Abstract
As China's power grid grows in scale, the security risks facing it are becoming increasingly prominent. To address network security problems in the power grid, this paper proposes a method for finding cyber kill chains and mining association rules in a power network environment. The method first constructs cyber kill chains, which describe the life cycle of a network attack, based on a spanning-tree pattern. It then uses the OPTICS algorithm and the parallel FP-Growth algorithm to eliminate redundant information in the raw alarms, and mines association rules from the network alarms. Finally, we design a chain rule analysis module to accurately generate association rules that can further predict network attacks. To demonstrate the effectiveness and accuracy of the proposed method, we conduct experiments and analysis on alarm logs collected from the full-scenario situational awareness platform deployed at a power company. The results show that the proposed method can effectively find the cyber kill chains and association rules in the alarm logs. We also evaluated these association rules on the test data set and found that they all perform well.
Authors
熊旭
程光
张玉健
郭靓
张付存
Xiong Xu; Cheng Guang; Zhang Yujian; Guo Liang; Zhang Fucun (School of Cyber Science and Engineering, Southeast University, Nanjing, Jiangsu 211189; Jiangsu Ubiquitous Network Security Engineering Research Center, Southeast University, Nanjing, Jiangsu 211111; Purple Mountain Laboratories, Nanjing, Jiangsu 211111; Nanjing NARI Information & Communication Technology Co., Ltd, Nanjing, Jiangsu 210000)
Source
《工业信息安全》
2022, Issue 2, pp. 13-24 (12 pages)
Industry Information Security
Funding
The 2019 Industrial Internet Innovation and Development Project, Ministry of Industry and Information Technology of China (Grant No. 6709010003).