CN111953684A - APT attack analysis system in power network - Google Patents
- Publication number
- CN111953684A (application No. CN202010806417.2A)
- Authority
- CN
- China
- Prior art keywords
- virus
- apt
- module
- attack
- stream
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
Abstract
The invention discloses an APT attack analysis system in a power network, which belongs to the technical field of electric power and comprises an information collection system and an APT virus searching system. The invention is scientific and reasonable, and safe and convenient to use. The information collection system randomly captures packets from the incoming and outgoing transport streams to obtain packet data and acquire information streams; random packet capture guarantees randomness and saves time and resources. The information streams are encrypted to obtain the transport streams, and different encryption modes are adopted for different parts of the elements of the transport stream captured in the system, which greatly improves security and prevents the information from being attacked and stolen by the APT during packet capture. A virus sequence database is preset in the system; the APT virus searching system compares the pre-stored virus sequence database with the elements of the transport stream and judges whether there is coincidence, so that it can be judged whether a virus exists in the APT attack analysis system; if a virus exists, it is further judged whether the attack initiated by the virus is an APT attack.
Description
Technical Field
The invention relates to the technical field of electric power, in particular to an APT attack analysis system in an electric power network.
Background
APT refers to an advanced persistent threat: a form of network attack that uses advanced attack means to carry out a long-term, persistent attack on a specific target. Compared with other forms of network attack, the principle of an APT attack is more advanced, and this "advanced" character is mainly reflected in the fact that an APT attack can exploit a vulnerability in the network to precisely gather information on the target system. After the collection process is completed, continuous, high-intensity attacks are carried out on the network system. An advanced persistent threat (APT) threatens the data security of an enterprise. APT is a "malicious commercial espionage threat": a long-lasting, deliberate effort by attackers to steal core data, aimed at network attacks launched against clients. Such activities are often planned and conducted over a long period and are highly concealed. The APT attack method is to hide itself and to steal data from a specific target in a long-term, planned and organized manner; the actions of stealing data and collecting information in the digital space are those of a "network spy".
Because the power network is increasingly widespread and the power control system increasingly complex in everyday life, the security requirements of the power system keep rising, and network virus intrusion, especially APT attack, poses a considerable threat to network security; an APT attack analysis system in the power network is therefore needed to solve this problem.
Disclosure of Invention
The invention aims to provide an APT attack analysis system in a power network to solve the problems in the prior art.
In order to achieve the purpose, the invention provides the following technical scheme: an APT attack analysis system in a power network is characterized in that:
comprises an information collection system and an APT virus searching system;
the information collection system comprises an acquisition module, a password module, a control module, a storage module and a communication module;
the acquisition module randomly captures a transmission stream in the system to obtain captured packet data and acquire an information stream;
the cryptographic module encrypts the packet capturing data acquired by the acquisition module respectively and summarizes the packet capturing data into an encrypted information stream;
the control module controls the packet capturing process of the acquisition module and controls the encryption process of the password module;
the storage module performs backup storage on the encrypted information stream;
the communication module transmits the encrypted information flow from the collection system to an APT virus searching system;
the APT virus searching system comprises a decryption module, a virus detection module, an APT attack analysis module and an APT attack protection module;
and the decryption module performs symmetric decryption, asymmetric decryption or hash value decryption on the encrypted information stream transmitted by the communication module, obtaining a decrypted information stream;
the virus detection module detects whether a virus is input or output in the system according to the decryption information flow and the virus sequence database;
the APT attack analysis module detects viruses invading the system, judges whether the viruses belong to the APT viruses or not, and sends the result of APT virus attack detection to a system administrator;
and the APT attack protection module determines the processing mode according to the results obtained by the virus detection module and the APT attack analysis module.
Transport stream $S_{tra}$ in said system:
wherein d is the data obtained by packet capturing, s is the number of packet-capture data distributed longitudinally (rows), and c is the number distributed transversely (columns);
the data obtained by packet capturing in the system are summarized to obtain the transport stream $S_{tra}$, which facilitates the subsequent encryption and analysis of the packet-capture data;
the elements of the transport stream $S_{tra}$ are divided into three parts, and each part is encrypted in a different mode:
First part $S_1$:
Second part $S_2$:
Third part $S_3$:
the elements of $S_{tra}$ are divided into three parts so that different encryption modes are applied to different parts of the elements in the transport stream $S_{tra}$, which improves security;
$S_1$ is encrypted to obtain the first encrypted value $M_1$:
$M_1 = \sigma S_1 (1 - \alpha)$
wherein $\sigma$ is a proportionality coefficient with $\sigma > 0$, and $\alpha$ is a constant term with $\alpha > 1$;
$S_2$ is encrypted to obtain the second encrypted value $M_2$:
$M_2 = S_1 \cdot Code$
wherein $Code$ is an encryption coefficient;
wherein b is an element of the encryption coefficient $Code$, a is the number of rows (longitudinal distribution) of the matrix of the second encrypted value $M_2$, and e is its number of columns (transverse distribution); the value of a equals s/3 and the value of e equals c;
$S_3$ is encrypted to obtain the third encrypted value $M_3$:
$M_3 = \mu S_3 (\omega - 1)$
wherein $\mu$ is a proportionality coefficient with $\mu > 0$, and $\omega$ is a constant term with $\omega > 1$;
the encrypted information stream $J_M$ is:
$J_M = M_1 \cap M_2 \cap M_3$
the encrypted information stream $J_M$ is the intersection, or the union, of the first encrypted value $M_1$, the second encrypted value $M_2$ and the third encrypted value $M_3$; that is, the encrypted information stream $J_M$ comprises $M_1$, $M_2$ and $M_3$.
The virus detection module detects whether a virus is input or output in the system, and calculates a virus parameter $H_M$:
wherein $V_{irus}$ is the virus sequence database pre-stored in the system;
according to the virus parameter $H_M$ it is determined whether there is a virus input or output within the system:
when $H_M > 0$, it is judged that a virus is input or output in the system;
when $H_M = 0$, it is judged that no virus is input or output in the system;
when $H_M < 0$, it is judged that the parameters were solved incorrectly, and they are re-evaluated;
the virus sequence database $V_{irus}$ pre-stored in the system is compared with the elements of the transport stream $S_{tra}$ to judge whether coincidence exists, and thus whether a virus exists in the APT attack analysis system;
if it is judged that a virus is input or output in the system, the APT attack analysis module detects the virus invading the system and judges, according to the detection result $A_{SD}$, whether the virus belongs to the APT viruses:
$A_{SD} = F(f(S_{tra}), f(V_{irus})) = \sum f(S_{tra}) \cdot \log_e \big( f(S_{tra}) \cup f(V_{irus}) \big)$
wherein $f(S_{tra})$ is the set of elements in the transport stream $S_{tra}$, and $f(V_{irus})$ is the set of virus sequences pre-stored in the system;
according to the detection result $A_{SD}$ it is judged whether the virus belongs to the APT viruses:
when $A_{SD} > K$, it is judged that the virus invading the system belongs to the APT viruses;
when $A_{SD} \le K$, it is judged that the virus invading the system belongs to the APT viruses;
wherein K is a comparison value;
because APT viruses are characterized by large quantity and by initiating continuous attacks, the detection result $A_{SD}$ multiplies the set of elements of the transport stream, $\sum f(S_{tra})$, by the logarithm $\log_e(f(S_{tra}) \cup f(V_{irus}))$; $\log_e(f(S_{tra}) \cup f(V_{irus}))$ represents the size of the overlapping part of the transport stream $S_{tra}$ and the virus sequence database $V_{irus}$. If the size of the overlapping part is larger than the preset threshold K (the value of K can be set according to the actual situation), the virus invading the system belongs to the APT viruses; if it is smaller than the preset threshold K, the virus invading the system does not belong to the APT viruses;
the APT attack analysis system randomly captures packets from the incoming and outgoing transport streams to obtain packet data and acquire information streams; random packet capture guarantees randomness and saves time and resources compared with inspecting all data. The information stream is encrypted to obtain the transport stream, with different encryption modes adopted for different parts of the elements of the transport stream captured in the system, which greatly improves security and prevents information from being attacked and stolen by the APT during packet capture. A virus sequence database is preset in the system; the pre-stored virus sequence database is compared with the elements of the transport stream to judge whether coincidence exists, and thus whether a virus exists in the APT attack analysis system. If a virus exists, it is further judged whether the attack initiated by the virus is an APT attack, and finally, according to the set of elements $\sum f(S_{tra})$ of the transport stream $S_{tra}$ and the size of the overlapping part of the transport stream $S_{tra}$ and the virus sequence database $V_{irus}$, it is judged whether the network system is subjected to an APT attack.
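The detection stage described above (a coincidence check between the captured stream and the virus sequence database, followed by the $A_{SD}$ statistic compared against the threshold K) as an added Python example; this is illustrative code written for this page, not code from the patent or from any implementation of it. It assumes the stream elements are numeric so that $\sum f(S_{tra})$ can be taken as the sum of the distinct elements, computes the logarithm over the union exactly as the formula is written (the explanatory paragraph speaks of the overlapping part, so the overlap set is returned separately for inspection), and follows that paragraph in treating $A_{SD} \le K$ as "not an APT virus". The sample stream and database are constructed values.

```python
import math

# Constructed sample input (not from the patent): an s x c "transport stream"
# of captured packet bytes and a pre-stored virus sequence database V_irus.
SAMPLE_STREAM = [
    [0x10, 0x22, 0x35, 0x41],
    [0x22, 0x77, 0x35, 0x90],
    [0x41, 0x10, 0xAA, 0x35],
]
SAMPLE_VIRUS_DB = {0x35, 0x77, 0xAA, 0xFE}


def element_set(stream):
    """f(S_tra): the set of distinct elements of the captured transport stream."""
    return {x for row in stream for x in row}


def overlap(stream, virus_db):
    """Virus detection stage: elements of the stream that coincide with the
    pre-stored virus sequence database (the 'overlapping part' of the text)."""
    return element_set(stream) & set(virus_db)


def detection_result(stream, virus_db):
    """A_SD = sum f(S_tra) * log_e |f(S_tra) U f(V_irus)|, as the formula is written.
    Assumption: the elements are numeric, so the sum runs over the distinct values.
    An empty union would make the logarithm undefined, so it yields 0.0 instead."""
    elems = element_set(stream)
    union_size = len(elems | set(virus_db))
    if union_size == 0:
        return 0.0
    return sum(elems) * math.log(union_size)


def classify(stream, virus_db, k):
    """Two-stage decision of the page: the APT judgement is only made once the
    virus detection stage has found a coincidence. Returns None when no virus
    is detected, True when A_SD > K (APT virus), and False otherwise (a virus,
    but not an APT virus, following the explanatory paragraph for A_SD <= K)."""
    if not overlap(stream, virus_db):
        return None
    return detection_result(stream, virus_db) > k


if __name__ == "__main__":
    hits = overlap(SAMPLE_STREAM, SAMPLE_VIRUS_DB)
    a_sd = detection_result(SAMPLE_STREAM, SAMPLE_VIRUS_DB)
    print(f"overlap with virus DB: {sorted(hits)}")
    print(f"A_SD = {a_sd:.2f}; APT at K=1000: {classify(SAMPLE_STREAM, SAMPLE_VIRUS_DB, 1000)}")
```

Because the threshold K and the contents of the virus sequence database are both operator-chosen, the statistic's sensitivity is set entirely by how that database is populated; the overlap set, not just the boolean verdict, is what an analyst would want recorded alongside the alert sent to the administrator.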
The system for analyzing the APT attack in the power network comprises a method for analyzing the APT attack in the power network, wherein the method comprises the following steps:
S100: randomly capture packets of the transport stream in the system to obtain packet-capture data, summarize the packet-capture data into an information stream, and encrypt the information stream to obtain an encrypted information stream;
S200: back up and store the encrypted information stream, and transmit the encrypted information stream from the collection system to the APT virus searching system;
S300: decrypt the encrypted information stream to obtain a decrypted information stream, and detect, according to the decrypted information stream and the virus sequence database, whether a virus is input or output in the system;
S400: detect viruses invading the system, judge whether the viruses belong to the APT viruses, and send the result of the APT virus attack detection to a system administrator;
the modes for sending the result of the APT virus attack detection to the system administrator comprise SMS reminder, e-mail reminder and message reminder;
S500: judge the processing mode according to the result of the APT attack detection.
Preferably, the method for analyzing the APT attack in the power network further includes determining whether the APT virus is continuously invading;
the APT virus has the characteristics of continuous invasion, and if the virus continuously invades, the protection level of the system can be improved or the firewall configuration can be improved under the regulation and control of an administrator, so that the operation safety of the power network system is guaranteed.
Preferably, when the virus invading into the system is detected to be the APT virus, the APT virus sequence is brought into an abnormal database;
the APT virus sequence is brought into the abnormal database, so that the power network system can be protected, the system can quickly react when the same kind of virus invades next time, and the system operation safety is maintained.
Compared with the prior art, the invention has the beneficial effects that:
the APT attack analysis system randomly captures packets from the incoming and outgoing transport streams to obtain packet data and acquire information streams; random packet capture guarantees randomness and saves time and resources compared with inspecting all data;
the information stream is encrypted to obtain the transport stream, with different encryption modes adopted for different parts of the elements of the transport stream captured in the system, which greatly improves security and prevents information from being stolen by the APT attack during packet capture. A virus sequence database is preset in the system; the pre-stored virus sequence database is compared with the elements of the transport stream to judge whether coincidence exists, and thus whether a virus exists in the APT attack analysis system. If a virus exists, it is judged whether the attack initiated by the virus is an APT attack, and finally, according to the set of elements $\sum f(S_{tra})$ of the transport stream $S_{tra}$ and the size of the overlapping part of the transport stream $S_{tra}$ and the virus sequence database $V_{irus}$, it is judged whether the network system is subjected to an APT attack.
Drawings
FIG. 1 is a schematic diagram of a module distribution structure of an APT attack analysis system in a power network according to the present invention;
fig. 2 is a schematic view of a step structure of an APT attack analysis method in a power network according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example: as shown in FIGS. 1-2, an APT attack analysis system in a power network is characterized in that:
comprises an information collection system and an APT virus searching system;
the information collection system comprises an acquisition module, a password module, a control module, a storage module and a communication module;
the acquisition module randomly captures a transmission stream in the system to obtain packet capturing data and information stream;
the encryption module encrypts the packet capturing data acquired by the acquisition module respectively and summarizes the packet capturing data into an encrypted information stream;
the control module controls the packet capturing process of the acquisition module and controls the encryption process of the password module;
the storage module performs backup storage on the encrypted information stream;
the communication module transmits the encrypted information flow from the collection system to an APT virus searching system;
the APT virus searching system comprises a decryption module, a virus detection module, an APT attack analysis module and an APT attack protection module;
the decryption module performs symmetric decryption, asymmetric decryption or hash value decryption on the encrypted information stream transmitted by the communication module, obtaining a decrypted information stream;
the virus detection module detects whether a virus is input or output in the system according to the decryption information flow and the virus sequence database;
the APT attack analysis module detects viruses invading the system, judges whether the viruses belong to the APT viruses or not, and sends the result of APT virus attack detection to a system administrator;
and the APT attack protection module determines the processing mode according to the results obtained by the virus detection module and the APT attack analysis module.
Transport stream $S_{tra}$ in a system:
wherein d is the data obtained by packet capturing, s is the number of packet-capture data distributed longitudinally (rows), and c is the number distributed transversely (columns);
the data obtained by packet capturing in the system are summarized to obtain the transport stream $S_{tra}$, so that the packet-capture data can conveniently be processed in the next step, an encryption and analysis process;
the elements of the transport stream $S_{tra}$ are divided into three parts, and each part is encrypted in a different mode:
First part $S_1$:
Second part $S_2$:
Third part $S_3$:
the elements of $S_{tra}$ are divided into three parts so that different encryption modes are applied to different parts of the elements in the transport stream $S_{tra}$, which improves security;
$S_1$ is encrypted to obtain the first encrypted value $M_1$:
$M_1 = \sigma S_1 (1 - \alpha)$
wherein $\sigma$ is a proportionality coefficient with $\sigma > 0$, and $\alpha$ is a constant term with $\alpha > 1$;
$S_2$ is encrypted to obtain the second encrypted value $M_2$:
$M_2 = S_1 \cdot Code$
wherein $Code$ is an encryption coefficient;
wherein b is an element of the encryption coefficient $Code$, a is the number of rows (longitudinal distribution) of the matrix of the second encrypted value $M_2$, and e is its number of columns (transverse distribution); the value of a equals s/3 and the value of e equals c;
$S_3$ is encrypted to obtain the third encrypted value $M_3$:
$M_3 = \mu S_3 (\omega - 1)$
wherein $\mu$ is a proportionality coefficient with $\mu > 0$, and $\omega$ is a constant term with $\omega > 1$;
the encrypted information stream $J_M$ is:
$J_M = M_1 \cap M_2 \cap M_3$
the encrypted information stream $J_M$ is the intersection, or the union, of the first encrypted value $M_1$, the second encrypted value $M_2$ and the third encrypted value $M_3$; that is, the encrypted information stream $J_M$ comprises $M_1$, $M_2$ and $M_3$.
The virus detection module detects whether a virus is input or output in the system, and calculates a virus parameter $H_M$:
wherein $V_{irus}$ is the virus sequence database pre-stored in the system;
according to the virus parameter $H_M$ it is determined whether there is a virus input or output within the system:
when $H_M > 0$, it is judged that a virus is input or output in the system;
when $H_M = 0$, it is judged that no virus is input or output in the system;
when $H_M < 0$, it is judged that the parameters were solved incorrectly, and they are re-evaluated;
the virus sequence database $V_{irus}$ pre-stored in the system is compared with the elements of the transport stream $S_{tra}$ to judge whether coincidence exists, and thus whether a virus exists in the APT attack analysis system;
if it is judged that a virus is input or output in the system, the APT attack analysis module detects the virus invading the system and judges, according to the detection result $A_{SD}$, whether the virus belongs to the APT viruses:
$A_{SD} = F(f(S_{tra}), f(V_{irus})) = \sum f(S_{tra}) \cdot \log_e \big( f(S_{tra}) \cup f(V_{irus}) \big)$
wherein $f(S_{tra})$ is the set of elements in the transport stream $S_{tra}$, and $f(V_{irus})$ is the set of virus sequences pre-stored in the system;
according to the detection result $A_{SD}$ it is judged whether the virus belongs to the APT viruses:
when $A_{SD} > K$, it is judged that the virus invading the system belongs to the APT viruses;
when $A_{SD} \le K$, it is judged that the virus invading the system belongs to the APT viruses;
wherein K is a comparison value;
because APT viruses are characterized by large quantity and by initiating continuous attacks, the detection result $A_{SD}$ multiplies the set of elements of the transport stream, $\sum f(S_{tra})$, by the logarithm $\log_e(f(S_{tra}) \cup f(V_{irus}))$; $\log_e(f(S_{tra}) \cup f(V_{irus}))$ represents the size of the overlapping part of the transport stream $S_{tra}$ and the virus sequence database $V_{irus}$. If the size of the overlapping part is larger than the preset threshold K (the value of K can be set according to the actual situation), the virus invading the system belongs to the APT viruses; if it is smaller than the preset threshold K, the virus invading the system does not belong to the APT viruses;
the APT attack analysis system randomly captures packets from the incoming and outgoing transport streams to obtain packet data and acquire information streams; random packet capture guarantees randomness and saves time and resources compared with inspecting all data. The information stream is encrypted to obtain the transport stream, with different encryption modes adopted for different parts of the elements of the transport stream captured in the system, which greatly improves security and prevents information from being attacked and stolen by the APT during packet capture. A virus sequence database is preset in the system; the pre-stored virus sequence database is compared with the elements of the transport stream to judge whether coincidence exists, and thus whether a virus exists in the APT attack analysis system. If a virus exists, it is judged whether the attack initiated by the virus is an APT attack, and finally, according to the set of elements $\sum f(S_{tra})$ of the transport stream $S_{tra}$ and the size of the overlapping part of the transport stream $S_{tra}$ and the virus sequence database $V_{irus}$, it is judged whether the network system is subjected to an APT attack.
An APT attack analysis system in a power network comprises an APT attack analysis method in the power network, and the method comprises the following steps:
S100: randomly capture packets of the transport stream in the system to obtain packet-capture data, summarize the packet-capture data into an information stream, and encrypt the information stream to obtain an encrypted information stream;
S200: back up and store the encrypted information stream, and transmit the encrypted information stream from the collection system to the APT virus searching system;
S300: decrypt the encrypted information stream to obtain a decrypted information stream, and detect, according to the decrypted information stream and the virus sequence database, whether a virus is input or output in the system;
S400: detect viruses invading the system, judge whether the viruses belong to the APT viruses, and send the result of the APT virus attack detection to a system administrator;
the modes for sending the result of the APT virus attack detection to the system administrator comprise SMS reminder, e-mail reminder and message reminder;
S500: judge the processing mode according to the result of the APT attack detection.
The method for analyzing the APT attack in the power network further comprises the step of judging whether the APT virus is continuously invaded.
The APT virus has the characteristics of continuous invasion, and if the virus continuously invades, the protection level of the system can be improved or the firewall configuration can be improved under the regulation and control of an administrator, so that the operation safety of the power network system is guaranteed.
When the virus invaded in the system is detected to be the APT virus, the APT virus sequence is brought into an abnormal database.
The APT virus sequence is brought into the abnormal database, so that the power network system can be protected, the system can quickly react when the same kind of virus invades next time, and the system operation safety is maintained.
The working principle is as follows: the APT attack analysis system randomly captures packets from the incoming and outgoing transport streams to obtain packet data and acquire information streams, and summarizes the data obtained by packet capturing in the system to obtain the transport stream $S_{tra}$, which facilitates the next step of encrypting and analyzing the packet data. The elements of the transport stream $S_{tra}$ are divided into three parts so that different encryption modes are adopted for different parts of the elements of $S_{tra}$, which improves security. The virus sequence database $V_{irus}$ pre-stored in the system is compared with the elements of the transport stream $S_{tra}$ to judge whether coincidence exists, and thus whether a virus exists in the APT attack analysis system; if a virus exists, it is judged whether the attack initiated by the virus is an APT attack, and finally, according to the set of elements $\sum f(S_{tra})$ of the transport stream $S_{tra}$ and the size of the overlapping part of the transport stream $S_{tra}$ and the virus sequence database $V_{irus}$, it is judged whether the network system is subjected to an APT attack.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Claims (8)
1. An APT attack analysis system in a power network is characterized in that:
comprises an information collection system and an APT virus searching system;
the information collection system comprises an acquisition module, a cryptographic module, a control module, a storage module and a communication module;
the acquisition module randomly captures a transmission stream in the system to obtain packet-capture data and acquire an information stream;
the cryptographic module encrypts the packet-capture data acquired by the acquisition module and summarizes it into an encrypted information stream;
the control module controls the packet-capture process of the acquisition module and the encryption process of the cryptographic module;
the storage module performs backup storage of the encrypted information stream;
the communication module transmits the encrypted information stream from the collection system to the APT virus searching system;
the APT virus searching system comprises a decryption module, a virus detection module, an APT attack analysis module and an APT attack protection module;
the decryption module decrypts the encrypted information stream transmitted by the communication module to obtain a decrypted information stream;
the virus detection module detects whether a virus is input or output in the system according to the decrypted information stream and the virus sequence database;
the APT attack analysis module detects the virus invading the system, judges whether the virus belongs to the APT viruses, and sends the result of the APT virus attack detection to a system administrator;
and the APT attack protection module judges the processing mode according to the results obtained by the virus detection module and the APT attack analysis module.
2. The system according to claim 1, wherein: the transport stream Stra in the system is:
where d is the data obtained by packet capturing, s is the number of packet-capture data items in the longitudinal distribution, and c is the number in the transverse distribution;
the elements of the transport stream Stra are divided into three parts, each encrypted in a different mode:
First part S1:
Second part S2:
Third part S3:
S1 is encrypted to obtain the first encrypted value M1:
M1=σS1*(1-α)
where σ is a proportionality coefficient with σ > 0, and α is a constant term with α > 1;
S2 is encrypted to obtain the second encrypted value M2:
M2=S1*Code
where Code is an encryption coefficient;
where b is an element of the encryption coefficient Code, a is the longitudinal size of the matrix of the second encrypted value M2, e is the transverse size of the matrix of the second encrypted value M2, the value of a is equal to s/3, and the value of e is equal to c;
S3 is encrypted to obtain the third encrypted value M3:
M3=μS3*(ω-1)
where μ is a proportionality coefficient with μ > 0, and ω is a constant term with ω > 1;
the encrypted information stream JM is:
JM=M1∩M2∩M3.
3. The system according to claim 1, wherein: the virus detection module detects whether a virus is input or output in the system by calculating a virus parameter HM:
where Virus is the virus sequence database pre-stored in the system;
whether a virus is input or output in the system is judged according to the virus parameter HM:
when HM > 0, a virus input or output is judged to exist in the system;
when HM = 0, no virus input or output is judged to exist in the system;
when HM < 0, a parameter-solving error is judged and the value is re-evaluated.
4. The system according to claim 1, wherein: if a virus input or output is judged to exist in the system, the APT attack analysis module detects the virus invading the system and judges, according to the detection result ASD, whether the virus belongs to an APT virus:
ASD=F(f(Stra),f(Virus))=∑f(Stra)*loge f(Stra)∪f(Virus)
where f(Stra) is the set of elements in the transport stream Stra, and f(Virus) is the set of virus sequences pre-stored in the system;
whether the virus belongs to an APT virus is judged according to the detection result ASD:
when ASD > K, the virus invading the system is judged to belong to an APT virus;
when ASD ≤ K, the virus invading the system is judged to belong to an APT virus;
where K is a comparison value.
5. The system according to claim 1, wherein: the APT attack analysis system in the power network implements a method for analyzing APT attacks in the power network, the method comprising the following steps:
S100: randomly capturing packets of a transmission stream in the system to obtain packet-capture data, summarizing the packet-capture data into an information stream, and encrypting the information stream to obtain an encrypted information stream;
S200: backing up and storing the encrypted information stream, and transmitting the encrypted information stream from the collection system to the APT virus searching system;
S300: decrypting the encrypted information stream to obtain a decrypted information stream, and detecting whether a virus is input or output in the system according to the decrypted information stream and the virus sequence database;
S400: detecting the virus invading the system, judging whether the virus belongs to an APT virus, and sending the result of the APT virus attack detection to a system administrator;
S500: judging the processing mode according to the result of the APT attack detection.
6. The APT attack analysis system in the power network according to claim 5, wherein: the method for analyzing the APT attack in the power network further comprises the step of judging whether the APT virus continues to invade.
7. The APT attack analysis system in the power network according to claim 5, wherein: when the virus invaded in the system is detected to be the APT virus, the APT virus sequence is brought into an abnormal database.
8. The APT attack analysis system in the power network according to claim 5, wherein: in step S400, the modes of sending the result of the APT virus attack detection to the system administrator include short message reminding, mail reminding, and message reminding.
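The following is an illustrative model of the computation claimed in claims 2 to 4, added here as a worked example; it is not code from the patent, which discloses no implementation. Where the page is silent it assumes: Stra is split row-wise into three equal blocks (consistent with a = s/3); M2 multiplies S2 element-wise by Code (claim 2 introduces M2 as the encryption of S2, although the printed formula reads S1*Code); HM is the number of stream elements that also appear in the pre-stored virus sequence set, matching the description's "judging whether superposition exists"; and ASD sums x·ln|f(Stra) ∪ f(Virus)| over the elements x of f(Stra). The sample matrix, signature set and constants are constructed. The claimed transforms are multiplications by fixed constants, so the decryption module of claim 1 reduces to division by the same constants; the example performs that round trip before the comparison, which makes visible that σ, α, μ, ω and Code are the only secret the scheme has. Because both branches of the APT judgement in claim 4 are printed with the same outcome, the example reports only whether ASD exceeds K.

```python
"""Model of the claim 2-4 pipeline: split -> transform -> invert -> compare.
Assumptions not stated on the page are marked ASSUMPTION."""
import math
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Matrix = List[List[float]]


@dataclass(frozen=True)
class Params:
    """Constants of claim 2 (sigma>0, alpha>1, mu>0, omega>1) and the Code matrix."""
    sigma: float
    alpha: float
    mu: float
    omega: float
    code: Matrix  # Code: a x e matrix with a = s/3, e = c (claim 2)

    def __post_init__(self) -> None:
        if not (self.sigma > 0 and self.alpha > 1 and self.mu > 0 and self.omega > 1):
            raise ValueError("claim 2 requires sigma>0, alpha>1, mu>0, omega>1")
        if any(b == 0 for row in self.code for b in row):
            raise ValueError("Code coefficients must be non-zero, or M2 cannot be inverted")


def split_three(stra: Matrix) -> Tuple[Matrix, Matrix, Matrix]:
    """ASSUMPTION: S1, S2, S3 are consecutive row blocks of s/3 rows each."""
    s = len(stra)
    if s % 3:
        raise ValueError("claim 2 sets a = s/3, so s must be divisible by 3")
    a = s // 3
    return stra[:a], stra[a:2 * a], stra[2 * a:]


def scale(m: Matrix, k: float) -> Matrix:
    return [[x * k for x in row] for row in m]


def hadamard(m: Matrix, code: Matrix, invert: bool = False) -> Matrix:
    """ASSUMPTION: M2 = S2 * Code is element-wise, Code having the shape of S2."""
    if len(m) != len(code) or any(len(r) != len(c) for r, c in zip(m, code)):
        raise ValueError("Code must be a x e with a = s/3 and e = c")
    return [[x / b if invert else x * b for x, b in zip(r, c)] for r, c in zip(m, code)]


def encrypt(stra: Matrix, p: Params) -> Tuple[Matrix, Matrix, Matrix]:
    """M1 = sigma*S1*(1-alpha), M2 = S2*Code, M3 = mu*S3*(omega-1)."""
    s1, s2, s3 = split_three(stra)
    return (scale(s1, p.sigma * (1 - p.alpha)),
            hadamard(s2, p.code),
            scale(s3, p.mu * (p.omega - 1)))


def decrypt(m1: Matrix, m2: Matrix, m3: Matrix, p: Params) -> Matrix:
    """Every transform multiplies by a non-zero constant, so decryption divides by it."""
    s1 = scale(m1, 1 / (p.sigma * (1 - p.alpha)))
    s2 = hadamard(m2, p.code, invert=True)
    s3 = scale(m3, 1 / (p.mu * (p.omega - 1)))
    return [[round(x) for x in row] for row in s1 + s2 + s3]  # captured data is integral


def elements(stra: Matrix) -> Set[int]:
    """f(Stra): the set of distinct elements of the transport stream."""
    return {x for row in stra for x in row}


def virus_parameter_HM(stra: Matrix, virus: Set[int]) -> int:
    """ASSUMPTION: HM is the number of stream elements also in the virus set."""
    return len(elements(stra) & virus)


def judge_HM(hm: int) -> str:
    if hm > 0:
        return "virus"
    if hm == 0:
        return "clean"
    return "error"  # claim 3: HM < 0 is a parameter-solving error, re-evaluate


def detection_result_ASD(stra: Matrix, virus: Set[int]) -> float:
    """ASSUMPTION: ASD = sum over x in f(Stra) of x * ln|f(Stra) U f(Virus)|."""
    f_s = elements(stra)
    return sum(x * math.log(len(f_s | virus)) for x in f_s)


def analyse(stra: Matrix, virus: Set[int], p: Params, k: float) -> Dict[str, object]:
    """Claim 1 flow: encrypt, transmit (omitted), decrypt, detect, analyse."""
    recovered = decrypt(*encrypt(stra, p), p)
    if recovered != stra:
        raise RuntimeError("round trip failed")
    hm = virus_parameter_HM(recovered, virus)
    verdict = judge_HM(hm)
    asd = detection_result_ASD(recovered, virus) if verdict == "virus" else 0.0
    return {"HM": hm, "verdict": verdict, "ASD": asd, "ASD_exceeds_K": asd > k}


# Constructed sample input: a 6 x 4 capture matrix and a three-entry virus sequence set.
STRA: Matrix = [[10, 20, 30, 40], [11, 21, 31, 41], [12, 22, 32, 42],
                [13, 23, 33, 43], [14, 24, 34, 44], [15, 25, 35, 45]]
VIRUS: Set[int] = {31, 44, 99}
PARAMS = Params(sigma=2.0, alpha=3.0, mu=0.5, omega=5.0,
                code=[[2, 3, 5, 7], [11, 13, 17, 19]])

if __name__ == "__main__":
    print(analyse(STRA, VIRUS, PARAMS, k=1000.0))
```

With the constructed input, two of the 24 distinct stream elements (31 and 44) are in the signature set, so HM = 2 and the union has 25 members; ASD is then 660·ln 25. Replacing the signature set with values absent from the stream gives HM = 0 and the "clean" verdict without computing ASD, as claim 4 only runs after claim 3 reports a virus.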
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010806417.2A CN111953684A (en) | 2020-08-12 | 2020-08-12 | APT attack analysis system in power network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111953684A true CN111953684A (en) | 2020-11-17 |
Family
ID=73332799
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010806417.2A Pending CN111953684A (en) | 2020-08-12 | 2020-08-12 | APT attack analysis system in power network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111953684A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103312679A (en) * | 2012-03-15 | 2013-09-18 | 北京启明星辰信息技术股份有限公司 | APT (advanced persistent threat) detection method and system |
KR101499470B1 (en) * | 2014-09-26 | 2015-03-09 | (주)유엠로직스 | Advanced Persistent Threat attack defense system and method using transfer detection of malignant code |
CN107659543A (en) * | 2016-07-26 | 2018-02-02 | 北京计算机技术及应用研究所 | The means of defence of facing cloud platform APT attacks |
CN109660526A (en) * | 2018-12-05 | 2019-04-19 | 国网江西省电力有限公司信息通信分公司 | A kind of big data analysis method applied to information security field |
CN110022288A (en) * | 2018-01-10 | 2019-07-16 | 贵州电网有限责任公司遵义供电局 | A kind of APT threat recognition methods |
CN111209608A (en) * | 2020-02-25 | 2020-05-29 | 于梦丽 | Big data storage system |
- 2020-08-12 CN CN202010806417.2A patent/CN111953684A/en active Pending
Non-Patent Citations (2)
Title |
---|
LIN SHENWEN: "Study and research of APT detection technology based on big data processing architecture", 《 2015 IEEE 5TH INTERNATIONAL CONFERENCE ON ELECTRONICS INFORMATION AND EMERGENCY COMMUNICATION》 * |
Sun Jian et al. (孙健等): "Research on APT attack detection based on behavior analysis", 《电子设计工程》 (Electronic Design Engineering) * |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Alipour et al. | Wireless anomaly detection based on IEEE 802.11 behavior analysis | |
Niksefat et al. | Privacy issues in intrusion detection systems: A taxonomy, survey and future directions | |
EP2448211B1 (en) | Method, system and equipment for detecting botnets | |
CN101141244A (en) | Network encrypted data virus detection and elimination system, proxy server and method | |
CN110830514A (en) | Detection method for collusion-based false data injection attack of smart power grid | |
CN116132989A (en) | Industrial Internet security situation awareness system and method | |
Patel et al. | Internet protocol identification number based ideal stealth port scan detection using snort | |
Uyyala | DETECTION OF CYBER ATTACK IN NETWORK USING MACHINE LEARNING TECHNIQUES | |
Singh et al. | Evaluating email’s feasibility for botnet command and control | |
US7920705B1 (en) | System and method for convert channel detection | |
Gangwar et al. | A survey on anomaly and signature based intrusion detection system (IDS) | |
Rao et al. | A smart heuristic scanner for an intrusion detection system using two-stage machine learning techniques | |
CN111953684A (en) | APT attack analysis system in power network | |
Cherukuri et al. | Integrity of IoT network flow records in encrypted traffic analytics | |
CN112995216B (en) | Safety processor for online financial information | |
Parekh et al. | Approach for intrusion detection system using data mining | |
Goh et al. | Towards intrusion detection for encrypted networks | |
CN113923021A (en) | Sandbox-based encrypted flow processing method, system, device and medium | |
CN115225301A (en) | D-S evidence theory-based hybrid intrusion detection method and system | |
RU183015U1 (en) | Intrusion detection tool | |
Zhang et al. | Analysis of CAN bus encryption and decryption performance of different chips | |
Anikin et al. | Privacy preserving data mining in terms of DBSCAN clustering algorithm in distributed systems | |
Purohit et al. | Cyber Threats in Internet of Thing systems and Impact reduction | |
US20240146754A1 (en) | Network security | |
Iduh et al. | Analysis of Botnet Classification and Detection Techniques: A review |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2020-11-17 | PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20201117 |