CN109660518A - Communication data detection method, device and machine-readable storage medium for a network - Google Patents

Communication data detection method, device and machine-readable storage medium for a network

Info

Publication number
CN109660518A
Authority
CN
China
Prior art keywords
payload
cluster
length
clustered
model
Prior art date
Legal status
Granted
Application number
CN201811399478.0A
Other languages
Chinese (zh)
Other versions
CN109660518B (en)
Inventor
王高杰
李思齐
王智民
何志福
Current Assignee
Beijing Liufang Lingan Network Technology Co Ltd
Beijing 6Cloud Technology Co Ltd
Original Assignee
Beijing Liufang Lingan Network Technology Co Ltd
Beijing 6Cloud Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Liufang Lingan Network Technology Co Ltd, Beijing 6Cloud Technology Co Ltd
Priority to CN201811399478.0A
Publication of CN109660518A
Application granted
Publication of CN109660518B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

Embodiments of the present invention provide a communication data detection method, a device and a machine-readable storage medium for a network, belonging to the technical field of network security. The method comprises: receiving communication data, the communication data comprising a data message with a payload; and, based on at least one data detection model, matching in turn the length of the payload, the fixed field of the payload and the variable field of the payload, and judging the data message to be abnormal when any of the matches fails. The communication data detection method, device and machine-readable storage medium for a network can detect anomalies in communication data in real time without analysing the network protocol in advance.

Description

Communication data detection method, device and machine-readable storage medium for a network
Technical field
The present invention relates to network security technology, and in particular to a communication data detection method, a device and a machine-readable storage medium for a network.
Background art
An industrial control system (ICS) is the general term for a class of systems. It includes supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other small control systems that are common in industrial departments and critical infrastructure, such as programmable logic controllers (PLC). In recent years network intrusion techniques have appeared more and more often in industrial control system networks, so technology for discovering and alerting on attack data messages in industrial control networks has attracted growing attention in the industry.
Two techniques are currently in common use. The first is an intrusion detection framework based on a white-list learning mechanism. It is divided into two stages: learning and generating the white list of industrial control system operations, and detecting abnormal industrial control system operations. In the generation stage, industrial control system packets are filtered out of the packets of historical network traffic, and variable-field location information such as the fixed signature, operation code and access address of a particular industrial control system protocol is extracted from the application-layer payload of the packets to serve as a protocol knowledge base, which is loaded into an appliance that is then placed in the industrial control business network for learning. Assuming that the historical network traffic contains no abnormal data, the messages appearing in the industrial control system packets that conform to the definitions of the protocol knowledge base have their variable fields, such as operation code and access address, parsed as legitimate industrial control system operation fields, and a rule set forming the white list of industrial control system operations is generated and stored. In the anomaly detection stage, according to the white-list rules generated in the generation stage, illegal message formats, illegal operation codes and illegal address accesses that fail to match these white-list rules are alerted on or suppressed.
The above intrusion detection technique based on the white-list mechanism is implemented mainly with deep packet inspection (DPI). "Signatures" obtained by prior analysis are used first to identify the industrial control system protocol used by a packet, and then, again according to the "signatures", to identify the payload carried in each industrial control system packet (operation code, access address and similar information). However, because every industrial control system data protocol has its own unique format, each protocol must be analysed manually in advance and its message format understood, and different "signatures" must be hand-crafted in advance in order to identify the operation code and access address in industrial control system packets. This has three drawbacks. First, protocol analysis and "signature" extraction are performed manually, so working efficiency is low. Second, for private proprietary protocols an accurate format cannot be analysed and extracted, which affects the accuracy of subsequent anomaly detection. Third, once an industrial control system protocol is upgraded to a new version in the application, the above white-list-based detection system must again manually analyse the upgraded industrial control system protocol and release a software upgrade of the detection system before it can provide effective support.
The second is a modelling technique based entirely on machine learning, which learns purely statistical features of the data messages in the network, such as message length, time interval, the characters in the message payload and the frequency of n-grams, and builds a model for detection. Its disadvantage is that models built on such statistical features are not very accurate and are easily deceived by forged attack information. Typical machine-learning modelling techniques in this class of statistical-feature modelling include PAYL and McPAD.
Summary of the invention
The purpose of embodiments of the present invention is to provide a communication data detection method, a device and a machine-readable storage medium for a network which can detect anomalies in communication data in real time without analysing the network protocol in advance.
To achieve the above purpose, an embodiment of the present invention provides a communication data detection method for an industrial control system network. The method comprises: receiving communication data, the communication data comprising a data message with a payload; and, based on at least one data detection model, matching in turn the length of the payload, the fixed field of the payload and the variable field of the payload, and judging the data message to be abnormal when any of the matches fails.
Preferably, the data detection model is established as follows: receiving a plurality of sample communication data, each of which comprises a sample data message with a payload; dividing the plurality of sample data messages into at least one length model according to the length of the payload of the sample data messages; for each length model of the at least one length model, clustering according to the similarity of the payloads of the plurality of sample data messages to form at least one group of clustered payloads; and, for the variable field of each group of clustered payloads of the at least one group, calculating and storing a regular expression to generate the data detection model.
Preferably, clustering according to the similarity of the payloads of the plurality of sample data messages comprises: establishing a class cluster, storing one payload of the plurality of payloads in the class cluster and taking it as the cluster sequence of the class cluster; and performing the following operations on each remaining payload of the plurality of payloads to generate at least one class cluster as the at least one group of clustered payloads: calculating the similarity with the cluster sequence of each current class cluster in turn; when the similarity between the payload and any class cluster is greater than or equal to a threshold, storing the payload in that class cluster and replacing the cluster sequence of that class cluster with the longest common subsequence of the payload and the cluster sequence of that class cluster; and when the similarities between the payload and the cluster sequences of all current class clusters are below the threshold, establishing a new class cluster, storing the payload in the new class cluster and taking it as the cluster sequence of the new class cluster.
Preferably, the similarity d between the payload and the cluster sequence is calculated by the following formula:
$$d = 1 - \frac{L - \mathrm{len}(s)}{L}$$
where L is the length of the payload or of the cluster sequence, and len(s) is the length of the longest common subsequence s of the payload and the cluster sequence.
Preferably, the method further comprises: taking the longest common subsequence of each group of clustered payloads of the at least one group as the fixed field of that group of clustered payloads.
Preferably, matching in turn the length of the payload, the fixed field of the payload and the variable field of the payload based on the at least one data detection model comprises: matching the length of the payload against the payload length of the at least one length model to find the matching length model; based on the matching length model, matching the fixed field of the payload against the fixed field of each group of clustered payloads to find the matching group of clustered payloads; and, based on the matching group of clustered payloads, matching the variable field of the payload against the regular expression.
Preferably, the method further comprises: receiving an input of the average number of false positives permitted within a first predetermined time; and testing the data detection model, and deeming the establishment of the data detection model complete when the ratio of the number of false positives of the data detection model within a second predetermined time to the number of messages within the second predetermined time is less than the ratio of the average number of false positives within the first predetermined time to the number of messages within the first predetermined time.
An embodiment of the present invention also provides a communication data detection device for an industrial control system network. The device comprises a receiving module and a processing module, wherein the receiving module is configured to receive communication data comprising a data message with a payload, and the processing module is configured to match in turn, based on at least one data detection model, the length of the payload, the fixed field of the payload and the variable field of the payload, and to judge the data message to be abnormal when any of the matches fails.
Preferably, the data detection model is established as follows: receiving a plurality of sample communication data, each of which comprises a sample data message with a payload; dividing the plurality of sample data messages into at least one length model according to the length of the payload of the sample data messages; for each length model of the at least one length model, clustering according to the similarity of the payloads of the plurality of sample data messages to form at least one group of clustered payloads; and, for the variable field of each group of clustered payloads of the at least one group, calculating and storing a regular expression to generate the data detection model.
An embodiment of the present invention also provides a machine-readable storage medium storing instructions which cause a machine to execute the method described above.
With the above technical solution, communication data comprising a data message with a payload is received first; then, based on at least one data detection model, the length of the payload, the fixed field of the payload and the variable field of the payload are matched in turn, and the data message is judged to be abnormal when any of the matches fails. The data detection model of the present invention does not depend on prior manual analysis of the industrial control system protocol or on hand-made "signatures"; anomaly detection for the industrial control system network is finally performed on the basis of the data detection model, so anomalies in the communication data can be detected in real time without analysing the network protocol in advance.
Further features and advantages of embodiments of the present invention are described in detail in the following detailed description.
Description of the drawings
The drawings are provided for a further understanding of embodiments of the present invention and form part of the specification. Together with the following detailed description they serve to explain embodiments of the present invention, but do not limit them. In the drawings:
Fig. 1 shows the communication data detection method for an industrial control system network provided by an embodiment of the invention;
Fig. 2 is a block diagram of the communication data detection process for an industrial control system network provided by an embodiment of the invention;
Fig. 3 shows the method for establishing the data detection model provided by an embodiment of the invention;
Fig. 4 shows the clustering method provided by an embodiment of the invention;
Fig. 5 shows the matching process provided by an embodiment of the invention; and
Fig. 6 is a schematic structural diagram of the communication data detection device for an industrial control system network provided by an embodiment of the invention.
Description of reference numerals
1 receiving module, 2 processing module.
Detailed description of embodiments
Specific embodiments of the present invention are described in detail below with reference to the drawings. It should be understood that the specific embodiments described here serve only to illustrate and explain embodiments of the present invention and are not intended to limit them.
Fig. 1 shows the communication data detection method for an industrial control system network provided by an embodiment of the invention. As shown in Fig. 1, the method comprises:
Step S11: receiving communication data, the communication data comprising a data message with a payload;
Step S12: based on at least one data detection model, matching in turn the length of the payload, the fixed field of the payload and the variable field of the payload, and judging the data message to be abnormal when any of the matches fails.
In embodiments of the present invention, the data detection model may, according to the security policy chosen by the user, be established for all data messages transmitted in the industrial control network, or for the data messages of part of the services or applications in the network, selected by an ACL filtering policy according to network-layer information (IP address, port, etc.) or application-layer information (domain name, URL, application type, etc.). On the basis of the data detection model, for received communication data of any protocol (whether request or response), the length of the payload (which can essentially be regarded as a character string), the fixed field of the payload and the variable field of the payload can be matched in turn; the data message is judged to be abnormal when any match fails, and normal when all matches succeed.
Fig. 2 is a block diagram of the communication data detection process for an industrial control system network provided by an embodiment of the invention. As shown in Fig. 2, the present invention can be divided overall into two stages: online modelling (the modelling method is described in detail below) and anomaly detection. In the online modelling stage, the system captures the payloads of the data messages transmitted in the industrial control system network from a traffic mirror, then automatically analyses and learns the inherent regularities of normal message payloads as the model, or baseline, of normal behaviour. When the modelling stage is complete, learning stops, the model is saved and the anomaly detection stage begins. The anomaly detector captures the payloads of the data messages transmitted in the industrial control system network and compares them with the normal-behaviour model established in the modelling stage; any data message that deviates too far from the model is treated as abnormal, an alarm is triggered and other possible countermeasures are initiated.
The system models the data messages transmitted in the industrial control system network in an online, real-time manner. It can be connected in series (inline) in a running industrial control system network, performing modelling and anomaly detection on the data messages as they are relayed, or connected in parallel, performing modelling and anomaly detection on a mirror of the transmitted traffic.
Fig. 3 shows the method for establishing the data detection model provided by an embodiment of the invention. As shown in Fig. 3, the method comprises:
Step S31: receiving a plurality of sample communication data, each of which comprises a sample data message with a payload;
Step S32: dividing the plurality of sample data messages into at least one length model according to the length of the payload of the sample data messages;
Step S33: for each length model of the at least one length model, clustering according to the similarity of the payloads of the plurality of sample data messages to form at least one group of clustered payloads;
Step S34: for the variable field of each group of clustered payloads of the at least one group, calculating and storing a regular expression to generate the data detection model.
Before the model is established, the sample data messages may first be subjected to L3/L4/L7 filtering, intrusion detection filtering and signalling-message filtering. These filtering methods can be chosen by a person skilled in the art as required and are not described further here.
Among the messages transmitted in an industrial control system network, messages of different lengths differ considerably in content and purpose. The system therefore divides first according to payload length. If the transport protocol is TCP, the payload length of a single network message ranges from 1 to 1460 bytes; if it is UDP, from 1 to 1472 bytes (the maxima for a 1500-byte Ethernet MTU without IP or TCP options). Depending on the transport protocol, the system first divides the payload lengths of all messages into 1460 or 1472 different length models.
Within each length model, the system divides further according to the similarity of the payloads. The division method here may be based on an unsupervised clustering algorithm, such as hierarchical clustering, partitioning-based clustering or density-based clustering, forming at least one group of clustered payloads.
Then, after clustering is complete, for each cluster the longest common subsequence of the samples in the cluster is obtained (for example, the longest common subsequence of the payload acdfg and the cluster sequence aedfc is adf) and stored; it is essentially the fixed field of the payloads of that cluster. The positions outside the longest common subsequence are essentially the variable fields of the payloads of that cluster, and the system summarises the value range of each variable field (its type, such as letter or digit, or the complete set of possible values) so as to form a regular expression, which is stored to generate the data detection model. The data detection model is therefore obtained by dividing twice, by length and by clustering, and then generating the regular expressions.
To prevent the modelling process from being influenced by malicious attacks, which would degrade the accuracy of anomaly detection, the system can be integrated with technologies or equipment such as firewalls and intrusion prevention systems (IPS), so that malicious attack messages are not loaded into the model while the system is modelling.
The payload of every data message transmitted in the network is essentially a sequence of bytes, and the payloads of different applications follow different format rules. In the modelling stage the system can also first divide the data messages into different models according to differences in L3/L4 information (such as IP addresses, ports and the TCP/UDP protocol) and L7 information (such as the Modbus or OPC protocol), so that, for example, one model contains only TCP/UDP protocol information together with OPC protocol information. Each model is then modelled separately using the length division described above, learning the inherent regularities of the payloads. The system learns only from message payloads; signalling messages (such as ACK messages) and response messages that carry no payload are ignored.
To prevent the adaptive modelling process from being polluted by malicious traffic, modelling must be stopped and the modelling result stored once modelling is complete. Most existing systems require the process to be stopped manually, or a modelling time to be set in advance so that the adaptive modelling process stops on a timer. Embodiments of the present invention can run a "trial detection" mechanism in parallel with modelling and stop the modelling process automatically according to the results of the trial detection. The invention provides a configuration item in the user interface for setting the number of false positives acceptable to the user, which may be an average number of alerts per day or a percentage. The user may set a false-positive count representing the number of false positives allowed on average within a first predetermined time (for example, 2 false positives every 24 hours). The system then counts the number of messages trial-detected in one day (24 hours), for example 10,000 messages; if within a second predetermined time (a configurable time much shorter than the first predetermined time of 24 hours) it finds that 99.98% ((10000 - 2)/10000) of the communication data conforms to the learned model, it automatically stops the modelling process and stores the modelling result.
Fig. 4 shows the clustering method provided by an embodiment of the invention. As shown in Fig. 4, the method comprises:
Step S41: establishing a class cluster, storing one payload of the plurality of payloads in the class cluster and taking it as the cluster sequence of the class cluster;
Step S42: for each remaining payload of the plurality of payloads, calculating the similarity with the cluster sequence of each current class cluster in turn;
Step S43: judging whether the similarity between any class cluster and the payload is greater than or equal to a threshold;
Step S44: when the similarity between the payload and any class cluster is greater than or equal to the threshold, storing the payload in that class cluster and replacing the cluster sequence of that class cluster with the longest common subsequence of the payload and the cluster sequence of that class cluster;
Step S45: when the similarities between the payload and the cluster sequences of all current class clusters are below the threshold, establishing a new class cluster, storing the payload in the new class cluster and taking it as the cluster sequence of the new class cluster.
Hierarchical clustering, partitioning-based clustering and density-based clustering, mentioned above, are not accurate enough and are inefficient, and are not suited to online modelling of high-speed network messages. An embodiment of the present invention provides a preferred clustering method, as follows:
Initialise a final class-cluster linked list and establish a class cluster, initially empty;
Store one payload of the plurality of payloads in the class cluster and take it as the cluster sequence of the class cluster (the plurality of payloads may first be sorted here to ensure that no payload is processed twice in subsequent processing);
For each remaining payload of the plurality of payloads, calculate the similarity with the cluster sequence of each current class cluster in turn. If at this time there is only one class cluster, the similarity is calculated only with the cluster sequence of that class cluster;
Initialise a payload similarity threshold; payloads whose similarity exceeds the threshold belong to the same class cluster;
When the similarity between the payload and any class cluster is greater than or equal to the threshold, store the payload in that class cluster and replace the cluster sequence of that class cluster with the longest common subsequence of the payload and the cluster sequence of that class cluster. If the longest common subsequence has fewer positions than the payload, pad it with an arbitrary marker: for example, the longest common subsequence of the payload acdfg and the cluster sequence aedfc is adf, so the cluster sequence after padding is a*df*, which then replaces the cluster sequence of that class cluster;
When the similarities between the payload and the cluster sequences of all current class clusters are below the threshold, establish a new class cluster, store the payload in the new class cluster and take it as the cluster sequence of the new class cluster.
When no class cluster has changed within a time threshold, all payloads have been processed; the resulting at least one class cluster can serve as the at least one group of clustered payloads, and clustering ends.
The similarity calculation described above can be obtained by computing a string distance. For example, for two character strings s1 = acdfg and s2 = aedfc of length L, the longest common subsequence s3 is found (for the above strings s1 and s2 it is adf), and the distance between them is $(L - \mathrm{len}(s3))/L$. The similarity is calculated according to the formula $d = 1 - \frac{L - \mathrm{len}(s)}{L}$, where L is the length of the payload or of the cluster sequence and len(s) is the length of the longest common subsequence of the payload and the cluster sequence. That is, the distance obtained is (5 - 3)/5 = 0.4 and the similarity is 1 - 0.4 = 0.6.
Fig. 5 shows the matching process provided by an embodiment of the invention. As shown in Fig. 5, the method comprises:
Step S51: matching the length of the payload against the payload length of the at least one length model to find the matching length model;
Step S52: based on the matching length model, matching the fixed field of the payload against the fixed field of each group of clustered payloads to find the matching group of clustered payloads;
Step S53: based on the matching group of clustered payloads, matching the variable field of the payload against the regular expression.
In summary, the modelling process yields the length models, the clustered payloads and the regular expressions. For a message of new communication data, length matching is therefore performed first to see which length model the payload of the message belongs to, and the corresponding length model is found. Then, within that length model, the fixed field of the payload is matched against the stored fixed fields of the payloads of each cluster to see which cluster's fixed field it equals, and the matching cluster is found. Finally the variable field of the payload is matched against the regular expression stored for that cluster. If any of length matching, cluster matching and regular-expression matching fails (if, for example, length matching or cluster matching fails, subsequent matching is not performed), the message is judged to be an abnormal message, an alarm is raised and a further response is made.
The system does not depend on any "signature database" and does not need to analyse the industrial control system network protocol in advance: it can detect the communication data in the industrial control system network in real time, discover known and even unknown attacks, automatically extract the communication data features of the real network environment and establish a baseline as the basis for anomaly detection. When the user's network undergoes a normal upgrade or adjustment and the communication data changes, learning can be repeated to update the model.
Fig. 6 is the structural representation of the communication data detection device for the industrial control system network that one embodiment of the invention provides Figure.As shown in fig. 6, the device includes: receiving module 1 and processing module 2, wherein the receiving module 1 is for receiving communication Data, the communication data include the data message with payload;The processing module 2 is used to examine based at least one data Model is surveyed, successively with the variable of the length of the payload, the fixed field of the payload and the payload Field is matched, and when there is any matching unsuccessful, judges data message exception.
Preferably, the Data Detection model is established in the following manner: receiving multiple sample communications data, multiple sample Each sample communications data in this communication data include the sample data message with payload;According to the sample data The multiple sample data message is divided at least one length model by the length of the payload of message;For it is described at least Each length model in one length model, is gathered according to the similarity of the payload of the multiple sample data message Class forms at least one set of payload clustered;Every group in payload clustered for at least one set gathers The variable field of the payload of class calculates and stores regular expression to generate the Data Detection model.
Preferably, it includes: to build that the similarity of the payload according to the multiple sample data message, which carries out cluster, A class cluster is found, one of payload of multiple payload is stored to such cluster, and the cluster sequence as such cluster Column;To operation below remaining each payload execution of the multiple payload to generate at least one class cluster, as The payload that at least one set is clustered: successively the cluster sequence with current each class cluster calculates similarity;It is effective at this When the similarity of load and any one class cluster is more than or equal to threshold value, which is stored to such cluster, and by effective load The longest common subsequence of the cluster sequence of lotus and such cluster replaces with the cluster sequence of such cluster;In the payload and currently When the similarity of the cluster sequence of each class cluster is respectively less than threshold value, new class cluster is established, and the payload is stored to this newly Class cluster, and the cluster sequence of the class cluster new as this.
Preferably, the similarity d between the payload and the cluster sequence is calculated by the following formula:
where L is the length of the payload or of the cluster sequence, and len(s) is the length of the longest common subsequence s of the payload and the cluster sequence.
Preferably, the similarity d to a cluster sequence may alternatively be computed from the distribution of relative frequencies with which all, or some, of the byte values occur in the payload, comparing the distributions by Euclidean distance or Mahalanobis distance.
Preferably, the processing module 2 is further configured to take the longest common subsequence of the payloads in each group of clustered payloads as the fixed field of that group.
Preferably, matching the length of the payload, the fixed field of the payload and the variable field of the payload in turn against at least one data detection model comprises: matching the length of the payload against the payload length of the at least one length model to find the matching length model; within the matching length model, matching the fixed field of the payload against the fixed field of each group of clustered payloads to find the matching group; and, for the matching group, matching the variable field of the payload against the stored regular expression.
Preferably, the processing module 2 is further configured to: receive as input the average number of false positives per first predetermined period; and monitor the data detection model so that, when the ratio of the number of false positives raised by the model within a second predetermined period to the number of messages in that second period is smaller than the ratio of the input average number of false positives per first period to the number of messages in the first period, establishment of the data detection model is deemed complete.
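The procedure described above, as an added example in Python that is not part of the patent or its applicants' code: payloads are partitioned by length, clustered by longest-common-subsequence (LCS) similarity with a threshold, the final cluster sequence is taken as the fixed field, a regular expression is learned for the variable bytes, and detection then checks length, fixed field and variable field in turn. Several points are assumptions because the page does not supply them: the similarity is taken as d = len(s) / L with L = max(len(payload), len(cluster sequence)), since the formula image itself is missing; the variable field is modelled per gap between fixed bytes as a byte class with a learned length range; `freq_distance` is one reading of the frequency-distribution alternative mentioned in the text; and all sample payloads are constructed, not captured traffic.

```python
# Added example (not the patent's own code). ASSUMPTIONS: similarity normalised by
# max(len(payload), len(cluster_seq)); variable field learned per gap as a byte class;
# the sample payloads below are constructed, not real traffic.
import re
from collections import defaultdict
from math import sqrt


def lcs(a: bytes, b: bytes) -> bytes:
    """Return one longest common subsequence of a and b (O(len(a)*len(b)) dynamic programming)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            dp[i + 1][j + 1] = dp[i][j] + 1 if a[i] == b[j] else max(dp[i][j + 1], dp[i + 1][j])
    out, i, j = bytearray(), n, m
    while i and j:  # walk the table backwards to recover one LCS
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1]); i -= 1; j -= 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return bytes(reversed(out))


def similarity(payload: bytes, cluster_seq: bytes) -> float:
    L = max(len(payload), len(cluster_seq))  # ASSUMPTION: normalising length L
    return len(lcs(payload, cluster_seq)) / L if L else 1.0


def freq_distance(a: bytes, b: bytes) -> float:
    """Alternative similarity from the text: Euclidean distance between relative byte-frequency distributions."""
    ha = [a.count(c) / len(a) for c in range(256)]
    hb = [b.count(c) / len(b) for c in range(256)]
    return sqrt(sum((x - y) ** 2 for x, y in zip(ha, hb)))


def is_subsequence(seq: bytes, payload: bytes) -> bool:
    it = iter(payload)
    return all(c in it for c in seq)


def cluster_payloads(payloads, threshold):
    """Single-pass clustering: join the first cluster whose sequence is similar enough and
    replace that sequence by its LCS with the payload; otherwise open a new cluster."""
    clusters = []  # each: {"seq": cluster sequence, "members": payloads in the cluster}
    for p in payloads:
        for cl in clusters:
            if similarity(p, cl["seq"]) >= threshold:
                cl["members"].append(p)
                cl["seq"] = lcs(p, cl["seq"])
                break
        else:
            clusters.append({"seq": p, "members": [p]})
    return clusters


def _esc(bs: bytes) -> bytes:
    return b"".join(b"\\x%02x" % c for c in bs)  # unambiguous \xhh escapes for a bytes regex


def build_regex(fixed: bytes, members):
    """Fixed bytes (the cluster's LCS) interleaved with one learned byte class per gap.
    Each member is aligned to the fixed field leftmost-greedily; the bytes between two
    fixed bytes form that gap's observed content."""
    gaps = defaultdict(list)
    for p in members:
        k, cur = 0, bytearray()
        for c in p:
            if k < len(fixed) and c == fixed[k]:
                gaps[k].append(bytes(cur)); cur = bytearray(); k += 1
            else:
                cur.append(c)
        gaps[len(fixed)].append(bytes(cur))  # trailing gap after the last fixed byte
    pat = b""
    for k in range(len(fixed) + 1):
        seen = gaps[k]
        lo, hi = min(map(len, seen)), max(map(len, seen))
        if hi:
            alphabet = bytes(sorted({c for g in seen for c in g}))
            pat += b"[" + _esc(alphabet) + b"]" + (b"{%d}" % lo if lo == hi else b"{%d,%d}" % (lo, hi))
        if k < len(fixed):
            pat += _esc(fixed[k:k + 1])
    return re.compile(pat)


def build_model(samples, threshold=0.7):
    """Partition by payload length, cluster inside each length model, then store the
    fixed field (LCS) and the variable-field regex of every cluster."""
    by_len = defaultdict(list)
    for p in samples:
        by_len[len(p)].append(p)
    return {L: [{"fixed": cl["seq"], "regex": build_regex(cl["seq"], cl["members"])}
                for cl in cluster_payloads(group, threshold)] for L, group in by_len.items()}


def detect(model, payload: bytes) -> str:
    """Length -> fixed field -> variable field; returns the first stage that fails, or 'normal'."""
    clusters = model.get(len(payload))
    if clusters is None:
        return "length"
    candidates = [c for c in clusters if is_subsequence(c["fixed"], payload)]
    if not candidates:
        return "fixed"
    return "normal" if any(c["regex"].fullmatch(payload) for c in candidates) else "variable"


def model_converged(fp_window, msgs_window, avg_fp_baseline, msgs_baseline) -> bool:
    """Training is finished once the false-positive ratio of the current window drops below the baseline ratio."""
    return fp_window / msgs_window < avg_fp_baseline / msgs_baseline


# Constructed sample traffic: two request shapes of length 8, each with a few varying bytes.
SAMPLES = [bytes([0x01, 0x03, 0x00, addr, 0x00, cnt, 0x55, 0xAA])
           for addr, cnt in [(0x10, 1), (0x10, 2), (0x11, 1), (0x11, 2), (0x12, 1)]]
SAMPLES += [bytes([0x01, 0x10, 0x00, 0x20, 0x00, 0x01, 0x02, v]) for v in (0x00, 0x01)]

if __name__ == "__main__":
    model = build_model(SAMPLES)
    for p in (bytes([0x01, 0x03, 0x00, 0x12, 0x00, 0x02, 0x55, 0xAA]),  # unseen combination, fits learned classes
              bytes([0x01, 0x03, 0x00, 0x10, 0x00, 0x01, 0x55]),        # wrong length
              bytes([0x01, 0x06, 0x00, 0x10, 0x00, 0x01, 0x55, 0xAA]),  # fixed field broken
              bytes([0x01, 0x03, 0x00, 0x10, 0x00, 0x7F, 0x55, 0xAA])): # unseen variable value
        print(p.hex(), "->", detect(model, p))
```

Two consequences worth noting: because the fixed field is a subsequence rather than a positional mask, a payload whose function byte changes fails at the fixed-field stage even if its length is right, while a payload that recombines individually seen byte values passes, so the false-positive criterion in `model_converged` is what decides when the learned classes have seen enough variation. The threshold 0.7 is chosen for these constructed samples; real protocols need it tuned per length model.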
The embodiments of the device correspond to the embodiments of the method described above and are not repeated here.
An embodiment of the invention further provides a machine-readable storage medium on which instructions are stored, the instructions causing a machine to carry out the method described above.
Through the above technical solution, communication data comprising data messages with a payload is first received; then, on the basis of at least one data detection model, the length of the payload, the fixed field of the payload and the variable field of the payload are matched in turn, and the data message is judged abnormal when any match fails. The data detection model of the invention does not rely on manual analysis of the industrial control protocol or on the prior definition of "signature words"; anomaly detection for the industrial control network is performed on the basis of the data detection model, so anomalies in the communication data can be detected in real time without analysing the network protocol in advance.
Optional embodiments of the invention have been described in detail above with reference to the drawings; however, the embodiments of the invention are not limited to the specific details of the above embodiments. Within the scope of the technical concept of the embodiments, various simple variants of the technical solution may be made, and these variants all fall within the protection scope of the embodiments of the invention.
It should further be noted that the specific technical features described in the above embodiments may be combined in any suitable manner where they do not conflict. To avoid unnecessary repetition, the possible combinations are not described separately.
Those skilled in the art will appreciate that all or part of the steps of the method of the above embodiments may be carried out by a program instructing the relevant hardware. The program is stored in a storage medium and comprises instructions that cause a single-chip microcomputer, a chip or a processor to execute all or part of the steps of the method of each embodiment of the application. The storage medium includes any medium capable of storing program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
Furthermore, the various embodiments of the invention may be combined in any manner that does not depart from the idea of the embodiments, and such combinations are likewise regarded as part of the disclosure of the embodiments of the invention.

Claims (10)

1. A communication data detection method for an industrial control system network, characterised in that the method comprises:
receiving communication data, the communication data comprising data messages with a payload;
on the basis of at least one data detection model, matching in turn the length of the payload, the fixed field of the payload and the variable field of the payload, and judging the data message abnormal when any of these matches fails.
2. The communication data detection method for an industrial control system network according to claim 1, characterised in that the data detection model is established as follows:
receiving multiple sample communication data, each of the multiple sample communication data comprising sample data messages with a payload;
dividing the multiple sample data messages into at least one length model according to the length of the payload of the sample data messages;
for each length model of the at least one length model, clustering according to the similarity of the payloads of the multiple sample data messages to form at least one group of clustered payloads;
for each group of clustered payloads of the at least one group, computing and storing a regular expression for the variable field of the payload so as to generate the data detection model.
3. The communication data detection method for an industrial control system network according to claim 2, characterised in that clustering according to the similarity of the payloads of the multiple sample data messages comprises:
establishing a cluster, storing one of the multiple payloads in the cluster and taking it as the cluster sequence of the cluster;
performing the following operations for each remaining payload of the multiple payloads so as to generate at least one cluster as the at least one group of clustered payloads:
computing the similarity with the cluster sequence of each existing cluster in turn;
when the similarity between the payload and any cluster is greater than or equal to a threshold, storing the payload in that cluster and replacing the cluster sequence of the cluster by the longest common subsequence of the payload and the cluster sequence;
when the similarity between the payload and the cluster sequences of all existing clusters is below the threshold, establishing a new cluster, storing the payload in the new cluster and taking it as the cluster sequence of the new cluster.
4. The communication data detection method for an industrial control system network according to claim 3, characterised in that the similarity d between the payload and the cluster sequence is calculated by the following formula:
where L is the length of the payload or of the cluster sequence, and len(s) is the length of the longest common subsequence s of the payload and the cluster sequence.
5. The communication data detection method for an industrial control system network according to claim 2 or 3, characterised in that the method further comprises:
taking the longest common subsequence of the payloads of each group of clustered payloads of the at least one group as the fixed field of that group of clustered payloads.
6. The communication data detection method for an industrial control system network according to claim 5, characterised in that matching in turn the length of the payload, the fixed field of the payload and the variable field of the payload on the basis of at least one data detection model comprises:
matching the length of the payload against the length of the payload of the at least one length model to find the matching length model;
within the matching length model, matching the fixed field of the payload against the fixed field of each group of clustered payloads to find the matching group of clustered payloads;
for the matching group of clustered payloads, matching the variable field of the payload against the regular expression.
7. The communication data detection method for an industrial control system network according to claim 2, characterised in that the method further comprises:
receiving as input an average number of false positives per first predetermined period;
monitoring the data detection model, and deeming establishment of the data detection model complete when the ratio of the number of false positives raised by the data detection model within a second predetermined period to the number of messages within the second predetermined period is smaller than the ratio of the average number of false positives per first predetermined period to the number of messages within the first predetermined period.
8. A communication data detection device for an industrial control system network, characterised in that the device comprises:
a receiving module and a processing module, wherein
the receiving module is configured to receive communication data, the communication data comprising data messages with a payload;
the processing module is configured to match in turn, on the basis of at least one data detection model, the length of the payload, the fixed field of the payload and the variable field of the payload, and to judge the data message abnormal when any of these matches fails.
9. The communication data detection device for an industrial control system network according to claim 8, characterised in that the data detection model is established as follows:
receiving multiple sample communication data, each of the multiple sample communication data comprising sample data messages with a payload;
dividing the multiple sample data messages into at least one length model according to the length of the payload of the sample data messages;
for each length model of the at least one length model, clustering according to the similarity of the payloads of the multiple sample data messages to form at least one group of clustered payloads;
for each group of clustered payloads of the at least one group, computing and storing a regular expression for the variable field of the payload so as to generate the data detection model.
10. A machine-readable storage medium, characterised in that instructions are stored on the machine-readable storage medium, the instructions causing a machine to execute the method according to any one of claims 1 to 7.
Publications (2)

Publication Number Publication Date
CN109660518A true CN109660518A (en) 2019-04-19
CN109660518B CN109660518B (en) 2020-12-18

Family

ID=66112151

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811399478.0A Active CN109660518B (en) 2018-11-22 2018-11-22 Communication data detection method and device of network and machine-readable storage medium

Country Status (1)

Country Link
CN (1) CN109660518B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110311925A (en) * 2019-07-30 2019-10-08 Baidu Online Network Technology (Beijing) Co., Ltd. Detection method and device, computer equipment and readable medium for DDoS reflection attacks
CN110912927A (en) * 2019-12-09 2020-03-24 Beijing NSFOCUS Information Security Technology Co., Ltd. Method and device for detecting control messages in an industrial control system
CN111800312A (en) * 2020-06-23 2020-10-20 Nuclear Power Institute of China Message content analysis-based industrial control system anomaly detection method and system
CN112272184A (en) * 2020-10-29 2021-01-26 Hangzhou DPtech Technologies Co., Ltd. Industrial flow detection method, device, equipment and medium
CN112910797A (en) * 2021-01-20 2021-06-04 Institute of Computing Technology, Chinese Academy of Sciences I2P flow identification method and system based on feature matching
CN115314252A (en) * 2022-07-06 2022-11-08 Beijing Shenzhou Huian Technology Co., Ltd. Protection method, system, terminal and storage medium applied to industrial firewall
CN116582363A (en) * 2023-07-12 2023-08-11 Jiangsu Zhengcai Data Technology Co., Ltd. Industrial protocol based detection method for transmission flow abnormal attack

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103078897A (en) * 2012-11-29 2013-05-01 Sun Yat-sen University System for implementing fine-grained classification and management of Web services
US20160012235A1 (en) * 2014-02-10 2016-01-14 Vivo Security Inc. Analysis and display of cybersecurity risks for enterprise data
US20160177304A1 (en) * 2014-12-18 2016-06-23 Integrated Dna Technologies, Inc. Crispr-based compositions and methods of use
CN106375295A (en) * 2016-08-30 2017-02-01 Sichuan Xinhuanjia Technology Development Co., Ltd. Data storage monitoring method
CN107612905A (en) * 2017-09-15 2018-01-19 Electric Power Research Institute of Guangxi Power Grid Co., Ltd. Malicious code monitoring method for the master station of an equipment-monitoring distributed system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ISTVÁN KISS et al.: "Data Clustering-based Anomaly Detection in Industrial Control Systems", 2014 IEEE 10th International Conference on Intelligent Computer Communication and Processing (ICCP) *
SHANG Wenli et al.: "Research and development survey of intrusion detection technology for industrial control systems", Application Research of Computers *

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: Room C202, floor 2, building 1, No. 12, Shangdi Information Road, Haidian District, Beijing 100085
Applicant after: Beijing Liufang cloud Information Technology Co., Ltd
Applicant after: BEIJING 6CLOUD TECHNOLOGY Co.,Ltd.
Address before: 100085 Beijing Haidian District Information Road No. 7 3 Floor 18-1-3017, 18-1-3018
Applicant before: BEIJING LIUFANG LING'AN NETWORK TECHNOLOGY Co.,Ltd.
Applicant before: BEIJING 6CLOUD TECHNOLOGY Co.,Ltd.
GR01 Patent grant