CN116132161B - Threat analysis and assessment method for power monitoring system - Google Patents

Abstract

The invention relates to a threat analysis and evaluation method for an electric power monitoring system, which is characterized by comprising the following steps: the method comprises the steps of calculating safety characteristic parameter weights based on absolute association degrees, calculating safety characteristic parameter risks based on three dimensions of information safety and calculating comprehensive threat assessment values of the power monitoring system. The method comprises the steps of firstly summarizing collected safety feature parameters, establishing an observation matrix by utilizing the safety feature parameters as a basis for threat analysis and evaluation, calculating the safety feature parameter weight by utilizing absolute association degree, then using CIA triples as analysis tuples to finish calculation of the safety feature parameter risks of the power monitoring system, and finally utilizing global influence weights of the safety feature parameters obtained by calculation and risk evaluation values respectively caused by attacks in CIA three dimensions to obtain comprehensive threat evaluation values of the power monitoring system and updating in real time. Has the advantages of scientific and reasonable method, strong applicability and good effect.

Description

Threat analysis and assessment method for power monitoring system

Technical Field

The invention belongs to the technical field of network security, and relates to a threat analysis and assessment method for an electric power monitoring system.

Background

In the prior art, an electric power monitoring system refers to intelligent equipment and a system which play a role in monitoring and controlling in the electric power production and transmission process, and are used for supporting the safe and stable operation of the electric power system and ensuring the reliable supply of electric power. The functions of the power monitoring system comprise user management, data acquisition and processing, event recording, fault alarming, remote signaling, remote control, remote measurement and the like. With the increasingly wide application of computer information technology in the power industry, the power monitoring system inevitably becomes a target of various network attacks due to the vulnerability and importance of the power monitoring system. Therefore, threat analysis and evaluation are performed on the power monitoring system, the safety of the power system is improved, and the problem to be solved in the field is to be solved in a urgent need. The threat analysis and evaluation method for the power monitoring system at present mainly has the following problems:

(1) The existing threat analysis method needs to scan system resources such as system logs in real time, which may cause overload of equipment;

(2) In the existing threat analysis method, when unified formatting is performed on multi-source heterogeneous data, the situation of carrying out false clipping on useful information can occur;

(3) Because of the complexity of the power monitoring system itself, the system may have delayed responses to some attacks, which may be unacceptable for certain devices with high real-time requirements.

Disclosure of Invention

The invention aims to overcome the defects of the prior art and provides a threat analysis and evaluation method for an electric power monitoring system, which can evaluate the influence degree and range of an attack on a target and can optimize in real-time and reliability.

The aim of the invention is optimally realized by the following technical scheme: a threat analysis and assessment method for an electric power monitoring system, the method comprising: the method comprises the steps of calculating safety characteristic parameter weights based on absolute association, calculating safety characteristic parameter risks based on information safety three dimensions and calculating comprehensive threat assessment values of a power monitoring system.

Further, the calculation of the security feature parameter weight based on the absolute association degree is to calculate the influence value of the security feature parameter in the network global, collect the collected security feature parameter, use the security feature parameter to establish an observation matrix as the basis of threat analysis and evaluation, and set m security feature parameters in total, where the m security feature parameters include system log analysis, attack alarm information, equipment abnormality analysis and comprehensive risk analysis, and the established observation matrix A is expressed as:

the i-th column of the matrix a, i=1, 2,..m, represents the influence value of the i-th security feature parameter at the T, t=1, 2,..t, moment, for making the data of each group more comparable to the element x of the matrix a _i (t) performing initial value operation according to the formula (2) to obtain x _i ′(t)：

Wherein x is _i (t) is the influence value, x of the ith safety feature parameter at the time t _i (1) For the impact value of the ith security feature parameter at time t=1, i.e. the first row element of matrix a, an initialized matrix a' is thus obtained:

calculating the association coefficient of each sub-item based on a matrix A 'and forming an association matrix, wherein the first column in the matrix A' is a reference sequence, namely X ₁ ＝{x ₁ ′(1),x ₁ ′(2),...,x ₁ ′(T)}＝{1,x ₁ ′(2),...,x ₁ 'T', the remaining columns being comparison sequences, X _i ＝{x _i ′(1),x _i ′(2),...,x _i ′(T)}＝{1,x _i ′(2),...,x _i ' T } i=2, 3,..m, one subtracting from the reference sequence by equations (4), (5)Generating Δx ₁ (t) one subtraction of the comparison sequence to yield Δx _i (t)：

Δx ₁ (t)＝x ₁ ′(t)-x ₁ ′(t-1)，t＝2,3,....,T (4)

Δx _i (t)＝x _i ′(t)-x _i ′(t-1),i＝2,3,...,m；t＝2,3,...,T (5)

Then calculate the association coefficient gamma _i (t)：

Thereby obtaining an association matrix R:

obtaining any two safety characteristic parameters according to formulas (8), (9) and (10)And->Correlation between->

Thereby obtaining a new association matrix R':

the matrix R 'is a non-negative symmetric matrix of m x m, provided that the matrix R' has a maximum eigenvalue lambda _max And there is a feature vector P such that lambda _max P＝R′P,P＝[ω ₁ ,ω ₂ ,...,ω _m ] ^T Wherein ω is _i And (3) representing the global influence weight of the ith security feature parameter, wherein i=1, 2,..m, and calculating the global influence weight of the m security feature parameters on the network according to the global influence weight.

Further, the calculation of the security feature parameter risk based on information security three dimensions is to realize the calculation of the security feature parameter risk value of the power monitoring system when the power monitoring system handles the attack, and the CIA triples are used, namely: confidentiality (importance), integrity (Integrity), availability (Availability) as analysis tuples, for element a in the underlying propagation hierarchy tuple ₁ ,a ₂ ,...,a _n The importance comparison is carried out as shown in a specific formula (12):

wherein u is _jk 、v _jk And w _jk The confidentiality fuzzy matrix M can be obtained by comparing the results of the elements with three dimensions of confidentiality, integrity and availability _C Integrity fuzzy matrix M _I And availability ambiguity matrix M _A ：

Judging whether the matrix meets the fuzzy consistency, if the matrix is a fuzzy inconsistent matrix, adjusting the matrix into the fuzzy consistency matrix, and designating the difference between two rows of corresponding elements in the matrix as a constant according to the judging principle of the fuzzy consistency matrix, wherein the fuzzy consistency matrix is as follows:

wherein u is _fg ,u _fh ,u _gh ∈M _c ，v _fg ,v _fh ,v _gh ∈M _I ，w _fg ,w _fh ,w _gh ∈M _A F=1, 2, ··, n, g=1, 2, the terms, n, h=1, 2, n, f +.g +.h, the matrix is normalized according to equation (17):

wherein u' _fg 、v′ _fg And w' _fg Respectively represent the fuzzy matrix M in three dimensions of confidentiality, integrity and availability _C 、M _I And M _A A result of the element unification processing;

calculating threat assessment index of attack in CIA three dimensions:

after threat evaluation indexes of different dimensions are calculated, attack is performed on risk evaluation values f respectively caused by CIA three-dimensions _C 、f _I And f _A The calculation formula is as follows:

wherein the value of the function T (x) increases with the number of attacks x, and the expression is defined as:

and accordingly, the calculation of the safety characteristic parameter risk of the power monitoring system is completed.

Further, the comprehensive threat assessment value of the power monitoring system is calculated by using the global influence weight omega of the m security feature parameters obtained by calculation _i I=1, 2,..m, and risk assessment value f by attack on CIA three-dimension, respectively _C 、f _I And f _A Finally, the comprehensive threat assessment value CT of the power monitoring system is obtained and updated in real time, and the calculation method is shown as a formula (21):

wherein x is _i (t) is the influence value, omega, of the ith safety feature parameter at the time t _i Global impact weight representing the i-th security feature parameter, i=1, 2,.. _C 、f _I And f _A Is a risk evaluation value respectively caused by attacks in CIA three-dimension, and alpha, beta and χ are respectively used for measuring f _C 、f _I And f _A Is a weight of (2).

The threat analysis and assessment method for the power monitoring system comprises the steps of firstly summarizing collected safety feature parameters, establishing an observation matrix by using the safety feature parameters, calculating the safety feature parameter weight by using absolute association, then using CIA triplets as analysis tuples, completing calculation of the risk of the safety feature parameters of the power monitoring system, and finally obtaining comprehensive threat assessment values of the power monitoring system by using global influence weights of the safety feature parameters obtained by calculation and risk assessment values respectively caused by attacks in CIA three dimensions. The influence degree and range of the attack on the target can be evaluated, and the real-time performance and reliability can be optimized. Has the advantages of scientific and reasonable method, strong applicability and good effect.

Drawings

FIG. 1 is a flow chart of a threat analysis and assessment method for an electrical monitoring system according to the present invention.

Detailed Description

The invention will be further described with reference to the drawings and the detailed description.

Referring to fig. 1, the threat analysis and assessment method for a power monitoring system provided by the invention includes: the method comprises the following specific contents of calculating the safety characteristic parameter weight based on the absolute association degree, calculating the safety characteristic parameter risk based on the information safety three dimensions and calculating the comprehensive threat assessment value of the power monitoring system:

1) Calculation of security feature parameter weights based on absolute relevance

In order to calculate the influence value of the security feature parameter in the network global, summarizing the collected security feature parameter, and taking the collected security feature parameter as the basis of threat analysis and evaluation, establishing an observation matrix by using the security feature parameter, and setting m security feature parameters in total, wherein the m security feature parameters comprise system log analysis, attack alarm information, equipment abnormality analysis and comprehensive risk analysis, and the established observation matrix A is expressed as:

the i-th column of the matrix a, i=1, 2,..m, represents the influence value of the i-th security feature parameter at the T, t=1, 2,..t, moment, for making the data of each group more comparable to the element x of the matrix a _i (t) performing initial value operation according to the formula (2) to obtain x _i ′(t)：

Wherein x is _i (t) is the influence value, x of the ith safety feature parameter at the time t _i (1) For the impact value of the ith security feature parameter at time t=1, i.e. the first row element of matrix a, an initialized matrix a' is thus obtained:

calculating the association coefficient of each sub-item based on a matrix A 'and forming an association matrix, wherein the first column in the matrix A' is a reference sequence, namely X ₁ ＝{x ₁ ′(1),x ₁ ′(2),...,x ₁ ′(T)}＝{1,x ₁ ′(2),...,x ₁ 'T', the remaining columns being comparison sequences, X _i ＝{x _i ′(1),x _i ′(2),...,x _i ′(T)}＝{1,x _i ′(2),...,x _i ' s (T) }, i=2, 3,..m, generating Deltax by one time subtracting the reference sequence by the formulas (4), (5) ₁ (t) one subtraction of the comparison sequence to yield Δx _i (t)：

Δx ₁ (t)＝x ₁ ′(t)-x ₁ ′(t-1)，t＝2,3,....,T (4)

Δx _i (t)＝x _i ′(t)-x _i ′(t-1),i＝2,3,...,m；t＝2,3,...,T (5)

Then calculate the association coefficient gamma _i (t)：

Thereby obtaining an association matrix R:

obtaining any two safety characteristic parameters according to formulas (8), (9) and (10)And->Correlation between->

Thereby obtaining a new association matrix R':

the matrix R 'is a non-negative symmetric matrix of m x m, provided that the matrix R' has a maximum eigenvalue lambda _max And there is a feature vector P such that lambda _max P＝R′P,P＝[ω ₁ ,ω ₂ ,...,ω _m ] ^T Wherein ω is _i Representing global influence weights of the ith security feature parameter, i=1, 2..m, and accordingly completing calculation of the global influence weights of the m security feature parameters on the network;

2) Information security three-dimensional based security feature parameter risk calculation

In order to realize the calculation of the risk value of the safety characteristic parameter of the power monitoring system when coping with the attack, CIA triples are used, namely: confidentiality (importance), integrity (Integrity), availability (Availability) as analysis tuples, for element a in the underlying propagation hierarchy tuple ₁ ,a ₂ ,...,a _n The importance comparison is carried out as shown in a specific formula (12):

wherein u is _jk 、v _jk And w _jk The confidentiality fuzzy matrix M can be obtained by comparing the results of the elements with three dimensions of confidentiality, integrity and availability _C Integrity fuzzy matrix M _I And availability ambiguity matrix M _A ：

Judging whether the matrix meets the fuzzy consistency, if the matrix is a fuzzy inconsistent matrix, adjusting the matrix into the fuzzy consistency matrix, and designating the difference between two rows of corresponding elements in the matrix as a constant according to the judging principle of the fuzzy consistency matrix, wherein the fuzzy consistency matrix is as follows:

wherein u is _fg ,u _fh ,u _gh ∈M _c ，v _fg ,v _fh ,v _gh ∈M _I ，w _fg ,w _fh ,w _gh ∈M _A F=1, 2, ··, n, g=1, 2, the terms, n, h=1, 2, n, f +.g +.h, the matrix is normalized according to equation (17):

wherein u' _fg 、v′ _fg And w' _fg Respectively represent the fuzzy matrix M in three dimensions of confidentiality, integrity and availability _C 、M _I And M _A A result of the element unification processing;

calculating threat assessment index of attack in CIA three dimensions:

after threat evaluation indexes of different dimensions are calculated, attack is performed on risk evaluation values f respectively caused by CIA three-dimensions _C 、f _I And f _A The calculation formula is as follows:

wherein the value of the function T (x) increases with the number of attacks x, and the expression is defined as:

the calculation of the safety characteristic parameter risk of the power monitoring system is completed according to the risk;

3) Calculation of comprehensive threat assessment value of power monitoring system

Global impact weight omega of m security feature parameters obtained by calculation _i I=1, 2,..m, and risk assessment value f by attack on CIA three-dimension, respectively _C 、f _I And f _A Finally, the comprehensive threat assessment value CT of the power monitoring system is obtained and updated in real time, and the calculation method is shown as a formula (21):

wherein x is _i (t) is the influence value, omega, of the ith safety feature parameter at the time t _i Global impact weight representing the i-th security feature parameter, i=1, 2,.. _C 、f _I And f _A Is a risk evaluation value respectively caused by attacks in CIA three-dimension, and alpha, beta and χ are respectively used for measuring f _C 、f _I And f _A Is a weight of (2).

The software programs to which the present invention applies are organized according to automation, network and computer processing techniques, familiar to those skilled in the art.

The detailed description of the invention is not intended to be exhaustive or to limit the scope of the claims, and other substantially equivalent substitutions will now occur to those skilled in the art from the teachings of the present embodiments without the exercise of inventive faculty, and are within the scope of the invention.

Claims (1)

1. A threat analysis and evaluation method for an electric power monitoring system is characterized in that: the method comprises the steps of calculating safety characteristic parameter weights based on absolute association, calculating safety characteristic parameter risks based on three dimensions of information safety and calculating comprehensive threat assessment values of a power monitoring system;

the calculation of the security feature parameter weight based on the absolute association degree is to calculate the influence value of the security feature parameter in the network global, collect the collected security feature parameter, use the security feature parameter to establish an observation matrix as the basis of threat analysis and evaluation, and set m security feature parameters in total, wherein the m security feature parameters comprise system log analysis, attack alarm information, equipment abnormality analysis and comprehensive risk analysis, and the established observation matrix A is expressed as:

wherein, the ith column, i of matrix AThe values of the influence of the ith safety feature parameter at T, t=1, 2,.. _i (t) performing initial value operation according to the formula (2) to obtain x _i ′(t)：

Wherein x is _i (t) is the influence value, x of the ith safety feature parameter at the time t _i (1) For the impact value of the ith security feature parameter at time t=1, i.e. the first row element of matrix a, an initialized matrix a' is thus obtained:

calculating the association coefficient of each sub-item based on a matrix A 'and forming an association matrix, wherein the first column in the matrix A' is a reference sequence, namely X ₁ ＝{x ₁ ′(1),x ₁ ′(2),...,x ₁ ′(T)}＝{1,x ₁ ′(2),...,x ₁ 'T', the remaining columns being comparison sequences, X _i ＝{x _i ′(1),x _i ′(2),...,x _i ′(T)}＝{1,x _i ′(2),...,x _i ' s (T) }, i=2, 3,..m, generating Deltax by one time subtracting the reference sequence by the formulas (4), (5) ₁ (t) one subtraction of the comparison sequence to yield Δx _i (t)：

Δx ₁ (t)＝x ₁ ′(t)-x ₁ ′(t-1)，t＝2,3,....,T (4)

Δx _i (t)＝x _i ′(t)-x _i ′(t-1),i＝2,3,...,m；t＝2,3,...,T (5)

Then calculate the association coefficient gamma _i (t)：

Thereby obtaining an association matrix R:

obtaining any two safety characteristic parameters according to formulas (8), (9) and (10)And->Correlation between->

Thereby obtaining a new association matrix R':

the matrix R 'is a non-negative symmetric matrix of m x m, provided that the matrix R' has a maximum eigenvalue lambda _max And there is a feature vector P such that lambda _max P＝R′P,P＝[ω ₁ ,ω ₂ ,...,ω _m ] ^T Wherein ω is _i Representing the security feature parameter of item iGlobal impact weight, i=1, 2,..m, accordingly, the calculation of the global influence weight of the m security feature parameters on the network is completed;

the calculation of the security feature parameter risk based on information security three dimensions is the calculation of the security feature parameter risk value of the power monitoring system when the power monitoring system is in response to attack, and CIA triples are used, namely: confidentiality (importance), integrity (Integrity), availability (Availability) as analysis tuples, for element a in the underlying propagation hierarchy tuple ₁ ,a ₂ ,...,a _n The importance comparison is carried out as shown in a specific formula (12):

wherein u is _jk 、v _jk And w _jk The confidentiality fuzzy matrix M can be obtained by comparing the results of the elements with three dimensions of confidentiality, integrity and availability _C Integrity fuzzy matrix M _I And availability ambiguity matrix M _A ：

Judging whether the matrix meets the fuzzy consistency, if the matrix is a fuzzy inconsistent matrix, adjusting the matrix into the fuzzy consistency matrix, and designating the difference between two rows of corresponding elements in the matrix as a constant according to the judging principle of the fuzzy consistency matrix, wherein the fuzzy consistency matrix is as follows:

wherein u is _fg ,u _fh ,u _gh ∈M _c ，v _fg ,v _fh ,v _gh ∈M _I ，w _fg ,w _fh ,w _gh ∈M _A F=1, 2, ··, n, g=1, 2, the terms, n, h=1, 2, n, f +.g +.h, the matrix is normalized according to equation (17):

wherein u' _fg 、v′ _fg And w' _fg Respectively represent the fuzzy matrix M in three dimensions of confidentiality, integrity and availability _C 、M _I And M _A A result of the element unification processing;

calculating threat assessment index of attack in CIA three dimensions:

after threat evaluation indexes of different dimensions are calculated, attack is performed on risk evaluation values f respectively caused by CIA three-dimensions _C 、f _I And f _A The calculation formula is as follows:

wherein the value of the function T (x) increases with the number of attacks x, and the expression is defined as:

the calculation of the safety characteristic parameter risk of the power monitoring system is completed according to the risk;

the calculation of the comprehensive threat assessment value of the power monitoring system is to utilize the global influence weight omega of m security feature parameters obtained by calculation _i I=1, 2,..m, and risk assessment value f by attack on CIA three-dimension, respectively _C 、f _I And f _A Finally, the comprehensive threat assessment value CT of the power monitoring system is obtained and updated in real time, and the calculation method is shown as a formula (21):

wherein x is _i (t) is the influence value, omega, of the ith safety feature parameter at the time t _i Global impact weight representing the i-th security feature parameter, i=1, 2,.. _C 、f _I And f _A Is a risk evaluation value respectively caused by attacks in CIA three-dimension, and alpha, beta and χ are respectively used for measuring f _C 、f _I And f _A Is a weight of (2).