CN111695115B - Industrial control system network attack tracing method based on communication time delay and security evaluation - Google Patents


Info

Publication number: CN111695115B
Application number: CN202010451084.6A
Authority: CN (China)
Other versions: CN111695115A
Legal status: Active (granted)
Prior art keywords: attack, network, nodes, security, time delay
Inventors: 王宇, 李俊娥, 黄桂容
Assignee (original and current): Wuhan University (WHU)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
    • Y04 INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S 40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S 40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Abstract

The invention discloses an industrial control system network attack tracing method based on communication time delay and security assessment, comprising the following steps: S1, determining a potential attack source address list L; S2, sending a network state feedback request to all nodes in L; if a node's network connection is disconnected, or no feedback is received after the request has been sent a preset number of times, that node is judged to be the attack source, otherwise the method proceeds to S3; S3, sending a system running state information feedback request to all nodes in L; S4, carrying out a security assessment on the system running state information and taking the node with the lowest security degree as the attack source; S5, sending a system supervision log information feedback request to all nodes in L; S6, carrying out a security assessment on the system supervision log information and taking the node with the lowest security degree as the attack source; and S7, outputting the list of switches or routers directly connected to the nodes in L so that they can be checked for an illegally attached external terminal. The method achieves full coverage of the potential attack sources and locates the attack source accurately.

Description

Industrial control system network attack tracing method based on communication time delay and security evaluation
Technical Field
The invention belongs to the technical field of smart grid security, and in particular relates to an industrial control system network attack tracing method based on communication time delay and security assessment.
Background
Network attack tracing helps an electric power industrial control system adopt an appropriate defence strategy and block an attack at its source, so that the system is freed from the threat as far as possible. At present there is little research on tracing network attacks against power industrial control systems on the basis of communication delay and security assessment. Because real-time control services in a power industrial control system have stringent real-time requirements, and some of their communication protocols have no TCP/IP layer, attack tracing methods designed for conventional information networks cannot be applied.
Disclosure of Invention
The invention aims to provide an industrial control system network attack tracing method based on communication time delay and security assessment, which solves the problem of how to effectively trace a network attack on an electric power industrial control system in order to determine the attack source.
The technical scheme adopted for solving the technical problems is as follows:
an industrial control system network attack tracing method based on communication time delay and security assessment comprises the following steps:
S1, determining all potential attack sources and forming a potential attack source address list L from them, wherein the potential attack sources comprise the sender of the attack message, the senders of all messages with the same time delay characteristic as the attack message, and the terminals directly connected to the transmission equipment that captured the attack message;
S2, sending a network state feedback request to all nodes in L; if a node's network connection is disconnected, or no feedback is received after the request has been sent a preset number of times, that node is judged to be the attack source, otherwise proceeding to S3;
S3, sending a system running state information feedback request to all nodes in L;
S4, carrying out a security assessment on the system running state information to obtain a first-level security list; if there are nodes whose security degree is below a first preset threshold, taking the node with the lowest security degree as the attack source, otherwise proceeding to S5;
S5, sending a system supervision log information feedback request to all nodes in L;
S6, carrying out a security assessment on the system supervision log information to obtain a second-level security list; if there are terminal nodes whose security degree is below a second preset threshold, taking the node with the lowest security degree as the attack source, otherwise proceeding to S7;
and S7, outputting the list of switches or routers directly connected to the nodes in L so that they can be checked for an illegally attached external terminal.
Further, step S1 comprises:
S1.1, initialising the potential attack source address list L; when the attack message is not an Ethernet frame, proceeding to S1.3; when the attack message is an Ethernet frame without an IP header, adding the source MAC address of the attack message to L; when the message is an Ethernet frame with an IP header, adding the device MAC address corresponding to the source IP address to L;
S1.2, obtaining the MAC addresses of all non-transmission devices directly connected to the capture point and adding them to L;
S1.3, obtaining the time tag of the attack message and calculating the time delay information of the attack message; if there is no time tag, proceeding to S1.5;
S1.4, obtaining, from the time delay information, the MAC addresses of all nodes with the same time delay characteristic and taking them as a second attack source address list; if the second attack source address list is not empty, adding it to L and ending S1; if it is empty, proceeding to S1.5;
S1.5, updating L to the list of MAC addresses of all terminals in the same network as the attack capture point.
Further, the system running state information includes any one or more of: CPU utilisation, memory utilisation, swap partition utilisation, disk utilisation and process count.
Further, the system supervision log information comprises file addition/deletion records and/or detailed process information.
The beneficial effects of the invention are as follows:
the senders of messages with the same time delay characteristic as the attack message, and the terminals directly connected to the transmission equipment that captured the attack message, are treated as potential attack sources, so that full coverage of the potential attack sources is achieved and no source is missed. The attack source is then traced layer by layer according to the network connection state feedback, the system running state information feedback and the system supervision log information feedback, which allows it to be located accurately.
Drawings
The invention will be further described with reference to the accompanying drawings and embodiments, in which:
fig. 1 is a flowchart of the industrial control system network attack tracing method based on communication delay and security assessment provided by an embodiment of the invention;
fig. 2 is an application scenario diagram of the industrial control system network attack tracing method based on communication delay and security assessment provided by an embodiment of the invention;
fig. 3 is a flowchart of the industrial control system network attack tracing method based on communication delay and security assessment according to another embodiment of the invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a flowchart of the industrial control system network attack tracing method based on communication delay and security assessment provided by an embodiment of the invention. As shown in fig. 1, the embodiment provides a method comprising the following steps:
S1, determining all potential attack sources and forming a potential attack source address list L from them, wherein the potential attack sources comprise the sender of the attack message, the senders of all messages with the same time delay characteristic as the attack message, and the terminals directly connected to the transmission equipment that captured the attack message.
Fig. 2 is an application scenario diagram of the method provided by the embodiment of the invention, and shows a network attack that an embedded terminal of a power grid may suffer. First, the attacker implants malicious code on a device belonging to operation and maintenance personnel. Then, when the personnel connect that device to the substation control layer network for maintenance work, the device serves as a stepping stone: exploiting a vulnerability in an embedded terminal (a measurement and control terminal of the grid), the malicious code is implanted into that terminal. The malicious code can then tamper with the data field of GOOSE control messages transmitted on the network, tripping or closing circuit breakers controlled by other terminals in the same VLAN as the compromised terminal. Finally, by continuously tampering with control messages, the malicious program causes several circuit breakers to open and close repeatedly at the same time, continuously damaging the power grid.
An intrusion detection system (IDS) is a network security device that monitors network traffic in real time and raises an alert or reacts proactively when suspicious traffic is found. After the IDS detects the attack message it provides the related network attack information, from which the potential attack sources are determined. In this embodiment a dedicated server may be provided, or an existing server used, as the network attack tracing host that performs the method. Taking the delay characteristic of the attack message into account, messages with the same delay characteristic are also regarded as coming from potential attack sources in this embodiment. "The same delay characteristic" may be defined by a preset interval; for example, (0, 0.2 ms) is one interval, and all delays falling in it are treated as the same characteristic.
S2, sending a network state feedback request to all nodes in L; if a node's network connection is disconnected, or no feedback is received after the request has been sent a preset number of times, that node is judged to be the attack source, otherwise the method proceeds to S3.
All suspicious nodes in the list L are notified to feed back their current network connection status to the network attack tracing host. If the tracing host has not received the network connection status of some suspicious node within t_MAX, it sends the notification command to that node again; if the status has still not been received after a preset number of attempts (for example three), the position of that suspicious node is judged to be the position of the attack source. In this case the attacking device is an illegal terminal, so the MAC address and port number of the transmission equipment the node is attached to are output as the position of the attack source according to the preset network topology diagram, and the network attack tracing ends. Likewise, if some suspicious node reports that its connection to the network in which the IDS attack capture point is located is disconnected, the position of that node is judged to be the position of the attack source; the attacking device is an illegal terminal, the MAC address and port number of the transmission equipment the node is attached to are output as the position of the attack source, and the tracing ends. If the tracing host receives the network connection status of all suspicious nodes and all of them are normal, the method proceeds to S3.
S3, sending a system running state information feedback request to all nodes in L.
All suspicious nodes in the list L are notified to feed back their system running state information to the network attack tracing host.
As an alternative embodiment, the system running state information includes any one or more of: CPU utilisation, memory utilisation, swap partition utilisation, disk utilisation and process count.
For example, the system running state information may include all of these at once: CPU utilisation, memory utilisation, swap partition utilisation, disk utilisation and process count.
S4, carrying out a security assessment on the system running state information to obtain a first-level security list; if there are nodes whose security degree is below a first preset threshold, taking the node with the lowest security degree as the attack source, otherwise proceeding to S5.
The network attack tracing host performs a first-level security assessment on the system running state information of all suspicious nodes. The assessment is realised with an existing method; a support vector machine may be chosen as the assessment algorithm. The result is a first-level security list L_x1. It is then judged whether any node has a first-level security degree below the threshold X_1 (the first preset threshold), whose default value is 0.3. If so, the node with the lowest security degree is taken as the attack source; in this case the attacking device is a legal terminal, the MAC address of the node is output, and the MAC address and port number of the transmission equipment the node is attached to are output as the position of the attack source according to the preset network topology diagram, ending the network attack tracing. If not, the method proceeds to S5.
S5, sending a system supervision log information feedback request to all nodes in L.
All suspicious nodes in the list L are notified to feed back their current system supervision log information to the network attack tracing host.
As an alternative embodiment, the system supervision log information comprises file addition/deletion records and/or detailed process information. For example, it may comprise both at once: addition/deletion records of important files and detailed process information.
S6, carrying out a security assessment on the system supervision log information to obtain a second-level security list L_x2; if there are terminal nodes whose security degree is below a second preset threshold, taking the node with the lowest security degree as the attack source, otherwise proceeding to S7.
The network attack tracing host performs a second-level security assessment on the supervision log information of all suspicious nodes; a support vector machine may again be chosen as the assessment algorithm. The result is a second-level security list L_x2. It is then judged whether any node has a second-level security degree below the threshold X_2, whose default value is 0.5. If so, the node with the lowest security degree is taken as the attack source; in this case the attacking device is a legal terminal, the MAC address of the node is output, and the MAC address and port number of the transmission equipment the node is attached to are output as the position of the attack source according to the preset network topology diagram, ending the network attack tracing. If not, the method proceeds to S7; in that case the attacking device is an illegal terminal.
And S7, outputting the list of switches or routers directly connected to the nodes in L so that they can be checked for an illegally attached external terminal.
Based on the potential attack source address list L and the preset network topology diagram, the list L_DTE of the switches or routers directly connected to the nodes in L is output, and the administrator is notified to check whether an illegal terminal is attached to any of these switches or routers; the network attack tracing then ends.
In the industrial control system network attack tracing method based on communication time delay and security assessment provided by the embodiment of the invention, the senders of messages with the same time delay characteristic as the attack message, and the terminals directly connected to the transmission equipment that captured the attack message, are treated as potential attack sources, so that full coverage of the potential attack sources is achieved and no source is missed. The attack source is then traced layer by layer according to the network connection state feedback, the system running state information feedback and the system supervision log information feedback, which allows it to be located accurately.
Based on the above embodiment, as an alternative embodiment, fig. 3 is a flowchart of the industrial control system network attack tracing method based on communication delay and security assessment according to another embodiment of the invention. As shown in fig. 3, this embodiment is essentially the same as the one above except for step S1, which comprises:
S1.1, initialising the potential attack source address list L; when the attack message is not an Ethernet frame, proceeding to S1.3; when the attack message is an Ethernet frame without an IP header, adding the source MAC address of the attack message to L; and when the message is an Ethernet frame with an IP header, adding the device MAC address corresponding to the source IP address to L.
The potential attack source address list is initialised as L = {MAC_source}. If the attack message is not an Ethernet frame, MAC_source is set to empty and the method proceeds to S1.3. If the message is an Ethernet frame without an IP header, it is checked whether the source MAC address in the attack message is the broadcast MAC; if so, MAC_source is set to empty, otherwise MAC_source is the source MAC address of the attack message. If the message is an Ethernet frame with an IP header, the source IP address is read from the IP header; if it is a broadcast address, MAC_source is set to empty, otherwise the device MAC address corresponding to that IP address is obtained from the preset network topology diagram and used as MAC_source.
S1.2, obtaining the MAC addresses of all non-transmission devices directly connected to the capture point and adding them to L.
Using the MAC address MAC_capture of the attack capture point provided by the intrusion detection system, the MAC addresses of all non-transmission devices directly connected to the transmission equipment MAC_capture are obtained from the preset network topology diagram, and all of them are added to the potential attack source list L. Transmission equipment means equipment that forwards messages on the communication network; non-transmission equipment means equipment that communicates over the network, that is, data terminal equipment.
S1.3, obtaining the time tag of the attack message and calculating its time delay information; if there is no time tag, proceeding to S1.5.
The UTC time tag t_UTC carried in the attack message is read. If the attack message has no time tag field, the method proceeds to S1.5; otherwise, using the capture time t_current provided by the IDS, with both t_UTC and t_current in milliseconds, the time delay is calculated as t_delay = t_current - t_UTC.
S1.4, obtaining, from the time delay information, the MAC addresses of all nodes with the same time delay characteristic and taking them as a second attack source address list; if the second attack source address list is not empty, adding it to L and ending S1; if it is empty, proceeding to S1.5.
The message length, MAC_capture, t_UTC and t_delay are input to a communication delay model, which returns the list L_delay of the MAC addresses of all nodes whose delay characteristic matches. The communication delay model can be built in advance from the mapping between communication delay ranges (delay characteristics) and node MAC addresses. In a power industrial control system the communication delay of a given device is relatively stable at the same time of day when no fault is present (because most services are periodic), so the nodes whose transmitted messages have the same delay characteristic as the attack message can be obtained from the delay of the attack message; these nodes are potential attack nodes, and their MAC addresses form the second attack source address list. Because the measured delay has some error, the invention maps delay ranges rather than exact delay values to MAC addresses, which improves robustness. If L_delay is not empty, its elements are added to L, i.e. L = {L, L_delay}, S1 ends and the method proceeds to S2; otherwise the method proceeds to S1.5.
S1.5, updating L to the list of MAC addresses of all terminals in the same network as the attack capture point.
L is updated to the list of MAC addresses of all terminals in the same network as the attack capture point provided by the IDS, according to the preset network topology diagram. Because some networks of an electric power industrial control system are physically isolated, terminals in different physically isolated networks cannot communicate with each other. Two terminals are considered to be in the same network when they can communicate and are not physically isolated from each other.
Based on the above embodiments, a specific example is described below:
The relevant information about the network attack is obtained from the intrusion detection system: the attack message PG_3, the MAC address MAC_1 of the attack capture point, and the message capture time UTC_cap1.
The communication delay of the attack message is calculated to be 0.1225 ms; since delay precision is only to the millisecond in practice, the delay is recorded as 0 ms.
Using a statistics-based communication delay model, the list of all possible attack sources is obtained as L_attack = {MAC_24, MAC_26, MAC_28, MAC_30, MAC_32, MAC_34, MAC_35, MAC_36, MAC_37, MAC_38}.
The current network connection status of all terminals in L_attack is obtained and found to be normal.
The system running state information of all terminals in L_attack is obtained, comprising CPU utilisation, memory utilisation, swap partition utilisation, disk utilisation and process count.
A first-level security assessment of the running state information of all terminals in L_attack yields the first-level security list L_x1 = {0.7881, 0.7683, 0.8233, 0.7374, 0.8411, 0.0055, 0.7833, 0.4543, 0.7946, 0.6914}. A terminal whose first-level security degree is below the threshold X_1 (default 0.3) exists, and the terminal with the lowest security degree is the attack source, so the attacking device is a legal terminal. Its MAC address MAC_34 is output, and according to the preset network topology diagram the MAC address MAC_18 of the transmission equipment to which the terminal is attached and port number 2 are output as the network coordinates of the attack source. The network attack tracing ends.
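The following is an added example, not code from the patent: it runs the layered tracing of steps S2 to S7 described in the embodiment over the figures of the worked example just given. The ten node identifiers, the first-level security list L_x1, the default thresholds 0.3 and 0.5, and the result "MAC34 on switch MAC18 port 2" come from the page; the network state feedback, the switch and port of every other node and the second-level scores are constructed assumptions. The security degrees are taken as already produced by the assessment model (the patent suggests a support vector machine), so no classifier is trained here.

```python
"""Added example, not code from the patent: steps S2 to S7 of the tracing
method, run over the patent's worked example.  Node feedback, most of the
topology and the second-level scores are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional

X1_DEFAULT = 0.3    # first-level threshold on running-state security (patent default)
X2_DEFAULT = 0.5    # second-level threshold on supervision-log security (patent default)
MAX_REQUESTS = 3    # network-state requests before a silent node is ruled the source


@dataclass
class TraceResult:
    step: str                  # step at which tracing ended: S2, S4, S6 or S7
    device: str                # "illegal terminal" or "legal terminal"
    attack_mac: Optional[str]  # MAC of the attacking node when it is a legal terminal
    location: object           # (switch MAC, port), or for S7 the switches to inspect


def network_state_ok(mac, feedback):
    """S2 for one node. feedback[mac] lists the reply to each request attempt:
    'ok', 'disconnected', or None when nothing arrived within t_MAX."""
    replies = feedback.get(mac, [])
    for attempt in range(MAX_REQUESTS):
        reply = replies[attempt] if attempt < len(replies) else None
        if reply == "ok":
            return True
        if reply == "disconnected":
            return False
    return False   # MAX_REQUESTS sent, never answered


def lowest(scores, L):
    """Node in L with the smallest security degree, and that degree."""
    mac = min(L, key=lambda m: scores[m])
    return mac, scores[mac]


def trace(L, switch_of, net_feedback, state_scores, log_scores,
          x1=X1_DEFAULT, x2=X2_DEFAULT):
    """Steps S2 to S7. switch_of maps a terminal MAC to (switch MAC, port);
    state_scores and log_scores hold each node's first- and second-level
    security degree as returned by the assessment model."""
    # S2: a node that is disconnected or never answers is the attack source
    for mac in L:
        if not network_state_ok(mac, net_feedback):
            return TraceResult("S2", "illegal terminal", None, switch_of[mac])
    # S3/S4: first-level assessment on system running state
    mac, score = lowest(state_scores, L)
    if score < x1:
        return TraceResult("S4", "legal terminal", mac, switch_of[mac])
    # S5/S6: second-level assessment on supervision logs
    mac, score = lowest(log_scores, L)
    if score < x2:
        return TraceResult("S6", "legal terminal", mac, switch_of[mac])
    # S7: every switch the suspicious nodes hang off, for the administrator to inspect
    return TraceResult("S7", "illegal terminal", None,
                       sorted({switch_of[m][0] for m in L}))


# Figures from the patent's example; the topology beyond MAC34 -> (MAC18, 2) is assumed
L_ATTACK = ["MAC24", "MAC26", "MAC28", "MAC30", "MAC32",
            "MAC34", "MAC35", "MAC36", "MAC37", "MAC38"]
L_X1 = dict(zip(L_ATTACK, [0.7881, 0.7683, 0.8233, 0.7374, 0.8411,
                           0.0055, 0.7833, 0.4543, 0.7946, 0.6914]))
SWITCH_OF = {"MAC24": ("MAC18", 1), "MAC34": ("MAC18", 2), "MAC26": ("MAC18", 3),
             "MAC28": ("MAC18", 4), "MAC30": ("MAC18", 5), "MAC32": ("MAC18", 6),
             "MAC35": ("MAC19", 1), "MAC36": ("MAC19", 2), "MAC37": ("MAC19", 3),
             "MAC38": ("MAC19", 4)}
ALL_OK = {m: ["ok"] for m in L_ATTACK}   # constructed: every node answers at once
HIGH = {m: 0.9 for m in L_ATTACK}        # constructed placeholder second-level scores


def patent_example():
    """Reproduces the walk-through: MAC34 at 0.0055 < X_1 is the attack source."""
    return trace(L_ATTACK, SWITCH_OF, ALL_OK, L_X1, HIGH)


if __name__ == "__main__":
    print(patent_example())
```

Note that the order of the layers matters: a node that stays silent through all three requests is reported at S2 as an illegal terminal at its switch port before any security score is looked at, even if another node's score would have failed the S4 threshold. Only when every node answers and nothing falls below X_1 or X_2 does the method hand the administrator the list of switches to inspect at S7.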
The invention has been described with reference to a few embodiments. However, as is well known to those skilled in the art, other embodiments than the above disclosed invention are equally possible within the scope of the invention, as defined by the appended patent claims.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above embodiments are only for illustrating the technical aspects of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the above embodiments, it should be understood by those of ordinary skill in the art that: modifications and equivalents may be made to the specific embodiments of the invention without departing from the spirit and scope of the invention, which is intended to be covered by the claims.

Claims (4)

1. The industrial control system network attack tracing method based on communication time delay and security assessment, characterized by comprising the following steps:
S1, determining all potential attack sources and building a potential attack source address list L from them, wherein the potential attack sources comprise the attack message, all messages with the same time delay characteristic as the attack message, and the terminals directly connected to the transmission equipment that captured the attack message;
S2, sending a network state feedback request to all nodes in L; if a node's network connection is disconnected or no feedback is received after the preset number of requests, judging that node to be the attack source; otherwise, going to S3;
S3, sending a system running state information feedback request to all nodes in L;
S4, carrying out a security assessment on the system running state information to obtain a first-level security list; if nodes with security lower than a first preset threshold exist, taking the node with the lowest security as the attack source; otherwise, going to S5;
S5, sending a system supervision log information feedback request to all nodes in L;
S6, carrying out a security assessment on the system supervision log information to obtain a second-level security list; if a terminal node with security lower than a second preset threshold exists, taking the node with the lowest security as the attack source; otherwise, going to S7;
S7, outputting the list of switch or router information for the transmission devices directly connected to the nodes in L, for checking for an illegal external terminal.
2. The industrial control system network attack tracing method based on communication time delay and security assessment according to claim 1, wherein step S1 comprises:
S1.1, initializing the potential attack source address list L; when the attack message is not an Ethernet frame, going to S1.3; when the attack message is an Ethernet frame without an IP header, adding the source MAC address of the attack message to L; when the attack message is an Ethernet frame with an IP header, adding the MAC address of the device corresponding to the source IP address to L;
S1.2, acquiring the MAC addresses of all non-transmission devices directly connected to the capture point and adding them to L;
S1.3, obtaining the time label of the attack message and calculating its time delay information; if no time label is available, going to S1.5;
S1.4, acquiring the MAC addresses of all nodes with the same time delay characteristic according to the time delay information and taking them as a second attack source address list; if the second attack source address list is not empty, adding it to L and ending S1; if it is empty, going to S1.5;
S1.5, replacing L with the list of terminal MAC addresses of all terminals in the same network as the attack capture point.
3. The industrial control system network attack tracing method based on communication time delay and security assessment according to claim 1, wherein the system running state information comprises any one or more of: CPU utilization, memory utilization, swap partition utilization, disk utilization and process count.
4. The industrial control system network attack tracing method based on communication time delay and security assessment according to claim 1, wherein the system supervision log information comprises file addition and deletion records and/or detailed process information.
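As an added illustration (not code from the patent), a Python model of the procedure in claims 1 and 2: S1 builds the candidate list L from the attack message, and S2 to S7 narrow it to a single source or to the transmission devices that should be inspected. The node records, MAC and IP values, security scores, thresholds and the probe callback are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Node:
    """Constructed per-terminal record consumed by S2-S7 (assumed shape, not the patent's)."""
    mac: str
    state_score: float = 1.0        # S4: security score from running-state information
    log_score: float = 1.0          # S6: security score from supervision log information
    uplink: str = "switch-unknown"  # S7: transmission device the terminal is wired to

def build_candidate_list(msg, ip_to_mac, local_macs, delay_peers, all_macs):
    """S1: assemble the potential attack source address list L.
    msg keys (assumed): ethernet, has_ip, src_mac, src_ip, has_timestamp."""
    L = []
    if msg["ethernet"]:                                    # S1.1
        mac = ip_to_mac.get(msg["src_ip"]) if msg["has_ip"] else msg["src_mac"]
        if mac:                                            # an unresolvable source IP adds nothing
            L.append(mac)
        L.extend(m for m in local_macs if m not in L)      # S1.2: terminals on the capture point
    if msg["has_timestamp"] and delay_peers:               # S1.3/S1.4: same time-delay feature
        L.extend(m for m in delay_peers if m not in L)
        return L
    return list(all_macs)                                  # S1.5: fall back to the whole network

def trace(L, nodes, probe, t1=0.5, t2=0.5, retries=3):
    """S2-S7: return ("source", mac) or ("check_uplinks", [device, ...])."""
    cands = [nodes[m] for m in L if m in nodes]
    for n in cands:                                        # S2: network state feedback request
        if not any(probe(n) for _ in range(retries)):      # disconnected or silent after retries
            return ("source", n.mac)
    if cands:
        weakest = min(cands, key=lambda n: n.state_score)  # S3/S4: first-level security list
        if weakest.state_score < t1:
            return ("source", weakest.mac)
        weakest = min(cands, key=lambda n: n.log_score)    # S5/S6: second-level security list
        if weakest.log_score < t2:
            return ("source", weakest.mac)
    return ("check_uplinks", sorted({n.uplink for n in cands}))  # S7: inspect for a rogue terminal

# Constructed sample network: three terminals behind two switches.
NODES = {
    "aa:aa:aa:aa:aa:01": Node("aa:aa:aa:aa:aa:01", uplink="switch-1"),
    "aa:aa:aa:aa:aa:02": Node("aa:aa:aa:aa:aa:02", state_score=0.3, uplink="switch-1"),
    "aa:aa:aa:aa:aa:03": Node("aa:aa:aa:aa:aa:03", log_score=0.2, uplink="switch-2"),
}
IP_TO_MAC = {"10.0.0.2": "aa:aa:aa:aa:aa:02"}  # constructed ARP/inventory mapping
ATTACK_MSG = {"ethernet": True, "has_ip": True, "src_mac": "aa:aa:aa:aa:aa:02",
              "src_ip": "10.0.0.2", "has_timestamp": True}
```

The probe callback stands in for the S2 feedback request; a node that never answers within the retry budget is reported before any scoring takes place.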

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010451084.6A CN111695115B (en) 2020-05-25 2020-05-25 Industrial control system network attack tracing method based on communication time delay and security evaluation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010451084.6A CN111695115B (en) 2020-05-25 2020-05-25 Industrial control system network attack tracing method based on communication time delay and security evaluation

Publications (2)

Publication Number Publication Date
CN111695115A CN111695115A (en) 2020-09-22
CN111695115B true CN111695115B (en) 2023-05-05

Family

ID=72478142

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010451084.6A Active CN111695115B (en) 2020-05-25 2020-05-25 Industrial control system network attack tracing method based on communication time delay and security evaluation

Country Status (1)

Country Link
CN (1) CN111695115B (en)


Also Published As

Publication number Publication date
CN111695115A (en) 2020-09-22


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant