parameter of the target security index and the risk quantization parameter. By adopting the method of the embodiment, the attack risk can be described through the risk degree parameter, the attack risk can be quantitatively described through the risk quantification parameter, and the evaluation efficiency of evaluating the attack risk suffered by the target risk point is improved.
In one embodiment, determining the target security index in the target security posture data to deep mine and apply the target security posture data, where determining the target security index in the target security posture data in step S204 may specifically include:
step S302, index analysis is carried out on the target security situation data, and each security index contained in the target security situation data and index attribute information of each security index are determined.
In one embodiment, security indexes contained in security situation data of different types may be preset, and association relations between the security situation data and the security indexes may be stored correspondingly. Therefore, according to the association relation between the security situation data and the security indexes, index analysis can be carried out on the target security situation data, each security index contained in the target security situation data is determined, and index attribute information of each security index is determined. The index attribute information includes, but is not limited to, information such as an index data change range, an index data change speed, a hazard level and the like of the safety index.
In one embodiment, the operation of configuring the security indicators for the target security posture data may be further performed, so as to determine each security indicator included in the target security posture data, and determine index attribute information of each security indicator. Specifically, the security index configuration operation may be a configuration operation performed after the user performs index analysis on the target security posture data. Thus, determination of the security index can be made based on the security index configuration operation.
Step S304, determining importance parameters corresponding to the safety indexes according to the index attribute information.
In one embodiment, the importance parameter is used to characterize the importance level of the security indicator, and may be represented by a specific numerical value, where the higher the importance level of the security indicator, the greater the numerical value of the importance parameter. The importance parameters corresponding to the safety indexes can be determined according to the index attribute information. Specifically, the larger the index data change amplitude, the faster the index data change speed, and the higher the hazard level, the more important the safety index, and the larger the corresponding importance parameter value.
Step S306, determining a target safety index from the safety indexes based on the importance parameters.
In one embodiment, the safety indexes may be sorted in descending order of their importance parameters, and a predetermined number of the highest-ranked safety indexes are selected as the target safety indexes. The predetermined number may be set according to actual technical needs; for example, one or several safety indexes may be selected.
If there are multiple target security indexes, the method according to the embodiment of the present application is performed sequentially for each target security index, and attack risk assessment is performed by integrating risk degree parameters and risk quantization parameters corresponding to the multiple target security indexes.
In this embodiment, by extracting and determining each security index of the target security situation data, and determining the target security index after sorting the importance of the security indexes, unimportant security indexes can be removed, and security indexes with representativeness and higher importance degree are selected for calculation processing, so that the data processing efficiency can be effectively improved, and the accuracy of attack risk assessment can be improved.
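The ranking of steps S302 to S306, as an added example that is not part of the patent text. The page only states that a larger index data change amplitude, a faster change speed and a higher hazard level give a larger importance parameter; the concrete scoring used here (min-max normalization of each attribute across the set, then the mean of the three) and the sample attribute values are assumptions.

```python
# Added example (not from the patent text): ranking security indexes by an
# importance parameter derived from their index attribute information
# (steps S302-S306) and selecting the top-N as target security indexes.
# The scoring rule (min-max normalization, then the mean) is an assumption;
# the page leaves the exact rule to "actual technical needs".
from dataclasses import dataclass
from typing import List


@dataclass
class SecurityIndex:
    """One security index with its index attribute information."""
    name: str
    change_amplitude: float   # relative change of the index data, 0..1
    change_speed: float       # how fast the index data changed, 0..1
    hazard_level: int         # preset hazard level of the index (1 = lowest)


def _min_max(values: List[float]) -> List[float]:
    """Scale attribute values onto [0, 1]; an all-equal column maps to 0."""
    lo, hi = min(values), max(values)
    span = hi - lo
    if span == 0:
        return [0.0 for _ in values]
    return [(v - lo) / span for v in values]


def importance_parameters(indexes: List[SecurityIndex]) -> List[float]:
    """Importance parameter per index: mean of the three normalized attributes.

    Each attribute is normalized across the whole set so that a hazard level
    on an integer scale does not swamp an amplitude on a 0..1 scale.
    """
    amp = _min_max([i.change_amplitude for i in indexes])
    spd = _min_max([i.change_speed for i in indexes])
    haz = _min_max([float(i.hazard_level) for i in indexes])
    return [(a + s + h) / 3.0 for a, s, h in zip(amp, spd, haz)]


def select_target_indexes(indexes: List[SecurityIndex], count: int) -> List[str]:
    """Step S306: sort by importance parameter (descending) and keep the first
    `count` names. sorted() is stable, so ties keep their original order."""
    scores = importance_parameters(indexes)
    ranked = sorted(zip(indexes, scores), key=lambda pair: pair[1], reverse=True)
    return [idx.name for idx, _ in ranked[:count]]


# Constructed sample attribute values for attack security situation data.
SAMPLE_INDEXES = [
    SecurityIndex("network throughput", 0.6, 0.8, 3),
    SecurityIndex("login failures", 0.9, 0.5, 2),
    SecurityIndex("cpu load", 0.1, 0.2, 1),
    SecurityIndex("packet loss", 0.4, 0.9, 3),
]

if __name__ == "__main__":
    for idx, score in zip(SAMPLE_INDEXES, importance_parameters(SAMPLE_INDEXES)):
        print(f"{idx.name:20s} importance={score:.3f}")
    print("target indexes:", select_target_indexes(SAMPLE_INDEXES, 2))
```

With the sample values the network throughput index ranks first and packet loss second, so a predetermined number of 2 yields those two as target security indexes; the cpu load index, lowest on every attribute, scores 0 and is dropped, which is the pruning of unimportant indexes the paragraph above describes.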
In one embodiment, determining the risk level parameter of the target safety index according to the index change parameter of the target safety index in step S204 includes:
Step S402, determining the parameter before the index change and the parameter after the index change of the target safety index.
In step S404, an index quotient of the parameter before the index change and the parameter after the index change is calculated.
In step S406, the logarithm of the index quotient is determined, and the negative of the logarithm is taken as the risk degree parameter of the target safety index.
Specifically, the parameter of the target safety index before the index change may be denoted as $\lambda_1$, and the parameter after the index change as $\lambda_2$. The index quotient of the two is denoted as $\lambda_2/\lambda_1$. The risk degree parameter of the target safety index, namely its network entropy, is denoted as $\Delta Y$ and is calculated as:
$\Delta Y = -\log_2(\lambda_2 / \lambda_1)$
In a specific example, the target security index is a network throughput index, the risk degree parameter of the target security index is denoted as $\Delta Y_s$, and the risk degree parameter is given by:
$\Delta Y_s = -\log_2(Q_2/Q_g) - (-\log_2(Q_1/Q_g)) = -\log_2(Q_2/Q_1)$
Where $Q_g$ represents the maximum throughput of the network, and $Q_1$ and $Q_2$ represent the throughput before and after the index change, that is, before and after the attack, respectively. The preset risk degree parameter matched with the target security index is determined to be 0: if the calculated $\Delta Y_s$ is 0, the network attack has not caused any threat and no further calculation is needed; if $\Delta Y_s$ is greater than 0, the parameter quantization condition is determined to be satisfied.
In one embodiment, if the risk level parameter of the target safety index meets the parameter quantization condition, the risk quantization parameter of the target safety index needs to be calculated, which specifically includes:
in step S502, a plurality of sub-security indexes included in the target security index are determined.
The sub-safety indexes of the target safety indexes are secondary indexes matched with the target safety situation data. Specifically, a plurality of sub-security indicators included in the target security indicator are determined.
Step S504, for each sub-safety index, determining the sub-quantization parameters corresponding to the sub-safety indexes according to the pre-sub-index parameter and the post-sub-index parameter of the sub-safety index.
The network entropy corresponding to each sub-security index is called the sub-quantization parameter of that sub-security index, and it is calculated in the same way as in steps S402 to S406. The sub-quantization parameter may be denoted as $\Delta Y_i'$.
The pre-change parameters and the post-change parameters of the sub-safety indexes need to be determined in combination with the index types of the sub-safety indexes.
In a specific example, when the sub-security index is a channel utilization index, the initial pre-change and post-change parameters of the sub-index are calculated from the total amount of data transmitted in each sampling period, the network bandwidth and the data packet transmission time interval; the initial pre-change and post-change parameters are then normalized to obtain the pre-change and post-change parameters of the sub-index, respectively. Specifically, the initial parameters before and after the sub-index change are calculated as follows:
$P_i = [N_i / T_i] / N$
where $N_i$ represents the total amount of data transmitted in the $i$-th sampling period, $N$ represents the network bandwidth, and $T_i$ represents the data packet transmission time interval.
The channel utilization index before the network attack is denoted as $P_1$ and after the network attack as $P_2$; after the two are normalized, the sub-quantization parameter corresponding to the channel utilization index, denoted as $\Delta Y_u'$, is calculated as:
$\Delta Y_u' = -\log_2 P_2 - (-\log_2 P_1) = -\log_2(P_2 / P_1)$
In a specific example, when the sub-security index is a network delay index, the initial pre-change and post-change parameters of the sub-index are calculated from the data packet transmission time interval; the initial pre-change and post-change parameters are then normalized to obtain the pre-change and post-change parameters of the sub-index, respectively. Specifically, the initial parameters before and after the sub-index change are calculated as follows:
$T_i = T_R(i) - T_T(i)$
Wherein $T_R(i)$ and $T_T(i)$ represent the time stamps of data packet transmission and reception, respectively.
After normalization processing, the parameters before and after the sub-index change are expressed as:
Wherein $T$ represents the actual time delay, $T_0$ represents the initial time delay, and $\delta_0$ represents a preset parameter value.
The network delay index before the network attack is denoted as $\delta_1$ and after the network attack as $\delta_2$; the sub-quantization parameter corresponding to the network delay index, denoted as $\Delta Y_\delta'$, is calculated as:
$\Delta Y_\delta' = -\log_2 \delta_2 - (-\log_2 \delta_1) = -\log_2(\delta_2 / \delta_1)$
Step S506, determining the index weight of each sub-safety index.
Specifically, index weights matched with the different types of sub-safety index are preset according to actual technical needs, so the index weight of each sub-safety index can be looked up from these preset weights. The index weight may be denoted as $w_i$.
Step S508, according to the sub-quantization parameters and the index weights of the sub-safety indexes, the sub-safety indexes are weighted and summed to obtain the risk quantization parameters of the target safety indexes.
Specifically, the sub-quantization parameter of each sub-safety index is multiplied by the index weight matched with that sub-safety index, and the products of all sub-safety indexes are summed to obtain the risk quantization parameter of the target safety index. The risk quantization parameter of the target safety index may be denoted as $\Delta Y_i$, and the calculation formula is expressed as:
In a specific example, the sub-security indexes of the target security index are the channel utilization index and the network delay index, the index weight of the channel utilization index is denoted as $w_u$, the index weight of the network delay index is denoted as $w_\delta$, and the risk quantization parameter of the target security index is:
$\Delta Y_i = w_u \times \Delta Y_u' + w_\delta \times \Delta Y_\delta'$
In this embodiment, by calculating the risk quantization parameter of the target security index, the risk degree corresponding to the target security index is quantitatively described, and the larger the value of the risk quantization parameter is, the larger the security risk of the target point is, which is favorable for improving the efficiency of attack risk assessment on the target risk point.
In one embodiment, the risk of attack may be described hierarchically based on specific values of risk quantification parameters and risk level parameters in order to take countermeasures that match the risk of attack. Specifically, determining an attack risk assessment result of the target risk point based on the risk degree parameter of the target security index and the risk quantification parameter, the hierarchical description of the attack risk may specifically include:
If the risk quantization parameter is smaller than the first quantization value and the risk degree parameter is smaller than the first degree value, determining that the attack risk of the target risk point is negligible attack.
If the risk quantization parameter is greater than the first quantization value and less than the second quantization value, and the risk degree parameter is greater than the first degree value and less than the second degree value, determining that the attack risk of the target risk point is a slight attack. The first quantized value is smaller than the second quantized value, and the first degree value is smaller than the second degree value.
And if the risk quantization parameter is larger than the second quantization value and smaller than the third quantization value, and the risk degree parameter is larger than the second degree value and smaller than the third degree value, determining that the attack risk of the target risk point is a medium attack. The second quantized value is smaller than the third quantized value, and the second degree value is smaller than the third degree value.
If the risk quantization parameter is greater than the third quantization value and less than the fourth quantization value, and the risk degree parameter is greater than the third degree value and less than the fourth degree value, determining that the attack risk of the target risk point is a slight serious attack. The third quantization value is smaller than the fourth quantization value, and the third degree value is smaller than the fourth degree value.
And if the risk quantization parameter is larger than the fourth quantization value and smaller than the fifth quantization value, and the risk degree parameter is larger than the fourth degree value and smaller than the fifth degree value, determining that the attack risk of the target risk point is a moderate serious attack. The fourth quantization value is less than the fifth quantization value, and the fourth degree value is less than the fifth degree value.
If the risk quantization parameter is greater than the fifth quantization value and the risk degree parameter is greater than the fifth degree value, determining that the attack risk of the target risk point is a serious attack.
The first quantized value, the second quantized value, the third quantized value, the fourth quantized value, the fifth quantized value, the first degree value, the second degree value, the third degree value, the fourth degree value and the fifth degree value can be set according to actual technical requirements. In addition, more or fewer levels may be provided according to actual technical needs, and the above-described level setting is merely exemplary as one of the embodiments.
In a specific example, the target security index is a network throughput index, its sub-security indexes are the channel utilization index and the network delay index, the risk degree parameter of the target security index is $\Delta Y_s$, the risk quantization parameter is $\Delta Y_i$, the first quantization value is set to 0.05, the second to 0.25, the third to 1.00, the fourth to 1.75 and the fifth to 3.30, and the first degree value is set to 5%, the second to 20%, the third to 50%, the fourth to 70% and the fifth to 90%. The hierarchical description of the attack risk may specifically include:
When $\Delta Y_i < 0.05$ and $\Delta Y_s < 5\%$, there is almost no attack and the attack risk can be ignored;
When $0.05 < \Delta Y_i < 0.25$ and $5\% < \Delta Y_s < 20\%$, the attack risk is a slight attack;
When $0.25 < \Delta Y_i < 1.00$ and $20\% < \Delta Y_s < 50\%$, the attack risk is a medium attack;
When $1.00 < \Delta Y_i < 1.75$ and $50\% < \Delta Y_s < 70\%$, the attack risk is a slight serious attack;
When $1.75 < \Delta Y_i < 3.30$ and $70\% < \Delta Y_s < 90\%$, the attack risk is a moderate serious attack;
When $\Delta Y_i > 3.30$ and $\Delta Y_s > 90\%$, the attack risk is a serious attack and the network is almost paralyzed.
In this embodiment, by performing hierarchical evaluation on the attack risk, the evaluation efficiency may be improved, and according to the evaluated level, the efficiency of determining the countermeasure may also be improved, thereby improving the security of the entire power system information network.
The application will be described in further detail with reference to the accompanying drawings and a specific embodiment. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
In a specific embodiment, the method for evaluating the risk of the electric power system information network under attack is applied to the electric power system information network, and from the angles of full coverage of all applications and full coverage of all threats, a plurality of data acquisition points of security situation data are determined by network areas and all areas facing network security risk dimensions, so that network security situation full factor perception of the electric power system information network is realized, the acquired security situation data are further processed to evaluate the risk of attack in real time, and accordingly evaluation support for the security situation of the electric power system information network which covers comprehensively is formed later, and the security of the whole electric power system information network is improved.
Referring to fig. 6, the system architecture of the power system information network includes a power monitoring system, an Internet Data Center (IDC), an integrated data network, an internet access area and the internet, and involves an office LAN and an intranet switching platform. The system architecture has 4 main risk points, specifically:
Risk point 1: the internet can attack the company's external applications, steal data, tamper with content and the like; risk point 2: the company's business applications may have latent vulnerabilities, weak passwords, control authority problems and the like that are exploited by internal and external personnel; risk point 3: internal and external personnel maliciously violate, bypass or penetrate the access control defined by the deployed security protection equipment and protection strategies; risk point 4: threats such as illegal access, illegal use of media, compromise and control, and virus spreading among the various terminals in the office local area network.
According to the system architecture, the collection, monitoring and analysis, hazard degree and other information of the security situation data for each type of monitoring scenario under each risk point are predetermined. The collection, monitoring and analysis of security situation data mainly covers 21 sub-class scenarios in 5 major classes: attack intrusion, vulnerability exploitation, access control, botnet/trojan/worm events, and operating system anomalies. The specific table is shown below:
wherein, the larger the corresponding value of the hazard degree is, the higher the hazard degree is. Taking the scenario of attack invasion and Internet attack as an example, determining a target risk point of the power system information network as a risk point 1, wherein the target security situation data is attack security situation data. The power system information network attack risk assessment method aiming at the risk point specifically comprises the following steps:
Acquiring target security situation data of a target risk point; in one embodiment, attack security posture data in risk point 1 is obtained.
Determining a target security index in the target security situation data; in one embodiment, index analysis is performed on the attack security situation data, and each security index contained in it and the index attribute information of each security index are determined; the importance parameter of each security index is determined from its index attribute information; the security indexes are sorted by importance parameter, and the security index of highest importance is taken as the target security index, which here is the network throughput index.
Determining the risk degree parameter of the target safety index according to the index change parameter of the target safety index; in one embodiment, the target security index is the network throughput index, the risk degree parameter of the target security index is denoted as $\Delta Y_s$, and the risk degree parameter is given by:
$\Delta Y_s = -\log_2(Q_2/Q_g) - (-\log_2(Q_1/Q_g)) = -\log_2(Q_2/Q_1)$
Where $Q_g$ represents the maximum throughput of the network, and $Q_1$ and $Q_2$ represent the throughput before and after the index change, that is, before and after the attack, respectively.
The preset risk degree parameter matched with the network throughput index is determined to be 0: if the calculated $\Delta Y_s$ is 0, the network attack has not caused any threat and no further calculation is needed; if $\Delta Y_s$ is greater than 0, the parameter quantization condition is determined to be satisfied and the following steps are carried out.
Calculating risk quantization parameters of the target safety indexes; in one embodiment, the sub-security indicators that determine the network throughput indicator include a channel utilization indicator and a network delay indicator.
For the channel utilization index, the initial pre-change and post-change parameters of the sub-index are calculated from the total amount of data transmitted in each sampling period, the network bandwidth and the data packet transmission time interval; the initial pre-change and post-change parameters are then normalized to obtain the pre-change and post-change parameters of the sub-index, respectively. Specifically, the initial parameters before and after the sub-index change are calculated as follows:
$P_i = [N_i / T_i] / N$
where $N_i$ represents the total amount of data transmitted in the $i$-th sampling period, $N$ represents the network bandwidth, and $T_i$ represents the data packet transmission time interval.
The channel utilization index before the network attack is denoted as $P_1$ and after the network attack as $P_2$; after the two are normalized, the sub-quantization parameter corresponding to the channel utilization index, denoted as $\Delta Y_u'$, is calculated as:
$\Delta Y_u' = -\log_2 P_2 - (-\log_2 P_1) = -\log_2(P_2 / P_1)$
For the network delay index, the initial pre-change and post-change parameters of the sub-index are calculated from the data packet transmission time interval; the initial pre-change and post-change parameters are then normalized to obtain the pre-change and post-change parameters of the sub-index, respectively. Specifically, the initial parameters before and after the sub-index change are calculated as follows:
$T_i = T_R(i) - T_T(i)$
Wherein $T_R(i)$ and $T_T(i)$ represent the time stamps of data packet transmission and reception, respectively.
After normalization processing, the parameters before and after the sub-index change are expressed as:
Wherein $T$ represents the actual time delay, $T_0$ represents the initial time delay, and $\delta_0$ represents a preset parameter value.
The network delay index before the network attack is denoted as $\delta_1$ and after the network attack as $\delta_2$; the sub-quantization parameter corresponding to the network delay index, denoted as $\Delta Y_\delta'$, is calculated as:
$\Delta Y_\delta' = -\log_2 \delta_2 - (-\log_2 \delta_1) = -\log_2(\delta_2 / \delta_1)$
The index weight of the channel utilization index is determined to be $w_u$ and the index weight of the network delay index to be $w_\delta$; the risk quantization parameter of the network throughput index is then expressed as:
$\Delta Y_i = w_u \times \Delta Y_u' + w_\delta \times \Delta Y_\delta'$
Determining the attack risk assessment result of the target risk point based on the risk degree parameter and the risk quantization parameter of the target security index. In one embodiment: when $\Delta Y_i < 0.05$ and $\Delta Y_s < 5\%$, there is almost no attack and the attack risk is negligible; when $0.05 < \Delta Y_i < 0.25$ and $5\% < \Delta Y_s < 20\%$, the attack risk is a slight attack; when $0.25 < \Delta Y_i < 1.00$ and $20\% < \Delta Y_s < 50\%$, the attack risk is a medium attack; when $1.00 < \Delta Y_i < 1.75$ and $50\% < \Delta Y_s < 70\%$, the attack risk is a slight serious attack; when $1.75 < \Delta Y_i < 3.30$ and $70\% < \Delta Y_s < 90\%$, the attack risk is a moderate serious attack; when $\Delta Y_i > 3.30$ and $\Delta Y_s > 90\%$, the attack risk is a serious attack and the network is almost paralyzed. Countermeasures matched with the attack risk can therefore be adopted in time according to the attack risk assessment result of the target risk point, further improving the security of the whole power system information network.
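The complete calculation chain of steps S402 to S406, S502 to S508 and the grading table above, as an added example that is not part of the patent text. It uses the page's example thresholds (the degree values given as percentages are treated as fractions, 5% as 0.05) and constructed measurement inputs. The normalization of the delay index in terms of $T$, $T_0$ and $\delta_0$ is not reproduced on the page, so the normalized delay index values $\delta_1$ and $\delta_2$ are taken as inputs here rather than derived; the equal weights $w_u = w_\delta = 0.5$ and the handling of values exactly on a threshold are assumptions.

```python
# Added example (not from the patent text): risk degree parameter (network
# entropy), sub-quantization parameters, weighted risk quantization parameter
# and the attack risk grading of the specific embodiment. Thresholds are the
# page's example values; every measurement input below is constructed. The
# delay-index normalization formula is absent from the page, so delta_1 and
# delta_2 are passed in as already-normalized values (assumption).
import math
from typing import Dict, List, Optional

# Quantization values for Delta Y_i and degree values for Delta Y_s from the
# page's example; percentages are used as fractions (5% -> 0.05).
QUANT_THRESHOLDS: List[float] = [0.05, 0.25, 1.00, 1.75, 3.30]
DEGREE_THRESHOLDS: List[float] = [0.05, 0.20, 0.50, 0.70, 0.90]
LEVELS = ["negligible", "slight", "medium", "slight serious",
          "moderate serious", "serious"]
PREDETERMINED_RISK_DEGREE = 0.0  # the page's example setting for step S206


def network_entropy(before: float, after: float) -> float:
    """Steps S402-S406: Delta Y = -log2(lambda_2 / lambda_1)."""
    if before <= 0 or after <= 0:
        raise ValueError("index values must be positive for the log ratio")
    return -math.log2(after / before)


def channel_utilization(n_i: float, t_i: float, bandwidth: float) -> float:
    """Initial (un-normalized) channel utilization P_i = [N_i / T_i] / N."""
    return (n_i / t_i) / bandwidth


def packet_delay(t_transmit: float, t_receive: float) -> float:
    """Initial delay T_i = T_R(i) - T_T(i) from the packet time stamps."""
    return t_receive - t_transmit


def risk_quantization(p1: float, p2: float, d1: float, d2: float,
                      w_u: float, w_delta: float) -> float:
    """Steps S504-S508: Delta Y_i = w_u * Delta Y_u' + w_delta * Delta Y_delta'."""
    dy_u = network_entropy(p1, p2)       # channel utilization sub-index
    dy_delta = network_entropy(d1, d2)   # network delay sub-index (normalized)
    return w_u * dy_u + w_delta * dy_delta


def _band(value: float, thresholds: List[float]) -> int:
    """Band index 0..len(thresholds). The page uses strict inequalities and does
    not say where a value exactly on a threshold falls; lower-inclusive bands
    are an assumption made here."""
    for i, limit in enumerate(thresholds):
        if value < limit:
            return i
    return len(thresholds)


def classify(dy_i: float, dy_s: float) -> Optional[str]:
    """Grading of the specific embodiment. Both parameters must fall in the same
    band; the page defines no result otherwise, so None is returned for a
    mismatch instead of silently trusting one of the two parameters."""
    bq, bd = _band(dy_i, QUANT_THRESHOLDS), _band(dy_s, DEGREE_THRESHOLDS)
    return LEVELS[bq] if bq == bd else None


def assess(q1: float, q2: float, p1: float, p2: float, d1: float, d2: float,
           w_u: float = 0.5, w_delta: float = 0.5) -> Dict[str, object]:
    """End-to-end assessment for the network throughput index of risk point 1."""
    dy_s = network_entropy(q1, q2)       # Q_g cancels out of Delta Y_s
    if dy_s <= PREDETERMINED_RISK_DEGREE:
        # Parameter quantization condition of step S206 not met: no attack risk
        return {"risk_degree": dy_s, "risk_quant": None, "level": "no attack risk"}
    dy_i = risk_quantization(p1, p2, d1, d2, w_u, w_delta)
    return {"risk_degree": dy_s, "risk_quant": dy_i,
            "level": classify(dy_i, dy_s) or "unclassified (bands differ)"}


if __name__ == "__main__":
    # Constructed sample: throughput drops from 100 to 75 Mbit/s under attack,
    # 80 and 60 Mbit are carried per 1 s sampling period on a 100 Mbit/s link,
    # and the normalized delay index drops from 1.0 to 0.7.
    p_before = channel_utilization(80.0, 1.0, 100.0)   # 0.8
    p_after = channel_utilization(60.0, 1.0, 100.0)    # 0.6
    print(assess(100.0, 75.0, p_before, p_after, 1.0, 0.7))
```

With the sample values $\Delta Y_s = -\log_2(75/100) \approx 0.415$ and $\Delta Y_i \approx 0.465$, which both fall in the third band, so the result is a medium attack. Two points worth checking when implementing the grading from the page: the page does not say what to report when $\Delta Y_i$ and $\Delta Y_s$ fall into different bands, and it does not say which side of a threshold an exactly equal value belongs to; the example makes both choices explicit rather than leaving them to chance.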
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown in sequence as indicated by the arrows, these steps are not necessarily performed in that order. Unless explicitly stated herein, the order of execution of the steps is not strictly limited and they may be performed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times; nor is the order of these sub-steps or stages necessarily sequential, and they may be performed in turn or alternately with at least some of the sub-steps or stages of other steps.
Based on the same inventive concept, the application also provides a power system information network attack risk assessment device for implementing the power system information network attack risk assessment method. The implementation of the solution provided by the device is similar to that described for the method above, so for the specific limitations of the device embodiments provided below, reference may be made to the limitations of the method described above; they will not be repeated here.
In one embodiment, as shown in fig. 7, there is provided a power system information network attack risk assessment apparatus 700, including: an acquisition module 710, a calculation module 720, a quantization module 730, and an evaluation module 740, wherein:
The acquiring module 710 is configured to acquire target security situation data of the target risk point.
The calculating module 720 is configured to determine a target security index in the target security situation data, and determine a risk degree parameter of the target security index according to an index change parameter of the target security index.
The quantization module 730 is configured to calculate a risk quantization parameter of the target security index if the risk degree parameter of the target security index meets a parameter quantization condition.
The evaluation module 740 is configured to determine an attack risk assessment result of the target risk point based on the risk degree parameter and the risk quantization parameter of the target security index.
In one embodiment, the calculating module 720 is further configured to perform index analysis on the target security situation data and determine each security index contained in it together with the index attribute information of each security index; to determine the importance parameter corresponding to each security index according to its index attribute information; and to determine the target security index from the security indexes based on the importance parameters.
In one embodiment, the calculating module 720 is further configured to determine the parameter before index change and the parameter after index change of the target security index; to calculate the index quotient of the parameter before index change and the parameter after index change; and to determine the logarithmic value of the index quotient and take the opposite number of that logarithmic value as the risk degree parameter of the target security index.
In one embodiment, the quantization module 730 is further configured to determine a preset risk degree parameter matched with the target security index; if the risk degree parameter of the target security index is larger than the preset risk degree parameter, to determine that the risk degree parameter of the target security index meets the parameter quantization condition; and if the risk degree parameter of the target security index is smaller than or equal to the preset risk degree parameter, to determine that the target risk point is free of attack risk.
In one embodiment, the quantization module 730 is further configured to determine a plurality of sub-security indexes contained in the target security index; for each sub-security index, to determine the sub-quantization parameter corresponding to that sub-security index according to its parameter before sub-index change and parameter after sub-index change; to determine the index weight matched with each sub-security index; and to perform a weighted summation over the sub-security indexes according to their sub-quantization parameters and index weights, obtaining the risk quantization parameter of the target security index.
In one embodiment, the evaluation module 740 is configured to determine that the attack risk of the target risk point is a negligible attack if the risk quantization parameter is smaller than a first quantization value and the risk degree parameter is smaller than a first degree value; to determine that the attack risk of the target risk point is a slight attack if the risk quantization parameter is greater than the first quantization value and less than a second quantization value, and the risk degree parameter is greater than the first degree value and less than a second degree value, where the first quantization value is smaller than the second quantization value and the first degree value is smaller than the second degree value; to determine that the attack risk of the target risk point is a moderate attack if the risk quantization parameter is greater than the second quantization value and less than a third quantization value, and the risk degree parameter is greater than the second degree value and less than a third degree value, where the second quantization value is smaller than the third quantization value and the second degree value is smaller than the third degree value; to determine that the attack risk of the target risk point is a slight serious attack if the risk quantization parameter is greater than the third quantization value and less than a fourth quantization value, and the risk degree parameter is greater than the third degree value and less than a fourth degree value, where the third quantization value is smaller than the fourth quantization value and the third degree value is smaller than the fourth degree value; to determine that the attack risk of the target risk point is a moderate serious attack if the risk quantization parameter is greater than the fourth quantization value and less than a fifth quantization value, and the risk degree parameter is greater than the fourth degree value and less than a fifth degree value, where the fourth quantization value is smaller than the fifth quantization value and the fourth degree value is smaller than the fifth degree value; and to determine that the attack risk of the target risk point is a serious attack if the risk quantization parameter is greater than the fifth quantization value and the risk degree parameter is greater than the fifth degree value.
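The following worked example, added here as an illustration and not code from the patent or its applicant, runs the pipeline described in the module embodiments above and in the threshold paragraph following the ΔY_i formula: it selects the target security index by importance, computes the risk degree parameter as the negative logarithm of the before/after quotient, checks the preset-threshold quantification condition, forms ΔY_i as the weighted sum of sub-index values, and maps (ΔY_i, ΔY_S) to one of the six risk levels. Several choices are assumptions of this example rather than statements of the page: ΔY_i is taken to be the risk quantization parameter and ΔY_S the risk degree parameter written as a fraction (5% = 0.05); the logarithm base is 2; each sub-index "network entropy" ΔY′_k is computed with the same log-quotient form; the attribute weights, the preset risk degree value, the sample indices and the rule that the more severe of two differing bands wins are all constructed for the example.

```python
import math
from dataclasses import dataclass, field

# Thresholds quoted in the description for the risk quantification parameter ΔY_i
# and the risk degree parameter ΔY_S (percentages written as fractions).
# Each row: (lower bound of ΔY_i, lower bound of ΔY_S, level label). The page gives
# open intervals; treating the lower bound as inclusive is this example's choice.
RISK_LEVELS = [
    (0.00, 0.00, "negligible attack"),
    (0.05, 0.05, "slight attack"),
    (0.25, 0.20, "moderate attack"),
    (1.00, 0.50, "slight serious attack"),
    (1.75, 0.70, "moderate serious attack"),
    (3.30, 0.90, "serious attack"),
]

# Preset risk degree parameter for the parameter quantification condition
# (constructed value; the page gives none).
PRESET_RISK_DEGREE = 0.10

# Weights over the three index attributes named in claim 1 (change amplitude,
# change speed, hazard degree) used to form the importance parameter; constructed.
ATTRIBUTE_WEIGHTS = (0.4, 0.3, 0.3)


@dataclass
class SecurityIndex:
    """One security index from the target security situation data (constructed)."""
    name: str
    before: float            # parameter before index change
    after: float             # parameter after index change
    change_amplitude: float  # index attribute information, assumed normalised to [0, 1]
    change_speed: float
    hazard_degree: float
    # sub-index name -> (value before, value after, index weight); weights sum to 1
    sub_indices: dict = field(default_factory=dict)


def importance(idx: SecurityIndex) -> float:
    """Importance parameter: weighted sum of the index attribute information (assumed form)."""
    wa, ws, wh = ATTRIBUTE_WEIGHTS
    return wa * idx.change_amplitude + ws * idx.change_speed + wh * idx.hazard_degree


def select_target_index(indices: list) -> SecurityIndex:
    """The target security index is the one with the largest importance parameter."""
    return max(indices, key=importance)


def risk_degree(before: float, after: float) -> float:
    """Risk degree parameter per claim 1: the opposite number of log(before / after).
    The page does not state the log base; base 2 is assumed here."""
    if before <= 0 or after <= 0:
        raise ValueError("index values must be positive to form the log quotient")
    return -math.log2(before / after)


def risk_quantification(idx: SecurityIndex) -> float:
    """ΔY_i = sum over sub-indices k of w_k × ΔY′_k. The page calls ΔY′_k the sub-index's
    network entropy; using the same log-quotient form for it is an assumption."""
    return sum(w * risk_degree(b, a) for (b, a, w) in idx.sub_indices.values())


def _band(value: float, column: int) -> int:
    """Index of the highest RISK_LEVELS row whose lower bound is <= value."""
    band = 0
    for i, row in enumerate(RISK_LEVELS):
        if value >= row[column]:
            band = i
    return band


def classify(dy_i: float, dy_s: float) -> str:
    """Map (ΔY_i, ΔY_S) to a level. When the two parameters fall in different bands the
    page gives no rule; this example conservatively takes the more severe band."""
    return RISK_LEVELS[max(_band(dy_i, 0), _band(dy_s, 1))][2]


def assess(indices: list) -> tuple:
    """Full pipeline for one target risk point: (target index name, assessment result)."""
    target = select_target_index(indices)
    degree = risk_degree(target.before, target.after)
    if degree <= PRESET_RISK_DEGREE:
        return target.name, "no attack risk"  # quantification condition not met
    return target.name, classify(risk_quantification(target), degree)


# Constructed sample: two security indices observed at one risk point.
SAMPLE_INDICES = [
    SecurityIndex("terminal", 100.0, 104.0, 0.3, 0.2, 0.4),
    SecurityIndex("traffic", 100.0, 130.0, 0.9, 0.8, 0.7,
                  sub_indices={"u": (100.0, 130.0, 0.6), "delta": (40.0, 80.0, 0.4)}),
]

if __name__ == "__main__":
    print(assess(SAMPLE_INDICES))  # ('traffic', 'moderate attack')
```

With the sample data the "traffic" index wins on importance, its risk degree parameter is log2(1.3) ≈ 0.379 (above the preset 0.10, so quantification proceeds), and ΔY_i = 0.6 × log2(1.3) + 0.4 × log2(2) ≈ 0.627; both values fall in the third band, giving "moderate attack". The guard in `risk_degree` matters in practice: a zero or negative index value would otherwise raise or produce a meaningless quotient rather than a risk level.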
The modules of the power system information network attack risk assessment device described above may be implemented in whole or in part by software, by hardware, or by a combination of the two. The modules may be embedded in, or independent of, a processor of the computer device in hardware form, or may be stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to each module.
In one embodiment, a computer device is provided, which may be a server, and whose internal structure may be as shown in fig. 8. The computer device includes a processor, a memory, and a network interface connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for running the operating system and the computer programs stored in the non-volatile storage medium. The database of the computer device is used for storing power system information network attack risk assessment data. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, implements the power system information network attack risk assessment method.
It will be appreciated by those skilled in the art that the structure shown in FIG. 8 is merely a block diagram of some of the structures associated with the present inventive arrangements and is not limiting of the computer device to which the present inventive arrangements may be applied, and that a particular computer device may include more or fewer components than shown, or may combine some of the components, or have a different arrangement of components.
In an embodiment a computer device is provided comprising a memory and a processor, the memory having stored therein a computer program, the processor performing the steps of the method described above when the computer program is executed.
In one embodiment, a computer readable storage medium is provided, having stored thereon a computer program which, when executed by a processor, implements the steps of the method described above.
In an embodiment, a computer program product is provided comprising a computer program which, when executed by a processor, implements the steps of the method described above.
Those skilled in the art will appreciate that implementing all or part of the methods described above may be accomplished by a computer program stored on a non-transitory computer readable storage medium which, when executed, may perform the steps of the method embodiments described above. Any reference to memory, a database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, Resistive Random Access Memory (ReRAM), Magnetoresistive Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene memory, and the like. Volatile memory may include Random Access Memory (RAM) or external cache memory, and the like. By way of illustration and not limitation, RAM may take various forms such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM). The databases referred to in the embodiments provided herein may include at least one of a relational database and a non-relational database. A non-relational database may include, but is not limited to, a blockchain-based distributed database and the like. The processor referred to in the embodiments provided in the present application may be a general-purpose processor, a central processing unit, a graphics processor, a digital signal processor, a programmable logic unit, a data processing logic unit based on quantum computing, or the like, but is not limited thereto.
The technical features of the above-described embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above-described embodiments are described; however, as long as there is no contradiction in a combination of these technical features, it should be considered to be within the scope of this description.
The foregoing examples illustrate only a few embodiments of the application and are described in detail herein without thereby limiting the scope of the application. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the application, which are all within the scope of the application. Accordingly, the scope of the application should be assessed as that of the appended claims.

Claims (10)

1. A method for evaluating risk of an attack on an information network of an electric power system, the method comprising:
acquiring target security situation data of a target risk point;
Performing index analysis on the target security situation data, and determining each security index contained in the target security situation data and index attribute information of each security index, wherein the index attribute information comprises index data change amplitude, index data change speed and hazard degree;
determining importance parameters corresponding to the safety indexes according to the index attribute information;
determining a target safety index from the safety indexes based on the importance parameters, and determining parameters before index change and parameters after index change of the target safety index;
calculating an index quotient of the parameter before index change and the parameter after index change;
Determining a logarithmic value of the index quotient, and determining the opposite number of the logarithmic value as a risk degree parameter of the target safety index, wherein the risk degree parameter is used for determining whether risk quantization processing is needed for the target safety index;
If the risk degree parameter of the target safety index meets the parameter quantification condition, determining a plurality of sub-safety indexes contained in the target safety index;
For each sub-security index, determining a sub-quantization parameter corresponding to each sub-security index according to a pre-sub-index change parameter and a post-sub-index change parameter of the sub-security index, wherein the sub-quantization parameter refers to network entropy corresponding to each sub-security index;
Determining the index weight matched with each sub-safety index;
According to the sub-quantization parameters and the index weights of the sub-safety indexes, carrying out weighted summation on each sub-safety index to obtain risk quantization parameters of the target safety index;
and determining an attack risk assessment result of the target risk point based on the risk degree parameter of the target security index and the risk quantification parameter.
2. The method according to claim 1, wherein the method further comprises:
Determining a preset risk degree parameter matched with the target safety index;
if the risk degree parameter of the target safety index is larger than the preset risk degree parameter, determining that the risk degree parameter of the target safety index meets a parameter quantification condition;
and if the risk degree parameter of the target security index is smaller than or equal to the preset risk degree parameter, determining that the target risk point is free of attack risk.
3. The method of claim 1, wherein the determining the attack risk assessment result for the target risk point based on the risk level parameter and the risk quantification parameter of the target security indicator comprises:
if the risk quantization parameter is smaller than a first quantization value and the risk degree parameter is smaller than a first degree value, determining that the attack risk of the target risk point is negligible attack;
If the risk quantization parameter is greater than the first quantization value and less than the second quantization value, and the risk degree parameter is greater than the first degree value and less than the second degree value, determining that the attack risk of the target risk point is a slight attack; the first quantized value is smaller than the second quantized value, and the first degree value is smaller than the second degree value;
if the risk quantization parameter is greater than the second quantization value and less than a third quantization value, and the risk degree parameter is greater than the second degree value and less than a third degree value, determining that the attack risk of the target risk point is a moderate attack; the second quantized value is smaller than the third quantized value, and the second degree value is smaller than the third degree value;
If the risk quantization parameter is greater than the third quantization value and less than a fourth quantization value, and the risk degree parameter is greater than the third degree value and less than a fourth degree value, determining that the attack risk of the target risk point is a slight serious attack; the third quantized value is smaller than the fourth quantized value, and the third degree value is smaller than the fourth degree value;
if the risk quantization parameter is greater than the fourth quantization value and less than a fifth quantization value, and the risk degree parameter is greater than the fourth degree value and less than a fifth degree value, determining that the attack risk of the target risk point is a moderate serious attack; the fourth quantization value is less than the fifth quantization value, and the fourth degree value is less than the fifth degree value;
And if the risk quantization parameter is greater than the fifth quantization value and the risk degree parameter is greater than the fifth degree value, determining that the attack risk of the target risk point is a serious attack.
4. The method of claim 1, wherein the target security posture data comprises at least one of terminal security posture data, data security posture data, attack security posture data, file security posture data, traffic security posture data, and application security posture data.
5. An electrical power system information network risk of attack assessment apparatus, the apparatus comprising:
the acquisition module is used for acquiring target security situation data of the target risk points;
The computing module is used for carrying out index analysis on the target security situation data and determining each security index contained in the target security situation data and index attribute information of each security index, wherein the index attribute information comprises index data change amplitude, index data change speed and hazard degree; determining importance parameters corresponding to the safety indexes according to the index attribute information; determining a target safety index from the safety indexes based on the importance parameters, and determining parameters before index change and parameters after index change of the target safety index; calculating an index quotient of the parameter before index change and the parameter after index change; determining a logarithmic value of the index quotient, and determining the opposite number of the logarithmic value as a risk degree parameter of the target safety index, wherein the risk degree parameter is used for determining whether risk quantization processing is needed for the target safety index;
The quantization module is used for determining a plurality of sub-safety indexes contained in the target safety index if the risk degree parameter of the target safety index meets the parameter quantization condition; for each sub-security index, determining a sub-quantization parameter corresponding to each sub-security index according to a pre-sub-index change parameter and a post-sub-index change parameter of the sub-security index, wherein the sub-quantization parameter refers to network entropy corresponding to each sub-security index; determining the index weight matched with each sub-safety index; according to the sub-quantization parameters and the index weights of the sub-safety indexes, carrying out weighted summation on each sub-safety index to obtain risk quantization parameters of the target safety index;
And the evaluation module is used for determining an attack risk evaluation result of the target risk point based on the risk degree parameter of the target safety index and the risk quantification parameter.
6. The apparatus of claim 5, wherein the computing module is further configured to determine a predetermined risk level parameter to which the target security indicator matches; if the risk degree parameter of the target safety index is larger than the preset risk degree parameter, determining that the risk degree parameter of the target safety index meets a parameter quantification condition; and if the risk degree parameter of the target security index is smaller than or equal to the preset risk degree parameter, determining that the target risk point is free of attack risk.
7. The apparatus of claim 5, wherein the evaluation module is further configured to determine that the risk of attack of the target risk point is a negligible attack if the risk quantization parameter is less than a first quantization value and the risk level parameter is less than a first level value; if the risk quantization parameter is greater than the first quantization value and less than the second quantization value, and the risk degree parameter is greater than the first degree value and less than the second degree value, determining that the attack risk of the target risk point is a slight attack; the first quantized value is smaller than the second quantized value, and the first degree value is smaller than the second degree value; if the risk quantization parameter is greater than the second quantization value and less than a third quantization value, and the risk degree parameter is greater than the second degree value and less than a third degree value, determining that the attack risk of the target risk point is a moderate attack; the second quantized value is smaller than the third quantized value, and the second degree value is smaller than the third degree value; if the risk quantization parameter is greater than the third quantization value and less than a fourth quantization value, and the risk degree parameter is greater than the third degree value and less than a fourth degree value, determining that the attack risk of the target risk point is a slight serious attack; the third quantized value is smaller than the fourth quantized value, and the third degree value is smaller than the fourth degree value; if the risk quantization parameter is greater than the fourth quantization value and less than a fifth quantization value, and the risk degree parameter is greater than the fourth degree value and less than a fifth degree value, determining that the attack risk of the target risk point is a moderate serious attack; the fourth quantization value 
is less than the fifth quantization value, and the fourth degree value is less than the fifth degree value; and if the risk quantization parameter is greater than the fifth quantization value and the risk degree parameter is greater than the fifth degree value, determining that the attack risk of the target risk point is a serious attack.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 4 when the computer program is executed.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 4.
10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method of any of claims 1 to 4.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210445277.XA CN115085965B (en) 2022-04-26 2022-04-26 Power system information network attack risk assessment method, device and equipment

Publications (2)

Publication Number Publication Date
CN115085965A CN115085965A (en) 2022-09-20
CN115085965B true CN115085965B (en) 2024-05-03

Family

ID=83247890

Country Status (1)

Country Link
CN (1) CN115085965B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103095494A (en) * 2012-12-31 2013-05-08 北京邮电大学 Risk evaluation method of electric power communication network
CN104392391A (en) * 2014-11-14 2015-03-04 国家电网公司 Power grid running safety risk quantification method
CN105763562A (en) * 2016-04-15 2016-07-13 全球能源互联网研究院 Electric power information network vulnerability threat evaluation model establishment method faced to electric power CPS risk evaluation and evaluation system based on the model
CN107204876A (en) * 2017-05-22 2017-09-26 成都网络空间安全技术有限公司 A kind of network security risk evaluation method
CN110943983A (en) * 2019-11-22 2020-03-31 南京邮电大学 Network security prevention method based on security situation awareness and risk assessment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
An optimized real-time network security risk quantification method; 李伟明; 雷杰; 董静; 李之棠; 计算机学报 (Chinese Journal of Computers), No. 4; 205-216 *

Also Published As

Publication number Publication date
CN115085965A (en) 2022-09-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant