CN115150125A - Network security situation sensing system suitable for power system - Google Patents
- Publication number: CN115150125A
- Application number: CN202210563891.6A
- Authority: CN (China)
- Prior art keywords: behavior, user, module, network security, analysis
- Prior art date
- Legal status: Pending
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
          - H04L63/0227—Filtering policies
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/105—Multiple levels of security
        - H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
          - H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
            - H04L63/1425—Traffic logging, e.g. anomaly detection
      - H04L67/00—Network arrangements or protocols for supporting network services or applications
        - H04L67/01—Protocols
          - H04L67/10—Protocols in which an application is distributed across nodes in the network
            - H04L67/1097—Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Alarm Systems (AREA)
Abstract
The invention relates to network security monitoring, in particular to a network security situation perception system suitable for a power system. The system comprises a server. The server acquires user historical behavior data through a user behavior data acquisition module, constructs a behavior database from the user historical behavior data with a behavior database construction module, performs association analysis on the behavior database through a database association analysis module, constructs a behavior feature set based on user identity from the association analysis result with a behavior feature set construction module, and constructs a behavior feature base based on role authorization from the behavior feature set with a behavior feature base construction module. The technical scheme provided by the invention can effectively overcome the defects of the prior art, namely that fusion association analysis of multi-dimensional user behavior data cannot be carried out and that a network security perception system combining active perception and passive defense is lacking.
Description
Technical Field
The invention relates to network security monitoring, in particular to a network security situation sensing system suitable for an electric power system.
Background
With the growing informatization of the power system, its operating efficiency keeps improving and users gain convenience, but the potential safety hazards of the power system also increase. The emergence of viruses has made people aware of the risks in the coupling of information systems and physical systems, and the security of the CPPS has attracted wide attention from researchers in China and abroad.
In addition, as the complexity of the power system gradually increases, data fusion and security situation awareness have become a hot research problem in the field of power system security. Processing the massive heterogeneous log data of the power system by means of data analysis technology has therefore become a feasible scheme. When mass data is processed, distributed computing has clear advantages over a traditional single computer; for example, the analysis and mining of data can be completed by several computers at once through Hadoop. However, current log analysis strategies still cannot be applied well to the power information system, even though log analysis is an important basis for determining the risk level of the power information system and for early warning, and security situation awareness is likewise an important part of the system security field.
At present, the security defense of the power information system mainly has the following defects. Firstly, traditional security defense can only resist security threats from one particular aspect, so that isolated 'security defense islands' are formed: fusion association analysis cannot be performed on massive multidimensional information data, no synergistic effect is produced, and the data cannot serve as an effective basis for upper-layer security decisions. Secondly, most traditional security defense analyzes and monitors attacks that have already occurred by analyzing the logs of some security devices; it is essentially a passive defense idea, lacks the capability of active perception and linked early warning, and takes countermeasures only after a network attack event has been detected, by which time the attack has often already caused irreparable loss.
Disclosure of Invention
(I) Technical problem to be solved
To address the defects of the prior art, the invention provides a network security situation awareness system suitable for the power system. The system can effectively overcome the defects that the prior art cannot perform fusion association analysis on multi-dimensional user behavior data and lacks a network security awareness system combining active awareness and passive defense.
(II) Technical scheme
In order to achieve the purpose, the invention is realized by the following technical scheme:
A network security situation perception system suitable for an electric power system comprises a server, wherein the server collects user historical behavior data through a user behavior data collection module and constructs a behavior database based on the user historical behavior data by using a behavior database construction module;
the server acquires all network security log files through a log file acquisition module, stores the network security log files in partitions through a log file partition storage module, performs security filtering on the partition-stored network security log files through a log file filtering module, performs log analysis on the filtered network security log files through a log file analysis module, and judges the current network security risk level through a risk level judgment module based on the identification result for user behaviors and the log analysis result.
Preferably, the behavior feature set construction module abstracts the association analysis result, extracts feature values of the user's daily behaviors, and constructs a behavior feature set based on the identity of the user.
Preferably, the behavior feature library construction module performs cluster analysis on the behavior feature set in combination with the authorization information of the user role, to construct a behavior feature library based on role authorization.
Preferably, the behavior feature library construction module performs the cluster analysis on the behavior feature set with a K-means algorithm or an SVM algorithm.
Preferably, the user behavior identification module compares the user behavior with the behavior database, and if no similar user behavior is found in the behavior database, the user behavior is determined to be a high-risk behavior;
and the user behavior identification module judges the role authorization corresponding to the user behavior based on the behavior feature library, and if that role authorization exceeds the authorization information of the user's actual role, the user behavior is judged to be a high-risk behavior.
Preferably, the user behavior identification module performs outlier analysis on the user behavior based on the role authorization corresponding to the user behavior, and determines whether the user behavior is a high-risk behavior.
Preferably, the log file partition storage module distinguishes the sources of the obtained network security log files by means of a Flume-Interceptor, and sends the source-tagged network security log files to different Kafka data cache queues for partition storage.
Preferably, the log file filtering module performs security filtering on the partition-stored network security log files through a system white list, and sends the network security log files that meet the security filtering requirement to the log file analysis module.
Preferably, the log file analysis module analyzes the network security log files based on user-defined rules, predicts the attack route of an attacker from the analysis result, and constructs a log file analysis model to analyze the network security log files further.
Preferably, the log file analysis model includes an extractor for extracting the network security log files and analyzing their parameters, a trainer for performing model training with the analysis parameters obtained by the extractor, a retraining device for performing continuous iterative training of the log file analysis model, and a detector for judging whether the model training termination condition is satisfied.
(III) Advantageous effects
Compared with the prior art, the network security situation sensing system applicable to the power system provided by the invention has the following beneficial effects:
1) Historical behavior data of the user is acquired, a behavior database is constructed from it, association analysis is performed on the behavior database, a behavior feature set based on the user's identity is constructed from the association analysis result, a behavior feature library based on role authorization is constructed from the behavior feature set, and finally the user's behavior is identified and judged based on the behavior database and the behavior feature library. Fusion association analysis can thus be performed on the multi-dimensional behavior data of the user, yielding an identification and judgment of the user's behavior;
2) The network security log files are stored in partitions, the partition-stored log files are security-filtered, the filtered log files are analyzed, and finally the current network security risk level is judged based on the identification result for user behavior and the log analysis result. A network security sensing system of 'active sensing + passive defense' is thereby constructed, so that the network security of the power information system can be better ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
FIG. 1 is a schematic diagram of the system of the present invention;
FIG. 2 is a schematic flow chart of the fusion association analysis performed on multi-dimensional user behavior data in the present invention;
FIG. 3 is a schematic flow chart of network security situation awareness based on network security log files in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A network security situation awareness system suitable for an electric power system comprises a server. The server collects user historical behavior data through a user behavior data collection module, and a behavior database construction module constructs a behavior database based on the user historical behavior data. The server performs association analysis on the behavior database through a database association analysis module; a behavior feature set based on user identity is constructed from the association analysis result through a behavior feature set construction module; a behavior feature base based on role authorization is constructed through a behavior feature base construction module; and the server identifies and judges user behaviors through a user behavior identification module based on the behavior database and the behavior feature base.
The behavior feature set construction module abstracts the association analysis result, extracts the feature values of the user's daily behaviors, and constructs a behavior feature set based on the identity of the user.
The behavior feature library construction module performs cluster analysis on the behavior feature set in combination with the authorization information of the user role, to construct a behavior feature library based on role authorization. The behavior feature library construction module performs this cluster analysis with a K-means algorithm or an SVM algorithm.
The user behavior identification module identifies and judges the user behavior based on the behavior database and the behavior feature library in the following steps:
the user behavior identification module compares the user behavior with the behavior database, and judges the user behavior to be a high-risk behavior if no similar user behavior is found in the behavior database;
the user behavior identification module judges the role authorization corresponding to the user behavior based on the behavior feature library, and if that role authorization exceeds the authorization information of the user's actual role, the user behavior is judged to be a high-risk behavior.
In addition, the user behavior identification module performs outlier analysis on the user behavior based on the role authorization corresponding to the user behavior, and judges whether the user behavior is a high-risk behavior.
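The identification steps described above (together with the corresponding preferred embodiments and claims 2 to 6) are illustrated by the following added Python example, which is not part of the patent and not the applicant's code. It builds a behavior feature set from constructed historical records, clusters each role's features with a small hand-written K-means (standing in for the patent's K-means/SVM step, so nothing outside the standard library is needed), and then applies the three checks: no similar behavior in the database, the inferred role authorization exceeding the actual role's authorization, and outlier analysis against the user's own role cluster. The record layout, the feature vector, the role policy, the thresholds and all user names are assumptions made for the example.

```python
"""Added example (not part of patent CN115150125A): user behavior identification
against a behavior database and a role-authorization behavior feature library.

Assumptions (not stated in the patent): a behavior record is the tuple
(user, role, action, resource_sensitivity, hour_of_day); the behavior feature
set abstracts each record to the vector (resource_sensitivity, hour_of_day);
the clustering step is a small deterministic K-means written here so that
nothing outside the standard library is needed."""
import math
from collections import defaultdict

# Constructed "user historical behavior data" (hypothetical users and actions).
HISTORY = [
    ("alice", "operator", "read_meter",    1, 9),
    ("alice", "operator", "read_meter",    1, 10),
    ("bob",   "operator", "read_meter",    1, 14),
    ("bob",   "operator", "ack_alarm",     2, 15),
    ("carol", "engineer", "edit_setpoint", 3, 11),
    ("carol", "engineer", "edit_setpoint", 3, 13),
    ("dave",  "engineer", "read_meter",    1, 10),
    ("erin",  "admin",    "change_acl",    5, 16),
    ("erin",  "admin",    "change_acl",    5, 17),
]

# Role authorization information (hypothetical policy): the highest resource
# sensitivity each role may touch.
ROLE_AUTHORIZATION = {"operator": 2, "engineer": 3, "admin": 5}


def features(record):
    """Behavior feature set step: abstract a record to (sensitivity, hour).
    Real deployments would normalize these; the toy scale is kept as-is."""
    _, _, _, level, hour = record
    return (float(level), float(hour))


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=20):
    """Minimal deterministic K-means (stands in for the patent's K-means/SVM
    clustering); initial centroids are evenly spaced input points."""
    centroids = [points[i * len(points) // k] for i in range(k)]
    for _ in range(iters):
        groups = [[] for _ in range(k)]
        for p in points:
            groups[min(range(k), key=lambda i: dist(p, centroids[i]))].append(p)
        centroids = [
            tuple(sum(col) / len(g) for col in zip(*g)) if g else centroids[i]
            for i, g in enumerate(groups)
        ]
    return centroids


def build_feature_library(history, k=1):
    """Behavior feature library step: one clustering per role, so every role
    ends up with the centroids that describe how its members normally behave."""
    by_role = defaultdict(list)
    for rec in history:
        by_role[rec[1]].append(features(rec))
    return {role: kmeans(pts, k) for role, pts in by_role.items()}


def nearest_centroid_distance(f, centroids):
    return min(dist(f, c) for c in centroids)


def identify(record, history, library, sim_radius=2.5, outlier_radius=4.0):
    """User behavior identification step. Returns (is_high_risk, reason).
    The three checks follow the patent; the thresholds are assumptions."""
    f = features(record)
    actual_role = record[1]
    # 1. Compare with the behavior database: is there any similar past behavior?
    if not any(dist(f, features(h)) <= sim_radius for h in history):
        return True, "no similar behavior in database"
    # 2. Which role's cluster does the behavior resemble? If that role is
    #    authorized for more than the user's actual role, flag it.
    nearest_role = min(library, key=lambda r: nearest_centroid_distance(f, library[r]))
    if ROLE_AUTHORIZATION[nearest_role] > ROLE_AUTHORIZATION[actual_role]:
        return True, f"matches role {nearest_role}, exceeds {actual_role} authorization"
    # 3. Outlier analysis against the user's own role cluster.
    if nearest_centroid_distance(f, library[actual_role]) > outlier_radius:
        return True, "outlier within own role cluster"
    return False, "normal"


if __name__ == "__main__":
    lib = build_feature_library(HISTORY)
    for rec in [("bob", "operator", "read_meter", 1, 14),
                ("bob", "operator", "change_acl", 5, 16),
                ("carol", "engineer", "edit_setpoint", 3, 3),
                ("erin", "admin", "read_meter", 1, 9)]:
        print(rec, "->", identify(rec, HISTORY, lib))
```

The four sample records exercise the three verdicts: an operator reading a meter during the day is normal; an operator changing ACLs resembles the admin cluster and exceeds operator authorization; an engineer acting at 03:00 has no similar history at all; and an admin reading a meter at 09:00 has similar history and exceeds nothing, but lies far from the admin cluster and is therefore flagged by the outlier check. The third check is the part of the patent that catches a privileged user behaving unlike their peers without actually exceeding their privileges.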
According to this technical scheme, historical behavior data of the user is collected, a behavior database is built from it, association analysis is conducted on the behavior database, a behavior feature set based on the user's identity is built from the association analysis result, a behavior feature base based on role authorization is built from the behavior feature set, and finally the user behavior is identified and judged based on the behavior database and the behavior feature base. Fusion association analysis can thus be conducted on the multi-dimensional user behavior data, yielding an identification and judgment of the user behavior.
This technical scheme therefore constructs an active-sensing network security sensing system of 'user historical behavior data acquisition, behavior database construction, behavior feature set construction, behavior feature library construction and user behavior identification and judgment'.
As shown in FIG. 1 and FIG. 3, the server obtains all network security log files through the log file obtaining module, stores the network security log files in partitions with the log file partition storage module, performs security filtering on the partition-stored network security log files through the log file filtering module, and performs log analysis on the filtered network security log files with the log file analysis module.
The log file partition storage module distinguishes the source of each obtained network security log file by means of a Flume-Interceptor, and sends the source-tagged network security log files to different Kafka data cache queues for partition storage.
The log file filtering module performs security filtering on the partition-stored network security log files through a system white list, and sends the network security log files that meet the security filtering requirement to the log file analysis module.
The log file analysis module analyzes the network security log files based on user-defined rules, predicts the attack route of an attacker from the analysis result, and constructs a log file analysis model to analyze the network security log files further.
In this technical scheme, the log file analysis model comprises an extractor, a trainer, a retraining device and a detector: the extractor extracts the network security log files and analyzes their parameters, the trainer performs model training with the analysis parameters obtained by the extractor, the retraining device performs continuous iterative training of the log file analysis model, and the detector judges whether the model training termination condition is met.
According to this technical scheme, the network security log files are stored in partitions, the partition-stored log files are security-filtered, log analysis is carried out on the filtered log files, and the current network security risk level is finally judged based on the identification result for user behaviors and the log analysis result; a 'passive defense' network security sensing system of 'log file acquisition, log file partitioned storage, log file security filtering and log file analysis' is thereby constructed.
As shown in FIG. 1, the server determines the current network security risk level through the risk level determination module, based on the identification result for the user behavior and the log analysis result.
Through these technical means, a network security perception system of 'active perception + passive defense' is constructed, so that the network security of the power information system can be better guaranteed.
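The log pipeline of FIG. 3 as described above (log acquisition, Flume-style source tagging into per-source Kafka queues, white-list filtering, rule-based analysis, and the risk level judgment that combines the log result with the user behavior verdict) is illustrated by the following added Python example, which is not part of the patent and not the applicant's code. It runs entirely in memory: a dictionary of lists stands in for the Kafka queues, the log line layout 'host|facility|message', the white list, the regular-expression rules and their weights, the scoring thresholds, and the hostnames, user names and addresses in the sample lines are all constructed assumptions, and the 'attack route' is simply the ordered list of hosts whose logs matched a rule.

```python
"""Added example (not part of patent CN115150125A): the 'passive defense' log
pipeline, simulated in memory.

Assumptions (not stated in the patent): a raw log line is 'host|facility|message';
the Flume interceptor is modelled by a function that tags each line with its
source host; a dict of lists stands in for the per-source Kafka queues; the
system white list is the set of log sources allowed to feed analysis; the
user-defined rules are regular expressions with weights; the risk level
thresholds and the extra weight given to a high-risk user behavior verdict
are made up for illustration."""
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical hosts, users and addresses).
RAW_LOGS = [
    "fw-01|firewall|DENY tcp 10.0.5.7:51234 -> 10.0.9.2:502",
    "fw-01|firewall|DENY tcp 10.0.5.7:51235 -> 10.0.9.2:502",
    "fw-01|firewall|DENY tcp 10.0.5.7:51236 -> 10.0.9.2:502",
    "scada-gw|ids|SIGNATURE modbus write-multiple-registers from 10.0.5.7",
    "hist-02|auth|LOGIN FAILED user=svc_backup",
    "rogue-box|syslog|hello from unknown device",
]

# System white list: only these sources are accepted by the filtering module.
SYSTEM_WHITELIST = {"fw-01", "scada-gw", "hist-02"}

# User-defined rules (hypothetical): (name, pattern, weight).
RULES = [
    ("firewall_deny", re.compile(r"^DENY "), 1),
    ("ids_signature", re.compile(r"^SIGNATURE "), 2),
    ("auth_failure", re.compile(r"LOGIN FAILED"), 1),
]


def intercept(seq, line):
    """Flume-interceptor analogue: parse the line and attach a source header.
    'seq' keeps the global arrival order, which the per-source queues lose."""
    host, facility, message = line.split("|", 2)
    return {"seq": seq, "source": host, "facility": facility, "message": message}


def partition_store(events):
    """Kafka analogue: one queue per source, preserving per-source order."""
    queues = defaultdict(list)
    for ev in events:
        queues[ev["source"]].append(ev)
    return dict(queues)


def whitelist_filter(queues, whitelist):
    """Log file filtering module: keep only the queues of white-listed sources."""
    return {src: evs for src, evs in queues.items() if src in whitelist}


def analyze(queues, rules):
    """Log file analysis module: apply the rules, score the hits and derive a
    candidate attack route as the ordered list of hosts whose logs matched."""
    hits = defaultdict(int)
    matched = []
    for evs in queues.values():
        for ev in evs:
            for name, pattern, _ in rules:
                if pattern.search(ev["message"]):
                    hits[name] += 1
                    matched.append((ev["seq"], ev["source"]))
    route = []
    for _, src in sorted(matched):
        if src not in route:
            route.append(src)
    score = sum(weight * hits.get(name, 0) for name, _, weight in rules)
    return {"hits": dict(hits), "score": score, "route": route}


def risk_level(log_score, user_high_risk):
    """Risk level judgment module: combine the log analysis result with the
    user behavior identification result (the active perception side)."""
    score = log_score + (3 if user_high_risk else 0)
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def run_pipeline(raw_logs, user_high_risk):
    """Acquisition -> partition storage -> white-list filtering -> analysis -> risk level."""
    events = [intercept(i, line) for i, line in enumerate(raw_logs)]
    queues = whitelist_filter(partition_store(events), SYSTEM_WHITELIST)
    report = analyze(queues, RULES)
    report["risk_level"] = risk_level(report["score"], user_high_risk)
    return report


if __name__ == "__main__":
    print(run_pipeline(RAW_LOGS, user_high_risk=False))
    print(run_pipeline(RAW_LOGS, user_high_risk=True))
```

With the sample lines, the unknown host is dropped by the white list before any rule sees it, the three firewall denials, the IDS signature and the failed login score 6 (medium), and the same log evidence becomes high once the user behavior identification module has reported a high-risk behavior, which is the 'active perception + passive defense' combination the patent describes.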
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A network security situation awareness system suitable for an electric power system, characterized in that: the server acquires user historical behavior data through a user behavior data acquisition module, constructs a behavior database based on the user historical behavior data through a behavior database construction module, performs association analysis on the behavior database through a database association analysis module, constructs a behavior feature set based on user identity through a behavior feature set construction module based on the association analysis result, constructs a behavior feature base based on role authorization through a behavior feature base construction module, and identifies and judges user behaviors through a user behavior identification module based on the behavior database and the behavior feature base;
the server acquires all network security log files through a log file acquisition module, stores the network security log files in partitions through a log file partition storage module, performs security filtering on the partition-stored network security log files through a log file filtering module, performs log analysis on the filtered network security log files through a log file analysis module, and judges the current network security risk level through a risk level judgment module based on the identification result for user behaviors and the log analysis result.
2. The system according to claim 1, characterized in that: the behavior feature set construction module abstracts the association analysis result, extracts the feature values of the user's daily behaviors, and constructs a behavior feature set based on the user identity.
3. The system according to claim 2, characterized in that: the behavior feature library construction module performs cluster analysis on the behavior feature set in combination with the authorization information of the user role, to construct a behavior feature library based on role authorization.
4. The system according to claim 3, characterized in that: the behavior feature library construction module adopts a K-means algorithm or an SVM algorithm to perform the cluster analysis on the behavior feature set.
5. The system according to claim 3, characterized in that: the user behavior identification module compares the user behavior with the behavior database, and if no similar user behavior is found in the behavior database, the user behavior is judged to be a high-risk behavior;
and the user behavior identification module judges the role authorization corresponding to the user behavior based on the behavior feature library, and judges the user behavior to be a high-risk behavior if that role authorization exceeds the authorization information of the user's actual role.
6. The system according to claim 5, characterized in that: the user behavior identification module performs outlier analysis on the user behavior based on the role authorization corresponding to the user behavior, and judges whether the user behavior is a high-risk behavior.
7. The system according to claim 1, characterized in that: the log file partition storage module distinguishes the sources of the obtained network security log files by means of a Flume-Interceptor, and sends the source-tagged network security log files to different Kafka data cache queues for partition storage.
8. The system according to claim 7, characterized in that: the log file filtering module performs security filtering on the partition-stored network security log files through a system white list, and sends the network security log files that meet the security filtering requirement to the log file analysis module.
9. The system according to claim 8, characterized in that: the log file analysis module analyzes the network security log files based on user-defined rules, predicts the attack route of an attacker from the analysis result, and constructs a log file analysis model to analyze the network security log files further.
10. The system according to claim 9, characterized in that: the log file analysis model comprises an extractor for extracting the network security log files and analyzing their parameters, a trainer for performing model training with the analysis parameters obtained by the extractor, a retraining device for performing continuous iterative training of the log file analysis model, and a detector for judging whether the model training termination condition is met.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210563891.6A CN115150125A (en) | 2022-05-23 | 2022-05-23 | Network security situation sensing system suitable for power system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210563891.6A CN115150125A (en) | 2022-05-23 | 2022-05-23 | Network security situation sensing system suitable for power system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115150125A (en) | 2022-10-04 |
Family
- ID: 83406339
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210563891.6A Pending CN115150125A (en) | 2022-05-23 | 2022-05-23 | Network security situation sensing system suitable for power system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115150125A (en) |
Timeline
- 2022-05-23: CN application CN202210563891.6A, publication CN115150125A, status Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||