CN115102738A - Equipment base station health situation perception system and method based on network attack trend - Google Patents


Publication number: CN115102738A
Authority: CN (China)
Prior art keywords: network attack; network; vulnerability; equipment; industrial control
Legal status: Granted; Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202210679718.2A
Other languages: Chinese (zh)
Other versions: CN115102738B (en
Inventors: 陈良汉, 洪超, 钟海维
Current Assignee: Zhuhai Hongrui Information Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Zhuhai Hongrui Information Technology Co Ltd
Application filed by Zhuhai Hongrui Information Technology Co Ltd
Priority to CN202210679718.2A
Publication of CN115102738A
Application granted
Publication of CN115102738B

Abstract

The invention discloses a system and a method for sensing the health situation of a device base station based on network attack trend. The method comprises the following steps. Step S100: constructing a network attack early warning model, and establishing association relations between different network attacks and different equipment vulnerabilities. Step S200: identifying and judging the vulnerability association relations existing among network attacks. Step S300: obtaining in real time, according to the current equipment operation data of the industrial control computer equipment end, a plurality of early warning network attacks predicted by the network attack early warning model, and calculating a first network attack trend value for the current industrial control computer equipment end. Step S400: calculating a second network attack trend value for the current industrial control computer equipment end. Step S500: integrating the first network attack trend value and the second network attack trend value to obtain a comprehensive network attack trend value of the current industrial control computer equipment end, and feeding back early warning information to a base station connected with the industrial control computer equipment end based on the comprehensive network attack trend value.

Description

Equipment base station health situation perception system and method based on network attack trend
Technical Field
The invention relates to the technical field of information security, in particular to a system and a method for sensing health situation of a device base station based on network attack tendency.
Background
The industrial control computer equipment end, which sends control instructions to the industrial control equipment through the connected base station, is vital to the whole industrial control process. Once the industrial control computer equipment end suffers continuous network attacks and those attacks show a trend, the control instructions it sends to the industrial control equipment become less accurate, and the instructions are more likely to be tampered with or stolen.
Generally, because of configuration differences, different computer devices exhibit their internal vulnerabilities in different ways, and for the same reason their repair capabilities under different network attacks also differ. Grasping the network attack trend therefore means analyzing the relation between vulnerability repair and network attack that different computer equipment ends exhibit under different network attacks.
Disclosure of Invention
The invention aims to provide a system and a method for sensing health situation of a device base station based on network attack tendency, so as to solve the problems in the background technology.
In order to solve the technical problems, the invention provides the following technical scheme: a health situation perception method of a device base station based on a network attack trend comprises the following steps:
step S100: constructing a network attack early warning model based on various equipment operation data of an industrial control computer equipment terminal before suffering different network attacks historically; based on a historical log running rule, establishing an association relation between different network attacks and different equipment vulnerabilities;
step S200: based on the incidence relation between each network attack and different equipment vulnerabilities, identifying and judging the vulnerability incidence relation existing between the network attacks; capturing associated network attacks for each network attack based on the identification and judgment result of the vulnerability association relation, and respectively obtaining an associated network attack set corresponding to each network attack;
step S300: obtaining in real time, according to the current equipment operation data of the industrial control computer equipment end, a plurality of early warning network attacks predicted by the network attack early warning model; calculating a first network attack trend value $\varphi_1$ for the current industrial control computer equipment end based on the distribution of association relations among the plurality of early warning network attacks;
step S400: calculating a second network attack trend value $\varphi_2$ for the current industrial control computer equipment end based on analysis of the repair time of all the associated vulnerabilities corresponding to the early warning network attacks;
step S500: integrating the first network attack trend value and the second network attack trend value to obtain the comprehensive network attack trend value $\varphi_{\mathrm{Heald}} = \varphi_1 \times \varphi_2$ of the current industrial control computer equipment end; when the comprehensive network attack trend value $\varphi_{\mathrm{Heald}}$ is larger than the comprehensive network attack trend value threshold, feeding back early warning information to the base station connected with the industrial control computer equipment end, stopping sending control instructions to the industrial control computer equipment, and informing technicians to overhaul and maintain the equipment of the industrial control computer equipment end.
Further, step S100 includes:
step S101: respectively extracting various equipment performance parameters of the industrial control computer equipment end before the industrial control computer equipment end is historically subjected to different network attacks; respectively converting each equipment performance parameter into a plurality of structured data units, correspondingly converting the plurality of structured data units into a plurality of matrix data, and setting the plurality of matrix data as a plurality of characteristic vectors of each equipment operation data of the industrial control computer equipment end before suffering different network attacks; respectively carrying out data training on a plurality of characteristic vectors through a deep neural network, and correspondingly establishing a network attack early warning model;
step S102: extracting historical running logs of the industrial control computer equipment end, and extracting bug fixing instructions executed by the industrial control computer equipment end when different types of network attacks appear in the historical running logs; acquiring equipment bugs existing at equipment ends of the industrial control computer when different types of network attacks appear on the basis of the bug fixing instruction, and respectively establishing association relations between the acquired equipment bugs and the corresponding network attacks;
step S103: and respectively searching all equipment vulnerabilities with incidence relation to each network attack to respectively obtain incidence vulnerability sets corresponding to different network attacks.
Further, step S200 includes:
step S201: for each kind of network attack, finding the other kinds of network attacks whose corresponding associated vulnerability sets contain both the same equipment vulnerabilities and different equipment vulnerabilities, and preliminarily judging that a vulnerability association relation exists between the current kind of network attack and those other kinds of network attacks; for a network attack A, the set of network attacks preliminarily judged to have a vulnerability association relation with network attack A is $A' = \{A'_1, A'_2, \ldots, A'_v\}$; wherein $A'_1, A'_2, \ldots, A'_v$ respectively represent the 1st, 2nd, …, v-th network attacks preliminarily judged to have a vulnerability association relation with network attack A;
step S202: the same association vulnerability set [Figure BDA0003695913690000021] between the q-th associated network attack $A'_q$ and network attack A is:
[Figure BDA0003695913690000031]
wherein $P_A$ represents the associated vulnerability set corresponding to network attack A; [Figure BDA0003695913690000032] denotes the associated vulnerability set corresponding to network attack $A'_q$; the respective differential association vulnerability sets are:
[Figure BDA0003695913690000033]
[Figure BDA0003695913690000034]
wherein $P'_A$ represents the differential association vulnerability set between set $P_A$ and set [Figure BDA0003695913690000035]; [Figure BDA0003695913690000036] represents the differential association vulnerability set between set [Figure BDA0003695913690000037] and set [Figure BDA0003695913690000038];
calculating the vulnerability association value [Figure BDA0003695913690000039] between the q-th network attack $A'_q$ and network attack A:
[Figure BDA00036959136900000310]
wherein $\mathrm{card}(P'_A)$, [Figure BDA00036959136900000311], $\mathrm{card}(P_A)$ respectively represent the number of equipment vulnerabilities in set $P'_A$, set [Figure BDA00036959136900000312], set [Figure BDA00036959136900000313] and set $P_A$;
the above-mentioned procedure of calculating the vulnerability correlation value is equivalent to that in two network attacks presenting correlation, the probability that the selected device vulnerability is not the device vulnerability possessed by both network attacks is calculated first, and the greater the probability is, the greater the possibility that the attack of the other network attack starts to take effect when the vulnerability of one of the network attacks is repaired;
step S203: setting a vulnerability correlation value threshold; respectively calculating the vulnerability correlation value between network attack A and each network attack in the set A′, and removing from the set A′ the network attacks whose vulnerability correlation value is smaller than the vulnerability correlation value threshold, to obtain a new set A′; finally judging that network attack A and the network attacks in the new set A′ are associated network attacks, and establishing association identifications between network attack A and the network attacks in the new set A′;
the purpose of analyzing and identifying associated network attacks is to lay the technical groundwork for the subsequent calculation of the network attack trend value and to analyze network attack trends that can harm the industrial control computer equipment end. Associated network attacks are analyzed and identified because, in practice, when network attacks that have an association relation show a trend, their damage to the computer equipment is effective and precise, and because the defense capability and repair capability of different computer equipment against different network attacks differ owing to their own configuration. The equipment vulnerabilities corresponding to associated network attacks have an overlapping part and a non-overlapping part; when one network attack starts to take effect on the computer equipment and the computer equipment starts to repair the equipment vulnerabilities corresponding to that attack, continuing to suffer a network attack associated with it often brings further secondary damage to the computer equipment, because other network attacks associated with the current network attack are more likely to take effect on the computer equipment while the equipment vulnerabilities brought by the current network attack are not yet completely repaired.
Step S204: and respectively carrying out associated network attack judgment on each network attack to respectively obtain an associated network attack set corresponding to each network attack.
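The set logic of steps S201 to S204, as an added Python example that is not part of the patent text. The association-value formula of step S202 survives on this page only as an image reference, so `standin_score` is a labelled stand-in (share of the union that is not common to both attacks), not the patent's formula; attacks V and Z, the `v1`..`v8` labels and the 0.5 threshold are constructed, while X and Y follow the patent's own worked example.

```python
from typing import Callable, Dict, FrozenSet, Set, Tuple

Vulns = FrozenSet[str]
ScoreFn = Callable[[Vulns, Vulns], float]


def decompose(p_a: Vulns, p_q: Vulns) -> Tuple[Vulns, Vulns, Vulns]:
    """S202 set step: (same association set, differential set of A, differential set of A'_q)."""
    shared = p_a & p_q
    return shared, p_a - shared, p_q - shared


def preliminarily_associated(p_a: Vulns, p_q: Vulns) -> bool:
    """S201: the two sets must contain both a common and a differing vulnerability."""
    shared, only_a, only_q = decompose(p_a, p_q)
    return bool(shared) and bool(only_a or only_q)


def standin_score(p_a: Vulns, p_q: Vulns) -> float:
    """ASSUMPTION: stand-in for the S202 association value, whose formula is
    not recoverable from this page. Returns the fraction of all involved
    vulnerabilities that are NOT shared by both attacks."""
    union = p_a | p_q
    if not union:
        return 0.0
    _, only_a, only_q = decompose(p_a, p_q)
    return (len(only_a) + len(only_q)) / len(union)


def associated_attack_sets(
    vuln_sets: Dict[str, Vulns],
    threshold: float,
    score: ScoreFn = standin_score,
) -> Dict[str, Set[str]]:
    """S201-S204: for every attack, keep the preliminarily associated attacks
    whose association value is not smaller than the threshold (S203)."""
    result: Dict[str, Set[str]] = {}
    for attack, p_a in vuln_sets.items():
        candidates = {
            other
            for other, p_q in vuln_sets.items()
            if other != attack and preliminarily_associated(p_a, p_q)
        }
        result[attack] = {
            q for q in candidates if score(p_a, vuln_sets[q]) >= threshold
        }
    return result


# X and Y are the sets from the patent's worked example; V and Z are constructed.
VULN_SETS: Dict[str, Vulns] = {
    "X": frozenset({"v1", "v2", "v3", "v4"}),
    "Y": frozenset({"v2", "v3", "v5", "v6"}),
    "V": frozenset({"v1", "v2", "v3", "v4", "v8"}),  # almost identical to X
    "Z": frozenset({"v7"}),                          # shares nothing with the others
}

if __name__ == "__main__":
    shared, only_x, only_y = decompose(VULN_SETS["X"], VULN_SETS["Y"])
    print("same set:", sorted(shared))
    print("differential sets:", sorted(only_x), sorted(only_y))
    for attack, linked in associated_attack_sets(VULN_SETS, threshold=0.5).items():
        print(attack, "->", sorted(linked))
```

With the stand-in score, V is dropped from X's associated set because the two differ in only one vulnerability, which is the filtering effect step S203 describes.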
Further, step S300 includes:
step S301: collecting the equipment performance parameters of the current industrial control computer equipment end in real time, and using the network attack early warning model to perform real-time early warning identification and matching of network attacks on the current industrial control computer equipment end, obtaining the early warning network attack set $\{a_1, a_2, \ldots, a_n\}$ of the current industrial control computer equipment end; wherein $a_1, a_2, \ldots, a_n$ respectively represent the 1st, 2nd, …, n-th network attacks whose early warning matching score, obtained based on the equipment performance parameters of the current industrial control computer equipment end, is greater than the early warning matching score threshold;
step S302: performing an associated network attack query for each early warning network attack in the early warning network attack set $\{a_1, a_2, \ldots, a_n\}$; respectively accumulating the associated network attack number [Figure BDA0003695913690000041] of each early warning network attack in the set $\{a_1, a_2, \ldots, a_n\}$; obtaining the first network attack trend value:
[Figure BDA0003695913690000042]
The larger the first network attack trend value obtained through this calculation, the greater the number of other network attacks, able to take effect on the current computer equipment end, that it suffers while vulnerability repair is starting in the current computer equipment, and the greater the network attack hazard the current computer equipment end faces.
Further, step S400 includes:
step S401: respectively obtaining the equipment vulnerability set corresponding to each network attack in the set $\{a_1, a_2, \ldots, a_n\}$; performing vulnerability category integration on all the associated vulnerability sets to obtain all the associated vulnerabilities existing at the current industrial control computer equipment end, namely $\{b_1, b_2, \ldots, b_n\}$; wherein $b_1, b_2, \ldots, b_n$ respectively represent the 1st, 2nd, …, n-th equipment vulnerabilities existing at the current industrial control computer equipment end; extracting the historical operation logs of the industrial control computer equipment end, and respectively capturing the repair time corresponding to each equipment vulnerability in the historical operation logs;
step S402: for each equipment vulnerability, respectively accumulating the number of network attacks in the early warning network attack set $\{a_1, a_2, \ldots, a_n\}$ that have an association relation with it; setting an associated network attack number threshold, and sorting all equipment vulnerabilities whose associated network attack number is larger than the threshold from large to small according to that number, to obtain an equipment vulnerability sequence;
step S403: sequentially setting each equipment vulnerability in the equipment vulnerability sequence as the target equipment vulnerability, following the order of the sequence; sequentially obtaining, from the early warning network attack set $\{a_1, a_2, \ldots, a_n\}$, the early warning network attack subset $\{c_1, c_2, \ldots, c_z\}$ that has no association relation with the target equipment vulnerability; wherein $c_1, c_2, \ldots, c_z$ respectively represent the 1st, 2nd, …, z-th network attacks that have no association relation with the target equipment vulnerability; respectively obtaining the vulnerability repair time $t_g$ corresponding to each target equipment vulnerability in response time of data influence of different network attacks on the industrial control computer equipment end; sequentially and respectively obtaining, from the historical operation logs of the industrial control computer equipment end, the response time [Figure BDA0003695913690000051] with which each network attack in the early warning network attack subset $\{c_1, c_2, \ldots, c_z\}$ causes data influence on the industrial control computer equipment end; comparing the response time [Figure BDA0003695913690000052] of each network attack in each obtained early warning network attack subset $\{c_1, c_2, \ldots, c_z\}$ with the vulnerability repair time $t_g$ corresponding to the current target equipment vulnerability;
step S404: sequentially accumulating, in each early warning network attack subset $\{c_1, c_2, \ldots, c_z\}$, the number of network attacks whose response time for causing data influence on the industrial control computer equipment end is shorter than the vulnerability repair time $t_g$ corresponding to the current target equipment vulnerability; calculating the second network attack trend value:
[Figure BDA0003695913690000053]
wherein $k_f$ denotes, when the f-th target equipment vulnerability is set, the number of network attacks in the correspondingly obtained f-th early warning network attack subset $\{c_1, c_2, \ldots, c_z\}$ whose response time is less than the vulnerability repair time $t_g$ corresponding to the current f-th target equipment vulnerability;
the larger the second network attack trend value obtained by the calculation is, the higher the possibility that the current computer equipment is subjected to other network attacks which can generate attack effect on the current computer equipment side while vulnerability repair is started in the current computer equipment is.
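The counting in steps S402 to S404, as an added Python example that is not part of the patent text. It stops at the per-target counts $k_f$, because the formula that combines them into the second trend value survives on this page only as an image reference; the attack and vulnerability names, the times (taken here to be minutes) and the threshold are all constructed.

```python
from typing import Dict, FrozenSet, List, Tuple


def target_vulnerability_sequence(
    warned: List[str],
    vuln_sets: Dict[str, FrozenSet[str]],
    count_threshold: int,
) -> List[str]:
    """S402: count, per vulnerability, the warned attacks associated with it,
    keep those above the threshold, and sort from large to small."""
    counts: Dict[str, int] = {}
    for attack in warned:
        for vuln in vuln_sets[attack]:
            counts[vuln] = counts.get(vuln, 0) + 1
    kept = [v for v, c in counts.items() if c > count_threshold]
    # Ties are broken by name so that the order is deterministic.
    return sorted(kept, key=lambda v: (-counts[v], v))


def outrun_counts(
    warned: List[str],
    vuln_sets: Dict[str, FrozenSet[str]],
    repair_time: Dict[str, float],
    response_time: Dict[str, float],
    count_threshold: int,
) -> List[Tuple[str, int]]:
    """S403-S404: for each target vulnerability, k_f is the number of warned
    attacks NOT associated with it whose response time is shorter than the
    target's repair time t_g."""
    result: List[Tuple[str, int]] = []
    for vuln in target_vulnerability_sequence(warned, vuln_sets, count_threshold):
        if vuln not in repair_time:
            raise KeyError(f"no repair time logged for {vuln}")
        t_g = repair_time[vuln]
        unrelated = [a for a in warned if vuln not in vuln_sets[a]]  # subset {c_1..c_z}
        k_f = sum(1 for a in unrelated if response_time[a] < t_g)
        result.append((vuln, k_f))
    return result


# Constructed sample data (not from the patent).
WARNED = ["a1", "a2", "a3", "a4"]
VULN_SETS = {
    "a1": frozenset({"b1", "b2"}),
    "a2": frozenset({"b1", "b3"}),
    "a3": frozenset({"b1", "b2", "b4"}),
    "a4": frozenset({"b3"}),
}
REPAIR_TIME = {"b1": 30.0, "b2": 45.0, "b3": 10.0, "b4": 60.0}    # t_g per vulnerability
RESPONSE_TIME = {"a1": 20.0, "a2": 40.0, "a3": 5.0, "a4": 25.0}  # per attack

if __name__ == "__main__":
    for vuln, k_f in outrun_counts(WARNED, VULN_SETS, REPAIR_TIME, RESPONSE_TIME, 1):
        print(f"target {vuln}: k_f = {k_f}")
```

A high $k_f$ for a vulnerability means several unrelated warned attacks can land before that vulnerability's repair completes, which is the exposure window the second trend value is meant to capture.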
In order to better realize the method, a health situation perception system of the equipment base station based on the network attack trend is also provided, and the system comprises a data analysis management module, an associated network attack identification and judgment module, a real-time detection module, a network attack trend calculation module and an early warning prompt module;
the data analysis management module is used for acquiring operation data of various equipment before the equipment end of the industrial control computer is subjected to different network attacks historically and constructing a network attack early warning model; the system is used for acquiring historical running logs of the industrial control computer equipment end and establishing the association relation between different network attacks and different equipment bugs;
the associated network attack identification and judgment module is used for receiving the data repeated by the data analysis and management module and identifying and judging the vulnerability association relationship existing between the network attacks based on the association relationship between the network attacks and the vulnerabilities of different devices; capturing associated network attacks for each network attack based on the identification and judgment result of the vulnerability association relation, and respectively obtaining an associated network attack set corresponding to each network attack;
the real-time detection module is used for carrying out early warning prediction on the network attack on the equipment side of the industrial control computer through a network attack early warning model based on real-time operation data of each piece of equipment;
the network attack trend calculation module is used for receiving the data in the real-time detection module and analyzing and calculating a first network attack trend value and a second network attack trend value for the current industrial control computer equipment end;
and the early warning prompting module is used for receiving the data in the network attack trend calculation module, feeding back early warning information to a base station connected with the industrial control computer equipment end according to the data, stopping sending a control instruction to the industrial control computer equipment, and informing technicians to overhaul and maintain the equipment of the industrial control computer equipment end.
Further, the data analysis management module comprises a network attack early warning model building unit and a correlation vulnerability analysis unit;
the network attack early warning model establishing unit is used for establishing a network attack early warning model based on various equipment operation data of the industrial control computer equipment terminal before the industrial control computer equipment terminal is subjected to different network attacks historically;
the correlation vulnerability analysis unit is used for acquiring a historical running log of the industrial computer equipment end and extracting a vulnerability repairing instruction executed when the industrial computer equipment end appears on the basis of different types of network attacks from the historical running log; acquiring equipment bugs existing at equipment ends of the industrial control computer when different kinds of network attacks appear on the basis of the bug fixing instructions; and completing the establishment of the association relation between the acquired equipment vulnerability and the corresponding network attack.
Further, the associated network attack identification and judgment module comprises a vulnerability association relationship preliminary judgment unit and a vulnerability association value calculation unit;
the vulnerability association relation primary judgment unit is used for searching other different kinds of network attacks which have the same equipment vulnerability and are different from the equipment vulnerability between the corresponding association vulnerability sets for each kind of network attack, and primarily judging that vulnerability association relation exists between the current kind of network attack and the corresponding other kinds of network attacks;
and the vulnerability correlation value calculating unit is used for receiving the data in the vulnerability correlation preliminary judgment unit, calculating vulnerability correlation values between the network attacks which preliminarily judge that the vulnerability correlation exists between the vulnerability correlation values, and establishing corresponding correlation identifications between the network attacks of which the vulnerability correlation values are greater than or equal to the vulnerability correlation value threshold value.
Furthermore, the network attack trend calculation module comprises a first network attack trend value calculation unit and a second network attack trend value calculation unit;
the first network attack trend value calculation unit is used for receiving the data in the real-time detection module and calculating a first network attack trend value for the current industrial control computer equipment terminal based on the incidence relation distribution condition among a plurality of early warning network attacks;
and the second network attack trend value calculation unit is used for receiving the data in the real-time detection module, analyzing the repair time of all the associated vulnerabilities corresponding to the early warning network attacks, and calculating a second network attack trend value for the current industrial control computer equipment terminal.
Compared with the prior art, the invention has the following beneficial effects: the invention can realize the prediction calculation of the network attack trend of the current computer equipment end, and indirectly judge the accuracy of the control instruction sent to the industrial control equipment by the current industrial control computer equipment end according to the calculated network attack trend value; because the network attack is usually stronger in purpose and pertinence, the method can avoid real-time judgment and prediction of the network attack, and the equipment information safety of the network attack can be predicted by considering the current network attack situation and the self-repairing capability from the viewpoint of a computing equipment end, and the process is reflected by a network attack trend value, wherein the larger the network attack trend value is, the lower the safety performance of the current computer equipment is, the higher the possibility that the information is stolen and tampered is; the method and the device can improve the detection efficiency of the safety performance of the computer equipment, and reduce the situation of control deviation or control error when the safety performance of the computer equipment is reduced and brought to control the industrial control equipment.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic structural diagram of a health situation awareness system of a base station of a device based on network attack trend according to the present invention;
fig. 2 is a flow diagram of the method for sensing health situation of the device base station based on network attack tendency according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1-2, the present invention provides a technical solution: a health situation perception method of a device base station based on a network attack trend comprises the following steps:
step S100: constructing a network attack early warning model based on various equipment operation data of an industrial control computer equipment terminal before suffering different network attacks historically; based on a historical log running rule, establishing an association relation between different network attacks and different equipment vulnerabilities;
wherein, step S100 includes:
step S101: respectively extracting various equipment performance parameters of the industrial control computer equipment end before the industrial control computer equipment end is historically subjected to different network attacks; respectively converting each equipment performance parameter into a plurality of structured data units, correspondingly converting the plurality of structured data units into a plurality of matrix data, and setting the plurality of matrix data as a plurality of characteristic vectors of each equipment operation data of the industrial control computer equipment end before suffering different network attacks; respectively carrying out data training on a plurality of characteristic vectors through a deep neural network, and correspondingly establishing a network attack early warning model;
step S102: extracting historical operation logs of the industrial control computer equipment end, and extracting vulnerability repair instructions executed when the industrial control computer equipment end is attacked based on different types of networks from the historical operation logs; acquiring equipment bugs existing at equipment ends of the industrial control computer when different types of network attacks appear on the basis of the bug fixing instruction, and respectively establishing association relations between the acquired equipment bugs and the corresponding network attacks;
step S103: respectively searching all equipment vulnerabilities with incidence relation to each network attack to respectively obtain incidence vulnerability sets corresponding to different network attacks;
step S200: based on the incidence relation between each network attack and different equipment vulnerabilities, identifying and judging the vulnerability incidence relation existing between the network attacks; capturing associated network attacks for each network attack based on the identification and judgment result of the vulnerability association relation, and respectively obtaining an associated network attack set corresponding to each network attack;
wherein, step S200 includes:
step S201: respectively searching other different kinds of network attacks which have the same equipment vulnerability and differ equipment vulnerability between the relevant vulnerability sets corresponding to each kind of network attack, and preliminarily judging that vulnerability association relation exists between the current kind of network attack and the corresponding other kinds of network attacks;
for example, the associated vulnerability set corresponding to one network attack X is { vulnerability 1, vulnerability 2, vulnerability 3, vulnerability 4 }; an associated vulnerability set corresponding to the network attack Y is { vulnerability 2, vulnerability 3, vulnerability 5 and vulnerability 6 }; the same equipment vulnerability { vulnerability 2, vulnerability 3} and the different equipment vulnerability { vulnerability 1, vulnerability 5, vulnerability 6} exist between the network attack X and the network attack Y, so that the vulnerability incidence relation exists between the network attack X and the network attack Y is preliminarily judged;
for a network attack A, the set of network attacks preliminarily judged to have a vulnerability association relation with network attack A is $A' = \{A'_1, A'_2, \ldots, A'_v\}$; wherein $A'_1, A'_2, \ldots, A'_v$ respectively represent the 1st, 2nd, …, v-th network attacks preliminarily judged to have a vulnerability association relation with network attack A;
step S202: the same association vulnerability set [Figure BDA0003695913690000081] between the q-th associated network attack $A'_q$ and network attack A is:
[Figure BDA0003695913690000082]
wherein $P_A$ represents the associated vulnerability set corresponding to network attack A; [Figure BDA0003695913690000083] denotes the associated vulnerability set corresponding to network attack $A'_q$; the respective differential association vulnerability sets are:
[Figure BDA0003695913690000084]
[Figure BDA0003695913690000091]
wherein $P'_A$ represents the differential association vulnerability set between set $P_A$ and set [Figure BDA0003695913690000092]; [Figure BDA0003695913690000093] represents the differential association vulnerability set between set [Figure BDA0003695913690000094] and set [Figure BDA0003695913690000095]; calculating the vulnerability association value [Figure BDA0003695913690000096] between the q-th network attack $A'_q$ and network attack A:
[Figure BDA0003695913690000097]
wherein $\mathrm{card}(P'_A)$, [Figure BDA0003695913690000098], $\mathrm{card}(P_A)$ respectively represent the number of equipment vulnerabilities in set $P'_A$, set [Figure BDA0003695913690000099], set [Figure BDA00036959136900000910] and set $P_A$;
for example, the associated vulnerability set $P_A$ corresponding to a network attack X is {vulnerability 1, vulnerability 2, vulnerability 3, vulnerability 4}; the associated vulnerability set corresponding to a network attack Y,
Figure BDA00036959136900000915
is {vulnerability 2, vulnerability 3, vulnerability 5, vulnerability 6};
it is preliminarily judged that a vulnerability association relationship exists between network attack X and network attack Y;
the same association vulnerability set between network attack X and network attack Y,
Figure BDA00036959136900000911
is {vulnerability 2, vulnerability 3}; the difference association vulnerability set $P'_A$ of network attack X is {vulnerability 1, vulnerability 4}; the difference association vulnerability set of network attack Y,
Figure BDA00036959136900000912
is {vulnerability 5, vulnerability 6};
the vulnerability correlation value between network attack X and network attack Y is
Figure BDA00036959136900000913
Figure BDA00036959136900000914
Step S203: setting a vulnerability association value threshold; respectively calculating the vulnerability association value between network attack A and each network attack in set A', and removing from set A' the network attacks whose vulnerability association value is smaller than the vulnerability association value threshold, to obtain a new set A''; finally, judging that network attack A and each network attack in the new set A'' are mutually associated network attacks, and establishing an association identifier between network attack A and each network attack in the new set A''.
Step S204: respectively carrying out associated network attack judgment on each network attack to respectively obtain an associated network attack set corresponding to each network attack;
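The set operations of steps S201 to S204, as an added Python example that is not part of the patent text. The patent's own association value formula survives on this page only as an image reference, so the `jaccard` function below is a stand-in assumption passed in as a parameter; the attack names, vulnerability ids and the 0.3 threshold are constructed sample data.

```python
from typing import Callable, Dict, FrozenSet, List, Tuple

VulnSet = FrozenSet[str]


def split_sets(p_a: VulnSet, p_q: VulnSet) -> Tuple[VulnSet, VulnSet, VulnSet]:
    """Step S202: same association set and the two difference association sets."""
    same = p_a & p_q
    return same, p_a - same, p_q - same


def preliminary_related(p_a: VulnSet, p_q: VulnSet) -> bool:
    """Step S201: the two sets share vulnerabilities AND differ somewhere.

    Identical sets are therefore not counted here; that reading of the
    step's wording is an interpretation made for this example.
    """
    same, diff_a, diff_q = split_sets(p_a, p_q)
    return bool(same) and bool(diff_a or diff_q)


def jaccard(p_a: VulnSet, p_q: VulnSet) -> float:
    """Stand-in score (assumption), NOT the patent's formula: |same| / |union|."""
    same, diff_a, diff_q = split_sets(p_a, p_q)
    return len(same) / (len(same) + len(diff_a) + len(diff_q))


def associated_attack_sets(
    assoc: Dict[str, VulnSet],
    score: Callable[[VulnSet, VulnSet], float],
    threshold: float,
) -> Dict[str, List[str]]:
    """Steps S203/S204: for every attack A, build A' and filter it to A''."""
    result: Dict[str, List[str]] = {}
    for a, p_a in assoc.items():
        # Set A': attacks preliminarily judged to be related to A (S201).
        candidates = [q for q, p_q in assoc.items()
                      if q != a and preliminary_related(p_a, p_q)]
        # Set A'': drop candidates whose value is smaller than the threshold.
        result[a] = sorted(q for q in candidates
                           if score(p_a, assoc[q]) >= threshold)
    return result


# Constructed sample data. X and Y mirror the worked example in the text.
ASSOC: Dict[str, VulnSet] = {
    "X": frozenset({"v1", "v2", "v3", "v4"}),
    "Y": frozenset({"v2", "v3", "v5", "v6"}),
    "Z": frozenset({"v6", "v7", "v8", "v9"}),   # overlaps Y only weakly
    "W": frozenset({"v10"}),                    # shares nothing
}

if __name__ == "__main__":
    for attack, related in associated_attack_sets(ASSOC, jaccard, 0.3).items():
        print(attack, "->", related)
```

Swapping in the real association value only requires replacing the `score` argument; the set construction and the threshold filter stay the same.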
step S300: obtaining, in real time, the early warning network attacks that the network attack early warning model predicts from the current equipment operation data of the industrial control computer equipment end; calculating a first network attack trend value $\phi_1$ for the current industrial control computer equipment end based on the distribution of the association relationships among these early warning network attacks;
Wherein, step S300 includes:
step S301: collecting the equipment performance parameters of the current industrial control computer equipment end in real time, and using the network attack early warning model to identify and match early warning network attacks on the current industrial control computer equipment end in real time, to obtain the early warning network attack set $\{a_1, a_2, \dots, a_n\}$ of the current industrial control computer equipment end; where $a_1, a_2, \dots, a_n$ respectively represent the 1st, 2nd, …, n-th kinds of network attacks whose early warning matching score, obtained from the equipment performance parameters of the current industrial control computer equipment end, is greater than the early warning matching score threshold;
step S302: carrying out an associated network attack query for each early warning network attack in the early warning network attack set $\{a_1, a_2, \dots, a_n\}$; respectively accumulating the number of associated network attacks of each early warning network attack in the set $\{a_1, a_2, \dots, a_n\}$,
Figure BDA0003695913690000101
and obtaining the first network attack trend value:
Figure BDA0003695913690000102
Step S400: calculating a second network attack trend value $\phi_2$ for the current industrial control computer equipment end based on an analysis of the repair time of all the associated vulnerabilities corresponding to the early warning network attacks;
Wherein, step S400 includes:
step S401: respectively obtaining the associated equipment vulnerability set corresponding to each network attack in the set $\{a_1, a_2, \dots, a_n\}$; merging all the associated vulnerability sets by vulnerability category to obtain all the associated vulnerabilities existing at the current industrial control computer equipment end, $\{b_1, b_2, \dots, b_n\}$; where $b_1, b_2, \dots, b_n$ respectively represent the 1st, 2nd, …, n-th equipment vulnerabilities existing at the current industrial control computer equipment end; extracting the historical operation logs of the industrial control computer equipment end, and respectively capturing from them the repair time corresponding to each equipment vulnerability;
step S402: for each equipment vulnerability, accumulating the number of network attacks in the early warning network attack set $\{a_1, a_2, \dots, a_n\}$ that are associated with it; setting an associated network attack number threshold, and sorting all equipment vulnerabilities whose associated network attack number is greater than the threshold in descending order of that number to obtain an equipment vulnerability sequence;
step S403: sequentially setting each equipment vulnerability in the equipment vulnerability sequence as the target equipment vulnerability, in the order in which it appears in the sequence; for each target, obtaining from the early warning network attack set $\{a_1, a_2, \dots, a_n\}$ the early warning network attack subset $\{c_1, c_2, \dots, c_z\}$ that has no association relationship with the target equipment vulnerability; where $c_1, c_2, \dots, c_z$ respectively represent the 1st, 2nd, …, z-th network attacks that have no association relationship with the target equipment vulnerability; with respect to the response time with which different kinds of network attacks cause a data impact on the industrial control computer equipment end, respectively obtaining the vulnerability repair time $t_g$ corresponding to each target equipment vulnerability; sequentially obtaining, from the historical operation logs of the industrial control computer equipment end, the response time with which each network attack in each early warning network attack subset $\{c_1, c_2, \dots, c_z\}$ causes a data impact on the industrial control computer equipment end,
Figure BDA0003695913690000111
and comparing the response time of each network attack in each obtained early warning network attack subset $\{c_1, c_2, \dots, c_z\}$,
Figure BDA0003695913690000112
with the vulnerability repair time $t_g$ corresponding to the current target equipment vulnerability;
step S404: for each early warning network attack subset $\{c_1, c_2, \dots, c_z\}$ in turn, accumulating the number of network attacks whose response time for causing a data impact on the industrial control computer equipment end is less than the vulnerability repair time $t_g$ corresponding to the current target equipment vulnerability; calculating the second network attack trend value:
Figure BDA0003695913690000113
where $k_f$ denotes, when the f-th target equipment vulnerability is set, the number of network attacks in the correspondingly obtained f-th early warning network attack subset $\{c_1, c_2, \dots, c_z\}$ whose response time is less than the vulnerability repair time $t_g$ corresponding to the current f-th target equipment vulnerability;
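The bookkeeping of steps S401 to S404, as an added Python example that is not part of the patent text. It stops at the per-target counts $k_f$, because the formula that turns them into $\phi_2$ survives on this page only as an image reference. The attack names, vulnerability ids, times (in hours) and the alphabetical tie-break in the sort are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class TargetRow:
    vulnerability: str    # target equipment vulnerability (step S403)
    attack_count: int     # alerted attacks associated with it (step S402)
    repair_time: float    # t_g taken from the historical operation logs
    unrelated: List[str]  # subset {c_1..c_z}: alerted attacks not tied to it
    k: int                # k_f: unrelated attacks that act faster than t_g


def faster_than_repair_counts(
    alerted: List[str],
    assoc: Dict[str, Set[str]],
    repair_time: Dict[str, float],
    response_time: Dict[str, float],
    count_threshold: int,
) -> List[TargetRow]:
    # S401: merge the associated vulnerability sets of all alerted attacks.
    all_vulns: Set[str] = set().union(*(assoc[a] for a in alerted))

    # S402: per vulnerability, count the alerted attacks associated with it,
    # keep those above the threshold, sort by count in descending order.
    counts = {v: sum(1 for a in alerted if v in assoc[a]) for v in all_vulns}
    sequence = sorted((v for v, c in counts.items() if c > count_threshold),
                      key=lambda v: (-counts[v], v))

    rows: List[TargetRow] = []
    for target in sequence:
        if target not in repair_time:
            # No repair record in the logs: fail loudly instead of guessing.
            raise ValueError(f"no repair time logged for {target}")
        t_g = repair_time[target]

        # S403: alerted attacks with no association to the target vulnerability.
        unrelated = [a for a in alerted if target not in assoc[a]]

        # S404: how many of them cause a data impact before the repair finishes.
        k = sum(1 for a in unrelated if response_time[a] < t_g)
        rows.append(TargetRow(target, counts[target], t_g, unrelated, k))
    return rows


# Constructed sample data (not from the patent).
ALERTED = ["scan", "bruteforce", "dos", "injection"]
ASSOC = {
    "scan": {"V1", "V2"},
    "bruteforce": {"V2", "V3"},
    "dos": {"V2", "V4"},
    "injection": {"V3", "V5"},
}
REPAIR_TIME = {"V1": 1.0, "V2": 6.0, "V3": 5.0, "V4": 2.0, "V5": 3.0}
RESPONSE_TIME = {"scan": 4.0, "bruteforce": 1.0, "dos": 0.5, "injection": 3.0}

if __name__ == "__main__":
    for row in faster_than_repair_counts(ALERTED, ASSOC, REPAIR_TIME,
                                         RESPONSE_TIME, count_threshold=1):
        print(row)
```

Each row answers the operational question behind this step: while one widely shared vulnerability is being repaired, how many of the other predicted attacks can take effect before the repair completes.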
step S500: integrating the first network attack trend value and the second network attack trend value to obtain the comprehensive network attack trend value of the current industrial control computer equipment end, $\phi_{\text{comprehensive}} = \phi_1 \times \phi_2$; when the comprehensive network attack trend value $\phi_{\text{comprehensive}}$ is greater than the comprehensive network attack trend value threshold, feeding back early warning information to the base station connected to the industrial control computer equipment end, stopping the sending of control instructions to the industrial control equipment, and informing technicians to overhaul and maintain the equipment of the industrial control computer equipment end.
In order to better realize the method, a health situation perception system of the equipment base station based on the network attack trend is also provided, and the system comprises a data analysis management module, an associated network attack identification and judgment module, a real-time detection module, a network attack trend calculation module and an early warning prompt module;
the data analysis management module is used for acquiring the equipment operation data of the industrial control computer equipment end from before it historically suffered different network attacks, and constructing a network attack early warning model; and for acquiring the historical operation logs of the industrial control computer equipment end and establishing the association relationships between different network attacks and different equipment vulnerabilities;
the data analysis management module comprises a network attack early warning model establishing unit and a correlation vulnerability analysis unit;
the network attack early warning model establishing unit is used for establishing a network attack early warning model based on operation data of various equipment before the equipment end of the industrial control computer is subjected to different network attacks historically;
the correlated vulnerability analyzing unit is used for acquiring a historical running log of the industrial personal computer equipment end and extracting vulnerability repairing instructions executed when the industrial personal computer equipment end is attacked based on different types of networks from the historical running log; acquiring equipment bugs existing at equipment ends of the industrial control computer when different kinds of network attacks appear on the basis of the bug fixing instructions; completing the establishment of an incidence relation between the acquired equipment vulnerability and the corresponding network attack;
the associated network attack identification and judgment module is used for receiving the data from the data analysis management module, and identifying and judging the vulnerability association relationships existing between the network attacks based on the association relationships between the network attacks and the different equipment vulnerabilities; capturing the associated network attacks of each network attack based on the result of that identification and judgment, and respectively obtaining the associated network attack set corresponding to each network attack;
the related network attack identification and judgment module comprises a vulnerability correlation preliminary judgment unit and a vulnerability correlation value calculation unit;
the vulnerability association relationship preliminary judgment unit is used for searching, for each kind of network attack, for the other kinds of network attacks whose associated vulnerability sets contain both equipment vulnerabilities in common with, and equipment vulnerabilities different from, its own associated vulnerability set, and preliminarily judging that a vulnerability association relationship exists between the current kind of network attack and each such other kind of network attack;
the vulnerability association value calculation unit is used for receiving the data from the vulnerability association relationship preliminary judgment unit, calculating the vulnerability association values between the network attacks preliminarily judged to have a vulnerability association relationship, and establishing corresponding association identifiers between the network attacks whose vulnerability association value is greater than or equal to the vulnerability association value threshold;
The real-time detection module is used for carrying out early warning prediction on the network attack on the equipment side of the industrial control computer through a network attack early warning model based on real-time operation data of each piece of equipment;
the network attack trend calculation module is used for receiving the data from the real-time detection module, and analyzing and calculating a first network attack trend value and a second network attack trend value for the current industrial control computer equipment end;
the network attack trend calculation module comprises a first network attack trend value calculation unit and a second network attack trend value calculation unit;
the first network attack trend value calculation unit is used for receiving the data in the real-time detection module and calculating a first network attack trend value for the current industrial control computer equipment terminal based on the incidence relation distribution condition among a plurality of early warning network attacks;
the second network attack trend value calculation unit is used for receiving the data in the real-time detection module, analyzing the repair time of all the associated vulnerabilities corresponding to the early warning network attacks, and calculating a second network attack trend value for the current industrial control computer equipment side;
and the early warning prompting module is used for receiving the data in the network attack trend calculation module, feeding back early warning information to a base station connected with the industrial control computer equipment end according to the data, stopping sending a control instruction to the industrial control computer equipment, and informing technicians to overhaul and maintain the equipment of the industrial control computer equipment end.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention as defined in the following claims. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (9)

1. A health situation perception method of a device base station based on a network attack trend is characterized by comprising the following steps:
step S100: constructing a network attack early warning model based on various equipment operation data of an industrial control computer equipment terminal before suffering different network attacks historically; based on a historical log running rule, establishing an association relation between different network attacks and different equipment vulnerabilities;
step S200: based on the incidence relation between each network attack and different equipment vulnerabilities, identifying and judging the vulnerability incidence relation existing between the network attacks; capturing the associated network attacks for each network attack based on the identification and judgment result of the vulnerability association relation, and respectively obtaining an associated network attack set corresponding to each network attack;
step S300: obtaining, in real time, the early warning network attacks that the network attack early warning model predicts from the current equipment operation data of the industrial control computer equipment end; calculating a first network attack trend value $\phi_1$ for the current industrial control computer equipment end based on the distribution of the association relationships among these early warning network attacks;
Step S400: calculating a second network attack trend value $\phi_2$ for the current industrial control computer equipment end based on an analysis of the repair time of all the associated vulnerabilities corresponding to the early warning network attacks;
Step S500: integrating the first network attack trend value and the second network attack trend value to obtain the comprehensive network attack trend value of the current industrial control computer equipment end, $\phi_{\text{comprehensive}} = \phi_1 \times \phi_2$; when the comprehensive network attack trend value $\phi_{\text{comprehensive}}$ is greater than the comprehensive network attack trend value threshold, feeding back early warning information to the base station connected to the industrial control computer equipment end, stopping the sending of control instructions to the industrial control computer equipment, and informing technicians to overhaul and maintain the equipment of the industrial control computer equipment end.
2. The method for sensing health status of base station of device based on network attack tendency as claimed in claim 1, wherein the step S100 comprises:
step S101: respectively extracting various equipment performance parameters of the industrial control computer equipment end before the industrial control computer equipment end is historically subjected to different network attacks; respectively converting each equipment performance parameter into a plurality of structured data units, correspondingly converting the plurality of structured data units into a plurality of matrix data, and setting the plurality of matrix data as a plurality of characteristic vectors of each equipment operation data of an industrial control computer equipment end before suffering different network attacks; respectively carrying out data training on a plurality of characteristic vectors through a deep neural network, and correspondingly establishing a network attack early warning model;
step S102: extracting historical operation logs of the industrial control computer equipment end, and extracting vulnerability repair instructions executed when the industrial control computer equipment end is attacked based on different types of networks from the historical operation logs; acquiring equipment bugs existing at the equipment end of the industrial control computer when different types of network attacks appear on the basis of the bug fixing instruction, and respectively establishing association relations between the acquired equipment bugs and the corresponding network attacks;
step S103: and respectively searching all equipment vulnerabilities with incidence relation to each network attack to respectively obtain incidence vulnerability sets corresponding to different network attacks.
3. The network attack trend based equipment base station health situation awareness method according to claim 2, wherein the step S200 comprises:
step S201: for each kind of network attack, searching for the other kinds of network attacks whose associated vulnerability sets contain both equipment vulnerabilities in common with, and equipment vulnerabilities different from, its own associated vulnerability set, and preliminarily judging that a vulnerability association relationship exists between the current kind of network attack and each such other kind of network attack; for a network attack A, the set of network attacks preliminarily judged to have a vulnerability association relationship with network attack A is $A' = \{A'_1, A'_2, \dots, A'_v\}$, where $A'_1, A'_2, \dots, A'_v$ respectively represent the 1st, 2nd, …, v-th kinds of network attacks preliminarily judged to have a vulnerability association relationship with network attack A;
step S202: the same association vulnerability set of the q-th associated network attack $A'_q$ and network attack A,
Figure RE-FDA0003797085360000021
is:
Figure RE-FDA0003797085360000022
where $P_A$ denotes the associated vulnerability set corresponding to network attack A, and
Figure RE-FDA0003797085360000023
denotes the associated vulnerability set corresponding to network attack $A'_q$; the respective difference association vulnerability sets are:
Figure RE-FDA0003797085360000024
Figure RE-FDA0003797085360000025
where $P'_A$ denotes the difference association vulnerability set between set $P_A$ and set
Figure RE-FDA0003797085360000026
and
Figure RE-FDA0003797085360000027
denotes the difference association vulnerability set between set
Figure RE-FDA0003797085360000028
and set
Figure RE-FDA0003797085360000029
calculating the vulnerability association value of the q-th network attack $A'_q$ with network attack A,
Figure RE-FDA00037970853600000210
Figure RE-FDA00037970853600000211
where $\operatorname{card}(P'_A)$,
Figure RE-FDA00037970853600000212
$\operatorname{card}(P_A)$ respectively denote the number of equipment vulnerabilities in set $P'_A$, set
Figure RE-FDA00037970853600000213
set
Figure RE-FDA00037970853600000214
and set $P_A$;
step S203: setting a vulnerability association value threshold; respectively calculating the vulnerability association value between network attack A and each network attack in set A', and removing from set A' the network attacks whose vulnerability association value is smaller than the vulnerability association value threshold, to obtain a new set A''; finally, judging that network attack A and each network attack in the new set A'' are mutually associated network attacks, and establishing an association identifier between network attack A and each network attack in the new set A''.
Step S204: and respectively carrying out associated network attack judgment on each network attack to respectively obtain an associated network attack set corresponding to each network attack.
4. The network attack trend based equipment base station health situation awareness method according to claim 2, wherein the step S300 comprises:
step S301: collecting the equipment performance parameters of the current industrial control computer equipment end in real time, and using the network attack early warning model to identify and match early warning network attacks on the current industrial control computer equipment end in real time, to obtain the early warning network attack set $\{a_1, a_2, \dots, a_n\}$ of the current industrial control computer equipment end; where $a_1, a_2, \dots, a_n$ respectively represent the 1st, 2nd, …, n-th kinds of network attacks whose early warning matching score, obtained from the equipment performance parameters of the current industrial control computer equipment end, is greater than the early warning matching score threshold;
step S302: carrying out an associated network attack query for each early warning network attack in the early warning network attack set $\{a_1, a_2, \dots, a_n\}$; respectively accumulating the number of associated network attacks of each early warning network attack in the set $\{a_1, a_2, \dots, a_n\}$,
Figure RE-FDA0003797085360000031
and obtaining the first network attack trend value:
Figure RE-FDA0003797085360000032
5. The method for sensing health status of base station of equipment based on network attack tendency as claimed in claim 4, wherein the step S400 comprises:
step S401: respectively obtaining the associated equipment vulnerability set corresponding to each network attack in the set $\{a_1, a_2, \dots, a_n\}$; merging all the associated vulnerability sets by vulnerability category to obtain all the associated vulnerabilities existing at the current industrial control computer equipment end, $\{b_1, b_2, \dots, b_n\}$; where $b_1, b_2, \dots, b_n$ respectively represent the 1st, 2nd, …, n-th equipment vulnerabilities existing at the current industrial control computer equipment end; extracting the historical operation logs of the industrial control computer equipment end, and respectively capturing from them the repair time corresponding to each equipment vulnerability;
step S402: for each equipment vulnerability, accumulating the number of network attacks in the early warning network attack set $\{a_1, a_2, \dots, a_n\}$ that are associated with it; setting an associated network attack number threshold, and sorting all equipment vulnerabilities whose associated network attack number is greater than the threshold in descending order of that number to obtain an equipment vulnerability sequence;
step S403: sequentially setting each equipment vulnerability in the equipment vulnerability sequence as the target equipment vulnerability, in the order in which it appears in the sequence; for each target, obtaining from the early warning network attack set $\{a_1, a_2, \dots, a_n\}$ the early warning network attack subset $\{c_1, c_2, \dots, c_z\}$ that has no association relationship with the target equipment vulnerability; where $c_1, c_2, \dots, c_z$ respectively represent the 1st, 2nd, …, z-th network attacks that have no association relationship with the target equipment vulnerability; with respect to the response time with which different network attacks cause a data impact on the industrial control computer equipment end, respectively obtaining the vulnerability repair time $t_g$ corresponding to each target equipment vulnerability; sequentially obtaining, from the historical operation logs of the industrial control computer equipment end, the response time with which each network attack in the early warning network attack subset $\{c_1, c_2, \dots, c_z\}$ causes a data impact on the industrial control computer equipment end,
Figure RE-FDA0003797085360000041
and comparing the response time of each network attack in each obtained early warning network attack subset $\{c_1, c_2, \dots, c_z\}$,
Figure RE-FDA0003797085360000042
with the vulnerability repair time $t_g$ corresponding to the current target equipment vulnerability;
step S404: for each early warning network attack subset $\{c_1, c_2, \dots, c_z\}$ in turn, accumulating the number of network attacks whose response time for causing a data impact on the industrial control computer equipment end is less than the vulnerability repair time $t_g$ corresponding to the current target equipment vulnerability; calculating the second network attack trend value:
Figure RE-FDA0003797085360000043
where $k_f$ denotes, when the f-th target equipment vulnerability is set, the number of network attacks in the correspondingly obtained f-th early warning network attack subset $\{c_1, c_2, \dots, c_z\}$ whose response time is less than the vulnerability repair time $t_g$ corresponding to the current f-th target equipment vulnerability.
6. The health situation awareness system for the network attack trend-based equipment base station, which is applied to the health situation awareness method for the network attack trend-based equipment base station according to any one of claims 1 to 5, is characterized by comprising a data analysis management module, an associated network attack recognition and judgment module, a real-time detection module, a network attack trend calculation module and an early warning prompt module;
the data analysis management module is used for acquiring operation data of each piece of equipment before the equipment end of the industrial control computer is subjected to different network attacks historically, and constructing a network attack early warning model; the system is used for acquiring historical running logs of the industrial control computer equipment end and establishing the association relation between different network attacks and different equipment bugs;
the associated network attack identification and judgment module is used for receiving the data from the data analysis management module, and identifying and judging the vulnerability association relationships existing between the network attacks based on the association relationships between the network attacks and the different equipment vulnerabilities; capturing the associated network attacks of each network attack based on the result of that identification and judgment, and respectively obtaining the associated network attack set corresponding to each network attack;
the real-time detection module is used for carrying out early warning prediction on the network attack on the basis of real-time operation data of each piece of equipment at the equipment end of the industrial control computer through a network attack early warning model;
the network attack trend calculation module is used for receiving the data from the real-time detection module, and analyzing and calculating a first network attack trend value and a second network attack trend value for the current industrial control computer equipment end;
and the early warning prompting module is used for receiving the data in the network attack trend calculation module, feeding back early warning information to a base station connected with the industrial control computer equipment end according to the data, stopping sending a control instruction to the industrial control computer equipment, and informing a technician to overhaul and maintain the equipment of the industrial control computer equipment end.
7. The system for sensing health status of equipment base stations based on network attack tendency as claimed in claim 6, wherein the data analysis management module comprises a network attack early warning model establishing unit and an associated vulnerability analyzing unit;
the network attack early warning model establishing unit is used for establishing a network attack early warning model based on the operation data of each piece of equipment before the equipment end of the industrial control computer is subjected to different network attacks historically;
the correlated vulnerability analyzing unit is used for acquiring a historical running log of the industrial personal computer equipment end and extracting vulnerability repairing instructions executed when the industrial personal computer equipment end is attacked based on different networks from the historical running log; acquiring equipment bugs existing at equipment ends of the industrial control computer when different kinds of network attacks appear on the basis of the bug fixing instructions; and completing the establishment of the association relation between the acquired equipment vulnerability and the corresponding network attack.
8. The system as claimed in claim 6, wherein the correlation network attack recognition and determination module comprises a vulnerability correlation preliminary determination unit and a vulnerability correlation value calculation unit;
the vulnerability association relation preliminary judgment unit is used for searching, for each type of network attack, for other types of network attacks whose corresponding associated vulnerability sets contain both identical and differing equipment vulnerabilities, and preliminarily judging that vulnerability association relations exist between the current type of network attack and those other types of network attacks;
the vulnerability correlation value calculating unit is used for receiving the data from the vulnerability association relation preliminary judgment unit, calculating vulnerability correlation values between the network attacks preliminarily judged to have vulnerability association relations, and establishing corresponding association identifications between the network attacks whose vulnerability correlation values are greater than or equal to the vulnerability correlation value threshold.
9. The network attack trend based equipment base station health situation awareness method according to claim 6, wherein the network attack trend calculation module comprises a first network attack trend value calculation unit and a second network attack trend value calculation unit;
the first network attack trend value calculation unit is used for receiving the data from the real-time detection module and calculating a first network attack trend value for the current industrial control computer equipment terminal based on the distribution of association relations among the plurality of early warning network attacks;
and the second network attack trend value calculation unit is used for receiving the data from the real-time detection module, analyzing the repair time of all the associated vulnerabilities corresponding to the early warning network attacks, and calculating a second network attack trend value for the current industrial control computer equipment terminal.
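The two units of claim 8 can be sketched as follows. This is an added example, not code from the patent: the attack names, vulnerability IDs and threshold are constructed, and Jaccard similarity stands in as an assumed correlation metric because the patent's own formula is not reproduced in this section.

```python
from itertools import combinations

# Constructed sample: attack type -> associated device-vulnerability set.
# In the claimed system these sets are derived from the vulnerability
# repair instructions found in the historical running log (claim 7).
ASSOCIATED_VULNS = {
    "attack_A": {"V1", "V2", "V3"},
    "attack_B": {"V2", "V3", "V4"},
    "attack_C": {"V3", "V5", "V6", "V7"},
    "attack_D": {"V8"},
    "attack_E": {"V1", "V2", "V3"},
}


def preliminary_pairs(vuln_sets):
    """Preliminary judgment: keep pairs of attack types whose sets share
    at least one vulnerability and also differ in at least one (this
    section's reading of claim 8; identical sets are not paired)."""
    pairs = []
    for a, b in combinations(sorted(vuln_sets), 2):
        shared = vuln_sets[a] & vuln_sets[b]
        differing = vuln_sets[a] ^ vuln_sets[b]
        if shared and differing:
            pairs.append((a, b))
    return pairs


def correlation_value(set_a, set_b):
    """Assumed metric (not the patent's formula): Jaccard similarity."""
    union = set_a | set_b
    return len(set_a & set_b) / len(union) if union else 0.0


def association_marks(vuln_sets, threshold):
    """Mark only the preliminary pairs whose value reaches the threshold."""
    marks = {}
    for a, b in preliminary_pairs(vuln_sets):
        value = correlation_value(vuln_sets[a], vuln_sets[b])
        if value >= threshold:
            marks[(a, b)] = round(value, 3)
    return marks


if __name__ == "__main__":
    print(preliminary_pairs(ASSOCIATED_VULNS))
    print(association_marks(ASSOCIATED_VULNS, threshold=0.4))
```

With the constructed data, attack_C passes the preliminary judgment against three other attack types but shares only one vulnerability with each, so the threshold step leaves it unmarked.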
Application number: CN202210679718.2A; priority date: 2022-06-15; filing date: 2022-06-15; title: Equipment base station health situation perception system and method based on network attack trend; status: Active; publication: CN115102738B (en)

Publications (2)

Publication Number | Publication Date
CN115102738A (en) | 2022-09-23
CN115102738B (en) | 2023-02-10

Family ID: 83290061


Legal Events

Code | Title | Description
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
CB03 | Change of inventor or designer information | Inventor after: Liu Zhiyong, Chen Lianghan, Hong Chao, Zhong Haiwei; Inventor before: Chen Lianghan, Hong Chao, Zhong Haiwei
GR01 | Patent grant |
