CN115277472A - Network security risk early warning system and method for multidimensional industrial control system

Info

Publication number: CN115277472A
Authority: CN (China)
Prior art keywords: data, industrial control, control system, network security, security
Legal status: Pending
Application number: CN202210725874.8A
Other languages: Chinese (zh)
Inventors: 张伟, 丁朝晖, 杨国玉, 车业蒙, 刘腾, 黄冠杰
Current assignee: China Datang Corp Science and Technology Research Institute Co Ltd
Original assignee: China Datang Corp Science and Technology Research Institute Co Ltd

Classifications

    • H04L Transmission of digital information, e.g. telegraphic communication (H04 Electric communication technique; H Electricity)
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters (H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L41/06 Management of faults, events, alarms or notifications (H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks)
    • H04L43/045 Processing captured monitoring data for graphical visualisation of monitoring data (H04L43/04 Processing captured monitoring data, e.g. for logfile generation)
    • H04L63/1433 Vulnerability analysis (H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses a network security risk early warning system and method for a multidimensional industrial control system. The system comprises a base platform, a micro-service architecture and a data display layer, wherein the base platform is used for collecting, distributing and storing data of the multidimensional industrial control system and providing a data basis for the micro-service architecture and the data display layer; the micro-service architecture is used for modularizing the platform security analysis function of the risk early warning system, carrying out security detection and analysis on the data, and determining a security detection result and a data analysis result; and the data display layer is used for visually displaying the security detection result and the data analysis result. According to the invention, by discovering external and internal network security threats and checking the system's own risk points, the overall network security protection level of the industrial control system is comprehensively improved; network security investment cost is reduced; and security diagnosis is carried out by applying a multidimensional perception technology based on the generalized radial basis function, realizing security risk identification and early warning for the industrial control system.

Description

Network security risk early warning system and method for multidimensional industrial control system
Technical Field
The invention relates to the technical field of industrial control security risk assessment, in particular to a network security risk early warning system and method for a multidimensional industrial control system.
Background
With the advent of big data and the era of industrial intelligence, industrial control systems are evolving in more sophisticated and intelligent directions. However, the large-scale migration of network environments exposes industrial control systems to more serious threats. The main network security problems faced by current industrial control systems, in terms of risk identification, alarming and tracing, are:
network security risk alarms are inaccurate: security operation and maintenance personnel are kept busy processing irrelevant risk alarms and have no time to handle the alarms that really matter. In addition, the shortage of security practitioners is well known, and security operation and maintenance personnel are in particularly short supply, so the accuracy of alarms urgently needs to improve;
network security risk alarms are scattered or incomplete: although several network security detection products are deployed in some information systems, alarm information is displayed in different products and managed by different personnel, so centralized analysis and unified handling are not possible, potential security hazards are easily handled late, and serious consequences follow; security tools are stacked on top of each other, security operation and maintenance personnel manage several devices at the same time, and daily management efficiency is low;
the tracing capability for network security events is weak: the ability of security operation and maintenance personnel to trace a network security event needs improvement. In particular, when a fault occurs in an industrial control system and is being investigated, log, traffic and video data are collected on different devices, comprehensive analysis is not possible, and the cause of the security event and the source of an intruder cannot be determined quickly and accurately.
Disclosure of Invention
In view of this, an embodiment of the invention provides a network security risk early warning system and method for a multidimensional industrial control system, which solve the problems of the prior art such as high network security investment cost and poor stability of production and operation.
According to a first aspect, an embodiment of the present invention provides a network security risk early warning system for a multidimensional industrial control system, including: a base platform, a micro-service architecture and a data display layer, wherein
the base platform is used for collecting, distributing and storing data of the multidimensional industrial control system and providing a data basis for the micro-service architecture and the data display layer;
the micro-service architecture is used for modularizing the platform security analysis function of the risk early warning system, carrying out security detection and analysis on the data, and determining a security detection result and a data analysis result;
and the data display layer is used for visually displaying the security detection result and the data analysis result.
The network security risk early warning system for a multidimensional industrial control system disclosed by this embodiment discovers external and internal network security threats and checks the system's own risk points, so the overall network security protection level of the industrial control system is comprehensively improved, the configuration strategy is optimized, and network security at different levels such as equipment, network, physical environment, application and data is ensured. Network security investment cost is reduced: hidden risks in the network and the physical environment can be checked centrally through the system, which effectively reduces the overhead of an enterprise repeatedly deploying network security equipment and saves the enterprise's security operation and maintenance cost. Stable production operation is guaranteed: the three key factors of current asset value, threats faced and internal vulnerability are determined from the current protection status of field equipment, internet of things terminals, control systems, network platforms, data security and the like; security diagnosis is carried out by combining attributes such as business strategy, security requirements, security events and residual risk and applying a multidimensional perception technology based on the generalized radial basis function, so security risk identification and early warning for the industrial control system are achieved and its stable production operation is guaranteed.
With reference to the first aspect, in a first implementation manner of the first aspect, the base platform includes: a device group, a data acquisition module and a data storage module, wherein
the device group is used for carrying out data interaction with the multidimensional industrial control system;
the data acquisition module is used for acquiring traffic data and system logs of the multidimensional industrial control system;
and the data storage module is used for storing the data acquired by the data acquisition module separately according to a classification standard.
With reference to the first implementation manner of the first aspect, in a second implementation manner of the first aspect, the micro-service architecture includes: an asset management module, a threat analysis module, a vulnerability management module, an alarm management module and a system management module, wherein
the asset management module is used for grouping and managing the assets of the multidimensional industrial control system;
the threat analysis module is used for comparing an asset laterally with similar equipment in the device group and longitudinally with the asset's own historical behavior, detecting abnormal behavior of different assets and determining a threat signal;
the vulnerability management module is used for evaluating and classifying the vulnerabilities of the multidimensional industrial control system;
the alarm management module is used for raising alarms for the threat signals and the vulnerabilities;
and the system management module is used for managing the configuration and permissions of the multidimensional industrial control system.
With reference to the first aspect, in a third implementation manner of the first aspect, the data display layer includes: the system comprises a security operation and maintenance center, an asset management center, a security risk perception center, a security event analysis center and an alarm handling center.
According to a second aspect, the network security risk early warning method for a multidimensional industrial control system provided by an embodiment of the invention includes the following steps:
collecting data of the multidimensional industrial control system, and collecting, distributing and storing the data;
carrying out security detection and analysis on the data, and determining a security detection result and a data analysis result;
and visually displaying the security detection result and the data analysis result.
With reference to the second aspect, in a first embodiment of the second aspect, carrying out security detection and analysis on the data and determining a security detection result and a data analysis result includes:
establishing a network security situation model based on the generalized radial basis function;
adjusting the weights of the network security situation model according to a preset training target, and determining a target network security situation model;
determining the security detection result and the data analysis result by using the target network security situation model and the data, wherein the data comprises traffic, log and video data.
With reference to the first embodiment of the second aspect, in a second embodiment of the second aspect, the network security situation model is formed by:
an input $X = \{x_1, x_2, \dots, x_n\}^T \in \mathbb{R}^n$, network weights $W = \{w_1, w_2, \dots, w_m\}^T \in \mathbb{R}^{L \times m}$, a threshold $V$, a summing unit $\Sigma$, an excitation function $f(x)$ and the neural network output
Figure BDA0003713209960000041
;
the traffic, log and video data are analyzed after processing to form training samples $X = \{x_1, x_2, \dots, x_n\}^T \in \mathbb{R}^n$, and the output of the $j$-th neuron node of the hidden layer is computed as:
Figure BDA0003713209960000042
wherein $c_j$ is the center point of the Gaussian function of the $j$-th node of the hidden layer;
all outputs of the hidden layer are:
Figure BDA0003713209960000043
the output of the neural network is the result of a weighted calculation on the hidden layer outputs:
Figure BDA0003713209960000044
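A worked version of the model just described, added here as an illustration and not the patent's own code: a small generalized RBF network with Gaussian hidden nodes centred at c_j, an output weight vector W with threshold V, and weight adjustment toward a preset training target by gradient descent on the mean squared error. The feature vectors (constructed from processed traffic and log data), the choice of centres, the width sigma and the 0/1 risk targets are assumptions made here.

```python
"""Generalized radial basis function (GRBF) network security situation model.

Added illustration of the model described above; it is not the patent's own
code.  Feature vectors, centres, targets and the gradient-descent weight
adjustment are constructed assumptions made here.
"""
import math
from typing import List, Sequence

Vector = Sequence[float]


def gaussian_hidden_output(x: Vector, centre: Vector, sigma: float) -> float:
    """Output of hidden node j: exp(-||x - c_j||^2 / (2 * sigma^2))."""
    sq_dist = sum((xi - ci) ** 2 for xi, ci in zip(x, centre))
    return math.exp(-sq_dist / (2.0 * sigma * sigma))


class GRBFSituationModel:
    """Input X in R^n -> m Gaussian hidden nodes with centres c_j -> weighted sum."""

    def __init__(self, centres: Sequence[Vector], sigma: float) -> None:
        self.centres = [list(c) for c in centres]
        self.sigma = sigma
        self.weights = [0.0] * len(self.centres)  # W: one weight per hidden node
        self.threshold = 0.0                       # V: output threshold (bias)

    def hidden_layer(self, x: Vector) -> List[float]:
        """All hidden-layer outputs h_1..h_m for one input vector."""
        return [gaussian_hidden_output(x, c, self.sigma) for c in self.centres]

    def _output(self, hidden: Sequence[float]) -> float:
        """Summing unit: y = sum_j w_j * h_j + V."""
        return sum(w * h for w, h in zip(self.weights, hidden)) + self.threshold

    def predict(self, x: Vector) -> float:
        """Risk score for one feature vector (about 0 = normal, about 1 = threat)."""
        return self._output(self.hidden_layer(x))

    def mse(self, samples: Sequence[Vector], targets: Sequence[float]) -> float:
        return sum((self.predict(x) - t) ** 2
                   for x, t in zip(samples, targets)) / len(samples)

    def train(self, samples: Sequence[Vector], targets: Sequence[float],
              lr: float = 0.05, epochs: int = 2000) -> float:
        """Weight adjustment toward the preset training target.

        Only the output weights W and threshold V are adjusted (batch gradient
        descent on mean squared error); the hidden-layer centres stay fixed.
        Returns the final training MSE.
        """
        hidden = [self.hidden_layer(x) for x in samples]
        n = len(samples)
        for _ in range(epochs):
            errors = [self._output(h) - t for h, t in zip(hidden, targets)]
            for j in range(len(self.weights)):
                grad_j = 2.0 / n * sum(e * h[j] for e, h in zip(errors, hidden))
                self.weights[j] -= lr * grad_j
            self.threshold -= lr * 2.0 / n * sum(errors)
        return self.mse(samples, targets)


# Constructed training samples: each vector is (normalised traffic rate against
# the asset's baseline, normalised failed-login count, share of new destination
# hosts), i.e. features derived from processed traffic and log data.
# Target 0 = normal behaviour, 1 = threat.
TRAINING_SAMPLES = [
    [0.10, 0.00, 0.05], [0.20, 0.05, 0.10], [0.15, 0.10, 0.00], [0.05, 0.00, 0.15],
    [0.90, 0.80, 0.85], [0.85, 0.95, 0.70], [0.95, 0.75, 0.90],
]
TRAINING_TARGETS = [0.0, 0.0, 0.0, 0.0, 1.0, 1.0, 1.0]


def build_trained_model(sigma: float = 0.5) -> GRBFSituationModel:
    """Establish the model (centres = training samples, an assumption made here;
    a clustering step would normally pick them) and adjust its weights."""
    model = GRBFSituationModel(TRAINING_SAMPLES, sigma)
    model.train(TRAINING_SAMPLES, TRAINING_TARGETS)
    return model


def detect(model: GRBFSituationModel, x: Vector, cutoff: float = 0.5) -> str:
    """Security detection result for one processed sample."""
    return "threat" if model.predict(x) >= cutoff else "normal"


if __name__ == "__main__":
    m = build_trained_model()
    for sample in ([0.12, 0.05, 0.08], [0.88, 0.85, 0.80], [0.5, 0.5, 0.5]):
        print(sample, round(m.predict(sample), 3), detect(m, sample))
```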
According to a third aspect, an embodiment of the present invention provides an electronic device, including: a memory and a processor in communication connection with each other, wherein the memory stores computer instructions and the processor executes the computer instructions so as to perform the network security risk early warning method for a multidimensional industrial control system of the second aspect or any one of the implementation manners of the second aspect.
According to a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer instructions, the computer instructions being configured to cause a computer to execute the network security risk early warning method for a multidimensional industrial control system described in the second aspect or any one of the implementation manners of the second aspect.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a schematic diagram of a network security risk early warning system of a multidimensional industrial control system according to an embodiment of the invention;
FIG. 2 is a schematic diagram of modules of a network security risk early warning system of a multidimensional industrial control system according to a preferred embodiment of the invention;
FIG. 3 is a flowchart of a network security risk early warning method of a multidimensional industrial control system according to a preferred embodiment of the present invention;
FIG. 4 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
With the advent of big data and the era of industrial intelligence, industrial control systems are evolving in more sophisticated and intelligent directions. However, the large-scale migration of network environments exposes industrial control systems to more serious threats. Current industrial control systems face network security risks, yet risk alarming in the prior art suffers from low accuracy, poor real-time alarm handling, low efficiency and the like.
To solve these problems, the method helps enterprises meet relevant national compliance requirements, reduces network security investment cost, and guarantees stable production operation, specifically as follows:
meeting relevant national compliance requirements: the method helps enterprises discover external and internal network security threats and troubleshoot their own risk points, comprehensively raises the overall network security protection level of the industrial control system, optimizes configuration strategies, ensures network security at the different layers of equipment, network, physical environment, application, data and the like, and meets the compliance requirements of the Multi-Level Protection Scheme 2.0 ("equal security 2.0"), information security risk assessment, industrial internet security evaluation and the relevant regulatory bodies;
reducing network security investment cost: hidden risks in the network and the physical environment can be checked centrally through the system, which effectively reduces the overhead of an enterprise repeatedly deploying network security equipment and saves the enterprise's security operation and maintenance cost;
guaranteeing stable production operation: the three key factors of current asset value, threats faced and internal vulnerability are determined from the current protection status of field equipment, internet of things terminals, control systems, network platforms, data security and the like; security diagnosis is carried out by combining attributes such as business strategy, security requirements, security events and residual risk and applying a multidimensional perception technology based on the generalized radial basis function, so security risk identification and early warning for the industrial control system are achieved and its stable production operation is guaranteed.
In the embodiment, a network security risk early warning system of a multidimensional industrial control system is also provided, and as used below, the term "module" may implement a combination of software and/or hardware with predetermined functions. While the system described in the embodiments below is preferably implemented in software, implementations in hardware, or a combination of software and hardware are also possible and contemplated.
Therefore, to solve the above problems, the present invention discloses a network security risk early warning system for a multidimensional industrial control system which, as shown in FIG. 1, includes: a base platform 1, a micro-service architecture 2 and a data display layer 3, wherein the base platform 1 is used for collecting, distributing and storing data of the multidimensional industrial control system and providing a data basis for the micro-service architecture 2 and the data display layer 3; the micro-service architecture 2 is used for modularizing the platform security analysis function of the risk early warning system, carrying out security detection and analysis on the data, and determining a security detection result and a data analysis result; and the data display layer 3 is used for visually displaying the security detection result and the data analysis result.
Specifically, this embodiment is built around the concept of big data storage and processing, a traffic acquisition probe and video monitoring equipment. It is designed as a high-performance big-data intelligent security analysis platform with a distributed architecture, composed of either a single high-performance server (with a built-in virtualization cluster) or a cluster of several servers, and it uses a multidimensional security risk perception model based on the generalized radial basis function combined with data mining, artificial intelligence and similar technologies. The system provides mass data acquisition and storage, high-performance distributed computation, real-time analysis and alarming, visual display, security reports and the like.
In another embodiment, as shown in FIG. 2, the base platform 1 includes: a device group, a data acquisition module and a data storage module, wherein the device group is used for carrying out data interaction with the multidimensional industrial control system; the data acquisition module is used for acquiring traffic data and system logs of the multidimensional industrial control system; and the data storage module is used for storing the data acquired by the data acquisition module separately according to the classification standard.
The micro-service architecture 2 includes: an asset management module, a threat analysis module, a vulnerability management module, an alarm management module and a system management module, wherein the asset management module is used for grouping and managing the assets of the multidimensional industrial control system; the threat analysis module is used for comparing an asset laterally with similar equipment in the device group and longitudinally with the asset's own historical behavior, detecting abnormal behavior of different assets and determining a threat signal; the vulnerability management module is used for evaluating, classifying and managing the vulnerabilities of the multidimensional industrial control system; the alarm management module is used for raising alarms for the threat signals and the vulnerabilities; and the system management module is used for managing the configuration and permissions of the multidimensional industrial control system.
In this embodiment, the data display layer 3 includes: a security operation and maintenance center, an asset management center, a security risk perception center, a security event analysis center and an alarm handling center.
This embodiment provides mass data acquisition and storage, high-performance distributed computation, real-time analysis and alarming, visual display, security reports and the like. It achieves low coupling between modules and high cohesion within modules, and mainly comprises the base platform 1 layer, the micro-service architecture 2 layer (service architecture) and the data display layer 3, as shown in FIG. 2. The base platform 1 mainly comprises an equipment layer, a data acquisition layer and a data storage layer; it adopts a distributed big data architecture to collect, distribute and store full-traffic data with high performance and to provide a mass data basis for security risk perception analysis. The micro-service architecture 2 layer modularizes the platform security analysis functions and embeds them into the platform as a number of security services. It comprises an asset discovery module, an asset topology algorithm module, an AI clustering algorithm module, an AI detection module, an association analysis module, a risk backtracking module and a video analysis module, and can be flexibly extended and upgraded. The data display layer 3 visually presents the results of security detection and analysis, and mainly comprises risk perception display, multidimensional risk alarms, security reports, asset management, security event analysis and the like. Through visual presentation, security risks that are hidden everywhere become visible and controllable.
The multidimensional security risk perception analysis system aims to realize a high-performance big data intelligent security analysis platform based on a distributed architecture, carries an original AI threat immune algorithm to prevent malicious programs from running, combines technologies such as machine learning, data mining and neural networks, makes up for the defects of network security and physical security of industrial control enterprises, and mainly comprises the following research contents:
(1) Generalized full-traffic analysis, so that operation and maintenance personnel can perform unified risk analysis and control. The analysis does not rely on known attack signatures or threat intelligence, requires no upgrade of a signature library or threat intelligence library and no cloud connection; instead it iterates and reinforces itself by continuously learning the traffic on the current network, building a daily traffic model for each subnet and each asset. At the same time, through horizontal comparison with similar devices and vertical comparison with the asset's own historical behavior, it continuously detects abnormal behavior of individual assets, finds covert behavior that departs from the daily pattern, and thereby discovers unknown threats.
(2) Multi-dimensional risk prediction over security logs, traffic and video data. Log data, traffic information and video data are collected and analyzed centrally, integrating log audit, deep full-traffic analysis and video-surveillance violation identification, to achieve all-round perception of security risks, tracking and tracing of security events, detection and early warning, and overall management.
(3) Intelligent video-surveillance violation alarming and event tracking. Deep learning algorithms improve the processing and optimization of video surveillance information; intelligent analysis of video data realizes blacklist alarms, stranger alarms, trajectory queries, entrance and exit head counts, people-flow statistics, safety-helmet detection, work-clothes detection, abandoned-object detection, mobile-phone detection, smoke and flame alarms, fire-point identification, cabinet-door open/close detection and the like. Violation behavior can be analyzed and alarmed, violation events tracked, and alarm information displayed by alarm type.
(4) Efficient asset operation and maintenance and topology visualization. Large and medium-sized industrial enterprises have many assets that are hard to maintain; the multidimensional security risk perception analysis system discovers every asset in the environment from traffic information, without manual entry. Once discovered, assets can be flexibly grouped and identified, so that unknown assets are conveniently identified and managed. An artificial intelligence algorithm clusters assets automatically, identifies the asset traffic topology, displays the access-relationship topology of a single asset, and identifies abnormal access.
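The passive asset discovery, access topology and horizontal/vertical comparison described in items (1) and (4) above can be illustrated with a small Python example. This is an added example, not code from the patent or its applicant: the flow records are constructed, and the ICS port-to-protocol table, the role-profile grouping used in place of the patent's AI clustering, the per-asset baseline and the 5x-median volume rule are all assumptions chosen for illustration.

```python
"""Passive asset discovery, access topology and peer/history comparison over
constructed flow records. Added example, not the patent's code."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes). Assumed layout:
# 10.0.1.0/24 HMIs and engineering stations, 10.0.2.0/24 PLCs, 10.0.3.5 a jump host.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.1", 502, 1200),
    ("10.0.1.10", "10.0.2.2", 502, 1100),
    ("10.0.1.11", "10.0.2.1", 502, 1300),
    ("10.0.1.11", "10.0.2.3", 502, 900),
    ("10.0.1.12", "10.0.2.2", 502, 1000),
    ("10.0.1.12", "10.0.2.3", 502, 1250),
    ("10.0.1.20", "10.0.2.1", 102, 800),
    ("10.0.3.5", "10.0.1.20", 22, 4000),
]
TODAY_FLOWS = [
    ("10.0.1.10", "10.0.2.1", 502, 30000),  # known edge, far above peer volume
    ("10.0.1.11", "10.0.2.3", 502, 950),    # normal
    ("10.0.1.12", "10.0.2.2", 502, 1000),   # normal
    ("10.0.1.12", "10.0.3.5", 22, 50000),   # HMI never reached the jump host before
    ("10.0.3.5", "10.0.2.1", 502, 20000),   # jump host starts polling a PLC
    ("10.0.9.9", "10.0.2.1", 502, 300),     # address absent from the baseline
]

# Well-known ICS server ports (assumed sufficient for role labelling here).
ICS_SERVER_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 44818: "enip"}


def discover_assets(flows):
    """Inventory {ip: set(roles)} derived only from observed flows, no manual entry."""
    assets = defaultdict(set)
    for src, dst, port, _ in flows:
        proto = ICS_SERVER_PORTS.get(port, f"tcp/{port}")
        assets[dst].add(f"{proto}-server")
        assets[src].add(f"{proto}-client")
    return dict(assets)


def access_topology(flows):
    """Directed access graph: {(src, dst, port): total_bytes}."""
    edges = defaultdict(int)
    for src, dst, port, nbytes in flows:
        edges[(src, dst, port)] += nbytes
    return dict(edges)


def group_by_role(assets):
    """Group assets with an identical role profile; a stand-in for the AI clustering."""
    groups = defaultdict(list)
    for ip, roles in assets.items():
        groups[frozenset(roles)].append(ip)
    return dict(groups)


def detect_abnormal_access(baseline_flows, new_flows, factor=5):
    """Compare today's edges with the learned baseline.
    new_asset:      an address never seen during the learning period
    new_edge:       two known assets talking over a (src, dst, port) never seen before
    volume_outlier: a known edge carrying more than `factor` x the median bytes of the
                    same dst:port edges from assets in the same role group (the asset's
                    own history is one of those peers, so this is both the horizontal
                    and the vertical comparison)."""
    baseline_edges = access_topology(baseline_flows)
    baseline_assets = discover_assets(baseline_flows)
    ip_to_group = {ip: g for g, ips in group_by_role(baseline_assets).items() for ip in ips}
    findings = []
    for (src, dst, port), nbytes in access_topology(new_flows).items():
        if src not in baseline_assets or dst not in baseline_assets:
            findings.append(("new_asset", src, dst, port))
        elif (src, dst, port) not in baseline_edges:
            findings.append(("new_edge", src, dst, port))
        else:
            peers = [v for (s, d, p), v in baseline_edges.items()
                     if d == dst and p == port and ip_to_group[s] == ip_to_group[src]]
            if len(peers) >= 2 and nbytes > factor * median(peers):
                findings.append(("volume_outlier", src, dst, port))
    return findings


if __name__ == "__main__":
    for ip, roles in sorted(discover_assets(BASELINE_FLOWS).items()):
        print(ip, sorted(roles))
    for finding in detect_abnormal_access(BASELINE_FLOWS, TODAY_FLOWS):
        print(*finding)
```

Run against the constructed data, the baseline period yields an inventory of three Modbus clients, one S7comm client doubling as an SSH server, three PLCs and one SSH client, and the second day produces one volume outlier, two never-seen edges (an HMI reaching the jump host, and the jump host polling a PLC) and one unknown address. None of these findings needed a signature; they fall out of the learned per-asset topology, which is the point item (1) makes.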
Specifically, the system makes a marked contribution to protecting the stable operation of power enterprises: it aggregates traffic, log and video data, produces accurate threat alarms, monitors risk and traces network security incidents. The multidimensional network security risk perception analysis system uses an AI model for threat detection, which differs from traditional security perception equipment and overcomes that equipment's huge alarm volume and high false-alarm rate. During major-event security assurance periods, the Winter Olympics and network-protection exercises it issued thousands of alarms, which staff handled promptly, reducing the reputational and economic losses that network attacks would have caused the applying unit.
The network security emergency response and tracing capability is improved, addressing the poor tracking and tracing capability of industrial control enterprises and raising the applying unit's ability to trace security events. In particular, when a fault occurs, a comprehensive investigation can be carried out efficiently through log analysis, traffic detection and video image analysis, the cause of the incident and the source of the intrusion can be determined quickly, and potential safety hazards eliminated at the root.
The false-alarm rate for network security risks is reduced and the efficiency of handling network security events is improved. Daily management efficiency at industrial control enterprises is low; the system helps raise both the network security defense capability and the daily management efficiency of the industrial control system. Integrated, centralized monitoring and early warning across the physical layer and the network layer reduce the difficulty of security management and ensure that administrators handle and respond to security risks at the first opportunity.
Using the aggregated analysis of traffic, log and video data, the system can raise an alarm quickly once it finds evidence of ransomware activity in traffic or logs, prompting security staff to respond. After a ransomware intrusion is discovered, analysis and investigation of the traffic, log and video data can locate the intrusion source and the pivot host used, so that the ransomware's footholds are removed and the attacker's entry point is closed.
The system reduces the need to purchase separate log collection and analysis, traffic analysis and video alarm platforms, avoids duplicated investment, saves enterprises information security expenditure, and can save hundreds of thousands of yuan in security investment each year.
The embodiment provides a network security risk early warning method for a multidimensional industrial control system, which can be used on electronic devices such as computers, mobile phones and tablet computers. Fig. 3 is a flowchart of the network security risk early warning method of a multidimensional industrial control system according to an embodiment of the present invention; as shown in fig. 3, the flow comprises the following steps:
S1, collecting data of the multidimensional industrial control system, and gathering, distributing and storing the data. For the specific acquisition process, refer to the above embodiment of the network security risk early warning system of the multidimensional industrial control system, which is not repeated here.
S2, performing security detection and analysis on the data, and determining a security detection result and a data analysis result. Different analyses are performed according to the type of data; for details, refer to the above embodiment of the network security risk early warning system of the multidimensional industrial control system, which is not repeated here.
S3, visually displaying the security detection result and the data analysis result. For details, refer to the above embodiments of the network security risk early warning system of the multidimensional industrial control system, which are not repeated here.
According to the network security risk early warning method for the multidimensional industrial control system, discovering external and internal network security threats and investigating the system's own risk points comprehensively raises the overall network security protection level of the industrial control system, optimizes configuration strategies, and ensures network security at the levels of equipment, network, physical environment, application and data. Network security investment cost is reduced: hidden risks in the network and the physical environment can be checked centrally through the system, which effectively reduces the overhead of an enterprise repeatedly deploying network security equipment and saves its security operation and maintenance cost. Stable production operation is guaranteed: according to the current protection status of field equipment, Internet of Things terminals, control systems, network platforms and data security, the three key factors of current asset value, threats faced and internal vulnerability are determined; combined with attributes such as business strategy, security requirements, security events and residual risk, a multi-dimensional perception technique based on the generalized radial basis function performs security diagnosis, achieving security risk identification and early warning for the industrial control system and guaranteeing its stable production operation.
Specifically, the step S2 further includes the following steps:
S21, establishing a network security situation model based on the generalized radial basis function. The network security situation model consists of an input $X = \{x_1, x_2, \dots, x_n\}^T \in \mathbb{R}^n$, a network weight $W = \{w_1, w_2, \dots, w_m\}^T \in \mathbb{R}^{L \times m}$, a threshold $V$, a summing unit $\Sigma$, an excitation function $f(x)$, and the neural network output
Figure BDA0003713209960000111
which together form the model;
the traffic, log and video data are analyzed and processed to form a training sample $X = \{x_1, x_2, \dots, x_n\}^T \in \mathbb{R}^n$; the output of the $j$-th neuron node of the hidden layer is calculated as:
Figure BDA0003713209960000112
where $c_j$ is the center of the Gaussian function of the $j$-th hidden-layer node;
the complete hidden-layer output is:
Figure BDA0003713209960000113
the output of the neural network is the weighted sum of the hidden-layer outputs:
Figure BDA0003713209960000114
S22, adjusting the weights of the network security situation model according to a preset training target, and determining a target network security situation model;
S23, determining the security detection result and the data analysis result using the target network security situation model and the data, where the data comprise traffic, log and video data.
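The generalized RBF model of steps S21 to S23 can be implemented as follows. This is an added example rather than the patent's own code: the page gives a Gaussian hidden layer with centers $c_j$, weights $W$, a threshold $V$ and a weighted-sum output, but shows no width $\sigma$, no training rule and no feature definition, so the width, the ridge least-squares weight adjustment, the use of the training samples as centers and the constructed traffic/log/video features are all assumptions made here.

```python
"""Generalized RBF network for security-situation scoring over constructed
traffic/log/video feature vectors. Added example, not the patent's code."""
import math

# Constructed training samples. Each X = (x1, x2, x3) is assumed to mean:
# x1 normalised bytes/s of the asset (traffic), x2 normalised failed-login count
# (logs), x3 video-violation indicator, e.g. cabinet door opened (video).
# Target y: 1 = security risk, 0 = normal. Scale and meaning are assumptions.
TRAIN_X = [
    (0.20, 0.10, 0.0), (0.30, 0.00, 0.0), (0.25, 0.15, 0.0), (0.22, 0.05, 0.0),
    (0.90, 0.80, 1.0), (0.85, 0.90, 0.0), (0.95, 0.20, 1.0), (0.30, 0.90, 1.0),
]
TRAIN_Y = [0, 0, 0, 0, 1, 1, 1, 1]


def gaussian(x, c, sigma):
    """Hidden node phi_j(X) = exp(-||X - c_j||^2 / (2 sigma^2)).
    The Gaussian form follows the page; sigma is an assumed width."""
    d2 = sum((xi - ci) ** 2 for xi, ci in zip(x, c))
    return math.exp(-d2 / (2.0 * sigma ** 2))


def hidden_layer(x, centers, sigma):
    """All L hidden outputs plus a constant 1 whose weight plays the role of V."""
    return [gaussian(x, c, sigma) for c in centers] + [1.0]


def solve(a, b):
    """Gaussian elimination with partial pivoting for a small dense system a w = b."""
    n = len(b)
    m = [row[:] + [bi] for row, bi in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    w = [0.0] * n
    for r in range(n - 1, -1, -1):
        w[r] = (m[r][n] - sum(m[r][k] * w[k] for k in range(r + 1, n))) / m[r][r]
    return w


def train_rbf(xs, ys, sigma=0.3, ridge=1e-3):
    """Weight adjustment towards the training target (step S22). Assumed rule:
    centers c_j = the training samples; output weights W (last entry = V) are the
    ridge least-squares solution of Phi W = Y via the normal equations."""
    centers = list(xs)
    phi = [hidden_layer(x, centers, sigma) for x in xs]
    k = len(phi[0])
    ata = [[sum(p[i] * p[j] for p in phi) + (ridge if i == j else 0.0)
            for j in range(k)] for i in range(k)]
    aty = [sum(p[i] * y for p, y in zip(phi, ys)) for i in range(k)]
    return {"centers": centers, "sigma": sigma, "weights": solve(ata, aty)}


def score(model, x):
    """Network output Y = sum_j w_j phi_j(X) + V, clipped to [0, 1] as a risk score."""
    h = hidden_layer(x, model["centers"], model["sigma"])
    y = sum(w * v for w, v in zip(model["weights"], h))
    return min(1.0, max(0.0, y))


def detect(model, x, threshold=0.5):
    """Security detection result (step S23): 'risk' when the score crosses threshold."""
    return "risk" if score(model, x) >= threshold else "normal"


if __name__ == "__main__":
    model = train_rbf(TRAIN_X, TRAIN_Y)
    for x in [(0.22, 0.08, 0.0), (0.92, 0.85, 1.0), (0.28, 0.95, 0.0)]:
        print(x, round(score(model, x), 3), detect(model, x))
```

With the centers placed on the eight training samples the network interpolates the training targets, so a feature vector inside the normal cluster scores near 0 and one next to a labelled incident scores near 1. A caveat a practitioner should keep in mind: far from every center all Gaussians vanish and the output collapses to the threshold term $V$, so the model says nothing useful about regions it was never trained on, which is why item (1) above insists on continuously re-learning the daily model rather than training once.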
An embodiment of the present invention further provides an electronic device; fig. 4 is a schematic structural diagram of an electronic device according to an alternative embodiment of the present invention. As shown in fig. 4, the electronic device may include at least one processor 601, such as a CPU (Central Processing Unit), at least one communication interface 603, a memory 604, and at least one communication bus 602, where the communication bus 602 connects these components. The communication interface 603 may include a display and a keyboard, and may optionally also include a standard wired interface and a standard wireless interface. The memory 604 may be a high-speed RAM (Random Access Memory) or a non-volatile memory, such as at least one disk memory, and may optionally be at least one storage device located remotely from the processor 601. The processor 601 may be associated with the system described in fig. 1; an application program is stored in the memory 604, and the processor 601 calls the program code stored in the memory 604 to perform any of the above-mentioned method steps.
The communication bus 602 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The communication bus 602 may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 4, but this does not indicate only one bus or one type of bus.
The memory 604 may include volatile memory, such as random-access memory (RAM); it may also include non-volatile memory, such as flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or it may comprise a combination of the above types of memory.
The processor 601 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP.
The processor 601 may further include a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
Optionally, the memory 604 is also used for storing program instructions. The processor 601 may call a program instruction to implement the network security risk early warning method of the multidimensional industrial control system shown in the embodiment of the present application.
The embodiment of the invention also provides a non-transitory computer storage medium storing computer-executable instructions which, when executed, perform the network security risk early warning method of the multidimensional industrial control system of any method embodiment. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD), a solid state drive (SSD) or the like, or a combination of such memories.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (9)

1. A network security risk early warning system for a multidimensional industrial control system, characterized in that it comprises: a base platform, a microservice architecture, and a data presentation layer, wherein,
the base platform is used for collecting, distributing and storing data of the multidimensional industrial control system and providing a data basis for the microservice architecture and the data presentation layer;
the microservice architecture is used for modularizing the platform security analysis function of the risk early warning system, performing security detection and analysis on the data, and determining a security detection result and a data analysis result;
and the data presentation layer is used for visually displaying the security detection result and the data analysis result.
2. The system of claim 1, wherein the base platform comprises: a device group, a data acquisition module and a data storage module, wherein,
the device group is used for data interaction with the multidimensional industrial control system;
the data acquisition module is used for acquiring traffic data and system logs of the multidimensional industrial control system;
and the data storage module is used for storing the data acquired by the data acquisition module according to a classification standard.
3. The system of claim 2, wherein the microservice architecture comprises: an asset management module, a threat analysis module, a vulnerability management module, an alarm management module, and a system management module, wherein,
the asset management module is used for grouping and managing the assets of the multidimensional industrial control system;
the threat analysis module is used for comparing similar devices in the device group horizontally and comparing assets against their own historical behavior, detecting abnormal behavior of different assets, and determining a threat signal;
the vulnerability management module is used for evaluating, classifying and managing the vulnerabilities of the multidimensional industrial control system;
the alarm management module is used for raising alarms for the threat signal and the vulnerabilities;
and the system management module is used for managing the configuration and the permissions of the multidimensional industrial control system.
4. The system of claim 1, wherein the data presentation layer comprises: a security operation and maintenance center, an asset management center, a security risk perception center, a security event analysis center and an alarm handling center.
5. A network security risk early warning method for a multidimensional industrial control system, characterized by comprising the following steps:
collecting data of a multidimensional industrial control system, and gathering, distributing and storing the data;
performing security detection and analysis on the data, and determining a security detection result and a data analysis result;
and visually displaying the security detection result and the data analysis result.
6. The method of claim 5, wherein the performing security detection and analysis on the data to determine a security detection result and a data analysis result comprises:
establishing a network security situation model based on the generalized radial basis function;
carrying out weight adjustment on the network security situation model according to a preset training target, and determining a target network security situation model;
determining a security detection result and a data analysis result by using the target network security situation model and the data, wherein the data comprises: traffic, log, video data.
7. The method of claim 6, wherein the network security situation model consists of: an input $X = \{x_1, x_2, \dots, x_n\}^T \in \mathbb{R}^n$, a network weight $W = \{w_1, w_2, \dots, w_m\}^T \in \mathbb{R}^{L \times m}$, a threshold $V$, a summing unit $\Sigma$, an excitation function $f(x)$, and the neural network output
Figure FDA0003713209950000021
which together form the model;
the traffic, log and video data are analyzed and processed to form a training sample $X = \{x_1, x_2, \dots, x_n\}^T \in \mathbb{R}^n$; the output of the $j$-th neuron node of the hidden layer is calculated as:
Figure FDA0003713209950000022
where $c_j$ is the center of the Gaussian function of the $j$-th hidden-layer node;
the complete hidden-layer output is:
Figure FDA0003713209950000023
the output of the neural network is the weighted sum of the hidden-layer outputs:
Figure FDA0003713209950000024
8. an electronic device, comprising:
a memory and a processor communicatively connected to each other, the memory storing computer instructions, and the processor executing the computer instructions so as to perform the network security risk early warning method for the multidimensional industrial control system according to any one of claims 5 to 7.
9. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions for causing a computer to perform the network security risk early warning method for the multidimensional industrial control system according to any one of claims 5 to 7.
CN202210725874.8A 2022-06-24 2022-06-24 Network security risk early warning system and method for multidimensional industrial control system Pending CN115277472A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210725874.8A CN115277472A (en) 2022-06-24 2022-06-24 Network security risk early warning system and method for multidimensional industrial control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210725874.8A CN115277472A (en) 2022-06-24 2022-06-24 Network security risk early warning system and method for multidimensional industrial control system

Publications (1)

Publication Number Publication Date
CN115277472A true CN115277472A (en) 2022-11-01

Family

ID=83762798

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210725874.8A Pending CN115277472A (en) 2022-06-24 2022-06-24 Network security risk early warning system and method for multidimensional industrial control system

Country Status (1)

Country Link
CN (1) CN115277472A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118174962A (en) * 2024-05-11 2024-06-11 四川九洲视讯科技有限责任公司 Network safety feedback analysis method and system based on artificial intelligence
CN118174962B (en) * 2024-05-11 2024-08-13 四川九洲视讯科技有限责任公司 Network safety feedback analysis method and system based on artificial intelligence

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination