This article proposes a SOAR threat rapid response framework for power grid network security, which focuses on addressing response latency, unknown threat handling, and cross system collaboration issues in massive heterogeneous terminal scenarios. The design concept is centered around the “intelligent analysis cloud edge collaboration dynamic orchestration”: the intelligent analysis layer adopts an open set transfer learning algorithm to construct an attack chain temporal model, achieving precise separation of known/unknown attacks and breaking through the bottleneck of missed reports caused by traditional rule base dependencies; The execution layer relies on 5G MEC edge nodes to achieve localized real-time response (such as substation terminal isolation), central cloud global strategy scheduling, and meet the millisecond level low latency requirements of power business; Design a dedicated script library for the power grid at the orchestration layer, integrating attack stage identification and adaptive response logic (such as automatic IP blocking for brute force cracking events, log tracing, generating work orders), and linking existing security tools through the STIX/TAXII protocol. The experiment achieved good results, verifying the effectiveness of the scheme.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Design of Rapid Response and Disposal for Threats Based on SOAR Security Orchestration and Automated Response Technology

  • Peng Yang,
  • Dunquan Wang,
  • Shu Zheng,
  • Jialiang Wang

摘要

This article proposes a SOAR threat rapid response framework for power grid network security, which focuses on addressing response latency, unknown threat handling, and cross system collaboration issues in massive heterogeneous terminal scenarios. The design concept is centered around the “intelligent analysis cloud edge collaboration dynamic orchestration”: the intelligent analysis layer adopts an open set transfer learning algorithm to construct an attack chain temporal model, achieving precise separation of known/unknown attacks and breaking through the bottleneck of missed reports caused by traditional rule base dependencies; The execution layer relies on 5G MEC edge nodes to achieve localized real-time response (such as substation terminal isolation), central cloud global strategy scheduling, and meet the millisecond level low latency requirements of power business; Design a dedicated script library for the power grid at the orchestration layer, integrating attack stage identification and adaptive response logic (such as automatic IP blocking for brute force cracking events, log tracing, generating work orders), and linking existing security tools through the STIX/TAXII protocol. The experiment achieved good results, verifying the effectiveness of the scheme.