CN109150869A - Switch information acquisition and analysis system and method - Google Patents
Switch information acquisition and analysis system and method
- Publication number
- CN109150869A (application CN201810920512.8A)
- Authority
- CN
- China
- Prior art keywords
- switch
- information
- security event
- analysis
- snmp
- Legal status
- Granted
Classifications (CPC, all under H04L, transmission of digital information)
- H04L63/1425: Traffic logging, e.g. anomaly detection (H04L63/00 network security; 63/14 detecting or protecting against malicious traffic; 63/1408 by monitoring network traffic)
- H04L41/0213: Standardised network management protocols, e.g. simple network management protocol [SNMP] (H04L41/00 maintenance, administration or management of data switching networks; 41/02 standardisation, integration)
- H04L41/06: Management of faults, events, alarms or notifications (H04L41/00)
- H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis, or using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (H04L41/06)
- H04L41/12: Discovery or management of network topologies (H04L41/00)
- H04L43/16: Threshold monitoring (H04L43/00 arrangements for monitoring or testing data switching networks)
- H04L63/0876: Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint (H04L63/00; 63/08 authentication of entities)
- H04L63/1416: Event detection, e.g. attack signature detection (H04L63/00; 63/14; 63/1408 by monitoring network traffic)
- H04L67/54: Presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users (H04L67/00 network arrangements or protocols for supporting network services or applications; 67/50 network services)
Abstract
The invention discloses a switch information acquisition and analysis system and method. All information about the switches inside an industrial control system is collected through three modes; the collected data messages are filtered according to filtering rules and reassembled into messages according to a predetermined log specification; the reassembled, formatted logs are sent to a message bus and consumed by an analysis unit, which performs security analysis and stores the analysis results in a storage unit. The method is compatible with switches of most vendors and models on the market and realizes real-time monitoring and early warning of switch devices in industrial control systems.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a switch information acquisition and analysis system and method.
Background technique
With the rapid development of computer and network technology, cyber-attack techniques have also developed rapidly. In recent years the large-area power outage in Ukraine (2015), the paralysis of Internet services in the eastern United States (2016) and the worldwide ransomware outbreak (2017) have occurred in succession, all causing considerable harm. Industrial control systems have become important attack targets in international cyber warfare; the security protection of industrial control systems is under immense pressure, and a set of mature network security supervision measures needs to be established. Viewed in terms of the three phases of a network attack, contact, preparation and strike, the phases respectively exhibit covert contact, rapid establishment of an attack platform and strong comprehensive strike capability. These features also determine that network security protection must be carried out early, preferably discovering risk before and during contact, so as to suppress the attack.
Network-centricity is an important feature of industrial control systems. Within an industrial control system the switch is an important communication hub for data transmission in the network. Industrial control systems are usually intruded by connecting an unauthorized terminal device to a switch inside the network and then executing dangerous operations or implanting viruses; preventing and monitoring whether illegal devices have been connected and whether the switches are working properly is therefore most important to guaranteeing the normal operation of the industrial control system.
In view of this situation, a security protection means is urgently needed that can comprehensively monitor the network topology inside the industrial control system, discover illegal devices connected to switches in the network in time, collect in real time the security events, operation behaviour and operating information generated by switches in the network, and, through analysis and alarms, monitor and warn of security risks in real time before and during contact.
Summary of the invention
To remedy the deficiencies of the prior art, the present invention provides a switch information acquisition and analysis system and method that can comprehensively monitor the network topology inside an industrial control system, discover illegal devices connected to switches in the network in time, collect in real time the security events, operation behaviour and operating information generated by switches in the network, and, through analysis and alarms, monitor and warn of security risks in real time before and during contact.
In order to achieve the above objectives, the present invention adopts the following technical scheme: a switch information acquisition and analysis system, characterized in that it comprises several switches and, connected to the switches, acquisition unit one, acquisition unit two, a reassembly unit, an analysis unit, a storage unit and a display module;
acquisition unit one collects the topology information, operating information, operation behaviour and security events of the switches, and acquisition unit two receives the security events of the switches; acquisition unit one stores the collected topology information directly in the storage unit for the display module to call, and the other collected information is transferred to the reassembly unit by acquisition unit one and acquisition unit two respectively;
the reassembly unit filters the collected data messages according to filtering rules and reassembles them into formatted log messages according to a predetermined log specification; the reassembly unit sends the formatted log messages to the analysis unit through a message bus;
the analysis unit performs security analysis on the formatted log messages and stores the analysis results in the storage unit.
The aforementioned switch information acquisition and analysis system, characterized in that the topology information acquisition process is as follows:
1) enter the switch device data into the switch device asset table and the switch SNMP parameter table of the storage unit;
2) the display module first draws the switch devices, which default to the offline state; offline devices are filled with a colour;
3) acquisition unit one detects whether each switch is online and, if so, updates the switch device asset table of the storage unit in real time; the display module obtains the online state and fills online switches with a colour;
4) read the SNMP parameters of the online switches and store them in the switch SNMP parameter table;
5) read the MAC address table of each port of the online devices to obtain the MAC addresses of the peer devices, compare them with the MAC addresses of all host devices in the system switch device asset table to judge whether each MAC address is legal, draw legal host devices and illegal host devices separately, and draw lines connecting them to the switch they belong to.
The aforementioned switch information acquisition and analysis system, characterized in that the acquisition modes are as follows:
acquisition unit one passively receives part of the security events and all operation behaviour information from the switches via SNMP TRAP, where these security events include IP and MAC address conflicts and illegal device access;
acquisition unit one actively polls the switches for topology information via the SNMP protocol, using SNMP and the commands of the IP protocol family together with the switch device asset table in the storage unit to discover the switches in the system, the active host devices connected to the switches and the interconnection relationships between them; at the same time, acquisition unit one can also actively poll the switches via SNMP for operating information and part of the security events, namely CPU utilization exceeding a threshold and memory usage exceeding a threshold;
acquisition unit two passively receives the remaining security events from the switches via the SYSLOG protocol, including power module failure and CPU temperature exceeding a threshold.
A switch information acquisition and analysis method, characterized in that it comprises the steps of:
step 1: collecting the relevant information of switches inside the industrial control system;
step 2: filtering the collected switch information according to filtering rules and reassembling it into formatted log messages according to the switch log specification;
step 3: sending the reassembled, formatted log messages to a message bus, performing security analysis on them and storing the analysis results in the storage unit.
The aforementioned switch information acquisition and analysis method, characterized in that the relevant information includes the topology information of the switches, and the topology information acquisition process is as follows:
1) enter the switch device data into the switch device asset table and the switch SNMP parameter table;
2) first draw the switch devices, which default to the offline state; offline devices are filled with a colour;
3) detect whether each switch is online and, if so, update the switch device asset table in real time, obtain the online state and fill online switches with a colour;
4) read the SNMP parameters of the online switches and store them in the switch SNMP parameter table;
5) read the MAC address table of each port of the online devices to obtain the MAC addresses of the peer devices, compare them with the MAC addresses of all host devices in the switch device asset table to judge whether each MAC address is legal, draw legal host devices and illegal host devices separately, and draw lines connecting them to the switch they belong to.
The aforementioned switch information acquisition and analysis method, characterized in that the relevant information includes the security events of the switches, the security events comprising one of the following: IP or MAC address conflict, power module failure, CPU temperature exceeding a threshold, CPU utilization exceeding a threshold, memory usage exceeding a threshold and illegal device access.
The aforementioned switch information acquisition and analysis method, characterized in that the relevant information includes the operation behaviour of the switches, the operation behaviour comprising one of the following: user and password management, user login, user operation.
The aforementioned switch information acquisition and analysis method, characterized in that the relevant information includes the operating information of the switches, the operating information comprising one of the following: switch uptime, CPU utilization, memory usage, network packet loss rate, bit error rate, port state, link delay, network connection status.
The aforementioned switch information acquisition and analysis method, characterized in that the relevant information of switches inside the industrial control system is collected in the following modes:
part of the security events and all operation behaviour information are passively received from the switches via SNMP TRAP, where these security events include IP and MAC address conflicts and illegal device access;
topology information is obtained by actively polling the switches via the SNMP protocol, using SNMP and the commands of the IP protocol family together with the switch device asset table in the storage unit to discover the switches in the system, the active host devices connected to the switches and the interconnection relationships between them; at the same time, the switches can also be actively polled via SNMP for operating information and part of the security events, namely CPU utilization exceeding a threshold and memory usage exceeding a threshold;
the remaining security events are passively received from the switches via the SYSLOG protocol, including power module failure and CPU temperature exceeding a threshold.
The aforementioned switch information acquisition and analysis method, characterized in that the security analysis includes one of the following:
extracting switch operating information from the operating-information messages and performing out-of-limit state judgement: if a state exceeds its threshold, a state out-of-limit security event is generated, and continuously generated state out-of-limit security events are merged into a persistent event;
extracting switch operation behaviour information from the operation behaviour messages, traversing the dangerous operation list preset in the storage unit to perform dangerous operation judgement, and generating a dangerous operation security event for dangerous operation behaviour;
extracting switch security event information from the security event messages, looking up in the storage unit whether the event already exists and discarding repeated events, thereby deduplicating security events;
tracking, tracing and correlating all collected security events and those generated by the security analysis by time period: the security events within a certain period are drawn on a timeline, and the security events generated by the same device are marked by switch device name or switch IP address, realizing tracking and tracing of security events; all security events occurring on the same device are classified and their causes analysed to obtain the intrinsic connections between security events and to track the threat source of a security event so that it can be handled in time, realizing security event correlation analysis.
Advantageous effects of the invention: the present invention is compatible with switches of most vendors and models on the market and has very strong universality; it can comprehensively monitor the network topology inside an industrial control system, discover illegal devices connected to switches in the network in time, and monitor and effectively control them in real time before a threat makes contact; it can comprehensively collect in real time the security events, operation behaviour and operating information generated by switches in the network and, through analysis and alarms, monitor and warn in real time when a threat gains access.
Description of the drawings
Fig. 1 is the architecture diagram of the switch information acquisition and analysis system;
Fig. 2 is the flow chart of obtaining topology information in the present invention.
Specific embodiment
The invention is further described below in conjunction with the accompanying drawings. The following embodiments are only used to clearly illustrate the technical solution of the present invention and are not intended to limit its scope of protection.
As shown in Figure 1, a switch information acquisition and analysis system comprises several switches and, connected to the switches, acquisition unit one, acquisition unit two, a reassembly unit, an analysis unit, a storage unit and a display module.
Acquisition unit one collects the topology information, operating information, operation behaviour and part of the security events of the switches in two ways, active polling via the SNMP (Simple Network Management Protocol) protocol and passive reception of SNMP TRAP messages; acquisition unit two passively receives the remaining security events from the switches via the SYSLOG protocol. Acquisition unit one stores the collected topology information directly in the storage unit for the display module of the system to call; the other collected information (security events, operation behaviour and operating information) is transferred to the reassembly unit by acquisition unit one and acquisition unit two respectively.
The reassembly unit filters the collected data messages according to filtering rules and reassembles them into formatted log messages according to a predetermined log specification; the reassembly unit sends the formatted log messages to the analysis unit through a message bus.
The analysis unit performs security analysis on the formatted log messages and stores the analysis results in the storage unit. The storage unit can be implemented with a Dameng (DM) database.
A switch information acquisition and analysis method comprises the steps of:
Step 1: collect the relevant information of switches inside the industrial control system by three modes.
The relevant information includes the topology information, security events, operation behaviour and operating information of the switches.
Topology information refers to all switch devices in the industrial control system and the information of the active host devices connected to each switch.
As shown in Figure 2, the topology information acquisition process is as follows:
1) enter the switch device information: before system deployment, the information of all switch devices must be entered in the switch device asset table and the switch SNMP parameter table of the storage unit of the switch information acquisition and analysis system;
2) after the system starts running, the display module first draws the switch devices, which default to the offline state; offline devices are filled grey;
3) acquisition unit one detects whether each switch is online by two methods, ping and SNMP polling; if a switch is online, the switch device asset table of the storage unit is updated in real time, and the display module obtains the online state and fills online switches green;
4) the SNMP parameters of the online switches are read and stored in the switch SNMP parameter table;
5) the MAC address table of each port of the online devices is read to obtain the MAC addresses of the peer devices; each is compared with the MAC addresses of all host devices in the system switch device asset table to judge whether the MAC address is legal; legal host devices and illegal host devices are drawn separately, with lines drawn to the switch they belong to.
Security events include IP or MAC address conflict, power module failure, CPU temperature exceeding a threshold, CPU utilization exceeding a threshold, memory usage exceeding a threshold and illegal device access, and refer to events of higher urgency.
Operation behaviour includes user and password management, user login and user operations, and refers to behaviour events related to users.
Operating information includes switch uptime, CPU utilization, memory usage, network packet loss rate, bit error rate, port state, link delay and network connection status; this type of information shows the operating state of the switch.
The three acquisition modes are as follows:
acquisition unit one passively receives part of the security events and all operation behaviour information from the switches via SNMP TRAP, where these security events include IP and MAC address conflicts and illegal device access;
acquisition unit one actively polls the switches for topology information via the SNMP protocol, using SNMP and the commands of the IP protocol family together with the switch device asset table in the storage unit to discover the switches in the system, the active host devices connected to the switches and the interconnection relationships between them; at the same time, acquisition unit one can also actively poll the switches via SNMP for operating information and part of the security events, namely CPU utilization exceeding a threshold and memory usage exceeding a threshold;
acquisition unit two passively receives the remaining security events from the switches via the SYSLOG protocol, including power module failure and CPU temperature exceeding a threshold.
Step 2: the reassembly unit filters the collected switch information according to the filtering rules and reassembles it into formatted log messages according to the switch log specification issued by State Grid.
Because the data types and SYSLOG log formats reported by switch devices of different vendors and models are not entirely the same and are mixed with many invalid messages, the filtering rules must be formulated in advance. After the switch security events, operation behaviour and operating information have been collected, the Brute Force (BF) string-matching algorithm is used to compare them against the filtering rules, retrieve the effective collected information of the switch and filter out the invalid data.
The effective switch log messages are reassembled into a fixed format to obtain formatted log messages. The data after reassembly contains four classes of field: event level, event time, device identifier and content description. The event level indicates the urgency or severity of the event; the event time is the timestamp at which the event occurred; the device identifier is the switch device name, which uniquely identifies one switch; the content description contains the specific content of the whole event.
Step 3: send the reassembled, formatted log messages to the message bus; the analysis unit receives them, performs security analysis and stores the analysis results in the storage unit.
The message bus uses the high-speed data bus Kafka (Kafka is a high-throughput distributed publish-subscribe message system). The reassembly unit publishes the reassembled, formatted log messages to the Kafka broker (Kafka cluster server) through the produce (producer) end of the message system.
The analysis unit, as the subscribing end (consumer) of the message system, subscribes to the switch security events, operating information and operation behaviour information in the Kafka broker cluster and performs security analysis on the reassembled switch formatted log messages. The security analysis includes deduplication of repeated events, out-of-limit state judgement, persistent event merging and dangerous operation judgement on the switch logs, together with tracking, tracing and correlation analysis of security events by time period to find the root cause.
The results of the security analysis are stored in the storage unit for other functional modules to call. The storage unit is implemented with a Dameng (DM) database.
Embodiment:
Step 1: collect the relevant information of switches inside the industrial control system by three modes.
In this embodiment, the switch device asset information is first entered in advance and stored in two tables of the Dameng database of the storage unit: the switch device asset table sw_asserts and the switch SNMP parameter table snmp_config. Table sw_asserts (Table 1) stores the switch device information and table snmp_config (Table 2) stores the SNMP parameters of all switches:
Table 1: switch device asset table
Table 2: SNMP parameters of a switch
Field | Meaning |
NAME | ID of the corresponding switch |
VERSION | SNMP protocol version number |
READ_COMMUNITY | Read community name |
WRITE_COMMUNITY | Write community name |
RETRIES | Number of retransmissions |
Acquisition unit one reads the SNMP parameters of a switch by looking up the corresponding switch ID in the snmp_config table (Table 2).
Next, the display module of the system interface draws all switch devices according to the switch device asset information, with each switch device defaulting to the offline state. Whether a switch is online is detected in two ways. Mode one: ping the management-port IP address LOGOIP of every switch in turn; mode two: read the parameters of every switch via the SNMP protocol. If the switch answers ping or its data can be read, the device is proven to be online; the online device is lit up and the data read is updated into the switch SNMP parameter table.
For each online device, the MAC address table of each of its ports is read to obtain the MAC addresses of the peer devices, and each is compared with the MAC addresses of all host devices in the system asset table to judge whether the device is legal. Legal and illegal devices are drawn separately, distinguished by colour, with lines drawn to the switch they belong to, and finally an illegal device access alarm is reported.
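The online-state and MAC-legality check of the topology process described above (claims and embodiment), as an added Python example that is not code from the patent: the asset table, the probe results and the per-port MAC tables are constructed stand-ins for what acquisition unit one would read from the storage unit and, via SNMP, from the switches; every switch name, host name and MAC address below is made up.

```python
"""Topology check against the switch asset table (added example, not from
the patent). The asset table, probe results and MAC tables are constructed."""
from dataclasses import dataclass, field

# Constructed asset table: switches in the system and the hosts allowed on them.
SWITCH_ASSETS = {
    "H3CS3600_SW_01": {"mgmt_ip": "192.0.2.11"},
    "H3CS3600_SW_02": {"mgmt_ip": "192.0.2.12"},
}
HOST_ASSETS = {
    "00:11:22:33:44:01": "HMI-01",
    "00:11:22:33:44:02": "PLC-01",
    "00:11:22:33:44:03": "HIST-01",
}


@dataclass
class Topology:
    online: dict = field(default_factory=dict)   # switch -> True/False
    legal: list = field(default_factory=list)    # (switch, port, mac, host name)
    illegal: list = field(default_factory=list)  # (switch, port, mac)
    alarms: list = field(default_factory=list)   # illegal device access warnings


def normalize_mac(mac):
    """Switches report MACs as 0011.2233.4401, 00-11-.. or 00:11:..;
    compare everything in one canonical lower-case colon form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_topology(reachable, mac_tables):
    """reachable: switch -> bool, the result of the ping / SNMP probe.
    mac_tables: switch -> {port: [mac, ...]} read from the online switches.
    Offline switches are recorded but skipped; every learned MAC on an online
    switch is classified as a legal or illegal host."""
    topo = Topology()
    allowed = {normalize_mac(m): name for m, name in HOST_ASSETS.items()}
    for sw in SWITCH_ASSETS:
        topo.online[sw] = bool(reachable.get(sw, False))
        if not topo.online[sw]:
            continue  # stays grey on the display; no MAC table to read
        for port, macs in mac_tables.get(sw, {}).items():
            for mac in macs:
                mac = normalize_mac(mac)
                if mac in allowed:
                    topo.legal.append((sw, port, mac, allowed[mac]))
                else:
                    topo.illegal.append((sw, port, mac))
                    topo.alarms.append(f"illegal device {mac} on {sw} port {port}")
    return topo


# Constructed probe results and MAC tables (the real ones would come from the
# switches' bridge forwarding tables via SNMP).
REACHABLE = {"H3CS3600_SW_01": True, "H3CS3600_SW_02": False}
MAC_TABLES = {
    "H3CS3600_SW_01": {
        "GigabitEthernet2/0/1": ["0011.2233.4401"],
        "GigabitEthernet2/0/2": ["00-11-22-33-44-02", "00:11:22:33:44:99"],
    },
}

if __name__ == "__main__":
    t = build_topology(REACHABLE, MAC_TABLES)
    print(t.online, t.legal, t.illegal, t.alarms, sep="\n")
```

Normalizing the MAC spelling before the comparison matters in practice: vendors render the same address differently, and a string-equality check against the asset table would otherwise report legitimate hosts as illegal.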
Step 2: the reassembly unit filters the collected switch information according to the filtering rules and reassembles it into formatted log messages according to the switch log specification issued by State Grid.
In this embodiment, after the security events, operating information and operation behaviour of the switches have been collected, they are compared against the filtering rules using the Brute Force algorithm; invalid data is rejected and valid data is retained.
The reassembly unit separates the event level, event time, device identifier and content description from the retained valid data. Examples of formatted log messages after reassembly are shown in the following table:
Table 3: structured log messages after reassembly
The event level is an Arabic numeral, divided into four levels according to urgency, urgent, important, general and informational, corresponding to the numbers 1 to 4. The event time format is "year-month-day hour:minute:second". The device identifier is the name of the switch device that generated the event, named "switch model_SW_index of that model", which uniquely identifies one switch. The content description consists of three fields, event type, event subtype and event content: the event type and subtype distinguish different events, and the event content is the specific description of the event. Messages are reassembled using the event level, event type and event subtype defined in the switch log specification issued by State Grid, combined with the time the event occurred, the switch device name in the asset table and the event description.
The first row of the table above is operating information, describing that at 2017-09-03 20:12:23 the CPU threshold of switch H3CS3600_SW_01 was 15%; the second row is a security event, describing that at 2017-09-03 20:15:48 the IP addresses of the two ports GigabitEthernet2/0/6 and GigabitEthernet2/0/8 of switch H3CS3600_SW_02 conflicted.
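An added example, not from the patent, of the filtering and reassembly step: a Brute Force substring match against constructed filtering rules drops invalid messages and maps valid ones to the four fields (level, time, device identifier, content) plus the message-bus topic used later. The raw-message layout, the rules and the sample lines (modelled on the two rows described above) are assumptions, because the page does not reproduce the State Grid log specification or the contents of Table 3.

```python
"""Filter raw switch messages with a Brute Force string match and reassemble
the valid ones into the four-field log (added example, not from the patent).
The raw layout, filtering rules and sample messages are constructed."""
import re
from datetime import datetime


def bf_contains(text, pattern):
    """Brute Force (BF) substring search: slide the pattern over the text and
    compare character by character at every offset."""
    n, m = len(text), len(pattern)
    for i in range(n - m + 1):
        j = 0
        while j < m and text[i + j] == pattern[j]:
            j += 1
        if j == m:
            return True
    return False


# Constructed filtering rules: a message is kept only if some rule's substring
# occurs in it. Each rule maps to (level 1..4, event type, subtype, topic).
FILTER_RULES = {
    "CPU usage":   (3, "operation", "cpu", "sw_sys"),
    "IP conflict": (1, "security", "ipconflict", "sw_warn"),
    "Login":       (3, "behaviour", "login", "sw_oper"),
}

# Constructed raw-message layout: "<device name> <YYYY-MM-DD HH:MM:SS> <text>".
RAW_RE = re.compile(
    r"^(?P<host>\S+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<text>.*)$"
)


def reassemble(raw):
    """Return the four-field record for a valid message, or None to drop it."""
    m = RAW_RE.match(raw)
    if not m:
        return None  # malformed: treated as an invalid packet
    for needle, (level, etype, subtype, topic) in FILTER_RULES.items():
        if bf_contains(m["text"], needle):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")  # validates the time
            return {
                "level": level,                               # 1 urgent .. 4 informational
                "time": ts.strftime("%Y-%m-%d %H:%M:%S"),
                "device": m["host"],                          # "model_SW_index" name
                "content": {"type": etype, "subtype": subtype, "text": m["text"]},
                "topic": topic,
            }
    return None  # no rule matched: filtered out as invalid data


# Constructed sample input modelled on the two rows the page describes.
RAW_MESSAGES = [
    "H3CS3600_SW_01 2017-09-03 20:12:23 CPU usage threshold 15%",
    "H3CS3600_SW_02 2017-09-03 20:15:48 IP conflict between GigabitEthernet2/0/6 and GigabitEthernet2/0/8",
    "H3CS3600_SW_01 2017-09-03 20:16:00 LLDP neighbour table refreshed",  # no rule: dropped
    "garbage line without timestamp",                                     # malformed: dropped
]


def process(raw_messages):
    """Apply filtering and reassembly to a batch; returns only valid records."""
    return [r for r in (reassemble(x) for x in raw_messages) if r is not None]


if __name__ == "__main__":
    for record in process(RAW_MESSAGES):
        print(record)
```

Keeping the timestamp parse inside the filter means a message whose time field is garbled is dropped rather than passed to the analysis unit, where an unparsable time would break the timeline and persistent-event merging.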
Step 3: send the reassembled, formatted log messages to the message bus; the analysis unit receives them, performs security analysis and stores the analysis results in the storage unit.
In this embodiment the data caching and subscription module is built with the Kafka distributed message system, which provides the data caching and forwarding functions. The formatted logs are published to the Kafka broker cluster through the produce (producer) end of the message system in the reassembly unit. The analysis unit, as the subscribing end (consumer) of the message system, subscribes according to user demand to the data in the switch-related topics in the Kafka broker cluster. Three topics are configured according to the switch message types, sw_warn, sw_oper and sw_sys, corresponding to the three classes of message: security events, operation behaviour and operating information.
In this embodiment the analysis unit reads log messages from the three topics of the message bus; the analysis steps are as follows:
1) extract switch operating information from sw_sys and perform out-of-limit state judgement: if a state exceeds its threshold, generate a state out-of-limit security event, and merge continuously generated state out-of-limit events into a persistent event;
2) extract switch operation behaviour information from sw_oper, traverse the dangerous operation list preset in the storage unit to perform dangerous operation judgement, and generate a dangerous operation security event for dangerous operation behaviour;
3) extract switch security event information from sw_warn, look up in the storage unit whether the event already exists, and discard repeated events, thereby deduplicating security events;
4) track, trace and correlate all security events collected and generated by the security analysis by time period: the security events within a certain period are drawn on a timeline in the display module, and the security events generated by the same device are marked by switch device name or switch IP address, realizing tracking and tracing of security events; all security events occurring on the same device are classified and their causes analysed to obtain the intrinsic connections between security events and to track the threat source of a security event so that it can be handled in time, realizing security event correlation analysis.
The analysis unit stores the analysis results in the storage unit and, when it needs to query, reads the relevant rules from the storage unit to perform the analysis above; this is a bidirectional data exchange.
At the same time the analysis unit pushes the security events produced by the analysis to the interface display module in real time; when a threat occurs, the display module notifies the operation and maintenance staff promptly by acoustic, optical and electrical means, realising real-time monitoring and early warning of security events.
The invention is compatible with the switches of most manufacturers and models on the market and therefore has strong universality. It can monitor the network topology inside an industrial control system comprehensively, discover illegal devices connected to in-network switches promptly, and monitor and control them in real time before a threat makes contact; it can comprehensively collect in real time the security events, operation behaviour and operating information generated by in-network switches and, through analysis and alarming, monitor and warn in real time when a threat gains access.
It should be understood by those skilled in the art that the embodiments of this application may be provided as a method, a system or a computer program product. Therefore the application may take the form of a complete hardware embodiment, a complete software embodiment or an embodiment combining software and hardware. Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) that contain computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the application. It should be understood that every flow and/or block in the flowchart and/or block diagram, and any combination of flows and/or blocks, can be realised by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device which realises the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
The above is only a preferred embodiment of the invention. It should be noted that a person of ordinary skill in the art can make several improvements and modifications without departing from the technical principles of the invention, and these improvements and modifications should also be regarded as within the protection scope of the invention.
Claims (10)
1. A switch information acquisition and analysis system, characterised in that it comprises several switches and, connected to the switches, a first acquisition unit, a second acquisition unit, a reassembly unit, an analysis unit, a storage unit and a display module;
the first acquisition unit collects the topology information, operating information, operation behaviour and security events of the switches, and the second acquisition unit receives security events of the switches; the first acquisition unit stores the collected topology information directly in the storage unit for the display module to call, and the first and second acquisition units transfer the other collected information to the reassembly unit;
the reassembly unit filters and screens the collected data according to filtering rules, reassembles packets according to a predetermined log specification and obtains formatted log information; the reassembly unit sends the formatted log information to the analysis unit through the message bus;
the analysis unit performs security analysis on the formatted log information and stores the analysis result in the storage unit.
2. The switch information acquisition and analysis system according to claim 1, characterised in that the topology information is obtained as follows:
1) switch device data are entered into the switch device asset table and the switch SNMP parameter table of the storage unit;
2) the display module first draws the switch devices, which default to the offline state, and fills offline devices with a colour;
3) the first acquisition unit detects whether each switch is online and, if so, updates the switch device asset table of the storage unit in real time; the display module obtains the online state and fills online switches with a colour;
4) the SNMP parameters of online switches are read and stored in the switch SNMP parameter table;
5) the MAC address table of each port of an online device is read to obtain the MAC address of the peer device; by comparing it with the MAC addresses of all host devices in the switch device asset table of the system it is judged whether this MAC address is legal; legal and illegal host devices are drawn separately and connected by a line to the switch they belong to.
3. The switch information acquisition and analysis system according to claim 1, characterised in that the acquisition modes are as follows:
the first acquisition unit passively receives some of the security events and all operation behaviour information of the switches in SNMP TRAP mode, these security events comprising IP address conflicts, MAC address conflicts and illegal device access;
the first acquisition unit actively polls the topology information of the switches through the SNMP protocol and, with a combination of SNMP and IP protocol family commands, discovers from the switch device asset table of the storage unit the switches in the system, the active host devices connected to the switches and the interconnection relationships between them; at the same time the first acquisition unit can also actively poll, through SNMP, the operating information of the switches and the fault part of the security event information, the fault part comprising CPU utilisation exceeding its threshold and memory utilisation exceeding its threshold;
the second acquisition unit passively receives the remaining security events of the switches through the SYSLOG protocol, including power module failure and CPU temperature exceeding its threshold.
4. A switch information acquisition and analysis method, characterised in that it comprises the steps of:
step 1, collecting the relevant information of the switches inside the industrial control system;
step 2, filtering and screening the collected switch information according to filtering rules, reassembling packets according to the switch log specification and obtaining formatted log information;
step 3, sending the formatted log information after reassembly to the message bus, performing security analysis on it and storing the analysis result in the storage unit.
5. The switch information acquisition and analysis method according to claim 4, characterised in that the relevant information comprises the topology information of the switches, which is obtained as follows:
1) switch device data are entered into the switch device asset table and the switch SNMP parameter table;
2) the switch devices are drawn first, defaulting to the offline state, and offline devices are filled with a colour;
3) whether each switch is online is detected and, if so, the switch device asset table is updated in real time; the online state is obtained and online switches are filled with a colour;
4) the SNMP parameters of online switches are read and stored in the switch SNMP parameter table;
5) the MAC address table of each port of an online device is read to obtain the MAC address of the peer device; by comparing it with the MAC addresses of all host devices in the switch device asset table it is judged whether this MAC address is legal; legal and illegal host devices are drawn separately and connected by a line to the switch they belong to.
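The five-step topology discovery of claims 2 and 5, as an added example that is not the patent's code: the asset tables, the result of the reachability probe of step 3 and the per-port MAC tables of step 5 are constructed in-memory inputs standing in for the SNMP polling a real deployment would do, and the illegal hosts it finds are turned into the "illegal device access" security events the claims mention.

```python
# Added example, not the patent's code: topology discovery of claims 2 and 5
# over constructed inputs. A real deployment would probe reachability and read
# each switch's port MAC table over SNMP; here those results are passed in.

def norm(mac):
    """Normalise a MAC so asset-table and MAC-table entries compare equal."""
    return mac.strip().lower().replace("-", ":")

def discover_topology(switch_assets, host_assets, online_ips, mac_tables):
    """switch_assets: name -> {"ip": ..., "mac": ...}   (step 1, switch asset table)
    host_assets:   mac -> hostname                      (step 1, the legal hosts)
    online_ips:    IPs that answered the probe of step 3 (constructed stand-in)
    mac_tables:    name -> {port: [mac, ...]} read in step 5 (constructed stand-in)
    Returns the drawing model: switch states, host verdicts and links."""
    legal = {norm(m) for m in host_assets}
    switch_by_mac = {norm(a["mac"]): n for n, a in switch_assets.items()}
    # Step 2: every switch is drawn offline by default.
    switches = {name: "offline" for name in switch_assets}
    # Step 3: switches that answered the probe become online.
    for name, attrs in switch_assets.items():
        if attrs["ip"] in online_ips:
            switches[name] = "online"
    # Step 4 (reading SNMP parameters of online switches) has no offline stand-in.
    # Step 5: walk the MAC table of each online switch, port by port.
    hosts, links = {}, []
    for name in switch_assets:
        if switches[name] != "online":
            continue
        for port, macs in mac_tables.get(name, {}).items():
            for mac in map(norm, macs):
                if mac in switch_by_mac:            # peer is another switch
                    links.append((name, port, switch_by_mac[mac]))
                    continue
                hosts[mac] = "legal" if mac in legal else "illegal"
                links.append((name, port, mac))
    return {"switches": switches, "hosts": hosts, "links": links}

def illegal_access_events(topology):
    """Raise one 'illegal device access' security event per illegal host,
    in the page's record layout (device, type, subtype, content)."""
    events = []
    for switch, port, peer in topology["links"]:
        if topology["hosts"].get(peer) == "illegal":
            events.append({"device": switch, "type": "security_event",
                           "subtype": "illegal_device_access",
                           "content": f"unknown MAC {peer} on port {port}"})
    return events

# Constructed sample data (not from the page).
SWITCH_ASSETS = {
    "H3CS3600_SW_01": {"ip": "10.0.0.1", "mac": "00:11:22:33:44:01"},
    "H3CS3600_SW_02": {"ip": "10.0.0.2", "mac": "00:11:22:33:44:02"},
}
HOST_ASSETS = {"AA:BB:CC:00:00:01": "hmi-01", "aa:bb:cc:00:00:02": "plc-01"}
ONLINE_IPS = {"10.0.0.1"}   # SW_02 did not answer the probe
MAC_TABLES = {
    "H3CS3600_SW_01": {
        "GigabitEthernet1/0/1": ["aa:bb:cc:00:00:01"],
        "GigabitEthernet1/0/2": ["DE:AD:BE:EF:00:01"],   # not in the asset table
        "GigabitEthernet1/0/24": ["00:11:22:33:44:02"],  # uplink to SW_02
    },
    "H3CS3600_SW_02": {"GigabitEthernet1/0/1": ["aa:bb:cc:00:00:02"]},  # offline, skipped
}

if __name__ == "__main__":
    topo = discover_topology(SWITCH_ASSETS, HOST_ASSETS, ONLINE_IPS, MAC_TABLES)
    for sw, state in topo["switches"].items():
        print(sw, state)
    for ev in illegal_access_events(topo):
        print(ev)
```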
6. The switch information acquisition and analysis method according to claim 4, characterised in that the relevant information comprises the security events of the switches, the security events including one of the following: IP address conflict, MAC address conflict, power module failure, CPU temperature exceeding its threshold, CPU utilisation exceeding its threshold, memory utilisation exceeding its threshold and illegal device access.
7. The switch information acquisition and analysis method according to claim 4, characterised in that the relevant information comprises the operation behaviour of the switches, the operation behaviour including one of the following: user and password management, user login and user operations.
8. The switch information acquisition and analysis method according to claim 4, characterised in that the relevant information comprises the operating information of the switches, the operating information including one of the following: switch uptime, CPU utilisation, memory utilisation, network packet loss rate, bit error rate, port state, link delay and network connection status.
9. The switch information acquisition and analysis method according to claim 4, characterised in that the relevant information of the switches inside the industrial control system is collected in the following modes:
some of the security events and all operation behaviour information of the switches are received passively in SNMP TRAP mode, these security events comprising IP address conflicts, MAC address conflicts and illegal device access;
the topology information of the switches is polled actively through the SNMP protocol and, with a combination of SNMP and IP protocol family commands, the switches in the system, the active host devices connected to them and the interconnection relationships between them are discovered from the switch device asset table of the storage unit; at the same time the operating information of the switches and the fault part of the security event information can also be polled actively through SNMP, the fault part comprising CPU utilisation exceeding its threshold and memory utilisation exceeding its threshold;
the remaining security events of the switches, including power module failure and CPU temperature exceeding its threshold, are received passively through the SYSLOG protocol.
10. The switch information acquisition and analysis method according to claim 4, characterised in that the security analysis comprises one of the following:
extracting the operating information of the switches from the operating-information messages of the switch information and making a state limit-exceed judgement; if a state exceeds its threshold, a state limit-exceed security event is generated, and limit-exceed events that keep occurring are merged into one continuing event;
extracting the operation behaviour of the switches from the operation-behaviour messages, checking it against the risky-operation list preset in the storage unit and generating a risky-operation security event for each risky operation;
extracting the security event information of the switches from the security-event messages, looking up in the storage unit whether the event already exists and discarding repeated events, which deduplicates security events;
tracking, tracing to the source and correlating, by time period, all security events collected or generated by the security analysis: the security events of a time period are drawn on a time axis, and the events generated by the same device are marked by switch device name or switch IP address, which tracks security events and traces them to their source; all security events of one device are classified and their causes analysed to obtain the internal connection between them, track the threat source of the security events and handle it promptly, which realises security event correlation analysis.
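The four analysis steps of the embodiment (steps 1 to 4 of the analysis unit) and of claim 10, as an added example that is not the patent's code: constructed formatted log records from the three topics sw_sys, sw_oper and sw_warn (here plain lists) are fed to a small analysis unit that performs the limit-exceed judgement with continuing-event merging, the risky-operation check, deduplication against the store, and per-device time-axis correlation. The thresholds, the risky-operation list, the merge window and all records except the two mirroring the page's table are assumptions.

```python
# Added example, not the patent's code: the analysis unit's four steps over
# constructed records from the three topics. Record fields follow the page's log
# layout (time, device "<model>_SW_<index>", level, type, subtype, content);
# thresholds, the risky-operation list and the merge window are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLDS = {"cpu_util": 80.0, "mem_util": 85.0}   # assumed limits, percent
RISKY_OPS = {("user_mgmt", "delete_user"), ("password_mgmt", "reset_password")}
MERGE_WINDOW = timedelta(minutes=10)                # assumed continuing-event window

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

class AnalysisUnit:
    def __init__(self):
        self.store = set()   # stand-in for the storage unit's security-event index
        self.events = []     # security events in arrival order

    def _emit(self, ev):
        """Dedup (step 3): an event already present in the store is discarded."""
        key = (ev["time"], ev["device"], ev["subtype"], ev["content"])
        if key in self.store:
            return None
        self.store.add(key)
        self.events.append(ev)
        return ev

    def on_sys(self, rec):
        """Step 1: limit-exceed judgement; repeats within the window are merged."""
        metric, value = rec["subtype"], float(rec["content"])
        limit = THRESHOLDS.get(metric)
        if limit is None or value <= limit:
            return None
        for ev in reversed(self.events):   # merge into an open event if one exists
            if (ev["type"] == "state_exceed" and ev["device"] == rec["device"]
                    and ev["subtype"] == metric
                    and ts(rec["time"]) - ts(ev["last"]) <= MERGE_WINDOW):
                ev["last"], ev["count"] = rec["time"], ev["count"] + 1
                return ev
        return self._emit({"time": rec["time"], "last": rec["time"], "device": rec["device"],
                           "type": "state_exceed", "subtype": metric, "count": 1,
                           "content": f"{metric} {value:g}% > {limit:g}%"})

    def on_oper(self, rec):
        """Step 2: operation behaviour matched against the risky-operation list."""
        if (rec["type"], rec["subtype"]) not in RISKY_OPS:
            return None
        return self._emit(dict(rec, type="risky_operation", count=1))

    def on_warn(self, rec):
        """Step 3: security events reported by the switch itself, deduplicated."""
        return self._emit(dict(rec, count=1))

    def correlate(self, start, end):
        """Step 4: events of a period grouped per device in time-axis order."""
        by_dev = defaultdict(list)
        for ev in sorted(self.events, key=lambda e: ts(e["time"])):
            if ts(start) <= ts(ev["time"]) <= ts(end):
                by_dev[ev["device"]].append((ev["time"], ev["type"], ev["subtype"]))
        return dict(by_dev)

def rec(t, dev, typ, sub, content):
    return {"time": t, "device": dev, "level": "info", "type": typ, "subtype": sub, "content": content}

# Constructed records; the first two mirror the rows the page's table describes.
RECORDS = [
    ("sw_sys", rec("2017-09-03 20:12:23", "H3CS3600_SW_01", "operating_info", "cpu_util", "15")),
    ("sw_warn", rec("2017-09-03 20:15:48", "H3CS3600_SW_02", "security_event", "ip_conflict",
                    "GigabitEthernet2/0/6 and GigabitEthernet2/0/8 conflict")),
    ("sw_warn", rec("2017-09-03 20:15:48", "H3CS3600_SW_02", "security_event", "ip_conflict",
                    "GigabitEthernet2/0/6 and GigabitEthernet2/0/8 conflict")),  # repeated trap
    ("sw_sys", rec("2017-09-03 20:20:00", "H3CS3600_SW_01", "operating_info", "cpu_util", "92")),
    ("sw_sys", rec("2017-09-03 20:25:00", "H3CS3600_SW_01", "operating_info", "cpu_util", "95")),
    ("sw_oper", rec("2017-09-03 20:30:10", "H3CS3600_SW_02", "user_mgmt", "delete_user", "guest")),
    ("sw_oper", rec("2017-09-03 20:31:00", "H3CS3600_SW_02", "user_login", "login", "admin")),
]

def run(records=RECORDS):
    """Consume records topic by topic, as the unit does from the message bus."""
    unit = AnalysisUnit()
    handlers = {"sw_sys": unit.on_sys, "sw_oper": unit.on_oper, "sw_warn": unit.on_warn}
    for topic, r in records:
        handlers[topic](r)
    return unit
```

Running `run()` on the sample yields three security events: the IP conflict (its repeat dropped), one CPU limit-exceed event merged from two consecutive readings, and one risky operation; `correlate()` then lists them per switch on the time axis.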
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810920512.8A CN109150869B (en) | 2018-08-14 | 2018-08-14 | Switch information acquisition and analysis system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810920512.8A CN109150869B (en) | 2018-08-14 | 2018-08-14 | Switch information acquisition and analysis system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109150869A (en) | 2019-01-04 |
CN109150869B (en) | 2021-06-04 |
Family
ID=64793209
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810920512.8A Active CN109150869B (en) | 2018-08-14 | 2018-08-14 | Switch information acquisition and analysis system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109150869B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060015613A1 (en) * | 2002-06-03 | 2006-01-19 | Greaves Jon D | Method and system for relocating and using enterprise management tools in a service provider model |
CN103296755A (en) * | 2013-05-10 | 2013-09-11 | 国家电网公司 | Network online monitoring system for transformer substation |
CN103856579A (en) * | 2014-03-03 | 2014-06-11 | 国家电网公司 | Dynamic recognition method for intelligent substation network device topology based on MAC address matching |
CN105959144A (en) * | 2016-06-02 | 2016-09-21 | 中国科学院信息工程研究所 | Safety data acquisition and anomaly detection method and system facing industrial control network |
CN107124319A (en) * | 2017-06-14 | 2017-09-01 | 贵州电网有限责任公司 | A kind of topological Dynamic Recognition device of the intelligent substation network equipment matched based on MAC Address |
CN107493265A (en) * | 2017-07-24 | 2017-12-19 | 南京南瑞集团公司 | A kind of network security monitoring method towards industrial control system |
CN107910956A (en) * | 2017-10-26 | 2018-04-13 | 南京南瑞集团公司 | A kind of integrated power network schedule automation operation comprehensive supervision method of main plant stand |
Timeline: 2018-08-14, CN201810920512.8A, patent CN109150869B, status Active
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109922055A (en) * | 2019-02-26 | 2019-06-21 | 深圳市信锐网科技术有限公司 | A kind of detection method, system and the associated component of risk terminal |
CN110650038A (en) * | 2019-09-12 | 2020-01-03 | 国家电网有限公司 | Security event log collecting and processing method and system for multiple classes of supervision objects |
CN110650038B (en) * | 2019-09-12 | 2022-09-09 | 国家电网有限公司 | Security event log collecting and processing method and system for multiple classes of supervision objects |
CN111181984A (en) * | 2019-12-31 | 2020-05-19 | 北京力控华康科技有限公司 | Security protection method, device and system based on environment-friendly 212 protocol |
CN111181984B (en) * | 2019-12-31 | 2022-04-01 | 北京力控华康科技有限公司 | Security protection method, device, system, terminal and storage medium based on environment-friendly 212 protocol |
CN111343018A (en) * | 2020-02-22 | 2020-06-26 | 苏州浪潮智能科技有限公司 | Method and device for collecting alarm logs of data center switch |
CN111343018B (en) * | 2020-02-22 | 2022-12-20 | 苏州浪潮智能科技有限公司 | Method and device for collecting alarm logs of data center switch |
CN113671909A (en) * | 2021-06-30 | 2021-11-19 | 云南昆钢电子信息科技有限公司 | Safety monitoring system and method for steel industrial control equipment |
CN115941632A (en) * | 2023-02-16 | 2023-04-07 | 北京天弛网络有限公司 | Acquisition method, device, medium and equipment based on network switch equipment state |
CN116405411A (en) * | 2023-06-09 | 2023-07-07 | 深圳市洪瑞光祥电子技术有限公司 | Redundant time domain monitoring system of industrial Ethernet switch |
CN116405411B (en) * | 2023-06-09 | 2023-08-15 | 深圳市洪瑞光祥电子技术有限公司 | Redundant time domain monitoring system of industrial Ethernet switch |
Also Published As
Publication number | Publication date |
---|---|
CN109150869B (en) | 2021-06-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |