CN109150869A - Switch information collection and analysis system and method - Google Patents

Switch information collection and analysis system and method

Info

Publication number: CN109150869A
Authority: CN (China)
Prior art keywords: switch, information, security event, analysis, snmp
Legal status: Granted
Application number: CN201810920512.8A
Other languages: Chinese (zh)
Other versions: CN109150869B (en)
Inventors: 李牧野, 韩勇, 裴培, 王黎明, 杨雨轩, 景娜, 陈功胜
Current assignee: NARI Group Corp; Nari Information and Communication Technology Co
Original assignee: NARI Group Corp; Nari Information and Communication Technology Co

Classifications

    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/12 Discovery or management of network topologies
    • H04L43/16 Threshold monitoring
    • H04L63/0876 Network security: authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L67/54 Presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users

Abstract

The invention discloses a switch information collection and analysis system and method. All information on the switches inside an industrial control system is collected through three modes; the collected data messages are filtered and screened according to filtering rules and reassembled according to a predetermined log specification; the reassembled, formatted log is sent to a message bus and consumed by an analysis unit that performs security analysis, and the analysis results are stored in a storage unit. The method is compatible with the switches of most manufacturers and models on the market and achieves real-time monitoring and early warning of the switch devices in an industrial control system.

Description

Switch information collection and analysis system and method
Technical field
The present invention relates to the field of information security technology, and in particular to a switch information collection and analysis system and method.
Background technique
With the rapid development of computer and network technology, cyber-attack techniques have developed just as quickly. In recent years, events such as the large-area power outage in Ukraine (2015), the paralysis of Internet services in the eastern United States (2016) and the global ransomware outbreak (2017) have occurred one after another, all causing considerable harm. Industrial control systems have become important targets of international cyber warfare, their security protection is under immense pressure, and a set of mature network security supervision measures needs to be established. Looking at the three phases of a network attack, contact, preparation and strike, they respectively exhibit covert contact, rapid establishment of the attack platform and strong comprehensive strike capability. These features also determine that network security protection must be carried out early, preferably discovering risks before and during contact and suppressing the attack.
Being network-centric is an important feature of industrial control systems. In an industrial control system the switch is an important communication hub device for network data transmission. Industrial control systems are usually intruded by connecting an unauthorised terminal device to a switch in the internal network and then performing dangerous operations or implanting viruses, so preventing and monitoring whether illegal devices have connected and whether the switches are working normally is most important to guaranteeing the normal operation of the industrial control system.
For this situation, a security protection means is urgently needed that can comprehensively monitor the internal network topology of the industrial control system, discover in time when illegal devices connect to internal switches, collect in real time the security events, operation behaviour and running information generated by the internal switches, and, through analysis and alarms, monitor security risks in real time and give early warning before and during contact.
Summary of the invention
To remedy the deficiencies in the prior art, the present invention provides a switch information collection and analysis system and method that can comprehensively monitor the internal network topology of the industrial control system, discover in time when illegal devices connect to internal switches, collect in real time the security events, operation behaviour and running information generated by the internal switches, and, through analysis and alarms, monitor security risks in real time and give early warning before and during contact.
To achieve the above objectives, the present invention adopts the following technical scheme: a switch information collection and analysis system, characterised by including several switches, a collection unit 1 and a collection unit 2 connected with the switches, a reassembly unit, an analysis unit, a storage unit and a display module;
Collection unit 1 collects the topology information, running information, operation behaviour and security events of the switches, and collection unit 2 receives security events from the switches; collection unit 1 stores the collected topology information directly in the storage unit for the display module to call, and the other collected information is transferred to the reassembly unit by collection unit 1 and collection unit 2 respectively;
The reassembly unit filters and screens the collected data messages according to the filtering rules and reassembles them according to a predetermined log specification to obtain formatted log information; the reassembly unit sends the formatted log information to the analysis unit through a message bus;
The analysis unit performs security analysis on the formatted log information and stores the analysis results in the storage unit.
In the above switch information collection and analysis system, the topology information collection process is as follows:
1) enter the switch device data into the switch device asset table and the switch SNMP parameter table of the storage unit;
2) the display module first draws the switch devices, defaulting to the offline state, with offline devices filled in a colour;
3) collection unit 1 detects whether each switch is online; if online, it updates the switch device asset table of the storage unit in real time, and the display module obtains the online state and fills the online switches in a colour;
4) read the SNMP parameters of the online switches and store them in the switch SNMP parameter table;
5) read the MAC address table of each network port of the online devices to obtain the MAC addresses of the peer devices; judge whether each MAC address is legal by comparing it with the MAC addresses of all host devices in the system's switch device asset table; draw legal host devices and illegal host devices separately, and draw lines connecting them to the switch they belong to.
In the above switch information collection and analysis system, the collection modes are respectively as follows:
Collection unit 1 passively receives part of the security events and all the operation behaviour information from the switches through SNMP TRAP, where that part of the security events includes: IP and MAC address conflicts and illegal device access;
Collection unit 1 actively polls the topology information of the switches through the SNMP protocol, and discovers the switches in the system, the active host devices connected to the switches and the interconnections between them by combining SNMP and IP protocol family commands with the switch device asset table of the storage unit; meanwhile, collection unit 1 can also actively poll through SNMP the running information of the switches and part of the security-event-class information, which includes CPU utilisation exceeding the threshold and memory utilisation exceeding the threshold;
Collection unit 2 passively receives the remaining security events from the switches through the SYSLOG protocol, including power module failure and CPU temperature exceeding the threshold.
A switch information collection and analysis method, characterised by comprising the steps of:
Step 1: collect the relevant information of the switches inside the industrial control system;
Step 2: filter and screen the collected switch-related information according to the filtering rules, and reassemble it according to the switch log specification to obtain formatted log information;
Step 3: send the reassembled, formatted log information to the message bus, perform security analysis on it, and store the analysis results in the storage unit.
In the above switch information collection and analysis method, the relevant information includes the topology information of the switches, and the topology information collection process is as follows:
1) enter the switch device data into the switch device asset table and the switch SNMP parameter table;
2) first draw the switch devices, defaulting to the offline state, with offline devices filled in a colour;
3) detect whether each switch is online; if online, update the switch device asset table in real time, obtain the online state and fill the online switches in a colour;
4) read the SNMP parameters of the online switches and store them in the switch SNMP parameter table;
5) read the MAC address table of each network port of the online devices to obtain the MAC addresses of the peer devices; judge whether each MAC address is legal by comparing it with the MAC addresses of all host devices in the switch device asset table; draw legal host devices and illegal host devices separately, and draw lines connecting them to the switch they belong to.
In the above switch information collection and analysis method, the relevant information includes the security events of the switches, and the security events include one of the following: IP or MAC address conflict, power module failure, CPU temperature exceeding the threshold, CPU utilisation exceeding the threshold, memory utilisation exceeding the threshold and illegal device access.
In the above switch information collection and analysis method, the relevant information includes the operation behaviour of the switches, and the operation behaviour includes one of the following: user and password management, user login, user operation.
In the above switch information collection and analysis method, the relevant information includes the running information of the switches, and the running information includes one of the following: switch uptime, CPU utilisation, memory utilisation, network packet loss rate, bit error rate, network port state, link delay, network connection status.
In the above switch information collection and analysis method, the relevant information of the switches inside the industrial control system is collected in the following modes:
passively receive part of the security events and all the operation behaviour information from the switches through SNMP TRAP, where that part of the security events includes: IP and MAC address conflicts and illegal device access;
actively poll the topology information of the switches through the SNMP protocol, and discover the switches in the system, the active host devices connected to the switches and the interconnections between them by combining SNMP and IP protocol family commands with the switch device asset table of the storage unit; meanwhile, actively poll through SNMP the running information of the switches and part of the security-event-class information, which includes CPU utilisation exceeding the threshold and memory utilisation exceeding the threshold;
passively receive the remaining security events from the switches through the SYSLOG protocol, including power module failure and CPU temperature exceeding the threshold.
In the above switch information collection and analysis method, the security analysis includes one of the following:
extract the switch running information from the running-information messages of the switch's relevant information and perform threshold judgement; if a state exceeds its threshold, generate a state-exceeds-threshold security event, and merge continuously generated state-exceeds-threshold security events into a persistent event;
extract the switch operation behaviour information from the operation-behaviour messages of the switch's relevant information, traverse the dangerous operation list preset in the storage unit to judge dangerous operations, and generate a dangerous-operation security event for each dangerous operation behaviour;
extract the switch security event information from the security event messages of the switch's relevant information, look up in the storage unit whether the event already exists, and discard repeated events, achieving security event deduplication;
track, trace and correlate all collected security events and those generated by the security analysis by time period: the security events within a certain time period are drawn on a time axis, and the security events generated by the same device are marked by switch device name or switch IP address, achieving tracking and tracing of security events; all security events that occurred on the same device are classified and analysed for their causes to obtain the internal connections between the security events, track the source of the threat and handle it in time, achieving security event correlation analysis.
Advantageous effects of the invention: the present invention is compatible with the switches of most manufacturers and models on the market and has very strong universality; it can comprehensively monitor the internal network topology of the industrial control system, discover illegal devices connecting to internal switches in time, and monitor and effectively control in real time before the threat makes contact; it can comprehensively collect in real time the security events, operation behaviour and running information generated by the internal switches, and, through analysis and alarms, monitor in real time and give early warning while the threat is accessing.
Detailed description of the invention
Fig. 1 is the architecture diagram of the switch information collection and analysis system;
Fig. 2 is the flow chart of obtaining topology information in the present invention.
Specific embodiment
The invention will be further described below with reference to the accompanying drawings. The following embodiments are only used to clearly illustrate the technical solution of the present invention and are not intended to limit its protection scope.
As shown in Figure 1, a switch information collection and analysis system includes several switches, and a collection unit 1, collection unit 2, reassembly unit, analysis unit, storage unit and display module connected with the switches;
Collection unit 1 collects the topology information, running information, operation behaviour and part of the security events of the switches in two ways, SNMP (Simple Network Management Protocol) active polling and passive reception of SNMP TRAP; collection unit 2 passively receives the remaining security events from the switches through the SYSLOG protocol. Collection unit 1 stores the collected topology information directly in the storage unit for the display module in the system to call; the other collected information (security events, operation behaviour and running information) is transferred to the reassembly unit by collection unit 1 and collection unit 2 respectively;
The reassembly unit filters and screens the collected data messages according to the filtering rules and reassembles them according to a predetermined log specification to obtain formatted log information; the reassembly unit sends the formatted log information to the analysis unit through a message bus;
The analysis unit performs security analysis on the formatted log information and stores the analysis results in the storage unit.
The storage unit can be implemented with a Dameng (DM) database.
A switch information collection and analysis method comprises the steps of:
Step 1: collect the relevant information of the switches inside the industrial control system through three modes;
The relevant information includes the topology information, security events, operation behaviour and running information of the switches.
Topology information refers to all switch devices in the industrial control system and the information on the active host devices connected to each switch;
As shown in Fig. 2, the topology information collection process is as follows:
1) enter switch device information: before system deployment, all switch device information needs to be entered into the switch device asset table and the switch SNMP parameter table of the storage unit of the switch information collection and analysis system;
2) after the system starts running, the display module first draws the switch devices, defaulting to the offline state, with offline devices filled in grey;
3) collection unit 1 detects whether each switch is online in two ways, ping and SNMP polling; if online, it updates the switch device asset table of the storage unit in real time, and the display module obtains the online state and fills the online switches in green;
4) read the SNMP parameters of the online switches and store them in the switch SNMP parameter table;
5) read the MAC address table of each network port of the online devices to obtain the MAC addresses of the peer devices; judge whether each MAC address is legal by comparing it with the MAC addresses of all host devices in the system's switch device asset table; draw legal host devices and illegal host devices separately, and draw lines connecting them to the switch they belong to.
Security events include IP or MAC address conflict, power module failure, CPU temperature exceeding the threshold, CPU utilisation exceeding the threshold, memory utilisation exceeding the threshold and illegal device access; they refer to events with a higher urgency level.
Operation behaviour includes user and password management, user login and user operation; it refers to behavioural events related to users.
Running information includes switch uptime, CPU utilisation, memory utilisation, network packet loss rate, bit error rate, network port state, link delay and network connection status; this type of information shows the running state of the switch.
The three collection modes are respectively as follows:
Collection unit 1 passively receives part of the security events and all the operation behaviour information from the switches through SNMP TRAP, where that part of the security events includes: IP and MAC address conflicts and illegal device access.
Collection unit 1 actively polls the topology information of the switches through the SNMP protocol, and discovers the switches in the system, the active host devices connected to the switches and the interconnections between them by combining SNMP and IP protocol family commands with the switch device asset table of the storage unit. Meanwhile, collection unit 1 can also actively poll through SNMP the running information of the switches and part of the security-event-class information, which includes CPU utilisation exceeding the threshold and memory utilisation exceeding the threshold.
Collection unit 2 passively receives the remaining security events from the switches through the SYSLOG protocol, including power module failure and CPU temperature exceeding the threshold.
Step 2: the reassembly unit filters and screens the collected switch-related information according to the filtering rules and reassembles it according to the switch log specification issued by State Grid to obtain formatted log information;
Because the data types reported by switch devices of different manufacturers and models and their SYSLOG log formats are not completely the same and are mixed with many invalid messages, the filtering rules need to be formulated in advance; after the security events, operation behaviour and running information of the switches are collected, the effective collected information of the switches is retrieved by comparing against the filtering rules with the BF (brute force) string-matching algorithm, and invalid data is filtered out.
The effective switch log messages are formatted and reassembled to obtain formatted log information; the reassembled data contains four classes of fields: event level, event time, device identifier and content description. The event level indicates the urgency or severity of the event; the event time is the timestamp at which the event occurred; the device identifier refers to the switch device name and uniquely identifies one switch; the content description contains the specific content of the whole event.
Step 3: send the reassembled, formatted log information to the message bus; after the analysis unit receives it and performs security analysis, the analysis results are stored in the storage unit.
The message bus uses the high-speed data bus Kafka (Kafka is a high-throughput distributed publish-subscribe message system). The reassembly unit publishes the reassembled, formatted log information to the Kafka broker (Kafka cluster server) through the producer push end of the message system.
The analysis unit, as the message system subscription end (consumer), subscribes to the switch security events, running information and operation behaviour information in the Kafka broker cluster and performs security analysis on the reassembled, formatted switch log messages. The security analysis includes deduplication of repeated events, threshold judgement, persistent event merging and dangerous operation judgement on the switch logs, as well as tracking, tracing and correlation analysis of security events by time period to find the underlying causes.
The results of the security analysis are stored in the storage unit for other functional modules to call. The storage unit is implemented with a Dameng (DM) database.
Embodiment:
Step 1: collect the relevant information of the switches inside the industrial control system through three modes;
In this embodiment, the switch device asset information is first entered in advance and stored in two tables of the Dameng database of the storage unit: the switch device asset table sw_asserts and the switch SNMP parameter table snmp_config; table sw_asserts (Table 1) stores the switch device information, and table snmp_config (Table 2) stores the SNMP parameters of all switches:
Table 1: switch device asset table (sw_asserts)
Table 2: switch SNMP parameter table (snmp_config)

NAME              ID of the corresponding switch
VERSION           SNMP protocol version number
READ_COMMUNITY    Read community name
WRITE_COMMUNITY   Write community name
RETRIES           Number of retransmissions
Collection unit 1 reads the SNMP parameters of a switch by looking up the corresponding switch ID in the snmp_config table (Table 2).
Next, the display module of the system's internal interface draws all switch devices according to the switch device asset information, with switch devices defaulting to the offline state. Whether a switch is online is detected in two ways: mode 1, ping the management port IP address LOGOIP of every switch in turn; mode 2, read each switch's parameters through the SNMP protocol. If the ping succeeds or data can be read, the device is proven online; online devices are lit up and the data read is updated into the switch SNMP parameter table.
For online devices, the MAC address table of each network port is read to obtain the MAC addresses of the peer devices, and whether each device is legal is judged by comparing against the MAC addresses of all host devices in the system asset table. Legal and illegal devices are drawn separately, distinguished by colour, with lines drawn to the switch they belong to, and finally an illegal device access alarm is reported.
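The following Python is an added example of steps 2 to 5 of the topology flow above, not the patent's own code: the asset table, switch list, MAC tables and the reachability probe are all constructed stand-ins for the storage unit, ping/SNMP polling and the per-port MAC table read.

```python
"""Topology check (added example, not the patent's code).

Constructed stand-ins: ASSET_HOSTS for the host rows of the asset table, SWITCHES
for the switch rows, SAMPLE_MAC_TABLES for the per-port MAC tables read from online
switches, and a probe() callable for the ping / SNMP reachability test.
"""
from dataclasses import dataclass, field

# Constructed asset table: authorised host devices known to the system (MAC -> name).
ASSET_HOSTS = {
    "00:11:22:33:44:01": "PLC-01",
    "00:11:22:33:44:02": "HMI-01",
    "00:11:22:33:44:03": "HIST-01",
}

# Constructed switch asset rows (name -> management IP); online state is filled at runtime.
SWITCHES = {
    "H3CS3600_SW_01": "10.0.0.1",
    "H3CS3600_SW_02": "10.0.0.2",
}

# Constructed MAC tables per switch, in the dotted form many switch CLIs print.
SAMPLE_MAC_TABLES = {
    "H3CS3600_SW_01": [("GigabitEthernet1/0/1", "0011-2233-4401"),
                       ("GigabitEthernet1/0/2", "0011-2233-4402"),
                       ("GigabitEthernet1/0/5", "0011-2233-4499")],   # not in the asset table
    "H3CS3600_SW_02": [("GigabitEthernet1/0/1", "0011-2233-4403")],
}


@dataclass
class SwitchNode:
    name: str
    online: bool = False
    colour: str = "grey"        # grey = offline, green = online, as the page draws them
    legal_hosts: list = field(default_factory=list)
    illegal_hosts: list = field(default_factory=list)


def normalise_mac(mac: str) -> str:
    """Accept 0011-2233-4401, 00:11:22:33:44:01 or 001122334401; return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_topology(probe, read_mac_table):
    """Draw switches offline, probe them, then classify each port's peer MAC.

    probe(ip) -> bool                          reachability test (step 3)
    read_mac_table(name) -> [(port, mac), ...] per-port MAC table of an online switch (step 5)
    Returns (nodes, alarms); alarms are the illegal-device-access events to report.
    """
    nodes = {name: SwitchNode(name) for name in SWITCHES}
    alarms = []
    for name, ip in SWITCHES.items():
        node = nodes[name]
        if not probe(ip):
            continue                            # unreachable: stays grey / offline
        node.online, node.colour = True, "green"
        for port, raw_mac in read_mac_table(name):
            mac = normalise_mac(raw_mac)
            if mac in ASSET_HOSTS:
                node.legal_hosts.append((port, mac, ASSET_HOSTS[mac]))
            else:
                node.illegal_hosts.append((port, mac))
                alarms.append({"level": 1, "type": "illegal_device_access",
                               "device": name, "port": port, "mac": mac})
    return nodes, alarms


def demo():
    """Run the flow with SW_01 reachable and SW_02 unreachable (constructed)."""
    reachable = {"10.0.0.1"}
    return build_topology(lambda ip: ip in reachable, lambda n: SAMPLE_MAC_TABLES[n])


if __name__ == "__main__":
    nodes, alarms = demo()
    for node in nodes.values():
        print(node)
    print(alarms)
```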
Step 2 is screened and is screened according to filtering rule to collected interchanger relevant information by recomposition unit, and Packet reassembling, the log information formatted are carried out according to the interchanger log specification that state's net is issued.
In the present embodiment, after the security incident, operation information and the operation behavior that collect the interchanger, pass through comparison Filtering rule rejects invalid data using Brute Force algorithm, retains valid data.
Recomposition unit separates event level, event time, device identification and content description from the valid data of reservation, Formatted log information instances after recombination are as shown in the table:
Structuring log information after the recombination of table 3
The event level is an Arabic numeral; four levels are defined by urgency: urgent, important, general and informational, numbered 1 to 4. The event time has the format "year-month-day hour:minute:second". The device identifier is the name of the switch that generated the event, of the form "switch model_SW_index within that model", which uniquely identifies one switch. The content description has three fields: event type, event subtype and event content; event type and subtype distinguish different events, and event content is the specific description of the event. Packet reassembly combines the event level, event type and event subtype defined in the State Grid switch log specification with the event time, the switch name from the asset table and the event description.
The first row of the table is running information: at 2017-09-03 20:12:23 the CPU threshold value reported for switch H3CS3600_SW_01 was 15%. The second row is a security event: at 2017-09-03 20:15:48 the two ports GigabitEthernet2/0/6 and GigabitEthernet2/0/8 of switch H3CS3600_SW_02 had an IP address conflict.
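Step 2 as an added Python example (not code from the patent): raw switch syslog lines are filtered against a rule table and reassembled into the record layout described above, with the message class recorded for the later topic routing. The line layout used for the constructed input (PRI, timestamp, host name, MODULE/severity/MNEMONIC, text) is an assumption modelled on Comware-style syslog, not the State Grid specification; the mapping from syslog severity to the four event levels, the rule table and the asset-table host names are hypothetical; the two sample lines reproduce the two rows described above and the rest are constructed.

```python
"""Added example (not from the patent): filter raw switch syslog lines and
reassemble them into the structured record (level, time, device, type, subtype,
content), tagging each with the message class used as the bus topic.

Assumptions: line layout "<PRI>Mon DD HH:MM:SS YYYY host %%NNMODULE/SEV/MNEMONIC(x): text"
(constructed, Comware-like); RULES and LEVEL are hypothetical filtering rules;
asset_table maps a switch host name to its "model_SW_index" identifier.
"""
import re
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Optional

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) %%\d*(?P<module>[A-Z]+)/(?P<sev>\d)/(?P<mnemonic>[A-Z_]+)\S*: (?P<text>.*)$"
)

# Filtering rule table (hypothetical): (module, mnemonic) -> (topic, event type, subtype).
# Lines whose module/mnemonic is not listed are "invalid data" and are dropped.
RULES = {
    ("IFNET", "IPCONFLICT"): ("sw_warn", "security", "ip_conflict"),
    ("DEV", "CPU_USAGE"):    ("sw_sys", "running", "cpu"),
    ("SHELL", "LOGIN"):      ("sw_oper", "operation", "user_login"),
}
# Assumed mapping of syslog severity 0..7 to urgent(1) important(2) general(3) informational(4).
LEVEL = {0: 1, 1: 1, 2: 1, 3: 2, 4: 3, 5: 3, 6: 4, 7: 4}


@dataclass
class Record:
    level: int
    time: str
    device: str
    event_type: str
    subtype: str
    content: str
    topic: str


def reassemble(line: str, asset_table: dict) -> Optional[Record]:
    """Return the structured record, or None when a filtering rule rejects the line."""
    m = LINE_RE.match(line)
    if not m:
        return None                                   # unparseable: invalid data
    key = (m["module"], m["mnemonic"])
    if key not in RULES or m["host"] not in asset_table:
        return None                                   # unknown event or unknown device
    topic, etype, subtype = RULES[key]
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y").strftime("%Y-%m-%d %H:%M:%S")
    severity = int(m["pri"]) & 7                      # low three bits of PRI = severity
    return Record(LEVEL[severity], ts, asset_table[m["host"]], etype, subtype,
                  m["text"].strip(), topic)


def reassemble_all(lines, asset_table):
    return [r for r in (reassemble(line, asset_table) for line in lines) if r is not None]


# Constructed sample input (not captured from a real switch).
ASSET_TABLE = {"sw01": "H3CS3600_SW_01", "sw02": "H3CS3600_SW_02"}
RAW_LINES = [
    "<190>Sep  3 20:12:23 2017 sw01 %%10DEV/6/CPU_USAGE(l): CPU usage 15%",
    "<188>Sep  3 20:15:48 2017 sw02 %%10IFNET/4/IPCONFLICT(l): IP address conflict "
    "between GigabitEthernet2/0/6 and GigabitEthernet2/0/8",
    "<189>Sep  3 20:16:02 2017 sw02 %%10SHELL/5/LOGIN(l): admin logged in from 10.0.0.5",
    "<190>Sep  3 20:16:10 2017 sw09 %%10DEV/6/CPU_USAGE(l): CPU usage 9%",   # unknown device
    "garbage line that matches nothing",
]

if __name__ == "__main__":
    for rec in reassemble_all(RAW_LINES, ASSET_TABLE):
        print(asdict(rec))
```

Rejecting lines from hosts that are not in the asset table is deliberate: a device that is not in the asset table sending syslog to the collector is itself worth an alarm, and a pipeline that silently formats such lines would hide it.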
Step 3: the formatted log information is sent to the message bus; the analysis unit receives it, performs security analysis and stores the analysis results in the storage unit.
In this embodiment the data caching and subscription module is built on the Kafka distributed messaging system, which provides data buffering and forwarding. The reassembly unit acts as the producer and pushes the formatted logs to the Kafka broker cluster. The analysis unit acts as the consumer and subscribes, according to user requirements, to the switch-related topics on the broker cluster. Three topics are configured by switch message type: sw_warn, sw_oper and sw_sys, corresponding to the three message classes security event, operation behaviour and running information.
In this embodiment the analysis unit reads log information from the three topics on the message bus and analyses it as follows:
1) Switch running information is extracted from sw_sys and checked against thresholds; if a value exceeds its threshold a threshold-exceeded security event is generated, and threshold-exceeded events that keep recurring are merged into one continuing event.
2) Switch operation behaviour is extracted from sw_oper and checked against the dangerous-operation list preset in the storage unit; a dangerous-operation security event is generated for each dangerous operation.
3) Switch security events are extracted from sw_warn; the storage unit is queried to see whether the event already exists, and repeated events are discarded, deduplicating security events.
4) All security events collected or generated by the analysis within a period are tracked, traced and correlated: the security events within the period are drawn on a time axis in the display module, and the events generated by the same device are marked by switch name or switch IP address, realising tracking and trace-back; all security events of the same device are classified and their causes analysed to obtain the internal relationships between them, and the threat source is tracked and handled promptly, realising correlation analysis.
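The four analysis steps above, as an added Python example (not code from the patent or its assignees). The message bus is simulated by an in-memory dict of topic to records and the storage unit by an in-memory index, so the block runs offline; the thresholds, the dangerous-operation list, the record field names and all records are hypothetical. It shows the two details the description glosses over: how a recurring threshold exceedance is merged into one continuing event and re-opened as a new event only after the value drops back under the threshold, and what key the deduplication index is built on.

```python
"""Added example (not from the patent): the analysis unit's four steps run over
constructed records from the three topics sw_sys, sw_oper and sw_warn.

Assumptions: THRESHOLDS and DANGEROUS_OPS stand in for the rules the storage unit
holds; records are dicts with the fields shown in BUS; the dedup index is a set.
"""
from collections import defaultdict
from dataclasses import dataclass

THRESHOLDS = {"cpu": 80.0, "mem": 85.0}                      # percent, hypothetical
DANGEROUS_OPS = {"user_delete", "password_change", "config_erase", "acl_delete"}


@dataclass
class SecurityEvent:
    device: str
    kind: str            # "threshold", "dangerous_op" or the original warn subtype
    first_seen: str
    last_seen: str
    detail: str
    count: int = 1


class Analyzer:
    def __init__(self):
        self.open_threshold = {}      # (device, metric) -> continuing event being merged
        self.seen_warn = set()        # storage-unit index used for deduplication
        self.events = []

    def analyse_sys(self, rec):
        """Step 1: threshold check; recurring exceedances merge into one continuing event."""
        metric, value = rec["metric"], float(rec["value"])
        key = (rec["device"], metric)
        if value <= THRESHOLDS.get(metric, float("inf")):
            self.open_threshold.pop(key, None)   # back under threshold: next exceedance is new
            return None
        detail = f"{metric}={value}% > {THRESHOLDS[metric]}%"
        if key in self.open_threshold:
            ev = self.open_threshold[key]
            ev.last_seen, ev.count, ev.detail = rec["time"], ev.count + 1, detail
            return ev
        ev = SecurityEvent(rec["device"], "threshold", rec["time"], rec["time"], detail)
        self.open_threshold[key] = ev
        self.events.append(ev)
        return ev

    def analyse_oper(self, rec):
        """Step 2: dangerous-operation check against the preset list."""
        if rec["subtype"] not in DANGEROUS_OPS:
            return None
        ev = SecurityEvent(rec["device"], "dangerous_op", rec["time"], rec["time"],
                           f"{rec['subtype']} by {rec.get('user', '?')}: {rec['content']}")
        self.events.append(ev)
        return ev

    def analyse_warn(self, rec):
        """Step 3: drop security events already indexed in the storage unit."""
        key = (rec["device"], rec["subtype"], rec["content"])
        if key in self.seen_warn:
            return None
        self.seen_warn.add(key)
        ev = SecurityEvent(rec["device"], rec["subtype"], rec["time"], rec["time"], rec["content"])
        self.events.append(ev)
        return ev

    def consume(self, bus):
        handlers = {"sw_sys": self.analyse_sys, "sw_oper": self.analyse_oper,
                    "sw_warn": self.analyse_warn}
        for topic, records in bus.items():
            for rec in sorted(records, key=lambda r: r["time"]):
                handlers[topic](rec)
        return self.events

    def timeline_by_device(self):
        """Step 4: per-device time axis used for tracking and correlation."""
        by_dev = defaultdict(list)
        for ev in self.events:
            by_dev[ev.device].append(ev)
        return {d: sorted(evs, key=lambda e: e.first_seen) for d, evs in by_dev.items()}


# Constructed records (not captured from a real system).
BUS = {
    "sw_sys": [
        {"device": "H3CS3600_SW_01", "time": "2017-09-03 20:12:23", "metric": "cpu", "value": 15},
        {"device": "H3CS3600_SW_01", "time": "2017-09-03 20:13:23", "metric": "cpu", "value": 91},
        {"device": "H3CS3600_SW_01", "time": "2017-09-03 20:14:23", "metric": "cpu", "value": 95},
        {"device": "H3CS3600_SW_01", "time": "2017-09-03 20:15:23", "metric": "cpu", "value": 40},
        {"device": "H3CS3600_SW_01", "time": "2017-09-03 20:16:23", "metric": "cpu", "value": 88},
    ],
    "sw_oper": [
        {"device": "H3CS3600_SW_02", "time": "2017-09-03 20:16:02", "subtype": "user_login",
         "user": "admin", "content": "login from 10.0.0.5"},
        {"device": "H3CS3600_SW_02", "time": "2017-09-03 20:17:30", "subtype": "config_erase",
         "user": "admin", "content": "reset saved-configuration"},
    ],
    "sw_warn": [
        {"device": "H3CS3600_SW_02", "time": "2017-09-03 20:15:48", "subtype": "ip_conflict",
         "content": "GigabitEthernet2/0/6 and GigabitEthernet2/0/8"},
        {"device": "H3CS3600_SW_02", "time": "2017-09-03 20:15:58", "subtype": "ip_conflict",
         "content": "GigabitEthernet2/0/6 and GigabitEthernet2/0/8"},   # repeat, dropped
    ],
}


def run(bus=BUS):
    analyzer = Analyzer()
    analyzer.consume(bus)
    return analyzer


if __name__ == "__main__":
    for dev, evs in run().timeline_by_device().items():
        print(dev)
        for ev in evs:
            print(f"  {ev.first_seen} .. {ev.last_seen} x{ev.count} {ev.kind}: {ev.detail}")
```

The dedup key deliberately excludes the timestamp: two IP-conflict messages for the same ports ten seconds apart are the same incident, and keying on time would defeat the deduplication the patent describes. Conversely, merging threshold events only while the value stays above threshold keeps a later, separate overload from being folded into an old event.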
The analysis unit stores its analysis results in the storage unit and at the same time needs to query and read the relevant rules from the storage unit to perform the above analysis; this is a two-way data exchange.
At the same time, the analysis unit pushes the generated security events to the display module in real time; when a threat occurs, the display module notifies operations staff promptly by sound, light and electrical indication, realising real-time monitoring and early warning of security events.
The invention is compatible with the switches of most manufacturers and models on the market and therefore has broad applicability. It can monitor the whole internal network topology of the industrial control system, detect unauthorized devices connected to internal switches promptly, and provide real-time monitoring and effective control before a threat makes contact. It can comprehensively collect, in real time, the security events, operation behaviour and running information generated by internal switches and, through analysis and alarming, provide real-time monitoring and early warning when a threat gains access.
Those skilled in the art will understand that the embodiments of this application may be provided as a method, a system or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) that contain computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to its embodiments. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks, can be implemented by computer program instructions. These instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by that processor produce a device for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device that realises the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is executed on it to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above is only a preferred embodiment of the invention. It should be noted that persons of ordinary skill in the art can make several improvements and modifications without departing from the technical principles of the invention, and these improvements and modifications should also be regarded as within the scope of protection of the invention.

Claims (10)

1. A switch information collection and analysis system, characterised in that it comprises several switches and, connected to the switches, a collection unit 1, a collection unit 2, a reassembly unit, an analysis unit, a storage unit and a display module;
collection unit 1 collects the topology information, running information, operation behaviour and security events of the switches, and collection unit 2 receives the security events of the switches; collection unit 1 stores the collected topology information directly in the storage unit for the display module to use, and collection unit 1 and collection unit 2 each pass the other collected information to the reassembly unit;
the reassembly unit filters the collected data according to filtering rules and reassembles the packets according to a predetermined log specification to obtain formatted log information, and sends the formatted log information to the analysis unit through a message bus;
the analysis unit performs security analysis on the formatted log information and stores the analysis results in the storage unit.
2. The switch information collection and analysis system of claim 1, characterised in that the topology information is obtained as follows:
1) the switch device data is entered into the switch device asset table and the switch SNMP parameter table of the storage unit;
2) the display module first draws the switch devices, defaulting to the offline state, with offline devices filled in one colour;
3) collection unit 1 detects whether each switch is online; if it is online, the online state is updated in real time to the switch device asset table of the storage unit, and the display module reads the online state and fills online switches in another colour;
4) the SNMP parameters of the online switches are read and stored in the switch SNMP parameter table;
5) the MAC address table of each port of the online devices is read to obtain the peer device MAC addresses; each MAC address is compared with the MAC addresses of all host devices in the switch device asset table of the storage unit to judge whether it is legitimate; legitimate and unauthorized host devices are drawn separately and connected by a line to the switch they belong to.
3. The switch information collection and analysis system of claim 1, characterised in that the collection modes are as follows:
collection unit 1 passively receives, by SNMP TRAP, part of the switches' security events and all of their operation behaviour information, the part of the security events comprising IP address conflict, MAC address conflict and unauthorized device access;
collection unit 1 actively polls the switches' topology information by SNMP, using a combination of SNMP and IP protocol family commands together with the switch device asset table in the storage unit to discover the switches in the system, the active host devices connected to the switches and the interconnections between them; collection unit 1 also actively polls by SNMP the switches' running information and the fault-related part of the security events, which comprises CPU utilisation exceeding its threshold and memory usage exceeding its threshold;
collection unit 2 passively receives, by the SYSLOG protocol, the remaining security events, comprising power module failure and CPU temperature exceeding its threshold.
4. A switch information collection and analysis method, characterised in that it comprises the steps of:
step 1, collecting the relevant information of the switches inside the industrial control system;
step 2, filtering the collected switch information according to filtering rules and reassembling the packets according to a switch log specification to obtain formatted log information;
step 3, sending the reassembled formatted log information to a message bus, performing security analysis on it and storing the analysis results in a storage unit.
5. The switch information collection and analysis method of claim 4, characterised in that the relevant information comprises the topology information of the switches, obtained as follows:
1) the switch device data is entered into the switch device asset table and the switch SNMP parameter table;
2) the switch devices are first drawn, defaulting to the offline state, with offline devices filled in one colour;
3) whether each switch is online is detected; if it is online, the online state is updated in real time to the switch device asset table, and online switches are filled in another colour;
4) the SNMP parameters of the online switches are read and stored in the switch SNMP parameter table;
5) the MAC address table of each port of the online devices is read to obtain the peer device MAC addresses; each MAC address is compared with the MAC addresses of all host devices in the switch device asset table to judge whether it is legitimate; legitimate and unauthorized host devices are drawn separately and connected by a line to the switch they belong to.
6. The switch information collection and analysis method of claim 4, characterised in that the relevant information comprises the security events of the switches, which comprise one of the following: IP address conflict, MAC address conflict, power module failure, CPU temperature exceeding its threshold, CPU utilisation exceeding its threshold, memory usage exceeding its threshold and unauthorized device access.
7. The switch information collection and analysis method of claim 4, characterised in that the relevant information comprises the operation behaviour of the switches, which comprises one of the following: user and password management, user login, user operation.
8. The switch information collection and analysis method of claim 4, characterised in that the relevant information comprises the running information of the switches, which comprises one of the following: switch uptime, CPU utilisation, memory usage, network packet loss rate, bit error rate, port state, link delay, network connection status.
9. The switch information collection and analysis method of claim 4, characterised in that the relevant information of the switches inside the industrial control system is collected as follows:
part of the switches' security events and all of their operation behaviour information are passively received by SNMP TRAP, the part of the security events comprising IP address conflict, MAC address conflict and unauthorized device access;
the switches' topology information is actively polled by SNMP, using a combination of SNMP and IP protocol family commands together with the switch device asset table in the storage unit to discover the switches in the system, the active host devices connected to the switches and the interconnections between them; the switches' running information and the fault-related part of the security events are also actively polled by SNMP, the fault-related part comprising CPU utilisation exceeding its threshold and memory usage exceeding its threshold;
the remaining security events, comprising power module failure and CPU temperature exceeding its threshold, are passively received by the SYSLOG protocol.
10. The switch information collection and analysis method of claim 4, characterised in that the security analysis comprises one of the following:
extracting the switches' running information from the running information messages of the relevant information and checking it against thresholds; if a value exceeds its threshold, generating a threshold-exceeded security event, and merging threshold-exceeded events that keep recurring into one continuing event;
extracting the switches' operation behaviour from the operation behaviour messages of the relevant information, checking it against the dangerous-operation list preset in the storage unit, and generating a dangerous-operation security event for each dangerous operation;
extracting the switches' security events from the security event messages of the relevant information, querying the storage unit for whether each event already exists, and discarding repeated events to deduplicate security events;
tracking, tracing and correlating, by period, all security events collected or generated by the security analysis: drawing the security events within a period on a time axis, marking the security events generated by the same device by switch name or switch IP address to realise tracking and trace-back, classifying all security events of the same device and analysing their causes to obtain the internal relationships between them, and tracking and promptly handling the threat source of the security events to realise correlation analysis.
CN201810920512.8A 2018-08-14 2018-08-14 Switch information acquisition and analysis system and method Active CN109150869B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810920512.8A CN109150869B (en) 2018-08-14 2018-08-14 Switch information acquisition and analysis system and method

Publications (2)

Publication Number Publication Date
CN109150869A true CN109150869A (en) 2019-01-04
CN109150869B CN109150869B (en) 2021-06-04

Family

ID=64793209

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810920512.8A Active CN109150869B (en) 2018-08-14 2018-08-14 Switch information acquisition and analysis system and method

Country Status (1)

Country Link
CN (1) CN109150869B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109922055A (en) * 2019-02-26 2019-06-21 深圳市信锐网科技术有限公司 A kind of detection method, system and the associated component of risk terminal
CN110650038A (en) * 2019-09-12 2020-01-03 国家电网有限公司 Security event log collecting and processing method and system for multiple classes of supervision objects
CN111181984A (en) * 2019-12-31 2020-05-19 北京力控华康科技有限公司 Security protection method, device and system based on environment-friendly 212 protocol
CN111343018A (en) * 2020-02-22 2020-06-26 苏州浪潮智能科技有限公司 Method and device for collecting alarm logs of data center switch
CN113671909A (en) * 2021-06-30 2021-11-19 云南昆钢电子信息科技有限公司 Safety monitoring system and method for steel industrial control equipment
CN115941632A (en) * 2023-02-16 2023-04-07 北京天弛网络有限公司 Acquisition method, device, medium and equipment based on network switch equipment state
CN116405411A (en) * 2023-06-09 2023-07-07 深圳市洪瑞光祥电子技术有限公司 Redundant time domain monitoring system of industrial Ethernet switch

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060015613A1 (en) * 2002-06-03 2006-01-19 Greaves Jon D Method and system for relocating and using enterprise management tools in a service provider model
CN103296755A (en) * 2013-05-10 2013-09-11 国家电网公司 Network online monitoring system for transformer substation
CN103856579A (en) * 2014-03-03 2014-06-11 国家电网公司 Dynamic recognition method for intelligent substation network device topology based on MAC address matching
CN105959144A (en) * 2016-06-02 2016-09-21 中国科学院信息工程研究所 Safety data acquisition and anomaly detection method and system facing industrial control network
CN107124319A (en) * 2017-06-14 2017-09-01 贵州电网有限责任公司 A kind of topological Dynamic Recognition device of the intelligent substation network equipment matched based on MAC Address
CN107493265A (en) * 2017-07-24 2017-12-19 南京南瑞集团公司 A kind of network security monitoring method towards industrial control system
CN107910956A (en) * 2017-10-26 2018-04-13 南京南瑞集团公司 A kind of integrated power network schedule automation operation comprehensive supervision method of main plant stand

Also Published As

Publication number Publication date
CN109150869B (en) 2021-06-04

Similar Documents

Publication Publication Date Title
CN109150869A (en) A kind of exchanger information acquisition analysis system and method
CN107241226B (en) Fuzzy test method based on industrial control private protocol
CN107135093B (en) Internet of things intrusion detection method and detection system based on finite automaton
CN104506507B (en) A kind of sweet net safety protective system and method for SDN
CN101924757B (en) Method and system for reviewing Botnet
CN110909811A (en) OCSVM (online charging management system) -based power grid abnormal behavior detection and analysis method and system
CN107360145B (en) Multi-node honeypot system and data analysis method thereof
CN110839019A (en) Network security threat tracing method for power monitoring system
CN114679338A (en) Network risk assessment method based on network security situation awareness
KR101375813B1 (en) Active security sensing device and method for intrusion detection and audit of digital substation
CN103716173B (en) A kind of method for storing monitoring system and monitoring alarm issue
CN102611713B (en) Entropy operation-based network intrusion detection method and device
CN105024877A (en) Hadoop malicious node detection system based on network behavior analysis
CN110958231A (en) Industrial control safety event monitoring platform and method based on Internet
CN112114995A (en) Process-based terminal anomaly analysis method, device, equipment and storage medium
Hodo et al. Anomaly detection for simulated iec-60870-5-104 trafiic
Brahmi et al. Towards a multiagent-based distributed intrusion detection system using data mining approaches
CN108270722A (en) A kind of attack detection method and device
CN107547228A (en) A kind of safe operation management platform based on big data realizes framework
CN113271303A (en) Botnet detection method and system based on behavior similarity analysis
CN106209902A (en) A kind of network safety system being applied to intellectual property operation platform and detection method
CN116257021A (en) Intelligent network security situation monitoring and early warning platform for industrial control system
CN110061854A (en) A kind of non-boundary network intelligence operation management method and system
CN107682166A (en) The implementation method of safe O&M service platform remote data acquisition based on big data
CN114006719B (en) AI verification method, device and system based on situation awareness

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant