CN115776409A - Industrial network security event basic data directional acquisition method and system - Google Patents


Info

Publication number
CN115776409A
CN115776409A
Authority
CN
China
Prior art keywords
network security
event
target
acquisition
security alarm
Prior art date
Legal status
Granted
Application number
CN202310043084.6A
Other languages
Chinese (zh)
Other versions
CN115776409B (en)
Inventor
陈亮
赵彦
林冠洲
吴博
周莹莹
张子奇
霍然
Current Assignee
National Computer Network And Information Security Management Center Beijing Branch
Xinlian Technology Nanjing Co ltd
Original Assignee
National Computer Network And Information Security Management Center Beijing Branch
Xinlian Technology Nanjing Co ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and system for the directional acquisition of basic data for an industrial network security event. Starting from a target network security alarm event obtained from the various network security devices in an industrial enterprise's internal network, it constructs a target data acquisition range and a target acquisition time window, combines them into a target acquisition strategy for that event, and executes directional acquisition of the basic data against that strategy. The design narrows both the time range and the network range of data acquisition and so improves acquisition efficiency. At the same time, the maximum average duration window value determines how long data is retained on the acquisition devices, avoiding the storage pressure that a backlog of large amounts of data would cause. The acquisition range is adjusted dynamically according to indicators such as the overall network threat index, the event's risk level and the detection confidence, which improves acquisition accuracy, avoids collecting large volumes of irrelevant data and keeps the omission of relevant data to a minimum.

Description

Industrial network security event basic data directional acquisition method and system
Technical Field
The invention relates to a method and a system for directionally acquiring basic data of an industrial network security event, and belongs to the technical field of industrial network security detection.
Background
The development of the industrial internet has moved the networks of industrial enterprises (both IT and OT networks) from closed isolation to open interconnection; the exposed surface of industrial control networks has grown and network security threats have increased significantly. To analyze network security events properly, full-scale collection of basic data is a necessary and effective measure: retaining the basic data provides the data foundation for further analysis of a network security event and effectively supports its analysis and handling.
In industrial enterprise environments, Ethernet and industrial buses together form the core channels over which industrial control network data is exchanged. In recent years, in addition to attacks carried over Ethernet, vulnerabilities and attack incidents have frequently occurred on industrial control networks that use non-Ethernet protocols such as fieldbuses. Some network security events can be confirmed by directly examining the event data that existing network security devices detect and alarm on in real time, but a large number still need a second round of analysis: on top of the device's event data, the basic data (logs, traffic, bus data and so on) within a time range around the event is examined to determine whether the event is genuine, how harmful it is, and where it came from. Basic data of these types (logs, Ethernet traffic, industrial bus data) therefore needs to be retained in industrial enterprise environments for subsequent analysis.
Industrial enterprises have a very large number of industrial control data collection points, and full-scale collection produces an explosion of data. The industrial control network of an ordinary-sized industrial enterprise typically has more than 10,000 collection points in total, and real-time signal sampling periods can reach the millisecond level. Full collection of log, bus and network traffic data places heavy demands on storage and computing resources, while only a small fraction of that data is directly related to a network attack event, so full collection is difficult to put into practice. An efficient, directional method and system for acquiring the basic data of an industrial network security event is needed: one that precisely acquires the basic data related to the event and reduces the number of collection points and the volume of data collected per event, balancing the enterprise's storage and computing resources against the analysis requirements of network security events.
For the collection of basic data related to the network security events of industrial enterprises, existing technical schemes mainly collect logs and Ethernet data. The industry generally deploys full-traffic capture and storage devices to collect, store and analyze Ethernet traffic, and rarely covers industrial bus data. Moreover, because of deployment and storage cost constraints, full-traffic Ethernet capture devices are difficult to deploy at every node, so the prior art cannot effectively cover all network links in an industrial network and struggles to support comprehensive analysis of network security events.
Disclosure of Invention
The technical problem the invention aims to solve is to provide a method for the directional acquisition of the basic data of industrial network security events, which adopts a new strategy design that analyzes and performs data acquisition along two dimensions, network structure and time, so that the data acquisition range of a single event is reduced without omitting the basic data that needs to be acquired.
The invention adopts the following technical scheme for solving the technical problems: the invention designs a method for directionally acquiring basic data of an industrial network security event, which comprises the following steps of A to C, and realizes the directional acquisition of the basic data of the target network security alarm event based on the acquisition of the target network security alarm event on various network security devices in an internal network of an industrial enterprise;
step A, acquiring preset data results of various types corresponding to a target network security alarm event, acquiring preset attack chain related data of various types related to the target network security alarm event by combining a preset network security event knowledge base, forming event analysis result data corresponding to the target network security alarm event, and entering step B;
Step B, according to the event analysis result data corresponding to the target network security alarm event, calculate the influence distance L corresponding to the target network security alarm event and from it obtain the target data acquisition range; at the same time obtain the target acquisition time window; the target data acquisition range and the target acquisition time window together form the target acquisition strategy corresponding to the target network security alarm event; then enter step C;
Step C, based on the target acquisition strategy corresponding to the target network security alarm event, acquire the basic data of the target acquisition time window over the target data acquisition range, realizing the directional acquisition of the basic data related to the target network security alarm event.
As a preferred technical scheme of the invention: step BC is also included, after step B is executed, step BC is entered;
Step BC, for the target acquisition strategy corresponding to the target network security alarm event, combine it with the historical acquisition strategies already obtained, remove the parts of the target acquisition strategy that repeat in time and space, update the target acquisition strategy, and then enter step C.
As a preferred technical scheme of the invention: step D is also included, after step C is executed, step D is entered;
Step D, from the average duration window t of the attack chain corresponding to the target network security alarm event and to each network security alarm event obtained in history, take the longest such average duration window t as the retention period, store the basic data acquired in step C, and remove basic data older than that period.
As a preferred technical scheme of the invention: the step A comprises the following steps A1 to A3;
Step A1, obtain the preset data acquisition results of various types corresponding to the target network security alarm event, including the event device IP/device name, the event time, the event type and the confidence coefficient alpha, then enter step A2;
Step A2, based on a network security event knowledge base that stores in advance, for each type of network security alarm event, its risk level h, its attack-chain link sequence number s and the average duration window t of the attack chain, look up the risk level h, link sequence number s and average duration window t associated with the target network security alarm event by its event type, then enter step A3;
Step A3, form the event analysis result data corresponding to the target network security alarm event from its event device IP/device name, event time, confidence coefficient alpha, risk level h, attack-chain link sequence number s and average duration window t of the attack chain, then enter step B.
As a preferred technical scheme of the invention: in the step B, according to the event analysis result data corresponding to the target network security alarm event, calculating and obtaining an influence distance L corresponding to the target network security alarm event according to the following steps B1-1 to B1-3, and further obtaining a target data acquisition range;
Step B1-1, calculate the current overall security factor c from the risk level h and event time in the event analysis result data of the target network security alarm event together with the risk level h and event time of each network security alarm event obtained in history, then enter step B1-2;
Step B1-2, calculate the influence distance L corresponding to the target network security alarm event from the product of the confidence coefficient alpha, the risk level h and the attack-chain link sequence number s in its event analysis result data with the current overall security factor c, then enter step B1-3;
and B1-3, taking the IP/equipment name of the event equipment in the event analysis result data corresponding to the target network security alarm event as a main node, taking the influence distance L corresponding to the target network security alarm event as the hop count of the target node, and obtaining each node equipment and the path among each node equipment within the hop count range of the target node from the main node based on the internal network topological structure of the industrial enterprise to form a target data acquisition range.
As a preferred technical scheme of the invention: in step B1-1, the current average risk level is obtained from the risk level h in the event analysis result data of the target network security alarm event combined with the risk level h of each network security alarm event obtained in history;
at the same time, the current event frequency level is the number of network security alarm events in the preset time period containing the event time of the target network security alarm event divided by the average number of network security alarm events per historical preset time period;
and the product of the average risk level and the event frequency level is the current overall security factor c.
As a preferred technical scheme of the invention: in step B, the target acquisition time window is formed from the event time in the event analysis result data of the target network security alarm event and the average duration window t of the attack chain: one average duration window t before the event time and one after it, along the time axis.
Correspondingly, the technical problem to be solved by the invention is to provide a system of the method for directionally acquiring the basic data of the industrial network security event, which adopts a modular design to efficiently realize the directional acquisition of the designed basic data, thereby not only reducing the data acquisition range of a single event, but also avoiding the omission of the basic data required to be acquired.
In order to solve the technical problem, the invention adopts the following technical scheme: the invention designs a system for the industrial network security event basic data directional acquisition method, which comprises a network security event acquisition and analysis module, a basic data acquisition strategy study and judgment module and a basic data acquisition and storage module;
the network security event acquisition and analysis module is used for executing the step A aiming at a target network security alarm event, acquiring preset data acquisition results of various types corresponding to the target network security alarm event, acquiring relevant data of attack chains of various types related to the target network security alarm event by combining a preset network security event knowledge base, forming event analysis result data corresponding to the target network security alarm event, sending the event analysis result data to the basic data acquisition strategy study and judgment module, and then entering the step B;
The basic data acquisition strategy study and judgment module executes step B: according to the event analysis result data corresponding to the target network security alarm event, it calculates the influence distance L corresponding to the target network security alarm event and from it obtains the target data acquisition range, at the same time obtains the target acquisition time window, forms the target acquisition strategy corresponding to the target network security alarm event from the target data acquisition range and the target acquisition time window, sends the target acquisition strategy to the basic data acquisition and storage module, and then enters step BC;
the basic data acquisition and storage module executes a step BC according to a target acquisition strategy corresponding to a target network security alarm event, removes a space-time repeated part in the target acquisition strategy according to the target acquisition strategy corresponding to the target network security alarm event by combining all obtained historical acquisition strategies, updates the target acquisition strategy and then enters a step C;
and further executing the step C by the basic data acquisition and storage module aiming at the target acquisition strategy, acquiring basic data of a target acquisition time window corresponding to the target data acquisition range based on the target acquisition strategy corresponding to the target network security alarm event, and realizing the directional acquisition of the basic data related to the target network security alarm event.
As a preferred technical scheme of the invention: the basic data acquisition and storage module sends the updated target acquisition strategy to the corresponding data acquisition devices, according to which node devices and paths of the industrial enterprise's internal network topology each type of data acquisition device covers; each device performs basic data acquisition for the corresponding target acquisition time window and returns the acquired basic data to the basic data acquisition and storage module for storage.
As a preferred technical scheme of the invention: the basic data acquisition and storage module executes step D on the basic data acquired in step C in order to store it.
Compared with the prior art, the directional acquisition method and the system for the basic data of the industrial network security event have the following technical effects by adopting the technical scheme:
the invention designs a method and a system for directionally acquiring basic data of an industrial network security event, which are based on the acquisition of a target network security alarm event on various network security equipment in an internal network of an industrial enterprise, and combine a target acquisition strategy corresponding to the target network security alarm event through the construction of a target data acquisition range and a target acquisition time window so as to execute the directional acquisition of the basic data; the design effectively reduces the time and space range of data acquisition and improves the acquisition efficiency; meanwhile, based on the maximum average duration window value, the retention time range of the data on the acquisition equipment can be effectively determined, and the storage pressure caused by the backlog of a large amount of data is avoided; and the design realizes dynamic adjustment of the acquisition range, the acquisition range is dynamically adjusted based on indexes such as overall network threat indexes, danger levels of events, confidence degrees and the like of the whole network, the accuracy of data acquisition is improved, the acquisition of a large amount of invalid data is avoided, and the omission of effective data is ensured as far as possible.
Drawings
FIG. 1 is a schematic flow chart of a method for directionally acquiring basic data of an industrial network security event according to the present invention;
FIG. 2 is a schematic diagram of the architecture of the system for designing the method for directionally acquiring the basic data of the industrial network security event according to the present invention.
Detailed Description
The following description will explain embodiments of the present invention in further detail with reference to the accompanying drawings.
Aiming at the defects of the existing scheme, the invention provides a method and a system for directionally acquiring basic data of an industrial network security incident, which have the following specific design ideas:
(1) The scheme first describes the correspondence between the industrial enterprise's network topology and the basic data acquisition devices, that is, the network range from which each acquisition device can collect. The network topology consists of points (devices, which may include IT devices, industrial control devices and so on) and paths (communication links, which may include Ethernet links, industrial bus links and so on). The network security event basic data acquisition devices support collection of logs, configuration and security-software analysis results at points, and full collection of Ethernet network traffic and industrial bus link data on paths.
(2) The scheme then defines how a network security event is expressed. In addition to the elements event type, event description and risk level, each type of network security event gains the elements attack-chain link sequence number and average duration window of the attack chain, which describe the event's position in the attack chain and are used in the subsequent acquisition strategy configuration. Each type of network security event supports multiple detection rules, and each detection rule can be configured with a confidence coefficient expressing how credible that rule's result is.
(3) When a network security event alarm occurs in the industrial network, event analysis yields the main node affected by the event. Taking the main node as the central node, the scheme provides a directional acquisition method that computes the range of nodes or paths whose data the event requires. Based on the elements (risk level, confidence, attack-chain link sequence number) that correspond to the type of the network security event, combined with the overall environmental factor, it calculates the event's influence distance and the time window to be collected at each distance. With the central node as the centre and the influence distance as the radius, the nodes and paths affected by the network security event are obtained, forming the basic data acquisition strategy.
(4) The basic data acquisition strategy is compared with the existing historical acquisition strategies, the parts that repeat in time and space are removed, and the corresponding acquisition devices are then notified to extract the corresponding data, which is aggregated, stored and archived, completing the basic data acquisition for the network security event.
(5) The maximum acquisition time window is computed over all network security event types. The longest period for which each acquisition device must keep the data it collects is derived from this maximum acquisition time window, and data older than that period can be removed promptly to reduce the storage pressure on the acquisition devices.
Based on the above design, in practical application, as shown in FIG. 1, the method for directionally acquiring basic data of an industrial network security event according to the present invention comprises the following steps A to C; based on a target network security alarm event obtained from the various network security devices in an industrial enterprise's internal network, it realizes directional acquisition of the basic data of that event. The target network security alarm event here mainly refers to an alarm event generated on network security devices such as firewalls, intrusion detection systems and host audit systems present in the industrial enterprise's internal network.
Step A, acquiring preset data acquisition results of various types corresponding to the target network security alarm event, acquiring preset attack chain related data associated with the target network security alarm event by combining a preset network security event knowledge base to form event analysis result data corresponding to the target network security alarm event, and entering step B.
In practical application, step A is specifically designed to perform the following steps A1 to A3.
Step A1, obtain the preset data acquisition results of various types corresponding to the target network security alarm event, including the event device IP/device name, the event time, the event type and the confidence coefficient alpha, then enter step A2. Here the confidence coefficient alpha is a percentage; the higher the value, the greater the confidence. The confidence is tied to the detection rule that raised the event, and several detection rules may exist for the same event type. Stricter and more complex detection rules generally have higher confidence, but their detection efficiency is often lower.
Step A2, based on a network security event knowledge base that stores in advance, for each type of network security alarm event, its risk level h, its attack-chain link sequence number s and the average duration window t of the attack chain, look up the risk level h, link sequence number s and average duration window t associated with the target network security alarm event by its event type, then enter step A3.
Taking the currently mainstream ATT&CK model as an example, an end-to-end attack chain can be composed of 14 tactic links: 1 Reconnaissance, 2 Resource Development, 3 Initial Access, 4 Execution, 5 Persistence, 6 Privilege Escalation, 7 Defense Evasion, 8 Credential Access, 9 Discovery, 10 Lateral Movement, 11 Collection, 12 Command and Control, 13 Exfiltration, 14 Impact. Executing the actions of each tactic can produce various network security event types. The knowledge base collects and organizes the tactics of the attack chain and the corresponding network security event types, so that the link sequence number in the attack chain and the risk level of a network security event type can be looked up from the event's type field. Each tactic link of an attack chain takes a certain amount of attack time, and the average time per link of an attack chain is recorded as the average duration window t of the attack chain.
Step A3, form the event analysis result data corresponding to the target network security alarm event from its event device IP/device name, event time, confidence coefficient alpha, risk level h, the link sequence number s of the attack chain in which the event sits and the average duration window t of that attack chain, then enter step B.
Step B, according to the event analysis result data corresponding to the target network security alarm event, calculate the influence distance L corresponding to the target network security alarm event and from it obtain the target data acquisition range; at the same time obtain the target acquisition time window; the target data acquisition range and the target acquisition time window together form the target acquisition strategy corresponding to the target network security alarm event; then enter step BC.
In practical application, according to the event analysis result data corresponding to the target network security alarm event, the influence distance L corresponding to the target network security alarm event is calculated and obtained according to the following steps B1-1 to B1-3, and further the target data acquisition range is obtained.
Step B1-1, from the risk level h in the event analysis result data of the target network security alarm event combined with the risk level h of each network security alarm event obtained in history, obtain the current average risk level; at the same time, from the event time in that data, take the number of network security alarm events in the preset time period containing the event time divided by the average number of network security alarm events per historical preset time period as the current event frequency level; the product of the average risk level and the event frequency level is the current overall security factor c. Then enter step B1-2. The higher the overall security factor, the higher the risk level and the larger the number of events currently in the network, and the worse and more dangerous the security of the environment.
Step B1-2, calculate the influence distance L corresponding to the target network security alarm event as the product of the confidence coefficient alpha, the risk level h and the attack-chain link sequence number s in its event analysis result data with the current overall security factor c, rounded to an integer, then enter step B1-3.
The more credible the network security alarm event, the higher its risk level and the worse the overall security of the network, the wider the range of nodes that may have been compromised, the more links of the attack chain are involved, the larger the influence distance, and the more nodes and paths must be collected. Conversely, a poorly credible, low-risk alarm in a network whose overall security is good has a small association range, a small influence distance and few nodes and paths to acquire. At the highest influence distance the full chain before and after the event is acquired according to the attack-chain link sequence number; at the lowest, only the node on which the attack-chain event occurred is acquired, with no associated acquisition.
Step B1-3, take the event device IP/device name in the event analysis result data of the target network security alarm event as the main node and the influence distance L as the hop count of the target nodes; based on the industrial enterprise's internal network topology, obtain each node device within that hop count of the main node and the paths between those node devices, forming the target data acquisition range.
And in the practical application of the step B, according to the event time in the event analysis result data corresponding to the target network security alarm event and the average duration window t of the attack chain, the average duration window t of the attack chain before and after the event time along the time sequence direction forms a target acquisition time window.
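The computation of steps A to B above (knowledge base lookup, overall security factor c, influence distance L, hop-limited range over the topology, and the time window of one t before and after the event), as an added worked example in Python. This is constructed for this page and is not code from the patent or its assignees. The knowledge base entries, the plant topology, the alarms and the constants L_MAX and SCALE are assumptions; the patent specifies only that L is the rounded product of alpha, h, s and c, so the scaling of that product onto a hop count is this example's calibration, not the patent's.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Everything below is constructed for illustration and is not taken from the patent.

# Step A2 knowledge base: event type -> risk level h (1..5), attack-chain link sequence number s
# (1..14, in ATT&CK tactic order) and average duration window t of that link.
KNOWLEDGE_BASE = {
    "plc_unauthorized_write": {"h": 5, "s": 14, "t": timedelta(hours=2)},     # 14 Impact
    "brute_force_login":      {"h": 3, "s": 8,  "t": timedelta(hours=1)},     # 8 Credential Access
    "modbus_function_scan":   {"h": 2, "s": 9,  "t": timedelta(minutes=30)},  # 9 Discovery
}
L_MAX = 5       # assumed: largest hop radius that makes sense for the plant topology
SCALE = 140.0   # assumed calibration: maps the raw product alpha*h*s*c onto 0..L_MAX hops

# Plant topology as undirected links (point, point, medium); points are IT or control devices.
LINKS = [
    ("hmi-01", "eng-ws", "ethernet"), ("hmi-01", "plc-01", "ethernet"),
    ("eng-ws", "historian", "ethernet"), ("plc-01", "rtu-02", "profibus"),
    ("plc-01", "rtu-03", "profibus"), ("rtu-03", "sensor-07", "modbus-rtu"),
]


@dataclass
class Alarm:
    """Step A1: what a firewall, IDS or host-audit device reports for one alarm."""
    device: str
    time: datetime
    event_type: str
    alpha: float        # detection-rule confidence in [0, 1]


TARGET_ALARM = Alarm("plc-01", datetime(2024, 3, 5, 10, 20), "plc_unauthorized_write", 0.9)
HISTORY_ALARMS = [
    Alarm("rtu-03", datetime(2024, 3, 4, 14, 30), "modbus_function_scan", 0.7),
    Alarm("eng-ws", datetime(2024, 3, 5, 9, 10), "brute_force_login", 0.6),
    Alarm("hmi-01", datetime(2024, 3, 5, 10, 5), "modbus_function_scan", 0.7),
]


def analyze(alarm):
    """Step A: join the raw alarm with the knowledge base -> event analysis result data."""
    return {"device": alarm.device, "time": alarm.time, "alpha": alarm.alpha,
            **KNOWLEDGE_BASE[alarm.event_type]}


def overall_security_factor(target, history, period=timedelta(hours=1)):
    """Step B1-1: c = (average risk level) * (event frequency level)."""
    events = history + [target]
    avg_h = sum(e["h"] for e in events) / len(events)
    epoch = datetime(1970, 1, 1)

    def bucket(e):                       # index of the preset period the event falls in
        return (e["time"] - epoch) // period

    counts = {}
    for e in events:
        counts[bucket(e)] = counts.get(bucket(e), 0) + 1
    mean_per_period = sum(counts.values()) / len(counts)
    return avg_h * (counts[bucket(target)] / mean_per_period)


def influence_distance(target, c):
    """Step B1-2: L = round(alpha * h * s * c), scaled to a hop count and capped at L_MAX."""
    return min(L_MAX, round(target["alpha"] * target["h"] * target["s"] * c / SCALE))


def acquisition_range(main_node, hops):
    """Step B1-3: BFS over the topology; returns the devices within `hops` of the main node
    and the links whose two endpoints both lie inside that range."""
    adj = {}
    for a, b, _ in LINKS:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    dist, queue = {main_node: 0}, deque([main_node])
    while queue:
        node = queue.popleft()
        if dist[node] == hops:
            continue
        for nbr in adj.get(node, ()):
            if nbr not in dist:
                dist[nbr] = dist[node] + 1
                queue.append(nbr)
    nodes = set(dist)
    paths = {(min(a, b), max(a, b), m) for a, b, m in LINKS if a in nodes and b in nodes}
    return nodes, paths


def build_strategy(target_alarm, history_alarms):
    """Step B: target acquisition strategy = acquisition range + acquisition time window."""
    target = analyze(target_alarm)
    history = [analyze(a) for a in history_alarms]
    c = overall_security_factor(target, history)
    L = influence_distance(target, c)
    nodes, paths = acquisition_range(target["device"], L)
    window = (target["time"] - target["t"], target["time"] + target["t"])   # t before and after
    return {"c": c, "L": L, "nodes": nodes, "paths": paths, "window": window}


if __name__ == "__main__":
    s = build_strategy(TARGET_ALARM, HISTORY_ALARMS)
    print(f"c={s['c']:.2f}  L={s['L']}  nodes={sorted(s['nodes'])}")
    print("paths:", sorted(s["paths"]))
    print("window:", s["window"][0], "->", s["window"][1])
```

With the constructed data the target alarm falls in an hourly period with twice the average alarm count, so c rises to 4.5 and the high-confidence Impact-stage event on plc-01 gets a two-hop radius: the PLC, its HMI and RTUs, the engineering workstation and the downstream sensor are collected, while the historian three hops away is not. The BFS stops expanding at exactly L hops, so a low-confidence Discovery-stage event collapses to L = 0 and collects only the main node, matching the lowest case described above.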
And step BC, aiming at a target acquisition strategy corresponding to the target network security alarm event, combining the obtained historical acquisition strategies, removing a space-time repeated part in the target acquisition strategy, updating the target acquisition strategy, and then entering the step C.
And C, acquiring basic data of a target acquisition time window corresponding to the target data acquisition range based on a target acquisition strategy corresponding to the target network security alarm event, realizing directional acquisition of the basic data of the target network security alarm event, and then entering the step D.
And D, based on the target network security alarm event and the historical network security alarm events, respectively corresponding to the average duration window t of the attack chain, taking the average duration window t of the longest attack chain as a period, storing the basic data acquired in the step C, and removing the basic data exceeding the period.
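Steps B1-1 to D above, carried through as a worked example. This code is added here and is not part of the patent or its implementation: the plant topology, the alarm events and the historical strategies are constructed sample input, and because the page names the inputs alpha, h, s and c but not their exact combination, L = round(alpha * h * s * c) is one reading of "the multiplication result", and the per-node interval subtraction used for step BC is likewise an assumption.

```python
# Added example, not the patent's own code: steps B1-1 to D on a small constructed
# topology. round(alpha * h * s * c) for L and the interval subtraction in step BC
# are assumptions; the page states the inputs, not the exact operations.
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

_EPOCH = datetime(1970, 1, 1)

@dataclass(frozen=True)
class Event:
    device: str      # event device IP / device name (main node)
    time: datetime   # event time
    alpha: float     # confidence coefficient
    h: int           # danger level from the knowledge base
    s: int           # node sequence number within the attack chain
    t: timedelta     # average duration window of the attack chain

@dataclass(frozen=True)
class Segment:       # one (node, time window) element of an acquisition strategy
    node: str
    start: datetime
    end: datetime

def overall_security_factor(target, history, period):
    """Step B1-1 (claim 6): average risk level x event frequency level, where the
    frequency level is events in the target's period / mean events per period."""
    events = history + [target]
    buckets = {}
    for e in events:
        key = (e.time - _EPOCH) // period
        buckets[key] = buckets.get(key, 0) + 1
    freq_level = buckets[(target.time - _EPOCH) // period] / mean(buckets.values())
    return mean(e.h for e in events) * freq_level

def influence_distance(target, c):
    """Step B1-2: alpha, h and s multiplied by c, rounded (product form assumed)."""
    return round(target.alpha * target.h * target.s * c)

def acquisition_range(topology, main_node, hops):
    """Step B1-3: BFS from the main node; nodes within `hops` and the links between them.
    hops == 0 collects only the alarm node itself (the lowest influence distance)."""
    depth = {main_node: 0}
    queue = deque([main_node])
    while queue:
        node = queue.popleft()
        if depth[node] == hops:
            continue
        for nbr in topology.get(node, []):
            if nbr not in depth:
                depth[nbr] = depth[node] + 1
                queue.append(nbr)
    nodes = set(depth)
    links = {tuple(sorted((a, b))) for a in nodes for b in topology.get(a, []) if b in nodes}
    return nodes, links

def remove_overlap(strategy, historical):
    """Step BC: subtract, per node, the time already covered by historical strategies."""
    result = []
    for seg in strategy:
        pieces = [seg]
        for old in (o for o in historical if o.node == seg.node):
            nxt = []
            for p in pieces:
                if old.end <= p.start or old.start >= p.end:  # disjoint window: keep as is
                    nxt.append(p)
                    continue
                # keep the non-empty parts before and after the old window
                nxt += [Segment(p.node, a, b) for a, b in ((p.start, old.start), (old.end, p.end)) if a < b]
            pieces = nxt
        result.extend(pieces)
    return result

def retention_period(target, history):
    """Step D: data is kept for the longest average duration window seen."""
    return max(e.t for e in history + [target])

H = timedelta(hours=1)                               # constructed sample input follows
T0 = datetime(2024, 1, 10, 9, 0)                     # constructed event time
TOPOLOGY = {                                         # constructed plant network (adjacency lists)
    "plc-01": ["hmi-01", "sw-01"], "hmi-01": ["plc-01", "sw-01"],
    "sw-01": ["plc-01", "hmi-01", "eng-ws", "fw-01"], "eng-ws": ["sw-01"],
    "fw-01": ["sw-01", "dmz-hist"], "dmz-hist": ["fw-01"],
}
TARGET = Event("hmi-01", T0, alpha=0.7, h=1, s=2, t=2 * H)
HISTORY = [Event("plc-01", T0 - 48 * H, 0.5, 1, 1, 2 * H), Event("eng-ws", T0 - 47 * H, 0.6, 1, 1, 4 * H),
           Event("sw-01", T0 - 3 * H, 0.9, 2, 3, 6 * H), Event("fw-01", T0 - 1 * H, 0.8, 2, 2, 2 * H)]
OLD_STRATEGIES = [Segment("sw-01", T0 - 3 * H, T0 + 1 * H),   # window left by the fw-01 alarm
                  Segment("plc-01", T0 - 3 * H, T0 + 3 * H)]  # fully covers plc-01's new window

def run_example():
    c = overall_security_factor(TARGET, HISTORY, period=24 * H)
    hops = influence_distance(TARGET, c)
    nodes, links = acquisition_range(TOPOLOGY, TARGET.device, hops)
    window = (TARGET.time - TARGET.t, TARGET.time + TARGET.t)      # target acquisition time window
    strategy = remove_overlap([Segment(n, *window) for n in sorted(nodes)], OLD_STRATEGIES)
    return {"c": c, "L": hops, "nodes": nodes, "links": links, "strategy": strategy,
            "retention": retention_period(TARGET, HISTORY),
            "self_only": acquisition_range(TOPOLOGY, TARGET.device, 0)}

if __name__ == "__main__":
    print(run_example())
```

With the constructed history, two of the four earlier alarms fall in the same 24-hour period as the target, so the event frequency level is above 1 and c comes out at 1.68; the rounded product gives L = 2, which pulls in the PLC, the switch, the engineering workstation and the firewall but stops short of the historian in the DMZ. Step BC then drops plc-01 entirely (its window is already covered) and trims sw-01 to the hour not yet collected.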
In practical application, as shown in fig. 2, the specific design includes a network security event acquisition and analysis module, a basic data acquisition strategy study and judgment module, a basic data acquisition and storage module, and basic data acquisition equipment consisting of various types of data acquisition devices.
The network security event acquisition and analysis module executes step A for a target network security alarm event: it acquires the preset data acquisition results of various types corresponding to the target event, acquires the preset attack chain related data associated with the target event by combining the preset network security event knowledge base, forms the event analysis result data corresponding to the target event, and sends the event analysis result data to the basic data acquisition strategy study and judgment module, after which step B is entered.
The basic data acquisition strategy study and judgment module executes step B: according to the event analysis result data corresponding to the target network security alarm event, it calculates the influence distance L corresponding to the target event, from which it obtains the target data acquisition range, and at the same time obtains the target acquisition time window; the target data acquisition range and the target acquisition time window form the target acquisition strategy corresponding to the target event, which is sent to the basic data acquisition and storage module, after which step BC is entered.
The basic data acquisition and storage module executes step BC: for the target acquisition strategy corresponding to the target network security alarm event, it combines the historical acquisition strategies already obtained, removes the spatio-temporally repeated part from the target acquisition strategy, updates the target acquisition strategy, and enters step C.
The basic data acquisition and storage module further executes step C for the target acquisition strategy: based on the target acquisition strategy corresponding to the target network security alarm event, it acquires the basic data of the target acquisition time window over the target data acquisition range, realizing directional acquisition of the basic data related to the target event.
In the specific design, the basic data acquisition and storage module sends the updated target acquisition strategy to the corresponding data acquisition devices of each type, according to the node devices, and the paths between them, in the internal network topology of the industrial enterprise that each type of data acquisition device in the basic data acquisition equipment covers; each device performs the basic data acquisition for the corresponding target acquisition time window and returns the acquired basic data to the basic data acquisition and storage module, which executes step D to store the basic data.
In the design of the practical application, a dynamic and directional acquisition method for the basic data of industrial network security events is realized, including the calculation of the influence distance and the determination of the time window, which together determine the device range and the time range of the basic data to be acquired; and a method is realized for dynamically adjusting the acquisition range based on whole-network indexes such as the overall network threat index, the danger level of the event and the confidence coefficient, which effectively reduces the spatio-temporal range of acquisition and ensures the feasibility of acquiring the event basic data.
The invention designs, on the basis of collecting target network security alarm events from the various network security devices in the internal network of an industrial enterprise, the construction of a target data acquisition range and a target acquisition time window that together form the target acquisition strategy corresponding to the target event, and then executes directional acquisition of the basic data. The design effectively reduces the time and space range of data acquisition and improves acquisition efficiency; meanwhile, based on the maximum average duration window value, the retention period of data on the acquisition equipment can be determined effectively, avoiding the storage pressure caused by a large backlog of data; and the design realizes dynamic adjustment of the acquisition range based on whole-network indexes such as the overall network threat index, the danger level of the event and the confidence coefficient, which improves the accuracy of data acquisition, avoids collecting a large amount of invalid data and, as far as possible, prevents effective data from being missed.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the gist of the present invention.

Claims (10)

1. A method for directionally acquiring basic data of an industrial network security event, characterized in that: based on the collection of target network security alarm events from various network security devices in the internal network of an industrial enterprise, directional acquisition of basic data on the target network security alarm event is realized according to the following steps A to C;
step A, acquiring preset data results of various types corresponding to a target network security alarm event, acquiring preset attack chain related data of various types related to the target network security alarm event by combining a preset network security event knowledge base, forming event analysis result data corresponding to the target network security alarm event, and entering step B;
step B, calculating an influence distance L corresponding to the target network security alarm event according to the event analysis result data corresponding to the target network security alarm event, further obtaining a target data acquisition range and a target acquisition time window, forming a target acquisition strategy corresponding to the target network security alarm event from the target data acquisition range and the target acquisition time window, and entering step C;
step C, based on the target acquisition strategy corresponding to the target network security alarm event, acquiring the basic data of the target acquisition time window over the target data acquisition range, and realizing the directional acquisition of the basic data related to the target network security alarm event.
2. The method for directionally acquiring the basic data of an industrial network security event according to claim 1, characterized in that: a step BC is further included; after step B is executed, step BC is entered;
step BC, for the target acquisition strategy corresponding to the target network security alarm event, removing the spatio-temporally repeated part from the target acquisition strategy by combining the historical acquisition strategies already obtained, updating the target acquisition strategy, and then entering step C.
3. The method for directionally acquiring the basic data of an industrial network security event according to claim 2, characterized in that: a step D is further included; after step C is executed, step D is entered;
step D, based on the average duration window t of the attack chain in which the target network security alarm event is located and the average duration window t corresponding respectively to each historically obtained network security alarm event, taking the average duration window t of the attack chain in which the target network security alarm event is located as the period, storing the basic data acquired in step C, and removing the basic data exceeding the period.
4. The method for directionally acquiring the basic data of an industrial network security event according to any one of claims 1 to 3, characterized in that: step A comprises the following steps A1 to A3;
step A1, acquiring preset data acquisition results of various types corresponding to the target network security alarm event, including the event device IP/device name, the event time, the event type and the confidence coefficient alpha, and then entering step A2;
step A2, based on a network security event knowledge base in which the danger level h, the node sequence number s of the attack chain and the average duration window t of the attack chain corresponding to each type of network security alarm event are stored in advance, obtaining the danger level h, the node sequence number s of the attack chain and the average duration window t of the attack chain associated with the target network security alarm event according to the event type of the target network security alarm event, and then entering step A3;
step A3, forming the event analysis result data corresponding to the target network security alarm event from the event device IP/device name, the event time, the confidence coefficient alpha, the danger level h, the node sequence number s of the attack chain in which the target network security alarm event is located and the average duration window t of that attack chain, and then entering step B.
5. The method for directionally acquiring the basic data of an industrial network security event according to claim 4, characterized in that: in step B, according to the event analysis result data corresponding to the target network security alarm event, the influence distance L corresponding to the target network security alarm event is calculated according to the following steps B1-1 to B1-3, and the target data acquisition range is further obtained;
step B1-1, calculating the current overall security factor c according to the danger level h and the event time in the event analysis result data corresponding to the target network security alarm event together with the danger level h and the event time corresponding respectively to each historically obtained network security alarm event, and then entering step B1-2;
step B1-2, calculating the influence distance L corresponding to the target network security alarm event using the confidence coefficient alpha, the danger level h and the node sequence number s of the attack chain in the event analysis result data corresponding to the target network security alarm event, combined with the multiplication result of the current overall security factor c, and then entering step B1-3;
step B1-3, taking the event device IP/device name in the event analysis result data corresponding to the target network security alarm event as the main node, taking the influence distance L corresponding to the target network security alarm event as the target node hop count, and, based on the internal network topology of the industrial enterprise, obtaining each node device within the target hop count of the main node and the paths between those node devices, to form the target data acquisition range.
6. The method for directionally acquiring the basic data of an industrial network security event according to claim 5, characterized in that: in step B1-1, according to the danger level h in the event analysis result data corresponding to the target network security alarm event, combined with the danger level h corresponding to each historically obtained network security alarm event, the current average danger level is obtained;
meanwhile, according to the event time in the event analysis result data corresponding to the target network security alarm event, dividing the number of network security alarm events in the preset time period to which the event time belongs by the average number of network security alarm events in each historical preset time period as the current event frequency level;
and further calculating to obtain a multiplication result of the average risk level and the event frequency level, and forming a current overall safety factor c.
7. The method for directionally acquiring the basic data of an industrial network security event according to claim 4, characterized in that: in step B, according to the event time in the event analysis result data corresponding to the target network security alarm event and the average duration window t of the attack chain, the interval of length t before and after the event time along the time axis forms the target acquisition time window.
8. A system for implementing the method for directionally acquiring the basic data of an industrial network security event according to any one of claims 2 to 7, characterized in that: the system comprises a network security event acquisition and analysis module, a basic data acquisition strategy study and judgment module and a basic data acquisition and storage module;
the network security event acquisition and analysis module executes step A for a target network security alarm event: it acquires the preset data acquisition results of various types corresponding to the target network security alarm event, acquires the attack chain related data of various types related to the target network security alarm event by combining the preset network security event knowledge base, forms the event analysis result data corresponding to the target network security alarm event, sends the event analysis result data to the basic data acquisition strategy study and judgment module, and then enters step B;
the basic data acquisition strategy study and judgment module executes step B according to the event analysis result data corresponding to the target network security alarm event: it calculates the influence distance L corresponding to the target network security alarm event from that event analysis result data, further obtains the target data acquisition range and at the same time the target acquisition time window, forms the target acquisition strategy corresponding to the target network security alarm event from the target data acquisition range and the target acquisition time window, sends the target acquisition strategy to the basic data acquisition and storage module, and then enters step BC;
the basic data acquisition and storage module executes step BC for the target acquisition strategy corresponding to the target network security alarm event: it removes the spatio-temporally repeated part from the target acquisition strategy by combining all the historical acquisition strategies already obtained, updates the target acquisition strategy and then enters step C;
the basic data acquisition and storage module further executes step C for the target acquisition strategy: based on the target acquisition strategy corresponding to the target network security alarm event, it acquires the basic data of the target acquisition time window over the target data acquisition range, realizing the directional acquisition of the basic data related to the target network security alarm event.
9. The system for implementing the method for directionally acquiring the basic data of an industrial network security event according to claim 8, characterized in that: the basic data acquisition and storage module sends the updated target acquisition strategy to the corresponding data acquisition devices of each type according to the node devices, and the paths between them, in the internal network topology of the industrial enterprise that each type of data acquisition device in the basic data acquisition equipment covers; each device performs the basic data acquisition for the corresponding target acquisition time window and returns the acquired basic data to the basic data acquisition and storage module for storage.
10. The system for implementing the method for directionally acquiring the basic data of an industrial network security event according to claim 8, characterized in that: the basic data acquisition and storage module executes step D to store the basic data acquired in step C.
CN202310043084.6A 2023-01-29 2023-01-29 Directional acquisition method and system for basic data of industrial network security event Active CN115776409B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310043084.6A CN115776409B (en) 2023-01-29 2023-01-29 Directional acquisition method and system for basic data of industrial network security event

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310043084.6A CN115776409B (en) 2023-01-29 2023-01-29 Directional acquisition method and system for basic data of industrial network security event

Publications (2)

Publication Number Publication Date
CN115776409A true CN115776409A (en) 2023-03-10
CN115776409B CN115776409B (en) 2023-06-06

Family

ID=85393747

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310043084.6A Active CN115776409B (en) 2023-01-29 2023-01-29 Directional acquisition method and system for basic data of industrial network security event

Country Status (1)

Country Link
CN (1) CN115776409B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117806916A (en) * 2024-02-29 2024-04-02 中国人民解放军国防科技大学 Multi-unit server lightweight alarm correlation mining and converging method and system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102457524A (en) * 2011-11-23 2012-05-16 中国人民解放军国防科学技术大学 Method for aggregating security situation of hierarchic network
CN108234419A (en) * 2016-12-21 2018-06-29 江苏神州信源系统工程有限公司 A kind of network attack monitoring method and device based on big data
CN110839019A (en) * 2019-10-24 2020-02-25 国网福建省电力有限公司 Network security threat tracing method for power monitoring system
CN113315771A (en) * 2021-05-28 2021-08-27 苗叶 Safety event warning device and method based on industrial control system
CN115225386A (en) * 2022-07-20 2022-10-21 广东电网有限责任公司 Business identification and risk analysis method and system based on event sequence correlation fusion
CN115277132A (en) * 2022-07-14 2022-11-01 中国电子产品可靠性与环境试验研究所((工业和信息化部电子第五研究所)(中国赛宝实验室)) Network security situation awareness method and device, computer equipment and storage medium
WO2022257423A1 (en) * 2021-06-08 2022-12-15 天翼云科技有限公司 Warning information association method and apparatus, and electronic device and readable storage medium
CN115706669A (en) * 2021-08-04 2023-02-17 中移动信息技术有限公司 Network security situation prediction method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王晋东; 杨豪璞; 张恒巍; 李涛: "Dynamic evaluation method of attack behavior for APT attacks", Journal of System Simulation *

Also Published As

Publication number Publication date
CN115776409B (en) 2023-06-06

Similar Documents

Publication Publication Date Title
CN108494810B (en) Attack-oriented network security situation prediction method, device and system
CN112073411B (en) Network security deduction method, device, equipment and storage medium
CN109413109B (en) Heaven and earth integrated network oriented security state analysis method based on finite-state machine
CN111541661A (en) Power information network attack scene reconstruction method and system based on causal knowledge
CN111193728B (en) Network security evaluation method, device, equipment and storage medium
CN112491860A (en) Industrial control network-oriented collaborative intrusion detection method
CN106254137A (en) The alarm root-cause analysis system and method for supervisory systems
CN111049827A (en) Network system safety protection method, device and related equipment
CN112261042B (en) Anti-seepage system based on attack hazard assessment
CN115225384B (en) Network threat degree evaluation method and device, electronic equipment and storage medium
CN114629674A (en) Attention mechanism-based industrial control network security risk assessment method
CN115378711A (en) Industrial control network intrusion detection method and system
CN109995558A (en) Failure information processing method, device, equipment and storage medium
CN116015983B (en) Network security vulnerability analysis method and system based on digital twin
CN115776409A (en) Industrial network security event basic data directional acquisition method and system
Bian et al. Network security situational assessment model based on improved AHP_FCE
Grottke et al. On the efficiency of sampling and countermeasures to critical-infrastructure-targeted malware campaigns
CN116208416A (en) Attack link mining method and system for industrial Internet
CN111191230A (en) Fast network attack backtracking mining method based on convolutional neural network and application
CN114006744B (en) LSTM-based power monitoring system network security situation prediction method and system
CN111447168B (en) Multidimensional network security prediction method
CN114338441A (en) Analysis method for intelligently identifying service link based on service flow
CN113497793A (en) Model optimization method, alarm event detection method, device and equipment
CN117579388B (en) Risk assessment method, system, equipment and medium for intelligent network interconnection industrial control system
CN113032774A (en) Training method, device and equipment of anomaly detection model and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant