Industrial internet alarm log association analysis method and system based on graph method

Abstract

The invention provides an industrial internet alarm log association analysis method and system based on a graph method. The method comprises the following steps: step 1, obtaining a network attack alarm log; step 2, analyzing the obtained network attack alarm log to obtain a characteristic quantity corresponding to each network attack alarm; 3, creating a network security event graph according to the obtained characteristic quantity, and dividing the network security event graph into a plurality of alarm clusters; 4, extracting statistical characteristics and topological structure characteristics corresponding to each alarm cluster; 5, analyzing and identifying each alarm cluster according to the obtained statistical characteristics and topological structure characteristics; according to the method, the influence of multi-source and heterogeneous characteristics of alarm log data is avoided, the processing efficiency of common security event alarms and the recognition capability of high-risk events can be effectively improved, and the perception capability of the overall security situation of the industrial internet can be provided.

Description

technical field [0001] The invention belongs to the field of industrial Internet intrusion detection, and in particular relates to a method and system for correlation analysis of industrial Internet alarm logs based on a graph method. Background technique [0002] The Industrial Internet combines advanced sensing and measurement technology, information communication technology and automatic control technology with the process industry, uses the Industrial Internet to sense the state information and parameter data of the process industry, and issues control instructions to realize remote real-time control of industrial processes . The application of advanced industrial Internet technology has improved the controllability, observability and real-time performance of industrial production, and has the trend of resource integration, remote control and interconnection with portal websites and the Internet. The application of the Industrial Internet has improved the production eff...

AI Technical Summary

Problems solved by technology

This multi-source, heterogeneous data feature brings additional difficulties and challenges to security analysts' monitoring, analysis, and disposal work. The deployment method that is distributed in different partitions of the network and applies different rules also increases the use of separate networks. Difficulty for security systems or devices to understand the overall security posture of the network

[0004] In addition, because the Industrial Internet applies relatively strict security rules, and network construction prioritizes production efficiency rather than security requirements, the network security systems and devices deployed in the Industrial Internet will generate a large number of low-risk alarms and false alarms

A large number of low-risk alarms and false positives are mixed with a small number of alarms with greater security risks, which also makes the analysis and processing of alarm data more difficult

Images