CN115102738B - Equipment base station health situation perception system and method based on network attack trend - Google Patents


Info

Publication number
CN115102738B
Authority
CN
China
Prior art keywords
network attack
network
vulnerability
equipment
control computer
Prior art date
Legal status
Active
Application number
CN202210679718.2A
Other languages
Chinese (zh)
Other versions
CN115102738A (en
Inventor
刘智勇
陈良汉
洪超
钟海维
Current Assignee
Zhuhai Hongrui Information Technology Co Ltd
Original Assignee
Zhuhai Hongrui Information Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Zhuhai Hongrui Information Technology Co Ltd
Priority to CN202210679718.2A
Publication of CN115102738A
Application granted
Publication of CN115102738B
Legal status: Active
Anticipated expiration

Classifications

    • H04L63/1433 Vulnerability analysis (H04L63/14: network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic)
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network (H04L41/00: arrangements for maintenance, administration or management of data switching networks, e.g. packet switching networks)
    • H04L41/147 Network analysis or design for predicting network behaviour
    • H04L63/1425 Traffic logging, e.g. anomaly detection (H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a system and a method for sensing the health situation of an equipment base station based on network attack trend. The method comprises: step S100: constructing a network attack early warning model and establishing association relations between different network attacks and different equipment vulnerabilities; step S200: identifying and judging the vulnerability association relations that exist among the network attacks; step S300: obtaining, in real time, a plurality of early warning network attacks predicted by the network attack early warning model from the current equipment operation data of the industrial control computer equipment terminal, and calculating a first network attack trend value for the current industrial control computer equipment terminal; step S400: calculating a second network attack trend value for the current industrial control computer equipment terminal; step S500: integrating the first and second network attack trend values into a comprehensive network attack trend value for the current industrial control computer equipment terminal, and feeding back early warning information to the base station connected to the industrial control computer equipment terminal based on the comprehensive network attack trend value.

Description

Equipment base station health situation perception system and method based on network attack trend
Technical Field
The invention relates to the technical field of information security, in particular to a system and a method for sensing the health situation of an equipment base station based on network attack trend.
Background
The industrial control computer equipment terminal that sends control instructions to industrial control equipment through a connected base station is vital to the whole industrial control process. Once the terminal continuously suffers network attacks, and those attacks form a trend, the accuracy of the control instructions it sends to the industrial control equipment decreases and the possibility that instructions are tampered with or stolen increases.
Generally, different computer devices expose their internal vulnerabilities differently because of differences in configuration, and for the same reason their ability to repair vulnerabilities under different network attacks also differs. Analysing and mastering the network attack trend therefore means analysing the relationship between vulnerability repair and network attack that different computer device terminals present under different network attacks.
Disclosure of Invention
The invention aims to provide a system and a method for sensing the health situation of an equipment base station based on network attack trend, so as to solve the problems described in the background.
To solve these technical problems, the invention provides the following technical scheme: a method for sensing the health situation of an equipment base station based on network attack trend comprises the following steps:
step S100: constructing a network attack early warning model based on the various equipment operation data of an industrial control computer equipment terminal recorded before it historically suffered different network attacks; establishing, from the rules found in the historical operation logs, association relations between different network attacks and different equipment vulnerabilities;
step S200: based on the association relations between each network attack and the different equipment vulnerabilities, identifying and judging the vulnerability association relations that exist among the network attacks; based on the result of that identification and judgment, capturing the associated network attacks of each network attack, and obtaining the associated network attack set corresponding to each network attack;
step S300: obtaining in real time a plurality of early warning network attacks predicted by the network attack early warning model from the current equipment operation data of the industrial control computer equipment terminal; calculating a first network attack trend value φ_1 for the current industrial control computer equipment terminal based on the distribution of the association relations among the plurality of early warning network attacks;
step S400: calculating a second network attack trend value φ_2 based on an analysis of the repair time of all associated vulnerabilities corresponding to the plurality of early warning network attacks;
step S500: integrating the first and second network attack trend values to obtain a comprehensive network attack trend value for the current industrial control computer equipment terminal, φ_综 = φ_1 × φ_2 (综 denotes "comprehensive"); when the comprehensive network attack trend value φ_综 is greater than the comprehensive network attack trend value threshold, feeding back early warning information to the base station connected to the industrial control computer equipment terminal, stopping the sending of control instructions to the industrial control equipment, and notifying technical personnel to overhaul and maintain the equipment of the industrial control computer equipment terminal.
Further, step S100 includes:
step S101: extracting the various equipment performance parameters of the industrial control computer equipment terminal recorded before it historically suffered each different network attack; converting each equipment performance parameter into a plurality of structured data units, converting those structured data units into matrix data, and taking the matrix data as the feature vectors of the equipment operation data recorded before the terminal suffered the different network attacks; training a deep neural network on the feature vectors, and thereby establishing the network attack early warning model;
step S102: extracting the historical operation logs of the industrial control computer equipment terminal, and extracting from them the vulnerability repair instructions executed when the terminal was subjected to the different network attacks; from those repair instructions, acquiring the equipment vulnerabilities present at the terminal when each kind of network attack occurred, and establishing an association relation between each acquired equipment vulnerability and the corresponding network attack;
step S103: for each network attack, searching for all equipment vulnerabilities that have an association relation with it, to obtain the associated vulnerability set corresponding to each different network attack.
Further, step S200 includes:
step S201: for each kind of network attack, find the other kinds of network attack whose associated vulnerability sets share at least one equipment vulnerability with it and also differ from it in at least one equipment vulnerability, and preliminarily judge that a vulnerability association relation exists between the current kind of network attack and each of those other kinds; for a network attack A, let the set of network attacks preliminarily judged to have a vulnerability association relation with A be A′ = {A′_1, A′_2, …, A′_v}, where A′_1, A′_2, …, A′_v denote the 1st, 2nd, …, v-th kind of network attack so judged;
step S202: let P_A denote the associated vulnerability set of network attack A and P_{A′_q} the associated vulnerability set of the q-th associated network attack A′_q; the equipment vulnerabilities that A′_q has in common with A form the set P_A ∩ P_{A′_q}; the respective difference associated vulnerability sets are
P′_A = P_A \ P_{A′_q},
P′_{A′_q} = P_{A′_q} \ P_A,
where P′_A holds the vulnerabilities of P_A that are not in P_{A′_q}, and P′_{A′_q} holds the vulnerabilities of P_{A′_q} that are not in P_A; the vulnerability correlation value between the q-th network attack A′_q and network attack A is then calculated from card(P′_A), card(P′_{A′_q}), card(P_A) and card(P_{A′_q}), the numbers of equipment vulnerabilities in the sets P′_A, P′_{A′_q}, P_A and P_{A′_q} respectively (the expression itself is present only as an image in the original);
the above calculation of the vulnerability correlation value amounts, for two network attacks that are correlated, to computing the probability that a selected equipment vulnerability is not one possessed by both network attacks; the greater this probability, the more likely it is that, while the vulnerabilities of one of the network attacks are being repaired, the attack of the other network attack starts to take effect;
step S203: setting a vulnerability correlation value threshold; calculating the vulnerability correlation value between network attack A and each network attack in the set A′, and removing from A′ the network attacks whose vulnerability correlation value is smaller than the threshold, obtaining a new set A′; finally judging that network attack A and the network attacks in the new set A′ are associated network attacks, and establishing an association identification between network attack A and each network attack in the new set A′;
the purpose of analysing and identifying the associated network attacks is to lay the technical groundwork for the subsequent calculation of the network attack trend value, and to analyse the network attack trends that can harm the industrial control computer equipment terminal. The associated network attacks are analysed and identified because, in practice, it is network attacks with an association relation that, when they arrive as a trend, damage computer equipment effectively and precisely, and because the defence and repair capability that computer equipment shows against different network attacks differs with the equipment's own configuration. Between associated network attacks there is an overlapping part and a non-overlapping part of the corresponding equipment vulnerabilities: when one network attack starts to take effect on the computer equipment and the equipment starts to repair the equipment vulnerabilities corresponding to that attack, a network attack that has an association relation with it continues to be suffered and often brings further, secondary damage to the equipment; and while the equipment vulnerabilities brought by the current network attack have not been completely repaired, the possibility that other network attacks associated with it take effect on the computer equipment terminal is higher.
step S204: performing the associated network attack judgment for each network attack in turn, to obtain the associated network attack set corresponding to each network attack.
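The following Python example is added here to show steps S102, S103 and S201 to S204 as working code; it is not the patent's own code. It builds the associated vulnerability set P_A of each network attack from constructed historical log lines (the line format `ATTACK=<attack> FIX=<vulnerability>` is an assumption, as the patent only says that repair instructions executed during each attack are extracted from the logs), then finds the preliminary candidates of S201, computes a correlation value for S202 and applies the threshold of S203/S204. Because the patent's expression for the correlation value exists only as an image, the value used here is an assumption: the share of vulnerabilities in either set that the two attacks do not have in common, which is what the patent's own explanation of the quantity describes.

```python
"""Steps S102-S103 and S201-S204 worked example (added; not the patent's code)."""
import re

# Constructed sample of a historical operation log. The format
# "<time> host=<id> ATTACK=<attack> FIX=<vulnerability>" is an assumption.
SAMPLE_LOG = """\
2022-06-01T08:00:01 host=ipc-01 ATTACK=A FIX=V1
2022-06-01T08:00:02 host=ipc-01 ATTACK=A FIX=V2
2022-06-01T08:00:03 host=ipc-01 ATTACK=A FIX=V3
2022-06-01T08:00:04 host=ipc-01 ATTACK=A FIX=V4
2022-06-02T09:10:00 host=ipc-01 ATTACK=B FIX=V2
2022-06-02T09:10:03 host=ipc-01 ATTACK=B FIX=V3
2022-06-02T09:10:07 host=ipc-01 ATTACK=B FIX=V5
2022-06-02T09:10:09 host=ipc-01 ATTACK=B FIX=V6
2022-06-03T11:00:00 host=ipc-01 ATTACK=C FIX=V1
2022-06-04T12:00:00 host=ipc-01 ATTACK=D FIX=V7
2022-06-04T12:00:05 host=ipc-01 ATTACK=D FIX=V8
2022-06-05T13:00:00 host=ipc-01 ATTACK=E FIX=V1
2022-06-05T13:00:01 host=ipc-01 ATTACK=E FIX=V2
2022-06-05T13:00:02 host=ipc-01 ATTACK=E FIX=V3
2022-06-05T13:00:03 host=ipc-01 ATTACK=E FIX=V4
2022-06-05T13:05:00 host=ipc-01 INFO heartbeat ok
"""

FIX_RE = re.compile(r"ATTACK=(?P<attack>\S+)\s+FIX=(?P<vuln>\S+)")


def associated_vuln_sets(log_text):
    """Steps S102-S103: P_A, the set of vulnerabilities repaired under attack A."""
    sets = {}
    for line in log_text.splitlines():
        m = FIX_RE.search(line)
        if m:  # lines without a repair instruction are ignored
            sets.setdefault(m["attack"], set()).add(m["vuln"])
    return sets


def preliminary_candidates(sets, a):
    """Step S201: other attacks whose set shares at least one vulnerability
    with P_A and differs from it in at least one vulnerability."""
    p_a = sets[a]
    return sorted(b for b in sets
                  if b != a and (p_a & sets[b]) and (p_a ^ sets[b]))


def correlation_value(sets, a, b):
    """Step S202 (assumed expression): share of vulnerabilities in either
    set that the two attacks do not have in common."""
    p_a, p_b = sets[a], sets[b]
    only_a = p_a - p_b        # P'_A
    only_b = p_b - p_a        # P'_{A'_q}
    return (len(only_a) + len(only_b)) / len(p_a | p_b)


def associated_attacks(sets, a, threshold):
    """Step S203: drop candidates whose correlation value is below the threshold."""
    return {b for b in preliminary_candidates(sets, a)
            if correlation_value(sets, a, b) >= threshold}


def all_associated_attacks(sets, threshold):
    """Step S204: the associated network attack set of every attack."""
    return {a: associated_attacks(sets, a, threshold) for a in sets}


if __name__ == "__main__":
    sets = associated_vuln_sets(SAMPLE_LOG)
    for attack, assoc in sorted(all_associated_attacks(sets, 0.5).items()):
        print(attack, sorted(sets[attack]), "->", sorted(assoc))
```

With the constructed log, attack E repairs exactly the same vulnerabilities as attack A, so the two are not candidates for each other (no differing vulnerability), while attack D shares nothing with anyone and ends up with an empty associated set; raising the threshold from 0.5 to 0.7 drops the A to B association (correlation 4/6) but keeps A to C (correlation 3/4).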
Further, step S300 includes:
step S301: collecting in real time the various equipment performance parameters of the current industrial control computer equipment terminal, and using the network attack early warning model to identify and match real-time early warning network attacks for it, obtaining the early warning network attack set {a_1, a_2, …, a_n}; where a_1, a_2, …, a_n are the 1st, 2nd, …, n-th network attacks whose early warning matching score, obtained from the equipment performance parameters of the current industrial control computer equipment terminal, is greater than the early warning matching score threshold;
step S302: querying the associated network attacks of each early warning network attack in the set {a_1, a_2, …, a_n}; accumulating the number of associated network attacks of each early warning network attack in the set, and obtaining from these counts the first network attack trend value φ_1 (the accumulated counts and the expression for φ_1 are present only as images in the original);
the larger the first network attack trend value so calculated, the greater the number of other network attacks that can take effect on the current computer equipment terminal while it starts repairing vulnerabilities, and the greater the hidden danger of network attack facing it.
Further, step S400 includes:
step S401: obtaining the associated vulnerability set of each network attack in the set {a_1, a_2, …, a_n}; merging the vulnerability categories of all these associated vulnerability sets to obtain all associated vulnerabilities present at the current industrial control computer equipment terminal, {b_1, b_2, …, b_n}, where b_1, b_2, …, b_n are the 1st, 2nd, …, n-th equipment vulnerabilities present at the terminal; extracting the historical operation logs of the industrial control computer equipment terminal, and capturing from them the repair time of each equipment vulnerability;
step S402: for each equipment vulnerability, accumulating the number of network attacks in the early warning network attack set {a_1, a_2, …, a_n} with which it has an association relation; setting an associated network attack number threshold, and sorting all equipment vulnerabilities whose associated network attack number is greater than the threshold from large to small by that number, obtaining an equipment vulnerability sequence;
step S403: taking each equipment vulnerability in the sequence, in its order, as the target equipment vulnerability; for each target, obtaining the subset of the early warning network attack set {a_1, a_2, …, a_n} that has no association relation with the target equipment vulnerability, {c_1, c_2, …, c_z}, where c_1, c_2, …, c_z are the 1st, 2nd, …, z-th network attacks without an association relation to the target equipment vulnerability; obtaining the vulnerability repair time t_g corresponding to each target equipment vulnerability; obtaining from the historical operation logs, for each network attack in the subset {c_1, c_2, …, c_z}, the response time it takes to cause a data impact on the industrial control computer equipment terminal; and comparing, for each subset obtained, the response time of each of its network attacks with the repair time t_g of the current target equipment vulnerability;
step S404: accumulating, for each early warning network attack subset {c_1, c_2, …, c_z}, the number of network attacks whose response time to causing a data impact on the industrial control computer equipment terminal is less than the repair time t_g of the current target equipment vulnerability, and calculating the second network attack trend value φ_2 from these counts (the expression for φ_2 is present only as an image in the original); where k_f is, for the f-th target equipment vulnerability, the number of network attacks in the f-th early warning network attack subset {c_1, c_2, …, c_z} whose response time is less than the repair time t_g of that f-th target equipment vulnerability;
the larger the second network attack trend value so calculated, the higher the possibility that the current computer equipment terminal is subjected to other network attacks that can take effect on it.
To better implement the method, a system for sensing the health situation of an equipment base station based on network attack trend is also provided. The system comprises a data analysis management module, an associated network attack identification and judgment module, a real-time detection module, a network attack trend calculation module and an early warning prompt module;
the data analysis management module is used to acquire the various equipment operation data of the industrial control computer equipment terminal recorded before it historically suffered different network attacks and to construct the network attack early warning model; it is also used to collect the historical operation logs of the terminal and to establish the association relations between different network attacks and different equipment vulnerabilities;
the associated network attack identification and judgment module is used to receive the data transmitted by the data analysis management module and, based on the association relations between the network attacks and the different equipment vulnerabilities, to identify and judge the vulnerability association relations that exist among the network attacks; and, based on that result, to capture the associated network attacks of each network attack and obtain the associated network attack set corresponding to each;
the real-time detection module is used to perform early warning prediction of network attacks through the network attack early warning model on the basis of the real-time operation data of the industrial control computer equipment terminal;
the network attack trend calculation module is used to receive the data from the real-time detection module and to analyse and calculate the first network attack trend value and the second network attack trend value for the current industrial control computer equipment terminal;
the early warning prompt module is used to receive the data from the network attack trend calculation module and, according to it, to feed back early warning information to the base station connected to the industrial control computer equipment terminal, stop the sending of control instructions to the industrial control equipment, and notify technical personnel to maintain and repair the equipment of the industrial control computer equipment terminal.
Further, the data analysis management module comprises a network attack early warning model building unit and an associated vulnerability analysis unit;
the network attack early warning model building unit is used to build the network attack early warning model based on the various equipment operation data recorded before the industrial control computer equipment terminal historically suffered different network attacks;
the associated vulnerability analysis unit is used to acquire the historical operation logs of the industrial control computer equipment terminal, extract from them the vulnerability repair instructions executed when the different kinds of network attack occurred, acquire on the basis of those repair instructions the equipment vulnerabilities present at the terminal when each kind of network attack occurred, and establish the association relations between the acquired equipment vulnerabilities and the corresponding network attacks.
Further, the associated network attack identification and judgment module comprises a vulnerability association relation preliminary judgment unit and a vulnerability correlation value calculation unit;
the vulnerability association relation preliminary judgment unit is used to find, for each kind of network attack, the other kinds of network attack whose associated vulnerability sets share at least one equipment vulnerability with it and differ from it in at least one equipment vulnerability, and to preliminarily judge that a vulnerability association relation exists between the current kind of network attack and those other kinds;
the vulnerability correlation value calculation unit is used to receive the data from the vulnerability association relation preliminary judgment unit, calculate the vulnerability correlation values between the network attacks preliminarily judged to have a vulnerability association relation, and establish association identifications between those pairs of network attacks whose vulnerability correlation value is greater than or equal to the vulnerability correlation value threshold.
Further, the network attack trend calculation module comprises a first network attack trend value calculation unit and a second network attack trend value calculation unit;
the first network attack trend value calculation unit is used to receive the data from the real-time detection module and calculate the first network attack trend value for the current industrial control computer equipment terminal based on the distribution of the association relations among the plurality of early warning network attacks;
the second network attack trend value calculation unit is used to receive the data from the real-time detection module, analyse the repair time of all associated vulnerabilities corresponding to the early warning network attacks, and calculate the second network attack trend value for the current industrial control computer equipment terminal.
Compared with the prior art, the invention has the following beneficial effects: it can predict and calculate the network attack trend of the current computer equipment terminal, and from the calculated trend value indirectly judge the accuracy of the control instructions that the current industrial control computer equipment terminal sends to the industrial control equipment. Because network attacks are usually strongly purposeful and targeted, the method avoids having to judge and predict each network attack in real time; instead it takes the computing equipment terminal's point of view, considers the current network attack situation together with the terminal's own repair capability, and predicts the information security of the equipment under network attack through the network attack trend value: the larger the trend value, the lower the safety performance of the current computer equipment and the higher the possibility that information is stolen or tampered with. The application can thus improve the efficiency of detecting the safety performance of computer equipment and reduce the control deviations or control errors that a drop in that safety performance would otherwise bring to the control of the industrial control equipment.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic structural diagram of a health situation awareness system of a device base station based on network attack tendency according to the present invention;
fig. 2 is a schematic flow diagram of the method for sensing health status of a device base station based on network attack trend according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Referring to fig. 1-2, the present invention provides a technical solution: a health situation perception method of a device base station based on a network attack trend comprises the following steps:
step S100: constructing a network attack early warning model based on various equipment operation data of an industrial control computer equipment terminal before suffering different network attacks historically; based on a historical log running rule, establishing an association relation between different network attacks and different equipment vulnerabilities;
wherein, step S100 includes:
step S101: respectively extracting various equipment performance parameters of the industrial control computer equipment end before the industrial control computer equipment end is subjected to different network attacks historically; respectively converting various equipment performance parameters into a plurality of structured data units, correspondingly converting the plurality of structured data units into a plurality of matrix data, and setting the plurality of matrix data as a plurality of characteristic vectors of various equipment operation data of an industrial computer equipment end before suffering different network attacks; respectively carrying out data training on a plurality of characteristic vectors through a deep neural network, and correspondingly establishing a network attack early warning model;
step S102: extracting historical operation logs of the industrial control computer equipment end, and extracting vulnerability repair instructions executed when the industrial control computer equipment end is attacked based on different networks from the historical operation logs; acquiring equipment bugs existing at the equipment end of the industrial control computer when different types of network attacks appear on the basis of the bug fixing instruction, and respectively establishing association relations between the acquired equipment bugs and the corresponding network attacks;
step S103: respectively searching all equipment vulnerabilities with which association exists for each network attack, and respectively obtaining association vulnerability sets corresponding to different network attacks;
step S200: based on the association relation between each network attack and the different equipment vulnerabilities, identifying and judging the vulnerability association relations that exist between network attacks; capturing the associated network attacks of each network attack based on the identification and judgment result of the vulnerability association relation, and respectively obtaining the associated network attack set corresponding to each network attack;
wherein, step S200 includes:
step S201: for each kind of network attack, respectively searching for the other kinds of network attacks whose associated vulnerability set shares at least one equipment vulnerability with, and also differs in at least one equipment vulnerability from, the associated vulnerability set of the current kind; preliminarily judging that a vulnerability association relation exists between the current kind of network attack and each such other kind of network attack;
for example, the associated vulnerability set corresponding to network attack X is {vulnerability 1, vulnerability 2, vulnerability 3, vulnerability 4}, and the associated vulnerability set corresponding to network attack Y is {vulnerability 2, vulnerability 3, vulnerability 5, vulnerability 6}; the same equipment vulnerabilities {vulnerability 2, vulnerability 3} and the different equipment vulnerabilities {vulnerability 1, vulnerability 5, vulnerability 6} exist between network attack X and network attack Y, so it is preliminarily judged that a vulnerability association relation exists between network attack X and network attack Y;
if a network attack A exists, the set of network attacks preliminarily judged to have a vulnerability association relation with network attack A is A' = {A'_1, A'_2, …, A'_v}, where A'_1, A'_2, …, A'_v respectively denote the 1st, 2nd, …, v-th kinds of network attack preliminarily judged to have a vulnerability association relation with network attack A;
step S202: if q associated network attacks A' q Same association vulnerability set with network attack A
Figure BDA0003695913690000081
Comprises the following steps:
Figure BDA0003695913690000082
wherein, P A Representing a networkAttacking the relevant vulnerability set corresponding to the A;
Figure BDA0003695913690000083
denotes network attack A' q A corresponding associated vulnerability set; the respective difference association loophole sets are as follows:
Figure BDA0003695913690000084
Figure BDA0003695913690000091
wherein, P' A Represents a set P A And collections
Figure BDA0003695913690000092
The vulnerability sets are related in a distinguishing way;
Figure BDA0003695913690000093
representation collection
Figure BDA0003695913690000094
And collections
Figure BDA0003695913690000095
The vulnerability sets are related in a distinguishing way; calculating q network attack A' q Vulnerability association value with network attack A
Figure BDA0003695913690000096
Figure BDA0003695913690000097
Wherein, card (P' A )、
Figure BDA0003695913690000098
card(P A ) Respectively represent a set P' A Set of
Figure BDA0003695913690000099
Collection of
Figure BDA00036959136900000910
Set P A The number of internal equipment bugs is set;
for example, the associated vulnerability set P_A corresponding to network attack X is {vulnerability 1, vulnerability 2, vulnerability 3, vulnerability 4}, and the associated vulnerability set P_{A'_q} corresponding to network attack Y is {vulnerability 2, vulnerability 3, vulnerability 5, vulnerability 6}; it is preliminarily judged that a vulnerability association exists between network attack X and network attack Y; the same associated vulnerability set between network attack X and network attack Y is {vulnerability 2, vulnerability 3}; the difference associated vulnerability set P'_A of network attack X is {vulnerability 1, vulnerability 4}; the difference associated vulnerability set of network attack Y is {vulnerability 5, vulnerability 6}; the vulnerability association value between network attack X and network attack Y then follows from the formula (the formula and the resulting value appear only as images in the original);
step S203: setting a vulnerability association value threshold, respectively calculating the vulnerability association value between network attack A and each network attack in the set A', and removing from the set A' the network attacks whose vulnerability association value is smaller than the threshold, thereby obtaining a new set A''; finally, judging that network attack A and the network attacks in the new set A'' are associated network attacks, and establishing an association identification between network attack A and each network attack in the new set A''.
step S204: respectively carrying out the associated network attack judgment for each network attack, so as to respectively obtain the associated network attack set corresponding to each network attack;
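The following is an added example, not code from the patent or its assignee, showing steps S102-S103 (deriving each attack's associated vulnerability set from repair instructions in the operation log) and steps S201-S204 (the preliminary screening, the shared and difference sets with their cardinalities, and the thresholded associated-attack table). The log line format and the attack names X, Y, Z, W are constructed for the example. Because the patent shows its vulnerability association value formula only as an image, the scorer below uses a Jaccard ratio as a clearly labelled stand-in; the set cardinalities it consumes are exactly the ones the text names, so a reader who has the original formula can drop it in.

```python
"""Added example (not the patent's own code): steps S102-S103 and S201-S204.

Builds each attack's associated vulnerability set from repair-instruction
log lines, screens candidate associated attacks, and computes the set
cardinalities the patent names.  The log line format and the scoring
function are assumptions: the patent shows its association-value formula
only as an image, so a Jaccard ratio is used here as a stand-in.
"""
import re

# Constructed sample of historical operation log lines.  Each line records a
# vulnerability repair instruction executed while a given network attack was
# being handled (format assumed for this example).
SAMPLE_LOG = """\
2022-03-01T10:00:00 attack=X repair_vuln=vuln1
2022-03-01T10:05:00 attack=X repair_vuln=vuln2
2022-03-01T10:07:00 attack=X repair_vuln=vuln3
2022-03-01T10:09:00 attack=X repair_vuln=vuln4
2022-03-02T08:00:00 attack=Y repair_vuln=vuln2
2022-03-02T08:02:00 attack=Y repair_vuln=vuln3
2022-03-02T08:04:00 attack=Y repair_vuln=vuln5
2022-03-02T08:06:00 attack=Y repair_vuln=vuln6
2022-03-03T09:00:00 attack=Z repair_vuln=vuln7
2022-03-03T09:01:00 attack=Z repair_vuln=vuln8
2022-03-04T11:00:00 attack=W repair_vuln=vuln1
2022-03-04T11:03:00 attack=W repair_vuln=vuln2
2022-03-04T11:05:00 attack=W repair_vuln=vuln3
2022-03-04T11:06:00 heartbeat ok
"""

LOG_RE = re.compile(r"attack=(\S+)\s+repair_vuln=(\S+)")


def associated_vuln_sets(log_text):
    """Steps S102-S103: map each network attack to the set of equipment
    vulnerabilities whose repair instructions ran while it was handled."""
    sets = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:            # lines without a repair instruction are skipped
            continue
        attack, vuln = m.groups()
        sets.setdefault(attack, set()).add(vuln)
    return sets


def preliminary_candidates(sets, a):
    """Step S201: other attacks whose set shares at least one vulnerability
    with P_A and also differs from it in at least one vulnerability."""
    p_a = sets[a]
    return [b for b, p_b in sets.items()
            if b != a and (p_a & p_b) and (p_a ^ p_b)]


def set_cardinalities(sets, a, b):
    """Step S202: the shared set, both difference sets and card(P_A), i.e.
    the inputs the patent lists for its association-value formula."""
    p_a, p_b = sets[a], sets[b]
    same = p_a & p_b
    return {"same": same, "diff_a": p_a - same, "diff_b": p_b - same,
            "card_P_A": len(p_a)}


def association_value(sets, a, b):
    """ASSUMED stand-in for the patent's (image-only) formula: the share of
    the union of both sets that is common to both (Jaccard ratio)."""
    c = set_cardinalities(sets, a, b)
    return len(c["same"]) / (len(c["same"]) + len(c["diff_a"]) + len(c["diff_b"]))


def associated_attacks(sets, a, threshold):
    """Step S203: drop candidates scoring below the threshold to obtain A''."""
    return sorted(b for b in preliminary_candidates(sets, a)
                  if association_value(sets, a, b) >= threshold)


def associated_attack_table(sets, threshold):
    """Step S204: the associated network attack set for every attack."""
    return {a: associated_attacks(sets, a, threshold) for a in sets}


if __name__ == "__main__":
    sets = associated_vuln_sets(SAMPLE_LOG)
    print(set_cardinalities(sets, "X", "Y"))
    print(associated_attack_table(sets, 0.5))
```

With the constructed log, X and Y reproduce the patent's worked example (shared {vuln2, vuln3}, differences {vuln1, vuln4} and {vuln5, vuln6}); W, whose set is a strict subset of X's, is still a candidate because the two sets differ in vuln4, while Z shares nothing with the others and is never associated.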
step S300: obtaining, in real time, the plurality of early-warning network attacks predicted by the network attack early warning model from the current equipment operation data of the industrial control computer equipment end; calculating the first network attack trend value φ_1 of the current industrial control computer equipment end based on the distribution of association relations among the plurality of early-warning network attacks;
Wherein, step S300 includes:
step S301: collecting the various equipment performance parameters of the current industrial control computer equipment end in real time, and using the network attack early warning model to identify and match real-time early-warning network attacks on the current industrial control computer equipment end, obtaining the early-warning network attack set {a_1, a_2, …, a_n} of the current industrial control computer equipment end; wherein a_1, a_2, …, a_n respectively denote the 1st, 2nd, …, n-th network attacks whose early-warning matching score, obtained from the equipment performance parameters of the current industrial control computer equipment end, is larger than the early-warning matching score threshold;
step S302: performing an associated network attack query for each early-warning network attack in the set {a_1, a_2, …, a_n}; respectively accumulating the number of associated network attacks of each early-warning network attack in the set {a_1, a_2, …, a_n} (the symbols for these counts are shown as an image in the original); obtaining the first network attack trend value φ_1 (formula shown only as an image in the original);
step S400: calculating the second network attack trend value φ_2 of the current industrial control computer equipment end based on an analysis of the repair times of all the associated vulnerabilities corresponding to the early-warning network attacks;
Wherein, step S400 includes:
step S401 (following step S302): respectively obtaining the equipment vulnerability set corresponding to each network attack in the set {a_1, a_2, …, a_n}; merging all these associated vulnerability sets by vulnerability type to obtain all the associated vulnerabilities present at the current industrial control computer equipment end, namely {b_1, b_2, …, b_n}, where b_1, b_2, …, b_n respectively denote the 1st, 2nd, …, n-th equipment vulnerabilities present at the current industrial control computer equipment end; extracting the historical operation logs of the industrial control computer equipment end, and respectively capturing from them the repair time corresponding to each equipment vulnerability;
step S402: for each equipment vulnerability, respectively accumulating the number of network attacks in the early-warning network attack set {a_1, a_2, …, a_n} with which it has an association relation; setting an associated network attack number threshold, and sorting all the equipment vulnerabilities whose associated network attack number is larger than the threshold in descending order of that number, obtaining an equipment vulnerability sequence;
step S403: according to the order of the equipment vulnerabilities in the equipment vulnerability sequence, setting each equipment vulnerability in turn as the target equipment vulnerability; obtaining in turn, from the early-warning network attack set {a_1, a_2, …, a_n}, the early-warning network attack subset {c_1, c_2, …, c_z} of attacks that have no association relation with the target equipment vulnerability, where c_1, c_2, …, c_z respectively denote the 1st, 2nd, …, z-th kinds of network attack having no association relation with the target equipment vulnerability; respectively obtaining the vulnerability repair time t_g corresponding to each target equipment vulnerability; obtaining in turn, from the historical operation logs of the industrial control computer equipment end, the response time (symbol shown as an image in the original) at which each network attack in the early-warning network attack subset {c_1, c_2, …, c_z} produces a data influence on the industrial control computer equipment end; and, for each early-warning network attack subset {c_1, c_2, …, c_z} so obtained, comparing the response time of each of its network attacks with the vulnerability repair time t_g corresponding to the current target equipment vulnerability;
step S404: for each early-warning network attack subset {c_1, c_2, …, c_z} in turn, accumulating the number of network attacks whose response time for producing a data influence on the industrial control computer equipment end is less than the vulnerability repair time t_g corresponding to the current target equipment vulnerability; calculating the second network attack trend value φ_2 (formula shown only as an image in the original);
wherein k_f is the number of network attacks in the f-th early-warning network attack subset {c_1, c_2, …, c_z}, obtained when the f-th target equipment vulnerability is set, whose response time is less than the vulnerability repair time t_g corresponding to the current f-th target equipment vulnerability;
step S500: integrating the first network attack trend value and the second network attack trend value to obtain the comprehensive network attack trend value φ_综 = φ_1 × φ_2 of the current industrial control computer equipment end; when the comprehensive network attack trend value φ_综 is larger than the comprehensive network attack trend value threshold, feeding back early-warning information to the base station connected with the industrial control computer equipment end, stopping the sending of control instructions to the industrial control computer equipment, and notifying technicians to overhaul and maintain the equipment of the industrial control computer equipment end.
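The following is an added example, not code from the patent or its assignee, walking through steps S301-S404 and the S500 gate on constructed data: an early-warning attack set, each attack's associated vulnerability set, an associated-attack table of the kind step S204 produces, the repair time t_g of each vulnerability and each attack's response time (the last two are read from historical operation logs in the patent; here they are embedded constants). The patent shows the formulas for φ_1 and φ_2 only as images, so the example keeps the per-attack counts and the k_f values as its checkable outputs and, as a labelled assumption, sums them to obtain φ_1 and φ_2 before applying the S500 threshold.

```python
"""Added example (not the patent's own code): steps S301-S404 and the S500
gate on constructed inputs.  The patent shows phi_1 and phi_2 only as
images; the sums used in assess() are assumptions."""

# Early-warning attacks matched by the model for the current device end (S301).
EARLY_WARNING = ["X", "Y", "W"]

# Associated vulnerability set of each early-warning attack (constructed).
VULN_SETS = {
    "X": {"vuln1", "vuln2", "vuln3", "vuln4"},
    "Y": {"vuln2", "vuln3", "vuln5", "vuln6"},
    "W": {"vuln1", "vuln5"},
}

# Associated network attack table, as step S204 would produce it (constructed).
ASSOCIATED = {"X": ["Y", "W"], "Y": ["X"], "W": ["X"]}

# Repair time t_g of each vulnerability, in minutes (constructed; S401 reads
# these from the historical operation logs).
REPAIR_TIME = {"vuln1": 30, "vuln2": 120, "vuln3": 60,
               "vuln4": 15, "vuln5": 200, "vuln6": 45}

# Response time, in minutes, at which each attack produced a data influence on
# the device end in past incidents (constructed; S403 reads these from logs).
RESPONSE_TIME = {"X": 20, "Y": 10, "W": 90}


def associated_counts(early, associated):
    """Step S302: number of associated attacks of each early-warning attack."""
    return {a: len(associated.get(a, [])) for a in early}


def vulnerability_sequence(early, vuln_sets, count_threshold):
    """Steps S401-S402: count, per vulnerability, the early-warning attacks
    associated with it; keep those above the threshold, sorted descending
    (ties broken by name so the order is deterministic)."""
    counts = {}
    for a in early:
        for v in vuln_sets[a]:
            counts[v] = counts.get(v, 0) + 1
    kept = [v for v, n in counts.items() if n > count_threshold]
    return sorted(kept, key=lambda v: (-counts[v], v))


def k_values(early, vuln_sets, sequence, repair_time, response_time):
    """Steps S403-S404: for each target vulnerability, take the early-warning
    attacks NOT associated with it and count those whose response time is
    shorter than the vulnerability's repair time t_g, i.e. attacks that would
    take effect before the current fix is in place."""
    ks = []
    for target in sequence:
        subset = [a for a in early if target not in vuln_sets[a]]
        t_g = repair_time[target]
        ks.append(sum(1 for a in subset if response_time[a] < t_g))
    return ks


def comprehensive_decision(phi1, phi2, threshold):
    """Step S500: phi = phi1 * phi2; above the threshold the device end is
    flagged, control instructions are withheld and technicians notified."""
    phi = phi1 * phi2
    if phi > threshold:
        return {"phi": phi, "alert": True,
                "actions": ["feed back early warning to base station",
                            "stop sending control instructions",
                            "notify technicians for maintenance"]}
    return {"phi": phi, "alert": False, "actions": []}


def assess(early, vuln_sets, associated, repair_time, response_time,
           count_threshold=1, phi_threshold=10):
    """Run the whole S300-S500 pipeline.  ASSUMPTION: phi_1 and phi_2 are
    taken as the sums of the per-attack counts and of the k_f values."""
    counts = associated_counts(early, associated)
    seq = vulnerability_sequence(early, vuln_sets, count_threshold)
    ks = k_values(early, vuln_sets, seq, repair_time, response_time)
    phi1, phi2 = sum(counts.values()), sum(ks)
    decision = comprehensive_decision(phi1, phi2, phi_threshold)
    return {"counts": counts, "sequence": seq, "k": ks,
            "phi1": phi1, "phi2": phi2, **decision}


if __name__ == "__main__":
    from pprint import pprint
    pprint(assess(EARLY_WARNING, VULN_SETS, ASSOCIATED, REPAIR_TIME, RESPONSE_TIME))
```

On the constructed data, vuln3 yields k = 0 because the only early-warning attack not tied to it (W) would take 90 minutes to affect the device, longer than the 60-minute repair time, whereas vuln1, vuln2 and vuln5 each have one attack that would land before their fix; this is the situation step S404 is designed to surface.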
In order to better realize the method, a health situation perception system of the equipment base station based on the network attack trend is also provided, and the system comprises a data analysis management module, an associated network attack identification and judgment module, a real-time detection module, a network attack trend calculation module and an early warning prompt module;
the data analysis management module is used for acquiring the various equipment operation data of the industrial control computer equipment end before it was historically subjected to different network attacks, and constructing the network attack early warning model; it is also used for acquiring the historical operation logs of the industrial control computer equipment end and establishing the association relations between different network attacks and different equipment vulnerabilities;
the data analysis management module comprises a network attack early warning model establishing unit and a correlation vulnerability analysis unit;
the network attack early warning model establishing unit is used for establishing a network attack early warning model based on operation data of various equipment before the equipment end of the industrial control computer is subjected to different network attacks historically;
the associated vulnerability analysis unit is used for acquiring the historical operation logs of the industrial control computer equipment end and extracting from them the vulnerability repair instructions executed when the industrial control computer equipment end was subjected to different network attacks; acquiring, based on the vulnerability repair instructions, the equipment vulnerabilities present at the industrial control computer equipment end when the different types of network attacks appeared; and completing the establishment of the association relation between each acquired equipment vulnerability and the corresponding network attack;
the associated network attack identification and judgment module is used for receiving the data of the data analysis management module and identifying and judging the vulnerability association relations existing between network attacks based on the association relations between each network attack and the different equipment vulnerabilities; capturing the associated network attacks of each network attack based on the identification and judgment result of the vulnerability association relation, and respectively obtaining the associated network attack set corresponding to each network attack;
the relevant network attack identification and judgment module comprises a vulnerability relevant relationship preliminary judgment unit and a vulnerability relevant value calculation unit;
the vulnerability association relation preliminary judgment unit is used for searching, for each type of network attack, the other types of network attacks whose associated vulnerability set shares some equipment vulnerabilities with, and differs in other equipment vulnerabilities from, the associated vulnerability set of the current type, and preliminarily judging that a vulnerability association relation exists between the current type of network attack and those other types of network attack;
the vulnerability association value calculation unit is used for receiving the data of the vulnerability association relation preliminary judgment unit, calculating the vulnerability association values between network attacks preliminarily judged to have a vulnerability association relation, and establishing the corresponding association identification between network attacks whose vulnerability association value is greater than or equal to the vulnerability association value threshold;
The real-time detection module is used for carrying out early warning prediction on network attack on each real-time equipment operation data of the industrial control computer equipment through the network attack early warning model;
the network attack trend calculation module is used for receiving the data of the real-time detection module and analyzing and calculating the first network attack trend value and the second network attack trend value of the current industrial control computer equipment end;
the network attack trend calculation module comprises a first network attack trend value calculation unit and a second network attack trend value calculation unit;
the first network attack tendency value calculation unit is used for receiving the data in the real-time detection module and calculating a first network attack tendency value for the current industrial control computer equipment terminal based on the incidence relation distribution condition among a plurality of early warning network attacks;
the second network attack trend value calculation unit is used for receiving the data in the real-time detection module, analyzing the repair time of all the associated vulnerabilities corresponding to the early warning network attacks and calculating a second network attack trend value for the current industrial control computer equipment side;
and the early warning prompting module is used for receiving the data in the network attack trend calculation module, feeding back early warning information to a base station connected with the industrial control computer equipment end according to the data, stopping sending a control instruction to the industrial control computer equipment, and informing technicians to overhaul and maintain the equipment of the industrial control computer equipment end.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (8)

1. A health situation perception method of a device base station based on a network attack trend is characterized by comprising the following steps:
step S100: constructing a network attack early warning model based on various equipment operation data of an industrial control computer equipment terminal before suffering different network attacks historically; based on a historical log running rule, establishing an association relation between different network attacks and different equipment vulnerabilities;
the step S100 includes:
step S101: respectively extracting various equipment performance parameters of the industrial control computer equipment end before the industrial control computer equipment end is historically subjected to different network attacks; respectively converting each equipment performance parameter into a plurality of structured data units, correspondingly converting the plurality of structured data units into a plurality of matrix data, and setting the plurality of matrix data as a plurality of characteristic vectors of each equipment operation data of an industrial control computer equipment end before suffering different network attacks; respectively carrying out data training on a plurality of characteristic vectors through a deep neural network, and correspondingly establishing a network attack early warning model;
step S102: extracting historical operation logs of the industrial control computer equipment end, and extracting vulnerability repair instructions executed when the industrial control computer equipment end is attacked based on different networks from the historical operation logs; acquiring equipment bugs existing at the equipment end of the industrial control computer when different types of network attacks appear based on the bug fixing instruction, and respectively establishing association relations between the acquired equipment bugs and the corresponding network attacks;
step S103: respectively searching all equipment vulnerabilities with which association exists for each network attack, and respectively obtaining association vulnerability sets corresponding to different network attacks;
step S200: based on the incidence relation between each network attack and different equipment bugs, identifying and judging the bug incidence relation existing between each network attack; capturing the associated network attacks for each network attack based on the identification and judgment result of the vulnerability association relation, and respectively obtaining an associated network attack set corresponding to each network attack;
step S300: obtaining, in real time, the plurality of early-warning network attacks predicted by the network attack early warning model from the current equipment operation data of the industrial control computer equipment end; calculating the first network attack trend value Y_1 of the current industrial control computer equipment end based on the distribution of association relations among the plurality of early-warning network attacks;
step S400: calculating the second network attack trend value Y_2 of the current industrial control computer equipment end based on an analysis of the repair times of all the associated vulnerabilities corresponding to the early-warning network attacks;
step S500: integrating the first network attack trend value and the second network attack trend value to obtain the comprehensive network attack trend value Y_综 = Y_1 × Y_2 of the current industrial control computer equipment end; when the comprehensive network attack trend value Y_综 is larger than the comprehensive network attack trend value threshold, feeding back early-warning information to the base station connected with the industrial control computer equipment end, stopping the sending of control instructions to the industrial control computer equipment, and notifying technicians to overhaul and maintain the equipment of the industrial control computer equipment end.
2. The method for sensing health status of base station of equipment based on network attack trend as claimed in claim 1, wherein the step S200 comprises:
step S201: for each kind of network attack, respectively searching for the other kinds of network attacks whose associated vulnerability set shares at least one equipment vulnerability with, and also differs in at least one equipment vulnerability from, the associated vulnerability set of the current kind, and preliminarily judging that a vulnerability association relation exists between the current kind of network attack and each such other kind of network attack; if a network attack A exists, the set formed by the network attacks preliminarily judged to have a vulnerability association relation with network attack A is A' = {A'_1, A'_2, …, A'_v}, where A'_1, A'_2, …, A'_v respectively denote the 1st, 2nd, …, v-th kinds of network attack preliminarily judged to have a vulnerability association relation with network attack A;
step S202: for the q-th associated network attack A'_q, the same associated vulnerability set shared by A'_q and network attack A (its symbol and defining formula appear only as images in the original) consists of the equipment vulnerabilities contained in both P_A and P_{A'_q}; here P_A denotes the associated vulnerability set corresponding to network attack A, and P_{A'_q} (written here by analogy with P_A, since the original shows this symbol only as an image) denotes the associated vulnerability set corresponding to network attack A'_q; the respective difference associated vulnerability sets (formulas shown as images in the original) are P'_A, the difference associated vulnerability set of set P_A with respect to set P_{A'_q}, and P'_{A'_q} (again written by analogy), the difference associated vulnerability set of set P_{A'_q} with respect to set P_A;
calculating the vulnerability association value of the q-th network attack A'_q with network attack A by a formula shown only as an image in the original, whose inputs card(P'_A), card(P'_{A'_q}), the cardinality of the same associated vulnerability set, and card(P_A) respectively denote the number of equipment vulnerabilities in the set P'_A, the set P'_{A'_q}, the same associated vulnerability set, and the set P_A;
step S203: setting a vulnerability association value threshold, respectively calculating the vulnerability association value between network attack A and each network attack in the set A', and removing from the set A' the network attacks whose vulnerability association value is smaller than the threshold, thereby obtaining a new set A''; finally, judging that network attack A and the network attacks in the new set A'' are associated network attacks, and establishing association identifications between network attack A and the network attacks in the new set A'';
step S204: and respectively carrying out associated network attack judgment on each network attack to respectively obtain an associated network attack set corresponding to each network attack.
3. The method for sensing health status of base station of equipment based on network attack tendency as claimed in claim 1, wherein the step S300 comprises:
step S301: collecting the various equipment performance parameters of the current industrial control computer equipment end in real time, and using the network attack early warning model to identify and match real-time early-warning network attacks on the current industrial control computer equipment end, obtaining the early-warning network attack set {a_1, a_2, …, a_n} of the current industrial control computer equipment end; wherein a_1, a_2, …, a_n respectively denote the 1st, 2nd, …, n-th network attacks whose early-warning matching score, obtained from the equipment performance parameters of the current industrial control computer equipment end, is greater than the early-warning matching score threshold;
step S302: performing an associated network attack query for each early-warning network attack in the set {a_1, a_2, …, a_n}; respectively accumulating the number of associated network attacks of each early-warning network attack in the set {a_1, a_2, …, a_n} (the symbols for these counts are shown as an image in the original); obtaining the first network attack trend value Y_1 (formula shown only as an image in the original);
4. The network attack trend based equipment base station health situation awareness method according to claim 3, wherein the step S400 comprises:
step S401 (following step S302): respectively obtaining the equipment vulnerability set corresponding to each network attack in the set {a_1, a_2, …, a_n}; merging all the associated vulnerability sets by vulnerability type to obtain all the associated vulnerabilities present at the current industrial control computer equipment end, namely {b_1, b_2, …, b_n}, where b_1, b_2, …, b_n respectively denote the 1st, 2nd, …, n-th equipment vulnerabilities present at the current industrial control computer equipment end; extracting the historical operation logs of the industrial control computer equipment end, and respectively capturing from them the repair time corresponding to each equipment vulnerability;
step S402: for each equipment vulnerability, respectively accumulating the number of network attacks in the early-warning network attack set {a_1, a_2, …, a_n} with which it has an association relation; setting an associated network attack number threshold, and sorting all the equipment vulnerabilities whose associated network attack number is larger than the threshold in descending order of that number, obtaining an equipment vulnerability sequence;
step S403: according to the order of the equipment vulnerabilities in the equipment vulnerability sequence, setting each equipment vulnerability in turn as the target equipment vulnerability; obtaining in turn, from the early-warning network attack set {a_1, a_2, …, a_n}, the early-warning network attack subset {c_1, c_2, …, c_z} of attacks that have no association relation with the target equipment vulnerability, where c_1, c_2, …, c_z respectively denote the 1st, 2nd, …, z-th kinds of network attack having no association relation with the target equipment vulnerability; respectively obtaining the vulnerability repair time t_g corresponding to each target equipment vulnerability; obtaining in turn, from the historical operation logs of the industrial control computer equipment end, the response time (symbol shown as an image in the original) at which each network attack in the early-warning network attack subset {c_1, c_2, …, c_z} produces a data influence on the industrial control computer equipment end; and, for each early-warning network attack subset {c_1, c_2, …, c_z} so obtained, comparing the response time of each of its network attacks with the vulnerability repair time t_g corresponding to the current target equipment vulnerability;
step S404: for each early-warning network attack subset {c_1, c_2, …, c_z} in turn, accumulating the number of network attacks whose response time for producing a data influence on the industrial control computer equipment end is less than the vulnerability repair time t_g corresponding to the current target equipment vulnerability; calculating the second network attack trend value Y_2 (formula shown only as an image in the original);
wherein k_f is the number of network attacks in the f-th early-warning network attack subset {c_1, c_2, …, c_z}, obtained when the f-th target equipment vulnerability is set, whose response time is less than the vulnerability repair time t_g corresponding to the current f-th target equipment vulnerability.
5. The health situation awareness system for the network attack trend-based equipment base station, which is applied to the health situation awareness method for the network attack trend-based equipment base station according to any one of claims 1 to 4, is characterized by comprising a data analysis management module, an associated network attack identification and judgment module, a real-time detection module, a network attack trend calculation module and an early warning prompt module;
the data analysis management module is used for acquiring operation data of each piece of equipment before the equipment end of the industrial control computer is subjected to different network attacks historically, and constructing a network attack early warning model; the system is used for collecting historical running logs of the industrial control computer equipment end and establishing association relations between different network attacks and different equipment bugs;
the associated network attack identification and judgment module is used for receiving the data of the data analysis management module and identifying and judging the vulnerability association relations existing between network attacks based on the association relations between each network attack and the different equipment vulnerabilities; capturing the associated network attacks of each network attack based on the identification and judgment result of the vulnerability association relation, and respectively obtaining the associated network attack set corresponding to each network attack;
the real-time detection module is used for carrying out early warning prediction on network attack on each real-time equipment operation data of the industrial control computer equipment through the network attack early warning model;
the network attack trend calculation module is used for receiving the data of the real-time detection module and analyzing and calculating the first network attack trend value and the second network attack trend value of the current industrial control computer equipment end;
and the early warning prompting module is used for receiving the data in the network attack trend calculation module, feeding back early warning information to a base station connected with the industrial control computer equipment end according to the data, stopping sending a control instruction to the industrial control computer equipment, and informing a technician to overhaul and maintain the equipment of the industrial control computer equipment end.
6. The system for sensing health status of equipment base stations based on network attack tendency as claimed in claim 5, wherein the data analysis management module comprises a network attack early warning model establishing unit and an associated vulnerability analyzing unit;
the network attack early warning model establishing unit is used for establishing a network attack early warning model based on the operation data of each piece of equipment before the equipment end of the industrial control computer is subjected to different network attacks historically;
the correlated vulnerability analyzing unit is used for acquiring a historical running log of the industrial computer equipment end and extracting vulnerability repairing instructions executed by the industrial computer equipment end when different types of network attacks occur in the historical running log; acquiring equipment bugs existing at the equipment end of the industrial control computer when different types of network attacks appear on the basis of the bug fixing instructions; and completing the establishment of the association relation between the acquired equipment vulnerability and the corresponding network attack.
7. The system as claimed in claim 5, wherein the correlation network attack recognition and determination module comprises a vulnerability correlation preliminary determination unit and a vulnerability correlation value calculation unit;
the vulnerability incidence relation preliminary judgment unit is used for searching other different types of network attacks which have the same equipment vulnerability and are different from the equipment vulnerability between the corresponding incidence vulnerability set and preliminarily judging whether the vulnerability incidence relation exists between the current type of network attack and the corresponding other types of network attacks;
the vulnerability correlation value calculating unit is used for receiving the data in the vulnerability correlation preliminary judging unit, calculating vulnerability correlation values between the network attacks which preliminarily judge that the vulnerability correlation exists between the network attacks, and establishing corresponding correlation identifications between the network attacks of which the vulnerability correlation values are larger than or equal to the vulnerability correlation value threshold value.
8. The network attack trend based equipment base station health situation awareness method according to claim 5, wherein the network attack trend calculation module comprises a first network attack trend value calculation unit and a second network attack trend value calculation unit;
the first network attack tendency value calculation unit is used for receiving the data in the real-time detection module and calculating a first network attack tendency value for the current industrial control computer equipment terminal based on the incidence relation distribution condition among the plurality of early warning network attacks;
and the second network attack trend value calculation unit is used for receiving the data in the real-time detection module, analyzing the repair time of all the associated vulnerabilities corresponding to the early warning network attacks, and calculating a second network attack trend value for the current industrial control computer equipment terminal.
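The pipeline of claims 5 to 8 (repair instructions in historical logs -> attack-to-vulnerability association -> vulnerability association value with a threshold -> two trend values that decide whether control instructions are held) can be shown end to end in a few functions. The block below is an added worked example written for this page; it is not code from the patent or from the applicant. The patent does not publish its association formula, its threshold, or the form of either trend value, so the Jaccard overlap, the threshold of 0.2, the pair-fraction first trend value, the repair-time-normalised second trend value, the decision thresholds and the log format are all assumptions made here; the log records and repair-time table are constructed for the example.

```python
"""Worked example of the claim 5-8 pipeline. Not the patent's own code.
Association measure, thresholds, trend-value formulas and the log format
are assumptions; the log and repair-time table are constructed inputs."""
from itertools import combinations

# Constructed historical operation log: (attack type, repair instruction executed).
# Assumption: the last token of the instruction names the vulnerability it fixed.
HISTORY_LOG = [
    ("modbus_write_flood", "patch VULN-A"),
    ("modbus_write_flood", "patch VULN-B"),
    ("s7_auth_bypass", "patch VULN-B"),
    ("s7_auth_bypass", "patch VULN-C"),
    ("firmware_rollback", "patch VULN-D"),
    ("firmware_rollback", "patch VULN-C"),
    ("hmi_session_hijack", "patch VULN-E"),
]

# Constructed repair time (hours) per vulnerability, used by the second trend value.
REPAIR_HOURS = {"VULN-A": 2.0, "VULN-B": 8.0, "VULN-C": 24.0, "VULN-D": 4.0, "VULN-E": 1.0}

CORRELATION_THRESHOLD = 0.2  # assumption: the patent does not state its threshold


def build_attack_vuln_map(log):
    """Claim 6: map each attack type to the vulnerabilities its repair instructions fixed."""
    mapping = {}
    for attack, instruction in log:
        vuln = instruction.split()[-1]          # "patch VULN-A" -> "VULN-A"
        mapping.setdefault(attack, set()).add(vuln)
    return mapping


def vulnerability_correlation(vulns_a, vulns_b):
    """Claim 7 association value. Jaccard overlap is a stand-in for the unpublished formula."""
    if not vulns_a or not vulns_b:
        return 0.0
    return len(vulns_a & vulns_b) / len(vulns_a | vulns_b)


def associated_attack_sets(mapping, threshold=CORRELATION_THRESHOLD):
    """Claim 7: preliminary judgment (at least one shared vulnerability), then the
    association value must reach the threshold before an identifier is set."""
    assoc = {attack: set() for attack in mapping}
    for a, b in combinations(sorted(mapping), 2):
        if not (mapping[a] & mapping[b]):
            continue                              # no shared vulnerability: no association
        if vulnerability_correlation(mapping[a], mapping[b]) >= threshold:
            assoc[a].add(b)
            assoc[b].add(a)
    return assoc


def first_trend_value(warned, assoc):
    """Claim 8, first value (assumed form): fraction of early-warned attack pairs
    that carry an association identifier."""
    pairs = list(combinations(sorted(set(warned)), 2))
    if not pairs:
        return 0.0
    linked = sum(1 for a, b in pairs if b in assoc.get(a, ()))
    return linked / len(pairs)


def second_trend_value(warned, mapping, assoc, repair_hours):
    """Claim 8, second value (assumed form): mean repair time over the vulnerabilities of
    the warned attacks and their associated attacks, normalised by the longest repair time."""
    vulns = set()
    for a in warned:
        vulns |= mapping.get(a, set())
        for b in assoc.get(a, ()):
            vulns |= mapping.get(b, set())
    if not vulns:
        return 0.0
    return sum(repair_hours[v] for v in vulns) / (len(vulns) * max(repair_hours.values()))


def decide(warned, mapping, assoc, repair_hours, t1=0.5, t2=0.5):
    """Claim 5 early warning prompt module: hold control instructions when either trend
    value reaches its threshold (t1, t2 are assumptions)."""
    v1 = first_trend_value(warned, assoc)
    v2 = second_trend_value(warned, mapping, assoc, repair_hours)
    action = "hold_control" if (v1 >= t1 or v2 >= t2) else "continue"
    return v1, v2, action


MAPPING = build_attack_vuln_map(HISTORY_LOG)
ASSOC = associated_attack_sets(MAPPING)

if __name__ == "__main__":
    warned = ["modbus_write_flood", "s7_auth_bypass", "firmware_rollback"]
    print(ASSOC)
    print(decide(warned, MAPPING, ASSOC, REPAIR_HOURS))
```

With the constructed log, s7_auth_bypass shares VULN-B with modbus_write_flood and VULN-C with firmware_rollback, so it receives association identifiers to both, while hmi_session_hijack shares nothing and stays isolated; three simultaneous warnings on the linked attacks give a first trend value of 2/3 and trigger the hold. The practical caveat is that the attack-to-vulnerability map is only as good as the repair instructions in the logs: an attack that was never remediated, or was remediated out of band, gets an empty vulnerability set and can never be associated, which silently lowers both trend values.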
CN202210679718.2A 2022-06-15 2022-06-15 Equipment base station health situation perception system and method based on network attack trend Active CN115102738B (en)

Publications (2)

Publication Number Publication Date
CN115102738A CN115102738A (en) 2022-09-23
CN115102738B true CN115102738B (en) 2023-02-10

Family

ID=83290061

Country Status (1)

Country Link
CN (1) CN115102738B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103595131A (en) * 2013-11-15 2014-02-19 国家电网公司 On-line monitoring system of transformer device of transformer substation
CN106843132A (en) * 2017-03-24 2017-06-13 河南柯尼达智能停车设备有限公司 A kind of three-dimensional parking device fault early warning system
WO2017189587A1 (en) * 2016-04-26 2017-11-02 Acalvio Technologies, Inc. Threat engagement and deception escalation
CN108388233A (en) * 2018-03-21 2018-08-10 北京科技大学 A kind of industry control field device concealed attack detection method
CN109818985A (en) * 2019-04-11 2019-05-28 江苏亨通工控安全研究院有限公司 A kind of industrial control system loophole trend analysis and method for early warning and system
CN110798484A (en) * 2019-11-13 2020-02-14 珠海市鸿瑞信息技术股份有限公司 Industrial control protocol characteristic attack filtering and analyzing system
CN111600859A (en) * 2020-05-08 2020-08-28 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for detecting distributed denial of service attack

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"Key path analysis method for large-scale industrial control networks"; Zhang Yaofang, Zhang Zheyu, Qu Haikuo, Zhang Ge, Wang Zibo; Chinese Journal of Network and Information Security; 2021-12-15; Vol. 7, No. 6; pp. 31-43 *
"Network security situation assessment method based on attack pattern recognition"; Wang Kun et al.; Journal of Computer Applications; 2016-01-10 (No. 1); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Liu Zhiyong

Inventor after: Chen Lianghan

Inventor after: Hong Chao

Inventor after: Zhong Haiwei

Inventor before: Chen Lianghan

Inventor before: Hong Chao

Inventor before: Zhong Haiwei

GR01 Patent grant