CN117097600A - Security alarm verification method and device, storage medium and computer equipment

Info

Publication number
CN117097600A
Authority
CN
China
Prior art keywords
simulation
power
verification
model
network
Legal status
Pending
Application number
CN202311101844.0A
Other languages
Chinese (zh)
Inventor
要天乐
闫磊
刘铮
刘家铭
白伯洋
吴晨
王冬冬
张恒阳
康姜美
杨婉
李晓辉
Current Assignee
State Grid Corp of China SGCC
State Grid Beijing Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Beijing Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Beijing Electric Power Co Ltd
Priority to CN202311101844.0A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/06 Management of faults, events, alarms or notifications > H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L41/06 Management of faults, events, alarms or notifications > H04L41/0604 Management of faults, events, alarms or notifications using filtering, e.g. reduction of information by using priority, element types, position or time
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses a security alarm verification method and device, a storage medium and computer equipment. The method comprises the following steps: acquiring network security alarm behaviors, which are obtained by monitoring the security defense system of a power service system; inputting the network security alarm behavior into a power service digital simulation verification system for simulation verification to generate verification data, where the power service digital simulation verification system is a simulation model of the power service system used to map and replay the network security alarm behavior; and determining, from the verification data, an identification result for the network security alarm behavior, where the identification result is one of: a valid alarm and an invalid alarm. The invention solves the technical problem that operation and maintenance personnel cannot effectively cope with the massive volume of network security alarm behaviors in a power service system.

Description

Security alarm verification method and device, storage medium and computer equipment
Technical Field
The present invention relates to the field of network security, and in particular, to a security alarm verification method, device, storage medium and computer equipment.
Background
As a basic industry of the economy, the power industry plays an important role in stable growth, people's livelihood and energy security; once it is damaged, loses function or leaks data, national security and the public interest are threatened. In recent years the number of security devices deployed in power network environments has grown year by year, and they have been upgraded from traditional IDS and firewalls to situational awareness, threat intelligence and various traffic security analysis tools. These security devices generate a large number of alarms every day, and some of them also produce false alarms and missed alarms because of their algorithms, sensitivity and similar factors. The combination of many false alarms and a massive alarm volume presents great challenges to the on-duty network security operation and maintenance personnel.
No effective solution to the above problems has been proposed so far.
Disclosure of Invention
Embodiments of the invention provide a security alarm verification method and device, a storage medium and computer equipment, which at least solve the technical problem that operation and maintenance personnel cannot effectively cope with the massive volume of network security alarm behaviors in a power service system.
According to one aspect of an embodiment of the present invention, a security alarm verification method is provided, including: acquiring network security alarm behaviors, which are obtained by monitoring the security defense system of a power service system; inputting the network security alarm behavior into a power service digital simulation verification system for simulation verification to generate verification data, where the power service digital simulation verification system is a simulation model of the power service system used to map and replay the network security alarm behavior; and determining, from the verification data, an identification result for the network security alarm behavior, where the identification result is one of: a valid alarm and an invalid alarm.
Optionally, simulating the terminal equipment of the power service system to obtain a terminal simulation model of the terminal equipment; simulating the power network of the power service system to obtain a network simulation model corresponding to the power service system; simulating the database service in the power business system to obtain a database service simulation model; simulating the power service application of the power service system to obtain a power application simulation model; and constructing a power business digital simulation verification system according to the terminal simulation model, the network simulation model, the database service simulation model and the power application simulation model.
Optionally, the terminal device of the power service system is simulated to obtain a terminal simulation model of the terminal device, including: according to the functional characteristics of the terminal equipment, monomer modeling is carried out on the terminal equipment to obtain a monomer model of the terminal equipment; performing digital simulation on a physical process in the power service system to obtain a digital model of the physical process, wherein performing digital simulation on the physical process comprises: digital-analog hybrid simulation and multi-time scale hybrid simulation; the method comprises the steps of carrying out modularized packaging on a monomer model of terminal equipment according to a digital model of a physical process to obtain a simulation component, wherein the simulation component comprises an external data interface; and carrying out graphical modeling on the power service system according to the simulation component to construct a power service digital simulation verification system.
Optionally, simulating the power network of the power service system to obtain a network simulation model corresponding to the power service system, including: carrying out information layering on a communication system in the power service system to obtain a first information layer corresponding to a general protocol and a second information layer corresponding to a special power protocol; object-oriented modeling is carried out on the first information layer, and a universal protocol simulation model is obtained; performing communication service mapping on the second information layer to obtain a power special protocol simulation model; and generating a network simulation model according to the universal protocol simulation model and the power special protocol simulation model.
Optionally, simulating the database service in the power business system to obtain a database service simulation model, including: and simulating an application program interface and a database system in the power service system to obtain a database service simulation model, wherein the database service simulation model provides simulation data based on a simulation data production algorithm.
Optionally, inputting the network security alarm behavior into the power service digital simulation verification system for simulation verification to generate verification data includes: mapping the network security alarm behavior into the power service digital simulation verification system and generating, in that system, a simulated alarm behavior corresponding to the network security alarm behavior; replaying the simulated alarm behavior in the power service digital simulation verification system; and monitoring the operation data of the power service digital simulation verification system to obtain the verification data.
Optionally, the network security alarm behavior includes at least one of: an unknown file that generated an alarm, network security alarm traffic, and service access behavior.
According to another aspect of the embodiment of the present invention, a security alarm verification apparatus is also provided, including: an acquisition module for acquiring network security alarm behaviors, which are obtained by monitoring the security defense system of the power service system; a simulation module for inputting the network security alarm behavior into the power service digital simulation verification system for simulation verification to generate verification data, where the power service digital simulation verification system is a simulation model of the power service system used to map and replay the network security alarm behavior; and an identification module for determining the identification result of the network security alarm behavior from the verification data, where the identification result is one of: a valid alarm and an invalid alarm.
According to still another aspect of the embodiment of the present invention, there is further provided a nonvolatile storage medium, where the nonvolatile storage medium includes a stored program, and when the program runs, the device where the nonvolatile storage medium is controlled to execute any one of the above-mentioned security alarm verification methods.
According to still another aspect of the embodiment of the present invention, there is further provided a computer device, where the computer device includes a memory and a processor, the memory is configured to store a program, and the processor is configured to execute the program stored in the memory, where the program executes any one of the above security alert verification methods.
In the embodiment of the invention, the network security alarm behavior is obtained by monitoring the security defense system of a power service system; the network security alarm behavior is input into a power service digital simulation verification system for simulation verification to generate verification data, where the power service digital simulation verification system is a simulation model of the power service system used to map and replay the network security alarm behavior; and an identification result of the network security alarm behavior, either a valid alarm or an invalid alarm, is determined from the verification data. This achieves the purpose of accurately determining the authenticity, severity and scope of influence of an attack on the power network system, achieves the technical effect of verifying an alarm when the power network system is observed to be under attack, and thereby solves the technical problem that operation and maintenance personnel cannot effectively cope with the massive volume of network security alarm behaviors in the power service system.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute a limitation on the application. In the drawings:
FIG. 1 shows a block diagram of the hardware architecture of a computer terminal for a security alarm verification method;
FIG. 2 is a schematic diagram of a security alert verification method provided according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of a data modeling terminal model provided in accordance with an embodiment of the present application;
FIG. 4 is a schematic diagram of a digital-to-analog integrated simulation system provided in accordance with an alternative embodiment of the present application;
FIG. 5 is a schematic diagram of a componentized simulation architecture provided in accordance with an alternative embodiment of the present application;
FIG. 6 is a schematic diagram of a power system communication hierarchy provided in accordance with an alternative embodiment of the present application;
FIG. 7 is a schematic diagram of a protocol generic object model provided in accordance with an alternative embodiment of the present application;
FIG. 8 is a schematic diagram of alert verification and detection model optimization provided in accordance with an alternative embodiment of the present application;
FIG. 9 is a schematic diagram of a security alert verification technique provided in accordance with an alternative embodiment of the present application;
FIG. 10 is a block diagram of a security alarm verification device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
In accordance with an embodiment of the present application, a method embodiment of security alert verification is provided, it being noted that the steps illustrated in the flowchart of the figures may be performed in a computer system, such as a set of computer executable instructions, and, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
The security alarm verification method provided by the embodiment of the application can be executed on a mobile terminal, a computer terminal or a similar computing device. Fig. 1 shows a hardware block diagram of a computer terminal for implementing the security alarm verification method. As shown in fig. 1, the computer terminal 10 may include one or more processors (shown as processor 102a, processor 102b, …, processor 102n; these may include, but are not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA) and a memory 104 for storing data. In addition, it may further include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the bus), a network interface, a power supply, and/or a camera. Those of ordinary skill in the art will appreciate that the configuration shown in fig. 1 is merely illustrative and does not limit the configuration of the electronic device described above. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration from that shown in FIG. 1.
It should be noted that the one or more processors and/or other data processing circuits described above may be referred to herein generally as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any other combination. Furthermore, the data processing circuitry may be a single stand-alone processing module or incorporated, in whole or in part, into any of the other elements in the computer terminal 10. As referred to in embodiments of the application, the data processing circuit acts as a processor control (e.g., selection of the path of the variable resistor termination connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the security alarm verification method in the embodiment of the present application, and the processor executes the software programs and modules stored in the memory 104, thereby executing various functional applications and data processing, that is, implementing the security alarm verification method of the application program. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 10.
Fig. 2 is a flow chart of a security alarm verification method according to an embodiment of the present invention, as shown in fig. 2, the method includes the following steps:
step S202, acquiring network security alarm behaviors, wherein the network security alarm behaviors are obtained by monitoring a security defense system of a power service system.
As an alternative embodiment, the network security alarm behavior may include at least one of: an unknown file that generated an alarm, network security alarm traffic, and service access behavior. An unknown file that generated an alarm may be malicious code or a Trojan that triggered the alarm; network traffic may be a network attack or a vulnerability attack that triggered the alarm; and service access behavior, such as login, authorization and access, triggers situational awareness alarms. For an unknown file that generated an alarm, the file format and running environment are first determined, the network conditions involved in running the unknown file can be analyzed automatically at the same time, and the unknown file is then mapped into a specific operating system or terminal according to its format, running environment and required network environment. For alarm traffic, the destination IP, timestamp and related protocol fields are converted by means such as IP/domain name mapping so that the traffic fits the power service digital simulation alarm verification environment.
Specifically, network security alarm behaviors can include malware detection, intrusion detection, vulnerability scanning, anomalous network behavior, bandwidth overload, data leakage detection, network traffic anomalies and identity verification anomalies. Such alarms help a network administrator discover and respond to potential network security threats in time, but a power service system in the related art receives a massive volume of network security alarms, among which false alarms and missed alarms may exist, and operation and maintenance personnel spend a great deal of time on investigation and verification, which is very unfavorable to operation and maintenance work and to the network security of the power service system.
Step S204, inputting the network security alarm behavior into a power service digital simulation verification system for simulation verification to generate verification data, wherein the power service digital simulation verification system is a simulation model of the power service system and is used for mapping and replaying the network security alarm behavior.
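As an added example that is not part of the patent, the following Python sketch walks through steps S202 and S204 end to end: alerts exported by a security device (constructed sample records) are mapped into the simulation's address space and time base, replayed against a toy simulation model of the power service, and classified as a valid or invalid alarm from the operation data the replay produces. The alert fields, the `IP_MAP` table, the `SimHost`/`SimulationSystem` classes, the event names and the lockout threshold are assumptions for illustration; the patent does not specify them, and the simulation here is only a stand-in for the digital simulation verification system.

```python
"""Added example (not the patent's code): map, replay and classify security alerts."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample alerts in the shape a security device might export.
# IP addresses are documentation ranges (RFC 5737); they are not real hosts.
SAMPLE_ALERTS = [
    {"id": "A-1", "kind": "traffic", "dst_ip": "10.10.1.20", "dst_port": 8080,
     "proto": "tcp", "sig": "SIG-WEB-001", "ts": "2023-09-01T08:00:00"},
    {"id": "A-2", "kind": "traffic", "dst_ip": "10.10.1.20", "dst_port": 23,
     "proto": "tcp", "sig": "SIG-TELNET-001", "ts": "2023-09-01T08:00:05"},
    {"id": "A-3", "kind": "access", "dst_ip": "10.10.1.30", "user": "operator1",
     "action": "login", "failed_attempts": 12, "ts": "2023-09-01T08:00:09"},
    {"id": "A-4", "kind": "access", "dst_ip": "10.10.1.30", "user": "operator2",
     "action": "login", "failed_attempts": 1, "ts": "2023-09-01T08:00:12"},
]

# Production-to-simulation address mapping (the patent's "IP domain name mapping").
IP_MAP = {"10.10.1.20": "192.0.2.20", "10.10.1.30": "192.0.2.30"}
# Time base of the replay; the offset to the first alert is applied to every alert.
REPLAY_START = datetime(2024, 1, 1)
# Operation-data events that count as evidence the alarm was genuine (assumption).
ANOMALOUS_EVENTS = {"service-anomaly", "account-lockout"}


@dataclass
class SimHost:
    """Toy terminal model: open ports and the signatures that disturb its service."""
    name: str
    services: dict            # port -> service name
    affected_by: set          # signature ids whose replay changes the service's behaviour
    lockout_threshold: int = 5


@dataclass
class SimulationSystem:
    """Toy power-service simulation: hosts keyed by simulated IP plus an operation log."""
    hosts: dict
    ops_log: list = field(default_factory=list)

    def replay(self, alert):
        """Replay one mapped alert and record the operation data it produces."""
        host = self.hosts.get(alert["dst_ip"])
        if host is None:
            self._log(alert, "no-such-target")
        elif alert["kind"] == "traffic":
            svc = host.services.get(alert["dst_port"])
            if svc is None:
                self._log(alert, "port-closed")
            elif alert["sig"] in host.affected_by:
                self._log(alert, "service-anomaly", service=svc)
            else:
                self._log(alert, "service-normal", service=svc)
        elif alert["kind"] == "access":
            if alert["failed_attempts"] >= host.lockout_threshold:
                self._log(alert, "account-lockout", user=alert["user"])
            else:
                self._log(alert, "access-normal", user=alert["user"])
        else:
            self._log(alert, "unsupported-kind")

    def _log(self, alert, event, **extra):
        self.ops_log.append({"alert": alert["id"], "ts": alert["ts"], "event": event, **extra})


def map_alert(alert, ip_map, time_offset):
    """Rewrite destination IP and timestamp so the alert targets the simulation.

    Returns None when the target has no simulated counterpart (cannot be verified)."""
    if alert["dst_ip"] not in ip_map:
        return None
    mapped = dict(alert)
    mapped["dst_ip"] = ip_map[alert["dst_ip"]]
    mapped["ts"] = (datetime.fromisoformat(alert["ts"]) + time_offset).isoformat()
    return mapped


def verify_alerts(alerts, ip_map, system, replay_start):
    """Map, replay and classify each alert; returns {alert_id: verdict}."""
    first_ts = min(datetime.fromisoformat(a["ts"]) for a in alerts)
    offset = replay_start - first_ts     # preserves the relative spacing of the originals
    verdicts = {}
    for alert in alerts:
        mapped = map_alert(alert, ip_map, offset)
        if mapped is None:
            verdicts[alert["id"]] = "unverifiable"
            continue
        system.replay(mapped)
        events = {e["event"] for e in system.ops_log if e["alert"] == alert["id"]}
        verdicts[alert["id"]] = "valid alarm" if events & ANOMALOUS_EVENTS else "invalid alarm"
    return verdicts


def build_demo_system():
    """Two simulated hosts standing in for a web front end and a substation gateway."""
    return SimulationSystem(hosts={
        "192.0.2.20": SimHost("web-frontend", {8080: "http"}, {"SIG-WEB-001"}),
        "192.0.2.30": SimHost("scada-gateway", {102: "mms"}, set()),
    })


def run_demo():
    """Run the constructed alerts through the demo system; returns (verdicts, system)."""
    system = build_demo_system()
    return verify_alerts(SAMPLE_ALERTS, IP_MAP, system, REPLAY_START), system


if __name__ == "__main__":
    verdicts, system = run_demo()
    for alert_id, verdict in verdicts.items():
        print(alert_id, verdict)
```

Two points carry over to a real deployment: an alert whose target has no simulated counterpart is reported as unverifiable rather than silently marked invalid, and the verdict is derived only from the operation log the replay produced, so the classification rule can be audited independently of the simulation model.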
As an alternative embodiment, the power business digital simulation verification system may be constructed as follows: simulating terminal equipment of the power service system to obtain a terminal simulation model of the terminal equipment; simulating the power network of the power service system to obtain a network simulation model corresponding to the power service system; simulating the database service in the power business system to obtain a database service simulation model; simulating the power service application of the power service system to obtain a power application simulation model; and constructing a power business digital simulation verification system according to the terminal simulation model, the network simulation model, the database service simulation model and the power application simulation model.
In the above alternative embodiment, the power application simulation construction process includes three core steps: the power business oriented software defined application modeling, the software defined grid automation networking orchestration and UPnP-based power equipment virtualization interfaces.
The software defined application modeling technology facing the power service can be used for uniformly modeling different power services to generate a power service logic model; the software defined power grid automatic networking arrangement technology generates a connection relation model of an actual network component and a power component according to a user defined power service logic model arrangement, sends the model to a power grid operating system (controller), and the controller is mapped into a corresponding physical network and configures and realizes equipment of a data layer to complete an automatic configuration process, so that decoupling between service and a logic network and decoupling between the logic network and the physical network are realized; the power equipment virtualization interface technology based on UPnP virtualizes entity equipment of different manufacturers and different types and using different communication protocols into services in a network, and then realizes unified control of the entity power equipment through discovery, request and response to the services.
The power application definition layer includes applications for various grid functions and business services. The application accesses the controller through the interface, so that not only the intelligent device can be accessed and controlled, but also the generalized power grid state data (including the result data of injecting some applications) of the running control layer can be accessed and updated. These applications may be built modularly and visually by software-defined methods, including, for example, virtual power plants, software-defined power transmission grids, software-defined substations, software-defined distribution networks, etc. Thanks to this layered architecture, new applications and new services can be developed easily in a "soft approach" at the logic level in a software defined grid.
The simulation test platform is used for providing different platform access rights for different users, and an administrator user can adopt a graph-model integrated rapid modeling tool to perform editing functions of adding, deleting and checking the electric power service model library and the element model library so as to provide a simulation environment for a common user to rapidly build through a default service model library. The graph and model integrated modeling tool can quickly generate the predefined business module on a tool graphical interface according to the predefined business model selected by a user so that the user with a certain electric power knowledge background can modify the model to achieve the purpose of increasing or decreasing functions.
Business layer application modeling includes two aspects, business layer knowledge extraction and unified logic model construction. The service layer knowledge extraction firstly classifies power services, such as an intelligent substation system, a dispatching automation system, a power distribution automation system and the like, and performs knowledge summarization on each power service structure and system model respectively to obtain a more common and typical system structure and service flow, namely a service layer application logic model.
The graph-model integrated modeling is carried out, firstly, the electric power business needing to be simulated is determined, then, a user-defined model can be loaded according to the requirement, namely, a user-modified or user-built historical model is added, a corresponding business model can be selected from a business model library, and then, a related basic electric power secondary equipment model is selected from an element model library, so that model selection is completed. The models in the model library can be displayed in a graphical form for selection by a user, and the internal information of the models can be checked and reasonably modified to set related initialization parameters. And finally, determining the topology of the connection structure among the models, and generating a final power application unified logic model facing the power service through a graph and model integrated tool.
The automatic configuration of the power software and hardware resources comprises two core technologies, namely a universal interface technology for shielding the difference between different power equipment and communication equipment and a technology for realizing the automatic configuration of the bottom software and hardware resources.
As an alternative embodiment, the terminal device of the power service system is simulated, and the terminal simulation model of the terminal device can be obtained by the following manner: according to the functional characteristics of the terminal equipment, monomer modeling is carried out on the terminal equipment to obtain a monomer model of the terminal equipment; performing digital simulation on a physical process in the power service system to obtain a digital model of the physical process, wherein performing digital simulation on the physical process comprises: digital-analog hybrid simulation and multi-time scale hybrid simulation; the method comprises the steps of carrying out modularized packaging on a monomer model of terminal equipment according to a digital model of a physical process to obtain a simulation component, wherein the simulation component comprises an external data interface; and carrying out graphical modeling on the power service system according to the simulation component to construct a power service digital simulation verification system.
In the above alternative embodiment, the monomer model may include: the system comprises a data simulation terminal model, a measurement and control terminal model and a protection terminal model. The data simulation terminal is mainly used for realizing the simulation of the generation, transmission, distribution and consumption link terminals of the electric energy of each link of transmission, transformation, distribution and utilization. The simulation technology mainly comprises a virtual data generation strategy, real-time data storage, communication processing, interface design and the like.
The virtual data generation strategy simulates data according to the type of device being simulated; it is designed with PSCAD/EMTDC software, covers each terminal device of transmission, transformation and distribution, includes the performance parameters and link conditions of the device under standard conditions, and also reserves a parameter-setting interface for adjusting parameters dynamically. After virtual data is generated, it is processed in an object-oriented way (data type, attributes of the generating device and so on) and then stored in real time. Communication processing implements data exchange with other device terminals. The model construction process is shown in fig. 3: the virtual data generation strategy generates virtual data, the virtual data thread transmits it to the real-time data storage area, the communication processing thread transmits the data from the real-time data storage area to the communication interface, and the communication interface exchanges data with other device terminals.
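The thread pipeline of fig. 3, as an added example that is not the patent's code: a virtual data thread runs the generation strategy and writes into a real-time store, a communication thread drains the store into a communication interface, and the parameter-setting interface is a dataclass whose nominal values can be changed between runs. The `TerminalParams`, `Sample`, `RealTimeStore` and `CommunicationInterface` names, the sinusoidal "ripple" used as the generation strategy and the frame layout are assumptions for illustration; the patent only names the components, and the real strategy is designed in PSCAD/EMTDC.

```python
"""Added example (not the patent's code): data simulation terminal thread pipeline."""
import math
import queue
import threading
from dataclasses import asdict, dataclass


@dataclass
class TerminalParams:
    """Parameter-setting interface: standard-condition values adjustable at run time."""
    device_id: str
    link: str                 # transmission / transformation / distribution / consumption
    nominal_voltage: float
    nominal_current: float
    ripple: float = 0.02      # relative variation applied by the generation strategy (assumed)


@dataclass
class Sample:
    """Object-oriented record of one generated measurement and its source device."""
    device_id: str
    link: str
    seq: int
    voltage: float
    current: float
    active_power: float


def generate_sample(params, seq):
    """Virtual data generation strategy: deterministic variation around the nominal values."""
    factor = 1.0 + params.ripple * math.sin(seq / 4.0)
    voltage = round(params.nominal_voltage * factor, 3)
    current = round(params.nominal_current * factor, 3)
    return Sample(params.device_id, params.link, seq, voltage, current, round(voltage * current, 3))


class RealTimeStore:
    """Real-time data storage area shared by the generation and communication threads."""
    def __init__(self):
        self._lock = threading.Lock()
        self.latest = {}               # device_id -> most recent Sample
        self._pending = queue.Queue()  # samples not yet handed to the communication thread

    def put(self, sample):
        if sample is not None:         # None is the end-of-stream marker
            with self._lock:
                self.latest[sample.device_id] = sample
        self._pending.put(sample)

    def take(self):
        return self._pending.get()


class CommunicationInterface:
    """Stand-in for the interface that exchanges data with other device terminals."""
    def __init__(self):
        self._lock = threading.Lock()
        self.sent = []

    def send(self, frame):
        with self._lock:
            self.sent.append(frame)


def run_terminal(params, n_samples):
    """Run the two-thread pipeline for n_samples; returns (frames sent, latest per device)."""
    store = RealTimeStore()
    iface = CommunicationInterface()

    def virtual_data_thread():
        for seq in range(n_samples):
            store.put(generate_sample(params, seq))
        store.put(None)                # tell the communication thread to stop

    def communication_thread():
        while True:
            sample = store.take()
            if sample is None:
                break
            iface.send({"type": "measurement", **asdict(sample)})

    workers = [threading.Thread(target=virtual_data_thread),
               threading.Thread(target=communication_thread)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return iface.sent, store.latest


if __name__ == "__main__":
    frames, latest = run_terminal(TerminalParams("T1", "transmission", 220.0, 5.0), 8)
    for frame in frames:
        print(frame)
```

The queue carries ownership of each sample from one thread to the other, while `latest` keeps a lock-protected snapshot per device so that a monitoring component can read the current state without draining the stream; changing `TerminalParams` between runs exercises the parameter-setting interface without touching the pipeline.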
The measurement and control terminal mainly monitors and controls the field signals and simultaneously realizes communication transmission of the collected signals. The simulation content mainly comprises information measurement port design, message generation and analysis strategies, control strategy simulation, abstract communication interface design and the like.
The information measuring port is mainly used for collecting and processing data according to the measured object, including the collection and processing of analog quantities such as voltage, current, active power and reactive power, and the collection and processing of digital signals such as relay and circuit breaker states; the message generation strategy packages the measurement data, generates GOOSE, SV and MMS messages, and parses received messages; the abstract communication interface receives and sends messages; the control strategy generates different control signals according to different input signals.
The protection terminal comprises a breaker and a protection IED. The breaker mainly receives a tripping signal, calculates the time from the end to the delay end, and sends GOOSE messages to other IEDs. Protection IEDs are divided into a normal mode and a fault mode: in normal mode the protection IED sends constant-value data packets to the station-level system; in fault mode it sends out a tripping signal and multicasts the signal to other IEDs. The main content of the protection terminal model comprises sampling value reception, protocol parsing and packaging, the protection algorithm, and the forming and sending of action strategy messages.
Digital simulation establishes a mathematical model of the physical process of the power system, solves it with computer and numerical calculation technology, and thereby simulates the power system. Compared with physical simulation, digital simulation is not limited by the scale or structural complexity of the system under study, and has the advantages of high calculation speed, flexible use and relatively low cost. The digital simulation technology mainly involves the following parts: the digital-analog hybrid simulation interface, multi-time-scale hybrid simulation and parallel computing technology. In power system simulation, when a physical device is connected, the simulation speed must be fully consistent with the dynamic response of the actual system, so a digital simulation interface to the physical device needs to be provided. The digital simulation technology covers three dynamic processes, namely the electromagnetic transient process, the electromechanical transient process and the medium- and long-term dynamic process, and multi-time-scale hybrid simulation can integrate electromechanical transient, electromagnetic transient and medium- and long-term simulation, fusing the three dynamic processes.
The digital-analog comprehensive simulation system is shown in fig. 4 and comprises a digital simulation system and a physical simulation system. The digital part can be built in RTDS or similar equipment, the physical part is formed by combining the corresponding equipment, and the two are connected through interfaces. The basic interface algorithms comprise five kinds: the ideal transformer model, the transmission line model, the time-varying first-order linear approximation method, the partial circuit replication method and the damping impedance method.
Terminal state processes on different time scales are interwoven and coupled and are difficult to separate accurately; any single simulation method on its own neglects the dynamic processes on the other time scales. Multi-time-scale hybrid simulation can adjust the response of the power system in each time period, reduce errors and make the simulation result more accurate. The simulation system therefore establishes a multi-time-scale simulation model, including fast electromagnetic transient simulation, electromechanical transient simulation, medium- and long-term dynamic simulation and the like.
The fast electromagnetic transient simulation is used to simulate the fast switching characteristics of power electronic equipment; it can run on an FPGA or an RTDS, or be controlled by software and connected to an actual control device. The electromagnetic transient simulation needs to simulate the direct current system in real time, and the electromechanical transient simulation simulates the alternating current system in real time. The medium- and long-term dynamics mainly consider the long dynamic response process after the terminal is disturbed, lasting from tens of seconds to hours.
In the multi-time scale hybrid real-time simulation system, a real-time simulation model needs to be established in combination with the actual requirements of the simulation precision and the simulation efficiency of the power grid. The simulation models with different time scales are connected through the equivalent models, so that the rapid electromagnetic transient, electromechanical transient simulation and the splicing of the medium-long-term dynamic model are realized.
The modular packaging firstly needs to establish a power simulation software framework; then, carrying out modular design and encapsulation on the monomer model of the terminal equipment; and finally, establishing a normalized external data interface for the simulation component.
The software framework comprises data management, simulation component management, event management, simulation interface management and the like. The data management mainly meets the requirement of the simulation terminal on real-time performance, and the frequent exchange of a large amount of data is completed in the simulation operation period. The event management continuously updates the dynamic execution list according to the event triggering sequence of each simulation component. The simulation component management provides functions of component registration, component initialization, component parameter configuration, component addition and deletion, and the like. Event management provides services such as time management, claim management, etc. for each simulation component on the platform. The simulation interface management provides interface operation for the system simulation process, and the interface operation comprises external trigger events such as starting, operation, suspension, recovery, fault and the like on a human-computer interface. The componentized package comprises packages of a component model and a logic model, and is packaged into corresponding model files according to different functions. The interface adopts XML design criteria, namely, the component model is separated from the component interface, and the component model and the component interface hierarchical structure can be independently expanded. The architecture of the componentization technique is shown in fig. 5, and the integrated simulation software framework may include a plurality of simulation components and an external interface.
The graphical modeling technology encapsulates components with different functions so that graph and model are integrated and the terminal is described graphically. The technology mainly realizes graph-model integration of the terminal, which describes the simulation terminal model in graphic form and covers the drawing of the graphic model and the attribute setting of the module. The drawing of the graphic module may be done in bitmap form to represent a simulation element or control logic, and the picture of the bitmap may be set freely by the user. The attribute setting of the module mainly comprises basic information setting, input and output parameter setting and monitoring parameter setting. When graphical modeling is implemented, the device type of the element is defined, the device attribute information is entered, the defined primitives are stored, and the primitive layer is linked in parallel with the data layer, so that the user can select the type, attributes and services of the device according to their own requirements. The automatic topology analysis technology realizes automatic network topology analysis: terminal information is added to the graphic primitive, the endpoints of the device are marked graphically, and the terminal device type, port name and device ID of each connecting end are configured and stored as a tuple, which can then be used for automatic connection of the topology.
The terminal graphical modeling technology is implemented with the UML modeling language. UML is a standardized modeling language through which both the static structure and the dynamic information of system data can be expressed in depth. The UML modeling process adopts an object-oriented approach and comprises the following specific steps: establishing a requirements model, determining the functional requirements of the terminal and obtaining its main functions; establishing an object model, which comprises a static model and a dynamic model, where the static model shows the static structural relations among the system objects using three views (class diagrams, object diagrams and package diagrams) and the system is analyzed as a whole to obtain the corresponding structure diagram, while the dynamic model uses sequence diagrams, state diagrams, activity diagrams and collaboration diagrams to describe object states, the transition conditions between states and the interaction relations between objects; establishing an implementation model, comprising the system software and hardware and the data communication method, expressed in detail through a configuration (deployment) diagram that describes the connection relations between software and hardware, with the constructed components represented through a component diagram; and checking the relevance and consistency among the models.
As an optional embodiment, the power network of the power service system is simulated, and the network simulation model corresponding to the power service system may be obtained by the following manner: carrying out information layering on a communication system in the power service system to obtain a first information layer corresponding to a general protocol and a second information layer corresponding to a special power protocol; object-oriented modeling is carried out on the first information layer, and a universal protocol simulation model is obtained; performing communication service mapping on the second information layer to obtain a power special protocol simulation model; and generating a network simulation model according to the universal protocol simulation model and the power special protocol simulation model.
In the above-mentioned alternative embodiment, network simulation can be used to construct the communication behaviors between different objects, the performance of protocols, network operation analysis and the like, and can build a rich, accurate, modularized and standard power network model, so as to shield the compatibility problems brought by different software or systems and facilitate analysis and testing of network behavior. The power network simulation mainly comprises two parts, namely general protocol simulation and power-specific protocol simulation. The general protocol simulation refers to simulating the universal base protocols, such as TCP/UDP (Transmission Control Protocol/User Datagram Protocol), on which power services heavily rely; an OSI (Open Systems Interconnection) communication model is constructed through analysis, and the simulation of the communication protocols below the application layer is realized through that model. The power-specific protocol simulation describes the complex power-specific communication protocols through a graphic modeling language, automatically converts the communication protocol model into executable simulation code, and handles the complex modeling process.
The hierarchy of the power system communication system is shown in fig. 6. The communication protocol of the power system describes the communication architecture of the power system hierarchy; the whole communication system can be divided into a plurality of layers, with corresponding communication interfaces arranged between the different layers. A substation, for example, can be divided into a process layer, a bay layer and a station control layer. The process layer mainly comprises devices such as sensors and actuators, realizes data acquisition and control command transmission, and provides a corresponding remote interface; the bay layer comprises protection and control devices, whose function is to use the data of the present bay to act on the primary devices of the present bay; the station control layer mainly includes functions related to the process and functions related to the interface, such as engineer stations, bus protection and the like.
As shown in fig. 7, the generic object model of the power system protocol mainly includes five parts: server, logical device, logical node, data object, and data attributes. Modeling follows a top-down modeling principle, namely abstracting the actual physical devices in the order of server-logical device-logical node-data object-data attribute. The object-oriented modeling method tightly combines the data with the functional service, can accurately express various complex association relations, has good systemicity and expansibility, and enables the model to be more stable.
The communication service mapping technology mainly comprises specific communication service mapping and abstract communication unified service interfaces. The basis of the specific service mapping is the OSI standard reference model for defining and implementing the protocol mapping required for each layer of functionality, implementing specific types of services and information exchange by different framework combinations, forming different specific communication service mappings. The communication unified service interface mainly defines data class and attribute of the power system protocol, describes and designs corresponding communication service specifications and models, and comprises attribute of common data type, extension method of logic node, definition of data object and the like.
As an alternative embodiment, the database service in the power business system is simulated, and the database service simulation model can be obtained by the following manner: and simulating an application program interface and a database system in the power service system to obtain a database service simulation model, wherein the database service simulation model provides simulation data based on a simulation data production algorithm.
In the above-mentioned alternative embodiment, the application program interface is currently mainly based on the HTTP/S protocol. Application program interface formats mainly include REST, SOAP, gRPC, GraphQL, user-defined formats and the like, and the components of an application program interface mainly include the communication protocol, domain name, path, version number, request method, request parameters, response parameters, authentication method, interface documentation and the like. The application program interface data service simulation model is constructed by simulating these components and the objects they access.
Database service simulation mainly builds the database systems widely used in power systems, including MySQL, Oracle, Dameng (DM), Kingbase and the like. The simulation service environment is accessed and used by constructing a simulation data production algorithm that conforms to the format specification of the service system and storing the data it produces in the related database system.
As an alternative embodiment, the network security alarm traffic is input into the power service digital simulation verification system for simulation verification, and verification data can be generated by the following way: mapping the network security alarm behavior to a power service digital simulation verification system, and generating a simulation alarm behavior corresponding to the network security alarm behavior in the power service digital simulation verification system; replaying the simulated alarm behavior in the power business digital simulation verification system; and monitoring the operation data of the power business digital simulation verification system to obtain verification data.
In the above alternative embodiment, the alarm behaviors, alarm traffic and associated network attack behaviors from the real service environment are verified by replay in the power service digital simulation alarm verification environment through three steps: forwarding, mapping and replaying.
Locating and forwarding alarm behaviors: alarm behaviors are abnormal behaviors that trigger alarm rules, and comprise terminal anomalies, network anomalies and system anomalies. Terminal anomalies generally comprise malicious code, abnormal files, abnormal terminal login and access behaviors and the like; network anomalies comprise various abnormal network accesses, network traffic attacks, vulnerability attacks and the like; system anomalies generally include abnormal access, login and authorization of services, as well as vulnerability attacks on parts of the service system. The first step is to locate the behavior entity that triggered the alarm through the alarm information of the security device, mainly unknown files, network traffic and service access behaviors (login, authorization, data acquisition, etc.), and to forward the alarm behaviors out of band (bypass).
The mapping of alarm behaviors mainly converts the alarm behaviors in the actual power service into alarm behaviors in the simulation environment. The mapping and forwarding of alarm behaviors covers three dimensions: unknown files that generated alarms (possibly malicious code or Trojan horses triggering the alarm), network traffic (possibly network attacks or vulnerability attacks triggering the alarm), and service access behaviors (possibly actions such as login, authorization and access triggering situation-awareness alarms). For an unknown file that generated an alarm, the file format and running environment are first determined, the network conditions involved in running the unknown file can be analyzed automatically at the same time, and the unknown file is then mapped into a specific operating system or terminal according to its format, running environment and required network environment. For alarm traffic, the destination IP, the timestamp and the related protocol fields are converted by means such as IP and domain name mapping, so that the traffic fits the power service digital simulation alarm verification environment.
Replaying alarm behaviors: the converted alarm behaviors (files, traffic, abnormal behaviors and the like) are replayed through a boundary switch or router in the power service digital simulation alarm verification environment, and the behavior characteristics of invalid alarm behaviors are optimized through the mapping of alarm behaviors, by means such as expert review, so that they can be replayed successfully in the simulation environment.
Step S206, determining the identification result of the network security alarm behavior according to the verification data, wherein the identification result comprises: a valid alarm or an invalid alarm.
In the above alternative embodiment, the alarm verification and detection model optimization technique is shown in fig. 8. It verifies the data and the model sent by the alarm behavior forwarding, mapping and replay module so as to identify valid and invalid alarms, optimizes the related detection model according to the alarm result, and may provide a third-party interface through which security devices perform model optimization and iteration.
The method mainly comprises the following steps. Input of alarm data and models: the input is mainly derived from the output of the alarm behavior forwarding, mapping and replay module and from part of the security equipment, and manual input of security alarm rule models is also supported. Replay and interactive monitoring of alarm behaviors in the simulation environment: the alarm behavior data (attack traffic, malicious code, abnormal behaviors and the like) is simulated and interacted with in the power service digital simulation alarm verification environment, and the influence of the alarm information on the simulated services is monitored, so that the effectiveness of the alarm information and the detection model is observed in a realistic scenario. Identification and adjudication of alarm information: the system jitter or abnormal condition of the power service digital simulation alarm verification module under the influence of the alarm behavior is observed and combined with the expert adjudication result; the algorithm model of the monitoring, perception and prediction type security equipment or system is then optimized according to the identification result, and a third-party update interface is provided.
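As an added example (not code from the patent), the following Python sketch shows how the observation of "system jitter or abnormal condition" in the simulated services, combined with an expert adjudication, can yield the valid/invalid identification described above. The metric names, the deviation threshold and the sample measurements are constructed for illustration.

```python
"""Decide whether a replayed alarm is valid or invalid from the simulation's
operation data, combined with an expert verdict.

Added example, not code from the patent. Metric names, the threshold and the
sample measurements below are constructed for illustration.
"""
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed: operation metrics sampled from the simulated power service,
# once without any replay (baseline) and once while the alarm behaviour is
# replayed through the simulation environment.
BASELINE: Dict[str, List[float]] = {
    "goose_latency_ms": [1.9, 2.1, 2.0, 2.2, 1.8, 2.0, 2.1, 1.9],
    "mms_req_per_s":    [48, 51, 50, 49, 52, 50, 49, 51],
}
# Replay of a real network-traffic attack: latency and request rate jump.
DURING_REPLAY: Dict[str, List[float]] = {
    "goose_latency_ms": [2.0, 2.1, 7.9, 8.4, 9.1, 8.8, 2.0, 2.1],
    "mms_req_per_s":    [50, 51, 420, 455, 470, 440, 50, 49],
}
# Replay of a benign access pattern that tripped a rule: nothing moves.
QUIET_REPLAY: Dict[str, List[float]] = {
    "goose_latency_ms": [2.0, 2.1, 1.9, 2.0, 2.2, 1.9, 2.0, 2.1],
    "mms_req_per_s":    [50, 51, 49, 50, 52, 49, 50, 51],
}


def jitter_score(baseline: List[float], observed: List[float]) -> float:
    """Largest deviation of the observed samples from the baseline mean,
    measured in baseline standard deviations (a max z-score). A tiny floor
    on sigma avoids division by zero for a perfectly flat baseline."""
    mu = mean(baseline)
    sigma = max(pstdev(baseline), 1e-9)
    return max(abs(x - mu) / sigma for x in observed)


def classify_alarm(baseline: Dict[str, List[float]],
                   observed: Dict[str, List[float]],
                   expert: Optional[bool] = None,
                   threshold: float = 4.0) -> Tuple[str, dict]:
    """Return ("valid" | "invalid", details).

    The simulated system counts as disturbed when any shared metric's jitter
    score exceeds the threshold. An expert verdict (True = valid), when given,
    overrides the automatic result; the disagreement is recorded so it can be
    fed back into detection-model optimisation.
    """
    scores = {k: jitter_score(baseline[k], observed[k])
              for k in baseline if k in observed}
    disturbed = any(s > threshold for s in scores.values())
    auto = "valid" if disturbed else "invalid"
    final = auto if expert is None else ("valid" if expert else "invalid")
    details = {
        "scores": scores,
        "auto": auto,
        "expert_override": expert is not None and final != auto,
    }
    return final, details


if __name__ == "__main__":
    for name, obs in (("attack replay", DURING_REPLAY), ("quiet replay", QUIET_REPLAY)):
        verdict, info = classify_alarm(BASELINE, obs)
        print(f"{name}: {verdict} {info['scores']}")
```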
Mapping and replaying traffic in the simulation system means recording traffic data in the real network environment and restoring and simulating it in the simulation system with the same time sequence and content. Specifically, traffic mapping maps the traffic data of the real network environment to corresponding traffic data in the simulation system, including the source IP address, destination IP address, source port, destination port, protocol type and the like; traffic replay transmits the data in the simulation system according to the time sequence and content of the original traffic so as to restore the data transmission process and performance of the real network environment. By mapping and replaying traffic, the performance, reliability, security and other indicators of various network scenarios and applications can be simulated and evaluated in the simulation system.
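An added example, not code from the patent, of the traffic mapping and replay ordering described in the alarm mapping step and in this paragraph: the five-tuple is translated through a constructed IP mapping table, ports and protocol are preserved, timestamps are shifted onto the replay clock while their relative spacing is kept, and records whose destination has no counterpart in the simulation are set aside for review instead of being replayed. The record format, addresses and sample records are constructed.

```python
"""Map captured alarm traffic into the simulation environment and build a
time-ordered replay schedule.

Added example, not code from the patent. The flow-record format, the IP
mapping table and the sample records are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowRecord:
    """One captured flow: the five-tuple plus a capture timestamp (seconds)."""
    ts: float
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str  # "TCP", "UDP", ...


# Constructed mapping: production (real) addresses -> simulation addresses.
IP_MAP: Dict[str, str] = {
    "10.1.0.5": "192.168.100.5",    # protection IED
    "10.1.0.20": "192.168.100.20",  # station-level server
}
# Constructed simulation-side address from which external sources are replayed.
EXTERNAL_INJECTOR = "192.168.200.1"


def map_flow(rec: FlowRecord, ip_map: Dict[str, str],
             time_shift: float) -> Tuple[Optional[FlowRecord], Optional[str]]:
    """Translate one record into the simulation environment.

    Returns (mapped_record, None) on success, or (None, reason) when the
    destination has no simulated counterpart, so the record goes to expert
    review rather than being replayed against the wrong host. Ports and
    protocol are preserved so the alarm rule sees the same pattern.
    """
    if rec.dst_ip not in ip_map:
        return None, f"unmapped destination {rec.dst_ip}"
    # Sources outside the table are treated as external and re-sourced from
    # the injector; internal sources keep their mapped simulation address.
    src = ip_map.get(rec.src_ip, EXTERNAL_INJECTOR)
    mapped = replace(rec, src_ip=src, dst_ip=ip_map[rec.dst_ip],
                     ts=rec.ts + time_shift)
    return mapped, None


def build_replay_schedule(records: List[FlowRecord], ip_map: Dict[str, str],
                          replay_start: float):
    """Map records and order them for replay.

    Timestamps are shifted so the earliest captured packet lands at
    replay_start; the original inter-packet spacing is kept. Returns
    (schedule, rejected): schedule is a list of (delay_from_start, record),
    rejected a list of (original_record, reason).
    """
    if not records:
        return [], []
    shift = replay_start - min(r.ts for r in records)
    schedule, rejected = [], []
    for rec in sorted(records, key=lambda r: r.ts):
        mapped, reason = map_flow(rec, ip_map, shift)
        if mapped is None:
            rejected.append((rec, reason))
        else:
            schedule.append((mapped.ts - replay_start, mapped))
    return schedule, rejected


# Constructed sample capture: a burst of connections to a protection IED on
# port 102 that raised a network-anomaly alarm, one legitimate station-level
# request, and one flow towards a host the simulation does not model.
SAMPLE_RECORDS: List[FlowRecord] = [
    FlowRecord(1700000000.50, "203.0.113.7", "10.1.0.5", 40001, 102, "TCP"),
    FlowRecord(1700000000.25, "203.0.113.7", "10.1.0.5", 40000, 102, "TCP"),
    FlowRecord(1700000001.00, "203.0.113.7", "10.1.0.99", 40002, 102, "TCP"),
    FlowRecord(1700000000.75, "10.1.0.20", "10.1.0.5", 50000, 102, "TCP"),
]

if __name__ == "__main__":
    sched, rej = build_replay_schedule(SAMPLE_RECORDS, IP_MAP, replay_start=0.0)
    for delay, rec in sched:
        print(f"+{delay:.2f}s {rec.src_ip}:{rec.src_port} -> "
              f"{rec.dst_ip}:{rec.dst_port} {rec.proto}")
    for rec, why in rej:
        print("needs review:", why)
```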
Through the above steps, the network security alarm behavior is obtained, wherein it is obtained by monitoring the security defense system of the power service system; the network security alarm behavior is input into the power service digital simulation verification system for simulation verification to generate verification data, wherein the power service digital simulation verification system is a simulation model of the power service system and is used for mapping and replaying the network security alarm behavior; and the identification result of the network security alarm behavior is determined according to the verification data, wherein the identification result comprises a valid alarm or an invalid alarm. This achieves the purpose of accurately determining the authenticity, severity and influence range of an attack on the power network system, achieves the technical effect of alarm verification when the power network system is monitored to be under attack, and thereby solves the technical problem that operation and maintenance personnel find it difficult to cope effectively with the massive network security alarm behaviors in the power service system.
Fig. 9 is a schematic diagram of a security alert verification technique according to an embodiment of the present invention, as shown in fig. 9, the method includes the following steps:
step 1, through simulating terminals, networks, services and applications of a power service system, modeling and simulating power service by adopting an information layering technology, an object-oriented modeling technology, a communication service mapping technology, a component technology, a digital simulation technology, a graphical modeling technology and the like, thereby completing quick construction of a power service simulation environment.
Step 2, analyzing the power alarm information, dividing the alarm behaviors into terminal virus alarms, traffic anomaly alarms, network attack alarms and the like, mapping the alarm behaviors, and replaying the mapped alarm behaviors in the power service digital simulation environment, including replay of terminal alarm behaviors, replay of communication protocol forwarding, replay of network attacks and the like.
Step 3, verifying terminal alarms, network alarms and system alarms, and optimizing the various alarm detection models.
Through the steps, the construction of the power business digital simulation alarm verification environment is realized, the alarm behavior is forwarded, mapped and replayed, and finally the alarm verification and detection model optimization is carried out. The method and the device realize the technical purpose of accurately determining the authenticity, the severity and the influence range of the power network system when the power network system is attacked, achieve the technical effect of carrying out alarm verification when the power network system is monitored to be attacked, and solve the technical problem of carrying out alarm verification on the threat and the influence of the network attack on the power service.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
From the above description of the embodiments, it will be clear to those skilled in the art that the security alarm verification method according to the above embodiments may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
According to an embodiment of the present invention, there is also provided a security alarm verification apparatus for implementing the above security alarm verification method. Fig. 10 is a block diagram of a security alarm verification apparatus according to an embodiment of the present invention; as shown in fig. 10, it includes an acquisition module 1002, a simulation module 1004 and an identification module 1006. The security alarm verification apparatus is described below.
The obtaining module 1002 is configured to obtain a network security alarm behavior, where the network security alarm behavior is obtained by monitoring a security defense system of the power service system.
The simulation module 1004 is connected to the obtaining module 1002, and is configured to input the network security alarm behavior into the electric power service digital simulation verification system for simulation verification, and generate verification data, where the electric power service digital simulation verification system is a simulation model of the electric power service system, and the electric power service digital simulation verification system is configured to map and replay the network security alarm behavior.
The identification module 1006 is connected to the simulation module 1004 and configured to determine the identification result of the network security alarm behavior according to the verification data, where the identification result comprises: a valid alarm or an invalid alarm.
Here, the above-mentioned obtaining module 1002, simulation module 1004 and identification module 1006 correspond to steps S202 to S206 in embodiment 2; the three modules share the examples and application scenarios implemented by the corresponding steps, but are not limited to the disclosure of the above-mentioned embodiments. It should be noted that the above-described modules may run as part of the apparatus in the computer terminal 10 provided in the embodiment.
Embodiments of the present invention may provide a computer device, optionally in this embodiment, the computer device may be located in at least one network device of a plurality of network devices of a computer network. The computer device includes a memory and a processor.
The memory may be used to store software programs and modules, such as program instructions/modules corresponding to the security alarm verification method and apparatus in the embodiments of the present invention, and the processor executes the software programs and modules stored in the memory, thereby executing various functional applications and data processing, that is, implementing the security alarm verification method described above. The memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory remotely located relative to the processor, which may be connected to the computer terminal via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor may call the information and the application program stored in the memory through the transmission device to perform the following steps: acquiring network security alarm behaviors, wherein the network security alarm behaviors are obtained by monitoring a security defense system of a power service system; inputting the network security alarm behavior into a power service digital simulation verification system for simulation verification to generate verification data, wherein the power service digital simulation verification system is a simulation model of the power service system and is used for mapping and replaying the network security alarm behavior; and determining, according to the verification data, the identification result of the network security alarm behavior, wherein the identification result comprises: a valid alarm or an invalid alarm.
Optionally, the above processor may further execute program code for: simulating terminal equipment of the power service system to obtain a terminal simulation model of the terminal equipment; simulating the power network of the power service system to obtain a network simulation model corresponding to the power service system; simulating the database service in the power business system to obtain a database service simulation model; simulating the power service application of the power service system to obtain a power application simulation model; and constructing a power business digital simulation verification system according to the terminal simulation model, the network simulation model, the database service simulation model and the power application simulation model.
Optionally, the above processor may further execute program code for: simulating the terminal equipment of the power service system to obtain a terminal simulation model of the terminal equipment, wherein the terminal simulation model comprises the following steps: according to the functional characteristics of the terminal equipment, monomer modeling is carried out on the terminal equipment to obtain a monomer model of the terminal equipment; performing digital simulation on a physical process in the power service system to obtain a digital model of the physical process, wherein performing digital simulation on the physical process comprises: digital-analog hybrid simulation and multi-time scale hybrid simulation; the method comprises the steps of carrying out modularized packaging on a monomer model of terminal equipment according to a digital model of a physical process to obtain a simulation component, wherein the simulation component comprises an external data interface; and carrying out graphical modeling on the power service system according to the simulation component to construct a power service digital simulation verification system.
Optionally, the above processor may further execute program code for: simulating the power network of the power service system to obtain a network simulation model corresponding to the power service system, wherein the network simulation model comprises the following components: carrying out information layering on a communication system in the power service system to obtain a first information layer corresponding to a general protocol and a second information layer corresponding to a special power protocol; object-oriented modeling is carried out on the first information layer, and a universal protocol simulation model is obtained; performing communication service mapping on the second information layer to obtain a power special protocol simulation model; and generating a network simulation model according to the universal protocol simulation model and the power special protocol simulation model.
Optionally, the above processor may further execute program code for: simulating the database service in the power business system to obtain a database service simulation model, wherein the method comprises the following steps of: and simulating an application program interface and a database system in the power service system to obtain a database service simulation model, wherein the database service simulation model provides simulation data based on a simulation data production algorithm.
Optionally, the above processor may further execute program code for: inputting the network security alarm flow into a power service digital simulation verification system for simulation verification, generating verification data, comprising: mapping the network security alarm behavior to a power service digital simulation verification system, and generating a simulation alarm behavior corresponding to the network security alarm behavior in the power service digital simulation verification system; replaying the simulated alarm behavior in the power business digital simulation verification system; and monitoring the operation data of the power business digital simulation verification system to obtain verification data.
Optionally, the above processor may further execute program code for: the network security alarm behavior includes at least one of: and generating an unknown file of the alarm, network security alarm flow and service access behavior.
By adopting the embodiment of the invention, a scheme for verifying the security alarm is provided. The network security alarm behavior is obtained by monitoring a security defense system of the power service system; inputting the network security alarm behavior into a power service digital simulation verification system for simulation verification to generate verification data, wherein the power service digital simulation verification system is a simulation model of the power service system and is used for mapping and replaying the network security alarm behavior; according to the verification data, determining an identification result of the network security alarm behavior, wherein the identification result comprises: the method has the advantages that the method effectively alarms and invalidates alarms, achieves the purpose of accurately determining the authenticity, the severity and the influence range of the power network system when the power network system is attacked, achieves the technical effect of alarm verification when the power network system is monitored to be attacked, and further solves the technical problem that operation and maintenance personnel are difficult to effectively cope with due to massive network security alarm behaviors in the power service system.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing the associated hardware of a terminal device; the program may be stored in a non-volatile storage medium, which may include a flash disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, and the like.
Embodiments of the present invention also provide a non-volatile storage medium. Optionally, in this embodiment, the non-volatile storage medium may be used to store the program code executed by the security alarm verification method provided in the above embodiments.
Optionally, in this embodiment, the non-volatile storage medium may be located in any computer terminal of a computer terminal group in a computer network, or in any mobile terminal of a mobile terminal group.
Optionally, in the present embodiment, the non-volatile storage medium is arranged to store program code for performing the steps of: simulating the terminal equipment of the power service system to obtain a terminal simulation model of the terminal equipment; simulating the power network of the power service system to obtain a network simulation model corresponding to the power service system; simulating the database service in the power service system to obtain a database service simulation model; simulating the power service application of the power service system to obtain a power application simulation model; and constructing the power service digital simulation verification system from the terminal simulation model, the network simulation model, the database service simulation model and the power application simulation model.
Optionally, in the present embodiment, the non-volatile storage medium is arranged to store program code for performing the steps of: simulating the terminal equipment of the power service system to obtain a terminal simulation model of the terminal equipment, which includes: performing individual (single-device) modeling of the terminal equipment according to its functional characteristics to obtain an individual model of the terminal equipment; performing digital simulation of the physical processes in the power service system to obtain a digital model of the physical processes, wherein the digital simulation of the physical processes includes digital-analog hybrid simulation and multi-time-scale hybrid simulation; encapsulating the individual model of the terminal equipment as a module according to the digital model of the physical processes to obtain a simulation component, wherein the simulation component includes an external data interface; and performing graphical modeling of the power service system using the simulation components to construct the power service digital simulation verification system.
Optionally, in the present embodiment, the non-volatile storage medium is arranged to store program code for performing the steps of: simulating the power network of the power service system to obtain a network simulation model corresponding to the power service system, which includes: layering the communication system in the power service system into a first information layer corresponding to general protocols and a second information layer corresponding to power-specific protocols; performing object-oriented modeling of the first information layer to obtain a general protocol simulation model; performing communication service mapping of the second information layer to obtain a power-specific protocol simulation model; and generating the network simulation model from the general protocol simulation model and the power-specific protocol simulation model.
Optionally, in the present embodiment, the non-volatile storage medium is arranged to store program code for performing the steps of: simulating the database service in the power service system to obtain a database service simulation model, which includes: simulating the application program interface and the database system in the power service system to obtain the database service simulation model, wherein the database service simulation model provides simulation data generated by a simulation data generation algorithm.
Optionally, in the present embodiment, the non-volatile storage medium is arranged to store program code for performing the steps of: inputting the network security alarm behavior into the power service digital simulation verification system for simulation verification to generate verification data, which includes: mapping the network security alarm behavior onto the power service digital simulation verification system to generate, within that system, a simulated alarm behavior corresponding to the network security alarm behavior; replaying the simulated alarm behavior in the power service digital simulation verification system; and monitoring the operation data of the power service digital simulation verification system during the replay to obtain the verification data.
Optionally, in the present embodiment, the non-volatile storage medium is arranged to store program code for performing the steps of: the network security alarm behavior including at least one of: the unknown file that generated the alarm, network security alarm traffic, and service access behavior.
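The map, replay, observe and classify pipeline described in the processor steps and repeated in the storage-medium steps above, as a runnable Python example. This is added illustration, not code from the patent or from the applicant. It assumes a toy twin covering three of the four models: the terminal model is a software inventory of the twin terminal, the network model routes traffic by port at the general protocol layer and decodes IEC 60870-5-104 frames at the power-specific layer (the patent names no particular protocol; IEC 104 is an assumption chosen because it is common in this domain), and the database service model is an in-memory SQLite database filled by a deterministic generator. The inventory hash, addresses, account names and sample alarms are all constructed. An alarm is identified as a valid alarm when its replay deviates from the twin's baseline (an executable that is not in the inventory, a control command from an unauthorized master, a write or schema change by a read-only account) and as an invalid alarm otherwise.

```python
"""Replay-based verification of security alarms against a small digital twin of a
power service system (added illustration, not the patent's own code).  Every hash,
address, account, protocol choice and sample alarm below is a constructed assumption."""
import hashlib
import sqlite3

# Terminal model: the twin terminal's software inventory (assumed allow-list).
KNOWN_SOFTWARE = {hashlib.sha256(b"#!/bin/sh\necho metering-agent\n").hexdigest()}
EXEC_MAGIC = (b"\x7fELF", b"MZ", b"#!")

def terminal_replay(file_bytes: bytes) -> dict:
    """Replay an unknown file on the twin terminal: would it run, is it inventoried?"""
    digest = hashlib.sha256(file_bytes).hexdigest()
    executable = file_bytes.startswith(EXEC_MAGIC)
    return {"model": "terminal", "sha256": digest, "executable": executable,
            "deviation": executable and digest not in KNOWN_SOFTWARE}

# Network model.  IEC 60870-5-104 stands in for the power-specific protocol (assumed).
# Real IEC 104 constants: TCP 2404, start octet 0x68, command ASDU types 45..51 and
# 58..64, general interrogation 100.  The master address is an assumption.
AUTHORIZED_MASTERS = {"10.0.1.10"}
CONTROL_TYPE_IDS = set(range(45, 52)) | set(range(58, 65))

def network_replay(src_ip: str, dst_port: int, apdu: bytes) -> dict:
    """General layer routes by port; only IEC 104 frames reach the special layer."""
    obs = {"model": "network", "src": src_ip, "port": dst_port, "deviation": False}
    if dst_port != 2404 or len(apdu) < 6 or apdu[0] != 0x68:
        return {**obs, "protocol": "generic"}
    if apdu[2] & 0x01 or len(apdu) < 7:                  # S/U-format carries no ASDU
        return {**obs, "protocol": "iec104", "format": "S/U"}
    type_id = apdu[6]                                    # ASDU type identification
    return {**obs, "protocol": "iec104", "format": "I", "type_id": type_id,
            "deviation": type_id in CONTROL_TYPE_IDS
            and src_ip not in AUTHORIZED_MASTERS}

# Database service model: in-memory twin filled by a deterministic data generator.
READ_ONLY_ACCOUNTS = {"report_svc"}                      # assumed service account

def build_twin_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:", isolation_level=None)   # manual transactions
    con.execute("CREATE TABLE meter_reading(meter_id INTEGER PRIMARY KEY, kwh REAL)")
    con.executemany("INSERT INTO meter_reading VALUES (?, ?)",
                    [(i, 100.0 + (i * 37) % 50) for i in range(1, 21)])
    return con

def database_replay(con: sqlite3.Connection, account: str, sql: str) -> dict:
    """Replay a recorded statement in a transaction that is always rolled back."""
    obs = {"model": "database", "account": account, "rows_changed": 0,
           "schema_changed": False, "error": None}
    schema_q = "SELECT sql FROM sqlite_master ORDER BY name"
    before = con.execute(schema_q).fetchall()
    con.execute("BEGIN")
    try:
        cur = con.execute(sql)
        cur.fetchall()
        obs["rows_changed"] = max(cur.rowcount, 0)       # rowcount is -1 for SELECT
        obs["schema_changed"] = con.execute(schema_q).fetchall() != before
    except sqlite3.Error as exc:                         # syntax error, stacked statements
        obs["error"] = str(exc)
    finally:
        if con.in_transaction:
            con.execute("ROLLBACK")                      # the twin is never mutated
    obs["deviation"] = account in READ_ONLY_ACCOUNTS and (
        obs["rows_changed"] > 0 or obs["schema_changed"])
    return obs

def verify_alarm(alarm: dict, con: sqlite3.Connection) -> dict:
    """Map one alarm to a simulated action, replay it, and classify the outcome."""
    kind = alarm["type"]
    if kind == "unknown_file":
        data = terminal_replay(alarm["content"])
    elif kind == "alarm_traffic":
        data = network_replay(alarm["src_ip"], alarm["dst_port"], alarm["apdu"])
    elif kind == "service_access":
        data = database_replay(con, alarm["account"], alarm["sql"])
    else:
        raise ValueError(f"unsupported alarm type: {kind}")
    return {"alarm_id": alarm["id"], "verification_data": data,
            "result": "valid alarm" if data["deviation"] else "invalid alarm"}

# Constructed sample alarms.  IEC 104 frames are I-format: 0x68, length 14, four
# control octets, then a 10-octet ASDU whose first octet is the type ID.
SAMPLE_ALARMS = [
    {"id": 1, "type": "unknown_file", "content": b"#!/bin/sh\necho metering-agent\n"},
    {"id": 2, "type": "unknown_file", "content": b"\x7fELF" + bytes(12)},
    {"id": 3, "type": "alarm_traffic", "src_ip": "10.0.1.10", "dst_port": 2404,
     "apdu": bytes([0x68, 14, 0, 0, 0, 0, 100, 1, 6, 0, 1, 0, 0, 0, 0, 20])},
    {"id": 4, "type": "alarm_traffic", "src_ip": "10.0.9.99", "dst_port": 2404,
     "apdu": bytes([0x68, 14, 0, 0, 0, 0, 45, 1, 6, 0, 1, 0, 1, 0, 0, 1])},
    {"id": 5, "type": "service_access", "account": "report_svc",
     "sql": "SELECT COUNT(*) FROM meter_reading"},
    {"id": 6, "type": "service_access", "account": "report_svc",
     "sql": "UPDATE meter_reading SET kwh = 0 WHERE meter_id <= 5"},
]

def run_verification(alarms=SAMPLE_ALARMS) -> list:
    con = build_twin_db()
    try:
        return [verify_alarm(a, con) for a in alarms]
    finally:
        con.close()
```

Calling run_verification() returns one record per alarm with the replay observations attached; those observations are the verification data an operator would inspect alongside the valid/invalid result. Two points carry over to a real twin built from the simulation components described above: the general protocol layer decides which traffic reaches the power-specific layer, so a frame on the wrong port is never decoded as a command, and every database replay runs inside a transaction that is rolled back, so the verification system is never left in the state an attacker's query would produce and can be reused for the next alarm.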
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, for example, may be a logic function division, and may be implemented in another manner, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a non-volatile storage medium. On this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods of the embodiments of the present invention. The storage medium includes a USB flash drive, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The foregoing is merely a preferred embodiment of the present invention; it should be noted that modifications and adaptations may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and adaptations are intended to fall within the scope of the present invention.

Claims (10)

1. A security alarm verification method, comprising:
acquiring a network security alarm behavior, wherein the network security alarm behavior is obtained by monitoring a security defense system of a power service system;
inputting the network security alarm behavior into a power service digital simulation verification system for simulation verification to generate verification data, wherein the power service digital simulation verification system is a simulation model of the power service system and is used for mapping and replaying the network security alarm behavior; and
determining an identification result of the network security alarm behavior according to the verification data, wherein the identification result is one of: valid alarm and invalid alarm.
2. The method according to claim 1, further comprising:
simulating the terminal equipment of the power service system to obtain a terminal simulation model of the terminal equipment;
simulating the power network of the power service system to obtain a network simulation model corresponding to the power service system;
simulating the database service in the power service system to obtain a database service simulation model;
simulating the power service application of the power service system to obtain a power application simulation model; and
constructing the power service digital simulation verification system from the terminal simulation model, the network simulation model, the database service simulation model and the power application simulation model.
3. The method according to claim 2, wherein simulating the terminal equipment of the power service system to obtain a terminal simulation model of the terminal equipment comprises:
performing individual (single-device) modeling of the terminal equipment according to its functional characteristics to obtain an individual model of the terminal equipment;
performing digital simulation of the physical processes in the power service system to obtain a digital model of the physical processes, wherein the digital simulation of the physical processes comprises digital-analog hybrid simulation and multi-time-scale hybrid simulation;
encapsulating the individual model of the terminal equipment as a module according to the digital model of the physical processes to obtain a simulation component, wherein the simulation component comprises an external data interface; and
performing graphical modeling of the power service system using the simulation components to construct the power service digital simulation verification system.
4. The method according to claim 2, wherein simulating the power network of the power service system to obtain a network simulation model corresponding to the power service system comprises:
layering the communication system in the power service system into a first information layer corresponding to general protocols and a second information layer corresponding to power-specific protocols;
performing object-oriented modeling of the first information layer to obtain a general protocol simulation model;
performing communication service mapping of the second information layer to obtain a power-specific protocol simulation model; and
generating the network simulation model from the general protocol simulation model and the power-specific protocol simulation model.
5. The method according to claim 2, wherein simulating the database service in the power service system to obtain a database service simulation model comprises:
simulating the application program interface and the database system in the power service system to obtain the database service simulation model, wherein the database service simulation model provides simulation data generated by a simulation data generation algorithm.
6. The method according to claim 1, wherein inputting the network security alarm behavior into the power service digital simulation verification system for simulation verification to generate verification data comprises:
mapping the network security alarm behavior onto the power service digital simulation verification system to generate, within the power service digital simulation verification system, a simulated alarm behavior corresponding to the network security alarm behavior;
replaying the simulated alarm behavior in the power service digital simulation verification system; and
monitoring the operation data of the power service digital simulation verification system during the replay to obtain the verification data.
7. The method according to any one of claims 1 to 6, wherein the network security alarm behavior comprises at least one of: the unknown file that generated the alarm, network security alarm traffic, and service access behavior.
8. A security alarm verification apparatus, comprising:
an acquisition module, configured to acquire a network security alarm behavior, wherein the network security alarm behavior is obtained by monitoring a security defense system of a power service system;
a simulation module, configured to input the network security alarm behavior into a power service digital simulation verification system for simulation verification to generate verification data, wherein the power service digital simulation verification system is a simulation model of the power service system and is used for mapping and replaying the network security alarm behavior; and
an identification module, configured to determine an identification result of the network security alarm behavior according to the verification data, wherein the identification result is one of: valid alarm and invalid alarm.
9. A non-volatile storage medium, characterized in that the non-volatile storage medium comprises a stored program, wherein the program, when run, controls the device in which the non-volatile storage medium is located to perform the security alarm verification method according to any one of claims 1 to 7.
10. A computer device, comprising a memory for storing a program and a processor for executing the program stored in the memory, wherein the program, when executed, performs the security alarm verification method according to any one of claims 1 to 7.
CN202311101844.0A 2023-08-29 2023-08-29 Security alarm verification method and device, storage medium and computer equipment Pending CN117097600A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311101844.0A CN117097600A (en) 2023-08-29 2023-08-29 Security alarm verification method and device, storage medium and computer equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311101844.0A CN117097600A (en) 2023-08-29 2023-08-29 Security alarm verification method and device, storage medium and computer equipment

Publications (1)

Publication Number Publication Date
CN117097600A true CN117097600A (en) 2023-11-21

Family

ID=88771409

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311101844.0A Pending CN117097600A (en) 2023-08-29 2023-08-29 Security alarm verification method and device, storage medium and computer equipment

Country Status (1)

Country Link
CN (1) CN117097600A (en)

Similar Documents

Publication Publication Date Title
CN109167796B (en) Deep packet inspection platform based on industrial SCADA system
CN109802852B (en) Method and system for constructing network simulation topology applied to network target range
US11902318B2 (en) Network visualization, intrusion detection, and network healing
Quincozes et al. A survey on intrusion detection and prevention systems in digital substations
CN108063753A (en) A kind of information safety monitoring method and system
Choi et al. A comparison of ICS datasets for security research based on attack paths
Zhu et al. Standard function blocks for flexible IED in IEC 61850-based substation automation
CN108319161A (en) A kind of industry SCADA system emulation platform
Yang et al. iFinger: Intrusion detection in industrial control systems via register-based fingerprinting
CN109922026A (en) Monitoring method, device, system and the storage medium of one OT system
Chromik et al. An integrated testbed for locally monitoring SCADA systems in smart grids
Kołtyś et al. Shape: A honeypot for electric power substation
Elbez et al. A cost-efficient software testbed for cyber-physical security in iec 61850-based substations
Siddavatam et al. An ensemble learning for anomaly identification in SCADA system
CN107819611B (en) Client test method based on IEC61850 multi-server simulation
Rencelj Ling et al. Generating threat models and attack graphs based on the IEC 61850 system configuration description language
Sahu et al. Design of next-generation cyber-physical energy management systems: Monitoring to mitigation
Waagsnes et al. Intrusion Detection System Test Framework for SCADA Systems.
Siddavatam et al. Testing and validation of Modbus/TCP protocol for secure SCADA communication in CPS using formal methods
Duman et al. Factor of security (FoS): quantifying the security effectiveness of redundant smart grid subsystems
Mashima et al. Towards automated generation of smart grid cyber range for cybersecurity experiments and training
CN117097600A (en) Security alarm verification method and device, storage medium and computer equipment
Izzuddin et al. Mapping threats in smart grid system using the mitre att&ck ics framework
Di Pietro et al. Assessing the impact of cyber attacks on interdependent physical systems
Salazar et al. Towards a high-fidelity network emulation of IEC 104 SCADA systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination