[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN116708038B - Industrial Internet enterprise network security threat identification method based on asset mapping - Google Patents

Industrial Internet enterprise network security threat identification method based on asset mapping Download PDF

Info

Publication number
CN116708038B
CN116708038B CN202310981236.7A CN202310981236A CN116708038B CN 116708038 B CN116708038 B CN 116708038B CN 202310981236 A CN202310981236 A CN 202310981236A CN 116708038 B CN116708038 B CN 116708038B
Authority
CN
China
Prior art keywords
reaction
threat
identification
processing
verification
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310981236.7A
Other languages
Chinese (zh)
Other versions
CN116708038A (en
Inventor
刘红梅
陈晓光
刘洪波
王晟
赵帅
王其松
韩增辉
王海洋
崔晓雷
李超峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Group Shandong Co Ltd
Eversec Beijing Technology Co Ltd
Original Assignee
China Mobile Group Shandong Co Ltd
Eversec Beijing Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Group Shandong Co Ltd, Eversec Beijing Technology Co Ltd filed Critical China Mobile Group Shandong Co Ltd
Priority to CN202310981236.7A priority Critical patent/CN116708038B/en
Publication of CN116708038A publication Critical patent/CN116708038A/en
Application granted granted Critical
Publication of CN116708038B publication Critical patent/CN116708038B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30Computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an industrial Internet enterprise network security threat identification method based on asset mapping, belonging to the technical field of network security; preliminary monitoring analysis and classification are carried out on the operation states of corresponding production equipment through real-time uplink flow and real-time downlink flow in the early stage, threat verification is carried out on verification equipment with abnormal operation monitoring states of the early stage monitoring analysis, threat states of the production equipment are estimated and marked through simultaneous calculation on abnormal data of all aspects monitored by the production equipment, and the estimation is carried out from the aspects of network security threat identification reaction and from the aspects of network security threat processing reaction; the method and the device are used for solving the technical problems that in the existing scheme, analysis and evaluation of different dimensionalities are not implemented on the abnormality obtained by recognition, and the network security threat recognition and processing scheme implemented subsequently cannot be dynamically adjusted according to the evaluation result so as to improve the overall effect of network security threat recognition and processing.

Description

Industrial Internet enterprise network security threat identification method based on asset mapping
Technical Field
The invention relates to the technical field of network security, in particular to an industrial Internet enterprise network security threat identification method based on asset mapping.
Background
Asset mapping is to detect some information in the network space by some technical means and tools and then correlate and display the detected asset data; the threat of network security is mainly divided into two types, one is the threat of information in the network and the other is the threat of the network itself.
When the existing industrial Internet enterprise network security threat identification scheme is implemented, monitoring analysis and early warning are implemented on the aspect of the network of industrial Internet enterprise production, preliminary evaluation classification is not carried out on the abnormality found in the early stage, then monitoring evaluation is implemented on the identification reaction and the processing reaction found by monitoring according to the classification result, and the subsequently implemented network security threat identification and processing scheme is not dynamically adjusted according to the evaluation result, so that the overall effect of network security threat identification and processing is poor.
Disclosure of Invention
The invention aims to provide an industrial Internet enterprise network security threat identification method based on asset mapping, which is used for solving the technical problems that in the existing scheme, analysis and evaluation of different dimensionalities are not implemented on the abnormality obtained by identification, and the network security threat identification and processing scheme implemented subsequently cannot be dynamically adjusted according to the evaluation result so as to improve the overall effect of network security threat identification and processing.
The aim of the invention can be achieved by the following technical scheme:
an industrial internet enterprise network security threat identification method based on asset mapping, comprising the following steps:
monitoring the operation states of different production equipment of an industrial Internet enterprise to obtain operation monitoring data, and analyzing and evaluating the operation monitoring data to obtain the operation monitoring states corresponding to the production equipment;
and carrying out traceability evaluation on the network security threat identification and processing scheme implemented by the verification equipment with abnormal operation monitoring states, and carrying out dynamic adjustment on the network security threat identification and processing scheme implemented by the verification equipment with abnormal operation monitoring states according to the evaluation result.
Preferably, all production equipment and corresponding production numbers contained in an industrial Internet enterprise are obtained, equipment names and equipment types corresponding to the production equipment are obtained according to the production numbers, and the equipment names and the equipment types are set as a first identifier and a second identifier respectively;
when the corresponding production equipment is subjected to digital processing according to the second identifier, traversing and matching the second identifier with an equipment type-weight table stored in a database to obtain corresponding type weight LQ;
and acquiring the real-time uplink flow and the real-time downlink flow corresponding to the production equipment according to the first identifier and the production number, and acquiring the standard uplink flow range and the real-time downlink flow range corresponding to the production equipment according to the second identifier.
Preferably, when monitoring and analyzing the real-time running state of the production equipment, comparing and judging the real-time uplink flow and the real-time downlink flow corresponding to the production equipment with the corresponding standard uplink flow range and the real-time downlink flow range respectively;
if the real-time uplink flow belongs to the standard uplink flow range and the real-time downlink flow belongs to the standard downlink flow range, generating a normal operation signal and prompting that the operation monitoring state is normal;
if at least one of the real-time uplink flow and the real-time downlink flow does not belong to the standard uplink flow ranges is established, generating an abnormal operation signal, marking corresponding production equipment as verification equipment, and carrying out threat verification on the abnormality of the verification equipment according to the abnormal operation signal to obtain threat verification analysis data and prompting the abnormal operation monitoring state.
Preferably, the step of acquiring threat verification analysis data includes:
acquiring a time point of generating an abnormal operation signal and marking the time point as a first analysis time point, counting the total times ZC of occurrence of the abnormal operation signal of the verification device after the first analysis time point and the duration CS of occurrence of each abnormal operation signal, extracting the type weight of the mark corresponding to the verification device, the total times of occurrence of the abnormal operation signal and the value of the duration of occurrence of each abnormal operation signal, and calculating and acquiring a threat state coefficient Wz corresponding to the verification device through a formula;
and evaluating the threat state of the verification equipment according to the threat state coefficient to obtain threat verification analysis data consisting of a mild threat signal, a second analysis time point, a severe threat signal and a third analysis time point.
Preferably, the threat state coefficients Wz are calculated as:the method comprises the steps of carrying out a first treatment on the surface of the Wherein, w1 and w2 are constant coefficients larger than zero, and w1 is larger than w2; w1+w2=1; when the threat state of the verification equipment is evaluated according to the threat state coefficient;
if the threat state coefficient is smaller than the threat state threshold, generating a mild threat signal, marking the corresponding verification equipment as one type of equipment, acquiring the corresponding coordinate position of the verification equipment, implementing one type of alarm prompt, and marking the time point of the mild threat signal generation as a second analysis time point;
if the threat state coefficient is not smaller than the threat state threshold, a severe threat signal is generated, the corresponding verification equipment is marked as a second class of equipment, the corresponding coordinate position of the verification equipment is obtained, the second class of alarm prompt is implemented, and the time point of the severe threat signal generation is marked as a third analysis time point.
Preferably, when the evaluation is implemented from the aspect of network security threat identification reaction, threat verification analysis data corresponding to verification equipment with abnormal operation monitoring state are acquired and traversed, and identification reaction time difference SF between a second analysis time point or a third analysis time point and a first analysis time point is respectively acquired according to a light threat signal or a heavy threat signal acquired through traversing;
calculating the type weight corresponding to the identification reaction time difference and the verification equipment through a formula sf=LQ× (SF-SF 0 +alpha) to obtain the identification reaction degree Sf; wherein alpha is a device network compensation factor;
when the identification reaction of the verification equipment corresponding to the abnormal operation monitoring state is evaluated and classified according to the identification reaction degree, if the identification reaction degree is not more than zero, generating an identification reaction normal label;
if the recognition reactivity is greater than zero, generating a recognition reaction abnormal label;
the recognition reaction degree and the corresponding recognition reaction normal label or recognition reaction abnormal label form recognition reaction evaluation data.
Preferably, when the evaluation is implemented from the aspect of network security threat processing reaction, threat verification analysis data corresponding to production equipment with abnormal operation monitoring states are obtained and traversed, a corresponding network security threat identification processing scheme of one type or a corresponding network security threat identification processing scheme of two types are implemented respectively according to a light threat signal or a heavy threat signal obtained through traversing, and a time point when the corresponding scheme starts to be processed is marked as a processing starting time point; acquiring a processing reaction time difference CF between the second analysis time point or the third analysis time point according to the processing starting time point;
calculating the type weight corresponding to the processing reaction time difference and the verification equipment through a formula Cf=LQ× (CF/CF0+beta) to obtain the processing reaction degree Cf; wherein, beta is a processing network compensation factor;
when carrying out evaluation classification on the processing reaction of the verification equipment corresponding to the abnormal operation monitoring state according to the processing reaction degree, if the processing reaction degree is not more than K, generating a processing reaction normal label; k is a positive integer; if the processing reactivity is greater than K, generating a processing reaction abnormal label;
the processing reaction degree and the corresponding processing reaction normal label or processing reaction abnormal label form processing reaction evaluation data;
the recognition reaction evaluation data and the processing reaction evaluation data constitute an evaluation result of the verification apparatus.
Preferably, when dynamically adjusting the network security threat identification and processing schemes implemented by the verification devices with abnormal different operation monitoring states according to the evaluation results, the evaluation results corresponding to all the verification devices in the monitoring period are counted and traversed, and the identification response obtained by traversing is countedThe total number of abnormal labels and the total number of processing reaction abnormal labels are marked as BZk, and k=1, 2; extracting the number of the marked identification reaction abnormal labels and the number of the processed reaction abnormal labels and passing through a formulaCalculating an identification processing reaction coefficient Sck for network security threat identification in the acquisition stage, wherein Sc1 is the identification reaction coefficient and Sc2 is the processing reaction coefficient;
and evaluating the stage network security threat identification state of the industrial Internet enterprise according to the identification processing reaction coefficient to obtain stage identification evaluation data consisting of a first identification reaction instruction or a second identification reaction instruction and a first processing reaction instruction or a second processing reaction instruction.
Preferably, when the identification state of the network security threat in the stage of the industrial Internet enterprise is evaluated according to the identification processing reaction coefficient, the identification reaction coefficient and the processing reaction coefficient are respectively compared and judged with the corresponding identification reaction threshold and processing reaction threshold;
if the identification reaction coefficient is smaller than the identification reaction threshold value and the processing reaction coefficient is smaller than the processing reaction threshold value, generating a first identification reaction instruction and a first processing reaction instruction;
and if the identification reaction coefficient is not smaller than the identification reaction threshold value and the processing reaction coefficient is not smaller than the processing reaction threshold value, generating a second identification reaction instruction and a second processing reaction instruction.
Preferably, the implementation of the existing cyber security threat identification scheme and cyber security threat processing scheme is maintained according to the first identification reaction instruction and the first processing reaction instruction in the stage identification evaluation data, and the implementation of the cyber security threat identification scheme and the cyber security threat processing scheme is updated and adjusted according to the second identification reaction instruction and the second processing reaction instruction in the stage identification evaluation data.
Compared with the prior art, the invention has the beneficial effects that:
according to the method, the initial monitoring analysis and classification are carried out on the running states of the corresponding production equipment through the monitored real-time uplink flow and real-time downlink flow in the early stage, so that reliable support of local monitoring analysis data can be provided for the verification analysis of the abnormal states corresponding to the subsequent production equipment, and the efficiency of the monitoring analysis of the abnormal states of the subsequent production equipment is improved.
On the other hand, threat verification is implemented on verification equipment with abnormal operation monitoring states, which is monitored and analyzed in the early stage, threat states of production equipment are evaluated and marked by carrying out simultaneous calculation on abnormal data of all aspects monitored by the production equipment, so that the threat state degree corresponding to the verification equipment with abnormal operation monitoring states can be obtained, reliable local data support can be provided for dynamic adjustment of network security threat identification and processing schemes of subsequent industrial Internet enterprises, and the diversity of network security threat identification, monitoring and analysis is improved.
According to other aspects disclosed by the invention, through carrying out data mining of different dimensions on the abnormal production equipment discovered by early monitoring and identification, the stage states of different aspects of industrial Internet enterprise network security threat identification processing can be obtained by carrying out evaluation from the aspect of network security threat identification reaction and the aspect of network security threat processing reaction, meanwhile, reliable data support can be provided for dynamic adjustment of processing schemes of different subsequent aspects, and the overall effects of monitoring and analysis aspects of industrial Internet enterprise network security threat identification and processing and development mining aspects can be effectively improved by carrying out dynamic adjustment on the processing schemes of different subsequent aspects.
Drawings
The invention is further described below with reference to the accompanying drawings.
FIG. 1 is a block flow diagram of an industrial Internet enterprise network security threat identification method based on asset mapping of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, the present invention is an industrial internet enterprise network security threat identification method based on asset mapping, comprising:
monitoring the operation states of different production equipment of an industrial Internet enterprise to obtain operation monitoring data, and analyzing and evaluating the operation monitoring data to obtain the operation monitoring states corresponding to the production equipment; comprising the following steps:
acquiring all production equipment and corresponding production numbers contained in an industrial Internet enterprise, acquiring equipment names and equipment types corresponding to the production equipment according to the production numbers, and setting the equipment names and the equipment types as a first identifier and a second identifier respectively;
wherein the device type is determined based on the division standard of the existing industrial Internet enterprise production device, including but not limited to transportation type, processing type, assembly type and detection type; the production equipment refers to the production data interaction which can be implemented through the industrial Internet;
when the corresponding production equipment is subjected to digital processing according to the second identifier, traversing and matching the second identifier with an equipment type-weight table stored in a database to obtain corresponding type weight LQ;
the device type-weight table comprises a plurality of different device types and corresponding type weights, wherein the different device types are associated with one corresponding type weight in advance, the type weights are used for digitally representing the device types of the text types, and specific numerical values of the type weights can be obtained according to the simulation of production big data of corresponding production devices;
acquiring real-time uplink flow and real-time downlink flow corresponding to production equipment according to the first identifier and the production number, and acquiring a standard uplink flow range and a real-time downlink flow range corresponding to the production equipment according to the second identifier;
when the real-time running state of the production equipment is monitored and analyzed, the real-time uplink flow and the real-time downlink flow corresponding to the production equipment are respectively compared and judged with the corresponding standard uplink flow range and the real-time downlink flow range; the comparison and judgment are realized by extracting the numerical values of the real-time uplink flow and the real-time downlink flow, and the standard uplink flow range and the real-time downlink flow range are obtained by simulating the historical production big data of the production equipment;
if the real-time uplink flow belongs to the standard uplink flow range and the real-time downlink flow belongs to the standard downlink flow range, generating a normal operation signal and prompting that the operation monitoring state is normal;
if at least one of the real-time uplink flow rate and the real-time downlink flow rate does not belong to the standard uplink flow rate range is established, generating an abnormal operation signal and marking the corresponding production equipment as verification equipment;
it should be noted that, in the embodiment of the invention, the operation state of the corresponding production equipment is subjected to preliminary monitoring analysis and classification through the monitored real-time uplink flow and real-time downlink flow, so that reliable support of local monitoring analysis data can be provided for the verification analysis of the abnormal state corresponding to the subsequent production equipment, and the efficiency of the monitoring analysis of the abnormal state of the subsequent production equipment is improved;
threat verification is carried out on the abnormality of the verification equipment according to the abnormal operation signal, threat verification analysis data are obtained, and the abnormal operation monitoring state is prompted; comprising the following steps:
acquiring a time point of generating an abnormal operation signal and marking the time point as a first analysis time point, wherein the unit of the first analysis time point is accurate to seconds, the unit of the same follow-up different time points is accurate to seconds, counting the total number ZC of occurrence of the abnormal operation signal of the verification device after the first analysis time point and the duration CS of each occurrence of the abnormal operation signal, wherein the unit of the duration is seconds, extracting the type weight of the corresponding mark of the verification device, the total number of occurrence of the abnormal operation signal and the value of the duration of each occurrence of the abnormal operation signal and passing through a formulaCalculating and acquiring threat corresponding to verification equipmentState coefficient Wz; wherein, w1 and w2 are constant coefficients larger than zero, and w1 is larger than w2; w1+w2=1, and constant coefficients in the formula can be set by those skilled in the art according to actual situations or obtained through a large number of data simulations;
the threat state coefficient is a numerical value for evaluating the threat state of the abnormal data of each aspect monitored by the production equipment by simultaneous calculation; the larger the threat state coefficient is, the more serious the threat state of the corresponding production equipment is;
when the threat state of the verification equipment is evaluated according to the threat state coefficient, if the threat state coefficient is smaller than the threat state threshold, generating a mild threat signal, marking the corresponding verification equipment as one type of equipment, acquiring the corresponding coordinate position of the verification equipment, implementing one type of alarm prompt, and marking the time point of the generation of the mild threat signal as a second analysis time point; the threat state threshold is obtained through simulation of historical threat big data corresponding to the production equipment;
if the threat state coefficient is not smaller than the threat state threshold, generating a severe threat signal, marking the corresponding verification equipment as a second class of equipment, acquiring the corresponding coordinate position of the verification equipment, implementing a second class of alarm prompt, and marking the time point of the severe threat signal generation as a third analysis time point; the units of the second analysis time point and the third analysis time point are accurate to seconds;
threat state coefficients and corresponding mild threat signals and second analysis time points, severe threat signals and third analysis time points form threat verification analysis data corresponding to verification equipment;
in the embodiment of the invention, threat verification is implemented on the verification equipment with abnormal operation monitoring state in the early monitoring analysis, threat state coefficients are obtained by carrying out simultaneous calculation on abnormal data of all aspects monitored by the production equipment, and threat states received by the production equipment are evaluated and marked according to the threat state coefficients, so that the threat state degree corresponding to the verification equipment with abnormal operation monitoring state can be obtained, reliable local data support can be provided for dynamic adjustment of network security threat identification and processing schemes of subsequent industrial Internet enterprises, and the diversity of network security threat identification, monitoring and analysis is improved.
The network security threat identification and processing scheme implemented by the verification equipment with abnormal operation monitoring states is traced and evaluated, and the network security threat identification and processing scheme implemented by the verification equipment with abnormal operation monitoring states is dynamically adjusted according to the evaluation result; comprising the following steps:
when the network security threat identification reaction aspect is evaluated, threat verification analysis data corresponding to verification equipment with abnormal operation monitoring state are obtained and traversed, and identification reaction time difference SF between a second analysis time point or a third analysis time point and a first analysis time point is respectively obtained according to a light threat signal or a heavy threat signal obtained through traversing; the unit of the identification reaction time length is seconds;
calculating the type weight corresponding to the identification reaction time difference and the verification equipment through a formula sf=LQ× (SF-SF 0 +alpha) to obtain the identification reaction degree Sf; wherein, alpha is a device network compensation factor, which can be obtained by performing simulation training on the current network data of the production device, wherein the network data comprises but is not limited to network speed and network delay;
the recognition reactivity is a numerical value for evaluating the recognition reaction state of the verification device by performing simultaneous calculation on the data of each aspect of the abnormality monitored and acquired by the verification device; the smaller the recognition reaction degree is, the better the abnormal recognition reaction state of the corresponding verification equipment is;
when the identification reaction of the verification equipment corresponding to the abnormal operation monitoring state is evaluated and classified according to the identification reaction degree, if the identification reaction degree is not more than zero, generating an identification reaction normal label;
if the recognition reactivity is greater than zero, generating a recognition reaction abnormal label;
the recognition reaction degree and the corresponding recognition reaction normal label or recognition reaction abnormal label form recognition reaction evaluation data;
when the evaluation is implemented from the aspect of network security threat processing reaction, threat verification analysis data corresponding to production equipment with abnormal operation monitoring states are obtained and traversed, a corresponding network security threat identification processing scheme of one type or a corresponding network security threat identification processing scheme of two types are implemented respectively according to a light threat signal or a heavy threat signal obtained through traversing, and a time point when the corresponding scheme starts to be processed is marked as a processing starting time point;
and acquiring a processing reaction time difference CF between the second analysis time point or the third analysis time point according to the processing start time point;
calculating the type weight corresponding to the processing reaction time difference and the verification equipment through a formula Cf=LQ× (CF/CF0+beta) to obtain the processing reaction degree Cf; wherein, beta is a processing network compensation factor, and can be obtained by performing simulation training on the current network data of the processing server;
the processing reactivity is a numerical value for evaluating the processing reaction state of the data of each aspect of the abnormality monitoring, identifying and processing of the verification device by simultaneous calculation; the smaller the recognition reaction degree is, the better the abnormal recognition reaction state of the corresponding verification equipment is;
when carrying out evaluation classification on the processing reaction of the verification equipment corresponding to the abnormal operation monitoring state according to the processing reaction degree, if the processing reaction degree is not more than K, generating a processing reaction normal label; k is a positive integer;
if the processing reactivity is greater than K, generating a processing reaction abnormal label;
the processing reaction degree and the corresponding processing reaction normal label or processing reaction abnormal label form processing reaction evaluation data;
identifying reaction evaluation data and processing the reaction evaluation data to form an evaluation result of the verification device;
when the network security threat identification and processing schemes which are implemented subsequently by the verification devices with abnormal running monitoring states are dynamically adjusted according to the evaluation results, the evaluation results corresponding to all the verification devices in the monitoring period are counted and traversed, the unit of the monitoring period is a day, specifically seven days, the total number of the identification reaction abnormal labels and the total number of the processing reaction abnormal labels which are obtained by the traversing are counted and marked as BZk, and k=1 and 2; BZ1 is the identification reaction abnormal label totalBZ2 is the total number of the abnormal labels of the processing reaction; extracting the number of the marked identification reaction abnormal labels and the number of the processed reaction abnormal labels and passing through a formulaCalculating an identification processing reaction coefficient Sck for network security threat identification in the acquisition stage, wherein Sc1 is the identification reaction coefficient and Sc2 is the processing reaction coefficient;
the identification processing reaction coefficient is a numerical value for integrally evaluating the identification reaction state and the processing reaction state of the stage by combining the monitoring analysis results of all the verification devices in the monitoring period;
when the identification state of the stage network security threat of the industrial Internet enterprise is evaluated according to the identification processing reaction coefficient, the identification reaction coefficient and the processing reaction coefficient are respectively compared and judged with a corresponding identification reaction threshold value and a corresponding processing reaction threshold value; the recognition reaction threshold and the processing reaction threshold are obtained through simulation of historical recognition processing big data corresponding to the generating equipment;
if the identification reaction coefficient is smaller than the identification reaction threshold value and the processing reaction coefficient is smaller than the processing reaction threshold value, generating a first identification reaction instruction and a first processing reaction instruction;
if the identification reaction coefficient is not smaller than the identification reaction threshold value and the processing reaction coefficient is not smaller than the processing reaction threshold value, generating a second identification reaction instruction and a second processing reaction instruction;
the first recognition reaction instruction or the second recognition reaction instruction and the first processing reaction instruction or the second processing reaction instruction form stage recognition evaluation data;
maintaining the implementation of the existing network security threat identification scheme and network security threat processing scheme according to the first identification reaction instruction and the first processing reaction instruction in the stage identification evaluation data, and updating and adjusting the implementation of the network security threat identification scheme and the network security threat processing scheme according to the second identification reaction instruction and the second processing reaction instruction in the stage identification evaluation data;
the implementation of the network security threat identification scheme and the network security threat processing scheme can improve the training update frequency of the identification data model and the processing data model through the existing technical means.
According to the embodiment of the invention, through carrying out data mining of different dimensions on the abnormal production equipment discovered by early monitoring and identification, the stage states of different aspects of industrial Internet enterprise network security threat identification processing can be obtained by carrying out evaluation from the aspect of network security threat identification reaction and the aspect of network security threat processing reaction, meanwhile, reliable data support can be provided for dynamic adjustment of subsequent processing schemes of different aspects, and the overall effects of monitoring analysis aspects and expansion mining aspects of industrial Internet enterprise network security threat identification and processing can be effectively improved by carrying out dynamic adjustment on the processing schemes of different aspects.
In addition, the formulas related in the above are all formulas for removing dimensions and taking numerical calculation, and are one formula closest to the actual situation obtained by collecting a large amount of data and performing software simulation.
In the several embodiments provided in the present invention, it should be understood that the disclosed method may be implemented in other manners. For example, the above-described embodiments of the invention are merely illustrative, and for example, the division of modules is merely a logical function division, and other manners of division may be implemented in practice.
The modules illustrated as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present invention may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module. The integrated modules may be implemented in hardware or in hardware plus software functional modules.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the essential characteristics thereof.
Finally, it should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made to the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention.

Claims (5)

1. The industrial Internet enterprise network security threat identification method based on asset mapping is characterized by comprising the following steps:
monitoring the operation states of different production equipment of an industrial Internet enterprise to obtain operation monitoring data, and analyzing and evaluating the operation monitoring data to obtain the operation monitoring states corresponding to the production equipment;
the network security threat identification and processing scheme implemented by the verification equipment with abnormal operation monitoring states is traced and evaluated, and the network security threat identification and processing scheme implemented by the verification equipment with abnormal operation monitoring states is dynamically adjusted according to the evaluation result;
when the network security threat identification reaction aspect is evaluated, threat verification analysis data corresponding to verification equipment with abnormal operation monitoring state are obtained and traversed, and identification reaction time difference SF between a second analysis time point or a third analysis time point and a first analysis time point is respectively obtained according to a light threat signal or a heavy threat signal obtained through traversing;
calculating the type weight corresponding to the identification reaction time difference and the verification equipment through a formula sf=LQ× (SF-SF 0 +alpha) to obtain the identification reaction degree Sf; wherein alpha is a device network compensation factor;
when the identification reaction of the verification equipment corresponding to the abnormal operation monitoring state is evaluated and classified according to the identification reaction degree, if the identification reaction degree is not more than zero, generating an identification reaction normal label;
if the recognition reactivity is greater than zero, generating a recognition reaction abnormal label;
the recognition reaction degree and the corresponding recognition reaction normal label or recognition reaction abnormal label form recognition reaction evaluation data;
when the evaluation is implemented from the aspect of network security threat processing reaction, threat verification analysis data corresponding to production equipment with abnormal operation monitoring states are obtained and traversed, a corresponding network security threat identification processing scheme of one type or a corresponding network security threat identification processing scheme of two types are implemented respectively according to a light threat signal or a heavy threat signal obtained through traversing, and a time point when the corresponding scheme starts to be processed is marked as a processing starting time point; acquiring a processing reaction time difference CF between the second analysis time point or the third analysis time point according to the processing starting time point;
calculating the type weight corresponding to the processing reaction time difference and the verification equipment through a formula Cf=LQ× (CF/CF0+beta) to obtain the processing reaction degree Cf; wherein, beta is a processing network compensation factor;
when carrying out evaluation classification on the processing reaction of the verification equipment corresponding to the abnormal operation monitoring state according to the processing reaction degree, if the processing reaction degree is not more than K, generating a processing reaction normal label; k is a positive integer; if the processing reactivity is greater than K, generating a processing reaction abnormal label;
the processing reaction degree and the corresponding processing reaction normal label or processing reaction abnormal label form processing reaction evaluation data;
identifying reaction evaluation data and processing the reaction evaluation data to form an evaluation result of the verification device;
when the network security threat identification and processing schemes which are implemented by the verification devices with abnormal different operation monitoring states are dynamically adjusted according to the evaluation results, the evaluation results corresponding to all the verification devices in the monitoring period are counted and traversed, and the total number of identification reaction abnormal labels and the total number of processing reaction abnormal labels which are obtained by the traversing are counted and marked as BZk, k=1 and 2; extracting the total number of the marked recognition reaction abnormal labels and processing the reaction abnormal labelsThe numerical value of the total number of the labels is calculated by the formulaCalculating an identification processing reaction coefficient Sck for network security threat identification in the acquisition stage, wherein Sc1 is the identification reaction coefficient and Sc2 is the processing reaction coefficient;
according to the recognition processing reaction coefficient, evaluating the stage network security threat recognition state of the industrial Internet enterprise to obtain stage recognition evaluation data composed of a first recognition reaction instruction or a second recognition reaction instruction and a first processing reaction instruction or a second processing reaction instruction;
when the identification state of the stage network security threat of the industrial Internet enterprise is evaluated according to the identification processing reaction coefficient, the identification reaction coefficient and the processing reaction coefficient are respectively compared and judged with a corresponding identification reaction threshold value and a corresponding processing reaction threshold value;
if the identification reaction coefficient is smaller than the identification reaction threshold value and the processing reaction coefficient is smaller than the processing reaction threshold value, generating a first identification reaction instruction and a first processing reaction instruction;
if the identification reaction coefficient is not smaller than the identification reaction threshold value and the processing reaction coefficient is not smaller than the processing reaction threshold value, generating a second identification reaction instruction and a second processing reaction instruction;
and updating and adjusting the implementation of the network security threat identification scheme and the network security threat processing scheme according to the second identification reaction instruction and the second processing reaction instruction in the stage identification evaluation data.
2. The method for identifying the network security threat of the industrial internet enterprise based on the asset mapping according to claim 1, wherein all production equipment and corresponding production numbers contained in the industrial internet enterprise are acquired, equipment names and equipment types corresponding to the production equipment are acquired according to the production numbers and are set as a first identifier and a second identifier respectively;
when the corresponding production equipment is subjected to digital processing according to the second identifier, traversing and matching the second identifier with an equipment type-weight table stored in a database to obtain corresponding type weight LQ;
and acquiring the real-time uplink flow and the real-time downlink flow corresponding to the production equipment according to the first identifier and the production number, and acquiring the standard uplink flow range and the real-time downlink flow range corresponding to the production equipment according to the second identifier.
3. The method for identifying the industrial internet enterprise network security threat based on asset mapping according to claim 2, wherein when the real-time running state of the production equipment is monitored and analyzed, the real-time uplink flow and the real-time downlink flow corresponding to the production equipment are respectively compared and judged with the corresponding standard uplink flow range and the real-time downlink flow range;
if the real-time uplink flow belongs to the standard uplink flow range and the real-time downlink flow belongs to the standard downlink flow range, generating a normal operation signal and prompting that the operation monitoring state is normal;
if at least one of the real-time uplink flow and the real-time downlink flow does not belong to the standard uplink flow ranges is established, generating an abnormal operation signal, marking corresponding production equipment as verification equipment, and carrying out threat verification on the abnormality of the verification equipment according to the abnormal operation signal to obtain threat verification analysis data and prompting the abnormal operation monitoring state.
4. The asset mapping-based industrial internet enterprise network security threat identification method of claim 3, wherein the threat verification analysis data obtaining step comprises:
acquiring a time point of generating an abnormal operation signal and marking the time point as a first analysis time point, counting the total times ZC of occurrence of the abnormal operation signal of the verification device after the first analysis time point and the duration CS of occurrence of each abnormal operation signal, extracting the type weight of the mark corresponding to the verification device, the total times of occurrence of the abnormal operation signal and the value of the duration of occurrence of each abnormal operation signal, and calculating and acquiring a threat state coefficient Wz corresponding to the verification device through a formula;
and evaluating the threat state of the verification equipment according to the threat state coefficient to obtain threat verification analysis data consisting of a mild threat signal, a second analysis time point, a severe threat signal and a third analysis time point.
5. The asset mapping-based industrial internet enterprise network security threat identification method of claim 4, wherein the threat state coefficients Wz are calculated as:the method comprises the steps of carrying out a first treatment on the surface of the Wherein, w1 and w2 are constant coefficients larger than zero, and w1 is larger than w2; w1+w2=1; when the threat state of the verification equipment is evaluated according to the threat state coefficient;
if the threat state coefficient is smaller than the threat state threshold, generating a mild threat signal, marking the corresponding verification equipment as one type of equipment, acquiring the corresponding coordinate position of the verification equipment, implementing one type of alarm prompt, and marking the time point of the mild threat signal generation as a second analysis time point;
if the threat state coefficient is not smaller than the threat state threshold, a severe threat signal is generated, the corresponding verification equipment is marked as a second class of equipment, the corresponding coordinate position of the verification equipment is obtained, the second class of alarm prompt is implemented, and the time point of the severe threat signal generation is marked as a third analysis time point.
CN202310981236.7A 2023-08-07 2023-08-07 Industrial Internet enterprise network security threat identification method based on asset mapping Active CN116708038B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310981236.7A CN116708038B (en) 2023-08-07 2023-08-07 Industrial Internet enterprise network security threat identification method based on asset mapping

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310981236.7A CN116708038B (en) 2023-08-07 2023-08-07 Industrial Internet enterprise network security threat identification method based on asset mapping

Publications (2)

Publication Number Publication Date
CN116708038A CN116708038A (en) 2023-09-05
CN116708038B true CN116708038B (en) 2023-10-13

Family

ID=87826207

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310981236.7A Active CN116708038B (en) 2023-08-07 2023-08-07 Industrial Internet enterprise network security threat identification method based on asset mapping

Country Status (1)

Country Link
CN (1) CN116708038B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117196416B (en) * 2023-11-07 2024-03-29 广州汇通国信科技有限公司 Equipment state monitoring system driven by industrial middle platform
CN117291555B (en) * 2023-11-24 2024-04-16 南通钜盛数控机床有限公司 Cooperative control system for manufacturing mechanical parts
CN118520472B (en) * 2024-07-24 2024-11-05 福建中信网安信息科技有限公司 Computer data safety monitoring method and system based on big data technology

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101820413A (en) * 2010-01-08 2010-09-01 中国科学院软件研究所 Method for selecting optimized protection strategy for network security
CN111600912A (en) * 2020-07-22 2020-08-28 四川新网银行股份有限公司 Network security policy management system
CN114553537A (en) * 2022-02-22 2022-05-27 上海帝焚思信息科技有限公司 Abnormal flow monitoring method and system for industrial Internet

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11503048B2 (en) * 2020-07-30 2022-11-15 Cisco Technology, Inc. Prioritizing assets using security metrics

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101820413A (en) * 2010-01-08 2010-09-01 中国科学院软件研究所 Method for selecting optimized protection strategy for network security
CN111600912A (en) * 2020-07-22 2020-08-28 四川新网银行股份有限公司 Network security policy management system
CN114553537A (en) * 2022-02-22 2022-05-27 上海帝焚思信息科技有限公司 Abnormal flow monitoring method and system for industrial Internet

Also Published As

Publication number Publication date
CN116708038A (en) 2023-09-05

Similar Documents

Publication Publication Date Title
CN116708038B (en) Industrial Internet enterprise network security threat identification method based on asset mapping
CN110417721B (en) Security risk assessment method, device, equipment and computer readable storage medium
CN106888205B (en) Non-invasive PLC anomaly detection method based on power consumption analysis
CN111475804A (en) Alarm prediction method and system
CN107154950A (en) A kind of method and system of log stream abnormality detection
CN112987675A (en) Method, device, computer equipment and medium for anomaly detection
CN111191720B (en) Service scene identification method and device and electronic equipment
CN117523299B (en) Image recognition method, system and storage medium based on computer network
CN117032415B (en) Equipment data supervision system and method based on temperature change
CN117439827B (en) Network flow big data analysis method
CN114338195A (en) Web traffic anomaly detection method and device based on improved isolated forest algorithm
CN110990788A (en) Bearing residual life prediction method based on ternary wiener process
CN111717753A (en) Self-adaptive elevator fault early warning system and method based on multi-dimensional fault characteristics
CN115296933B (en) Industrial production data risk level assessment method and system
CN105825130A (en) Information security early-warning method and device
CN110956112B (en) Novel high-reliability slewing bearing service life assessment method
CN115705413A (en) Method and device for determining abnormal log
CN117114420B (en) Image recognition-based industrial and trade safety accident risk management and control system and method
CN113670611A (en) Bearing early degradation evaluation method, system, medium and electronic equipment
CN113254485A (en) Real-time data flow abnormity detection method and system
CN118094531A (en) Safe operation and maintenance real-time early warning integrated system
CN107085544A (en) A kind of system mistake localization method and device
CN115741218B (en) Machine tool fault early warning method and system based on machining image analysis
CN118071144A (en) Intelligent factory production on-line monitoring system based on big data
CN117349903A (en) Safety protection management and control system based on data analysis

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant