CN116405328B - Multistage linkage network security supervision system and method for power monitoring system - Google Patents

Publication number
CN116405328B
Authority
CN
China
Prior art keywords
module
monitoring system
network
threat information
linkage
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310673313.2A
Other languages
Chinese (zh)
Other versions
CN116405328A (en
Inventor
孔令达
亢超群
李二霞
韩子龙
刘海涛
吕广宪
朱克琪
李玉凌
孙国齐
许保平
刘芸杉
吴殿亮
王利
杜金陵
樊勇华
周振华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Online Shanghai Energy Internet Research Institute Co ltd
Original Assignee
China Online Shanghai Energy Internet Research Institute Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Online Shanghai Energy Internet Research Institute Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0876 Aspects of the degree of configuration automation
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention relates to a multistage linkage network security supervision system and method for a power monitoring system. The system comprises a three-layer framework of a headquarter part, a provincial part and a local city part. The provincial part and the local city part are each configured with at least: a flow monitoring module, a security threat sensing module, an alarm linkage module and a trusted defense linkage module. The headquarter part is configured with at least: an analysis module, a pushing module and an online simulation module. The invention realizes multistage linkage and improves the network security monitoring and handling capability of the power distribution automation monitoring system.

Description

Multistage linkage network security supervision system and method for power monitoring system
Technical Field
The invention relates to the technical field of power distribution network security, and in particular to a multistage linkage network security supervision system and method for a power monitoring system.
Background
To address increasingly prominent network security problems, a variety of security devices, including intrusion detection systems, firewalls and vulnerability detection systems, are used to monitor the large number of risk events that threaten the network. These devices are limited to local detection and protection measures against attacks and lack effective cooperation with one another, so a network administrator cannot accurately locate network weaknesses, cannot discover malicious attacks in time, and cannot comprehensively grasp the network security state.
Network security situation awareness is the process of extracting network data by sensing the network environment, evaluating the network security state and predicting its future development trend by understanding that data, using the evaluated and predicted data to make decisions, and finally taking corresponding measures for active defense, which are fed back to the network environment to realize security protection and improve network defense capability.
The construction of the network security situation awareness model is divided into three parts, namely network environment awareness, situation understanding and situation prediction.
Network environment awareness perceives the network state by extracting network data. For complex, dynamic network environments and large volumes of complicated data, researchers collect network data with technologies such as antivirus software, vulnerability scanning, penetration testing, network scanning, password cracking tools, firewalls and intrusion detection systems, or by means of asset lists, risk identification, investigation, event response reports and the like. To obtain comprehensive and accurate network data, researchers often preprocess the raw data with methods such as conditional random fields, evolutionary neural networks and cluster analysis.
Situation understanding integrates the extracted network data, analyzes the correlations within it, locates network weaknesses, evaluates the likelihood of security events, and uses the evaluation data to make decisions and perform active defense. It is the core of network security situation awareness; researchers analyze different data with different methods, including adaptive resonance theory models, Bayesian network classifiers and game models.
Situation prediction takes the network data output by situation understanding, predicts network security conditions, and uses the prediction data to make decisions and perform active defense. It is the goal of network security situation awareness: it not only predicts network threat attacks and an attacker's next action, but also overcomes the dependence on data integrity and predicts the development trend of the network security state.
Prior patent publication CN112751927A discloses a network security monitoring system in a power monitoring system. It describes the main functional points, module functions and methods of that system and addresses monitoring of the network security situation of a single information system, but it cannot provide linkage, pushing and dynamic enabling of alarm information across multiple systems. Prior patent publication CN115250191A discloses a network security emergency response method in which, after a client edits a short message, the system verifies the user's authority and issues a blocking instruction to the device that blocks IP addresses; this is a traditional blocking and removal method among network security protection measures.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a multistage linkage network security supervision system and method for a power monitoring system that realizes multistage linkage and improves the network security monitoring and handling capability of the power distribution automation monitoring system.
The technical scheme adopted to solve this technical problem is as follows: the multistage linkage network security supervision system for a power monitoring system comprises a headquarter part, a provincial part and a local city part;
the provincial part and the local city part are each configured with at least: a flow monitoring module for monitoring the network traffic of the power distribution automation monitoring system; a security threat sensing module for sensing threat information concerning hosts, networks, terminals and applications in the power distribution automation monitoring system; an alarm linkage module for generating alarm information when threat information is sensed and uploading the alarm information together with the threat information to the headquarter part; and a trusted defense linkage module for automatically triggering a trusted defense function, based on a trusted computing method, when threat information is sensed;
the headquarter part is configured with at least: an analysis module for analyzing the received threat information and determining the location of the threat information, the voltage level and line position of the power grid network where the threat information is located, and the equipment attribute information; a pushing module for pushing the analyzed threat information to the provincial parts bordering the location of the threat information, and pushing the received alarm information to the local city parts connected to the line position of the power grid network where the threat information is located; and an online simulation module for quickly establishing a terminal software and hardware environment, based on the received threat information, to perform online simulation.
The headquarter part is further configured with a quantity configuration suggestion module, which determines the number of provincial parts and local city parts to enable within a region according to: the total asset value $f_1$ of the equipment in the distribution automation monitoring system within the region; the total network traffic $f_2$ of the distribution automation monitoring system within the region during time $t$; the total plaintext data traffic $f_3$ of the distribution automation monitoring system within the region during time $t$; the total number $f_4$ of requests made and received when the distribution automation monitoring system within the region interacts with other systems; the number $f_5$ of trusted computing authentication interactions used in the distribution automation monitoring system within the region; and the number $f_6$ of network security risk events occurring in the distribution automation monitoring system within the region.
The quantity configuration suggestion module includes: a score calculation unit for calculating the security situation comprehensive score $c$ within the region as $c = F(f_1, f_2, f_3, f_4, f_5, f_6)$, where $F()$ normalizes each index, assigns a weight to each index and sums them; a comparison unit for comparing the security situation comprehensive score $c$ with the median of the scores of the combined sample set within the regions being enabled; and a quantity determination module for calculating the increased number of provincial parts and local city parts when the security situation comprehensive score $c$ is smaller than the median.
The quantity determination module calculates the number of provincial parts and local city parts to enable by a formula in which $U_k$ is the number of activations suggested by the quantity determination module; $K_1$, $K_2$ and $K_3$ are the intensity coefficients for the increase in number; $e_k$ is the deviation between the number of systems currently enabled for the object being adjusted and the number of systems enabled by the object whose security situation comprehensive score $c$ is the median; one term represents the integrated deviation; $k$ is the number of deviations; and $e_k - e_{k-1}$ is the difference between the current deviation and the previous deviation.
The headquarter part is further configured with a multistage linkage evaluation module, which includes: a first evaluation unit for evaluating the dynamic coverage rate of safety monitoring points; a second evaluation unit for evaluating the terminal trusted defense density; and a third evaluation unit for evaluating the timeliness of emergency alarm linkage.
The first evaluation unit calculates the dynamic coverage rate of safety monitoring points, $DCM$, by a formula.
The second evaluation unit calculates the terminal trusted defense density, $T2D2$, by a formula in which $T_i$ is the number of terminals of class $i$, $n$ is the number of terminal classes, $w_i$ is the security weight of terminals of class $i$, and $S$ is the area of the region.
The third evaluation unit calculates the timeliness of emergency alarm linkage, $TCA$, by a formula in which $d_m$ is the number of calendar days in the current month, $k$ is the number of alarms in the current month, $t_d$ is the number of hours from the alarm to the alarm being uploaded to the headquarter part, and $t_w$ is the business assessment window time.
A further technical scheme adopted to solve the technical problem is as follows: a multistage linkage network security supervision method for a power monitoring system, applied to the multistage linkage network security supervision system described above, comprising the following steps:
the security threat sensing module of a provincial part or a local city part senses threat information, transmits the threat information to the alarm linkage module, and automatically triggers the trusted defense linkage module to perform a trusted defense function based on a trusted computing method;
the alarm linkage module generates alarm information and reports the alarm information and the threat information to the headquarter part;
the analysis module of the headquarter part analyzes the received threat information and determines the location of the threat information, the voltage level and line position of the power grid network where the threat information is located, and the equipment attribute information;
the headquarter part, through the pushing module, pushes the threat information to the provincial parts bordering the location of the threat information, and pushes the alarm information to the local city parts connected to the line position of the power grid network where the threat information is located;
the headquarter part inputs the threat information into the online simulation module, which quickly establishes a terminal software and hardware environment to perform online simulation.
Advantageous effects
By adopting the above technical scheme, the invention has the following advantages and positive effects compared with the prior art. The invention uses an internal multistage linkage mechanism that not only senses security threats but also raises alarms and interacts in a timely manner, and can quickly establish an online simulation of the threat information. This combines threat discovery, threat alarm and rapid threat analysis, and improves the network security monitoring and handling capability of the power distribution automation monitoring system. The multistage linkage evaluation indices and calculation methods provided by the invention dynamically evaluate the linkage effect of each system and describe the method and efficiency of linkage between systems from the perspective of quantitative analysis, which helps promote coordinated linkage between systems and enhances interactivity. The invention evaluates the security situation comprehensive score by region and gives a calculation method for the suggested number of provincial parts and local city parts to enable. The user can define the regions over which the security situation is evaluated, which provides a more flexible method of regional division. Furthermore, the invention gives a quantitative calculation method for suggesting an increase in the number of enabled provincial parts and local city parts (i.e. subsystems), and the adjustment process can be carried out automatically.
Drawings
FIG. 1 is an organization diagram of a multi-stage linked power monitoring system network security supervision system according to an embodiment of the present invention;
FIG. 2 is a block diagram of a provincial part and a local city part in an embodiment of the invention;
FIG. 3 is a block diagram of a headquarter part in an embodiment of the invention.
Detailed Description
The invention will be further illustrated with reference to specific examples. It is to be understood that these examples are illustrative of the present invention and are not intended to limit the scope of the present invention. Further, it is understood that various changes and modifications may be made by those skilled in the art after reading the teachings of the present invention, and such equivalents are intended to fall within the scope of protection defined in the present application.
The embodiment of the invention relates to a multistage linkage network security supervision system for a power monitoring system which, as shown in FIG. 1, comprises a headquarter part, a provincial part and a local city part. The provincial part and the local city part are each configured with at least: a flow monitoring module for monitoring the network traffic of the power distribution automation monitoring system; a security threat sensing module for sensing threat information concerning hosts, networks, terminals and applications in the power distribution automation monitoring system; an alarm linkage module for generating alarm information when threat information is sensed and uploading the alarm information together with the threat information to the headquarter part; and a trusted defense linkage module for automatically triggering a trusted defense function, based on a trusted computing method, when threat information is sensed. The headquarter part is configured with at least: an analysis module for analyzing the received threat information and determining the location of the threat information, the voltage level and line position of the power grid network where the threat information is located, and the equipment attribute information; a pushing module for pushing the analyzed threat information to the provincial parts bordering the location of the threat information, and pushing the received alarm information to the local city parts connected to the line position of the power grid network where the threat information is located; and an online simulation module for quickly establishing a terminal software and hardware environment, based on the received threat information, to perform online simulation.
The multistage linkage network security supervision system of this embodiment establishes a cooperative linkage mechanism that achieves threat information sharing, unified aggregation at headquarters, and awareness of threat information at the earliest moment. Push information is sent only to the provincial parts and local city parts related to the threat information, so that calculation strategies and methods are enabled dynamically and a moderate security benefit is obtained with cost taken into account.
Taking a power distribution automation monitoring system as an example, this embodiment can build a three-layer headquarter, provincial and local city structure that follows the three-level deployment mode of the power distribution monitoring system. Through the cooperation of the flow monitoring module, security threat sensing module, alarm linkage module, trusted defense linkage module, analysis module, pushing module and online simulation module, this structure realizes multistage linkage functions including pushing shared alarm information, enabling trusted verification and pushing threat information.
The flow monitoring module monitors the network traffic of the power distribution automation monitoring system, including plaintext data and ciphertext data. Interaction data between terminal equipment and cloud equipment uses the IEC60870-101 104 protocol; the flow monitoring module packages it into E text format on the basis of the original service message protocol and sends the packaged messages to the headquarter part.
The security threat sensing module senses security threats to hosts, networks, terminals and applications in the power distribution automation monitoring system, including vulnerability states, malicious program access behaviors, security access authentication success rates, network intrusion behaviors and security policy configuration conditions.
The alarm linkage module generates, sends and receives alarm information: it sends locally generated alarm information to the headquarter part and receives the alarm information pushed by the headquarter part.
The trusted defense linkage module is based on a trusted computing method. When a security threat occurs locally, the trusted defense linkage module automatically triggers a trusted defense function; specifically, it enables a behavior measurement function for terminals in the area near the geographic position where the security threat occurred.
The analysis module analyzes the received threat information and determines the location of the threat information, the voltage level and line position of the power grid network where the threat information is located, and the equipment attribute information.
The pushing module pushes the analyzed threat information to the provincial parts bordering the location of the threat information, and pushes the received alarm information to the local city parts connected to the line position of the power grid network where the threat information is located, thereby achieving personalized pushing.
The online simulation module establishes a terminal software and hardware environment for rapid online simulation and provides information that security analysts can use for rapid analysis.
In this embodiment the modules use an internal linkage mechanism, so that security threats are sensed, alarms are exchanged in a timely manner, and an online simulation of the threat information is established quickly. This combines threat discovery, threat alarm and rapid threat analysis, and improves the network security monitoring and handling capability of the power distribution automation monitoring system.
In addition, the headquarter part is configured with a quantity configuration suggestion module, which outputs a suggested number of provincial parts and local city parts to enable within a region according to the total asset value of the power distribution automation equipment in the region, the total network traffic during time $t$, the total plaintext data traffic, the number of system interaction requests, the number of trusted computing authentication interactions and the number of security risk event occurrences.
The quantity configuration suggestion module includes: a score calculation unit for calculating the security situation comprehensive score $c$ within the region as $c = F(f_1, f_2, f_3, f_4, f_5, f_6)$, where $f_1$ is the total asset value of the equipment in the power distribution automation system within the region, $f_2$ is the total network traffic of the distribution automation monitoring system within the region during time $t$, $f_3$ is the total plaintext data traffic of the distribution automation monitoring system within the region during time $t$, $f_4$ is the total number of requests made and received when the distribution automation monitoring system within the region interacts with other systems, $f_5$ is the number of trusted computing authentication interactions in the distribution automation monitoring system within the region, $f_6$ is the number of network security risk events occurring in the distribution automation monitoring system within the region, and $F()$ normalizes each index, assigns a weight to each index and sums them; a comparison unit for comparing the security situation comprehensive score $c$ with the median, stored in the system, of the calculated scores of the combined sample set within the regions being enabled, where, if the security situation comprehensive score $c$ is greater than or equal to the median, the current number of provincial parts and local city parts is retained; and a quantity determination module for calculating the number of provincial parts and local city parts to enable when the security situation comprehensive score $c$ is smaller than the median. Specifically, the number to enable, $U_k$, is calculated by a formula in which $U_k$ is the number of activations suggested by the quantity determination module; $K_1$, $K_2$ and $K_3$ are the intensity coefficients for the increase in number; $e_k$ is the deviation between the number of systems currently enabled for the object being adjusted and the number of systems enabled by the object whose security situation comprehensive score $c$ is the median; one term represents the integrated deviation; $k$ is the number of deviations; and $e_k - e_{k-1}$ is the difference between the current deviation and the previous deviation.
In this way the security situation comprehensive score is evaluated by region and a calculation method for the suggested number of systems to enable is provided. The user can define the regions over which the security situation is evaluated, which gives a more flexible method of regional division. Furthermore, a quantitative calculation method for suggesting an increase in the number of enabled subsystems is provided, and the adjustment process can be carried out automatically.
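The scoring and quantity suggestion described above, as an added sketch that is not code from the patent. The formula for $U_k$ is not reproduced in this text, so the positional PID form used here is an assumption based on the term descriptions; the min-max normalisation, the per-index orientation flags, the weights, the coefficients and the three regions are likewise assumed or constructed values.

```python
from dataclasses import dataclass
from statistics import median_low


@dataclass
class Region:
    name: str
    indices: tuple   # (f1, f2, f3, f4, f5, f6) in the order the text lists them
    enabled: int     # provincial / local city subsystems currently enabled


def normalise(rows):
    """Min-max normalise each index across the sample set (assumed method)."""
    cols = list(zip(*rows))
    spans = [(min(c), max(c) - min(c)) for c in cols]
    return [tuple(0.0 if span == 0 else (v - lo) / span
                  for v, (lo, span) in zip(row, spans))
            for row in rows]


def composite_scores(regions, weights, higher_is_safer):
    """c = F(f1..f6): normalise each index, orient it, weight it and sum."""
    normed = normalise([r.indices for r in regions])
    return {
        r.name: sum(w * (x if safer else 1.0 - x)
                    for w, x, safer in zip(weights, row, higher_is_safer))
        for r, row in zip(regions, normed)
    }


@dataclass
class QuantityController:
    """Assumed form: U_k = K1*e_k + K2*sum(e_1..e_k) + K3*(e_k - e_{k-1})."""
    k1: float
    k2: float
    k3: float
    integral: float = 0.0   # running sum of deviations
    previous: float = 0.0   # e_{k-1}

    def suggest(self, e_k):
        self.integral += e_k
        u_k = (self.k1 * e_k + self.k2 * self.integral
               + self.k3 * (e_k - self.previous))
        self.previous = e_k
        return max(0, round(u_k))   # a suggestion never removes subsystems


def review(regions, weights, higher_is_safer, controllers):
    """Return {region: suggested extra subsystems} for regions below the median."""
    scores = composite_scores(regions, weights, higher_is_safer)
    median_score = median_low(scores.values())   # always an actual region's score
    reference = next(r for r in regions if scores[r.name] == median_score)
    suggestions = {}
    for r in regions:
        if scores[r.name] >= median_score:
            continue   # at or above the median: keep the current number
        e_k = reference.enabled - r.enabled   # deviation from the median region
        suggestions[r.name] = controllers[r.name].suggest(e_k)
    return suggestions


# Constructed sample set: names, weights, flags and coefficients are illustrative.
WEIGHTS = (0.1, 0.1, 0.2, 0.1, 0.2, 0.3)
# Assumption: only f5 (trusted computing authentications) raises the score.
HIGHER_IS_SAFER = (False, False, False, False, True, False)


def sample_regions():
    return [
        Region("region-A", (100, 50, 10, 200, 90, 1), enabled=6),
        Region("region-B", (100, 50, 30, 200, 50, 5), enabled=4),
        Region("region-C", (100, 50, 50, 200, 10, 9), enabled=2),
    ]


if __name__ == "__main__":
    regions = sample_regions()
    controllers = {r.name: QuantityController(0.5, 0.25, 0.25) for r in regions}
    print(composite_scores(regions, WEIGHTS, HIGHER_IS_SAFER))
    print(review(regions, WEIGHTS, HIGHER_IS_SAFER, controllers))
```

Each region keeps its own controller so that the accumulated deviation carries over between review rounds; using `median_low` guarantees the median belongs to a real region whose enabled count can serve as the reference.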
The headquarter part is also configured with a multistage linkage evaluation module, which evaluates the linkage state and linkage level of the system through the dynamic coverage rate of safety monitoring points $DCM$, the terminal trusted defense density $T2D2$ and the timeliness of emergency alarm linkage $TCA$.
The multistage linkage evaluation module in this embodiment includes: a first evaluation unit for evaluating the dynamic coverage rate of safety monitoring points $DCM$; a second evaluation unit for evaluating the terminal trusted defense density $T2D2$; and a third evaluation unit for evaluating the timeliness of emergency alarm linkage $TCA$.
When the first evaluation unit evaluates the dynamic coverage rate of safety monitoring points, it calculates the coverage of safety monitoring points within the time range $t$ by a formula in which the number of repeatedly enabled subsystems refers to the repeated samples counted within time $t$.
When the second evaluation unit evaluates the terminal trusted defense density, it counts, within the time range $t$, the weighted proportion of terminals in the target region that have enabled trusted technology to defend against security threats, by a formula in which $T_i$ is the number of terminals of class $i$; $n$ is the number of terminal classes, which include DTU, FTU, fault indicator, etc.; $w_i$ is the security weight of terminals of class $i$; and $S$ is the area of the region.
When the third evaluation unit evaluates the timeliness of emergency alarm linkage $TCA$, it counts, within the current month, the timeliness with which emergency alarm events are pushed to the headquarter part, by a formula in which $d_m$ is the number of calendar days in the current month, $k$ is the number of alarms in the current month, $t_d$ is the number of hours from the alarm to the alarm being uploaded to the headquarter part, and $t_w$ is the preset service check window time.
The multistage linkage evaluation provided by this embodiment dynamically evaluates the linkage effect of each system and describes the method and efficiency of linkage between systems from the perspective of quantitative analysis, which helps promote coordinated linkage between systems and enhances interactivity.
The supervision method based on the multi-level linkage network security supervision system for a power monitoring system of this embodiment mainly comprises the following steps:
S1: the security threat perception module of a provincial part or a local city part perceives threat information, transmits the threat information to the alarm linkage module, and automatically triggers the trusted defense linkage module to execute a trusted defense function based on a trusted computing method;
S2: the alarm linkage module generates alarm information and reports the alarm information and the threat information to the headquarters part;
S3: the analysis module of the headquarters part analyzes the received threat information and determines the location of the threat information, the voltage level and line position of the power grid network where the threat information is located, and the equipment attribute information;
S4: the headquarters part, through the pushing module, pushes the threat information to the provincial parts bordering the location of the threat information, and pushes the alarm information to the local city parts connected to the line position of the power grid network where the threat information is located;
S5: the headquarters part inputs the threat information into the online simulation module, which rapidly builds a terminal software and hardware environment for online simulation and makes it available to security analysts for rapid analysis.
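Steps S1 to S5 can be traced with the following Python sketch, added here as an illustration and not taken from the patent. The province adjacency, line-to-city mapping, asset inventory, device name and indicator string are constructed sample data, and leaving the reporting city out of the alarm push is an assumption of this sketch.

```python
# Constructed topology and asset inventory (all names are made up).
BORDERS = {  # provincial parts that border each province
    "prov-1": {"prov-2", "prov-3"},
    "prov-2": {"prov-1"},
    "prov-3": {"prov-1"},
}
LINE_CITIES = {  # local city parts connected to each grid line
    "line-10kV-07": {"city-1a", "city-2b"},
    "line-35kV-02": {"city-3a"},
}
ASSETS = {
    "ftu-0042": {"province": "prov-1", "city": "city-1a",
                 "line": "line-10kV-07", "voltage_kv": 10, "type": "FTU"},
}


def analyze(threat):
    """S3: resolve location, voltage level, line position and device attributes."""
    asset = ASSETS.get(threat["device"])
    if asset is None:
        raise LookupError(f"device {threat['device']!r} is not in the inventory")
    return dict(asset)


def handle_threat(device_id, indicator):
    """Run S1-S5 for one perceived threat and return the ordered linkage actions."""
    threat = {"device": device_id, "indicator": indicator}
    located = analyze(threat)  # also rejects unknown devices before any action
    source_city = located["city"]
    alarm = f"{indicator} on {device_id}"

    actions = [
        # S1: local perception triggers the trusted defense function.
        ("S1 trusted-defense", source_city, device_id),
        # S2: alarm and threat information are reported upward together.
        ("S2 report", "headquarters", alarm),
        # S3: headquarters locates the threat in the grid.
        ("S3 locate", located["province"], located["line"]),
    ]
    # S4: threat information goes to the bordering provincial parts ...
    for prov in sorted(BORDERS[located["province"]]):
        actions.append(("S4 push-threat", prov, indicator))
    # ... and alarm information to the cities on the same line. The reporting
    # city already holds the alarm, so it is skipped (assumption of this sketch).
    for city in sorted(LINE_CITIES[located["line"]] - {source_city}):
        actions.append(("S4 push-alarm", city, alarm))
    # S5: headquarters builds a matching terminal environment for simulation.
    env = f"{located['type']}@{located['voltage_kv']}kV"
    actions.append(("S5 simulate", "headquarters", env))
    return actions


if __name__ == "__main__":
    for step in handle_threat("ftu-0042", "unsigned-firmware"):
        print(step)
```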
It is easy to see that the invention, through its internal multi-level linkage mechanism, can not only perceive security threats but also raise alarms and interact in a timely manner, and can rapidly build an online simulation of the threat information. It thereby combines threat discovery, threat alarming and rapid threat analysis, and improves the network security monitoring and handling capability of the distribution automation monitoring system. The multi-level linkage evaluation indices and calculation methods provided by the invention can dynamically evaluate the linkage effect of each system and quantify the method and efficiency of linkage between systems, which helps promote coordinated linkage between the systems and strengthens their interaction. The invention can evaluate the comprehensive security situation score per region and gives a method for calculating the suggested number of systems to enable; users can define their own regions for security situation evaluation, which makes the regional division more flexible. Furthermore, the invention gives a quantitative method for calculating the suggested increase in the number of enabled subsystems, so the adjustment process can be carried out automatically.

Claims (6)

1. A multi-level linkage network security supervision system for a power monitoring system, characterized by comprising a three-layer architecture of a headquarters part, a provincial part and a local city part;
the provincial part and the local city part are configured with at least: a traffic monitoring module for monitoring the network traffic of the distribution automation monitoring system; a security threat perception module for perceiving threat information of hosts, networks, terminals and applications in the distribution automation monitoring system; an alarm linkage module for generating alarm information when threat information is perceived and uploading the alarm information together with the threat information to the headquarters part; and a trusted defense linkage module for automatically triggering a trusted defense function based on a trusted computing method when threat information is perceived;
the headquarters part is configured with at least: an analysis module for analyzing the received threat information and determining the location of the threat information, the voltage level and line position of the power grid network where the threat information is located, and the equipment attribute information; a pushing module for pushing the analyzed threat information to the provincial parts bordering the location of the threat information, and pushing the received alarm information to the local city parts connected to the line position of the power grid network where the threat information is located; and an online simulation module for rapidly building a terminal software and hardware environment based on the received threat information to perform online simulation;
the headquarters part is further configured with: a quantity configuration suggestion module for determining the number of subsystems enabled by the provincial part and the local city part within a region according to the total asset value f_1 of the equipment in the distribution automation monitoring system within the region, the total network traffic f_2 of the distribution automation monitoring system within the region during time t, the total plaintext data traffic f_3 of the distribution automation monitoring system within the region during time t, the total number f_4 of requests made and received in interactions between the distribution automation monitoring system within the region and other systems, the number f_5 of trusted computing authentication interactions used in the distribution automation monitoring system within the region, and the occurrence frequency f_6 of network security risk events in the distribution automation monitoring system within the region;
the quantity configuration suggestion module includes: a score calculation unit for calculating the comprehensive security situation score c within the region as c = F(f_1, f_2, f_3, f_4, f_5, f_6), where F() denotes that each index is normalized, assigned a weight, and summed; a comparison unit for comparing the comprehensive security situation score c with the median of the scores calculated over the combined sample set of the regions currently in operation; and a quantity determination module for calculating the number of subsystems enabled by the provincial part and the local city part when the comprehensive security situation score c is smaller than the median; the quantity determination module calculates the number of subsystems enabled by the provincial part and the local city part, wherein U_k denotes the number of activations suggested by the quantity determination module; K_1, K_2 and K_3 denote the intensity coefficients of the added quantity value; e_k denotes the deviation between the number of systems currently enabled by the object being adjusted and the number of systems enabled by the object whose comprehensive security situation score c is the median; the remaining term denotes the accumulated deviation; k denotes the number of deviations; and e_k - e_{k-1} denotes the difference between the deviation at the current time and the deviation at the previous time.
2. The multi-level linkage network security supervision system for a power monitoring system according to claim 1, wherein the headquarters part is further configured with a multi-level linkage evaluation module, the multi-level linkage evaluation module including: a first evaluation unit for evaluating the dynamic coverage rate of the security monitoring points; a second evaluation unit for evaluating the terminal trusted defense density; and a third evaluation unit for evaluating the timeliness of emergency alarm linkage.
3. The multi-level linkage network security supervision system for a power monitoring system according to claim 2, wherein the first evaluation unit is configured to calculate the dynamic coverage rate DCM of the security monitoring points.
4. The multi-level linkage network security supervision system for a power monitoring system according to claim 2, wherein the second evaluation unit is configured to calculate the terminal trusted defense density T2D2, wherein T_i denotes the number of class-i terminals, n denotes the number of terminal categories, w_i denotes the security weight of class-i terminals, and S denotes the area of the region.
5. The multi-level linkage network security supervision system for a power monitoring system according to claim 2, wherein the third evaluation unit is configured to calculate the timeliness TCA of emergency alarm linkage, wherein d_m denotes the number of calendar days in the current month, k denotes the number of alarms in the current month, t_d denotes the number of hours from the alarm being raised to the alarm being uploaded to the headquarters part, and t_w denotes the business assessment window time.
6. A multi-level linkage network security supervision method for a power monitoring system, characterized by being applied to the multi-level linkage network security supervision system for a power monitoring system according to any one of claims 1 to 5, and comprising the following steps:
the security threat perception module of the provincial part or the local city part perceives threat information, transmits the threat information to the alarm linkage module, and automatically triggers the trusted defense linkage module to execute a trusted defense function based on a trusted computing method;
the alarm linkage module generates alarm information and reports the alarm information and the threat information to the headquarters part;
the analysis module of the headquarters part analyzes the received threat information and determines the location of the threat information, the voltage level and line position of the power grid network where the threat information is located, and the equipment attribute information;
the headquarters part, through the pushing module, pushes the threat information to the provincial parts bordering the location of the threat information, and pushes the alarm information to the local city parts connected to the line position of the power grid network where the threat information is located;
the headquarters part inputs the threat information into the online simulation module and rapidly builds a terminal software and hardware environment to perform online simulation;
the quantity configuration suggestion module of the headquarters part determines the number of subsystems enabled by the provincial part and the local city part within a region according to the total asset value f_1 of the equipment in the distribution automation monitoring system within the region, the total network traffic f_2 of the distribution automation monitoring system within the region during time t, the total plaintext data traffic f_3 of the distribution automation monitoring system within the region during time t, the total number f_4 of requests made and received in interactions between the distribution automation monitoring system within the region and other systems, the number f_5 of trusted computing authentication interactions used in the distribution automation monitoring system within the region, and the occurrence frequency f_6 of network security risk events in the distribution automation monitoring system within the region;
the quantity configuration suggestion module calculates, through the score calculation unit, the comprehensive security situation score c within the region as c = F(f_1, f_2, f_3, f_4, f_5, f_6), where F() denotes that each index is normalized, assigned a weight, and summed; the quantity configuration suggestion module compares, through the comparison unit, the comprehensive security situation score c with the median of the scores calculated over the combined sample set of the regions currently in operation; the quantity configuration suggestion module calculates, through the quantity determination module, the number of subsystems enabled by the provincial part and the local city part when the comprehensive security situation score c is smaller than the median, wherein U_k denotes the number of activations suggested by the quantity determination module; K_1, K_2 and K_3 denote the intensity coefficients of the added quantity value; e_k denotes the deviation between the number of systems currently enabled by the object being adjusted and the number of systems enabled by the object whose comprehensive security situation score c is the median; the remaining term denotes the accumulated deviation; k denotes the number of deviations; and e_k - e_{k-1} denotes the difference between the deviation at the current time and the deviation at the previous time.
CN202310673313.2A 2023-06-08 2023-06-08 Multistage linkage network security supervision system and method for power monitoring system Active CN116405328B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310673313.2A CN116405328B (en) 2023-06-08 2023-06-08 Multistage linkage network security supervision system and method for power monitoring system

Publications (2)

Publication Number Publication Date
CN116405328A CN116405328A (en) 2023-07-07
CN116405328B true CN116405328B (en) 2023-08-08

Family

ID=87016527

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant