CN106651183B - Communication data security audit method and device of industrial control system - Google Patents


Publication number: CN106651183B
Authority: CN (China)
Prior art keywords: business, service, control system, behavior, industrial control
Legal status: Active
Application number: CN201611216266.5A
Other languages: Chinese (zh)
Other versions: CN106651183A
Inventors: 陈亚宁, 陈惠欣
Current assignee: Insec Technology Beijing Co ltd
Original assignee: Insec Technology Beijing Co ltd
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities

Abstract

The invention discloses a communication data security auditing method and device for an industrial control system. The method comprises the following steps: analyzing the obtained communication data to determine the business behavior data contained in the communication data; determining, according to the business behavior data, the business rule set that the industrial control system must satisfy in order to execute the business behavior; and judging whether the current state of the industrial control system satisfies the business rule set, and making a corresponding record. The beneficial effects of the embodiment of the invention are that, when the communication data are examined, not only the communication behavior of the communication data but also the business behavior represented by that communication behavior is determined, so that whether the business behavior conforms to the corresponding business rules is judged and recorded. Therefore, when a problem occurs in the industrial control system, the communication data that caused the problem can be determined from only the recorded communication data that do not conform to the business rules. This improves the efficiency of troubleshooting or threat investigation and saves time for restoring the industrial control system as soon as possible.

Description

Communication data security audit method and device of industrial control system
Technical Field
The invention relates to the field of industrial control security, and in particular to a communication data security audit method and device for an industrial control system.
Background
In an industrial control system, intelligent electronic devices (IEDs) communicate with one another through a communication protocol. To make the behavior of the industrial control system traceable, to identify dangerous operations and to guarantee the security of the industrial control system, a security audit of the communication data in the industrial control system is required.
Traditional security auditing parses the communication data according to the communication protocol, records the field information in the communication data, and forms an audit record of communication behaviors. It does not take the business functions of the industrial control system into account: it identifies the communication behavior only from the communication primitives of the communication protocol and cannot identify which business function that communication behavior represents, i.e. it cannot identify the business behavior represented by the communication behavior. Nor does it take the business rules of the industrial control system into account, so it cannot audit and analyze, according to those business rules, the business behavior that the communication behavior represents.
Because of these problems, the traditional security auditing method can only audit the communication behavior in the industrial control system; it cannot identify the business behavior, cannot audit whether the business behavior satisfies the business rules, and cannot meet the security auditing requirements of the industrial control system. The prior art merely determines the communication behavior of the communication data by identifying communication primitives, for example that a piece of communication data reads data from or writes data to a certain node (IED). When a problem occurs in the industrial control system, all of the audited and recorded communication data must be examined one by one to determine the communication data that caused the problem, so the efficiency of fault or threat elimination is low. For an industrial control system with extremely high real-time requirements this results in a huge loss.
Disclosure of Invention
The embodiment of the invention provides a communication data security auditing method and device for an industrial control system, to solve at least one of the above technical problems.
In a first aspect, an embodiment of the present invention provides a method for auditing the communication data security of an industrial control system, including: analyzing the obtained communication data to determine the business behavior data contained in the communication data; determining, according to the business behavior data, the business rule set that the industrial control system must satisfy in order to execute the business behavior; and judging whether the current state of the industrial control system satisfies the business rule set, and making a corresponding record.
In a second aspect, an embodiment of the present invention further provides a communication data security audit device for an industrial control system, the device including:
a data analysis module, used to analyze the acquired communication data to determine the business behavior data contained in the communication data;
a business rule set determining module, used to determine, according to the business behavior data, the business rule set that the industrial control system must satisfy in order to execute the business behavior;
and a judging and recording module, used to judge whether the current state of the industrial control system satisfies the business rule set, and to make a corresponding record.
In a third aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium, where one or more programs including execution instructions are stored, where the execution instructions can be read and executed by an electronic device (including but not limited to a computer, a server, or a network device, etc.) to perform the communication data security auditing method of any one of the above-mentioned industrial control systems of the present invention.
In a fourth aspect, an electronic device is provided, comprising: the system comprises at least one processor and a memory which is in communication connection with the at least one processor, wherein the memory stores instructions which can be executed by the at least one processor, and the instructions are executed by the at least one processor so as to enable the at least one processor to execute the communication data security auditing method of any industrial control system.
In a fifth aspect, the embodiment of the present invention further provides a computer program product, where the computer program product includes a computer program stored on a non-volatile computer-readable storage medium, and the computer program includes program instructions, and when the program instructions are executed by a computer, the computer executes the communication data security auditing method of any one of the industrial control systems.
The beneficial effects of the embodiment of the invention are as follows: when the communication data are examined, not only the communication behavior of the communication data but also the business behavior represented by the communication behavior is determined, and whether the business behavior conforms to the corresponding business rule set is judged and recorded. Therefore, when a problem occurs in the industrial control system, the communication data that caused the problem can be determined from only the recorded communication data that do not conform to the business rules. This shortens the time needed to determine the factor that caused a fault or threat, improves the efficiency of troubleshooting faults or threats, and saves time for recovering the industrial control system as soon as possible.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
FIG. 1 is a flow chart of an embodiment of a communication data security auditing method of an industrial control system according to the present invention;
FIG. 2 is a flowchart of an embodiment of step S12 in FIG. 1;
FIG. 3 is a schematic structural diagram of a business function model according to an embodiment of the present invention;
FIG. 4 is a block diagram of an example of a business function model in an embodiment of the invention;
FIG. 5 is a schematic structural diagram of a business rule model according to an embodiment of the present invention;
FIG. 6 is a block diagram of an example of a business rule model in an embodiment of the invention;
FIG. 7 is a flowchart of an embodiment of step S13 in FIG. 1;
FIG. 8 is a block diagram of an embodiment of a communication data security audit device of the industrial control system according to the present invention;
FIG. 9 is a block diagram of an embodiment of a business rule determining module of a communication data security auditing apparatus of an industrial control system according to the present invention;
FIG. 10 is a block diagram of an embodiment of a determination record module of a communication data security audit device of the industrial control system according to the present invention;
FIG. 11 is a schematic structural diagram of an embodiment of an electronic device according to the invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
As used in this disclosure, "module," "device," "system," and the like can refer to a computer-related entity, either hardware, a combination of hardware and software, or software in execution. In particular, for example, an element may be, but is not limited to being, a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. Also, an application or script running on a server, or a server, may be an element. One or more elements may be in a process and/or thread of execution and an element may be localized on one computer and/or distributed between two or more computers and may be operated by various computer-readable media. The elements may also communicate by way of local and/or remote processes based on a signal having one or more data packets, e.g., from a data packet interacting with another element in a local system, distributed system, and/or across a network in the internet with other systems by way of the signal.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
As shown in fig. 1, a method for auditing communication data security of an industrial control system according to an embodiment of the present invention includes:
S11, analyzing the acquired communication data to determine the business behavior data contained in the communication data;
S12, determining, according to the business behavior data, the business rule set that the industrial control system must satisfy in order to execute the business behavior;
and S13, judging whether the current state of the industrial control system satisfies the business rule set, and making a corresponding record.
The communication data security auditing method of the industrial control system may be executed by a data security auditing device. In step S11, the communication data in the industrial control system are obtained by deploying the data security audit device in parallel with the switch of the industrial control system. In the method of this embodiment, when the communication data are examined, not only the communication behavior of the communication data but also the business behavior represented by the communication behavior is determined, so that whether the business behavior conforms to the corresponding business rule set is judged and recorded (both the cases in which the business rule set is satisfied and those in which it is not are recorded). Therefore, when a problem occurs in the industrial control system, the communication data that caused the problem can be determined from only the recorded communication data that do not conform to the business rule set. The time needed to determine the factor that caused a fault or threat is shortened, and time is saved for restoring the industrial control system as soon as possible.
As shown in fig. 2, in some embodiments the business behavior data include at least a target intelligent electronic device identifier and an operation behavior identifier, and step S12, determining according to the business behavior data the business rule set that the industrial control system must satisfy in order to execute the business behavior, includes:
S121, determining the business behavior according to the target intelligent electronic device identifier and the operation behavior identifier;
and S122, determining the business rule set corresponding to the business behavior according to a pre-established business rule model.
In this embodiment, determining the business behavior according to the target intelligent electronic device identifier and the operation behavior identifier in step S121 includes: determining the business behavior from a pre-generated business function model according to the obtained target intelligent electronic device identifier and operation behavior identifier.
Fig. 3 is a schematic structural diagram of a pre-established business function model. The industrial control system is composed of a plurality of IEDs, each IED has specific attributes and specific methods, and the IEDs, attributes and methods of the industrial control system are organized to form the business function model of the industrial control system. The business function model shown in FIG. 3 includes a plurality of intelligent electronic devices IED-1, IED-2, …, IED-N (or IED1, IED2, …, IEDN), together with the attributes and methods corresponding to each intelligent electronic device.
Fig. 4 is a schematic structural diagram of an embodiment of a business function model. In this example the business function model of the industrial control system comprises two intelligent electronic devices, IED-1 and IED-2 (IED-1 and IED-2 are the unique identifiers of the corresponding intelligent electronic devices, i.e. the target intelligent electronic device identifiers), and each IED comprises a plurality of attributes and methods. The business function model defines a unique identifier (i.e. an operation behavior identifier) for each of those attributes and methods.
In the above embodiment, the business behavior represented by the communication data is determined by analyzing the target intelligent electronic device identifier and the operation behavior identifier contained in the acquired communication data. For example, when the target intelligent electronic device identifier parsed from a communication packet is IED-1 and the operation behavior identifier is YX1, the business behavior represented by the communication packet is access to remote signal 1 of intelligent electronic device IED-1; likewise IED-1 with YC1 identifies telemetry 1 of IED-1, IED-1 with YK1 identifies remote control 1 of IED-1, and so on. The attribute states (values) and method states (execution results) are stored in the business function model. In this embodiment, therefore, comparing the parsed target intelligent electronic device identifier and operation behavior identifier with the pre-generated business function model to determine the business behavior corresponding to the communication packet greatly improves the efficiency of determining the business behavior of the communication data. Moreover, since each intelligent electronic device has a unique identifier and each operation behavior identifier is unique within its intelligent electronic device, the accuracy of determining the business behavior of the communication data is also ensured.
Fig. 5 is a block diagram of an embodiment of the business rule model of the embodiment of the present invention. The business rule model of step S122 in the above embodiment is formed by establishing the correspondence between every business behavior in the industrial control system and its business rules. The business rule model of the industrial control system shown in fig. 5 includes a plurality of business behaviors (business behavior 1, business behavior 2, …); each business behavior comprises a plurality of business rule groups, and each business rule group further comprises a plurality of business rules.
Fig. 6 is a schematic structural diagram of a specific embodiment of the business rule model.
Business behavior: a business behavior is an access to an IED attribute or method in the business function model, for example IED1 remote control 1, IED2 remote control 2 select and IED2 remote control 2 execute in FIG. 6.
Business rule: a business rule is a condition that must be satisfied in order to perform a certain business behavior. A business rule may be expressed as a logical expression, which may contain logical operators, numeric or string constants, mathematical operators or functions, the current date or time, attribute or method identifiers defined in the business function model, and so on.
By referencing the attribute or method identifiers defined in the business function model, the business rule model can refer to the corresponding states of the business function model. In this embodiment the business function model and the business rule model are designed for the security audit requirements of the industrial control system, in order to perform its security audit. The business function model and the business rule model of the industrial control system are established in advance; when the communication data in the industrial control system are audited and analyzed, the communication primitives (including at least the target intelligent electronic device identifier and the operation behavior identifier) are identified according to the communication protocol, the business behavior is identified on the basis of the business function model, and the reasonableness of the business behavior is then audited on the basis of the business rule model to obtain the audit result. Thus the embodiment of the invention not only audits and records the communication behavior corresponding to the communication data, but also audits and records the business behavior corresponding to the communication data and whether that business behavior conforms to the corresponding business rules. The behavior of the industrial control system thereby becomes traceable, the efficiency and accuracy of troubleshooting and of identifying dangerous operations are improved, and the security of the industrial control system is ensured.
In some embodiments, the business rule set includes a plurality of business rule groups, and each business rule group includes a plurality of business rules. If all of the business rules in a business rule group are true, the business rule group is judged to be true; if any business rule is false, the business rule group is judged to be false.
When a business behavior is examined, the business behavior is considered reasonable as long as any one of its corresponding business rule groups is judged to be true; if all of the business rule groups are judged to be false, the business behavior is considered unreasonable.
As shown in fig. 7, in some embodiments, judging whether the current state of the industrial control system satisfies the business rule set and making a corresponding record includes:
S131, judging whether the current state of the industrial control system satisfies the plurality of business rule groups;
S132, when the current state of the industrial control system is judged to satisfy any one business rule group, determining that the current state of the industrial control system satisfies the business rule set, and recording;
S133, when the current state of the industrial control system is judged to satisfy none of the business rule groups, determining that the current state of the industrial control system does not satisfy the business rule set, and recording.
In the example of the business rule model shown in fig. 6, three business behaviors are defined, each business behavior corresponds to two business rule groups, and each business rule group includes a plurality of business rules. Business rule group 1 of the business behavior IED-1 remote control 1 comprises two business rules: the logical expression of rule 1 is YX1 = 1, meaning that remote signal 1 of IED1 is in the closed (on) position, and the logical expression of rule 2 is YX2 = 0, meaning that remote signal 2 of IED1 is in the open (off) position. When the business behavior IED1 remote control 1 is examined, it is first determined whether business rule group 1 is true and, if not, whether business rule group 2 is true. To judge business rule group 1, business rule 1 is judged first; if business rule 1 is true, business rule 2 is judged, and if business rule 2 is also true, business rule group 1 is judged to be true; otherwise business rule group 1 is judged to be false. Business rule group 2 is then judged by the same procedure. If business rule group 1 is true or business rule group 2 is true, the business behavior IED1 remote control 1 is determined to be reasonable; otherwise it is determined to be unreasonable.
In some embodiments, the execution result of one business behavior is one of the business rules that another business behavior must satisfy. As shown in fig. 6, the execution result of the business behavior IED-2 remote control 2 select is a business rule (rule 9 and rule 12 respectively) contained in business rule group 5 and business rule group 6 of the business behavior IED-2 remote control 2 execute.
This embodiment thus audits the reasonableness of associated business behaviors. Reasonableness auditing of mutually associated communication packets is thereby achieved, overcoming the defect that auditing only the communication behavior of the communication data cannot audit associated communication data. For example, when the IED-2 remote control 2 select operation has failed and an IED-2 remote control 2 execute operation is nevertheless performed, the business behavior IED-2 remote control 2 execute does not conform to its business rules, yet this threat cannot be audited from the communication behavior alone. The embodiment of the invention audits and records the business behavior corresponding to the communication data at the business rule level, so that the association between communication data is discovered and recorded, and threats that simple communication behavior auditing cannot identify are discovered.
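The models and the judging procedure described above (figs. 3 to 7, steps S11 to S13 and the select/execute example of fig. 6), as an added example that is not code from the patent or from the assignee. It assumes a representation in which a parsed packet is a dict holding the target IED identifier and the operation behavior identifier, rules are strings over state identifiers such as IED1_YX1 (constructed names), and the second rule group of IED-1 remote control 1 and the select rule are constructed for illustration; only rule group 1 of IED-1 remote control 1 and the select-before-execute dependency come from the page. The rule evaluator walks the expression's syntax tree and accepts only constants, identifiers, comparisons and logical operators, rather than handing rule text to eval().

```python
# Added example, not the patent's own code.  Packet layout, state identifiers
# and the rules marked "constructed" are assumptions for illustration.
import ast
import operator

# Business function model: target IED identifier -> operation behavior identifier
# -> business behavior (YX = remote signal, YK = remote control, as on the page).
FUNCTION_MODEL = {
    "IED-1": {"YX1": "IED-1 remote signal 1", "YX2": "IED-1 remote signal 2",
              "YK1": "IED-1 remote control 1"},
    "IED-2": {"YK2_SELECT": "IED-2 remote control 2 select",
              "YK2_EXECUTE": "IED-2 remote control 2 execute"},
}

# Business rule model: behavior -> rule set = list of rule groups (any group true
# => satisfied); a group is a list of rules (all must be true).  Rules are
# logical expressions over identifiers whose values live in the model state.
RULE_MODEL = {
    "IED-1 remote control 1": [
        ["IED1_YX1 == 1", "IED1_YX2 == 0"],   # group 1: rule 1 and rule 2 of fig. 6
        ["IED1_YX1 == 0", "IED1_YX2 == 1"],   # group 2: constructed for illustration
    ],
    "IED-2 remote control 2 select": [["True"]],        # constructed: no precondition
    # Analogue of rule 9 / rule 12: execute is reasonable only after a successful select.
    "IED-2 remote control 2 execute": [["IED2_YK2_SELECT_OK == 1"]],
}

_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}


def eval_rule(expr, state):
    """Evaluate one business rule against the current model state.
    Only constants, identifiers, comparisons and and/or/not are accepted; calls,
    attribute access and anything else raise ValueError, so a rule file cannot
    run arbitrary code the way eval() would."""
    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            return state[node.id]          # attribute value or method execution result
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not ev(node.operand)
        if isinstance(node, ast.BoolOp):
            values = (ev(v) for v in node.values)
            return all(values) if isinstance(node.op, ast.And) else any(values)
        if isinstance(node, ast.Compare):
            left = ev(node.left)
            for op, comparator in zip(node.ops, node.comparators):
                if type(op) not in _CMP:
                    raise ValueError(f"disallowed comparison: {type(op).__name__}")
                right = ev(comparator)
                if not _CMP[type(op)](left, right):
                    return False
                left = right
            return True
        raise ValueError(f"disallowed construct in rule: {type(node).__name__}")
    return bool(ev(ast.parse(expr, mode="eval")))


def identify_behavior(packet):
    """S11/S121: map (target IED identifier, operation identifier) onto a behavior."""
    return FUNCTION_MODEL[packet["ied"]][packet["op"]]


def check_rule_set(rule_set, state):
    """S131: a group is true iff all its rules are true; the set is satisfied iff
    any group is true.  Returns (satisfied, per-group results)."""
    groups = [all(eval_rule(rule, state) for rule in group) for group in rule_set]
    return any(groups), groups


def audit(packet, state, log):
    """S11-S13: identify the behavior, fetch its rule set, judge it against the
    current state and record the outcome whether or not it is compliant."""
    behavior = identify_behavior(packet)
    ok, groups = check_rule_set(RULE_MODEL[behavior], state)
    log.append({"packet": packet, "behavior": behavior, "compliant": ok, "groups": groups})
    return ok


def run_demo():
    """Constructed packet sequence reproducing the page's select/execute case."""
    state = {"IED1_YX1": 1, "IED1_YX2": 0, "IED2_YK2_SELECT_OK": 0}
    log = []
    results = [
        audit({"ied": "IED-1", "op": "YK1"}, state, log),          # group 1 true
        audit({"ied": "IED-2", "op": "YK2_EXECUTE"}, state, log),  # execute before select
        audit({"ied": "IED-2", "op": "YK2_SELECT"}, state, log),   # select is reasonable
    ]
    state["IED2_YK2_SELECT_OK"] = 1   # method execution result stored in model state
    results.append(audit({"ied": "IED-2", "op": "YK2_EXECUTE"}, state, log))
    return results, log
```

Calling run_demo() yields exactly one non-compliant record, the execute issued before a successful select, which is the case the page says communication-level auditing cannot detect; the three compliant packets are recorded as well, since the method records both outcomes. Storing the select result back into the model state is what lets the execute rule reference it, mirroring the attribute and method states the business function model keeps.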
It should be noted that for simplicity of explanation, the foregoing method embodiments are described as a series of acts or combination of acts, but those skilled in the art will appreciate that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
As shown in fig. 8, an embodiment of the present invention further provides a communication data security audit apparatus 800 of an industrial control system, including:
the data analysis module 810 is configured to analyze the obtained communication data to determine service behavior data included in the communication data;
a business rule set determining module 820, configured to determine, according to the business behavior data, the business rule set that the industrial control system must satisfy in order to execute the business behavior;
and the judging and recording module 830 is configured to judge whether the current state of the industrial control system meets the service rule set, and perform corresponding recording.
The communication data security audit device of the industrial control system of this embodiment may execute the method of the above-described embodiment of the present invention. The data analysis module 810 obtains the communication data in the industrial control system by deploying the data security audit device in parallel with the switch of the industrial control system. When examining the communication data, the device of this embodiment determines not only the communication behavior of the communication data but also the business behavior represented by the communication behavior, so that whether the business behavior conforms to the corresponding business rules is judged and recorded (both the cases in which the business rules are satisfied and those in which they are not are recorded). Therefore, when a problem occurs in the industrial control system, the communication data that caused the problem can be determined from only the recorded communication data that do not conform to the business rules. The time needed to determine the factor that caused a fault or threat is shortened, and time is saved for restoring the industrial control system as soon as possible.
As shown in fig. 9, in some embodiments, the business behavior data at least includes a target intelligent electronic device identifier, an operation behavior identifier;
the business rule set determination module 820 includes:
a service behavior determining unit 821, configured to determine the service behavior according to the target intelligent electronic device identifier and the operation behavior identifier;
a business rule determining unit 822, configured to determine a business rule set corresponding to the business behavior according to a pre-established business rule model.
In some embodiments, the business rule set includes a plurality of business rule groups, the business rule groups including a plurality of business rules.
In some embodiments, the execution result of the business action is one of a plurality of business rules that another business action needs to satisfy.
As shown in fig. 10, in some embodiments, the determining and recording module 830 includes:
a compliance judging unit 831, configured to judge whether the current state of the industrial control system satisfies the plurality of business rule groups;
a first executing unit 832, configured to determine that the current state of the industrial control system satisfies the service rule set and record the current state of the industrial control system when it is determined that the current state of the industrial control system satisfies any one service rule group;
a second executing unit 833, configured to determine that the current state of the industrial control system does not satisfy the service rule set and record when it is determined that the current state of the industrial control system does not satisfy all service rule groups.
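How the rule-set check described above can be put into working code, as an added illustration that is not the patent's own implementation: the IED identifiers, operation identifiers, rule names, state keys and the handling of behaviours missing from the rule model are all constructed assumptions for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# A business rule is a named condition on the current state of the industrial control system.
Rule = Tuple[str, Callable[[dict], bool]]
# A business rule set is a list of rule groups; each group is a list of rules.
RuleSet = List[List[Rule]]

@dataclass
class AuditRecord:
    target_ied: str
    operation: str
    satisfied: bool
    failed_rules: List[str]  # rules that failed, kept so an investigator can see why

def authorized(state: dict) -> bool:
    return state.get("operator") in {"op_a", "op_b"}

def no_ground_fault(state: dict) -> bool:
    return not state.get("ground_fault", False)

# Pre-established business rule model, keyed by (target IED identifier, operation identifier).
# All IED names, operations, rule names and state keys are constructed for this example.
RULE_MODEL: Dict[Tuple[str, str], RuleSet] = {
    ("DS_101", "close"): [[("no ground fault", no_ground_fault)]],
    ("CB_101", "close"): [
        [  # group 1: normal closing sequence; the earlier DS_101 close result is itself a rule
            ("DS_101 closed first", lambda s: s.get("result:DS_101:close") is True),
            ("no ground fault", no_ground_fault),
            ("operator authorized", authorized),
        ],
        [  # group 2: maintenance override path
            ("maintenance mode", lambda s: s.get("mode") == "maintenance"),
            ("operator authorized", authorized),
        ],
    ],
}

AUDIT_LOG: List[AuditRecord] = []  # both satisfied and unsatisfied outcomes are recorded

def determine_behavior(business_data: dict) -> Tuple[str, str]:
    """Business behaviour = (target IED identifier, operation behaviour identifier)."""
    return business_data["target_ied"], business_data["operation"]

def check_rule_set(rule_set: RuleSet, state: dict) -> Tuple[bool, List[str]]:
    """Satisfied when ANY group has ALL its rules satisfied; otherwise collect failing rules."""
    failed: List[str] = []
    for group in rule_set:
        misses = [name for name, cond in group if not cond(state)]
        if not misses:
            return True, []
        failed.extend(misses)
    return False, failed

def audit(business_data: dict, state: dict) -> AuditRecord:
    """Judge the current ICS state against the behaviour's rule set and record either way."""
    ied, op = determine_behavior(business_data)
    # Assumption (not stated in the patent): a behaviour absent from the rule model is
    # treated as unsatisfied so that it shows up among the non-compliant records.
    rule_set = RULE_MODEL.get((ied, op), [[("behaviour in rule model", lambda s: False)]])
    ok, failed = check_rule_set(rule_set, state)
    record = AuditRecord(ied, op, ok, failed)
    AUDIT_LOG.append(record)
    return record

def record_result(state: dict, ied: str, op: str, success: bool) -> None:
    """Store one behaviour's execution result so a later behaviour's rules can require it."""
    state[f"result:{ied}:{op}"] = success
```

Auditing a CB_101 close before DS_101 has been closed yields an unsatisfied record that lists the failing rule of every group; after record_result(state, "DS_101", "close", True) the same behaviour is satisfied through group 1.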
The communication data security audit device of the industrial control system according to the embodiment of the present invention may be used to execute the communication data security audit method of the industrial control system according to the embodiment of the present invention, and the audit device of each embodiment corresponds to the audit method described in each embodiment one by one, and accordingly achieves the technical effects achieved by the communication data security audit method of the industrial control system according to the embodiment of the present invention, and details are not described here.
In the embodiment of the present invention, the relevant functional modules may be implemented by a hardware processor.
In another aspect, the present invention provides a non-transitory computer-readable storage medium, in which one or more programs including executable instructions are stored, where the executable instructions can be read and executed by an electronic device (including but not limited to a computer, a server, or a network device, etc.) to perform the relevant steps in the above method embodiments, for example:
analyzing the obtained communication data to determine service behavior data contained in the communication data;
determining, according to the service behavior data, the service rules that the industrial control system needs to meet in order to execute the service behavior;
and judging whether the current state of the industrial control system meets the service rule or not, and carrying out corresponding recording.
On the other hand, the embodiment of the invention also discloses an electronic device, which comprises:
at least one processor, and
a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to:
analyzing the obtained communication data to determine service behavior data contained in the communication data;
determining, according to the service behavior data, the service rules that the industrial control system needs to meet in order to execute the service behavior;
and judging whether the current state of the industrial control system meets the service rule or not, and carrying out corresponding recording.
Fig. 11 is a schematic hardware structure diagram of an electronic device for executing a method for security audit of communication data of an industrial control system according to another embodiment of the present application, and as shown in fig. 11, the device includes:
one or more processors 1110 and a memory 1120, with one processor 1110 being an example in fig. 11.
The equipment for executing the communication data security auditing method of the industrial control system can also comprise: an input device 1130 and an output device 1140.
The processor 1110, the memory 1120, the input device 1130, and the output device 1140 may be connected by a bus or other means, and the bus connection is exemplified in fig. 11.
The memory 1120 is a non-volatile computer-readable storage medium, and can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules corresponding to the communication data security auditing method of the industrial control system in the embodiments of the present application. The processor 1110 executes various functional applications and data processing of the server by running the nonvolatile software program, instructions and modules stored in the memory 1120, that is, the communication data security auditing method of the industrial control system of the above-described method embodiment is implemented.
The memory 1120 may include a program storage area and a data storage area, wherein the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created according to use of the communication data security audit device of the industrial control system, and the like. Further, the memory 1120 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, memory 1120 optionally includes memory located remotely from processor 1110, and such remote memory may be connected over a network to the communication data security audit device of the industrial control system. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 1130 may receive input numeric or character information and generate signals related to user settings and functional control of the communications data security audit device of the industrial control system. The output device 1140 may include a display device such as a display screen.
The one or more modules are stored in the memory 1120, and when executed by the one or more processors 1110, perform a communication data security auditing method of an industrial control system in any of the above-described method embodiments.
The product can execute the method provided by the embodiments of the present application, and has the functional modules and beneficial effects corresponding to that method. For technical details not described in detail in this embodiment, reference may be made to the methods provided in the embodiments of the present application.
The electronic device of the embodiments of the present application exists in various forms, including but not limited to:
(1) Mobile communication devices, which are characterized by mobile communication capabilities and are primarily aimed at providing voice and data communications. Such terminals include smart phones (e.g., the iPhone), multimedia phones, feature phones, and low-end phones, among others.
(2) Ultra-mobile personal computer devices, which belong to the category of personal computers, have computing and processing functions, and generally have the characteristic of mobile internet access. Such terminals include PDA, MID, and UMPC devices, such as the iPad.
(3) Portable entertainment devices, which may display and play multimedia content. Such devices include audio and video players (e.g., the iPod), handheld game consoles, electronic books, as well as smart toys and portable car navigation devices.
(4) Servers, which are similar to a general computer architecture but have higher requirements on processing capability, stability, reliability, security, expandability, manageability and the like, because they need to provide highly reliable services.
(5) Other electronic devices with data interaction functions.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a general hardware platform, and certainly can also be implemented by hardware. Based on such understanding, the above technical solutions substantially or contributing to the related art may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (11)

1. A communication data security audit method of an industrial control system comprises the following steps:
analyzing the obtained communication data to determine service behavior data contained in the communication data, wherein the service behavior refers to access to IED attributes or methods in a service function model;
determining, according to the service behavior data, a service rule set that the industrial control system needs to meet in order to execute the service behavior, wherein a service rule in the service rule set is a condition that must be met in order to execute a certain service behavior;
and judging whether the current state of the industrial control system meets the service rule set or not, and carrying out corresponding recording.
2. The method of claim 1, wherein the business behavior data includes at least a target intelligent electronic device identification, an operational behavior identification;
the determining, according to the business behavior data, a business rule set that the industrial control system needs to meet in order to execute the business behavior includes:
determining the business behavior according to the target intelligent electronic equipment identifier and the operation behavior identifier;
and determining a business rule set corresponding to the business behavior according to a pre-established business rule model.
3. The method of claim 1, wherein the business rule set comprises a plurality of business rule groups, the business rule groups comprising a plurality of business rules.
4. The method of claim 3, wherein the execution result of one business action is one of the plurality of business rules that another business action needs to satisfy.
5. The method according to claim 3 or 4, wherein the determining whether the current state of the industrial control system satisfies the business rule set and performing corresponding recording comprises:
judging whether the current state of the industrial control system meets the plurality of service rule groups or not;
when the current state of the industrial control system is judged to meet any one service rule group, determining that the current state of the industrial control system meets the service rule set, and recording;
and when the current state of the industrial control system is judged not to meet all the service rule groups, determining that the current state of the industrial control system does not meet the service rule set, and recording.
6. A communication data security audit device of an industrial control system comprises:
the data analysis module is used for analyzing the acquired communication data to determine service behavior data contained in the communication data, wherein the service behavior refers to access to IED attributes or methods in a service function model;
a service rule set determining module, configured to determine, according to the service behavior data, a service rule set that the industrial control system needs to meet in order to execute the service behavior, where a service rule in the service rule set is a condition that must be met in order to execute a certain service behavior;
and the judging and recording module is used for judging whether the current state of the industrial control system meets the service rule set or not and carrying out corresponding recording.
7. The apparatus of claim 6, wherein the business behavior data comprises at least a target intelligent electronic device identification, an operational behavior identification;
the business rule set determining module comprises:
a service behavior determining unit, configured to determine the service behavior according to the target intelligent electronic device identifier and the operation behavior identifier;
and the business rule determining unit is used for determining a business rule set corresponding to the business behavior according to a pre-established business rule model.
8. The apparatus of claim 6, wherein the business rule set comprises a plurality of business rule groups, the business rule groups comprising a plurality of business rules.
9. The apparatus of claim 8, wherein the execution result of one business action is one of the plurality of business rules that another business action needs to satisfy.
10. The apparatus of claim 8 or 9, wherein the judging and recording module comprises:
the compliance judging unit is used for judging whether the current state of the industrial control system meets the plurality of service rule groups or not;
the first execution unit is used for determining that the current state of the industrial control system meets the business rule set and recording when the current state of the industrial control system meets any one business rule group;
and the second execution unit is used for determining that the current state of the industrial control system does not meet the service rule set and recording when the current state of the industrial control system does not meet all the service rule groups.
11. An electronic device, comprising:
at least one processor, and
a memory communicatively coupled to the at least one processor, wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to:
analyzing the obtained communication data to determine service behavior data contained in the communication data, wherein the service behavior refers to access to IED attributes or methods in a service function model;
determining, according to the service behavior data, a service rule set that the industrial control system needs to meet in order to execute the service behavior, wherein a service rule in the service rule set is a condition that must be met in order to execute a certain service behavior;
and judging whether the current state of the industrial control system meets the service rule set or not, and carrying out corresponding recording.
CN201611216266.5A 2016-12-26 2016-12-26 Communication data security audit method and device of industrial control system Active CN106651183B (en)

Publications (2)

Publication Number Publication Date
CN106651183A CN106651183A (en) 2017-05-10
CN106651183B true CN106651183B (en) 2020-04-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant