Electric power internet of things terminal safety state evaluation method and device and storage medium

Document No.: 291277  Publication date: 2021-11-23  Language: Chinese

Reading note: this technology, 一种电力物联终端安全状态评估方法、装置及存储介质 (Electric power internet of things terminal safety state evaluation method and device and storage medium), was designed and created by 陈璐, 邵志鹏, 马媛媛, 李尼格 and 陈牧 on 2021-07-23. Its main content is as follows: the invention discloses a method, a device and a storage medium for evaluating the safety state of an electric power internet of things terminal. The method comprises: acquiring historical alarm data and generating alarm data in a preset format; preprocessing the alarm data to obtain effective alarm data; performing correlation analysis on the alarm data according to homologous clustering analysis and multi-source clustering analysis to obtain the threat index of the alarms to the terminal; and calculating the safety index of the power internet of things terminal according to the threat index. By implementing the invention, terminal safety evaluation is carried out along the dimensions of data preprocessing, alarm event threat evaluation and safety index calculation; the abnormal index of the power internet of things terminal during dynamic operation is calculated, so that low-safety terminals can be effectively identified among massive repeated and invalid alarms. The method therefore achieves an objective safety evaluation of the electric power internet of things terminal.

1. A safety state evaluation method for an electric power internet of things terminal is characterized by comprising the following steps:

acquiring historical alarm data and generating alarm data in a preset format;

preprocessing the alarm data to obtain effective alarm data;

performing correlation analysis on alarm data according to homologous clustering analysis and multisource clustering analysis to obtain a threat index of the alarm to the terminal;

and calculating to obtain the safety index of the power internet of things terminal according to the threat index.

2. The method for evaluating the safety state of the power internet of things terminal according to claim 1, wherein the step of preprocessing the alarm data to obtain effective alarm data comprises the following steps:

and carrying out invalid alarm deletion and false alarm deletion on the alarm data to obtain effective alarm data, wherein the invalid alarm deletion comprises irregular data deletion and repeated alarm data deletion, and the false alarm deletion comprises periodic alarm deletion and frequent alarm sequence deletion.

3. The electric power internet of things terminal safety state evaluation method according to claim 2, wherein the periodic alarm deletion comprises:

classifying the effective alarms, and determining the alarm types and alarm devices which are larger than a threshold value;

constructing a time sequence according to the alarm quantity corresponding to the alarm type generated in the preset time of the alarm equipment;

performing autocorrelation analysis and discrete Fourier transform on the time series to determine an energy density function of each frequency;

determining a period of the time series according to the energy density function;

and judging the alarm type and the alarm equipment according to the period, and deleting the alarm type and the alarm equipment as periodic alarms when the alarm type and the alarm equipment occur at intervals of the period.

4. The electric power internet of things terminal safety state evaluation method according to claim 2, wherein the frequent alarm sequence deletion comprises:

acquiring a shortest alarm sequence generated by a preset number of electric power internet of things terminals within a preset time;

calculating the ratio of the power internet of things terminal with the subsequence to the total number of the power internet of things terminals according to the union set of the subsequences of all the sequences in the shortest alarm sequence;

and deleting the frequent alarm sequence when the ratio is greater than a preset threshold value.

5. The electric power internet of things terminal safety state evaluation method according to claim 2, further comprising:

forming a rule base according to the data which do not belong to the periodic alarm and the data which belong to the frequent alarm;

matching the alarm data in a preset format with the data in the rule base;

and forming effective alarm data according to the successfully matched data.

6. The electric power internet of things terminal safety state evaluation method according to claim 1, wherein the association analysis is performed on alarm data according to the homologous cluster analysis and the multisource cluster analysis to obtain a threat index of an alarm to the terminal, and the method comprises the following steps:

determining the number of each type of alarm of each terminal according to the homologous clustering analysis;

determining the times of occurrence of each type of alarm and the number of terminals of each type of alarm according to multi-source clustering analysis;

and calculating the threat index of the alarm to the terminal according to the number of each type of alarm appearing on each terminal, the frequency of each type of alarm appearing and the number of terminals with each type of alarm appearing.

7. The method for evaluating the safety state of the power internet of things terminal according to claim 1, wherein the step of calculating the safety index of the power internet of things terminal according to the threat index comprises the following steps:

calculating to obtain the safety values of the electric power internet of things terminal at the previous moment and the current moment according to the threat index;

determining a safety factor according to the safety value at the previous moment and whether the safety threat is effectively processed or not;

and calculating to obtain the safety index of the power internet of things terminal at the current moment according to the safety values and the safety factors at the previous moment and the current moment.

8. An electric power internet of things terminal safety state evaluation device, characterized in that it comprises:

the data acquisition module is used for acquiring historical alarm data and generating alarm data in a preset format;

the preprocessing module is used for preprocessing the alarm data to obtain effective alarm data;

the threat analysis module is used for carrying out correlation analysis on the alarm data according to the homologous clustering analysis and the multisource clustering analysis to obtain a threat index of the alarm to the terminal;

and the safety evaluation module is used for calculating the safety index of the power internet of things terminal according to the threat index.

9. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions for causing the computer to execute the safety state assessment method of the power internet of things terminal according to any one of claims 1 to 7.

10. An electronic device, comprising a memory and a processor that are communicatively connected to each other, wherein the memory stores computer instructions, and the processor executes the computer instructions so as to carry out the electric power internet of things terminal safety state evaluation method according to any one of claims 1-7.

Technical Field

The invention relates to the technical field of electric power information, in particular to a method and a device for evaluating the safety state of an electric power internet of things terminal and a storage medium.

Background

In recent years, the development of the power internet of things and the change of the safety situation bring new requirements on network safety, particularly the safety of an internet of things terminal. The attack type aiming at the terminal is complex, the terminal protection is limited by self conditions and running environment, the security protection is difficult to be realized, and the security protection capability of the terminal side is not synchronous. The terminal of the internet of things is used as a basic level 'information collector' and an 'instruction executor' of the power internet of things, is various and large in quantity, has wide risk exposure range, and is extremely easy to be attacked in all aspects.

At present, no safety consideration is made in the design and development of much of the software of the internet of things terminal, such as the operating system, firmware and service applications, so that the software has security holes and defects in its coding or logic which an attacker can illegally exploit or damage without authorization. The large amount of important information stored in the electric power internet of things terminal, such as user identities, electric power operation and maintenance data and power grid management data, gives the terminal great attack value. At present, the electric power internet of things terminal mostly adopts a Linux operating system; while its open-source nature and similar characteristics enhance the functions of the terminal and improve application flexibility, they also provide a channel for various types of attacks such as system bugs and malicious applications.

At present, a power system has some monitoring technologies and means to support data acquisition and monitoring of an internet of things terminal, but still has some problems to be solved:

(1) the monitoring data format is complicated, and the unified storage processing difficulty is increased. The monitoring data come from different data acquisition sources, and the data often have completely different format fields, which causes great difficulty in data storage. And the problems of a large amount of noise in the original data, how to process a large amount of missing fields, how to process the data so that the data is suitable for subsequent analysis, that different data records collected from different data sources are likely to be redundant records, and the like all bring great challenges to subsequent further security analysis.

(2) Large-scale data acquisition and uploading face performance challenges, and the proportion of invalid data transmission is large. For monitoring data analysis, existing work mainly analyzes data such as system calls and information flows generated by terminal monitoring, and the detection environment considered is mainly an experimental one in which the question is whether one or more applications are malicious. In the environment of electric power internet of things safety monitoring, the monitored objects are the mass of actual operating terminals in provinces across the whole country, so large-scale collection and uploading of such data is unrealistic; what is mainly monitored are the violating or abnormal behaviors possibly shown by terminal application and state data, or the abnormal events generated by a terminal safety monitoring module.

(3) There are a large number of historical repeated invalid alarms which cannot be resolved by manual means. The safety monitoring alarm data are repeated in large quantity, a manual approach is unrealistic in the face of mass data, and the existing analysis methods cannot analyze the alarm data so as to identify the malicious behaviors hidden behind it.

Therefore, how to effectively process and analyze alarm data in the power internet of things terminal and perform safety assessment on the power internet of things terminal according to the analysis of the alarm data becomes a technical problem to be solved urgently in the technical field of power information.

Disclosure of Invention

In view of this, embodiments of the present invention provide a method, an apparatus, and a storage medium for evaluating a security state of an electric power internet of things terminal, so as to solve how to evaluate the electric power internet of things terminal based on massive alarm data in the prior art.

The technical scheme provided by the invention is as follows:

the first aspect of the embodiments of the present invention provides a method for evaluating a security state of an electric power internet of things terminal, including: acquiring historical alarm data and generating alarm data in a preset format; preprocessing the alarm data to obtain effective alarm data; performing correlation analysis on alarm data according to homologous clustering analysis and multisource clustering analysis to obtain a threat index of the alarm to the terminal; and calculating to obtain the safety index of the power internet of things terminal according to the threat index.

Optionally, preprocessing the alarm data to obtain effective alarm data, including: and carrying out invalid alarm deletion and false alarm deletion on the alarm data to obtain effective alarm data, wherein the invalid alarm deletion comprises irregular data deletion and repeated alarm data deletion, and the false alarm deletion comprises periodic alarm deletion and frequent alarm sequence deletion.

Optionally, the periodic alarm deletion includes: classifying the effective alarms, and determining the alarm types and alarm devices which are larger than a threshold value; constructing a time sequence according to the alarm quantity corresponding to the alarm type generated in the preset time of the alarm equipment; performing autocorrelation analysis and discrete Fourier transform on the time series to determine an energy density function of each frequency; determining a period of the time series according to the energy density function; and judging the alarm type and the alarm equipment according to the period, and deleting the alarm type and the alarm equipment as periodic alarms when the alarm type and the alarm equipment occur at intervals of the period.

Optionally, the frequent alert sequence deletion includes: acquiring a shortest alarm sequence generated by a preset number of electric power internet of things terminals within a preset time; calculating the ratio of the power internet of things terminal with the subsequence to the total number of the power internet of things terminals according to the union set of the subsequences of all the sequences in the shortest alarm sequence; and deleting the frequent alarm sequence when the ratio is greater than a preset threshold value.

Optionally, the method for evaluating the safety state of the power internet of things terminal further includes: forming a rule base according to the data which do not belong to the periodic alarm and the data which belong to the frequent alarm; matching the alarm data in a preset format with the data in the rule base; and forming effective alarm data according to the successfully matched data.

Optionally, performing association analysis on the alarm data according to the homologous clustering analysis and the multisource clustering analysis to obtain a threat index of the alarm to the terminal, including: determining the number of each type of alarm of each terminal according to the homologous clustering analysis; determining the times of occurrence of each type of alarm and the number of terminals of each type of alarm according to multi-source clustering analysis; and calculating the threat index of the alarm to the terminal according to the number of each type of alarm appearing on each terminal, the frequency of each type of alarm appearing and the number of terminals with each type of alarm appearing.

Optionally, the calculating the safety index of the power internet of things terminal according to the threat index includes: calculating to obtain the safety values of the electric power internet of things terminal at the previous moment and the current moment according to the threat index; determining a safety factor according to the safety value at the previous moment and whether the safety threat is effectively processed or not; and calculating to obtain the safety index of the power internet of things terminal at the current moment according to the safety values and the safety factors at the previous moment and the current moment.

A second aspect of the embodiments of the present invention provides an apparatus for evaluating a security state of an electric power internet of things terminal, including: the data acquisition module is used for acquiring historical alarm data and generating alarm data in a preset format; the preprocessing module is used for preprocessing the alarm data to obtain effective alarm data; the threat analysis module is used for carrying out correlation analysis on the alarm data according to the homologous clustering analysis and the multisource clustering analysis to obtain a threat index of the alarm to the terminal; and the safety evaluation module is used for calculating the safety index of the power internet of things terminal according to the threat index.

A third aspect of the embodiments of the present invention provides a computer-readable storage medium, where computer instructions are stored, where the computer instructions are configured to cause a computer to execute the method for evaluating a security state of an electric power internet of things terminal according to the first aspect of the embodiments of the present invention or any one of its optional implementations.

A fourth aspect of an embodiment of the present invention provides an electronic device, comprising a memory and a processor that are communicatively connected to each other, wherein the memory stores computer instructions, and the processor executes the computer instructions so as to carry out the safety state evaluation method of the power internet of things terminal according to the first aspect of the embodiments of the invention or any one of its optional implementations.

The technical scheme provided by the invention has the following effects:

according to the method, the device and the storage medium for evaluating the safety state of the power internet of things terminal provided by the embodiment of the invention, the terminal safety evaluation is carried out from the dimensions of data preprocessing, alarm event threat evaluation and safety index calculation; meanwhile, historical alarm data are subjected to correlation analysis, and abnormal indexes of the power internet of things terminal during dynamic operation are calculated using the idea of the TF-IDF algorithm in combination with homologous clustering correlation and heterologous correlation analysis, so that the low-safety terminal can be effectively identified from massive repeated invalid alarms. Therefore, the safety state evaluation method of the electric power internet of things terminal realizes an objective safety evaluation of the electric power internet of things terminal.

According to the safety state evaluation of the power internet of things terminal provided by the embodiment of the invention, when the periodic deletion is carried out, the alarm period is calculated using correlation analysis, the Fourier transform and the F distribution model, so that periodic false alarms are deleted; this avoids the situation in which alarms caused by the normal network activity of the terminal submerge the alarms generated by real attacks and interfere with the behavior analysis of the terminal.

The safety state evaluation of the electric power internet of things terminal provided by the embodiment of the invention is used for calculating the terminal safety index by combining the homologous clustering analysis and the multisource clustering analysis of the alarm data, wherein the homologous clustering is used for finding the abnormal behavior which is generated by a certain terminal and has larger difference with the historical behavior of the certain terminal, and the multisource clustering is used for finding the abnormal behavior which is generated by the certain terminal and has larger difference with other same application terminals when the certain terminal is used and applied, so that the damage degree of an alarm event to the electric power internet of things terminal is comprehensively evaluated.

According to the safety state evaluation of the power internet of things terminal provided by the embodiment of the invention, the calculated safety index is composed of two parts, wherein one part is the influence of the safety index of the terminal i at the T-T moment on the safety evaluation of the terminal in the next period. The other part is the security index of the terminal i during time T. Since the terminal i is attacked before T-T and the network maintenance administrator does not take effective measures, the security index of the terminal will continuously affect the security index of the next evaluation period.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.

Fig. 1 is a flowchart of a method for evaluating a safety state of an electric power internet of things terminal according to an embodiment of the invention;

fig. 2 is a flowchart of a method for evaluating a security status of an electric power internet of things terminal according to another embodiment of the present invention;

fig. 3 is a flowchart of a method for evaluating a security status of an electric power internet of things terminal according to another embodiment of the present invention;

fig. 4 is a flowchart of a method for evaluating a security status of an electric power internet of things terminal according to another embodiment of the present invention;

fig. 5 is a flowchart of a method for evaluating a security status of an electric power internet of things terminal according to another embodiment of the present invention;

fig. 6 is a flowchart of a method for evaluating a security status of an electric power internet of things terminal according to another embodiment of the present invention;

fig. 7 is a flowchart of a method for evaluating a security status of an electric power internet of things terminal according to another embodiment of the present invention;

fig. 8 is a block diagram of a safety state evaluation device of an electric power internet of things terminal according to an embodiment of the invention;

FIG. 9 is a schematic structural diagram of a computer-readable storage medium provided in accordance with an embodiment of the present invention;

fig. 10 is a schematic structural diagram of an electronic device provided in an embodiment of the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The embodiment of the invention provides a method for evaluating the safety state of an electric power internet of things terminal, which comprises the following steps as shown in fig. 1 and fig. 2:

step S101: acquiring historical alarm data and generating alarm data in a preset format; specifically, historical alarm data may be collected from a security monitoring system when it is acquired. The collected alarm data not only comprises the alarm data of the power terminal, but also comprises application safety alarm data, network safety alarm data and environment monitoring alarm data. Because the data sources are different, the formation reasons are different, and the like, the historical alarm data contains a large amount of heterogeneous alarm data. To facilitate analysis and evaluation of these data, the historical alarm data may be integrated into alarm data in a predetermined format.

In one embodiment, the preset format of the alarm data may be represented by a six-tuple <time, type, device_id, app_id, alert_id, priority, content>. Wherein: time represents the time of alarm generation; type represents the alarm type; device_id represents the unique identifier of the terminal; app_id represents the unique identifier of the application; alert_id represents the unique identifier of the alert information; priority represents the priority of the alarm information; content indicates the alert content. In addition, the alarm data can be integrated into other formats according to actual needs.

Step S102: preprocessing the alarm data to obtain effective alarm data; specifically, due to network transmission delay and the like, a large amount of redundant and irregular data also exists in the alarm data. Therefore, for the alarm data with the preset format, preprocessing is also needed, such as deleting irregular and redundant data, and improving the data quality.

Step S103: performing correlation analysis on alarm data according to homologous clustering analysis and multisource clustering analysis to obtain a threat index of the alarm to the terminal; specifically, after valid alarm data is obtained, correlation analysis may be performed thereon. And during the correlation analysis, the idea of the TF-IDF algorithm can be used for reference, and the correlation analysis is carried out by combining the homologous clustering and the multisource clustering of the alarm data. The homologous clustering is used for finding abnormal behaviors generated by a certain terminal and greatly different from the historical behaviors, and the multisource clustering is used for finding abnormal behaviors generated by a certain terminal when the terminal uses an application and greatly different from other terminals using the same application. And evaluating the degree of harm of the alarm event to the power internet of things terminal by performing homologous alarm and heterologous alarm correlation analysis on terminal historical data to obtain a threat index of the alarm to the terminal.

Step S104: calculating the safety index of the power internet of things terminal according to the threat index. Specifically, the threat indexes of the different alarm events on the terminal are obtained by calculation, and from them the safety index of the power internet of things terminal can be obtained. Meanwhile, all the terminals can be ranked from low to high according to the calculated safety indexes, and the identification of the high-risk terminals is output. The network operation and maintenance personnel then pay attention to the running state of the high-risk terminals according to this identification, analyze their running rules and locate the cause of the risk.

According to the method for evaluating the safety state of the power internet of things terminal provided by the embodiment of the invention, the terminal safety evaluation is carried out from the dimensions of data preprocessing, alarm event threat evaluation and safety index calculation; meanwhile, historical alarm data are subjected to correlation analysis, and abnormal indexes of the power internet of things terminal during dynamic operation are calculated using the idea of the TF-IDF algorithm in combination with homologous clustering correlation and heterologous correlation analysis, so that the low-safety terminal can be effectively identified from massive repeated invalid alarms. Therefore, the safety state evaluation method of the electric power internet of things terminal realizes an objective safety evaluation of the electric power internet of things terminal.

As an optional implementation manner of the embodiment of the present invention, preprocessing the alarm data to obtain effective alarm data includes: and carrying out invalid alarm deletion and false alarm deletion on the alarm data to obtain effective alarm data, wherein the invalid alarm deletion comprises irregular data deletion and repeated alarm data deletion, and the false alarm deletion comprises periodic alarm deletion and frequent alarm sequence deletion.

In one embodiment, the invalid alarms include two types. One type is non-normative data, such as incomplete fields, incorrect parameters, out-of-range settings, and the like; such non-normative data may be deleted by setting a filtering rule. The other type is the repeated alarm, that is, records whose alarm time interval lies within a specific range and whose attributes are completely consistent. This can be expressed as: for two alarms alert_id1 and alert_id2 generated by the same application on the same terminal at $t_1$ and $t_2$, if $|t_2 - t_1| < \Delta t_1$ ($\Delta t_1$ is a time threshold) and alert_id1 = alert_id2, then alert_id1 and alert_id2 are repeated alarms.

For example, four alarm types are defined in total: 1) environmental risk alarm env_alarm; 2) emulator running alarm mon_alarm; 3) application sensitive behavior alarm sense_alarm; 4) application attack behavior alarm attr_alarm. The type field may then take only one of these 4 values, and if the field is absent or is not one of these 4 types, the record is considered an invalid alarm.
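The two kinds of invalid-alarm deletion described above, worked through on constructed records in the <time, type, device_id, app_id, alert_id, priority, content> format. This is an added example and not the patent's own code; the pipe-separated record layout, the second-based time unit and the 0-4 priority range are assumptions made here.

```python
# Added example (not from the patent): invalid-alarm deletion (non-normative
# records) and repeated-alarm deletion (same terminal, same application, same
# alert_id, time gap below dt1) over alarm records in the seven-field format.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

VALID_TYPES = {"env_alarm", "mon_alarm", "sense_alarm", "attr_alarm"}
FIELDS = ("time", "type", "device_id", "app_id", "alert_id", "priority", "content")
MAX_PRIORITY = 4  # assumed range 0..4; the patent does not fix one


@dataclass(frozen=True)
class Alarm:
    time: int          # assumed unit: seconds since an arbitrary epoch
    type: str
    device_id: str
    app_id: str
    alert_id: str
    priority: int
    content: str


def parse_alarm(line: str) -> Optional[Alarm]:
    """Parse one pipe-separated record (assumed layout); None = invalid alarm."""
    parts = line.rstrip("\n").split("|")
    # incomplete fields: wrong field count or an empty mandatory field
    if len(parts) != len(FIELDS) or any(p.strip() == "" for p in parts[:6]):
        return None
    time_s, typ, dev, app, aid, prio, content = parts
    if typ not in VALID_TYPES:            # type must be one of the 4 defined
        return None
    try:                                  # incorrect parameters
        t, p = int(time_s), int(prio)
    except ValueError:
        return None
    if not 0 <= p <= MAX_PRIORITY:        # out-of-range setting
        return None
    return Alarm(t, typ, dev, app, aid, p, content)


def delete_repeats(alarms: Sequence[Alarm], dt1: int) -> List[Alarm]:
    """Drop an alarm when the last *kept* alarm with the same (device_id,
    app_id, alert_id) key is less than dt1 away: |t2 - t1| < dt1."""
    kept: List[Alarm] = []
    last_kept: Dict[Tuple[str, str, str], int] = {}
    for a in sorted(alarms, key=lambda x: x.time):
        key = (a.device_id, a.app_id, a.alert_id)
        prev = last_kept.get(key)
        if prev is not None and abs(a.time - prev) < dt1:
            continue                      # repeated alarm
        last_kept[key] = a.time
        kept.append(a)
    return kept


def preprocess(lines: Sequence[str], dt1: int) -> List[Alarm]:
    """Invalid-alarm deletion followed by repeated-alarm deletion."""
    valid = [a for a in (parse_alarm(l) for l in lines) if a is not None]
    return delete_repeats(valid, dt1)


# Constructed sample records (not real monitoring output).
SAMPLE_LINES = [
    "1000|attr_alarm|dev01|app7|A100|3|privileged process started",
    "1030|attr_alarm|dev01|app7|A100|3|privileged process started",  # repeat, 30 s later
    "1400|attr_alarm|dev01|app7|A100|3|privileged process started",  # 400 s later: kept
    "1050|env_alarm|dev02|app7|E001|1|debugger attached",
    "1060|bogus_type|dev02|app7|X999|1|unknown type",                # invalid: type
    "1070|sense_alarm|dev03||S002|2|contacts read",                  # invalid: empty app_id
    "1080|mon_alarm|dev04|app1|M003|9|emulator detected",            # invalid: priority
]

if __name__ == "__main__":
    for a in preprocess(SAMPLE_LINES, dt1=300):
        print(a.time, a.alert_id, a.device_id)
```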

In one embodiment, terminal behavior analysis is interfered with because the normal network activity of the terminal can also cause alarms, which easily overwhelm the alarms generated by real attacks. The following is found in actual networks: 1) the alarms that occur most frequently have periodic characteristics; 2) multiple devices share the same alarm subsequence. Based on these two points, the false alarm deletion comprises periodic alarm deletion and frequent alarm sequence deletion. The periodic alarm deletion uses a correlation analysis model, a Fourier transform model and an F distribution model to calculate the alarm period and delete the periodic alarms. The frequent alarm subsequence deletion takes the alarm sequences generated by the devices with fewer alarms as the candidate sequences for the calculation, and thereby deletes the frequent alarm subsequences.

A periodic alarm can be expressed as follows: for two alarms alert_id1 and alert_id2 generated on the same power internet of things terminal (or network device) at $t_1$ and $t_2$, if $0 \le |t_2 - (t_1 + nT_0)| < \Delta t_2$ ($\Delta t_2$ is a time threshold, $T_0$ is a period and $n$ is an integer) and alert_id1 = alert_id2, then the alarm is a periodic alarm with period $T_0$.

In one embodiment, as shown in fig. 3 and 4, the periodic alarm may be determined as follows:

step S201: classifying the effective alarms and determining the alarm types and alarm devices whose proportions exceed a threshold; specifically, for the determined effective alarm data or alarm log, the proportion V of each alarm type and the proportion U of each network device in the alarm data may be determined according to the preset format. Preset thresholds α and β can be set, and if V > α and U > β, the alarm type and the corresponding device number <alert_id, device_id> are recorded.

Step S202: constructing a time sequence from the number of alarms of the corresponding type generated by the alarm device per preset time; specifically, after determining the alarm types and alarm devices exceeding the thresholds, that is, the pairs <alert_id, device_id>, for each pair the number of alarms of type alert_id generated by device device_id in each preset time interval, such as per hour, may be counted, and thus a time sequence {x(t) | t ∈ N} may be constructed.

Step S203: performing autocorrelation analysis and discrete Fourier transform on the time sequence to determine an energy density function of each frequency; specifically, the constructed time series may be subjected to autocorrelation analysis, and the autocorrelation function is expressed by the following formula:

where R(m) represents a measure of the relationship between alarm occurrences at intervals of m hours. Autocorrelation analysis strengthens the periodicity of the original time sequence, but the size of the period cannot be read off the autocorrelation sequence. Thus, the generated autocorrelation sequence {R(m), 0 ≤ m < n} may be subjected to a discrete Fourier transform, defining a power spectral density function PSD(·) for each frequency, represented by the following equation:

step S204: determining the period of the time sequence according to the energy density function; specifically, the frequency point at which the energy density value is maximum can be determined from the energy density function, and thus the period of the sequence can be calculated as:

step S205: and judging the alarm type and the alarm equipment according to the period, and deleting the alarm type and the alarm equipment as periodic alarms when the alarm type and the alarm equipment occur at intervals. Specifically, autocorrelation analysis and discrete fourier transform can find the period of a periodic time series, but a period value is generated for a series without periodicity, in which case if periodic alarm deletion is performed, the true alarm may be removed, resulting in false alarm. To avoid this problem, an F distribution model can be constructed to verify the authenticity of the cycle. Therefore, the periodicity of the time sequence can be confirmed by adopting the F test, so that the alarm without relevant properties is ensured not to be deleted, and the occurrence of report missing is avoided.

In one embodiment, as shown in fig. 4 and 5, the frequent alert sequence may be determined in the following manner:

step S301: acquiring the shortest alarm sequences generated by a preset number of power internet of things terminals within a preset time; specifically, when determining frequent alarm sequences, the number of alarms generated by each network device within a preset time, such as one hour, may first be counted, and the shortest alarm sequences {s_k, 1 ≤ k ≤ C} generated by the first C normally operating network devices (those with the fewest alarms) are selected as candidate sequences, where 2 ≤ |s_k| ≤ L and L denotes the specified maximum sequence length.

Step S302: calculating, for the union of the subsequences of all sequences in the shortest alarm sequences, the ratio of the number of power internet of things terminals in which a subsequence occurs to the total number of terminals; specifically, after the shortest alarm sequences are determined, the union {sub_s_z, 1 ≤ z ≤ n0} of the subsequences of all sequences in {s_k, 1 ≤ k ≤ C} is obtained, where n0 denotes the number of all subsequences. The ratio of the number of power internet of things terminals containing each subsequence to the total number of terminals is then calculated from this union by the following formula:

where p_z denotes the ratio of the number of network devices in which the subsequence sub_s_z occurs to the total number of network devices; the indicator term in the formula denotes whether sub_s_z is a subsequence of the alarm sequence generated by the i-th device, taking the value 1 if it is and 0 otherwise; and N denotes the number of network devices in the network.

Step S303: when the ratio is larger than a preset threshold, deleting the frequent alarm sequence. Specifically, whether a subsequence is a frequent alarm sequence is determined from the calculated ratio p_z: when p_z is larger than the preset threshold θ, the subsequence is a frequent alarm sequence.
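As an added illustration of steps S301 to S303 (not the patent's own code), the following Python takes the C devices with the fewest alarms as the normally operating ones, forms the union of the contiguous subsequences (length 2 to L) of their alarm sequences, computes for each subsequence the ratio p_z of devices whose alarm sequence contains it, flags those with p_z > θ as frequent alarm sequences, and removes their occurrences from a device's sequence. The device sequences, C = 2, L = 3 and θ = 0.6 are constructed values; treating subsequences as contiguous runs is an assumption.

```python
def candidate_sequences(device_sequences, c, max_len):
    """Step S301: the C devices with the fewest alarms are taken as normally operating and
    their alarm sequences s_k (2 <= |s_k| <= max_len) become the candidate sequences."""
    ranked = sorted(device_sequences.items(), key=lambda kv: len(kv[1]))
    return [seq for _, seq in ranked[:c] if 2 <= len(seq) <= max_len]


def contiguous_subsequences(seq, max_len):
    """All contiguous subsequences of length 2..max_len, as tuples."""
    subs = set()
    for i in range(len(seq)):
        for j in range(i + 2, min(len(seq), i + max_len) + 1):
            subs.add(tuple(seq[i:j]))
    return subs


def contains(seq, sub):
    """1 if sub occurs contiguously in seq, else 0 (the indicator term of the p_z formula)."""
    width = len(sub)
    return int(any(tuple(seq[i:i + width]) == sub for i in range(len(seq) - width + 1)))


def subsequence_ratios(device_sequences, c, max_len):
    """Step S302: p_z = (number of devices whose sequence contains sub_s_z) / N."""
    union = set()
    for s in candidate_sequences(device_sequences, c, max_len):
        union |= contiguous_subsequences(s, max_len)
    n_devices = len(device_sequences)
    return {sub: sum(contains(seq, sub) for seq in device_sequences.values()) / n_devices
            for sub in union}


def frequent_subsequences(device_sequences, c, max_len, theta):
    """Step S303: subsequences with p_z > theta are frequent alarm sequences."""
    return {sub for sub, p in subsequence_ratios(device_sequences, c, max_len).items()
            if p > theta}


def delete_frequent(seq, frequent):
    """Remove every occurrence of a frequent subsequence from one device's alarm sequence,
    trying longer subsequences first at each position."""
    ordered = sorted(frequent, key=len, reverse=True)
    out, i = [], 0
    while i < len(seq):
        for sub in ordered:
            if tuple(seq[i:i + len(sub)]) == sub:
                i += len(sub)
                break
        else:
            out.append(seq[i])
            i += 1
    return out


# Constructed alarm sequences per device (alert ids in time order).  The pair "A","B" is a
# benign pattern every device emits, which the procedure should recognise as frequent.
DEVICE_SEQUENCES = {
    "dev-1": ["A", "B", "C"],
    "dev-2": ["A", "B"],
    "dev-3": ["X", "A", "B", "Y"],
    "dev-4": ["A", "B", "Z", "Z"],
    "dev-5": ["Q", "A", "B", "R", "S"],
}

if __name__ == "__main__":
    frequent = frequent_subsequences(DEVICE_SEQUENCES, c=2, max_len=3, theta=0.6)
    for dev, seq in DEVICE_SEQUENCES.items():
        print(dev, seq, "->", delete_frequent(seq, frequent))
```

With C = 2 the candidates are dev-2 and dev-1; of their subsequences only ("A", "B") occurs on all five devices (p_z = 1.0), while ("A", "B", "C") and ("B", "C") occur on one device each (p_z = 0.2), so only ("A", "B") is deleted.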

As an optional implementation manner of the embodiment of the present invention, as shown in fig. 4, a rule base may also be generated from the periodic alarms and the frequent alarm sequences, and the generated rule base is used to judge alarms. In one embodiment, the following process may be implemented: forming a rule base from the data that do not belong to periodic alarms and the data that belong to frequent alarms; matching the alarm data in the preset format against the data in the rule base; and forming effective alarm data from the successfully matched data.

Specifically, as shown in fig. 4, periodically repeated alarms can be identified according to the calculated period; at the same time, frequent alarm sequences can be identified according to the ratio p_z. When an alarm sequence is judged not to be a periodic alarm, it can be added to the rule base; likewise, when an alarm is judged to be a frequent sequence alarm, it can be added to the rule base. The collected alarm data in the preset format can then be matched against the content of the rule base: if information such as the alarm type, terminal identification and alarm content agrees with the rule base, the match succeeds and the alarm data can be used directly as effective alarm data.

As an optional implementation manner of the embodiment of the present invention, as shown in fig. 6, performing association analysis on alarm data according to homologous clustering analysis and multi-source clustering analysis to obtain a threat index of an alarm to a terminal includes:

step S401: determining the number of alarms of each type on each terminal according to homologous clustering analysis; specifically, homologous clustering looks for abnormal behavior generated by a certain terminal that differs greatly from that terminal's own historical behavior, that is, homologous clustering can be used to calculate the frequency of alarm events within a power internet of things terminal. Therefore, homologous clustering analysis is adopted, and the alarm data within the preset time are clustered by power terminal. The numbers of occurrences of the different alarm types in terminal i are represented as <device_id_i, <alert_id_j, alert_count_ij>> (1 ≤ i ≤ n, 1 ≤ j ≤ m), where device_id_i denotes the i-th terminal, alert_id_j denotes the j-th alarm type, alert_count_ij denotes the number of j-th type alarms in the i-th terminal, n is the number of terminals and m is the number of alarm types. The number of alarms of each type occurring at each terminal is calculated by the following formula:

step S402: determining the times of occurrence of each type of alarm and the number of terminals of each type of alarm according to multi-source clustering analysis; specifically, the multi-source clustering is to find abnormal behaviors with larger differences between some terminals and other terminals using the same application when the terminals use the application, that is, the multi-source clustering can calculate the distribution condition of alarm events in the terminals. Therefore, the alarm data in the T time are clustered according to the alarm types by adopting a heterogeneous analysis algorithm, and the jth alarm distribution condition is represented by using a triple group<alert_idj、totalj、device_countj>(1. ltoreq. j. ltoreq.m) wherein: total ofjIndicating the number of occurrences of class j alarms in the network, device _ countjIndicating the number of terminals that generated the alarm distribution of class j. The number of times each type of alarm occurs and the number of terminals for which each type of alarm occurs are calculated as follows:

step S403: and calculating the threat index of the alarm to the terminal according to the number of each type of alarm appearing on each terminal, the frequency of each type of alarm appearing and the number of terminals with each type of alarm appearing. Specifically, the alert _ count calculated as described aboveij、totalj、device_countjA threat index of the alarm to the terminal may be calculated. In the T time period, the threat index calculation formula of the jth alarm in the terminal i is as follows:

as an optional implementation manner of the embodiment of the present invention, as shown in fig. 7, the calculating the safety index of the power internet of things terminal according to the threat index includes:

step S501: calculating the safety values of the power internet of things terminal at the previous moment and at the current moment from the threat index; specifically, after the threat indexes of the different alarm events in the terminal have been calculated, the safety value of the power terminal can be obtained. The safety value may be calculated by the following formula:

where p(j) represents the weight of the j-th alarm type, which can be set according to the priority of the alarm. With this formula the safety values at different times can be calculated, in particular the safety value at the previous moment and the safety value at the current moment.

Step S502: determining a safety factor according to the safety value at the previous moment and whether the safety threat has been effectively processed; specifically, in actual evaluation the safety index of the terminal at the current time is affected not only by the safety value at the current time but also by whether effective measures were taken against the alarms of the previous time. Therefore, the safety factor is determined from the safety value at the previous moment and whether the safety threat was effectively processed, which may be calculated by the following formula:

where x represents whether the security threats existing in the terminal during the period T were effectively processed: x = 0 means no processing was performed and x = 1 means processing was performed. Therefore, according to the above formula, the safety factor is 100 if the existing threat has already been handled, and equals the safety value at the previous time if the threat at the previous time has not been handled.

Step S503: and calculating to obtain the safety index of the power internet of things terminal at the current moment according to the safety values and the safety factors at the previous moment and the current moment. Specifically, the safety index at the current time is calculated using the following formula:

Specifically, the safety index at the current time is calculated on the basis of the safety factor of the previous time, so the calculation has to start from the beginning. Assuming that the first day has not been threatened before, x should be 1, with a corresponding safety factor of 100; substituting 100 into the above formula, the safety index of the first day equals the safety value F_i^T of the first day. Assuming a safety value of 60 for the first day and that the threat of the first day has been addressed, x should be 0, and the corresponding safety factor is the safety value of the first day, 60; with the safety value of the second day being 50, substituting into the above equation gives the safety index of the second day as (1 - 60/100) × 60 + 60/100 × 50 = 54. By analogy, the safety index of each day can be calculated.
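As an added illustration of steps S501 to S503 (not the patent's own code), the following Python evaluates the safety index period by period, taking the safety values as given since the safety value formula is not reproduced here. The safety factor follows the rule stated for step S502 (100 when the earlier threats were handled, otherwise the previous safety value). The combination formula of step S503 is likewise not reproduced on the page; the form below is reconstructed, as an assumption, from the worked arithmetic above, and yields 60 for the first day and (1 - 60/100) × 60 + 60/100 × 50 = 54 for the second, where the second-day factor of 60 is the previous-safety-value branch of the rule. The third period and its flags are constructed to show how an unhandled threat keeps depressing later indexes.

```python
def safety_factor(prev_safety_value, handled):
    """Step S502: the factor is 100 when the threats present in the previous period were
    effectively handled (x = 1) and otherwise falls back to the previous safety value."""
    return 100.0 if handled else float(prev_safety_value)


def safety_index(factor, current_value):
    """Step S503.  The formula is not reproduced on the page; this form is an assumption
    reconstructed from the worked arithmetic (1 - 60/100)*60 + 60/100*50 = 54:
        index = (1 - factor/100) * factor + (factor/100) * current_value
    With factor = 100 it reduces to the current safety value, matching the first-day case."""
    w = factor / 100.0
    return (1.0 - w) * factor + w * current_value


def safety_index_series(safety_values, handled_flags):
    """Evaluate period by period.  handled_flags[d] says whether the threats seen before
    period d were handled; nothing precedes the first period, so its factor is 100."""
    indices, prev_value = [], None
    for value, handled in zip(safety_values, handled_flags):
        factor = 100.0 if prev_value is None else safety_factor(prev_value, handled)
        indices.append(safety_index(factor, value))
        prev_value = value
    return indices


if __name__ == "__main__":
    # Constructed daily safety values; the first two reproduce the worked example above.
    values = [60, 50, 70]
    print("threat left unhandled:", safety_index_series(values, [True, False, False]))
    print("threat handled on day 3:", safety_index_series(values, [True, False, True]))
```

When the day-2 threat is left unhandled the day-3 factor falls back to 50 and the index is only 60 despite a safety value of 70; once the threat is handled the factor returns to 100 and the index equals the current safety value again.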

As an optional implementation manner of the embodiment of the present invention, the method for evaluating the safety state of the power internet of things terminal provided by the embodiment of the present invention may be implemented in the following scenarios:

Testing is performed with an open source alarm data set. This data set contains 2,125,795 records generated by 2092 devices between 8:00 and 16:00 on March 16, 2012, involving 23 alarm types. The alarm log contains the following fields: alarm time, alarm feature number and alarm name, alarm type, alarm priority, protocol, source IP address and port, destination IP address and destination port. The alarm types are divided into 3 classes by priority. Class I alarms have the highest threat level and include web application attacks, administrator permission alarms, user permission alarms, Trojan horse detection alarms, information leakage alarms, executable code detection alarms and enterprise privacy leakage. Class II alarms have a medium threat level; their attack types include default user name and password login, denial of service attack alarms, suspicious file name detection alarms, access to vulnerable web applications, RPC query decoding and the like. Class III alarms have a low threat level and mainly comprise unknown activities, network scanning alarms, suspicious string detection, general protocol command decoding, user permission acquisition attempts and the like.

Taking T as 1 h for the 356596 effective alarm records remaining after preprocessing, the safety index of each device is calculated for successive time periods, giving the safety index distribution of all devices as well as the alarm conditions and trends of the low-safety devices.

1) Equipment safety index distribution

Dividing the terminal safety index into the intervals [0, 20), [20, 40), [40, 60), [60, 80) and [80, 100], the safety index distribution of the 2092 devices at 16:00 is as follows: 98% of the devices have a safety index in [80, 100], representing a high safety state; 1.8% have a safety index in [40, 80), representing medium safety; and 0.3% have a safety index in [0, 20), representing low safety. This result indicates that most devices are in a safe state, consistent with the actual situation.

2) Relationship between equipment safety index and alarm frequency

The number of alarms on the 5 devices with the lowest safety index varies widely, whereas the device with the highest number of alarms does not have the lowest safety index, i.e. a high-risk device does not necessarily generate a large number of alarms. The alarm statistics of 4 low- and medium-safety devices are listed in table 1, including the safety index, the number of alarms (with the numbers of class I, II and III alarms) and the alarm types. In the alarm count column the numbers in brackets give the alarm counts of the corresponding class, and in the alarm type column the numbers in brackets give the count of the specific alarm. The analysis shows: 1) device 192.168.27.253 has the most alarms and an intruder successfully obtained user rights by brute force and similar means, so its safety index is the lowest; 2) device 192.168.202.68 has a small number of alarms, but among them is an alarm that user rights were successfully obtained, so its safety index is only slightly higher than that of device 192.168.27.253; 3) the alarms generated by device 192.168.28.152 cover 13 types, indicating that an attacker launched multiple kinds of attacks against the device; its safety index is low because the attacker attempted to send executable malicious code or Trojan viruses to the device in order to control it; 4) device 192.168.206.44 has a large number of security alarms but a significantly higher safety index than the first 3 devices, mainly because its many alarms are attempted attacks without any trace of successful intrusion and without alarms of a higher harm level.

TABLE 1

3) Running state trend analysis of equipment

A high-safety device, 192.168.24.254, and a low-safety device, 192.168.202.68, are selected and their safety indexes calculated over time.

The safety index of the high-safety device 192.168.24.254 stays above 80 points and the device was not attacked. The low-safety device 192.168.202.68 suffered an attack that successfully acquired user rights between 12:00 and 13:00, and since no effective action was taken against the attack, the low safety state continues to affect the device's safety evaluation value in the subsequent periods.

In the safety state evaluation of the power internet of things terminal provided by the embodiment of the invention, the alarm period is calculated during periodic deletion using correlation analysis, Fourier transform and an F distribution model, so that periodic false alarms are deleted; this prevents alarms caused by the normal network activity of the terminal from drowning out the alarms generated by real attacks and interfering with the analysis of terminal behavior.

In the safety state evaluation of the power internet of things terminal provided by the embodiment of the invention, the terminal safety index is calculated by combining homologous clustering analysis and multi-source clustering analysis of the alarm data: homologous clustering finds abnormal behavior generated by a terminal that differs greatly from that terminal's historical behavior, and multi-source clustering finds abnormal behavior of a terminal that, when using an application, differs greatly from the other terminals using the same application, so that the degree of harm of an alarm event to the power internet of things terminal is evaluated comprehensively.

In the safety state evaluation of the power internet of things terminal provided by the embodiment of the invention, the calculated safety index consists of two parts: one part is the influence of the safety index of terminal i at the previous moment on the safety evaluation of the terminal in the next period, and the other part is the safety index of terminal i during time T. If terminal i was attacked before the previous moment and the network maintenance administrator did not take effective measures, the terminal's safety index continues to affect the safety index of the next evaluation period.

An embodiment of the present invention further provides an apparatus for evaluating a security state of an electric power internet of things terminal, as shown in fig. 8, the apparatus includes:

the data acquisition module is used for acquiring historical alarm data and generating alarm data in a preset format; for details, refer to the related description of step S101 in the above method embodiment.

The preprocessing module is used for preprocessing the alarm data to obtain effective alarm data; for details, refer to the related description of step S102 in the above method embodiment.

The threat analysis module is used for carrying out correlation analysis on the alarm data according to the homologous clustering analysis and the multisource clustering analysis to obtain a threat index of the alarm to the terminal; for details, refer to the related description of step S103 in the above method embodiment.

And the safety evaluation module is used for calculating the safety index of the power internet of things terminal according to the threat index. For details, refer to the related description of step S104 in the above method embodiment.

In the safety state evaluation device of the power internet of things terminal provided by the embodiment of the invention, terminal safety evaluation is carried out along the dimensions of data preprocessing, alarm event threat evaluation and safety index calculation; at the same time, correlation analysis is performed on the historical alarm data, and the abnormality index of the power internet of things terminal during dynamic operation is calculated using the idea of the TF-IDF algorithm in combination with homologous clustering correlation and heterologous correlation analysis, so that low-safety terminals can be effectively identified among massive repeated and invalid alarms. Therefore, the safety state evaluation device of the power internet of things terminal realizes an objective safety evaluation of the power internet of things terminal.

The function description of the safety state evaluation device of the power internet of things terminal provided by the embodiment of the invention refers to the description of the safety state evaluation method of the power internet of things terminal in the above embodiment in detail.

An embodiment of the present invention further provides a storage medium, as shown in fig. 9, on which a computer program 601 is stored; its instructions, when executed by a processor, implement the steps of the method for evaluating the security status of the power internet of things terminal in the foregoing embodiment. The storage medium may also store audio and video stream data, characteristic frame data, interactive request signaling, encrypted data, a preset data size and the like. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk Drive (HDD) or a Solid State Drive (SSD), etc.; the storage medium may also comprise a combination of memories of the kinds described above.

It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kind described above.

An embodiment of the present invention further provides an electronic device, as shown in fig. 10, the electronic device may include a processor 51 and a memory 52, where the processor 51 and the memory 52 may be connected by a bus or in another manner, and fig. 10 takes the example of connection by a bus as an example.

The processor 51 may be a Central Processing Unit (CPU). The Processor 51 may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, or combinations thereof.

The memory 52, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as the corresponding program instructions/modules in the embodiments of the present invention. The processor 51 executes various functional applications and data processing of the processor by running the non-transitory software programs, instructions and modules stored in the memory 52, that is, implements the safety state evaluation method of the power internet of things terminal in the above method embodiment.

The memory 52 may include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created by the processor 51 and the like. Further, the memory 52 may include high speed random access memory and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device or other non-transitory solid state storage device. In some embodiments, the memory 52 may optionally include memory located remotely from the processor 51, and such remote memory may be connected to the processor 51 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.

The one or more modules are stored in the memory 52, and when executed by the processor 51, perform the electric power internet of things terminal safety state evaluation method in the embodiment shown in fig. 1-7.

The details of the electronic device may be understood by referring to the corresponding descriptions and effects in the embodiments shown in fig. 1 to fig. 7, which are not described herein again.

Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.
