CN-122001625-A - Method, system, device and medium for integrated securing of a fileless-attack evidence chain for power edge devices
Abstract
The invention discloses a method, system, device and medium for integrated securing of the fileless-attack evidence chain of power edge devices. The method comprises: acquiring pointer-jump events in the memory of the power edge device, fusing them with the physical topology information of the power edge device in the power network, and performing risk assessment and threat-diffusion path modeling on the power edge device nodes to obtain a risk propagation model; monitoring the pointer-jump events with a bimodal real-time trigger mechanism based on the risk propagation model to obtain a lossless memory snapshot; processing the forensic data in the lossless memory snapshot with a data purification and adaptation mechanism to obtain first forensic data; performing feature extraction on the first forensic data to obtain a multidimensional evidence chain; and storing the multidimensional evidence chain. This realizes integrated securing of the fileless-attack evidence chain of power edge devices and effectively improves evidence-securing efficiency in fileless-attack scenarios.
Inventors
- Liang Biao
- Zeng Hushuang
- Wu Mingzhan
- Liang Zhongfeng
- Xie Ming
- Zeng Mingfei
- Meng Liang
- Chen Yongming
- Lin Kongsheng
- Chen Lina
- Zhao Wanling
Assignees
- 广西电网有限责任公司 (Guangxi Power Grid Co., Ltd.)
Dates
- Publication Date: 2026-05-08
- Application Date: 2026-01-09
Claims (10)
- 1. A method for integrated securing of a fileless-attack evidence chain for power edge devices, characterized by comprising the following steps: acquiring pointer-jump events in the memory of the power edge device, fusing them with the physical topology information of the power edge device in the power network, and performing risk assessment and threat-diffusion path modeling on the power edge device nodes to obtain a risk propagation model; based on the risk propagation model, monitoring the pointer-jump events with a bimodal real-time trigger mechanism to obtain a lossless memory snapshot; based on the lossless memory snapshot, processing the forensic data in the snapshot with a data purification and adaptation mechanism to obtain first forensic data; and performing feature extraction on the first forensic data to obtain a multidimensional evidence chain, and storing the multidimensional evidence chain, thereby realizing integrated securing of the fileless-attack evidence chain of the power edge device.
- 2. The method for integrated securing of a fileless-attack evidence chain for power edge devices according to claim 1, wherein constructing the risk propagation model comprises: according to the pointer-jump events and the physical topology information, taking each power edge device as a network node and defining triplet data for the network node; constructing connection edges between network nodes according to the communication and interaction relations among the power edge devices, and calculating edge weights based on a topology level coefficient and a time attenuation factor; and, based on the triplet data and the edge weights in combination with the device risk level, active time and topology level, evaluating the importance of each network node in threat propagation with a first evaluation algorithm to obtain the risk propagation model.
- 3. The method for integrated securing of a fileless-attack evidence chain for power edge devices according to claim 2, wherein monitoring the pointer-jump events comprises: within a preset time window, performing frequency statistics on a preset type of sensitive operation sequence, calculating a behavior density, and performing a first judgment on the behavior density; analyzing the logical rationality of the pointer jumps to obtain a semantic consistency quantization index, and performing a second judgment on the semantic consistency quantization index; and triggering capture of the lossless memory snapshot when the first judgment and the second judgment are satisfied simultaneously.
- 4. The method for integrated securing of a fileless-attack evidence chain for power edge devices according to claim 3, wherein the data processing of the forensic data in the lossless memory snapshot comprises: performing power-frequency harmonic elimination on the forensic data with a first signal decomposition method to obtain filtered forensic data; correcting the physical address resolution deviation of the filtered forensic data through a preset address translation compensation mechanism to obtain corrected forensic data; and compressing and storing the corrected forensic data with a first compression algorithm to obtain the first forensic data.
- 5. The method for integrated securing of a fileless-attack evidence chain for power edge devices according to claim 4, wherein the features extracted from the first forensic data comprise process features, network features and memory features; the process features comprise extracting time-frequency domain features of the process derivation chain and calculating the energy distribution based on process creation and exit timestamps; the network features comprise calculating the protocol entropy distribution of network connections and judging abnormal network behavior based on an entropy threshold; the memory features comprise performing hash computation on memory-resident code segments, generating a unique memory fingerprint and recording the hash value; and the process features, network features and memory features are associated and integrated to form the multidimensional evidence chain.
- 6. The method for integrated securing of a fileless-attack evidence chain for power edge devices according to claim 5, wherein storing the multidimensional evidence chain comprises: performing differentiated storage according to device type with a topology-aware sharding strategy; for protection devices, determining the shard position based on the hash of the device fingerprint and the timestamp; and for common devices, determining the shard position based on a linear division of the timestamp.
- 7. The method for integrated securing of a fileless-attack evidence chain for power edge devices according to claim 2 or 6, further comprising: according to the evaluation result of the risk propagation model, blocking the external communication of the malicious process in real time through a kernel-level network hook mechanism; generating a judicial evidence packet according to a preset standard, the evidence packet comprising the process chain, session fingerprints and an attack-path topology graph; and when the number of consecutive losses of the service heartbeat packet is detected to exceed a threshold, starting a circuit-breaker protection mechanism and switching to a backup communication channel.
- 8. A system for integrated securing of a fileless-attack evidence chain for power edge devices, applied to the method for integrated securing of a fileless-attack evidence chain for power edge devices according to any one of claims 1 to 7, characterized by comprising: a modeling module for acquiring pointer-jump events in the memory of the power edge device, fusing them with the physical topology information of the power edge device in the power network, and performing risk assessment and threat-diffusion path modeling on the power edge device nodes to obtain a risk propagation model; a detection module for monitoring the pointer-jump events with a bimodal real-time trigger mechanism based on the risk propagation model to obtain a lossless memory snapshot; a data processing module for processing the forensic data in the lossless memory snapshot with a data purification and adaptation mechanism, based on the lossless memory snapshot, to obtain first forensic data; and a storage module for performing feature extraction on the first forensic data to obtain a multidimensional evidence chain and storing the multidimensional evidence chain, thereby realizing integrated securing of the fileless-attack evidence chain of the power edge device.
- 9. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor, when executing the computer program, implements the steps of the method for integrated securing of a fileless-attack evidence chain for power edge devices according to any one of claims 1 to 7.
- 10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the method for integrated securing of a fileless-attack evidence chain for power edge devices according to any one of claims 1 to 7.
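The bimodal trigger of claim 3 (a behavior-density judgment and a semantic-consistency judgment that must both fire before a snapshot is taken), as an added illustration that is not the patent's own code. The operation names, the memory-region labels, the thresholds and the event streams are all constructed for the example.

```python
"""Bimodal snapshot trigger of claim 3, as an added illustration (not the
patent's code). Event fields, thresholds and sample data are all constructed."""

# Constructed operation names treated as the "preset type" of sensitive operation.
SENSITIVE_OPS = {"mprotect_rwx", "remote_thread", "reflective_load", "ptrace_write"}
WINDOW_S = 2.0                # preset time window (seconds)
DENSITY_THRESHOLD = 3.0       # first judgment: sensitive ops per second
CONSISTENCY_THRESHOLD = 0.5   # second judgment: min. share of jumps into code regions

def _in_window(events, now, window):
    return [e for e in events if now - window < e["ts"] <= now]

def behavior_density(events, now, window=WINDOW_S):
    """First judgment input: frequency of sensitive operations in the trailing window."""
    hits = sum(1 for e in _in_window(events, now, window) if e["op"] in SENSITIVE_OPS)
    return hits / window

def semantic_consistency(events, now, window=WINDOW_S):
    """Second judgment input: share of pointer jumps landing in a mapped executable
    region. 1.0 means every jump target was legitimate code; lower is less consistent."""
    recent = _in_window(events, now, window)
    if not recent:
        return 1.0
    return sum(1 for e in recent if e["region"] == "exec") / len(recent)

def should_snapshot(events, now):
    """Capture the lossless memory snapshot only when BOTH judgments fire (claim 3):
    a burst of sensitive operations alone (e.g. a JIT warming up) is not enough, nor
    are a few odd jump targets without the burst."""
    dense = behavior_density(events, now) >= DENSITY_THRESHOLD
    inconsistent = semantic_consistency(events, now) < CONSISTENCY_THRESHOLD
    return dense and inconsistent

# Constructed pointer-jump event streams: (ts seconds, operation, target memory region).
BENIGN = [{"ts": 10.0 + 0.1 * i, "op": "call", "region": "exec"} for i in range(10)]
BENIGN.append({"ts": 11.5, "op": "mprotect_rwx", "region": "exec"})   # one isolated op
BURST_OPS = ["reflective_load", "mprotect_rwx", "remote_thread", "ptrace_write",
             "reflective_load", "mprotect_rwx", "remote_thread"]
JIT_LIKE = [{"ts": 20.0 + 0.25 * i, "op": op, "region": "exec"} for i, op in enumerate(BURST_OPS)]
SUSPECT = [{"ts": 20.0 + 0.25 * i, "op": op, "region": "heap"} for i, op in enumerate(BURST_OPS)]

if __name__ == "__main__":
    for name, stream, now in (("benign", BENIGN, 11.6), ("jit_like", JIT_LIKE, 21.6),
                              ("suspect", SUSPECT, 21.6)):
        print(name, behavior_density(stream, now), semantic_consistency(stream, now),
              should_snapshot(stream, now))
```

The JIT_LIKE stream shows why the trigger is bimodal: it is just as dense as SUSPECT but every jump lands in executable memory, so no snapshot is taken.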
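The network and memory features of claim 5 (protocol entropy against a threshold, and a hash fingerprint of memory-resident code) together with the topology-aware shard placement of claim 6, as an added illustration that is not the patent's own code. The entropy threshold, shard count, slice width, protocol labels and code bytes are constructed; SHA-256 is used as the unspecified hash.

```python
"""Network and memory features of claim 5 and topology-aware shard placement of
claim 6, as an added illustration (not the patent's code). Thresholds, shard count,
protocol labels and code bytes are constructed."""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 1.5   # bits; constructed cut-off between normal and abnormal mix
SHARD_COUNT = 8
SLICE_SECONDS = 3600      # width of one time slice for common devices

def protocol_entropy(connections):
    """Shannon entropy (bits) of the protocol distribution over a device's connections."""
    counts = Counter(c["proto"] for c in connections)
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values())

def network_abnormal(connections, threshold=ENTROPY_THRESHOLD):
    """Claim 5: a device that normally speaks one or two control protocols has low
    entropy; a sudden spread of protocols pushes it over the threshold."""
    return protocol_entropy(connections) > threshold

def memory_fingerprint(code_segment):
    """Claim 5: hash of a memory-resident code segment, recorded as its fingerprint."""
    return hashlib.sha256(code_segment).hexdigest()

def shard_for(device_type, fingerprint, ts, epoch=0):
    """Claim 6: protection devices are placed by hash(fingerprint, timestamp) so their
    records spread evenly; common devices by linear division of the timestamp."""
    if device_type == "protection":
        digest = hashlib.sha256(f"{fingerprint}:{ts}".encode()).digest()
        return int.from_bytes(digest[:8], "big") % SHARD_COUNT
    return ((ts - epoch) // SLICE_SECONDS) % SHARD_COUNT

def build_chain_record(device_id, device_type, connections, code_segment, ts):
    """Associate the network and memory features into one evidence-chain record."""
    fp = memory_fingerprint(code_segment)
    return {"device": device_id, "ts": ts,
            "protocol_entropy": round(protocol_entropy(connections), 3),
            "network_abnormal": network_abnormal(connections),
            "memory_fingerprint": fp,
            "shard": shard_for(device_type, fp, ts)}

# Constructed samples: a device on its usual two protocols, and one that has fanned out.
NORMAL_CONNS = [{"proto": "iec104"}] * 6 + [{"proto": "mms"}] * 2
ODD_CONNS = [{"proto": p} for p in ("iec104", "http", "dns", "ssh", "smb", "tls", "mms", "ftp")]
CODE_SEGMENT = b"\x55\x48\x89\xe5" * 16   # constructed stand-in for resident code bytes

if __name__ == "__main__":
    print(build_chain_record("relay-07", "protection", ODD_CONNS, CODE_SEGMENT, 7200))
    print(build_chain_record("meter-12", "common", NORMAL_CONNS, CODE_SEGMENT, 7200))
```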
Description
Technical Field
The invention relates to the technical field of network security, in particular to a method, system, device and medium for integrated securing of a fileless-attack evidence chain for power edge devices.
Background
Under the current trend of intelligent transformation of the power system, edge devices serve as key nodes for interaction between the power system and its users and face increasingly complex and serious network attack threats. Traditional security protection schemes based on the x86 architecture have a number of obvious defects. In terms of the forensic mechanism, the traditional scheme relies on post-hoc log feedback analysis: when an attack occurs, the device log data must be returned to the analysis center for processing, which can result in a response delay of more than 5 minutes. However, according to the relevant regulations, the interruption time of critical operations must not exceed 100 milliseconds, so the long response delay of the conventional scheme cannot meet this mandatory requirement; the power system therefore has difficulty responding in time when attacked, and the system security risk increases. With the advance of domestic substitution, autonomous CPU platforms are gradually being applied in power systems. However, owing to the lack of dedicated memory analysis algorithms, the false alarm rate of traditional security protection schemes on domestic platforms is high. The large number of false alarms not only interferes with the judgment of security personnel but also consumes a large amount of manpower and time on invalid investigations, seriously affecting the efficiency and accuracy of security protection.
The power industrial control environment is unique in that 50Hz electromagnetic harmonic interference is present. The prior art lacks effective means of suppressing such interference, so the signal-to-noise ratio remains below 10dB over long periods. In such a low signal-to-noise environment, key attack features are easily submerged in noise, making it difficult for the security protection system to detect attack behavior accurately and to find potential security threats in time. In addition, in the traditional scheme, process, network and file data are stored in a scattered manner and an effective association and integration mechanism is lacking, so a complete evidence chain is difficult to construct and the reconstruction of attack events is incomplete. Security personnel therefore cannot fully and accurately understand the attack process and find it difficult to formulate targeted defenses and response strategies. Against this background, the development of a novel forensic technology with real-time response capability, full adaptation to domestic platforms and resistance to power-frequency interference is urgent, and is of great significance for guaranteeing the safe and stable operation of the smart grid.
Disclosure of Invention
In view of the existing problems, the invention provides a method, system, device and medium for integrated securing of a fileless-attack evidence chain for power edge devices.
The invention provides a method, system, device and medium for integrated securing of a fileless-attack evidence chain for power edge devices, which solve the following problems of the traditional technical scheme: process, network and file data are stored in a scattered manner, an effective association and integration mechanism is lacking, a complete evidence chain is difficult to construct, the reconstruction of attack events is incomplete, security personnel cannot comprehensively and accurately understand the attack process, and targeted defenses and response strategies are difficult to formulate. In order to solve the above technical problems, the invention provides the following technical scheme. In a first aspect, the invention provides a method for integrated securing of a fileless-attack evidence chain for power edge devices, comprising the following steps: acquiring pointer-jump events in the memory of the power edge device, fusing them with the physical topology information of the power edge device in the power network, and performing risk assessment and threat-diffusion path modeling on the power edge device nodes to obtain a risk propagation model; based on the risk propagation model, monitoring the pointer-jump events with a bimodal real-time trigger mechanism to obtain a lossless memory snapshot; based on the lossless memory snapshot, processing the forensic data in the snapshot with a data purification and adaptation mechanism t