
CN-122027218-A - Industrial cloud edge end cooperative security situation sensing method and device

CN122027218A

Abstract

The application discloses an industrial cloud-edge-end cooperative security situation sensing method and device in the technical field of the industrial Internet and information security. The method comprises: obtaining equipment-level security events through anomaly detection and whitelist verification of the original security data reported by terminal equipment; aggregating those events at the edge side with a lightweight rule base to generate an edge-domain-level local security situation; fusing the situations of multiple edge domains in the cloud and performing global correlation reasoning with a knowledge graph and a graph neural network to form a system-level security situation; and finally generating hierarchical early warnings and response strategies from the global situation, with feedback-driven dynamic optimization of the rule base and the knowledge graph. The method achieves efficient cooperative processing and intelligent analysis of industrial security data across end, edge and cloud, and improves the timeliness, accuracy and response capability of threat perception in large-scale industrial systems.

Inventors

  • ZHANG RENZHENG
  • PENG ZHENLIN
  • LI HAITAO
  • ZHU XUDONG
  • CHEN ZHE
  • WU ZHANHAO
  • XIAO JIANFENG

Assignees

  • 中广核智能科技(深圳)有限责任公司

Dates

Publication Date
2026-05-12
Application Date
2026-01-06

Claims (10)

  1. An industrial cloud-edge-end cooperative security situation sensing method, characterized by comprising the following steps: obtaining preliminarily filtered equipment-level security events from the original security data reported by industrial field terminal equipment; performing event aggregation on the equipment-level security events through a lightweight association analysis rule base deployed at an edge computing node, to obtain an edge-domain-level local security situation; performing global association reasoning on the edge-domain-level local security situations of a plurality of edge domains using a cloud knowledge graph, to obtain an industrial-system global security situation; and generating hierarchical security early-warning information and response strategies according to the industrial-system global security situation.
  2. The method of claim 1, wherein obtaining the preliminarily filtered equipment-level security events from the original security data reported by the industrial field terminal equipment comprises: extracting equipment state parameters and network traffic from the original data reported by the industrial field terminal equipment, and determining abnormal data points in the equipment state parameters and the network traffic according to a data credibility scoring factor; checking the validity of the abnormal data points against a device behaviour whitelist to obtain effective abnormal events; and determining the event type, trigger timestamp and equipment identifier of each effective abnormal event, and packaging the event type, trigger timestamp and equipment identifier into a preliminarily filtered equipment-level security event.
  3. The method of claim 2, wherein the step of extracting the equipment state parameters and the network traffic from the original data reported by the industrial field terminal equipment, and determining the abnormal data points in them according to the data credibility scoring factor, further comprises: extracting the device certificate of the industrial field terminal device and the digital signature carried in the reported original data, and authenticating the industrial field terminal device based on the device certificate and the digital signature; when authentication passes, performing pattern verification of the original data against a behaviour baseline model fitted to the historical data of the industrial field terminal equipment, to obtain a data credibility score; and deriving the data credibility scoring factor from the data credibility score.
  4. The method of claim 1, wherein obtaining the edge-domain-level local security situation from the equipment-level security events by event aggregation through the lightweight association analysis rule base deployed at the edge computing node comprises: performing pattern matching on a plurality of equipment-level security events with spatio-temporal relevance in the same period, based on attack scene feature sequences preset in the lightweight association analysis rule base deployed at the edge computing node, to obtain potential attack chain fragments; determining the threat levels of the potential attack chain fragments and the importance weights of the equipment assets involved, and performing a weighted fusion calculation of the threat levels and the asset importance weights to obtain a comprehensive threat index for the edge domain; and generating, from the comprehensive threat index and the integrity evaluation result of the potential attack chain fragments, an edge-domain-level local security situation that describes the overall security condition of the edge domain.
  5. The method of claim 4, wherein performing pattern matching on the plurality of equipment-level security events with spatio-temporal relevance in the same period, based on the attack scene feature sequences preset in the lightweight association analysis rule base deployed at the edge computing node, to obtain the potential attack chain fragments comprises: constructing a temporal correlation event window according to the occurrence time and physical position information of the equipment-level security events; querying the lightweight association analysis rule base deployed at the edge computing node for rule templates containing multi-step attack sequence features; determining the attack scene feature sequence of each such rule template, and performing sliding-window matching against the temporal correlation event window for the same period based on that attack scene feature sequence, to obtain the number of matched attack steps and the sequence conformity; calculating a confidence coefficient of the attack chain fragment from the number of matched attack steps and the sequence conformity; and determining the attack scene feature sequences whose attack chain fragment confidence coefficient exceeds a threat threshold as potential attack chain fragments.
  6. The method of claim 1, wherein obtaining the industrial-system global security situation by performing global association reasoning with the cloud knowledge graph over the edge-domain-level local security situations of the plurality of edge domains comprises: extracting attack entity, controlled asset and attack path information from the local security situation uploaded by each edge domain; performing node mapping and relation linking of the attack entities, controlled assets and attack path information against the industrial-system asset topology and vulnerability association knowledge graph pre-constructed in the cloud, to obtain a threat propagation graph spanning edge domains; and analysing, with a graph neural network over the threat propagation graph, the potential diffusion paths and impact ranges of threats among critical infrastructure, and obtaining the industrial-system global security situation from the diffusion paths and impact ranges.
  7. The method of claim 6, wherein analysing the potential diffusion paths and impact ranges of threats among critical infrastructure with the graph neural network over the threat propagation graph, and deriving the industrial-system global security situation from the diffusion paths and impact ranges, comprises: determining the topological structure of the threat propagation graph, and extracting the feature vectors of the nodes and the association attributes of the edges in that structure; iteratively updating the threat state of every node in the threat propagation graph from the feature vectors and association attributes, using the neighbourhood information aggregation mechanism of the graph neural network, to obtain updated node threat states; predicting, with a random walk algorithm over the updated node threat states, the propagation probability of the threat along each connecting edge, and obtaining from the propagation probabilities the potential diffusion paths and impact range of the threat on critical infrastructure elements; and obtaining the industrial-system global security situation from the diffusion paths and impact ranges.
  8. The method of claim 1, wherein generating the hierarchical security early-warning information and response strategies according to the industrial-system global security situation comprises: scoring the industrial-system global security situation to obtain a situation score, and grading the situation score to obtain a security early-warning level; generating hierarchical security early-warning information based on the security early-warning level; and retrieving a matching set of response operations from a cloud response strategy library, based on the security early-warning level and the key asset information in the threat propagation graph, to obtain the response strategy.
  9. The method of claim 1, further comprising, after generating the hierarchical security early-warning information and response strategies according to the industrial-system global security situation: obtaining optimized samples for situation assessment from the feedback labels attached by security operations staff to the global security situation; dynamically adjusting the association weights between entities of the cloud knowledge graph on the basis of the optimized samples through an incremental learning algorithm, to obtain optimized association weights; and synchronizing the optimized association weights to the lightweight association analysis rule base of the edge computing node.
  10. An industrial cloud-edge-end cooperative security situation sensing device, characterized by comprising: a data processing module for obtaining preliminarily filtered equipment-level security events from the original security data reported by industrial field terminal equipment; an event aggregation module for performing event aggregation on the equipment-level security events through a lightweight association analysis rule base deployed at an edge computing node, to obtain an edge-domain-level local security situation; a situation awareness module for performing global association reasoning on the edge-domain-level local security situations of a plurality of edge domains using a cloud knowledge graph, to obtain an industrial-system global security situation; and a situation response module for generating hierarchical security early-warning information and response strategies according to the industrial-system global security situation.
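Claims 4 and 5 describe the edge-side aggregation step in words only. The following is an added illustration, not code from the patent or its assignee: it builds a temporal correlation window, slides a preset attack scene feature sequence over it, derives a fragment confidence from matched step count and sequence conformity, thresholds it, and fuses the rule's threat level with asset importance weights into a comprehensive threat index. The rule template, asset weights, threshold, confidence formula and sample events are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: float       # trigger timestamp (seconds)
    device: str     # equipment identifier
    zone: str       # physical position, used to scope the correlation window
    etype: str      # event type assigned by device-level filtering

# Constructed rule template: an attack scene feature sequence with a preset threat level.
RULES = {"recon_to_control": {"sequence": ["port_scan", "auth_failure", "firmware_write"],
                              "threat_level": 0.9}}
ASSET_WEIGHT = {"plc-01": 1.0, "hmi-02": 0.6}   # asset importance weights (assumed)
THREAT_THRESHOLD = 0.5                           # confidence needed to keep a fragment

def event_window(events, zone, start, length):
    """Temporal correlation window: one zone, occurrence time in [start, start+length)."""
    return sorted((e for e in events if e.zone == zone and start <= e.ts < start + length),
                  key=lambda e: e.ts)

def match_sequence(window, sequence):
    """Match the scene sequence against the window: (matched step count, conformity)."""
    types = [e.etype for e in window]
    matched = [s for s in sequence if s in types]
    if not matched:
        return 0, 0.0
    pos = [types.index(s) for s in matched]        # first occurrence of each matched step
    in_order = sum(1 for a, b in zip(pos, pos[1:]) if a < b)
    return len(matched), (in_order + 1) / len(matched)

def edge_posture(events, zone, start, length):
    """Edge-domain local posture: (potential attack chain fragments, comprehensive threat index)."""
    window = event_window(events, zone, start, length)
    fragments, index = [], 0.0
    for name, rule in RULES.items():
        n, conformity = match_sequence(window, rule["sequence"])
        confidence = n / len(rule["sequence"]) * conformity   # fragment confidence (assumed form)
        if confidence <= THREAT_THRESHOLD:
            continue                               # below the threat threshold: discard
        fragments.append((name, round(confidence, 3)))
        touched = {e.device for e in window if e.etype in rule["sequence"]}
        weight = max(ASSET_WEIGHT.get(d, 0.3) for d in touched)
        # weighted fusion of preset threat level, asset importance and fragment confidence
        index = max(index, rule["threat_level"] * weight * confidence)
    return fragments, round(index, 3)

SAMPLE = [Event(100.0, "hmi-02", "zoneA", "port_scan"),     # constructed events
          Event(130.0, "plc-01", "zoneA", "auth_failure"),
          Event(170.0, "plc-01", "zoneA", "firmware_write"),
          Event(180.0, "plc-09", "zoneB", "auth_failure")]
```

Running `edge_posture(SAMPLE, "zoneA", 90.0, 120.0)` yields one complete fragment at confidence 1.0 and a threat index of 0.9, while the same three event types seen in reverse order fall below the threshold because the sequence conformity collapses.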

Description

Industrial cloud-edge-end cooperative security situation sensing method and device

Technical Field

The application relates to the technical field of the industrial Internet and information security, and in particular to an industrial cloud-edge-end cooperative security situation sensing method and device.

Background

With the deep integration of the industrial Internet, industrial production systems exhibit a typical 'cloud-edge-end' cooperative architecture: the cloud performs big-data analysis and decision making, the edge side is responsible for regional data aggregation and real-time processing, and the end comprises field devices such as PLCs, sensors and controllers. Traditional network security protection based on signature-library matching struggles against unknown attacks, low-frequency slow attacks, and the asymmetric, one-way transparency of information between the attacking and defending sides of industrial protocols. In particular, under privacy protection requirements that data must not leave the factory or the industrial park, the cloud finds it difficult to obtain detailed data from every industrial site to train an efficient global detection model, while the edge side or end of a single factory has too little data to build an accurate local model. As a result, the cloud-edge-end system as a whole suffers from delayed security situation perception, weak capability to discover unknown threats and low cooperative defence efficiency. The foregoing is provided merely to facilitate understanding of the technical solution of the present invention and is not an admission that it constitutes prior art.

Disclosure of Invention

The application mainly aims to provide an industrial cloud-edge-end cooperative security situation sensing method and device, so as to solve the technical problems of fragmented industrial security situation sensing and lagging response in the prior art. To this end, the application provides an industrial cloud-edge-end cooperative security situation sensing method comprising the following steps: obtaining preliminarily filtered equipment-level security events from the original security data reported by industrial field terminal equipment; performing event aggregation on the equipment-level security events through a lightweight association analysis rule base deployed at an edge computing node, to obtain an edge-domain-level local security situation; performing global association reasoning on the edge-domain-level local security situations of a plurality of edge domains using a cloud knowledge graph, to obtain an industrial-system global security situation; and generating hierarchical security early-warning information and response strategies according to the industrial-system global security situation.
In an embodiment, obtaining the preliminarily filtered equipment-level security events from the original security data reported by the industrial field terminal equipment includes: extracting equipment state parameters and network traffic from the original data reported by the industrial field terminal equipment, and determining abnormal data points in the equipment state parameters and the network traffic according to a data credibility scoring factor; checking the validity of the abnormal data points against a device behaviour whitelist to obtain effective abnormal events; and determining the event type, trigger timestamp and equipment identifier of each effective abnormal event, and packaging them into a preliminarily filtered equipment-level security event. In an embodiment, before extracting the equipment state parameters and the network traffic from the original data and determining the abnormal data points according to the data credibility scoring factor, the method further includes: extracting the device certificate of the industrial field terminal device and the digital signature carried in the reported original data, and authenticating the industrial field terminal device based on the device certificate and the digital signature; when authentication passes, performing pattern verification of the original data against a behaviour baseline model fitted to the historical data of the industrial field terminal equipment, to obtain a data credibility score; and deriving the data credibility scoring factor from the data credibility score.
In an embodiment, obtaining the edge-domain-level local security situation from the equipment-level security events by event aggregation through the lightweight association analysis rule base deployed at the edge computing node includes: performing pattern matching on a plurality
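The device-level filtering described above (authenticate the report, pattern-check it against a fitted baseline to get a credibility score, flag abnormal points, drop whitelisted behaviour, package the rest as events) is illustrated below with added example code that is not from the patent or its assignee. It assumes: an HMAC over the raw report as a stand-in for the device certificate and digital signature, a per-parameter mean/standard-deviation baseline fitted from constructed historical readings, and one reading of how the credibility score acts as a scaling factor on the anomaly threshold; all keys, readings and the whitelist are constructed.

```python
import hashlib, hmac, json, statistics

# Constructed fixtures (assumed): per-device keys stand in for device certificates,
# baseline readings are the "historical data", the whitelist lists expected behaviour.
DEVICE_KEYS = {"plc-01": b"constructed-device-key"}
HISTORY = {"plc-01": {"cpu_temp": [40.1, 41.0, 39.8, 40.5, 40.9],
                      "pkt_rate": [120, 118, 125, 121, 119]}}
WHITELIST = {"plc-01": {"pkt_rate"}}   # e.g. scheduled bulk transfers legitimately raise pkt_rate
Z_BASE = 3.0                           # base deviation threshold, in standard deviations

def sign_report(device, payload):
    """Device side: HMAC-SHA256 over the raw report (stand-in for a certificate signature)."""
    return hmac.new(DEVICE_KEYS[device], payload, hashlib.sha256).hexdigest()

def verify_report(device, payload, signature_hex):
    """Edge side: reject reports whose signature does not verify for the claimed device."""
    key = DEVICE_KEYS.get(device)
    return key is not None and hmac.compare_digest(sign_report(device, payload), signature_hex)

def credibility(device, reading):
    """Pattern-check the report against the fitted baseline (mean/std per parameter).
    Returns (credibility score in (0, 1], per-parameter z-scores)."""
    zs = {}
    for name, value in reading.items():
        hist = HISTORY[device][name]
        sd = statistics.pstdev(hist) or 1e-9
        zs[name] = abs(value - statistics.mean(hist)) / sd
    return 1.0 / (1.0 + statistics.mean(zs.values())), zs

def device_level_events(device, payload, signature_hex, now):
    """Return the preliminarily filtered device-level security events for one report."""
    if not verify_report(device, payload, signature_hex):
        return []                                   # unauthenticated data is never analysed
    factor, zs = credibility(device, json.loads(payload))
    events = []
    for name, z in zs.items():
        # Assumed reading of the claim: a report that fits the baseline poorly overall
        # (low credibility) lowers the bar for flagging its individual data points.
        if z <= Z_BASE * factor:
            continue                                # not an abnormal data point
        if name in WHITELIST.get(device, set()):
            continue                                # expected behaviour: not an effective event
        events.append({"event_type": f"{name}_deviation", "trigger_ts": now,
                       "device_id": device, "credibility": round(factor, 3)})
    return events

if __name__ == "__main__":
    report = b'{"cpu_temp": 55.0, "pkt_rate": 140}'   # constructed report
    print(device_level_events("plc-01", report, sign_report("plc-01", report), 1700000000))
```

For the constructed report both parameters deviate sharply, but only the `cpu_temp` excursion becomes an event because `pkt_rate` excursions are whitelisted for this device; a report with a bad signature or from an unknown device produces nothing at all.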