Disclosure of Invention
Aiming at the defects of the prior art, the invention provides an industrial network security online monitoring system which identifies device states in real time, analyzes the network topology, evaluates risk dynamically and provides intelligent decision support, so as to raise the level of automation and intelligence in network security management.
To achieve this purpose, the invention is realized by the following technical scheme. The industrial field network security online monitoring system comprises:
an asset identification module, which acquires device information in the network by means of stateless scanning and constructs a device topology graph;
a topology analysis module, which analyzes the device topology graph and identifies the connection patterns and potential weak points among the devices;
a risk assessment module, which scores the security risk of each device with a graph convolution network and, in combination with a vulnerability database, generates a risk assessment result;
and a decision support module, which generates network security decision suggestions according to the risk assessment result.
Preferably, the asset identification module includes:
a device scanning unit, which scans the devices in the network by stateless scanning and identifies their basic information, including IP address, device type, vendor, operating system version and open ports;
a device topology construction unit, which builds the network topology among the devices from the scan results and generates a connection relation diagram of the devices;
and a device classification unit, which sorts the devices into categories according to their characteristics, including industrial control systems, Internet of Things terminals and other network devices, and identifies the security characteristics of each device from its category.
Preferably, the device topology construction unit builds the device topology as follows:
identifying the physical connection relations between devices from the device information provided by the device scanning unit;
analyzing the communication packets exchanged between devices, according to the network communication protocol in use, to determine the logical connection relations among the devices;
combining the physical and logical connections into a complete topology diagram, which records the IP address, type, connection ports and communication paths of each device;
and optimizing the topology diagram according to the communication frequency and interaction pattern of the devices, so that the secure communication paths among the devices are accurately identified.
Preferably, the topology analysis module includes:
a topology data acquisition unit, which extracts the connection relation information between devices from the device topology graph, including the connection paths, port information and communication protocols of the devices;
a topology structure analysis unit, which analyzes the stability, reliability and potential weak points of the device topology on the basis of the connection relations among the devices;
a key node identification unit, which identifies the key device nodes in the network, including core switches, routers and bridging nodes between devices, and evaluates the security risk of those nodes;
and a weak point analysis unit, which analyzes the weak links in the network topology and identifies potential attack surfaces and security hazards.
Preferably, the risk assessment module includes:
a risk score calculation unit, which scores the security risk of each device with a graph convolution network, taking into account the vulnerabilities of the device, the vendor's repair state for them and the network connection relations among the devices;
a vulnerability information matching unit, which retrieves vulnerability information relevant to the device from the vulnerability database and combines it with the device risk score to produce a comprehensive risk score;
a security situation analysis unit, which analyzes the network security situation by combining the device risk scores with the network topology information, identifies potential threats and evaluates the protection requirements;
and a dynamic evaluation unit, which updates the device risk scores in real time and adjusts the risk assessment result as the network environment and device states change.
Preferably, the risk score calculation unit calculates the risk score as follows:
obtaining the vulnerability information of the device, comprising the severity, repair state and type of each known vulnerability;
analyzing the network connection relations of the device, including its communication paths, open ports and communication protocols, and evaluating the potential attack surface the device exposes;
combining, in a graph convolution network model, the vulnerability information of the device with its network connection relations to compute a preliminary risk score for each device, and adjusting that score according to the network environment and role of the device, in consideration of the importance of the device and its position in the network;
and outputting the final risk score of the device, which reflects its current security state and potential risk.
Preferably, the dynamic update module includes:
a device state monitoring unit, which monitors state changes of the devices in the network in real time, including devices coming online or going offline and configuration changes;
a topology structure update unit, which dynamically updates the network topology information according to device state changes, so that the topology remains accurate;
a risk assessment triggering unit, which triggers the risk assessment module to recalculate the device risk scores when the topology is updated or a device state changes;
and a data synchronization unit, which synchronizes the device states, topology information and risk assessment results with the system database, so that the stored information stays consistent and current.
Preferably, the decision support module includes:
a risk priority evaluation unit, which evaluates the security risk priority of each device according to its risk score and vulnerability information;
a protection strategy generation unit, which generates protective measures for the devices on the basis of the risk assessment;
an emergency response recommendation unit, which recommends emergency response measures for high-risk devices according to the risk assessment result, so as to reduce potential security threats;
and a decision output unit, which outputs network security management decision suggestions, based on the generated protection strategy and emergency response measures, for the network administrator to act on.
Preferably, the system further comprises:
a visualization module, which displays the device risk scores, the network topology, the vulnerability information and the protection strategy through a graphical interface.
The invention also provides an industrial field network security online monitoring method, which comprises the following steps:
acquiring device information in the network by stateless scanning and constructing a device topology graph;
analyzing the device topology graph and identifying the connection patterns and weak points among the devices;
generating device risk scores with a graph convolution network in combination with a vulnerability database, and outputting the risk assessment result;
periodically updating the device information and topology and adjusting the risk assessment result in real time;
generating network security management decision suggestions according to the risk assessment result;
and displaying the device states and the risk assessment result in multiple dimensions, by region, by vendor and by vulnerability category.
The invention provides an industrial field network security online monitoring system whose beneficial effects are as follows:
1. By combining stateless scanning with a graph convolution network, the invention identifies the various devices in the network accurately and produces a detailed risk score for each. This comprehensive identification and assessment capability helps to discover potential security threats in time and provides data support for network security protection.
2. By periodically updating the device information and the network topology, the invention adjusts the device risk scores in real time. This dynamic update mechanism follows changes of device state and topology, keeps the risk assessment accurate and current, and improves the speed of response to network security threats.
3. On the basis of the device risk scores and the network security situation, the method and system generate targeted security management decision suggestions, giving the network administrator clear protective measures and emergency response plans. This decision support helps administrators make timely and effective security decisions, reducing potential security hazards and handling sudden security events.
4. The invention provides multi-dimensional visual display by region, vendor, vulnerability category and the like, so that the state, topology and risk assessment result of the network devices are presented graphically. This improves the administrator's understanding and control of the security situation and makes it easier to find and remediate vulnerabilities in time.
5. Through automatic device scanning, topology analysis and risk assessment, the invention reduces the need for manual intervention and improves the efficiency and accuracy of network security management. By combining intelligent risk assessment with decision support, the system can identify security threats on its own and propose corresponding countermeasures, which strengthens the network's protection capability.
Detailed Description
The following description of the embodiments of the present invention is made clearly and fully with reference to the accompanying drawings; evidently the embodiments described are only some, not all, embodiments of the invention. All other embodiments that a person skilled in the art can derive from the described embodiments without inventive effort fall within the scope of the invention.
Referring to fig. 1, the present invention provides an industrial network security online monitoring system that aims to improve the security of industrial control systems (ICS), Internet of Things (IoT) terminals and other network devices. By identifying device assets in real time, analyzing the network topology, adjusting the risk assessment dynamically and supporting security decisions, the system protects the security of the industrial field network.
As shown in FIG. 1, the industrial field network security online monitoring system may comprise an asset identification module, a topology analysis module, a risk assessment module, a dynamic update module, a decision support module and a visualization module. The modules cooperate to perform network security monitoring, risk assessment and protection strategy formulation.
Each module of the method of the present invention is described in detail below, together with its implementation principle, technical details and flow.
For the asset identification module, in this embodiment, the design and implementation of the module aims at automatically identifying and classifying the devices in the network and detecting their security features through the cooperation of three units. Through device scanning, topology construction and device classification, the module collects the key information about the network devices and thereby improves the security and manageability of the network environment.
First, the asset identification module includes a device scanning unit. This unit scans the devices in the network by stateless scanning to identify their basic information. Specifically, stateless scanning obtains the IP address, device type, vendor, operating system version and open ports of a device by sending crafted probe packets into the network and analyzing the responses. Because the scanner keeps no per-target connection state and does not complete handshakes, it avoids the resource cost and network load of conventional stateful scanning, so that device identification completes quickly and with little impact on the network. In an industrial network the probe rate must nevertheless be kept low, since some controllers react badly to unexpected packets.
For example, when the device scanning unit starts, it sends a simple probe packet to each address in the network and collects the responses. By analyzing a device's response, the system identifies its vendor, operating system type and version number, and determines whether the probed port is open. This information is the basis for the subsequent topology construction and device classification.
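As an added illustration, not code from the patent, the following Python shows the core of a stateless probe: the scanner encodes the target in the probe's TCP sequence number with a keyed hash, and validates each reply by checking that its acknowledgement number is that sequence number plus one, so no per-target table is needed and stray or spoofed segments are discarded. The scan key, the reply dictionaries and the sample replies are constructed for the example.

```python
import hashlib
import hmac
import ipaddress

# Constructed per-scan secret; a real scanner draws a fresh random key per run.
SCAN_SECRET = b"example-scan-key"


def probe_seq(dst_ip: str, dst_port: int, secret: bytes = SCAN_SECRET) -> int:
    """Sequence number for the SYN probe sent to (dst_ip, dst_port).

    The target identity is folded into the 32-bit sequence number with a keyed
    hash, so the scanner keeps no per-target state: any SYN-ACK or RST that
    comes back carries seq+1 in its ack field and can be validated from the
    reply alone.
    """
    msg = ipaddress.ip_address(dst_ip).packed + dst_port.to_bytes(2, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def classify_reply(reply: dict, secret: bytes = SCAN_SECRET) -> tuple:
    """Validate one reply against the stateless cookie and classify the port.

    reply is a constructed dict with the fields a raw-socket capture would
    yield: src_ip and src_port (the probed target), flags (set of TCP flag
    names) and ack. Returns (status, reason).
    """
    expected = (probe_seq(reply["src_ip"], reply["src_port"], secret) + 1) & 0xFFFFFFFF
    if reply["ack"] != expected:
        # Stray or spoofed packet: not an answer to a probe this scan sent.
        return ("invalid", "ack does not match probe cookie")
    flags = set(reply["flags"])
    if {"SYN", "ACK"} <= flags:
        return ("open", "SYN-ACK received")
    if "RST" in flags:
        return ("closed", "RST received")
    return ("unknown", "unexpected flags")


def summarize(replies) -> dict:
    """Fold validated replies into an (ip, port) -> status table, dropping
    anything that fails cookie validation."""
    table = {}
    for r in replies:
        status, _ = classify_reply(r)
        if status != "invalid":
            table[(r["src_ip"], r["src_port"])] = status
    return table


# Constructed replies: a live Modbus/TCP port, a closed telnet port, and a
# segment whose ack matches no cookie (a spoofed or unrelated packet).
SAMPLE_REPLIES = [
    {"src_ip": "10.0.1.10", "src_port": 502, "flags": {"SYN", "ACK"},
     "ack": (probe_seq("10.0.1.10", 502) + 1) & 0xFFFFFFFF},
    {"src_ip": "10.0.1.10", "src_port": 23, "flags": {"RST", "ACK"},
     "ack": (probe_seq("10.0.1.10", 23) + 1) & 0xFFFFFFFF},
    {"src_ip": "10.0.1.99", "src_port": 502, "flags": {"SYN", "ACK"},
     "ack": 12345},
]

if __name__ == "__main__":
    for (ip, port), status in sorted(summarize(SAMPLE_REPLIES).items()):
        print(f"{ip}:{port} {status}")
```

Because the cookie is keyed, a host on the network cannot forge "open" results for addresses it does not control without knowing the scan secret, which matters when the scanner's output feeds the topology and risk modules directly.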
The device topology construction unit then builds the network topology among the devices from the scan results. It identifies the physical connection relations between devices, analyzes the communication protocols to determine the logical connection relations, and finally generates the complete topology diagram. The identification of physical connections relies mainly on the device information provided by the scanning unit, such as the IP address and connection port of each device, from which the relative position of the device in the physical network can be determined.
In addition, the topology construction unit determines the logical connection relations by analyzing the communication packets exchanged between devices. The packets of a network communication protocol such as TCP/IP carry the source and destination of each conversation, which lets the system identify which devices actually communicate with each other. The logical connection information obtained in this way is combined with the physical connection information to produce the complete topology diagram of the network devices, which records the IP address, device type, connection ports and communication paths of each device.
To ensure that the communication paths between devices are correct and secure, the topology construction unit then optimizes the topology diagram according to the communication frequency and interaction pattern of the devices. The aim of this step is to identify the communication path of every device accurately and to expose potential security risks such as unnecessary open ports or unauthorized communication between devices.
Finally, the device classification unit sorts the devices in the network into categories according to their characteristics and identifies the security features of each category. Specifically, the unit distinguishes industrial control systems, Internet of Things terminals and other types of network devices from the scan information and the network behaviour of the devices. Each class of device has different security requirements and protection characteristics depending on its function and operating environment, so classification is an essential step.
For example, industrial control systems generally place very high demands on the stability and security of the network, while Internet of Things devices tend to carry more vulnerabilities and a higher risk of external attack. By categorizing the devices, the asset identification module can assign security measures appropriate to each type of device.
In this embodiment, through the cooperation of the device scanning, topology construction and device classification units, the asset identification module identifies the basic information of the devices in the network and the connection relations between them, and provides the basis for their protection. The module improves the accuracy of device identification, strengthens the security of the network topology, and supplies the foundation for the subsequent security monitoring and protection.
For the topology analysis module, in this embodiment, the module analyzes and evaluates the stability, security and potential vulnerability of the network topology through the joint action of several functional units. By acquiring topology data, analyzing the topology structure, identifying key nodes and evaluating weak points, the module improves the network's protection capability and its ability to withstand potential attacks.
First, the topology data acquisition unit extracts the connection relation information between devices from the device topology graph. Its task is to collect and organize the connection paths, port information and communication protocols between the devices in the network. Using the data passed on by the device scanning unit and the device topology construction unit, it obtains both the physical connections and the logical communication relations between devices.
For example, if the network contains a core switch and a number of terminal devices, the topology data acquisition unit identifies the connection paths between the switch and each device, the ports used (port numbers and port types) and the communication protocols employed between the devices (TCP, UDP and the application protocols carried over them). This information is the raw material for the subsequent topology analysis.
The topology structure analysis unit then analyzes the stability, reliability and potential weak points of the network topology on the basis of the connection relations between devices. It evaluates the reliability of each node and link by examining the connection pattern, communication pattern and load of the devices. In particular, it evaluates whether the communication paths between devices have redundancy, whether the failure of a single node or link could bring down the entire network, and whether particular devices in the network are likely targets for an attacker.
For example, when the topology structure analysis unit finds that only one communication path exists between parts of the network and that this path depends on a key node (such as a switch or a router), it determines whether the reliability of that path is adequate or whether redundant connections should be added to keep the network stable. If a failure of that single path would interrupt the whole network service, the system suggests adding an alternative path or taking other measures to improve reliability.
The key node identification unit is then used to identify the key device nodes in the network and evaluate their security risk. Key nodes are the devices or connection points on which the network depends, such as core switches, routers and bridging nodes between subnets. The security of these nodes directly affects the operation and security of the whole network, so it is important to identify them and evaluate the risks they face.
For example, a core switch is usually responsible for forwarding the traffic of the whole network, so its failure may bring the entire network down. Likewise, bridging nodes (nodes that connect different subnets) are attractive targets for an attacker, because compromising one gives a foothold into more than one network segment. The key node identification unit finds these nodes by analyzing the devices and connections in the topology graph and evaluates the attack risk each of them faces.
Finally, the weak point analysis unit analyzes the weak links in the network topology and identifies potential attack surfaces and security hazards. It finds the weak links by jointly considering the connection relations, protocol usage and importance of each device in the network. For example, some devices may be reachable from a public network and exposed to unauthorized access, and some may use outdated protocols or carry known vulnerabilities, making them potential targets of attack.
In the weak point analysis, the system may use security scanning tools or vulnerability libraries to check the security of devices and ports: whether known vulnerabilities are present, whether devices use weak passwords or default settings, whether device firmware needs updating, and so on. Through this analysis the system discovers security hazards in the network in time and proposes corresponding improvements.
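To make the key node and weak point analysis above concrete, the following Python is an added example (not the patent's own code) that runs both over a set of constructed connection records. Key nodes are found as articulation points of the connection graph and single communication paths as bridges, using Tarjan's depth-first algorithm; exposure is judged against an assumed list of internal address ranges and an assumed list of protocols that carry neither authentication nor encryption. All addresses, protocols and records are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed connection records (a, b, port, protocol): physical links are
# recorded with port None and protocol "link"; logical connections carry the
# server port and application protocol observed in the packets.
CONNECTIONS = [
    ("10.0.2.20", "10.0.1.10", 502, "modbus"),    # HMI -> PLC 1
    ("10.0.2.20", "10.0.1.11", 502, "modbus"),    # HMI -> PLC 2
    ("10.0.1.10", "10.0.1.1", None, "link"),      # PLC 1 - core switch
    ("10.0.1.11", "10.0.1.1", None, "link"),      # PLC 2 - core switch
    ("10.0.1.1", "10.0.2.1", None, "link"),       # core switch - bridging node
    ("10.0.2.1", "10.0.2.20", None, "link"),      # bridging node - HMI
    ("10.0.2.1", "10.0.2.21", None, "link"),      # bridging node - IoT gateway
    ("203.0.113.5", "10.0.2.21", 23, "telnet"),   # external host -> gateway
]

# Assumed: addresses inside these ranges belong to the monitored site.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: protocols that carry neither authentication nor encryption.
INSECURE_PROTOCOLS = {"telnet", "ftp", "http", "modbus"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def build_graph(connections) -> dict:
    """Undirected adjacency over internal devices; external hosts are not assets."""
    adj = defaultdict(set)
    for a, b, _, _ in connections:
        if is_internal(a) and is_internal(b):
            adj[a].add(b)
            adj[b].add(a)
    return adj


def critical_nodes_and_single_paths(adj):
    """Tarjan's DFS: articulation points (nodes whose loss splits the network)
    and bridges (links that are the only path between their endpoints)."""
    disc, low, parent = {}, {}, {}
    points, bridges = set(), set()
    clock = [0]

    def dfs(u):
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        children = 0
        for v in adj[u]:
            if v not in disc:
                parent[v] = u
                children += 1
                dfs(v)
                low[u] = min(low[u], low[v])
                if parent[u] is None and children > 1:
                    points.add(u)          # root with two separate DFS subtrees
                if parent[u] is not None and low[v] >= disc[u]:
                    points.add(u)          # subtree under v cannot bypass u
                if low[v] > disc[u]:
                    bridges.add(tuple(sorted((u, v))))
            elif v != parent[u]:
                low[u] = min(low[u], disc[v])   # back edge

    for node in adj:
        if node not in disc:
            parent[node] = None
            dfs(node)
    return sorted(points), sorted(bridges)


def weak_points(connections) -> dict:
    """Per-device findings: exposure to external addresses and insecure protocols."""
    findings = defaultdict(list)
    for src, dst, port, proto in connections:
        if proto == "link":
            continue
        if not is_internal(src):
            findings[dst].append(f"reachable from external address {src} on port {port}")
        if proto in INSECURE_PROTOCOLS:
            findings[dst].append(f"serves {proto} on port {port} without authentication or encryption")
    return dict(findings)


def analyze(connections) -> dict:
    adj = build_graph(connections)
    points, bridges = critical_nodes_and_single_paths(adj)
    return {"critical_nodes": points, "single_paths": bridges, "weak_points": weak_points(connections)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(CONNECTIONS), indent=2))
```

On the constructed records the HMI's logical connections to both PLCs give the switch side of the network a second path, so the core switch is not an articulation point; the bridging node is, because the IoT gateway hangs off it alone, and that single link is the only bridge reported.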
In summary, in this embodiment, the topology analysis module completes the analysis of the network topology through the cooperation of four core units: the topology data acquisition unit extracts the connection relation information among devices as the basis for the analysis, the topology structure analysis unit evaluates the stability and reliability of the network, the key node identification unit identifies the key device nodes and evaluates their security risk, and the weak point analysis unit reveals the security hazards in the network. On this basis the system provides the network administrator with a detailed report on the health of the network and supplies the data for the subsequent protection measures.
For the risk assessment module, in this embodiment, the module assesses the security risk of the devices in the network by combining a graph convolution network (GCN) with a formulated risk calculation, through the cooperation of several units. The module produces a risk score for each device from the device's vulnerabilities, the vendor's repair state, the network connections among the devices and the centrality of the device, and adjusts it in real time to follow changes of the network environment and device state.
First, the risk score calculation unit is the core of the module and is responsible for computing the security risk score of each device. It proceeds through the following steps:
1. Obtaining the vulnerability information of the device:
For each device, the vulnerability information is obtained first; it comprises the severity, repair state and type of each known vulnerability, and normally comes from the vulnerability library associated with the device. Let the vulnerability information of device i be V_i = {v_1, v_2, …, v_n}, where each vulnerability v_k has a severity S_k and a repair state R_k; a preliminary risk assessment is made from the severity and repair state of the vulnerabilities. The risk score of a vulnerability can be expressed as:
where S_k is the severity of the vulnerability, R_k its repair state and R_v the vulnerability risk score of the device. If the vulnerability has not been repaired, R_k = 0 and its risk score equals its severity; if it has been repaired, R_k = 1 and it contributes nothing to the risk score.
2. Analyzing the network connection relations of the device:
The network connection relations comprise the communication paths between devices, the open ports and the communication protocols. Let the connection relation between device i and device j be C_ij; it affects the potential attack surface the device exposes. The network exposure risk of a device can be expressed as:
where C_ij is the connection strength between device i and device j and P_ij is the port exposure of the communication between them (whether ports are open, whether a secure protocol is used, and so on). If several exposed ports exist between the devices and an insecure protocol is used, P_ij is larger and the risk score R_c is correspondingly higher.
3. Calculating the risk score with the graph convolution network model:
A graph convolution network (GCN) is used to take account of the dependencies between devices and the network structure. Through the graph convolution, the risk score of a device combines its position in the network with the influence of the other devices. The risk score R_i of device i can be expressed as:
R_i = σ(W · (R_v + R_c))
where σ is an activation function (for example ReLU), W is the weight matrix of the graph convolution network, R_v is the vulnerability risk and R_c the connection risk. The network structure enters through the propagation step of the GCN, which aggregates the (R_v, R_c) features of a device with those of its neighbours before W is applied, so that a device inherits risk from the devices it is connected to. After the graph convolution network has been trained, more accurate device risk scores are obtained from the connection relations and vulnerability information of the devices.
4. Adjusting the risk score according to the role of the device in the network:
Devices in different roles (core switches, routers and so on) affect the network as a whole to different degrees, and this importance enters the adjustment of the risk score. For instance, a vulnerability in a core device may compromise the security of the whole network. Let the importance of device i be I_i; its adjusted risk score can be expressed as:
where α is an adjustment factor representing the influence of device importance on the risk score. For a core device I_i is larger, so its risk score is raised accordingly.
Finally, the comprehensive risk score of the device reflects its current security state and potential risk, and forms the basis for the subsequent protective measures and emergency response.
Secondly, the vulnerability information matching unit retrieves the vulnerability information relevant to the device from the vulnerability database and matches it against the device's risk score. Through this unit the system supplements the device's vulnerability information and thereby produces a more accurate comprehensive risk score. With the vulnerability information of device i denoted V_i, the unit computes the device's vulnerability risk score by comparing it with the entries of the vulnerability database:
where S_k is the contribution of each additional vulnerability found for the device in the vulnerability database, and the result is the adjusted vulnerability risk score.
Next, the security situation analysis unit analyzes the security situation of the whole network by combining the device risk scores with the network topology information. It identifies potential threats and evaluates the protection requirements by analyzing the dependencies between devices. With the risk scores of all devices in the network denoted R = {R_1, R_2, …, R_n}, the overall security situation of the network can be calculated by the following formula:
where C_i is the contribution of device i to the security of the network and R_network is the overall security risk score of the network. Through this analysis the system identifies which devices pose the greatest threat to the network and provides the basis for subsequent hardening.
Finally, the dynamic evaluation unit updates the device risk scores in real time. The risk score of a device must be adjusted as its state and the network environment change. With the change of device state denoted Δs_i, the real-time risk score of the device can be expressed as:
Through this dynamic evaluation the risk assessment module responds to network changes in time and keeps the risk assessment result accurate and current.
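The scoring steps 1 to 4 of the risk score calculation unit and the network-level aggregation of the security situation analysis unit, carried through as an added Python example (not the patent's own code). The patent states the combination rules in words only, so the aggregation choices here are assumptions: R_v sums the severities of unrepaired vulnerabilities, R_c sums C_ij·P_ij over a device's connections, the GCN layer averages the (R_v, R_c) features over a device and its neighbours before applying an illustrative fixed weight vector W and ReLU, the importance adjustment is R_i·(1 + α·I_i), and R_network weights the adjusted scores by normalized importance. Device names, vulnerabilities, connection strengths and weights are constructed.

```python
from collections import defaultdict

# Constructed inventory. Vulnerabilities are (severity S_k on a 0-10 scale,
# repaired flag R_k); importance I_i is the device's role weight in the network.
DEVICES = {
    "plc1":    {"vulns": [(9.8, False), (7.5, True)],  "importance": 0.8},
    "hmi":     {"vulns": [(5.0, False)],               "importance": 0.5},
    "switch":  {"vulns": [],                           "importance": 1.0},
    "gateway": {"vulns": [(8.0, False), (6.0, False)], "importance": 0.6},
}

# Constructed connections (i, j, C_ij connection strength, P_ij port exposure).
CONNECTIONS = [
    ("plc1", "switch", 1.0, 0.5),
    ("hmi", "switch", 1.0, 0.2),
    ("gateway", "switch", 0.5, 0.8),
    ("hmi", "plc1", 0.8, 0.6),
]

# Illustrative fixed weights standing in for a trained GCN weight matrix W
# (one output unit over the feature pair (R_v, R_c)); exposure is weighted
# more heavily than raw severity. Assumed, not taken from the patent.
W = (0.5, 2.0)
ALPHA = 0.5   # assumed importance adjustment factor


def vulnerability_risk(vulns) -> float:
    """R_v: severity of each unrepaired vulnerability; repaired ones contribute 0."""
    return sum(s * (0 if repaired else 1) for s, repaired in vulns)


def connection_risk(connections) -> dict:
    """R_c per device: sum of C_ij * P_ij over the device's connections."""
    rc = defaultdict(float)
    for i, j, c_ij, p_ij in connections:
        rc[i] += c_ij * p_ij
        rc[j] += c_ij * p_ij
    return rc


def neighbours(connections) -> dict:
    adj = defaultdict(set)
    for i, j, _, _ in connections:
        adj[i].add(j)
        adj[j].add(i)
    return adj


def relu(x: float) -> float:
    return x if x > 0 else 0.0


def gcn_scores(devices, connections) -> dict:
    """One GCN layer: mean-aggregate (R_v, R_c) over each device and its
    neighbours, apply W, then the activation. Returns R_i per device."""
    rc = connection_risk(connections)
    adj = neighbours(connections)
    feats = {d: (vulnerability_risk(info["vulns"]), rc[d]) for d, info in devices.items()}
    scores = {}
    for d in devices:
        group = adj[d] | {d}
        agg = [sum(feats[n][k] for n in group) / len(group) for k in range(2)]
        scores[d] = relu(W[0] * agg[0] + W[1] * agg[1])
    return scores


def adjusted_scores(devices, connections, alpha=ALPHA) -> dict:
    """Step 4: raise the score of important devices: R_i * (1 + alpha * I_i)."""
    return {d: r * (1 + alpha * devices[d]["importance"])
            for d, r in gcn_scores(devices, connections).items()}


def network_risk(devices, connections) -> float:
    """R_network: importance-weighted average of the adjusted device scores."""
    adj_scores = adjusted_scores(devices, connections)
    total = sum(info["importance"] for info in devices.values())
    return sum(devices[d]["importance"] / total * r for d, r in adj_scores.items())


if __name__ == "__main__":
    for d, r in sorted(adjusted_scores(DEVICES, CONNECTIONS).items(), key=lambda kv: -kv[1]):
        print(f"{d:8s} {r:6.2f}")
    print(f"network  {network_risk(DEVICES, CONNECTIONS):6.2f}")
```

With these constructed numbers the switch, which has no vulnerabilities of its own, ends up with the highest adjusted score: it aggregates the features of every neighbour and carries the largest importance weight, which is exactly the effect the neighbourhood aggregation and step 4 are meant to produce for a core device.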
In summary, the risk assessment module in this embodiment assesses the security risk of the devices in the network comprehensively and accurately by combining the graph convolution network with the formulated risk calculation through the cooperation of its core units: the risk score calculation unit produces a preliminary risk score for each device from the vulnerability information and the connection relations between devices, using the graph convolution network model; the vulnerability information matching unit refines that score; the security situation analysis unit evaluates the security situation of the whole network; and the dynamic evaluation unit keeps the risk scores up to date. Together they ensure that the security monitoring and protection of the network are carried out efficiently and accurately.
For the dynamic update module, in this embodiment, the module monitors device state changes in real time, updates the network topology information, triggers the risk assessment and synchronizes data, so that all information held by the system remains accurate and current. Through the coordination of its four core units, for device state monitoring, topology structure update, risk assessment triggering and data synchronization, the module responds immediately to changes of device state.
First, the device state monitoring unit monitors the state changes of the devices in the network in real time. These changes include devices coming online or going offline and changes to device configuration, and may be caused by the addition, removal or reconfiguration of a device. The unit obtains the current state of each device through real-time communication between the network management system and the device, and passes any changed state on to the other modules for further processing.
In this embodiment, the state of the device may be one of the following:
Online state: the device is successfully connected to the network and is working normally.
Offline state: the device is disconnected from the network or has stopped working.
Configuration change state: the device configuration has changed, for example an IP address change or a port configuration change.
When the equipment state changes, the equipment state monitoring unit can timely detect the changes and inform other modules of the system, so that the network management system can make adaptive adjustment when the equipment state changes.
Next, the topology updating unit is responsible for dynamically updating network topology information of the device according to the change of the device state. The network topology is a structural diagram formed by physical and logical connections between devices, and when the device is brought on-line, brought off-line, or the configuration is changed, the topology needs to be adjusted accordingly. The topological structure updating unit can acquire information of the state change of the equipment in real time, and update the connection relation among the equipment according to the information, so that the accuracy of the topological structure is ensured.
For example, assuming that a device is added to the network, the topology updating unit automatically identifies the connection point of the new device and updates its connection relationship with other devices into the topology map. If a device goes offline, the system removes the device from the topology and updates the connection path. Configuration changes to the device (e.g., port number changes or IP address changes) also require updating topology information. The goal of this process is to ensure that the network topology always reflects the true state of the network.
For the update of the topology, the specific procedure can be expressed by the following formula. Let the topology of the devices in the network be $T = \{T_1, T_2, \dots, T_n\}$, where $T_i$ is the connection relationship between device $i$ and the other devices. When a device state changes, the topology update can be expressed as:
$T_{new} = T_{old} \cup \Delta T$
where $\Delta T$ represents the topology update caused by the change in the state of the device, and $T_{new}$ is the updated topology.
The risk assessment triggering unit then triggers the risk assessment module to recalculate the risk score of the device after the topology is updated or the device state is changed. The risk score of the device is calculated based on factors such as vulnerability information of the device, network connection relation, importance of the device, and the like, and the factors may change after the state of the device changes. For example, an online device may result in a new attack surface being exposed, while an offline device may reduce the potential risk of the network. The risk assessment triggering unit timely sends a re-assessment request to the risk assessment module through the monitored topological structure change or the monitored equipment state change.
When the risk assessment module recalculates the risk score, the system will re-assess the risk of the device in the network according to the updated topology and device status. This process is triggered by the following formula:
where the new risk score of device $i$ under the updated topology structure and device state is determined by $T_{new}$, the updated network topology information, and $S_i$, the state information of device $i$.
And finally, the data synchronization unit is responsible for synchronously updating the equipment state, the topology information and the risk assessment result with a system database, so that the consistency and timeliness of the information in the system are ensured to be kept all the time. The change of the equipment state, the update of the topological structure and the update of the risk assessment result are required to be reflected in the system database in time so as to facilitate subsequent inquiry and analysis.
In this embodiment, the data synchronization can be expressed by the following formula:
where $D_{sync}$ represents the set of information synchronously updated into the database, including the device state $S_i$, the updated topology information $T_{new}$, and the recalculated risk score.
Through the work of the data synchronization unit, the system can ensure the information consistency among all modules and provide accurate basic data for subsequent decision and network management.
In summary, the dynamic update module in this embodiment realizes the instant response to the device state change through the cooperation of the units such as the device state monitoring, the topology structure updating, the risk assessment triggering, and the data synchronization. The device state monitoring unit detects the state change of the device in real time, the topology structure updating unit dynamically updates network topology information according to the device state change, the risk assessment triggering unit triggers the risk assessment module to recalculate the risk score after the topology change or the device state change, and the data synchronization unit ensures that all information is kept synchronous with the system database. Through the series of work, the dynamic updating module ensures that the network management system can flexibly cope with the state change of the equipment and provide timely and effective risk assessment results, thereby improving the safety and management efficiency of the network.
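The four units described above (state monitoring, topology update, risk re-assessment trigger, data synchronization), as an added example that is not the patent's own code. It assumes a topology stored as a set of undirected edges, a constructed three-device network, constructed vulnerability severities, and a simplified stand-in for the graph convolution score; it also models an offline device's edge removal as a set difference, which the union formula alone does not express.

```python
from dataclasses import dataclass, field


@dataclass
class Event:
    """One device state change as reported by the device status monitoring unit."""
    device: str
    kind: str                  # "online" | "offline" | "config_change"
    neighbors: tuple = ()      # devices the (new or rewired) device connects to
    config: dict = field(default_factory=dict)   # e.g. {"ip": ..., "ports": [...]}


@dataclass
class Topology:
    """T is kept as a set of undirected edges; each edge is a frozenset of two ids."""
    edges: set = field(default_factory=set)
    devices: dict = field(default_factory=dict)  # id -> {"state", "ip", "ports"}

    def neighbors(self, dev):
        return {next(iter(e - {dev})) for e in self.edges if dev in e}


def topology_delta(topo, ev):
    """Delta T for one event, split into (added_edges, removed_edges).

    The page writes T_new = T_old U Delta T; a union alone cannot drop an offline
    device's edges, so the removal half is modelled as a set difference here
    (an assumption of this example, not something the page states).
    """
    mine = {e for e in topo.edges if ev.device in e}
    wanted = {frozenset({ev.device, n}) for n in ev.neighbors}
    if ev.kind == "online":
        return wanted - topo.edges, set()
    if ev.kind == "offline":
        return set(), mine
    if ev.kind == "config_change":
        # A config change rewires the device only when the event names new neighbors.
        return (wanted - mine, mine - wanted) if ev.neighbors else (set(), set())
    raise ValueError(f"unknown event kind {ev.kind!r}")


def apply_event(topo, ev):
    """Topology structure updating unit: apply Delta T, return devices to re-score."""
    added, removed = topology_delta(topo, ev)
    topo.edges = (topo.edges - removed) | added
    dev = topo.devices.setdefault(ev.device, {"state": "offline", "ports": []})
    dev["state"] = "offline" if ev.kind == "offline" else "online"
    dev.update(ev.config)
    # Risk assessment trigger: the device itself plus every endpoint of a changed edge.
    return {ev.device} | {d for e in added | removed for d in e}


def risk_score(topo, dev, vulns):
    """Stand-in for the GCN score (not the patent's model): open ports, summed
    vulnerability severity and degree, capped at 10. Offline devices score 0."""
    info = topo.devices.get(dev)
    if info is None or info["state"] != "online":
        return 0.0
    exposure = 0.5 * len(info.get("ports", [])) + 0.3 * len(topo.neighbors(dev))
    return round(min(10.0, exposure + sum(vulns.get(dev, []))), 2)


def process(topo, events, vulns):
    """Monitor -> topology update -> risk re-assessment -> D_sync records."""
    sync = []
    for ev in events:
        for d in sorted(apply_event(topo, ev)):
            sync.append({"device": d, "state": topo.devices[d]["state"],
                         "degree": len(topo.neighbors(d)),
                         "risk": risk_score(topo, d, vulns)})
    return sync


def demo():
    """Constructed scenario: plc1 - sw1 - hmi1; plc2 joins, hmi1 drops, plc1 reconfigures."""
    topo = Topology(
        edges={frozenset({"plc1", "sw1"}), frozenset({"sw1", "hmi1"})},
        devices={"sw1": {"state": "online", "ports": [22, 161]},
                 "plc1": {"state": "online", "ports": [502]},
                 "hmi1": {"state": "online", "ports": [3389, 5900]}})
    vulns = {"plc1": [7.5], "hmi1": [9.8, 5.0]}      # constructed CVSS-like severities
    events = [Event("plc2", "online", ("sw1",), {"ip": "10.0.0.12", "ports": [502, 44818]}),
              Event("hmi1", "offline"),
              Event("plc1", "config_change", config={"ports": [502, 80]})]
    return topo, process(topo, events, vulns)


if __name__ == "__main__":
    for rec in demo()[1]:
        print(rec)
```

Each record in the returned list is one D_sync entry; note that sw1 is re-scored twice because both the join and the drop change its connection relation.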
For the decision support module, in this embodiment, the decision support module is intended to provide scientific decision support for a network administrator to cope with potential security risks in the network. The module helps a network administrator to identify high-risk equipment in the network through the steps of risk priority assessment, protection strategy generation, emergency response recommendation, decision output and the like, and provides corresponding protection measures and emergency response recommendation.
First, the risk priority assessment unit is used for assessing the security risk priority of the device according to the risk score and the vulnerability information of the device. From the risk score $R_i$ and the vulnerability information $V_i$ of the device, the unit comprehensively evaluates the security threat faced by the device and determines its security risk priority from the evaluation result. Specifically, the risk priority $P_i$ of the device can be calculated by the following formula:
where $R_i$ is the risk score of device $i$, $V_{ij}$ is the severity or impact value of the $j$th vulnerability on device $i$, and $w_1$ and $w_2$ are the weighting coefficients of the risk score and the vulnerability information, respectively. The formula reflects the comprehensive security risk of the device: it considers both the device's risk score and the vulnerabilities the device may have, and can therefore accurately evaluate the security risk priority of the device.
For example, if vulnerability information of a device indicates that there are multiple serious vulnerabilities and the risk score is high, the risk priority calculated by the above formula will be high, and the system will pay attention to the devices preferentially, so as to avoid potential security threat.
Next, the protection policy generating unit generates a network security protection policy according to the risk priority, and provides protection suggestions and countermeasures. According to the device risk priority $P_i$ calculated above, the unit generates a corresponding protection policy for each device. For example, for high-risk devices, the protection policy generation unit may recommend more stringent security measures, such as limiting port access, enabling multi-factor authentication, or isolating the device.
For example, for devices with higher risk priorities, the protection policy may include restricting external access, updating firmware, applying patches, etc., and for devices with lower risk priorities, only periodic monitoring and vulnerability scanning may be required.
For example, a device may have a higher risk priority, and the protection policy generation unit may suggest deep security inspection and firewall reinforcement to reduce the risk of attack.
Then, the emergency response recommending unit recommends emergency response measures for high-risk devices according to the risk assessment result. Its task is to recommend targeted emergency response measures according to the risk assessment result of the device, and in particular according to the state of high-risk devices. Emergency response measures typically include temporarily isolating devices, enabling emergency firewall rules, blocking potential attack sources, and the like.
For example, if the risk score of a key device is above a set threshold, the emergency response recommendation unit may suggest isolating the device immediately and fixing its vulnerabilities, to prevent a potential attack from affecting the entire network.
And finally, the decision output unit outputs a network security management decision suggestion according to the generated protection strategy and emergency response measures. These suggestions are referenced by the network administrator to assist them in making appropriate security decisions. The decision output unit combines the protection strategy, the emergency response measures and the overall security situation of the network, and provides comprehensive decision support for an administrator.
This process provides a comprehensive protection scheme for network administrators based on risk assessment, helping them make timely and efficient decisions in the face of security threats.
For example, if the risk scores of multiple devices are high, the decision output unit may suggest to strengthen the overall protection of the network, prioritize security issues for high risk devices, and prepare emergency response measures to deal with possible attacks.
In summary, the decision support module in this embodiment comprehensively supports the network security management decision through the functional units such as risk priority assessment, protection policy generation, emergency response recommendation and decision output. The risk priority assessment unit assesses the security risk priority of the equipment according to the risk score and the vulnerability information of the equipment, the protection strategy generation unit generates a network security protection strategy according to the priority, the emergency response recommendation unit recommends emergency response measures for the high-risk equipment, and the decision output unit comprehensively generates network security management decision suggestions. Through the cooperation of the modules, the decision support module provides high-efficiency and accurate decision support for a network manager, and improves the safety and management efficiency of the network.
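The decision support pipeline (priority assessment, protection policy, emergency response, decision output), as an added example that is not the patent's own code. The page does not reproduce its priority formula, so this example assumes the weighted form $P_i = w_1 R_i + w_2 \cdot \mathrm{agg}_j(V_{ij})$ with constructed weights, a constructed emergency threshold and a constructed device inventory; it goes slightly beyond the text by comparing a sum aggregator with a max aggregator, because that choice decides whether many low-severity vulnerabilities can outrank one critical one.

```python
from dataclasses import dataclass

W1, W2 = 0.6, 0.4          # assumed weighting coefficients w_1, w_2
EMERGENCY_THRESHOLD = 8.0  # assumed R_i threshold for emergency response on key devices


@dataclass
class Device:
    name: str
    risk: float              # R_i from the risk assessment module, 0..10
    vulns: tuple             # V_ij: severities of known vulnerabilities, 0..10 each
    key_asset: bool = False  # "key device" in the page's sense


def priority(dev, agg="max"):
    """P_i under the assumed weighted form. 'sum' lets many low-severity vulns
    outrank one critical one; 'max' keeps P_i on the 0..10 scale and prefers
    the single worst vulnerability."""
    if not dev.vulns:
        v = 0.0
    elif agg == "sum":
        v = sum(dev.vulns)
    elif agg == "max":
        v = max(dev.vulns)
    else:
        raise ValueError(f"unknown aggregator {agg!r}")
    return round(W1 * dev.risk + W2 * v, 2)


def protection_policy(p):
    """Protection policy generation unit: tiered measures named on the page,
    with constructed tier thresholds."""
    if p >= 8.0:
        return ["isolate device", "restrict external access",
                "apply patches/firmware", "enable multi-factor authentication"]
    if p >= 5.0:
        return ["limit port access", "update firmware", "apply patches"]
    return ["periodic monitoring", "vulnerability scanning"]


def emergency_response(dev):
    """Emergency response recommendation unit: key devices above the threshold."""
    if dev.key_asset and dev.risk > EMERGENCY_THRESHOLD:
        return ["isolate immediately", "enable emergency firewall rules",
                "block potential attack sources", "fix vulnerabilities"]
    return []


def decide(devices, agg="max"):
    """Decision output unit: devices ranked by P_i, each with policy and response."""
    ranked = sorted(devices, key=lambda d: priority(d, agg), reverse=True)
    return [{"device": d.name, "priority": priority(d, agg),
             "policy": protection_policy(priority(d, agg)),
             "emergency": emergency_response(d)} for d in ranked]


SAMPLE = [  # constructed inventory
    Device("plc1", risk=8.5, vulns=(9.8,), key_asset=True),
    Device("hmi1", risk=6.0, vulns=(3.1, 2.5, 4.0, 3.3, 3.9)),
    Device("cam1", risk=2.0, vulns=()),
]

if __name__ == "__main__":
    for agg in ("max", "sum"):
        print(agg, [(r["device"], r["priority"]) for r in decide(SAMPLE, agg)])
```

With the max aggregator plc1 (one critical vulnerability, key asset) ranks first and is the only device given an emergency response; with the sum aggregator hmi1's five moderate findings push it above plc1 and into the isolation tier, which is the distortion the administrator has to be aware of when choosing $w_2$ and the aggregation.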
For the visualization module, in this embodiment, the design and implementation of the visualization module aims at displaying the device state, the topology structure, the risk assessment result and the network security situation in the network in a graphical manner, and provides an intuitive and easy-to-understand interface for a network administrator, so as to support more effective network management and decision. The module converts complex network data into visual graphics and reports through the cooperation of multiple subunits, so that an administrator can quickly identify potential problems and take corresponding protective measures.
First, the task of the device state visualization unit is to display the current state (e.g., online, offline, configuration change, etc.) of each device in the network graphically. The status information of the device is typically obtained in real time by the device status monitoring unit and presented via a graphical interface. For example, an online device may be displayed as a green dot, while an offline device may be displayed as a red dot or icon. Device configuration changes may be represented by change marks or color changes.
In the graphic presentation, the device status visualization unit usually adopts a device icon, color coding, and other modes, so that a network administrator can intuitively check the health status of the device. For example, assuming that the status of a device changes to offline, the device status visualization unit may immediately identify the device in red in the graphical interface, alerting the administrator that the device may need to be checked and repaired. The dynamic change of the device state can be presented through a real-time chart or a state update panel, so that an administrator can be ensured to acquire the device state change in the network in time.
Next, the topology visualization unit is responsible for converting the topology of the devices in the network into a visualized network diagram, showing the physical and logical connection relationships between the devices. The topology information is typically provided by a device topology building unit that generates a connection graph between devices by analyzing device scan results and network communication data.
Visualization of the topology may employ a node-edge model, where each device is represented as a node and the connection between devices is represented by an edge (line). Important devices in the network, such as core switches and routers, may be identified by larger and more prominent nodes, and information such as communication paths and connection ports between the devices may be represented by different colors, thicknesses or line styles (solid or dashed) of the edges.
The topological structure diagram not only shows the connection relation between the devices, but also can combine dynamic data to show the information such as the communication frequency, the load condition and the like of the devices. For example, the connection lines between devices may be differentiated by color or width changes based on the frequency of communication, helping an administrator identify bottlenecks or high traffic areas in the network.
The risk assessment visualization unit converts the device risk score calculated by the risk assessment module into a visual form, so that an administrator can quickly identify high-risk devices. The risk score is typically represented by a numerical value or by color coding: the higher the value, the greater the risk, and the color may change from green (low risk) through yellow to red (high risk), visually presenting the security risk present in the network.
For example, assuming that the risk score of a device is high, the risk assessment visualization unit may display the risk score of the device as red, and label a corresponding value to alert an administrator that the device may have a potential safety hazard. The system can also allow an administrator to click on specific equipment through an interaction function to view detailed risk information such as the type of the vulnerability, the vulnerability restoration state, the connection relation among the equipment and the like, so that the administrator is helped to deeply analyze the equipment risk.
The security situation visualization unit converts the output of the network security situation analysis unit into a graphical interface to display the security state of the whole network. Through this unit, the administrator can see the security situation of the whole network, including high-risk areas, potential attack areas, key nodes, etc. The security posture of the network is typically presented in the form of a graph, heat map, pie chart, or the like to help administrators identify potential threats and vulnerabilities in the network.
For example, the system may display high-risk areas in the network as a heat map, with the color intensity reflecting the security risk level of the area. The administrator can check the detailed information of the related devices by clicking on different areas and take targeted protective measures. The security situation visualization unit can also update the network security situation from real-time data, helping an administrator respond quickly to security problems in the network.
The data report visualization unit is responsible for presenting detailed security reports of the network in the form of charts or dashboards to help administrators view and analyze historical security data of the network. The data report visualization unit typically combines network history status, vulnerability scanning results, emergency response records, etc., to generate a comprehensive security report. The data in the report may include vulnerability restoration progress, device health status, risk score changes, etc., and is presented via various charts and trend lines.
For example, the data report visualization unit may generate a line graph of changes in risk scores for devices in the network over the past 30 days, helping an administrator identify which devices have significant changes in risk scores. The chart is not only helpful for an administrator to know the change of the network security situation, but also can provide basis for subsequent security policy adjustment.
The interactive function is an important component in the visualization module that allows an administrator to interact with the graphical interface to obtain more detailed information. Through the interaction function, an administrator can click on any node in the device or the topological graph to view the detailed state, risk score, vulnerability information, communication data and the like of the device. The design of the interactive interface typically includes zoom-in, zoom-out, drag, click operations, etc., that enable the administrator to flexibly view and analyze different parts of the network.
For example, in the topology structure diagram, an administrator may view detailed information of the device, including devices connected thereto, communication protocols, port opening conditions, vulnerability information, and the like, by clicking on a certain node. In addition, the administrator can also adjust the view angle by dragging the topological graph to view the structure of the whole network.
In summary, the visualization module in this embodiment presents the complex network security information to the network administrator in a graphical and visual manner through the coordination of the sub-units such as the device status visualization, the topology structure visualization, the risk assessment visualization, the security situation visualization, and the data report visualization. In this way, an administrator can more easily understand the health of the network, identify potential safety hazards, assess risk, and take corresponding safeguards. The visual function of the module not only improves the efficiency of network security management, but also enhances the real-time monitoring capability of an administrator on network conditions.
In general, the system of the present invention includes functional modules for asset identification, topology analysis, risk assessment, dynamic updating, decision support, and visualization. By means of device scanning and classification, the system can automatically identify devices in the network and construct a topological structure among the devices. And combining the technologies of graph convolution network and the like, the system dynamically calculates the security risk of the equipment and updates the risk score in real time when the state of the equipment changes. Based on the risk assessment result, the system generates a protection strategy and emergency response measures, and displays network topology, equipment states and security situations through a graphical interface to help a network administrator to make scientific decisions. The system improves the automation degree of network security management, and supports real-time monitoring, risk identification and effective protection of the network.
Referring to fig. 2, the invention further provides an online monitoring method for network security in the industrial field, which realizes real-time monitoring and risk assessment of network equipment by the following steps:
S1, acquiring equipment information in a network through a stateless scanning technology, and constructing an equipment topological graph. The method comprises the steps of sending a detection packet to equipment in a network, acquiring basic information of the equipment, including IP addresses, equipment types, operating system versions and the like, generating a network topological graph based on connection relations among the equipment, and displaying physical and logical connection among the equipment.
S2, carrying out topology data analysis on the equipment topology graph, and identifying the connection modes and weak points among the equipment. By analyzing the connection relationships between the devices, the system identifies possible weak links, such as redundant paths, single points of failure or weak connections between devices, and provides a basis for subsequent security analysis.
S3, generating equipment risk scores based on the graph convolution network combined with the vulnerability database, and outputting risk assessment results. Combining the vulnerability information and the network topology data of the equipment, the system evaluates the risk score of each device with a graph convolution network model, thereby obtaining the potential security risk of each device, and outputs the corresponding risk assessment result.
S4, periodically updating equipment information and the topological structure, and adjusting the risk assessment result in real time. The state and topology of the equipment change over time; the system periodically acquires the latest state information of the equipment and adjusts the risk assessment result based on the updated topology, so that the risk assessment is kept up to date.
S5, generating a network security management decision suggestion according to the risk assessment result. Based on the risk score of the device and the latest state of the network topology, the system generates corresponding security management decision suggestions, including protective measures, emergency response schemes and the like, to help the administrator make timely and effective decisions.
S6, carrying out multidimensional visual display of the equipment state and the risk assessment result by region, manufacturer and vulnerability category. Through the graphical interface, the system displays the equipment state, the risk assessment result and the vulnerability information along different dimensions, so that an administrator can intuitively check the security situation of the network and make corresponding adjustments.
Through the steps, the network security online monitoring method in the industrial field can comprehensively monitor the state, risk and topology structure of the network equipment, provide timely and effective security management decision support, and realize dynamic risk assessment and response.
Although embodiments of the present invention have been shown and described, it will be understood by those skilled in the art that various changes, modifications, substitutions and alterations can be made therein without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.