
Research On Theory And Key Technologies Of Information Security Operation Audit System

Posted on: 2015-10-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: W C Cui
GTID: 1222330470970968
Subject: Control theory and control engineering

Abstract/Summary:
The construction of the smart grid has greatly advanced informatization in the electric power industry. As the information industry and the power industry become deeply integrated, threats from inside the enterprise are becoming an urgent issue for power information security. At present, the power secondary system protection scheme segregates the industrial control system from the management information system by following the regional protection strategy. It focuses mainly on preventing external attacks and is inadequate for protecting against internal security risks.

In this paper, internal security threat prevention strategies and safety protection measures are researched based on the information security status of the power industry. Focusing on the operation and maintenance safety of information systems, a behaviour management and control model based on auditing is studied in order to guard against the security risks brought by internal users' irregular operations. The main contributions of this dissertation are summarized as follows:

(1) Analyzes the research status of the business and security of power industry information systems, and studies the security threats faced by power information system business and the safety requirements of system operation and maintenance. On this basis, proposes an operation and maintenance auditing model, and designs a bypass monitoring auditing network model and a proxy-based operation and maintenance auditing network model. Combining the role-based access control (RBAC) model and general framework access control (GFAC), the access control mechanisms of the information system operation and maintenance auditing model are formally described and analyzed.

(2) Studies the key technologies of the operation and maintenance audit system, mainly an efficient network packet capture technology and a data flow recombination technology. The main contents are:

① The traditional network packet capture method requires many data copies and context switches, which makes it inefficient. This paper studies a "zero copy" technology for network data packets which, using a "lock free" data synchronization mechanism, significantly reduces the overhead of data copying and context switching.
② Studies a shared-memory-based technology for fast data stream recombination. According to the characteristics of this system, simplifies the processing of the TCP protocol and designs an efficient TCP stream state machine, achieving efficient data forwarding.
③ Proposes an adaptive dual protocol stack technique for effectively handling data sent to this machine or sent out from it.
④ Proposes the local-area-adaptive-hash (LAAH) to quickly find and locate TCP data packets. Exploiting the locality of network data, it uses the "move to front" method to deal with conflicting nodes, which effectively reduces the search time. Tests in a simulated power industry operation audit application show that the LAAH algorithm has good efficiency.

(3) Studies protocol analysis and playback technology for character-command-based and graphics-based protocols. Studies the network virtual terminal (NVT) control command sequence. Studies the principle and analysis method of RDP (Remote Desktop Protocol), and then designs and implements a replay program for RDP sessions, including the playback file and a player that supports time control and play control.

(4) For common maintenance protocols, analyzes the security risks in the authentication process and studies methods of enhancing authentication security. Proposes the dynamic random user password (DRUP) model: a disposable dynamic random user name and password are transported through a trusted network channel and then used for login verification over an untrusted or security-risky network channel, which solves the problem of user credentials leaking during authentication.

(5) According to the operation and maintenance safety requirements of a provincial electric power company, and based on the audit model and key technologies researched, designs and implements an operation audit system software suite using a component-based architecture, and installs, deploys, runs and tests it.
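The "move to front" handling of conflicting nodes mentioned in item ④, sketched as an added example: this is not code from the dissertation and not its LAAH algorithm, whose adaptive details the abstract does not give. It is a chained flow table keyed on the TCP 4-tuple in which a hit behind the head of a chain is moved to the front, so packets of an active session are found on the first probe. The table size, hash function and all names are assumptions, and the sample flows are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NBUCKETS 4  /* assumed; tiny so the constructed flows collide */
struct flow_key { uint32_t saddr, daddr; uint16_t sport, dport; };
struct flow { struct flow_key key; struct flow *next; };
static struct flow *table[NBUCKETS];

static unsigned bucket_of(const struct flow_key *k) {  /* assumed hash */
    uint32_t h = k->saddr ^ k->daddr ^ (((uint32_t)k->sport << 16) | k->dport);
    return (h ^ (h >> 16)) % NBUCKETS;
}

static int key_eq(const struct flow_key *a, const struct flow_key *b) {
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

/* New streams go to the head of their bucket's chain. */
struct flow *flow_insert(struct flow_key k) {
    struct flow **head = &table[bucket_of(&k)], *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    f->key = k; f->next = *head; *head = f;
    return f;
}

/* Walk the chain; on a hit behind the head, unlink the node and move it
 * to the front. *probes receives the number of nodes compared. */
struct flow *flow_lookup(struct flow_key k, int *probes) {
    struct flow **head = &table[bucket_of(&k)], **pp = head;
    *probes = 0;
    for (struct flow *f = *pp; f; pp = &f->next, f = f->next) {
        ++*probes;
        if (!key_eq(&f->key, &k)) continue;
        if (pp != head) { *pp = f->next; f->next = *head; *head = f; }
        return f;
    }
    return NULL;
}

int main(void) {  /* constructed sample: three flows in one bucket */
    struct flow_key a = {0x0A000001u, 0x0A000002u, 40000, 22}, b = a, c = a;
    int p1, p2;
    b.sport = 40004; c.sport = 40008;
    flow_insert(a); flow_insert(b); flow_insert(c);   /* chain: c, b, a */
    flow_lookup(a, &p1); flow_lookup(a, &p2);
    printf("probes for a: %d, then %d\n", p1, p2);
    return 0;
}
```

A lookup that misses still walks the whole chain, so move-to-front only pays off when traffic shows the locality the abstract relies on.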
Keywords/Search Tags: Electric Power Information Security, Operation Audit Model, Data Flow Reorganization, Protocol Reorganization, Authentication Security