
CN-121985336-A - Industrial Internet network security risk assessment method and system


Abstract

The invention relates to the technical field of industrial Internet network security risk assessment and discloses an industrial Internet network security risk assessment method and system. By acquiring and converging the physical location information, network connection information and network communication behavior information of a mobile terminal, the method obtains a comprehensive, real-time view of the terminal's network state and behavior characteristics. Based on the converged network information, it identifies potential risk factors of the mobile terminal, simulates the attack path of an attacker using the mobile terminal as a springboard, and quantifies the risk of that attack path. This dynamic, real-time risk assessment mechanism addresses the problems of the prior art, namely that assessment blind spots arise for high-mobility, intermittently connected terminals and that evolving threats cannot be tracked.

Inventors

  • WANG YUFEI
  • XIAO YING
  • Hua Suxing
  • MEI HUABIN
  • YE QIAN

Assignees

  • 无锡职业技术大学

Dates

Publication Date
2026-05-05
Application Date
2026-01-30

Claims (10)

  1. An industrial internet network security risk assessment method, comprising the steps of: acquiring and converging network information of a mobile terminal, wherein the network information comprises physical location information, network connection information and network communication behavior information; based on the converged network information, identifying potential risk factors of the mobile terminal, simulating an attack path of an attacker taking the mobile terminal as a springboard, and carrying out risk quantification on the attack path; and limiting the physical movement or network communication behavior of the mobile terminal according to the risk quantification result, and adjusting network access rules to isolate communication between the mobile terminal and a potential attack target.
  2. The industrial internet network security risk assessment method according to claim 1, wherein identifying the potential risk factors of the mobile terminal and simulating the attack path of an attacker using the mobile terminal as a springboard based on the converged network information comprises: acquiring positioning data, network connection data, network communication behavior data and environment perception data of the mobile terminal; judging, from the environment perception data, whether the mobile terminal is in an electromagnetic interference area; when the mobile terminal is in the electromagnetic interference area, carrying out background-noise calibration of the communication characteristics of the mobile terminal according to an environmental interference characterization rule preset for that area; performing a purpose analysis on the calibrated communication characteristics, the purpose analysis comprising: comparing the communication target with the legal communication target whitelist of the mobile terminal; comparing the communication protocol with the legal protocols for the current task type of the mobile terminal; and associating the communication occurrence time, the physical position of the mobile terminal and the current task state; identifying malicious communication based on the result of the purpose analysis; and deducing an attack path based on the malicious communication.
  3. The industrial internet network security risk assessment method according to claim 2, wherein performing the purpose analysis on the calibrated communication characteristics comprises: acquiring production plan adjustment information, equipment upgrade information and network topology change information; dynamically updating the legal communication target whitelist and the legal protocol set according to the production plan adjustment information, the equipment upgrade information and the network topology change information; comparing the calibrated communication target and communication protocol with the dynamically updated legal communication target whitelist and legal protocol set to obtain a first comparison result; analyzing the calibrated communication frequency and data packet size; and identifying malicious communication according to the first comparison result and the analysis result.
  4. The industrial internet network security risk assessment method according to claim 3, wherein analyzing the calibrated communication frequency and data packet size comprises: acquiring the production task type of the mobile terminal; acquiring running state information of the mobile terminal; acquiring the normal range of the communication frequency according to the production task type and the running state information; acquiring the normal range of the data packet size according to the production task type and the running state information; comparing the calibrated communication frequency with the normal range of the communication frequency to obtain a second comparison result; comparing the calibrated data packet size with the normal range of the data packet size to obtain a third comparison result; and judging abnormal communication according to the second comparison result and the third comparison result.
  5. The industrial internet network security risk assessment method according to claim 4, wherein judging abnormal communication according to the second comparison result and the third comparison result comprises: acquiring the communication frequency comparison result and the data packet size comparison result of the mobile terminal; when the communication frequency comparison result or the data packet size comparison result shows that the communication lies in the edge area of the normal range, marking the communication as edge abnormal communication; acquiring the historical communication behavior record of the mobile terminal; acquiring the sensitivity level of the target equipment of the edge abnormal communication; analyzing the fluctuation trend difference between the edge abnormal communication and the historical communication behavior record; and judging whether the edge abnormal communication is malicious communication according to the fluctuation trend difference and the sensitivity level of the target equipment.
  6. The industrial internet network security risk assessment method according to claim 5, wherein analyzing the fluctuation trend difference between the edge abnormal communication and the fluctuation trend in the historical communication behavior record comprises: acquiring the current production task type of the mobile terminal and its real-time communication frequency and data packet size in the current running state; acquiring group behavior data of the communication frequency and data packet size of other similar mobile terminals under the same production task type and running state; and comparing the real-time communication frequency and data packet size with the group behavior data to identify the fluctuation trend of the edge abnormal communication and the fluctuation trend difference.
  7. The method according to claim 6, wherein comparing the real-time communication frequency and data packet size with the group behavior data comprises: identifying an association pattern between communication frequency and data packet size in the group behavior data; and comparing the association patterns to identify the fluctuation trend of the edge abnormal communication and the fluctuation trend difference.
  8. The industrial internet network security risk assessment method according to claim 7, wherein identifying the association pattern between communication frequency and data packet size in the group behavior data comprises: carrying out time-series decomposition of the communication frequency sequence and the data packet size sequence in the group behavior data, separating out a trend component, a periodic component and a residual component; carrying out pattern matching on the trend component and the periodic component to identify a plurality of potential association patterns; evaluating the fitting degree of the plurality of potential association patterns according to the residual component; and selecting the association pattern whose fitting degree exceeds a preset threshold as the association pattern between communication frequency and data packet size.
  9. The industrial internet network security risk assessment method according to claim 8, wherein evaluating the fitting degree of the plurality of potential association patterns according to the magnitude of the residual component comprises: acquiring the current production task type and the running state information of the mobile terminal; acquiring the normal fluctuation range and the evaluation sensitivity of the residual component according to the production task type and the running state information; calculating fitting scores for the plurality of potential association patterns based on the normal fluctuation range of the residual component and the evaluation sensitivity; and evaluating the fitting degree of the plurality of potential association patterns according to the fitting scores.
  10. An industrial internet network security risk assessment system, comprising: a detection end, used for acquiring and converging network information of a mobile terminal, wherein the network information comprises physical location information, network connection information and network communication behavior information; a simulation end, used for identifying potential risk factors of the mobile terminal based on the converged network information, simulating an attack path of an attacker taking the mobile terminal as a springboard, and carrying out risk quantification on the attack path; and an adjustment end, used for limiting the physical movement or network communication behavior of the mobile terminal according to the risk quantification result and adjusting the network access rules so as to isolate communication between the mobile terminal and the potential attack target.
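Claims 1 to 6 and 10 describe one procedure: check each flow's target and protocol against the whitelist and legal protocol set for the terminal's current task (claims 2-3), check its frequency and packet size against task-specific normal ranges (claim 4), escalate flows that sit in the edge area of a range using their deviation from the peer group and the sensitivity of the target (claims 5-6), then enumerate attack paths from the terminal and turn the high-risk ones into isolation rules (claims 1 and 10). The Python below is an added example showing that flow end to end; it is not the patent's own implementation. The policy tables, host reachability map, sensitivity levels, peer-group data, edge-band width and the cumulative-sensitivity path score are all hypothetical, and the background-noise calibration of claim 2 and the time-series decomposition of claims 8-9 are left out.

```python
from dataclasses import dataclass
import statistics

# Constructed policy (hypothetical): per production-task type, the legal communication
# target whitelist, the legal protocol set, and the normal range of communication
# frequency (messages/min) and packet size (bytes).
POLICY = {
    "transport": {"targets": {"fleet-mgr", "wms"}, "protocols": {"mqtt", "https"},
                  "freq": (5.0, 60.0), "size": (64.0, 1500.0)},
    "charging":  {"targets": {"fleet-mgr"}, "protocols": {"mqtt"},
                  "freq": (1.0, 10.0), "size": (64.0, 512.0)},
}
# Constructed sensitivity level of candidate targets and the hosts each node can reach
# under the current access rules; both are used to deduce and score attack paths.
SENSITIVITY = {"fleet-mgr": 2, "wms": 3, "hmi-01": 3, "cnc-01": 4, "plc-line1": 5}
REACH = {"amr-07": ["fleet-mgr", "hmi-01"], "fleet-mgr": ["wms"],
         "hmi-01": ["plc-line1", "cnc-01"], "wms": [], "cnc-01": [], "plc-line1": []}
# Constructed group behaviour of peer AMRs running the "transport" task.
PEER_FREQS = [20.0, 22.0, 19.0, 21.0]
PEER_SIZES = [280.0, 310.0, 295.0, 305.0]
EDGE_FRACTION = 0.1   # share of the normal range at each end treated as its "edge area"


@dataclass
class Flow:
    terminal: str
    task: str
    target: str
    protocol: str
    freq: float   # messages per minute (assumed already background-noise calibrated)
    size: float   # mean packet size in bytes (assumed already calibrated)


def classify_value(x, lo, hi):
    """'abnormal' outside [lo, hi]; 'edge' inside but within EDGE_FRACTION of a bound; else 'normal'."""
    if x < lo or x > hi:
        return "abnormal"
    band = (hi - lo) * EDGE_FRACTION
    return "edge" if (x < lo + band or x > hi - band) else "normal"


def peer_deviation(value, peers):
    """Distance of a value from the peer group, in peer standard deviations."""
    sd = statistics.pstdev(peers) or 1.0
    return abs(value - statistics.fmean(peers)) / sd


def analyse_flow(flow, peer_freqs=PEER_FREQS, peer_sizes=PEER_SIZES, dev_limit=2.0, sens_limit=3):
    """Whitelist/protocol check, range check, then edge escalation by peer deviation and
    target sensitivity. Returns (verdict, reasons); verdict is normal/edge/abnormal/malicious."""
    pol = POLICY[flow.task]
    reasons = []
    if flow.target not in pol["targets"]:
        reasons.append("target not in whitelist")
    if flow.protocol not in pol["protocols"]:
        reasons.append("protocol not legal for task")
    if reasons:                                   # first comparison result
        return "malicious", reasons
    f = classify_value(flow.freq, *pol["freq"])   # second comparison result
    s = classify_value(flow.size, *pol["size"])   # third comparison result
    if "abnormal" in (f, s):
        return "abnormal", [f"frequency {f}", f"size {s}"]
    if "edge" in (f, s):                          # edge abnormal communication
        dev = max(peer_deviation(flow.freq, peer_freqs), peer_deviation(flow.size, peer_sizes))
        sens = SENSITIVITY.get(flow.target, 1)
        if dev > dev_limit and sens >= sens_limit:
            return "malicious", [f"edge flow {dev:.1f} sd from peers", f"target sensitivity {sens}"]
        return "edge", [f"edge flow {dev:.1f} sd from peers, target sensitivity {sens}"]
    return "normal", []


def attack_paths(src):
    """Every simple path from the terminal through REACH, scored by the cumulative
    sensitivity of the hosts it touches (toy quantification, not the patent's formula)."""
    found = []

    def walk(node, path):
        for nxt in REACH.get(node, []):
            if nxt in path:
                continue
            p = path + [nxt]
            found.append((p, sum(SENSITIVITY.get(n, 0) for n in p[1:])))
            walk(nxt, p)

    walk(src, [src])
    return sorted(found, key=lambda t: (-t[1], len(t[0])))


def isolation_rules(src, verdict, threshold=5):
    """Deny rules cutting the terminal off from the end host of every path whose risk
    reaches the threshold, applied once the flow verdict is abnormal or malicious."""
    if verdict not in ("abnormal", "malicious"):
        return []
    deny = {path[-1] for path, risk in attack_paths(src) if risk >= threshold}
    return [f"deny {src} -> {t}" for t in sorted(deny)]


if __name__ == "__main__":
    flow = Flow("amr-07", "transport", "plc-line1", "modbus", 20.0, 300.0)
    verdict, why = analyse_flow(flow)
    print(verdict, why)
    for path, risk in attack_paths("amr-07"):
        print(risk, " -> ".join(path))
    print(isolation_rules("amr-07", verdict))
```

The sensitivity gate in `analyse_flow` is the part worth noting: a flow at the top edge of its frequency range that deviates far from its peers stays merely "edge" when it talks to a low-sensitivity host such as the fleet manager, but becomes "malicious" when the same deviation targets the WMS. The deny list covers hosts the terminal cannot reach directly (the PLC behind the HMI) as well, because the path score, not the first hop, decides what is isolated.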

Description

Industrial Internet network security risk assessment method and system

Technical Field

The invention relates to the technical field of industrial Internet network security risk assessment, in particular to an industrial Internet network security risk assessment method and system.

Background

In modern industrial environments, the security of the industrial internet network is critical to the sustainability of production and the integrity of data. Conventional cyber-security risk assessment methods typically rely on periodic scanning and static analysis, which is effective where the network structure is relatively fixed. However, with the introduction of high-mobility, intermittently connected terminals such as Autonomous Mobile Robots (AMR), the conventional method faces significant limitations. The constantly changing state of these mobile terminals introduces complexity that static evaluation cannot resolve: it may leave assessment blind spots and cannot track evolving threats.

In a large-scale discrete manufacturing factory, the factory deploys an industrial internet system to improve production efficiency, connecting PLCs, numerically controlled machine tools, industrial robots and various sensors over industrial Ethernet. The factory's network security team adopts a conventional network security risk assessment method: it periodically performs port scanning, service identification and vulnerability matching on all online devices in the network, reviews network device configuration, and reviews the access control lists. This snapshot-based periodic assessment can effectively discover and handle most static security problems as long as the factory network structure is relatively fixed.
However, once the factory introduces an internal logistics fleet of dozens of Autonomous Mobile Robots (AMR) that use industrial-grade wireless networks for communication and task scheduling, the network topology becomes highly variable and complex in real time. Each AMR moves continuously through the factory, automatically switches between wireless access points, and is not continuously online. This real-time variability and intermittency challenges the original periodic scanning assessment: some AMRs may be offline during the scanning window because they are charging or in a signal dead zone, so the scanner cannot find them and an assessment blind spot forms. Further, the AMRs are supplied by third-party vendors, who require a dedicated remote access channel through the factory firewall for remote fault diagnosis and software upgrades. This channel lets a vendor engineer connect over VPN directly to the AMR management server inside the factory and from there to every AMR, which introduces a new, externally controlled entry point. Conventional risk assessment methods may identify the open VPN port, but cannot continuously monitor the traffic content and behavior passing through the channel, nor assess whether the vendor staff's operations are compliant or malicious. In view of the above, there is a need in the art for improvements.

Disclosure of Invention

The invention provides an industrial Internet network security risk assessment method and system, and aims to solve the technical problems that an assessment blind spot exists, evolving threats cannot be tracked, and external access channels are difficult to monitor continuously when existing industrial Internet network security risk assessment methods face high-mobility, intermittently connected terminals such as an AMR.
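The scan-window blind spot described in the background can be measured directly by joining the WLAN association log against the scanner's run windows, and the same data gives the earliest slot at which the missed terminals could be rescanned together. The Python below is an added example, not part of the patent or its description; the terminal online intervals, scan windows and the five-minute minimum overlap are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical): intervals during which each AMR was associated to
# the factory WLAN on one shift, and the windows in which the periodic scanner ran.
ONLINE = {
    "amr-01": [("2026-01-30T08:00", "2026-01-30T11:30"), ("2026-01-30T12:30", "2026-01-30T17:00")],
    # amr-02 docks to charge twice, 09:40-10:20 and 11:40-12:20, right under both scans
    "amr-02": [("2026-01-30T08:00", "2026-01-30T09:40"), ("2026-01-30T10:20", "2026-01-30T11:40"),
               ("2026-01-30T12:20", "2026-01-30T17:00")],
    # amr-03 works in a wireless dead zone all morning
    "amr-03": [("2026-01-30T13:00", "2026-01-30T17:00")],
}
SCAN_WINDOWS = [("2026-01-30T09:45", "2026-01-30T10:15"), ("2026-01-30T11:45", "2026-01-30T12:15")]


def _iv(pair):
    """Turn a pair of ISO-8601 strings into a (start, end) pair of datetimes."""
    return datetime.fromisoformat(pair[0]), datetime.fromisoformat(pair[1])


def overlap(a, b):
    """Length of the intersection of two (start, end) intervals, zero if they are disjoint."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(timedelta(0), end - start)


def scan_coverage(online, scans, min_overlap=timedelta(minutes=5)):
    """Map each terminal to True if some scan window overlapped its online time by at
    least min_overlap (the time a port scan needs to actually reach the host)."""
    windows = [_iv(w) for w in scans]
    covered = {}
    for terminal, intervals in online.items():
        best = timedelta(0)
        for iv in intervals:
            for w in windows:
                best = max(best, overlap(_iv(iv), w))
        covered[terminal] = best >= min_overlap
    return covered


def blind_spots(online, scans, **kw):
    """Terminals that no scan window could have seen: the assessment blind area."""
    return sorted(t for t, ok in scan_coverage(online, scans, **kw).items() if not ok)


def next_window(online, terminals, length=timedelta(minutes=30)):
    """Earliest start at which every listed terminal is online for the whole scan length,
    so a targeted rescan can close the blind spot; None if no such slot exists."""
    starts = sorted({_iv(iv)[0] for t in terminals for iv in online[t]})
    for start in starts:
        end = start + length
        if all(any(s <= start and end <= e for s, e in map(_iv, online[t])) for t in terminals):
            return start.isoformat(timespec="minutes")
    return None


if __name__ == "__main__":
    missed = blind_spots(ONLINE, SCAN_WINDOWS)
    print("not reached by any scan:", missed)
    print("earliest slot to rescan them together:", next_window(ONLINE, missed))
```

Both scans in the sample land inside amr-02's charging gaps and before amr-03 leaves its dead zone, so two of the three robots never appear in the snapshot even though the scanner ran twice; the check reports them and proposes 13:00 as the first slot where both are reachable.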
To solve the above technical problems, the present invention provides a method for assessing industrial internet network security risk, including: acquiring and converging network information of a mobile terminal, wherein the network information comprises physical location information, network connection information and network communication behavior information; based on the converged network information, identifying potential risk factors of the mobile terminal, simulating an attack path of an attacker taking the mobile terminal as a springboard, and carrying out risk quantification on the attack path; and limiting the physical movement or network communication behavior of the mobile terminal according to the risk quantification result, and adjusting network access rules to isolate communication between the mobile terminal and a potential attack target. Preferably, identifying the potential risk factors of the mobile terminal based on the converged network information and simulating an attack path of an attacker using the mobile terminal as a springboard includes: acquiring positioning data, network connection data, network communication behavior data and environment perception data of the mobile terminal; judging whether the