KR101943900B1 - An integrated management system and method for managing one or more power generation company and determining whether the power generation company is abnormal - Google Patents

Abstract

Disclosed in an integrated management system and method for managing one or more power generation companies and determining whether the power generation companies have abnormal situations by receiving data from the power generation companies, analyzing the received data, determining whether an abnormal situation occurred, and helping to resolve the situation quickly. In addition, the present invention is capable of checking where the abnormal situation has occurred among a power generation company management server of the company and a control server of the company, and of performing an appropriate response to the abnormal situation.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an integrated management system for a power generation company that manages one or more power generation companies and determines whether or not a power generation company is abnormal,

The present invention relates to a power generation company integrated management system and method thereof, and more particularly, it relates to a power generation company integrated management system and method thereof that receives data from a power generation company, analyzes the data, determines whether an abnormal situation occurs in a power generation company, The present invention relates to an integrated management system for a power generation company that manages one or more development companies and determines whether or not the development companies are abnormal.

In thermal power generation plants, factory production lines, buildings, and large-scale air conditioning facilities, there are a vast number of electronic and mechanical parts as well as pipelines connecting the parts.

In order to operate properly in such a plant, it is necessary to solve the problem promptly in the event of a problem, in addition to abnormal situation detection, power saving operation and timely maintenance.

Japanese Patent Publication No. 4402613 (registered on November 6, 2009) discloses a system and a method for easily and accurately discriminating whether or not a plant state is abnormal in order to meet the needs of such an industrial site.

However, these techniques only determine whether the plant status is normal or abnormal, can not solve various problems arising in transmitting and receiving data from the plant, and improve the management convenience in the process of managing one or more plants or generation companies And does not disclose any technology to make it possible.

Japanese Patent Publication No. 4402613 (registered on November 6, 2009)

Therefore, a first object of the present invention to solve such a problem is to determine whether a first abnormal situation has occurred in a power generation company, and to determine whether a second abnormal situation occurs in a power generation company management server receiving data from the power generation company , It is possible to determine whether a third abnormal situation occurs in the control server for managing the generation company management server and to manage the policy for one or more firewalls so that the user and the manager can improve convenience in using and managing the firewall policy It is to provide an integrated management system for a power generation company that manages the above-mentioned power generation companies and determines whether or not the power generation companies are abnormal.

The second objective is to determine whether a first abnormal situation has occurred in the power generation company, determine whether a second abnormal situation occurs in the power generation company management server receiving data from the power generation company, Managing one or more development companies that can improve the convenience of users and administrators to use and manage firewall policies by managing policy for one or more firewalls, And to provide an integrated management method for the power generation company to judge whether or not the power generation company is in charge.

According to another aspect of the present invention, there is provided a power generation company integrated management system for managing at least one power generation company, wherein the power generation company integrated management system includes a first raw data collection unit for collecting raw data from a generation company in real- A raw management server including a first control unit for controlling the first raw data collecting unit and a raw data backup unit for storing the raw data, the raw data collected by the first raw data collecting unit, A second control unit for controlling the second raw data collecting unit, a data storing unit for storing the raw data received by the second raw data collecting unit, a second raw data collecting unit receiving the raw data from the raw data collecting unit, Analyzing the data to determine whether the raw data is the current A malicious code penetration determination unit for determining whether malicious code is infiltrated into the generation management server, a status information storage unit for storing status information for each piece of raw data, and a transmission / Wherein the control server includes at least one firewall for blocking transmission / reception of data when the control server including the communication unit, the generation management server, and the control server is not a predetermined user in the data transmitting / receiving process, and the control server controls the firewall And an integrated management system for a generation company.

The raw data analysis unit analyzes the raw data received from the generation management server to extract generation operation operation data and outputs the status information corresponding to the raw data stored in the situation information storage unit corresponding to the generation operation data And determines whether the abnormal situation is a situation occurring in the development management server or in the control server itself when it is determined that the abnormal situation is a result of judging a situation corresponding to the generation operation data, When the raw data analysis unit determines that the abnormal situation has occurred in the generation company, the first raw data collection unit controls not to collect the raw data from the generation company, and the second control unit controls the raw data analysis unit For operation data When the raw data analysis unit determines that the abnormal situation is occurring in the generation company or the generation management server, the communication unit controls the communication unit to transmit the situation to the administrator When the raw data analysis unit determines that the abnormal situation occurs in the control server itself, whether the malicious code penetration determination unit has determined that the malicious code has infiltrated the malicious code, The malicious code penetration determination unit determines that the malicious code has infiltrated the malicious code, and if the malicious code penetration determination unit determines that the malicious code has infiltrated the malicious code, Judging part malicious nose If the raw data analysis unit determines that the abnormality is generated in the generation management server, the second raw data collection unit may perform the first raw data collection It is possible to control not to receive the additional raw data.

The firewall controller performs a simulation on the new firewall policy received from the administrator terminal, examines a problem occurring in performing the new firewall policy as a result of the simulation, adds the new firewall policy received from the administrator terminal, The new firewall policy and the existing firewall policy are compared with each other to compare the existing firewall policy and the new firewall policy is compared with the existing firewall policy to compare the new firewall policy and the existing firewall policy, The new firewall policy and the existing firewall policy are compared with each other, and if the similarity is less than or equal to a predetermined first reference value, the new firewall policy and the existing firewall policy are determined to be similar, And the above- The new firewall policy and the existing firewall policy are deleted, and when it is determined that there is no problem even if the same part is deleted in any one of the policies, the new firewall policy and the existing firewall policy are deleted, Judges whether the new firewall policy or the existing firewall policy is not to be used for data transmission and reception when the degree of similarity judged by the comparison is larger than a preset first reference value, And deletes the existing firewall policy. If the usage amount of the existing firewall policy is less than a second reference value, the second control unit deletes the existing firewall policy, Problems arising during the execution of policies Group include the communication can be controlled so as to sent to the administrator terminal.

Wherein the malicious code penetration determination unit comprises a malicious code information storage module storing malicious code information, a malicious code information storing module for storing code information generated in a data transmitting / receiving process between the control server and the generation management server, A malicious code determination module for determining whether or not the malicious code is compared with the information; and a malicious code determination module for comparing the malicious code with the malicious code information stored in the malicious code information storage module, A malicious code for transmitting the code information predicted by the new malicious code to the sandbox when the second control unit resets the control server but does not solve the abnormal situation, An information prediction module and an application performing the same function as the control server And a sandbox for determining the malicious code as a malicious code and transmitting a determination result to the malicious code information prediction module if an abnormal phenomenon occurs as a result of execution of the code of the application, The malicious code information storing module sets the malicious code to the malicious code when the malicious code information prediction module determines that the code is determined to be malicious code from the sandbox, Can be stored as malicious code.

According to another aspect of the present invention, there is provided a method of generating a raw data, the method comprising: collecting raw data from a generation company in real time using a wire communication; Receiving raw data collected by the first raw data collecting unit from a generation managing server using wireless communication; storing the raw data received by the second raw data collecting unit in a data storing unit; Analyzing the raw data received by the second raw data collection unit to grasp the current status of the generation source from which the raw data is collected, determining whether the malicious code penetration determination unit has infiltrated malicious code into the generation management server, The situation information storage unit storing the status information for each raw data and the one If on the firewall is not a user in the predetermined data transmission procedure between the baljeonsa management server and control server, and provides a baljeonsa integrated management method comprising the step of blocking the data transmission and reception.

Wherein the raw data analyzing unit analyzes the raw data received by the second raw data collecting unit and grasps the current state of the power generation source in which the raw data is collected, Analyzing the data to extract generation operation data; determining, by the raw data analysis unit, a situation corresponding to the generation operation data by using the status information for each raw data stored in the situation information storage unit; Determining whether the abnormal situation is occurring in the generation management server or in the control server itself when the data analysis unit determines that the abnormal situation corresponds to the generation operation data; In the case of the first control unit controls the first raw data collecting unit not to collect the raw data from the generation source when the raw data analyzing unit determines that the first raw data collecting unit collects the raw data from the generation company, Controlling the communication unit to transmit to the administrator terminal in real time; and when the raw data analysis unit determines that the abnormal situation occurs in the generation company or the generation management server, And the raw data analysis unit determines that the malicious code penetration determination unit has infiltrated the malicious code when the raw data analysis unit determines that the abnormal situation occurs in the control server itself In relation to whether , The second control unit confirms the malicious code penetration determination unit, and if the malicious code penetration determination unit determines that the malicious code has infiltrated, the communication unit transmits the content to the predetermined administrator terminal The second control unit controlling the communication unit; controlling the second control unit to reset the power of the control server when the malicious coat penetration determination unit does not determine that the malicious code has infiltrated; The second control unit controls the second raw data collecting unit such that the second raw data collecting unit does not receive the raw data collected by the first raw data collecting unit, . ≪ / RTI >

The step of blocking data transmission / reception when the one or more firewalls is not a predetermined user in data transmission / reception process between the generation management server and the control server may include performing a simulation on a new firewall policy received from the administrator terminal The firewall control unit compares the new firewall policy received from the administrator terminal with the existing firewall policy that is currently being executed, and determines whether the similarity degree Wherein the firewall controller performs a new firewall policy when the similarity determined by comparing the new firewall policy and the existing firewall policy is less than or equal to a predetermined first reference value, Further analyzing a portion of the firewall controller determined to be similar to the new firewall policy and the existing firewall policy if the similarity determined by comparing the firewall policy and the existing firewall policy is equal to or less than a predetermined first reference value, As a result, when the firewall control unit determines that there is no problem even if a portion determined to be similar in either of the new firewall policy and the existing firewall policy is deleted, the firewall control unit determines whether the new firewall policy or the existing firewall policy If the degree of similarity determined by comparing the new firewall policy and the existing firewall policy exceeds a predetermined first reference value, performing either the new firewall policy or the existing firewall policy Do not data Determining whether the new firewall policy and the existing firewall policy are favorable for reception; determining whether the new firewall policy and the existing firewall policy are favorable for data transmission / reception, Wherein the firewall controller deletes an existing firewall policy, the firewall controller determines an existing firewall policy usage amount, and the firewall controller deletes the existing firewall policy if the usage amount of the existing firewall policy is less than a second reference value, And the second control unit may control the communication unit so that the communication unit transmits to the administrator terminal a problem that occurs in the process of performing the new firewall policy examined by the firewall control unit.

If the raw data analysis unit determines that the abnormal situation occurs in the control server itself, it is determined whether the malicious code penetration determination unit has determined that the malicious code has infiltrated, Wherein the malicious code information storage module stores malicious code information, and the malicious code determination module transmits code information generated in a data transmission / reception process between the control server and the generation management server to the malicious code information storage module Determining whether or not the malicious code is infiltrated with the malicious code; comparing the malicious code information with stored malicious code information to determine whether the malicious code is infected; The malicious code determination module may determine that the malicious code When the second control unit determines that the malicious code is not a malicious code and the malicious code information stored in the malicious code information storage module is compared with the code information and the second control unit resets the control server, The malicious code information prediction module estimates the code as a new malicious code and transmits the code information estimated as a new malicious code to the sandbox, and the sandbox uses an application performing the same function as the control server The method comprising the steps of: executing the code; determining that the sandbox is the malicious code if an abnormal phenomenon occurs as a result of executing the code of the application; and transmitting the determination content to the malicious code information prediction module And the malicious code information prediction module detects the malicious code from the sandbox to the nose The malicious code information storage module sets the malicious code as the malicious code and stores the malicious code as the code information set as the malicious code.

According to the integrated management system and method for managing one or more developed inventions of the present invention described above and determining whether or not the developed company is abnormal, it is possible to determine whether a first abnormal situation has occurred in the developed company, It is possible to determine whether or not a second abnormal situation has occurred in the generation management server, and it can be determined whether a third abnormal situation occurs in the control server managing the generation management server, and by managing the policy for one or more firewalls, Has the effect of improving convenience in using and managing the firewall policy.

FIG. 1 is a diagram showing a schematic configuration of a power generation company integrated management system, which is an embodiment of the present invention.
2 is a diagram showing a schematic configuration of a generation management server which is a constitution of the present invention.
3 is a diagram showing a schematic configuration of a control server which is a constitution of the present invention.
4 is a diagram showing a schematic configuration of a malicious code penetration determination unit, which is an embodiment of the present invention.
FIG. 5 is a flowchart illustrating a method of integrated management of a power generation company, which is an embodiment of the present invention.
FIG. 6 is a diagram illustrating an example of a result of a new firewall policy simulation of a firewall controller displayed by an administrator terminal according to an embodiment of the present invention.
FIG. 7 illustrates an example in which an amount of usage of an existing firewall policy of the firewall control unit is determined, an excess utilization threshold firewall is identified, and an administrator terminal displays the content.
FIG. 8 is an example of an embodiment of the present invention in which an amount of usage of an existing firewall policy of the firewall control unit is judged, an existing firewall policy without use history is identified, and an administrator terminal displays the content.
9 is a diagram illustrating an example in which a firewall controller examines an existing firewall policy, identifies a firewall policy at a subsequent stage including a firewall policy at a previous stage, and displays the corresponding details at an administrator terminal.
FIG. 10 is a diagram for explaining how a firewall controller checks the frequency of use of an existing firewall policy and controls a firewall so that a frequently used policy is applied first. FIG.
FIG. 11 is a diagram illustrating an example in which the firewall controller determines the similarity with the existing firewall policy in the process of simulating a new firewall policy, and displays the determination result of the administrator terminal.
FIG. 12 is a diagram illustrating an exemplary embodiment of the present invention. Referring to FIG. 12, a firewall controller examines an existing firewall policy, connects an existing first firewall policy to an existing second firewall policy, This is an example displayed by the terminal.
FIG. 13 is another example of the display of the result of the new firewall policy simulation of the firewall control unit according to an embodiment of the present invention.

It is to be understood that the words or words used in the present specification and claims are not to be construed in a conventional or dictionary sense and that the inventor can properly define the concept of a term in order to best describe the user's invention And should be construed in light of the meanings and concepts consistent with the technical idea of the present invention.

Throughout the specification, when an element is referred to as " comprising ", it means that it can include other elements as well, without excluding other elements unless specifically stated otherwise. In addition, the term " "... "," ... Unit, "" module, "" device, "and the like refer to a unit that processes at least one function or operation, which may be implemented as a combination of hardware and / or software.

The terms used in the embodiments of the present invention will be briefly described, and these embodiments will be described in detail.

Although the terms used in the embodiments of the present invention have been selected in consideration of the functions of the present invention, the present invention is not limited thereto and can be varied depending on the intention or the precedent of the artisan skilled in the art, . Also, in certain cases, some terms are arbitrarily selected by the applicant, and in this case, the meaning thereof will be described in detail in the description of the corresponding embodiments. Therefore, the terms used in the embodiments should be defined based on the meaning of the term, not on the name of a simple term, and on the contents of the embodiments throughout.

In an embodiment of the present invention, terms including ordinal numbers such as first, second, etc. may be used to describe various elements, but the elements are not limited to these terms. The terms are used only for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be referred to as a second component, and similarly, the second component may also be referred to as a first component. And / or < / RTI > includes any combination of a plurality of related listed items or any of a plurality of related listed items.

Further, in the embodiments of the present invention, the singular expressions include plural expressions unless the context clearly indicates otherwise.

Furthermore, in the embodiments of the present invention, terms such as " comprises " or " having ", etc. are intended to specify the presence of stated features, integers, steps, operations, elements, parts, or combinations thereof, Steps, operations, elements, components, or combinations of elements, numbers, steps, operations, components, parts, or combinations thereof.

Also, in the embodiments of the present invention, 'module' or 'sub' performs at least one function or operation, and may be implemented in hardware or software, or a combination of hardware and software. In addition, a plurality of 'modules' or a plurality of 'parts' may be integrated into at least one module except for 'module' or 'module' which needs to be implemented by specific hardware, and may be implemented by at least one processor.

Further, in the embodiment of the present invention, when a part is referred to as being " connected " with another part, it is not limited to a case where it is " directly connected " And the like.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.

FIG. 1 is a diagram showing a schematic configuration of a power generation company integrated management system according to an embodiment of the present invention. FIG. 2 is a diagram showing a schematic configuration of a power generation management server, which is a constitution of the present invention. 1 is a diagram showing a schematic configuration of a control server which is a configuration.

1 to 3, the integrated generation management system for managing one or more generation companies 10 may include a generation management server 100, a control server 200, and a firewall 20.

In the entire specification, the power generation company 10 may refer to a power generation company, a power generation equipment of a power generation company, and the like.

Here, the generation management server 100 may include a first raw data collection unit 110, a first control unit 120, and a raw data backup unit 130.

The first raw data collecting unit 110 can collect raw data from the generator 10 in real time using wired communication.

In this case, the raw data correspond to RPM, Cylinder temperature, Lube oil pressure, Ready for start condition, etc. related to the power generation engine. HFO / DO level, Pump status, Generator synchro voltage, ampere, power (kW) And pf and the like.

Also, the first controller 120 may control the first raw data collecting unit 110. [

The raw data backup unit 130 may store raw data.

That is, the generation management server 100 can collect and store raw data in real time from the generation company 10 through wired communication. The reason for using the wire communication is that the security company 10 is a national infrastructure and security is important, and the risk of hacking is lower than that of wireless communication.

Therefore, the generation management server 100 using wired communication has an advantage that the risk of hacking is lower than the case of using wireless communication.

The control server 200 includes a second raw data collection unit 210, a second control unit 220, a data storage unit 230, a raw data analysis unit 240, a malicious code penetration determination unit 250, An information storage unit 260, a communication unit 270, and a firewall control unit 280. [

Here, the second raw data collecting unit 210 may receive the raw data collected by the first raw data collecting unit 110 from the generation managing server 100 using wireless communication.

The second control unit 220 may control the second raw data collection unit 210.

In addition, the data storage unit 230 may store the raw data received by the second raw data collection unit 210.

The raw data analysis unit 240 can analyze the raw data received by the second raw data collection unit 210 to determine the current state of the generation source 10 from which raw data has been collected.

In addition, the malicious code penetration determination unit 250 may determine whether or not the malicious code is infiltrated into the generation management server 100. [

That is, the malicious code penetration determination unit 250 can determine whether the malicious code has infiltrated the generation management server 100.

The status information storage unit 260 may store status information for each raw data.

Here, the status information for each raw data means status information for the generation source 10 corresponding to the raw data.

In addition, the communication unit 270 can transmit / receive data to / from a predetermined administrator terminal (not shown).

Here, data transmission / reception with a predetermined administrator terminal (not shown) can be realized through various wireless communication methods.

The administrator terminal (not shown) may be implemented by various electronic devices such as a smart phone, a smart watch, a smart glass, a tablet PC, and a notebook PC. An administrator terminal (not shown) And a communication module capable of performing a wireless communication scheme.

The firewall control unit 280 may control the firewall 20.

Here, the firewall 20 may be configured as one or more than two, and may block data transmission / reception in a case where the user is not a predetermined user in data transmission / reception process between the generation management server 100 and the control server 200.

In addition, the firewall 20 is installed at a front end of the internal network, and can prevent malicious codes and the like on the Internet from being propagated to the internal network.

That is, the firewall 20 protects the internal network from the external network including the Internet network. Firewall policies for controlling packets are set in the firewall 20, and the firewall 20 is allowed according to a preset firewall policy Lt; RTI ID = 0.0 > network. ≪ / RTI >

More specifically, the raw data analysis unit 240 can analyze the raw data received from the generation management server 100 and extract the generated operation data.

Pump status, Generator synchro voltage, ampere, power (kW), and pf (kW) are related to the auxiliary machinery in terms of RPM, cylinder temperature, Lube oil pressure, And the like.

 The raw data analysis unit 240 can determine the situation corresponding to the generation operation data by using the status information for each raw data stored in the situation information storage unit 260.

If the raw data analysis unit 240 determines that the situation corresponding to the generation operation data is abnormal, the raw data analysis unit 240 determines whether the abnormal situation occurs in the situation management server 200 itself occurring in the generation management server 100 It can be judged.

When the raw data analysis unit 240 determines that an abnormal situation has occurred in the development company 10, the first control unit 120 controls the firstraw data collection unit 110 not to collect raw data from the generation company 10 can do.

As a result, raw data is not collected from the generation company 10 in which an abnormal situation occurs, and it is possible to prevent a situation in which erroneous control commands are input by collecting erroneous raw data.

The second control unit 220 controls the communication unit 270 to transmit the situation corresponding to the generation operation data determined by the raw data analysis unit 240 to the administrator terminal (not shown) previously stored in the communication unit 270 in real time can do.

Thus, the manager can confirm the situation corresponding to the power generation operation data in real time, and can issue an appropriate command to the situation.

If the raw data analysis unit 240 determines that an abnormal situation has occurred in the development company 10 or the development company management server 100, the second control unit 220 determines that the communication unit 270 has not yet established a predetermined administrator terminal (not shown) So that the content can be transmitted.

As described above, the administrator can confirm in real time that an abnormal situation has occurred in the generation company 10 or the generation company management server 100, and when a problem occurs in the generation company 10 or the generation company management server 100 , There is an effect that it can respond quickly.

If the raw data analysis unit 240 determines that an abnormal situation occurs in the control server 200 itself, the second control unit 220 determines that the malicious code penetration determination unit 250 has infiltrated the malicious code The determination by the malicious code penetration determination unit 250 can be confirmed.

That is, when the malicious code penetration determination unit 250 determines that an abnormal situation has occurred in the control server 200, the second control unit 220 determines whether the malicious code is infiltrated into the control server 200 .

 If the malicious code penetration determination unit 250 determines that the malicious code has infiltrated the control server 200 as a result of the checking by the second control unit 220, It is possible to control the contents to be transmitted to the terminal (not shown).

Accordingly, the administrator can quickly check the situation of the malicious code infiltrated into the control server 200, and the administrator can quickly arrange the malicious code expert in the control server 200.

 If the malicious code penetration determination unit does not determine that the malicious code has infiltrated the second control unit 220, the second control unit 220 may control the power supply of the control server 200 to be reset.

That is, when the control server 200 operates normally, an overload occurs in the control server 200 and an error may occur. Therefore, the power of the control server 200 is reset.

Even if the control server 200 resets the power because the raw data of the generation company 10 is stored by the raw data backup unit 130 unless an abnormal situation occurs in the generation company 10 or the generation company management server 100 , There is no problem that the control server 200 loses data during the resetting time.

If the raw data analysis unit 240 determines that an abnormal situation has occurred in the generation management server 100, the second control unit 220 determines that the secondraw data collection unit 210 has collected the firstraw data collection unit 110 You can control not to receive raw data.

As a result, the control server 200 does not collect raw data from the generation managing server 100 in which an abnormal situation occurs. Therefore, it is possible to prevent a situation in which erroneous control commands are input by collecting erroneous raw data.

The firewall control unit 280 may perform a simulation on the new firewall policy received from the administrator terminal (not shown).

This simulation can be implemented by virtually performing wireless communication so that an administrator terminal (not shown) corresponds to the new firewall policy.

As a result of the simulation of the firewall control unit 280, the firewall control unit 280 can review the problems occurring in the process of executing the new firewall policy.

More specifically, the firewall control unit 280 may compare the new firewall policy received from the administrator terminal (not shown) with the existing firewall policy currently in operation to determine the similarity.

The degree of similarity can be determined by the firewall control unit 280 using the IP address of the source, the IP address of the destination, and the service port

If the degree of similarity determined by comparing the new firewall policy and the existing firewall policy is less than or equal to a preset first reference value, the firewall control unit 280 may implement the new firewall policy.

Also, if the similarity determined by comparing the new firewall policy and the existing firewall policy is less than or equal to a predetermined first reference value, the firewall control unit 280 may further analyze the new firewall policy and the portion determined to be similar to the existing firewall policy .

If the firewall controller 280 determines that there is no problem even if the firewall controller 280 deletes the portion determined to be similar to the new firewall policy or the existing firewall policy as a result of the further analysis by the firewall controller 280, It is possible to delete the portion determined to be similar in either the policy or the existing firewall policy.

That is, as a result of further analysis by the firewall control unit 280, it is determined that a part of the new firewall policy among the new firewall policy and the existing firewall policy is similar to a part of the existing firewall policy, If the firewall control unit 280 determines that there is no problem even if the user deletes the new firewall policy, the firewall control unit 280 may implement the new firewall policy except for a part of the new firewall policy.

Also, the firewall control unit 280 may perform all of the new firewall policies, but may delete some of the existing firewall policies, instead of executing the new firewall policies except for a part of the new firewall policies.

In other words, the firewall control unit 280 can prevent the new firewall policy and the similar part of the existing firewall policy from being overlapped and applied.

 If the similarity determined by comparing the new firewall policy and the existing firewall policy exceeds the predetermined first reference value, the firewall control unit 280 performs either the new firewall policy or the existing firewall policy It can be judged whether data transmission / reception is advantageous.

That is, the firewall control unit 280 can determine whether the new firewall policy or the existing firewall policy is not performed in favor of data transmission / reception, considering the data transmission / reception speed, the packet, the load on the memory, and the like.

Here, the first reference value can be arbitrarily set by the administrator.

 Also, the firewall control unit 280 can delete the policy that it is determined that it is not desirable to perform the policy.

More specifically, if the firewall control unit 280 determines that it is advantageous to maintain the existing firewall policy without implementing the new firewall policy, the firewall control unit 280 can maintain the existing firewall policy without performing the new firewall policy have.

If the firewall controller 280 determines that it is advantageous to perform the new firewall policy and delete the existing firewall policy, the firewall controller 280 may implement the new firewall policy and delete the existing firewall policy.

Also, the firewall control unit 280 can determine the usage amount of the existing firewall policy.

More specifically, if the usage amount of the existing firewall policy determined by the firewall control unit 280 is less than the second reference value, the firewall control unit 280 can delete the existing firewall policy.

That is, if the firewall control unit 280 determines that the existing firewall policy is not systematically meaningful because the usage amount of the existing firewall policy is less than the second reference value as a result of the determination by the firewall control unit 280, Can delete an existing firewall policy.

The second control unit 220 may control the communication unit 270 to transmit a problem to the administrator terminal (not shown) that occurs during the process of performing the new firewall policy that the firewall control unit 280 has reviewed.

Accordingly, the administrator can confirm the problem occurring when the new firewall policy is executed even if the new firewall policy is not actually implemented, and can establish the firewall policy more efficiently by doing so.

Here, the second reference value can be arbitrarily set by the administrator.

4 is a diagram showing a schematic configuration of a malicious code penetration determination unit, which is an embodiment of the present invention.

4, the malicious code penetration determination unit 250 includes a malicious code information storage module 251, a malicious code determination module 252, a malicious code information estimation module 253, a sandbox 254, And an analysis module 255. [

The malicious code information storage module 251 may store malicious code information.

Here, the malicious code information may include the feature vectors of the malicious code, the type of the malicious code, and the like.

The malicious code determination module 252 compares the malicious code information stored in the malicious code information storage module 251 with the code information generated in the data transmission / reception process between the control server 200 and the generation management server 100, It is possible to determine whether the code generated in the process of transmitting / receiving data between the control server 200 and the generation management server 100 is a malicious code.

The malicious code information prediction module 253 compares the code information with the malicious code information stored in the malicious code information storage module 251 so that the malicious code determination module 252 If the second control unit 220 determines that the corresponding code is not a malicious code and resets the control server 200 but the abnormal situation occurring in the control server 200 is not resolved, the corresponding code is predicted as a new malicious code , And send the code information predicted by the new malicious code to the sandbox 254.

The sandbox 254 may execute the code using an application that performs the same function as the control server 200. [

That is, the sandbox 254 can execute a code corresponding to the code information received from the malicious code information prediction module 253 by using an application that performs the same function as the control server 200. [

 If an abnormal phenomenon occurs in the control server 200 as a result of execution of an application code in the sandbox 254, the sandbox 254 determines the malicious code as a malicious code and transmits the determination content to the malicious code information prediction module 253).

When the malicious code information prediction module 253 receives the fact that the malicious code information prediction module 253 has determined that the code is determined as a malicious code from the sandbox 254, the malicious code information storage module 251 sets the malicious code as a malicious code, Can be stored as a malicious code.

In addition, the malicious code analysis module 255 can perform static analysis, dynamic analysis, and diffusion way analysis.

Here, the static analysis of the malicious code analysis module 255 can be performed by analyzing patterns, hash values, strings, and the like of the malicious code. In addition, the static analysis of the malicious code analysis module 255 can be performed by analyzing the structure of a PE (Portable Executable), analyzing an IAT (Import Address Table), determining a file type, verifying a vaccine diagnosis, Ring, string verification, and the like, thereby extracting the characteristic information of the malicious code.

The malicious code analysis module 255 can determine whether or not the malicious code is packed, encrypted, obfuscated, and divided in order to deal with the packing, encryption, obfuscation, and divisional application malicious codes in the static analysis process , The malicious code analysis module 255 can perform unpacking or decoding of malicious code when packing, encryption, obfuscation and segmentation are applied to the malicious code in the static analysis process.

Various information derived from the static analysis process of the malicious code analysis module 255 may be stored in the malicious code information storage module 251.

The dynamic analysis of the malicious code analysis module 255 can analyze the malicious code behavior of the PE file format and extract the characteristic information of each malicious code type (dropper, downloader, etc.) Script property information can be extracted.

In addition, the malicious code analysis module 255 can analyze a malicious code modification through compression or encryption using a polymorphic technique in a dynamic analysis process, Analysis of the applied malicious code can be performed, and API monitoring and malicious behavior can be analyzed using the API hooking technology in the system to extract characteristic information of the malicious code.

Various information derived from the dynamic analysis process of the malicious code analysis module 255 may be stored in the malicious code information storage module 251. [

FIG. 5 is a flowchart illustrating a method of integrated management of a power generation company, which is an embodiment of the present invention.

5, the first raw data collection unit 110 may collect raw data in real time from the power generation company 10 using wired communication (S530)

The raw data backup unit 130 may store the raw data (S531)

The second raw data collecting unit 210 may receive the raw data collected by the first raw data collecting unit 110 from the generation managing server 100 using the wireless communication (S532)

The data storage unit 230 may store the raw data received by the second raw data collection unit 210 (S533)

The raw data analysis unit 240 may analyze the raw data received by the second raw data collection unit 210 to determine the current status of the generation source 10 from which the raw data is collected (S534)

More specifically, the raw data analysis unit 240 analyzes the raw data received from the generation management server 100, and extracts the generated operation data.

The status information corresponding to the generation operation data may be determined using the status information for each raw data stored in the status information storage unit 260.

When the raw data analysis unit 240 determines that the situation corresponding to the generation operation data is abnormal, it is determined whether the abnormal situation occurs in the situation management server 200 itself occurring in the generation management server 100 It can be judged.

When the raw data analysis unit 240 determines that an abnormal situation has occurred in the development company 10, the first control unit 120 controls the firstraw data collection unit 110 so as not to collect raw data from the generation company 10 can do.

The second control unit 220 controls the communication unit 270 so that the communication unit 270 transmits a situation corresponding to the generated power generation operation data determined by the raw data analysis unit 240 to the administrator terminal (not shown) can do.

If the raw data analysis unit 240 determines that an abnormal situation has occurred in the development company 10 or the development company management server 100, the communication unit 270 transmits the content to the administrator terminal (not shown) 2 control unit 220 can control the communication unit 270.

When the raw data analysis unit 240 determines that an abnormal situation occurs in the control server 200 itself, it is determined that the malicious code penetration determination unit 250 determines that the malicious code has infiltrated the malicious code, The second control unit 220 can confirm the determination by the determination unit 250.

More specifically, the malicious code information storage module 251 may store malicious code information.

The malicious code determination module 252 compares the malicious code information stored in the malicious code information storage module 251 with the code information generated in the process of transmitting and receiving data between the control server 200 and the generation management server 100, It is possible to judge whether or not it is malicious code.

If it is determined that the malicious code penetration determination unit 250 has infiltrated the malicious code as a result of the checking by the second control unit 220, the communication unit 270 transmits the content to the predetermined administrator terminal (not shown) The control unit 220 can control the communication unit 270.

When the malicious code penetration determination unit does not determine that the malicious code has infiltrated, the second control unit 220 may control the power of the control server 200 to be reset.

More specifically, when the malicious code determination module 252 compares the code information with malicious code information stored in the malicious code information storage module 251, it is determined that the malicious code is not a malicious code, and the second control unit 220 The malicious code information prediction module 253 transmits the code information predicted by the new malicious code to the sandbox 254 in the case where the server 200 is reset but the abnormal situation is not resolved can do.

In addition, the sandbox 254 may execute the code using an application that performs the same function as the control server 200. [

If an anomaly occurs as a result of executing the application code, the sandbox 254 can determine the code as a malicious code.

Also, the sandbox 254 can transmit the determination content to the malicious code information prediction module 253.

If the malicious code information prediction module 253 receives the information that the code has been determined as a malicious code from the sandbox 254, the malicious code information storage module 251 sets the code as a malicious code, The set code information can be stored as malicious code.

When the raw data analysis unit 240 determines that an abnormal situation has occurred in the generation management server 100, the second raw data collection unit 210 does not receive the raw data collected by the firstraw data collection unit 110 The second control unit 220 may control the second raw data collecting unit 210.

The malicious code penetration determination unit 250 may determine whether the malicious code is infiltrated into the generation management server 100 (S535)

That is, the malicious code penetration determination unit 250 can determine whether malicious code has infiltrated the generation management server 100. [

In addition, the situation information storage unit 260 may store the status information for each raw data (S536)

If the one or more firewalls 20 are not the predetermined user in the data transmission / reception process between the generation management server 100 and the control server 200, the data transmission / reception can be blocked (S537)

More specifically, the firewall control unit 280 can perform simulation on a new firewall policy input from an administrator terminal (not shown).

Also, as a result of the simulation, the firewall control unit 280 can examine problems occurring in the process of executing the new firewall policy.

The similarity can be determined by comparing the new firewall policy received from the administrator terminal (not shown) with the existing firewall policy that is being performed by the firewall control unit 280.

In addition, if the degree of similarity determined by comparing the new firewall policy and the existing firewall policy is less than or equal to a preset first reference value, the firewall control unit 280 can implement the new firewall policy.

If the similarity determined by comparing the new firewall policy with the existing firewall policy is equal to or less than the preset first reference value, the firewall control unit 280 adds a new firewall policy and a portion determined to be similar to the existing firewall policy Can be analyzed.

As a result of the additional analysis, if the firewall control unit 280 determines that there is no problem even if a similar part is deleted in either the new firewall policy or the existing firewall policy, if the firewall control unit 280 determines that the new firewall policy and the existing firewall policy It is possible to delete the part judged to be similar in any one of them.

If the degree of similarity determined by comparing the new firewall policy and the existing firewall policy exceeds the preset first reference value, the firewall control unit 280 determines whether the new firewall policy or the existing firewall policy is not performed, .

In addition, the firewall control unit 280 may determine that it is advantageous to not perform the new firewall policy or the existing firewall policy, as a result of the determination by the firewall control unit 280, that the firewall control unit 280 can delete the policy.

Then, the firewall control unit 280 can determine the usage amount of the existing firewall policy.

Also, if the usage amount of the existing firewall policy is less than the second reference value, the firewall control unit 280 can delete the existing firewall policy.

The second control unit 220 can control the communication unit 270 so that the communication unit 270 transmits a problem occurring in the process of performing the new firewall policy examined by the firewall control unit 280 to the administrator terminal have.

FIG. 6 is a diagram illustrating an example of a result of a new firewall policy simulation of a firewall controller displayed by an administrator terminal according to an embodiment of the present invention.

6, the firewall control unit 280 can simulate a new firewall policy received from an administrator terminal (not shown) and transmit the simulation result to the administrator terminal (not shown) through the communication unit 270 The control unit 220 can control the communication unit 270.

The administrator terminal (not shown) may display a new firewall policy simulation result 30 as shown in FIG. 6, and an administrator terminal (not shown) may include a display module.

Through the result received at the administrator terminal (not shown), the administrator can visually confirm the result, and the administrator can judge whether a new firewall policy is implemented or not through the new firewall policy simulation.

FIG. 7 illustrates an example in which an amount of usage of an existing firewall policy of the firewall control unit is determined, an excess utilization threshold firewall is identified, and an administrator terminal displays the content.

Referring to FIG. 7, the firewall control unit 280 can determine the load on each firewall in the process of determining the usage amount of the existing firewall policy. When the load on the firewall exceeds the predetermined usage threshold, the firewall control unit 280 compares the load on each firewall with a preset usage threshold, and if the load on the firewall exceeds the predetermined usage threshold, The second control unit 220 may control the communication unit 270 so that the communication unit 270 transmits information on the communication unit 270 to an administrator terminal (not shown).

When the firewall control unit 280 determines that the user is disconnected from the firewall in the process of determining the load on each firewall, the communication unit 270 notifies the administrator terminal (not shown) The second control unit 220 may control the communication unit 270 to transmit the control information.

7, the administrator terminal (not shown) can display the firewall 31 whose load on the firewall exceeds the predetermined usage threshold, and the administrator terminal (not shown) The user can display the disconnected firewall 32.

This allows administrators to visually identify firewalls whose load on the firewall has exceeded a pre-established usage threshold and whose firewalls have been disconnected from the user.

FIG. 8 is an example of an embodiment of the present invention in which an amount of usage of an existing firewall policy of the firewall control unit is judged, an existing firewall policy without use history is identified, and an administrator terminal displays the content.

Referring to FIG. 8, the firewall control unit 280 can determine an existing firewall policy that does not have a history of use by determining the usage amount of the existing firewall policy.

The second control unit 220 may control the communication unit 270 to transmit the content of the existing firewall policy having no use record to the administrator terminal (not shown).

In addition, the administrator terminal (not shown) can display the contents of the existing firewall policy having no history of use as shown in FIG.

Therefore, the administrator can easily confirm an existing firewall policy that does not have a history of use.

9 is a diagram illustrating an example in which a firewall controller examines an existing firewall policy, identifies a firewall policy at a subsequent stage including a firewall policy at a previous stage, and displays the corresponding details at an administrator terminal.

Throughout the specification, in the case of shearing, it can mean the preceding, and in the case of the rear end it can mean back.

Referring to FIG. 9, in the process of determining the usage amount of the existing firewall policy, the firewall control unit 280 determines the content and the number of the firewall policy (same policy) determined as the same policy, the back policy (shadow policy) The contents and the number of the backward policy (redundant policy) including the previous policy, and the number of the redundant policy which is the sum of the same policy, the shadow policy and the redundant policy, and the content of the redundant policy can be calculated.

The second control unit 220 may control the communication unit 270 to transmit the information calculated by the firewall control unit 280 to the administrator terminal (not shown).

As shown in FIG. 8, the administrator terminal (not shown) has the contents and the number of the same policy, the content and the number of the shadow policy, the contents and the number of the redundant policy, and the redundant policy which is the sum of the shadow policy and the redundant policy The number and the contents of the redundancy policy can be displayed.

This allows administrators to more easily manage firewall policies.

FIG. 10 is a diagram for explaining how a firewall controller checks the frequency of use of an existing firewall policy and controls a firewall so that a frequently used policy is applied first. FIG.

Referring to FIG. 10, the firewall control unit 280 can examine the frequency of use of the firewall policy.

As a result of the examination, the firewall control unit 280 can control the firewall policy such that the firewall policy having the highest frequency of use is given the highest priority.

The second control unit 220 may control the communication unit 270 so that the communication unit 270 transmits the examination and control results of the firewall control unit 280 to the administrator terminal (not shown).

The administrator terminal (not shown) can display the review and control results of the firewall control unit 280 as shown in FIG.

This enables administrators to easily check the frequency of use of firewall policies.

FIG. 11 is a diagram illustrating an example in which the firewall controller determines the similarity with the existing firewall policy in the process of simulating a new firewall policy, and displays the determination result of the administrator terminal.

Referring to FIG. 11, the firewall controller 280 can determine the similarity with the existing firewall policy in the process of simulating the new firewall policy.

As a result of determining the degree of similarity of the firewall control unit 280, the existing firewall policy included in the new firewall policy can be confirmed, and the existing firewall policy having the same origin and destination as the source and destination of the new firewall policy can be confirmed. You can identify existing firewall policies that have the same destinations and services as destinations and services.

The second control unit 220 may control the communication unit 270 to transmit the confirmation result of the firewall control unit 280 to the administrator terminal (not shown).

The administrator terminal (not shown) may display the confirmation result of the firewall control unit 280 as shown in FIG.

This allows the administrator to easily determine whether to introduce a new firewall policy, and can easily determine whether to introduce a new firewall policy.

FIG. 12 is a diagram illustrating an exemplary embodiment of the present invention. Referring to FIG. 12, a firewall controller examines an existing firewall policy, connects an existing first firewall policy to an existing second firewall policy, This is an example displayed by the terminal.

Referring to FIG. 12, the firewall control unit 280 may review the existing firewall policy every predetermined period.

If the firewall controller 280 determines that the existing first firewall policy and the existing second firewall policy are continuous values as a result of the examination by the firewall controller 280, the first firewall policy and the existing second firewall policy may be concatenated, It is possible to suggest a third firewall policy execution in which the existing first firewall policy and the existing second firewall policy are connected.

If the firewall control unit 280 associates the existing first firewall policy with the existing second firewall policy, the firewall control unit 280 can connect the existing first firewall policy with the existing second firewall policy, The second control unit 220 may control the communication unit 270 so that the communication unit 270 transmits a third firewall policy execution proposal to which an existing second firewall policy is linked to an administrator terminal (not shown).

As shown in FIG. 12, the administrator terminal (not shown) can display a result that the existing first firewall policy and the existing second firewall policy can be connected. In addition, the administrator terminal (not shown) may display a third firewall policy execution proposal to which the existing first firewall policy and the existing second firewall policy are connected.

Thus, the administrator can periodically check the overlap of the firewall policies every first cycle.

FIG. 13 is another example of the display of the result of the new firewall policy simulation of the firewall control unit according to an embodiment of the present invention.

Although the present invention has been described in connection with what is presently considered to be practical exemplary embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but, on the contrary, .

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, and that various modifications and changes may be made by those skilled in the art.

It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims. Therefore, disclosure methods should be considered from an illustrative point of view, not from a restrictive point of view. The scope of the present invention is defined by the appended claims rather than by the foregoing description, and all differences within the scope of equivalents thereof should be construed as being included in the present invention.

10: Generation 20: Firewall
100: generation management server 110: firstraw data collection unit
120: first control unit 130: raw data backup unit
200: control server 210: second raw data collection unit
220: second control unit 230: data storage unit
240: raw data analysis unit 250: malicious code penetration determination unit
251: malicious code information storage module 252: malicious code determination module
253: malicious code information prediction module 254: sandbox
255: malicious code analysis module 260: status information storage unit
270: communication unit 280:

Claims (8)

In a power generation company integrated management system for managing one or more power generation companies,
The power generation company integrated management system
A first raw data collection unit for collecting raw data from a generation company in real time using wire communication;
A first control unit for controlling the first raw data collection unit; And
A raw data backup unit storing the raw data;
A generation management server including a plurality of servers;
A second raw data collecting unit receiving the raw data collected by the first raw data collecting unit from the generation managing server using wireless communication;
A second control unit for controlling the second raw data collection unit;
A data storage unit for storing the raw data received by the second raw data collection unit;
A raw data analyzing unit for analyzing the raw data received by the second raw data collecting unit and recognizing the current state of the generation source from which the raw data is collected;
A malicious code penetration determination unit for determining whether the malicious code is infiltrated into the generation management server;
a situation information storage unit for storing situation information for each raw data;
And a communication unit for transmitting and receiving data to and from a predetermined administrator terminal;
One or more firewalls for blocking transmission / reception of data when the user is not a predetermined user in a data transmission / reception process between the generation management server and the control server;
/ RTI >
The control server
A firewall control unit for controlling the firewall;
Further comprising:
The raw data analysis unit
Extracting generation operation data by analyzing the raw data received from the generation management server and determining a situation corresponding to the generation operation data by using the status information for each raw data stored in the situation information storage unit, When it is determined that the situation corresponding to the generation operation data is abnormal, it is determined whether the abnormal situation occurs in the generation management server or in the control server itself,
The first control unit
The first raw data collecting unit controls not to collect the raw data from the generation company when the raw data analysis unit determines that the abnormal situation occurs in the generation company,
The second control unit
Controls the communication unit to transmit the situation corresponding to the generation operation data determined by the raw data analysis unit to the administrator terminal previously stored in the communication unit, and the abnormality occurs in the generation company or the generation management server, When the data analysis unit determines that the communication unit transmits the contents to the predetermined administrator terminal and the raw data analysis unit determines that the abnormal situation occurs in the control server itself, The malicious code penetration determination unit determines whether the malicious code has infiltrated the malicious code or not. If the malicious code penetration determination unit determines that the malicious code has infiltrated the malicious code, Content The raw data analysis unit controls the power supply of the control server to be reset when the malicious code penetration determination unit does not determine that the malicious code has infiltrated the control server, Wherein the second raw data collecting unit controls the first raw data collecting unit not to receive the raw data collected by the first raw data collecting unit. delete The method according to claim 1,
The firewall control unit
A simulation is performed on the new firewall policy received from the administrator terminal, and a problem arises in the process of performing a new firewall policy as a result of the simulation, and a new firewall policy received from the administrator terminal, The new firewall policy is compared with the existing firewall policy to determine the similarity. If the similarity determined by comparing the new firewall policy and the existing firewall policy is equal to or less than a preset first reference value, the new firewall policy is applied, The new firewall policy and the existing firewall policy are determined to be similar if the similarity degree determined by comparing the firewall policy is less than or equal to a predetermined first reference value, In any of the policies The new firewall policy and the existing firewall policy are compared with each other and the new firewall policy and the existing firewall policy are compared with each other to determine whether there is a problem When the degree of similarity exceeds a preset first reference value, it is determined whether the new firewall policy or the existing firewall policy is not favorable for data transmission and reception, The method comprising: determining an amount of use of the existing firewall policy; deleting the existing firewall policy if the used amount of the existing firewall policy is less than a second reference value;
The second control unit
Wherein the control unit controls the communication unit to transmit a problem occurring in the process of performing the new firewall policy examined by the firewall control unit to the administrator terminal. The method according to claim 1,
The malicious code penetration determination unit
A malicious code information storing module storing malicious code information;
A malicious code determination module that compares code information generated during data transmission and reception processes between the control server and the generation management server with malicious code information stored in the malicious code information storage module to determine whether the malicious code is malicious code;
When the malicious code determination module compares the code information with the malicious code information stored in the malicious code information storage module and determines that the malicious code is not a malicious code and the second control unit resets the control server, A malicious code information prediction module for predicting the code as a new malicious code and transmitting the code information estimated as a new malicious code to the sandbox if the code is not solved;
The control server executes the code using an application that performs the same function as that of the control server. If an abnormal phenomenon occurs as a result of executing the code of the application, the code is determined to be a malicious code, A sandbox to send to the module;
/ RTI >
The malicious code information storage module
When the malicious code information prediction module receives from the sandbox that the code is determined to be a malicious code, the code is set as a malicious code, and the code information set as the malicious code is stored as a malicious code Integrated management system for power generation companies. Collecting raw data in real time from a generation company using a first raw data collection unit using wire communication;
the raw data backup unit storing the raw data;
Receiving the raw data collected by the first raw data collecting unit from a generation managing server using a second raw data collecting unit wireless communication;
The data storage unit storing the raw data received by the second raw data collection unit;
analyzing the raw data received by the second raw data collecting unit to determine the current state of the power generation source from which the raw data is collected;
Determining whether the malicious code is infiltrated or not by the malicious code infiltration judging unit;
The situation information storage unit storing status information for each raw data;
Blocking data transmission / reception when one or more firewalls are not a predetermined user in the data transmission / reception process between the generation management server and the control server;
, ≪ / RTI &
Wherein the raw data analysis unit analyzes the raw data received by the second raw data collection unit and grasps the current state of the generation source from which the raw data is collected
Analyzing the raw data received by the raw data analysis unit from the generation management server to extract generation operation data;
Using the raw data-dependent status information stored in the status information storage unit to determine a status corresponding to the generation operation data of the raw data analysis unit;
Determining whether the abnormal situation occurs in the generation management server or in the control server itself when the raw data analysis unit determines that the situation corresponding to the generation operation data corresponds to an abnormal situation;
Controlling, by the first control unit, the first raw data collection unit not to collect the raw data from the generation source when the raw data analysis unit determines that the abnormal situation occurs in the generation company;
Controlling the communication unit by the second control unit so that the communication unit transmits a status corresponding to the generation operation data determined by the raw data analysis unit to the administrator terminal previously stored in the communication unit;
Controlling, by the second control unit, the communication unit such that the communication unit transmits the content to the predetermined administrator terminal when the raw data analysis unit determines that the abnormal situation occurs in the generation company or the generation management server;
If the raw data analysis unit determines that the abnormal situation occurs in the control server itself, it is determined whether the malicious code penetration determination unit has determined that the malicious code has infiltrated, ;
The second control unit controls the communication unit so that the communication unit transmits the content to the predetermined administrator terminal when the malicious code penetration determination unit determines that the malicious code penetrated the malicious code;
Controlling the second control unit to reset the power of the control server when the malicious code penetration determination unit does not determine that the malicious code has infiltrated;
If the raw data analysis unit determines that the abnormal situation has occurred in the generation management server, the second control unit controls the second raw data collection unit to prevent the second raw data collection unit from receiving the raw data collected by the firstraw data collection unit ;
The integrated management method comprising: delete 6. The method of claim 5,
If the one or more firewalls are not a predetermined user in the process of transmitting and receiving data between the generation management server and the control server,
Performing a simulation on a new firewall policy received from the administrator terminal by the firewall control unit;
Examining a problem occurring in the process of performing a new firewall policy as a result of the simulation by the firewall controller;
Comparing the new firewall policy received from the administrator terminal with the existing firewall policy that is currently being executed and determining the similarity;
Performing a new firewall policy by the firewall controller if the similarity determined by comparing the new firewall policy and the existing firewall policy is less than or equal to a preset first reference value;
If the degree of similarity determined by comparing the new firewall policy and the existing firewall policy is equal to or less than a predetermined first reference value, the firewall control unit may further analyze the new firewall policy and the portion determined to be similar to the existing firewall policy ;
If the firewall control unit determines that there is no problem even if a part of the new firewall policy and the existing firewall policy that are determined to be similar to each other is deleted as a result of the additional analysis, the firewall control unit may notify the new firewall policy and the existing firewall policy Deleting a portion determined to be similar in either one;
When the degree of similarity determined by comparing the new firewall policy and the existing firewall policy exceeds a predetermined first reference value, it is preferable to perform neither the new firewall policy nor the existing firewall policy, ;
The firewall control unit deletes a policy that the firewall control unit judges that it is not preferable to perform the new firewall policy and the existing firewall policy,
Determining a usage amount of the existing firewall policy by the firewall control unit;
If the usage amount of the existing firewall policy is less than a second reference value, the firewall control unit deletes the existing firewall policy;
The second control unit controlling the communication unit so that the communication unit transmits to the administrator terminal a problem occurring in the process of performing the new firewall policy examined by the firewall control unit;
The integrated management method comprising: 6. The method of claim 5,
If the raw data analysis unit determines that the abnormal situation occurs in the control server itself, it is determined whether the malicious code penetration determination unit has determined that the malicious code has infiltrated, The step of confirming
The malicious code information storage module storing malicious code information; and
Comparing the code information generated in the process of transmitting and receiving data between the control server and the generation management server with malicious code information stored in the malicious code information storage module to determine whether the malicious code is malicious code;
/ RTI >
The step of controlling the second control unit to reset the power of the control server when the malicious code penetration determination unit does not determine that the malicious code has infiltrated
When the malicious code determination module compares the code information with the malicious code information stored in the malicious code information storage module and determines that the malicious code is not a malicious code and the second control unit resets the control server, If it is not solved, anticipating the code as a new malicious code and transmitting the code information anticipated by the new malicious code to the sandbox of the malicious code information prediction module;
Executing the code using an application that performs the same function as the control server in the sandbox;
Determining, by the sandbox, the code as a malicious code if an anomaly occurs as a result of executing the code of the application;
Transmitting the determination content to the malicious code information prediction module by the sandbox; and
When the malicious code information prediction module receives from the sandbox that the code has been determined to be a malicious code, the malicious code information storage module sets the code as a malicious code and stores the code information set as a malicious code Storing as malicious code;
The integrated management method comprising:

Images