CN113259160A - Point location information early warning method and device for industrial control network and electronic device - Google Patents

Publication number
CN113259160A
Authority
CN
China
Prior art keywords
information
point location
service
industrial control
service information
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110510015.2A
Other languages
Chinese (zh)
Inventor
王东海
叶峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Anheng Information Security Technology Co Ltd
Original Assignee
Hangzhou Anheng Information Security Technology Co Ltd
Application filed by Hangzhou Anheng Information Security Technology Co Ltd filed Critical Hangzhou Anheng Information Security Technology Co Ltd
Priority to CN202110510015.2A priority Critical patent/CN113259160A/en
Publication of CN113259160A publication Critical patent/CN113259160A/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Mining & Analysis (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a point location information early warning method and device for an industrial control network, an electronic device and a storage medium. The method comprises: acquiring parameter information transmitted by a lower computer corresponding to a point location to be detected in an industrial control network; converting the parameter information into service information according to a preset point location information configuration table, wherein the point location information configuration table at least comprises a mapping relation between the parameter information corresponding to the point location to be detected and the service information, and a service information threshold range corresponding to the point location to be detected; and sending threshold alarm information when the service information does not fall within the service information threshold range, wherein the threshold alarm information comprises the service information. The method and device solve the problem in the related art that an auditing system cannot quickly judge whether the current service information has triggered a threshold alarm, which lowers the security of the industrial control network, and thereby improve the security of the industrial control network.

Description

Point location information early warning method and device for industrial control network and electronic device
Technical Field
The present application relates to the field of industrial control network security technologies, and in particular, to a point location information early warning method and apparatus for an industrial control network, an electronic apparatus, and a storage medium.
Background
With the continuous development of network information technology and the development mode of enterprises pursuing opening and fusion, key infrastructures represented by industrial control systems increasingly adopt general protocols of the internet and perform data exchange and operation management through the internet, so that more and more industrial control systems are connected with the internet.
Because an industrial control system must maintain continuous and reliable operation, a large number of its vulnerabilities remain unpatched, so industrial control equipment exposed to the public network is easily attacked and exploited by hackers, which can even damage an enterprise's production and operation. How to monitor the security of industrial control systems has therefore become a research hotspot in the industry.
At present, security monitoring of an industrial control system is usually performed by an industrial control network security monitoring and auditing system, which generally supports industrial control protocols such as Modbus and S7. However, the auditing system usually displays only the raw parameter values output by the industrial control equipment in the network, and from those raw values a user cannot intuitively tell whether the service information at a given point location has changed. For example, in a temperature control system, the auditing system shows only the parameter values output by a device's lower computer; the change in the current temperature cannot be read off directly, and whether the current temperature has reached a threshold cannot be judged quickly, which reduces the security of the industrial control network.
No effective solution has yet been proposed for the problem in the related art that the auditing system cannot quickly judge whether the current service information has triggered a threshold alarm, which lowers the security of the industrial control network.
Disclosure of Invention
The embodiments of the application provide a point location information early warning method and device for an industrial control network, an electronic device and a storage medium, which aim to solve at least the problem in the related art that an auditing system cannot quickly judge whether the current service information has triggered a threshold alarm, which lowers the security of the industrial control network.
In a first aspect, an embodiment of the present application provides a point location information early warning method for an industrial control network, including: acquiring parameter information transmitted by a lower computer corresponding to a point to be detected in an industrial control network; converting the parameter information into service information according to a preset point location information configuration table, wherein the point location information configuration table at least comprises a mapping relation between the parameter information corresponding to the point location to be detected and the service information, and a service information threshold range corresponding to the point location to be detected; and sending threshold value warning information under the condition that the service information does not fall into the threshold value range of the service information, wherein the threshold value warning information comprises the service information.
In some embodiments, before obtaining parameter information transmitted by a lower computer corresponding to a point to be detected in an industrial control network, the method further includes: acquiring point location identification information of each point location in the industrial control network, wherein the point location identification information includes at least one of the following: setting bit number, equipment IP, point location address, address name, industrial control protocol, transport layer protocol and data type; acquiring a parameter information threshold range transmitted by a lower computer corresponding to each point location in the industrial control network and a mapping relation between the parameter information corresponding to each point location and service information; calculating to obtain a service information threshold range corresponding to each point location according to the mapping relation between the parameter information and the service information corresponding to each point location and the parameter information threshold range transmitted by the lower computer corresponding to each point location; and determining that the point location information configuration table comprises the mapping relation between the point location identification information of each point location and the parameter information and the service information corresponding to each point location, and the service information threshold range corresponding to each point location.
In some embodiments, the obtaining parameter information transmitted by a lower computer corresponding to a point to be detected in an industrial control network includes: acquiring an initial data packet passing through the switch in an industrial control network; performing port filtering on the initial data packet to obtain a data packet to be detected which passes through the switch; and carrying out industrial control protocol identification and analysis on the data packet to be detected to obtain parameter information transmitted by a lower computer corresponding to the point to be detected in the data packet to be detected.
In some embodiments, acquiring the initial data packet passing through the switch in the industrial control network includes: mirroring in real time, through a mirror port of the switch, the initial data packet passing through the switch, and sending it to a bypass audit system deployed at the switch layer; and acquiring the initial data packet passing through the switch in the industrial control network through an audit probe in the audit system.
In some of these embodiments, the parameter information includes a plurality of parameter values within a preset time period; converting the parameter information into service information according to a preset point location information configuration table includes: converting the plurality of parameter values within the preset time period into a plurality of service values within the preset time period according to the preset point location information configuration table; and determining that the service information includes the plurality of service values within the preset time period.
In some embodiments, sending threshold alarm information when the service information does not fall within the service information threshold range includes: judging, for each service value in the service information, whether it falls within the service information threshold range; when at least one service value in the service information does not fall within the service information threshold range, determining all the service values that do not fall within the service information threshold range as alarm values, and sending the threshold alarm information, wherein the threshold alarm information comprises the alarm values; and when all the service values in the service information fall within the service information threshold range, extracting from the plurality of service values the service minimum value and the service maximum value within the preset time period, and determining that the service information comprises the service minimum value and the service maximum value.
In some of these embodiments, the method further comprises: under the condition that at least one service value in the service information does not fall into the service information threshold range, displaying an alarm value in the service information on a preset display page; and under the condition that all the service values in the service information fall into the service information threshold range, displaying the service minimum value and the service maximum value in the service information within a preset time period on a preset display page, and storing the service information.
In a second aspect, an embodiment of the present application provides a point location information early warning apparatus for an industrial control network, including: the acquisition module is used for acquiring parameter information transmitted by a lower computer corresponding to the point to be detected in the industrial control network; the conversion module is used for converting the parameter information into service information according to a preset point location information configuration table, wherein the point location information configuration table at least comprises a mapping relation between the parameter information corresponding to the point location to be detected and the service information and a service information threshold range corresponding to the point location to be detected; and the alarm module is used for sending threshold alarm information under the condition that the service information does not fall into the threshold range of the service information, wherein the threshold alarm information comprises the service information.
In a third aspect, an embodiment of the present application further provides an electronic apparatus, which includes a memory and a processor, where the memory stores a computer program, and the processor is configured to run the computer program to execute the point location information early warning method for an industrial control network according to the first aspect.
In a fourth aspect, an embodiment of the present application further provides a storage medium, where a computer program is stored in the storage medium, where the computer program is configured to execute the point location information early warning method for an industrial control network according to the first aspect when running.
Compared with the related art, in the point location information early warning method and device for an industrial control network, the electronic device and the storage medium provided by the embodiments of the application, parameter information transmitted by a lower computer corresponding to a point location to be detected in the industrial control network is acquired; the parameter information is converted into service information according to a preset point location information configuration table, which at least comprises a mapping relation between the parameter information and the service information corresponding to the point location to be detected and a service information threshold range corresponding to the point location to be detected; and threshold alarm information is sent when the service information does not fall within the service information threshold range. This solves the problem in the related art that an auditing system cannot quickly judge whether the current service information has triggered a threshold alarm, which lowers the security of the industrial control network, and achieves the technical effect of improving the security of the industrial control network.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below to provide a more thorough understanding of the application.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a flowchart of a point location information early warning method of an industrial control network according to an embodiment of the present application;
Fig. 2 is a block diagram of an industrial control network environment according to an embodiment of the present application;
Fig. 3 is a block diagram of a point location information early warning device of an industrial control network according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. References to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The terms "including," "comprising," "having," and any variations thereof, as used in this application, are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. References to "connected," "coupled," and the like in this application are not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means greater than or equal to two. "And/or" describes an association relationship of associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, and B exists alone. The terms "first," "second," "third," and the like herein merely distinguish similar objects and do not denote a particular ordering for the objects.
The embodiment provides a point location information early warning method for an industrial control network, and fig. 1 is a flowchart of the point location information early warning method for the industrial control network according to the embodiment of the present application, and as shown in fig. 1, the method includes:
Step S101, acquiring parameter information transmitted by a lower computer corresponding to the point to be detected in the industrial control network.
Step S102, converting the parameter information into service information according to a preset point location information configuration table, wherein the point location information configuration table at least comprises a mapping relation between the parameter information corresponding to the point location to be detected and the service information, and a service information threshold range corresponding to the point location to be detected.
Step S103, sending threshold value warning information under the condition that the service information does not fall into the threshold value range of the service information, wherein the threshold value warning information comprises the service information.
In this embodiment, according to a mapping relationship between parameter information corresponding to a point location to be detected and service information in a preset point location information configuration table, the parameter information transmitted by a lower computer corresponding to the point location to be detected in an industrial control network is converted into the service information, and whether the service information falls into a service information threshold range or not is judged.
In some embodiments, before obtaining parameter information transmitted by a lower computer corresponding to a point to be detected in an industrial control network, the method further includes: acquiring point location identification information of each point location in an industrial control network, wherein the point location identification information comprises at least one of the following: setting bit number, equipment IP, point location address, address name, industrial control protocol, transport layer protocol and data type; acquiring a parameter information threshold range transmitted by a lower computer corresponding to each point location in an industrial control network and a mapping relation between the parameter information corresponding to each point location and service information; calculating to obtain a service information threshold range corresponding to each point location according to the mapping relation between the parameter information and the service information corresponding to each point location and the parameter information threshold range transmitted by the lower computer corresponding to each point location; and determining a point location information configuration table comprising the point location identification information of each point location, the mapping relation between the parameter information and the service information corresponding to each point location, and the service information threshold range corresponding to each point location.
TABLE 1
[Table 1 is an image in the original publication and is not reproduced here.]
Table 1 shows the information for one industrial control device in the preset point location information configuration table. In the example in Table 1, the industrial control device uses the Modbus industrial control protocol, the transport layer protocol is the Transmission Control Protocol (TCP), and the IP address of the industrial control device is 192.168.110.138. The area bit number and the lower computer address of the industrial control device are TT_307 and %MW2695, respectively, and the point location address of the lower computer is 42695, a holding register address read with function code 3. The data type of the parameter value output by this point location is INT, a signed integer.
Information such as the bit number, device IP, point location address, address name, industrial control protocol, transport layer protocol and data type identifies the point location on the industrial control device, so that the parameter information transmitted by the lower computer corresponding to the point location to be detected can subsequently be acquired and converted into service information according to the preset point location information configuration table.
In the value range mapping, the transmission value is the parameter information output by the lower computer corresponding to the industrial control device, and the mapped value is the service information corresponding to the industrial control device. For example, where the industrial control device is a temperature control device, 200 to 500 is the threshold range of the parameter values output by its lower computer. According to the preset mapping relation between parameter information and service information for the device, a linear mapping with upper and lower limits, 200 to 500 is converted into 10 to 20, which is the service information threshold range of the device; that is, 10 ℃ to 20 ℃ is the service information threshold range of the temperature control device.
When the output value of the temperature control device is less than 10 ℃ or more than 20 ℃, threshold alarm information is sent. With this embodiment, changes in the service information (such as temperature or humidity) can be seen directly. This avoids the reduction in industrial control network security caused in the related art by an auditing system that cannot directly reflect changes in service information, solves the problem that the auditing system in the related art cannot quickly judge whether the current service information has triggered a threshold alarm, which lowers the security of the industrial control network, and achieves the technical effect of improving the security of the industrial control network.
Fig. 2 is a block diagram of an industrial control network environment according to an embodiment of the present application, and as shown in fig. 2, in some embodiments, the industrial control network environment includes an equipment layer, a control layer, a monitoring layer, a management layer (not shown in the figure), and the like.
In this embodiment, the obtaining of the parameter information transmitted by the lower computer corresponding to the point location to be detected in the industrial control network may include the following steps:
Step 1, acquiring an initial data packet passing through a switch in an industrial control network.
Step 2, carrying out port filtering on the initial data packet to obtain the data packet to be detected passing through the switch.
Step 3, carrying out industrial control protocol identification and analysis on the data packet to be detected to obtain parameter information transmitted by a lower computer corresponding to the point to be detected in the data packet to be detected.
In this embodiment, after the initial data packets passing through the switch in the industrial control network are obtained, port filtering is performed: data packets sent by ports that are not on the whitelist are deleted, yielding safe data packets to be detected and ensuring the security of the industrial control network.
In some embodiments, acquiring the initial data packet passing through the switch in the industrial control network includes: mirroring in real time, through a mirror port of the switch, the initial data packet passing through the switch, and sending it to a bypass audit system deployed at the switch layer; and acquiring the initial data packet passing through the switch in the industrial control network through an audit probe in the audit system.
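Steps 1 to 3 above, sketched as an added example that is not part of the patent: it filters constructed packet records by a TCP port whitelist, parses Modbus/TCP, and pairs each function code 3 request with its response to recover the signed INT value of one point location. Assumptions: the whitelist is read as a list of TCP ports (502), each payload holds exactly one Modbus/TCP frame, point address 42695 (%MW2695) is taken as wire address 2695, and the HMI address and all helper names are hypothetical.

```python
import struct

PORT_WHITELIST = {502}  # assumption: whitelist of TCP ports; 502 is Modbus/TCP
# Assumption: %MW2695 / point address 42695 is taken as zero-based wire address 2695;
# some devices use 4xxxx - 40001 instead, so confirm the offset per device.
POINT = {"device_ip": "192.168.110.138", "wire_address": 2695}
READ_HOLDING = 3


def mbap_pdu(payload):
    """Split one Modbus/TCP ADU into (transaction id, unit id, PDU); None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # length covers unit id + PDU
        return None
    return tid, unit, payload[7:]


def extract_point_values(packets, point=POINT):
    """Return the signed INT values read from the point, in capture order."""
    pending = {}  # (client ip, client port, tid, unit) -> (start address, quantity)
    values = []
    for p in packets:
        if p["sport"] not in PORT_WHITELIST and p["dport"] not in PORT_WHITELIST:
            continue                       # step 2: port filtering
        parsed = mbap_pdu(p["payload"])    # step 3: protocol identification
        if parsed is None:
            continue
        tid, unit, pdu = parsed
        if p["dport"] in PORT_WHITELIST and p["dst"] == point["device_ip"]:
            # Request to the lower computer: remember which registers were asked for,
            # because the response carries values but not addresses.
            if len(pdu) == 5 and pdu[0] == READ_HOLDING:
                pending[(p["src"], p["sport"], tid, unit)] = struct.unpack(">HH", pdu[1:])
        elif p["sport"] in PORT_WHITELIST and p["src"] == point["device_ip"]:
            request = pending.pop((p["dst"], p["dport"], tid, unit), None)
            if request is None or len(pdu) < 2 or pdu[0] != READ_HOLDING:
                continue                   # unsolicited, exception (0x83) or other function
            start, qty = request
            if pdu[1] != 2 * qty or len(pdu) != 2 + pdu[1]:
                continue                   # byte count disagrees with the request
            index = point["wire_address"] - start
            if 0 <= index < qty:
                values.append(struct.unpack_from(">h", pdu, 2 + 2 * index)[0])
    return values


# --- Constructed sample traffic (not captured data) ---
def build_adu(tid, unit, pdu):
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_request(start, qty):
    return struct.pack(">BHH", READ_HOLDING, start, qty)


def read_response(*registers):
    body = struct.pack(">%dh" % len(registers), *registers)
    return bytes([READ_HOLDING, len(body)]) + body


def pkt(src, sport, dst, dport, payload):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


HMI, PLC = "192.168.110.10", "192.168.110.138"   # HMI address is constructed
SAMPLE_PACKETS = [
    pkt(HMI, 49152, PLC, 502, build_adu(1, 1, read_request(2694, 3))),
    pkt(PLC, 502, HMI, 49152, build_adu(1, 1, read_response(100, 260, -5))),
    pkt(HMI, 49152, PLC, 502, build_adu(2, 1, read_request(2695, 1))),
    pkt(PLC, 502, HMI, 49152, build_adu(2, 1, read_response(-30))),
    pkt(PLC, 8080, HMI, 49153, build_adu(3, 1, read_response(9999))),  # port not whitelisted
    pkt(HMI, 49152, PLC, 502, build_adu(4, 1, read_request(2695, 1))),
    pkt(PLC, 502, HMI, 49152, build_adu(4, 1, b"\x83\x02")),           # exception response
    pkt(PLC, 502, HMI, 49152, build_adu(9, 1, read_response(777))),    # no matching request
]

if __name__ == "__main__":
    print(extract_point_values(SAMPLE_PACKETS))
```

Pairing by transaction id matters because a read response contains only register values; without the request, the probe cannot tell which point location a value belongs to.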
In this embodiment, the audit system is deployed at the switch layer of the industrial control network in a bypass deployment manner, and an audit probe in the audit system can receive all traffic data of the whole industrial control network without affecting the data flow direction of the industrial control system corresponding to the industrial control network.
Each port of the switch can be connected to devices based on different industrial Ethernet protocols, for example an engineer station, a Modbus master station, a Modbus slave station, a Profinet controller, a Profinet device, an OPC UA (Unified Architecture, UA for short) server, an OPC UA client, or other devices based on different industrial Ethernet protocols.
In this embodiment, an audit system is deployed by-pass at each switch position in a monitoring layer in an industrial control network, and each audit system copies an initial data packet passing through the switch through a mirror port of the switch. Meanwhile, the audit system is deployed at the position of the switch in a bypass deployment mode, so that an audit probe in the audit system only receives an initial data packet passing through the switch, any interference message cannot be sent to the industrial control network, and no adverse effect is generated on the normal operation of the industrial control system.
In some of these embodiments, the parameter information includes a plurality of parameter values within a preset time period; converting the parameter information into the service information according to the preset point location information configuration table includes: converting the plurality of parameter values within the preset time period into a plurality of service values within the preset time period according to the preset point location information configuration table; and determining that the service information includes the plurality of service values within the preset time period.
In the above embodiment, when the service information does not fall within the threshold range of the service information, the sending the threshold warning information includes the following steps:
Step 1, respectively judging whether each service value in the service information falls into a service information threshold range.
Step 2, under the condition that at least one service value does not fall into the service information threshold range in the service information, determining all the service values which do not fall into the service information threshold range as alarm values, and sending threshold alarm information, wherein the threshold alarm information comprises the alarm values.
Step 3, under the condition that all the service values in the service information fall into the service information threshold range, extracting the service minimum value and the service maximum value in the service information within a preset time period from the plurality of service values, and determining that the service information comprises the service minimum value and the service maximum value.
In this embodiment, the preset time period may be 1 minute, that is, the parameter information includes a plurality of consecutive parameter values within 1 minute, the service information includes a plurality of consecutive service values within 1 minute, and it may be determined whether each service value in the service information falls within a service information threshold range.
For example, if the service information includes six service values of 10 ℃, 12 ℃, 9 ℃, 19 ℃, 16 ℃ and 22 ℃ and the service information threshold range is 10 ℃ to 20 ℃, this embodiment can judge that the two service values of 9 ℃ and 22 ℃ do not fall within the service information threshold range, determine the two service values of 9 ℃ and 22 ℃ as alarm values, and send threshold alarm information, where the threshold alarm information includes the two alarm values of 9 ℃ and 22 ℃.
For another example, if the service information includes six service values of 10 ℃, 12 ℃, 11 ℃, 19 ℃, 16 ℃ and 18 ℃, this embodiment can judge that all the service values in the service information fall within the service information threshold range, extract the service minimum value of 10 ℃ and the service maximum value of 19 ℃ from the service information, and determine the service minimum value of 10 ℃ and the service maximum value of 19 ℃ as the service information for the current one minute.
In other embodiments, the preset time period may be other values, such as 30 seconds, 2 minutes, and the like.
In this embodiment, the method further includes: displaying an alarm value in the service information on a preset display page under the condition that at least one service value in the service information does not fall into the service information threshold range; and under the condition that all the service values in the service information fall within the service information threshold range, displaying the service minimum value and the service maximum value in the service information within a preset time period on a preset display page, and storing the service information.
In this embodiment, taking the preset time period as 1 minute as an example, the service information may be cached in units of minutes, and a service maximum value, a service minimum value, or an alarm value of the current service information in the current 1 minute may be counted when the current minute ends.
On the preset display page, with time as the unit, the bottom of each column represents the service minimum value in the current 1 minute and the top of the column represents the service maximum value in the current 1 minute. The columns are displayed as a dynamic scrolling graph over time, and alarm values can be prominently presented to the user in list form. This ensures that the user can obtain in real time the change of the service information corresponding to each point location in the industrial control network, and learn in real time whether a threshold alarm event has occurred at each point location, so that the user can promptly check the abnormal point location where a threshold alarm event has occurred, which further improves the safety of the industrial control network.
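The following Python sketch is an added illustration of steps 1 to 3 and the per-minute statistics described above; it is not code from the application. The linear mapping (service value = raw value × scale + offset), the inclusive threshold bounds, the field names and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PointConfig:
    """One row of a point location information configuration table.

    Field names and the linear mapping are assumptions for this example.
    """
    point_id: str
    scale: float    # service = raw * scale + offset
    offset: float
    raw_low: int    # parameter information threshold range (raw units)
    raw_high: int

    def to_service(self, raw: int) -> float:
        # Rounding keeps float noise (e.g. 0.30000000000000004) out of comparisons.
        return round(raw * self.scale + self.offset, 6)

    def service_range(self) -> Tuple[float, float]:
        # Derive the service threshold range from the parameter threshold range.
        # min/max keeps the range ordered when the mapping has a negative scale.
        a, b = self.to_service(self.raw_low), self.to_service(self.raw_high)
        return (min(a, b), max(a, b))


def evaluate_window(cfg: PointConfig, raw_values: List[int]) -> dict:
    """Apply steps 1-3 to the raw parameter values of one preset time period."""
    if not raw_values:
        # A silent point location is reported explicitly instead of passing as normal.
        return {"point": cfg.point_id, "status": "no_data"}
    low, high = cfg.service_range()
    service = [cfg.to_service(v) for v in raw_values]
    # Step 1: judge every service value (bounds assumed inclusive).
    alarms = [v for v in service if not (low <= v <= high)]
    if alarms:
        # Step 2: every out-of-range value is an alarm value.
        return {"point": cfg.point_id, "status": "alarm", "alarm_values": alarms}
    # Step 3: all values in range, keep only the minimum and maximum.
    return {"point": cfg.point_id, "status": "normal",
            "min": min(service), "max": max(service)}


def evaluate_stream(cfg: PointConfig, samples: List[Tuple[float, int]],
                    period_s: int = 60) -> List[dict]:
    """Group (unix_time, raw_value) samples into periods and evaluate each one."""
    buckets: Dict[int, List[int]] = {}
    for ts, raw in samples:
        buckets.setdefault(int(ts // period_s), []).append(raw)
    return [dict(evaluate_window(cfg, vals), window_start=idx * period_s)
            for idx, vals in sorted(buckets.items())]


# Constructed sample: a temperature point whose raw register holds tenths of a degree,
# so the raw range 100..200 corresponds to a service range of 10 to 20 degrees.
CFG = PointConfig(point_id="TT-101", scale=0.1, offset=0.0, raw_low=100, raw_high=200)

# Constructed sample stream: one reading every 10 s over two consecutive minutes.
MINUTE_1 = [100, 120, 90, 190, 160, 220]   # 9 and 22 degrees are out of range
MINUTE_2 = [100, 120, 110, 190, 160, 180]  # all in range
SAMPLE_STREAM = [(i * 10, raw) for i, raw in enumerate(MINUTE_1 + MINUTE_2)]

if __name__ == "__main__":
    for result in evaluate_stream(CFG, SAMPLE_STREAM):
        print(result)
```

The two constructed minutes reproduce the two temperature examples given above: the first yields the alarm values 9 and 22, the second yields the minimum 10 and the maximum 19.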
Through steps S101 to S103, the parameter information transmitted by the lower computer corresponding to the point location to be detected in the industrial control network is converted into service information according to the mapping relationship, in the preset point location information configuration table, between the parameter information and the service information corresponding to that point location; whether the service information falls within the service information threshold range is then determined, and threshold warning information is sent if it does not. The user can thus obtain in real time the change of the service information corresponding to each point location in the industrial control network, receive the threshold warning information in real time, and promptly check the abnormal point location where the threshold warning occurred. This solves the problem in the related art that an audit system cannot quickly judge whether a threshold alarm has occurred for the current service information, which results in low safety of the industrial control network, and achieves the technical effect of improving the safety of the industrial control network.
This embodiment provides a point location information early warning device of industrial control network, and fig. 3 is a block diagram of a point location information early warning device of the industrial control network according to this embodiment of the application, as shown in fig. 3, the device includes: the acquisition module is used for acquiring parameter information transmitted by a lower computer corresponding to the point to be detected in the industrial control network; the conversion module is used for converting the parameter information into service information according to a preset point location information configuration table, wherein the point location information configuration table at least comprises a mapping relation between the parameter information corresponding to the point location to be detected and the service information and a service information threshold range corresponding to the point location to be detected; and the alarm module is used for sending threshold alarm information under the condition that the service information does not fall into the threshold range of the service information, wherein the threshold alarm information comprises the service information.
In some embodiments, the obtaining module is further configured to obtain an initial data packet passing through a switch in the industrial control network; carrying out port filtering on the initial data packet to obtain a data packet to be detected which passes through the switch; and carrying out industrial control protocol identification and analysis on the data packet to be detected to obtain parameter information transmitted by a lower computer corresponding to the point to be detected in the data packet to be detected.
In some embodiments, the obtaining module is further configured to mirror, in real time, an initial data packet passing through the switch through a mirror port of the switch, and send the initial data packet to a bypass audit system deployed at a layer of the switch; and acquiring an initial data packet passing through the switch in the industrial control network through an audit probe in the audit system.
In some of these embodiments, the parameter information includes a plurality of parameter values within a preset time period; the conversion module is further configured to convert the plurality of parameter values within the preset time period into a plurality of service values within the preset time period according to the preset point location information configuration table, and to determine that the service information includes the plurality of service values within the preset time period.
In some embodiments, the alarm module is further configured to separately determine whether each service value in the service information falls within a service information threshold range; under the condition that at least one service value does not fall into the service information threshold range in the service information, determining all the service values which do not fall into the service information threshold range as alarm values, and sending threshold alarm information, wherein the threshold alarm information comprises the alarm values; and under the condition that all the service values in the service information fall into the service information threshold range, extracting the service minimum value and the service maximum value in the service information within a preset time period from the plurality of service values, and determining that the service information comprises the service minimum value and the service maximum value.
In some embodiments, the apparatus further includes a display module, configured to display an alarm value in the service information on a preset display page when at least one service value in the service information does not fall within a service information threshold range; and under the condition that all the service values in the service information fall within the service information threshold range, displaying the service minimum value and the service maximum value in the service information within a preset time period on a preset display page, and storing the service information.
In some embodiments, the apparatus further includes a configuration module, configured to obtain identification information of each point location in the industrial control network, where the identification information includes at least one of: setting bit number, equipment IP, point location address, address name, industrial control protocol, transport layer protocol and data type; acquiring a parameter information threshold range transmitted by a lower computer corresponding to each point location in an industrial control network and a mapping relation between the parameter information corresponding to each point location and service information; calculating to obtain a service information threshold range corresponding to each point location according to the mapping relation between the parameter information and the service information corresponding to each point location and the parameter information threshold range transmitted by the lower computer corresponding to each point location; and determining a point location information configuration table comprising the identification information of each point location, the mapping relation between the parameter information and the service information corresponding to each point location, and the service information threshold range corresponding to each point location.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
The present embodiment further provides an electronic device, fig. 4 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present application, and as shown in fig. 4, the electronic device includes a memory 404 and a processor 402, the memory 404 stores a computer program, and the processor 402 is configured to execute the computer program to perform the steps in any of the method embodiments.
Specifically, the processor 402 may include a Central Processing Unit (CPU) or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.
Memory 404 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 404 may include a Hard Disk Drive (Hard Disk Drive, abbreviated to HDD), a floppy Disk Drive, a Solid State Drive (SSD), flash memory, an optical Disk, a magneto-optical Disk, tape, or a Universal Serial Bus (USB) Drive or a combination of two or more of these. Memory 404 may include removable or non-removable (or fixed) media, where appropriate. The memory 404 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 404 is a Non-Volatile (Non-Volatile) memory. In particular embodiments, Memory 404 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically rewritable ROM (EAROM), or FLASH Memory (FLASH), or a combination of two or more of these, where appropriate. The RAM may be a Static Random-Access Memory (SRAM) or a Dynamic Random-Access Memory (DRAM), where the DRAM may be a Fast Page Mode Dynamic Random-Access Memory (FPMDRAM), an Extended data output Dynamic Random-Access Memory (EDODRAM), a Synchronous Dynamic Random-Access Memory (SDRAM), and the like.
Memory 404 may be used to store or cache various data files for processing and/or communication use, as well as possibly computer program instructions for execution by processor 402.
The processor 402 reads and executes the computer program instructions stored in the memory 404 to implement the point location information early warning method of any one of the industrial control networks in the above embodiments.
Optionally, the electronic apparatus may further include a transmission device 406 and an input/output device 408, where the transmission device 406 is connected to the processor 402, and the input/output device 408 is connected to the processor 402.
Optionally, in this embodiment, the processor 502 may be configured to execute the following steps by a computer program:
S1, acquiring parameter information transmitted by a lower computer corresponding to the point location to be detected in the industrial control network.
S2, converting the parameter information into service information according to a preset point location information configuration table, wherein the point location information configuration table at least comprises a mapping relation between the parameter information corresponding to the point location to be detected and the service information, and a service information threshold range corresponding to the point location to be detected.
S3, sending threshold warning information under the condition that the service information does not fall within the service information threshold range, wherein the threshold warning information comprises the service information.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In addition, in combination with the point location information early warning method of the industrial control network in the above embodiments, an embodiment of the present application may provide a storage medium for implementation. The storage medium has a computer program stored thereon; when executed by a processor, the computer program implements the point location information early warning method of the industrial control network in any of the above embodiments.
It should be understood by those skilled in the art that various features of the above embodiments can be combined arbitrarily, and for the sake of brevity, all possible combinations of the features in the above embodiments are not described, but should be considered as within the scope of the present disclosure as long as there is no contradiction between the combinations of the features.
The above examples are merely illustrative of several embodiments of the present application, and the description is more specific and detailed, but not to be construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A point location information early warning method of an industrial control network is characterized by comprising the following steps:
acquiring parameter information transmitted by a lower computer corresponding to a point to be detected in an industrial control network;
converting the parameter information into service information according to a preset point location information configuration table, wherein the point location information configuration table at least comprises a mapping relation between the parameter information corresponding to the point location to be detected and the service information, and a service information threshold range corresponding to the point location to be detected;
and sending threshold value warning information under the condition that the service information does not fall into the threshold value range of the service information, wherein the threshold value warning information comprises the service information.
2. The point location information early warning method of the industrial control network according to claim 1, wherein before obtaining the parameter information transmitted by the lower computer corresponding to the point location to be measured in the industrial control network, the method further comprises:
acquiring point location identification information of each point location in the industrial control network, wherein the point location identification information includes at least one of the following: setting bit number, equipment IP, point location address, address name, industrial control protocol, transport layer protocol and data type;
acquiring a parameter information threshold range transmitted by a lower computer corresponding to each point location in the industrial control network and a mapping relation between the parameter information corresponding to each point location and service information;
calculating to obtain a service information threshold range corresponding to each point location according to the mapping relation between the parameter information and the service information corresponding to each point location and the parameter information threshold range transmitted by the lower computer corresponding to each point location;
and determining that the point location information configuration table comprises the point location identification information of each point location, the mapping relation between the parameter information and the service information corresponding to each point location, and the service information threshold range corresponding to each point location.
3. The point location information early warning method of the industrial control network according to claim 1, wherein the obtaining of the parameter information transmitted by the lower computer corresponding to the point location to be detected in the industrial control network comprises:
acquiring an initial data packet passing through a switch in an industrial control network;
performing port filtering on the initial data packet to obtain a data packet to be detected which passes through the switch;
and carrying out industrial control protocol identification and analysis on the data packet to be detected to obtain parameter information transmitted by a lower computer corresponding to the point to be detected in the data packet to be detected.
4. The point location information early warning method of the industrial control network according to claim 3, wherein the obtaining of the initial data passing through the switch in the industrial control network comprises:
carrying out real-time mirroring on an initial data packet passing through the switch through a mirroring port of the switch, and sending the initial data packet to a bypass audit system deployed at a layer of the switch;
and acquiring an initial data packet passing through the switch in the industrial control network through an audit probe in the audit system.
5. The point location information early warning method of the industrial control network according to claim 1, wherein the parameter information includes a plurality of parameter values within a preset time period; converting the parameter information into service information according to a preset point location information configuration table includes:
converting a plurality of parameter values in a preset time period into a plurality of service values in the preset time period according to a preset point location information configuration table;
determining that the service information includes a plurality of service values within the preset time period.
6. The point location information early warning method of the industrial control network according to claim 5, wherein sending threshold value warning information when the service information does not fall within the threshold value range of the service information comprises:
respectively judging whether each service value in the service information falls into the threshold range of the service information;
under the condition that at least one service value does not fall into the service information threshold range in the service information, determining all the service values which do not fall into the service information threshold range as alarm values, and sending the threshold alarm information, wherein the threshold alarm information comprises the alarm values;
and under the condition that all the service values in the service information fall into the service information threshold range, extracting the service minimum value and the service maximum value in the service information within a preset time period from a plurality of service values, and determining that the service information comprises the service minimum value and the service maximum value.
7. The point location information early warning method of the industrial control network according to claim 6, wherein the method further comprises:
under the condition that at least one service value in the service information does not fall into the service information threshold range, displaying an alarm value in the service information on a preset display page;
and under the condition that all the service values in the service information fall into the service information threshold range, displaying the service minimum value and the service maximum value in the service information within a preset time period on a preset display page, and storing the service information.
8. A point location information early warning device of an industrial control network, characterized in that the device comprises:
the acquisition module is used for acquiring parameter information transmitted by a lower computer corresponding to the point to be detected in the industrial control network;
the conversion module is used for converting the parameter information into service information according to a preset point location information configuration table, wherein the point location information configuration table at least comprises a mapping relation between the parameter information corresponding to the point location to be detected and the service information and a service information threshold range corresponding to the point location to be detected;
and the alarm module is used for sending threshold alarm information under the condition that the service information does not fall into the threshold range of the service information, wherein the threshold alarm information comprises the service information.
9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the point location information early warning method of the industrial control network according to any one of claims 1 to 7.
10. A storage medium, wherein a computer program is stored in the storage medium, and when executed by a processor, the computer program implements the point location information early warning method for an industrial control network according to any one of claims 1 to 7.
CN202110510015.2A 2021-05-11 2021-05-11 Point location information early warning method and device for industrial control network and electronic device Pending CN113259160A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110510015.2A CN113259160A (en) 2021-05-11 2021-05-11 Point location information early warning method and device for industrial control network and electronic device


Publications (1)

Publication Number Publication Date
CN113259160A true CN113259160A (en) 2021-08-13

Family

ID=77222630


Country Status (1)

Country Link
CN (1) CN113259160A (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210813