CN117676587A - Method, device and equipment for confirming security level of power trusted wireless local area network - Google Patents

Info

Publication number
CN117676587A
Authority
CN
China
Prior art keywords
security
test
evaluation
safety
level
Legal status
Pending
Application number
CN202311754689.2A
Other languages
Chinese (zh)
Inventor
张慧
梅文明
李宏发
徐文涛
高凯强
宋彦斌
汪莞乔
张光耀
关璐瑶
庞九凤
肖子洋
徐相森
Current Assignee
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
China Electric Power Research Institute Co Ltd CEPRI
Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Information and Telecommunication Co Ltd
China Electric Power Research Institute Co Ltd CEPRI
Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd
Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Information and Telecommunication Co Ltd, China Electric Power Research Institute Co Ltd CEPRI, Information and Telecommunication Branch of State Grid Fujian Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Hebei Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Jiangxi Electric Power Co Ltd, Information and Telecommunication Branch of State Grid Jibei Electric Power Co Ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method for confirming the security level of a power trusted wireless local area network. The method takes a target security level as the current security test level of the evaluation area to be tested; determines the security test cases of the evaluation area according to the current security test level and the service property of the area; performs a local area network security test on the area with those security test cases to obtain its security level result; and determines the local area network security level of the area according to the target security level and the security level result. The invention can run the security level test appropriate to each kind of power service, accurately determine the security level of a power service, provide a reference for technology selection of the power trusted wireless local area network for power services with differentiated security needs, and meet the security test requirements that arise from the differences between power services. The invention also relates to a device, equipment and a storage medium for confirming the security level of a power trusted wireless local area network.

Description

Method, device and equipment for confirming security level of power trusted wireless local area network
Technical Field
The present invention relates to the field of power systems, and in particular to a method, an apparatus and a device for confirming the security level of a power trusted wireless local area network.
Background
With the continued construction of the new power system and the digital transformation of the company, the challenges and pressures of guaranteeing power grid operation and of safe equipment operation and maintenance keep growing. The requirements for intelligent operation and maintenance and lean management of transformer substations (converter stations) keep rising, as do the requirements of substation services for accurate acquisition, efficient transmission and safe, reliable use of data. A transformer substation is divided into a control area (security area I), a non-control area (security area II) and a management information area (security area IV); areas I, II and IV all place high security requirements on the access network.
At present, transformer substations adopt the network security standard WAPI technology for large-scale pilot applications, but WAPI has a number of problems: management frames and control frames are exposed, and there are security risks in the certificate issuing mechanism and the authentication flow, so the network is easily attacked by third parties. A network disconnection can interrupt the transmission of power transformation services and can even damage the primary and secondary power transformation equipment. Because different power services place different requirements on the security test level, how to satisfy the differentiated security test requirements of different services and accurately measure the security of power services is the technical problem that currently needs to be solved.
Disclosure of Invention
Aiming at the problem of evaluating the security level of the power wireless local area network, the invention provides a method, a device and equipment for confirming the security level of the power trusted wireless local area network.
In a first aspect, the present invention provides a method for confirming the security level of a power trusted wireless local area network, the method comprising:
acquiring a target security level of an evaluation area to be tested in a transformer substation, and taking the target security level as a current security test level of the evaluation area to be tested;
determining a security test case of the evaluation area to be tested according to the current security test grade and the service property of the evaluation area to be tested, and performing local area network security test on the evaluation area to be tested by using the security test case to obtain a security grade result of the evaluation area to be tested;
and confirming the local area network security level of the evaluation area to be tested according to the target security level of the evaluation area to be tested and the security level result.
Further, determining the security test case of the evaluation area to be tested according to the current security test level and the service property of the evaluation area, and performing a local area network security test on the evaluation area with the security test case to obtain the security level result of the evaluation area, specifically includes:
S1, acquiring the corresponding security evaluation item set according to the current security test level;
S2, determining the security test items in the security evaluation item set according to the service property of the evaluation area to be tested;
S3, determining the security test cases of the evaluation area to be tested according to the security test items, and testing the evaluation area with the security test cases to obtain a test score for each security test item;
S4, determining, according to the test scores of the security test items, whether the security level of the evaluation area to be tested passes the current security test level;
if it passes, judging whether the preset evaluation completion condition is met: if so, taking the current security test level as the security level result of the evaluation area to be tested; if not, taking the next security test level as the current security test level and returning to S1;
if it does not pass, judging whether the preset evaluation completion condition is met: if so, taking the previous security test level as the security level result of the evaluation area to be tested; if not, taking the previous security test level as the current security test level and returning to S1.
Further, the preset evaluation completion condition includes that the current security test level is the highest security test level, or the current security test level is the lowest security test level, or the evaluation area to be evaluated passes the last security test level.
Further, determining the security test items in the security evaluation item set according to the service property of the evaluation area to be tested specifically includes:
extracting the sub-service labels and sub-service label values from the service class of the evaluation area to be tested;
dividing the sub-services into a plurality of sub-service groups according to each sub-service label and sub-service label value; calculating the sum of the label values of every sub-service group, and determining the sub-service group with the largest sum of label values as the target sub-service group;
calculating the matching value between the labels of the target sub-service group and the labels of each security evaluation item in the security evaluation item set, to obtain the service related value of the target sub-service group and that security evaluation item;
and taking the security evaluation item with the largest service related value as the security evaluation item of the evaluation area to be tested.
Further, in step S3, determining the security test case of the evaluation area to be tested according to the security test item specifically includes:
matching, from a test case matching library and according to the label of the security test item and the label of the security test case, the matching rule that corresponds to the label of the security test item and the label of the security test case, where the matching rule is determined according to the coverage of the security test item by the security test case.
Further, the security test levels comprise security level one, security level two and security level three;
the security evaluation item set comprises a security level one test item set, a security level two test item set and a security level three test item set;
the security level one test item set comprises data frame confidentiality and data frame integrity;
the security level two test item set comprises data frame confidentiality, data frame integrity, management frame confidentiality and management frame integrity;
the security level three test item set comprises data frame confidentiality, data frame integrity, management frame confidentiality, management frame integrity, control frame confidentiality and control frame integrity.
In a second aspect, the present invention also provides a device for confirming the security level of a power trusted wireless local area network, which comprises:
an acquisition module, used for acquiring the target security level of the evaluation area to be tested in the transformer substation and taking the target security level as the current security test level of the evaluation area to be tested;
an evaluation module, used for determining the security test cases of the evaluation area to be tested according to the current security test level and the service property of the evaluation area, and carrying out a local area network security test on the evaluation area with the security test cases to obtain the security level result of the evaluation area;
and a confirmation module, used for confirming the local area network security level of the evaluation area to be tested according to the target security level of the evaluation area and the security level result.
Further, the evaluation module comprises a first evaluation unit, a second evaluation unit, a third evaluation unit, a fourth evaluation unit and a fifth evaluation unit;
the first evaluation unit is used for acquiring the corresponding security evaluation item set according to the current security test level;
the second evaluation unit is used for determining the security test items in the security evaluation item set according to the service property of the evaluation area to be tested;
the third evaluation unit is used for determining the security test cases of the evaluation area to be tested according to the security test items, and testing the evaluation area with the security test cases to obtain a test score for each security test item;
the fourth evaluation unit is used for determining, according to the test scores of the security test items, whether the security level of the evaluation area to be tested passes the current security test level;
if it passes, judging whether the preset evaluation completion condition is met: if so, taking the current security test level as the security level result of the evaluation area to be tested; if not, returning the next security test level to the first evaluation unit as the current security test level;
if it does not pass, judging whether the preset evaluation completion condition is met: if so, taking the previous security test level as the security level result of the evaluation area to be tested; if not, returning the previous security test level to the first evaluation unit as the current security test level.
Further, the preset evaluation completion condition includes that the current security test level is the highest security test level, or the current security test level is the lowest security test level, or the evaluation area to be evaluated passes the last security test level.
Further, the second evaluation unit is specifically configured to extract the sub-service labels and sub-service label values from the service class of the evaluation area to be tested;
divide the sub-services into a plurality of sub-service groups according to each sub-service label and sub-service label value; calculate the sum of the label values of every sub-service group, and determine the sub-service group with the largest sum of label values as the target sub-service group;
calculate the matching value between the labels of the target sub-service group and the labels of each security evaluation item in the security evaluation item set, to obtain the service related value of the target sub-service group and that security evaluation item;
and take the security evaluation item with the largest service related value as the security evaluation item of the evaluation area to be tested.
Further, the third evaluation unit is specifically configured to match, from a test case matching library and according to the label of the security test item and the label of the security test case, the matching rule that corresponds to the label of the security test item and the label of the security test case, where the matching rule is determined according to the coverage of the security test item by the security test case.
Further, the security test levels comprise security level one, security level two and security level three;
the security evaluation item set comprises a security level one test item set, a security level two test item set and a security level three test item set;
the security level one test item set comprises data frame confidentiality and data frame integrity;
the security level two test item set comprises data frame confidentiality, data frame integrity, management frame confidentiality and management frame integrity;
the security level three test item set comprises data frame confidentiality, data frame integrity, management frame confidentiality, management frame integrity, control frame confidentiality and control frame integrity.
In a third aspect, the present invention also provides a computer device, including a memory and a processor, where the memory stores a computer program and the processor, when executing the computer program, implements the method for confirming the security level of the power trusted wireless local area network according to any one of the first aspects.
In a fourth aspect, the present invention also provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method for confirming the security level of the power trusted wireless local area network according to any one of the first aspects.
The invention provides a method for confirming the security level of a power trusted wireless local area network, which comprises the steps of obtaining the target security level of an evaluation area to be tested in a transformer substation and taking the target security level as the current security test level of the evaluation area; determining the security test cases of the evaluation area according to the current security test level and the service property of the evaluation area, performing a local area network security test on the evaluation area with the security test cases to obtain the security level result of the evaluation area, and determining the local area network security level of the evaluation area according to the target security level of the evaluation area and the security level result. The invention can run the security level test appropriate to each kind of power service, accurately determine the security level of a power service, provide a reference for technology selection of the power trusted wireless local area network for power services with differentiated security needs, and meet the security test requirements that arise from the differences between power services.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the invention. In the drawings:
fig. 1 is a flow chart of a method for confirming the security level of an electric power trusted wireless local area network according to an embodiment of the present invention;
fig. 2 is a schematic diagram of the architecture of a power trusted wireless local area network system in a method for confirming the security level of a power trusted wireless local area network according to another embodiment of the present invention;
fig. 3 is a schematic diagram of the air interface transmission of a power trusted wireless local area network in a method for confirming the security level of a power trusted wireless local area network according to another embodiment of the present invention;
fig. 4 is a schematic diagram of the security level evaluation flow of a power trusted wireless local area network in a method for confirming the security level of a power trusted wireless local area network according to another embodiment of the present invention;
fig. 5 is a schematic block diagram of a device for confirming the security level of a power trusted wireless local area network according to another embodiment of the present invention.
Detailed Description
The invention will be described in detail below with reference to the drawings in connection with embodiments. It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other.
The following detailed description is exemplary and is intended to provide further details of the invention. Unless defined otherwise, all technical terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments in accordance with the invention.
Embodiment one:
The following describes a method for confirming the security level of a power trusted wireless local area network according to an embodiment of the present invention with reference to fig. 1, which specifically includes the following steps:
110. Obtaining the target security level of the evaluation area to be tested in the transformer substation, and taking the target security level as the current security test level of the evaluation area to be tested.
Specifically, the transformer substation is divided into a control area (security area I), a non-control area (security area II) and a management information area (security area IV), and areas I, II and IV all place high security requirements on the access network. The target security level follows from the security area to which the evaluation area to be tested belongs, since different security areas have different security requirements.
120. Determining the security test cases of the evaluation area according to the current security test level and the service property of the evaluation area, and carrying out a local area network security test on the evaluation area with those security test cases to obtain the security level result of the evaluation area.
130. Confirming the local area network security level of the evaluation area according to the target security level and the security level result of the evaluation area.
Specifically, when the security level result of the evaluation area is not lower than the target security level, the evaluation area meets the security level certification of the power trusted wireless local area network.
Based on the above embodiment, step 120 specifically includes:
121. Acquiring the corresponding security evaluation item set according to the current security test level.
122. Determining the security test items in the security evaluation item set according to the service property of the evaluation area.
123. Determining the security test cases of the evaluation area according to the security test items, and testing the evaluation area with those security test cases to obtain a test score for each security test item.
124. Determining, according to the test scores of the security test items, whether the security level of the evaluation area passes the current security test level.
If it passes, judging whether the preset evaluation completion condition is met: if so, taking the current security test level as the security level result of the evaluation area; if not, taking the next security test level as the current security test level and returning to step 121.
If it does not pass, judging whether the preset evaluation completion condition is met: if so, taking the previous security test level as the security level result of the evaluation area; if not, taking the previous security test level as the current security test level and returning to step 121.
Based on the above embodiment, specifically, the preset evaluation completion condition includes that the current security test level is the highest security test level, or that the current security test level is the lowest security test level, or that the evaluation area to be evaluated has passed the last security test level.
Based on the above embodiment, specifically, step 122 specifically includes:
Extracting the sub-service labels and sub-service label values from the service class of the evaluation area to be tested.
Dividing the sub-services into a plurality of sub-service groups according to the sub-service labels and sub-service label values.
Calculating the sum of the label values of every sub-service group, and determining the sub-service group with the largest sum of label values as the target sub-service group.
Calculating the matching value between the labels of the target sub-service group and the labels of each security evaluation item in the security evaluation item set, to obtain the service related value of the target sub-service group and that security evaluation item.
Taking the security evaluation item with the largest service related value as the security evaluation item of the evaluation area.
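Step 122 above, worked as an added Python example that is not part of the patent: the sub-services, their labels and label values are constructed, and because the text fixes neither the grouping key nor the matching formula, grouping by each sub-service's highest-valued label and scoring an item by the share of the target group's label weight that the item's labels cover are both assumptions.

```python
"""Step 122 of CN117676587A: pick the security evaluation item that best matches
the service property of the evaluation area (constructed example)."""
from collections import defaultdict
from typing import Dict, Tuple

# Constructed sub-services of a substation evaluation area. Each sub-service carries
# labels with values (assumption: the value weights how strongly the label applies).
AREA_SUB_SERVICES: Dict[str, Dict[str, int]] = {
    "telemetry upload":       {"monitoring": 30, "real_time": 10},
    "fault recording":        {"monitoring": 20, "integrity": 15},
    "remote control command": {"control": 40, "integrity": 25, "real_time": 10},
    "protection setting":     {"control": 30, "integrity": 20},
    "patrol video":           {"video": 20, "confidentiality": 5},
}

# Security level two evaluation items (names from the patent) with assumed label
# sets describing what each item protects.
LEVEL2_ITEM_LABELS: Dict[str, set] = {
    "data_frame_confidentiality": {"confidentiality", "data", "video", "monitoring"},
    "data_frame_integrity": {"integrity", "data", "control", "monitoring", "real_time"},
    "management_frame_confidentiality": {"confidentiality", "management"},
    "management_frame_integrity": {"integrity", "management", "control"},
}


def group_sub_services(sub_services: Dict[str, Dict[str, int]]) -> Dict[str, Dict[str, int]]:
    """Divide sub-services into groups keyed by each sub-service's highest-valued
    label (assumption); a group accumulates the label values of all its members."""
    groups: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for labels in sub_services.values():
        if not labels:
            continue                    # an unlabelled sub-service cannot be grouped
        dominant = max(labels, key=labels.get)
        for label, value in labels.items():
            groups[dominant][label] += value
    return {key: dict(values) for key, values in groups.items()}


def target_group(sub_services: Dict[str, Dict[str, int]]) -> Tuple[str, Dict[str, int]]:
    """The target sub-service group is the one with the largest sum of label values."""
    groups = group_sub_services(sub_services)
    if not groups:
        raise ValueError("evaluation area has no labelled sub-services")
    key = max(groups, key=lambda g: sum(groups[g].values()))
    return key, groups[key]


def service_related_value(group_labels: Dict[str, int], item_labels: set) -> float:
    """Matching value of the target group against one evaluation item (assumption:
    the share of the group's total label weight that the item's labels cover)."""
    total = sum(group_labels.values())
    shared = sum(v for label, v in group_labels.items() if label in item_labels)
    return shared / total if total else 0.0


def select_evaluation_item(sub_services: Dict[str, Dict[str, int]],
                           item_labels: Dict[str, set]) -> Tuple[str, Dict[str, float]]:
    """Return the best-matching evaluation item plus the full score table for audit."""
    _, labels = target_group(sub_services)
    scores = {item: service_related_value(labels, lbls) for item, lbls in item_labels.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    best, table = select_evaluation_item(AREA_SUB_SERVICES, LEVEL2_ITEM_LABELS)
    print(target_group(AREA_SUB_SERVICES)[0], best, table)
```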
Based on the above embodiment, determining the security test cases of the evaluation area according to the security test items in step 123 specifically includes:
matching, from a test case matching library and according to the label of the security test item and the label of the security test case, the matching rule that corresponds to the label of the security test item and the label of the security test case, where the matching rule is determined according to the coverage of the security test item by the security test case.
Based on the above embodiments, the security test levels include security level one, security level two and security level three.
The security evaluation item set comprises a security level one test item set, a security level two test item set and a security level three test item set.
The security level one test item set includes data frame confidentiality and data frame integrity.
The security level two test item set includes data frame confidentiality, data frame integrity, management frame confidentiality and management frame integrity.
The security level three test item set includes data frame confidentiality, data frame integrity, management frame confidentiality, management frame integrity, control frame confidentiality and control frame integrity.
The method for confirming the security level of a power trusted wireless local area network comprises the steps of obtaining the target security level of an evaluation area to be tested in a transformer substation and taking the target security level as the current security test level of the evaluation area; determining the security test cases of the evaluation area according to the current security test level and the service property of the evaluation area, performing a local area network security test on the evaluation area with the security test cases to obtain the security level result of the evaluation area, and determining the local area network security level of the evaluation area according to the target security level of the evaluation area and the security level result. The invention can run the security level test appropriate to each kind of power service, accurately determine the security level of a power service, provide a reference for technology selection of the power trusted wireless local area network for power services with differentiated security needs, and meet the security test requirements that arise from the differences between power services.
Embodiment two:
The following describes a method for confirming the security level of a power trusted wireless local area network according to an embodiment of the present invention with reference to fig. 2 to 4, which specifically includes the following steps:
100. Obtaining the target security level of the evaluation area to be tested in the transformer substation, and taking the target security level as the current security test level of the evaluation area to be tested.
Specifically, the transformer substation is divided into a control area (security area I), a non-control area (security area II) and a management information area (security area IV), and areas I, II and IV all place high security requirements on the access network. The target security level follows from the security area to which the evaluation area to be tested belongs, since different security areas have different security requirements.
200. Acquiring the corresponding security evaluation item set according to the current security test level.
300. Determining the security test items in the security evaluation item set according to the service property of the evaluation area.
300. Determining the security test cases of the evaluation area according to the security test items, and testing the evaluation area with those security test cases to obtain a test score for each security test item.
Specifically, according to the label of the security test item and the label of the security test case, the matching rule that corresponds to the label of the security test item and the label of the security test case is matched from a test case matching library; the matching rule is determined according to the coverage of the security test item by the security test case.
Specifically, the security test levels include security level one, security level two and security level three.
The security evaluation item set comprises a security level one test item set, a security level two test item set and a security level three test item set.
The security level one test item set includes data frame confidentiality and data frame integrity.
The security level two test item set includes data frame confidentiality, data frame integrity, management frame confidentiality and management frame integrity.
The security level three test item set includes data frame confidentiality, data frame integrity, management frame confidentiality, management frame integrity, control frame confidentiality and control frame integrity.
400. Determining, according to the test scores of the security test items, whether the security level of the evaluation area passes the current security test level.
If it passes, judging whether the preset evaluation completion condition is met: if so, taking the current security test level as the security level result of the evaluation area; if not, taking the next security test level as the current security test level and returning to step 200.
If it does not pass, judging whether the preset evaluation completion condition is met: if so, taking the previous security test level as the security level result of the evaluation area; if not, taking the previous security test level as the current security test level and returning to step 200.
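The level-climbing evaluation loop of steps 200 to 400 (the same loop as steps S1 to S4 of the first aspect and steps 121 to 124 of embodiment one), as an added Python example that is not part of the patent. The three item sets are the ones the text lists; the pass threshold, the tester function and the score table are constructed assumptions, and the completion condition is read as "the level the loop would move to next has already been tested", an assumption that keeps the patent's third condition symmetric and ensures no level is tested twice.

```python
"""Level-climbing security evaluation loop of CN117676587A (constructed example)."""
from typing import Callable, Dict, List, Optional

# Security evaluation item sets per security test level, as listed in the patent text.
ITEM_SETS: Dict[int, List[str]] = {
    1: ["data_frame_confidentiality", "data_frame_integrity"],
    2: ["data_frame_confidentiality", "data_frame_integrity",
        "management_frame_confidentiality", "management_frame_integrity"],
    3: ["data_frame_confidentiality", "data_frame_integrity",
        "management_frame_confidentiality", "management_frame_integrity",
        "control_frame_confidentiality", "control_frame_integrity"],
}
LOWEST_LEVEL, HIGHEST_LEVEL = 1, 3
PASS_SCORE = 60  # assumption: a test item passes when its score is at least 60 out of 100

# A tester takes (level, items) and returns one score per item (step 300 / S3).
Tester = Callable[[int, List[str]], Dict[str, int]]
ItemSelector = Callable[[List[str]], List[str]]


def level_passed(scores: Dict[str, int], items: List[str]) -> bool:
    """Step 400 / S4: the level passes only if every selected item reaches PASS_SCORE."""
    return all(scores.get(item, 0) >= PASS_SCORE for item in items)


def evaluate_security_level(target_level: int, run_tests: Tester,
                            select_items: Optional[ItemSelector] = None) -> Optional[int]:
    """Return the security level result (1..3), or None if even level 1 is not passed.

    The loop starts at the target level (step 100), moves up one level after a
    pass and down one level after a failure. Completion (assumption about the
    patent's third condition): the current level is the highest, the current
    level is the lowest, or the level the loop would move to has already been
    tested, so no level is ever re-tested.
    """
    if not LOWEST_LEVEL <= target_level <= HIGHEST_LEVEL:
        raise ValueError(f"target level must be within {LOWEST_LEVEL}..{HIGHEST_LEVEL}")
    current = target_level
    tested: Dict[int, bool] = {}        # level -> passed, so no level is tested twice
    while True:
        items = ITEM_SETS[current]                          # step 200 / S1
        if select_items is not None:
            items = select_items(items)                     # step 300 / S2 (service property)
        scores = run_tests(current, items)                  # step 300 / S3
        passed = level_passed(scores, items)                # step 400 / S4
        tested[current] = passed
        if passed:
            if current == HIGHEST_LEVEL or (current + 1) in tested:
                return current                              # completion condition met
            current += 1                                    # next level, back to S1
        else:
            if current == LOWEST_LEVEL:
                return None                                 # nothing below level 1 to fall back to
            if (current - 1) in tested:                     # level below was already passed
                return current - 1
            current -= 1                                    # previous level, back to S1


def confirm_security_level(target_level: int, run_tests: Tester) -> dict:
    """Step 130: the area is certified when its level result is not lower than the target."""
    result = evaluate_security_level(target_level, run_tests)
    return {"target": target_level, "result": result,
            "certified": result is not None and result >= target_level}


# Constructed score table standing in for real air-interface tests: this sample area
# protects data and management frames but leaves control frames unprotected.
SAMPLE_SCORES: Dict[str, int] = {
    "data_frame_confidentiality": 95, "data_frame_integrity": 92,
    "management_frame_confidentiality": 81, "management_frame_integrity": 78,
    "control_frame_confidentiality": 20, "control_frame_integrity": 15,
}


def sample_tester(level: int, items: List[str]) -> Dict[str, int]:
    """Simulated test run: look up the constructed score of each requested item."""
    return {item: SAMPLE_SCORES[item] for item in items}


if __name__ == "__main__":
    for target in (1, 2, 3):
        print(confirm_security_level(target, sample_tester))
```

With the sample scores the loop settles on level two whatever the starting target, so a target of one or two is certified and a target of three is not.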
Specifically, as one of the wireless transmission links, the power trusted wireless local area network must meet the requirements for secure communication networks, namely the classified protection (MLPS) requirements. On this basis, and according to the technical characteristics and security requirements of the power trusted wireless local area network, an overall security architecture suited to those characteristics is planned and proposed with reference to four aspects of the requirements: communication link security, area boundary security, computing environment security, and management and control security.
1) Communication link security includes power wireless local area network air interface security and wired link security between devices of the power wireless local area network.
2) Regional boundary security comprises the boundary security functions provided on the end side and the center side, such as access control, intrusion prevention and security audit. The end-side regional boundary refers to the boundaries between a station and user equipment and between a station and an access point. The center-side regional boundary comprises the boundaries between an access point and a station, between the network access control unit and the power service system, and between networks.
3) Computing environment security comprises the computing environment security functions of the end side and the center side, such as user access control, host intrusion prevention, and data integrity and confidentiality. It guards against the security risks created when a user accesses, configures or uses a station, an access point or the wireless access control unit, so as to achieve the protection goals of secure management of access rights, identification of abnormal behaviour, and prevention of sensitive data leakage.
4) The management and control safety comprises the functions of centralized management, safety control, safety monitoring and the like provided by the power wireless local area network.
The system architecture of a power trusted wireless local area network is shown in fig. 2. The power wireless local area network air interface should use the SM2 algorithm for mutual identity authentication between stations and access point devices, guaranteeing the authenticity of device identities; use the SM1/SM3/SM4 algorithms to ensure the integrity of data during communication; and use the SM1/SM4 algorithms to ensure the confidentiality of important data during communication. The certificate issuing system is responsible for issuing the digital certificates used for identity authentication, and the power trusted wireless local area network should use the certificate issuing system of the State Grid Corporation unified cryptographic service platform, hereinafter referred to as the cryptographic service platform.
For different wireless local area network systems, regional boundary security, computing environment security and management and control security can all meet the protection requirements through corresponding security hardening measures, whereas the air interface security that makes up communication link security depends on the degree to which the MAC-layer frame structure of the wireless local area network technology can be defined autonomously.
The air interface of the power trusted wireless local area network lies between the station MAC layer and the access point MAC layer, and the air interface security problem of its wireless transmission link is solved according to the domestic commercial cryptography requirements and the related technical schemes. The access point and the station should perform mutual authentication based on the power trusted wireless local area network certificate, and establish a connection under the control of the network access control unit after the certificates have been verified. The air interface should use domestic commercial cryptographic algorithms to provide integrity and confidentiality protection for the MAC frame body, so as to prevent malicious users from stealing data from the air interface or impersonating access points, station equipment and the like, as shown in fig. 3.
The method for evaluating the security level of the power trusted wireless local area network provided by the embodiment determines the security level of the power trusted wireless local area network according to the integrity and confidentiality protection degree of the data frame, the management frame and the control frame in the MAC frame. The integrity and confidentiality protection capability of the power trusted wireless local area network air interface for MAC frames can be divided into three security levels as shown in table 1 from low to high.
TABLE 1
The main difference between different security classes is the different protection of air interface management frames and control frames.
1. Grade one: only air interface data frame confidentiality and integrity protection is provided.
2. Grade two: confidentiality and integrity protection of air interface data frames and management frames may be provided.
3. Grade three: confidentiality and integrity protection for data frames, management frames, and control frames is comprehensively provided.
A flow chart for evaluating the security level of the power trusted wireless local area network is shown in fig. 4. The link layer of a wireless local area network has three types of frames: data frames, management frames and control frames. Any direct or indirect manipulation of these frames that destroys the confidentiality, integrity, mutual authentication or availability of data is considered an attack.
1) Data frame (Data Frame, the carrier of data): used to transmit data in the contention and non-contention periods.
2) Management frame (Management Frame, e.g. Beacon frame, Probe Request frame): mainly used for negotiation between STA and AP and for controlling their relationship, such as association, authentication and synchronization.
3) Control frame (Control Frame, e.g. RTS frame, CTS frame, ACK frame): used for handshaking and positive acknowledgement during the contention period, ending the non-contention period, and so on.
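The three frame types above are distinguished by the Type field of the MAC Frame Control field, and whether each class of frame body is protected is exactly what the three security levels test. The following is an added example, not code from the patent, that decodes the standard IEEE 802.11 Frame Control field to classify captured frames and reports which frame classes were seen without the Protected Frame flag set, which is the observation an assessor needs before scoring the confidentiality items. The frame-control layout, the constructed sample frames and the function names are assumptions; a trusted WLAN whose MAC frame structure is defined autonomously may lay its header out differently.

```python
"""Classify 802.11 MAC frames by type and report which frame classes were
observed without link-layer protection.

Added example; not code from the patent.  It assumes the standard IEEE 802.11
Frame Control layout (2 bytes): byte 0 carries protocol version (bits 0-1),
type (bits 2-3) and subtype (bits 4-7); bit 6 of byte 1 is the Protected
Frame flag.  A trusted WLAN with an autonomously defined MAC frame format may
place these fields elsewhere, so the offsets are an assumption.
"""
from dataclasses import dataclass

FRAME_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# Subtype names for the frames the text mentions (IEEE 802.11 values).
SUBTYPE_NAMES = {
    ("management", 8): "beacon",
    ("management", 4): "probe_request",
    ("control", 11): "rts",
    ("control", 12): "cts",
    ("control", 13): "ack",
    ("control", 9): "block_ack",
    ("control", 8): "block_ack_req",
    ("data", 0): "data",
}


@dataclass(frozen=True)
class FrameInfo:
    frame_type: str
    subtype: int
    name: str
    protected: bool


def parse_frame_control(frame: bytes) -> FrameInfo:
    """Decode type, subtype and the Protected Frame flag from the first two bytes."""
    if len(frame) < 2:
        raise ValueError("frame too short for a Frame Control field")
    fc0, fc1 = frame[0], frame[1]
    if fc0 & 0x03 != 0:
        raise ValueError("unsupported 802.11 protocol version")
    ftype = FRAME_TYPES[(fc0 >> 2) & 0x03]
    subtype = (fc0 >> 4) & 0x0F
    protected = bool(fc1 & 0x40)
    name = SUBTYPE_NAMES.get((ftype, subtype), f"{ftype}_subtype_{subtype}")
    return FrameInfo(ftype, subtype, name, protected)


def unprotected_frame_classes(frames) -> dict:
    """Return, per frame class, the subtype names seen with the Protected bit clear.

    Each class maps to the test item set of one security level in the text:
    data frames (level one), management frames (level two), control frames
    (level three).  An empty list means every frame of that class was protected.
    """
    seen = {"data": set(), "management": set(), "control": set()}
    for frame in frames:
        info = parse_frame_control(frame)
        if info.frame_type in seen and not info.protected:
            seen[info.frame_type].add(info.name)
    return {cls: sorted(names) for cls, names in seen.items()}


# Constructed sample capture (only the Frame Control bytes matter here).
SAMPLE_FRAMES = [
    bytes([0x08, 0x41]),  # data frame, Protected Frame bit set
    bytes([0x80, 0x00]),  # beacon, unprotected
    bytes([0xB4, 0x00]),  # RTS, unprotected
    bytes([0xC4, 0x00]),  # CTS, unprotected
    bytes([0xD4, 0x00]),  # ACK, unprotected
]

if __name__ == "__main__":
    for cls, names in unprotected_frame_classes(SAMPLE_FRAMES).items():
        print(f"{cls:>10}: unprotected subtypes = {names or 'none'}")
```

On the constructed capture the audit reports data frames fully protected, the beacon exposed, and RTS/CTS/ACK exposed, which corresponds to a network that can at most reach level one. In standard 802.11 the control frames carry no frame body and no protection, so an audit like this will always flag them; that is why level three in the text presupposes a MAC frame structure that can be defined autonomously.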
Step 1: and judging whether the wireless local area network is attacked because of data frame leakage, thereby judging whether the power wireless local area network meets the requirement of the first level of the security level.
The data packets are used to carry higher level numbers such as IP data packets, ISO7 layer protocols. It is responsible for transferring data between workstations. The data frame contains data information which needs to be transmitted by a user, and leakage of the data frame can directly lead to leakage of the user information.
The testing method comprises the following steps: if the data frame is in a plaintext form without encryption, an attacker can easily acquire plaintext data information through a packet grasping tool and intercept important information of a user. If the data frame is encrypted by the commercial password, an attacker cannot obtain the data information of the user even if the attacker acquires the ciphertext of the data frame, so that the power wireless local area network is judged to meet the first-level requirement of the security level.
Step 2: and judging whether the wireless local area network is attacked because of management frame leakage, thereby judging whether the power wireless local area network meets the requirement of the second level of the security level.
The management frame is responsible for network supervision, mainly for joining or exiting the wireless network, and handling transfer matters of connections between access points. Management frame leakage easily causes information leakage of MAC address, SSID and the like, and is easy to be attacked by DDOS.
Test case 1: an attacker obtains the MAC plaintext address of an access point and then sends a large number of attack messages to a target access point, so that network link congestion and system resource exhaustion of an attacked target are caused. If the management frame is encrypted by the commercial password, an attacker cannot acquire the MAC address of the plaintext, so that the attacker cannot disconnect the wireless local area network by adopting attack modes such as DDOS and the like, and the power wireless local area network is judged to meet the requirement of the security level two.
Step 3: judging whether the wireless local area network is attacked because of the leakage of the control frame, thereby judging whether the electric wireless local area network meets the requirement of the third level of the security level.
The control frame is usually used together with the data frame, is responsible for the clearing of the area, the acquisition of the channel and the maintenance of the carrier sense, and responds positively after the data frame is received, thereby promoting the reliability of the data transmission between the workstations. The control frames contain only header information and are transmitted at the lowest basic rate to ensure that the control frames are received by the devices within each network. The control frame leakage may suffer from RTS/CTS flooding attack, ACK/BA/BAR flooding attack, CF-END flooding attack, NDPA flooding attack, malformed message attack, ultra-large Duration and other attacks, resulting in network interruption or large data error rate and affecting the transmission of power service information.
Test case 2: the two communication parties need to follow a virtual carrier sense mechanism, a wireless medium is reserved through an RTS/CTS interaction process, and after receiving the RTS and/or CTS, other wireless devices in the communication range delay to send data frames according to information carried by the RTS and/or CTS. RTS/CTS flooding attacks exploit the vulnerability of virtual carrier sense mechanisms, and an attacker can block communication of legitimate wireless devices in a wireless local area network by flooding RTS and/or CTS. If the control frame is encrypted, an attacker cannot block the communication of legal wireless devices in the wireless local area network by flooding RTS and/or CTS, so as to judge that the power wireless local area network meets the requirement of the third level of the security level.
Test case 3: the ACK data packet needs to be sent at the correct time, and the advantages of the ACK attack include no power suppression of an attacker, low power consumption and imperceptibility of attack concealment by the attacker; or by the fake receiver, fake bitmap and other information, send fake Block ACK to the client, so that the data of the client cannot be normally transmitted, and a large amount of packet loss occurs; and then, or by impersonating the client, the BAR is sent to the receiver, and the size of the receiving window and the initial sequence number of the receiving window are changed, so that the frame from the sender is discarded by the receiver, and the receiver cannot receive the data frame. If the control frame is encrypted, an attacker cannot flood and send an ACK data packet and imitate Block ACK or BAR, and the wireless local area network cannot be subjected to the problems of high error rate or data frame transmission failure and the like caused by control frame leakage, so that the power wireless local area network is judged to meet the requirement of the third level of security.
500. Confirm the local area network security level of the area to be evaluated according to its target security level and its security level result.
Specifically, when the security level result of the area to be evaluated is not lower than its target security level, the area passes the security level certification of the power trusted wireless local area network.
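Steps 400 and 500 together form a search over the three levels that starts at the target level, climbs while the area keeps passing and descends while it keeps failing. The following added example, not the patent's own code, implements that loop in Python over the three item sets the text defines. The pass rule (every item of the level's set reaches an assumed pass mark), the constructed scores and the function names are assumptions, and the completion condition is implemented as "the next level in the direction of travel does not exist or has already been tested", which is how the three conditions listed in the text (current level is the highest, current level is the lowest, the previous level was passed) play out on a three-level scale.

```python
"""Security level determination loop of steps 400 and 500.

Added example, not code from the patent.  A level is passed when every test
item in its set scores at least PASS_SCORE (pass rule and scores are
assumptions).  The evaluation stops when the adjacent level in the direction
of travel does not exist or has already been tested, an interpretation of
the preset evaluation completion condition given in the text.
"""
from typing import Dict, Optional

LEVELS = [1, 2, 3]
PASS_SCORE = 60  # assumed pass mark per test item

# Security evaluation item sets per level, as listed in the text.
ITEM_SETS: Dict[int, tuple] = {
    1: ("data_conf", "data_int"),
    2: ("data_conf", "data_int", "mgmt_conf", "mgmt_int"),
    3: ("data_conf", "data_int", "mgmt_conf", "mgmt_int", "ctrl_conf", "ctrl_int"),
}


def level_passed(level: int, scores: Dict[str, int]) -> bool:
    """Step 400 pass rule: every item of the level's set reaches PASS_SCORE (assumed)."""
    return all(scores.get(item, 0) >= PASS_SCORE for item in ITEM_SETS[level])


def determine_security_level(target: int, scores: Dict[str, int]) -> Optional[int]:
    """Walk the levels from the target upward while passing, or downward while failing.

    Returns the highest level the area passed, or None if it fails even level one
    (the text leaves that case unspecified; None is this example's choice).
    """
    if target not in LEVELS:
        raise ValueError("unknown security test level")
    tested: Dict[int, bool] = {}
    current = target
    while True:
        passed = level_passed(current, scores)
        tested[current] = passed
        if passed:
            nxt = current + 1
            # completion: current is the highest level, or the level above was
            # already tested (and necessarily failed, since we descended from it)
            if nxt not in LEVELS or nxt in tested:
                return current
            current = nxt
        else:
            prev = current - 1
            # completion: current is the lowest level, or the level below was
            # already passed (we ascended from it); its level is the result
            if prev not in LEVELS:
                return None
            if prev in tested:
                return prev
            current = prev


def confirm_level(target: int, scores: Dict[str, int]) -> dict:
    """Step 500: the area is certified when its level result is not below the target."""
    result = determine_security_level(target, scores)
    certified = result is not None and result >= target
    return {"target": target, "result": result, "certified": certified}


# Constructed scores for an area that protects data and management frames
# but leaves control frames unprotected, so it should settle at level two.
SAMPLE_SCORES = {
    "data_conf": 90, "data_int": 85,
    "mgmt_conf": 70, "mgmt_int": 75,
    "ctrl_conf": 10, "ctrl_int": 0,
}

if __name__ == "__main__":
    for target in LEVELS:
        print(confirm_level(target, SAMPLE_SCORES))
```

Because the item sets are nested, passing a higher level implies passing every lower one, so the search never needs to revisit a level; the `tested` dictionary is what turns the three completion conditions into a single stopping test.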
According to the second embodiment, the corresponding security level test can be performed according to the difference of the power service, the security level of the power service can be accurately determined, a reference basis is provided for developing the power credible wireless local area network technology type selection of the difference security power service, and the security test requirement caused by the difference of different power services is met.
Embodiment III:
the following describes, with reference to fig. 5, an apparatus for confirming the security level of a power trusted wireless local area network according to an embodiment of the present invention, where the apparatus includes:
the acquisition module is used for acquiring the target security level of the evaluation area to be tested in the transformer substation and taking the target security level as the current security test level of the evaluation area to be tested.
The evaluation module is used for determining a security test case of the region to be evaluated according to the current security test grade and the service property of the region to be evaluated, and carrying out local area network security test on the region to be evaluated by using the security test case to obtain a security grade result of the region to be evaluated.
And the confirmation module is used for confirming the local area network security level of the evaluation area to be tested according to the target security level and the security level result of the evaluation area to be tested.
Based on the above embodiment, further, the evaluation module includes a first evaluation unit, a second evaluation unit, a third evaluation unit, a fourth evaluation unit, and a fifth evaluation unit;
the first evaluation unit is used for acquiring a corresponding safety evaluation item set according to the current safety test grade.
And the second evaluation unit is used for determining the safety test items in the safety evaluation item set according to the business properties of the evaluation area to be tested.
The third evaluation unit is used for determining the safety test cases of the areas to be evaluated according to the safety test items, testing the areas to be evaluated by using the safety test cases, and respectively obtaining the test scores of the safety test items.
The fourth evaluation unit is used for determining, according to the test scores of the security test items, whether the security level of the area to be evaluated passes the current security test level.
If it passes, judge whether the preset evaluation completion condition is met.
If the condition is met, take the current security test level as the security level result of the area to be evaluated.
If the condition is not met, take the next security test level as the current security test level and return to the first evaluation unit.
If it does not pass, judge whether the preset evaluation completion condition is met.
If the condition is met, take the previous security test level as the security level result of the area to be evaluated.
If the condition is not met, take the previous security test level as the current security test level and return to the first evaluation unit.
Based on the above embodiment, specifically, the preset evaluation completion condition includes that the current security test level is the highest security test level, or that the current security test level is the lowest security test level, or that the evaluation area to be evaluated has passed the last security test level.
Based on the above embodiment, further, the second evaluation unit is specifically configured to extract the sub-service tags and sub-service tag values from the service class of the area to be evaluated;
divide the sub-services into a plurality of sub-service groups according to each sub-service tag and sub-service tag value;
calculate the sum of the tag values of each sub-service group, and determine the sub-service group with the largest sum of tag values as the target sub-service group;
calculate the matching value between the tags of the target sub-service group and the tags of each security evaluation item in the security evaluation item set, obtaining the service relevance value of the target sub-service group to that security evaluation item;
and take the security evaluation item with the largest service relevance value as the security evaluation item of the area to be evaluated.
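The tag-based selection performed by the second evaluation unit is easier to follow on concrete data. The following added example, not the patent's own code, groups the sub-services of an area by tag, picks the group with the largest summed tag value, and chooses the evaluation item whose tags best match that group. The service class, the tag vocabulary, the tag values, the evaluation item tags and the matching function (number of shared tags) are all constructed assumptions, as are the function names.

```python
"""Selecting security evaluation items from the service properties of an area
(second evaluation unit).

Added example; not the patent's own code.  Service classes, tags, tag values
and the matching function are assumptions: a sub-service group is the set of
sub-services sharing a tag, the group's value is the sum of its members' tag
values, and the matching value between the target group and an evaluation
item is the number of tags they share (ties broken by item name).
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed service class of an area: sub-service -> (tags, tag value).
SERVICE_CLASS = {
    "protection_signalling": ({"realtime", "integrity", "availability"}, 9),
    "telemetry":             ({"realtime", "confidentiality"}, 6),
    "video_surveillance":    ({"bandwidth", "confidentiality"}, 4),
    "maintenance_terminal":  ({"mobility", "confidentiality"}, 3),
}

# Constructed tags of the security evaluation items of the level-three item set.
EVALUATION_ITEMS = {
    "data_conf": {"confidentiality"},
    "data_int": {"integrity"},
    "mgmt_conf": {"confidentiality", "availability"},
    "mgmt_int": {"integrity", "availability"},
    "ctrl_conf": {"confidentiality", "realtime"},
    "ctrl_int": {"integrity", "realtime", "availability"},
}


def group_sub_services(service_class) -> Dict[str, List[str]]:
    """Divide sub-services into groups keyed by tag; a sub-service may join several groups."""
    groups = defaultdict(list)
    for name, (tags, _value) in service_class.items():
        for tag in sorted(tags):
            groups[tag].append(name)
    return dict(groups)


def target_group(service_class) -> Tuple[str, int]:
    """Return (tag, summed tag value) of the group whose members' values sum highest."""
    best = None
    for tag, members in sorted(group_sub_services(service_class).items()):
        total = sum(service_class[m][1] for m in members)
        if best is None or total > best[1]:
            best = (tag, total)
    return best


def group_tags(service_class, tag: str) -> Set[str]:
    """All tags carried by the members of a group, used for matching."""
    tags: Set[str] = set()
    for member in group_sub_services(service_class)[tag]:
        tags |= service_class[member][0]
    return tags


def select_evaluation_item(service_class, items) -> Tuple[str, int]:
    """Pick the evaluation item with the highest service relevance to the target group."""
    tag, _total = target_group(service_class)
    tags = group_tags(service_class, tag)
    relevance = {item: len(tags & item_tags) for item, item_tags in items.items()}
    best = max(sorted(relevance), key=lambda item: relevance[item])
    return best, relevance[best]


if __name__ == "__main__":
    print("target group:", target_group(SERVICE_CLASS))
    print("selected item:", select_evaluation_item(SERVICE_CLASS, EVALUATION_ITEMS))
```

On the constructed data the realtime group (protection signalling plus telemetry, summed value 15) outweighs the confidentiality group (13), and its members' tags overlap most with control frame integrity, so that item is selected for the area.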
Based on the above embodiment, further, the third evaluation unit is specifically configured to look up, in the test case matching library, the matching rule corresponding to the tag of a security test item and the tag of a security test case, according to those tags; the matching rule is the rule that determines the coverage of the security test case over the security test item.
Based on the above embodiments, further, the security test levels include security primary, security secondary and security tertiary.
The safety evaluation item set comprises a safety primary test item set, a safety secondary test item set and a safety tertiary test item set.
The security level one test item set includes data frame confidentiality and data frame integrity.
The security secondary test item set includes data frame confidentiality, data frame integrity, management frame confidentiality, and management frame integrity.
The security tertiary test item set includes data frame confidentiality, data frame integrity, management frame confidentiality, management frame integrity, control frame confidentiality and control frame integrity.
According to the third embodiment, the corresponding security level test can be performed according to the difference of the power service, the security level of the power service can be accurately determined, a reference basis is provided for developing the power credible wireless local area network technology type selection of the difference security power service, and the security test requirement caused by the difference of different power services is met.
Embodiment four:
in addition, the embodiment of the invention comprises a computer device, which comprises a memory and a processor, wherein the memory stores a computer program, and the processor realizes the power trusted wireless local area network security level confirmation method according to any one of the technical schemes when executing the computer program.
Fifth embodiment:
the embodiment of the invention also comprises a computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, and the computer program realizes the method for confirming the security level of the power trusted wireless local area network according to any one of the technical schemes when being executed by a processor.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiments of the invention can be realized in various computer languages, such as the object-oriented programming language Java or the scripting language JavaScript.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
The above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (10)

1. A method for confirming the security level of a wireless local area network with trusted electric power, the method comprising:
acquiring a target security level of an evaluation area to be tested in a transformer substation, and taking the target security level as a current security test level of the evaluation area to be tested;
determining a security test case of the evaluation area to be tested according to the current security test grade and the service property of the evaluation area to be tested, and performing local area network security test on the evaluation area to be tested by using the security test case to obtain a security grade result of the evaluation area to be tested;
and confirming the local area network security level of the evaluation area to be tested according to the target security level of the evaluation area to be tested and the security level result.
2. The method according to claim 1, wherein the determining the security test case of the evaluation area to be tested according to the current security test level and the service property of the evaluation area to be tested, and performing a local area network security test on the evaluation area to be tested by using the security test case, to obtain a security level result of the evaluation area to be tested, specifically includes:
S1, acquiring a corresponding safety evaluation item set according to the current safety test grade;
S2, determining safety test items in the safety evaluation item set according to the business property of the to-be-evaluated area;
S3, determining a safety test case of the evaluation area to be tested according to the safety test item, and testing the evaluation area to be tested by utilizing the safety test case to obtain test scores of the safety test item respectively;
S4, determining whether the security level of the evaluation area to be tested passes the current security test level according to the test score of the security test item;
if yes, judging whether a preset evaluation completion condition is met;
if yes, taking the current security test grade as a security grade result of the evaluation area to be tested, if not, taking the next security test grade as the current security test grade, and returning to S1;
if not, judging whether a preset evaluation completion condition is met;
if yes, taking the last security test grade as a security grade result of the evaluation area to be tested;
if not, taking the previous security test grade as the current security test grade, and returning to S1.
3. The method according to claim 2, wherein the preset evaluation completion condition includes that a current security test level is a highest security test level, or that the current security test level is a lowest security test level, or that the evaluation area to be evaluated has passed a last security test level.
4. The method according to claim 2, wherein the determining the security test items in the security assessment item set according to the service property of the to-be-assessed area specifically includes:
extracting a sub-service label and a sub-service label value from the service class of the evaluation area to be tested;
dividing the sub-service into a plurality of sub-service groups according to each sub-service label and sub-service label value; calculating the sum of the tag values of all the sub-service groups, and determining the sub-service group corresponding to the maximum sum of the tag values of the sub-service groups as a target sub-service group;
calculating the matching value of the label of the target sub-service group and the label of each security evaluation item in the security evaluation item set to obtain service related values of the target sub-service group and the security evaluation item;
and taking the safety evaluation item corresponding to the maximum service related value as the safety evaluation item of the evaluation area to be tested.
5. The method of claim 4, wherein the determining, in S3, the security test case of the evaluation area to be tested according to the security test item specifically includes:
and matching corresponding matching rules for the tags of the safety test items and the safety test cases from a test case matching library according to the tags of the safety test items and the tags of the safety test cases, wherein the matching rules are determined according to the coverage of the safety test cases to the safety test items.
6. The method of claim 2, wherein:
the safety test level comprises a safety primary level, a safety secondary level and a safety tertiary level;
the safety evaluation item set comprises a safety primary test item set, a safety secondary test item set and a safety tertiary test item set;
the safety primary test item set comprises data frame confidentiality and data frame integrity;
the safety secondary test item set comprises data frame confidentiality, data frame integrity, management frame confidentiality and management frame integrity;
the set of security tertiary test items includes data frame confidentiality, data frame integrity, management frame confidentiality and management frame integrity, control frame confidentiality and control frame integrity.
7. A power trusted wireless local area network security level verification apparatus, the apparatus comprising:
the acquisition module is used for acquiring a target security level of an evaluation area to be tested in the transformer substation and taking the target security level as a current security test level of the evaluation area to be tested;
the evaluation module is used for determining a security test case of the evaluation area to be tested according to the current security test grade and the service property of the evaluation area to be tested, and carrying out local area network security test on the evaluation area to be tested by using the security test case to obtain a security grade result of the evaluation area to be tested;
And the confirmation module is used for confirming the local area network security level of the evaluation area to be tested according to the target security level of the evaluation area to be tested and the security level result.
8. The apparatus of claim 7, wherein the evaluation module comprises a first evaluation unit, a second evaluation unit, a third evaluation unit, a fourth evaluation unit, and a fifth evaluation unit;
the first evaluation unit is used for acquiring a corresponding safety evaluation item set according to the current safety test grade;
the second evaluation unit is used for determining safety test items in the safety evaluation item set according to the business properties of the to-be-evaluated area;
the third evaluation unit is used for determining a safety test case of the evaluation area to be tested according to the safety test item, and testing the evaluation area to be tested by utilizing the safety test case to obtain the test score of the safety test item respectively;
the fourth evaluation unit is used for determining whether the security level of the evaluation area to be tested passes the current security test level according to the test score of the security test item;
if yes, judging whether a preset evaluation completion condition is met;
If yes, taking the current security test grade as a security grade result of the evaluation area to be tested;
if not, returning the next safety test grade to the first evaluation unit as the current safety test grade;
if not, judging whether a preset evaluation completion condition is met;
if yes, taking the last security test grade as a security grade result of the evaluation area to be tested;
and if not, returning the previous safety test grade to the first evaluation unit as the current safety test grade.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the power trusted wireless local area network security level confirmation method of any one of claims 1 to 6 when the computer program is executed.
10. A computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the power trusted wireless local area network security level confirmation method of any one of claims 1 to 6.
CN202311754689.2A 2023-12-19 2023-12-19 Method, device and equipment for confirming security level of power trusted wireless local area network Pending CN117676587A (en)
Priority application: CN202311754689.2A, priority and filing date 2023-12-19.
Publication: CN117676587A, published 2024-03-08 (status: pending).
Family ID: 90078794. Country: CN.

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination