CN115776409B - Directional acquisition method and system for basic data of industrial network security event - Google Patents


Info

Publication number: CN115776409B
Application number: CN202310043084.6A
Authority: CN (China)
Legal status: Active (assumed; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN115776409A
Inventors: 陈亮, 赵彦, 林冠洲, 吴博, 周莹莹, 张子奇, 霍然
Current and original assignees: National Computer Network And Information Security Management Center Beijing Branch; Xinlian Technology Nanjing Co ltd
Prosecution history: application CN202310043084.6A filed by the assignees; publication of CN115776409A; application granted; publication of CN115776409B

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and a system for the directional collection of basic data about industrial network security events. Starting from target network security alarm events collected from the various network security devices in an industrial enterprise's internal network, the method builds a target data collection range and a target collection time window, combines them into a target collection strategy for the alarm event, and then carries out directional collection of the basic data. This design narrows the time and space range of data collection and improves collection efficiency. At the same time, the maximum average duration window value determines how long data must be retained on the collection devices, avoiding the storage pressure that a backlog of data would cause. The collection range is also adjusted dynamically on the basis of indicators such as the overall network threat index, the danger level of the event and the confidence level, which improves the accuracy of the collected data, avoids collecting large amounts of invalid data and keeps the effective data as free of omissions as possible.

Description

Directional acquisition method and system for basic data of industrial network security event
Technical Field
The invention relates to a method and a system for directionally collecting basic data of an industrial network security event, belonging to the technical field of industrial network security detection.
Background
The development of industrial internet enables the networks (including IT and OT networks) of industrial enterprises to move from closed isolation to open interconnection, and the exposed surface of industrial control networks is enlarged and the network security threat faced is obviously increased. To better analyze network security events, full-basis data acquisition is a very necessary and efficient solution. By the aid of the storage of the basic data, a data basis is provided for further analysis of the network security events, and analysis and disposal work of the network security events can be effectively supported.
In the industrial enterprise scenario, Ethernet and the industrial bus form the two layers of the core channel for data exchange in the industrial control network. In recent years, besides attacks carried out over Ethernet, exploitation and attack events against industrial control networks over non-Ethernet protocols such as buses have occurred frequently. Some network security events can be confirmed by directly studying the event data that existing network security devices detect and alarm on in real time, but a large number of events must be traced to their source starting from that event data, with a secondary analysis of basic data such as logs, traffic and bus data within a certain time range around the event, before the authenticity and harm of the event can finally be determined. It is therefore necessary to retain basic data of the log, Ethernet and industrial bus types in the industrial enterprise scenario for subsequent analysis and judgment.
Industrial enterprises have many industrial control data acquisition points, and the total volume of acquired data is very large. An industrial control network of ordinary scale has more than 10,000 acquisition points in total, and the real-time signal acquisition period can reach the millisecond level. Full collection of log, bus and network traffic data requires large storage and computing resources, while the data directly related to network attack events makes up only a small proportion, so full collection is difficult to put into practice. Efficient and targeted methods and systems for collecting the basic data of industrial network security events are therefore needed, which accurately collect the basic data related to a security event and reduce the number of points and the scale of data collection for a single event, so as to balance the storage resources of industrial enterprises against the business requirement of analysing network security events.
For the problem of collecting basic data related to industrial enterprise network security events, existing technical schemes mainly collect logs and Ethernet data. The industry generally collects, stores and analyses Ethernet traffic by deploying full-traffic collection and storage devices, but rarely covers industrial bus data. Moreover, because full-traffic Ethernet collection devices can hardly cover every node given implementation and storage cost constraints, the prior art cannot effectively cover all network links in an industrial network and has difficulty supporting comprehensive analysis and judgment of network security events.
Disclosure of Invention
The invention aims to solve the technical problem of providing the method for directionally collecting the basic data of the industrial network security event, which adopts a brand new strategy design to analyze and execute data collection from two aspects of network structure dimension and time dimension, thereby not only reducing the data collection range of a single event, but also avoiding the omission of basic data required to be collected.
The invention adopts the following technical scheme for solving the technical problems: the invention designs a method for directionally collecting basic data of an industrial network security event, which is based on the collection of a target network security alarm event on various network security devices in an internal network of an industrial enterprise according to the following steps A to C, and realizes the directional collection of the basic data about the target network security alarm event;
step A, acquiring data results of all preset types corresponding to the target network security alarm event, combining a preset network security event knowledge base, acquiring related data of all preset attack chains associated with the target network security alarm event, forming event analysis result data corresponding to the target network security alarm event, and then entering the step B;
step B, calculating and obtaining an influence distance L corresponding to the target network security alarm event according to event analysis result data corresponding to the target network security alarm event, further obtaining a target data acquisition range, simultaneously obtaining a target acquisition time window, forming a target acquisition strategy corresponding to the target network security alarm event by the target data acquisition range and the target acquisition time window, and then entering the step C;
Step C: based on the target acquisition strategy corresponding to the target network security alarm event, acquire the basic data of the target data acquisition range within the target acquisition time window, realising the directional acquisition of basic data for the target network security alarm event.
As a preferred technical scheme of the invention: the method further includes step BC, executed after step B;
Step BC: for the target acquisition strategy corresponding to the target network security alarm event, combine the historical acquisition strategies already obtained, remove the space-time repeated parts from the target acquisition strategy, update the target acquisition strategy, and then enter step C.
As a preferred technical scheme of the invention: the method further includes step D, executed after step C;
Step D: store the basic data acquired in step C; based on the attack chain average duration windows t corresponding respectively to the target network security alarm event and the historically obtained network security alarm events, take the longest attack chain average duration window t as the retention period, and clear basic data that exceeds this period.
As a preferred technical scheme of the invention: the step A comprises the following steps of A1 to A3;
step A1, acquiring the corresponding preset data acquisition results of each type of the target network security alarm event, wherein the data acquisition results comprise event equipment IP/equipment name, event time, event type and confidence coefficient alpha, and then entering a step A2;
Step A2: based on the network security event knowledge base, which stores in advance the risk level h, the serial number s of the attack chain link and the attack chain average duration window t corresponding to each type of network security alarm event, obtain the risk level h, the serial number s of the attack chain link and the attack chain average duration window t associated with the target network security alarm event according to its event type, and then enter step A3;
Step A3: form the event analysis result data corresponding to the target network security alarm event from the event device IP/device name, event time, confidence α, risk level h, serial number s of the attack chain link and attack chain average duration window t corresponding to the target network security alarm event, and then enter step B.
As a preferred technical scheme of the invention: in the step B, according to event analysis result data corresponding to the target network security alarm event, calculating and obtaining an influence distance L corresponding to the target network security alarm event according to the following steps B1-1 to B1-3, thereby obtaining a target data acquisition range;
step B1-1, calculating to obtain a current overall safety factor c according to the risk level h and the event time in the event analysis result data corresponding to the target network safety alarm event and combining the risk level h and the event time respectively corresponding to each network safety alarm event obtained by history, and then entering the step B1-2;
Step B1-2: according to the confidence coefficient α, the risk level h and the serial number s of the attack chain link in which the event is located in the event analysis result data corresponding to the target network security alarm event, combined by multiplication with the current overall security factor c, calculate the influence distance L corresponding to the target network security alarm event, and then enter step B1-3;
Step B1-3: take the event device IP/device name in the event analysis result data corresponding to the target network security alarm event as the main node and the influence distance L corresponding to the target network security alarm event as the target node hop count, and, based on the internal network topology of the industrial enterprise, obtain every node device within the target node hop count from the main node and the paths between those node devices, forming the target data acquisition range.
As a preferred technical scheme of the invention: in the step B1-1, according to the risk level h in the event analysis result data corresponding to the target network security alarm event, combining the risk levels h respectively corresponding to the network security alarm events obtained by the history to obtain the current average risk level;
meanwhile, according to the event time in the event analysis result data corresponding to the target network security alarm event, the number of the network security alarm events in a preset duration period to which the event time belongs is divided by the average number of the network security alarm events in each history preset duration period to be used as the current event frequency level;
and then calculate the product of the average risk level and the event frequency level to form the current overall security factor c.
As a preferred technical scheme of the invention: in the step B, according to the event time in the event analysis result data corresponding to the target network security alarm event and the attack chain average duration window t, the target acquisition time window is formed by the attack chain average duration window t before and after the event time along the time sequence direction.
In view of the foregoing, the present invention further provides a system for directional collection of basic data of an industrial network security event, which adopts a modular design to efficiently realize directional collection of the designed basic data, so as to not only reduce the data collection range of a single event, but also avoid omission of the basic data required to be collected.
The invention adopts the following technical scheme to solve the technical problem: the invention designs a system implementing the method for directional acquisition of industrial network security event basic data, which comprises a network security event acquisition analysis module, a basic data acquisition strategy research and judgment module, and a basic data acquisition and storage module;
the network security event acquisition analysis module is used for aiming at a target network security alarm event, executing the step A, obtaining the corresponding preset data acquisition results of each type of the target network security alarm event, combining a preset network security event knowledge base, obtaining the related data of each type of preset attack chains associated with the target network security alarm event, forming event analysis result data corresponding to the target network security alarm event, transmitting the event analysis result data to the basic data acquisition strategy research and judgment module, and then entering the step B;
the basic data acquisition strategy research and judgment module executes step B: according to the event analysis result data corresponding to the target network security alarm event, it calculates the influence distance L corresponding to the target network security alarm event, obtains from it the target data acquisition range, obtains at the same time the target acquisition time window, forms the target acquisition strategy for the target network security alarm event from the target data acquisition range and the target acquisition time window, transmits the target acquisition strategy to the basic data acquisition and storage module, and then enters step BC;
the basic data acquisition and storage module executes step BC: for the target acquisition strategy corresponding to the target network security alarm event, it combines the historical acquisition strategies already obtained, removes the space-time repeated parts from the target acquisition strategy, updates the target acquisition strategy, and then enters step C;
the basic data acquisition and storage module then executes step C: based on the target acquisition strategy corresponding to the target network security alarm event, it acquires the basic data of the target data acquisition range within the target acquisition time window, realising directional acquisition of basic data for the target network security alarm event.
As a preferred technical scheme of the invention: the system further includes basic data acquisition equipment comprising various types of data acquisition devices; the basic data acquisition and storage module, according to the node devices and the paths between node devices in the internal network topology of the industrial enterprise that the various types of data acquisition devices respectively cover, sends the updated target acquisition strategy to the corresponding data acquisition devices, which each perform basic data acquisition for the target acquisition time window and return the acquired basic data to the basic data acquisition and storage module for storage.
As a preferred technical scheme of the invention: the basic data acquisition and storage module further executes step D to store the basic data acquired in step C.
Compared with the prior art, the method and the system for directionally collecting the basic data of the industrial network security event have the following technical effects:
the invention designs a method and a system for the directional collection of basic data about industrial network security events. Starting from target network security alarm events collected from the various network security devices in an industrial enterprise's internal network, the method and system build a target data collection range and a target collection time window, combine them into a target collection strategy for the alarm event, and then carry out directional collection of the basic data. This design narrows the time and space range of data collection and improves collection efficiency. At the same time, the maximum average duration window value determines how long data must be retained on the collection devices, avoiding the storage pressure that a backlog of data would cause. The collection range is also adjusted dynamically on the basis of indicators such as the overall network threat index, the danger level of the event and the confidence level, which improves the accuracy of the collected data, avoids collecting large amounts of invalid data and keeps the effective data as free of omissions as possible.
Drawings
FIG. 1 is a flow chart of a method for directionally collecting basic data of industrial network security events according to the present invention;
FIG. 2 is a schematic diagram of the architecture of the system designed by the present invention to implement the method for directional collection of industrial network security event basic data.
Detailed Description
The following describes the embodiments of the present invention in further detail with reference to the drawings.
Aiming at the defects of the existing scheme, the invention provides a method and a system for directionally collecting basic data of an industrial network security event, wherein the specific design thought is as follows:
(1) The scheme firstly describes the corresponding relation between the network topology of the industrial enterprise and the basic data acquisition equipment, namely the network range of each acquisition equipment supporting acquisition. The network topology is made up of points (i.e., devices, which may include IT devices, industrial control devices, etc.) and paths (i.e., communication links, which may include ethernet links, industrial bus links, etc.). The network security event basic data acquisition equipment supports acquisition of data such as logs, configuration, security software analysis results and the like on the point, and full acquisition of Ethernet network traffic and industrial bus link data on the path.
(2) The scheme then defines how a network security event is expressed. In addition to elements such as event type, event description and danger level, it adds elements describing the position of the event in the attack chain, such as the attack chain link serial number and the attack chain average duration window, which are used in the subsequent configuration of the acquisition strategy. Each type of network security event supports several detection rules, and each detection rule can be configured with a confidence level representing the credibility of the rule's result.
(3) When a network security event alarm occurs in the industrial network, the event analysis can obtain the main node influenced by the event alarm. The main node is used as a central node, the scheme provides a directional acquisition method, and the range of node or path data required to be acquired in the event is calculated. The method is based on factors such as a risk level, a confidence coefficient, an attack chain link sequence number and the like corresponding to the network security event type, and the influence distance of the event and a time window needing to be acquired on each distance are calculated by combining the overall environmental factors. And the central node is used as a circle center, and the influence distance is combined, so that the nodes and paths influenced by the network security event can be obtained, and a basic data acquisition strategy is formed.
(4) The basic data acquisition strategy is compared with the existing acquisition strategies to remove the parts that repeat in space and time; the corresponding acquisition devices are then notified, the corresponding data is extracted, summarised, stored and archived, and the basic data acquisition for the network security event is complete.
(5) The maximum acquisition time window across all network security event types is counted. The longest time for which collected data must be kept on each collection device is based on this maximum acquisition time window, and data exceeding it can be cleared in time to reduce the computing pressure on the collection device.
Based on this design thought, in practical application, as shown in FIG. 1, the method for directionally collecting basic data of industrial network security events according to the invention specifically includes steps A to C, which, starting from the collection of target network security alarm events on the various network security devices in the internal network of an industrial enterprise, implement directional collection of basic data for the target network security alarm event; the target network security alarm events here mainly refer to alarm events generated by existing network security devices such as firewalls, intrusion detection and host audit in the internal network of the industrial enterprise.
Step A: acquire the data results of all preset types corresponding to the target network security alarm event, combine the preset network security event knowledge base, acquire the related data of all preset attack chains associated with the target network security alarm event, form the event analysis result data corresponding to the target network security alarm event, and then enter step B.
In practical application, step A is designed as follows, executing steps A1 to A3.
Step A1: acquire the results of the preset acquired data of the various types corresponding to the target network security alarm event, including the event device IP/device name, event time, event type and confidence coefficient α, and then enter step A2. Here the confidence α is expressed as a percentage: the higher the value, the greater the credibility. Confidence is tied to the detection rule that produced the event, and several detection rules may exist for the same event type. Stricter and more complex detection rules generally carry a higher confidence, but their detection efficiency is often lower.
Step A2: based on the network security event knowledge base, which stores in advance the risk level h, the serial number s of the attack chain link and the attack chain average duration window t corresponding to each type of network security alarm event, obtain the risk level h, the serial number s of the attack chain link and the attack chain average duration window t associated with the target network security alarm event according to its event type, and then enter step A3.
Taking the currently mainstream ATT&CK model as an example, an end-to-end attack chain may consist of 14 tactic links: 1 reconnaissance, 2 information gathering, 3 initial access, 4 execution, 5 persistence, 6 privilege escalation, 7 defense evasion, 8 credential access, 9 discovery, 10 lateral movement, 11 collection, 12 command and control, 13 exfiltration, 14 impact. Executing the actions of each tactic can produce a variety of network security event types. The knowledge base collects and organises the tactics of the attack chain and the corresponding network security event types, so that the link serial number in the attack chain and the danger level of that type of network security event can be looked up by the event type field. Each tactic link of an attack chain has a certain attack duration; the average time of each link of an attack chain is recorded as the attack chain average duration window t.
Step A3: form the event analysis result data corresponding to the target network security alarm event from the event device IP/device name, event time, confidence α, risk level h, serial number s of the attack chain link and attack chain average duration window t corresponding to the target network security alarm event, and then enter step B.
Step B: according to the event analysis result data corresponding to the target network security alarm event, calculate the influence distance L corresponding to the target network security alarm event, obtain from it the target data acquisition range, obtain at the same time the target acquisition time window, form the target acquisition strategy for the target network security alarm event from the target data acquisition range and the target acquisition time window, and then enter step BC.
In the practical application, the step B calculates and obtains the influence distance L corresponding to the target network security alarm event according to the event analysis result data corresponding to the target network security alarm event as follows from the step B1-1 to the step B1-3, and further obtains the target data acquisition range.
Step B1-1: according to the risk level h in the event analysis result data corresponding to the target network security alarm event, combined with the risk levels h corresponding to the historically obtained network security alarm events, obtain the current average risk level; at the same time, according to the event time in the event analysis result data, divide the number of network security alarm events in the preset duration period to which the event time belongs by the average number of network security alarm events in each historical preset duration period, and use the quotient as the current event frequency level; then calculate the product of the average risk level and the event frequency level to form the current overall security factor c, and enter step B1-2. The higher the overall security factor, the higher the risk level of the events, the larger their number, the worse the security of the environment and the more dangerous the current state of the network.
Step B1-2: according to the confidence coefficient α, the risk level h and the serial number s of the attack chain link in which the event is located in the event analysis result data corresponding to the target network security alarm event, combined by multiplication with the current overall security factor c, calculate the influence distance L corresponding to the target network security alarm event, round it to an integer, and then enter step B1-3.
The higher the credibility of the network security alarm event, the higher its danger level and the worse the overall security of the network, the wider the range of nodes potentially intruded, the more links of the attack chain are involved, the larger the influence distance, and the more nodes and paths need to be acquired. Conversely, when the alarm event has low credibility, a low risk level and the overall network security is good, the association range of the event is smaller, the influence distance is smaller, and fewer nodes and paths need to be acquired. Depending on the serial number of the attack chain link in which the event is located, the influence distance at its highest leads to full-chain acquisition before and after the event, and at its lowest to acquisition of the event's own node only, without associated acquisition.
Step B1-3: take the event device IP/device name in the event analysis result data corresponding to the target network security alarm event as the main node and the influence distance L corresponding to the target network security alarm event as the target node hop count, and, based on the internal network topology of the industrial enterprise, obtain every node device within the target node hop count from the main node and the paths between those node devices, forming the target data acquisition range.
In the practical application, the step B forms a target acquisition time window according to the event time in the event analysis result data corresponding to the target network security alarm event and the attack chain average duration time window t before and after the event time along the time sequence direction.
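The following is an added worked example of steps B1-1 to B1-3 and the time window above; it is not code from the patent or its applicants. The patent does not publish the exact formula for L, so the formula in influence_distance(), the h_max normalisation, the one-hour preset duration period, and the sample topology and alarm events are all assumptions made for illustration.

```python
# Added example (not code from the patent): steps B1-1 to B1-3 plus the
# target acquisition time window. The patent text does not publish the exact
# formula for L, so the one in influence_distance() is an assumption, as are
# h_max, the one-hour preset period and the sample topology/events.
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

EPOCH = datetime(1970, 1, 1)  # fixed reference for bucketing naive datetimes


@dataclass
class EventAnalysis:
    """Event analysis result data (the fields listed in step A3 of the claims)."""
    device: str            # event device IP / device name: the main node
    event_time: datetime
    alpha: float           # confidence coefficient, 0..1
    h: int                 # risk level from the knowledge base
    s: int                 # serial number of the attack-chain link
    t: timedelta           # average duration window of the attack chain


def overall_security_factor(current, history, period=timedelta(hours=1)):
    """Step B1-1: c = average risk level * event frequency level."""
    all_events = history + [current]
    avg_risk = mean(e.h for e in all_events)
    # Count alarm events per preset duration period (assumed: one hour).
    counts = {}
    for e in all_events:
        key = (e.event_time - EPOCH) // period
        counts[key] = counts.get(key, 0) + 1
    cur_key = (current.event_time - EPOCH) // period
    historical = [n for k, n in counts.items() if k != cur_key]
    # Frequency level: events in the current period over the historical
    # per-period average (1.0 when there is no earlier period to compare).
    avg_count = mean(historical) if historical else counts[cur_key]
    return avg_risk * (counts[cur_key] / avg_count)


def influence_distance(current, c, h_max=5):
    """Step B1-2. ASSUMED formula: L = round(alpha * (h / h_max) * c * s).

    The patent only states that L grows with alpha, h, s and c and is rounded
    to an integer; L == 0 means the main node alone is acquired.
    """
    raw = current.alpha * (current.h / h_max) * c * current.s
    return max(0, round(raw))


def acquisition_range(topology, main_node, hops):
    """Step B1-3: breadth-first search within `hops` of the main node.

    Returns the node devices reached and the links (paths) among them.
    """
    adj = {}  # treat the topology as undirected even if listed one-way
    for a, neighbours in topology.items():
        for b in neighbours:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    dist = {main_node: 0}
    queue = deque([main_node])
    while queue:
        n = queue.popleft()
        if dist[n] == hops:
            continue
        for m in adj.get(n, ()):
            if m not in dist:
                dist[m] = dist[n] + 1
                queue.append(m)
    nodes = set(dist)
    edges = {tuple(sorted((a, b))) for a in nodes for b in adj.get(a, ()) if b in nodes}
    return nodes, edges


def acquisition_window(current):
    """Target acquisition time window: t before and t after the event time."""
    return current.event_time - current.t, current.event_time + current.t


def build_strategy(current, history, topology):
    """Target data acquisition range + time window = target acquisition strategy."""
    c = overall_security_factor(current, history)
    L = influence_distance(current, c)
    nodes, edges = acquisition_range(topology, current.device, L)
    return {"c": c, "L": L, "nodes": nodes, "edges": edges,
            "window": acquisition_window(current)}


# Constructed sample data: a small OT network and four alarm events.
TOPOLOGY = {
    "switch-a": ["hmi-01", "plc-01", "plc-02", "fw-dmz"],
    "fw-dmz": ["historian", "eng-ws"],
}
HISTORY = [
    EventAnalysis("hmi-01", datetime(2024, 1, 10, 9, 10), 0.6, 1, 1, timedelta(hours=1)),
    EventAnalysis("eng-ws", datetime(2024, 1, 10, 9, 40), 0.7, 2, 2, timedelta(hours=2)),
    EventAnalysis("plc-02", datetime(2024, 1, 10, 10, 15), 0.5, 1, 1, timedelta(hours=1)),
]
CURRENT = EventAnalysis("plc-01", datetime(2024, 1, 10, 10, 30), 0.8, 3, 2, timedelta(hours=2))

if __name__ == "__main__":
    print(build_strategy(CURRENT, HISTORY, TOPOLOGY))
```

With the constructed data the average risk level is 1.75 and the current hour holds as many alarms as the historical average, so c = 1.75; the assumed formula then gives L = 2, and the two-hop search from plc-01 reaches the switch and its other directly attached devices but stops short of the historian and engineering workstation behind the DMZ firewall.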
Step BC: for the target acquisition strategy of the target network security alarm event, combine the historical acquisition strategies already obtained, remove the part of the target strategy that overlaps them in space and time, update the target acquisition strategy, then proceed to step C.
Step C: based on the target acquisition strategy of the target network security alarm event, acquire the basic data of the target data acquisition range within the target acquisition time window, realizing the directional acquisition of basic data about the target network security alarm event; then proceed to step D.
Step D: store the basic data acquired in step C. Among the attack chain average duration windows t of the target network security alarm event and of the historically obtained network security alarm events, take the longest window t as the retention period and clear basic data older than that period.
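An added example of steps BC and D, not code from the patent: reading "space-time repeated part" as, for each node device, the time intervals that an earlier strategy has already collected, and purging stored records older than the longest window t. The per-node interval subtraction, the strategy and record layouts, and all sample values are assumptions made for illustration.

```python
# Added example (not code from the patent): step BC, removing the part of a
# target acquisition strategy that overlaps earlier strategies in space and
# time, and step D, purging stored basic data older than the longest average
# attack-chain window t. Per-node interval subtraction is an assumed reading
# of "space-time repeated part"; all strategies and records are constructed.
from datetime import datetime, timedelta


def subtract_intervals(window, covered):
    """Return the parts of `window` not covered by any interval in `covered`."""
    pieces = [window]
    for cs, ce in sorted(covered):
        remaining = []
        for ps, pe in pieces:
            if ce <= ps or cs >= pe:          # disjoint: keep the piece whole
                remaining.append((ps, pe))
                continue
            if cs > ps:                       # uncovered head
                remaining.append((ps, cs))
            if ce < pe:                       # uncovered tail
                remaining.append((ce, pe))
        pieces = remaining
    return pieces


def dedupe_strategy(target, history):
    """Step BC: per node device, keep only the time ranges no earlier strategy
    already collected; drop nodes with nothing left to collect."""
    plan = {}
    for node in target["nodes"]:
        covered = [h["window"] for h in history if node in h["nodes"]]
        remaining = subtract_intervals(target["window"], covered)
        if remaining:
            plan[node] = remaining
    # A path is only still needed if both of its end devices are.
    edges = {e for e in target["edges"] if e[0] in plan and e[1] in plan}
    return {"event_id": target["event_id"], "plan": plan, "edges": edges}


def purge_expired(store, windows, now):
    """Step D: the retention period is the longest average attack-chain window
    t among the target and historical events; older records are cleared."""
    period = max(windows.values())
    kept = [r for r in store if now - r["collected_at"] <= period]
    return kept, len(store) - len(kept)


D = datetime(2024, 1, 10)  # constructed date shared by all sample timestamps

HISTORY = [
    {"event_id": "E0", "nodes": {"eng-ws"}, "edges": set(),
     "window": (D + timedelta(hours=8), D + timedelta(hours=13))},
    {"event_id": "E1", "nodes": {"switch-a", "fw-dmz"}, "edges": {("fw-dmz", "switch-a")},
     "window": (D + timedelta(hours=7), D + timedelta(hours=9, minutes=30))},
    {"event_id": "E2", "nodes": {"fw-dmz"}, "edges": set(),
     "window": (D + timedelta(hours=11), D + timedelta(hours=13))},
]
TARGET = {
    "event_id": "E3",
    "nodes": {"plc-01", "switch-a", "fw-dmz", "eng-ws"},
    "edges": {("plc-01", "switch-a"), ("fw-dmz", "switch-a"), ("eng-ws", "fw-dmz")},
    "window": (D + timedelta(hours=8, minutes=30), D + timedelta(hours=12, minutes=30)),
}
STORE = [
    {"event_id": "E1", "node": "switch-a", "collected_at": D + timedelta(hours=6)},
    {"event_id": "E2", "node": "fw-dmz", "collected_at": D + timedelta(hours=9)},
    {"event_id": "E3", "node": "plc-01", "collected_at": D + timedelta(hours=10, minutes=40)},
]
WINDOWS_T = {"E1": timedelta(hours=1), "E2": timedelta(hours=2), "E3": timedelta(hours=4)}

if __name__ == "__main__":
    print(dedupe_strategy(TARGET, HISTORY))
    print(purge_expired(STORE, WINDOWS_T, D + timedelta(hours=12)))
```

In the constructed case plc-01 keeps its full window, switch-a and fw-dmz lose the part already covered by E1 (and fw-dmz also the part E2 will cover), and eng-ws drops out entirely because E0 already spans the whole target window; the eng-ws path is dropped with it. With the longest window being four hours, a purge at 12:00 clears only the E1 record collected at 06:00.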
Based on the above scheme, a system for implementing the method for directional acquisition of basic data of industrial network security events is also designed. In practical application, as shown in Fig. 2, the design comprises a network security event acquisition and analysis module, a basic data acquisition strategy research and judgment module, a basic data acquisition and storage module, and basic data acquisition equipment made up of various types of data acquisition devices.
The network security event acquisition and analysis module executes step A: it obtains the preset data acquisition results of each type for the target network security alarm event, combines them with the preset network security event knowledge base to obtain the related data of each preset attack chain associated with the event, forms the event analysis result data of the target network security alarm event, transmits it to the basic data acquisition strategy research and judgment module, and step B then begins.
The basic data acquisition strategy research and judgment module executes step B: from the event analysis result data of the target network security alarm event it calculates the influence distance L, from which the target data acquisition range is obtained, and at the same time obtains the target acquisition time window; the range and the window together form the target acquisition strategy of the target network security alarm event, which is transmitted to the basic data acquisition and storage module, after which step BC begins.
The basic data acquisition and storage module executes step BC: for the target acquisition strategy of the target network security alarm event, it combines the historical acquisition strategies already obtained, removes the part of the target strategy that overlaps them in space and time, updates the target acquisition strategy, and step C then begins.
The basic data acquisition and storage module further executes step C: based on the target acquisition strategy of the target network security alarm event, it acquires the basic data of the target data acquisition range within the target acquisition time window, realizing the directional acquisition of basic data about the target network security alarm event.
In the specific design, the basic data acquisition and storage module sends the updated target acquisition strategy to the corresponding data acquisition devices according to which node devices and paths of the industrial enterprise's internal network topology each type of device in the basic data acquisition equipment covers; the devices each execute basic data acquisition for the target acquisition time window and return the acquired basic data to the basic data acquisition and storage module, which executes step D to store it.
In practical application, the design of the invention realizes a dynamic, directional acquisition method for the basic data of industrial network security events, comprising the calculation of the influence distance and the determination of the time window, which define the device range and the time range of the basic data to be acquired. It also realizes dynamic adjustment of the acquisition range based on indexes such as the overall network threat index and the event's risk level and confidence level, effectively reducing the space-time range of acquisition and ensuring the feasibility of acquiring the event's basic data.
The invention acquires target network security alarm events from the various network security devices in the industrial enterprise's internal network and, by constructing the target data acquisition range and the target acquisition time window, forms the target acquisition strategy of each target network security alarm event and executes the directional acquisition of basic data. This design effectively reduces the time and space range of data acquisition and improves acquisition efficiency. At the same time, the largest average duration window value determines the retention period of data on the acquisition equipment, avoiding the storage pressure caused by a large backlog of data. The design also dynamically adjusts the acquisition range based on indexes such as the overall network threat index and the event's risk level and confidence level, improving the accuracy of the acquired data, avoiding the acquisition of large amounts of invalid data, and ensuring as far as possible that valid data is not omitted.
The embodiments of the present invention have been described in detail with reference to the drawings, but the present invention is not limited to the above embodiments, and various changes can be made within the knowledge of those skilled in the art without departing from the spirit of the present invention.

Claims (9)

1. A method for directional acquisition of basic data of industrial network security events, characterized in that: based on the acquisition of target network security alarm events from the various network security devices in the internal network of an industrial enterprise, the method performs the following steps A to C to realize the directional acquisition of basic data about the target network security alarm event;
step A, obtaining the preset data acquisition results of each type for the target network security alarm event, combining them with a preset network security event knowledge base to obtain the related data of each preset attack chain associated with the target network security alarm event, forming event analysis result data corresponding to the target network security alarm event, and then entering step B;
step B, according to the event analysis result data corresponding to the target network security alarm event, calculating the influence distance L corresponding to the target network security alarm event by the following steps B1-1 to B1-3, thereby obtaining the target data acquisition range, at the same time obtaining the target acquisition time window, forming the target acquisition strategy corresponding to the target network security alarm event from the target data acquisition range and the target acquisition time window, and then entering step C;
step B1-1, calculating the current overall security factor c according to the risk level h and the event time in the event analysis result data corresponding to the target network security alarm event, combined with the risk level h and the event time of each historically obtained network security alarm event, and then entering step B1-2;
step B1-2, calculating the influence distance L corresponding to the target network security alarm event according to the confidence coefficient alpha, the risk level h and the serial number s of the attack chain link in the event analysis result data corresponding to the target network security alarm event, combined with the product involving the current overall security factor c, and then entering step B1-3;
step B1-3, taking the event device IP / device name in the event analysis result data corresponding to the target network security alarm event as the main node and the influence distance L corresponding to the target network security alarm event as the target node hop count, and, based on the internal network topology of the industrial enterprise, obtaining each node device within the target hop count of the main node and the paths among those node devices, to form the target data acquisition range;
step C, based on the target acquisition strategy corresponding to the target network security alarm event, acquiring the basic data of the target data acquisition range within the target acquisition time window, realizing the directional acquisition of basic data about the target network security alarm event.
2. The method for directional acquisition of basic data of industrial network security events according to claim 1, characterized in that: the method further comprises a step BC, executed after step B;
step BC, for the target acquisition strategy corresponding to the target network security alarm event, combining the historical acquisition strategies already obtained, removing the part of the target acquisition strategy that overlaps them in space and time, updating the target acquisition strategy, and then entering step C.
3. The method for directional acquisition of basic data of industrial network security events according to claim 2, characterized in that: the method further comprises a step D, executed after step C;
step D, storing the basic data acquired in step C, and, among the attack chain average duration windows t corresponding to the target network security alarm event and to the historically obtained network security alarm events, taking the longest attack chain average duration window t as the retention period and clearing the basic data older than that period.
4. The method for directional acquisition of basic data of industrial network security events according to any one of claims 1 to 3, characterized in that: step A comprises the following steps A1 to A3;
step A1, obtaining the preset data acquisition results of each type corresponding to the target network security alarm event, the data acquisition results comprising the event device IP / device name, the event time, the event type and the confidence coefficient alpha, and then entering step A2;
step A2, based on a network security event knowledge base that stores in advance the risk level h, the serial number s of the attack chain link and the attack chain average duration window t corresponding to each type of network security alarm event, obtaining the risk level h, the serial number s of the attack chain link and the attack chain average duration window t associated with the target network security alarm event according to its event type, and then entering step A3;
step A3, forming the event analysis result data corresponding to the target network security alarm event from the event device IP / device name, the event time, the confidence coefficient alpha, the risk level h, the serial number s of the attack chain link and the attack chain average duration window t corresponding to the target network security alarm event, and then entering step B.
5. The method for directional acquisition of basic data of industrial network security events according to claim 1, characterized in that: in step B1-1, the current average risk level is obtained from the risk level h in the event analysis result data corresponding to the target network security alarm event, combined with the risk levels h corresponding to the historically obtained network security alarm events;
at the same time, according to the event time in the event analysis result data corresponding to the target network security alarm event, the number of network security alarm events in the preset duration period containing the event time is divided by the average number of network security alarm events per historical preset duration period, the quotient being the current event frequency level;
and the product of the average risk level and the event frequency level is then calculated to form the current overall security factor c.
6. The method for directional acquisition of basic data of industrial network security events according to claim 4, characterized in that: in step B, the target acquisition time window is formed from the event time in the event analysis result data corresponding to the target network security alarm event and the attack chain average duration window t, extending t before and t after the event time along the time axis.
7. A system for implementing the method for directional acquisition of basic data of industrial network security events according to any one of claims 2 to 6, characterized in that: the system comprises a network security event acquisition and analysis module, a basic data acquisition strategy research and judgment module and a basic data acquisition and storage module;
the network security event acquisition and analysis module executes step A for a target network security alarm event: it obtains the preset data acquisition results of each type corresponding to the target network security alarm event, combines them with a preset network security event knowledge base to obtain the related data of each preset attack chain associated with the target network security alarm event, forms the event analysis result data corresponding to the target network security alarm event, transmits it to the basic data acquisition strategy research and judgment module, and then step B begins;
the basic data acquisition strategy research and judgment module executes step B: according to the event analysis result data corresponding to the target network security alarm event, it calculates the influence distance L corresponding to the target network security alarm event by the following steps B1-1 to B1-3, thereby obtaining the target data acquisition range, at the same time obtains the target acquisition time window, forms the target acquisition strategy corresponding to the target network security alarm event from the target data acquisition range and the target acquisition time window, transmits the target acquisition strategy to the basic data acquisition and storage module, and then step BC begins;
step B1-1, calculating the current overall security factor c according to the risk level h and the event time in the event analysis result data corresponding to the target network security alarm event, combined with the risk level h and the event time of each historically obtained network security alarm event, and then entering step B1-2;
step B1-2, calculating the influence distance L corresponding to the target network security alarm event according to the confidence coefficient alpha, the risk level h and the serial number s of the attack chain link in the event analysis result data corresponding to the target network security alarm event, combined with the product involving the current overall security factor c, and then entering step B1-3;
step B1-3, taking the event device IP / device name in the event analysis result data corresponding to the target network security alarm event as the main node and the influence distance L corresponding to the target network security alarm event as the target node hop count, and, based on the internal network topology of the industrial enterprise, obtaining each node device within the target hop count of the main node and the paths among those node devices, to form the target data acquisition range;
the basic data acquisition and storage module executes step BC for the target acquisition strategy corresponding to the target network security alarm event: combining the historical acquisition strategies already obtained, it removes the part of the target acquisition strategy that overlaps them in space and time, updates the target acquisition strategy, and then step C begins;
the basic data acquisition and storage module further executes step C for the target acquisition strategy: based on the target acquisition strategy corresponding to the target network security alarm event, it acquires the basic data of the target data acquisition range within the target acquisition time window, realizing the directional acquisition of basic data about the target network security alarm event.
8. The system for implementing the method for directional acquisition of basic data of industrial network security events according to claim 7, characterized in that: the system further comprises basic data acquisition equipment made up of various types of data acquisition devices; the basic data acquisition and storage module sends the updated target acquisition strategy to the corresponding data acquisition devices according to which node devices and paths of the industrial enterprise's internal network topology each type of device in the basic data acquisition equipment covers; the devices each execute basic data acquisition for the target acquisition time window and return the acquired basic data to the basic data acquisition and storage module for storage.
9. The system for implementing the method for directional acquisition of basic data of industrial network security events according to claim 7, characterized in that: for the basic data acquired in step C, the basic data acquisition and storage module executes step D to realize basic data storage.
CN202310043084.6A 2023-01-29 2023-01-29 Directional acquisition method and system for basic data of industrial network security event Active CN115776409B (en)
Publications (2)

Publication Number Publication Date
CN115776409A CN115776409A (en) 2023-03-10
CN115776409B true CN115776409B (en) 2023-06-06

Family

ID=85393747

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant