CN116866078A - Network security evaluation method

Publication number
CN116866078A
Authority
CN
China
Prior art keywords
score
network security
test
preset
audit
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311024679.3A
Other languages
Chinese (zh)
Inventor
李东全
史威
丁雨
艾月乔
王禹钦
魏义昕
黑卫春
姜帅
潘志榆
陈瑞波
刘白杨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Oil and Gas Pipeline Network Corp
National Pipe Network Group North Pipeline Co Ltd
Original Assignee
China Oil and Gas Pipeline Network Corp
National Pipe Network Group North Pipeline Co Ltd
Application filed by China Oil and Gas Pipeline Network Corp, National Pipe Network Group North Pipeline Co Ltd
Priority to CN202311024679.3A
Publication of CN116866078A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Abstract

The invention provides a network security evaluation method, which belongs to the field of network security evaluation, and comprises the following steps: importing network security test data; scoring the network security test data to obtain a network security score; and comparing the network security score with a preset network security comparison value, and obtaining a conclusion whether the network security reaches the network security standard or not according to the comparison result. The invention can accurately know the network safety index of the current industrial control system, thereby detecting the safety performance of industrial control and ensuring that the industrial production can run normally.

Description

Network security evaluation method
Technical Field
The invention mainly relates to the technical field of network security, in particular to a network security evaluation method.
Background
With the rapid development of computer technology and the Internet, and with the frequent occurrence of network information security events in recent years, network information security problems have gradually penetrated into various industries and become a focus of attention. To prevent security events in advance and avoid losses, network information security assessment has become a key step in understanding network security performance. Information security risk assessment analyzes the vulnerability of an information system and its network and the threats the system faces, predicts the probability that a security event occurs and the impact it may have once it does, and finally obtains the security level, namely the security condition, of the whole information system. The assessment then serves as a reference for implementing security measures, which reduce the vulnerability and bring the risk down to an acceptable degree, thereby guaranteeing the security of the information system.
An industrial control system is a system composed of various automatic control components and process control components that collect and monitor real-time data. Existing network detection methods for industrial control systems cannot accurately detect the network security performance of the industrial control system, so the network security index of the existing industrial control system cannot be accurately known, and once a vulnerability appears in the industrial control network security, industrial production operation is affected.
Disclosure of Invention
The invention aims to solve the technical problem of providing a network security evaluation method aiming at the defects of the prior art.
The technical scheme for solving the technical problems is as follows: a network security evaluation method comprises the following steps:
importing network security test data;
scoring the network security test data to obtain a network security score;
and comparing the network security score with a preset network security comparison value, and obtaining a conclusion whether the network security reaches the network security standard or not according to the comparison result.
The other technical scheme for solving the technical problems is as follows: a network security assessment apparatus comprising:
the importing module is used for importing network security test data;
The scoring module is used for scoring the network security test data to obtain a network security score;
and the comparison module is used for comparing the network security score with a preset network security comparison value and obtaining a conclusion whether the network security reaches the network security standard or not according to the comparison result.
Based on the network security evaluation method, the invention also provides a network security evaluation system.
The other technical scheme for solving the technical problems is as follows: a network security assessment system comprising a memory, a processor and a computer program stored in the memory and executable on the processor, which when executed by the processor implements a network security assessment method as described above.
Based on the network security evaluation method, the invention also provides a computer readable storage medium.
The other technical scheme for solving the technical problems is as follows: a computer-readable storage medium storing a computer program which, when executed by a processor, implements the network security assessment method as described above.
The beneficial effects of the invention are as follows: the network security test data is imported, the network security test data is scored to obtain a network security score, the network security score is compared with a preset network security comparison value, and a conclusion whether the network security reaches the network security standard is obtained according to the comparison result, so that the network security index of the current industrial control system can be accurately known, the security performance of industrial control is detected, and normal production operation of industrial production is ensured.
Drawings
Fig. 1 is a schematic flow chart of a network security evaluation method according to an embodiment of the present invention;
fig. 2 is a block diagram of a network security evaluation device according to an embodiment of the present invention.
Detailed Description
The principles and features of the present invention are described below with reference to the drawings. The examples are given only to illustrate the invention and are not to be construed as limiting its scope.
Fig. 1 is a flow chart of a network security evaluation method according to an embodiment of the present invention.
As shown in fig. 1, a network security evaluation method includes the following steps:
importing network security test data;
scoring the network security test data to obtain a network security score;
And comparing the network security score with a preset network security comparison value, and obtaining a conclusion whether the network security reaches the network security standard or not according to the comparison result.
It should be appreciated that the results of the network security test (i.e., network security test data) are obtained, and the scores of the network security tests (i.e., network security scores) are calculated based on the results of the network security test (i.e., network security test data).
Preferably, the preset network security comparison value may be 4.
Specifically, the score of the network security test (i.e., the network security score) is compared with a score preset value of the network security test (i.e., a preset network security comparison value), and whether the network security of the industrial control system reaches the network security standard (i.e., the network security evaluation result) is judged according to the comparison result.
In the above embodiment, the network security test data is imported, the network security test data is scored to obtain the network security score, the network security score is compared with the preset network security comparison value, and a conclusion whether the network security reaches the network security standard is obtained according to the comparison result, so that the network security index of the current industrial control system can be accurately known, the security performance of industrial control is detected, and the normal production operation of industrial production is ensured.
Optionally, as an embodiment of the present invention, the process of scoring the network security test data to obtain a network security score includes:
scoring the network security test data by a firewall test to obtain a firewall score;
scoring the network security test data by a gatekeeper test to obtain a gatekeeper score;
scoring the network security test data by a network traffic audit test to obtain a network traffic audit score;
scoring the network security test data by an operation and maintenance fort machine test to obtain an operation and maintenance fort machine score;
scoring the network security test data by a host security protection test to obtain a host security protection score;
scoring the network security test data by an optical gate test to obtain an optical gate score;
scoring the network security test data by a USB security defense test to obtain a USB security defense machine score;
judging whether the firewall score is larger than a preset firewall comparison value, if so, updating the firewall score according to a first preset value to obtain an updated firewall score; if not, updating the firewall score according to a second preset value to obtain the updated firewall score;
judging whether the gatekeeper score is larger than a preset gatekeeper comparison value, if so, updating the gatekeeper score according to the first preset value to obtain an updated gatekeeper score; if not, updating the gatekeeper score according to the second preset value to obtain the updated gatekeeper score;
judging whether the network traffic audit score is larger than a preset network traffic audit comparison value, if so, updating the network traffic audit score according to the first preset value to obtain an updated network traffic audit score; if not, updating the network traffic audit score according to the second preset value to obtain the updated network traffic audit score;
judging whether the operation and maintenance fort machine score is larger than a preset operation and maintenance fort machine comparison value, if so, updating the operation and maintenance fort machine score according to the first preset value to obtain an updated operation and maintenance fort machine score; if not, updating the operation and maintenance fort machine score according to the second preset value to obtain the updated operation and maintenance fort machine score;
judging whether the host security protection score is larger than a preset host security protection comparison value, if so, updating the host security protection score according to the first preset value to obtain an updated host security protection score; if not, updating the host security protection score according to the second preset value to obtain the updated host security protection score;
judging whether the optical gate score is larger than a preset optical gate comparison value, if so, updating the optical gate score according to the first preset value to obtain an updated optical gate score; if not, updating the optical gate score according to the second preset value to obtain the updated optical gate score;
judging whether the USB security defense machine score is larger than a preset USB security defense machine comparison value, if so, updating the USB security defense machine score according to the first preset value to obtain an updated USB security defense machine score; if not, updating the USB security defense machine score according to the second preset value to obtain the updated USB security defense machine score;
and summing the updated firewall score, the updated gatekeeper score, the updated network traffic audit score, the updated operation and maintenance fort machine score, the updated host security protection score, the updated optical gate score and the updated USB security defense machine score to obtain a network security score.
Preferably, the preset firewall comparison value, the preset gatekeeper comparison value, the preset network traffic audit comparison value, the preset operation and maintenance fort machine comparison value, the preset host security protection comparison value, the preset optical gate comparison value and the preset USB security defense machine comparison value may each be 60, the first preset value may be 1, and the second preset value may be 0.
It should be appreciated that network security testing includes: firewall testing, gatekeeper testing, network traffic audit testing, operation and maintenance fort machine testing, host security protection testing, optical gate testing, and USB security defense testing.
Specifically, the firewall test, gatekeeper test, network traffic audit test, operation and maintenance fort machine test, host security protection test, optical gate test and USB security defense test respectively yield: a firewall test score (i.e., firewall score), a gatekeeper test score (i.e., gatekeeper score), a network traffic audit test score (i.e., network traffic audit score), an operation and maintenance fort machine test score (i.e., operation and maintenance fort machine score), a host security protection test score (i.e., host security protection score), an optical gate test score (i.e., optical gate score), and a USB security defense test score (i.e., USB security defense machine score).
Specifically, it is determined for each of the firewall test score (i.e., firewall score), the gatekeeper test score (i.e., gatekeeper score), the network traffic audit test score (i.e., network traffic audit score), the operation and maintenance fort machine test score (i.e., operation and maintenance fort machine score), the host security protection test score (i.e., host security protection score), the optical gate test score (i.e., optical gate score), and the USB security defense test score (i.e., USB security defense machine score) whether it reaches the network security standard.
In the above embodiment, the network security test data is scored to obtain the network security score, so that the user can know the current security state of each security test, and the user can adjust the security performance of the industrial control system according to each security test result independently.
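The per-test update and final comparison described in this embodiment, written out as an added example (not code from the patent). It uses the preferred values 60, 1, 0 and 4 from the text; the dictionary keys, the 0-100 range check and the strict "larger than" in the final comparison are assumptions of this example, since the page only says the two values are compared.

```python
# Added example, not code from the patent: per-test update and final verdict.
from dataclasses import dataclass

# The seven tests named in this embodiment (key names are this example's own).
TESTS = (
    "firewall",
    "gatekeeper",
    "network_traffic_audit",
    "operation_and_maintenance_fort_machine",
    "host_security_protection",
    "optical_gate",
    "usb_security_defense",
)

PER_TEST_COMPARISON = 60   # preset comparison value for every test ("may be 60")
FIRST_PRESET = 1           # updated score when the raw score is larger
SECOND_PRESET = 0          # updated score otherwise
NETWORK_COMPARISON = 4     # preset network security comparison value ("may be 4")


@dataclass(frozen=True)
class Evaluation:
    updated: dict          # test name -> updated score (1 or 0)
    network_score: int     # sum of the updated scores
    meets_standard: bool
    failed_tests: tuple    # tests whose updated score is the second preset value


def evaluate(raw_scores):
    """Apply the per-test update, sum the results and compare with the preset."""
    missing = [t for t in TESTS if t not in raw_scores]
    if missing:
        raise ValueError(f"missing test scores: {missing}")

    updated = {}
    for test in TESTS:
        score = raw_scores[test]
        # Assumption: raw test scores lie on a 0-100 scale.
        if not 0 <= score <= 100:
            raise ValueError(f"{test}: score {score} outside 0-100")
        # "Larger than" is strict: a raw score of exactly 60 gets the second preset.
        updated[test] = FIRST_PRESET if score > PER_TEST_COMPARISON else SECOND_PRESET

    network_score = sum(updated.values())
    # Assumption: the final comparison is also "larger than"; the page only
    # says the two values are compared.
    meets = network_score > NETWORK_COMPARISON
    failed = tuple(t for t in TESTS if updated[t] == SECOND_PRESET)
    return Evaluation(updated, network_score, meets, failed)


# Constructed sample input: the firewall scores 0 and the gatekeeper exactly 60.
SAMPLE_SCORES = {
    "firewall": 0,
    "gatekeeper": 60,
    "network_traffic_audit": 72.5,
    "operation_and_maintenance_fort_machine": 88,
    "host_security_protection": 91,
    "optical_gate": 65,
    "usb_security_defense": 80,
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_SCORES)
    print("network security score:", result.network_score)
    print("meets standard:", result.meets_standard)
    print("tests to review:", ", ".join(result.failed_tests))
```

In the constructed sample the overall verdict is "meets the standard" although the firewall test scored 0, so the per-test list should be reported alongside the total.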
Optionally, as one embodiment of the present invention, the network security test data includes firewall performance data, firewall access control information, industrial protocol whitelist information, and intrusion prevention data, and
the process of scoring the network security test data by the firewall test to obtain the firewall score comprises the following steps:
scoring the firewall performance data according to preset firewall performance rules to obtain a firewall performance score;
scoring the firewall access control information according to a preset firewall access control rule to obtain an access control score;
scoring the industrial protocol white list information according to a preset industrial protocol white list rule to obtain an industrial protocol white list score;
scoring the intrusion prevention data according to a preset intrusion prevention rule to obtain an intrusion prevention score;
And summing the firewall performance score, the access control score, the industrial protocol white list score and the intrusion prevention score to obtain a firewall score.
It should be understood that the total score (i.e., firewall score) is the sum of the scores of 4 parts: performance (i.e., firewall performance score), access control (i.e., access control score), industrial protocol whitelist (i.e., industrial protocol whitelist score), and intrusion prevention (i.e., intrusion prevention score), with each part weighted at 25%.
It should be understood that the preset firewall performance rule may be to determine whether a plurality of indexes in the firewall performance data are all qualified, and if not, the test score is 0.
It should be understood that the preset firewall access control rule may be that the access test score is 0 if the access control function is not supported.
It should be understood that the preset industrial protocol whitelist rule may be that each protocol in the industrial whitelist test is worth 5 points.
It should be appreciated that the preset intrusion prevention rule may be that each attack accurately identified and intercepted scores 1 point, and each attack that is identified inaccurately but still intercepted scores 0.5 points.
It should be appreciated that the score for the firewall test is the sum of a firewall performance test score, a firewall access control test score (i.e., access control score), a firewall industry protocol whitelist test score (i.e., industry protocol whitelist score), and a firewall intrusion prevention test score (i.e., intrusion prevention score).
Specifically, when the firewall performance test is executed, configuring a flow packet, checking the throughput and average time delay of tested equipment, and calculating the firewall performance test score;
when the firewall access control test is executed, the device to be tested is connected, a firewall policy is configured, access control is carried out by using an industrial communication protocol, the on-off condition of data is checked, the access control capability of the device to be tested is verified, and the firewall access control test score (namely, access control score) is calculated;
when the firewall industrial protocol white list test is executed, accessing a detected firewall, sequentially testing different industrial communication protocols, checking learning and resolving capacities of the detected firewall on the different industrial communication protocols, and calculating the firewall industrial protocol white list test score (i.e. an industrial protocol white list score);
when the firewall intrusion prevention test is executed, the tested firewall configures an intrusion prevention policy, an Ethernet tester sends an attack packet, the alarm log information of the tested firewall is checked, and the firewall intrusion prevention test score (namely the intrusion prevention score) is calculated.
Specifically, the firewall test connects one device at a time and tests the devices one by one. The SPIRENT TestCenter C1 is used to send high-volume traffic and attack data packets to test the performance and the intrusion prevention function of the industrial firewall; identification and parsing of the CIP and Modbus protocols are tested using the AB PLC, central control PLC and simulation software already in the laboratory, and the S7, DNP3 and IEC104 protocols are simulated using a packet playback tool on a computer.
It should be appreciated that, in the firewall performance test, a traffic packet is configured with 10,000 concurrent connections and 5,000 new connections per second and transmitted continuously for 5 minutes, the throughput and average time delay of the equipment are checked, and the firewall performance test score is calculated.
Specifically, in the firewall access control test, the equipment is connected according to the test topology, a test firewall policy is configured using the CIP protocol and the ping command, access control is applied to the protocols passing through so that CIP protocol data and ping are allowed or prohibited, the data on-off condition is checked, the access control capability of the tested equipment is verified, and the firewall access control test score is calculated.
It should be appreciated that, in the firewall industrial protocol whitelist test, the tested firewall is connected in an actual environment and the CIP and Modbus protocols are tested in turn to check the tested firewall's ability to learn and parse industrial protocols; the tested firewall is then connected in a simulation environment and the S7, DNP3 and IEC 104 protocols are tested to check its ability to learn and parse industrial protocols, and the firewall industrial protocol whitelist test score is calculated.
Specifically, in the firewall intrusion prevention test, an intrusion prevention policy is configured on the tested industrial firewall, ports 1 and 2 of the SPIRENT TestCenter C are connected to the corresponding ports of the tested firewall, and attack packets are sent from port 1 to port 2; the attack packet types include port scanning, flooding, Trojan horse, worm virus and other attacks. The alarm log information of the tested firewall is checked, and the firewall intrusion prevention test score is calculated.
Specifically, the firewall test score is the sum of the firewall performance test score, the firewall access control test score, the industrial protocol whitelist test score and the intrusion prevention test score, with each part weighted at 25%. In the firewall performance test, if even one index is unqualified, the performance test score is 0; if the access control function is not supported, the access test score is 0; each protocol in the industrial whitelist test is worth 5 points; in the intrusion prevention test, 1 point is obtained for each attack accurately identified and intercepted, and 0.5 points for each attack identified inaccurately but intercepted. The performance score, the access control score, the industrial protocol whitelist score and the intrusion prevention score are calculated separately, and finally the total score of the firewall test is calculated, so that the security index of the firewall can be clearly checked.
In the above embodiment, the firewall score is obtained by scoring the network security test data by performing the firewall test, so that the security index of the firewall can be clearly checked, the network security index of the current industrial control system can be accurately known, the security performance of industrial control is detected, and the normal production operation of industrial production is ensured.
Optionally, as one embodiment of the present invention, the network security test data includes gatekeeper performance data, gatekeeper access control information, gatekeeper function code audit data, gatekeeper address range audit data, and gatekeeper parameter value range audit data, and
the process of scoring the network security test data by the gatekeeper test to obtain the gatekeeper score comprises the following steps:
scoring the gatekeeper performance data according to a preset gatekeeper performance rule to obtain a gatekeeper performance score;
scoring the gatekeeper access control information according to a preset gatekeeper access control rule to obtain a gatekeeper access control score;
scoring the gatekeeper function code audit data according to a preset gatekeeper function code audit rule to obtain a gatekeeper function code audit score;
scoring the gatekeeper address range audit data according to a preset gatekeeper address range audit rule to obtain a gatekeeper address range audit score;
scoring the gatekeeper parameter value range audit data according to a preset gatekeeper parameter value range audit rule to obtain a gatekeeper parameter value range audit score;
and summing the gatekeeper performance score, the gatekeeper access control score, the gatekeeper function code audit score, the gatekeeper address range audit score and the gatekeeper parameter value range audit score to obtain a gatekeeper score.
It should be appreciated that the total score (i.e., gatekeeper score) is the sum of the scores of 5 test parts: performance (30%) (i.e., gatekeeper performance score), access control (40%) (i.e., gatekeeper access control score), function code audit (10%) (i.e., gatekeeper function code audit score), address range audit (10%) (i.e., gatekeeper address range audit score), and parameter value range audit (10%) (i.e., gatekeeper parameter value range audit score).
It should be understood that the preset gatekeeper performance rule may be that the test is divided into three data packet sizes of 64, 256 and 512 bytes, and each size that reaches a throughput of 400 Mbps scores 10 points, otherwise 0 points.
Specifically, the preset gatekeeper access control rule may be that each of the 4 protocols supported in the access control test scores 10 points, the preset gatekeeper function code audit rule may be that each of the 4 protocols supported in the industrial protocol function code audit test scores 2.5 points, the preset gatekeeper address range audit rule may be that each of the 4 protocols supported in the industrial protocol address range audit test scores 2.5 points, and the preset gatekeeper parameter value range audit rule may be that each of the 4 protocols supported in the industrial protocol parameter value range test scores 2.5 points.
It should be appreciated that the gatekeeper test score is the sum of a gatekeeper performance test score, a gatekeeper access control test score, and a gatekeeper industry protocol audit test score.
Specifically, when the gatekeeper performance test is executed, the Ethernet tester is used to send traffic packets with different byte frame lengths, and the limit performance of the tested equipment is tested;
when executing the gatekeeper access control test, connecting the tested equipment, configuring a test gatekeeper policy, performing access control by using an industrial communication protocol, checking the data on-off condition, verifying the access control capability of the tested equipment, and calculating a gatekeeper access control test score;
when the gatekeeper industrial protocol audit test is executed, the tested gatekeeper is connected in the actual environment, read and write commands are executed over different industrial communication protocols to check the tested gatekeeper's deep parsing capability for those protocols, and the gatekeeper industrial protocol audit test score is calculated.
It should be understood that the gatekeeper test connects one device at a time and tests the devices one by one. The SPIRENT TestCenter C1 is used to send traffic packets with different frame lengths and different rates to test the limit performance of the industrial gatekeeper under test; the AB PLC, central control PLC and simulation software already in the laboratory are used to simulate the real environment and test each device's parsing and audit functions for the CIP, Modbus, OPC UA and OPC DA protocols.
Specifically, in the gatekeeper performance test, the SPIRENT TestCenter C1 is used to send traffic packets with frame lengths of 64, 256 and 512 bytes; each frame length is tested starting from 350 Mbps of traffic and increased in steps of 50 Mbps until packet loss occurs or the average time delay is greater than 1 ms, so as to test the limit performance of the tested equipment;
in the gatekeeper access control test, the equipment is connected according to the test topology, a test gatekeeper policy is configured for the CIP, Modbus, OPC UA and OPC DA protocols, access control is applied to the protocols passing through so that a single protocol is allowed or prohibited, the data on-off condition is checked, and the access control capability of the tested equipment is verified;
in the gatekeeper industrial protocol audit test, the tested gatekeeper is connected in an actual environment, read and write commands are executed over the CIP, Modbus, OPC UA and OPC DA protocols in turn, and the tested gatekeeper's deep parsing capability for industrial protocols is checked.
It should be appreciated that the industrial gatekeeper test score is the sum of 30% gatekeeper performance test score, 40% gatekeeper access control test score, 10% function code audit score, 10% address range audit score, and 10% parameter value range audit score.
Specifically, the gatekeeper performance test is divided into three data packet sizes of 64, 256 and 512 bytes, and each size whose throughput reaches 400 Mbps scores 10 points, otherwise 0 points; in the gatekeeper access control test, each of the 4 protocols supported scores 10 points; in the industrial protocol function code audit test, each of the 4 protocols scores 2.5 points; in the industrial protocol address range audit test, each of the 4 protocols scores 2.5 points; in the industrial protocol parameter value range test, each of the 4 protocols scores 2.5 points, so that the security index of the industrial gatekeeper can be accurately evaluated.
In the above embodiment, the network security test data is scored by the gatekeeper test to obtain the gatekeeper score, so that the security index of the industrial gatekeeper can be accurately evaluated, the network security index of the current industrial control system can be accurately known, the security performance of industrial control is detected, and the normal production operation of industrial production is ensured.
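The gatekeeper scoring rules above, carried through from raw ramp measurements to the 100-point total, as an added example (not code from the patent). The input layout, the function names and the reading of "limit performance" as the last ramp step with no packet loss and an average delay of at most 1 ms are assumptions of this example; the measurements are constructed.

```python
# Added example, not code from the patent: gatekeeper test scoring.
PROTOCOLS = ("CIP", "Modbus", "OPC UA", "OPC DA")
FRAME_LENGTHS = (64, 256, 512)   # bytes
REQUIRED_MBPS = 400              # throughput each frame length must reach
MAX_AVG_DELAY_MS = 1.0           # ramp stops above this average delay


def limit_throughput(ramp):
    """Return the highest rate reached before the ramp's stop condition.

    ramp: (rate_mbps, lost_packets, avg_delay_ms) tuples in the order sent,
    starting at 350 Mbps and rising by 50 Mbps. Assumption: the limit is the
    last step with no packet loss and an average delay of at most 1 ms.
    """
    limit = 0
    for rate_mbps, lost_packets, avg_delay_ms in ramp:
        if lost_packets > 0 or avg_delay_ms > MAX_AVG_DELAY_MS:
            break
        limit = rate_mbps
    return limit


def per_protocol(supported, points):
    """Points for each of the four protocols marked as supported."""
    return sum(points for p in PROTOCOLS if supported.get(p, False))


def gatekeeper_score(ramps, access_control, function_code,
                     address_range, parameter_range):
    """Return (part scores, total) under the rules stated in the text."""
    parts = {
        # 30%: 10 points per frame length whose limit reaches 400 Mbps.
        "performance": sum(
            10 for length in FRAME_LENGTHS
            if limit_throughput(ramps[length]) >= REQUIRED_MBPS
        ),
        # 40%: 10 points per protocol with working access control.
        "access_control": per_protocol(access_control, 10),
        # 10% each: 2.5 points per protocol for the three audit tests.
        "function_code_audit": per_protocol(function_code, 2.5),
        "address_range_audit": per_protocol(address_range, 2.5),
        "parameter_value_range_audit": per_protocol(parameter_range, 2.5),
    }
    return parts, sum(parts.values())


# Constructed measurements for one gatekeeper under test.
SAMPLE_RAMPS = {
    64: [(350, 0, 0.4), (400, 0, 0.9), (450, 12, 1.3)],
    256: [(350, 0, 0.3), (400, 0, 0.5), (450, 0, 0.8), (500, 3, 0.9)],
    512: [(350, 0, 0.6), (400, 0, 1.2)],   # delay exceeds 1 ms at 400 Mbps
}
SAMPLE_ACCESS = {"CIP": True, "Modbus": True, "OPC UA": True, "OPC DA": False}
SAMPLE_FUNCTION_CODE = {p: True for p in PROTOCOLS}
SAMPLE_ADDRESS_RANGE = {"CIP": True, "Modbus": True}
SAMPLE_PARAMETER_RANGE = {"CIP": True}

if __name__ == "__main__":
    parts, total = gatekeeper_score(
        SAMPLE_RAMPS, SAMPLE_ACCESS, SAMPLE_FUNCTION_CODE,
        SAMPLE_ADDRESS_RANGE, SAMPLE_PARAMETER_RANGE,
    )
    for name, value in parts.items():
        print(f"{name}: {value}")
    # A total larger than 60 is what the per-test update then turns into 1.
    print("gatekeeper score:", total, "larger than 60:", total > 60)
```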
Optionally, as one embodiment of the invention, the network security test data includes traffic audit performance data, industrial session audit data, security detection data and asset identification information, and
the process of scoring the network security test data by the network traffic audit test to obtain the network traffic audit score comprises the following steps:
scoring the traffic audit performance data according to a preset traffic audit performance rule to obtain a traffic audit performance score;
scoring the industrial session audit data according to a preset industrial session audit rule to obtain an industrial session audit score;
scoring the security detection data according to a preset security detection rule to obtain a security detection score;
scoring the asset identification information according to a preset asset identification rule to obtain an asset identification score;
and summing the traffic audit performance score, the industrial session audit score, the security detection score and the asset identification score to obtain a network traffic audit score.
It should be appreciated that the total score (i.e., network traffic audit score) is the sum of the performance (20%) (i.e., traffic audit performance score), industrial session audit (35%) (i.e., industrial session audit score), security detection (25%) (i.e., security detection score), asset identification (20%) (i.e., asset identification score) test 4 part scores.
Specifically, the preset flow audit performance rule may be to divide the performance test into 300, 500, 800 and 1000Mbps flow tests, and if the real-time flow monitored by the device is normal, 20 points are obtained. The preset industrial session audit rule can score the test CIP, modbus, OPCua according to the protocol identification depth, and OPCda, S7, DNP3 and IEC104 can score according to the identification or not, wherein the full score of each protocol is 5. The preset security detection rules may score 1 for each exact recognition of an attack and 0.5 for other attacks (unsuccessful push divided by 2 based on this score). The preset asset identification rules may be to divide the test into items identifying IP address, MAC, equipment brand, asset type, and version 4, one item per identification 5 points.
It should be appreciated that the score of the network traffic audit test (i.e., the network traffic audit score) is the sum of the network traffic audit performance test score (i.e., the traffic audit performance score), the industrial communication protocol session audit test score (i.e., the industrial session audit score), the security detection test score (i.e., the security detection score), and the asset identification score.
Specifically, when the network traffic audit performance test is executed, an Ethernet tester is used to send long traffic packets, the real-time traffic capture capability of the tested equipment is checked, and the network traffic audit performance test score is calculated;
when the industrial communication protocol session audit test is executed, the depth to which the tested equipment parses industrial communication protocol sessions in the network is tested, and the industrial communication protocol session audit test score is calculated;
when the security detection test is executed, an attack identification policy is configured on the tested equipment, an Ethernet tester is used to send attack packets, the alarm log information of the tested equipment is checked, and the security detection test score is calculated.
It should be understood that the service port of the network traffic audit device is at the same time connected to the mirror port of the switch, and SPIRENT TestCenter C is connected to the switch to send different traffic data packets and attack packets, so as to test the capability of the traffic audit device to capture data packets in real time, identify industrial protocol sessions, identify assets and identify 24 kinds of network attacks.
Specifically, network traffic audit performance test: SPIRENT TestCenter C1 is used to send traffic packets with a 1024-byte frame length at 300 Mbps, 500 Mbps, 800 Mbps and 1000 Mbps, each for 1 min, and the real-time traffic capture capability of the tested equipment is checked;
industrial communication protocol session audit test: the equipment is connected according to the test topology, and, using the laboratory's real environment and simulated environment, the depth to which the tested equipment parses the industrial protocol sessions of CIP, Modbus, OPC UA and OPC DA passing through the network is tested;
security detection test: an attack identification policy is configured on the tested equipment, ports 1 and 2 of SPIRENT TestCenter C are connected to the corresponding ports of the 1# switch, and port 1 sends attack packets to port 2, the attack packet types including port scanning, flooding, Trojan horse, worm virus and other attacks; the alarm log information of the tested equipment and its pushing of alarms to the 360 situational awareness platform are checked;
the asset identification test process includes: the IP address, MAC, device brand, asset type, and version are identified.
Specifically, the network traffic audit score is the sum of 20% of the network traffic audit performance test score, 35% of the industrial session audit score, 25% of the security detection score, and 20% of the asset identification score; the network traffic audit performance test is divided into 300, 500, 800 and 1000 Mbps traffic tests, and 20 points are obtained if the equipment monitors the real-time traffic normally; in the industrial session audit test, CIP, Modbus and OPC UA are scored according to the protocol identification depth, and OPC DA, S7, DNP3 and IEC104 are scored according to whether they are identified, the full score for each protocol being 5 points; in the security detection test, each accurately identified attack scores 1 point and other attacks score 0.5 points (when pushing is unsuccessful, this score is divided by 2); the asset identification test is divided into 4 items, identifying the IP address, MAC, equipment brand, asset type and version, with 5 points for each item identified, so that the security performance of the network traffic audit can be clearly known.
In the above embodiment, the network traffic audit test is scored on the network security test data to obtain the network traffic audit score, so that the security performance of the network traffic audit can be clearly known, the network security index of the current industrial control system can be accurately known, and the normal production operation of industrial production can be ensured.
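The four scoring rules of this embodiment applied to one test run, as an added example that is not part of the patent text. The all-or-nothing performance score, the 0..1 depth fraction, the "missed" outcome, the reading of "other" as alarmed but not exactly identified, and the grouping of IP address and MAC into one asset item are assumptions; the sample run is constructed.

```python
RATES_MBPS = (300, 500, 800, 1000)                     # performance test rates
DEPTH_SCORED = ("CIP", "Modbus", "OPC UA")             # scored by identification depth
PRESENCE_SCORED = ("OPC DA", "S7", "DNP3", "IEC104")   # scored identified / not identified
# Assumption: "IP address, MAC" counts as one of the 4 asset items.
ASSET_ITEMS = ("ip_mac", "brand", "asset_type", "version")
# "exact" and "other" follow the text; "missed" (no alarm, 0 points) is an assumption.
ATTACK_POINTS = {"exact": 1.0, "other": 0.5, "missed": 0.0}


def performance_score(monitored_ok):
    """20 points if real-time traffic was monitored normally at every rate.

    Assumption: all-or-nothing, since the text does not split the 20 points.
    """
    missing = [r for r in RATES_MBPS if r not in monitored_ok]
    if missing:
        raise ValueError(f"no result for rates {missing} Mbps")
    return 20.0 if all(monitored_ok[r] for r in RATES_MBPS) else 0.0


def session_audit_score(depth, identified):
    """Up to 5 points for each of the 7 protocols.

    depth: protocol -> fraction 0..1 of the session parsed (assumed way of
    expressing "identification depth"); identified: protocol -> bool.
    """
    score = 0.0
    for proto in DEPTH_SCORED:
        d = depth.get(proto, 0.0)
        if not 0.0 <= d <= 1.0:
            raise ValueError(f"depth for {proto} must be within 0..1, got {d}")
        score += 5.0 * d
    for proto in PRESENCE_SCORED:
        score += 5.0 if identified.get(proto, False) else 0.0
    return score


def security_detection_score(attacks):
    """attacks: iterable of (outcome, pushed) pairs, one per attack sent.

    The points for an attack are divided by 2 when its alarm was not pushed
    to the platform successfully.
    """
    total = 0.0
    for outcome, pushed in attacks:
        if outcome not in ATTACK_POINTS:
            raise ValueError(f"unknown outcome {outcome!r}")
        points = ATTACK_POINTS[outcome]
        total += points if pushed else points / 2
    return total


def asset_identification_score(identified_items):
    """5 points for each of the 4 asset items that was identified."""
    items = set(identified_items)
    unknown = items - set(ASSET_ITEMS)
    if unknown:
        raise ValueError(f"unknown asset items {sorted(unknown)}")
    return 5.0 * len(items)


def traffic_audit_score(run):
    """Return the four sub-scores and their sum for one test run."""
    parts = {
        "performance": performance_score(run["monitored_ok"]),
        "session_audit": session_audit_score(run["depth"], run["identified"]),
        "security_detection": security_detection_score(run["attacks"]),
        "asset_identification": asset_identification_score(run["assets"]),
    }
    parts["total"] = sum(parts.values())
    return parts


# Constructed sample run (not measured data): 24 attacks sent, one missed,
# two exact detections whose alarms failed to push.
SAMPLE_RUN = {
    "monitored_ok": {300: True, 500: True, 800: True, 1000: True},
    "depth": {"CIP": 1.0, "Modbus": 0.5, "OPC UA": 1.0},
    "identified": {"OPC DA": True, "S7": True, "DNP3": False, "IEC104": True},
    "attacks": [("exact", True)] * 18 + [("exact", False)] * 2
               + [("other", True)] * 3 + [("missed", True)],
    "assets": ["ip_mac", "brand", "asset_type"],
}

if __name__ == "__main__":
    for name, value in traffic_audit_score(SAMPLE_RUN).items():
        print(f"{name:22s}{value:6.1f}")
```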
Optionally, as one embodiment of the invention, the network security test data includes bastion host performance data and audit management data,
the process of scoring the network security test data by the operation and maintenance bastion host test to obtain the operation and maintenance bastion host score comprises the following steps:
scoring the bastion host performance data according to a preset bastion host performance rule to obtain a bastion host performance score;
scoring the audit management data according to a preset audit management rule to obtain an audit management score;
and summing the bastion host performance score and the audit management score to obtain the operation and maintenance bastion host score.
It should be appreciated that the total score (i.e., the operation and maintenance bastion host score) is the sum of the scores of the 2 test parts: performance (60%) (i.e., the bastion host performance score) and audit management (40%) (i.e., the audit management score).
Specifically, the preset bastion host performance rule may be that the test is divided into 3 items, namely the number of simultaneously logged-in users, the number of concurrent graphical connections and the number of concurrent character connections, and each item that meets the requirement earns 20 points. The preset audit management rule may be that the test covers 8 functional tests, namely TELNET, FTP/SFTP, SSH, RDP and VNC/XWINDOW access behavior audit, real-time monitoring, real-time session locking and internal audit, and each supported function earns 5 points.
It should be appreciated that the operation and maintenance bastion host test score (i.e., the operation and maintenance bastion host score) is the sum of the operation and maintenance bastion host performance test score (i.e., the bastion host performance score) and the audit management test score (i.e., the audit management score).
Specifically, when the operation and maintenance bastion host performance test is executed, users are created to log in to the bastion host repeatedly, the number of users allowed to log in simultaneously and the numbers of concurrent graphical and character connections are tested, and the operation and maintenance bastion host performance test score is calculated;
when the audit management test is executed, a virtual environment is built, the bastion host's functions of remote protocol access behavior audit, real-time monitoring, real-time session locking and internal audit are tested, and the audit management test score is calculated.
It should be understood that the operation and maintenance bastion host test uses single-device access and device-by-device testing. A computer is used to simulate the managing host and the managed host, a plurality of virtual machines are installed in the physical host, and the performance of the bastion host running in different systems and its auditing of various behaviors are tested.
Specifically, operation and maintenance bastion host performance test: a laptop is used to create a plurality of users that log in to the bastion host repeatedly, and the number of users allowed to log in simultaneously and the numbers of concurrent graphical and character connections are tested;
audit management test: a virtual environment built on the laptop is used to test bastion host functions such as TELNET, FTP/SFTP, SSH, RDP and VNC/XWINDOW access behavior audit, real-time monitoring, real-time session locking and internal audit.
It should be understood that the operation and maintenance bastion host test score is the sum of 40% of the operation and maintenance bastion host performance test score and 60% of the audit management test score, so that the security performance of the tested equipment can be clearly known, the network security index of the current industrial control system can be accurately known, and the normal production operation of industrial production can be ensured.
In the above embodiment, the network security test data is scored by the operation and maintenance bastion host test to obtain the operation and maintenance bastion host score, so that the security performance of the tested equipment can be clearly known, the network security index of the current industrial control system can be accurately known, and the normal production operation of industrial production can be ensured.
Optionally, as an embodiment of the present invention, the network security test data includes Windows attack instruction test data, Linux attack instruction test data, attack scenario test data and PCS compatibility test data,
the process of scoring the network security test data by the host security protection test to obtain the host security protection score comprises the following steps:
scoring the Windows attack instruction test data according to a preset Windows attack instruction test rule to obtain a Windows attack instruction score;
scoring the Linux attack instruction test data according to a preset Linux attack instruction test rule to obtain a Linux attack instruction score;
scoring the attack scenario test data according to a preset attack scenario test rule to obtain an attack scenario score;
scoring the PCS compatibility test data according to a preset PCS compatibility test rule to obtain a PCS compatibility score;
and summing the Windows attack instruction score, the Linux attack instruction score, the attack scenario score and the PCS compatibility score to obtain the host security protection score.
It should be appreciated that the total score (i.e., the host security protection score) is the sum of the scores of the 4 parts: the Windows attack instruction test (30%) (i.e., the Windows attack instruction score), the Linux attack instruction test (20%) (i.e., the Linux attack instruction score), the attack scenario test (25%) (i.e., the attack scenario score), and the PCS compatibility test (25%) (i.e., the PCS compatibility score).
Specifically, the preset Windows attack instruction test rule may be that the Windows attack instruction test has 5 items in total, and each item tested successfully earns 5 points. The preset Linux attack instruction test rule may be that the Linux attack instruction test has 5 items in total, and each item tested successfully earns 5 points. The preset PCS compatibility test rule may be 25 points if no abnormality such as freezing or process killing occurs during the test, otherwise 0 points.
It should be understood that the score of the host security protection test (i.e., the host security protection score) is the sum of the attack instruction test score (i.e., the Windows attack instruction score and the Linux attack instruction score), the attack scenario test score (i.e., the attack scenario score), and the compatibility test score (i.e., the PCS compatibility score).
Specifically, when the attack instruction test is executed, the protection terminal is installed on each version of the system, the test instruction is executed, whether the protection terminal records it in a log is checked, and the attack instruction test score is calculated;
when the attack scenario test is executed, the protection terminal is installed on each version of the system, an attack instruction is executed or a virus packet is played back, whether the protection terminal pops up an alarm is checked, and the attack scenario test score is calculated;
and when the compatibility test is executed, the protection terminal and the upper-computer software are run simultaneously, whether the upper-computer software operates normally is checked, and the compatibility test score is calculated.
It should be understood that, for the host security protection test, a computer is used to install virtual machines of 5 versions, namely Windows 10, Windows 7, Windows Vista, Windows XP and NeoKylin; the tested software is installed in each system and runs simultaneously with the PCS upper-computer software, and normal/abnormal commands are executed from the command line to test the audit function and compatibility of the protection terminal.
Specifically, attack instruction test: the protection terminal is installed on each version of the system, a test instruction is executed, and whether the protection terminal records it in a log is checked;
attack scenario test: the protection terminal is installed on each version of the system, an attack instruction is executed or a virus packet is played back, and whether the protection terminal pops up an alarm is checked;
compatibility test: the protection terminal and the PCS upper-computer software are run simultaneously for 2 days, and whether the PCS software operates normally is observed.
It should be understood that the host security protection test score is the sum of 40% of the attack instruction test score, 40% of the attack scenario test score and 20% of the compatibility test score, so that the protection capability of the host security protection can be clearly understood.
In the above embodiment, the network security test data is scored by the host security protection test to obtain the host security protection score, so that the protection capability of the host security protection can be clearly known, the network security index of the current industrial control system can be accurately known, and the normal production operation of industrial production can be ensured.
Optionally, as one embodiment of the present invention, the network security test data includes optical gate performance data and point acquisition and forwarding data,
the process of scoring the network security test data by the optical gate test to obtain the optical gate score comprises the following steps:
scoring the optical gate performance data according to a preset optical gate performance rule to obtain an optical gate performance score;
scoring the point acquisition and forwarding data according to a preset point acquisition and forwarding rule to obtain a point acquisition and forwarding score;
and summing the optical gate performance score and the point acquisition and forwarding score to obtain the optical gate score.
It should be appreciated that the score of the optical gate test (i.e., the optical gate score) is the sum of the optical gate performance test score (i.e., the optical gate performance score) and the point acquisition and forwarding test score (i.e., the point acquisition and forwarding score).
Specifically, when the optical gate performance test is executed, the Ethernet tester is used to send traffic packets with different byte frame lengths, the limit performance of the tested equipment is tested, and the optical gate performance test score is calculated;
when the point acquisition and forwarding test is executed, the client acquires multi-point data from the server through an industrial communication protocol, the maximum number of points supported for forwarding is tested, and the point acquisition and forwarding test score is calculated.
It should be appreciated that the optical gate test uses single-device access and device-by-device testing. SPIRENT TestCenter C1 is used to send traffic packets with different frame lengths and at different rates to test the limit performance of the tested optical gate; computer software simulates multi-point data forwarding to test the point acquisition and forwarding capability of the optical gate.
Specifically, the preset optical gate performance rule may be that SPIRENT TestCenter C1 is used to send traffic packets with 64-, 256- and 512-byte frame lengths; each frame length is tested starting from 350 Mbps of traffic, and the rate is increased in steps of 50 Mbps until packet loss occurs or the average delay is greater than 1 ms, so as to test the limit performance of the tested device.
Specifically, the preset point acquisition and forwarding rule may be that the equipment is connected according to the test topology, the client acquires multi-point data from the server through the CIP, Modbus, OPC UA and OPC DA protocols, and the maximum number of points supported for forwarding is tested.
It should be appreciated that the optical gate test score is the sum of 50% of the optical gate performance test score and 50% of the point acquisition and forwarding test score, so that the security index of the optical gate can be observed.
In the above embodiment, the network security test data is scored by the optical gate test to obtain the optical gate score, so that the security index of the optical gate can be observed, the network security index of the current industrial control system can be accurately known, and the normal production operation of industrial production is ensured.
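The stepped rate search of the optical gate performance rule (start at 350 Mbps, add 50 Mbps until packet loss or an average delay above 1 ms), as an added example that is not part of the patent text. The 1000 Mbps ceiling and the device model standing in for the Ethernet tester are assumptions, and the model's numbers are constructed.

```python
FRAME_LENGTHS = (64, 256, 512)   # bytes, from the rule
START_MBPS = 350                 # first rate tried for every frame length
STEP_MBPS = 50                   # increment between trials
MAX_AVG_DELAY_MS = 1.0           # a trial fails above this average delay
CEILING_MBPS = 1000              # assumption: line rate of the tester port


def find_limit(measure, frame_len, ceiling=CEILING_MBPS):
    """Return (limit_mbps, stop_reason) for one frame length.

    measure(frame_len, rate_mbps) -> (lost_packets, avg_delay_ms) runs one
    trial. limit_mbps is the highest rate that passed, or None when even the
    350 Mbps starting rate failed.
    """
    limit = None
    rate = START_MBPS
    while rate <= ceiling:
        lost, delay_ms = measure(frame_len, rate)
        if lost > 0:
            return limit, f"packet loss at {rate} Mbps"
        if delay_ms > MAX_AVG_DELAY_MS:
            return limit, f"average delay {delay_ms} ms at {rate} Mbps"
        limit = rate
        rate += STEP_MBPS
    return limit, "ceiling reached without loss or excess delay"


def run_performance_test(measure):
    """Run the search for the three frame lengths named in the rule."""
    return {n: find_limit(measure, n) for n in FRAME_LENGTHS}


# Constructed device model standing in for real tester readings:
# frame length -> (capacity in Mbps, base delay in us, added us per 10 Mbps).
DEVICE_MODEL = {64: (520, 300, 5), 256: (900, 200, 12), 512: (1000, 100, 5)}


def simulated_measure(frame_len, rate_mbps):
    """One simulated trial: loss above capacity, delay growing with rate."""
    capacity, base_us, us_per_10_mbps = DEVICE_MODEL[frame_len]
    lost = max(0, rate_mbps - capacity) * 100
    delay_us = base_us + rate_mbps * us_per_10_mbps // 10
    return lost, delay_us / 1000


if __name__ == "__main__":
    for frame_len, (limit, reason) in run_performance_test(simulated_measure).items():
        print(f"{frame_len:4d} B  limit={limit} Mbps  ({reason})")
```

Recording the stop reason alongside the limit shows whether a frame length was bounded by loss or by latency, which the single limit figure hides.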
Optionally, as an embodiment of the present invention, the network security test data includes hardware check information, device function check information and compatibility test data,
the process of scoring the network security test data by the USB security defense test to obtain the USB security defense machine score comprises the following steps:
scoring the hardware check information according to a preset hardware check rule to obtain a hardware check score;
scoring the device function check information according to a preset device function check rule to obtain a device function check score;
scoring the compatibility test data according to a preset compatibility test rule to obtain a compatibility score;
and summing the hardware check score, the device function check score and the compatibility score to obtain the USB security defense machine score.
It should be appreciated that the total score (i.e., the USB security defense machine score) is the sum of the scores of the 3 parts: system hardware check (i.e., the hardware check score), device function check (60%) (i.e., the device function check score), and compatibility test (20%) (i.e., the compatibility score).
Specifically, the preset hardware check rule may be 5 points per item in the test, with 1 point deducted for each missing hardware check function. The preset device function check rule may be 6 points for each item supported in the test, otherwise 0 points. The preset compatibility test rule may be 20 points for supporting the various USB flash drives in the test, with 5 points deducted for each one that is not identified.
It should be appreciated that the score of the USB security defense test is the sum of the system hardware check test score (i.e., the hardware check score), the device function check test score (i.e., the device function check score), and the compatibility score.
Specifically, when the system hardware check test is executed, the tested equipment is connected to a computer, its functional response to authorized and unauthorized USB flash drives is checked, and the system hardware check test score is calculated;
when the device function check test is executed, the tested equipment's functions of managing and defending against connected USB flash drives are checked, and the device function check test score is calculated.
It should be understood that, in the USB security defense test, the tested device is connected directly to the computer host, a USB flash drive is connected, and the tested device's management of the USB flash drive and the files on it is tested.
Specifically, system hardware check test: the tested equipment is connected to a computer, and its functional response to authorized and unauthorized USB flash drives is checked;
device function check test: the tested equipment's functions of managing and defending against connected USB flash drives, and the like, are checked, so that the security performance of the USB security defense can be clearly reflected.
In the above embodiment, the equipment's management of the USB flash drive and the files on it can be tested, and the network security index of the current industrial control system can be accurately known, so that the security performance of industrial control is detected, and the normal production operation of industrial production is ensured.
Optionally, as an embodiment of the present invention, the process of comparing the network security score with a preset network security comparison value and obtaining, according to the comparison result, a conclusion as to whether the network security reaches the network security standard includes:
comparing the network security score with the preset network security comparison value, and if the network security score is larger than the preset network security comparison value, obtaining a conclusion that the network security reaches the network security standard; and if the network security score is smaller than or equal to the preset network security comparison value, obtaining a conclusion that the network security does not reach the network security standard.
Specifically, if the score of the network security test (i.e., the network security score) is greater than the score preset value of the network security test (i.e., the preset network security comparison value), it is judged that the network security of the industrial control system reaches the network security standard;
if the score of the network security test (i.e., the network security score) is smaller than or equal to the score preset value of the network security test (i.e., the preset network security comparison value), it is judged that the network security of the industrial control system does not reach the network security standard.
In the above embodiment, the network security score is compared with the preset network security comparison value, and a conclusion as to whether the network security reaches the network security standard is obtained according to the comparison result, so that the network security index of the current industrial control system can be accurately known, the security performance of the industrial control system is detected, and the normal production operation of industrial production is ensured.
Alternatively, as another embodiment of the present invention, the present invention includes: obtaining a network security test result; calculating the score of the network security test according to the result of the network security test; comparing the score of the network security test with the score preset value of the network security test, and judging whether the network security of the industrial control system reaches the network security standard according to the comparison result; if the score of the network security test is larger than the score preset value of the network security test, judging that the network security standard is reached; if the score of the network security test is smaller than or equal to the score preset value of the network security test, judging that the network security standard is not reached. In this way the network security index of the current industrial control system can be accurately known, so that the security performance of the industrial control system is detected, and the normal production operation of industrial production is ensured.
Optionally, as another embodiment of the present invention, the present invention solves the technical problem that the network detection method of the existing industrial control system cannot accurately detect the network security of the industrial control system.
Optionally, as another embodiment of the present invention, compared with the prior art, the present invention has the beneficial effects that by obtaining the result of the network security test, calculating the score of the network security test according to the result of the network security test, comparing the score of the network security test with the score preset value of the network security test, and judging whether the network security of the industrial control system reaches the network security standard according to the comparison result; the network safety index of the current industrial control system can be accurately known, so that the safety performance of the industrial control system is detected, and the normal production operation of industrial production is ensured.
Fig. 2 is a block diagram of a network security evaluation device according to an embodiment of the present invention.
Alternatively, as another embodiment of the present invention, as shown in fig. 2, a network security evaluation apparatus includes:
the importing module is used for importing network security test data;
the scoring module is used for scoring the network security test data to obtain a network security score;
and the comparison module is used for comparing the network security score with a preset network security comparison value and obtaining a conclusion whether the network security reaches the network security standard or not according to the comparison result.
Alternatively, another embodiment of the present invention provides a network security evaluation system including a memory, a processor, and a computer program stored in the memory and executable on the processor, which when executed by the processor, implements the network security evaluation method as described above. The system may be a computer or the like.
Alternatively, another embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the network security evaluation method as described above.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the apparatus and units described above may refer to corresponding procedures in the foregoing method embodiments, which are not described herein again.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment of the present application.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims (10)

1. A network security evaluation method, characterized by comprising the following steps:
importing network security test data;
scoring the network security test data to obtain a network security score;
and comparing the network security score with a preset network security comparison value, and obtaining a conclusion whether the network security reaches the network security standard or not according to the comparison result.
2. The network security evaluation method according to claim 1, wherein scoring the network security test data to obtain a network security score comprises:
performing firewall test scoring on the network security test data to obtain a firewall score;
performing gatekeeper test scoring on the network security test data to obtain a gatekeeper score;
performing network traffic audit test scoring on the network security test data to obtain a network traffic audit score;
performing operation and maintenance bastion host test scoring on the network security test data to obtain an operation and maintenance bastion host score;
performing host security protection test scoring on the network security test data to obtain a host security protection score;
performing optical gate test scoring on the network security test data to obtain an optical gate score;
performing USB security defense test scoring on the network security test data to obtain a USB security defense machine score;
judging whether the firewall score is greater than a preset firewall comparison value; if so, updating the firewall score according to a first preset value to obtain an updated firewall score; if not, updating the firewall score according to a second preset value to obtain the updated firewall score;
judging whether the gatekeeper score is greater than a preset gatekeeper comparison value; if so, updating the gatekeeper score according to the first preset value to obtain an updated gatekeeper score; if not, updating the gatekeeper score according to the second preset value to obtain the updated gatekeeper score;
judging whether the network traffic audit score is greater than a preset network traffic audit comparison value; if so, updating the network traffic audit score according to the first preset value to obtain an updated network traffic audit score; if not, updating the network traffic audit score according to the second preset value to obtain the updated network traffic audit score;
judging whether the operation and maintenance bastion host score is greater than a preset operation and maintenance bastion host comparison value; if so, updating the operation and maintenance bastion host score according to the first preset value to obtain an updated operation and maintenance bastion host score; if not, updating the operation and maintenance bastion host score according to the second preset value to obtain the updated operation and maintenance bastion host score;
judging whether the host security protection score is greater than a preset host security protection comparison value; if so, updating the host security protection score according to the first preset value to obtain an updated host security protection score; if not, updating the host security protection score according to the second preset value to obtain the updated host security protection score;
judging whether the optical gate score is greater than a preset optical gate comparison value; if so, updating the optical gate score according to the first preset value to obtain an updated optical gate score; if not, updating the optical gate score according to the second preset value to obtain the updated optical gate score;
judging whether the USB security defense machine score is greater than a preset USB security defense machine comparison value; if so, updating the USB security defense machine score according to the first preset value to obtain an updated USB security defense machine score; if not, updating the USB security defense machine score according to the second preset value to obtain the updated USB security defense machine score;
and summing the updated firewall score, the updated gatekeeper score, the updated network traffic audit score, the updated operation and maintenance bastion host score, the updated host security protection score, the updated optical gate score and the updated USB security defense machine score to obtain the network security score.
3. The network security evaluation method according to claim 2, wherein the network security test data comprises firewall performance data, firewall access control information, industrial protocol whitelist information, and intrusion prevention data,
and the process of performing firewall test scoring on the network security test data to obtain the firewall score comprises the following steps:
scoring the firewall performance data according to a preset firewall performance rule to obtain a firewall performance score;
scoring the firewall access control information according to a preset firewall access control rule to obtain an access control score;
scoring the industrial protocol whitelist information according to a preset industrial protocol whitelist rule to obtain an industrial protocol whitelist score;
scoring the intrusion prevention data according to a preset intrusion prevention rule to obtain an intrusion prevention score;
and summing the firewall performance score, the access control score, the industrial protocol whitelist score and the intrusion prevention score to obtain the firewall score.
4. The network security evaluation method according to claim 2, wherein the network security test data comprises gatekeeper performance data, gatekeeper access control information, gatekeeper function code audit data, gatekeeper address range audit data, and gatekeeper parameter value range audit data,
and the process of performing gatekeeper test scoring on the network security test data to obtain the gatekeeper score comprises the following steps:
scoring the gatekeeper performance data according to a preset gatekeeper performance rule to obtain a gatekeeper performance score;
scoring the gatekeeper access control information according to a preset gatekeeper access control rule to obtain a gatekeeper access control score;
scoring the gatekeeper function code audit data according to a preset gatekeeper function code audit rule to obtain a gatekeeper function code audit score;
scoring the gatekeeper address range audit data according to a preset gatekeeper address range audit rule to obtain a gatekeeper address range audit score;
scoring the gatekeeper parameter value range audit data according to a preset gatekeeper parameter value range audit rule to obtain a gatekeeper parameter value range audit score;
and summing the gatekeeper performance score, the gatekeeper access control score, the gatekeeper function code audit score, the gatekeeper address range audit score and the gatekeeper parameter value range audit score to obtain the gatekeeper score.
5. The network security evaluation method according to claim 2, wherein the network security test data comprises traffic audit performance data, industrial session audit data, security detection data, and asset identification information,
and the process of performing network traffic audit test scoring on the network security test data to obtain the network traffic audit score comprises the following steps:
scoring the traffic audit performance data according to a preset traffic audit performance rule to obtain a traffic audit performance score;
scoring the industrial session audit data according to a preset industrial session audit rule to obtain an industrial session audit score;
scoring the security detection data according to a preset security detection rule to obtain a security detection score;
scoring the asset identification information according to a preset asset identification rule to obtain an asset identification score;
and summing the traffic audit performance score, the industrial session audit score, the security detection score and the asset identification score to obtain the network traffic audit score.
6. The network security evaluation method according to claim 2, wherein the network security test data comprises bastion host performance data and audit management data,
and the process of performing operation and maintenance bastion host test scoring on the network security test data to obtain the operation and maintenance bastion host score comprises the following steps:
scoring the bastion host performance data according to a preset bastion host performance rule to obtain a bastion host performance score;
scoring the audit management data according to a preset audit management rule to obtain an audit management score;
and summing the bastion host performance score and the audit management score to obtain the operation and maintenance bastion host score.
7. The network security evaluation method according to claim 2, wherein the network security test data comprises Windows attack instruction test data, Linux attack instruction test data, attack scenario test data, and PCS compatibility test data,
and the process of performing host security protection test scoring on the network security test data to obtain the host security protection score comprises the following steps:
scoring the Windows attack instruction test data according to a preset Windows attack instruction test rule to obtain a Windows attack instruction score;
scoring the Linux attack instruction test data according to a preset Linux attack instruction test rule to obtain a Linux attack instruction score;
scoring the attack scenario test data according to a preset attack scenario test rule to obtain an attack scenario score;
scoring the PCS compatibility test data according to a preset PCS compatibility test rule to obtain a PCS compatibility score;
and summing the Windows attack instruction score, the Linux attack instruction score, the attack scenario score and the PCS compatibility score to obtain the host security protection score.
8. The network security evaluation method according to claim 2, wherein the network security test data comprises optical gate performance data and point acquisition forwarding data,
and the process of performing optical gate test scoring on the network security test data to obtain the optical gate score comprises the following steps:
scoring the optical gate performance data according to a preset optical gate performance rule to obtain an optical gate performance score;
scoring the point acquisition forwarding data according to a preset point acquisition forwarding rule to obtain a point acquisition forwarding score;
and summing the optical gate performance score and the point acquisition forwarding score to obtain the optical gate score.
9. The network security evaluation method according to claim 2, wherein the network security test data comprises hardware check information, device function check information, and compatibility test data,
and the process of performing USB security defense test scoring on the network security test data to obtain the USB security defense machine score comprises the following steps:
scoring the hardware check information according to a preset hardware check rule to obtain a hardware check score;
scoring the device function check information according to a preset device function check rule to obtain a device function check score;
scoring the compatibility test data according to a preset compatibility test rule to obtain a compatibility score;
and summing the hardware check score, the device function check score and the compatibility score to obtain the USB security defense machine score.
10. The network security evaluation method according to claim 1, wherein the process of comparing the network security score with a preset network security comparison value and determining from the comparison result whether the network security reaches the network security standard comprises:
comparing the network security score with the preset network security comparison value; if the network security score is greater than the preset network security comparison value, concluding that the network security reaches the network security standard; and if the network security score is less than or equal to the preset network security comparison value, concluding that the network security does not reach the network security standard.
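The scoring flow of claims 1 to 10, written out as an added Python example (not code from the patent): sub-test scores are summed per device category, each category score is updated by the first or second preset value, and the total is compared with the overall comparison value. All identifiers and the sample numbers are constructed for illustration. The claims do not define what "updating according to a preset value" means, so multiplication is assumed here.

```python
from dataclasses import dataclass

# Sub-tests per category, named after claims 3-9 (identifiers are hypothetical).
SUBTESTS = {
    "firewall": ("performance", "access_control", "protocol_whitelist", "intrusion_prevention"),
    "gatekeeper": ("performance", "access_control", "function_code_audit",
                   "address_range_audit", "parameter_range_audit"),
    "traffic_audit": ("performance", "session_audit", "security_detection", "asset_identification"),
    "bastion_host": ("performance", "audit_management"),
    "host_protection": ("windows_attack", "linux_attack", "attack_scenario", "pcs_compatibility"),
    "optical_gate": ("performance", "point_forwarding"),
    "usb_defense": ("hardware_check", "function_check", "compatibility"),
}

@dataclass(frozen=True)
class Presets:
    category_threshold: dict   # preset comparison value per category (claim 2)
    first_value: float         # used when the category score is > its threshold
    second_value: float        # used when it is <= its threshold
    overall_threshold: float   # preset network security comparison value (claim 10)

def category_score(name, results):
    """Claims 3-9: sum the sub-test scores; reject missing or unknown sub-tests."""
    if set(results) != set(SUBTESTS[name]):
        raise ValueError(f"{name}: sub-tests do not match {SUBTESTS[name]}")
    return sum(results[s] for s in SUBTESTS[name])

def evaluate(data, presets):
    """Claims 1, 2 and 10: returns (total, meets_standard, updated_scores)."""
    if set(data) != set(SUBTESTS):
        raise ValueError("every device category must be tested exactly once")
    updated = {}
    for name in SUBTESTS:
        raw = category_score(name, data[name])
        # ASSUMPTION: "updating according to a preset value" is modelled as
        # multiplying by it; the claims do not define the operation.
        passed = raw > presets.category_threshold[name]   # strict, as claimed
        updated[name] = raw * (presets.first_value if passed else presets.second_value)
    total = sum(updated.values())
    return total, total > presets.overall_threshold, updated

def constructed_sample():
    """Constructed input: every sub-test scores 20 points."""
    return {name: {s: 20 for s in subs} for name, subs in SUBTESTS.items()}

def constructed_presets(overall):
    """Constructed presets: threshold 60 per category, factors 1.0 and 0.5."""
    return Presets({name: 60 for name in SUBTESTS}, 1.0, 0.5, overall)

if __name__ == "__main__":
    print(evaluate(constructed_sample(), constructed_presets(410)))
```

With these constructed values the USB category scores exactly 60 and the total is exactly 410, so both strict comparisons land on the "not greater" side: the category takes the second preset value and the network does not reach the standard.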
CN202311024679.3A 2023-08-15 2023-08-15 Network security evaluation method Pending CN116866078A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311024679.3A CN116866078A (en) 2023-08-15 2023-08-15 Network security evaluation method

Publications (1)

Publication Number Publication Date
CN116866078A (en) 2023-10-10

Family

ID=88223672

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311024679.3A Pending CN116866078A (en) 2023-08-15 2023-08-15 Network security evaluation method

Country Status (1)

Country Link
CN (1) CN116866078A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117119460A (en) * 2023-10-23 2023-11-24 西安航空学院 Industrial Internet network security detection system and method based on cloud computing
CN117119460B (en) * 2023-10-23 2024-02-02 西安航空学院 Industrial Internet network security detection system and method based on cloud computing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination