CN116800633A - Multi-attribute-based industrial Internet security situation evaluation system - Google Patents

Multi-attribute-based industrial Internet security situation evaluation system

Info

Publication number
CN116800633A
Authority
CN
China
Prior art keywords
data
calculation
vulnerability
unit
host
Legal status
Pending
Application number
CN202211308628.9A
Other languages
Chinese (zh)
Inventor
郑忠斌
凌颖
黄海艇
杨俊�
彭新
阮大治
孙学伟
张楠笛
冯源
张旻
冯益民
Current Assignee
Industrial Internet Innovation Center Shanghai Co ltd
Original Assignee
Industrial Internet Innovation Center Shanghai Co ltd
Application filed by Industrial Internet Innovation Center Shanghai Co ltd
Priority to CN202211308628.9A
Publication of CN116800633A


Abstract

The application discloses a multi-attribute-based industrial Internet security situation evaluation system, which relates to the field of Internet security evaluation and comprises a data acquisition unit, a data storage unit, a data screening unit, a data calculation unit, a data judgment unit, a data transmission unit and a central control processing unit. The data acquisition unit scans the hardware information and the software information of a host and collects the scanned data; the data storage unit stores and backs up both the data collected by the data acquisition unit and the data produced by the data calculation unit; the data screening unit classifies and identifies the stored data and removes useless information; the data calculation unit computes a risk value for the classified data. The system can accurately determine the security level and thereby accurately evaluate the industrial Internet security situation.

Description

Multi-attribute-based industrial Internet security situation evaluation system
Technical Field
The application relates to Internet security evaluation technology, and in particular to a multi-attribute-based industrial Internet security situation evaluation system.
Background
In industrial Internet security situation evaluation, multi-attribute comprehensive evaluation is a method that assesses an evaluation object against several evaluation indexes at once.
Current industrial Internet security situation evaluation relies either on subjective preference information supplied by the evaluator or on weight coefficients that the evaluator assigns directly from experience. This does capture the evaluator's judgment, and the resulting relative importance of the attributes generally does not contradict common sense, but it is highly arbitrary, so the accuracy and reliability of the decision suffer.
Disclosure of Invention
The application aims to provide a multi-attribute-based industrial Internet security situation evaluation system that addresses the shortcomings of the prior art.
In order to achieve the above object, the present application provides the following technical solutions: the industrial Internet security situation evaluation system based on multiple attributes comprises a data acquisition unit, a data storage unit, a data screening unit, a data calculation unit, a data judgment unit, a data transmission unit and a central control processing unit;
the data acquisition unit is used for scanning the hardware information and the software information of the host respectively and acquiring scanned data;
the data storage unit is used for respectively storing and backing up the data acquired by the data acquisition unit and the data calculated by the data calculation unit;
the data screening unit is used for classifying and identifying the stored data and removing useless information;
the data calculation unit is used for calculating the risk value of the classified data;
the data judging unit is used for judging the risk value and classifying the risk level;
the data transmission unit is used for transmitting the data acquired by the data acquisition unit;
the central control processing unit is used for controlling the data acquisition unit to start data acquisition work, and after receiving the data of the data screening unit, the central control processing unit processes the data and sends the processed data to the data calculation unit for data calculation.
Further, the output end of the data acquisition unit is connected with the input end of the data transmission unit, the output end of the data transmission unit is connected with the input end of the data storage unit and the input end of the data screening unit respectively, the output end of the data storage unit is connected with the input end of the central control processing unit, the output end of the data screening unit is connected with the input end of the central control processing unit, the output end of the central control processing unit is connected with the input end of the data acquisition unit and the input end of the data calculation unit respectively, the output end of the data calculation unit is connected with the input end of the data judgment unit and the input end of the data storage unit respectively, and the output end of the data judgment unit is connected with the input end of the central control processing unit.
Further, the data acquisition unit comprises a first input module, a hardware information scanning module, a software information scanning module, a scanning algorithm model and a first output module, wherein the input end of the first input module is connected with the output end of the central control processing unit, the output end of the first input module is respectively connected with the input ends of the hardware information scanning module and the software information scanning module, the output ends of the hardware information scanning module and the software information scanning module are both connected with the input end of the scanning algorithm model, the output end of the scanning algorithm model is connected with the input end of the first output module, and the output end of the first output module is connected with the input end of the data transmission unit.
Further, the scanning algorithm model adopts the following algorithm steps:
S1, define a threshold; the threshold is set by the user interactively;
S2, scan the database with a window of fixed size w, filtering the data according to the user-defined threshold:
    for (list = 0; list < lastone; list++)   // scan from the first record to the end of the database
        for (j = 0; j < w; j++)              // compare each new record entering the window with the previous w-1 records
        {
            strfirst = dataset(list + j);
            strnew = dataset(list + w);
S3, filtering: compare the two records, check whether the judging conditions are met, and filter:
            if (judging condition 1)         // condition 1 checks whether the two records come from the same data source: if so, do not compare them and move to the next record, otherwise test condition 2
            if (judging condition 2)         // condition 2 is tested only once condition 1 has been passed: it checks whether the difference in length and characters between the two records exceeds the user-defined threshold; if so, move to the next record, otherwise compare the two records with the q-gram algorithm
            q-gram(strfirst, strnew);        // compare the two records with the q-gram algorithm and judge whether they meet the similarity condition; if so, add both to the similar queue, otherwise the comparison of this pair ends
        }
When the new record has been compared with the first w-1 records in the window, the window moves down.
Further, the data screening unit comprises a second input module, a data asset identification module, a vulnerability identification module, a threat identification module, a useless information identification module and a second output module, wherein the input end of the second input module is connected with the output end of the data transmission unit, the output end of the second input module is sequentially connected with the input ends of the useless information identification module, the data asset identification module, the vulnerability identification module and the threat identification module, and the output ends of the useless information identification module, the data asset identification module, the vulnerability identification module and the threat identification module are all connected with the input end of the second output module, and the output end of the second output module is connected with the input end of the central control processing unit.
Further, the vulnerability identification module is composed of four parts:
First, single-point vulnerability calculation. The single-point vulnerability is the calculation basis of the whole hierarchy, so its accuracy determines the accuracy of every level above it. Single-point vulnerability is assigned according to CVSS (the Common Vulnerability Scoring System). CVSS was originally developed by NIAC and is maintained by FIRST as an open standard that product vendors may adopt freely; it scores a software vulnerability along three metric groups, the base metrics, the temporal metrics and the environmental metrics, and the CVSS score is obtained by chaining these three groups. The specific formulas are given in the CVSS specification and are not repeated here. Finally, according to the CVSS rule as applied here, the single-point vulnerability value lies in the range [0, 3] (a raw CVSS score lies in [0.0, 10.0], so a mapping onto this smaller scale is implied);
Second, host vulnerability calculation. Host vulnerability is computed from the single-point vulnerabilities with the formula:
V(h) = log2(Vs)   (2)
where Vs is the sum of the single-point vulnerabilities on the host and V(h) is the host vulnerability result, i.e. the base-2 logarithm of Vs. The result is restricted to the range [0, 4]: if Vs is greater than 16, V(h) is taken as 4; otherwise it is computed by equation (2);
Third, service vulnerability calculation.
According to the vulnerability assessment model, service vulnerability is computed from the host vulnerability results combined with the importance of each host to the service, with the formula:
where V(hi) represents the host vulnerability result of a host related to the service. A host is related to a service in one of three ways: it is a deployment host, i.e. the service is deployed on it; a flow host, i.e. the service's traffic interaction has to pass through this type of host, such as a softswitch device; or a transmission host, i.e. the service's signalling interaction has to pass through this type of host. θi represents the weight adjustment coefficient of host i in the service, obtained by normalizing the host importance Bi. Bi represents the importance of the host to the service and depends on factors such as the host type and the importance of the data held on the host; to keep the quantitative calculation accurate and concise, it is set to a fixed value by expert experience according to the above description. V(S) represents the service vulnerability result;
Fourth, network vulnerability calculation. Network vulnerability is computed from the service vulnerability results combined with the importance of each service in the network, with the formula:
where V represents the network vulnerability result, V(S) represents the vulnerability result of a service in the network, and φi represents the weight adjustment coefficient of that service in the network, obtained by normalizing the service importance Wi. Wi represents the importance of the service in the network; like host importance it depends on several factors, and here it is measured by service usage, i.e. Wi is the average number of times the service is used in one day.
Further, the data calculation unit comprises a third input module, a likelihood calculation model, a loss calculation model, a risk value calculation model and a third output module, wherein the input end of the third input module is connected with the output end of the central control processing unit, the output end of the third input module is connected with the input ends of the likelihood calculation model and the loss calculation model respectively, the output ends of the likelihood calculation model and the loss calculation model are both connected with the input end of the risk value calculation model, the output end of the risk value calculation model is connected with the input end of the third output module, and the output end of the third output module is connected with the input end of the data judgment unit.
Further, the likelihood calculation model uses the formula: probability of occurrence of a security event = L(T, V);
the loss calculation model uses the formula: loss after occurrence of a security event = F(Ia, Va);
the risk value calculation model uses the formula: risk value = R(L(T, V), F(Ia, Va)); where R is the security risk calculation function, A is an asset, T a threat, V the network vulnerability, Ia the asset value, Va the severity of the vulnerability, L the likelihood of occurrence of the security event and F the loss after the security event occurs.
Compared with the prior art, the multi-attribute-based industrial Internet security situation evaluation system provided by the application can accurately determine the security level and thus accurately evaluate the industrial Internet security situation, providing a valuable reference for subsequent risk treatment.
Drawings
To illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for the embodiments are briefly described below. The drawings described here show only some embodiments of the present application; a person of ordinary skill in the art may derive other drawings from them.
FIG. 1 is a schematic block diagram of an industrial Internet security situation assessment system based on multiple attributes;
FIG. 2 is a schematic block diagram of a data acquisition unit of the present application;
FIG. 3 is a schematic block diagram of a data screening unit of the present application;
fig. 4 is a schematic block diagram of a data calculation unit of the present application.
Reference numerals illustrate:
1. a data acquisition unit; 11. a hardware information scanning module; 12. a software information scanning module; 13. scanning an algorithm model; 2. a data storage unit; 3. a data screening unit; 31. a data asset identification module; 32. a vulnerability identification module; 33. a threat identification module; 34. a garbage identification module; 4. a data calculation unit; 41. a likelihood calculation model; 42. a loss calculation model; 43. a risk value calculation model; 5. a data determination unit; 6. a data transmission unit; 7. and a central control processing unit.
Detailed Description
In order to make the technical scheme of the present application better understood by those skilled in the art, the present application will be further described in detail with reference to the accompanying drawings.
Referring to fig. 1-4, an industrial internet security situation evaluation system based on multiple attributes includes a data acquisition unit 1, a data storage unit 2, a data screening unit 3, a data calculation unit 4, a data determination unit 5, a data transmission unit 6 and a central control processing unit 7; the data acquisition unit 1 is used for scanning the hardware information and the software information of the host computer respectively and acquiring scanned data; the data storage unit 2 is used for respectively storing and backing up the data acquired by the data acquisition unit 1 and the data calculated by the data calculation unit 4; a data screening unit 3 for classifying and identifying the stored data and removing useless information; a data calculation unit 4 for calculating a risk value of the classified data; a data judging unit 5 for judging the risk value and classifying the risk level; a data transmission unit 6, configured to transmit the data acquired by the data acquisition unit 1; the central control processing unit 7 is used for controlling the data acquisition unit 1 to start data acquisition, and after receiving the data of the data screening unit 3, the data are processed and sent to the data calculation unit 4 for data calculation.
The output end of the data acquisition unit 1 is connected with the input end of the data transmission unit 6, the output end of the data transmission unit 6 is respectively connected with the input end of the data storage unit 2 and the input end of the data screening unit 3, the output end of the data storage unit 2 is connected with the input end of the central control processing unit 7, the output end of the data screening unit 3 is connected with the input end of the central control processing unit 7, the output end of the central control processing unit 7 is respectively connected with the input end of the data acquisition unit 1 and the input end of the data calculation unit 4, the output end of the data calculation unit 4 is respectively connected with the input end of the data judgment unit 5 and the input end of the data storage unit 2, and the output end of the data judgment unit 5 is connected with the input end of the central control processing unit 7.
The data acquisition unit 1 comprises a first input module, a hardware information scanning module 11, a software information scanning module 12, a scanning algorithm model 13 and a first output module, wherein the input end of the first input module is connected with the output end of the central control processing unit 7, the output end of the first input module is respectively connected with the input ends of the hardware information scanning module 11 and the software information scanning module 12, the output ends of the hardware information scanning module 11 and the software information scanning module 12 are both connected with the input end of the scanning algorithm model 13, the output end of the scanning algorithm model 13 is connected with the input end of the first output module, and the output end of the first output module is connected with the input end of the data transmission unit 6.
The scanning algorithm model 13 adopts the following algorithm steps:
S1, define a threshold; the threshold is set by the user interactively;
S2, scan the database with a window of fixed size w, filtering the data according to the user-defined threshold:
    for (list = 0; list < lastone; list++)   // scan from the first record to the end of the database
        for (j = 0; j < w; j++)              // compare each new record entering the window with the previous w-1 records
        {
            strfirst = dataset(list + j);
            strnew = dataset(list + w);
S3, filtering: compare the two records, check whether the judging conditions are met, and filter:
            if (judging condition 1)         // condition 1 checks whether the two records come from the same data source: if so, do not compare them and move to the next record, otherwise test condition 2
            if (judging condition 2)         // condition 2 is tested only once condition 1 has been passed: it checks whether the difference in length and characters between the two records exceeds the user-defined threshold; if so, move to the next record, otherwise compare the two records with the q-gram algorithm
            q-gram(strfirst, strnew);        // compare the two records with the q-gram algorithm and judge whether they meet the similarity condition; if so, add both to the similar queue, otherwise the comparison of this pair ends
        }
When the new record has been compared with the first w-1 records in the window, the window moves down.
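The window scan and the two judging conditions above, implemented end to end as an added example; this is not the patent's code. The patent does not say which q-gram similarity measure it uses or how the "length and character difference" of condition 2 is measured, so the Dice coefficient over padded bigrams and a plain length difference are assumed here; the scan records, the window size w = 4 and both thresholds are constructed for the example.

```python
"""Sliding-window near-duplicate filter with q-gram similarity (steps S1 to S3).

Added example for this page, not the patent's code. The patent does not name
its similarity measure or how condition 2 measures "length and character
difference"; ASSUMED here: Dice coefficient over padded q-grams, and the
absolute length difference for condition 2.
"""
from collections import Counter

# Constructed scan records (source, text); not real scanner output.
SAMPLE_RECORDS = [
    ("nmap", "10.0.0.5 tcp/22 open ssh OpenSSH 8.2"),
    ("nessus", "10.0.0.5 tcp/22 open ssh OpenSSH 8.2p1"),   # near-duplicate of record 0
    ("nmap", "10.0.0.5 tcp/80 open http nginx"),
    ("nessus", "10.0.0.9 tcp/443 open https apache"),
    ("nmap", "10.0.0.5 tcp/22 open ssh OpenSSH 8.2"),        # exact copy of record 0, same source
]


def qgrams(text, q=2):
    """Multiset of q-grams, padded so the first and last characters get full grams."""
    padded = "#" * (q - 1) + text + "$" * (q - 1)
    return Counter(padded[i:i + q] for i in range(len(padded) - q + 1))


def qgram_similarity(a, b, q=2):
    """Dice coefficient of two q-gram multisets: 1.0 identical, 0.0 nothing shared."""
    ga, gb = qgrams(a, q), qgrams(b, q)
    total = sum(ga.values()) + sum(gb.values())
    if total == 0:
        return 1.0
    return 2.0 * sum((ga & gb).values()) / total


def find_similar_pairs(records, w=4, max_len_diff=5, sim_threshold=0.75, q=2):
    """S1: thresholds are parameters (the patent has the user set them interactively).
    S2: each new record is compared with the w-1 records before it (window size w).
    S3: condition 1, condition 2, then the q-gram comparison.
    Returns (first, new) index pairs that satisfy the similarity condition."""
    similar = []
    for new in range(len(records)):
        src_new, str_new = records[new]
        for first in range(max(0, new - (w - 1)), new):
            src_first, str_first = records[first]
            if src_first == src_new:            # condition 1: same data source, skip
                continue
            if abs(len(str_first) - len(str_new)) > max_len_diff:
                continue                        # condition 2: too different to bother
            if qgram_similarity(str_first, str_new, q) >= sim_threshold:
                similar.append((first, new))    # similar queue
    return similar


if __name__ == "__main__":
    for first, new in find_similar_pairs(SAMPLE_RECORDS):
        print(f"records {first} and {new} judged similar: "
              f"{qgram_similarity(SAMPLE_RECORDS[first][1], SAMPLE_RECORDS[new][1]):.3f}")
```

Two caveats a practitioner would check before relying on this for scan data. Condition 1 means two identical records from the same scanner are never merged (records 0 and 4 above), so per-source deduplication has to happen elsewhere. And q-gram similarity treats `10.0.0.5` and `10.0.0.6` as almost identical strings, so with a loose threshold records from different hosts get merged; key fields such as the IP address and port should be compared exactly and only free-text fields judged by q-gram similarity. The window also only pairs records that sit close together in the database, so the data should be sorted on a blocking key such as host and port first, or true duplicates that are far apart are never compared.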
The data screening unit 3 comprises a second input module, a data asset identification module 31, a vulnerability identification module 32, a threat identification module 33, and a garbage identification module 34 and a second output module, wherein the input end of the second input module is connected with the output end of the data transmission unit 6, the output end of the second input module is sequentially connected with the input ends of the garbage identification module 34, the data asset identification module 31, the vulnerability identification module 32 and the threat identification module 33, the output ends of the garbage identification module 34, the data asset identification module 31, the vulnerability identification module 32 and the threat identification module 33 are all connected with the input end of the second output module, and the output end of the second output module is connected with the input end of the central control processing unit 7.
The vulnerability identification module consists of four parts:
First, single-point vulnerability calculation. The single-point vulnerability is the calculation basis of the whole hierarchy, so its accuracy determines the accuracy of every level above it. Single-point vulnerability is assigned according to CVSS (the Common Vulnerability Scoring System). CVSS was originally developed by NIAC and is maintained by FIRST as an open standard that product vendors may adopt freely; it scores a software vulnerability along three metric groups, the base metrics, the temporal metrics and the environmental metrics, and the CVSS score is obtained by chaining these three groups. The specific formulas are given in the CVSS specification and are not repeated here. Finally, according to the CVSS rule as applied here, the single-point vulnerability value lies in the range [0, 3] (a raw CVSS score lies in [0.0, 10.0], so a mapping onto this smaller scale is implied);
Second, host vulnerability calculation. Host vulnerability is computed from the single-point vulnerabilities with the formula:
V(h) = log2(Vs)   (2)
where Vs is the sum of the single-point vulnerabilities on the host and V(h) is the host vulnerability result, i.e. the base-2 logarithm of Vs. The result is restricted to the range [0, 4]: if Vs is greater than 16, V(h) is taken as 4; otherwise it is computed by equation (2);
Third, service vulnerability calculation.
According to the vulnerability assessment model, service vulnerability is computed from the host vulnerability results combined with the importance of each host to the service, with the formula:
where V(hi) represents the host vulnerability result of a host related to the service. A host is related to a service in one of three ways: it is a deployment host, i.e. the service is deployed on it; a flow host, i.e. the service's traffic interaction has to pass through this type of host, such as a softswitch device; or a transmission host, i.e. the service's signalling interaction has to pass through this type of host. θi represents the weight adjustment coefficient of host i in the service, obtained by normalizing the host importance Bi. Bi represents the importance of the host to the service and depends on factors such as the host type and the importance of the data held on the host; to keep the quantitative calculation accurate and concise, it is set to a fixed value by expert experience according to the above description. V(S) represents the service vulnerability result;
Fourth, network vulnerability calculation. Network vulnerability is computed from the service vulnerability results combined with the importance of each service in the network, with the formula:
where V represents the network vulnerability result, V(S) represents the vulnerability result of a service in the network, and φi represents the weight adjustment coefficient of that service in the network, obtained by normalizing the service importance Wi. Wi represents the importance of the service in the network; like host importance it depends on several factors, and here it is measured by service usage, i.e. Wi is the average number of times the service is used in one day.
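The four-level aggregation described above (single point, host, service, network), as an added example that is not the patent's code. It uses the patent's symbols Vs, V(h), θi, Bi, φi and Wi. Where the page gives no formula (the service and network levels) a weighted sum with normalized importances is assumed, as is a linear mapping of CVSS scores onto the [0, 3] single-point scale; the host-importance values by role and the sample CVSS scores are constructed. One guard is added that the patent does not state: log2(Vs) is undefined at Vs = 0 and negative below 1, so V(h) is clamped to 0 there.

```python
"""Hierarchical vulnerability aggregation: single point -> host -> service -> network.

Added example for this page; it is not the patent's code. Symbols follow the
patent (Vs, V(h), theta_i/B_i, phi_i/W_i). ASSUMPTIONS, since the page gives
no formula for the service and network levels: both are weighted sums whose
weights are the normalized importances; CVSS scores are mapped onto the
patent's [0,3] single-point scale by a linear rescale; and V(h) is clamped to
0 when Vs <= 1, where log2 would be undefined or negative.
"""
import math

SINGLE_POINT_MAX = 3.0  # patent: single-point vulnerability lies in [0, 3]
HOST_MAX = 4.0          # patent: host vulnerability lies in [0, 4]

# Constructed host-importance values B_i by host role (patent: fixed by expert
# experience; these particular numbers are an assumption for the example).
HOST_IMPORTANCE = {"deployment": 3.0, "flow": 2.0, "transmission": 1.0}


def single_point_from_cvss(cvss_score):
    """Map a CVSS score (0.0-10.0) onto the [0, 3] single-point scale (assumed linear)."""
    if not 0.0 <= cvss_score <= 10.0:
        raise ValueError(f"CVSS score {cvss_score} outside 0.0-10.0")
    return cvss_score * SINGLE_POINT_MAX / 10.0


def host_vulnerability(single_points):
    """Equation (2): V(h) = log2(Vs), restricted to [0, 4]."""
    vs = sum(single_points)
    if vs >= 16:          # patent: Vs > 16 -> V(h) = 4 (log2(16) is 4 anyway)
        return HOST_MAX
    if vs <= 1:           # added guard: log2(0) is undefined, log2(x < 1) is negative
        return 0.0
    return math.log2(vs)


def normalize(weights):
    """Turn raw importances into weight adjustment coefficients that sum to 1."""
    total = sum(weights)
    if total <= 0:
        raise ValueError("importances must sum to a positive value")
    return [w / total for w in weights]


def service_vulnerability(host_values, host_importances):
    """V(S) = sum_i theta_i * V(h_i), theta_i = normalized B_i (assumed weighted sum)."""
    theta = normalize(host_importances)
    return sum(t * v for t, v in zip(theta, host_values))


def network_vulnerability(service_values, service_usages):
    """V = sum_i phi_i * V(S_i), phi_i = normalized W_i, W_i = average uses per day."""
    phi = normalize(service_usages)
    return sum(p * v for p, v in zip(phi, service_values))


def assess_network(services):
    """services: {name: {"uses_per_day": W_i, "hosts": [(role, [cvss, ...]), ...]}}.
    Returns (network value, {service: V(S)}, {service: [V(h) per host]})."""
    per_service, per_host = {}, {}
    for name, spec in services.items():
        host_vals, importances = [], []
        for role, cvss_scores in spec["hosts"]:
            host_vals.append(host_vulnerability(single_point_from_cvss(s) for s in cvss_scores))
            importances.append(HOST_IMPORTANCE[role])
        per_host[name] = host_vals
        per_service[name] = service_vulnerability(host_vals, importances)
    names = list(services)
    network = network_vulnerability([per_service[n] for n in names],
                                    [services[n]["uses_per_day"] for n in names])
    return network, per_service, per_host


if __name__ == "__main__":
    # Constructed sample input: two services; the CVSS scores are illustrative.
    sample = {
        "scada-hmi": {"uses_per_day": 300,
                      "hosts": [("deployment", [9.8, 7.5]), ("flow", [5.3])]},
        "historian": {"uses_per_day": 100,
                      "hosts": [("deployment", [6.5]), ("transmission", [])]},
    }
    net, svc, hosts = assess_network(sample)
    for name in sample:
        print(f"{name}: hosts={[round(h, 2) for h in hosts[name]]} V(S)={svc[name]:.2f}")
    print(f"network V={net:.2f}")
```

The clamp matters in practice: a host with a single low-scored finding (Vs below 1) would otherwise get a negative vulnerability value that lowers the service total, and a host with no findings would raise a math error. The normalization also means a host's weight depends on which other hosts belong to the service, so adding a low-importance host changes every θi; check the coefficients whenever the host list changes.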
The data calculation unit 4 comprises a third input module, a likelihood calculation model 41, a loss calculation model 42, a risk value calculation model 43 and a third output module, wherein the input end of the third input module is connected with the output end of the central control processing unit 7, the output end of the third input module is connected with the input ends of the likelihood calculation model 41 and the loss calculation model 42 respectively, the output ends of the likelihood calculation model 41 and the loss calculation model 42 are both connected with the input end of the risk value calculation model 43, the output end of the risk value calculation model 43 is connected with the input end of the third output module, and the output end of the third output module is connected with the input end of the data judgment unit 5.
The likelihood calculation model 41 uses the formula: probability of occurrence of a security event = L(T, V);
the loss calculation model 42 uses the formula: loss after occurrence of a security event = F(Ia, Va);
the risk value calculation model 43 uses the formula: risk value = R(L(T, V), F(Ia, Va));
where R is the security risk calculation function, T a threat, V the network vulnerability, Ia the asset value, Va the severity of the vulnerability, L the likelihood of occurrence of the security event and F the loss after the security event occurs;
the risk value calculation model 43 obtains a final risk value by a phase method or a matrix method, and a process of calculating a risk value based on the matrix method is described as follows: assume that the risk value of asset A1 calculates the input information, specifically as follows: asset value: a1 =2, threat occurrence frequency: t1=2, vulnerability severity: vulnerability v1=2.
The process of calculation using the matrix method is specifically as follows: step one, calculating the occurrence probability of the security event, and constructing a security event occurrence probability matrix as shown in the following table
A security event occurrence probability matrix, wherein the security event occurrence probability value=6 is determined by comparing the threat occurrence frequency value with the vulnerability severity value in the matrix;
step two, grading the occurrence probability of the security event, establishing a classification table of the occurrence probability of the security event, grading the occurrence probability of the security event obtained through calculation, and comparing and determining the occurrence probability of the security event with the value=2 as shown in the following table
Grading the occurrence probability of the security event;
step three, calculating the loss of the security event, and constructing a security event loss matrix as shown in the following table
A security event loss matrix, wherein the security event loss value=5 is determined by comparing the security event loss matrix with the vulnerability severity value according to the asset value;
dividing the security event loss level, establishing a security event loss level dividing table, dividing the calculated security event loss value into levels, as shown in the following table,
determining a security event loss class value = 1;
grading the loss of the security event;
step five, calculating a risk value, firstly constructing a risk matrix, as shown in the following table, and then determining a safety event risk value=6 according to the calculated result, namely the safety event occurrence probability grade value=2, the safety event loss grade value=1, and inquiring the risk matrix table;
a risk matrix;
step six, judging the result, and firstly establishing a risk level dividing table as shown in the following table. Then, the risk level is determined to be 2 by checking against a risk level dividing table
Risk grade division;
step seven, outputting, namely obtaining a risk value=6 of the asset A1 according to calculation, wherein the risk level is 2;
wherein, the higher the risk level, the higher the risk, as exemplified in the following table:
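The risk functions L(T, V), F(Ia, Va) and R(L, F) and the seven-step matrix walk-through above, carried out in code as an added example; this is not the patent's code. The page names the tables but does not reproduce them, so the three matrices and the grading bands below are constructed to yield the page's own figures for asset A1 (probability 6, grade 2; loss 5, grade 1; risk 6, level 2). The operator of the multiplication method is also not on the page; the square root of the product at each stage is an assumption. Two consistency checks are included that a practitioner should run on any such tables: each matrix must be monotone (raising threat, vulnerability or asset value must never lower the output) and the grading bands must cover every possible matrix value exactly once.

```python
"""Risk value by the matrix method and the multiplication method.

Added example for this page, not the patent's code. The three matrices and
the grading bands are CONSTRUCTED so that the patent's worked figures
(probability 6 -> grade 2, loss 5 -> grade 1, risk 6 -> level 2) come out
for A1 = T1 = V1 = 2; the patent's own tables are not reproduced on the page.
The multiplication method's operator is not on the page either; the square
root of the product is used here as an ASSUMPTION.
"""
import math

# Rows and columns are indexed 1..5 (threat frequency, vulnerability severity,
# asset value and the two grades all use a 1..5 scale in this example).
LIKELIHOOD = [  # L(T, V): rows = threat frequency, cols = vulnerability severity
    [2, 4, 7, 11, 14],
    [3, 6, 9, 13, 16],
    [5, 8, 11, 15, 18],
    [7, 10, 13, 17, 20],
    [9, 12, 15, 19, 22],
]
LOSS = [  # F(Ia, Va): rows = asset value, cols = vulnerability severity
    [2, 3, 5, 6, 7],
    [3, 5, 6, 8, 10],
    [5, 6, 9, 11, 13],
    [6, 8, 11, 14, 16],
    [7, 10, 13, 16, 20],
]
RISK = [  # R: rows = probability grade, cols = loss grade
    [3, 5, 6, 7, 10],
    [6, 8, 9, 12, 14],
    [9, 11, 13, 16, 18],
    [12, 14, 17, 19, 21],
    [14, 17, 19, 22, 25],
]
# Grading bands: (low, high, grade), inclusive and contiguous over 1..25.
LIKELIHOOD_GRADES = [(1, 5, 1), (6, 11, 2), (12, 16, 3), (17, 21, 4), (22, 25, 5)]
LOSS_GRADES = [(1, 5, 1), (6, 10, 2), (11, 15, 3), (16, 20, 4), (21, 25, 5)]
RISK_LEVELS = [(1, 5, 1), (6, 11, 2), (12, 16, 3), (17, 21, 4), (22, 25, 5)]


def lookup(matrix, row, col):
    """1-based lookup; rejects inputs outside the scale instead of silently clamping."""
    if not (1 <= row <= len(matrix) and 1 <= col <= len(matrix[0])):
        raise ValueError(f"({row}, {col}) is outside the 1..{len(matrix)} scale")
    return matrix[row - 1][col - 1]


def grade(value, bands):
    """Map a matrix value onto its grade; a value no band covers is an error."""
    for low, high, g in bands:
        if low <= value <= high:
            return g
    raise ValueError(f"value {value} is not covered by any grading band")


def is_monotone(matrix):
    """Consistency check: raising either input must never lower the output."""
    for r, row in enumerate(matrix):
        for c, val in enumerate(row):
            if c > 0 and val < row[c - 1]:
                return False
            if r > 0 and val < matrix[r - 1][c]:
                return False
    return True


def bands_are_contiguous(bands, low=1, high=25):
    """Consistency check: every value in low..high maps to exactly one grade."""
    return all(sum(lo <= v <= hi for lo, hi, _ in bands) == 1 for v in range(low, high + 1))


def matrix_method(asset, threat, vuln):
    """Steps one to seven of the matrix method; returns every intermediate value."""
    likelihood = lookup(LIKELIHOOD, threat, vuln)            # step one
    likelihood_grade = grade(likelihood, LIKELIHOOD_GRADES)  # step two
    loss = lookup(LOSS, asset, vuln)                         # step three
    loss_grade = grade(loss, LOSS_GRADES)                    # step four
    risk = lookup(RISK, likelihood_grade, loss_grade)        # step five
    risk_level = grade(risk, RISK_LEVELS)                    # step six
    return {"likelihood": likelihood, "likelihood_grade": likelihood_grade,
            "loss": loss, "loss_grade": loss_grade,
            "risk": risk, "risk_level": risk_level}          # step seven


def multiplication_method(asset, threat, vuln):
    """Assumed operator x (x) y = sqrt(x * y) at each of the three stages."""
    likelihood = math.sqrt(threat * vuln)
    loss = math.sqrt(asset * vuln)
    return likelihood, loss, math.sqrt(likelihood * loss)


if __name__ == "__main__":
    for m in (LIKELIHOOD, LOSS, RISK):
        assert is_monotone(m), "matrix is not monotone"
    print(matrix_method(asset=2, threat=2, vuln=2))
    print(multiplication_method(asset=2, threat=2, vuln=2))
```

lookup() raises on inputs outside the 1..5 scale rather than clamping, so a scanner that feeds an unexpected 0 or 6 surfaces as an error instead of a silently wrong risk level.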
working principle: when in use, the central control processing unit 7 instructs the hardware information scanning module 11 and the software information scanning module 12 in the data acquisition unit 1 to scan the source IP address, the destination IP address, the protocol number, the source port, the destination port, the service type, the interface index, SSHD, SQL, HTTP and the like of the host one by one, the hardware information scanning module 11 and the software information scanning module 12 reduce the same data matching times through the scanning algorithm model 13, thereby effectively improving the data scanning speed, the scanning algorithm model 13 transmits scanned data to the data transmission unit 6 through the first output module, the data transmission unit 6 firstly transmits the obtained original data to the data storage unit 2 for backup, and then transmits the original data to the second input module in the data screening unit 3, the second input module classifies and identifies the original data sequentially through the garbage identification module 34, the data asset identification module 31, the vulnerability identification module 32 and the threat identification module 33, the garbage identification module 34, the data asset identification module 31, the vulnerability identification module 32 and the threat identification module 33 transmit the identified information to the central control processing unit 7 through the second output module, the central control processing unit 7 removes the garbage identification module 34, transmits the information identified by the remaining data asset identification module 31, the vulnerability identification module 32 and the threat identification module 33 to the third input module in the data computing unit 4, the third input module transmits the data information of the data asset identification module 31, the vulnerability identification module 32 and the threat identification module 33 to the 
likelihood computing model 41 and the loss computing model 42 respectively for computation, obtains the respective values and transmits the values to the risk value computing model 43, the risk value calculation model 43 obtains a final risk value through a phase multiplication or matrix method, and then the risk value is transmitted to the data judgment unit 5 through the third output module, and the data judgment unit 5 obtains a final risk level according to the risk value, so that the purpose of accurately evaluating the security situation of the industrial Internet is achieved.
While certain exemplary embodiments of the present application have been described above by way of illustration only, it will be apparent to those of ordinary skill in the art that modifications may be made to the described embodiments in various different ways without departing from the spirit and scope of the application. Accordingly, the drawings and description are to be regarded as illustrative in nature and not as restrictive of the scope of the application, which is defined by the appended claims.

Claims (8)

1. The industrial Internet security situation evaluation system based on the multiple attributes is characterized by comprising a data acquisition unit (1), a data storage unit (2), a data screening unit (3), a data calculation unit (4), a data judgment unit (5), a data transmission unit (6) and a central control processing unit (7);
the data acquisition unit (1) is used for scanning the hardware information and the software information of the host respectively and acquiring scanned data;
the data storage unit (2) is used for respectively storing and backing up the data acquired by the data acquisition unit (1) and the data calculated by the data calculation unit (4);
the data screening unit (3) is used for classifying and identifying the stored data and removing useless information;
the data calculation unit (4) is used for calculating the risk value of the classified data;
the data determination unit (5) is used for determining the risk value and classifying the risk level;
the data transmission unit (6) is used for transmitting the data acquired by the data acquisition unit (1);
the central control processing unit (7) is used for controlling the data acquisition unit (1) to start data acquisition, and after receiving the data of the data screening unit (3), the data are processed and then sent to the data calculation unit (4) for data calculation.
2. The multi-attribute-based industrial internet security situation evaluation system according to claim 1, wherein the output end of the data acquisition unit (1) is connected with the input end of the data transmission unit (6), the output end of the data transmission unit (6) is connected with the input end of the data storage unit (2) and the input end of the data screening unit (3), the output end of the data storage unit (2) is connected with the input end of the central control processing unit (7), the output end of the data screening unit (3) is connected with the input end of the central control processing unit (7), the output end of the central control processing unit (7) is connected with the input end of the data acquisition unit (1) and the input end of the data calculation unit (4), the output end of the data calculation unit (4) is connected with the input end of the data determination unit (5) and the input end of the data storage unit (2), and the output end of the data determination unit (5) is connected with the input end of the central control processing unit (7).
3. The multi-attribute-based industrial internet security situation evaluation system according to claim 1, wherein the data acquisition unit (1) comprises a first input module, a hardware information scanning module (11), a software information scanning module (12), a scanning algorithm model (13) and a first output module, wherein the input end of the first input module is connected with the output end of the central control processing unit (7), the output end of the first input module is respectively connected with the input ends of the hardware information scanning module (11) and the software information scanning module (12), the output ends of the hardware information scanning module (11) and the software information scanning module (12) are both connected with the input end of the scanning algorithm model (13), the output end of the scanning algorithm model (13) is connected with the input end of the first output module, and the output end of the first output module is connected with the input end of the data transmission unit (6).
4. A multi-attribute based industrial internet security posture assessment system according to claim 3, wherein said scanning algorithm model (13) employs the following algorithm steps:
s1, defining a threshold value, wherein the threshold value is defined interactively by the user;
s2, scanning the database with a window of fixed size w and filtering the data according to the user-defined threshold:
for (list = 0; list < lastone; list++)    // scan from the first record to the end of the database
    for (j = 0; j < w; j++)               // compare each new record entering the window with the previous w-1 records
    {
        strfirst = dataset(list + j);
        strnew = dataset(list + w);
s3, filtering, namely comparing the two records to see whether the judging conditions are met, and filtering accordingly:
        if (judging condition 1)          // judging condition 1 checks whether the two records come from the same data source; if so, they are not compared and the scan jumps to the next record, otherwise judging condition 2 is checked;
        if (judging condition 2)          // once judging condition 1 is passed, judging condition 2 checks whether the difference in length and in characters between the two records exceeds the user-defined threshold; if so, the scan jumps to the next record, otherwise the two records are compared with the q-gram algorithm to decide whether they satisfy the similarity condition;
        q-gram(strfirst, strnew);         // the two records are compared with the q-gram algorithm; if they satisfy the similarity condition they are added to the similar queue, otherwise the comparison of the two records ends;
    }
the new record then joins the first w-1 records in the window, and the window moves down.
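As an added example (not code from the patent), the following Python implements the windowed near-duplicate scan of claim 4 on constructed scan records: judging condition 1 skips pairs from the same data source, judging condition 2 skips pairs whose length and character differences exceed the user threshold, and surviving pairs are compared by q-gram similarity. The record layout, the Dice-style q-gram score and its 0.8 cutoff are assumptions.

```python
from collections import Counter


def qgrams(s, q=2):
    """Multiset of overlapping q-grams; '#' padding so short records still yield grams."""
    padded = "#" * (q - 1) + s + "#" * (q - 1)
    return Counter(padded[i:i + q] for i in range(len(padded) - q + 1))


def qgram_similarity(a, b, q=2):
    """Dice-style overlap of the two q-gram multisets, in [0, 1] (assumed scoring rule)."""
    ga, gb = qgrams(a, q), qgrams(b, q)
    shared = sum((ga & gb).values())
    total = sum(ga.values()) + sum(gb.values())
    return 2 * shared / total if total else 1.0


def char_difference(a, b):
    """Cheap pre-filter for judging condition 2: mismatched positions plus the length difference."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


def window_scan(records, w, threshold, sim_threshold=0.8, q=2):
    """Slide a window of size w over records ([(data_source, text), ...]) and return the
    (older_index, newer_index) pairs that end up in the similar queue."""
    similar = []
    for new in range(1, len(records)):
        new_src, new_txt = records[new]
        # the new record is compared with the previous w-1 records in the window
        for old in range(max(0, new - (w - 1)), new):
            old_src, old_txt = records[old]
            if old_src == new_src:                               # condition 1: same source, skip
                continue
            if char_difference(old_txt, new_txt) > threshold:    # condition 2: too different, skip
                continue
            if qgram_similarity(old_txt, new_txt, q) >= sim_threshold:
                similar.append((old, new))
    return similar


# Constructed scan records as (data source, record): "hw" = hardware scanning module,
# "sw" = software scanning module. Not taken from the patent.
SAMPLE_RECORDS = [
    ("hw", "10.0.0.5 tcp 22 sshd"),
    ("sw", "10.0.0.5 tcp 22 sshd"),
    ("sw", "10.0.0.5 tcp 22 sshd "),     # near-duplicate: trailing space
    ("hw", "10.0.0.5 tcp 80 http"),
    ("sw", "10.0.0.7 tcp 3306 sql"),
    ("hw", "10.0.0.7 tcp 3306 sql"),
]

if __name__ == "__main__":
    print(window_scan(SAMPLE_RECORDS, w=3, threshold=3))   # [(0, 1), (0, 2), (4, 5)]
```

With w=2 the trailing-space variant at index 2 is only compared with index 1 (same source) and is no longer caught, which is the window-size trade-off the claim's fixed w implies.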
5. The multi-attribute-based industrial internet security situation assessment system according to claim 1, wherein the data screening unit (3) comprises a second input module, a data asset identification module (31), a vulnerability identification module (32), a threat identification module (33) and a useless information identification module (34) and a second output module, the input end of the second input module is connected with the output end of the data transmission unit (6), the output end of the second input module is sequentially connected with the input ends of the useless information identification module (34), the data asset identification module (31), the vulnerability identification module (32) and the threat identification module (33), and the output ends of the useless information identification module (34), the data asset identification module (31), the vulnerability identification module (32) and the threat identification module (33) are all connected with the input end of the second output module, and the output end of the second output module is connected with the input end of the central control processing unit (7).
6. The multi-attribute based industrial internet security posture assessment system of claim 5, wherein the vulnerability identification module (32) consists of four parts:
first, single-point vulnerability calculation: the calculation of single-point vulnerability is the basis of the whole hierarchy, so its accuracy determines the accuracy of the other levels. A single-point vulnerability is assigned a value according to CVSS (the Common Vulnerability Scoring System); CVSS was developed by NIAC and is maintained by FIRST as an open standard that product manufacturers may freely adopt. It divides a software vulnerability into base metrics, temporal metrics and environmental metrics, and the CVSS score is completed by iterating over these three metric dimensions; the specific calculation formula is described in the CVSS specification and is not repeated here. Finally, according to the CVSS rule, the value range of a single-point vulnerability is [0,3];
second, host vulnerability calculation: host vulnerability is calculated from the single-point vulnerabilities, with the following formula:
V(h) = log₂(Vs)   (2)
wherein Vs represents the sum of the single-point vulnerabilities on the host and V(h) represents the host vulnerability result, i.e. the base-2 logarithm of Vs. The value range of the host vulnerability result is restricted to [0,4]: if Vs is greater than 16, V(h) is taken as 4, otherwise it is calculated according to equation (2) above;
third, service vulnerability calculation: according to the vulnerability assessment model, service vulnerability is calculated from the host vulnerability results combined with the importance of each host in the service, with the following formula:
wherein V(hi) represents the vulnerability calculation result of a host associated with the service. A host is associated with a service in three ways: it is a deployment host, i.e. the service is deployed on it; a flow host, i.e. the traffic interaction of the service must be completed by a host of this type, e.g. a soft-switching device; or a transmission host, i.e. the signalling interaction of the service must be completed by a host of this type. θi represents the weight adjustment coefficient of the host in the service and is obtained by normalizing the importance Bi of the host; Bi represents the importance of the host in the service, which depends on the host type, the importance of the data on the host and other factors. To keep the quantitative calculation accurate and concise, the importance is set to a fixed value based on the above description combined with expert experience. V(s) represents the service vulnerability assessment result;
fourth, network vulnerability calculation: network vulnerability is calculated from the service vulnerability results combined with the importance of each service in the network, with the following formula:
wherein V represents the network vulnerability result, V(S) represents the vulnerability result of a service in the network, φi represents the weight adjustment coefficient of that service in the network and is obtained by normalizing the importance Wi of the service, and Wi represents the importance of the service in the network. Like host importance, the importance of a service depends on several factors; here it is calculated from the service's usage level, i.e. Wi is the average number of times the service is used in one day.
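As an added example (not the patent's own code), the following Python carries the hierarchy of claim 6 through on a constructed network: host vulnerability by equation (2) with the [0,4] restriction, then service and network vulnerability as importance-weighted sums. The claim does not print the service and network formulas, so the weighted-sum form with θi = Bi/ΣB and φi = Wi/ΣW, the [0,3] check on single-point values and the handling of Vs = 0 are assumptions.

```python
import math

SINGLE_POINT_RANGE = (0.0, 3.0)   # range of a single-point value as stated in claim 6


def host_vulnerability(single_point_values):
    """Equation (2): V(h) = log2(Vs), Vs = sum of the single-point values on the host,
    restricted to [0, 4] (so Vs > 16 yields 4). Vs = 0 is mapped to 0 here, an assumption,
    since the claim does not define log2(0)."""
    lo, hi = SINGLE_POINT_RANGE
    for v in single_point_values:
        if not lo <= v <= hi:
            raise ValueError(f"single-point value {v} outside {SINGLE_POINT_RANGE}")
    vs = sum(single_point_values)
    if vs <= 0:
        return 0.0
    return max(0.0, min(4.0, math.log2(vs)))


def normalize(weights):
    """Turn raw importances (Bi for hosts, Wi for services) into coefficients summing to 1."""
    total = sum(weights)
    if total <= 0:
        raise ValueError("importances must sum to a positive value")
    return [x / total for x in weights]


def service_vulnerability(host_values, host_importance):
    """Assumed form of the service formula: V(s) = sum_i theta_i * V(h_i), theta_i = Bi / sum(B)."""
    return sum(t * v for t, v in zip(normalize(host_importance), host_values))


def network_vulnerability(service_values, service_usage):
    """Assumed form of the network formula: V = sum_i phi_i * V(S_i), phi_i = Wi / sum(W),
    where Wi is the average number of times service i is used per day."""
    return sum(p * v for p, v in zip(normalize(service_usage), service_values))


def evaluate(network):
    """network: {service: {"usage": Wi, "hosts": [(Bi, [single-point values]), ...]}}.
    Returns (network V, {service: V(s)}) so the intermediate layer can be inspected."""
    service_values, usage = {}, []
    for name, svc in network.items():
        host_vals = [host_vulnerability(sp) for _, sp in svc["hosts"]]
        host_imp = [b for b, _ in svc["hosts"]]
        service_values[name] = service_vulnerability(host_vals, host_imp)
        usage.append(svc["usage"])
    return network_vulnerability(list(service_values.values()), usage), service_values


# Constructed sample network (an assumption, not from the patent): the billing service runs on
# a deployment host (Bi = 3) and a flow host (Bi = 2); telemetry on a clean transmission host
# (Bi = 1) and the same deployment host (Bi = 3).
SAMPLE_NETWORK = {
    "billing":   {"usage": 800, "hosts": [(3, [2.5, 1.5]), (2, [3.0] * 6)]},
    "telemetry": {"usage": 200, "hosts": [(1, []), (3, [2.5, 1.5])]},
}

if __name__ == "__main__":
    total, per_service = evaluate(SAMPLE_NETWORK)
    print(per_service, round(total, 3))   # billing 2.8, telemetry 1.5, network 2.54
```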
7. The multi-attribute-based industrial internet security situation assessment system according to claim 1, wherein the data calculation unit (4) comprises a third input module, a likelihood calculation model (41), a loss calculation model (42), a risk value calculation model (43) and a third output module, the input end of the third input module is connected with the output end of the central control processing unit (7), the output end of the third input module is respectively connected with the input ends of the likelihood calculation model (41) and the loss calculation model (42), the output ends of the likelihood calculation model (41) and the loss calculation model (42) are both connected with the input end of the risk value calculation model (43), the output end of the risk value calculation model (43) is connected with the input end of the third output module, and the output end of the third output module is connected with the input end of the data determination unit (5).
8. The multi-attribute based industrial internet security posture assessment system of claim 7, wherein the likelihood calculation model (41) has the following calculation formula: probability of occurrence of a security event = L(T, V);
the loss calculation model (42) has the following calculation formula: loss after occurrence of a security event = F(Ia, Va);
the risk value calculation model (43) has the following calculation formula: risk value = R(L(T, V), F(Ia, Va));
wherein R represents the security risk calculation function, A represents an asset, T represents a threat, V represents the network vulnerability, Ia represents the asset value, Va represents the severity of the vulnerability, L represents the probability of occurrence of a security event, and F represents the loss after the occurrence of the security event.
CN202211308628.9A 2022-10-25 2022-10-25 Multi-attribute-based industrial Internet security situation evaluation system Pending CN116800633A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211308628.9A CN116800633A (en) 2022-10-25 2022-10-25 Multi-attribute-based industrial Internet security situation evaluation system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211308628.9A CN116800633A (en) 2022-10-25 2022-10-25 Multi-attribute-based industrial Internet security situation evaluation system

Publications (1)

Publication Number Publication Date
CN116800633A true CN116800633A (en) 2023-09-22

Family

ID=88042595

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211308628.9A Pending CN116800633A (en) 2022-10-25 2022-10-25 Multi-attribute-based industrial Internet security situation evaluation system

Country Status (1)

Country Link
CN (1) CN116800633A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117527663A (en) * 2023-11-22 2024-02-06 北京有略安全技术有限公司 Automatic detection system for network security level protection

Similar Documents

Publication Publication Date Title
EP3622402B1 (en) Real time detection of cyber threats using behavioral analytics
Patgiri et al. An investigation on intrusion detection system using machine learning
US20210392152A1 (en) Intrusion detection using robust singular value decomposition
US9699042B2 (en) Systems and methods of classifying sessions
JP2019521422A (en) Method, apparatus and computer readable medium for detecting abnormal user behavior related application data
CN110912737A (en) Dynamic perception performance early warning method based on hybrid model
CN112839014B (en) Method, system, equipment and medium for establishing abnormal visitor identification model
CN110933115B (en) Analysis object behavior abnormity detection method and device based on dynamic session
CN113762377B (en) Network traffic identification method, device, equipment and storage medium
CN112597141B (en) Network flow detection method based on public opinion analysis
CN116800633A (en) Multi-attribute-based industrial Internet security situation evaluation system
CN114615016A (en) Enterprise network security assessment method and device, mobile terminal and storage medium
CN110097120B (en) Network flow data classification method, equipment and computer storage medium
WO2021262344A1 (en) Method and apparatus to detect scripted network traffic
CN110149303B (en) Party-school network security early warning method and early warning system
Fukuda On the use of weighted syslog time series for anomaly detection
CN112115794A (en) Method for detecting wearing condition of safety helmet based on deep learning
CN113630425B (en) Financial data safe transmission method for multiple power bodies
CN117807590B (en) Information security prediction and monitoring system and method based on artificial intelligence
CN109617925A (en) It is a kind of for the protection of network attack, the setting method of interval mark and system
CN113347180B (en) Risk analysis method for network security three-synchronization process of computer application system
CN117040912B (en) Network security operation and maintenance management method and system based on data analysis
CN116886380B (en) Botnet detection method and system
CN117376030B (en) Flow anomaly detection method, device, computer equipment and readable storage medium
CN117610591B (en) Operation monitoring method suitable for intelligent code scanning terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination