Disclosure of Invention
In view of the above, the invention provides a method and a system for transverse isolation and secure data transmission of a power system, which aim to solve two problems of the prior art: fine-grained dynamic control based on the semantics of a cross-domain service flow and its access object range is lacking, and unauthorized access and frequency-abnormal control behaviors carried out through legal channels are difficult to discover in time.
In one aspect, the invention provides a method for lateral isolation and safety data transmission of an electric power system, which comprises the following steps:
Determining a production control security domain and a management information security domain in a power system, and configuring cross-domain business flow information based on cross-domain business requirements, wherein the cross-domain business flow information comprises a cross-domain business flow identifier, a business intention label and an access object range;
On a service data generation side, when service data is required to be transmitted between the production control security domain and the management information security domain, acquiring cross-domain service flow information to which the service data belongs, and packaging the service data into a secure self-description data unit, wherein the head information of the secure self-description data unit at least carries the cross-domain service flow information and service instruction types, and the service load part carries service data corresponding to the head information;
Acquiring header information of a security self-description data unit which appears for the first time on a transverse isolation path between the production control security domain and the management information security domain, generating a session token according to a pre-established cross-domain service flow baseline model, and associating the session token with the cross-domain service flow identifier;
When forwarding the safety self-description data unit on the transverse isolation path, acquiring characteristic data of the safety self-description data unit, comparing the characteristic data with the associated session token, forwarding the safety self-description data unit when the characteristic data meet the limiting conditions of the session token, and otherwise blocking the safety self-description data unit;
Maintaining sliding time windows by taking a cross-domain service flow as a unit, carrying out time sequence behavior statistics on the forwarded safety self-description data units in each sliding time window, identifying abnormal behaviors according to a behavior abnormality judgment rule, tightening or disabling access object range and number conditions defined by corresponding session tokens when the abnormal behaviors are identified, and blocking the follow-up safety self-description data units belonging to the cross-domain service flow.
Further, determining the production control security domain and the management information security domain in the power system and configuring the cross-domain service flow information based on the cross-domain service requirements includes:
Acquiring asset information of each service system and each device in the power system, wherein the asset information comprises an affiliated security domain, service functions, adopted industrial communication protocol types and operated object identifiers;
Identifying data interaction required to be transmitted between a production control security domain and a management information security domain according to the asset information, dividing the data interaction into at least one service type of measurement uploading, running state uploading, control instruction issuing, parameter adjustment and file issuing according to service functions, generating a unique cross-domain service flow identifier for each type of data interaction, and selecting a corresponding service intention label for the cross-domain service flow from a preset service intention label set;
And determining the access object range as a group of measuring point set identifiers or a group of equipment set identifiers according to the operated object identifiers related to the cross-domain service flow, so that the same cross-domain service flow is fixedly associated with the unique cross-domain service flow identifier, the service intention label and the access object range.
Further, when the service data is encapsulated into the secure self-description data unit at the service data generating side, the method includes:
Analyzing the industrial communication protocol message corresponding to the service data to obtain a sending service system identifier, a receiving service system identifier, a service function and an operated object identifier, and determining cross-domain service flow information matched with the service data from pre-configured cross-domain service flow information according to the sending service system identifier, the receiving service system identifier, the service function and the operated object identifier to obtain the cross-domain service flow identifier, the service intention label and the access object range;
The production control security domain identification, the management information security domain identification, the cross-domain service flow identification, the service intention label, the access object range and the service instruction type are written in the header information of the security self-description data unit, and the industrial communication protocol message is written in the service load part of the security self-description data unit, so that the same service data is transmitted in the form of the security self-description data unit carrying unified service meaning and access constraint when being transmitted between the production control security domain and the management information security domain.
Further, when generating a session token on a lateral isolation path between the production control security domain and the management information security domain, the method includes:
According to pre-collected cross-domain service configuration and historical safety self-description data units, a cross-domain service flow baseline model is established according to the cross-domain service flow, and the cross-domain service flow baseline model at least gives out the normal service instruction types, the normal access object range, the normal session duration time, the upper limit of the number of the safety self-description data units passing in the normal session and the upper limit of the number of the safety self-description data units passing in the unit time corresponding to the cross-domain service flow;
When the first-appearing secure self-description data unit arrives, selecting a parameter matched with the secure self-description data unit from the cross-domain business flow baseline model according to the cross-domain business flow identifier of the secure self-description data unit, taking the parameter as an allowed business instruction type, an allowed access object range, a session effective time and a passing condition based on quantity defined by a session token, and associating the session token with the cross-domain business flow identifier.
Further, when generating the session token, the method further comprises:
Dividing the cross-domain business flow into at least a first risk level and a second risk level according to business intention labels, importance degrees of access object ranges and sensitivity degrees of business instruction types given in the cross-domain business flow baseline model;
When the cross-domain service flow belongs to the first risk level, the access object range limited by the session token is restricted to a single measuring point set or a single device set, the number of safety self-description data units allowed to pass in a session and the number allowed to pass in unit time are restricted to a first number threshold range, and the effective time of the session is restricted to a first time range; when the cross-domain service flow belongs to the second risk level, the access object range limited by the session token is restricted to a plurality of measuring point sets or a plurality of device sets, the number of safety self-description data units allowed to pass in the session and the number allowed to pass in unit time are restricted to a second number threshold range, and the effective time of the session is restricted to a second time range, wherein the first number threshold range is smaller than the second number threshold range and the first time range is shorter than the second time range.
Further, when forwarding the secure self-description data unit on the lateral isolation path, the method includes:
For each safety self-description data unit to be forwarded, reading the service instruction type and the access object in the header information, acquiring the arrival time of the safety self-description data unit on the transverse isolation path, and determining the number of the safety self-description data units which pass through in the session and the number of the safety self-description data units which pass through in the unit time according to the number of the safety self-description data units which are marked as forwarded in the current session and the number of the safety self-description data units which are marked as forwarded in the preset unit time;
and comparing the service instruction type, the access object, the arrival time, the number of the passed safety self-description data units in the session and the number of the passed safety self-description data units in the unit time with the allowed service instruction type, the allowed access object range, the session effective time, the upper quantity limit in the session and the upper quantity limit in the unit time defined by the associated session token item by item, and marking the safety self-description data units as forwarding only when the corresponding items of the characteristic data are in the limited range of the session token, otherwise marking the safety self-description data units as blocking.
Further, when the secure self-description data unit is marked as blocked, the method further comprises:
Recording blocking reasons according to items which do not meet the limiting conditions of the session token in the characteristic data, recording the blocking reasons as cross-domain business override access when the non-meeting conditions are business instruction types or access objects, recording the blocking reasons as overtime of the session range when the non-meeting conditions are effective time of the session or the number of safety self-description data units which pass in the session, recording the blocking reasons as frequency abnormality when the non-meeting conditions are the number of the safety self-description data units which pass in unit time, and associating the blocking reasons with corresponding cross-domain business flow identifiers and session token identifiers.
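The following Python, added here and not taken from the application, performs the item-by-item session-token comparison described above and records the three blocking reasons against the flow and token identifiers. Class names, the token derivation on first appearance and the baseline values are assumptions: the 10-minute validity and the 20-unit session limit follow the embodiment given later in this document, while the frequency limit of 5 units per 60-second unit time is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum

# Blocking reasons of the method; each corresponds to the group of session-token
# items that failed the item-by-item comparison.
class Verdict(Enum):
    FORWARD = "forward"
    OVERRIDE_ACCESS = "cross-domain business override access"  # instruction type or access object
    SESSION_RANGE_OVERTIME = "session range overtime"          # session validity or per-session count
    FREQUENCY_ABNORMALITY = "frequency abnormality"            # per-unit-time count

@dataclass
class BaselineParams:
    """Baseline-model parameters selected for one cross-domain service flow (assumed shape)."""
    allowed_instruction_types: frozenset
    allowed_objects: frozenset
    session_valid_for: float   # seconds
    max_per_session: int
    max_per_unit_time: int
    unit_time: float           # seconds

@dataclass
class SessionToken:
    token_id: str
    flow_id: str               # one-to-one association with the cross-domain service flow
    params: BaselineParams
    session_start: float
    forwarded_times: list = field(default_factory=list)  # arrival times of units marked "forwarded"

@dataclass
class UnitHeader:
    """Header fields of a safety self-description data unit that the check reads."""
    flow_id: str
    instruction_type: str
    access_object: str
    arrival_time: float        # arrival on the transverse isolation path, seconds

class IsolationGate:
    def __init__(self, baseline):
        self.baseline = baseline   # flow_id -> BaselineParams (the baseline model)
        self.tokens = {}           # flow_id -> SessionToken
        self.block_log = []        # (reason, flow_id, token_id)

    def _token_for(self, hdr):
        # First appearance of a flow: derive its token from the baseline model and
        # associate it with the cross-domain service flow identifier.
        tok = self.tokens.get(hdr.flow_id)
        if tok is None:
            tok = SessionToken(f"tok-{hdr.flow_id}-{len(self.tokens) + 1}", hdr.flow_id,
                               self.baseline[hdr.flow_id], hdr.arrival_time)
            self.tokens[hdr.flow_id] = tok
        return tok

    def check(self, hdr):
        tok = self._token_for(hdr)
        p = tok.params
        if (hdr.instruction_type not in p.allowed_instruction_types
                or hdr.access_object not in p.allowed_objects):
            verdict = Verdict.OVERRIDE_ACCESS
        elif not (tok.session_start <= hdr.arrival_time
                  < tok.session_start + p.session_valid_for):
            verdict = Verdict.SESSION_RANGE_OVERTIME
        elif len(tok.forwarded_times) + 1 > p.max_per_session:
            verdict = Verdict.SESSION_RANGE_OVERTIME
        elif sum(1 for t in tok.forwarded_times
                 if hdr.arrival_time - p.unit_time < t <= hdr.arrival_time) + 1 > p.max_per_unit_time:
            verdict = Verdict.FREQUENCY_ABNORMALITY
        else:
            verdict = Verdict.FORWARD
        if verdict is Verdict.FORWARD:
            tok.forwarded_times.append(hdr.arrival_time)   # unit marked as forwarded
        else:
            self.block_log.append((verdict, hdr.flow_id, tok.token_id))
        return verdict

def demo():
    """Constructed trace for flow ctrl_flow_1; returns the verdicts and the block log."""
    baseline = {"ctrl_flow_1": BaselineParams(frozenset({"switching on/off"}),
                                             frozenset({"breaker set of substation 1"}),
                                             600.0, 20, 5, 60.0)}
    gate = IsolationGate(baseline)
    t0 = 1000.0

    def unit(obj, at):
        return UnitHeader("ctrl_flow_1", "switching on/off", obj, at)

    results = [gate.check(unit("breaker set of substation 1", t0))]        # first appearance: token created
    results.append(gate.check(unit("breaker set of substation 2", t0 + 1)))  # object outside range
    for i in range(2, 6):                                                    # 4 more within 60 s
        results.append(gate.check(unit("breaker set of substation 1", t0 + i)))
    results.append(gate.check(unit("breaker set of substation 1", t0 + 6)))  # 6th in unit time
    results.append(gate.check(unit("breaker set of substation 1", t0 + 601)))  # after 10-minute validity
    return results, gate.block_log
```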
Further, when maintaining the sliding time window in units of the cross-domain service flow, the method includes:
Setting a sliding time window length and a sliding step length for each cross-domain service flow, and in each sliding time window, carrying out time sequence behavior statistics on forwarded safety self-description data units, wherein the time sequence behavior statistics comprise the number of the safety self-description data units which belong to control instruction issuing and parameter adjustment, the number of accessed devices or measuring point sets in the sliding time window, the minimum time interval between adjacent control instructions or parameter adjustment and the number of the safety self-description data units marked as blocking in the sliding time window;
And according to a pre-configured behavior abnormality judgment rule, judging at least one of the conditions that the quantity of the control instructions issued exceeds a quantity threshold, the quantity of the accessed devices or the quantity of the measuring point sets exceeds an object quantity threshold, the minimum time interval is lower than a time interval threshold and the blocking quantity exceeds a blocking quantity threshold as abnormal behaviors, and associating a sliding time window in which the abnormal behaviors occur with corresponding cross-domain service flow identifiers and session token identifiers.
Further, when the abnormal behavior is identified, the method includes:
When the abnormal behavior is that the number of the accessed devices or the number of the measuring point sets exceeds an object number threshold, the access object range defined by the corresponding session token is contracted into a single measuring point set or a single device set by a plurality of measuring point sets or a plurality of device sets;
When the abnormal behavior is that the quantity of control instructions issued exceeds a quantity threshold or the blocking quantity exceeds a blocking quantity threshold, reducing the quantity of safety self-description data units allowed to pass in a session defined by a corresponding session token and the quantity of safety self-description data units allowed to pass in unit time to a quantity lower limit threshold;
And when abnormal behaviors occur in a plurality of continuous sliding time windows, disabling the corresponding session token, blocking the subsequent secure self-description data units belonging to the cross-domain service flow during the disabling period, and recording disabling information and the cross-domain service flow identification and the session token identification.
Compared with the prior art, the invention has the following advantages. Taking the production control security domain and the management information security domain as the boundary, the cross-domain service flow information is pre-configured around the cross-domain service requirements, so that the cross-domain service flow identifier, the service intention label and the access object range are solidified. At the service data generation side, each piece of service data is packaged, by parsing the industrial communication protocol message, into a safety self-description data unit carrying the service semantics and the service instruction type, so that a cross-domain service flow is no longer seen only as network messages but as which type of service is operating which objects. When a cross-domain service flow appears for the first time, a session token in one-to-one correspondence with the cross-domain service flow identifier is generated from the cross-domain service flow baseline model, and the characteristic data of each safety self-description data unit (service instruction type, access object, arrival time and the number of units already passed in the session) are compared item by item with the session token on the transverse isolation path, realizing semantic-level token control over the safety self-description data units. A sliding time window is further maintained per cross-domain service flow, time-sequence behavior statistics are carried out on the forwarded safety self-description data units, abnormal behaviors are identified automatically, and the access object range and number conditions of the corresponding session token are tightened or the token is disabled, so that detection and control form a closed loop. Unauthorized access and frequency-abnormal control behaviors carried out through legal channels, which static monitoring has difficulty discovering in time, are thereby detected and limited automatically, and service safety and protection precision in the transverse isolation scene of the power system are improved.
In another aspect, the application also provides a system for transverse isolation and secure data transmission of a power system, which is used for applying the above method and comprises:
The production control security domain and the management information security domain, which are connected through a transverse isolation path;
The production control security domain is provided with a service data processing device, and the service data processing device is used for collecting cross-domain service flow information to which the service data belongs and packaging the service data into a safe self-description data unit when the service data needs to be transmitted between the production control security domain and the management information security domain, so that the head information of the safe self-description data unit carries the cross-domain service flow information and service instruction types, and the service load part carries the service data corresponding to the head information;
The session control device is used for acquiring the head information of the first-appearing safe self-description data unit, generating a session token according to a pre-established cross-domain business flow baseline model, associating the session token with a cross-domain business flow identifier, acquiring characteristic data of the safe self-description data unit when forwarding the safe self-description data unit, comparing the characteristic data with associated session token limiting conditions, releasing the safe self-description data unit when the characteristic data meet the limiting conditions, and blocking the safe self-description data unit when the characteristic data do not meet the limiting conditions;
The behavior monitoring device is used for maintaining sliding time windows by taking the cross-domain service flow as a unit, carrying out time sequence behavior statistics on the forwarded safety self-description data units in each sliding time window, identifying abnormal behaviors according to the behavior abnormality judgment rules, tightening or disabling the access object range and the number condition defined by the corresponding session token when the abnormal behaviors are identified, and blocking the follow-up safety self-description data units belonging to the cross-domain service flow.
It can be appreciated that the above method and system for lateral isolation and secure data transmission of an electric power system have the same beneficial effects, and are not described herein.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art. It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other. The invention will be described in detail below with reference to the drawings in connection with embodiments.
In the traditional transverse isolation architecture of existing power monitoring systems, the service semantics and the access constraints of a cross-domain service flow are decoupled: no dynamic binding is established between the service intention label and the access object range, so the session range cannot converge adaptively according to real-time transmission behavior. Because the security policy lacks fine-grained control at the granularity of a service flow during cross-domain data transmission, the transverse isolation device can only perform static monitoring based on network-layer or host-layer state and cannot identify unauthorized access behaviors and frequency-abnormal control behaviors carried out through legal channels. This leaves a structural gap in the security protection system at the service semantic layer and affects the overall security and data transmission reliability of the system.
For example, in a power dispatch monitoring scenario, a relay protection device in the production control security domain needs to transmit device status data to an operation management system in the management information security domain. Because no unified safety self-description encapsulation is applied to the service flow when the service data is transmitted across domains, the service intention label (such as 'protection device state update') and the access object range (such as the breaker equipment of a specific substation) are not associated with the data unit header, and the transverse isolation device can only filter according to port state or heartbeat information. In this scenario, an attacker can send disguised data packets through a legal service channel and access unauthorized equipment objects at high frequency to perform unauthorized operations; since the existing isolation mechanism lacks time-sequence behavior analysis based on service intention, it cannot detect the abnormal behavior pattern, and the system is exposed to the risk of unauthorized operation penetration.
If the above problem is not solved, the security control of the cross-domain service flow will depend on static policy configuration for a long time, and dynamic coupling of access constraint and service semantics cannot be realized. Further, the security protection system is difficult to cope with hidden attack behaviors, so that malicious operations can continuously permeate through legal data channels, thereby possibly causing damage to the integrity of service data or abnormal functions, and seriously weakening the security isolation efficiency of the power monitoring network.
In this regard, referring to fig. 1, the present application provides a method for lateral isolation and secure data transmission of an electric power system, including:
S100, determining a production control security domain and a management information security domain in a power system, and configuring cross-domain business flow information based on cross-domain business requirements, wherein the cross-domain business flow information comprises a cross-domain business flow identifier, a business intention label and an access object range;
S200, at a service data generation side, when service data is required to be transmitted between a production control security domain and a management information security domain, acquiring cross-domain service flow information to which the service data belongs, packaging the service data into a safety self-description data unit, wherein the head information of the safety self-description data unit at least carries the cross-domain service flow information and service instruction types, and the service load part carries the service data corresponding to the head information;
S300, acquiring head information of a security self-description data unit which appears for the first time on a transverse isolation path between a production control security domain and a management information security domain, generating a session token according to a pre-established cross-domain service flow baseline model, and associating the session token with a cross-domain service flow identifier;
S400, when forwarding the safety self-description data unit on the transverse isolation path, acquiring the characteristic data of the safety self-description data unit, comparing the characteristic data with the associated session token, and forwarding the safety self-description data unit when the characteristic data meet the limiting condition of the session token, otherwise, blocking the safety self-description data unit;
and S500, maintaining sliding time windows by taking the cross-domain service flow as a unit, carrying out time sequence behavior statistics on the forwarded safety self-description data units in each sliding time window, identifying abnormal behaviors according to the behavior abnormality judgment rules, tightening or disabling the access object range and the number condition defined by the corresponding session token when the abnormal behaviors are identified, and blocking the follow-up safety self-description data units belonging to the cross-domain service flow.
In this embodiment, the service intention label is a service semantic descriptor identifying the purpose of a cross-domain service flow. In practice it can be implemented as a predefined service type code, such as 'equipment state monitoring' or 'parameter adjustment request', and is mainly used to bind the service semantics to the access object range at the source, preventing the service intention from being disjointed from the operation boundary during cross-domain transmission. The secure self-description data unit is a data structure consisting of header information and a service load, which can be implemented in a structured data format such as JSON or XML; for example, the header carries the cross-domain service flow identifier and the service instruction type, and the service load carries the original service data content, so that the service meaning and constraint conditions are self-described when data is transmitted between the production control security domain and the management information security domain. The cross-domain service flow baseline model is a parameter range model established from historical normal behavior, which can be realized by statistical analysis or rule engine configuration, for example by calculating the distribution thresholds of normal service instruction types from historical data; it mainly provides the basis for generating the session token. Further, the session token is an authentication credential associated with the cross-domain service flow identifier, which may be implemented using cryptographic tokens or digital signature techniques, such as generating the token with an HMAC algorithm, and mainly defines the allowed service instruction types, access object range and number conditions.
On the lateral isolation path, the characteristic data refers to a data attribute for verifying whether the secure self-describing data unit meets the conditions of the session token, which may include the source address, the time stamp or the data size of the data unit, for example, recording the generation time and the transmission delay of the data unit, which is mainly for the purpose of item-by-item comparison with the conditions of the session token. The application tightly couples service semantics and access constraint from the source through a binding mechanism of the service intention label and the access object range, ensures complete service meaning in data transmission through safe self-description data unit encapsulation, generates a session token based on a cross-domain service flow baseline model to realize fine granularity access control, utilizes characteristic data and session token comparison to carry out real-time dynamic verification, maintains a sliding time window by taking the cross-domain service flow as a unit to carry out time sequence behavior statistics, and enables a safety strategy to dynamically converge the access object range and quantity conditions according to an abnormal behavior identification result.
In the method for transversely isolating and transmitting the safety data of the electric power system, firstly, a production control safety domain and a management information safety domain are definitely divided in the system, and cross-domain business flow information is configured according to cross-domain business requirements, wherein the information covers cross-domain business flow identification, business intention labels and access object ranges, so that tight coupling of business semantics and access constraint is realized at a business source, and override risks caused by separation of the semantics and the constraint in a traditional scheme are avoided. When the service data is required to be transmitted between two domains, the service data generation side collects the cross-domain service flow information to which the service data belongs, and encapsulates the service data into a safe self-description data unit, wherein the header information carries the cross-domain service flow information and the service instruction type, and the service load part carries the corresponding service data, so that the self-description service meaning and access constraint condition of the data unit in the transmission process are ensured, and the semantic loss or tampering in the transmission link is prevented. On the transverse isolation path, the head information of the security self-description data unit appearing for the first time is acquired, a session token is generated according to a pre-established cross-domain business flow baseline model, and is associated with the cross-domain business flow identifier, and the baseline model defines a parameter range based on the history normal behavior, so that the session token is accurately matched with the specific business flow characteristics. 
In the forwarding process, the characteristic data of the safety self-description data unit are extracted and compared in real time with the limiting conditions of the associated session token, and the unit is forwarded only when the characteristic data completely meet those conditions; otherwise it is blocked, so that fine-grained access control is realized. Further, a sliding time window is maintained per cross-domain service flow, time-sequence behavior statistics are carried out on the forwarded safety self-description data units within the window, and abnormal behaviors are identified according to the behavior abnormality judgment rule; once an abnormal behavior is identified, the access object range and number conditions limited by the session token are dynamically tightened or the token is disabled, and subsequent safety self-description data units belonging to the cross-domain service flow are blocked, so that the security policy converges adaptively with changes in actual service activity.
In a specific embodiment, when the scheduling monitoring system transmits a control instruction to the operation management system, the cross-domain service flow information is configured as the cross-domain service flow identifier "ctrl_flow_1", the service intention label "control instruction issue" and the access object range "breaker set of substation 1". The service data is packaged into a safety self-description data unit whose header information comprises CTRL_FLOW_1, "control instruction issue", "breaker set of substation 1" and "closing instruction", and whose service load part is the IEC 60870-5-104 protocol message. On the transverse isolation path, when the data unit appears for the first time, a session token is generated that defines the allowed service instruction type as "switching on/off", the access object range as "breaker set of substation 1", the session effective time as 10 minutes and the upper limit of the number in the session as 20. The characteristic data of subsequent data units, such as the instruction type, the access object, the arrival time, the number passed in the session and the number passed in unit time, are verified in real time, and a data unit is blocked if, for example, an opening instruction is found to access a breaker of substation 2. Meanwhile, the number of control instructions and the number of accessed devices are counted in a sliding time window (for example, a 5-minute window), and if the number of control instructions exceeds 15 or the number of accessed devices exceeds 5, the access object range of the session token is contracted to a single breaker.
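As an added example that is not part of the application, the following Python implements the sliding-window time-sequence statistics, the behavior abnormality judgment rule and the token tightening and disabling described in the method above and in this embodiment. The 5-minute window and the thresholds of 15 control instructions and 5 accessed devices are taken from the embodiment; the interval and blocking thresholds, the quota floor, the two-window disabling count, the choice of which set is kept on contraction and the event trace are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Instruction types counted as control behaviour by the time-sequence statistics.
CONTROL_TYPES = {"control instruction issuing", "parameter adjustment"}

@dataclass
class Thresholds:
    window_len: float = 300.0   # 5-minute sliding window (from the embodiment)
    max_control: int = 15       # control instructions per window (embodiment)
    max_objects: int = 5        # distinct devices / measuring-point sets per window (embodiment)
    min_interval: float = 1.0   # seconds between adjacent control instructions (assumed)
    max_blocked: int = 3        # units marked as blocked per window (assumed)
    quota_floor: int = 1        # lower-limit quota applied when tightened (assumed)
    disable_after: int = 2      # consecutive abnormal windows before disabling (assumed)

@dataclass
class TokenLimits:
    allowed_objects: set        # access object range: one or more device / measuring-point sets
    max_per_session: int
    max_per_unit_time: int
    disabled: bool = False

@dataclass
class Event:
    time: float
    instruction_type: str
    access_object: str
    forwarded: bool             # False: the session-token check marked the unit as blocked

def window_stats(events, start, length):
    """Time-sequence statistics of one sliding window [start, start + length)."""
    win = [e for e in events if start <= e.time < start + length]
    ctrl = sorted((e for e in win if e.forwarded and e.instruction_type in CONTROL_TYPES),
                  key=lambda e: e.time)
    gaps = [b.time - a.time for a, b in zip(ctrl, ctrl[1:])]
    return {"control_count": len(ctrl),
            "object_count": len({e.access_object for e in win if e.forwarded}),
            "min_interval": min(gaps) if gaps else None,
            "blocked_count": sum(1 for e in win if not e.forwarded),
            "object_hits": Counter(e.access_object for e in ctrl)}

def judge(stats, th):
    """Behaviour abnormality judgment rule: names of the violated conditions."""
    abnormal = []
    if stats["control_count"] > th.max_control:
        abnormal.append("control_count")
    if stats["object_count"] > th.max_objects:
        abnormal.append("object_count")
    if stats["min_interval"] is not None and stats["min_interval"] < th.min_interval:
        abnormal.append("min_interval")
    if stats["blocked_count"] > th.max_blocked:
        abnormal.append("blocked_count")
    return abnormal

class BehaviorMonitor:
    def __init__(self, flow_id, token_id, token, th):
        self.flow_id, self.token_id, self.token, self.th = flow_id, token_id, token, th
        self.consecutive = 0    # abnormal windows in a row
        self.records = []       # (window_start, conditions, flow_id, token_id, actions)

    def evaluate_window(self, events, start):
        stats = window_stats(events, start, self.th.window_len)
        abnormal = judge(stats, self.th)
        if not abnormal:
            self.consecutive = 0
            return abnormal
        self.consecutive += 1
        actions = []
        if "object_count" in abnormal and len(self.token.allowed_objects) > 1:
            # Contract a multi-set range to a single set. The method does not say which set
            # survives; here (assumption) the set hit most often in the window is kept.
            hits = stats["object_hits"]
            self.token.allowed_objects = {min(hits, key=lambda o: (-hits[o], o))}
            actions.append("contracted")
        if "control_count" in abnormal or "blocked_count" in abnormal:
            self.token.max_per_session = self.th.quota_floor
            self.token.max_per_unit_time = self.th.quota_floor
            actions.append("quota_floor")
        if self.consecutive >= self.th.disable_after:
            self.token.disabled = True   # later units of this flow are blocked while disabled
            actions.append("disabled")
        self.records.append((start, tuple(abnormal), self.flow_id, self.token_id, tuple(actions)))
        return abnormal

def demo():
    """Constructed two-window trace for flow ctrl_flow_1 (not captured traffic)."""
    token = TokenLimits({f"breaker-{i} of substation 1" for i in range(1, 9)}, 20, 5)
    mon = BehaviorMonitor("ctrl_flow_1", "tok-ctrl_flow_1-1", token, Thresholds())
    events = [Event(10.0 * i, "control instruction issuing",
                    f"breaker-{i % 6 + 1} of substation 1", True) for i in range(16)]
    events += [Event(300.0, "control instruction issuing", "breaker-1 of substation 1", True),
               Event(300.5, "control instruction issuing", "breaker-1 of substation 1", True)]
    events += [Event(301.0 + k, "control instruction issuing",
                     "breaker-9 of substation 1", False) for k in range(4)]
    w1 = mon.evaluate_window(events, 0.0)     # 16 controls over 6 breakers
    w2 = mon.evaluate_window(events, 300.0)   # 0.5 s burst plus 4 blocked units
    return w1, w2, token, mon.records
```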
The method solves the problem of cross-domain business semantics being decoupled from access constraints by binding the business intention label and the access object range into the header of the safe self-description data unit, so that business data always carries a unified business meaning and access constraint in transmission. At the same time, based on the time sequence behavior statistics of a sliding time window and the dynamic session token tightening mechanism, the session range adaptively converges according to actual business behavior, unauthorized access and frequency-abnormal control behaviors carried out through legal channels are identified and blocked in time, and the security and strategy self-adaptation capability of the transverse isolation of an electric power system are improved.
Specifically, in some embodiments of the present application, configuring cross-domain service flow information to define a constraint framework for cross-domain data transmission is proposed. In the implementation process, however, if an automatic identification and accurate configuration mechanism based on system asset information is absent, repetition or conflict of cross-domain service flow identifiers, mismatch between service intention labels and actual service functions, and excessive generalization or blurring of access object ranges result, so that the generated session tokens cannot accurately reflect service semantics, misjudgment and missed judgment of unauthorized access or abnormal behaviors occur on the transverse isolation path, and fine-granularity service-level security control is difficult to realize.
In this regard, the present application further provides a method for lateral isolation and secure data transmission of an electric power system according to the above description, including:
Acquiring asset information of each service system and each device in the power system, wherein the asset information comprises an affiliated security domain, service functions, adopted industrial communication protocol types and operated object identifiers;
Identifying data interaction required to be transmitted between a production control security domain and a management information security domain according to asset information, dividing the data interaction into at least one service type of measurement uploading, running state uploading, control instruction issuing, parameter adjustment and file issuing according to service functions, generating a unique cross-domain service flow identifier for each type of data interaction, and selecting a corresponding service intention label for the cross-domain service flow from a preset service intention label set;
And determining the access object range as a group of measuring point set identifiers or a group of equipment set identifiers according to the operated object identifiers related to the cross-domain service flow, so that the same cross-domain service flow is fixedly associated with the unique cross-domain service flow identifier, the service intention label and the access object range.
Acquiring the asset information of each service system and each device in the power system refers to acquiring the attribute data set of the system operation entities; this can be performed automatically by an asset management system or a configuration management database, so as to construct an asset image based on the real system state and avoid the information loss or deviation caused by manual configuration. Identifying the data interactions to be transmitted between the production control security domain and the management information security domain according to the asset information can be understood as screening cross-domain data streams through a rule engine or a service stream analysis module, aiming at precisely locating the service scenarios to be isolated and controlled. Dividing the data interactions into service types such as measurement uploading and running state uploading according to service function means logical classification according to service semantics, for example by a decision tree algorithm or predefined classification rules, so that service type boundaries are clear and the interpretability of the function semantics is enhanced. Generating a unique cross-domain service stream identifier for each type of data interaction refers to creating non-repeatable service stream identifiers, which can be realized by a UUID generation algorithm or a timestamp-based sequence number mechanism, aiming at preventing identifier collision and ensuring service stream uniqueness. Selecting the corresponding service intention label from a preset service intention label set can be understood as matching the service function against an enumerated label library, for example through a label mapping table or a semantic matching algorithm, aiming at ensuring that labels correspond strictly to service functions. Determining the access object range as a measuring point set identifier or an equipment set identifier refers to precisely establishing the range from the operated object identifiers, for example based on a boundary identifier list, aiming at avoiding generalization of the access range. Fixedly associating the same cross-domain service flow with its unique cross-domain service flow identifier, service intention label and access object range establishes a non-tamperable metadata binding relationship, for example through a database transaction or a hash check mechanism.
Specifically, the scheme of the application automatically constructs a system entity attribute database by collecting asset information, identifies cross-domain data interaction based on the database and classifies the cross-domain data interaction according to business function semantics, generates a unique identifier for each type of interaction and matches with a preset label, and meanwhile, accurately limits the range of an access object according to the identifier of the operated object, and finally, the identifier, the label and the range are fixed into an indivisible metadata unit. In the process, asset information acquisition provides a data basis for service flow identification, service function division ensures clear type boundaries, unique identification generation avoids conflict, tag selection strengthens semantic consistency, access range determination realizes object-level constraint, and a fixed association mechanism ensures metadata integrity. The accuracy of asset information directly influences the reliability of data interaction identification, the accuracy of service function division determines the matching degree of the identification and the label, the accuracy of the access range is supported by the definition of the object identification, and the dispersive elements are integrated into a unified service flow definition by fixed association. The design changes the cross-domain service flow configuration from manual experience driving to automatic semantic driving, and ensures that service constraint definition is strictly aligned with the actual system state.
In a 220kV intelligent substation scenario, a service data processing device acquires the RTU equipment asset information of a SCADA system through an asset management system, wherein the RTU equipment asset information comprises the affiliated security domain, which is the production control security domain, the service function, which is telemetry data acquisition, the industrial communication protocol, which is IEC 60870-5-104, and the operated object identifier, which is a transformer oil temperature measuring point ID. Based on the asset information, a measurement uploading service that needs to be transmitted across domains is identified and classified as the measurement uploading type according to the service function, a unique cross-domain service flow identifier such as FLOW_MEAS_001 is generated, the service intention tag MeasurementUpload is selected from the preset tag set, the access object range is determined as the measuring point set identifier of the specific transformer according to the transformer oil temperature measuring point ID related to the service flow, and the cross-domain service flow identifier, the service intention tag and the access object range are fixedly associated through a metadata management module.
Through the scheme, the method and the device avoid the problem of repeated or conflicting cross-domain service flow identification, ensure that the service intention labels are strictly matched with the actual service functions, prevent the access object range from being excessively generalized or blurred, enable the session token to generate and accurately reflect the service semantics, thereby providing a reliable service constraint framework for fine-grained access control on a transverse isolation path and reducing misjudgment and missed judgment risks of unauthorized access and abnormal behaviors.
In some embodiments of the present application, it is proposed to encapsulate service data into a secure self-description data unit at the service data generating side to realize cross-domain secure transmission. In this process, however, because service data may be based on multiple industrial communication protocols, structural differences between protocol messages may prevent the cross-domain service flow information to which the service data belongs from being collected accurately, resulting in header information errors in the secure self-description data unit, so that service semantics and access constraints become decoupled and the validity of fine-grained control is affected.
In this regard, the present application further proposes that when the service data is encapsulated into a secure self-description data unit at the service data generating side, the method includes:
Analyzing an industrial communication protocol message corresponding to service data to obtain a sending service system identifier, a receiving service system identifier, a service function and an operated object identifier, and determining cross-domain service flow information matched with the service data from pre-configured cross-domain service flow information according to the sending service system identifier, the receiving service system identifier, the service function and the operated object identifier to obtain a cross-domain service flow identifier, a service intention label and an access object range;
The method comprises the steps of writing a production control security domain identifier, a management information security domain identifier, a cross-domain service flow identifier, a service intention label, an access object range and a service instruction type into header information of a security self-description data unit, writing an industrial communication protocol message into a service load part of the security self-description data unit, and transmitting the same service data in the form of the security self-description data unit carrying unified service meaning and access constraint when the same service data is transmitted between the production control security domain and the management information security domain.
Specifically, industrial communication protocol message parsing refers to the structural extraction of the industrial communication protocol message carrying the service data, and can be realized by a protocol parsing engine that supports message parsing for a plurality of industrial protocols such as IEC 60870-5-104 and Modbus TCP, aiming at accurately acquiring the service key identifiers from the original message and avoiding the information acquisition errors caused by protocol differences. Cross-domain service flow information matching can be understood as the association of a cross-domain service flow based on the identifiers acquired by parsing, and can be realized by a key-value query or a rule matching algorithm, for example a hash table used to quickly search the pre-configured cross-domain service flow information base, aiming at ensuring that the service data is accurately bound to the correct cross-domain service flow information and preventing mismatch of service intention labels and access object ranges. Writing the header information of the secure self-description data unit specifically means integrating the service semantics and access constraints into the data unit header, which can be realized by fixed field encapsulation or an extensible label mechanism, aiming at giving the data unit self-description characteristics and providing a uniform basis for verification on the transverse isolation path. Writing the industrial communication protocol message into the service load part carries the original message unchanged, so that transmission remains compatible with the existing communication system.
The method comprises the steps of analyzing an industrial communication protocol message to obtain a transmission service system identifier, a receiving service system identifier, a service function and an operated object identifier, wherein the identifiers are used as key inputs for precisely matching corresponding cross-domain service flow identifiers, service intention labels and access object ranges from pre-configured cross-domain service flow information, then writing a matching result together with information such as a security domain identifier, a service instruction type and the like into the head of a security self-description data unit, and meanwhile packaging an original industrial communication protocol message as a service load, thereby forming a data unit carrying unified service meaning and access constraint.
When service data is generated based on the IEC 60870-5-104 protocol, the service data processing device first calls the protocol analysis engine to parse the message and extracts the sending service system identifier as the SCADA system, the receiving service system identifier as the DMS system, the service function as control instruction issue, and the operated object identifier as a breaker set. It then queries the preconfigured cross-domain service flow information base according to these identifiers and matches the cross-domain service flow identifier CTL_FLOW_001, the service intention tag "emergency control" and the access object range "substation A breaker set". It then writes the production control security domain identifier "PC_ZONE", the management information security domain identifier "MI_ZONE", the cross-domain service flow identifier CTL_FLOW_001, the service intention tag "emergency control", the access object range "substation A breaker set" and the service instruction type "breaking instruction" into the header information, and directly encapsulates the IEC 60870-5-104 message into the service load part. As a result, the secure self-description data unit always carries a unified service meaning and access constraint across domains, and the session control device on the transverse isolation path can verify it on that basis.
By the scheme, the problem of error acquisition of cross-domain service flow information caused by industrial communication protocol difference is solved, the header information of the safety self-description data unit accurately reflects service semantics and access constraint, and the phenomenon of unhooking of service intention and access control is avoided, so that a fine-grained control mechanism based on a session token can be reliably executed, and the safety and consistency of cross-domain data transmission in transverse isolation of a power system are improved.
In some embodiments of the present application, it is proposed to generate a session token based on a cross-domain traffic flow baseline model to implement fine-granularity access control, however, in the implementation process, the parameter setting of the baseline model lacks specific basis and fine-granularity definition, which results in that the session token cannot accurately reflect normal behavior characteristics of different traffic flows, and may cause legal data transmission to be blocked by mistake or abnormal behavior to be missed, so as to affect the security and reliability of cross-domain data transmission.
In this regard, the present application further proposes that the step of generating a session token on a lateral isolation path between the production control security domain and the management information security domain comprises:
According to pre-collected cross-domain service configuration and historical safety self-description data units, a cross-domain service flow baseline model is established according to the cross-domain service flow, and the cross-domain service flow baseline model at least gives out the normal service instruction types, the normal access object range, the normal session duration time, the upper limit of the number of the safety self-description data units passing in the normal session and the upper limit of the number of the safety self-description data units passing in the unit time corresponding to the cross-domain service flow;
when the first-appearing secure self-description data unit arrives, selecting parameters matched with the secure self-description data unit from the cross-domain business flow baseline model according to the cross-domain business flow identification of the secure self-description data unit, taking the parameters as allowed business instruction types, allowed access object ranges, session effective time and passing conditions based on quantity defined by the session token, and associating the session token with the cross-domain business flow identification.
In practical application, the cross-domain service flow baseline model refers to a model established per cross-domain service flow, which can be implemented by a statistical analysis method based on historical service data, with the purpose of providing the session token with a parameter basis that conforms to actual service behavior. The normal service instruction types refer to the service operation types allowed to be executed in a specific cross-domain service flow, can be a predefined instruction set, and serve to limit the legal operation range so as to prevent unauthorized access. The normal access object range refers to the set of devices or measuring points allowed to be accessed in the specific cross-domain service flow, can be an identifier list, and serves to control the data access boundary so as to enforce the minimum authority principle. The normal session duration refers to the effective time length of a single session, can be determined from historical session data analysis, and serves to prevent the security risk of an overlong session. The upper limit of the number of security self-description data units passing in the normal session refers to the maximum number of data units allowed to be transmitted in a single session, can be set based on service requirements, and serves to limit the data transmission amount so as to prevent data leakage. The upper limit of the number of security self-description data units passing in unit time refers to the maximum number of data units allowed within a preset time window, is determined based on the frequency of normal data traffic, and serves to identify abnormal transmission frequency.
Specifically, the scheme of the application establishes a cross-domain service flow baseline model according to the pre-collected cross-domain service configuration and historical safety self-description data units, and the model defines normal behavior parameters of each service flow. When the first security self-description data unit arrives, the system selects matching parameters from the baseline model according to the cross-domain service flow identification, generates a session token and associates the service flow identification. In data transmission, the system compares the characteristics of the data units with the limiting conditions of the session tokens item by item, and forwards the data units only when the characteristic data meet the limiting conditions of the session tokens, so that the fine-grained access control based on the characteristics of the service flow is realized. The mechanism ensures that the session token parameters are directly derived from actual service operation data, avoids deviation caused by subjective setting parameters, and covers core elements of service operation through multidimensional indexes, so that token limiting conditions are consistent with the actual service heights, and the pertinence of access control is enhanced.
As a specific implementation mode, the system establishes a baseline model for the measurement uploading service flow based on historical data, determining the normal service instruction type as the telemetry data uploading type, the normal access object range as a predefined measuring point set identifier, the normal session duration as a shorter time limit, the upper limit of the number of data units in the session as a moderate threshold, and the upper limit of the number in unit time as a lower threshold. When the first security self-description data unit arrives, the system generates a session token in which the allowed service instruction type is defined as the telemetry data uploading type, the allowed access object range is the measuring point set identifier, the effective time of the session is the short time limit, the upper limit of the quantity in the session is the moderate threshold, and the upper limit of the quantity in unit time is the lower threshold.
By the technical scheme, the baseline model parameters are established based on the actual service operation data, so that the session token can be accurately adapted to the characteristics of the specific service flow, the misjudgment risk caused by parameter deviation is avoided, the situation that legal data transmission is blocked by mistake or abnormal behavior is missed is reduced, and the safety and reliability of cross-domain data transmission are improved.
Specifically, in some embodiments of the present application, it is proposed to generate session tokens based on a cross-domain traffic flow baseline model to implement fine-grained access control. In the implementation process, however, if all traffic flows adopt a uniform token parameter setting, stricter access constraints cannot be applied to high-risk traffic flows and looser transmission conditions cannot be provided for low-risk traffic flows, so that high-risk traffic flows remain exposed to override access and frequency-abnormal behavior, while the normal transmission efficiency of low-risk traffic flows may be affected by excessive restriction.
In this regard, the present application further proposes that, when generating the session token, the method further comprises:
dividing the cross-domain business flow into at least a first risk level and a second risk level according to business intention labels, importance degrees of access object ranges and sensitivity degrees of business instruction types given in a cross-domain business flow baseline model;
When the cross-domain traffic belongs to the first risk level, the access object scope limited by the session token is limited to a single measuring point set or a single device set, the number of the allowed safe self-description data units in the session and the number of the allowed safe self-description data units in the unit time are limited to be in a first number threshold scope, the effective time of the session is limited to be in a first time length scope, when the cross-domain traffic belongs to the second risk level, the access object scope limited by the session token is limited to a plurality of measuring point sets or a plurality of device sets, the number of the allowed safe self-description data units in the session and the number of the allowed safe self-description data units in the unit time are limited to be in a second number threshold scope, and the effective time of the session is limited to be in a second time length scope, wherein the first number threshold scope is smaller than the second number threshold scope, and the first time length scope is shorter than the second time length scope.
Specifically, risk classification refers to classifying cross-domain traffic according to its safety attributes, which can be implemented with a preset rule set or a dynamic risk assessment model. The risk level is determined by quantifying the sensitivity of the traffic intention label, the criticality of the access object range and the risk coefficient of the traffic instruction type, so as to establish a differentiated safety control policy adapted to the actual risk level of each traffic flow. The first risk level refers to the traffic class determined as high risk, which can be understood as traffic related to critical control operations or sensitive data, such as a control instruction issuing service, and is subjected to strict constraints to compress the potential attack window. The second risk level refers to the traffic class determined as low risk, which can be understood as traffic related to state monitoring or non-critical data, such as a measurement uploading service, for which data transmission continuity is improved on the premise of guaranteeing basic safety.
Specifically, a risk level dynamic adapting mechanism is introduced when a session token is generated, firstly, the service flow is divided into different risk levels according to service intention labels, access object range importance degrees and service instruction type sensitivity degrees in a cross-domain service flow baseline model, and differentiated token parameters are configured for the different risk levels, wherein for the service flow of a first risk level, the access object range is strictly limited to be a single measuring point set or a single equipment set, a smaller quantity threshold range and a shorter session duration range, the diffusion range of unauthorized access is restricted, and an attack window is compressed, and for the service flow of a second risk level, the access object range is allowed to be expanded to a plurality of measuring point sets or a plurality of equipment sets, and meanwhile, a larger quantity threshold range and a longer session duration range are set, so that the transmission efficiency is improved on the premise of ensuring basic safety. The parameter differentiation setting based on the risk level enables the security control strategy to dynamically match the service risk level, thereby strengthening the deep defense capability of high-risk service flows, avoiding transmission interruption of low-risk service flows caused by excessive limitation, and realizing the optimization balance of security control granularity and service efficiency.
As a specific implementation mode, the scheme of the application is implemented by dividing a service intention label of a cross-domain service flow into a first risk level when the service intention label is indicated as emergency control and related to breaker operation, setting an access object range limited by a session token into a single breaker equipment set, configuring a quantity threshold range and a session duration range in a strictly-constrained interval, and dividing the service intention label of the cross-domain service flow into a second risk level when the service intention label is indicated as regular monitoring and related to substation measuring point data uploading, allowing the access object range to cover a plurality of measuring point sets in a substation, and configuring the quantity threshold range and the session duration range in a relatively loose interval, so that the data transmission continuity of non-critical service is improved on the premise of guaranteeing safety isolation.
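The risk-level classification and the differentiated token parameters described above, as an added example that is not part of the patent text: the sensitivity scores, the score cut-off, the per-level threshold ranges and the object identifiers are constructed assumptions; the patent only fixes that the first level receives a single object set, a smaller quantity range and a shorter session duration than the second.

```python
"""Risk-tiered session token parameters (added example, not the patent's code)."""
from dataclasses import dataclass

# Constructed sensitivity scores for the three classification inputs.
LABEL_SENSITIVITY = {"emergency control": 3, "control instruction issue": 3,
                     "parameter adjustment": 2, "regular monitoring": 1,
                     "MeasurementUpload": 1}
OBJECT_CRITICALITY = {"breaker": 3, "transformer": 2, "measuring point": 1}
INSTRUCTION_RISK = {"switching on/off": 3, "parameter write": 2, "telemetry upload": 1}

# Constructed parameter ranges per risk level, as (min, max); level 1 is the strict one.
TIER_RANGES = {
    1: {"object_sets": 1, "count": (1, 20), "rate": (1, 10), "seconds": (60, 600)},
    2: {"object_sets": 8, "count": (20, 500), "rate": (10, 120), "seconds": (600, 3600)},
}


@dataclass
class BaselineEntry:
    """Per-flow parameters given by the baseline model (the patent's list; values constructed)."""
    flow_id: str
    label: str
    object_kind: str
    object_sets: list        # normal access object range, as set identifiers
    instruction_types: set   # normal service instruction types
    session_seconds: int     # normal session duration
    max_in_session: int      # upper limit of units passing in a session
    max_per_minute: int      # upper limit of units passing in unit time


@dataclass
class SessionToken:
    flow_id: str
    risk_level: int
    allowed_instruction_types: set
    allowed_object_sets: list
    valid_seconds: int
    max_in_session: int
    max_per_minute: int


def risk_level(entry):
    """Quantify label sensitivity, object criticality and instruction risk; unknowns score 2."""
    score = (LABEL_SENSITIVITY.get(entry.label, 2)
             + OBJECT_CRITICALITY.get(entry.object_kind, 2)
             + max(INSTRUCTION_RISK.get(t, 2) for t in entry.instruction_types))
    return 1 if score >= 7 else 2    # constructed cut-off: 7 of a possible 9


def clamp(value, bounds):
    lo, hi = bounds
    return max(lo, min(hi, value))


def generate_token(entry):
    """Select the baseline parameters and clamp them into the ranges of the flow's risk level."""
    level = risk_level(entry)
    r = TIER_RANGES[level]
    return SessionToken(
        flow_id=entry.flow_id, risk_level=level,
        allowed_instruction_types=set(entry.instruction_types),
        allowed_object_sets=entry.object_sets[:r["object_sets"]],  # level 1 keeps one set
        valid_seconds=clamp(entry.session_seconds, r["seconds"]),
        max_in_session=clamp(entry.max_in_session, r["count"]),
        max_per_minute=clamp(entry.max_per_minute, r["rate"]),
    )
```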
By the technical scheme, differentiated session token parameter configuration can be implemented for the cross-domain service flows with different risk levels, the problems of potential safety hazards of high-risk service flows and transmission efficiency of low-risk service flows are solved, unauthorized access and frequency abnormal behaviors are prevented, transmission interruption of normal services due to improper parameter setting is avoided, and safety data transmission efficiency of the power system in a transverse isolation environment is improved.
In particular, in some embodiments of the present application, a mechanism is proposed for acquiring feature data and comparing it with the session token when forwarding a secure self-description data unit on the lateral isolation path. In the implementation process, however, if the specific components of the feature data and the comparison logic lack explicit specification, the system cannot accurately verify whether the service instruction type is within the allowed range, whether the access object is within the access object range, whether the session is within its valid time, and whether the data transmission frequency exceeds the threshold, so that unauthorized access and abnormal frequency behaviors may not be blocked in time and the lateral isolation path may be abused for illegal data transmission.
In this regard, the present application further proposes forwarding a secure self-describing data unit over a laterally isolated path, comprising:
For each safety self-description data unit to be forwarded, reading the service instruction type and the access object in the header information, obtaining the arrival time of the safety self-description data units on the transverse isolation path, and determining the number of the safety self-description data units which pass through in the session and the number of the safety self-description data units which pass through in the unit time according to the number of the safety self-description data units which are marked as forwarded in the current session and the number of the safety self-description data units which are marked as forwarded in the preset unit time;
And comparing the service instruction type, the access object, the arrival time, the number of the passed safety self-description data units in the session and the number of the passed safety self-description data units in the unit time with the allowed service instruction type, the allowed access object range, the session effective time, the upper quantity limit in the session and the upper quantity limit in the unit time defined by the associated session token item by item, and marking the safety self-description data units as forwarding only when the corresponding items of the characteristic data are in the session token defined range, otherwise marking the safety self-description data units as blocking.
The service instruction type refers to the field in the header information of a secure self-description data unit that identifies the service operation type; it can be implemented as a predefined enumeration value (such as measurement uploading, running state uploading, control instruction issuing, parameter adjustment and file issuing), and aims to define the semantic attribute of the service operation and provide a unified basis for instruction validity verification. The access object refers to the target device or measuring point range specified in the header information, can be a set of measuring point set identifiers or a set of device set identifiers, and aims to limit the physical boundary of data access and prevent override operations. The arrival time refers to the receiving timestamp of the secure self-description data unit on the transverse isolation path, can be implemented as a time value obtained from a synchronized high-precision system clock, and aims to dynamically verify session timeliness. The number of secure self-description data units passed in the session refers to the accumulated number of data units forwarded in the current session, can be counted by a real-time counter, and aims to monitor the total data transmission amount over the session lifetime. The number of secure self-description data units passed in unit time refers to the number of data units forwarded within the preset time window, can be accumulated by a sliding window counting algorithm, and aims to judge whether the data transmission frequency is within the normal fluctuation range.
The method comprises the steps of firstly directly extracting service instruction types and access objects from the header information of a secure self-description data unit, ensuring that verification is based on unified service semantics without external analysis, simultaneously obtaining accurate arrival time as a dynamic time reference, then counting the forwarded number in real time based on the current session state and a preset time window to form a dynamic quantization index, then carrying out independent condition check on the multi-dimensional characteristic data and session token limiting conditions, ensuring that security dimensions such as service semantics, access objects, time points, accumulation number and transmission rate are strictly verified, and finally allowing forwarding only when all characteristic data completely meet the session token limiting range, otherwise immediately blocking, thereby constructing a zero tolerance verification mechanism with full condition meeting, and avoiding single-dimension verification loopholes.
In a transverse isolation environment of a power system, when a safety self-description data unit arrives at a transverse isolation path, a session control device analyzes header information of the safety self-description data unit, obtains a service instruction type of 'control instruction issue', an access object of 'measurement point set A', records arrival time of a system timestamp, counts the number of the safety self-description data units forwarded in a current session of 5 and the number of the safety self-description data units forwarded in the past minute of 3, and marks the safety self-description data units as forwarding because all the characteristic data are in a limited range.
Through the scheme, the method and the device realize the fine dynamic control of the cross-domain service flow, solve the problem of inaccurate security verification caused by fuzzy definition of the feature data, ensure that unauthorized access and abnormal frequency behaviors are blocked in time, and further strengthen the security of the transverse isolation path.
In some embodiments of the present application, it is proposed to record blocking reasons when a secure self-description data unit is blocked to support abnormal behavior classification and response, however, in the implementation process, blocking events lack fine classification and context association for specific reasons, which results in a system incapable of distinguishing different types of abnormal behaviors such as unauthorized access, session overrun or frequency abnormality, so that behavior monitoring based on a sliding time window and dynamic adjustment strategies of session tokens are difficult to implement accurately, and the security control capability of a transverse isolation path on a cross-domain traffic flow is affected.
When the security self-description data unit is marked as blocking, the method further comprises recording a blocking reason according to the item of the characteristic data that fails to meet the limiting condition of the session token: the blocking reason is recorded as cross-domain business override access when the unsatisfied item is the business instruction type or the access object, as overtime of the session range (session range overrun) when the unsatisfied item is the session effective time or the number of security self-description data units passed in the session, and as frequency abnormality when the unsatisfied item is the number of security self-description data units passed in unit time; and the blocking reason is associated with the corresponding cross-domain business flow identifier and session token identifier.
The item which does not meet the limiting condition of the session token in the characteristic data refers to a specific data item which conflicts with preset parameters of the session token in the process of forwarding the secure self-description data unit, and the item can be realized by adopting one or more of a service instruction type, an access object, an arrival time, the number of data units which are passed in the session and the number of data units which are passed in unit time. The cross-domain business override access, the overtime of the session range and the frequency abnormality refer to three standardized blocking reason categories which are divided according to the unsatisfied condition types, and the cross-domain business override access, the overtime of the session range and the frequency abnormality can be realized by adopting a condition judgment logic module to carry out classification mapping on characteristic data. The association of the blocking reason with the corresponding cross-domain service flow identifier and session token identifier refers to a technical means for binding the blocking event to a specific service flow and session context, and the blocking reason, the cross-domain service flow identifier and the session token identifier can be realized by establishing a mapping relation by adopting a database index or a log record mechanism.
Specifically, the scheme of the application is characterized in that when a safety self-description data unit is marked as blocking, a blocking reason analysis flow is triggered: first, the specific items that do not meet the limiting conditions of the session token are extracted from the characteristic data; then the blocking reason is mapped to one of three standardized categories, cross-domain business override access, session range overrun or frequency abnormality, according to a preset classification rule; and finally the classification result is persistently associated with the cross-domain business flow identifier and the session token identifier. This process forms a closed-loop working mechanism with the session control device on the transverse isolation path: when the comparison between the characteristic data and the session token limiting conditions fails, the blocking operation synchronously triggers the reason classification logic, so that a blocking event is converted from a simple data discard into a structured security event, and at the same time the associated blocking reason data is collected in real time by the behavior monitoring device for time sequence behavior statistics and abnormality judgment within the sliding time window, thereby driving the dynamic adjustment strategy of the session token. Only by finely classifying blocking reasons and tightly binding the business flow context can the system implement differentiated response measures based on the abnormal behavior type, such as contracting the access object range in response to cross-domain business override access and dynamically adjusting the quantity threshold in response to frequency abnormality, thereby solving the problem of analysis blind spots caused by isolated blocking events without context.
When the session control device detects that the service instruction type of a certain safety self-description data unit exceeds the allowable service instruction type range limited by a session token on a transverse isolation path, the system automatically classifies the blocking event as cross-domain service override access, establishes a related record with a cross-domain service flow identifier to which the safety self-description data unit belongs and a current session token identifier, and in the process of behavior monitoring, the behavior monitoring device continuously generates three cross-domain service override access events under the cross-domain service flow identifier based on sliding time window statistics, immediately triggers a dynamic contraction mechanism of an access object range, and contracts the access object range limited by the session token into a single measurement point set from a plurality of measurement point sets, thereby blocking the possible follow-up override access behavior. In the process, the classification result of the blocking reason directly guides the adjustment strategy of the session token, so that the security control measures are accurately matched with the abnormal behavior types.
Through the technical scheme, the method and the system realize the fine classification of blocking events and their association with business contexts, so that the system can accurately distinguish different types of abnormal behaviors such as cross-domain business override access, overtime of the session range and abnormal frequency, and a structured data basis is provided for behavior monitoring based on a sliding time window, thereby supporting the accurate implementation of the dynamic adjustment strategy of the session token and improving the safety control capability of the transverse isolation path over cross-domain business flows.
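The item-by-item session token check of the preceding paragraphs together with the three-way blocking reason classification, as an added example in Python (not code from the patent); SessionToken, DataUnitHeader, the enumeration values and the precedence applied when several items fail at once are assumptions made for the illustration.

```python
"""Item-by-item session-token check with blocking-reason classification.

Added example (not the patent's own code). Names such as SessionToken,
DataUnitHeader and the Enum members are assumptions chosen for this
illustration; the five checked items and the three blocking-reason
categories follow the description above.
"""
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Deque, FrozenSet, List, Optional, Tuple


class InstructionType(Enum):
    """Predefined service instruction enumeration (member values assumed)."""
    MEASUREMENT_UPLOAD = "measurement_upload"
    RUN_STATE_UPLOAD = "run_state_upload"
    CONTROL_ISSUE = "control_issue"
    PARAM_ADJUST = "param_adjust"
    FILE_ISSUE = "file_issue"


class BlockReason(Enum):
    """The three standardized blocking reason categories."""
    OVERRIDE_ACCESS = "cross_domain_business_override_access"
    SESSION_OVERRUN = "session_range_overrun"
    FREQUENCY_ABNORMAL = "frequency_abnormality"


@dataclass
class SessionToken:
    token_id: str
    flow_id: str
    allowed_types: FrozenSet[InstructionType]
    allowed_objects: FrozenSet[str]      # measuring-point / device set ids
    valid_until: float                   # session effective time (seconds)
    max_in_session: int                  # upper quantity limit in the session
    max_per_window: int                  # upper quantity limit in unit time
    window_seconds: float = 60.0         # the "unit time"
    forwarded_in_session: int = 0        # real-time counter for the session
    recent_forwards: Deque[float] = field(default_factory=deque)


@dataclass(frozen=True)
class DataUnitHeader:
    flow_id: str
    instruction_type: InstructionType
    access_objects: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    forward: bool
    reason: Optional[BlockReason]
    failed_items: Tuple[str, ...]
    flow_id: str                         # the blocking reason is bound to ...
    token_id: str                        # ... the flow and session context


def classify_block_reason(failed_items: Tuple[str, ...]) -> BlockReason:
    """Map the unsatisfied items to the standardized categories.

    Assumption: when several items fail at once, override access takes
    precedence over session overrun, which takes precedence over frequency.
    """
    if "instruction_type" in failed_items or "access_object" in failed_items:
        return BlockReason.OVERRIDE_ACCESS
    if "arrival_time" in failed_items or "count_in_session" in failed_items:
        return BlockReason.SESSION_OVERRUN
    return BlockReason.FREQUENCY_ABNORMAL


def check_data_unit(token: SessionToken, header: DataUnitHeader,
                    arrival_time: float) -> Decision:
    """Compare the five characteristic items with the token, item by item."""
    # Forwards older than one unit time no longer count towards the rate limit.
    while (token.recent_forwards
           and arrival_time - token.recent_forwards[0] >= token.window_seconds):
        token.recent_forwards.popleft()
    failed: List[str] = []
    if header.instruction_type not in token.allowed_types:
        failed.append("instruction_type")
    if not header.access_objects <= token.allowed_objects:
        failed.append("access_object")
    if arrival_time > token.valid_until:
        failed.append("arrival_time")
    if token.forwarded_in_session + 1 > token.max_in_session:
        failed.append("count_in_session")
    if len(token.recent_forwards) + 1 > token.max_per_window:
        failed.append("count_in_window")
    if failed:
        # Blocked units are not counted; the token state stays unchanged.
        return Decision(False, classify_block_reason(tuple(failed)),
                        tuple(failed), header.flow_id, token.token_id)
    token.forwarded_in_session += 1
    token.recent_forwards.append(arrival_time)
    return Decision(True, None, (), header.flow_id, token.token_id)
```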
Specifically, in some embodiments of the present application, it is proposed to maintain a sliding time window in units of cross-domain traffic flows to identify abnormal behaviors, however, in the implementation process, the statistics of the time sequence behaviors of the sliding time window lacks specific statistical dimensions and decision basis, and potential risks such as too high frequency of control instructions, abnormal expansion of the access object range or occurrence of blocking event sets cannot be accurately captured, so that abnormal behavior identification is delayed, and the security policy cannot be dynamically adjusted in time.
In this regard, the present application further provides a method for lateral isolation and secure data transmission of an electric power system, where maintaining a sliding time window in units of a cross-domain traffic flow includes:
Setting a sliding time window length and a sliding step length for each cross-domain service flow, and carrying out time sequence behavior statistics on the forwarded safety self-description data units in each sliding time window, wherein the time sequence behavior statistics comprise the number of the safety self-description data units which belong to control instruction issuing and parameter adjustment, the number of accessed devices or measuring point sets in the sliding time window, the minimum time interval between adjacent control instructions or parameter adjustment and the number of the safety self-description data units marked as blocking in the sliding time window;
And according to a pre-configured behavior abnormality judgment rule, judging at least one of the conditions that the quantity of the control instructions issued exceeds a quantity threshold, the quantity of the accessed devices or the quantity of the measuring point sets exceeds an object quantity threshold, the minimum time interval is lower than a time interval threshold and the blocking quantity exceeds a blocking quantity threshold as abnormal behaviors, and associating a sliding time window in which the abnormal behaviors occur with corresponding cross-domain service flow identifiers and session token identifiers.
The sliding time window length refers to the time span used for behavior statistics; it can be configured as a fixed duration or adjusted dynamically according to service flow characteristics, can be realized through system configuration parameters, and aims to adapt to the real-time requirements of different cross-domain service flows, avoiding the dilution of abnormal behavior caused by a window that is too large and the misjudgment caused by a window that is too small. The sliding step length refers to the time interval by which the window moves, which can be set at equal or unequal intervals and can be realized through a clock synchronization mechanism; its aim is to balance statistical precision against system overhead and ensure the continuity and timeliness of behavior monitoring. The number of safety self-description data units belonging to control instruction issuing and parameter adjustment refers to a counting index for high-sensitivity service instructions; it can be realized through an instruction type analysis module, and its aim is to focus on key service operations and accurately identify instruction-injection type attacks. The number of accessed devices or measuring point sets in a sliding time window refers to a quantization index of the operation object range; it can be realized through set operations on object identifiers, and its aim is to detect abnormal expansion of the access range and prevent override scanning behavior. The minimum time interval between adjacent control instructions or parameter adjustments refers to the extreme value of the time difference between consecutive instructions; it can be realized through timestamp comparison logic, and its aim is to capture high-frequency instruction flooding attacks and identify abnormal operation frequencies. The number of safety self-description data units marked as blocked in the sliding time window refers to an accumulated count of security events; it can be realized through a blocking aggregation module, and its aim is to reflect the execution of the security policy and quantify policy conflicts.
The method comprises the steps of enabling a statistics window to be capable of dynamically matching service flow characteristics by independently configuring sliding time window length and sliding step length for each cross-domain service flow, conducting multidimensional time sequence behavior statistics on forwarded safety self-description data units in the window, enabling control instruction quantity, access object range, instruction time interval and blocking event to be included in a unified analysis framework, comparing a statistics result with a dynamic threshold value based on a pre-configured behavior abnormality judgment rule, judging abnormal behavior when any index exceeds the threshold value range, and meanwhile establishing association between the abnormal window and a cross-domain service flow identifier and a session token identifier to ensure that abnormal positioning is accurate to specific service flows and session contexts. The design realizes multidimensional monitoring of business intention, access range, time frequency and strategy conflict, so that the system can distinguish normal business fluctuation and real threat from a historical baseline, and the recognition lag problem caused by single-dimension statistics is avoided.
As a specific implementation mode, the scheme of the application is applied to the remote control service flow in a power scheduling scenario, and the system configures a sliding time window length and a sliding step length for the cross-domain service flow. During the running period of a certain sliding time window, the system counts in real time the number of control instruction issuing type data units among the forwarded safety self-description data units, and simultaneously records the number of accessed substation devices, the minimum time interval between adjacent control instructions and the number of blocked data units. When the system detects that the number of control instructions is higher than the conventional level, the number of accessed devices exceeds the preset range, the minimum instruction time interval is abnormally shortened and blocking events occur frequently, an abnormality judgment is triggered according to the behavior abnormality judgment rule, and the abnormal window is bound to the corresponding cross-domain service flow identifier and session token identifier.
Through the scheme, the method and the device can accurately capture potential risks such as overhigh control instruction frequency, abnormal expansion of the access object range, centralized occurrence of blocking events and the like, realize timely identification and positioning of abnormal behaviors, enable the safety strategy to be dynamically converged and adjusted, and solve the problem that the safety strategy cannot respond timely due to abnormal behavior identification lag.
In practical application, in some embodiments of the present application, a mechanism for time sequence behavior statistics and abnormal behavior identification of cross-domain traffic flows based on a sliding time window is provided; however, in the implementation process, the system can only determine abnormal behavior and lacks dynamic response capability, so that the security policy cannot be adjusted in time after an abnormality is detected. As a result, override access or frequency abnormal behavior may continue to occur, security risks cannot be effectively converged, the access object range and number conditions are difficult to tighten accurately according to the abnormality type, and the traffic flow cannot be thoroughly blocked even when the abnormality persists, leaving potential safety hazards in cross-domain data transmission.
In this regard, the present application further proposes that, upon recognition of an abnormal behavior, the method comprises:
When the abnormal behavior is that the number of accessed devices or the number of measuring point sets exceeds the object number threshold, the access object range defined by the corresponding session token is contracted from a plurality of measuring point sets or a plurality of device sets into a single measuring point set or a single device set;
When the abnormal behavior is that the quantity of control instructions issued exceeds a quantity threshold or the blocking quantity exceeds a blocking quantity threshold, reducing the quantity of safety self-description data units allowed to pass in a session defined by a corresponding session token and the quantity of safety self-description data units allowed to pass in unit time to a quantity lower limit threshold;
when abnormal behavior occurs in a plurality of continuous sliding time windows, the corresponding session token is deactivated, the subsequent secure self-description data units belonging to the cross-domain service flow are blocked during the deactivation, and the deactivation information, the cross-domain service flow identification and the session token identification are recorded.
In practical application, the object number threshold refers to a preset threshold for judging whether the access object range is abnormal; it can be realized as a fixed threshold or as a threshold dynamically calculated from historical behavior data, and its aim is to identify unauthorized access behavior in time. Shrinking the access object range into a single measuring point set or a single equipment set refers to limiting the range of objects allowed to be accessed to a single entity; it can be realized by updating the access control list of the session token, and its aim is to immediately shrink the attack surface when an abnormality occurs while maintaining basic service continuity. The number threshold and the blocking number threshold refer to thresholds used respectively for judging the frequency of control instructions and the frequency of blocking events; they can be realized by adopting a sliding average algorithm or a peak detection mechanism, and their aim is to prevent the cumulative effect of high-frequency malicious operations. Reducing the number condition to the number lower limit threshold refers to limiting the passing number of safety self-description data units to the lowest safety level; it can be realized by dynamically adjusting the limit value of the counter in the session token, and its aim is to balance security and service efficiency through a stepped tightening strategy. The plurality of continuous sliding time windows refers to the condition that abnormal behavior is judged in several consecutive windows in time sequence; it can be realized by continuously analyzing the time sequence of abnormal events under the session token, and its aim is to distinguish a persistent abnormality from a transient fluctuation. Deactivating the session token and recording the deactivation information, the cross-domain service flow identifier and the session token identifier can be realized by persistently recording the deactivation state together with the associated identifiers, so that the abnormal event sequence and the resulting state are completely recorded.
Specifically, the scheme of the application realizes the closed-loop optimization of the safety control mechanism by triggering differentiated dynamic response strategies according to the type and the persistence of the abnormal behavior. When the abnormal behavior is identified, the system starts corresponding response according to the specific expression form of the abnormality, namely, if the abnormality appears that the number of the accessed equipment or the measuring point set exceeds the threshold value of the number of the objects, the range of the accessed objects is immediately contracted to a single entity to limit the diffusion of potential unauthorized access, if the abnormality appears that the number of the issued control instructions or the blocking number exceeds the corresponding threshold value, the number of the safety self-description data units in a session and in unit time is reduced to a lower threshold value to prevent the cumulative effect of the frequency abnormality, and if the abnormality repeatedly appears in a plurality of continuous sliding time windows, the session token is stopped and the subsequent data units are blocked, and the stopping information is recorded. The fine-granularity response mechanism based on the abnormal context enables the security policy to change from passive detection to active defense, ensures rapid convergence risk when the abnormality occurs through accurate mapping of the abnormality type and the response measure, and avoids failure of the security mechanism.
The method comprises the steps of when detecting that the number of devices accessed by a cross-domain service flow in a sliding time window exceeds an object number threshold, shrinking an access object range defined by a session token corresponding to the service flow from a plurality of device sets to a single device set, if detecting that the number of control instructions issued exceeds the number threshold, further reducing the number of allowed safe self-description data units in the session defined by the session token and the number of allowed safe self-description data units in unit time to a number lower limit threshold, if abnormal actions repeatedly occur in a plurality of continuous sliding time windows, disabling the session token, blocking the safe self-description data units belonging to the cross-domain service flow later during the disabling period, and associating disabling information with a cross-domain service flow identifier and a session token identifier.
Through the scheme, the access object range and the number condition can be accurately tightened according to the type of the abnormal behavior, the service flow is thoroughly blocked when the abnormality is continuous, the problem of strategy adjustment lag after abnormality detection is solved, and the dynamic response capacity and the risk convergence efficiency of the security strategy in cross-domain data transmission are improved.
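The sliding-window statistics, the behavior abnormality judgment rules and the three differentiated responses (range contraction, quantity reduction, deactivation after consecutive abnormal windows) described in the two preceding sections, as one added Python example that is not code from the patent; the class and field names, the threshold values and the choice of which single set to keep on contraction are assumptions, and the traffic records are constructed sample data.

```python
# Added example (not the patent's own code); class and field names are assumptions.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

SENSITIVE_TYPES = {"control_issue", "param_adjust"}  # high-sensitivity instructions

@dataclass(frozen=True)
class UnitRecord:  # one secure self-description data unit as seen by the monitor
    timestamp: float
    instruction_type: str
    access_objects: FrozenSet[str]
    blocked: bool = False

@dataclass
class Thresholds:  # the four pre-configured behaviour-abnormality thresholds
    instruction_count: int
    object_count: int
    min_interval: float  # seconds
    blocked_count: int

@dataclass
class TokenPolicy:  # adjustable limits of one session token (assumed shape)
    token_id: str
    flow_id: str
    allowed_objects: Set[str]  # measuring-point / device set identifiers
    max_in_session: int
    max_per_window: int
    active: bool = True

Stats = Tuple[int, int, Optional[float], int]  # sensitive, objects, min gap, blocked

def window_stats(records: List[UnitRecord], start: float, length: float) -> Stats:
    """Time-sequence statistics over the units inside [start, start + length)."""
    in_win = [r for r in records if start <= r.timestamp < start + length]
    forwarded = [r for r in in_win if not r.blocked]
    sensitive_ts = sorted(r.timestamp for r in forwarded if r.instruction_type in SENSITIVE_TYPES)
    objects = set().union(*(r.access_objects for r in forwarded))
    gaps = [b - a for a, b in zip(sensitive_ts, sensitive_ts[1:])]
    return (len(sensitive_ts), len(objects), min(gaps) if gaps else None,
            sum(r.blocked for r in in_win))

def judge(stats: Stats, th: Thresholds) -> List[str]:
    """Apply the judgment rules; returns the names of the rules that fired."""
    sensitive, objects, min_gap, blocked = stats
    fired = []
    if sensitive > th.instruction_count:
        fired.append("instruction_count")
    if objects > th.object_count:
        fired.append("object_count")
    if min_gap is not None and min_gap < th.min_interval:
        fired.append("min_interval")
    if blocked > th.blocked_count:
        fired.append("blocked_count")
    return fired

@dataclass
class BehaviorMonitor:
    window_length: float
    step: float
    thresholds: Thresholds
    lower_limit: int        # quantity lower-limit threshold
    consecutive_limit: int  # abnormal windows in a row before deactivation
    records: List[UnitRecord] = field(default_factory=list)
    consecutive_abnormal: int = 0
    anomalous_windows: List[Dict] = field(default_factory=list)
    events: List[Dict] = field(default_factory=list)

    def respond(self, policy: TokenPolicy, fired: List[str]) -> None:
        if "object_count" in fired and len(policy.allowed_objects) > 1:
            # Contract to a single set; keeping the lexically first one is an assumption.
            policy.allowed_objects = {min(policy.allowed_objects)}
        if "instruction_count" in fired or "blocked_count" in fired:
            policy.max_in_session = min(policy.max_in_session, self.lower_limit)
            policy.max_per_window = min(policy.max_per_window, self.lower_limit)
        if self.consecutive_abnormal >= self.consecutive_limit and policy.active:
            policy.active = False  # later units of this flow are blocked
            self.events.append({"event": "token_deactivated", "flow_id": policy.flow_id,
                                "token_id": policy.token_id, "windows": self.consecutive_abnormal})

    def evaluate_window(self, start: float, policy: TokenPolicy) -> List[str]:
        fired = judge(window_stats(self.records, start, self.window_length), self.thresholds)
        self.consecutive_abnormal = self.consecutive_abnormal + 1 if fired else 0
        if fired:  # bind the abnormal window to its flow and session token
            self.anomalous_windows.append({"window_start": start, "rules": fired,
                                           "flow_id": policy.flow_id, "token_id": policy.token_id})
            self.respond(policy, fired)
        return fired

    def slide(self, policy: TokenPolicy, until: float) -> List[List[str]]:
        # Evaluate every window ending at or before `until`, advancing by the step length.
        results, start = [], 0.0
        while start + self.window_length <= until:
            results.append(self.evaluate_window(start, policy))
            start += self.step
        return results

# Constructed sample traffic for one remote-control flow (not real data).
SAMPLE_RECORDS = [UnitRecord(t, k, frozenset({o}), b) for t, k, o, b in [
    (0.0, "control_issue", "mp_set_A", False), (5.0, "control_issue", "mp_set_A", False),
    (10.0, "measurement_upload", "mp_set_A", False), (15.0, "control_issue", "mp_set_B", False),
    (15.5, "control_issue", "mp_set_C", False), (20.0, "param_adjust", "mp_set_A", True),
    (40.0, "control_issue", "mp_set_A", False), (41.0, "control_issue", "mp_set_A", False),
    (42.0, "control_issue", "mp_set_A", False), (43.0, "control_issue", "mp_set_A", False)]]
```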
In summary, the application takes the production control security domain and the management information security domain as boundaries, pre-configures cross-domain service flow information around cross-domain service demands, solidifies the cross-domain service flow identifier, service intention label and access object range, encapsulates each item of service data into a safety self-description data unit carrying service semantics and service instruction types by analyzing industrial communication protocol messages at the service data generation side, so that the transverse isolation path not only sees network messages but also senses which types of services are operating; generates a session token corresponding one-to-one to the cross-domain service flow identifier based on the cross-domain service flow baseline model when the cross-domain service first appears; compares item by item characteristic data such as the service instruction type, access object, arrival time and the number of safety self-description data units passing in the session and in unit time with the session token limiting conditions, realizing semantic-level access control over the safety self-description data units; maintains a sliding time window in units of the cross-domain service flow, carries out time sequence behavior statistics on the forwarded safety self-description data units, judges abnormal behaviors according to the behavior abnormality judgment rules, and automatically tightens or disables the access object range and number conditions of the corresponding session token, forming a closed loop of detection and response; thereby solving the problems in the prior art that fine-grained dynamic control based on cross-domain business flow semantics and the access object range is lacking and that unauthorized access and frequency abnormal control behaviors through legal channels are difficult to discover in time.
In another preferred manner of the foregoing embodiment, referring to fig. 2, the present embodiment provides a power system lateral isolation and security data transmission system, which is configured to apply the foregoing power system lateral isolation and security data transmission method, and includes:
The production control security domain and the management information security domain are connected through a transverse isolation path;
The production control security domain is provided with a service data processing device, the service data processing device is used for collecting cross-domain service flow information to which the service data belongs and packaging the service data into a safe self-description data unit when the service data needs to be transmitted between the production control security domain and the management information security domain, so that the head information of the safe self-description data unit carries the cross-domain service flow information and service instruction types, and the service load part carries the service data corresponding to the head information;
A session control device is arranged on the transverse isolation path and is used for acquiring the head information of the first-appearing safe self-description data unit, generating a session token according to a pre-established cross-domain service flow baseline model, associating the session token with a cross-domain service flow identifier, acquiring characteristic data of the safe self-description data unit when forwarding the safe self-description data unit, comparing the characteristic data with associated session token limiting conditions, releasing the safe self-description data unit when the characteristic data meet the limiting conditions, and blocking the safe self-description data unit when the characteristic data do not meet the limiting conditions;
The behavior monitoring device is used for maintaining sliding time windows by taking the cross-domain service flow as a unit, carrying out time sequence behavior statistics on the forwarded safety self-description data units in each sliding time window, identifying abnormal behaviors according to the behavior abnormality judgment rules, tightening or disabling the access object range and the number condition defined by the corresponding session token when the abnormal behaviors are identified, and blocking the follow-up safety self-description data units belonging to the cross-domain service flow.
It can be understood that by combining the semantic packaging mechanism of the secure self-description data unit and the dynamic control mechanism of the session token in a cooperative manner and introducing cross-domain traffic flow time sequence behavior statistics based on a sliding time window, source binding of traffic intention labels and access object ranges and self-adaptive dynamic convergence of session ranges are realized, and the effects of timely detecting unauthorized access and frequency abnormal behaviors are achieved. The business data processing device codes business intention labels and access object ranges to the head of the safe self-description data unit in a unified mode in a data packaging stage to enable business semantics and access constraint to be tightly coupled, the session control device generates a session token based on a cross-domain business flow baseline model, characteristic data and token limiting conditions are compared in real time to accurately identify and block unauthorized access behaviors, the behavior monitoring device dynamically adjusts the access range and quantity conditions of the session token according to time sequence behavior statistical results in a sliding time window, and self-adaptive convergence of a security policy along with business behavior changes is ensured. In summary, the problems of cross-domain business semantics and access constraint unhooking and difficult dynamic convergence of session range are solved through a closed-loop mechanism of semantic packaging, tokenization control and dynamic policy adjustment.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made to the specific embodiments of the present invention without departing from the spirit and scope of the present invention, and any modifications and equivalents are intended to be included in the scope of the claims of the present invention.