CN109150869B - Switch information acquisition and analysis system and method - Google Patents

Info

Publication number
CN109150869B
Authority
CN
China
Prior art keywords
switch
information
equipment
snmp
analysis
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810920512.8A
Other languages
Chinese (zh)
Other versions
CN109150869A (en)
Inventor
李牧野
韩勇
裴培
王黎明
杨雨轩
景娜
陈功胜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NARI Group Corp
Nari Information and Communication Technology Co
Original Assignee
NARI Group Corp
Nari Information and Communication Technology Co
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NARI Group Corp, Nari Information and Communication Technology Co
Priority to CN201810920512.8A
Publication of CN109150869A
Application granted
Publication of CN109150869B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration
    • H04L41/0213 Standardised network management protocols, e.g. simple network management protocol [SNMP]
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/12 Discovery or management of network topologies
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/16 Threshold monitoring
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/54 Presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users

Abstract

The invention discloses a system and a method for collecting and analyzing switch information. All information of the switches inside an industrial control system is collected in three ways; the collected data messages are screened and filtered according to a filtering rule and reassembled into messages according to a preset log specification; the reassembled, formatted logs are sent to a message bus, consumed by an analysis unit that performs security analysis, and the analysis results are stored in a storage unit. The method is compatible with the switches of most manufacturers and models on the market and realizes real-time monitoring and early warning for the switch equipment in an industrial control system.

Description

Switch information acquisition and analysis system and method
Technical Field
The invention relates to the technical field of information security, in particular to a system and a method for collecting and analyzing switch information.
Background
With the rapid development of computer and network technologies, network attack techniques have also developed rapidly. In recent years the large-scale blackout in Ukraine (2015), the paralysis of internet services in the eastern United States (2016), the global ransomware outbreak (2017) and other events have occurred internationally, all with serious impact. Industrial control systems have become an important target in international cyber conflicts, their security protection is under enormous pressure, and a set of mature network security supervision measures needs to be established. Across the three stages of a network attack, namely contact, preparation and attack, attackers exhibit covert means of contact, rapid establishment of an attack platform, strong comprehensive attack capability and similar characteristics; these characteristics also mean that network security protection must start early, ideally finding risks before and during the contact stage so as to suppress attack behaviour.
Being network-centric is an important feature of industrial control systems. In an industrial control system the switch is the key communication hub for data transmission in the network. Intrusions into an industrial control system are usually carried out by connecting unauthorized terminal equipment to an intranet switch and then performing dangerous operations or implanting viruses; preventing this, and monitoring whether illegal equipment has been connected and whether the switch is working normally, is vital to guaranteeing the normal operation of the industrial control system.
In view of this situation, a security protection means is urgently needed that can comprehensively monitor the internal network topology of the industrial control system, promptly discover illegal equipment connected to an intranet switch, collect in real time the security events, operation behaviours and running information generated by the intranet switches, and, through analysis and alarming, monitor and warn of potential security hazards in real time before and during the contact stage.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a switch information acquisition and analysis system and method that can comprehensively monitor the internal network topology of an industrial control system, promptly discover illegal equipment connected to an intranet switch, collect in real time the security events, operation behaviours and running information generated by the intranet switches, and, through analysis and alarming, monitor and warn of potential security hazards in real time before and during the contact stage.
To achieve the above purpose, the invention adopts the following technical scheme. A switch information acquisition and analysis system, characterized in that: the system comprises a plurality of switches, a first acquisition unit, a second acquisition unit, a reassembly unit, an analysis unit, a storage unit and a display module, the first acquisition unit, second acquisition unit, reassembly unit, analysis unit, storage unit and display module being connected with the switches;
the first acquisition unit acquires the topology information, running information, operation behaviours and security events of the switches, and the second acquisition unit receives security events of the switches; the first acquisition unit stores the acquired topology information directly in the storage unit for the display module to call, and the other acquired information is passed to the reassembly unit by the first acquisition unit and the second acquisition unit respectively;
the reassembly unit screens and filters the acquired data messages according to a filtering rule and reassembles the messages according to a preset log specification to obtain formatted log information; the reassembly unit sends the formatted log information to the analysis unit through a message bus;
the analysis unit performs security analysis on the formatted log information and stores the analysis result in the storage unit.
The switch information acquisition and analysis system is further characterized in that the topology information is acquired as follows:
1) the switch equipment information is entered into a switch equipment asset table and a switch SNMP parameter table of the storage unit;
2) the display module first draws the switch equipment, defaulting to the offline state, with offline equipment filled in one colour;
3) the first acquisition unit detects whether each switch is online; if a switch is online, the switch equipment asset table in the storage unit is updated in real time, and the display module obtains the online state and fills the online switch in another colour;
4) the SNMP parameters of the online switches are read and stored in the switch SNMP parameter table;
5) the MAC address table of each network port of the online equipment is read to obtain the MAC address of the peer equipment; whether that MAC address is legal is judged by comparing it against the MAC addresses of all host equipment in the system's switch equipment asset table; legal host equipment and illegal host equipment are drawn separately, and a connecting line is drawn to the switch they belong to.
The switch information acquisition and analysis system is further characterized in that the collection modes are as follows:
the first acquisition unit passively receives part of the security events and all operation behaviour information of the switches in SNMP TRAP mode, where this part of the security events comprises IP and MAC address conflicts and illegal equipment access;
the first acquisition unit actively polls the topology information of the switches through the SNMP protocol and, using SNMP and IP protocol family commands together with the switch equipment asset table of the storage unit, automatically discovers the switches in the system, the active host equipment connected to the switches, and the interconnection relationships between the switches; at the same time the first acquisition unit can also actively poll, through the SNMP protocol, the running information of the switches and part of the security events, namely CPU utilization exceeding a threshold and memory utilization exceeding a threshold;
the second acquisition unit passively receives the remaining security events of the switches through the SYSLOG protocol, these comprising power module faults and CPU temperature exceeding a threshold.
A method for collecting and analyzing switch information, characterized in that it comprises the following steps:
step one, collecting the relevant information of the switches inside an industrial control system;
step two, screening and filtering the collected switch information according to a filtering rule and reassembling the messages according to the switch log specification to obtain formatted log information;
step three, sending the reassembled formatted log information to a message bus, performing security analysis on the information taken from the message bus, and storing the analysis result in a storage unit.
The method for collecting and analyzing switch information is further characterized in that the relevant information includes the topology information of the switches, which is acquired as follows:
1) the switch equipment information is entered into a switch equipment asset table and a switch SNMP parameter table;
2) the switch equipment is drawn first, offline by default, with offline equipment filled in one colour;
3) whether each switch is online is detected; if so, the switch equipment asset table is updated in real time, the online state is obtained, and the online switch is filled in another colour;
4) the SNMP parameters of the online switches are read and stored in the switch SNMP parameter table;
5) the MAC address table of each network port of the online equipment is read to obtain the MAC address of the peer equipment; whether that MAC address is legal is judged by comparing it against the MAC addresses of all host equipment in the switch equipment asset table; legal and illegal host equipment are drawn separately, and a connecting line is drawn to the switch they belong to.
The switch information acquisition and analysis method is further characterized in that the relevant information includes security events of the switches, the security events including one of: IP and MAC address conflicts, power module faults, CPU temperature exceeding a threshold, CPU utilization exceeding a threshold, memory utilization exceeding a threshold, and illegal equipment access.
The switch information acquisition and analysis method is further characterized in that the relevant information includes operation behaviours of the switches, the operation behaviours including one of: user and password management, user login and user operations.
The switch information acquisition and analysis method is further characterized in that the relevant information includes running information of the switches, the running information including one of: switch online duration, CPU utilization, memory utilization, network packet loss rate, bit error rate, network port state, link delay and network connection status.
The switch information acquisition and analysis method is further characterized in that the relevant information of the switches inside the industrial control system is collected in the following modes:
passively receiving part of the security events and all operation behaviour information of the switches in SNMP TRAP mode, where this part of the security events comprises IP and MAC address conflicts and illegal equipment access;
actively polling the topology information of the switches through the SNMP protocol and, using SNMP and IP protocol family commands together with the switch equipment asset table of the storage unit, automatically discovering the switches in the system, the active host equipment connected to the switches, and the interconnection relationships between the switches; at the same time, the running information of the switches and part of the security events can also be actively polled through the SNMP protocol, this part of the security events comprising CPU utilization exceeding a threshold and memory utilization exceeding a threshold;
passively receiving the remaining security events of the switches, comprising power module faults and CPU temperature exceeding a threshold, through the SYSLOG protocol.
The switch information acquisition and analysis method is further characterized in that the security analysis includes one of:
extracting the switch running information from the running information messages, judging whether a state exceeds its limit, generating a state overrun security event if the state exceeds the threshold, and merging consecutive state overrun security events that are generated continuously;
extracting the switch operation behaviour information from the operation behaviour messages, traversing the dangerous operation list preset in the storage unit to judge whether an operation is dangerous, and generating a dangerous operation security event for each dangerous operation;
extracting the switch security event information from the security event messages, checking an index in the storage unit for whether the event already exists, and discarding repeated events so as to deduplicate the security events;
performing tracking, tracing and correlation analysis by time period on all security events that were collected or generated by the security analysis: the security events of a given time period are drawn on a time axis, and the events generated by the same equipment are marked by the switch equipment name or the switch IP address, realizing tracking and tracing of the security events; the causes of all security events occurring on the same equipment are classified and analyzed to obtain the internal relations between the events, and the threat sources of the security events are tracked and handled in time, realizing security event correlation analysis.
The invention achieves the following beneficial effects: it is compatible with the switches of most manufacturers and models on the market and therefore highly general; the internal network topology of the industrial control system can be comprehensively monitored, illegal equipment connected to an intranet switch is discovered promptly, and real-time monitoring and effective control take place before a threat makes contact; the security events, operation behaviours and running information generated by the intranet switches are comprehensively collected in real time, and real-time monitoring and early warning through analysis and alarming take place while the threat is connected.
Drawings
FIG. 1 is an architecture diagram of the switch information collection and analysis system;
FIG. 2 is a flowchart of topology information acquisition according to the invention.
Detailed Description
The invention is further described below with reference to the accompanying drawings. The following examples are only for illustrating the technical solutions of the present invention more clearly, and the protection scope of the present invention is not limited thereby.
As shown in FIG. 1, a switch information acquisition and analysis system includes a plurality of switches, a first acquisition unit, a second acquisition unit, a reassembly unit, an analysis unit, a storage unit and a display module, which are connected to the switches;
the first acquisition unit acquires the topology information, running information, operation behaviours and part of the security events of the switches in two modes, SNMP (Simple Network Management Protocol) active polling and passive reception of SNMP TRAPs, and the second acquisition unit passively receives the remaining security events of the switches via the SYSLOG protocol. The first acquisition unit stores the acquired topology information directly in the storage unit for the system's display module to call, and the other acquired information (security events, operation behaviours and running information) is passed to the reassembly unit by the first and second acquisition units respectively;
the reassembly unit screens and filters the acquired data messages according to a filtering rule and reassembles the messages according to a preset log specification to obtain formatted log information; the reassembly unit sends the formatted log information to the analysis unit through a message bus;
the analysis unit performs security analysis on the formatted log information and stores the analysis result in the storage unit.
The storage unit may be implemented with a Dameng database.
A method for collecting and analyzing switch information comprises the following steps:
step one, collecting the relevant information of the switches inside an industrial control system in three ways;
the relevant information includes the topology information, security events, operation behaviours and running information of the switches.
The topology information is the information on all switch equipment in the industrial control system and on the active host equipment connected to each switch;
as shown in FIG. 2, the topology information is acquired as follows:
1) entering the switch equipment information: before the system is deployed, the information of all switch equipment must be entered into the switch equipment asset table and the switch SNMP parameter table of the storage unit of the switch information acquisition and analysis system;
2) once the system runs, the display module first draws the switch equipment, offline by default, with offline equipment filled in gray;
3) the first acquisition unit detects whether each switch is online by two means, ping and SNMP polling; if a switch is online, the switch equipment asset table in the storage unit is updated in real time, and the display module obtains the online state and fills the online switch in green;
4) the SNMP parameters of the online switches are read and stored in the switch SNMP parameter table;
5) the MAC address table of each network port of the online equipment is read to obtain the MAC address of the peer equipment; whether that MAC address is legal is judged by comparing it against the MAC addresses of all host equipment in the system's switch equipment asset table; legal and illegal host equipment are drawn separately, and a connecting line is drawn to the switch they belong to.
The security events comprise IP and MAC address conflicts, power module faults, CPU temperature exceeding a threshold, CPU utilization exceeding a threshold, memory utilization exceeding a threshold and illegal equipment access; these are the events of higher urgency.
The operation behaviours comprise user and password management, user login and user operations; these are the behavioural events related to users.
The running information comprises the switch online duration, CPU (central processing unit) utilization, memory utilization, network packet loss rate, bit error rate, network port state, link delay and network connection status, and is used to display the running state of the switch.
The three acquisition modes are as follows:
the first acquisition unit passively receives part of the security events and all operation behaviour information of the switches in SNMP TRAP mode, where this part of the security events comprises IP and MAC address conflicts and illegal equipment access.
The first acquisition unit actively polls the topology information of the switches through the SNMP protocol and, using SNMP and IP protocol family commands together with the switch equipment asset table of the storage unit, automatically discovers the switches in the system, the active host equipment connected to the switches, and the interconnection relationships between the switches. At the same time the first acquisition unit can also actively poll, through the SNMP protocol, the running information of the switches and part of the security events, this part comprising CPU utilization exceeding a threshold and memory utilization exceeding a threshold.
The second acquisition unit passively receives the remaining security events of the switches through the SYSLOG protocol, these comprising power module faults and CPU temperature exceeding a threshold.
Step two, the reassembly unit screens and filters the collected switch information according to a filtering rule and reassembles the messages according to the switch log specification issued by the national grid company to obtain formatted log information.
Because the data types reported by switch equipment of different manufacturers and models differ, as do their SYSLOG log formats, many invalid messages are mixed in, so the filtering rule must be established in advance; after the switch security events, operation behaviours and running information have been collected, the valid switch information is retrieved by comparing each message against the filtering rule with a brute-force matching algorithm, and the invalid data is filtered out.
The valid switch log messages are formatted and reassembled into formatted log information, where the reassembled data comprises four fields: event level, event time, equipment identifier and content description. The event level represents the urgency or severity of the event; the event time is the timestamp at which the event occurred; the equipment identifier is the name of the switch equipment and uniquely identifies one switch; the content description contains the specific content of the whole event.
Step three, the reassembled formatted log information is sent to a message bus and received by the analysis unit, which performs security analysis and stores the analysis result in the storage unit.
The message bus uses the high-speed data bus Kafka (a high-throughput distributed publish-subscribe message system). The reassembly unit sends the reassembled formatted log information to the Kafka broker (Kafka cluster server) through the message system's producer end.
The analysis unit acts as the message system's subscriber (consumer), subscribing to the switch security events, running information and operation behaviour information in the Kafka broker cluster, and performs security analysis on the reassembled switch formatted log messages. The security analysis comprises duplicate event removal, state overrun judgment, merging of persistent events and dangerous operation judgment on the switch logs, together with tracking, tracing and correlation analysis of the security events by time period to find the causes of the events.
The results of the security analysis are stored in the storage unit and called by other functional modules. The storage unit is implemented with a Dameng database.
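The security-analysis steps described in the claims and again above (state overrun judgment with merging of consecutive overruns, dangerous operation judgment against a preset list, duplicate removal, and time-axis tracing per device), worked through as an added example that is not part of the patent. The thresholds, the dangerous-operation list, the device names and the sample event stream are assumed or constructed, and the message bus is replaced by an in-memory list.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    level: int                      # 1 emergency, 2 important, 3 general, 4 notice
    time: str                       # 'year-month-day hour:minute:second', sortable as text
    device: str                     # switch equipment name from the asset table
    etype: str                      # 'sys' running info, 'oper' behaviour, 'war' security event
    subtype: str
    content: str
    value: Optional[float] = None   # numeric reading carried by running information


# Assumed thresholds (percent) and an assumed preset dangerous-operation list
# standing in for the lists the storage unit would hold.
THRESHOLDS = {"cpu_util": 80.0, "mem_util": 85.0}
DANGEROUS_OPS = {"user_delete", "password_change", "config_erase"}


class Analyzer:
    def __init__(self):
        self.seen = set()         # index of stored security events, for duplicate removal
        self.open_overrun = {}    # (device, subtype) -> overrun event still being merged
        self.results = []         # security events accepted or generated

    def state_overrun(self, ev):
        """Running information: raise an overrun event; merge while the overrun continues."""
        limit = THRESHOLDS.get(ev.subtype)
        if limit is None or ev.value is None:
            return None
        key = (ev.device, ev.subtype)
        if ev.value <= limit:
            self.open_overrun.pop(key, None)      # back in range: the current run ends
            return None
        if key in self.open_overrun:
            merged = self.open_overrun[key]       # consecutive overrun: extend, no new event
            merged.content = f"{ev.subtype} over {limit}% from {merged.time} to {ev.time}"
            return merged
        new = Event(2, ev.time, ev.device, "war", f"{ev.subtype}_overrun",
                    f"{ev.subtype} {ev.value}% over {limit}%", ev.value)
        self.open_overrun[key] = new
        self.results.append(new)
        return new

    def dangerous_operation(self, ev):
        """Operation behaviour: compare the operation against the dangerous-operation list."""
        if ev.subtype not in DANGEROUS_OPS:
            return None
        new = Event(1, ev.time, ev.device, "war", "dangerous_op", f"{ev.subtype}: {ev.content}")
        self.results.append(new)
        return new

    def dedup(self, ev):
        """Security event: keep the first occurrence, discard repeats of the same event."""
        key = (ev.time, ev.device, ev.subtype, ev.content)
        if key in self.seen:
            return None
        self.seen.add(key)
        self.results.append(ev)
        return ev

    def process(self, ev):
        handler = {"sys": self.state_overrun, "oper": self.dangerous_operation}
        return handler.get(ev.etype, self.dedup)(ev)

    def trace(self, device, start, end):
        """Time-axis view: one device's security events within [start, end], in time order."""
        return sorted((e for e in self.results if e.device == device and start <= e.time <= end),
                      key=lambda e: e.time)


# Constructed sample stream, in the order the analysis unit would consume it.
SAMPLE = [
    Event(4, "2017-09-03 20:12:23", "H3CS3600_SW_01", "sys", "cpu_util", "cpu 15%", 15),
    Event(4, "2017-09-03 20:13:23", "H3CS3600_SW_01", "sys", "cpu_util", "cpu 91%", 91),
    Event(4, "2017-09-03 20:14:23", "H3CS3600_SW_01", "sys", "cpu_util", "cpu 95%", 95),
    Event(4, "2017-09-03 20:15:23", "H3CS3600_SW_01", "sys", "cpu_util", "cpu 40%", 40),
    Event(2, "2017-09-03 20:15:48", "H3CS3600_SW_02", "war", "ip_conflict", "GE2/0/6 and GE2/0/8"),
    Event(2, "2017-09-03 20:15:48", "H3CS3600_SW_02", "war", "ip_conflict", "GE2/0/6 and GE2/0/8"),
    Event(4, "2017-09-03 20:16:23", "H3CS3600_SW_01", "sys", "cpu_util", "cpu 88%", 88),
    Event(3, "2017-09-03 20:18:00", "H3CS3600_SW_01", "oper", "user_login", "admin"),
    Event(3, "2017-09-03 20:20:00", "H3CS3600_SW_01", "oper", "password_change", "admin"),
]


def run_sample(events=SAMPLE):
    analyzer = Analyzer()
    for ev in events:
        analyzer.process(ev)
    return analyzer


if __name__ == "__main__":
    for e in run_sample().results:
        print(e.level, e.time, e.device, e.subtype, e.content)
```

The two overruns at 20:13 and 20:14 collapse into one event, the drop to 40% closes that run so the 88% reading opens a new one, and the repeated IP conflict is stored once.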
Example:
step one, collecting the relevant information of the switches inside an industrial control system in three ways;
in this embodiment, the switch equipment asset information is first entered in advance and stored in two tables of the Dameng database of the storage unit: the switch equipment asset table sw_alerts and the switch SNMP parameter table SNMP_config, where table sw_attributes (Table 1) stores the switch equipment information and table SNMP_config (Table 2) stores the SNMP parameters of all switches:
Table 1: switch equipment asset table (shown as an image in the original; not reproduced)
Table 2: SNMP parameters of a switch
  NAME             corresponding switch ID
  VERSION          SNMP protocol version number
  READ_COMMUNITY   read community name
  WRITE_COMMUNITY  write community name
  RETRIES          number of retransmissions
The first acquisition unit reads the SNMP parameters of a switch by looking up the switch's ID in the SNMP_config table (Table 2).
Second, the system's interface display module draws all the switch equipment according to the switch equipment asset information, with the switches offline by default. Whether a switch is online is detected in two ways: the first is to ping the management-port IP address LOGOIP of each switch in turn; the second is to read the parameters of each switch through the SNMP protocol. If a network device can be pinged or its data can be read, the device is proven to be online; the online device is lit up and the data read is written to the switch SNMP parameter table.
For each online device, the MAC address table of each network port is read to obtain the MAC address of the peer device, and whether the device is legal is judged by comparing that address against the MAC addresses of all host devices in the system asset table. Legal and illegal devices are drawn separately and distinguished by colour, a connecting line is drawn to the switch they belong to, and finally an illegal device access alarm is reported.
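The online check and the per-port MAC legality check of the topology procedure (steps 3 to 5 in the claims, the detailed description and this embodiment), worked through as an added example that is not part of the patent. The ping and SNMP results, the asset tables and the per-port MAC tables are constructed in-memory stand-ins (no real SNMP calls), and the switch names, IPs and MACs are assumed; a peer MAC that belongs to another switch in the asset table is treated as a switch-to-switch link rather than a host.

```python
from dataclasses import dataclass


@dataclass
class Switch:
    name: str          # device name, as in the switch equipment asset table
    logoip: str        # management-port IP (the asset table's LOGOIP column)
    mac: str           # the switch's own MAC, used to recognise switch-to-switch links
    online: bool = False


# Constructed asset data standing in for the storage unit's tables.
ASSETS = [
    Switch("H3CS3600_SW_01", "10.0.0.1", "00:1a:2b:00:00:01"),
    Switch("H3CS3600_SW_02", "10.0.0.2", "00:1a:2b:00:00:02"),
    Switch("H3CS3600_SW_03", "10.0.0.3", "00:1a:2b:00:00:03"),
]
HOST_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}   # MACs of all authorised hosts

# Constructed probe results: which management IPs answered ping, which answered an
# SNMP read, and the per-port MAC tables an SNMP read would return.
PING_OK = {"10.0.0.1"}
SNMP_OK = {"10.0.0.1", "10.0.0.2"}
MAC_TABLES = {
    "10.0.0.1": {"GE2/0/6": ["00:11:22:33:44:55"],
                 "GE2/0/8": ["DE-AD-BE-EF-00-01"],          # not in the asset table
                 "GE2/0/24": ["00:1a:2b:00:00:02"]},        # uplink to SW_02
    "10.0.0.2": {"GE2/0/1": ["00:11:22:33:44:66"],
                 "GE2/0/24": ["00:1a:2b:00:00:01"]},        # uplink back to SW_01
}


def normalize_mac(mac):
    """Vendors print MACs with '-' or ':' and mixed case; compare one canonical form."""
    return mac.lower().replace("-", ":")


def detect_online(sw, ping_ok, snmp_ok):
    """Either probe succeeding proves the switch is online (the two modes in the text)."""
    sw.online = sw.logoip in ping_ok or sw.logoip in snmp_ok
    return sw.online


def build_topology(assets, ping_ok, snmp_ok, mac_tables, host_macs):
    """Drawing state: node colour, host peers with legality, switch links, and alarms."""
    switch_by_mac = {normalize_mac(s.mac): s.name for s in assets}
    topo = {"nodes": {}, "hosts": [], "links": set(), "alarms": []}
    for sw in assets:
        # Steps 2 and 3: drawn offline (gray) first, turned green once a probe succeeds.
        topo["nodes"][sw.name] = "green" if detect_online(sw, ping_ok, snmp_ok) else "gray"
        if not sw.online:
            continue
        # Step 5: read each port's MAC table and check every peer against the asset data.
        for port, macs in mac_tables.get(sw.logoip, {}).items():
            for mac in map(normalize_mac, macs):
                if mac in switch_by_mac:
                    if switch_by_mac[mac] != sw.name:
                        topo["links"].add(frozenset({sw.name, switch_by_mac[mac]}))
                    continue
                status = "legal" if mac in host_macs else "illegal"
                topo["hosts"].append((sw.name, port, mac, status))
                if status == "illegal":
                    topo["alarms"].append({"device": sw.name, "port": port, "mac": mac,
                                           "event": "illegal device access"})
    return topo


if __name__ == "__main__":
    result = build_topology(ASSETS, PING_OK, SNMP_OK, MAC_TABLES, HOST_MACS)
    print(result["nodes"])
    for alarm in result["alarms"]:
        print(alarm)
```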
Step two, the collected switch information is screened and filtered by the reassembly unit according to the filtering rule, and the messages are reassembled according to the switch log specification issued by the national grid company to obtain formatted log information.
In this embodiment, after the security events, running information and operation behaviours of the switches have been collected, invalid data is removed and valid data retained by comparing each message against the filtering rules with a brute-force matching algorithm.
The reassembly unit extracts the event level, event time, equipment identifier and content description from the retained valid data; an example of the reassembled formatted log information is shown in the following table:
TABLE 3 Restructured formatted log information (the table itself is an image on the original page; its two rows are described below)
The event level is an Arabic numeral, divided into four levels by degree of urgency: emergency, important, general and notification, corresponding to the numbers 1 to 4. The event time format is 'year-month-day hour:minute:second'. The device identifier is the name of the switch device generating the event, named as 'switch model_SW_index among switches of the same model', and uniquely identifies one switch. The content description consists of three fields, event type, subtype and event content: the type and subtype distinguish different events and the event content is the specific event description. Message reorganization combines the event level, event type and event subtype defined in the State Grid switch log specification with the time of occurrence, the switch device name from the asset table and the event description.
The first row in the table is running information: at 2017-09-03 20:12:23 the CPU threshold of switch H3CS3600_SW_01 is 15%. The second is a security event: at 2017-09-03 20:15:48, network ports 2/0/6 and 2/0/8 of switch H3CS3600_SW_02 reported two IP address conflicts.
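The filtering and reorganization of step two, as an added Python example that is not the patent's code: raw switch messages are matched against keyword filter rules with a brute-force substring search, then split into event level (1 to 4), event time, device identifier (model_SW_index) and content description (type, subtype, content). The raw line format, the filter keywords, the type-to-topic mapping and the sample lines are constructed assumptions, not a vendor's real log format.

```python
"""Reorganization unit: filter raw messages with a brute-force (BF) keyword
match, then extract level / time / device identifier / content description.
Added illustration; raw line format, rules and sample lines are constructed."""
import re
from datetime import datetime
from typing import Optional

# Four degrees of urgency -> Arabic numerals 1-4, as the patent defines.
LEVELS = {"emergency": 1, "important": 2, "general": 3, "notification": 4}
# Device identifier: <switch model>_SW_<index among switches of the same model>.
DEVICE_ID = re.compile(r"^[A-Za-z0-9]+_SW_\d+$")
# Constructed raw format: "<date> <time> <device> <level-word> <type>/<subtype>: <content>"
RAW = re.compile(r"^(?P<date>\d{4}-\d\d-\d\d) (?P<clock>\d\d:\d\d:\d\d) (?P<dev>\S+) "
                 r"(?P<lvl>\w+) (?P<type>\w+)/(?P<sub>\w+): (?P<content>.+)$")
FILTER_KEYWORDS = ["keepalive", "debug"]  # constructed filtering rule: drop these
# Constructed mapping of event type -> message bus topic (sw_war / sw_oper / sw_sys).
TOPIC_BY_TYPE = {"sec": "sw_war", "oper": "sw_oper", "run": "sw_sys"}


def bf_find(text: str, pattern: str) -> bool:
    """Naive brute-force substring search, O(n*m); the BF algorithm the patent names."""
    n, m = len(text), len(pattern)
    for i in range(n - m + 1):
        j = 0
        while j < m and text[i + j] == pattern[j]:
            j += 1
        if j == m:
            return True
    return False


def is_valid(raw: str) -> bool:
    """A message that matches any filter keyword is invalid data and is dropped."""
    low = raw.lower()
    return not any(bf_find(low, kw) for kw in FILTER_KEYWORDS)


def reorganize(raw: str) -> Optional[dict]:
    """Return the formatted log record (table 3 shape), or None if the message is
    filtered out, unparseable, has an unknown level or a malformed identifier."""
    if not is_valid(raw):
        return None
    m = RAW.match(raw)
    if m is None or m["lvl"].lower() not in LEVELS or not DEVICE_ID.match(m["dev"]):
        return None
    try:  # re-parse the timestamp so an impossible date is rejected, not passed on
        when = datetime.strptime(f"{m['date']} {m['clock']}", "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return {"level": LEVELS[m["lvl"].lower()],
            "time": when.strftime("%Y-%m-%d %H:%M:%S"),
            "device": m["dev"],
            "type": m["type"], "subtype": m["sub"], "content": m["content"].strip()}


def topic_for(record: dict) -> Optional[str]:
    return TOPIC_BY_TYPE.get(record["type"])


def process_batch(lines):
    """Filter and reorganize a batch; records are grouped by the topic they go to."""
    out = {"sw_war": [], "sw_oper": [], "sw_sys": []}
    for line in lines:
        rec = reorganize(line)
        if rec is None:
            continue
        topic = topic_for(rec)
        if topic:
            out[topic].append(rec)
    return out


SAMPLE_LINES = [  # constructed raw messages
    "2017-09-03 20:12:23 H3CS3600_SW_01 general run/cpu: CPU usage 15%",
    "2017-09-03 20:15:48 H3CS3600_SW_02 important sec/ipconflict: IP address conflict on ports 2/0/6 and 2/0/8",
    "2017-09-03 20:16:00 H3CS3600_SW_02 notification run/keepalive: keepalive ok",  # filtered
    "2017-09-03 20:16:05 core-router-1 important sec/ipconflict: not a switch identifier",  # rejected
    "2017-09-03 20:17:00 H3CS3600_SW_02 notification oper/login: user admin logged in from console",
]
```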
Step three: the reorganized formatted log information is sent to the message bus; the analysis unit receives it, performs security analysis and stores the result in the storage unit.
In this embodiment, the data cache and subscription module is built on the Kafka distributed message system to cache and forward data. The reorganization unit publishes the formatted logs to the Kafka broker cluster through the message system's producer side. The analysis unit acts as the message system's consumer and subscribes, according to user needs, to the switch-related topics in the Kafka broker cluster. Three topics are configured by switch message type, sw_war, sw_oper and sw_sys, corresponding to the three message classes: security events, operation behaviours and running information.
In this embodiment, the analysis unit reads log information from the three topics on the message bus, and the analysis steps are as follows:
1) extract switch running information from sw_sys and judge state overrun: if a state exceeds its threshold, generate a state-overrun security event, and merge consecutively generated state-overrun events into one;
2) extract switch operation behaviour information from sw_oper, traverse the dangerous-operation list preset in the storage unit to judge whether an operation is dangerous, and generate a dangerous-operation security event for each dangerous behaviour;
3) extract switch security event information from sw_war, look up whether the event already exists in the storage unit's index, and discard repeated events, thereby deduplicating security events;
4) perform tracking, tracing and correlation analysis by time period on all security events collected or generated by the security analysis: security events within a given period are drawn on a time axis in the display module, and events generated by the same device are marked by the switch's device name or IP address, realizing tracking and tracing; the causes of all security events on the same device are classified and analysed to obtain the internal relations among them, and their threat sources are tracked and handled in time, realizing security event correlation analysis.
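Analysis steps 1) to 4) above, as an added Python example that is not the patent's code: the three topics are simulated as in-memory lists of formatted log records instead of a Kafka subscription, and the records, thresholds, merge window and dangerous-operation list are constructed assumptions.

```python
"""Analysis unit: threshold overrun with consecutive-event merging, dangerous
operation matching, security event deduplication and a per-device timeline.
Added illustration; topics are in-memory lists and all data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"
THRESHOLDS = {"cpu": 80, "mem": 80}                         # constructed, percent
DANGEROUS_OPS = ["delete user", "erase startup", "reload"]  # constructed preset list
MERGE_WINDOW = timedelta(minutes=5)                         # constructed


def _rec(time, device, typ, sub, content):
    return {"time": time, "device": device, "type": typ, "subtype": sub, "content": content}


SAMPLE_TOPICS = {  # constructed formatted log records, one list per topic
    "sw_sys": [
        _rec("2017-09-03 20:12:23", "H3CS3600_SW_01", "run", "cpu", "CPU usage 15%"),
        _rec("2017-09-03 20:20:00", "H3CS3600_SW_01", "run", "cpu", "CPU usage 91%"),
        _rec("2017-09-03 20:21:00", "H3CS3600_SW_01", "run", "cpu", "CPU usage 95%"),
        _rec("2017-09-03 21:00:00", "H3CS3600_SW_01", "run", "cpu", "CPU usage 88%"),
    ],
    "sw_oper": [
        _rec("2017-09-03 20:30:00", "H3CS3600_SW_02", "oper", "cli", "admin: delete user guest"),
    ],
    "sw_war": [  # the same IP-conflict event delivered twice (e.g. trap and syslog)
        _rec("2017-09-03 20:15:48", "H3CS3600_SW_02", "sec", "ipconflict", "IP conflict ports 2/0/6 and 2/0/8"),
        _rec("2017-09-03 20:15:48", "H3CS3600_SW_02", "sec", "ipconflict", "IP conflict ports 2/0/6 and 2/0/8"),
    ],
}


def _t(s):
    return datetime.strptime(s, TS)


def state_overrun_events(sys_records):
    """Step 1: threshold check on running information; consecutive overruns of the
    same device/subtype within MERGE_WINDOW are merged into one event with a count."""
    events, open_ev = [], {}
    for rec in sorted(sys_records, key=lambda r: _t(r["time"])):
        pct, limit = re.search(r"(\d+)%", rec["content"]), THRESHOLDS.get(rec["subtype"])
        if pct is None or limit is None or int(pct.group(1)) <= limit:
            continue
        key = (rec["device"], rec["subtype"])
        ev = open_ev.get(key)
        if ev and _t(rec["time"]) - _t(ev["end"]) <= MERGE_WINDOW:
            ev["end"], ev["count"] = rec["time"], ev["count"] + 1
        else:
            ev = {"kind": "state_overrun", "device": rec["device"], "subtype": rec["subtype"],
                  "start": rec["time"], "end": rec["time"], "count": 1}
            open_ev[key] = ev
            events.append(ev)
    return events


def dangerous_operation_events(oper_records):
    """Step 2: traverse the preset dangerous-operation list for every operation."""
    events = []
    for rec in oper_records:
        hit = next((op for op in DANGEROUS_OPS if op in rec["content"].lower()), None)
        if hit:
            events.append({"kind": "dangerous_operation", "device": rec["device"],
                           "time": rec["time"], "op": hit, "content": rec["content"]})
    return events


def dedupe_security_events(war_records, index):
    """Step 3: `index` stands in for the storage unit's index of stored events;
    an event whose key is already indexed is discarded."""
    kept = []
    for rec in war_records:
        key = (rec["device"], rec["time"], rec["type"], rec["subtype"], rec["content"])
        if key in index:
            continue
        index.add(key)
        kept.append({"kind": "security_event", "device": rec["device"], "time": rec["time"],
                     "subtype": rec["subtype"], "content": rec["content"]})
    return kept


def timeline_by_device(events):
    """Step 4: group events by switch name, ordered by time, for the time-axis display."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["device"]].append(ev)
    for evs in grouped.values():
        evs.sort(key=lambda e: e.get("time") or e["start"])
    return dict(grouped)


def analyze(topics, index=None):
    """Run steps 1-3 over the three topics and return the step-4 timeline."""
    index = set() if index is None else index
    events = (state_overrun_events(topics.get("sw_sys", []))
              + dangerous_operation_events(topics.get("sw_oper", []))
              + dedupe_security_events(topics.get("sw_war", []), index))
    return timeline_by_device(events)
```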
The analysis unit stores the analysis results in the storage unit and, for the analysis itself, has to query and read the relevant rules from the storage unit, so the data interaction between the two is bidirectional.
Meanwhile, the analysis unit pushes the security events generated by the analysis to the interface display module in real time; when a threat occurs, the display module notifies operation and maintenance personnel promptly by sound, light and electronic means, realizing real-time monitoring and early warning of security events.
The invention is compatible with the switches of most manufacturers and models on the market and is highly universal; it can monitor the internal network topology of the industrial control system comprehensively, detect in time that an illegal device has been connected to an intranet switch, and monitor and control it in real time before the threat makes contact; it can collect in real time and comprehensively the security events, operation behaviours and running information generated by intranet switches, and, through analysis and alarming, monitor and give early warning in real time when a threat is connected.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, several modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.

Claims (8)

1. A switch information acquisition and analysis system, characterized in that: the system comprises a plurality of switches and a first acquisition unit, a second acquisition unit, a reorganization unit, an analysis unit, a storage unit and a display module, all connected to the switches;
the first acquisition unit acquires topology information, running information, operation behaviors and safety events of the switch, and the second acquisition unit receives the safety events of the switch; the first acquisition unit directly stores the acquired topology information into the storage unit for the display module to call, and other acquisition information is transmitted to the recombination unit by the first acquisition unit and the second acquisition unit respectively;
the reorganization unit is used for screening the acquired data messages according to a filtering rule and reorganizing the messages according to a preset log specification to obtain formatted log information; the reorganization unit sends the formatted log information to the analysis unit through a message bus;
the analysis unit is used for carrying out security analysis on the formatted log information and storing an analysis result into the storage unit;
the topology information acquisition process is as follows:
1) inputting the information of the switch equipment into a switch equipment asset table and a switch SNMP parameter table of the storage unit;
2) the display module first draws the switch equipment, defaulting to the off-line state, and the off-line equipment is filled with colour;
3) the first acquisition unit detects whether a switch is on-line; if the switch is on-line, the switch equipment asset table in the storage unit is updated in real time, and the display module obtains the on-line state and fills the on-line switch with colour;
4) reading the SNMP parameters of the on-line switch and storing them into the switch SNMP parameter table;
5) reading the MAC address table of each network port of the on-line equipment to obtain the MAC addresses of the opposite-end equipment, judging whether each MAC address is legal by comparing it with the MAC addresses of all host equipment in the switch equipment asset table of the system, drawing legal host equipment and illegal host equipment separately, and drawing a connecting line to the switch to which the equipment belongs.
2. The switch information collection and analysis system of claim 1, wherein: the collection modes are respectively as follows:
the first acquisition unit passively receives part of security events and all operation behavior information of the switch in an SNMP TRAP mode, wherein the part of security events comprise: IP, MAC address conflict and illegal equipment access;
the first acquisition unit actively polls the topological information of the switch through an SNMP protocol, and automatically discovers the switch in the system, active host equipment connected with the switch and the interconnection relationship among the switch, the active host equipment and the switch through SNMP and IP protocol group commands in combination with the asset table of the switch equipment of the storage unit; meanwhile, the first acquisition unit can also actively poll the running information of the switch and partial information of the security events through the SNMP protocol, wherein the partial information of the security events comprises that the CPU utilization rate exceeds a threshold value and the memory utilization rate exceeds a threshold value;
and the second acquisition unit passively receives other safety events of the switch through a SYSLOG protocol, wherein the other safety events comprise power module faults and CPU temperature exceeding a threshold value.
3. A method for collecting and analyzing switch information is characterized in that: the method comprises the following steps:
step one, collecting related information of the internal switches of an industrial control system;
step two, screening the collected related information of the switches according to a filtering rule, and reorganizing the messages according to the switch log specification to obtain formatted log information;
step three, sending the reorganized formatted log information to a message bus, performing security analysis on it, and storing the analysis result in a storage unit;
the related information comprises topology information of the switch, and the topology information acquisition process comprises the following steps:
1) inputting the information of the switch equipment into a switch equipment asset table and a switch SNMP parameter table;
2) preferentially drawing the switch equipment, defaulting to an off-line state, and filling the off-line equipment with colors;
3) detecting whether the switch is on-line or not, if so, updating the asset table of the switch equipment in real time, acquiring the on-line state and filling the on-line switch with colors;
4) reading the SNMP parameters of the online switch and storing the SNMP parameters into an SNMP parameter table of the switch;
5) reading the MAC address table of each network port of the on-line equipment to obtain the MAC addresses of the opposite-end equipment, judging whether each MAC address is legal by comparing it with the MAC addresses of all host equipment in the switch equipment asset table, drawing legal host equipment and illegal host equipment separately, and drawing a connecting line to the switch to which the equipment belongs.
4. The method for collecting and analyzing switch information as claimed in claim 3, wherein: the related information includes security events of the switch, the security events including one of: IP, MAC address conflict, power module failure, CPU temperature exceeding a threshold, CPU utilization exceeding a threshold, memory utilization exceeding a threshold, and illegal device access.
5. The method for collecting and analyzing switch information as claimed in claim 3, wherein: the relevant information includes operational behavior of the switch, the operational behavior including one of: user, password management, user login and user operation.
6. The method for collecting and analyzing switch information as claimed in claim 3, wherein: the related information comprises operation information of the switch, and the operation information comprises one of the following: the method comprises the following steps of switch online time, CPU utilization rate, memory utilization rate, network packet loss rate, bit error rate, network port state, link delay and network connection condition.
7. The method for collecting and analyzing switch information as claimed in claim 3, wherein: the relevant information of the internal switch of the industrial control system is collected, and the collection modes are respectively as follows:
passively receiving partial security events and all operation behavior information of the switch in an SNMP TRAP mode, wherein the partial security events comprise: IP, MAC address conflict and illegal equipment access;
actively polling the topological information of the switch through an SNMP protocol, and automatically discovering the switch in the system, the active host equipment connected with the switch and the interconnection relationship among the switches through SNMP and IP protocol family commands in combination with the asset table of the switch equipment of the storage unit; meanwhile, the switch running information and partial information of the security event class can be actively polled through an SNMP protocol, wherein the partial information of the security event class comprises that the CPU utilization rate exceeds a threshold value and the memory utilization rate exceeds a threshold value;
the remaining security events of the switch, including power module failure and CPU temperature exceeding a threshold, are passively received via the SYSLOG protocol.
8. The method for collecting and analyzing switch information as claimed in claim 3, wherein: the security analysis includes one of:
extracting the running information of the switch from the running information message of the related information of the switch, carrying out state overrun judgment, if the state exceeds a threshold value, generating a state overrun security event, and merging continuous events of the continuously generated state overrun security event;
extracting the switch operation behavior information from the operation behavior message of the relevant information of the switch, traversing a dangerous operation list preset in a storage unit, judging dangerous operation, and generating dangerous operation safety events for the dangerous operation behavior;
extracting switch safety event information from a safety event message of the relevant information of the switch, indexing whether the event exists in a storage unit, discarding repeated events and realizing the duplicate removal of the safety event;
performing tracking, tracing and correlation analysis by time period on all security events collected or generated by the security analysis: security events within a given period are drawn on a time axis, and events generated by the same equipment are marked by the switch equipment name or the switch IP address, realizing tracking and tracing of security events; the causes of all security events on the same equipment are classified and analysed to obtain the internal relations among them, and their threat sources are tracked and handled in time, realizing security event correlation analysis.
CN201810920512.8A 2018-08-14 2018-08-14 Switch information acquisition and analysis system and method Active CN109150869B (en)

Publications (2)

Publication Number Publication Date
CN109150869A CN109150869A (en) 2019-01-04
CN109150869B true CN109150869B (en) 2021-06-04
