Disclosure of Invention
The invention aims to provide a system and a method for perceiving the health situation of a device base station based on network attack trend, so as to solve the problems described in the background art.
In order to solve these technical problems, the invention provides the following technical scheme: a health situation perception method of a device base station based on network attack trend comprises the following steps:
step S100: constructing a network attack early warning model based on the various equipment operation data of an industrial control computer equipment end before it historically suffered different network attacks; based on the historical log running rules, establishing association relations between different network attacks and different equipment vulnerabilities;
step S200: based on the association relation between each network attack and the different equipment vulnerabilities, identifying and judging the vulnerability association relations existing between network attacks; capturing the associated network attacks of each network attack based on the result of this identification and judgment, and respectively obtaining an associated network attack set corresponding to each network attack;
step S300: obtaining, in real time, the plurality of early warning network attacks predicted by the network attack early warning model from the current equipment operation data of the industrial control computer equipment end; calculating a first network attack trend value φ1 for the current industrial control computer equipment end based on the distribution of association relations among the plurality of early warning network attacks;
step S400: calculating a second network attack trend value φ2 for the current industrial control computer equipment end based on an analysis of the repair time of all associated vulnerabilities corresponding to the plurality of early warning network attacks;
step S500: integrating the first and second network attack trend values to obtain a comprehensive network attack trend value φ_comprehensive = φ1 × φ2 for the current industrial control computer equipment end; when the comprehensive network attack trend value φ_comprehensive is greater than the comprehensive network attack trend value threshold, feeding back early warning information to the base station connected with the industrial control computer equipment end, stopping the sending of control instructions to the industrial control computer equipment, and notifying technical personnel to overhaul and maintain the equipment of the industrial control computer equipment end.
Further, step S100 includes:
step S101: respectively extracting the various equipment performance parameters of the industrial control computer equipment end before it historically suffered different network attacks; converting each equipment performance parameter into a plurality of structured data units, converting these structured data units into a plurality of matrix data, and taking the matrix data as the feature vectors of the equipment operation data of the industrial control computer equipment end before each network attack; training the feature vectors with a deep neural network and correspondingly establishing the network attack early warning model;
step S102: extracting the historical operation logs of the industrial control computer equipment end, and extracting from them the vulnerability repair instructions executed when the industrial control computer equipment end was subjected to the different network attacks; from the vulnerability repair instructions, obtaining the equipment vulnerabilities that existed at the industrial control computer equipment end when each kind of network attack appeared, and respectively establishing association relations between the obtained equipment vulnerabilities and the corresponding network attacks;
step S103: respectively searching, for each network attack, all equipment vulnerabilities with which it has an association relation, to obtain the associated vulnerability set corresponding to each network attack.
Further, step S200 includes:
step S201: for each kind of network attack, respectively finding the other kinds of network attack whose associated vulnerability sets both share at least one equipment vulnerability with, and differ in at least one equipment vulnerability from, the associated vulnerability set of the current kind of network attack, and preliminarily judging that a vulnerability association relation exists between the current kind of network attack and each such other kind of network attack; for a network attack A, the set of network attacks preliminarily judged to have a vulnerability association relation with A is denoted A' = {A'_1, A'_2, …, A'_v}, where A'_1, A'_2, …, A'_v respectively represent the 1st, 2nd, …, v-th kinds of network attack preliminarily judged to have a vulnerability association relation with network attack A;
step S202: for the q-th associated network attack A'_q, the same associated vulnerability set shared with network attack A is as follows: [formula not reproduced in the source]; where P_A represents the associated vulnerability set corresponding to network attack A, and the second symbol (not reproduced in the source) represents the associated vulnerability set corresponding to network attack A'_q; the respective difference associated vulnerability sets are as follows: [formula not reproduced in the source]; where P'_A represents the difference associated vulnerability set of set P_A with respect to the associated vulnerability set of A'_q, and the other difference set represents the difference associated vulnerability set of the associated vulnerability set of A'_q with respect to set P_A; the vulnerability correlation value between the q-th network attack A'_q and network attack A is calculated as follows: [formula not reproduced in the source]; where card(·) denotes the number of equipment vulnerabilities in a set, so that card(P'_A) and card(P_A) are the numbers of equipment vulnerabilities in sets P'_A and P_A respectively, and likewise for the two sets associated with A'_q;
the above calculation of the vulnerability correlation value amounts to the following: for two network attacks that exhibit an association, the probability that an equipment vulnerability selected from the pair is not one possessed by both network attacks is calculated first; the greater this probability, the greater the possibility that, when the vulnerability of one of the network attacks is being repaired, the attack of the other network attack begins to take effect;
step S203: setting a vulnerability correlation value threshold, respectively calculating the vulnerability correlation value between network attack A and each network attack in the set A', and removing from A' the network attacks whose vulnerability correlation value is smaller than the threshold, obtaining a new set A'; finally, judging that network attack A and the network attacks in the new set A' are associated network attacks, and establishing association identifications between network attack A and the network attacks in the new set A';
the purpose of analyzing and identifying the associated network attacks is to lay the technical groundwork for the subsequent calculation of the network attack trend value, that is, to analyze the network attack trend that can harm the industrial control computer equipment end; the associated network attacks are analyzed and identified because, in practice, the attack damage to computer equipment is effective and precise when network attacks that have an association relation appear as a trend, and because the defense and repair capabilities that computer equipment presents against different network attacks differ with the equipment's own configuration; between associated network attacks there is an overlapping part and a non-overlapping part of the corresponding equipment vulnerabilities, so when one network attack begins to take effect on the computer equipment and the computer equipment begins repairing the equipment vulnerability corresponding to that attack, the network attacks that have an association relation with it continue to be suffered, which often brings further secondary damage to the computer equipment; and while the equipment vulnerability brought by the current network attack is not yet completely repaired, the possibility that other network attacks associated with the current network attack take effect on the computer equipment end is higher.
Step S204: and respectively carrying out associated network attack judgment on each network attack to respectively obtain an associated network attack set corresponding to each network attack.
Further, step S300 includes:
step S301: collecting the various equipment performance parameters of the current industrial control computer equipment end in real time, and using the network attack early warning model to identify and match real-time early warning network attacks for the current industrial control computer equipment end, obtaining the early warning network attack set {a_1, a_2, …, a_n} of the current industrial control computer equipment end; where a_1, a_2, …, a_n respectively represent the 1st, 2nd, …, n-th network attacks whose early warning matching score, obtained from the equipment performance parameters of the current industrial control computer equipment end, is greater than the early warning matching score threshold;
step S302: querying the associated network attacks of each early warning network attack in the set {a_1, a_2, …, a_n}; accumulating the numbers of associated network attacks of the early warning network attacks in {a_1, a_2, …, a_n} to obtain the first network attack trend value φ1: [formula not reproduced in the source];
the larger the first network attack trend value obtained by this calculation, the larger the number of other network attacks that can take effect on the current computer equipment end while it is beginning vulnerability repair, and the larger the hidden danger of network attack faced by the current computer equipment end.
Further, step S400 includes:
step S401: respectively obtaining the associated vulnerability set corresponding to each network attack in the set {a_1, a_2, …, a_n}; integrating the vulnerability categories of all the associated vulnerability sets to obtain all associated vulnerabilities existing at the current industrial control computer equipment end, namely {b_1, b_2, …, b_n}, where b_1, b_2, …, b_n respectively represent the 1st, 2nd, …, n-th equipment vulnerabilities existing at the current industrial control computer equipment end; extracting the historical operation logs of the industrial control computer equipment end and capturing from them the repair time corresponding to each equipment vulnerability;
step S402: for each equipment vulnerability, accumulating the number of network attacks in the early warning network attack set {a_1, a_2, …, a_n} with which it has an association relation; setting an associated network attack number threshold, and sorting all equipment vulnerabilities whose associated network attack number is greater than this threshold in descending order of that number, obtaining an equipment vulnerability sequence;
step S403: in the order of the equipment vulnerability sequence, setting each equipment vulnerability in turn as the target equipment vulnerability; for each, obtaining from the early warning network attack set {a_1, a_2, …, a_n} the early warning network attack subset {c_1, c_2, …, c_z} that has no association relation with the target equipment vulnerability, where c_1, c_2, …, c_z respectively represent the 1st, 2nd, …, z-th kinds of network attack having no association relation with the target equipment vulnerability; respectively obtaining the vulnerability repair time t_g corresponding to each target equipment vulnerability; sequentially acquiring from the historical operation logs of the industrial control computer equipment end the response time of each network attack in the subset {c_1, c_2, …, c_z}, that is, the time it takes for that attack to cause a data impact on the industrial control computer equipment end; and comparing the response time of each network attack in each subset {c_1, c_2, …, c_z} so obtained with the vulnerability repair time t_g corresponding to the current target equipment vulnerability;
step S404: for each early warning network attack subset {c_1, c_2, …, c_z} in turn, accumulating the number of network attacks whose response time for causing a data impact on the industrial control computer equipment end is less than the vulnerability repair time t_g corresponding to the current target equipment vulnerability; calculating the second network attack trend value φ2: [formula not reproduced in the source]; where k_f is, for the f-th target equipment vulnerability, the number of network attacks in the correspondingly obtained f-th early warning network attack subset {c_1, c_2, …, c_z} whose response time is less than the vulnerability repair time t_g corresponding to the current f-th target equipment vulnerability;
the larger the second network attack trend value obtained by this calculation, the higher the possibility that the current computer equipment end is subjected to other network attacks that can take effect on it.
In order to better realize the method, a health situation perception system of the equipment base station based on the network attack trend is also provided, and the system comprises a data analysis management module, an associated network attack identification and judgment module, a real-time detection module, a network attack trend calculation module and an early warning prompt module;
the data analysis management module is used for acquiring various equipment operation data of the industrial control computer equipment end before the industrial control computer equipment end is historically subjected to different network attacks, and constructing a network attack early warning model; the system is used for collecting historical running logs of the industrial control computer equipment end and establishing association relations between different network attacks and different equipment bugs;
the associated network attack identification and judgment module is used for receiving the data from the data analysis management module and, based on the association relations between network attacks and the different equipment vulnerabilities, identifying and judging the vulnerability association relations existing between network attacks; and for capturing the associated network attacks of each network attack based on the result of this identification and judgment, respectively obtaining an associated network attack set corresponding to each network attack;
the real-time detection module is used for carrying out early warning prediction on the network attack on the basis of real-time operation data of each piece of equipment on the basis of the industrial control computer equipment through the network attack early warning model;
the network attack trend calculation module is used for receiving the data from the real-time detection module and analyzing and calculating a first network attack trend value and a second network attack trend value for the current industrial control computer equipment end;
and the early warning prompting module is used for receiving the data in the network attack trend calculation module, feeding back early warning information to a base station connected with the industrial control computer equipment end according to the data, stopping sending a control instruction to the industrial control computer equipment, and informing technical personnel of carrying out equipment maintenance and repair on the industrial control computer equipment end.
Further, the data analysis management module comprises a network attack early warning model building unit and a correlation vulnerability analysis unit;
the network attack early warning model establishing unit is used for establishing a network attack early warning model based on operation data of various equipment before the equipment end of the industrial control computer is subjected to different network attacks historically;
the association vulnerability analysis unit is used for acquiring the historical operation logs of the industrial control computer equipment end and extracting from them the vulnerability repair instructions executed when the industrial control computer equipment end was subjected to the different kinds of network attack; for obtaining, from the vulnerability repair instructions, the equipment vulnerabilities that existed at the industrial control computer equipment end when each kind of network attack appeared; and for completing the establishment of the association relations between the obtained equipment vulnerabilities and the corresponding network attacks.
Further, the correlation network attack identification and judgment module comprises a vulnerability correlation relationship preliminary judgment unit and a vulnerability correlation value calculation unit;
the vulnerability association relation primary judgment unit is used for searching other different network attacks which have the same equipment vulnerability and are different from the equipment vulnerability between the corresponding association vulnerability set and preliminarily judging that vulnerability association relation exists between the current type of network attack and the corresponding other types of network attacks;
and the vulnerability correlation value calculating unit is used for receiving the data in the vulnerability correlation preliminary judgment unit, calculating vulnerability correlation values between the network attacks which preliminarily judge that the vulnerability correlation exists between the vulnerability correlation values, and establishing corresponding correlation identifications between the network attacks of which the vulnerability correlation values are greater than or equal to the vulnerability correlation value threshold value.
Furthermore, the network attack trend calculation module comprises a first network attack trend value calculation unit and a second network attack trend value calculation unit;
the first network attack trend value calculation unit is used for receiving the data in the real-time detection module and calculating a first network attack trend value for the current industrial control computer equipment terminal based on the incidence relation distribution condition among a plurality of early warning network attacks;
and the second network attack trend value calculation unit is used for receiving the data in the real-time detection module, analyzing the repair time of all the associated vulnerabilities corresponding to the early warning network attacks, and calculating a second network attack trend value for the current industrial control computer equipment terminal.
Compared with the prior art, the invention has the following beneficial effects: the invention can realize the predictive calculation of the network attack trend of the current computer equipment end, and, according to the calculated network attack trend value, indirectly judge the accuracy of the control instructions sent by the current industrial control computer equipment end to the industrial control equipment; because network attacks are usually strongly purposeful and targeted, the method can avoid real-time judgment and prediction of the network attack itself, and instead predicts the equipment information security from the viewpoint of the computing equipment end by considering the current network attack situation and the equipment's self-repair capability, a process reflected by the network attack trend value, where the larger the network attack trend value, the lower the security performance of the current computer equipment and the higher the possibility that information is stolen or tampered with; the application can improve the efficiency of detecting the security performance of the computer equipment, and reduce the control deviations or control errors that arise in the control of industrial control equipment when the security performance of the computer equipment is reduced.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Referring to fig. 1-2, the present invention provides a technical solution: a health situation perception method of a device base station based on a network attack trend comprises the following steps:
step S100: constructing a network attack early warning model based on various equipment operation data of an industrial control computer equipment terminal before suffering different network attacks historically; based on a historical log running rule, establishing an association relation between different network attacks and different equipment vulnerabilities;
wherein, step S100 includes:
step S101: respectively extracting various equipment performance parameters of the industrial control computer equipment end before the industrial control computer equipment end is subjected to different network attacks historically; respectively converting various equipment performance parameters into a plurality of structured data units, correspondingly converting the plurality of structured data units into a plurality of matrix data, and setting the plurality of matrix data as a plurality of characteristic vectors of various equipment operation data of an industrial computer equipment end before suffering different network attacks; respectively carrying out data training on a plurality of characteristic vectors through a deep neural network, and correspondingly establishing a network attack early warning model;
step S102: extracting the historical operation logs of the industrial control computer equipment end, and extracting from them the vulnerability repair instructions executed when the industrial control computer equipment end was subjected to the different network attacks; from the vulnerability repair instructions, obtaining the equipment vulnerabilities that existed at the industrial control computer equipment end when each kind of network attack appeared, and respectively establishing association relations between the obtained equipment vulnerabilities and the corresponding network attacks;
step S103: respectively searching, for each network attack, all equipment vulnerabilities with which it has an association relation, and respectively obtaining the associated vulnerability sets corresponding to the different network attacks;
step S200: based on the incidence relation between each network attack and different equipment vulnerabilities, identifying and judging the vulnerability incidence relation existing between the network attacks; capturing associated network attacks for each network attack based on the identification and judgment result of the vulnerability association relation, and respectively obtaining an associated network attack set corresponding to each network attack;
wherein, step S200 includes:
step S201: for each kind of network attack, respectively finding the other kinds of network attack whose associated vulnerability sets both share at least one equipment vulnerability with, and differ in at least one equipment vulnerability from, the associated vulnerability set of the current kind of network attack, and preliminarily judging that a vulnerability association relation exists between the current kind of network attack and each such other kind of network attack;
for example, the associated vulnerability set corresponding to network attack X is {vulnerability 1, vulnerability 2, vulnerability 3, vulnerability 4}, and the associated vulnerability set corresponding to network attack Y is {vulnerability 2, vulnerability 3, vulnerability 5, vulnerability 6}; the same equipment vulnerabilities {vulnerability 2, vulnerability 3} and the differing equipment vulnerabilities {vulnerability 1, vulnerability 5, vulnerability 6} exist between network attack X and network attack Y, so it is preliminarily judged that a vulnerability association relation exists between network attack X and network attack Y;
for a network attack A, the set of network attacks preliminarily judged to have a vulnerability association relation with A is denoted A' = {A'_1, A'_2, …, A'_v}, where A'_1, A'_2, …, A'_v respectively represent the 1st, 2nd, …, v-th kinds of network attack preliminarily judged to have a vulnerability association relation with network attack A;
step S202: for the q-th associated network attack A'_q, the same associated vulnerability set shared with network attack A is as follows: [formula not reproduced in the source]; where P_A represents the associated vulnerability set corresponding to network attack A, and the second symbol (not reproduced in the source) represents the associated vulnerability set corresponding to network attack A'_q; the respective difference associated vulnerability sets are as follows: [formula not reproduced in the source]; where P'_A represents the difference associated vulnerability set of set P_A with respect to the associated vulnerability set of A'_q, and the other difference set represents the difference associated vulnerability set of the associated vulnerability set of A'_q with respect to set P_A; the vulnerability correlation value between the q-th network attack A'_q and network attack A is calculated as follows: [formula not reproduced in the source]; where card(·) denotes the number of equipment vulnerabilities in a set, so that card(P'_A) and card(P_A) are the numbers of equipment vulnerabilities in sets P'_A and P_A respectively, and likewise for the two sets associated with A'_q;
for example, the associated vulnerability set P_A corresponding to network attack X is {vulnerability 1, vulnerability 2, vulnerability 3, vulnerability 4}, and the associated vulnerability set corresponding to network attack Y is {vulnerability 2, vulnerability 3, vulnerability 5, vulnerability 6}; it is preliminarily judged that a vulnerability association relation exists between network attack X and network attack Y; the same associated vulnerability set between network attack X and network attack Y is {vulnerability 2, vulnerability 3}; the difference associated vulnerability set P'_A of network attack X is {vulnerability 1, vulnerability 4}; the difference associated vulnerability set of network attack Y is {vulnerability 5, vulnerability 6}; the vulnerability correlation value between network attack X and network attack Y is [value not reproduced in the source];
Step S203: setting a vulnerability correlation value threshold value, respectively calculating vulnerability correlation values between each network attack and the network attacks A in the set A ', and removing the network attacks of which the vulnerability correlation values are smaller than the vulnerability correlation value threshold value from the set A'; obtaining a new set A'; finally, judging that the network attacks A and the network attacks A in the new set A 'are correlated network attacks, and establishing correlation identification between the network attacks A and the network attacks in the new set A'.
Step S204: respectively carrying out associated network attack judgment on each network attack to respectively obtain an associated network attack set corresponding to each network attack;
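The following is an added illustration of steps S201 to S204 (both the summary above and this detailed description); it is not part of the original specification. The set operations follow the worked example for network attacks X and Y; attacks Z and W, the threshold of 0.5, and the correlation formula itself are assumptions, since the specification does not reproduce the formula. The assumed value is the one the text describes in words: the probability that a vulnerability drawn from the pair's vulnerabilities is not one possessed by both attacks.

```python
from itertools import combinations

# Constructed sample data (not from the specification): the associated
# vulnerability set P_A of each network attack, as produced by step S103.
# Attacks X and Y reproduce the worked example of step S202; Z and W are added here.
ASSOCIATED_VULNS = {
    "X": {"vuln1", "vuln2", "vuln3", "vuln4"},
    "Y": {"vuln2", "vuln3", "vuln5", "vuln6"},
    "Z": {"vuln1", "vuln2", "vuln3", "vuln4", "vuln7"},
    "W": {"vuln8", "vuln9"},
}


def preliminary_association(p_a, p_b):
    """Step S201: two attacks are preliminarily associated when their
    associated vulnerability sets share at least one equipment vulnerability
    and also differ in at least one (identical sets do not qualify)."""
    return bool(p_a & p_b) and bool(p_a ^ p_b)


def vulnerability_correlation(p_a, p_b):
    """Step S202: return (same set, difference set of A, difference set of
    A'_q, correlation value).

    Assumed formula (the specification does not reproduce it): the share of
    the pair's vulnerabilities that are not possessed by both attacks,
    (card(P'_A) + card(P'_A'q)) / card(P_A union P_A'q).
    """
    same = p_a & p_b
    diff_a = p_a - p_b
    diff_b = p_b - p_a
    value = (len(diff_a) + len(diff_b)) / len(p_a | p_b)
    return same, diff_a, diff_b, value


def associated_attack_sets(vuln_sets, threshold):
    """Steps S203-S204: keep, for every attack, the preliminarily associated
    attacks whose correlation value reaches the threshold; the result is the
    associated network attack set of each attack, marked symmetrically."""
    result = {name: set() for name in vuln_sets}
    for a, b in combinations(sorted(vuln_sets), 2):
        if not preliminary_association(vuln_sets[a], vuln_sets[b]):
            continue
        value = vulnerability_correlation(vuln_sets[a], vuln_sets[b])[3]
        if value >= threshold:
            result[a].add(b)
            result[b].add(a)
    return result


if __name__ == "__main__":
    same, diff_x, diff_y, value = vulnerability_correlation(
        ASSOCIATED_VULNS["X"], ASSOCIATED_VULNS["Y"])
    print("same:", sorted(same), "diff X:", sorted(diff_x),
          "diff Y:", sorted(diff_y), "value: %.3f" % value)
    for attack, assoc in associated_attack_sets(ASSOCIATED_VULNS, 0.5).items():
        print(attack, "->", sorted(assoc))
```

With the assumed data, X and Z are preliminarily associated (they share four vulnerabilities and differ in one) but their correlation value of 0.2 falls below the threshold, so step S203 removes Z from X's associated set, while Y keeps both X and Z.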
step S300: obtaining, in real time, the plurality of early warning network attacks predicted by the network attack early warning model from the current equipment operation data of the industrial control computer equipment end; calculating a first network attack trend value φ1 for the current industrial control computer equipment end based on the distribution of association relations among the plurality of early warning network attacks;
Wherein, step S300 includes:
step S301: collecting the various equipment performance parameters of the current industrial control computer equipment end in real time, and using the network attack early warning model to identify and match real-time early warning network attacks for the current industrial control computer equipment end, obtaining the early warning network attack set {a_1, a_2, …, a_n} of the current industrial control computer equipment end; where a_1, a_2, …, a_n respectively represent the 1st, 2nd, …, n-th network attacks whose early warning matching score, obtained from the equipment performance parameters of the current industrial control computer equipment end, is greater than the early warning matching score threshold;
step S302: querying the associated network attacks of each early warning network attack in the set {a_1, a_2, …, a_n}; accumulating the numbers of associated network attacks of the early warning network attacks in {a_1, a_2, …, a_n} to obtain the first network attack trend value φ1: [formula not reproduced in the source];
step S400: calculating a second network attack trend value φ2 for the current industrial control computer equipment end based on an analysis of the repair time of all associated vulnerabilities corresponding to the early warning network attacks;
Wherein, step S400 includes:
step S401: step S302: separately obtain the sets { a1 ,a2 ,…,an Attacking the corresponding equipment vulnerability set by each network in the software; and (4) integrating all the associated vulnerability sets into vulnerability categories to obtain all the associated vulnerabilities existing at the equipment side of the current industrial control computer, wherein all the associated vulnerabilities comprise { b1 ,b2 ,…,bn }; wherein, b1 ,b2 ,…,bn Respectively representing 1 st, 2 nd, \ 8230and n equipment bugs existing at the equipment end of the current industrial control computer; extracting historical operation logs of the equipment end of the industrial control computer, and respectively capturing repair time corresponding to each equipment bug in the historical operation logs;
step S402: respectively accumulating and early warning network attacks { a) to each equipment vulnerability1 ,a2 ,…,an There are associated network attack number values in the memory; setting a relevant network attack number threshold value, and sequencing all the equipment vulnerabilities larger than the relevant network attack number threshold value from large to small according to the relevant network attack number values to obtain an equipment vulnerability sequence;
step S403: according to the arrangement order of the equipment vulnerabilities in the equipment vulnerability sequence, sequentially set each equipment vulnerability as the target equipment vulnerability; for each target equipment vulnerability, sequentially obtain the early warning network attack subset {c1, c2, …, cz} consisting of those network attacks in the early warning network attack set {a1, a2, …, an} that have no association relation with the target equipment vulnerability; wherein c1, c2, …, cz respectively represent the 1st, 2nd, …, zth kind of network attack having no association relation with the target equipment vulnerability; respectively obtain the vulnerability repair time tg corresponding to each target equipment vulnerability; then, considering the response time taken by different kinds of network attacks to cause a data influence on the industrial control computer equipment side, sequentially obtain from the historical operation logs of the industrial control computer equipment side the response time for each network attack in the early warning network attack subset {c1, c2, …, cz} to cause a data influence on the industrial control computer equipment side; and respectively compare the response time of each network attack in each obtained early warning network attack subset {c1, c2, …, cz} with the vulnerability repair time tg corresponding to the current target equipment vulnerability;
step S404: sequentially accumulate, in each early warning network attack subset {c1, c2, …, cz}, the number of network attacks whose response time for causing a data influence on the industrial control computer equipment side is less than the vulnerability repair time tg corresponding to the current target equipment vulnerability; calculate the second network attack trend value:
wherein kf is the number of network attacks in the f-th early warning network attack subset {c1, c2, …, cz}, obtained correspondingly when the f-th target equipment vulnerability is set, whose response time is less than the vulnerability repair time tg corresponding to the current f-th target equipment vulnerability;
step S500: integrate the first network attack trend value and the second network attack trend value to obtain a comprehensive network attack trend value phi_comprehensive = phi1 × phi2 for the current industrial control computer equipment side; when the comprehensive network attack trend value phi_comprehensive is greater than the comprehensive network attack trend value threshold, feed back early warning information to the base station connected to the industrial control computer equipment side, stop sending control instructions to the industrial control computer equipment, and notify technicians to overhaul and maintain the equipment at the industrial control computer equipment side.
In order to better realize the method, a health situation perception system of the equipment base station based on the network attack trend is also provided, and the system comprises a data analysis management module, an associated network attack identification and judgment module, a real-time detection module, a network attack trend calculation module and an early warning prompt module;
the data analysis management module is used for acquiring various equipment operation data of the industrial control computer equipment side before it was historically subjected to different network attacks and constructing the network attack early warning model, and for acquiring the historical operation logs of the industrial control computer equipment side and establishing the association relation between different network attacks and different equipment vulnerabilities;
the data analysis management module comprises a network attack early warning model establishing unit and a correlation vulnerability analysis unit;
the network attack early warning model establishing unit is used for establishing a network attack early warning model based on operation data of various equipment before the equipment end of the industrial control computer is subjected to different network attacks historically;
the associated vulnerability analysis unit is used for acquiring the historical operation logs of the industrial control computer equipment side and extracting from them the vulnerability repair instructions executed when the industrial control computer equipment side was subjected to different network attacks; acquiring, on the basis of those vulnerability repair instructions, the equipment vulnerabilities present at the industrial control computer equipment side when each kind of network attack occurred; and establishing the association relation between each obtained equipment vulnerability and the corresponding network attack;
the associated network attack identification and judgment module is used for receiving the data of the data analysis management module and identifying and judging, based on the association relation between each network attack and the different equipment vulnerabilities, the vulnerability association relation existing between network attacks; and for capturing the associated network attacks of each network attack based on the identification and judgment result of the vulnerability association relation, respectively obtaining an associated network attack set corresponding to each network attack;
the relevant network attack identification and judgment module comprises a vulnerability relevant relationship preliminary judgment unit and a vulnerability relevant value calculation unit;
the vulnerability association relation preliminary judgment unit is used for searching, for each kind of network attack, for other kinds of network attacks whose corresponding associated vulnerability sets contain the same equipment vulnerability as that of the current kind of network attack, and preliminarily judging that a vulnerability association relation exists between the current kind of network attack and those other kinds of network attacks;
the vulnerability association value calculation unit is used for receiving the data of the vulnerability association relation preliminary judgment unit, calculating the vulnerability association value between each pair of network attacks preliminarily judged to have a vulnerability association relation, and establishing corresponding association identifications between network attacks whose vulnerability association value is greater than or equal to the vulnerability association value threshold;
The real-time detection module is used for carrying out early warning prediction on network attack on each real-time equipment operation data of the industrial control computer equipment through the network attack early warning model;
the network attack trend calculation module is used for receiving the data of the real-time detection module and analyzing and calculating the first network attack trend value and the second network attack trend value for the current industrial control computer equipment side;
the network attack trend calculation module comprises a first network attack trend value calculation unit and a second network attack trend value calculation unit;
the first network attack tendency value calculation unit is used for receiving the data in the real-time detection module and calculating a first network attack tendency value for the current industrial control computer equipment terminal based on the incidence relation distribution condition among a plurality of early warning network attacks;
the second network attack trend value calculation unit is used for receiving the data in the real-time detection module, analyzing the repair time of all the associated vulnerabilities corresponding to the early warning network attacks and calculating a second network attack trend value for the current industrial control computer equipment side;
and the early warning prompting module is used for receiving the data in the network attack trend calculation module, feeding back early warning information to a base station connected with the industrial control computer equipment end according to the data, stopping sending a control instruction to the industrial control computer equipment, and informing technicians to overhaul and maintain the equipment of the industrial control computer equipment end.
It should be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.