LU504889B1 - DCS Network Security Monitoring System - Google Patents


Info

Publication number
LU504889B1
Authority
LU
Luxembourg
Prior art keywords
abnormal
equipment
behavior
internal equipment
level
Application number
LU504889A
Other languages
French (fr)
Inventor
Xiangwen Tang
Yancheng Zhang
Yanfeng Wang
Ke Zheng
Yanming Tian
Jianshe Chen
Ruipeng Li
Shanhong Liu
Qian Zhu
Hongliang Guo
Xi Chen
Xinying Liu
Original Assignee
Huaneng Power Int Inc Jining Power Plant


Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0218 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults
    • G05B23/0243 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterised by the fault detection method dealing with either existing or incipient faults; model based detection method, e.g. first-principles knowledge model
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
    • G05B23/0286 Modifications to the monitored process, e.g. stopping operation or adapting control
    • G05B23/0289 Reconfiguration to prevent failure, e.g. usually as a reaction to incipient failure detection
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24065 Real time diagnostics
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The present invention provides a DCS network security monitoring system, and belongs to the field of network security monitoring. The system includes: a login module, which is used for granting management authority based on a control terminal and an internal login account and constructing an internal equipment tree; an anomaly recognition module, which is used for recognizing a first abnormal behavior in the DCS network and confirming an abnormal equipment in the DCS and a corresponding abnormal type; and a security protection module, which is used for carrying out security protection on an abnormal control terminal based on a recognition result of the anomaly recognition module. The present invention determines abnormal behaviors of the internal equipment from two aspects to avoid potential security hazards, thus ensuring the stable operation of a DCS system timely and effectively.

Description

DCS NETWORK SECURITY MONITORING SYSTEM
TECHNICAL FIELD
The present invention relates to the field of network security monitoring, in particular to a
DCS network security monitoring system.
BACKGROUND
A distributed control system (DCS) plays an important role in production process control across many industries, because its main and auxiliary systems are unified, its control system is single, its spare parts are universal and easy to manage, and the training of maintenance and repair personnel is relatively concentrated, which greatly reduces the operating cost of enterprises. Therefore, the scope of application of DCS has become wider and its functions have gradually become stronger.
The stable operation of a distributed control system (DCS) represents the stable operation of production. However, with the rapid development of computer technology, there are many problems in the network security protection of a DCS, which causes certain security risks and reduces the stability of operation to some extent.
Therefore, the present invention provides a DCS network security monitoring system.
SUMMARY
In order to solve the shortcomings of the prior art, the present invention provides a DCS network security monitoring system. The DCS network security monitoring system determines abnormal behaviors of internal equipment from two aspects, namely the interactive monitoring between internal equipment in the DCS system and the interactive monitoring between internal equipment in the DCS system and external equipment, and realizes the security protection of the corresponding internal equipment based on an appropriate protection mode, so as to avoid the existence of potential security hazards, thus ensuring the stable operation of the DCS system timely and effectively. The system includes:
a login module: obtaining equipment attribute information of each internal equipment in the DCS system, determining a first management authority of an internal network for the corresponding internal equipment, and constructing an internal equipment tree according to the first management authority;
an anomaly recognition module: setting an event capture tool between a control terminal and a controlled terminal in the internal equipment tree; capturing an interactive behavior between the control terminal and the controlled terminal based on the event capture tool, and locking the internal equipment with a first abnormal behavior; obtaining interactive data between each internal equipment in the internal equipment tree and an external equipment; and analyzing the interactive data to determine the internal equipment with a second abnormal behavior; and
a security protection module: when the same internal equipment has only the first abnormal behavior, locking an analysis end matching with a behavior type of the first abnormal behavior in the internal equipment tree, and analyzing the first abnormal behavior, so as to perform a first security protection for the same internal equipment; when the same internal equipment has only the second abnormal behavior, disconnecting a communication between the same internal equipment and the external equipment; and when the same internal equipment has both the first abnormal behavior and the second abnormal behavior, obtaining a combined protection mode from a type-combination mapping table according to a first abnormal type and a second abnormal type, so as to perform a second security protection for the same internal equipment.
Preferably, the login module of a DCS network security monitoring system includes: an authority granting unit: recognizing login account information on each internal equipment in the DCS system, and sending a first signal to a designated control terminal based on the internal network when recognizing that the corresponding login account is an exclusive account of the internal equipment; and the designated terminal obtains a preset authority level of the exclusive account matching with the first signal based on an authority database, and grants a first management authority to the internal equipment; and a display unit: constructing an internal equipment tree of the DCS system based on the first management authority of each internal equipment.
Preferably, the anomaly recognition module of a DCS network security monitoring system includes:
an anomaly capture unit: performing process monitoring and network monitoring on an instruction control process between the control terminal and the controlled terminal based on the event capture tool, and on a data interaction process after the controlled terminal is controlled according to the instruction, and determining an abnormal process behavior and an abnormal network behavior between the control terminal and the controlled terminal; an anomaly determining unit: analyzing the abnormal network behavior to determine a first abnormal type and a first abnormal end, and analyzing the abnormal process behavior to determine a second abnormal type and a second abnormal end; and an anomaly analysis unit: judging that the same end has its own anomaly or a network anomaly if the first abnormal type and the second abnormal type are the same anomaly, and the first abnormal end and the second abnormal end are the same end; judging that the same end has both its own anomaly and a network anomaly if the first abnormal type and the second abnormal type are not the same anomaly, but the first abnormal end and the second abnormal end are the same end; and regarding the end with abnormal behavior as the internal equipment with the first abnormal behavior.
Preferably, the anomaly recognition module of a DCS network security monitoring system further includes: an analysis unit: analyzing the interactive data to determine an access behavior and a business behavior of the external equipment to the internal equipment, and a blocking behavior of a firewall during the access of the external equipment to the internal equipment; a frequency determining unit: determining a first login frequency of each external account on the same external equipment within a preset time, and a second login frequency of the same external account on different external equipment within a preset time, according to the access behavior of the external equipment to the internal equipment; a doubt judging unit: judging that the same external account is a doubtful account when the first login frequency of the same external account is greater than a first login threshold or the second login frequency is greater than a second login threshold; an equipment determining unit: determining a first internal equipment accessed by all doubtful accounts, determining a second internal equipment with interaction risk according to all blocking behaviors, and determining a third internal equipment with abnormal business according to all business behaviors; and an equipment judging unit: judging the first internal equipment, the second internal equipment and the third internal equipment, and judging that the corresponding internal equipment is the internal equipment with the second abnormal behavior when the occurrence times of the same internal equipment are greater than or equal to 2.
Preferably, the equipment determining unit of a DCS network security monitoring system includes: a value dividing block: classifying threat values of all bugs determined by the firewall, and determining all the first bugs included in each level; a level behavior extraction block: extracting all the attack behaviors of external equipment to the firewall from all the blocking behaviors, and extracting first behaviors related to all the first bugs in the same level from all the attack behaviors, specifically, the number of levels is 3; and a risk assessment block: respectively determining the first number of the first bugs in the same level, and the second number of the first behaviors related to each first bug, and calculating an alarm level coefficient $L$:

$$L = \frac{S_1 \sum_{i_1=1}^{n_1} y_{1 i_1}\, n_{01 i_1} + S_2 \sum_{i_2=1}^{n_2} y_{2 i_2}\, n_{02 i_2} + S_3 \sum_{i_3=1}^{n_3} y_{3 i_3}\, n_{03 i_3}}{\sum_{i_1=1}^{n_1} n_{01 i_1} + \sum_{i_2=1}^{n_2} n_{02 i_2} + \sum_{i_3=1}^{n_3} n_{03 i_3}}$$

where $S_1$ represents a level weight of Level 1; $S_2$ represents a level weight of Level 2; $S_3$ represents a level weight of Level 3, and $S_1 + S_2 + S_3 = 1$; $n_1$ represents the first number of the first bugs in Level 1; $n_2$ represents the first number of the first bugs in Level 2; $n_3$ represents the first number of the first bugs in Level 3; $y_{1 i_1}$ represents an attacked risk coefficient of the $i_1$-th first bug in Level 1, $y_{2 i_2}$ represents an attacked risk coefficient of the $i_2$-th first bug in Level 2, and $y_{3 i_3}$ represents an attacked risk coefficient of the $i_3$-th first bug in Level 3; $n_{01 i_1}$ represents the second number of the first behaviors related to the $i_1$-th first bug in Level 1; $n_{02 i_2}$ represents the second number of the first behaviors related to the $i_2$-th first bug in Level 2; and $n_{03 i_3}$ represents the second number of the first behaviors related to the $i_3$-th first bug in Level 3;
calculating a risk index $P$ of firewall risk caused by all attack behaviors:

$$P = \frac{L\,(w_1 + w_2 + w_3)}{Q}$$

where $w_1$ represents a threat value of Level 1; $w_2$ represents a threat value of Level 2; $w_3$ represents a threat value of Level 3; and $Q$ represents a preset maximum threat value; and a risk block: determining a dynamic risk value of each internal equipment according to the risk index $P$ and the first management authority of each internal equipment:

$$R_j = P \cdot L_j$$

where $R_j$ represents a dynamic risk value of the $j$-th internal equipment; and $L_j$ represents an importance of the equipment corresponding to the first management authority of the $j$-th internal equipment; and screening the equipment with a dynamic risk value greater than the corresponding preset risk value from all internal equipment to be taken as the second internal equipment.
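The risk assessment block and risk block above, carried through on constructed numbers (an added example, not code from the patent): the alarm level coefficient $L$, the risk index $P$, the dynamic risk value $R_j$, and the screening of the second internal equipment. The bug levels, weights, threat values, importances and preset risk values are all assumed sample data.

```python
# Added example (not code from the patent): alarm level coefficient L,
# firewall risk index P, dynamic risk value R_j and screening of the
# "second internal equipment". All numeric inputs below are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FirstBug:
    """A bug reported by the firewall, already placed in one of the 3 threat levels."""
    bug_id: str
    level: int              # 1, 2 or 3 (output of the value dividing block)
    risk_coeff: float       # y: attacked risk coefficient of this bug
    related_behaviors: int  # n0: second number, first behaviors related to this bug


def alarm_level_coefficient(bugs: List[FirstBug], level_weights: Dict[int, float]) -> float:
    """L = (sum over levels k of S_k * sum_i y_{k,i} * n0_{k,i})
    divided by the total number of related first behaviors over all levels."""
    if abs(sum(level_weights.values()) - 1.0) > 1e-9:
        raise ValueError("level weights S1 + S2 + S3 must sum to 1")
    numerator = 0.0
    denominator = 0
    for bug in bugs:
        if bug.level not in level_weights:
            raise ValueError(f"bug {bug.bug_id} has unknown level {bug.level}")
        numerator += level_weights[bug.level] * bug.risk_coeff * bug.related_behaviors
        denominator += bug.related_behaviors
    # No attack behavior is related to any known bug: nothing to alarm on.
    return numerator / denominator if denominator else 0.0


def risk_index(alarm_coeff: float, threat_values: Dict[int, float], q_max: float) -> float:
    """P = L * (w1 + w2 + w3) / Q, Q being the preset maximum threat value."""
    if q_max <= 0:
        raise ValueError("preset maximum threat value Q must be positive")
    return alarm_coeff * sum(threat_values[k] for k in (1, 2, 3)) / q_max


def dynamic_risk_values(risk_idx: float, importance: Dict[str, float]) -> Dict[str, float]:
    """R_j = P * L_j, L_j being the importance tied to the equipment's first management authority."""
    return {dev: risk_idx * imp for dev, imp in importance.items()}


def screen_second_internal_equipment(risks: Dict[str, float],
                                     preset_risk: Dict[str, float]) -> List[str]:
    """Equipment whose dynamic risk value exceeds its own preset risk value."""
    return sorted(dev for dev, r in risks.items() if r > preset_risk[dev])


# Constructed sample: four firewall bugs spread over the three levels.
SAMPLE_BUGS = [
    FirstBug("bug-1", 1, 0.2, 4),
    FirstBug("bug-2", 1, 0.4, 1),
    FirstBug("bug-3", 2, 0.6, 2),
    FirstBug("bug-4", 3, 0.9, 3),
]
LEVEL_WEIGHTS = {1: 0.2, 2: 0.3, 3: 0.5}   # S1, S2, S3
THREAT_VALUES = {1: 1.0, 2: 2.0, 3: 3.0}   # w1, w2, w3
Q_MAX = 10.0                               # preset maximum threat value Q
# Importance L_j per internal equipment: higher management authority, higher importance.
IMPORTANCE = {"ctrl-lvl3": 3.0, "ctrl-lvl2": 2.0, "ctrl-lvl1": 1.0}
PRESET_RISK = {"ctrl-lvl3": 0.30, "ctrl-lvl2": 0.25, "ctrl-lvl1": 0.10}


def run_assessment() -> Dict[str, object]:
    """Carry the sample through the whole risk assessment block."""
    L = alarm_level_coefficient(SAMPLE_BUGS, LEVEL_WEIGHTS)   # 0.195
    P = risk_index(L, THREAT_VALUES, Q_MAX)                    # 0.117
    R = dynamic_risk_values(P, IMPORTANCE)
    return {"L": L, "P": P, "R": R,
            "second_internal_equipment": screen_second_internal_equipment(R, PRESET_RISK)}


if __name__ == "__main__":
    for key, value in run_assessment().items():
        print(key, value)
```

With these inputs the level-2 terminal stays below its preset risk value while the level-3 and level-1 terminals exceed theirs, so only those two are taken as the second internal equipment.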
Preferably, the security protection module of a DCS network security monitoring system includes: a first anomaly analysis unit: locking a first abnormal equipment matching with the first abnormal behavior in the internal equipment tree, and obtaining an equipment matching with the abnormal type combination formed by all the first abnormal behaviors from the remaining equipment in the internal equipment tree to be taken as an analysis end; constructing an abnormal chain based on the equipment position of the first abnormal equipment under the same control instruction in the internal equipment tree, the corresponding first abnormal behavior and behavior type, and the control and controlled relationship between the first abnormal equipment involved, specifically, each first abnormal equipment corresponds to a child node; marking the same behavior type in the abnormal chain to obtain a plurality of abnormal segments, specifically, the behavior types within the same abnormal segment are the same; and determining the abnormal time of each abnormal equipment with the same behavior type in the abnormal chain, and obtaining an abnormal time interval corresponding to the same behavior type according to the determination result; and a correlation analysis unit: performing correlation analysis on adjacent abnormal segments based on the abnormal time interval,
determining, from the correlation analysis results in the same abnormal chain, the segment at which correlation ceases, and reserving the first abnormal behaviors of all the first abnormal equipment located before that segment; and performing security analysis on all reserved abnormal behaviors involved in the same internal equipment based on the analysis end, so as to perform the first security protection on the corresponding same internal equipment.
Preferably, the correlation analysis unit of a DCS network security monitoring system includes: an abnormal segment analysis block: determining an absolute time difference between adjacent abnormal segments according to the abnormal time interval, and then obtaining an absolute average difference, and locking an anomaly occurrence time of the first abnormal equipment in the second segment of the adjacent abnormal segments, specifically, the adjacent abnormal segments include a first segment and a second segment, and the anomaly occurrence time of the first segment precedes that of the second segment; and moving the anomaly occurrence time forward according to the absolute average difference to obtain a to-be-judged time; and a correlation judging block: determining whether a corresponding first segment exists before the to-be-judged time, and if so, judging that there is no correlation between the current second segment and the corresponding first segment; and otherwise, judging that there is a correlation between the current second segment and the corresponding first segment.
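The abnormal segment analysis block and correlation judging block above, run over one constructed abnormal chain (an added example, not code from the patent). It assumes the absolute time difference between adjacent segments is measured from the end of the first segment to the start of the second, and reads "a first segment exists before the to-be-judged time" as the first segment having ended before that time; equipment names, behavior types and times are constructed.

```python
# Added example (not code from the patent): splitting an abnormal chain into
# abnormal segments, computing the absolute average difference, judging the
# correlation of adjacent segments and reserving the behaviors before the
# first uncorrelated segment. Times are seconds from the start of observation.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AbnormalNode:
    equipment: str        # a first abnormal equipment (one child node of the chain)
    behavior_type: str    # behavior type of its first abnormal behavior
    time: float           # anomaly occurrence time


Segment = List[AbnormalNode]


def split_into_segments(chain: List[AbnormalNode]) -> List[Segment]:
    """Mark runs of the same behavior type along the time-ordered chain;
    each run is one abnormal segment."""
    segments: List[Segment] = []
    for node in sorted(chain, key=lambda n: n.time):
        if segments and segments[-1][-1].behavior_type == node.behavior_type:
            segments[-1].append(node)
        else:
            segments.append([node])
    return segments


def abnormal_time_interval(segment: Segment) -> Tuple[float, float]:
    """Earliest and latest anomaly occurrence time of one behavior type."""
    times = [n.time for n in segment]
    return min(times), max(times)


def absolute_average_difference(segments: List[Segment]) -> float:
    """Mean absolute time difference between adjacent segments (assumed here
    as end of the earlier segment to start of the later one)."""
    if len(segments) < 2:
        return 0.0
    gaps = []
    for earlier, later in zip(segments, segments[1:]):
        _, earlier_end = abnormal_time_interval(earlier)
        later_start, _ = abnormal_time_interval(later)
        gaps.append(abs(later_start - earlier_end))
    return sum(gaps) / len(gaps)


def is_correlated(earlier: Segment, later: Segment, avg_diff: float) -> bool:
    """Move the later segment's first anomaly time forward (earlier in time)
    by the average difference to get the to-be-judged time. If the earlier
    segment already ended before that time, the pair is judged uncorrelated."""
    later_start, _ = abnormal_time_interval(later)
    to_be_judged = later_start - avg_diff
    _, earlier_end = abnormal_time_interval(earlier)
    return not earlier_end < to_be_judged


def first_uncorrelated_segment(segments: List[Segment]) -> int:
    """Index of the first segment with no correlation to its predecessor,
    or len(segments) if every adjacent pair is correlated."""
    avg_diff = absolute_average_difference(segments)
    for idx in range(1, len(segments)):
        if not is_correlated(segments[idx - 1], segments[idx], avg_diff):
            return idx
    return len(segments)


def reserve_correlated_behaviors(chain: List[AbnormalNode]) -> List[AbnormalNode]:
    """Keep the first abnormal behaviors of all equipment located before the
    segment at which correlation ceases; these are analysed together."""
    segments = split_into_segments(chain)
    cut = first_uncorrelated_segment(segments)
    return [node for seg in segments[:cut] for node in seg]


# Constructed chain: skip-level control at 0-5 s, abnormal instructions shortly
# after, then a data anomaly almost a minute later that belongs to another event.
SAMPLE_CHAIN = [
    AbnormalNode("ctrl-lvl3", "skip_level_control", 0.0),
    AbnormalNode("ctrl-lvl2", "skip_level_control", 5.0),
    AbnormalNode("ctrl-lvl1-a", "abnormal_instruction", 12.0),
    AbnormalNode("ctrl-lvl1-b", "abnormal_instruction", 15.0),
    AbnormalNode("ctrl-lvl1-c", "data_anomaly", 60.0),
    AbnormalNode("ctrl-lvl1-d", "data_anomaly", 63.0),
]


if __name__ == "__main__":
    for node in reserve_correlated_behaviors(SAMPLE_CHAIN):
        print(node.equipment, node.behavior_type, node.time)
```

On the sample the gaps are 7 s and 45 s (average 26 s); the second segment lies within 26 s of the first and is kept, while the third starts 45 s after the second ended and is cut off, so the four nodes of the first two segments are reserved.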
Preferably, the security protection module of a DCS network security monitoring system further includes: a second protection unit: determining an initial abnormal end where the second abnormal behavior exists first, and retrieving a disconnection instruction from the security database based on the abnormal type of the initial abnormal end, and issuing the disconnection instruction.
Other characteristics and advantages of the present invention will be set forth in the following description, and in part will be obvious from the description, or may be learned by practice of the present invention. The objectives and other advantages of the present invention can be realized and obtained by the structure particularly pointed out in the written specification, claims and attached drawings.
The technical solutions of the present invention will be described in further detail below with reference to the attached drawings and examples.
BRIEF DESCRIPTION OF THE DRAWINGS
The attached drawings are provided for a further understanding of the present invention and constitute a part of the specification; together with the examples of the present invention, they serve to explain the present invention and do not limit the present invention. Among them:
FIG.1 is a schematic diagram of a DCS network security monitoring system in the present invention;
FIG.2 is a schematic diagram of a first control authority in the present invention;
FIG.3 is a schematic diagram of an internal equipment tree construction in the present invention; and
FIG.4 is a schematic diagram of an abnormal chain and an abnormal segment constructed in the present invention.
DETAILED DESCRIPTION
Preferred examples of the present invention will be described below with reference to the attached drawings, and it should be understood that the preferred examples described here are only used to illustrate and explain the present invention, and are not used to limit the present invention.
Example 1
As shown in FIG.1, the present invention provides a DCS network security monitoring system, and the DCS network security monitoring system includes:
a login module: obtaining equipment attribute information of each internal equipment in the DCS system, determining a first management authority of an internal network for the corresponding internal equipment, and constructing an internal equipment tree according to the first management authority;
an anomaly recognition module: setting an event capture tool between a control terminal and a controlled terminal in the internal equipment tree; capturing an interactive behavior between the control terminal and the controlled terminal based on the event capture tool, and locking the internal equipment with a first abnormal behavior; obtaining interactive data between each internal equipment in the internal equipment tree and an external equipment; and analyzing the interactive data to determine the internal equipment with a second abnormal behavior; and
a security protection module: when the same internal equipment has only the first abnormal behavior, locking an analysis end matching with a behavior type of the first abnormal behavior in the internal equipment tree, and analyzing the first abnormal behavior, so as to perform a first security protection for the same internal equipment; when the same internal equipment has only the second abnormal behavior, disconnecting a communication between the same internal equipment and the external equipment; and when the same internal equipment has both the first abnormal behavior and the second abnormal behavior, obtaining a combined protection mode from a type-combination mapping table according to a first abnormal type and a second abnormal type, so as to perform a second security protection for the same internal equipment.
In this example, different control terminals of the DCS system correspond to different internal login accounts, and the corresponding management authority can only be obtained by logging in with the corresponding login account at the control terminal; if the control terminal does not match the login account, a login failure is displayed at the control terminal, and if the login fails many times, this is treated as the first abnormal behavior, at which time the corresponding equipment is locked as an internal equipment with the first abnormal behavior.
After the login is successful, the control terminal sends a first signal to a designated control terminal, the first management authorities corresponding to different control terminals are determined based on the data stored in the authority database in the designated control terminal, and a first management authority is granted to the control terminal sending the first signal;
In this example, the management authority in the DCS system is shown in FIG.2; the control terminals of the DCS system are divided into N levels, the first-level control terminal has the lowest management authority and only controls the equipment in the production process, while the n-th-level control terminal has the highest management authority and controls the subordinate terminals to cooperate; under normal circumstances, only adjacent control levels can perform direct control and direct data transmission, for example, the first-level control terminal only has the function of data transmission to the second-level control terminal, the second-level control terminal directly controls the connected first-level control terminal, and the third-level control terminal indirectly controls the first-level control terminal by controlling the second-level control terminal, and there is no connection among terminals of the same management level. When there is an abnormal control terminal, the superior normal control terminal can control the abnormal control terminal beyond its authority.
In this example, an internal equipment tree is constructed based on the management authority levels of the internal control terminals in DCS system, and the internal equipment tree contains hierarchical control relationships between different management authority levels, and between equipment (control terminals) corresponding to high management authority levels and equipment (controlled terminals) corresponding to low management authority levels. The highest control terminal constructs an internal equipment tree, as shown in FIG. 3; control terminals of different management levels display the equipment tree composed of themselves and their subordinate equipment, and the higher the management authority, the more nodes in the internal equipment tree are displayed;
In this example, event capture tools, i.e., firewalls, exist between control terminals of different management levels and the subordinate control terminals directly controlled by them, so as to monitor behaviors among different management levels, such as the firewalls between the second-level control terminal and its directly connected first-level control terminal are to monitor behaviors between the first-level control terminal and second-level control terminal, recognize abnormal traffic and unauthorized access behaviors during transmission, monitor control instructions of the superior control terminal, and recognize skip-level control behaviors and abnormal access behaviors, thus recognizing abnormal terminals.
In this example, by analyzing internal equipment and the external access behavior of external equipment, the doubtful account in the external login accounts, the abnormal business in the interactive data, and the internal equipment with risk value exceeding the preset threshold are determined, and then the internal equipment with the second abnormal behavior is recognized.
In this example, the DCS system divides the abnormal terminals into three parts based on the abnormal judgment result: internal equipment with only the first abnormal behavior, internal equipment with only the second abnormal behavior, and internal equipment with both the first abnormal behavior and the second abnormal behavior;
According to different abnormal terminal types and actual abnormal problems, the preset security measures in the database are matched and implemented to ensure the network security of DCS system;
When both the first abnormal behavior and the second abnormal behavior exist, a first matching set is obtained by matching from the security database (i.e., the type-combination mapping table) based on the first abnormal behavior and its abnormal type, and a second matching set is obtained by matching from the first matching set based on the second abnormal behavior; this second matching set is the security protection mode.
In this example, the analysis end is a normal control terminal without abnormal behavior in the internal equipment tree;
In this example, the first security protection is to protect the internal equipment with only the first abnormal behavior in sequence according to the abnormal occurrence sequence from the initial abnormal equipment, and the second security protection is to protect the internal equipment with the first abnormal behavior and the second abnormal behavior and the internal equipment with only the second abnormal behavior.
The technical solution has the following beneficial effects: after the first management authority is granted to the internal equipment, the accuracy of results of monitoring abnormal behavior is determined by monitoring and calculating different data, and the problems in DCS system are solved in different ways by recognizing different abnormal behaviors, thus ensuring the stable operation of DCS system.
Example 2
The present invention provides a DCS network security monitoring system, and its login module includes: an authority granting unit: recognizing login account information on each internal equipment in the DCS system, and sending a first signal to a designated control terminal based on the internal network when recognizing that the corresponding login account is an exclusive account of the internal equipment; and the designated terminal obtains a preset authority level of the exclusive account matching with the first signal based on an authority database, and grants a first management authority to the internal equipment; and a display unit: constructing an internal equipment tree of the DCS system based on the first management authority of each internal equipment.
In this example, each equipment in DCS system has a corresponding internal login account; when the internal login account on an equipment is the corresponding account of the equipment, the internal login account can be successfully logged in; after the login is successful, the internal equipment sends a specific signal to the designated control terminal, and the control terminal matches from the preset database based on the received specific signal so as to determine the first management authority level corresponding to the specific signal, and then grants the corresponding management authority to the internal equipment.
In this example, after the first management authority is granted, the management authority of the internal equipment directly connected on the network is determined, and an internal equipment tree is constructed and displayed based on the determination result of the management authority so as to show the management relationship of DCS system.
The technical solution has the following beneficial effects: by strictly controlling the login account at the control terminal level, the reliability of control terminal is ensured and the internal anomaly of DCS network caused by people can be effectively prevented; by constructing the internal equipment tree, the working condition and abnormal behavior of the subordinate controlled terminal can be effectively monitored.
Example 3
The present invention provides a DCS network security monitoring system, and its anomaly recognition module includes: an anomaly capture unit: performing process monitoring and network monitoring on an instruction control process between the control terminal and the controlled terminal based on the event capture tool, and on a data interaction process after the controlled terminal is controlled according to the instruction, and determining an abnormal process behavior and an abnormal network behavior between the control terminal and the controlled terminal;
an anomaly determining unit: analyzing the abnormal network behavior to determine a first abnormal type and a first abnormal end, and analyzing the abnormal process behavior to determine a second abnormal type and a second abnormal end; and an anomaly analysis unit: judging that the same end has its own anomaly or a network anomaly if the first abnormal type and the second abnormal type are the same anomaly, and the first abnormal end and the second abnormal end are the same end; judging that the same end has both its own anomaly and a network anomaly if the first abnormal type and the second abnormal type are not the same anomaly, but the first abnormal end and the second abnormal end are the same end; and regarding the end with abnormal behavior as the internal equipment with the first abnormal behavior.
In this example, the event capture tool determines the instruction transmission from the control terminal to the controlled terminal, and recognizes the anomaly of the controlled terminal performing the received instructions for data transmission and the anomaly existing in the data transmission process;
In this example, abnormal process behaviors include abnormal control instructions sent by the control terminal, and abnormal behaviors after the controlled terminal executes the control instructions;
In this example, abnormal network behaviors include: data anomaly in the data transmission process from the controlled terminal to the control terminal, unauthorized access behavior of the controlled terminal to the control terminal, abnormal access behavior of the control terminal to the controlled terminal, and unauthorized control behavior of a control terminal whose management authority is not adjacent to that of the controlled terminal; for example, when no abnormal behavior has occurred, a control behavior of the third-level control terminal or above towards the first-level control terminal belongs to unauthorized control.
In this example, after it is determined that there is abnormal network behavior, the abnormal type of abnormal network behavior is determined, and the abnormal beginning end, that is, the first abnormal end, is determined based on the recognition result. The abnormal end is monitored to confirm the occurrence end of second abnormal behavior and the second abnormal type, and if the first abnormal end has the second abnormal behavior and the second abnormal type is the same as the first abnormal type, then there is a self anomaly or a network anomaly; if the first abnormal end has the second abnormal behavior and the second abnormal type is different from the first abnormal type, then it means that there are both a self anomaly and a network anomaly.
In this example, an initial end with the same first abnormal behavior is determined, and if the initial end has a second abnormal behavior, then it means that the first abnormal behavior and the second abnormal behavior of the initial end are the same anomaly;
The technical solution has the following beneficial effects: the abnormal process behavior and abnormal network behavior among different management levels of equipment in DCS system are monitored, so that the anomaly in DCS system can be quickly and effectively recognized, the causes of network anomaly can be found out timely, thus ensuring the overall security of DCS network.
Example 4 the present invention provides a DCS network security monitoring system, and its anomaly recognition module further includes: an analysis unit: analyzing the interactive data to determine an access behavior and a business behavior of the external equipment to the internal equipment, and a blocking behavior of a firewall during the access of the external equipment to the internal equipment; a frequency determining unit: determining a first login frequency of each external account on the same external equipment within a preset time, and a second login frequency of the same external account on the different external equipment within a preset time according to the access behavior of the external equipment to the internal equipment; a doubt judging unit: judging that the same external account is a doubtful account when the first login frequency of the same external account is greater than a first login threshold or the second login frequency is greater than a second login threshold; an equipment determining unit: determining a first internal equipment accessed by all doubtful accounts, determining a second internal equipment with interaction risk according to all blocking behaviors, and determining a third internal equipment with abnormal business according to all business behaviors; and an equipment judging unit: judging the first internal equipment, the second internal equipment and the third internal equipment, and judging that the corresponding internal equipment is the internal equipment with the second abnormal behavior when the occurrence 504889 times of the same internal equipment are greater than or equal to 2.
In this example, the equipment determining unit includes: a value dividing block: classifying threat values of all bugs determined by the firewall, and determining all the first bugs included in each level; a level behavior extraction block: extracting all the attack behaviors of external equipment to the firewall from all the blocking behaviors, and extracting first behaviors related to all the first bugs in the same level from all the attack behaviors, specifically, the number of levels is 3; a risk assessment block: respectively determining the first number of the first bugs in the same level, and the second number of the first behaviors related to each first bug, and calculating an alarm level coefficient L:

$$L=\frac{S_1\sum_{i_1=1}^{n_1} y1_{i_1}\,n01_{i_1}+S_2\sum_{i_2=1}^{n_2} y2_{i_2}\,n02_{i_2}+S_3\sum_{i_3=1}^{n_3} y3_{i_3}\,n03_{i_3}}{\sum_{i_1=1}^{n_1} n01_{i_1}+\sum_{i_2=1}^{n_2} n02_{i_2}+\sum_{i_3=1}^{n_3} n03_{i_3}}$$

where S1 represents a level weight of Level 1; S2 represents a level weight of Level 2; S3 represents a level weight of Level 3, and S1+S2+S3=1; n1 represents the first number of the first bugs in Level 1; n2 represents the first number of the first bugs in Level 2; n3 represents the first number of the first bugs in Level 3; y1_{i1} represents an attacked risk coefficient of the i1-th first bug in Level 1, y2_{i2} represents an attacked risk coefficient of the i2-th first bug in Level 2, and y3_{i3} represents an attacked risk coefficient of the i3-th first bug in Level 3; n01_{i1} represents the second number of the first behaviors related to the i1-th first bug in Level 1; n02_{i2} represents the second number of the first behaviors related to the i2-th first bug in Level 2; and n03_{i3} represents the second number of the first behaviors related to the i3-th first bug in Level 3; calculating a risk index P of firewall risk caused by all attack behaviors:

$$P=L\left(1+\frac{\max(w_1,w_2,w_3)}{Q}\right)$$

where w1 represents a threat value of Level 1; w2 represents a threat value of Level 2; w3 represents a threat value of Level 3; and Q represents a preset maximum threat value; and a risk block: determining a dynamic risk value of each internal equipment according to the risk index P and the first management authority of each internal equipment:

$$R_j=P\cdot L_j$$

where Rj represents a dynamic risk value of the j-th internal equipment; and Lj represents an importance of an equipment corresponding to the first management authority of the j-th internal equipment; and screening an equipment with the dynamic risk value greater than the corresponding preset risk value from all internal equipment to be taken as the second internal equipment.
In this example, the external login account can't control the internal equipment, the business behavior refers to the internal equipment's access to external equipment or data query, and the blocking behavior refers to the interception behavior of firewall between internal equipment and external equipment to the access behavior of external equipment without external login account and the external equipment's attack behavior to the firewall;
In this example, the access behavior can be logging in and logging out of the external account information through the external equipment; if the same external account is captured to log in to the external equipment 1 for 10 times within 10 minutes, and the external equipment 1 is accessed for 30 times within 10 minutes, and the corresponding first login frequency is 1/3, and at this time, the first login threshold is 1/6, so that the corresponding account is regarded as a doubtful account;
The login state of the same external account on different external equipment is determined based on account login address, and if the same external account is captured to be logged in on four different equipment within one hour, the corresponding second login frequency is 4, and at this time, the second login threshold is 3, so that the corresponding account is regarded as a doubtful account;
The above-mentioned marked account is an account threatening the internal equipment, that is, a doubtful account, and the first internal equipment accessed by the doubtful account is determined;
In this example, a firewall exists between the DCS network and the external network so as to monitor the malicious behaviors of the external network; after the firewall suffers external attack behaviors, the bugs existing in the firewall and the attack bugs of external attack behaviors are determined as the first bugs, and the threats of all attack behaviors to the firewall in a certain period of time are determined; specifically, the weight of the first behavior corresponding to Level 1 is set to 0.2, the weight of the first behavior corresponding to Level 2 is set to 0.3, and the weight of the first behavior corresponding to Level 3 is set to 0.5; the attacked risk coefficient of the i1-th first bug in Level 1 is 1, the attacked risk coefficient of the i2-th first bug in Level 2 is 4, and the attacked risk coefficient of the i3-th first bug in Level 3 is 9;
When the risk index of external attack behaviors on the firewall exceeds the preset threshold, the risk value of internal equipment connected with external equipment is determined based on the firewall risk index and the first management authority; for a given firewall risk index, the higher the first management authority level, the more important the corresponding internal equipment is, that is, the importance of the first-level internal equipment is L1=1.0, the importance of the second-level internal equipment can be expressed as L2=1.1, and similarly, the importance of the N-th-level internal equipment can be expressed as
LN=1+(N-1)/10;
The risk value of internal equipment indicates the possibility that the internal equipment is abnormal, and when the risk value of internal equipment exceeds the preset risk value, that is,
R_standard = LN + 0.1, it indicates that the internal equipment is likely to have a second abnormal behavior;
The business of the control terminal connected to the external network is recognized, and the control terminal with abnormal business is recognized as the third internal equipment.
In this example, the internal equipment 1 occurs for two times, the internal equipment 2 occurs for three times, and the internal equipment 3 occurs for one time, and at this time, the internal equipment 1 and the internal equipment 2 are regarded as doubtful equipment.
The technical solution has the following beneficial effects: the access behavior and business behavior of external network and the firewall blocking behavior are recognized, the internal equipment with the second abnormal behavior in DCS system is recognized by determining the threat of the external network to each internal equipment, so that the accuracy of the recognition result of the internal equipment with the second abnormal behavior is improved, and the system can determine and handle the DCS network anomaly caused by the external network timely, thus ensuring the safe operation of DCS system.
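The doubtful-account thresholds, the alarm level coefficient, the risk index, the dynamic risk value and the final occurrence vote of Example 4, carried through in Python as an added example that is not code from the patent. It uses the numbers the text gives (1/6 and 3 as the login thresholds, level weights 0.2/0.3/0.5, attacked risk coefficients 1/4/9, importance L_N = 1 + (N-1)/10 and preset risk value L_N + 0.1); the bug/behavior counts, the three threat values and Q = 10 are constructed, and the weighted-mean form of L, the product forms P = L(1 + max w / Q) and R_j = P * L_j follow my reading of the patent's formulas and are assumptions.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Thresholds and weights taken from the worked numbers in the text.
FIRST_LOGIN_THRESHOLD = 1 / 6    # logins per access on one external equipment
SECOND_LOGIN_THRESHOLD = 3       # distinct external equipment within the preset time
LEVEL_WEIGHTS = (0.2, 0.3, 0.5)  # S1, S2, S3 for Levels 1..3; they sum to 1


def is_doubtful_account(logins_on_device: int, accesses_on_device: int,
                        distinct_devices: int) -> bool:
    """Doubt judging unit: first frequency = logins / accesses on the same external
    equipment; second frequency = number of different external equipment the same
    account was logged in on. Exceeding either threshold marks the account doubtful."""
    first_frequency = logins_on_device / accesses_on_device
    second_frequency = distinct_devices
    return first_frequency > FIRST_LOGIN_THRESHOLD or second_frequency > SECOND_LOGIN_THRESHOLD


# One level of first bugs: (y, n0) pairs, y = attacked risk coefficient of the bug,
# n0 = number of first behaviors related to that bug.
Level = Sequence[Tuple[float, int]]


def alarm_level_coefficient(levels: Sequence[Level],
                            weights: Sequence[float] = LEVEL_WEIGHTS) -> float:
    """Assumed form: L = sum_k S_k * sum_i(y_ki * n0_ki) / sum_k sum_i n0_ki."""
    numerator = sum(s * sum(y * n0 for y, n0 in level) for s, level in zip(weights, levels))
    denominator = sum(n0 for level in levels for _, n0 in level)
    return numerator / denominator if denominator else 0.0


def risk_index(alarm_coefficient: float, threat_values: Sequence[float], q_max: float) -> float:
    """Assumed form: P = L * (1 + max(w1, w2, w3) / Q), Q = preset maximum threat value."""
    return alarm_coefficient * (1 + max(threat_values) / q_max)


def importance(authority_level: int) -> float:
    """L_N = 1 + (N - 1) / 10: first-level equipment is 1.0, second-level 1.1, ..."""
    return 1 + (authority_level - 1) / 10


def dynamic_risk(risk_idx: float, authority_level: int) -> float:
    """Assumed form: R_j = P * L_j for the j-th internal equipment."""
    return risk_idx * importance(authority_level)


def has_interaction_risk(risk_idx: float, authority_level: int) -> bool:
    """Preset risk value R_standard = L_N + 0.1; exceeding it marks the equipment
    as second internal equipment (interaction risk)."""
    return dynamic_risk(risk_idx, authority_level) > importance(authority_level) + 0.1


def second_abnormal_equipment(first: Sequence[str], second: Sequence[str],
                              third: Sequence[str]) -> List[str]:
    """Equipment judging unit: count in how many of the three sets each internal
    equipment occurs; two or more occurrences means second abnormal behavior."""
    occurrences = Counter(e for group in (first, second, third) for e in set(group))
    return sorted(e for e, n in occurrences.items() if n >= 2)


def demo() -> Dict[str, object]:
    """Runs the numbers given in the text plus constructed bug/behavior counts."""
    # 10 logins out of 30 accesses within 10 minutes -> 1/3 > 1/6: doubtful.
    account_a = is_doubtful_account(10, 30, 1)
    # Logged in on 4 different external equipment within one hour -> 4 > 3: doubtful.
    account_b = is_doubtful_account(1, 30, 4)
    # Constructed: one Level-1 bug (y=1) with 2 related behaviors, one Level-2 bug
    # (y=4) with 1, one Level-3 bug (y=9) with 1.
    levels = ([(1, 2)], [(4, 1)], [(9, 1)])
    L = alarm_level_coefficient(levels)                    # (0.2*2 + 0.3*4 + 0.5*9) / 4
    P = risk_index(L, threat_values=(3, 5, 8), q_max=10)   # constructed w1..w3 and Q
    # Occurrence counts from the text: equipment 1 twice, 2 three times, 3 once.
    flagged = second_abnormal_equipment(["eq1", "eq2"], ["eq2"], ["eq1", "eq2", "eq3"])
    return {"account_a": account_a, "account_b": account_b, "L": L, "P": P,
            "eq2_level2_risky": has_interaction_risk(P, 2), "flagged": flagged}


if __name__ == "__main__":
    print(demo())
```

Each unit of the claim maps to one function, so the thresholds can be tuned per site without touching the vote in `second_abnormal_equipment`; the vote deduplicates each set first so that one equipment listed twice in the same set does not count as two occurrences.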
Example 5
The present invention provides a DCS network security monitoring system, and its security protection module includes: a first anomaly analysis unit: locking a first abnormal equipment matching with the first abnormal behavior in the internal equipment tree, and obtaining an equipment matching with the abnormal type combination formed by all the first abnormal behaviors from the remaining equipment in the internal equipment tree to be taken as an analysis end, constructing an abnormal chain based on the equipment position of the first abnormal equipment under the same control instruction in the internal equipment tree, the corresponding first abnormal behavior and behavior type, and the control and controlled relationship between the first abnormal equipment involved, specifically, each first abnormal equipment corresponds to a child node; marking the same behavior type in the abnormal chain to obtain a plurality of abnormal segments, specifically, the behavior types of the same abnormal segment are the same; and determining abnormal time of an abnormal equipment with the same behavior type in the abnormal chain, and obtaining an abnormal time interval corresponding to the same behavior type according to the determination result; and a correlation analysis unit: performing correlation analysis on adjacent abnormal segments based on the abnormal time interval, determining a segment starting having no correlation based on the correlation analysis results in the same abnormal chain, and reserving the first abnormal behaviors of all the first abnormal equipment in the front of the segment starting having no correlation; and performing security analysis on all reserved abnormal behaviors involved in the same internal equipment based on the analysis end to perform the first security protection on the corresponding same internal equipment.
The present invention provides a DCS network security monitoring system, and its correlation analysis unit includes: an abnormal segment analysis block: determining an absolute time difference between adjacent abnormal segments according to the abnormal time interval, and then obtaining an absolute average difference, and locking an anomaly occurrence time of the first abnormal equipment in the second segment of adjacent abnormal segments, specifically, the adjacent abnormal segments include the first segment and the second segment, and the anomaly occurrence time of the first segment is earlier than that of the second segment; and moving the anomaly occurrence time forward according to the absolute average difference to obtain the to-be-judged time; and a correlation judging block: determining whether a corresponding first segment exists before the to-be-judged time, and if so, judging that there is no correlation between the current second segment and the corresponding first segment; and otherwise, judging that there is a correlation between the current second segment and the corresponding first segment.
In this example, after the first abnormal equipment in the equipment tree is determined, an analysis end is matched and determined among the remaining normal equipment, the analysis end is connected with the abnormal end, and the analysis end can obtain information of all internal equipment with the first abnormal behavior; in the process of analysis end determination, the analysis end is obtained by screening after matching each of the remaining normal ends with the abnormal type combination of abnormal behavior, for example, when there are first abnormal behaviors 1, 2 and 3, the corresponding abnormal types are a1, a2 and a3 respectively, the abnormal combination solved by normal end 1 is a1a2, and the abnormal combination solved by normal end 2 is a1a2a3; at this time, the normal end 2 is regarded as the analysis end, and abnormal types that can be analyzed are preset in advance for each equipment end.
In this example, the same control instruction refers to the abnormal situation that may occur in different equipment triggered after the instruction is issued to an equipment in the corresponding internal equipment tree, that is, a basis for the rationality analysis of the equipment that may have abnormal behavior is provided under the instruction.
In this example, after the analysis end is determined, an abnormal chain is established based on the abnormal end and its control and controlled relationship; the abnormal chain is composed of a plurality of child nodes, and each child node represents an internal equipment forming the abnormal chain; abnormal segments are determined by arranging according to the control and controlled relationship, as shown in FIG. 4, the black part represents the abnormal segment 1 formed by abnormal type 1 in the first abnormal behavior, the white part represents the abnormal segment 2 formed by abnormal type 2 in the first abnormal behavior, the first abnormal behavior of abnormal type 2 starts from node 9 and occurs on node 10 and node 11 in sequence, with the upper node 10 controlling the lower node 9 and node 11;
After determining the abnormal segments, the abnormal time interval when the child nodes in the same abnormal end recognize the same abnormal behavior is determined, for example, the time when the child node 1 recognizes the abnormal behavior is t1, the time when the child node 2 recognizes the same abnormal behavior is t2, and the abnormal time interval is x1=t2-t1, and t2>t1;
In this example, the occurrence sequence of adjacent abnormal segments is determined, that is, the earliest time when abnormal equipment recognizes abnormal behaviors in abnormal segments is compared, and the earlier time when abnormal behaviors are recognized indicates that the abnormal segment occurs first. The absolute time difference between adjacent abnormal segments based on the occurrence sequence of abnormal segments is determined, that is, the absolute value of the abnormal time interval difference; for example, the abnormal time interval of abnormal segment 1 is {x1, x2, x3, ..., x6}, the abnormal time interval of abnormal segment 2 is {z1, z2, z3}, and the absolute value of the abnormal time interval difference between abnormal segment 1 and adjacent abnormal segment 2 is |(x1+x2+x3+...+x6)/6 - (z1+z2+z3)/3|, and absolute values of abnormal time interval differences of all adjacent abnormal segments are obtained; when there are only two abnormal segments, the corresponding absolute average difference is the absolute time difference; when there are more than two abnormal segments, all absolute time differences are averaged to obtain the absolute average difference, and t is used to represent the absolute time difference, where x1, x2, x3, ..., x6 respectively represent the time differences between node 1 and node 2, node 2 and node 3, node 2 and node 4, node 3 and node 6, node 6 and node 7, and node 6 and node 8; z1, z2 and z3 respectively represent the time differences between node 3 and node 10, node 10 and node 9, and node 10 and node 11.
The time t_end when the child node adjacent to the next abnormal segment in the abnormal segment occurring earlier recognizes the abnormal behavior is determined, and time t is shifted forward to obtain time T = t_end - t; if another first abnormal behavior does not occur within the time T, it means that the adjacent abnormal segments are correlated, and if another first abnormal behavior occurs within the time T, it means that there is no correlation relationship between the abnormal segments;
According to conventional cognition, if two abnormal segments have different anomalies triggered by the same factor, there is a secondary relationship between them in time, that is, whether there is correlation can be judged by shifting the time forward.
The abnormal segments with correlation are reserved, the occurrence sequence in the abnormal segments with correlation is determined based on the recognition time, and the first security protection is given to the abnormal segments in sequence based on the occurrence sequence and abnormal types of the abnormal segments.
The technical solution has the following beneficial effects: the first abnormal behavior in
DCS network is recognized and the correlation and occurrence sequence of different abnormal behaviors are determined, so that the first abnormal behavior in DCS system is protected from the source to reduce the possibility of the same abnormal behavior happening again, thus ensuring the safe operation of DCS network.
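The time-shift correlation check of Example 5 (the abnormal time intervals x1..x6 and z1..z3, their absolute average difference, and the to-be-judged time T = t_end - t) carried through in Python, as an added example that is not part of the patent. The chain topology follows the FIG. 4 description in the text; the recognition times and the extra third-type behavior are constructed sample values, and "another first abnormal behavior occurring within the time T" is read here as any other abnormal recognition falling in the window (t_end - t, t_end], which is an assumption about the patent's wording.

```python
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample chain following the FIG. 4 description: abnormal segment 1
# (behavior type 1) spans nodes 1,2,3,4,6,7,8 and segment 2 (type 2) spans
# nodes 10,9,11, hanging off node 3. Recognition times (seconds) are invented.
RECOGNITION_TIME: Dict[int, float] = {1: 0.0, 2: 2.0, 3: 4.0, 4: 5.0, 6: 7.0,
                                      7: 9.0, 8: 10.0, 10: 8.0, 9: 9.0, 11: 11.0}
# (controlling node, controlled node) pairs whose time differences give x1..x6 and z1..z3.
SEGMENT_1_EDGES: List[Tuple[int, int]] = [(1, 2), (2, 3), (2, 4), (3, 6), (6, 7), (6, 8)]
SEGMENT_2_EDGES: List[Tuple[int, int]] = [(3, 10), (10, 9), (10, 11)]
# Constructed: a first abnormal behavior of a third type elsewhere in the tree,
# used to show the "no correlation" outcome.
OTHER_BEHAVIOR_TIMES: List[float] = [3.9]


def abnormal_time_intervals(edges, times) -> List[float]:
    """Abnormal time interval per control edge: t(controlled) - t(controlling), as x1 = t2 - t1."""
    return [times[child] - times[parent] for parent, child in edges]


def segment_start(edges, times) -> float:
    """Earliest recognition time in a segment; the earlier segment is taken to occur first."""
    return min(times[n] for edge in edges for n in edge)


def absolute_time_difference(intervals_a, intervals_b) -> float:
    """|mean(x1..x6) - mean(z1..z3)| for two adjacent abnormal segments."""
    return abs(mean(intervals_a) - mean(intervals_b))


def absolute_average_difference(adjacent_differences) -> float:
    """Two segments: the single absolute time difference; more: the average of them all."""
    return mean(adjacent_differences)


def to_be_judged_time(t_end: float, t: float) -> float:
    """Shift t_end forward (earlier) by the absolute average difference t."""
    return t_end - t


def segments_correlated(t_end: float, t: float, other_behavior_times) -> bool:
    """Correlation judging: no other first abnormal behavior inside (t_end - t, t_end]
    means the adjacent segments are correlated (assumed reading of the rule)."""
    T = to_be_judged_time(t_end, t)
    return not any(T < ts <= t_end for ts in other_behavior_times)


def analyze_chain() -> Dict[str, object]:
    x = abnormal_time_intervals(SEGMENT_1_EDGES, RECOGNITION_TIME)
    z = abnormal_time_intervals(SEGMENT_2_EDGES, RECOGNITION_TIME)
    # Only two segments here, so the absolute average difference is the single difference.
    t = absolute_average_difference([absolute_time_difference(x, z)])
    # Node 3 is the child node of the earlier segment adjacent to segment 2.
    t_end = RECOGNITION_TIME[3]
    return {
        "x": x, "z": z, "t": t, "T": to_be_judged_time(t_end, t),
        "segment_1_occurs_first": segment_start(SEGMENT_1_EDGES, RECOGNITION_TIME)
        < segment_start(SEGMENT_2_EDGES, RECOGNITION_TIME),
        "correlated_without_interference": segments_correlated(t_end, t, []),
        "correlated_with_interference": segments_correlated(t_end, t, OTHER_BEHAVIOR_TIMES),
    }


if __name__ == "__main__":
    for key, value in analyze_chain().items():
        print(f"{key}: {value}")
```

With the constructed times, mean(x) = 2.5 and mean(z) = 8/3, so t is about 0.17 s and the window before t_end = 4.0 s is very narrow; a behavior recognized at 3.9 s falls inside it and breaks the correlation, while anything earlier leaves the two segments correlated and both are reserved for the first security protection.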
Obviously, those skilled in the art can make various modifications and variations to the present invention without departing from the spirit and scope of the present invention. Thus, it is intended that the present invention include these modifications and variations provided that they are within the scope of the claims and their equivalents.

Claims (8)

1. A DCS network security monitoring system, comprising: a login module: obtaining equipment attribute information of each internal equipment in the DCS system, determining a first management authority of an internal network for the corresponding internal equipment, and constructing an internal equipment tree according to the first management authority; an anomaly recognition module: setting an event capture tool between a control terminal and a controlled terminal in the internal equipment tree; capturing an interactive behavior between the control terminal and the controlled terminal based on the event capture tool, and locking the internal equipment with a first abnormal behavior; obtaining interactive data between each internal equipment in the internal equipment tree and an external equipment; analyzing the interactive data to determine the internal equipment with a second abnormal behavior; and a security protection module: when the same internal equipment has only the first abnormal behavior, locking an analysis end matching with a behavior type of the first abnormal behavior in the internal equipment tree, and analyzing the first abnormal behavior, so as to perform a first security protection for the same internal equipment; when the same internal equipment has only the second abnormal behavior, disconnecting a communication between the same internal equipment and the external equipment; and when the same internal equipment has both the first abnormal behavior and the second abnormal behavior, obtaining a combined protection mode from a type-combination mapping table according to a first abnormal type and a second abnormal type, so as to perform a second security protection for the same internal equipment.
2. The DCS network security monitoring system according to claim 1, wherein the login module comprises: an authority granting unit: recognizing login account information on each internal equipment in the DCS system, and sending a first signal to a designated control terminal based on the internal network when recognizing that the corresponding login account is an exclusive account of the internal equipment; and the designated terminal obtains a preset authority level of the exclusive account matching with the first signal based on an authority database, and grants a first management authority to the internal equipment; and a display unit: constructing an internal equipment tree of the DCS system based on a first management authority of each internal equipment.
3. The DCS network security monitoring system according to claim 1, wherein the anomaly recognition module comprises: an anomaly capture unit: performing process monitoring and network monitoring on an instruction control process between the control terminal and the controlled terminal based on the event capture tool, and a data interaction process after the controlled terminal is controlled according to the instruction, and determining an abnormal process behavior and an abnormal network behavior between the control terminal and the controlled terminal; an anomaly determining unit: analyzing the abnormal network behavior to determine a first abnormal type and a first abnormal end, and analyzing the abnormal process behavior to determine a second abnormal type and a second abnormal end; and an anomaly analysis unit: judging that the same end has its own anomaly or network anomaly if the first abnormal type and the second abnormal type are the same anomaly, and the first abnormal end and the second abnormal end are the same end; judging that the same end has both its own anomaly and network anomaly if the first abnormal type and the second abnormal type are not the same anomaly, but the first abnormal end and the second abnormal end are the same end; and regarding the end with abnormal behavior as the internal equipment with the first abnormal behavior.
4. The DCS network security monitoring system according to claim 1, wherein the anomaly recognition module further comprises: an analysis unit: analyzing the interactive data to determine an access behavior and a business behavior of the external equipment to the internal equipment, and a blocking behavior of a firewall during the access of the external equipment to the internal equipment;
a frequency determining unit: determining a first login frequency of each external account on the same external equipment within a preset time, and a second login frequency of the same external account on the different external equipment within a preset time according to the access behavior of the external equipment to the internal equipment; a doubt judging unit: judging that the same external account is a doubtful account when the first login frequency of the same external account is greater than a first login threshold or the second login frequency is greater than a second login threshold; an equipment determining unit: determining a first internal equipment accessed by all doubtful accounts, determining a second internal equipment with interaction risk according to all blocking behaviors, and determining a third internal equipment with abnormal business according to all business behaviors; and an equipment judging unit: judging the first internal equipment, the second internal equipment and the third internal equipment, and judging that the corresponding internal equipment is the internal equipment with the second abnormal behavior when the occurrence times of the same internal equipment are greater than or equal to 2.
5. The DCS network security monitoring system according to claim 4, wherein the equipment determining unit comprises: a value dividing block: classifying threat values of all bugs determined by the firewall, and determining all the first bugs included in each level; a level behavior extraction block: extracting all the attack behaviors of external equipment to the firewall from all the blocking behaviors, and extracting first behaviors related to all the first bugs in the same level from all the attack behaviors, wherein the number of levels is 3; a risk assessment block: respectively determining the first number of the first bugs in the same level, and the second number of the first behaviors related to each first bug, and calculating an alarm level coefficient L:

$$L=\frac{S_1\sum_{i_1=1}^{n_1} y1_{i_1}\,n01_{i_1}+S_2\sum_{i_2=1}^{n_2} y2_{i_2}\,n02_{i_2}+S_3\sum_{i_3=1}^{n_3} y3_{i_3}\,n03_{i_3}}{\sum_{i_1=1}^{n_1} n01_{i_1}+\sum_{i_2=1}^{n_2} n02_{i_2}+\sum_{i_3=1}^{n_3} n03_{i_3}}$$

where S1 represents a level weight of Level 1; S2 represents a level weight of Level 2; S3 represents a level weight of Level 3, and S1+S2+S3=1; n1 represents the first number of the first bugs in Level 1; n2 represents the first number of the first bugs in Level 2; n3 represents the first number of the first bugs in Level 3; y1_{i1} represents an attacked risk coefficient of the i1-th first bug in Level 1, y2_{i2} represents an attacked risk coefficient of the i2-th first bug in Level 2, and y3_{i3} represents an attacked risk coefficient of the i3-th first bug in Level 3; n01_{i1} represents the second number of the first behaviors related to the i1-th first bug in Level 1; n02_{i2} represents the second number of the first behaviors related to the i2-th first bug in Level 2; and n03_{i3} represents the second number of the first behaviors related to the i3-th first bug in Level 3; calculating a risk index P of firewall risk caused by all attack behaviors:

$$P=L\left(1+\frac{\max(w_1,w_2,w_3)}{Q}\right)$$

where w1 represents a threat value of Level 1; w2 represents a threat value of Level 2; w3 represents a threat value of Level 3; and Q represents a preset maximum threat value; and a risk block: determining a dynamic risk value of each internal equipment according to the risk index P and the first management authority of each internal equipment:

$$R_j=P\cdot L_j$$

where Rj represents a dynamic risk value of the j-th internal equipment; and Lj represents an importance of an equipment corresponding to the first management authority of the j-th internal equipment; and screening an equipment with the dynamic risk value greater than the corresponding preset risk value from all internal equipment to be taken as the second internal equipment.
6. The DCS network security monitoring system according to claim 1, wherein the security protection module comprises: a first anomaly analysis unit: locking a first abnormal equipment matching with the first abnormal behavior in the internal equipment tree, and obtaining an equipment matching with the abnormal type combination formed by all the first abnormal behaviors from the remaining equipment in the internal equipment tree to be taken as an analysis end, constructing an abnormal chain based on the equipment position of the first abnormal equipment under the same control instruction in the internal equipment tree, the corresponding first abnormal behavior and behavior type, and the control and controlled relationship between the first abnormal equipment involved, wherein each first abnormal equipment corresponds to a child node; marking the same behavior type in the abnormal chain to obtain a plurality of abnormal segments, wherein the behavior types of the same abnormal segment are the same; and determining abnormal time of an abnormal equipment with the same behavior type in the abnormal chain, and obtaining an abnormal time interval corresponding to the same behavior type according to the determination result; and a correlation analysis unit: performing correlation analysis on adjacent abnormal segments based on the abnormal time interval; determining a segment starting having no correlation based on the correlation analysis results in the same abnormal chain, and reserving the first abnormal behaviors of all the first abnormal equipment in the front of the segment starting having no correlation; and performing security analysis on all reserved abnormal behaviors involved in the same internal equipment based on the analysis end to perform the first security protection on the corresponding same internal equipment.
7. The DCS network security monitoring system according to claim 6, wherein the correlation analysis unit comprises: an abnormal segment analysis block: determining an absolute time difference between adjacent abnormal segments according to the abnormal time interval, and then obtaining an absolute average difference, and locking an anomaly occurrence time of the first abnormal equipment in the second segment of adjacent abnormal segments, wherein the adjacent abnormal segments include the first segment and the second segment, and the anomaly occurrence time of the first segment is earlier than that of the second segment; and moving the anomaly occurrence time forward according to the absolute average difference to obtain the to-be-judged time; and a correlation judging block: determining whether a corresponding first segment exists before the to-be-judged time, and if so, judging that there is no correlation between the current second segment and the corresponding first segment; and otherwise, judging that there is a correlation between the current second segment and the corresponding first segment.
8. The DCS network security monitoring system according to claim 1, wherein the security protection module further comprises: a second protection unit: determining an initial abnormal end where the second abnormal behavior exists first, and retrieving a disconnection instruction from the security database based on the abnormal type of the initial abnormal end, and issuing the disconnection instruction.
LU504889A 2023-04-17 2023-08-10 DCS Network Security Monitoring System LU504889B1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310433772.3A CN116594369A (en) 2023-04-17 2023-04-17 DCS network safety monitoring system

Publications (1)

Publication Number Publication Date
LU504889B1 true LU504889B1 (en) 2024-02-12

Family

ID=87588988

Family Applications (1)

Application Number Title Priority Date Filing Date
LU504889A LU504889B1 (en) 2023-04-17 2023-08-10 DCS Network Security Monitoring System

Country Status (2)

Country Link
CN (1) CN116594369A (en)
LU (1) LU504889B1 (en)

Also Published As

Publication number Publication date
CN116594369A (en) 2023-08-15


Legal Events

Date Code Title Description
FG Patent granted

Effective date: 20240212