CN115150125A - Network security situation sensing system suitable for power system - Google Patents


Info

Publication number
CN115150125A
Authority
CN
China
Prior art keywords
behavior
user
module
network security
analysis
Prior art date
Legal status
Pending
Application number
CN202210563891.6A
Other languages
Chinese (zh)
Inventor
张�浩
程卫东
周飞
程金松
孙长春
魏卫
温永亮
成秋芬
Current Assignee
Huanshang Power Supply Co of State Grid Anhui Electric Power Co Ltd
Original Assignee
Huanshang Power Supply Co of State Grid Anhui Electric Power Co Ltd
Priority date
2022-05-23
Filing date
2022-05-23
Publication date
2022-10-04

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Alarm Systems (AREA)

Abstract

The invention relates to network security monitoring, in particular to a network security situation perception system suitable for a power system, which comprises a server, wherein the server acquires user historical behavior data through a user behavior data acquisition module, constructs a behavior database based on the user historical behavior data by using a behavior database construction module, performs association analysis on the behavior database through a database association analysis module, constructs a behavior feature set based on user identity based on an association analysis result by using a behavior feature set construction module, and constructs a behavior feature base based on role authorization based on the behavior feature set by using the behavior feature base construction module; the technical scheme provided by the invention can effectively overcome the defects that the fusion association analysis of the multi-dimensional user behavior data cannot be carried out and a network security perception system combining active perception and passive defense is lacked in the prior art.

Description

Network security situation sensing system suitable for power system
Technical Field
The invention relates to network security monitoring, in particular to a network security situation sensing system suitable for an electric power system.
Background
With the increasing informatization of the power system, its operating efficiency keeps improving and users gain convenience, but at the same time the potential safety hazards of the power system increase. The emergence of malware has made people aware of the risks in the coupling of information systems and physical systems, and the security of the cyber-physical power system (CPPS) has attracted wide attention from scholars at home and abroad.
In addition, as the complexity of the power system gradually increases, data fusion and security situation awareness have become a hot research problem in the field of power system security. Processing the massive heterogeneous log data of the power system by means of data analysis technology has therefore become a feasible approach. When mass data is processed, distributed computing has clear advantages over a traditional single computer; for example, the analysis and mining of data can be carried out by many computers at once through Hadoop. However, current log analysis strategies still cannot be applied well to the power information system, even though log analysis is an important basis for determining the risk level of the power information system and for early warning, and security situation awareness is likewise an important part of the system security field.
At present, the security defense of the power information system mainly has the following defects: firstly, traditional security defense can only resist security threats from a certain aspect, so that isolated 'security defense islands' are formed, fusion association analysis cannot be performed on massive multidimensional information data, no synergistic effect is produced, and the data cannot serve as an effective basis for upper-layer security decisions; secondly, most traditional security defense analyzes and monitors attack behavior that has already occurred by analyzing the logs of some security devices. This is essentially a passive defense idea: it lacks the capability of active perception and linked early warning, and corresponding measures are only taken after a network attack event has been detected, by which time the attack has often already caused irreparable loss.
Disclosure of Invention
(I) Technical problem to be solved
Aiming at the defects in the prior art, the invention provides the network security situation awareness system suitable for the power system, and the system can effectively overcome the defects that the prior art cannot perform fusion association analysis on multi-dimensional user behavior data and lacks a network security awareness system combining active awareness and passive defense.
(II) Technical scheme
In order to achieve the purpose, the invention is realized by the following technical scheme:
a network security situation perception system suitable for an electric power system comprises a server, wherein the server collects user historical behavior data through a user behavior data collection module, and constructs a behavior database based on the user historical behavior data by using a behavior database construction module;
the server acquires all network security log files through a log file acquisition module, performs partition storage on the network security log files through a log file partition storage module, performs security filtering on the network security log files stored in the partition storage mode through a log file filtering module, performs log analysis on the network security log files obtained through filtering through a log file analysis module, and judges the current network security risk level through a risk level judgment module based on the identification judgment result of user behaviors and the log analysis result.
Preferably, the behavior feature set constructing module performs abstraction processing on the association analysis result, extracts feature values of daily behaviors of the user, and constructs a behavior feature set based on the identity of the user.
Preferably, the behavior feature library construction module performs cluster analysis on the behavior feature set by combining the authorization information of the user role to construct a behavior feature library based on role authorization.
Preferably, the behavior feature library construction module performs cluster analysis on the behavior feature set by adopting a K-means algorithm or an SVM algorithm.
Preferably, the user behavior identification module compares the user behavior with the behavior database, and if no similar user behavior is found in the behavior database, the user behavior is determined to be a high-risk behavior;
and the user behavior identification module judges the role authorization corresponding to the user behavior based on the behavior feature library, and if the role authorization exceeds the authorization information of the actual user role, the user behavior is judged to be a high-risk behavior.
Preferably, the user behavior identification module performs outlier analysis on the user behavior based on the role authorization corresponding to the user behavior, and determines whether the user behavior is a high-risk behavior.
Preferably, the log file partition storage module distinguishes sources of the obtained network security log files by adopting a Flume-Interceptor, and sends the network security log files with the distinguished sources to different kafka data cache queues for partition storage.
Preferably, the log file filtering module performs security filtering on the network security log files stored in the partition through a system white list, and sends the network security log files meeting the security filtering requirement to the log file analysis module.
Preferably, the log file analysis module analyzes the network security log file based on a user-defined rule, predicts an attack route of an attacker according to an analysis result, and constructs a log file analysis model to further perform log analysis on the network security log file.
Preferably, the log file analysis model includes an extractor for extracting and performing parameter analysis on the network security log file, a trainer for performing model training by using analysis parameters obtained by the extractor, a retraining machine for performing continuous iterative model training on the log file analysis model, and a detector for determining whether a model training termination condition is satisfied.
(III) Advantageous effects
Compared with the prior art, the network security situation sensing system applicable to the power system provided by the invention has the following beneficial effects:
1) By acquiring historical behavior data of a user, constructing a behavior database based on the historical behavior data of the user, performing association analysis on the behavior database, constructing a behavior feature set based on the identity of the user based on an association analysis result, constructing a behavior feature library based on role authorization based on the behavior feature set, and finally performing identification and judgment on the behavior of the user based on the behavior database and the behavior feature library, fusion association analysis can be performed on the multi-dimensional behavior data of the user to form identification and judgment on the behavior of the user;
2) By carrying out partition storage on the network security log file, carrying out security filtering on the network security log file stored in the partition, carrying out log analysis on the network security log file obtained by filtering, and finally judging the current network security risk level based on the identification judgment result and the log analysis result of the user behavior, a network security sensing system of 'active sensing + passive defense' is constructed, so that the network security of the power information system can be better ensured.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It is obvious that the drawings in the following description are only some embodiments of the invention, and that for a person skilled in the art, other drawings can be derived from them without inventive effort.
FIG. 1 is a schematic diagram of the system of the present invention;
FIG. 2 is a schematic flow chart of fusion association analysis performed on multi-dimensional user behavior data according to the present invention;
fig. 3 is a schematic flow chart of network security situation awareness based on a network security log file in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
A network security situation awareness system suitable for an electric power system comprises a server, wherein the server collects user historical behavior data through a user behavior data collection module, a behavior database construction module is used for constructing a behavior database based on the user historical behavior data, the server performs association analysis on the behavior database through a database association analysis module, a behavior feature set based on user identity is constructed through a behavior feature set construction module based on association analysis results, a behavior feature base based on role authorization is constructed through a behavior feature base construction module, and the server identifies and judges user behaviors through a user behavior identification module based on the behavior database and the behavior feature base.
The behavior feature set construction module abstracts the association analysis result, extracts the feature values of the daily behavior of the user and constructs a behavior feature set based on the identity of the user.
And the behavior characteristic library construction module performs cluster analysis on the behavior characteristic set by combining the authorization information of the user role to construct a behavior characteristic library based on role authorization. The behavior feature library construction module performs cluster analysis on the behavior feature set by adopting a K-means algorithm or an SVM algorithm.
The user behavior identification module identifies and judges the user behavior based on the behavior database and the behavior feature library, and comprises the following steps:
the user behavior identification module compares the user behavior with the behavior database, and judges the user behavior to be high-risk behavior if similar user behavior is not found in the behavior database;
and the user behavior identification module judges the role authorization corresponding to the user behavior based on the behavior feature library, and if the role authorization exceeds the authorization information of the actual user role, the user behavior is judged to be a high-risk behavior.
In addition, the user behavior identification module performs outlier analysis on the user behavior based on the role authorization corresponding to the user behavior, and judges whether the user behavior is a high-risk behavior.
According to the technical scheme, historical behavior data of the user are collected, a behavior database is built based on the historical behavior data of the user, association analysis is conducted on the behavior database, a behavior feature set based on the identity of the user is built based on the association analysis result, a behavior feature base based on role authorization is built based on the behavior feature set, and finally the user behavior is identified and judged based on the behavior database and the behavior feature base, so that fusion association analysis can be conducted on the multi-dimensional user behavior data, and identification and judgment on the user behavior are formed.
By the technical scheme, an active sensing network security sensing system of 'user historical behavior data acquisition, behavior database construction, behavior characteristic set construction, behavior characteristic library construction and user behavior identification and judgment' is constructed.
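The identification step described above (compare against the behavior database, check the role authorization implied by the behavior against the user's actual role, then run outlier analysis within the role) as an added example in Python; this is not code from the patent. The behavior database, the role-authorization feature library (written out directly instead of being clustered from the feature set) and the z-score outlier rule are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Behavior:
    """One user action: who did what to which resource, when, and how much data moved."""
    user: str
    role: str
    action: str
    resource: str
    hour: int
    kbytes: float


# Constructed "behavior database" of historical user behaviour (the patent's user
# behaviour data acquisition and behaviour database construction modules).
HISTORY = [
    Behavior("op01", "operator", "read", "scada/telemetry", 9, 120.0),
    Behavior("op01", "operator", "read", "scada/telemetry", 10, 135.0),
    Behavior("op01", "operator", "read", "scada/alarms", 11, 40.0),
    Behavior("op02", "operator", "read", "scada/telemetry", 14, 110.0),
    Behavior("adm01", "admin", "write", "scada/config", 15, 12.0),
    Behavior("adm01", "admin", "read", "scada/telemetry", 15, 128.0),
]

# Constructed role-authorization feature library: which (action, resource) pairs each
# role is authorized for. The patent derives this by clustering the feature set with
# role authorization data; here it is written out directly (an assumption).
ROLE_LIBRARY = {
    "operator": {("read", "scada/telemetry"), ("read", "scada/alarms")},
    "admin": {("read", "scada/telemetry"), ("read", "scada/alarms"),
              ("read", "scada/config"), ("write", "scada/config")},
}


def build_feature_set(history):
    """Per-user behaviour feature set: each (action, resource) pair with its kbyte samples."""
    feats = {}
    for b in history:
        feats.setdefault(b.user, {}).setdefault((b.action, b.resource), []).append(b.kbytes)
    return feats


def roles_authorized_for(action, resource, role_library):
    """Role authorization implied by a behaviour: every role whose feature library allows it."""
    return {role for role, allowed in role_library.items() if (action, resource) in allowed}


def is_outlier(value, samples, z_threshold=3.0):
    """Outlier analysis against same-role samples using a z-score.

    Fewer than two samples give no baseline; for a constant baseline a deviation of
    more than 50% counts as an outlier (both rules are assumptions of this example).
    """
    if len(samples) < 2:
        return False
    sd = pstdev(samples)
    if sd == 0:
        return abs(value - samples[0]) > 0.5 * abs(samples[0])
    return abs(value - mean(samples)) / sd > z_threshold


def identify(behavior, history=HISTORY, role_library=ROLE_LIBRARY):
    """The patent's three identification checks. Returns (verdict, reasons)."""
    reasons = []
    key = (behavior.action, behavior.resource)

    # Check 1: compare with the behaviour database; no similar behaviour -> high risk.
    if key not in build_feature_set(history).get(behavior.user, {}):
        reasons.append("no similar behaviour in the user's history")

    # Check 2: the role authorization implied by the behaviour exceeds the actual role.
    implied = roles_authorized_for(*key, role_library)
    if behavior.role not in implied:
        reasons.append(f"requires role in {sorted(implied) or ['<none>']}, actual role {behavior.role}")

    # Check 3: outlier analysis within the role for this kind of behaviour.
    role_samples = [b.kbytes for b in history
                    if b.role == behavior.role and (b.action, b.resource) == key]
    if is_outlier(behavior.kbytes, role_samples):
        reasons.append(f"{behavior.kbytes} kB is an outlier for role {behavior.role}")

    return ("high-risk" if reasons else "normal"), reasons


if __name__ == "__main__":
    probes = [
        Behavior("op01", "operator", "read", "scada/telemetry", 9, 125.0),   # routine
        Behavior("op02", "operator", "write", "scada/config", 2, 5.0),       # beyond role
        Behavior("op01", "operator", "read", "scada/telemetry", 3, 5000.0),  # volume outlier
    ]
    for p in probes:
        verdict, why = identify(p)
        print(f"{p.user:6} {p.action:5} {p.resource:16} -> {verdict}: {'; '.join(why) or 'ok'}")
```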
As shown in fig. 1 and fig. 3, the server obtains all network security log files through the log file obtaining module, and performs partitioned storage on the network security log files by using the log file partition storage module, and performs security filtering on the network security log files stored in the partitioned storage through the log file filtering module, and performs log analysis on the network security log files obtained through filtering by using the log file analyzing module.
The log file partition storage module distinguishes the source of each obtained network security log file by adopting a Flume-Interceptor, and sends the network security log files with their sources distinguished to different kafka data cache queues for partition storage.
The log file filtering module performs security filtering on the network security log files stored in the partition mode through a system white list and sends the network security log files meeting the security filtering requirement to the log file analysis module.
The log file analysis module analyzes the network security log file based on the user-defined rule, predicts an attack route of an attacker according to an analysis result, and constructs a log file analysis model to further perform log analysis on the network security log file.
In the technical scheme, the log file analysis model comprises an extractor, a trainer, a retraining device and a detector, wherein the extractor is used for extracting the network security log file and analyzing parameters, the trainer is used for performing model training by using analysis parameters obtained by the extractor, the retraining device is used for performing continuous iterative model training on the log file analysis model, and the detector is used for judging whether a model training termination condition is met.
According to the technical scheme, the network security log file is stored in a partitioned mode, the partitioned network security log file is subjected to security filtering, log analysis is carried out on the filtered network security log file, and the current network security risk level is finally judged based on the identification judgment result of user behaviors and the log analysis result, so that a 'passive defense' network security sensing system of 'log file acquisition, log file partitioned storage, log file security filtering and log file analysis' is constructed.
As shown in fig. 1, the server determines the current network security risk level based on the recognition determination result of the user behavior and the log analysis result through the risk level determination module.
Through the technical means, a network security perception system of 'active perception + passive defense' is constructed, so that the network security of the power information system can be better guaranteed.
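The passive-defense pipeline described above (source tagging into per-source queues, system-whitelist filtering, user-defined rule analysis with an attack-route prediction, and a risk level fused with the active module's behavior verdict) as an added example in Python; it is not code from the patent. The 'source|timestamp|src|dst|event' log shape, the whitelist entries, the rules, the route-chaining heuristic and the risk thresholds are all constructed assumptions, and the per-source queues stand in for Kafka topics.

```python
from collections import defaultdict, deque

# Constructed log lines in a single 'source|timestamp|src|dst|event' shape (stand-ins
# for the files the patent's log file acquisition module collects).
RAW_LOGS = [
    "firewall|2022-05-23T09:00:01|10.1.1.5|10.2.0.10|allow tcp/443",
    "firewall|2022-05-23T09:00:02|10.1.1.5|10.2.0.10|deny tcp/502",
    "firewall|2022-05-23T09:00:03|10.1.1.5|10.2.0.10|deny tcp/502",
    "firewall|2022-05-23T09:00:04|10.1.1.5|10.2.0.10|deny tcp/502",
    "hids|2022-05-23T09:01:10|10.2.0.10|-|sshd: failed password for root",
    "hids|2022-05-23T09:01:11|10.2.0.10|-|sshd: failed password for root",
    "hids|2022-05-23T09:01:12|10.2.0.10|-|sshd: failed password for root",
    "hids|2022-05-23T09:01:13|10.2.0.10|-|sshd: failed password for root",
    "hids|2022-05-23T09:05:00|10.2.0.10|-|cron: daily backup finished",
    "gateway|2022-05-23T09:06:00|10.2.0.10|10.3.0.20|modbus write coil",
]

# Constructed system whitelist: (source, event) pairs known to be benign.
SYSTEM_WHITELIST = {("firewall", "allow tcp/443"), ("hids", "cron: daily backup finished")}

# User-defined rules: (name, source, event predicate, per-origin count threshold, severity).
RULES = [
    ("denied-modbus-probe", "firewall", lambda e: e.startswith("deny tcp/502"), 3, 1),
    ("ssh-brute-force", "hids", lambda e: "failed password" in e, 3, 2),
    ("ics-write", "gateway", lambda e: e.startswith("modbus write"), 1, 3),
]


def parse(line):
    source, ts, src, dst, event = line.split("|", 4)
    return {"source": source, "ts": ts, "src": src, "dst": dst, "event": event}

def partition_by_source(lines):
    """Interceptor-style source tagging into one queue per source (stand-in for Kafka topics)."""
    queues = defaultdict(deque)
    for line in lines:
        rec = parse(line)
        queues[rec["source"]].append(rec)
    return queues

def whitelist_filter(queues, whitelist=SYSTEM_WHITELIST):
    """Security filtering: drop whitelisted records, pass everything else on to analysis."""
    return [rec for q in queues.values() for rec in q
            if (rec["source"], rec["event"]) not in whitelist]

def analyze(records, rules=RULES):
    """Apply the rules per origin host; an alert records origin, target, count and severity."""
    hits = defaultdict(list)
    for rec in records:
        for name, source, pred, _, _ in rules:
            if rec["source"] == source and pred(rec["event"]):
                hits[(name, rec["src"])].append(rec)
    alerts = []
    for name, _, _, threshold, severity in rules:
        for (rule, src), recs in hits.items():
            if rule == name and len(recs) >= threshold:
                last = recs[-1]
                target = last["dst"] if last["dst"] != "-" else src  # host-local event
                alerts.append({"rule": name, "src": src, "dst": target,
                               "count": len(recs), "severity": severity})
    return alerts

def predict_attack_route(alerts):
    """Predicted attack route: follow alerts whose origin is an earlier alert's target."""
    outgoing = defaultdict(list)
    for a in alerts:
        outgoing[a["src"]].append(a["dst"])
    targets = {a["dst"] for a in alerts if a["dst"] != a["src"]}
    starts = [s for s in outgoing if s not in targets]
    route, seen = [], set()
    node = starts[0] if starts else None
    while node is not None and node not in seen:
        seen.add(node)
        route.append(node)
        node = next((d for d in outgoing.get(node, []) if d not in seen), None)
    return route

def risk_level(behavior_verdict, alerts):
    """Fuse the active module's verdict with the passive log alerts (thresholds assumed)."""
    score = sum(a["severity"] for a in alerts) + (3 if behavior_verdict == "high-risk" else 0)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def run_pipeline(lines=RAW_LOGS, behavior_verdict="normal"):
    """Acquisition -> partition -> whitelist filter -> rule analysis -> risk level."""
    records = whitelist_filter(partition_by_source(lines))
    alerts = analyze(records)
    return {"kept": len(records), "alerts": alerts,
            "route": predict_attack_route(alerts),
            "risk": risk_level(behavior_verdict, alerts)}


if __name__ == "__main__":
    r = run_pipeline()
    print(len(r["alerts"]), "alerts; route:", " -> ".join(r["route"]), "; risk:", r["risk"])
```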
The above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A network security situation awareness system suitable for an electric power system is characterized in that: the server acquires user historical behavior data through a user behavior data acquisition module, constructs a behavior database based on the user historical behavior data through a behavior database construction module, performs association analysis on the behavior database through a database association analysis module, constructs a behavior feature set based on user identity through a behavior feature set construction module based on an association analysis result, constructs a behavior feature base based on role authorization through the behavior feature base construction module, and identifies and judges user behaviors through a user behavior identification module based on the behavior database and the behavior feature base;
the server acquires all network security log files through a log file acquisition module, performs partition storage on the network security log files through a log file partition storage module, performs security filtering on the network security log files stored in the partition storage mode through a log file filtering module, performs log analysis on the network security log files obtained through filtering through a log file analysis module, and judges the current network security risk level through a risk level judgment module based on the identification judgment result of user behaviors and the log analysis result.
2. The system according to claim 1, characterized in that: the behavior feature set construction module performs abstract processing on the association analysis result, extracts the feature value of the daily behavior of the user, and constructs a behavior feature set based on the user identity.
3. The system according to claim 2, characterized in that: the behavior feature library construction module performs cluster analysis on the behavior feature set by combining the authorization information of the user role to construct a behavior feature library based on role authorization.
4. The system according to claim 3, characterized in that: the behavior feature library construction module adopts a K-means algorithm or an SVM algorithm to perform cluster analysis on the behavior feature set.
5. The system according to claim 3, characterized in that: the user behavior identification module compares the user behavior with the behavior database, and if similar user behavior is not found in the behavior database, the user behavior is judged to be high-risk behavior;
and the user behavior identification module judges the role authorization corresponding to the user behavior based on the behavior feature library, and judges the user behavior as high-risk behavior if the role authorization exceeds the authorization information of the actual user role.
6. The system according to claim 5, characterized in that: the user behavior identification module performs outlier analysis on the user behavior based on the role authorization corresponding to the user behavior and judges whether the user behavior is a high-risk behavior.
7. The system according to claim 1, characterized in that: the log file partition storage module distinguishes sources of the obtained network security log files by adopting a Flume-Interceptor, and sends the network security log files with the distinguished sources to different kafka data cache queues for partition storage.
8. The system according to claim 7, characterized in that: the log file filtering module carries out security filtering on the network security log files stored in the partition mode through a system white list and sends the network security log files meeting the security filtering requirements to the log file analysis module.
9. The system according to claim 8, characterized in that: the log file analysis module analyzes the network security log file based on the user-defined rule, predicts an attack route of an attacker according to an analysis result, and constructs a log file analysis model to further perform log analysis on the network security log file.
10. The system according to claim 9, characterized in that: the log file analysis model comprises an extractor for extracting the network security log file and analyzing parameters, a trainer for performing model training by using analysis parameters obtained by the extractor, a retraining device for performing continuous iterative model training on the log file analysis model, and a detector for judging whether a model training termination condition is met.

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202210563891.6A | CN115150125A (en) | 2022-05-23 | 2022-05-23 | Network security situation sensing system suitable for power system

Applications Claiming Priority (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN202210563891.6A | CN115150125A (en) | 2022-05-23 | 2022-05-23 | Network security situation sensing system suitable for power system

Publications (1)

Publication Number | Publication Date
CN115150125A (en) | 2022-10-04

Family

ID=83406339

Family Applications (1)

Application Number | Status | Publication | Priority Date | Filing Date | Title
CN202210563891.6A | Pending | CN115150125A (en) | 2022-05-23 | 2022-05-23 | Network security situation sensing system suitable for power system

Country Status (1)

Country | Link
CN (1) | CN115150125A (en)

Similar Documents

Publication Title
CN112769796B (en) Cloud network side collaborative defense method and system based on end side edge computing
CN103368979B (en) Network security verifying device based on improved K-means algorithm
CN107391598B (en) Automatic threat information generation method and system
CN112804196A (en) Log data processing method and device
CN108833185B (en) Network attack route restoration method and system
CN111669375A (en) Online safety situation assessment method and system for power industrial control terminal
CN116662989B (en) Security data analysis method and system
CN115766189B (en) Multichannel isolation safety protection method and system
CN110602109A (en) Application layer DDoS attack detection and defense method based on multi-feature entropy
CN110276195A (en) A kind of smart machine intrusion detection method, equipment and storage medium
CN113516565A (en) Intelligent alarm processing method and device for power monitoring system based on knowledge base
CN110149303B (en) Party-school network security early warning method and early warning system
Milan et al. Reducing false alarms in intrusion detection systems–a survey
He et al. Ensemble feature selection for improving intrusion detection classification accuracy
CN111490976B (en) Dynamic baseline management and monitoring method for industrial control network
CN111709021B (en) Attack event identification method based on mass alarms and electronic device
CN117478403A (en) Whole scene network security threat association analysis method and system
CN115118525B (en) Internet of things safety protection system and protection method thereof
CN115150125A (en) Network security situation sensing system suitable for power system
Liao et al. Research on network intrusion detection method based on deep learning algorithm
Xu Research on network intrusion detection method based on machine learning
Liao et al. An Intelligent Cyber Threat Classification System
CN112312590A (en) Equipment communication protocol identification method and device
CN111475380A (en) Log analysis method and device
CN117609990B (en) Self-adaptive safety protection method and device based on scene association analysis engine

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination