CN119293795B - Intelligent penetration detection method and system for electric power system - Google Patents

Publication number
CN119293795B
Authority
CN
China
Prior art keywords
power system
abnormality degree
electric power
vulnerability
network flow
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202411304727.9A
Other languages
Chinese (zh)
Other versions
CN119293795A (en)
Inventor
徐传懋
赖博宇
郑鸿亮
杜金燃
戴涛
梁志宏
杨祎巍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China South Power Grid International Co ltd
Original Assignee
China South Power Grid International Co ltd

Abstract

The invention discloses an intelligent penetration detection method and system for an electric power system, and relates to the technical field of network security testing. The method comprises the following steps of performing penetration test on the electric power system, monitoring and acquiring penetration test parameter data in the penetration test process, performing data processing on the penetration test parameter data, analyzing the safety condition of the electric power system according to the penetration test parameter data after the data processing, and performing early warning reminding. The method and the device have the advantages that the safety condition of the electric power system is accurately and efficiently analyzed through the penetration test, and the problem that the safety condition of the electric power system is difficult to accurately and efficiently analyze through the penetration test in the prior art is solved.

Description

Intelligent penetration detection method and system for electric power system
Technical Field
The invention relates to the technical field of network security testing, in particular to an intelligent penetration detection method and system for an electric power system.
Background
With the rapid development of information technology, the power system is becoming increasingly informatized and intelligent. At the same time it faces a growing number of network security threats, such as hacker attacks and virus intrusion, which may paralyze the power system and cause serious socioeconomic loss. Penetration testing evaluates the security of a system by simulating hacker attacks. Traditional power system security detection often depends on manual experience, is inefficient, and struggles to cope with complex and changing network attacks. An efficient intelligent penetration detection method is therefore needed.
Existing penetration detection systems find vulnerabilities by mechanically launching network attacks against the object under test, verify those vulnerabilities, and generate a penetration attack report, thereby implementing the penetration detection function.
For example, the invention patent with publication number CN111475818B, an AI-based penetration attack method for an automated penetration system, comprises: S1, judging the attack type; S2, ranking the vulnerabilities by priority; S3, detecting the vulnerabilities one by one; S4, matching other vulnerabilities with a special intelligent module; S5, ranking those vulnerabilities by priority; S6, detecting the vulnerabilities one by one; S7, optimizing and adjusting parameters with the special intelligent module; and S8, generating a vulnerability verification result and a vulnerability exploitation result with the penetration attack module.
The patent application with publication number CN115659348A discloses a rapid penetration test method and device for mobile devices, comprising: judging whether the test is the first penetration test of the mobile device; when it is the first penetration test, executing a test environment detection operation to obtain first environment detection information, determining a test function module based on the first environment detection information, and executing the corresponding penetration test operation based on the test function module to generate a first test result; when it is not the first penetration test, executing the test environment detection operation to obtain second environment detection information, judging from the second environment detection information whether the test environment has changed, and, when it has changed, determining the updated function module corresponding to the test environment and executing the corresponding penetration test operation based on the updated function module to generate a second test result.
However, in implementing the technical solution of the embodiments of the present application, the applicant found that the above technologies have at least the following technical problem:
In the prior art, the network structure of the power monitoring system is complex. When the power system is subjected to a threat such as a hacker attack, many aspects of the power system are affected. Penetration testing can be used to analyze how the power system is affected, but it yields so much data describing that impact that it is difficult to analyze the safety condition of the power system accurately and efficiently through penetration testing.
Disclosure of Invention
The embodiment of the application solves the problem that in the prior art, the safety condition of the power system is difficult to accurately and efficiently analyze through the penetration test by providing the intelligent penetration detection method and the intelligent penetration detection system for the power system, and realizes the accurate and efficient analysis of the safety condition of the power system through the penetration test.
The embodiment of the application provides an intelligent penetration detection method for an electric power system, which comprises the following steps of performing penetration test on the electric power system; monitoring and acquiring penetration test parameter data in the penetration test process, performing data processing on the penetration test parameter data, analyzing the safety condition of the power system according to the penetration test parameter data after the data processing, and performing early warning reminding.
The safety condition of the power system comprises the abnormality degree of the power system in terms of network flow, the abnormality degree in terms of system files, and the abnormality degree in terms of vulnerabilities. The penetration test parameter data comprise network flow abnormality degree parameter data, system file abnormality degree parameter data and vulnerability security degree parameter data. The abnormality degree of the power system in terms of network flow is analyzed as follows: obtain the network flow abnormality degree parameter data from the penetration test parameter data; analyze the network flow abnormality degree parameter data to obtain a network flow abnormality degree evaluation coefficient, which reflects the abnormality degree of the power system in terms of network flow; and analyze the abnormality degree of the power system in terms of network flow according to that coefficient.
Further, the specific analysis process for analyzing the abnormality degree of the electric power system in the aspect of the network flow according to the network flow abnormality degree evaluation coefficient comprises the steps of obtaining the network flow abnormality degree evaluation coefficient, obtaining a network flow abnormality degree threshold value, comparing the network flow abnormality degree evaluation coefficient with the network flow abnormality degree threshold value, indicating that the electric power system is normal in the aspect of the network flow when the network flow abnormality degree evaluation coefficient is smaller than the network flow abnormality degree threshold value, and indicating that the electric power system is abnormal in the aspect of the network flow when the network flow abnormality degree evaluation coefficient is larger than or equal to the network flow abnormality degree threshold value.
The specific analysis process of the abnormality degree of the power system in the aspect of the system file comprises the steps of obtaining system file abnormality degree parameter data according to penetration test parameter data, analyzing and obtaining a system file abnormality degree evaluation index according to the system file abnormality degree parameter data, wherein the system file abnormality degree evaluation index is used for representing the abnormality degree of the power system in the aspect of the system file, and analyzing the abnormality degree of the power system in the aspect of the system file according to the system file abnormality degree evaluation index.
The abnormality degree of the power system in terms of system files is analyzed according to the system file abnormality degree evaluation index as follows: obtain the system file abnormality degree evaluation index; obtain a first threshold and a second threshold of the system file abnormality degree; and compare the index with both thresholds. When the index is greater than the first threshold and smaller than the second threshold, the power system is normal in terms of system files. When the index is smaller than or equal to the first threshold, or greater than the second threshold, the power system is abnormal in terms of system files.
The abnormality degree of the power system in terms of vulnerabilities is analyzed as follows: obtain the vulnerability security degree parameter data from the penetration test parameter data; normalize the vulnerability security degree parameter data; analyze the normalized data to obtain a vulnerability security degree evaluation index, which represents the abnormality degree of the power system in terms of vulnerabilities; and analyze the abnormality degree of the power system in terms of vulnerabilities according to that index.
Further, the specific analysis process for analyzing the abnormality degree of the electric power system in terms of the vulnerability according to the vulnerability safety degree assessment index comprises the steps of obtaining the vulnerability safety degree assessment index, obtaining a first threshold value of the vulnerability safety degree and a second threshold value of the vulnerability safety degree, wherein when the vulnerability safety degree assessment index is larger than the first threshold value of the vulnerability safety degree and smaller than the second threshold value of the vulnerability safety degree, the electric power system is indicated to be normal in terms of the vulnerability, and when the vulnerability safety degree assessment index is in other conditions, the electric power system is indicated to be abnormal in terms of the vulnerability.
The safety condition of the power system is analyzed and the early warning is issued as follows: obtain the safety condition of the power system. When no more than one of the three conditions (network flow abnormality, system file abnormality and vulnerability abnormality) occurs in the safety condition of the power system, the power system is operating normally and no early warning is issued. When two or more of these conditions occur, the power system is abnormal.
The network flow abnormality degree evaluation coefficient is obtained as follows: perform penetration detection on the power system, obtain the number of penetration detections and number them; perform multiple data acquisitions during each penetration detection and number them; obtain from a database the preset weight proportion of the number of ports used by the power system and the preset weight proportion of the HTTP and FTP protocol traffic used by the power system; obtain the network flow abnormality degree parameter data; and construct the calculation formula of the network flow abnormality degree evaluation coefficient from the network flow abnormality degree parameter data. The calculation formula is as follows:
In the formula, the terms denote the following: the network flow abnormality degree evaluation coefficient of the power system at the k0-th penetration detection, where k0 = 1, 2, ..., k is the number of the penetration detection and k is the total number of penetration detections; the number of ports used by the power system at the h0-th data acquisition of the k0-th penetration detection, where h0 = 1, 2, ..., h is the number of the data acquisition and h is the total number of data acquisitions; the reference number of ports used by the power system at the k0-th penetration detection; the Modbus protocol traffic used by the power system at the h0-th data acquisition of the k0-th penetration detection; the DNP3 protocol traffic used by the power system at the h0-th data acquisition of the k0-th penetration detection; the HTTP protocol traffic used by the power system at the h0-th data acquisition of the k0-th penetration detection; the FTP protocol traffic used by the power system at the h0-th data acquisition of the k0-th penetration detection; D1, the weight proportion of the number of ports used by the power system in the network flow abnormality degree evaluation coefficient; and D2, the weight proportion of the HTTP and FTP protocol traffic used by the power system in the network flow abnormality degree evaluation coefficient.
The embodiment of the application provides an intelligent penetration detection system for an electric power system, which comprises a penetration test module, a parameter acquisition module, a data processing module and an early warning analysis module, wherein the penetration test module is used for performing penetration test on the electric power system, the parameter acquisition module is used for monitoring and acquiring penetration test parameter data in the penetration test process, the data processing module is used for performing data processing on the penetration test parameter data, and the early warning analysis module is used for analyzing the safety condition of the electric power system according to the penetration test parameter data after the data processing and performing early warning reminding.
One or more technical solutions provided in the embodiments of the present application at least have the following technical effects or advantages:
1. A penetration test is performed on the power system, penetration test parameter data are monitored and acquired during the test, and the data are processed, so that the safety condition of the power system is analyzed from the processed data and an early warning is issued. This achieves accurate and efficient analysis of the safety condition of the power system through penetration testing and effectively solves the prior-art problem that such analysis is difficult.
2. Network flow abnormality degree parameter data are obtained according to the penetration test parameter data, and the network flow abnormality degree parameter data are analyzed to obtain a network flow abnormality degree evaluation coefficient, so that the abnormality degree of the electric power system in the aspect of network flow is analyzed according to the network flow abnormality degree evaluation coefficient, and further the abnormality degree of the electric power system in the aspect of network flow is accurately analyzed in detail.
3. The system file abnormality degree parameter data is obtained according to the penetration test parameter data, and the system file abnormality degree evaluation index is obtained according to the system file abnormality degree parameter data analysis, so that the abnormality degree of the power system in the aspect of the system file is analyzed according to the system file abnormality degree evaluation index, and further the abnormality degree of the power system in the aspect of the system file is accurately analyzed.
Drawings
FIG. 1 is a flow chart of an intelligent penetration detection method for an electric power system according to an embodiment of the present application;
FIG. 2 is a graph of a system file abnormality degree evaluation index according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of an intelligent penetration detection system for an electric power system according to an embodiment of the present application.
Detailed Description
The embodiment of the application solves the problem that in the prior art, the safety condition of the power system is difficult to be accurately and efficiently analyzed through the penetration test by providing the intelligent penetration detection method and the intelligent penetration detection system for the power system, monitors and acquires penetration test parameter data in the penetration test process by performing the penetration test on the power system, and processes the penetration test parameter data, so that the safety condition of the power system is analyzed according to the penetration test parameter data after the data processing and early warning reminding is performed, and the safety condition of the power system is accurately and efficiently analyzed through the penetration test.
The technical scheme in the embodiment of the application aims to solve the problem that the safety condition of the power system is difficult to accurately and efficiently analyze through the penetration test, and the overall thought is as follows:
Perform a penetration test on the power system; monitor and acquire penetration test parameter data during the penetration test; and process the penetration test parameter data. From the processed data, obtain the network flow abnormality degree parameter data, analyze them to obtain a network flow abnormality degree evaluation coefficient, and analyze the abnormality degree of the power system in terms of network flow according to that coefficient. Obtain the system file abnormality degree parameter data from the penetration test parameter data and analyze the abnormality degree of the power system in terms of system files according to the system file abnormality degree evaluation index. Obtain the vulnerability security degree parameter data from the penetration test parameter data, normalize them, analyze the normalized data to obtain a vulnerability security degree evaluation index, and analyze the abnormality degree of the power system in terms of vulnerabilities according to that index. Then obtain the safety condition of the power system, which comprises the abnormality degree of the power system in terms of network flow, in terms of system files and in terms of vulnerabilities; the penetration test parameter data comprise network flow abnormality degree parameter data, system file abnormality degree parameter data and vulnerability security degree parameter data. When two or more of the three conditions (network flow abnormality, system file abnormality and vulnerability abnormality) occur, the power system is abnormal and an early warning is issued, so that the safety condition of the power system is analyzed accurately and efficiently through penetration testing.
In order to better understand the above technical solutions, the following detailed description will refer to the accompanying drawings and specific embodiments.
As shown in FIG. 1, a flow chart of an intelligent penetration detection method for an electric power system is provided, and the method comprises the following steps of performing penetration test on the electric power system, monitoring and acquiring penetration test parameter data in the penetration test process, performing data processing on the penetration test parameter data, analyzing the safety condition of the electric power system according to the penetration test parameter data after the data processing, and performing early warning reminding.
In this embodiment, with the popularization of the smart grid, power monitoring systems have become larger and more complex. These systems monitor and control the running state of the power system in real time and ensure the stability and safety of the power supply. With the wide application of information technology in power systems, network security threats are increasing. Hacker attacks, virus intrusion and similar events may cause the power system to break down, resulting in serious socioeconomic loss. Penetration testing evaluates the security of a system by simulating hacker attacks. In power systems, penetration testing can help discover potential security vulnerabilities. Combining the penetration test with the penetration test parameter data allows the safety condition of the power system to be analyzed more accurately and efficiently.
Data processing removes repeated or erroneous data from the penetration test parameter data and brings the data to the same order of magnitude and range, so that the safety condition of the power system can be analyzed more accurately from the penetration test parameter data and an early warning can be issued.
The safety condition of the power system comprises the degree of abnormality of the power system in network flow, the degree of abnormality of the power system in system files and the degree of abnormality of the power system in vulnerability, wherein the specific analysis process of the degree of abnormality of the power system in network flow comprises the steps of obtaining network flow abnormality degree parameter data according to penetration test parameter data, analyzing the network flow abnormality degree parameter data to obtain a network flow abnormality degree evaluation coefficient, wherein the network flow abnormality degree evaluation coefficient is used for reflecting the degree of abnormality of the power system in network flow, and analyzing the degree of abnormality of the power system in network flow according to the network flow abnormality degree evaluation coefficient.
In this embodiment, the network traffic of the power system is considered abnormally affected, and further analysis is required, when any of the following is observed: a sudden increase or decrease in traffic, which may be related to a distributed denial-of-service attack or a network device failure; unusual packet sizes or packet types, which may indicate malware or probing behavior; traffic on illegitimate ports, which may mean that someone is attempting to exploit a known vulnerability; unauthorized remote access attempts, especially from an external network; and port scanning activity, where an attacker may be looking for open ports to attack.
In the embodiment, the network flow abnormality degree evaluation coefficient is obtained by analyzing the network flow abnormality degree parameter data, and then the abnormality degree of the power system in the aspect of network flow is analyzed according to the network flow abnormality degree evaluation coefficient, so that the analysis of the abnormality degree of the power system in the aspect of network flow is more accurate.
The network flow abnormality degree evaluation coefficient is obtained as follows: perform penetration detection on the power system, obtain the number of penetration detections and number them; perform multiple data acquisitions during each penetration detection and number them; obtain from a database the preset weight proportion of the number of ports used by the power system and the preset weight proportion of the HTTP and FTP protocol traffic used by the power system; obtain the network flow abnormality degree parameter data; and construct the calculation formula of the network flow abnormality degree evaluation coefficient from the network flow abnormality degree parameter data. The calculation formula is as follows:
In the formula, the terms denote the following: the network flow abnormality degree evaluation coefficient of the power system at the k0-th penetration detection, where k0 = 1, 2, ..., k is the number of the penetration detection and k is the total number of penetration detections; the number of ports used by the power system at the h0-th data acquisition of the k0-th penetration detection, where h0 = 1, 2, ..., h is the number of the data acquisition and h is the total number of data acquisitions; the reference number of ports used by the power system at the k0-th penetration detection; the Modbus protocol traffic used by the power system at the h0-th data acquisition of the k0-th penetration detection; the DNP3 protocol traffic used by the power system at the h0-th data acquisition of the k0-th penetration detection; the HTTP protocol traffic used by the power system at the h0-th data acquisition of the k0-th penetration detection; the FTP protocol traffic used by the power system at the h0-th data acquisition of the k0-th penetration detection; D1, the weight proportion of the number of ports used by the power system in the network flow abnormality degree evaluation coefficient; and D2, the weight proportion of the HTTP and FTP protocol traffic used by the power system in the network flow abnormality degree evaluation coefficient.
In this embodiment, historical network flow anomaly degree parameter data is obtained, the relationship between the number of ports used by the power system and the HTTP protocol flow used by the power system and the relationship between the FTP protocol flow used by the power system and the network flow anomaly degree evaluation coefficient are found out by analyzing the historical network flow anomaly degree parameter data, a fitting curve is obtained by utilizing a multiple linear regression method, a fitting effect of the fitting curve is obtained by analyzing the mean square error of the fitting curve, a fitting curve corresponding to the minimum mean square error is used as a first fitting curve, and a corresponding weight proportion is obtained by the first fitting curve. And bringing the real-time port number used by the power system, the HTTP protocol flow used by the power system and the FTP protocol flow used by the power system into a first fitting curve to obtain the weight proportion corresponding to the port number used by the power system, the HTTP protocol flow used by the power system and the FTP protocol flow used by the power system.
The network traffic abnormality degree parameter data includes a number of power system use ports, a number of power system use ports reference, a power system use Modbus protocol traffic, a power system use DNP3 protocol traffic, a power system use HTTP protocol traffic, and a power system use FTP protocol traffic.
The historical network traffic anomaly degree parameter data includes a historical number of power system usage ports, a reference number of power system usage ports, a Modbus protocol traffic for the power system, a DNP3 protocol traffic for the power system, an HTTP protocol traffic for the power system, and an FTP protocol traffic for the power system.
When an abnormal port is used by the power system, the port may be a listening port of a certain backgate program, an attacker may have successfully installed the backgate program on the system for remote control and data transmission, and unauthorized data transmission may mean that sensitive information is revealed or the system is used as a springboard for further attacks. When an abnormal protocol flow occurs in the power system, for example, when a SCADA (Superv i sory Contro l and Data Acqu i s it i on, supervisory control and data acquisition system) network of the power system is monitored, only the flow of the Modbus (serial communication protocol) or DNP3 (D i str i buted Network Protoco l vers i on, 3 rd edition of distributed network protocol) protocol is generally seen for controlling devices and sensors in the power system. If a large amount of HTTP (Hypertext Transfer Protoco l ) or FTP (F I L E TRANSFER Protoco l, file transfer protocol) protocol traffic is detected, this may be abnormal, and an attacker may be attempting to communicate with a certain component in the system using the HTTP or FTP protocol to perform commands or transfer data, which abnormal protocol traffic may indicate that the attacker is attempting to exploit a known vulnerability or to perform lateral movement. There is a need for monitoring and analyzing the ports and protocol traffic used by the power system.
In the algorithm of this embodiment, the hyperbolic cosine function is used to apply a nonlinear transformation to the network traffic abnormality degree parameter data, so that excessively large or small values in the data are smoothed and a more accurate network traffic abnormality degree evaluation coefficient is obtained.
While the power system is running normally and is not affected from outside, a network scanning tool such as a network scanner or network management software is used to detect which ports of the power system are open on the network, and the open ports are counted to obtain the reference number of ports used by the power system. After the penetration test, the same procedure is repeated to obtain the number of ports used by the power system. A network traffic monitoring tool, such as a network traffic analyzer or a dedicated SCADA network monitoring tool, is then used to capture and analyze network packets and identify Modbus, DNP3, HTTP and FTP traffic, which gives the Modbus, DNP3, HTTP and FTP protocol traffic used by the power system.
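The measurement described above can be sketched as follows. This is an added example, not code from the patent; the function and field names are hypothetical, the port sets and flow records are constructed, and classifying a flow by its default port (502 for Modbus/TCP, 20000 for DNP3, 80 for HTTP, 21 for FTP) is a simplifying assumption.

```python
from collections import defaultdict

# Default ports for the four protocols named in the text. Classifying by
# port alone is an assumption; a real monitor would inspect the payload.
PROTOCOL_BY_PORT = {502: "modbus", 20000: "dnp3", 80: "http", 21: "ftp"}
CONTROL_PROTOCOLS = {"modbus", "dnp3"}  # expected on a SCADA segment

# Constructed sample data: ports open before the test and after it.
BASELINE_OPEN_PORTS = {502, 20000}
OBSERVED_OPEN_PORTS = {502, 20000, 21, 4444}

# Constructed flow records: (source, destination, destination port, bytes).
FLOWS = [
    ("10.0.1.10", "10.0.1.50", 502, 12_000),
    ("10.0.1.10", "10.0.1.51", 502, 9_500),
    ("10.0.1.11", "10.0.1.60", 20000, 7_200),
    ("10.0.1.77", "10.0.1.50", 80, 48_000),
    ("10.0.1.77", "10.0.1.50", 21, 150_000),
    ("10.0.1.77", "10.0.1.50", 4444, 3_000),
]


def collect_traffic_parameters(baseline_ports, observed_ports, flows):
    """Build the network traffic parameter data plus analyst-facing detail."""
    bytes_by_protocol = defaultdict(int)
    non_control_flows = []
    for src, dst, port, nbytes in flows:
        protocol = PROTOCOL_BY_PORT.get(port, "other")
        bytes_by_protocol[protocol] += nbytes
        if protocol not in CONTROL_PROTOCOLS:
            # Anything that is not Modbus or DNP3 is unusual on this segment.
            non_control_flows.append((src, dst, port, protocol, nbytes))

    total = sum(bytes_by_protocol.values())
    control = sum(bytes_by_protocol[p] for p in CONTROL_PROTOCOLS)
    return {
        # The six parameters listed in the text.
        "port_count": len(observed_ports),
        "port_reference_count": len(baseline_ports),
        "modbus_bytes": bytes_by_protocol["modbus"],
        "dnp3_bytes": bytes_by_protocol["dnp3"],
        "http_bytes": bytes_by_protocol["http"],
        "ftp_bytes": bytes_by_protocol["ftp"],
        # Extra detail that helps triage an abnormal result.
        "unexpected_ports": sorted(observed_ports - baseline_ports),
        "closed_ports": sorted(baseline_ports - observed_ports),
        "non_control_share": (total - control) / total if total else 0.0,
        "non_control_flows": non_control_flows,
    }


if __name__ == "__main__":
    params = collect_traffic_parameters(
        BASELINE_OPEN_PORTS, OBSERVED_OPEN_PORTS, FLOWS
    )
    for key, value in params.items():
        print(f"{key}: {value}")
```

The counts feed the evaluation coefficient, while the unexpected port list and the non-control flows tell an analyst where to look when the coefficient crosses the threshold.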
Further, the specific analysis process for analyzing the abnormality degree of the electric power system in the aspect of the network flow according to the network flow abnormality degree evaluation coefficient comprises the steps of obtaining the network flow abnormality degree evaluation coefficient, obtaining a network flow abnormality degree threshold value, comparing the network flow abnormality degree evaluation coefficient with the network flow abnormality degree threshold value, indicating that the electric power system is normal in the aspect of the network flow when the network flow abnormality degree evaluation coefficient is smaller than the network flow abnormality degree threshold value, and indicating that the electric power system is abnormal in the aspect of the network flow when the network flow abnormality degree evaluation coefficient is larger than or equal to the network flow abnormality degree threshold value.
In this embodiment, historical network traffic abnormality degree parameter data is obtained and the historical network traffic abnormality degree evaluation coefficients are calculated from it. The coefficients that indicate the power system was normal in terms of network traffic are sorted from largest to smallest, and the coefficient ranked first is used as the network traffic abnormality degree threshold.
Acquiring a network flow abnormality degree evaluation coefficient, acquiring a network flow abnormality degree threshold value, wherein the network flow abnormality degree threshold value is phi, the value range of phi is [1.65,1.67], comparing the network flow abnormality degree evaluation coefficient with the network flow abnormality degree threshold value, and when the network flow abnormality degree evaluation coefficient is smaller than the network flow abnormality degree threshold value, namelyWhen the network flow abnormality degree evaluation coefficient is greater than or equal to the network flow abnormality degree threshold value, namelyWhen this is the case, the power system is shown to be abnormal in terms of network traffic.
The system file abnormality degree evaluation index is used for representing the abnormality degree of the power system in the aspect of the system file, and the abnormality degree of the power system in the aspect of the system file is analyzed according to the abnormality degree parameter data of the system file.
In this embodiment, when an abnormal file modification or creation occurs in the power system or the system file is damaged, the power system is abnormal in terms of system files, and there may be a risk of information leakage in the power system, so that analysis of the power system in terms of system files is required, and herein, a system file abnormality degree evaluation index is obtained by analyzing the system file abnormality degree parameter data, so that the abnormality degree of the power system in terms of system files is analyzed according to the system file abnormality degree evaluation index, and the analysis of the abnormality degree of the power system in terms of system files is more accurate.
The method for acquiring the system file abnormality degree evaluation index comprises the steps of acquiring the weight proportion of the number of preset storage configuration files and the number of normally accessible storage configuration files from a database, acquiring system file abnormality degree parameter data, constructing a system file abnormality degree evaluation index calculation formula according to the system file abnormality degree parameter data, wherein the specific system file abnormality degree evaluation index calculation formula is as follows:
in the formula,Expressed as a system file abnormality degree evaluation index of the electric power system at the kth0 penetration test,Expressed as the number of stored profiles at time of the kth0 penetration test at the time of the h0 data acquisition,Expressed as the number of stored profile references at the kth0 permeation test,Expressed as the number of normally accessible storage profiles at time of the kth0 penetration test at0 data acquisitions,The reference number of the storage configuration files which can be normally accessed and is expressed as the k0 penetration detection is expressed as W1, the weight proportion of the number of the storage configuration files in the system file abnormality degree assessment index is expressed as W2, and the weight proportion of the number of the storage configuration files which can be normally accessed is expressed as the weight proportion of the number of the storage configuration files in the system file abnormality degree assessment index.
The system file abnormality degree parameter data includes the number of storage configuration files, the number of storage configuration file references, the number of normally accessible storage configuration files, and the number of normally accessible storage configuration file references.
And according to the historical system file abnormality degree parameter data, establishing a mapping relation between the number of storage configuration files and the number of normally accessible storage configuration files and the system file abnormality degree evaluation index to obtain a mapping relation table. And inquiring the mapping relation table according to the real-time storage configuration file quantity and the normally accessible storage configuration file quantity to obtain the weight proportion of the storage configuration file quantity and the normally accessible storage configuration file quantity.
Consider an abnormal file modification or creation in the power system. For example, a server of the power system has a directory dedicated to storing configuration files, and routine monitoring finds a new file in that directory that was created outside maintenance hours. The new file may be a compressed archive created by an attacker to steal configuration information, or a backdoor file for persistent access; if the configuration files contain sensitive information (such as database passwords or system credentials), the file may be used to attack the system further. Furthermore, if the file is malware, it may execute arbitrary code on the system. Abnormal system file corruption may be due to hardware failure, software error, or malicious attack. In a security incident, an attacker may intentionally tamper with or delete key files to damage system files, which may prevent the system from starting normally and affect the stable operation of the power system. Tampering with system files may also result in unauthorized access or malicious code execution.
Before the penetration test is carried out on the power system, the total number of configuration files in the power system's file manager is looked up, which gives the reference number of storage configuration files, and the number of those files that can be read gives the reference number of normally accessible storage configuration files. After the penetration test, the number of storage configuration files of the power system and the number of those files that can be read are looked up again, which gives the number of storage configuration files and the number of normally accessible storage configuration files. In the algorithm of this embodiment, the arctangent function is used to apply a nonlinear transformation to the system file abnormality degree parameter data, so that a more accurate system file abnormality degree evaluation index is obtained and the abnormality degree of the power system in terms of system files can be analyzed accurately.
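The before-and-after count described above, together with the check for files created outside maintenance hours, can be sketched as follows. This is an added example, not code from the patent; the function names, the maintenance window, and the file names and timestamp in the demonstration are assumptions constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

# Assumed maintenance window in UTC hours (start inclusive, end exclusive).
MAINTENANCE_HOURS_UTC = (1, 3)


def snapshot(config_dir):
    """Map each file under config_dir to (modification time, readable)."""
    result = {}
    for root, _dirs, files in os.walk(config_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as handle:
                    handle.read(1)
                readable = True
            except OSError:
                readable = False  # counts as "not normally accessible"
            rel = os.path.relpath(path, config_dir)
            result[rel] = (os.stat(path).st_mtime, readable)
    return result


def in_maintenance_window(mtime, hours=MAINTENANCE_HOURS_UTC):
    hour = datetime.fromtimestamp(mtime, tz=timezone.utc).hour
    return hours[0] <= hour < hours[1]


def compare(baseline, current):
    """Return the four counts from the text plus the files that changed."""
    new_files = sorted(set(current) - set(baseline))
    common = set(baseline) & set(current)
    return {
        "file_reference_count": len(baseline),
        "readable_reference_count": sum(r for _, r in baseline.values()),
        "file_count": len(current),
        "readable_count": sum(r for _, r in current.values()),
        "new_files": new_files,
        "missing_files": sorted(set(baseline) - set(current)),
        "modified_files": sorted(
            f for f in common if current[f][0] != baseline[f][0]
        ),
        "new_outside_maintenance": [
            f for f in new_files if not in_maintenance_window(current[f][0])
        ],
    }


def demo():
    """Constructed scenario: one file removed, one archive added at 14:30 UTC."""
    with tempfile.TemporaryDirectory() as config_dir:
        for name in ("scada.conf", "rtu.conf", "historian.conf"):
            with open(os.path.join(config_dir, name), "w") as handle:
                handle.write("constructed sample\n")
        baseline = snapshot(config_dir)

        os.remove(os.path.join(config_dir, "rtu.conf"))
        archive = os.path.join(config_dir, "configs.tar.gz")
        with open(archive, "wb") as handle:
            handle.write(b"constructed sample")
        stamp = datetime(2024, 1, 15, 14, 30, tzinfo=timezone.utc).timestamp()
        os.utime(archive, (stamp, stamp))

        return compare(baseline, snapshot(config_dir))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed scenario the file count is unchanged at 3 even though one file was removed and another added, which is why the comparison reports file names as well as the counts.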
In a specific embodiment, fig. 2 shows a graph of the system file abnormality degree evaluation index provided by an embodiment of the present application, in which the number of storage configuration files is the independent variable and the system file abnormality degree evaluation index is the dependent variable. For example, for the 1st data acquisition of the 3rd penetration test, analyzing how curve one, curve two and curve three rise and fall shows that the greater the number of storage configuration files, the greater the system file abnormality degree evaluation index, and the smaller the number of storage configuration files, the smaller the index. The statistics of the data related to the system file abnormality degree evaluation index are shown in table 1:
Table 1 system file abnormality degree evaluation index related data statistics table
When the number of the storage configuration files which can be normally accessed is 45, 44 and 43 respectively, and other parameters are consistent, the system file abnormality degree evaluation indexes of the first, second and third curves are 0.79, 0.46 and 0.35 respectively, and when the number of the storage configuration files is consistent with other parameters, the system file abnormality degree evaluation indexes are larger when the number of the storage configuration files which can be normally accessed is larger.
Further, the specific analysis process of the abnormality degree of the power system in the aspect of the system file according to the abnormality degree evaluation index of the system file comprises the steps of obtaining the abnormality degree evaluation index of the system file, obtaining a first threshold value of the abnormality degree of the system file and a second threshold value of the abnormality degree of the system file, comparing the abnormality degree evaluation index of the system file with the first threshold value of the abnormality degree of the system file and the second threshold value of the abnormality degree of the system file, and indicating that the power system is normal in the aspect of the system file when the abnormality degree evaluation index of the system file is larger than the first threshold value of the abnormality degree of the system file and smaller than the second threshold value of the abnormality degree of the system file, and indicating that the power system is abnormal in the aspect of the system file when the abnormality degree evaluation index of the system file is smaller than or equal to the first threshold value of the abnormality degree of the system file or the abnormality degree evaluation index of the abnormality degree of the system file is larger than or equal to the second threshold value of the abnormality degree of the system file.
In this embodiment, historical system file abnormality degree parameter data is obtained, which includes the historical number of storage configuration files and the number of storage configuration files that can be normally accessed. The historical system file abnormality degree evaluation indexes are calculated from this data, the indexes that indicate the power system was normal in terms of system files are extracted and sorted in descending order, and the indexes ranked first and last are used as the first threshold and the second threshold of the system file abnormality degree.
Acquiring a first threshold value of system file abnormality degree and a second threshold value of system file abnormality degree, wherein the first threshold value of system file abnormality degree and the second threshold value of system file abnormality degree are respectively A1 and A2, the value range of A1 is [0.74,0.75], the value range of A2 is [0.80,0.81], and the system file abnormality degree evaluation index is compared with the first threshold value of system file abnormality degree and the second threshold value of system file abnormality degree, when the system file abnormality degree evaluation index is larger than the first threshold value of system file abnormality degree and smaller than the second threshold value of system file abnormality degree, namelyWhen the system file abnormality degree evaluation index is smaller than or equal to a first threshold value of the system file abnormality degree or the system file abnormality degree evaluation index is larger than or equal to a second threshold value of the system file abnormality degree, namelyOr alternativelyWhen this is the case, the power system is shown to be abnormal in terms of system files.
The specific process for analyzing the abnormality degree of the power system in terms of vulnerabilities comprises the steps of obtaining vulnerability security degree parameter data from the penetration test parameter data, normalizing the vulnerability security degree parameter data, and analyzing the normalized data to obtain a vulnerability security degree evaluation index. The vulnerability security degree evaluation index represents the abnormality degree of the power system in terms of vulnerabilities, and that abnormality degree is analyzed according to the index.
In this embodiment, normalizing the vulnerability security degree parameter data keeps its values at the same magnitude and range, so that errors are less likely when the vulnerability security degree evaluation index is calculated and a more accurate index is obtained.
As critical infrastructure, the power system's security vulnerabilities may have a significant impact on national security, the economy and people's daily lives. Common network security vulnerabilities in power systems include the following. Software and system vulnerabilities: many power systems rely on complex software platforms that may contain programming errors or design flaws, which gives hackers an opening. Communication protocol vulnerabilities: communication protocols in power systems may be insufficiently secure and subject to interception, tampering or forgery. Weak physical security: a lack of physical access control over power infrastructure may lead to security breaches, for example unauthorized personnel being able to reach critical devices. The more vulnerabilities a power system has, the more easily it is interfered with from outside.
The method for acquiring the vulnerability safety degree assessment index comprises the steps of acquiring vulnerability safety degree parameter data, acquiring weight ratios of a preset first type of vulnerability quantity, a preset total type of vulnerability quantity and a preset second type of vulnerability quantity from a database, constructing the vulnerability safety degree assessment index according to the vulnerability safety degree parameter data, and calculating the specific vulnerability safety degree assessment index according to the calculation formula:
in the formula,Expressed as an evaluation index of the vulnerability safety degree of the electric power system at the kth0 penetration test,Denoted as the number of first type holes at the time of the kth0 penetration test at the time of0 data acquisition,Expressed as the number of existing holes in the power system at the kth0 penetration test,Expressed as the total number of holes at time of the kth0 penetration test at0 data acquisition,The second type of vulnerability quantity is expressed as k0 times of penetration detection and h0 times of data acquisition, L1 is expressed as a weight proportion of the first type of vulnerability quantity in the vulnerability safety level assessment index, L2 is expressed as a weight proportion of the whole vulnerability quantity in the vulnerability safety level assessment index, and L3 is expressed as a weight proportion of the second type of vulnerability quantity in the vulnerability safety level assessment index.
The vulnerability security degree parameter data comprises a first type vulnerability quantity, an existing vulnerability quantity of the power system, all vulnerability quantities and a second type vulnerability quantity.
According to the historical vulnerability safety degree parameter data, the historical vulnerability safety degree parameter data comprises a first type of historical vulnerability quantity, an existing vulnerability quantity of the power system, all vulnerability quantities and second type of vulnerability quantities, and a mapping relation table is established between the first type of vulnerability quantity, all vulnerability quantities and second type of vulnerability quantities and a vulnerability safety degree evaluation index to obtain the mapping relation table. And inquiring a mapping relation table according to the real-time first type vulnerability quantity, all vulnerability quantities and the second type vulnerability quantity to obtain the weight proportion of the first type vulnerability quantity, all vulnerability quantities and the second type vulnerability quantity.
Before the penetration test is carried out on the power system, a vulnerability scanning tool is used to detect the existing vulnerabilities, and their count gives the number of existing vulnerabilities of the power system. After the penetration test, a vulnerability scanning tool is used to find all vulnerabilities, and their count is the total number of vulnerabilities. The vulnerabilities among them that coincide with the existing vulnerabilities of the power system are counted to give the number of first-type vulnerabilities, and the vulnerabilities successfully attacked during the penetration test are counted to give the number of second-type vulnerabilities.
When, after the penetration test, the total number of vulnerabilities differs too much from the number of existing vulnerabilities of the power system or from the number of second-type vulnerabilities, the power system has a serious problem in terms of vulnerabilities. In the algorithm of this embodiment, the hyperbolic sine function is used to apply a nonlinear transformation to the vulnerability security degree parameter data, which smooths the influence of extreme values in the data and gives a more accurate vulnerability security degree evaluation index.
Further, the specific analysis process for analyzing the abnormality degree of the electric power system in terms of the vulnerability according to the vulnerability safety degree assessment index comprises the steps of obtaining the vulnerability safety degree assessment index, obtaining a first vulnerability safety degree threshold and a second vulnerability safety degree threshold, wherein when the vulnerability safety degree assessment index is larger than the first vulnerability safety degree threshold and smaller than the second vulnerability safety degree threshold, the electric power system is indicated to be normal in terms of the vulnerability, and when the vulnerability safety degree assessment index is in other conditions, the electric power system is indicated to be abnormal in terms of the vulnerability.
In this embodiment, historical vulnerability security degree parameter data is obtained and the historical vulnerability security degree evaluation indexes are calculated from it. The indexes that indicate the power system was normal in terms of vulnerabilities are extracted and sorted in descending order, and the indexes ranked first and last are used as the first threshold and the second threshold of the vulnerability security degree.
Acquiring a vulnerability security degree assessment index, acquiring a first vulnerability security degree threshold and a second vulnerability security degree threshold, and when the vulnerability security degree assessment index is larger than the first vulnerability security degree threshold and smaller than the second vulnerability security degree threshold, namelyIndicating that the power system is functioning normally in terms of vulnerability, when in other situations, i.eOr (b)When the fault occurs, the power system is shown to be abnormal in terms of the fault.
Further, the specific analysis process of analyzing the safety condition of the power system and carrying out early warning reminding comprises the steps of obtaining the safety condition of the power system, indicating that the power system normally operates when one or more conditions of the power system is abnormal in terms of network flow, the power system is abnormal in terms of system files and the power system is abnormal in terms of loopholes in the safety condition of the power system, not carrying out early warning reminding, and indicating that the power system is abnormal when two or more conditions of the power system is abnormal in terms of network flow, the power system is abnormal in terms of system files and the power system is abnormal in terms of loopholes in the safety condition of the power system.
In the embodiment, when one or more conditions of the power system showing abnormality in terms of network flow, the power system showing abnormality in terms of system files and the power system showing abnormality in terms of holes appear in the safety condition of the power system, the power system is possibly affected by the subtle external abnormality, but the work of the power system is not affected, the power system is normally operated, the early warning reminding is not performed, and when two or more conditions of the power system showing abnormality in terms of network flow, the power system showing abnormality in terms of system files and the power system showing abnormality in terms of holes appear in the safety condition of the power system, the power system is possibly affected by the serious external abnormality, the work of the power system is affected, the power system showing abnormality appears, and the early warning reminding is performed.
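The threshold derivation and the final decision described above can be sketched as follows. This is an added example, not code from the patent: the evaluation values are taken as inputs because the formulas do not survive on this page, the history values are constructed (the traffic and file values sit inside the ranges the page gives, the vulnerability values have no counterpart on the page), and the names are hypothetical. Taking the band as (smallest, largest) historical normal value and treating "no alert" as fewer than two abnormal aspects are both assumptions.

```python
# Constructed history of values recorded while the system was judged normal.
HISTORY = {
    "traffic": [1.21, 1.48, 1.66],   # largest lies in the page's [1.65, 1.67]
    "file": [0.745, 0.77, 0.805],    # extremes lie in [0.74, 0.75], [0.80, 0.81]
    "vuln": [0.30, 0.42, 0.55],      # no range is given on the page
}


def traffic_threshold(normal_history):
    """Largest coefficient observed while traffic was judged normal."""
    return max(normal_history)


def band_thresholds(normal_history):
    """(first threshold, second threshold) for the file and vulnerability
    indexes, taken here as the smallest and largest historical normal value."""
    return min(normal_history), max(normal_history)


def traffic_abnormal(coefficient, threshold):
    # Normal only when strictly below the threshold.
    return coefficient >= threshold


def band_abnormal(index, first, second):
    # Normal only when strictly inside the band.
    return not (first < index < second)


def assess(traffic_coefficient, file_index, vuln_index, history=HISTORY):
    phi = traffic_threshold(history["traffic"])
    a1, a2 = band_thresholds(history["file"])
    v1, v2 = band_thresholds(history["vuln"])

    findings = {
        "network_traffic": traffic_abnormal(traffic_coefficient, phi),
        "system_files": band_abnormal(file_index, a1, a2),
        "vulnerabilities": band_abnormal(vuln_index, v1, v2),
    }
    abnormal = [aspect for aspect, flagged in findings.items() if flagged]
    return {
        "thresholds": {"traffic": phi, "file": (a1, a2), "vuln": (v1, v2)},
        "abnormal_aspects": abnormal,
        # Alert when two or more aspects are abnormal.
        "alert": len(abnormal) >= 2,
    }


if __name__ == "__main__":
    # 0.79 and 0.46 are the curve-one and curve-two index values on the page.
    for sample in [(1.40, 0.79, 0.40), (1.70, 0.79, 0.40), (1.70, 0.46, 0.40)]:
        print(sample, assess(*sample))
```

Because the comparisons are strict, a new reading equal to a historical normal extreme is classed as abnormal, so thresholds derived this way flag the very values they were built from.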
The embodiment of the application provides an intelligent penetration detection system for an electric power system, which comprises a penetration test module, a parameter acquisition module, a data processing module and an early warning analysis module, wherein the penetration test module is used for performing penetration test on the electric power system, the parameter acquisition module is used for monitoring and acquiring penetration test parameter data in the penetration test process, the data processing module is used for performing data processing on the penetration test parameter data, and the early warning analysis module is used for analyzing the safety condition of the electric power system and performing early warning reminding according to the penetration test parameter data after the data processing.
In this embodiment, the parameter acquisition module stores the security condition of the power system and the penetration test parameter data. The security condition of the power system comprises the abnormality degree of the power system in terms of network traffic, in terms of system files and in terms of vulnerabilities, and the penetration test parameter data comprises the network traffic abnormality degree parameter data, the system file abnormality degree parameter data and the vulnerability security degree parameter data.
The early warning analysis module analyzes the security condition of the power system according to the processed penetration test parameter data. That is, it analyzes the abnormality degree of the power system in terms of network traffic, system files and vulnerabilities according to the processed network traffic abnormality degree parameter data, system file abnormality degree parameter data and vulnerability security degree parameter data, and on that basis analyzes the security condition of the power system and issues the early warning reminder.
According to the technical scheme provided by the embodiment of the application, the network flow abnormality degree parameter data is obtained according to the penetration test parameter data, and the network flow abnormality degree parameter data is analyzed to obtain the network flow abnormality degree evaluation coefficient, so that the abnormality degree of the electric power system in the aspect of network flow is analyzed according to the network flow abnormality degree evaluation coefficient, and further the abnormality degree of the electric power system in the aspect of network flow is accurately analyzed in detail.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (9)

in the formula,Expressed as a system file abnormality degree evaluation index of the electric power system at the kth0 penetration test,Expressed as the number of stored profiles at time of the kth0 penetration test at the time of the h0 data acquisition,Expressed as the number of stored profile references at the kth0 permeation test,Expressed as the number of normally accessible storage profiles at time of the kth0 penetration test at0 data acquisitions,The reference number of the storage configuration files which can be normally accessed is expressed as the k0 penetration detection, W1 is expressed as the weight proportion of the number of the storage configuration files in the system file abnormality degree evaluation index, and W2 is expressed as the weight proportion of the number of the storage configuration files which can be normally accessed in the system file abnormality degree evaluation index;
in the formula, expressed as the vulnerability safety degree evaluation index of the electric power system at the k0-th penetration test; expressed as the number of first-type vulnerabilities at the h0-th data acquisition of the k0-th penetration test; expressed as the number of existing vulnerabilities in the electric power system at the k0-th penetration test; expressed as the total number of vulnerabilities at the h0-th data acquisition of the k0-th penetration test; expressed as the number of second-type vulnerabilities at the h0-th data acquisition of the k0-th penetration test; L1 is the weight of the number of first-type vulnerabilities in the vulnerability safety degree evaluation index; L2 is the weight of the total number of vulnerabilities in the vulnerability safety degree evaluation index; and L3 is the weight of the number of second-type vulnerabilities in the vulnerability safety degree evaluation index.
in the formula, expressed as the network flow abnormality degree evaluation coefficient of the electric power system at the k0-th penetration test, where k0 = 1, 2, ..., k, k0 is the sequence number of the penetration test and k is the total number of penetration tests; expressed as the number of ports used by the power system at the h0-th data acquisition of the k0-th penetration test, where h0 = 1, 2, ..., h, h0 is the sequence number of the data acquisition and h is the total number of data acquisitions; expressed as the reference number of ports used by the power system at the k0-th penetration test; expressed as the Modbus protocol traffic of the power system at the h0-th data acquisition of the k0-th penetration test; expressed as the DNP3 protocol traffic of the power system at the h0-th data acquisition of the k0-th penetration test; expressed as the HTTP protocol traffic of the power system at the h0-th data acquisition of the k0-th penetration test; expressed as the FTP protocol traffic of the power system at the h0-th data acquisition of the k0-th penetration test; D1 is the weight of the number of ports used by the power system in the network flow abnormality degree evaluation coefficient; and D2 is the weight of the HTTP protocol traffic and the FTP protocol traffic of the power system in the network flow abnormality degree evaluation coefficient.
Priority Applications (1)

| Application Number | Publication | Priority Date | Filing Date | Status | Title |
|---|---|---|---|---|---|
| CN202411304727.9A | CN119293795B (en) | 2024-09-19 | 2024-09-19 | Active | Intelligent penetration detection method and system for electric power system |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN119293795A (en) | 2025-01-10 |
| CN119293795B (en) | 2025-08-08 |

Family ID: 94160388

Country Status (1): CN (1), CN119293795B (en)

Legal Events

| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |
