CN115396182A - Industrial control safety automatic arrangement and response method and system - Google Patents

Industrial control safety automatic arrangement and response method and system

Info

Publication number
CN115396182A
Authority
CN
China
Prior art keywords
case
event
security
cases
response
Prior art date
Legal status
Pending
Application number
CN202211014145.8A
Other languages
Chinese (zh)
Inventor
肖丰明
刘杰
王靖元
吴辉
胡晓阳
苏文辉
刘畅尧
汪涛
谢源强
李闯
Current Assignee
Hunan Wuling Power Technology Co Ltd
Wuling Power Corp Ltd
Original Assignee
Hunan Wuling Power Technology Co Ltd
Wuling Power Corp Ltd


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides an industrial control security automated orchestration and response method and system. The method comprises the following steps: receiving raw data and performing behavior analysis and attack identification on it to generate security events; obtaining an association table between cases and attack identification rules and, on the basis of that table, tagging each security event with the label of the case it is associated with; analyzing the labelled security event, selecting the playbook that corresponds to the case label and generating a control instruction; and, in response to the control instruction, triggering the response devices to execute a handling action and displaying the indicators obtained after execution globally on an automated operations and maintenance dashboard (large screen). Because the playbook completes the handling as an automated closed loop, the invention shortens response and handling time and frees engineers from routine operations and maintenance, saving enterprise personnel cost.

Description

Industrial control safety automatic arrangement and response method and system
Technical Field
The invention belongs to the technical field of industrial control security and in particular relates to an industrial control security automated orchestration and response method and system.
Background
With the continuing informatization of enterprises, the volume of information assets grows daily and the interdependence and complexity of systems keep increasing, while the information security situation becomes ever more severe and information security protection faces unprecedented difficulties and challenges. In response to these challenges, information security construction is also in constant development and evolution.
The current transformation toward systematic security construction faces the following challenges: professional security attack-and-defense, analysis and handling personnel are lacking, and their experience in security analysis and triage is hard to solidify into reusable form; security response and handling take too long and are inefficient; and there are neither standardized response and handling processes nor quantifiable indicators of security operation and handling efficiency. There is an urgent need for a platform that closes the loop of security operations: early warning before an event, monitoring and analysis during it, automated response and handling, and tracing to the source afterwards.
Disclosure of Invention
The invention provides an industrial control security automated orchestration and response method and system that aim to solve the technical problems described above.
Based on this purpose, an embodiment of the present invention provides an industrial control security automated orchestration and response method, comprising: receiving raw data and performing behavior analysis and attack identification on it to generate a security event; obtaining an association table between cases and attack identification rules and, on the basis of that table, tagging the security event with the label of its associated case; analyzing the labelled security event, selecting the playbook corresponding to the case label and generating a control instruction; and, in response to the control instruction, triggering the response devices to execute a handling action and displaying the indicators obtained after execution globally on the automated O&M dashboard.
Optionally, the method further includes managing the cases, including but not limited to creating, deleting, editing, starting and stopping, importing and exporting them.
Optionally, the method further includes obtaining the execution result of the security event, converging successively occurring security events of the same type that carry the same case label into the same case, measuring the security performance of the execution results of those same-type security events, and adjusting the execution strategy according to the measurement results.
Optionally, obtaining the association table between cases and attack identification rules and tagging the security event with a case label on the basis of that table includes: obtaining the association table between cases and attack identification rules; performing behavior analysis, attack identification and correlation analysis on the security event, searching the association table and matching against the built-in security rules; and tagging the security event with the label of the case that corresponds to the matched security rule.
Optionally, analyzing the labelled security event, selecting the playbook corresponding to the case label and generating a control instruction includes: performing intelligence, traffic and host forensics on the security event according to its case label and generating a playbook; and generating the control instruction from that playbook.
Optionally, triggering the device to execute a handling action in response to the control instruction includes: responding to the control instruction, calling the response device to execute the handling action and completing the blocking work, where the blocking work comprises at least one of threat interception, blocking the suspicious access source, isolating the attacked host, eliminating the threat, or hardening hosts that have not been attacked.
Based on the same inventive concept, an embodiment of the present invention also provides an industrial control security automated orchestration and response system, comprising: an attack identification module for receiving raw data and performing behavior analysis and attack identification on it to generate a security event; a prejudgment engine module for obtaining the association table between cases and attack identification rules and tagging the security event with the label of its associated case on the basis of that table; an automated orchestration module for analyzing the labelled security event, selecting the playbook corresponding to the case label and generating a control instruction; and a one-key handling module for responding to the control instruction, triggering the device to execute a handling action and displaying the indicators obtained after execution globally on the automated O&M dashboard.
Optionally, the system further includes a case management module, connected to the automated orchestration module and the one-key handling module, for managing cases, including but not limited to creating, deleting, editing, starting and stopping, importing and exporting them and compiling statistics of handling results.
Based on the same inventive concept, an embodiment of the present invention further provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the foregoing method when it executes the computer program.
Based on the same inventive concept, an embodiment of the present invention further provides a computer storage medium storing at least one executable instruction that causes a processor to execute the foregoing method.
The beneficial effects of the invention are as follows. As the description above shows, the industrial control security automated orchestration and response method and system provided by the embodiments of the present invention receive raw data and perform behavior analysis and attack identification on it to generate a security event; obtain an association table between cases and attack identification rules and tag the security event with the label of its associated case on the basis of that table; analyze the labelled security event, select the playbook corresponding to the case label and generate a control instruction; and, in response to the control instruction, trigger the devices to execute a handling action and display the indicators obtained after execution globally on the automated O&M dashboard. Because the playbook completes the handling as an automated closed loop, response and handling time is shortened, engineers are freed from routine operations and maintenance, and enterprise personnel cost is saved.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in describing them are briefly introduced below. Obviously, the drawings described below show only embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic flow chart of an industrial control security automated orchestration and response method according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of an industrial control security automated orchestration and response system according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
It is to be noted that technical or scientific terms used in the embodiments of the present invention should have the ordinary meanings as understood by those having ordinary skill in the art to which the present disclosure belongs, unless otherwise defined. The use of "first," "second," and similar language in the embodiments of the present invention does not denote any order, quantity, or importance, but rather the terms "first," "second," and similar language are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that the element or item preceding the word comprises the element or item listed after the word and its equivalent, but does not exclude other elements or items. The terms "connected" or "coupled" and the like are not restricted to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", and the like are used merely to indicate relative positional relationships, and when the absolute position of the object being described is changed, the relative positional relationships may also be changed accordingly.
An embodiment of the invention provides an industrial control security automated orchestration and response method, which is applied on a server. As shown in FIG. 1, the method comprises:
Step S11: receive raw data and perform behavior analysis and attack identification on it to generate a security event.
In this embodiment, the alarm logs or events of each device are obtained as raw data; the devices include but are not limited to a firewall (NF), a DDoS defense system (ADS), a host security system (UES), a unified threat probe (UTS), a Web application firewall (WAF) and third-party vendor devices. Behavior analysis and attack identification are then performed on the collected raw data to generate security events.
Step S12: obtain the association table between cases and attack identification rules and, on the basis of that table, tag the security event with the label of its associated case.
In this embodiment, optionally, the association table between cases and attack identification rules is obtained; behavior analysis, attack identification and correlation analysis are performed on the security event, the association table is searched and the event is matched against the built-in security rules; and the security event is tagged with the label of the case that corresponds to the matched security rule. The case label marks the case type the security event belongs to; case types include but are not limited to intrusion, denial of service, ransomware, phishing, hotlinking and information leakage.
This embodiment also manages cases, including but not limited to creating, deleting, editing, starting and stopping, importing and exporting them. It obtains the execution result of each security event, converges successively occurring security events of the same type that carry the same case label into the same case, measures the security performance of the execution results of those same-type events, and adjusts the execution strategy according to the measurement results. Cases are managed across the whole security event lifecycle, helping users run a streamlined, continuous investigation, analysis and response for a set of related events and keep a tracking record of their disposition. Case management comprises trigger conditions and response handling actions; through the case's flow processing function, different playbooks can be assigned to cases with different properties and their execution supervised. As long as a case is open (started), events matching it complete automated response handling, which reduces Mean Time To Repair (MTTR).
Using events and logs, this embodiment manages operations events of the same type with the case as the trigger condition: for the same case, successively occurring events of the same type are converged under that case. Case types include but are not limited to intrusion, denial of service, ransomware, phishing, theft and information leakage. Labelling in this way lets the same Playbooks be called for serialized response and execution of the same event type, while the security performance of that response execution is measured to judge execution efficiency and accuracy, so that the execution strategy can be adjusted uniformly.
Every security team has its own set of security tools, capabilities, common use cases and compliance requirements. One common thread running through all of them is the sequence of steps followed when responding to a security event. The security operations event response lifecycle is defined as a continuous, cyclic process: event intake and enrichment, event management, deeper investigation, execution of response actions, performance measurement, and training on the lessons learned to improve future operational efficiency. During response, the security team moves quickly between consoles to gather additional context and contain the event, so a central case management function that avoids fragmented documentation is vital. Case management helps users run a streamlined, continuous investigation, analysis and response for a set of related events. Through the case's flow processing function, different case handling flows (that is, different Playbook scripts) can be assigned to cases with different properties and their execution supervised; through the case's artifact management function, the trace evidence (IOCs) related to the case and the attacker's tactics, techniques and procedures (TTP) can be accumulated continuously; and through orchestrated investigation and response functions, the system can execute a playbook or action on any event in the case, follow leads, dig into suspicious points and enrich the case information.
Step S13: analyze the labelled security event, select the playbook corresponding to the case label and generate a control instruction.
In this embodiment, network-level forensics such as intelligence, traffic and host forensics are performed on the security incident according to its case label and a playbook is generated; the control instruction is then generated from the playbook. Once the network-level evidence has been obtained, the event that requires automated handling is pushed to the automated orchestration and response (SOAR) engine according to the case event and case relationship information obtained in step S12; the SOAR engine analyzes the event and selects the corresponding playbook to generate a control instruction (action), so that the subsequent coordinated handling by the devices closes the loop.
This embodiment also manages playbooks. A playbook (Playbook) records a security engineer's workflow. For response handling, playbooks can be created and stored through visual orchestration and referenced by cases; common playbooks include triage and evidence collection, global blocking, host isolation, work orders and e-mail early warning.
Playbooks automate security operations work and, compared with manual work, react faster, judge more accurately and run more consistently. Automatic or manual orchestration is expressed through the playbook: the workflow required by a business scenario is built from series and parallel relations between playbooks, and when the trigger condition is met the playbook fires and calls the response devices to execute the response actions. Playbooks are developed in Python and can be updated later; a playbook can implement a complex orchestration scenario with little code. The micro-scenario universal playbooks fall into the following categories: global universal playbooks such as block-IP, block-URL and IP-isolation; universal threat-clearing playbooks for infected hosts such as kill-process, delete-file, kill-task, disable-service and clear-register; and universal hardening playbooks for affected hosts such as disable-service and add-NF-rule. A playbook can be generated automatically by visual orchestration; it corresponds to the handling-response part of a case and differs from a case in lacking the trigger-condition part.
For events handled by automated orchestration and response, further threat analysis and judgment can be carried out through intelligence and log forensics, and forensics is combined with a logic-judgment function to achieve diverse orchestration. In the forensics stage, investigative techniques such as attack process tracing, traffic forensics, behavior trajectory analysis, security event trajectory tracing, file trajectory tracing and ATT&CK attack maps, together with active exploration and analysis methods, can be used to retrospectively analyze the complete course of an event and continuously monitor the data obtained, constructing a lifecycle-based behavior chain or event trajectory and identifying the attack methods, attack sources, attack motives and affected areas involved, so that the root cause and every gap of the threat or event are analyzed in a complete closed loop.
Intelligence forensics can match on the intelligence type (including IP, URL, sample, domain name, C2, URL, APT & Comment cred), the specific value of the intelligence object (IP, URL, domain, md5) and the execution result (hit or not). Log forensics can match on the raw log, response content, request content, source address, source port, destination address, destination port, payload, attacker, victim and POST request data.
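The S13 orchestration described above, as an added example rather than the patent's own Playbook code: a playbook is selected by case label, intelligence and log forensics feed a logic-judgment step, and the series/parallel composition of steps is walked to produce the control instructions (actions named as in the text: block-IP, IP-isolation, kill-process, delete-file, add-NF-rule). The intelligence values, playbook definitions and the labelled event are constructed.

```python
"""SOAR engine sketch (added example, not the patent's code): playbook
selection by case label, intelligence/log forensics driving a logic-judgment
step, and series/parallel composition yielding control instructions.
Intelligence values, playbooks and the sample event are constructed."""
import hashlib

# Constructed intelligence objects: intelligence type -> known values.
THREAT_INTEL = {
    "ip": {"198.51.100.23"},                   # RFC 5737 documentation address
    "domain": {"c2.example"},
    "md5": {hashlib.md5(b"constructed sample").hexdigest()},
}


def intel_forensics(kind: str, value: str) -> dict:
    """Intelligence forensics: match one object value against the intelligence
    of its type; the execution result ('hit'/'miss') drives logic judgment."""
    hit = value in THREAT_INTEL.get(kind, set())
    return {"type": kind, "value": value, "result": "hit" if hit else "miss"}


def log_forensics(event: dict, **criteria) -> bool:
    """Log forensics: every given raw-log field (source address, destination
    port, payload, ...) must equal the value recorded on the event."""
    return all(event.get(key) == value for key, value in criteria.items())


def step(action: str, **params) -> dict:
    """A leaf playbook step; '{field}' parameters are filled from the event."""
    return {"action": action, **params}


# Playbook nodes: ("series", [...]) run in order, ("parallel", [...]) run
# concurrently, ("judge", cond, then_nodes, else_nodes) branches on forensics.
PLAYBOOKS = {
    "intrusion": ("series", [
        ("judge",
         lambda ev: intel_forensics("ip", ev["src_ip"])["result"] == "hit",
         [("parallel", [step("block-IP", ip="{src_ip}"),
                        step("IP-isolation", host="{dst_host}")])],
         [step("work-order", owner="soc-duty")]),   # miss: hand to an analyst
        step("mail-alert", severity="{severity}"),
    ]),
    "ransomware": ("series", [
        ("parallel", [step("kill-process", pid="{pid}"),
                      step("delete-file", path="{file_path}")]),
        step("add-NF-rule", src="{src_ip}", rule="deny"),
    ]),
}


def _walk(node, event: dict) -> list:
    """Return execution stages: each stage is a list of actions that may run in
    parallel, and stages run in series."""
    if isinstance(node, dict):                          # leaf action
        filled = {k: v.format_map(event) if isinstance(v, str) else v
                  for k, v in node.items()}
        return [[filled]]
    kind = node[0]
    if kind == "series":
        return [stage for child in node[1] for stage in _walk(child, event)]
    if kind == "parallel":
        return [[a for child in node[1] for stage in _walk(child, event) for a in stage]]
    if kind == "judge":
        _, cond, then_nodes, else_nodes = node
        chosen = then_nodes if cond(event) else else_nodes
        return [stage for child in chosen for stage in _walk(child, event)]
    raise ValueError(f"unknown playbook node {kind!r}")


def orchestrate(case_label: str, event: dict) -> list:
    """Select the playbook referenced by the case label and generate the control
    instructions (actions) for this event; no playbook means manual handling."""
    playbook = PLAYBOOKS.get(case_label)
    return _walk(playbook, event) if playbook else []


# Constructed labelled security event (the output of S12).
EVENT = {"src_ip": "198.51.100.23", "dst_host": "hmi-01", "dst_port": 502,
         "severity": "high", "pid": 4242, "file_path": "/tmp/locked.bin"}

if __name__ == "__main__":
    for stage in orchestrate("intrusion", EVENT):
        print([a["action"] for a in stage])
```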
Step S14: respond to the control instruction, trigger the devices to execute the handling action, and display the indicators obtained after execution globally on the automated O&M dashboard.
In this embodiment, the control instruction is responded to by calling the response devices to execute the handling action and complete the blocking work, which comprises at least one of threat interception, blocking the suspicious access source, isolating the attacked host, eliminating the threat, or hardening hosts that have not been attacked. Response devices are defined and managed through plugins: third-party devices are integrated only through plugin development, and the different plugin definitions fully decouple the response devices. Based on a standard plugin template, an engineer can orchestrate the data access models of different vendors' devices and data types, integrate them quickly, activate and connect the plugin online, and so use the data source out of the box; likewise, engineers can orchestrate the control models of different vendors' control devices based on the standard plugin template, integrate them quickly, complete the online activation and connection of the control device plugin, and use the control device out of the box. Flexible device management functions such as adding, editing, enabling and disabling are available for the connected response devices. Through the response devices, blocking work such as threat interception, blocking the suspicious access source, isolating the attacked host, eliminating the threat and hardening un-attacked hosts can be completed.
Vulnerability remediation and terminal virus removal files can be pushed to the responsible person as a work order; the responsible person receives the work order and performs the related handling. E-mail alerts include notifications of major event generation and of automated response handling results.
For the view matched to automated case execution, the event response details show the end-to-end handling state of each event (success, executing or failed) and present to operations staff the operations stage of the event and its execution state from a global event view. The automated O&M dashboard presents a global overview of automated response handling, such as automated response operating efficiency, case event statistics, case event handling trends and playbook execution information, and displays operations indicators in a measurable, quantifiable way. Automated response operating efficiency comprises the total number of automated response events, the average automated response duration, the average automated response review duration, the average manual response duration, the efficiency improvement percentage, and so on. Case event statistics comprise the automated response state of events, success statistics of response results, TOP case event statistics, overviews of automated response by severity level, and so on. Case event handling trends include the handling trend over different time periods and the 5 most recently completed event handling cases. Playbook execution information includes statistics for the most active playbooks and the execution of the TOP5 executed actions.
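The one-key handling of step S14, as an added example rather than the patent's code: response devices sit behind a standard plugin template so the handler never touches vendor APIs, each control instruction is dispatched to an enabled plugin that supports it with its end-to-end state recorded (success, executing, failed), and the operating-efficiency indicators named for the dashboard are computed from those records. The plugin classes, device names, actions and timings are constructed.

```python
"""One-key handling sketch (added example, not the patent's code): plugin
template, dispatch with execution state, and dashboard indicators.
Plugin classes, device names and timings are constructed."""
from abc import ABC, abstractmethod
from collections import Counter
from dataclasses import dataclass


class ResponsePlugin(ABC):
    """Standard plugin template: a vendor device declares the actions it can
    execute and implements execute(); the handler only sees this interface."""
    actions: frozenset = frozenset()

    def __init__(self, name: str):
        self.name = name
        self.enabled = True          # device management: enable/disable

    @abstractmethod
    def execute(self, action: dict) -> bool:
        """Return True on success, False on a device-side failure."""


class FirewallPlugin(ResponsePlugin):
    """Constructed NF plugin: block-IP and add-NF-rule become deny rules."""
    actions = frozenset({"block-IP", "add-NF-rule"})

    def __init__(self, name):
        super().__init__(name)
        self.rules = []

    def execute(self, action):
        self.rules.append(action)
        return True


class HostAgentPlugin(ResponsePlugin):
    """Constructed UES plugin: isolates hosts and kills processes by pid."""
    actions = frozenset({"IP-isolation", "kill-process", "disable-service"})

    def __init__(self, name):
        super().__init__(name)
        self.isolated = set()

    def execute(self, action):
        if action["action"] == "IP-isolation":
            self.isolated.add(action["host"])
            return True
        return int(action.get("pid", 0)) > 0   # agent rejects a missing pid


@dataclass
class ExecutionRecord:
    action: str
    device: str
    status: str        # "success" | "executing" | "failed"
    seconds: float


class OneKeyHandler:
    def __init__(self):
        self.plugins = {}
        self.records = []

    def register(self, plugin: ResponsePlugin):
        self.plugins[plugin.name] = plugin

    def set_enabled(self, name: str, enabled: bool):
        self.plugins[name].enabled = enabled

    def handle(self, actions: list, seconds_per_action: float = 1.0) -> list:
        """Execute each control instruction on the first enabled plugin that
        supports it and record its end-to-end state (constructed timing)."""
        out = []
        for action in actions:
            plugin = next((p for p in self.plugins.values()
                           if p.enabled and action["action"] in p.actions), None)
            rec = ExecutionRecord(action["action"], plugin.name if plugin else "-",
                                  "executing", seconds_per_action)
            try:
                rec.status = "success" if plugin and plugin.execute(action) else "failed"
            except Exception:
                rec.status = "failed"   # one plugin error must not stop the rest
            out.append(rec)
        self.records.extend(out)
        return out


def dashboard(records: list, manual_avg_seconds: float) -> dict:
    """Automated response operating efficiency and TOP actions for the screen."""
    if not records:
        return {"total_auto_responses": 0, "success_rate": 0.0, "top_actions": []}
    auto_avg = sum(r.seconds for r in records) / len(records)
    return {
        "total_auto_responses": len(records),
        "success_rate": sum(r.status == "success" for r in records) / len(records),
        "avg_auto_seconds": auto_avg,
        "avg_manual_seconds": manual_avg_seconds,
        "efficiency_gain_pct": round(100 * (1 - auto_avg / manual_avg_seconds), 1),
        "top_actions": Counter(r.action for r in records).most_common(5),
    }
```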
In summary, the industrial control security automated orchestration and response method of this embodiment receives raw data and performs behavior analysis and attack identification on it to generate a security event; obtains an association table between cases and attack identification rules and tags the security event with the label of its associated case on the basis of that table; analyzes the labelled security event, selects the playbook corresponding to the case label and generates a control instruction; and, in response to the control instruction, triggers the devices to execute a handling action and displays the indicators obtained after execution globally on the automated O&M dashboard. Because the playbook completes the handling as an automated closed loop, response and handling time is shortened, engineers are freed from routine operations and maintenance, and enterprise personnel cost is saved.
The foregoing description of specific embodiments of this invention has been presented. In some cases, acts or steps recited in embodiments of the invention may be performed in an order different than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
Based on the same conception, the embodiment of the invention also provides an industrial control safety automatic arrangement and response system. The method is applied to the server. As shown in fig. 2, the automatic industrial safety arrangement and response system comprises: the system comprises an attack identification module, a prejudgment engine module, an automatic arrangement module and a one-key disposal module. Wherein the content of the first and second substances,
the attack recognition module is used for receiving the original data, and performing behavior analysis and attack recognition on the original data to generate a security event;
the prejudgment engine module is used for acquiring an incidence relation table of cases and attack identification rules and marking case labels of the cases related to the security events on the basis of the incidence relation table;
the automatic arrangement module is used for analyzing the safety event printed with the case label, selecting a script corresponding to the case label and generating a control instruction;
and the one-key treatment module is used for responding to the control instruction, triggering the equipment to execute a treatment action, and performing global display on the indexes obtained after the treatment execution through the large automatic operation and maintenance screen.
The industrial security automatic arrangement and response system further comprises a case management module, connected with the automatic arrangement module and the one-key disposal module, which is used for managing cases, including but not limited to creating, deleting, editing, starting and stopping, importing, exporting and counting disposal results.
With continued reference to fig. 3, the industrial security automatic arrangement and response system comprises a data access layer, a management research and judgment disposal layer and a display layer. The management research and judgment disposal layer comprises an attack identification module, a prejudgment engine module, a research and judgment engine module, an automatic arrangement module and a one-key disposal module; the automatic arrangement module is the automatic arrangement and response engine of this layer. The data access layer is used for accessing and parsing the original data. The attack identification module performs behavior analysis and attack identification on the original data to generate a security event, and the prejudgment engine module acquires the association relation table of cases and attack identification rules and, on the basis of that table, marks the security event with the case labels of the related cases. The research and judgment engine module performs network-level evidence collection on a security event carrying a case label and transmits the security event to the automatic arrangement and response engine, which analyzes the security event, selects the script corresponding to the case label and generates a control instruction; the one-key disposal module responds to the control instruction and triggers the equipment to execute a disposal action. An automatic operation and maintenance large screen is arranged in the display layer, and the indexes obtained after the disposal is executed are displayed globally on it.
The industrial security automatic arrangement and response system further comprises a data receiving module connected with the research and judgment engine module, a script engine module connected with the data receiving module, and a disposal engine module connected with the script engine module. The data receiving module is used for receiving the security event transmitted by the research and judgment engine module; the disposal engine module receives and responds to the control instruction sent by the script engine module and calls the response equipment to execute the response action.
For convenience of description, the above system is described with the functions divided into various modules, which are described separately. Of course, the functions of the modules may be implemented in the same or multiple software and/or hardware in implementing embodiments of the invention.
The system of the above embodiment is applied to the corresponding method in the foregoing embodiment, and has the beneficial effects of the corresponding method embodiment, which are not described herein again.
Based on the same inventive concept, an embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the method according to any of the above embodiments is implemented.
An embodiment of the present invention provides a non-volatile computer storage medium, where at least one executable instruction is stored in the computer storage medium, and the computer executable instruction may execute the method described in any of the above embodiments.
Fig. 3 is a schematic diagram illustrating a more specific hardware structure of an electronic device according to this embodiment, where the electronic device may include: a processor 301, a memory 302, an input/output interface 303, a communication interface 304, and a bus 305. Wherein the processor 301, the memory 302, the input/output interface 303 and the communication interface 304 enable communication connections within the device with each other via a bus 305.
The processor 301 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits, and is configured to execute related programs to implement the technical solution provided by the method embodiment of the present invention.
The Memory 302 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random access Memory), a static storage device, a dynamic storage device, or the like. The memory 302 may store an operating system and other application programs, and when the technical solution provided by the method embodiment of the present invention is implemented by software or firmware, the relevant program codes are stored in the memory 302 and called by the processor 301 for execution.
The input/output interface 303 is used for connecting an input/output module to input and output information. The input/output module may be configured as a component in the device (not shown) or may be external to the device to provide the corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 304 is used for connecting a communication module (not shown in the figure) to implement communication interaction between the present device and other devices. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, bluetooth and the like).
Bus 305 includes a path that transfers information between the various components of the device, such as processor 301, memory 302, input/output interface 303, and communication interface 304.
It should be noted that although the above-mentioned device only shows the processor 301, the memory 302, the input/output interface 303, the communication interface 304 and the bus 305, in a specific implementation, the device may also include other components necessary for normal operation. Furthermore, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement embodiments of the present invention, and need not include all of the components shown in the figures.
Those of ordinary skill in the art will understand that: the discussion of any embodiment above is merely exemplary, and is not intended to intimate that the scope of the disclosure is limited to these examples; within the context of the present application, features from the above embodiments or from different embodiments may also be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the present application as described above, which are not provided in detail for the sake of brevity.
This application is intended to embrace all such alternatives, modifications and variances that fall within the broad scope of embodiments of the present invention. Therefore, any omissions, modifications, substitutions, improvements and the like that may be made without departing from the spirit and principles of the embodiments of the present invention are intended to be included within the scope of the present application.

Claims (10)

1. An industrial safety automatic arranging and responding method is characterized by comprising the following steps:
receiving original data, and performing behavior analysis and attack identification on the original data to generate a security event;
acquiring an association relation table of cases and attack identification rules, and marking the security events with the case labels of the cases related to them on the basis of the association relation table;
analyzing the safety event marked with the case label, selecting a script corresponding to the case label and generating a control command;
and responding to the control instruction, triggering the equipment to execute a disposal action, and performing global display on the indexes obtained after disposal execution through an automatic operation and maintenance large screen.
2. The method of claim 1, further comprising:
managing cases, including but not limited to creating, deleting, editing, starting and stopping, importing and exporting.
3. The method of claim 1, further comprising:
acquiring the execution result of the security event, and converging the same type of security events with the same successively occurring case labels to the same case;
and carrying out security performance measurement on the execution results of the similar security events, and adjusting the execution strategy according to the measurement results.
4. The method of claim 1, wherein obtaining a case-to-attack recognition rule correlation table and tagging a case label for a case associated with the security event based on the correlation table comprises:
acquiring a case and attack identification rule association relation table;
performing behavior analysis, attack identification and association analysis on the security event, searching the association relation table, and matching with a built-in security rule;
and marking the security events with the case labels of the cases corresponding to the matched security rules.
5. The method of claim 1, wherein the parsing the security event tagged with the case label, selecting a scenario corresponding to the case label, and generating a control instruction comprises:
performing information, flow and host evidence obtaining on the safety event according to the case label and generating a script;
and generating the control instruction according to the script.
6. The method of claim 1, wherein triggering the device to perform a treatment action in response to the control instruction comprises:
responding to the control instruction, calling the response equipment to execute a disposal action, and completing the blocking work, wherein the blocking work comprises at least one of threat interception, blocking of the suspicious access source, isolation of the attacked host, threat elimination, or hardening of hosts that have not been attacked.
7. An industrial safety automation orchestration and response system, the system comprising:
the attack identification module is used for receiving the original data, and performing behavior analysis and attack identification on the original data to generate a security event;
the prejudgment engine module is used for acquiring an incidence relation table of cases and attack identification rules and marking case labels of the cases related to the security events on the basis of the incidence relation table;
the automatic arrangement module is used for analyzing the safety event printed with the case label, selecting a script corresponding to the case label and generating a control instruction;
and the one-key treatment module is used for responding to the control instruction, triggering the equipment to execute a treatment action, and performing global display on the indexes obtained after the treatment is executed through an automatic operation and maintenance large screen.
8. The industrial safety automation arrangement and response system of claim 7, further comprising: and the case management module is connected with the automatic arrangement module and the one-key treatment module and is used for managing cases, including but not limited to creating, deleting, editing, starting and stopping, importing, exporting and counting treatment results.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method according to any of claims 1-6 when executing the program.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform the method of any one of claims 1-6.
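The following Python sketch is an added illustration of the closed loop the claims describe (prejudgment tagging via the rule-to-case association table, convergence of repeated same-label events into one case, playbook selection into control instructions, and one-key disposal through the response equipment). It is not the patent's code: the rule identifiers, case labels, playbooks, event fields and sample events are constructed, and keying cases on (label, target) is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed association table: attack identification rule -> case label.
RULE_TO_CASE = {"ICS-MODBUS-WRITE-UNAUTH": "unauthorized_plc_write",
                "ICS-PORT-SWEEP": "internal_reconnaissance"}
# Constructed playbooks ("scripts"): case label -> claim-6 disposal actions.
PLAYBOOKS = {"unauthorized_plc_write": ["block_access_source",
                                        "isolate_attacked_host"],
             "internal_reconnaissance": ["intercept_threat"]}

@dataclass
class SecurityEvent:
    rule_id: str                      # attack identification rule that fired
    source: str                       # suspicious access source
    target: str                       # attacked asset
    case_label: Optional[str] = None  # filled in by the prejudgment engine

def prejudge(event):
    """Prejudgment engine (claim 4): look the rule up in the association
    table and mark the event with the related case label, if any."""
    event.case_label = RULE_TO_CASE.get(event.rule_id)
    return event

def converge(events):
    """Claim 3: successive same-type events with the same case label are
    converged into one case; keying on (label, target) is an assumption."""
    cases = {}
    for ev in events:
        if ev.case_label is not None:
            cases.setdefault((ev.case_label, ev.target), []).append(ev)
    return cases

def orchestrate(label, case_events):
    """Orchestration engine (claim 5): select the playbook for the case label
    and emit one control instruction per action, once per case."""
    lead = case_events[0]
    return [{"action": a, "source": lead.source, "target": lead.target}
            for a in PLAYBOOKS.get(label, [])]

def run_pipeline(events, device=lambda i: f"{i['action']}@{i['target']}"):
    """Tag, converge, orchestrate, dispose. `device` stands in for the
    response equipment; returns cases, instructions and large-screen indexes."""
    tagged = [prejudge(e) for e in events]
    cases = converge(tagged)
    instructions = [i for (label, _), evs in cases.items()
                    for i in orchestrate(label, evs)]
    results = [device(i) for i in instructions]   # one-key disposal
    metrics = {"cases": len(cases), "instructions": len(instructions),
               "executed": len(results),
               "untagged": sum(e.case_label is None for e in tagged)}
    return cases, instructions, metrics

# Constructed sample events: two repeated PLC writes (one case), one port
# sweep, and one event whose rule has no case (left for manual judgment).
SAMPLE_EVENTS = [
    SecurityEvent("ICS-MODBUS-WRITE-UNAUTH", "10.0.5.23", "plc-01"),
    SecurityEvent("ICS-MODBUS-WRITE-UNAUTH", "10.0.5.23", "plc-01"),
    SecurityEvent("ICS-PORT-SWEEP", "10.0.5.23", "hmi-02"),
    SecurityEvent("RULE-WITHOUT-CASE", "10.0.9.1", "eng-ws-04"),
]
```

Running `run_pipeline(SAMPLE_EVENTS)` yields two cases and three control instructions, with the unmatched event counted as untagged rather than silently dropped.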
CN202211014145.8A 2022-08-23 2022-08-23 Industrial control safety automatic arrangement and response method and system Pending CN115396182A (en)


Publications (1)

Publication Number Publication Date
CN115396182A true CN115396182A (en) 2022-11-25

Family

ID=84120952


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116471122A (en) * 2023-06-12 2023-07-21 南京众智维信息科技有限公司 Network security script arrangement method based on Q learning
CN116471122B (en) * 2023-06-12 2023-08-29 南京众智维信息科技有限公司 Network security script arrangement method based on Q learning
CN116760636A (en) * 2023-08-16 2023-09-15 国网江苏省电力有限公司信息通信分公司 Active defense system and method for unknown threat

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination