CN116743503B - Health evaluation method based on industrial control asset - Google Patents


Info

Publication number
CN116743503B
Authority
CN
China
Prior art keywords
industrial control
asset
event
health
control asset
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311011932.1A
Other languages
Chinese (zh)
Other versions
CN116743503A (en)
Inventor
胡梁眉
还约辉
陈波
叶秀员
周安
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Guoli Network Security Technology Co ltd
Original Assignee
Zhejiang Guoli Network Security Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Mining & Analysis (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a health evaluation method based on industrial control assets, which relates to the technical field of network security and comprises the following steps: S100, designing an industrial control asset event set; S200, designing a self-adaptive weight fuzzy rule; S300, adjusting the self-adaptive weight fuzzy rule parameters; S400, deploying an industrial control asset health assessment model; S500, collecting industrial control asset information; S600, evaluating the health degree of the industrial control asset. The invention establishes a multi-factor fuzzy industrial control asset health assessment model that accurately assesses the health degree of online industrial control assets in the industrial control network, provides a basis for predicting the targets of network attacks and for upgrading and replacing industrial control assets, gives a better understanding of the running condition of the assets, and thereby supports asset management and network security configuration.

Description

Health evaluation method based on industrial control asset
Technical Field
The invention relates to the technical field of network security, in particular to a health degree assessment method based on industrial control assets.
Background
As the manufacturing industry develops, the traditional industrial control network is gradually breaking through its original boundary, which brings intrusion risks to the industrial control system. However, no matter how sophisticated the attack technique or how complex the path, the attack must finally land on some asset of the industrial control network, so evaluating the health status of assets is very important. At present, asset analysis on the market is mainly based on the host and server assets of an information network; once applied to an industrial control system, these technologies and methods are effectively blind: they cannot identify the industrial controllers commonly used in industrial control systems and cannot acquire their running state. For asset management and state detection of industrial control systems, the security field is still blank, and conventional PLC vendors use state monitoring only as a means of debugging and troubleshooting, so it is not real-time.
Currently, in the field of industrial control, some methods exist for evaluating and predicting the status of industrial control assets, but most of them detect and predict the hardware status and faults of equipment; most such faults are traceable and can be predicted by continuously monitoring fault-prone points. Network attacks, however, are random and variable, need more monitoring points, and place higher demands on the parameter self-adaptation of the prediction algorithm. The existing algorithms for equipment faults and their selected monitoring points cannot predict the risks caused by network attacks, so there is room for improvement.
Accordingly, those skilled in the art are working to develop a health assessment method based on industrial control assets.
Disclosure of Invention
In view of the above-mentioned drawbacks of the prior art, the technical problem to be solved by the present invention is how to predict the risk that may occur in the early stage of the change of the status of an asset.
The inventor's analysis is that the industrial control system is closely tied to the physical world: once a network threat penetrates into the industrial control system through the information network, it finally lands on one asset of the industrial control system, whatever path or means of attack is adopted. By clearly grasping the health status of an asset, the risk that may arise can be predicted in the early stage of a change in the asset's status. Drawing on multi-parameter identification technology, the inventor studies a health state evaluation method for production equipment and builds a multi-dimensional industrial control asset health evaluation model, which adaptively adjusts event evaluation weights according to the current network condition and the importance degree of the asset, generates health scores for the corresponding assets, and outputs predicted asset risk points. The health of the production equipment is calculated, the proportion of the different indexes in the health state evaluation is analyzed through the calculation of each weight, and an index evaluation mode is obtained to complete the health state evaluation of the production equipment. A comprehensive evaluation index and system combining 'information-function' safety is established to accurately evaluate the health degree of industrial control assets, find asset risks in advance, and reduce losses.
Based on the communication interaction characteristics of industrial control assets (collectively referred to as industrial control assets) in a network, the inventor extracts industrial control asset information and operation characteristics, including industrial control asset types, industrial control asset models, operating systems, offline states, resource use information, operation logs and open service ports; combines session information characteristics in the industrial control network to extract communication characteristics, including communication content, communication protocol and flow information; analyzes and preprocesses the acquired information, fuses time sequence change characteristics, and outputs events and event levels; and constructs a multi-dimensional industrial control asset health evaluation model that adaptively adjusts event evaluation weights according to the current network conditions and the importance degree of the asset, generates health scores of the corresponding industrial control assets, and outputs predicted risk points for the industrial control assets.
In one embodiment of the invention, a health assessment method based on industrial control assets is provided, comprising the following steps:
S100, designing an industrial control asset event set, wherein the industrial control asset event set covers events which may occur in the asset;
S200, designing a self-adaptive weight fuzzy rule: adaptively setting, according to actual conditions, the weights that industrial control asset information with different attributes carries in the health assessment, and building a multi-factor fuzzy industrial control asset health assessment model;
S300, adjusting the self-adaptive weight fuzzy rule parameters: introducing the multi-factor fuzzy industrial control asset health evaluation model into an actual application scene for verification, and readjusting the self-adaptive weight fuzzy rule parameters according to different industry characteristics;
S400, deploying an industrial control asset health assessment model: deploying the industrial control asset health assessment model on a server;
S500, collecting industrial control asset information, wherein the industrial control asset information covers industrial control asset information elements related to the whole life cycle of the industrial control asset, and comprises inherent properties, operation characteristics and communication characteristics;
S600, evaluating the health degree of the industrial control asset: analyzing the collected industrial control asset information by using the server on which the industrial control asset health evaluation model is deployed, and outputting an industrial control asset health degree score.
Optionally, in the method for evaluating health based on industrial control assets in the above embodiment, step S100 includes:
S110, designing industrial control asset information, and determining all basic information bases required by evaluating the health degree of the industrial control asset;
S120, designing an industrial control asset event set, comprehensively analyzing the association relation of industrial control asset information elements based on industrial control asset information and combining the time of the industrial control asset event and event analysis rules, designing the industrial control asset event set, accurately describing the state of the online industrial control asset, and positioning the event level of the corresponding state.
Further, in the method for evaluating health based on industrial control assets in the above embodiment, the industrial control asset information covers the industrial control asset information elements related to the industrial control asset full life cycle, including the inherent attribute, the operation feature and the communication feature.
Further, in the method for evaluating health based on industrial control assets in the above embodiment, the intrinsic attribute is basic information of the industrial control assets, including but not limited to type, brand, model, module, and operating system.
Further, in the method for evaluating health of industrial control assets according to the embodiment, the operation features are feature information of the industrial control assets in operation, including but not limited to offline state, open service port, failure state, resource usage information, and operation log.
Further, in the health assessment method based on the industrial control asset in the above embodiment, the communication features are information of the industrial control asset in the communication process, including but not limited to open services, communication contents, communication protocols, and traffic information.
Further, in the health evaluation method based on the industrial control asset in the above embodiment, the industrial control asset includes an industrial controller, an industrial host, a human-machine interface device (HMI), a smart meter, a switch, a machine tool, and a camera.
Further, in the industrial control asset-based health assessment method in the above embodiment, the industrial control asset event set is a set of industrial control asset events, and each industrial control asset event includes an event category, an event name and an event level.
Further, in the industrial control asset-based health assessment method in the above embodiment, the event categories include vulnerability events, operation states, communication anomalies, and fault study and judgment.
Further, in the method for evaluating the health degree based on the industrial control asset in the embodiment, the vulnerability events include a high-risk vulnerability, a medium-risk vulnerability and a low-risk vulnerability, the corresponding event levels are respectively 4, 3 and 2, and the higher the event level is, the greater the risk possibility is.
Further, in the method for evaluating health based on industrial control assets in the above embodiment, the operation states include industrial control asset failure, industrial control asset offline and asset resource overrun, the corresponding event levels are respectively 4, 3 and 3, and the higher the event level is, the greater the risk possibility is.
Further, in the method for evaluating health based on industrial control assets in the above embodiment, the communication anomalies include an open service anomaly and a traffic anomaly, the corresponding event levels are respectively 4 and 3, and the higher the event level is, the greater the risk possibility is.
Further, in the method for evaluating the health degree based on the industrial control asset in the above embodiment, the fault study and judgment includes an intrusion risk and a service life risk, the corresponding event levels are respectively 4 and 4, and the higher the event level is, the greater the risk possibility is.
Optionally, in the method for dynamically constructing a network traffic detection model in the above embodiment, step S200 includes:
S210, establishing a multi-factor fuzzy industrial control asset health assessment model based on an industrial control asset event set and the importance degree of the industrial control asset;
S220, determining the scoring basic weight of the industrial control asset event, and defining the weight range of different industrial control asset events;
S230, designing an industrial control asset health assessment algorithm according to the industrial control asset health assessment model;
S240, defining fuzzy sets based on input and output, and determining fuzzy rules of the industrial control asset events.
Further, in the industrial control asset-based health assessment method in the above embodiment, step S210 includes developing health scores for the intrinsic attribute, the operation feature, the communication feature, and the fault study and judgment.
Further, in the method for evaluating the health of the industrial control asset based on the embodiment, the intrinsic attribute health score value is the intrinsic attribute event score; the intrinsic attribute event score is related to the level and the number of existing vulnerabilities of the industrial control asset, and the higher the level and the greater the number of existing vulnerabilities of the industrial control asset, the lower the intrinsic attribute event score.
Further, in the method for evaluating health of industrial control assets according to the embodiment, the running state health score value is determined by the running state event score and the running state score weight; the running state event score is related to the event level, the occurrence frequency and the duration of the existing running state class events of the industrial control asset, and the higher the event level, the higher the occurrence frequency and the longer the duration, the lower the running state event score.
Further, in the method for evaluating health based on industrial control assets in the above embodiment, the communication anomaly health score value is determined by the communication anomaly event score and the communication anomaly score weight; the communication anomaly event score is related to the event level, occurrence frequency and duration of the existing communication anomaly class events of the industrial control asset, and the higher the event level, the higher the occurrence frequency and the longer the duration, the lower the communication anomaly event score.
Further, in the method for evaluating the health of the industrial control asset based on the embodiment, the fault study and judgment health score value is determined by the fault study and judgment event score and the fault study and judgment score weight; the fault study and judgment event score is related to the event level and occurrence probability of the existing fault study and judgment class events of the industrial control asset; a fault study and judgment event is a predicted event for a risk which may occur in the future, and the higher the event level and the higher the occurrence probability, the lower the fault study and judgment event score.
Further, in the method for evaluating the health of the industrial control asset according to the above embodiment, step S220 further includes fuzzifying the importance degree of the industrial control asset: the more important the asset, the lower the event scoring weight of the inherent attribute, and the higher the event scoring weights of the running state and communication abnormality.
Further, in the method for evaluating the health degree based on the industrial control asset in the above embodiment, step S230 further includes performing fuzzification processing on the intrinsic attribute, the running state, the communication abnormality, the event level of fault study and judgment and the importance degree of the industrial control asset, designing a fuzzification rule based on the event level and the importance degree of the asset, and weighting and outputting the health degree score of the asset based on the importance degree of the asset; when corresponding disposal actions or remedial measures are made, event scores or asset vulnerability conditions change according to the degree of resolution, and health scores of industrial control assets are updated accordingly.
Further, in the method for evaluating health based on industrial control assets in the above embodiment, step S240 further includes: defining input fuzzy sets, wherein the inputs are event level, event frequency, duration and asset importance degree; and defining the output fuzzy set, wherein the output is the industrial control asset event score E(s); the fuzzy sets are { BN, MN, SN, OZ, SP, MP, BP }, and respectively represent a negative large value, a negative median, a negative small value, a zero value, a positive small value, a positive median and a positive large value.
Further, in the method for evaluating health of industrial control assets according to the above embodiment, step S240 further includes designing fuzzy rules and membership functions based on the event score E(s) of the industrial control asset, where the domain of E(s) is: E(s) = {0, 100}, E(0) = 100.
Optionally, in the method for dynamically constructing a network traffic detection model in the foregoing embodiment, step S600 includes:
S610, fuzzifying the importance degree of the industrial control asset, wherein the more important the industrial control asset is, the lower the event scoring weight of the inherent attribute is, and the higher the event scoring weights of the running state and communication abnormality are;
S620, fuzzifying the event levels of the inherent attribute, the running state, the communication abnormality and the fault study and judgment, and the importance degree of the industrial control asset;
S630, weighting and outputting the health score of the industrial control asset based on the event level, the event frequency, the duration and the asset importance degree.
The invention provides a health evaluation method based on industrial control assets, which establishes a multi-factor fuzzy industrial control asset health evaluation model that accurately evaluates the health of online industrial control assets in an industrial control network, provides a basis for predicting the targets of network attacks and for upgrading and replacing industrial control assets, gives a better understanding of the running condition of the assets, and thereby supports asset management and network security configuration.
The conception, specific structure, and technical effects of the present invention will be further described with reference to the accompanying drawings to fully understand the objects, features, and effects of the present invention.
Drawings
FIG. 1 is a flowchart illustrating a method for industrial asset-based health assessment, according to an exemplary embodiment.
Detailed Description
The following description of the preferred embodiments of the present invention refers to the accompanying drawings, which make the technical contents thereof more clear and easy to understand. The present invention may be embodied in many different forms of embodiments and the scope of the present invention is not limited to only the embodiments described herein.
In the drawings, like structural elements are referred to by like reference numerals and components having similar structure or function are referred to by like reference numerals. The dimensions and thickness of each component shown in the drawings are arbitrarily shown, and the present invention is not limited to the dimensions and thickness of each component. The thickness of the components is schematically and appropriately exaggerated in some places in the drawings for clarity of illustration.
The inventor designs a health degree assessment method based on industrial control assets, as shown in fig. 1, comprising the following steps:
S100, designing an industrial control asset event set, wherein the industrial control asset event set covers events that may happen to an asset; the industrial control assets comprise an industrial controller, an industrial host, a human-machine interface (HMI), an intelligent instrument, a switch, a machine tool and a camera; the industrial control asset event set is a set of industrial control asset events, and each industrial control asset event comprises an event category, an event name and an event level; the event categories comprise vulnerability events, operation states, communication anomalies and fault study and judgment; the vulnerability events comprise a high-risk vulnerability, a medium-risk vulnerability and a low-risk vulnerability, the corresponding event levels are respectively 4, 3 and 2, and the higher the event level is, the greater the risk possibility is; the operation states comprise industrial control asset fault, industrial control asset offline and asset resource overrun, the corresponding event levels are respectively 4, 3 and 3, and the higher the event level is, the greater the risk possibility is; the communication anomalies comprise an open service anomaly and a traffic anomaly, the corresponding event levels are respectively 4 and 3, and the higher the event level is, the greater the risk possibility is; the fault study and judgment comprises an intrusion risk and a service life risk, the corresponding event levels are respectively 4 and 4, and the higher the event level is, the greater the risk possibility is;
S100 specifically comprises:
S110, designing industrial control asset information, namely determining all basic information libraries required by evaluating the health degree of the industrial control asset, wherein the industrial control asset information covers industrial control asset information elements related to the whole life cycle of the industrial control asset and comprises inherent properties, operation characteristics and communication characteristics; the inherent properties are basic information of the industrial control asset, including but not limited to type, brand, model, module and operating system; the operation characteristics are characteristic information of the industrial control asset in operation, including but not limited to offline state, open service port, fault state, resource use information and operation log; the communication characteristics are information of the industrial control asset in the communication process, including but not limited to open services, communication content, communication protocols, and flow information;
S120, designing an industrial control asset event set, comprehensively analyzing the association relation of industrial control asset information elements based on industrial control asset information and combining the time of the industrial control asset event and event analysis rules, designing the industrial control asset event set, accurately describing the state of the online industrial control asset, and positioning the event level of the corresponding state.
S200, designing a self-adaptive weight fuzzy rule: adaptively setting, according to actual conditions, the weights that industrial control asset information with different attributes carries in the health assessment, and building a multi-factor fuzzy industrial control asset health assessment model; comprising the following steps:
S210, establishing a multi-factor fuzzy industrial control asset health assessment model based on the industrial control asset event set and the importance degree of the industrial control asset, the model comprising an intrinsic attribute health score, an operation characteristic health score, a communication characteristic health score and a fault study and judgment health score; the intrinsic attribute health score value is the intrinsic attribute event score, to which an intrinsic attribute score weight is given; the intrinsic attribute event score is related to the level and the number of existing vulnerabilities of the industrial control asset, and the higher the level and the greater the number of existing vulnerabilities of the industrial control asset, the lower the intrinsic attribute event score; the running state health score value is determined by the running state event score and the running state score weight; the running state event score is related to the event level, the occurrence frequency and the duration of the existing running state class events of the industrial control asset, and the higher the event level, the higher the occurrence frequency and the longer the duration, the lower the running state event score; the communication anomaly health score value is the communication anomaly event score, which is related to the event level, the occurrence frequency and the duration of the existing communication anomaly class events of the industrial control asset, and the higher the event level, the higher the occurrence frequency and the longer the duration, the lower the communication anomaly event score; the fault study and judgment health score value is the fault study and judgment event score, which is related to the event level and occurrence probability of the existing fault study and judgment class events of the industrial control asset; a fault study and judgment event is a predicted event for a risk that may occur in the future, and the higher the event level and the higher the occurrence probability, the lower the fault study and judgment event score;
S220, determining the scoring basic weight of the industrial control asset event, and defining the weight ranges of different industrial control asset events, including fuzzifying the importance degree of the industrial control asset, wherein the more important the asset is, the lower the event scoring weight of the inherent attribute is, and the higher the event scoring weights of the running state and communication abnormality are;
S230, designing an industrial control asset health assessment algorithm according to the industrial control asset health assessment model, comprising: fuzzifying the event levels of the inherent attribute, the running state, the communication abnormality and the fault study and judgment, and the importance degree of the industrial control asset; designing a fuzzy rule based on the event level and the asset importance degree; and weighting and outputting the health score of the asset based on the asset importance degree; when corresponding disposal actions or remedial measures are made, event scores or asset vulnerability conditions change according to the degree of resolution, and health scores of industrial control assets are updated correspondingly;
S240, defining fuzzy sets based on input and output, and determining the fuzzy rules of the industrial control asset events, comprising: defining input fuzzy sets, wherein the inputs are event level, event frequency, duration and asset importance degree; defining the output fuzzy set, wherein the output is the event score E(s); the fuzzy sets are { BN, MN, SN, OZ, SP, MP, BP }, which respectively represent a negative large value, a negative median, a negative small value, a zero value, a positive small value, a positive median and a positive large value; and designing a fuzzy rule and a membership function based on the event score E(s), wherein the domain of E(s) is: E(s) = {0, 100}, E(0) = 100.
S300, adjusting the self-adaptive weight fuzzy rule parameters, introducing the multi-factor fuzzy industrial control asset health evaluation model into an actual application scene for verification, and readjusting the self-adaptive weight fuzzy rule parameters according to different industry characteristics;
s400, deploying an industrial control asset health assessment model, and deploying the industrial control asset health assessment model on a server;
s500, collecting industrial control asset information, wherein the industrial control asset information covers industrial control asset information elements related to the whole life cycle of the industrial control asset, and the industrial control asset information comprises inherent properties, operation characteristics and communication characteristics;
s600, evaluating the health degree of the industrial control asset, analyzing the collected industrial control asset information by using a server for deploying an industrial control asset health evaluation model, and outputting an industrial control asset health degree score, wherein the method specifically comprises the following steps of:
s610, carrying out fuzzy processing on the importance degree of the industrial control asset, wherein the more important the industrial control asset is, the lower the event scoring weight of the inherent attribute is, and the higher the scoring event weight of the running state and communication abnormality is;
s620, carrying out fuzzification treatment on the inherent attribute, the running state, the communication abnormality, the event level of fault research and judgment and the importance degree of the industrial control asset;
s630, weighting and outputting health scores of the industrial control assets based on the event level, the event frequency, the duration, the asset importance degree and the asset importance degree.
The foregoing describes in detail preferred embodiments of the present invention. It should be understood that numerous modifications and variations can be made in accordance with the concepts of the invention by one of ordinary skill in the art without undue burden. Therefore, all technical solutions which can be obtained by logic analysis, reasoning or limited experiments based on the prior art by the person skilled in the art according to the inventive concept shall be within the scope of protection defined by the claims.
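The weighting described in S210 to S240 and S610 to S630 can be illustrated with the following added Python example, which is not part of the patent text. The patent gives no numeric parameters, so the three importance sets, the rule table, the severity formula and every constant are assumptions; the seven output sets {BN, ..., BP} are not modelled, and a weighted-average blend of the rule rows is used in their place.

```python
from math import prod

# Assumed rule table: category weights for each fuzzy importance term.
# Each row sums to 1. Higher importance lowers the inherent-attribute weight
# and raises the running-state and communication weights (S220/S610).
RULES = {
    "low":    {"intrinsic": 0.40, "running": 0.20, "communication": 0.20, "fault": 0.20},
    "medium": {"intrinsic": 0.25, "running": 0.25, "communication": 0.25, "fault": 0.25},
    "high":   {"intrinsic": 0.10, "running": 0.35, "communication": 0.35, "fault": 0.20},
}

def fuzzify_importance(x):
    """Membership of importance x in [0, 1] in three assumed triangular sets."""
    x = min(max(x, 0.0), 1.0)
    return {"low": max(0.0, 1 - 2 * x),
            "medium": 1 - abs(2 * x - 1),
            "high": max(0.0, 2 * x - 1)}

def adaptive_weights(importance):
    """Blend the rule rows by membership degree (memberships sum to 1)."""
    mu = fuzzify_importance(importance)
    return {c: sum(mu[t] * RULES[t][c] for t in RULES) for c in RULES["low"]}

def event_severity(ev):
    """Assumed severity in [0, 1] from level (1-4), frequency and duration.
    'resolved' in [0, 1] models a disposal action reducing the event (S230)."""
    freq = min(ev["count"] / 10, 1.0)
    dur = min(ev["hours"] / 24, 1.0)
    raw = ev["level"] / 4 * (0.5 + 0.25 * freq + 0.25 * dur)
    return raw * (1 - ev.get("resolved", 0.0))

def event_score(events):
    """Event score on 0..100; with no events the score is 100, as E(0) = 100."""
    return 100 * prod(1 - event_severity(e) for e in events)

def health_score(importance, events_by_category):
    """Sum over categories of event score times adaptive scoring weight (S210)."""
    w = adaptive_weights(importance)
    return sum(w[c] * event_score(events_by_category.get(c, [])) for c in w)

# Constructed sample input: one severe, unresolved communication anomaly.
SAMPLE = {"communication": [{"level": 4, "count": 10, "hours": 24}]}

if __name__ == "__main__":
    for imp in (0.0, 0.5, 1.0):
        print(imp, round(health_score(imp, SAMPLE), 2))
```

With these assumed values the same communication anomaly costs a high-importance asset more health points than a low-importance one, and raising `resolved` moves the score back toward 100.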

Claims (7)

1. A health evaluation method based on industrial control assets, characterized by comprising the following steps:
S100, designing an industrial control asset event set, wherein the industrial control asset event set covers the events that may occur on an asset;
S200, adapting the weights of industrial control asset information with different attributes in the health assessment according to actual conditions, establishing a multi-factor fuzzy industrial control asset health assessment model, and designing adaptive-weight fuzzy rules;
S300, adjusting the adaptive-weight fuzzy rule parameters: applying the industrial control asset health assessment model in an actual application scenario for verification, and readjusting the adaptive-weight fuzzy rule parameters according to the characteristics of different industries;
S400, deploying the industrial control asset health assessment model on a server;
S500, collecting industrial control asset information, wherein the industrial control asset information covers the information elements involved in the full life cycle of the industrial control asset and comprises inherent attributes, operation characteristics and communication characteristics;
S600, evaluating the health of the industrial control asset: analyzing the collected industrial control asset information using the server on which the industrial control asset health assessment model is deployed, and outputting an industrial control asset health score;
wherein step S200 comprises:
S210, establishing a multi-factor fuzzy industrial control asset health assessment model covering the inherent attribute health score, the operation characteristic health score, the communication characteristic health score and the fault analysis health score; the inherent attribute health score is the inherent attribute event score multiplied by the inherent attribute scoring weight; the running state health score is the running state event score multiplied by the running state scoring weight; the communication abnormality health score is the communication abnormality event score multiplied by the communication abnormality scoring weight; the fault analysis health score is the fault analysis event score multiplied by the fault analysis scoring weight;
S220, determining the base scoring weights of industrial control asset events and defining the weight ranges of the different industrial control asset events, including fuzzifying the importance of the industrial control asset: the more important the asset, the lower the event scoring weight of the inherent attributes and the higher the event scoring weights of the running state and communication abnormality;
S230, designing an industrial control asset health assessment algorithm according to the industrial control asset health assessment model, comprising fuzzifying the event levels of the inherent attributes, running state, communication abnormality and fault analysis together with the importance of the industrial control asset, and designing fuzzy rules based on event level and asset importance;
S240, defining fuzzy sets for the inputs and the output, and determining the fuzzy rules for industrial control asset events.
2. The industrial control asset-based health assessment method according to claim 1, wherein step S100 comprises:
S110, designing the industrial control asset information, and determining all the basic information needed to evaluate the health of the industrial control asset;
S120, designing the industrial control asset event set based on the industrial control asset information: combining the time of the industrial control asset events with the event analysis rules, comprehensively analyzing the associations among the industrial control asset information elements, accurately describing the state of the online industrial control asset, and locating the event level corresponding to that state.
3. The industrial control asset-based health assessment method according to claim 1, wherein the inherent attributes are basic information of the industrial control asset, including but not limited to type, make, model, module and operating system.
4. The industrial control asset-based health assessment method according to claim 1, wherein the operation characteristics are characteristic information of the industrial control asset in operation, including but not limited to online/offline state, open service ports, failure state, resource usage information and operation logs.
5. The industrial control asset-based health assessment method according to claim 1, wherein the communication characteristics are information of the industrial control asset during communication, including but not limited to development services, communication content, communication protocols and traffic information.
6. The industrial control asset-based health assessment method according to claim 1, wherein the industrial control asset event set is a set of industrial control asset events, each industrial control asset event comprising an event category, an event name and an event level.
7. The industrial control asset-based health assessment method according to claim 1, wherein step S600 comprises:
S610, fuzzifying the importance of the industrial control asset: the more important the industrial control asset, the lower the event scoring weight of the inherent attributes and the higher the event scoring weights of the running state and communication abnormality;
S620, fuzzifying the event levels of the inherent attributes, running state, communication abnormality and fault analysis, together with the importance of the industrial control asset;
S630, outputting the weighted health score of the industrial control asset based on the event level, the event frequency, the duration and the asset importance.
CN202311011932.1A 2023-08-11 2023-08-11 Health evaluation method based on industrial control asset Active CN116743503B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311011932.1A CN116743503B (en) 2023-08-11 2023-08-11 Health evaluation method based on industrial control asset

Publications (2)

Publication Number Publication Date
CN116743503A (en) 2023-09-12
CN116743503B (en) 2023-11-07

Family

ID=87917220

Country Status (1)

Country Link
CN (1) CN116743503B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant