Specific embodiment
For a better understanding of the present invention, the system of the invention is further described below with reference to the embodiments shown in the accompanying drawings.
Numerous details are given in the following detailed description so that the present invention can be fully understood. Those skilled in the art will appreciate, however, that the present invention may be practised without these details. In the embodiments, well-known methods, processes and components are not described in detail, so as not to make the embodiments unnecessarily cumbersome.
Referring to figure 1 and figure 2, the present invention provides a power network security defence warning system, comprising:
a security control module, for monitoring the security state information of the network hosts in the electric power network and sending the monitored security state information in real time to the zone management module corresponding to each network host;
a zone management module, for acquiring the available-communication-node network management configuration information through the central switch of the network in which each network host is located, detecting the real-time communication state of the corresponding network, combining this with the security state information sent by the security control module to form network security real-time information, and sending that information to the safety analysis module;
a composite defence module, for receiving the available-communication-node network management configuration information acquired by the zone management module and providing security protection for edge access at the terminals of the electric power network;
a safety analysis module, for receiving the network security real-time information sent by the zone management module and performing network security analysis for each network;
a real-time alarm module, for raising and displaying a real-time alarm for each security risk found by the analysis, sending the real-time alarm information and the network security analysis result information to the central server of the zone concerned, and storing the real-time alarm information and the network security analysis result report as historical data.
Preferably, the security control module sends the monitored security state information in real time to the zone management module corresponding to the network host using an encrypted communication mode.
Preferably, the system also includes a policy development module, for formulating the corresponding power network security defence policies according to the security posture information of the network obtained by the central server from the analysis, combined with application needs and security regulations.
Preferably, the composite defence module specifically includes:
a resource pool module, for forming a network communication node resource pool from all network communication nodes in the received available-communication-node network management configuration information, which provides the pool of candidate resources for the later dynamic selection and auto-association of network links;
a link module, for constructing the network link auto-association space by randomly selecting available network communication nodes to form the available link space;
a negotiation module, for executing the network link auto-association negotiation process between the two communicating parties, negotiating the selection of the current communication link, and periodically performing dynamic negotiated adjustment of the communication link.
Preferably, the zone management module acquires the available-communication-node network management configuration information through the central switch of the network in which each network host is located, wherein the available-communication-node network management configuration information includes network address information, port information and protocol information.
Preferably, the network address is an IPv4 address or an IPv6 address.
Preferably, the resource pool module forms a network communication node resource pool from all network communication nodes in the received available-communication-node network management configuration information and provides the pool of candidate resources for the later dynamic selection and auto-association of network links,
wherein all available address information forms the address pool $I = \{ip_1, ip_2, \ldots, ip_m\}$; a port is the address at which an application-layer protocol process interacts across layers with the transport entity, its usable range is 0 to 65535, and after removing the first 1024 well-known ports 64512 usable ports remain, all available port information forming the port pool $P = \{port_1, port_2, \ldots, port_n\}$; protocols include network communication protocols, data encryption protocols, data compression algorithms and the like, all allowed protocol information forming the protocol pool $\Psi = \{pro_1, pro_2, \ldots, pro_s\}$.
A node network management configuration $e$ is a triple of address, port and protocol, a single node network management configuration being $e_i = (ip_i, port_i, pro_i)$, and the node network management configuration state space is as follows:
$E = I \times P \times \Psi = \{(ip_i, port_j, pro_k) \mid 1 \le i \le m,\ 1 \le j \le n,\ 1 \le k \le s\}$
Preferably, the link module constructs the network link auto-association space by randomly selecting available network communication nodes to form the available link space, and specifically: it randomly selects a plurality of candidate communication links from the available communication node resource pool by means of pseudo-random numbers, and pseudo-randomly selects and configures information such as the communication port and protocol;
The network link auto-association space $EH$ is the five-tuple formed by the node network management configuration state space $E$, the pseudo-random sequence set $\Phi$, the automated topological correlation graph node network management configuration state set $\Omega$, the correlation condition $C$ and the network link auto-association transfer relation $\delta$, i.e. $EH = (E, \Phi, \Omega, C, \delta)$.
$\Phi_1, \Phi_2, \Phi_3$ are the pseudo-random sequences generated by the pseudo-random function; they define the node network management configuration association sequences for the three classes address, port and protocol respectively, and the two communicating parties carry out association and communication according to the node network management configuration mapped by the sequence. The pseudo-random sequence guarantees the randomness of network link auto-association and reduces the attacker's ability to match the network topology, so that an attacker finds it hard to grasp the correlation law of the target host, which increases the difficulty of the attacker's probing.
$\Omega$ is the set of network management configurations of all nodes constituting the topological correlation graph, where $\Omega(t)$ is the node network management configuration used by the system at moment $t$.
$C$ is the condition that triggers network link auto-association, such as receiving a certain confirmation message, reaching an agreed time or sending a certain number of data packets; $C = (c_1, c_2, \ldots, c_p)$ characterises the different trigger conditions.
$\delta$ denotes the process by which, under correlation condition $c_i$, the node network management configuration used by the two communicating parties transfers from state $\Omega(t_i)$ to state $\Omega(t_{i+1})$, and satisfies:
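The following is an added example, not code from the patent, showing how the resource pool, the pseudo-random association sequences and the transfer relation described above fit together. It assumes a keyed PRF (HMAC-SHA256) standing in for the patent's unnamed pseudo-random function, a shared secret already held by both parties, and constructed sample pools; the pool values, the packet-count trigger and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed sample pools (illustrative values, not taken from the patent).
ADDRESS_POOL = ["10.10.1.1", "10.10.1.2", "10.10.1.3", "10.10.1.4"]  # I = {ip_1 .. ip_m}
PORT_POOL = list(range(1024, 65536))             # P: the 64512 ports above the well-known range
PROTOCOL_POOL = ["tcp", "udp", "tls"]            # Psi = {pro_1 .. pro_s}

# One trigger condition c_i from the set C (assumed value): packets sent on the current link.
PACKETS_PER_LINK = 100


def state_space_size(addresses, ports, protocols):
    """|E| = |I| * |P| * |Psi| for E = I x P x Psi."""
    return len(addresses) * len(ports) * len(protocols)


def prf(secret: bytes, label: bytes, index: int) -> int:
    """Keyed pseudo-random function (HMAC-SHA256) standing in for the patent's pseudo-random
    function; each label yields one sequence: Phi_1 (address), Phi_2 (port), Phi_3 (protocol)."""
    mac = hmac.new(secret, label + index.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def node_config(secret: bytes, index: int) -> tuple:
    """Omega(t_index): the configuration e = (ip, port, pro) both parties derive for step index.
    The 256-bit PRF output makes the modulo bias over 64512 ports negligible."""
    return (
        ADDRESS_POOL[prf(secret, b"addr", index) % len(ADDRESS_POOL)],
        PORT_POOL[prf(secret, b"port", index) % len(PORT_POOL)],
        PROTOCOL_POOL[prf(secret, b"proto", index) % len(PROTOCOL_POOL)],
    )


def candidate_links(secret: bytes, count: int) -> list:
    """The link module's candidate link space: `count` pseudo-randomly chosen configurations."""
    return [node_config(secret, i) for i in range(count)]


def transfer(index: int, packets_sent: int, ack_received: bool) -> int:
    """delta: advance from Omega(t_i) to Omega(t_{i+1}) only when a trigger condition in C holds;
    otherwise the current configuration stays in use."""
    if packets_sent >= PACKETS_PER_LINK or ack_received:
        return index + 1
    return index
```

A party that does not hold the secret obtains a different sequence, which is the property the text relies on to make the configuration law hard to grasp.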
Preferably, the negotiation module executes the network link auto-association negotiation process between the two communicating parties, negotiates the selection of the current communication link and periodically performs dynamic negotiated adjustment of the communication link, and specifically: the two communicating parties execute the network link auto-association negotiation process, one or more communication links are chosen from the candidate communication links as the actual communication links, and the network link auto-association negotiation adjustment process is executed again at intervals, realising composite defence against network attacks based on homomorphic communication links.
Network link auto-association may be a single-point association by one communicating party, a peer association between the two communicating parties, or even a cooperative association among multiple communication objects. The present invention therefore provides a correlation method for peer association. The method allows multiple independent transport-layer nodes on a network link auto-association channel; the master station side and the client each declare their own topological correlation graph to the communication object, the topological correlation graphs are exchanged in both directions, and secure communication then proceeds according to the agreed topological correlation graphs, wherein the correlation procedure on the master station side is executed by the power grid master station topological correlation agent.
The negotiation module, which executes the network link auto-association negotiation process between the two communicating parties, negotiates the selection of the current communication link and periodically performs dynamic negotiated adjustment of the communication link, specifically includes:
a request message sending module: when a client supporting network link auto-association prepares to communicate with the master station side, it first sends a conventional request message to the master station side, using the client private key $K_{rc}$ to sign the client identity $ID_c$, the network link auto-association support flag and the time stamp $T_1$ at which the request message is sent;
a first signature verification module: the master station side records the time $T_2$ at which the message is received and performs signature verification using the client public key $K_{uc}$ to verify the legitimacy of the client identity (if the master station side does not support network link auto-association, it ignores the message);
an auto-association communication module: after the client identity is authenticated successfully, the master station side immediately switches to the network link auto-association communication mode and sends a response message to the client, using the master station private key $K_{rs}$ to sign the master station identity $ID_s$, the master station network link automated topological correlation graph $HP_s$ and the time stamp $T_3$ at which the response message is sent;
a second signature verification module: the client records the time $T_4$ at which the message is received and performs signature verification using the master station public key $K_{us}$ to verify the legitimacy of the master station identity;
a response message sending module: after the master station identity is authenticated successfully, the client sends a response message to the master station side, using the client private key $K_{rc}$ to sign the client network link automated topological correlation graph $HP_c$ and the time stamp $T_4$ at which the response message is sent;
a time drift computing module: the master station side computes the time drift of the two parties $\theta = (T_2 - T_1 + T_3 - T_4)/2$ from the time stamps $T_1, T_2, T_3, T_4$ and sends it to the client;
a synchronous correction module: the client synchronously corrects its local time according to the time drift $\theta$ and switches to the network link auto-association communication mode;
a secure communication module: the client and the master station side communicate securely according to the given network link automated topological correlation graphs $HP_s$ and $HP_c$;
a period update module: when the life cycle $T_h$ of the topological correlation graph expires, the network link automated topological correlation graph is updated.
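The negotiation exchange above, as an added example that is not the patent's own code: each message carries the fields the text names, each receiver verifies before acting, and the master derives $\theta$ from $T_1$ to $T_4$. It assumes HMAC-SHA256 under a per-party key as a stand-in for the patent's public-key signatures (so one party's $K_r$ and $K_u$ coincide here), millisecond clock readings that are constructed rather than measured, and the message field and function names are assumptions.

```python
import hashlib
import hmac
import json

# Stand-in for the patent's public-key signatures: HMAC-SHA256 under a per-party key, so one
# party's signing key Kr and verification key Ku coincide here (a real deployment uses key pairs).
def sign(key: bytes, body: dict) -> str:
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, msg: dict) -> bool:
    body = {k: v for k, v in msg.items() if k != "sig"}
    return hmac.compare_digest(sign(key, body), msg.get("sig", ""))

def client_request(krc: bytes, id_c: str, t1: int) -> dict:
    # Step 1: client signs (IDc, auto-association support flag, send time T1) with Krc.
    body = {"id": id_c, "auto_assoc": True, "t1": t1}
    return dict(body, sig=sign(krc, body))

def master_response(krs: bytes, kuc: bytes, req: dict, id_s: str, hp_s: list, t3: int):
    # Step 2: master verifies the request with Kuc; a request without the support flag or with a
    # bad signature is ignored (None). On success it signs (IDs, HPs, send time T3) with Krs.
    if req is None or not req.get("auto_assoc") or not verify(kuc, req):
        return None
    body = {"id": id_s, "hp_s": hp_s, "t3": t3}
    return dict(body, sig=sign(krs, body))

def client_response(krc: bytes, kus: bytes, resp: dict, hp_c: list, t4: int):
    # Step 3: client verifies the master with Kus, then signs (HPc, T4) with Krc.
    if resp is None or not verify(kus, resp):
        return None
    body = {"hp_c": hp_c, "t4": t4}
    return dict(body, sig=sign(krc, body))

def time_drift(t1: int, t2: int, t3: int, t4: int) -> float:
    # Step 4: theta = (T2 - T1 + T3 - T4) / 2, the master clock's offset from the client clock;
    # with symmetric one-way delays the delay terms cancel.
    return (t2 - t1 + t3 - t4) / 2

def run_handshake(krc, kuc, krs, kus, t1, t2, t3, t4, hp_s, hp_c):
    """Drive all steps with constructed clock readings; returns (theta, HPs, HPc) or None on failure."""
    req = client_request(krc, "client-01", t1)
    resp = master_response(krs, kuc, req, "master-01", hp_s, t3)
    ack = client_response(krc, kus, resp, hp_c, t4)
    if ack is None or not verify(kuc, ack):
        return None
    theta = time_drift(req["t1"], t2, resp["t3"], ack["t4"])  # T2 is the master's own record
    return theta, resp["hp_s"], ack["hp_c"]
```

With the client clock reading 1,000,000 ms at $T_1$, a master clock 5,000 ms ahead and 200 ms one-way delay, the readings 1,005,200 / 1,005,300 / 1,000,500 give $\theta$ = 5,000 ms, which the client then adds to its local time.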
Compared with the prior art, the present invention has the following notable advantages: the invention proposes a power network security defence warning system that achieves comprehensive individual monitoring, zone monitoring, composite defence, safety analysis and real-time alarming for the electric power network, and solidly and comprehensively protects the security of the entire electric power network. In particular, two or more communicating parties can, through an initial data exchange and centralised random negotiation, determine the communication topological correlation graph and correlation time, and during communication establish dynamic communication links within the agreed set of available network nodes according to the agreed topological correlation graph; an eavesdropper finds it hard to grasp the law of node network management configuration in the communication topology and therefore hard to track the whole communication process. During network link auto-association, legitimate entities maintain normal communication using the correct node network management configuration, while unauthorised entities, unable to learn the node network management configuration of legitimate entities, find it hard to mount an effective attack. At the same time, the master station side and the client can securely update the topological correlation graph under specific circumstances, guaranteeing to the greatest extent the randomness shown by network link auto-association and increasing the time and space complexity of carrying out an attack, so as to achieve the goal of active defence against information security attacks.
Only preferred embodiments of the present invention are described here, and they are not intended to limit the scope, applicability or configuration of the invention. On the contrary, the detailed description of the embodiments enables those skilled in the art to implement them. It will be understood that changes and modifications may be made to the details without departing from the spirit and scope of the invention as determined by the appended claims.