CN116859804A - Safety situation monitoring and early warning system for ship manufacturing workshop - Google Patents
Safety situation monitoring and early warning system for ship manufacturing workshop
- Publication number: CN116859804A (application CN202310881584.7A)
- Authority: CN (China)
- Prior art keywords: data, analysis, situation, workshop, security
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B19/00—Programme-control systems
- G05B19/02—Programme-control systems electric
- G05B19/04—Programme control other than numerical control, i.e. in sequence controllers or logic controllers
- G05B19/042—Programme control other than numerical control, i.e. in sequence controllers or logic controllers using digital processors
- G05B19/0428—Safety, monitoring
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B2219/00—Program-control systems
- G05B2219/20—Pc systems
- G05B2219/24—Pc safety
- G05B2219/24024—Safety, surveillance
Abstract
The invention discloses a safety situation monitoring and early warning system for a ship manufacturing workshop. The system comprises an equipment sensing module, a data acquisition module, a function analysis module and a monitoring and early warning module. The equipment sensing module collects workshop data from the various terminal devices of the ship manufacturing workshop; the data acquisition module collects the workshop data and transmits it to the function analysis module; the function analysis module analyzes and manages the workshop security situation based on the workshop data; and the monitoring and early warning module displays the workshop situation and the workshop early warning response. The system is oriented to a ship manufacturing workshop: it performs standardized processing and real-time association analysis on the collected heterogeneous data, realizes security situation element extraction and association, security situation assessment and threat prediction, provides a basis for the user's security decisions, and can to some extent overcome the inability of an intrusion detection system to detect unknown intrusion behaviors.
Description
Technical Field
The invention belongs to the field of information security, and in particular relates to a safety situation monitoring and early warning system for a ship manufacturing workshop.
Background
With the rapid development of industrial informatization, the integration of industrialization and informatization is becoming ever more pronounced, and the industrial Internet is the prevailing trend. The industrial control systems and networks of ship manufacturing workshops likewise adopt the latest computer network technology to raise the level of integration, interconnection and informatized management between systems. To improve production efficiency and benefit, the industrial control network of the ship manufacturing workshop is increasingly opened up, and the security problems this brings have become an important factor restricting the integration of industrialization and informatization, the development of Industry 4.0 and the advancement of the industrial Internet.
At present, the number, scale, speed and variety of industrial network attacks on ship manufacturing workshops are continuously increasing, and existing traditional security defense tools and technologies have difficulty coping comprehensively with these novel attack behaviors.
(1) Many network security situation awareness models and systems have been proposed. Although different models and systems define their functions differently, most of the functions are substantially the same, and none is designed and developed for a specific industry, such as the characteristics of industrial workshops in the shipbuilding industry.
(2) The security defense system, production system and data system in a ship manufacturing workshop are essentially built independently, so interconnection and intercommunication of data resources cannot be achieved and the data barriers form information islands. The overall security situation of the workshop network cannot be comprehensively perceived and acquired, and each system can obtain effective information from only one side. As a result, operation and maintenance personnel cannot identify abnormal behaviors in the network or analyze and assess their degree of harm, and the capability to handle emergencies through network security management and emergency response decision-making is reduced.
Disclosure of Invention
In view of these problems, the invention aims to provide a safety situation monitoring and early warning system for a ship manufacturing workshop.
The specific technical scheme for achieving this purpose is as follows:
a safety situation monitoring and early warning system for a ship manufacturing workshop comprises an equipment sensing module, a data acquisition module, a function analysis module and a monitoring and early warning module;
the equipment sensing module collects workshop data from the various terminal devices of the ship manufacturing workshop;
the data acquisition module acquires the workshop data and transmits it to the function analysis module;
the function analysis module analyzes and manages the workshop security situation based on the workshop data;
the monitoring and early warning module displays workshop situations and the workshop early warning response.
Further, the equipment sensing module comprises the terminal systems of the ship manufacturing workshop, manufacturing equipment, industrial control equipment, operation and maintenance equipment, security equipment and network equipment.
Further, the data acquisition module comprises a log acquisition unit, a flow acquisition unit and an importing unit;
the log acquisition unit acquires terminal logs, security logs, file logs, system logs, application logs and operation and maintenance logs;
the flow acquisition unit collects industrial gateway data, industrial detection system data, security audit system data, host protection system data, vulnerability scanning system data and security isolation device data;
the importing unit imports other required workshop data as needed.
Further, the function analysis module comprises a core function unit, a management support unit and a data analysis unit;
the data analysis unit preprocesses the data acquired by the data acquisition layer and then performs local analysis and global analysis;
the core function unit performs situation analysis and assessment of the ship manufacturing workshop based on the data analysis results;
the management support unit provides management support functions for the system based on the workshop data.
Further, the data analysis unit comprises a local analysis and a global analysis;
the local analysis acquires data from the data acquisition layer, preprocesses it and transmits it to the global analysis; the global analysis performs classification learning on the current security data and the historical security data to form rules, and transmits the resulting classification method back to the local analysis; the local analysis then performs local association analysis of the data based on that classification learning;
global situation analysis is then carried out based on the current security data, the historical security data and the local association analysis results.
Further, the core function unit comprises security response, IT operation and maintenance and fault investigation, compliance audit, policy audit, attack and threat detection, business statistical analysis, situation analysis and situation assessment;
the situation analysis aggregates network security events and eliminates redundancy, performs network security event association analysis based on attack scenarios, identifies alarm information, classifies repeated alarms, groups alarms by time and similarity, and provides data for the situation assessment;
the situation assessment is based on the data and the network security event data, and determines the assessment results for the network's various indices through ternary data fusion situation assessment;
the security response responds to the situation assessment results and comprises an intra-system response and an extra-system response: in the intra-system response, corresponding security response measures are taken within the system; in the extra-system response, the network security situation indices are adjusted by sending a prompt to the network administrator;
the IT operation and maintenance and fault investigation collects the various logs in the system and extracts information including time stamps, visitor IP addresses, behavior categories and response states from them; when the network has problems, it rapidly determines the location and cause of the fault by centrally analyzing the logs of routers and firewall equipment and by automated and interactive association analysis; it determines the root cause and starting point of a network interruption by analyzing the time-sequence relationship of the network interruption logs; and it rapidly discovers power supply, board card and interface faults of network equipment;
the compliance audit collects the logs of the IT infrastructure and application systems in the system, stores them centrally in a distributed non-relational database that supports horizontal elastic expansion, describes the logs structurally, and at the same time stores the original logs for later investigation and evidence collection;
the policy audit, through log acquisition and flow acquisition, audits the source IP address, login time and login user information in the login logs to judge whether a server has been accessed from an unauthorized IP or host, by an unauthorized user, or at an unauthorized time; for mail account password length, it judges whether any mail account has a password shorter than 8 characters by collecting the detection logs of the intrusion detection system;
the attack and threat detection performs association analysis on the access connection logs and security equipment logs over a period of time, and various threats and attack behaviors in the network are discovered in real time through centralized association analysis of the logs;
the business statistical analysis performs the corresponding statistical analysis on the various logs of the system.
Further, the management support unit comprises algorithm library management, model library management, patch management, dictionary configuration, log management, backup management, user management and tool management, so as to manage all the databases and functions in the system.
Further, the network security event association analysis based on attack scenarios specifically comprises:
first filtering the parsed logs and flow data and extracting information fields to form an event queue; constructing an association analysis engine together with a rule base; using the association analysis engine to define the association relationships of the same attack scenario; organizing the scattered data records into a complete attack scenario; and finally reconstructing the attack process.
Further, the ternary data fusion situation assessment specifically comprises:
fusing the screened and processed information into a new, complete information base, which in turn supports the construction of a network security situation assessment model:
(1) data source information fusion: determining the attack occurrence support probability for each device;
(2) probability-based situation element fusion: using the obtained attack occurrence support probability to determine the support probability that the threat's attack on a host node succeeds;
(3) key node situation fusion: solving for the overall value of the network security situation, plotting it as a time-security situation curve, and predicting and analyzing the network security situation over a future period.
Compared with the prior art, the invention has the following beneficial effects:
(1) Massive security data contains a large amount of redundancy, is not easy to manage directly, and single event records cannot reflect the overall attack threat. The invention therefore provides network security event association analysis based on attack scenarios: an event queue is formed by filtering the parsed logs and flow data and extracting information fields, an association analysis engine is constructed together with a rule base, the engine is used to define the association relationships of the same attack scenario, scattered data records are organized into a complete attack scenario, and finally the attack process is reconstructed, providing reliable support for data management and future security situation prediction;
(2) For threat data in the network that is multi-source, complex and of fuzzy relevance, ternary data fusion situation assessment is provided: the screened and processed data are fused into a new, complete database, the potential dangerous features and danger-relevance information in the network information are modeled and assessed, and once simplified threat data and a clear data-relevance result are obtained, the information is summarized to the monitoring and early warning layer, so that the security manager can conveniently and accurately grasp the network security situation;
(3) The scheme is oriented to a ship manufacturing workshop and targets its data characteristics, solving the problems of continuous data growth, complex types and diverse sources in security analysis; it also uses user and entity behavior analysis technology to effectively detect advanced persistent malicious attacks and internal illegal behaviors; the system integrates various network security factors to evaluate the network security situation in real time from a macroscopic angle, realizes security linkage and timely blocking once a threat is found, provides a basis for the decision analysis of enterprise informatization management departments, and protects the customer's core assets;
(4) The scheme realizes the interconnection and intercommunication of the data resources of the ship manufacturing workshop, breaks down the data barriers, comprehensively perceives the overall security situation of the network, obtains effective information from all aspects, and realizes real-time monitoring and prediction of the overall network security situation of the ship manufacturing workshop.
Drawings
Fig. 1 is a schematic diagram of a security situation monitoring and early warning system architecture for a ship manufacturing shop.
Fig. 2 is a schematic diagram of a situation element extraction process according to the present invention.
Fig. 3 is a schematic diagram of a network security event association analysis flow based on an attack scenario according to the present invention.
Fig. 4 is a schematic diagram of a ternary data fusion situation evaluation flow of the present invention.
Detailed Description
Examples
Referring to fig. 1, a safety situation monitoring and early warning system for a ship manufacturing workshop comprises an equipment sensing module, a data acquisition module, a function analysis module and a monitoring and early warning module;
the equipment sensing module collects workshop data from the various terminal devices of the ship manufacturing workshop;
the data acquisition module acquires the workshop data and transmits it to the function analysis module;
the function analysis module analyzes and manages the workshop security situation based on the workshop data;
the monitoring and early warning module displays workshop situations and the workshop early warning response.
Further, the equipment sensing module includes the terminal systems of the ship manufacturing workshop (such as operator stations, engineer stations and intelligent instruments), manufacturing equipment (such as cutting machine tools, forging equipment and power machinery), industrial control equipment (such as programmable controllers, industrial control computers and numerical control systems), operation and maintenance equipment (such as weak-current systems and air conditioning systems), security equipment (such as cameras, infrared detectors and alarms), and network equipment (security devices such as intrusion detection systems, industrial control vulnerability scanning systems and industrial security audit systems, together with switches, routers and firewalls).
The data acquisition module provides data support for the whole system and comprises a log acquisition unit, a flow acquisition unit and an importing unit;
the log acquisition unit acquires terminal logs, security logs, file logs, system logs, application logs and operation and maintenance logs;
the flow acquisition unit collects industrial gateway data, industrial detection system data, security audit system data, host protection system data, vulnerability scanning system data and security isolation device data;
the importing unit imports other required workshop data, such as supervisory data and virus data, as needed.
The function analysis module comprises a core function unit, a management support unit and a data analysis unit;
the data analysis unit preprocesses the data acquired by the data acquisition layer and then performs local analysis and global analysis;
the core function unit performs situation analysis and assessment of the ship manufacturing workshop based on the data analysis results;
the management support unit provides management support functions for the system based on the workshop data.
The data analysis unit comprises a local analysis and a global analysis;
the local analysis acquires data from the data acquisition layer, preprocesses it and transmits it to the global analysis; the global analysis performs classification learning on the current security data and the historical security data to form rules, and transmits the resulting classification method back to the local analysis; the local analysis then performs local association analysis of the data based on that classification learning;
global situation analysis is then carried out based on the current security data, the historical security data and the local association analysis results.
This analysis mechanism can obtain both local situation elements and global situation elements, as shown in fig. 2.
Further, the core function unit comprises security response, IT operation and maintenance and fault investigation, compliance audit, policy audit, attack and threat detection, business statistical analysis, situation analysis and situation assessment;
the situation analysis aggregates network security events and eliminates redundancy, performs network security event association analysis based on attack scenarios, identifies alarm information, classifies repeated alarms, groups alarms by time and similarity, and provides data for the situation assessment;
the network security event association analysis based on attack scenarios is specifically as follows:
with reference to fig. 3, the parsed logs and flow data are first filtered and the information fields are extracted to form an event queue; an association analysis engine is constructed together with the rule base; the engine is used to define the association relationships of the same attack scenario; the scattered data records are organized into a complete attack scenario; and finally the attack process is reconstructed.
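The flow above, as an added Python illustration that is not code from the patent: constructed parsed records are filtered into an event queue, consecutive repeats of one alarm are merged (the aggregation and redundancy elimination step of the situation analysis), and a rule-based association engine chains stages for one source and destination pair into a reconstructed attack process. The record fields, the rule format and the scenario itself are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed parsed records as they might leave the log and flow parsers.
# Field names (ts, src, dst, category, detail) are an assumption of this example.
RAW_RECORDS = [
    {"ts": "2024-03-01 08:00:05", "src": "10.1.1.50", "dst": "10.1.2.10", "category": "ids_scan",  "detail": "tcp portscan"},
    {"ts": "2024-03-01 08:00:06", "src": "10.1.1.50", "dst": "10.1.2.10", "category": "ids_scan",  "detail": "tcp portscan"},  # repeated alarm
    {"ts": "2024-03-01 08:03:10", "src": "10.1.1.50", "dst": "10.1.2.10", "category": "auth_fail", "detail": "user=engineer"},
    {"ts": "2024-03-01 08:03:12", "src": "10.1.1.50", "dst": "10.1.2.10", "category": "auth_fail", "detail": "user=engineer"},
    {"ts": "2024-03-01 08:03:15", "src": "10.1.1.50", "dst": "10.1.2.10", "category": "auth_fail", "detail": "user=engineer"},
    {"ts": "2024-03-01 08:04:01", "src": "10.1.1.50", "dst": "10.1.2.10", "category": "auth_ok",   "detail": "user=engineer"},
    {"ts": "2024-03-01 08:05:00", "src": "10.1.1.50", "dst": "10.1.2.10", "category": "plc_write", "detail": "register=40001"},
    {"ts": "2024-03-01 09:30:00", "src": "10.1.1.77", "dst": "10.1.2.11", "category": "auth_fail", "detail": "user=operator"},
    {"ts": "2024-03-01 09:30:20", "src": "10.1.1.77", "dst": "10.1.2.11", "category": "auth_ok",   "detail": "user=operator"},
    {"ts": "2024-03-01 10:00:00", "src": "10.1.1.90", "dst": "10.1.2.12", "category": "heartbeat", "detail": "ok"},
]

# Attack-scenario rules (assumed format): ordered stages that must all occur for one
# (src, dst) pair within `window`; each stage needs at least `min_count` merged records.
SCENE_RULES = {
    "scan -> brute force -> takeover -> control change": {
        "window": timedelta(minutes=30),
        "stages": [("ids_scan", 1), ("auth_fail", 3), ("auth_ok", 1), ("plc_write", 1)],
    },
}


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    category: str
    detail: str
    count: int = 1   # number of raw records merged into this event


def build_event_queue(records, dedup_window=timedelta(seconds=60)):
    """Filter parsed records and extract fields into a time-ordered event queue.
    Records without security meaning are dropped, and consecutive repeats of the
    same alarm inside dedup_window are merged (aggregation and redundancy elimination)."""
    queue = []
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["category"] == "heartbeat":
            continue
        ev = Event(datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S"),
                   r["src"], r["dst"], r["category"], r["detail"])
        last = queue[-1] if queue else None
        if (last is not None
                and (last.src, last.dst, last.category, last.detail)
                == (ev.src, ev.dst, ev.category, ev.detail)
                and ev.ts - last.ts <= dedup_window):
            last.count += 1          # same alarm repeated: keep one event, bump the counter
        else:
            queue.append(ev)
    return queue


def correlate(queue, rules=SCENE_RULES):
    """Association engine: per (src, dst) pair, walk the event queue in time order and
    match each rule's stages in sequence. Returns the reconstructed attack scenarios
    with their ordered evidence events (the rebuilt attack process)."""
    by_pair = {}
    for ev in queue:
        by_pair.setdefault((ev.src, ev.dst), []).append(ev)
    scenes = []
    for (src, dst), events in by_pair.items():
        for name, rule in rules.items():
            evidence, stage, seen, start = [], 0, 0, None
            for ev in events:
                category, min_count = rule["stages"][stage]
                if ev.category != category:
                    continue               # not the stage we are waiting for
                if start is None:
                    start = ev.ts
                if ev.ts - start > rule["window"]:
                    break                  # too spread out to belong to one scenario
                evidence.append(ev)
                seen += ev.count
                if seen >= min_count:
                    stage, seen = stage + 1, 0
                    if stage == len(rule["stages"]):
                        scenes.append({
                            "rule": name, "src": src, "dst": dst,
                            "start": evidence[0].ts, "end": evidence[-1].ts,
                            "process": [(e.ts.strftime("%H:%M:%S"), e.category, e.count)
                                        for e in evidence],
                        })
                        break
    return scenes


if __name__ == "__main__":
    for scene in correlate(build_event_queue(RAW_RECORDS)):
        print(scene["rule"], scene["src"], "->", scene["dst"])
        for step in scene["process"]:
            print("   ", *step)
```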
The situation assessment is based on the data and the network security event data, and determines the assessment results for the network's various indices through ternary data fusion situation assessment;
referring to fig. 4, the ternary data fusion situation assessment is specifically as follows:
the screened and processed information is fused into a new, complete information base, which in turn supports the construction of a network security situation assessment model:
(1) data source information fusion: determining the attack occurrence support probability for each device;
(2) probability-based situation element fusion: using the obtained attack occurrence support probability to determine the support probability that the threat's attack on a host node succeeds;
(3) key node situation fusion: solving for the overall value of the network security situation, plotting it as a time-security situation curve, and predicting and analyzing the network security situation over a future period.
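The three fusion steps above, as an added example that is not from the patent: the patent names the steps but not their formulas, so the noisy-OR source fusion, the occurrence-times-vulnerability success probability, the importance-weighted situation value and the linear one-step forecast are all assumed concrete choices, as are the node weights, source reliabilities and observations.

```python
from math import prod

# Reliability weight of each data source feeding the fusion (assumed values).
SOURCE_RELIABILITY = {"ids": 0.9, "firewall": 0.6, "host_agent": 0.8}

# Key nodes of the workshop network: criticality weight and a vulnerability factor,
# i.e. the assumed share of relevant weaknesses on the node that are exploitable.
NODES = {
    "plc-01":   {"importance": 1.0, "vuln": 0.7},
    "hmi-02":   {"importance": 0.6, "vuln": 0.2},
    "file-srv": {"importance": 0.3, "vuln": 0.5},
}

# Constructed observations, one dict per time window: node -> {source: confidence}.
WINDOWS = [
    {},                                                                # quiet window
    {"plc-01": {"ids": 0.5}},                                          # one weak signal
    {"plc-01": {"ids": 0.9, "firewall": 0.5, "host_agent": 0.7},       # three sources agree
     "hmi-02": {"firewall": 0.5}},
]


def fuse_sources(observations):
    """Step 1, data source information fusion: combine the reliability-weighted
    confidences of independent sources with a noisy-OR to obtain the attack
    occurrence support probability for one node (0 when nothing was observed)."""
    return 1 - prod(1 - SOURCE_RELIABILITY[src] * conf for src, conf in observations.items())


def attack_success_probability(p_occurrence, vuln):
    """Step 2, probability-based situation element fusion: the attack on the host node
    succeeds only if it occurs and the node is vulnerable to it (treated as independent)."""
    return p_occurrence * vuln


def situation_value(window_obs, nodes=NODES):
    """Step 3, key node situation fusion: importance-weighted mean of the per-node
    attack success probabilities, scaled to 0..100 (higher means a worse situation)."""
    total_importance = sum(n["importance"] for n in nodes.values())
    acc = 0.0
    for name, node in nodes.items():
        p_occ = fuse_sources(window_obs.get(name, {}))
        acc += node["importance"] * attack_success_probability(p_occ, node["vuln"])
    return round(100 * acc / total_importance, 2)


def predict_next(curve, k=3):
    """Extrapolate the time-security situation curve one window ahead with a
    least-squares line through its last k points, clipped to the 0..100 scale."""
    pts = curve[-k:]
    n = len(pts)
    if n < 2:
        return pts[-1]
    mean_x, mean_y = (n - 1) / 2, sum(pts) / n
    slope = (sum((x - mean_x) * (y - mean_y) for x, y in enumerate(pts))
             / sum((x - mean_x) ** 2 for x in range(n)))
    return round(min(100.0, max(0.0, mean_y + slope * (n - mean_x))), 2)


def assess(windows):
    """Run the three steps over consecutive windows; return the curve and the forecast."""
    curve = [situation_value(w) for w in windows]
    return {"curve": curve, "forecast": predict_next(curve)}


if __name__ == "__main__":
    result = assess(WINDOWS)
    print("time-security situation curve:", result["curve"])
    print("predicted next window:", result["forecast"])
```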
The security response responds to the situation assessment results and comprises an intra-system response and an extra-system response: in the intra-system response, corresponding security response measures are taken within the system; in the extra-system response, the network security situation indices are adjusted by sending a prompt to the network administrator;
the IT operation and maintenance and fault investigation collects the various logs in the system and extracts information including time stamps, visitor IP addresses, behavior categories and response states from them; when the network has problems, it rapidly determines the location and cause of the fault by centrally analyzing the logs of routers and firewall equipment and by automated and interactive association analysis; it determines the root cause and starting point of a network interruption by analyzing the time-sequence relationship of the network interruption logs; and it rapidly discovers power supply, board card and interface faults of network equipment;
the compliance audit collects the logs of the IT infrastructure and application systems in the system, stores them centrally in a distributed non-relational database that supports horizontal elastic expansion, describes the logs structurally, and at the same time stores the original logs for later investigation and evidence collection. The system also helps users remove the various compliance constraints that impede operation, and centrally provides the necessary log files to developers and application system administrators so that production failures can be analyzed and troubleshot without requesting the corresponding data from individual server administrators. Problems can thus be resolved quickly with less manpower; the production servers themselves need not be accessed, so production operation is unaffected, and the organization's security compliance audit of server access is satisfied.
The policy audit, through log acquisition and flow acquisition, audits the source IP address, login time and login user information in the login logs to judge whether a server has been accessed from an unauthorized IP or host, by an unauthorized user, or at an unauthorized time; for mail account password length, it judges whether any mail account has a password shorter than 8 characters by collecting the detection logs of the intrusion detection system; for security policy audit, the log analysis function is combined with the organization's security policy and provides complete evidence for tracing, replacing the tedious manual audit process.
The attack and threat detection performs association analysis on access connection logs and the logs of security equipment such as IDS/IPS over a period of time. By centrally analyzing a large number of log entries that share the same source and destination addresses, the system can find that their destination port numbers differ and vary widely; combined with the scan logs detected by the IDS, it can then determine that this is purposeful port scanning and probing from that source address. For the various security scenarios, the various threats and attack behaviors in the network are discovered in real time through centralized association analysis of the logs;
the business statistical analysis performs the corresponding statistical analysis on the various logs of the system. The business system logs of government and enterprise customers can provide a basis for the customers' business analysis, and the system helps operation and maintenance managers collect and analyze the business system logs and perform the corresponding statistics. For the access logs of an application system, the system can perform statistical analysis by visitor source IP; statistics on the names of accessing users can identify active and inactive users over a period of time.
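The policy audit just described, as an added example that is not from the patent: constructed login-log lines are checked against an assumed per-host policy of permitted source addresses, accounts and hours, and mail accounts with passwords shorter than 8 characters are extracted from constructed IDS detection-log lines. The log formats, the policy and the IDS event shape are assumptions.

```python
import re
from datetime import datetime, time

# Constructed login-log lines in an assumed key=value format.
LOGIN_LOG = """\
2024-03-01T07:55:10 host=eng-ws-01 user=engineer src=10.1.1.21 result=success
2024-03-01T12:10:44 host=eng-ws-01 user=engineer src=10.1.1.21 result=success
2024-03-01T23:41:02 host=eng-ws-01 user=engineer src=10.1.1.21 result=success
2024-03-01T09:02:00 host=eng-ws-01 user=contractor src=192.168.50.9 result=success
2024-03-01T10:15:30 host=plc-gw-02 user=operator src=10.1.1.40 result=failed
"""

# Constructed intrusion-detection-system log lines. The patent says the mail password
# length check is fed from the IDS detection log; the event shape here is assumed.
IDS_LOG = """\
2024-03-01T06:00:00 event=mail_pw_policy account=alice@shipyard.example pwd_len=12
2024-03-01T06:00:00 event=mail_pw_policy account=bob@shipyard.example pwd_len=6
2024-03-01T06:00:01 event=portscan src=10.1.1.50 dst=10.1.2.10
"""

# Organisation security policy (assumed): per host, the permitted source addresses,
# permitted accounts and permitted login hours.
POLICY = {
    "eng-ws-01": {"allowed_src": {"10.1.1.21", "10.1.1.22"},
                  "allowed_users": {"engineer"},
                  "allowed_hours": (time(7, 0), time(19, 0))},
    "plc-gw-02": {"allowed_src": {"10.1.1.40"},
                  "allowed_users": {"operator"},
                  "allowed_hours": (time(0, 0), time(23, 59, 59))},
}
MIN_MAIL_PASSWORD_LEN = 8

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<iso timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_text, _, rest = line.partition(" ")
    record = dict(KV.findall(rest))
    record["ts"] = datetime.fromisoformat(ts_text)
    return record


def audit_logins(log_text, policy=POLICY):
    """Policy audit of login logs: flag source addresses, accounts and login times that
    the policy does not authorise for the accessed host. Every line is checked, failed
    attempts included, since a denied attempt from the wrong place still matters."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        rule = policy.get(rec["host"])
        if rule is None:
            findings.append(("unknown_host", rec["host"], rec["user"], rec["src"]))
            continue
        if rec["src"] not in rule["allowed_src"]:
            findings.append(("unauthorized_source", rec["host"], rec["user"], rec["src"]))
        if rec["user"] not in rule["allowed_users"]:
            findings.append(("unauthorized_user", rec["host"], rec["user"], rec["src"]))
        start, end = rule["allowed_hours"]
        if not (start <= rec["ts"].time() <= end):
            findings.append(("unauthorized_time", rec["host"], rec["user"], rec["ts"].isoformat()))
    return findings


def audit_mail_passwords(ids_text, min_len=MIN_MAIL_PASSWORD_LEN):
    """Return the mail accounts whose reported password length is below the policy minimum."""
    return [rec["account"] for rec in map(parse_line, ids_text.splitlines())
            if rec.get("event") == "mail_pw_policy" and int(rec["pwd_len"]) < min_len]


if __name__ == "__main__":
    for finding in audit_logins(LOGIN_LOG):
        print(*finding)
    print("weak mail passwords:", audit_mail_passwords(IDS_LOG))
```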
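The port-scan case above, as an added example that is not from the patent: constructed connection records are grouped by source and destination, the 60-second window with the most distinct destination ports is located for each pair, and a hit is corroborated against constructed IDS scan records. The record layout, the window size and the port threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-connection records (timestamp, src, dst, dst_port); field set assumed.
SCANNER = "10.1.1.50"
TARGET = "10.1.2.10"
PROBE_PORTS = [21, 22, 23, 25, 80, 102, 135, 443, 445, 502, 1433, 3389]
CONN_LOG = (
    # one source touching twelve different ports on one host inside 12 seconds
    [(f"2024-03-01T08:00:{i:02d}", SCANNER, TARGET, port) for i, port in enumerate(PROBE_PORTS)]
    # a SCADA poller: many connections to the same host, always the same port
    + [(f"2024-03-01T08:00:{i:02d}", "10.1.1.21", TARGET, 502) for i in range(15)]
    # a slow probe, one new port per minute: too spread out for a 60 s window
    + [(f"2024-03-01T08:{10 + i:02d}:00", "10.1.1.77", "10.1.2.11", port)
       for i, port in enumerate(PROBE_PORTS)]
)

# Constructed IDS detection records (timestamp, src, dst, signature).
IDS_SCAN_LOG = [("2024-03-01T08:00:05", SCANNER, TARGET, "TCP portscan")]


def detect_port_scans(conn_log, ids_log, window=timedelta(seconds=60), min_ports=10):
    """Group connections by (src, dst). For each pair find the window holding the most
    distinct destination ports; at or above min_ports the pair is a suspected scan, and
    an IDS scan record for the same pair near that window confirms it."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in conn_log:
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), port))
    ids_by_pair = defaultdict(list)
    for ts, src, dst, signature in ids_log:
        ids_by_pair[(src, dst)].append((datetime.fromisoformat(ts), signature))

    findings = []
    for (src, dst), conns in by_pair.items():
        conns.sort()
        best_count, best_start = 0, None
        for i, (start, _) in enumerate(conns):          # each record opens a candidate window
            ports = {p for t, p in conns[i:] if t - start <= window}
            if len(ports) > best_count:
                best_count, best_start = len(ports), start
        if best_count < min_ports:
            continue
        corroborated = any(best_start - window <= t <= best_start + 2 * window
                           for t, _ in ids_by_pair.get((src, dst), []))
        findings.append({"src": src, "dst": dst, "distinct_ports": best_count,
                         "window_start": best_start.isoformat(),
                         "confidence": "confirmed" if corroborated else "suspected"})
    return findings


if __name__ == "__main__":
    for finding in detect_port_scans(CONN_LOG, IDS_SCAN_LOG):
        print(finding)
```

The slow probe is deliberately missed by a 60-second window, which is the trade-off the window size sets; widening it catches slower scans at the cost of more lookups per pair.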
Further, the management support unit comprises algorithm library management, model library management, patch management, dictionary configuration, log management, backup management, user management and tool management, and manages the various databases and functions in the system:
(1) Algorithm library management: detects suspicious and abnormal behaviors, implementing the algorithm after modeling a specific business object;
(2) Model library management: establishes detection models based on network metadata and the like and detects suspicious and abnormal behaviors; the models support modeling of specific business objects;
(3) Patch management: mainly completes the management of vulnerability and patch information;
(4) Dictionary configuration: mainly completes the adding, deleting, changing and querying of basic dictionary information in the system;
(5) Log management: mainly completes the management of network log information during system operation, such as user operation logs and system management logs;
(6) Backup management: mainly completes the backup of data information during system operation; the basic information base and the network security event base formed during data acquisition need to be backed up;
(7) User management: mainly completes user information management, function permission configuration and the like;
(8) Tool management: integrates basic network tools such as ping and telnet.
The monitoring and early warning module comprises a comprehensive situation, an asset situation, an attack situation, a comprehensive panel, a threat panorama, attack early warning and security warning. It provides the display and early warning functions for monitoring the industrial control network situation of the ship manufacturing workshop, displays the overall network security situation in all respects, completes the display of the overall situation and asset security situation of the workshop area, and provides friendly man-machine interfaces.
The system relies on multi-source data extraction, network security event association based on attack scenarios and situation assessment based on ternary data fusion. It is oriented to ship manufacturing workshops, introduces artificial intelligence and big data, performs standardized processing and real-time association analysis on the collected heterogeneous data, realizes security situation element extraction and association, security situation assessment and threat prediction, provides a basis for the security decisions of enterprise security personnel, and can to some extent overcome the inability of an intrusion detection system to detect unknown intrusion behaviors.
The foregoing embodiments illustrate and describe the basic principles, principal features of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, and that the above embodiments and descriptions are merely illustrative of the principles of the present invention, and various changes and modifications may be made without departing from the spirit and scope of the invention, which is defined in the appended claims.
Claims (9)
1. The safety situation monitoring and early warning system for the ship manufacturing workshop is characterized by comprising an equipment sensing module, a data acquisition module, a functional analysis module and a monitoring and early warning module;
the equipment sensing module collects workshop data based on various terminal equipment of a ship manufacturing workshop;
the data acquisition module acquires workshop data and transmits the workshop data to the function analysis module;
the function analysis module is used for analyzing and managing the workshop safety situation based on workshop data;
the monitoring and early warning module is used for displaying workshop situations and workshop early warning response.
2. The ship manufacturing shop oriented security situation monitoring and early warning system according to claim 1, wherein the equipment sensing module comprises a ship manufacturing shop terminal system, manufacturing equipment, industrial control equipment, operation and maintenance equipment, security equipment and network equipment.
3. The ship manufacturing shop oriented security situation monitoring and early warning system according to claim 1, wherein the data acquisition module comprises a log acquisition unit, a flow acquisition unit and an importing unit;
the log acquisition unit acquires a terminal log, a security log, a file log, a system log, an application log and an operation and maintenance log;
the flow acquisition unit comprises industrial gateway data, industrial detection system data, security audit system data, host protection system data, vulnerability scanning system data and security isolation device data;
the importing unit imports other needed workshop data according to the requirement.
4. The ship manufacturing shop oriented security situation monitoring and early warning system according to claim 1, wherein the functional analysis module comprises a core functional unit, a management support unit and a data analysis unit;
the data analysis unit performs local analysis and global analysis after preprocessing based on the data acquired by the data acquisition layer;
the core functional unit performs situation analysis and assessment of the ship manufacturing workshop based on the data analysis result;
the management support unit provides management support functions for the system based on the shop data.
5. The ship manufacturing shop oriented security situation monitoring and early warning system of claim 4, wherein the data analysis unit comprises a local analysis and a global analysis;
the local analysis acquires data from the data acquisition layer, performs data preprocessing, and transmits the data to the global analysis; the global analysis forms rules through classification learning based on the current safety data and the historical safety data and transmits the classification method back to the local analysis; the local analysis then carries out local association analysis of the data based on that classification learning;
and global situation analysis is carried out based on the current safety data, the historical safety data and the local association analysis result.
6. The ship manufacturing shop oriented security situation monitoring and early warning system of claim 4, wherein the core functional units include security response, IT operation and maintenance and fault investigation, compliance auditing, policy auditing, attack and threat detection, business statistics analysis, situation analysis and situation assessment;
the situation analysis is used for carrying out aggregation and redundancy elimination on the network security events, carrying out network security event association analysis based on attack scenes, identifying alarm information, carrying out classification processing on repeated alarms, carrying out alarm classification according to time and similarity, and providing data for situation assessment;
the situation assessment is based on data and network security event data, and various index assessment results of the network are determined through ternary data fusion situation assessment;
the safety response is based on situation assessment result response, and comprises intra-system response and extra-system response, wherein corresponding safety response measures are made in the system during the intra-system response, and the extra-system response adjusts network safety situation indexes by sending a prompt to a network administrator;
the IT operation and maintenance and fault investigation is used for collecting various logs in the system and extracting from them information including time stamps, visitor IP addresses, behavior categories and response states; when the network has problems, the position and cause of the fault are rapidly determined by centrally analyzing router and firewall logs and by automated and interactive association analysis; the root cause and starting point of a network interruption are determined by analyzing the time sequence relation of the interruption logs; and power supply, board card and interface faults of network equipment are rapidly found;
the compliance audit is used for collecting logs of IT infrastructure and application systems in the system, storing the logs in a distributed non-relational database in a centralized manner, supporting horizontal elastic expansion, carrying out structural description on the logs, and simultaneously storing the original logs for later investigation and evidence collection;
the policy audit judges, by auditing the source IP address, login time and login user information in the login logs obtained through log acquisition and flow acquisition, whether the server is accessed from an unauthorized IP and whether the host and user are accessed at unauthorized times; for the password length of mail accounts, it judges whether any mail account has a password shorter than 8 characters by collecting the detection log of the intrusion detection system;
the attack and threat detection performs association analysis on the access-connection logs of the security equipment within a period of time, and discovers multiple threats and attack behaviors in the network in real time through centralized association analysis of the logs;
the business statistical analysis aims at various logs of the system and carries out corresponding statistical analysis.
7. The ship manufacturing shop oriented security situation monitoring and early warning system according to claim 4, wherein the management support unit comprises algorithm library management, model library management, patch management, dictionary configuration, log management, backup management, user management and tool management, and management of various databases and functions in the system is achieved.
8. The ship manufacturing shop oriented security situation monitoring and early warning system according to claim 6, wherein the network security event association analysis based on the attack scenario is specifically:
firstly, filtering the analyzed logs and flow, extracting information fields to form an event queue, constructing an association analysis engine with rules, defining association relation of the same attack scene by using the association analysis engine, organizing scattered data records into complete attack scenes, and finally reconstructing an attack process.
9. The ship manufacturing shop oriented safety situation monitoring and early warning system according to claim 6, wherein the ternary data fusion situation assessment is specifically:
fusing the screened and processed information into a new complete information base, and further supporting the construction of a network security situation assessment model:
data source information fusion: determining the device attack occurrence support probability;
probability-based situation element fusion: determining the support probability that the threat successfully attacks the host node, using the obtained attack occurrence support probability;
key node situation fusion: solving the overall value of the network security situation, drawing it as a time-security situation curve, and predicting and analyzing the network security situation over a future period of time.
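Claim 6 describes two log-driven functions, field extraction for IT operation and maintenance (time stamp, visitor IP, behavior category, response state) and the policy audit (unauthorized IP, unauthorized time, mail passwords shorter than 8 characters). The following Python example, added here and not part of the patent, shows one way these checks can be run over log records. The key=value log format, the authorized network 10.20.0.0/16, the shift window 06:00 to 22:00, and a detection log that reports only the password length are assumptions made for the example; the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, time
from typing import Any, Dict, List

# Constructed sample login-log lines in an assumed key=value format
# (timestamp, visitor IP, behaviour category, user, response state).
# One malformed line is included to show that extraction skips it.
SAMPLE_LOGIN_LOG = """\
2023-07-18T08:05:12 src=10.20.1.15 action=login user=operator01 result=success
2023-07-18T12:40:03 src=10.20.1.15 action=logout user=operator01 result=success
2023-07-18T23:17:45 src=10.20.1.22 action=login user=maint02 result=success
2023-07-19T09:02:10 src=203.0.113.77 action=login user=admin result=failure
2023-07-19T09:02:31 src=203.0.113.77 action=login user=admin result=success
this line is malformed and must be skipped
"""

# Constructed sample from a detection system that reports only the length of a
# mail-account password, never the password itself (assumed format).
SAMPLE_DETECTION_LOG = """\
2023-07-18T10:00:00 check=mail_password account=ops@workshop.example pwd_len=12
2023-07-18T10:00:01 check=mail_password account=qa@workshop.example pwd_len=6
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>\S+) action=(?P<action>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)
PWD_RE = re.compile(r"account=(?P<acct>\S+) pwd_len=(?P<n>\d+)")

# Assumed policy: logins only from the workshop LAN and only during shift hours.
AUTHORIZED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
SHIFT_START, SHIFT_END = time(6, 0), time(22, 0)
MIN_PASSWORD_LEN = 8


def parse_login_log(text: str) -> List[Dict[str, Any]]:
    """Extract timestamp, visitor IP, behaviour category and response state
    from each line; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": ipaddress.ip_address(m["ip"]),
            "action": m["action"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def audit_logins(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Flag login events from an unauthorized IP or at an unauthorized time.
    Refused attempts are reported too, marked by their response state, so the
    analyst sees both what was blocked and what got through."""
    findings = []
    for ev in events:
        if ev["action"] != "login":
            continue
        reasons = []
        if not any(ev["ip"] in net for net in AUTHORIZED_NETWORKS):
            reasons.append("unauthorized_ip")
        if not SHIFT_START <= ev["ts"].time() <= SHIFT_END:
            reasons.append("unauthorized_time")
        if reasons:
            findings.append({
                "ts": ev["ts"].isoformat(),
                "ip": str(ev["ip"]),
                "user": ev["user"],
                "result": ev["result"],
                "reasons": reasons,
            })
    return findings


def weak_mail_accounts(text: str, min_len: int = MIN_PASSWORD_LEN) -> List[str]:
    """Return mail accounts whose reported password length is below the minimum."""
    return [m["acct"] for m in PWD_RE.finditer(text) if int(m["n"]) < min_len]


if __name__ == "__main__":
    for finding in audit_logins(parse_login_log(SAMPLE_LOGIN_LOG)):
        print(finding)
    print("weak mail accounts:", weak_mail_accounts(SAMPLE_DETECTION_LOG))
```

On the constructed input the audit yields three findings: the maintenance login at 23:17 (outside the shift window) and both admin attempts from 203.0.113.77 (outside the authorized network), the first of which was refused and the second accepted. Keeping the refused attempt in the output is deliberate, since the sequence failure-then-success from one outside address is what the claim 8 association step later looks for.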
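Claim 6 (situation analysis) calls for aggregating and de-duplicating repeated alarms by time and similarity, and claim 8 describes forming an event queue, applying an association engine with rules, and reconstructing the attack process of one attack scene. The following Python example, added here and not the patent's own engine, carries both steps through on constructed alarms. The alarm tuple layout, the 60-second merge window, the "same source, destination and category" notion of similarity, and the single four-stage scene rule are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: datetime
    src: str        # source address of the observed activity
    dst: str        # affected host
    kind: str       # normalized category assigned during field extraction
    count: int = 1  # raw alarms merged into this record


# Constructed alarms as a collector would emit them after field extraction:
# (timestamp, source, destination, category). Three scan alarms and two
# failed-login alarms repeat within seconds and should be merged.
RAW_ALARMS: List[Tuple[str, str, str, str]] = [
    ("2023-07-18T09:00:00", "203.0.113.77", "10.20.5.10", "port_scan"),
    ("2023-07-18T09:00:05", "203.0.113.77", "10.20.5.10", "port_scan"),
    ("2023-07-18T09:00:09", "203.0.113.77", "10.20.5.10", "port_scan"),
    ("2023-07-18T09:03:12", "203.0.113.77", "10.20.5.10", "login_failure"),
    ("2023-07-18T09:03:40", "203.0.113.77", "10.20.5.10", "login_failure"),
    ("2023-07-18T09:04:02", "203.0.113.77", "10.20.5.10", "login_success"),
    ("2023-07-18T09:10:30", "203.0.113.77", "10.20.5.10", "config_change"),
    ("2023-07-18T09:30:00", "10.20.1.15", "10.20.5.10", "login_failure"),
    ("2023-07-18T11:00:00", "10.20.1.15", "10.20.5.10", "login_success"),
]

# Assumed scene rule: the stages must occur in this order between one source and
# one destination, and the whole chain must fit inside max_span.
SCENE_RULE = {
    "name": "remote_intrusion_chain",
    "stages": ["port_scan", "login_failure", "login_success", "config_change"],
    "max_span": timedelta(hours=1),
}


def deduplicate(raw, window: timedelta = timedelta(seconds=60)) -> List[Event]:
    """Redundancy elimination: alarms with the same (src, dst, kind) that arrive
    within `window` of the first one are merged; the count is kept so the
    intensity of the activity is not lost."""
    merged: List[Event] = []
    last: Dict[Tuple[str, str, str], Event] = {}
    for ts, src, dst, kind in sorted(raw):  # ISO timestamps sort lexically
        ev_ts = datetime.fromisoformat(ts)
        key = (src, dst, kind)
        prev = last.get(key)
        if prev is not None and ev_ts - prev.ts <= window:
            prev.count += 1
            continue
        ev = Event(ev_ts, src, dst, kind)
        merged.append(ev)
        last[key] = ev
    return merged


def associate(events: List[Event], rule=SCENE_RULE) -> List[dict]:
    """Walk the event queue per (src, dst) pair and match the rule's stages in
    order; a complete match reconstructs the attack process as a timeline."""
    by_pair: Dict[Tuple[str, str], List[Event]] = {}
    for ev in events:
        by_pair.setdefault((ev.src, ev.dst), []).append(ev)
    scenes = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e.ts)
        steps: List[Event] = []
        cursor = datetime.min
        for stage in rule["stages"]:
            nxt = next((e for e in evs if e.kind == stage and e.ts >= cursor), None)
            if nxt is None:
                break  # chain incomplete for this pair
            steps.append(nxt)
            cursor = nxt.ts
        complete = len(steps) == len(rule["stages"])
        if complete and steps[-1].ts - steps[0].ts <= rule["max_span"]:
            scenes.append({
                "rule": rule["name"], "src": src, "dst": dst,
                "timeline": [(e.ts.isoformat(), e.kind, e.count) for e in steps],
            })
    return scenes


if __name__ == "__main__":
    for scene in associate(deduplicate(RAW_ALARMS)):
        print(scene)
```

The nine raw alarms collapse to six events, and only the 203.0.113.77 to 10.20.5.10 pair completes the rule; the isolated failed and successful logins from the workstation 10.20.1.15 never match because no scan stage precedes them, which is the filtering the claim relies on to keep ordinary operator activity out of the reconstructed scene.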
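Claim 9 names three fusion stages but gives no formulas. The following Python example, added here and not the patent's own model, is one concrete reading of the three stages: a noisy-OR over data sources for the attack occurrence support probability, a product with vulnerability-scan evidence for the host attack success probability, and an importance-weighted mean over key nodes for the overall situation value, followed by a least-squares trend for the prediction. The source reliabilities, node importances and the three constructed snapshots are all assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Assumed reliability of each data source feeding stage 1 (constructed values).
SOURCE_RELIABILITY = {"ids": 0.8, "host_protection": 0.9, "security_audit": 0.6}

# Constructed snapshots at three successive times. Per key node: its weight in
# the workshop, the vulnerability-scan indication that it carries the exploited
# weakness (0..1), and the per-source confidence that an attack occurred.
SNAPSHOTS: List[Dict[str, dict]] = [
    {"plc01": {"importance": 3, "vulnerable": 0.5, "evidence": {"ids": 0.0}},
     "hmi01": {"importance": 1, "vulnerable": 1.0, "evidence": {}}},
    {"plc01": {"importance": 3, "vulnerable": 0.5, "evidence": {"ids": 0.5}},
     "hmi01": {"importance": 1, "vulnerable": 1.0, "evidence": {"host_protection": 0.0}}},
    {"plc01": {"importance": 3, "vulnerable": 0.5,
               "evidence": {"ids": 1.0, "security_audit": 1.0}},
     "hmi01": {"importance": 1, "vulnerable": 1.0, "evidence": {"host_protection": 0.5}}},
]


def attack_occurrence_probability(evidence: Dict[str, float]) -> float:
    """Stage 1, data source fusion: noisy-OR of the per-source confidences, each
    discounted by its source reliability; unknown sources get 0.5."""
    p_none = 1.0
    for source, conf in evidence.items():
        p_none *= 1.0 - conf * SOURCE_RELIABILITY.get(source, 0.5)
    return round(1.0 - p_none, 4)


def attack_success_probability(p_occur: float, host_vulnerable: float) -> float:
    """Stage 2, situation element fusion: an attack that occurred succeeds on the
    host node only to the degree the node carries the exploited weakness."""
    return round(p_occur * host_vulnerable, 4)


def overall_situation_value(node_probs: Dict[str, Tuple[float, float]]) -> float:
    """Stage 3, key node fusion: importance-weighted mean of success
    probabilities; 0 means no key node is threatened, 1 means all are."""
    total_w = sum(w for w, _ in node_probs.values())
    return round(sum(w * p for w, p in node_probs.values()) / total_w, 4)


def predict_next(curve: List[float]) -> float:
    """Least-squares linear trend of the curve, extrapolated one step and
    clamped to [0, 1]; a single point simply repeats itself."""
    n = len(curve)
    x_mean = (n - 1) / 2
    y_mean = sum(curve) / n
    denom = sum((x - x_mean) ** 2 for x in range(n))
    slope = 0.0 if denom == 0 else sum(
        (x - x_mean) * (y - y_mean) for x, y in zip(range(n), curve)) / denom
    return round(min(1.0, max(0.0, y_mean + slope * (n - x_mean))), 4)


def situation_timeline(snapshots: List[Dict[str, dict]]) -> Tuple[List[float], float]:
    """Run the three stages on every snapshot to draw the time-situation curve,
    then predict the next point of the curve."""
    curve = []
    for snap in snapshots:
        node_probs = {}
        for node, info in snap.items():
            p_occur = attack_occurrence_probability(info["evidence"])
            p_succ = attack_success_probability(p_occur, info["vulnerable"])
            node_probs[node] = (info["importance"], p_succ)
        curve.append(overall_situation_value(node_probs))
    return curve, predict_next(curve)


if __name__ == "__main__":
    curve, nxt = situation_timeline(SNAPSHOTS)
    print("time-situation curve:", curve, "predicted next:", nxt)
```

On the constructed snapshots the curve rises from 0.0 through 0.15 to 0.4575 as the IDS and audit evidence against the PLC accumulates, and the trend predicts 0.66 for the next period. Two points matter for a practitioner: the source reliability weights keep a single noisy sensor from driving the value on its own, and the vulnerability term means an attack observed against a patched node does not raise the situation value, which is the role the vulnerability-scan data in claim 3 plays in the assessment.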
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310881584.7A CN116859804A (en) | 2023-07-18 | 2023-07-18 | Safety situation monitoring and early warning system for ship manufacturing workshop |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116859804A true CN116859804A (en) | 2023-10-10 |
Family
ID=88226649
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN118313673A (en) * | 2024-06-11 | 2024-07-09 | 青岛大数华创科技有限公司 | Laboratory security situation sensing system based on multidimensional data analysis |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||