Industrial control network threat automatic isolation method and system

Abstract

The invention discloses an industrial control network threat automatic isolation method, which comprises the following steps of: obtaining operation information of each piece of equipment in an industrial control system, and extracting operation information features; in response to a threat event matched with the operation information features existing in a preset threat decision table, obtainingan isolation strategy corresponding to the threat event, and isolating a threat source; in response to the situation that no threat event matched with the operation information features exists in a preset threat decision table, inputting the operation information features into a pre-trained decision model, and obtaining an event category corresponding to the operation information features; and inresponse to the event corresponding to the operation information features being a threat event, obtaining an isolation strategy corresponding to the threat event, isolating a threat source, and storing the operation information features in a preset threat decision table. The invention further discloses a corresponding system. According to the invention, the threat decision table and the decision model are combined and applied, threat source isolation in an event is effectively realized, the threat decision table is continuously perfected in a self-learning mode while the threat detection efficiency is ensured, and real-time updating is realized, so that the network security threat identification accuracy is improved.

Description

technical field [0001] The invention relates to a method and system for automatically isolating industrial control network threats, belonging to the technical field of information security. Background technique [0002] Compared with traditional information systems, industrial control systems have special requirements for high real-time performance, high reliability, and work continuity, but at the same time, they are relatively lacking in network security defense capabilities. Looking at the current industrial control system network security protection solutions on the market, the focus is mostly on the security baseline verification and vulnerability scanning beforehand, the network security data monitoring and early warning during the incident, the attack source tracing and security reinforcement after the incident, and lack of in-process security protection solutions. In-situ automatic blocking mechanism or automatic blocking means. At the same time, most threat detectio...

AI Technical Summary

Problems solved by technology

Looking at the current industrial control system network security protection solutions on the market, the focus is mostly on the security baseline verification and vulnerability scanning beforehand, the network security data monitoring and early warning during the incident, the attack source tracing and security reinforcement after the incident, and lack of in-process security protection solutions. In-situ automatic blocking mechanism or automatic blocking means. At the same time, most threat detection methods based on pattern matching cannot effectively update the threat signature database, and the slow update of the threat signature database has become a key factor affecting the false negative rate and accuracy of the security protection system.

Images