CN113904878A - Data processing method and system based on large number of nodes and readable storage medium - Google Patents


Info

Publication number: CN113904878A
Authority: CN (China)
Prior art keywords: intrusion, flow, communication request, behavior, data
Legal status: Granted
Application number: CN202111502246.5A
Other languages: Chinese (zh)
Other versions: CN113904878B (en)
Inventors: 郭宾, 崔旭中, 刘润新, 陈超, 文昱博, 雷濛, 朱奕辉, 向昶宇
Current Assignee: Zhejiang Mulian Internet Of Things Technology Co ltd
Original Assignee: Zhejiang Mulian Internet Of Things Technology Co ltd
Events: application filed by Zhejiang Mulian Internet Of Things Technology Co ltd; priority to CN202111502246.5A; publication of CN113904878A; application granted; publication of CN113904878B; legal status: active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a data processing method, a data processing system and a readable storage medium based on a large number of nodes. The method comprises the following steps: receiving communication request information and determining that the communication request information carries communication request data; determining intrusion flow from the access flow, wherein the intrusion flow is generated when the communication request information is received and comprises the communication request data; determining the communication request data from the intrusion flow and encapsulating it; processing the encapsulated communication request data to acquire communication reply data corresponding to the communication request data; and sending a communication reply message comprising the communication reply data. By this method, the real service controller is hidden among a plurality of other controllers through several rounds of data processing, so that an intruder cannot accurately identify the specific service controller; the attack efficiency of the intruder is reduced and the safe operation capability of the industrial control system is enhanced.

Description

Data processing method and system based on large number of nodes and readable storage medium
Technical Field
The invention relates to the field of industrial control network security, in particular to a data processing method and system based on a large node number and a readable storage medium.
Background
With the rapid development of internet technology, under the trends of the integration of industrialization and informatization and of intelligent manufacturing, the Industrial Control System (ICS), which was originally closed and isolated, has gradually connected the industrial control network to the internet in order to achieve coordination and information sharing among systems. Although this enlarges the development space of industrial control, the system inevitably faces new security threats. The industrial internet security concept that developed under this premise has gradually risen to the level of national security.
At present, security products such as industrial firewalls, industrial traffic audit and intrusion detection can be deployed in an industrial control system according to a security solution to address the security problem; a defense-in-depth system is technically built, and the requirements of compliance and basic security are met. On this basis, some group companies with a degree of security awareness consider studying the means of hacker intrusion, carrying out security defense from the perspective of trapping and deception, and complementing the defense-in-depth system. However, most of the threat trapping technologies applied in the market at present are traditional honeypots based on virtual simulation technology, and threat trapping technology based on industrial internet systems has flexible product indexes. The main difficulties are as follows. If the honey farm is used as a research-type honey farm, its simulation degree and sweetness must be extremely high; but an industrial controller is a closed, independent device, and high-interaction simulation by means such as firmware reversing and interaction exhaustion is extremely difficult. If the system is used as a defensive honey farm, the number of nodes deployed in the honey farm must be huge. How to ensure the safe operation of an industrial control system has therefore become a problem that urgently needs to be solved.
Disclosure of Invention
In view of the foregoing problems, an object of the present invention is to provide a data processing method, system and readable storage medium based on a large number of nodes, which hide a real service controller in a plurality of other controllers through data processing for a plurality of times, so that an intruder cannot accurately determine a specific service controller, thereby reducing the attack efficiency of the intruder, and thus enhancing the capability of the industrial control system for safe operation.
The invention provides a data processing method based on a large number of nodes in a first aspect, which comprises the following steps:
receiving communication request information, and determining that the communication request information carries communication request data;
determining intrusion flow from the access flow, wherein the intrusion flow is generated when the communication request information is received, and the intrusion flow comprises communication request data;
determining the communication request data from the intrusion flow, and encapsulating the communication request data;
processing the encapsulated communication request data to acquire communication reply data corresponding to the communication request data;
and sending a communication reply message, wherein the communication reply message comprises the communication reply data.
In this scheme, a data processing method based on a large number of nodes further includes:
carrying out intrusion detection processing on the intrusion flow, and determining an intrusion behavior and a non-intrusion behavior, wherein the intrusion behavior is a behavior with the threat degree greater than or equal to the threat threshold value, and the non-intrusion behavior is a behavior with the threat degree smaller than the threat threshold value;
and intercepting the intrusion behavior, and releasing the non-intrusion behavior so that the non-intrusion behavior proceeds normally.
In this scheme, a data processing method based on a large number of nodes further includes:
obtaining access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
carrying out statistics and summarization on the flow to be processed, and determining the threat characteristic causing the system threat;
based on the threat characteristics, generating a threat statistics report, wherein the threat statistics include a formulation for a threat early-warning mechanism.
In this scheme, a data processing method based on a large number of nodes further includes:
obtaining access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
and displaying the flow to be processed on a data display interface over the preset time period, using parallel-coordinate line analysis with a sparse-line animation effect, wherein the display mode comprises at least one of 2-dimensional imaging and 3-dimensional animation effects.
In this scheme, a data processing method based on a large number of nodes further includes:
obtaining access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
extracting a potential intrusion behavior set from the flow to be processed, wherein the potential intrusion behavior set comprises at least one potential intrusion behavior;
performing attribution analysis on the potential intrusion behavior set to obtain the intrusion reason of each potential intrusion behavior;
and determining the intrusion mode of the intrusion behavior based on the intrusion reason of each potential intrusion behavior.
In this scheme, a data processing method based on a large number of nodes further includes:
obtaining access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
based on a security knowledge base, performing application association analysis on the flow to be processed, and identifying the attack plan of the intrusion behavior;
and reconstructing the intrusion process scenario of the intrusion behavior based on its attack plan.
The second aspect of the present invention further provides a data processing system based on a large number of nodes, which includes a memory and a processor, wherein the memory includes a data processing method program based on the large number of nodes, and the data processing method program based on the large number of nodes implements the following steps when being executed by the processor:
receiving communication request information, and determining that the communication request information carries communication request data;
determining intrusion flow from the access flow, wherein the intrusion flow is generated when the communication request information is received, and the intrusion flow comprises communication request data;
determining the communication request data from the intrusion flow, and encapsulating the communication request data;
processing the encapsulated communication request data to acquire communication reply data corresponding to the communication request data;
and sending a communication reply message, wherein the communication reply message comprises the communication reply data.
In this scheme, a data processing system based on a large number of nodes, when executed by a processor, may further implement the following steps:
carrying out intrusion detection processing on the intrusion flow, and determining an intrusion behavior and a non-intrusion behavior, wherein the intrusion behavior is a behavior with the threat degree greater than or equal to the threat threshold value, and the non-intrusion behavior is a behavior with the threat degree smaller than the threat threshold value;
and intercepting the intrusion behavior, and releasing the non-intrusion behavior so that the non-intrusion behavior proceeds normally.
A third aspect of the present invention provides a computer-readable storage medium, which stores a program for the large-node-number-based data processing method; when the program is executed by a processor, the steps of the large-node-number-based data processing method described in any one of the above are implemented.
According to the data processing method and system based on a large number of nodes disclosed by the invention, the access flow is filtered and detected to determine the intrusion flow within it, so that the communication request information received when the system is intruded is obtained; the communication reply information corresponding to the communication request information is sent; and the real service controller is hidden among a plurality of other controllers through several rounds of data processing, so that an intruder cannot accurately identify the specific service controller. The attack efficiency of the intruder is thereby reduced, and the safe operation capability of the industrial control system is enhanced.
Drawings
FIG. 1 is a block diagram of a data processing system according to the present application;
FIG. 2 is a flow chart of a data processing method based on a large number of nodes according to the present application;
FIG. 3 is a block diagram of a data processing system based on a large number of nodes according to the present invention.
Detailed Description
In order that the above objects, features and advantages of the present invention can be more clearly understood, a more particular description of the invention will be rendered by reference to the appended drawings. It should be noted that the embodiments and features of the embodiments of the present application may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, however, the present invention may be practiced in other ways than those specifically described herein, and therefore the scope of the present invention is not limited by the specific embodiments disclosed below.
At present, most of the threat trapping technologies applied in the market are traditional honeypots based on virtual simulation technology, and threat trapping products based on industrial internet systems have flexible indexes. The main difficulties are as follows. If the honey farm is used as a research honey farm, its simulation degree and sweetness must be extremely high; but an industrial controller is a closed, independent device, and high-interaction simulation by means such as firmware reversing and interaction exhaustion is extremely difficult. If it is used as a defensive honey farm, the number of nodes deployed must be huge, and if a simulation program is run on each node, the multi-node defensive honey farm is limited by the present performance and simulation level of hardware and cannot be deployed at large scale. To address these problems, the application provides a data processing method and system based on a large number of nodes, which hide a real service controller among a plurality of other controllers through multiple rounds of data processing, so that an intruder cannot accurately identify the specific service controller, thereby reducing the attack efficiency of the intruder and enhancing the safe operation capability of the industrial control system.
First, some terms or concepts related to the present application are explained for convenience of understanding.
First, Industrial Control System (ICS)
The industrial control system is composed of control equipment such as a Distributed Control System (DCS) and a Programmable Logic Controller (PLC), sensors for temperature, pressure and the like, and a host computer, and is used for monitoring and controlling an industrial production process.
Second, industrial control protocol
Industrial control protocols are the communication protocols specific to industrial control systems that are commonly used for communication between the field network and the control network of an industrial control system, between the industrial control devices of the field network, and between the components of the control network; typical examples are the Modbus, OPC, S7 and IEC104 communication protocols.
Third, device simulation
Device simulation in this application refers to simulating an industrial controller by means of simulation software, firmware reversing, exhaustion of communication interactions and other methods, with the aim that an intruder cannot distinguish real devices from simulated devices and that attacks on real or simulated devices are misdirected.
Fourth, sweetness
Sweetness refers to the degree to which a threat trapping product can attract and confuse intruders, and includes but is not limited to the realism of the honey farm topology model, the simulation of the industrial controller, the simulation of the industrial protocol, the simulation of the industrial upper computer, account bait, file bait, domain name bait, tracing bait and protocol bait.
Fifth, industrial controller
An industrial controller is an industrial control computer: the general name for tools that adopt a bus structure and detect and control a production process and its electromechanical and process equipment. It has important computer attributes and features, such as a CPU, hard disk, memory, peripherals and interfaces, a real-time operating system, a control network and protocol, computing capability, and a friendly human-computer interface. The main categories of industrial controllers are IPC (PC bus industrial computer), RTU (remote terminal unit), PLC (programmable logic controller), DCS (distributed control system), FCS (field bus system), CNC (numerical control system) and the like; industrial controllers that are mainstream in the industry are mainly used as the objects that each proxy node dynamically simulates.
As shown in fig. 1, the present application discloses a schematic structural diagram of a data processing system. The data processing system includes a honey farm system, which consists of 5 subsystems: proxy nodes 1 to N, an intrusion detection module 12, a traffic redirection module 13, an access traffic recording and storing module 14, and a threat trapping analysis and alarm module 15. The honey farm system is configured to deploy virtual nodes in the service network on a large scale, to record and analyze intrusion traffic, and to forward traffic that is harmless to the industrial controller entity to the industrial controller resource pool by a redirection technique.
Specifically, proxy nodes 1 to N in the honey farm system are independent units obtained by virtualization based on docker virtualization technology; the Internet Protocol (IP) and Media Access Control (MAC) addresses of proxy nodes 1 to N differ from one another, and the open ports and the communication interactions that each node can perform are consistent with a certain controller in the industrial controller resource pool. The access traffic recording and storing module 14 is responsible for structuring the access traffic and storing it for querying and comparison by the threat trapping analysis and alarm module 15. The intrusion detection module 12 differs from traditional intrusion detection technology: in this application it is used to prevent the intrusion traffic from harming the industrial controller entity, and it intelligently filters and screens the traffic. The traffic redirection module 13 is responsible for establishing communication connections with the industrial controllers in the industrial controller resource pool so as to carry out communication interaction. The threat trapping analysis and alarm module 15 is responsible for counting and summarizing the access traffic to obtain the corresponding statistical results.
Secondly, the management system shown in fig. 1 is mainly used for interacting with an operator to realize operation and feedback of the equipment, and includes 5 modules: node setting, equipment management, visual display, report output and API interface. Node setting mainly realizes the creation, configuration, deletion and query of proxy nodes and supports batch creation of nodes. Equipment management mainly implements state configuration and control of the equipment itself, including collection of the equipment's own log information, network interface, Central Processing Unit (CPU), memory and storage information, intrusion detection module configuration, redirection parameter settings, operation and maintenance personnel management, and the like. Visual display presents the results obtained by the threat trapping analysis and alarm module 15. Report output produces a report of the access conditions in a unit time period through an embedded test report template. The API interface exposes the security configuration interface, equipment state information, log reports and other contents of the equipment in API form, and is used to interface with an enterprise security operations platform or threat intelligence so that linkage is formed with the security defense system.
In fig. 1, the resource pool of the industrial controller is mainly composed of IPC (PC bus industrial computer), RTU (remote terminal unit), PLC (programmable control system), DCS (distributed control system), FCS (field bus system), CNC (numerical control system), and other types of devices, and mainly adopts an industrial controller which is mainstream in the industry as an object for dynamic simulation of each agent node.
Based on the data processing system shown in fig. 1, as shown in fig. 2, the application discloses a data processing method based on a large number of nodes, comprising the following steps:
S202: receiving communication request information and determining that an intrusion has occurred, wherein the communication request information carries communication request data.
S204: determining intrusion traffic from the access traffic, wherein the intrusion traffic is generated when the communication request information is received and comprises the communication request data.
S206: determining the communication request data from the intrusion traffic, and encapsulating the communication request data.
S208: processing the encapsulated communication request data to acquire communication reply data corresponding to the communication request data.
S210: sending communication reply information, wherein the communication reply information comprises the communication reply data.
It should be noted that, as can be seen from fig. 1, since proxy nodes 1 to N are single nodes virtualized by the system, no host communicates with proxy nodes 1 to N when the system is not under intrusion. Therefore, when any of proxy nodes 1 to N receives communication request information that carries communication request data, it can be determined that the system has been intruded.
Based on this, after it is determined that the system has been intruded, proxy nodes 1 to N forward the access traffic, which includes the intrusion traffic, to the intrusion detection module in the honey farm system shown in fig. 1. After receiving the traffic forwarded by the proxy node and intelligently filtering and screening the access traffic, the intrusion detection module can determine the intrusion traffic from the access traffic: the intrusion traffic is the traffic generated when the communication request information is received, and is therefore the traffic within the access traffic that includes the communication request data. The intrusion detection module then forwards the determined intrusion traffic to the traffic redirection module.
Because the intrusion traffic includes the communication request data used for communication between the intruder and the proxy node, after the traffic redirection module receives the intrusion traffic forwarded by the intrusion detection module, it determines the communication request data from the intrusion traffic and encapsulates it.
Further, after the encapsulation of the communication request data is completed, the traffic redirection module establishes a communication connection with an industrial controller in the industrial controller resource pool and sends it a communication request carrying the encapsulated communication request data. The industrial controller in the resource pool extracts the encapsulated communication request data from the communication request and de-encapsulates it to obtain the communication request data sent by the intruder; it can thus generate the corresponding communication reply data based on the communication request data and send reply information, carrying the communication reply data corresponding to the communication request data, to the traffic redirection module, so that the traffic redirection module obtains the communication reply data from the reply information.
Finally, the traffic redirection module obtains the communication reply data corresponding to the communication request data from the reply information, that is, it strips the communication reply data from the reply information and repackages it. The repackaged communication reply data is transmitted to the proxy node that received the communication request information, so that this proxy node sends communication reply information, which comprises the communication reply data, to the intruder's host.
It should be noted that the minimum unit of the industrial controller resource pool in the present application is 1, that is, the number of industrial controllers is 1. In practical application, when the number of industrial controllers in the resource pool is greater than or equal to 2 and the traffic redirection module performs communication interaction with them, the traffic redirection module can determine which industrial controller is to process the communication request data and generate the communication reply data by means of an identifier carried in the communication request data that indicates the industrial controller. The identifier indicating the industrial controller may include, but is not limited to, an identifier of the industrial controller, a data identifier, a service type identifier or a model identifier; the specific identifier must be determined flexibly according to the communication request data sent by the intruder and the actual situation of the specific application scenario.
It should be noted that after the node configuration included in the management system of the present application is completed, the node configuration can change dynamically by itself, that is, the IP, MAC, open ports and resource-pool link configuration of proxy nodes 1 to N change dynamically, so that an intruder cannot determine which specific proxy node to access from information such as a specific IP, specific MAC, specific open port or specific resource-pool link configuration, thereby increasing the confusion capability of the honey farm system.
It should be noted that, in the present application, the resource pool of the industrial controller may be changed into another entity resource pool, and the corresponding intrusion detection module also needs to adjust the type of the resource pool.
It should be noted that, the proxy nodes 1 to N shown in fig. 1 in the present application may be organized into a more complex network structure for simulating a more real industrial control service scenario.
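The redirection path of steps S202 to S210 and the identifier-based controller selection described above, as an added Python model that is not the patent's code: proxy nodes, the intrusion detection module, the traffic redirection module and a resource pool of constructed stand-in controllers are plain in-process objects, and the request and reply format (JSON with an `op` field) is assumed for illustration.

```python
import json
from dataclasses import dataclass


@dataclass
class ProxyNode:
    """One virtualized node. Per the text, no legitimate host ever talks to a
    proxy node, so any request carrying data is treated as an intrusion."""
    node_id: int
    ip: str
    mac: str
    target_ident: str   # identifier of the resource-pool controller it mimics


class ResourcePoolController:
    """Constructed stand-in for a real controller in the resource pool
    (hypothetical; a real one would speak Modbus, S7, etc.)."""

    def __init__(self, ident, model):
        self.ident = ident
        self.model = model
        self.requests_seen = []

    def handle(self, envelope):
        # De-encapsulate: only the intruder's original request data is interpreted.
        request = json.loads(envelope["request_data"])
        self.requests_seen.append(request)
        if request.get("op") == "read":
            return {"model": self.model, "addr": request.get("addr"), "value": 0}
        return {"model": self.model, "status": "unsupported"}


class IntrusionDetectionModule:
    """Determines intrusion traffic: the access-traffic records that carry
    communication request data (threat scoring is a separate step)."""

    def determine_intrusion_traffic(self, access_traffic):
        return [rec for rec in access_traffic if rec.get("request_data")]


class TrafficRedirectionModule:
    def __init__(self, pool):
        self.pool = {c.ident: c for c in pool}

    def select_controller(self, identifier):
        # The pool's minimum size is 1; with a single controller no identifier is needed.
        if len(self.pool) == 1:
            return next(iter(self.pool.values()))
        if identifier not in self.pool:
            raise KeyError(f"no controller in the resource pool for {identifier!r}")
        return self.pool[identifier]

    def redirect(self, intrusion_record):
        # Encapsulate the request data together with routing information.
        envelope = {
            "node_id": intrusion_record["node_id"],
            "source": intrusion_record["source"],
            "target_ident": intrusion_record["target_ident"],
            "request_data": intrusion_record["request_data"],
        }
        controller = self.select_controller(envelope["target_ident"])
        reply_info = {"controller": controller.ident,
                      "reply_data": controller.handle(envelope)}
        # Strip the reply data from the reply information and repackage it for
        # the proxy node that received the original request.
        return {"node_id": envelope["node_id"], "source": envelope["source"],
                "reply_data": reply_info["reply_data"]}


class HoneyFarm:
    def __init__(self, nodes, pool):
        self.nodes = {n.node_id: n for n in nodes}
        self.ids = IntrusionDetectionModule()
        self.redirection = TrafficRedirectionModule(pool)
        self.access_log = []   # structured access traffic kept by the recording module

    def receive(self, node_id, source_ip, request_data):
        """A proxy node receives a request; returns the reply message it sends back,
        or None when the traffic carries no request data and is not redirected."""
        node = self.nodes[node_id]
        record = {"node_id": node_id, "source": source_ip,
                  "target_ident": node.target_ident, "request_data": request_data}
        self.access_log.append(record)
        intrusion = self.ids.determine_intrusion_traffic([record])
        if not intrusion:
            return None
        repackaged = self.redirection.redirect(intrusion[0])
        return {"to": source_ip, "from_node": node_id,
                "reply_data": repackaged["reply_data"]}


# Constructed resource pool and proxy nodes (addresses from documentation ranges).
POOL = [ResourcePoolController("plc-a", "PLC-A"), ResourcePoolController("plc-b", "PLC-B")]
NODES = [ProxyNode(1, "192.0.2.11", "02:00:00:00:00:01", "plc-a"),
         ProxyNode(2, "192.0.2.12", "02:00:00:00:00:02", "plc-b")]
FARM = HoneyFarm(NODES, POOL)

if __name__ == "__main__":
    print(FARM.receive(1, "192.0.2.99", '{"op": "read", "addr": 40001}'))
```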
According to the embodiment of the invention, the data processing method based on the large number of the nodes further comprises the following steps:
carrying out intrusion detection processing on the intrusion flow, and determining an intrusion behavior and a non-intrusion behavior, wherein the intrusion behavior is a behavior with the threat degree greater than or equal to the threat threshold value, and the non-intrusion behavior is a behavior with the threat degree smaller than the threat threshold value;
and intercepting the intrusion behavior, and releasing the non-intrusion behavior so that the non-intrusion behavior proceeds normally.
It should be noted that, after the intrusion detection module intelligently filters and screens the access traffic to determine the intrusion traffic, it is also able to perform intrusion detection processing on the intrusion traffic to determine an intrusion behavior and a non-intrusion behavior, where the intrusion behavior is a behavior whose threat degree is greater than or equal to the threat threshold value, and the non-intrusion behavior is a behavior whose threat degree is less than the threat threshold value.
The intrusion behavior may specifically be a behavior that may harm the industrial controller, such as an intrusion behavior that maliciously controls the industrial controller or a trojan implantation behavior; the intrusion behavior may also be a behavior that controls IO points at high frequency or reads and writes memory at high frequency, and so on; the intrusion behaviors are not exhaustively listed here. The non-intrusion behavior may be a behavior that poses less of a threat to the industrial controller, such as program downloading and uploading, communication instruction tampering, port sniffing, password brute-forcing and the like.
Based on this, the intrusion detection module intercepts the intrusion behavior, that is, it intercepts behavior that may harm the industrial controller so as to ensure the safe operation of the industrial controller, and releases the non-intrusion behavior so that it proceeds normally, thereby ensuring that normal data is still processed.
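An added example, not from the patent, of how the threat-degree classification above could be scored over structured intrusion traffic: the base threat values per behaviour class, the threshold, and the rate that counts as "high-frequency" IO or memory writes are all assumed values; the behaviour classes follow the lists in the text.

```python
from collections import defaultdict

THREAT_THRESHOLD = 60   # assumed value; the text leaves the threshold open

# Assumed base threat degrees (0-100). Behaviours the text lists as able to
# harm the controller score high; the ones it lists as lower-threat score low.
BASE_THREAT = {
    "trojan_implant": 90,
    "io_write": 40,            # harmful when high-frequency (rate bonus below)
    "memory_write": 40,
    "instruction_tamper": 25,
    "program_download": 20,
    "program_upload": 15,
    "password_bruteforce": 20,
    "port_scan": 10,
}
HIGH_FREQ_OPS = {"io_write", "memory_write"}
RATE_WINDOW_S = 1.0
RATE_LIMIT = 5   # assumed: more than 5 IO/memory writes per second is "high frequency"


def threat_degree(events):
    """events: list of (timestamp_seconds, op) from one source, in any order."""
    if not events:
        return 0
    events = sorted(events)
    base = max(BASE_THREAT.get(op, 0) for _, op in events)
    # Peak number of IO/memory writes inside any RATE_WINDOW_S sliding window.
    times = [t for t, op in events if op in HIGH_FREQ_OPS]
    peak, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - RATE_WINDOW_S:
            j += 1
        peak = max(peak, i - j + 1)
    rate_bonus = 0 if peak <= RATE_LIMIT else min(60, 10 * (peak - RATE_LIMIT))
    return min(100, base + rate_bonus)


def classify(events_by_source, threshold=THREAT_THRESHOLD):
    """'intercept' for intrusion behaviour (degree >= threshold), else 'release'."""
    return {src: ("intercept" if threat_degree(ev) >= threshold else "release")
            for src, ev in events_by_source.items()}


def group_by_source(records):
    """records: structured intrusion-traffic dicts with keys src, t, op."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["src"]].append((r["t"], r["op"]))
    return grouped


# Constructed sample intrusion traffic (source labels and timings are made up).
SAMPLE = (
    [{"src": "A", "t": 0.08 * k, "op": "io_write"} for k in range(12)]   # 12 writes < 1 s
    + [{"src": "B", "t": float(k), "op": "password_bruteforce"} for k in range(3)]
    + [{"src": "B", "t": 3.0, "op": "port_scan"}]
    + [{"src": "C", "t": 1.5 * k, "op": "io_write"} for k in range(3)]   # slow writes
    + [{"src": "D", "t": 0.0, "op": "trojan_implant"}]
)
DECISIONS = classify(group_by_source(SAMPLE))

if __name__ == "__main__":
    for src, ev in group_by_source(SAMPLE).items():
        print(src, threat_degree(ev), DECISIONS[src])
```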
According to the embodiment of the invention, the data processing method based on the large number of the nodes further comprises the following steps:
obtaining access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
carrying out statistics and summarization on the flow to be processed, and determining the threat characteristic causing the system threat;
based on the threat characteristics, a threat statistics report is generated, the threat statistics including formulation for a threat alert mechanism.
It should be noted that the original traffic recording and storing module can acquire the access traffic within a preset time period, perform structured processing on it, and then store the resulting traffic to be processed, so that the threat trapping analysis and warning module can query and compare the traffic to be processed. The preset time period may be one day, one month, one quarter, and the like; it is determined by the requirements of the actual application scene and is not limited here.
On this basis, the threat trapping analysis and alarm module performs statistical summarization on the traffic to be processed and, through the report output function of the management system, determines the threat characteristics causing system threats. These characteristics include, but are not limited to, access conditions within the preset time period, intrusion detection conditions, resource pool calling conditions, attack data statistics, and major event alarms and predictions. The report output function then generates a threat statistics report from the threat characteristics through an embedded test report template, and the threat statistics report includes a formulation that can be used for a threat early-warning mechanism. For example, taking a week as the preset time period: if the threat characteristics show that intrusion traffic occurred 15 times within the week and 12 of those occurrences fell within the first 3 days, the threat early-warning mechanism can be set accordingly, so that an alarm is raised when intrusion traffic exceeds 5 occurrences per day in the first 3 days of the week and when it exceeds 2 occurrences per day in the remaining 4 days. It should be understood that the foregoing example is merely for understanding the present solution and is not to be construed as limiting the specific threat early-warning mechanism.
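The weekly illustration above can be worked through on constructed structured traffic. The following is an added example and not the patent's code: the records, the week starting 2021-12-06, the split after day 3 and the alarm rule itself (alarm when a day's count exceeds the ceiling of the segment's mean daily count plus one) are assumptions; the rule was chosen because it reproduces the patent's figures of "more than 5 per day" for the first 3 days and "more than 2 per day" for the remaining 4 days, but the patent does not state a formula.

```python
"""Threat statistics report over a preset period, with an early-warning rule.

Added example, not the patent's code. Input is constructed structured traffic
("traffic to be processed"): one record per access with a flag for intrusion
traffic. The patent's illustration has 15 intrusion records in a week, 12 of
them in the first 3 days, and derives an alarm rule of "more than 5 per day"
for days 1-3 and "more than 2 per day" for days 4-7. The rule used here,
alarm when a day's count exceeds ceil(mean daily count of the segment) + 1,
is an assumption chosen because it reproduces those numbers; the patent does
not state a formula.
"""
import math
from datetime import date, datetime, timedelta

WEEK_START = date(2021, 12, 6)   # constructed period start (a Monday)
DAYS = 7
SPLIT_DAY = 3                    # days 1-3 form the first segment, as in the patent's example

# Constructed sample: (day offset, intrusion accesses, normal accesses).
_DAY_SPEC = [(0, 5, 20), (1, 4, 18), (2, 3, 25), (3, 1, 22), (4, 0, 19), (5, 2, 10), (6, 0, 8)]


def make_sample_records():
    """Build the constructed structured traffic records for the week."""
    records = []
    for offset, n_intrusion, n_normal in _DAY_SPEC:
        day = datetime.combine(WEEK_START + timedelta(days=offset), datetime.min.time())
        for i in range(n_intrusion):
            records.append({"ts": day + timedelta(hours=i), "src": f"198.51.100.{i + 1}", "intrusion": True})
        for i in range(n_normal):
            records.append({"ts": day + timedelta(minutes=i), "src": "10.0.0.2", "intrusion": False})
    return records


def daily_intrusion_counts(records, period_start=WEEK_START, days=DAYS):
    """Intrusion-traffic count per day; records outside the period are ignored."""
    counts = [0] * days
    for r in records:
        if r["intrusion"]:
            idx = (r["ts"].date() - period_start).days
            if 0 <= idx < days:
                counts[idx] += 1
    return counts


def alarm_threshold(segment_counts):
    """Assumed rule: alarm when a day exceeds ceil(mean) + 1 of its segment."""
    return math.ceil(sum(segment_counts) / len(segment_counts)) + 1


def build_report(records, period_start=WEEK_START, days=DAYS, split_day=SPLIT_DAY):
    """Threat statistics report: totals, per-day counts and the derived early-warning rule."""
    counts = daily_intrusion_counts(records, period_start, days)
    segments = [(1, split_day, counts[:split_day]), (split_day + 1, days, counts[split_day:])]
    return {
        "period": (period_start.isoformat(), (period_start + timedelta(days=days - 1)).isoformat()),
        "access_total": len(records),
        "intrusion_total": sum(counts),
        "intrusion_by_day": counts,
        "early_warning": [
            {"from_day": lo, "to_day": hi, "alarm_if_daily_count_exceeds": alarm_threshold(seg)}
            for lo, hi, seg in segments
        ],
    }


def should_alarm(report, day_of_week, observed_count):
    """Apply the report's early-warning rule to a new day's intrusion count (1-based day)."""
    for rule in report["early_warning"]:
        if rule["from_day"] <= day_of_week <= rule["to_day"]:
            return observed_count > rule["alarm_if_daily_count_exceeds"]
    raise ValueError(f"day {day_of_week} outside the report period")


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(make_sample_records()), indent=2))
```

Running it on the constructed week gives the per-day counts 5, 4, 3, 1, 0, 2, 0, a threshold of 5 for days 1 to 3 and of 2 for days 4 to 7, which `should_alarm` then applies to fresh daily counts.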
According to the embodiment of the invention, the data processing method based on the large number of the nodes further comprises the following steps:
obtaining access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
and, in combination with parallel coordinate line connection analysis, displaying the flow to be processed on a data display interface based on a sparse line animation effect within the preset time period, wherein the display mode comprises at least one of 2-dimensional imaging and 3-dimensional animation effects.
It should be noted that, similar to the foregoing embodiment, the original traffic recording and storing module may obtain the access traffic within a preset time period, perform structured processing on the access traffic within the preset time period, and then store the obtained traffic to be processed, so that the threat trapping analysis and warning module queries and compares the traffic to be processed. The preset time period may be a time period of one day, one month, one quarter, and the like, and is determined according to the actual application scene requirements, which is not limited herein.
On this basis, the threat trapping analysis and alarm module can also, in combination with parallel coordinate line connection analysis, display the flow to be processed on a data display interface based on a sparse line animation effect within the preset time period. Specifically, the threat trapping analysis and alarm module presents its results through the visual display function of the management system, using a visualization technique that combines parallel coordinate line connection analysis with a time-sequence-based sparse line animation effect to dynamically display the flow to be processed acquired in the preset time period. The display mode may be 2-dimensional imaging, 3-dimensional animation effects, or both. It should be understood that, in practical application, the specific information of the flow to be processed may also be described by intelligent voice broadcasting, or the information related to intrusion traffic appearing in the flow to be processed may be highlighted, so the specific way of displaying the intrusion traffic is not limited here.
According to the embodiment of the invention, the data processing method based on the large number of the nodes further comprises the following steps:
obtaining access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
extracting a potential intrusion behavior set based on the traffic to be processed, wherein the potential intrusion behavior set comprises at least one potential intrusion behavior;
attribution analysis is carried out on the potential intrusion behavior set to obtain the intrusion reason of each potential intrusion behavior;
and determining the intrusion mode of the intrusion behavior based on the intrusion reason of each potential intrusion behavior.
It should be noted that, similar to the foregoing embodiment, the original traffic recording and storing module may obtain the access traffic within a preset time period, perform structured processing on the access traffic within the preset time period, and then store the obtained traffic to be processed, so that the threat trapping analysis and warning module queries and compares the traffic to be processed. The preset time period may be a time period of one day, one month, one quarter, and the like, and is determined according to the actual application scene requirements, which is not limited herein.
On this basis, the threat trapping analysis and alarm module can also extract potential intrusion behaviors from the acquired traffic to be processed and cluster them into a potential intrusion behavior set, which comprises at least one potential intrusion behavior. Attribution analysis is then performed on the potential intrusion behavior set to obtain the intrusion reason of each potential intrusion behavior, and the intrusion mode of the intrusion behavior is determined from the traffic to be processed using a clustering method based on the similarity of attack time sequences. For example, when the system runs service A in time slot A, it receives communication request information A sent by intruder A, which is used to access service A; and when the system runs service B in time slot B, it receives communication request information B sent by intruder B, which is used to access service B. It should be understood that the foregoing example is for understanding the present solution only and is not to be construed as limiting the specific intrusion reason and intrusion mode.
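The clustering by attack time-sequence similarity can be shown on a constructed set of potential intrusion behaviors modelled on the A/B illustration above. This is an added example, not the patent's method: each behavior is one intruder's list of (hour of day, requested service) pairs, attribution is modelled as the set of services requested, and an intrusion mode is a cluster of behaviors with similar hour-of-day activity. The 24-bin hourly profile, cosine similarity, the 0.8 similarity threshold, single-linkage grouping and the intruder and service names are all assumptions.

```python
"""Grouping potential intrusion behaviours by attack time-sequence similarity.

Added example, not from the patent. Each potential intrusion behaviour is one
intruder's list of (hour of day, requested service) pairs taken from the
traffic to be processed (constructed sample below). Attribution is modelled
as the set of services the intruder asked for, and an "intrusion mode" as a
cluster of behaviours with similar hour-of-day activity. The 24-bin hourly
profile, cosine similarity, the 0.8 similarity threshold and single-linkage
grouping are all assumptions for illustration.
"""
import math

SIMILARITY_THRESHOLD = 0.8

# Constructed: intruder -> [(hour, service), ...]. A and C probe service A at night,
# B and D probe service B in the afternoon, mirroring the patent's A/B illustration.
SAMPLE_BEHAVIOURS = {
    "intruder_A": [(2, "service_A"), (2, "service_A"), (3, "service_A"), (3, "service_A"), (4, "service_A")],
    "intruder_B": [(14, "service_B"), (14, "service_B"), (15, "service_B"), (16, "service_B")],
    "intruder_C": [(2, "service_A"), (3, "service_A"), (3, "service_A"), (4, "service_A"), (4, "service_A")],
    "intruder_D": [(14, "service_B"), (14, "service_B"), (15, "service_B"), (15, "service_B")],
}


def hourly_profile(hours):
    """Unit-length 24-bin histogram of request hours (the attack time sequence)."""
    bins = [0.0] * 24
    for h in hours:
        bins[h % 24] += 1.0
    norm = math.sqrt(sum(b * b for b in bins))
    return [b / norm for b in bins] if norm else bins


def cosine(a, b):
    """Cosine similarity of two unit-length profiles."""
    return sum(x * y for x, y in zip(a, b))


def cluster_by_timing(behaviours, threshold=SIMILARITY_THRESHOLD):
    """Single linkage: a behaviour joins every cluster containing a similar member,
    and those clusters are merged into one."""
    profiles = {name: hourly_profile([h for h, _ in seq]) for name, seq in behaviours.items()}
    clusters = []
    for name in profiles:
        similar = [c for c in clusters
                   if any(cosine(profiles[name], profiles[m]) >= threshold for m in c)]
        merged = [name] + [m for c in similar for m in c]
        clusters = [c for c in clusters if c not in similar] + [merged]
    return sorted(sorted(c) for c in clusters)


def intrusion_modes(behaviours, threshold=SIMILARITY_THRESHOLD):
    """One intrusion mode per cluster: its members, the services they targeted
    (the attributed intrusion reason) and the hours over which they were active."""
    modes = []
    for members in cluster_by_timing(behaviours, threshold):
        hours = [h for m in members for h, _ in behaviours[m]]
        services = sorted({s for m in members for _, s in behaviours[m]})
        modes.append({"intruders": members, "services": services,
                      "active_hours": (min(hours), max(hours))})
    return modes


if __name__ == "__main__":
    for mode in intrusion_modes(SAMPLE_BEHAVIOURS):
        print(mode)
```

On the constructed data the four behaviors fall into two intrusion modes: a night-time mode attributed to service A and an afternoon mode attributed to service B. Raising the threshold to 0.99 leaves every behavior in its own cluster, which is the knob an analyst tunes against the false-merge rate.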
According to the embodiment of the invention, the data processing method based on the large number of the nodes further comprises the following steps:
obtaining access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
based on a security knowledge base, carrying out application association analysis processing on the flow to be processed, and identifying the attack plan of the intrusion behavior;
and reconstructing an intrusion process scene of the intrusion behavior based on the attack plan of the intrusion behavior.
It should be noted that, similar to the foregoing embodiment, the original traffic recording and storing module may obtain the access traffic within a preset time period, perform structured processing on the access traffic within the preset time period, and then store the obtained traffic to be processed, so that the threat trapping analysis and warning module queries and compares the traffic to be processed. The preset time period may be a time period of one day, one month, one quarter, and the like, and is determined according to the actual application scene requirements, which is not limited herein.
On this basis, the threat trapping analysis and alarm module can also perform application association analysis processing on the flow to be processed based on the security knowledge base, identify the attack plan of the intrusion behavior, and reconstruct the intrusion process scene of the intrusion behavior from that attack plan. Specifically, the threat trapping analysis and alarm module captures the flow to be processed and, with the support of the security knowledge base, applies the association analysis method to identify the attack plan and reconstruct the attack process scene, so that security researchers can better discover and understand the attack scenes contained in the flow to be processed, which improves the security of the system and ensures the security of data processing.
FIG. 3 is a block diagram of a data processing system based on a large number of nodes according to the present invention.
As shown in fig. 3, the present invention discloses a data processing system based on a large number of nodes. The data processing system 3 based on a large number of nodes includes a memory 31 and a processor 32, the memory 31 stores a data processing method program based on a large number of nodes, and the program implements the following steps when executed by the processor 32:
receiving communication request information, and determining that the communication request information carries communication request data;
determining intrusion flow from the access flow, wherein the intrusion flow is generated when the communication request information is received, and the intrusion flow comprises communication request data;
determining communication request data from the intrusion flow, and packaging the communication request data;
processing the encapsulated communication request data to acquire communication reply data corresponding to the communication request data;
and sending the communication reply message, wherein the communication reply message comprises communication reply data.
According to the embodiment of the present invention, in the data processing system 3 based on the large number of nodes, the following steps can further be implemented when the data processing method program based on the large number of nodes is executed by the processor 32:
carrying out intrusion detection processing on the intrusion flow, and determining an intrusion behavior and a non-intrusion behavior, wherein the intrusion behavior is a behavior with the threat degree greater than or equal to the threat threshold value, and the non-intrusion behavior is a behavior with the threat degree smaller than the threat threshold value;
and intercepting the intrusion behavior, and performing behavior release processing on the non-intrusion behavior so as to normally perform the non-intrusion behavior.
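The request-to-reply path of the system (receive the communication request information, determine the intrusion flow, encapsulate the request data, process it, send the reply) can be sketched end to end. The following is an added example and not the patent's implementation: the request and reply layout (a register read or write loosely modelled on a PLC protocol), the pool of 64 node identities with one real controller, the rule that requests addressed to any other pool node are intrusion flow, the constructed register contents and the use of HMAC-derived values for decoy replies are all assumptions. The security point it demonstrates is that decoy replies are shaped exactly like real ones and stable across repeated queries, while decoy writes never touch real controller state.

```python
"""Decoy-node request handling: determine intrusion flow, encapsulate, reply.

Added example; not the patent's implementation. The patent's steps are:
receive communication request information, determine the intrusion flow
from the access flow, determine and encapsulate the request data, process it
to obtain reply data, and send a reply message, so that the real controller
stays hidden among many other controllers. Everything concrete here is an
assumption: the request/reply layout (a register read/write loosely modelled
on a PLC protocol), the rule that requests addressed to any pool node other
than the real controller are intrusion flow, and the use of HMAC-derived
register values so decoy replies are stable and shaped exactly like real ones.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass

DECOY_KEY = b"constructed-demo-key"                     # per-deployment secret (constructed)
REAL_NODE = "node-017"                                  # the single real controller (constructed)
NODE_POOL = {f"node-{i:03d}" for i in range(1, 65)}     # 64 controller identities on the wire
REAL_REGISTERS = {0: 1200, 1: 1310, 2: 0, 3: 1}         # constructed real controller state
REGISTER_RANGE = 2000                                   # assumed value range of real registers


@dataclass
class Envelope:
    """Encapsulated communication request data, as stored for later analysis."""
    node: str
    src: str
    received_at: float
    is_intrusion: bool
    request: dict


def is_intrusion_flow(msg):
    """Assumed rule: only traffic for the real controller is legitimate access flow."""
    return msg["dst_node"] in NODE_POOL and msg["dst_node"] != REAL_NODE


def encapsulate(msg, now=None):
    """Wrap the request data with its source, target node, time and classification."""
    return Envelope(node=msg["dst_node"], src=msg["src"],
                    received_at=time.time() if now is None else now,
                    is_intrusion=is_intrusion_flow(msg),
                    request={"func": msg["func"], "addr": msg["addr"],
                             "count": msg.get("count", 1), "value": msg.get("value")})


def decoy_value(node, addr):
    """Stable, non-guessable register value for a decoy node (same range as real ones)."""
    mac = hmac.new(DECOY_KEY, f"{node}:{addr}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big") % REGISTER_RANGE


def process(env):
    """Produce reply data; decoys answer with the same shape but never touch real state."""
    req = env.request
    addrs = range(req["addr"], req["addr"] + req["count"])
    if req["func"] == "read_holding":
        if env.is_intrusion:
            return {"status": "ok", "values": [decoy_value(env.node, a) for a in addrs]}
        return {"status": "ok", "values": [REAL_REGISTERS.get(a, 0) for a in addrs]}
    if req["func"] == "write_single":
        if not env.is_intrusion:
            REAL_REGISTERS[req["addr"]] = req["value"]
        return {"status": "ok", "values": [req["value"]]}   # decoy acknowledges, state unchanged
    return {"status": "error", "code": "illegal_function"}


def handle_request(msg, log, now=None):
    """Full path: receive -> classify -> encapsulate (and record) -> process -> reply message."""
    if msg.get("dst_node") not in NODE_POOL:
        return {"dst": msg.get("src"), "node": msg.get("dst_node"),
                "status": "error", "code": "unknown_node"}
    env = encapsulate(msg, now)
    log.append(env)                       # original-traffic recording for the analysis modules
    return {"dst": env.src, "node": env.node, **process(env)}


if __name__ == "__main__":
    traffic_log = []
    print(handle_request({"dst_node": REAL_NODE, "src": "10.0.0.2", "func": "read_holding",
                          "addr": 0, "count": 2}, traffic_log))
    print(handle_request({"dst_node": "node-003", "src": "198.51.100.7", "func": "read_holding",
                          "addr": 0, "count": 2}, traffic_log))
```

Keying the decoy values with a per-deployment secret is what makes the 64 identities indistinguishable from the wire: a reply from a decoy carries the same keys and value range as a reply from the real controller, and two reads of the same decoy register agree, so nothing in the reply shape or its consistency singles out the real node.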
A third aspect of the present invention provides a computer-readable storage medium that includes a large-node-number-based data processing method program; when the large-node-number-based data processing method program is executed by a processor, the steps of the large-node-number-based data processing method described in any one of the above are implemented.
According to the data processing method and system based on the large number of nodes and the readable storage medium disclosed by the invention, the access flow is filtered and detected to determine the intrusion flow within it, so that the communication request information available when the data is intruded upon is obtained and the communication reply information corresponding to that communication request information is sent back. Through repeated data processing of this kind, the real service controller is hidden among a plurality of other controllers, so that an intruder cannot accurately identify the specific service controller; this reduces the attack efficiency of the intruder and enhances the safe operation capability of the industrial control system.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; they can be located in one place or distributed over a plurality of network units, and some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, all the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that all or part of the steps for implementing the method embodiments can be completed by hardware related to program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments; and the aforementioned storage medium includes: a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or various other media capable of storing program code.
Alternatively, the integrated unit of the present invention may be stored in a computer-readable storage medium if it is implemented in the form of a software functional module and sold or used as a separate product. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or a part contributing to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, a ROM, a RAM, a magnetic or optical disk, or various other media that can store program code.

Claims (9)

1. A data processing method based on a large number of nodes is characterized by comprising the following steps:
receiving communication request information and determining an intrusion, wherein the communication request information carries communication request data;
determining intrusion flow from access flow, wherein the intrusion flow is generated when the communication request information is received, and the intrusion flow comprises the communication request data;
determining the communication request data from the intrusion flow, and packaging the communication request data;
processing the encapsulated communication request data to acquire communication reply data corresponding to the communication request data;
and sending a communication reply message, wherein the communication reply message comprises the communication reply data.
2. The data processing method based on the large number of nodes according to claim 1, wherein the method further comprises:
carrying out intrusion detection processing on the intrusion flow, and determining an intrusion behavior and a non-intrusion behavior, wherein the intrusion behavior is a behavior with a threat degree greater than or equal to a threat threshold value, and the non-intrusion behavior is a behavior with a threat degree smaller than the threat threshold value;
intercepting the intrusion behavior, and performing behavior releasing processing on the non-intrusion behavior so as to enable the non-intrusion behavior to be normally performed.
3. The data processing method based on the large number of nodes according to claim 1, wherein the method further comprises:
acquiring the access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
counting and summarizing the flow to be processed, and determining threat characteristics causing system threats;
generating a threat statistics report based on the threat characteristics, the threat statistics report including a formulation of a threat early-warning mechanism.
4. The data processing method based on the large number of nodes according to claim 1, wherein the method further comprises:
acquiring the access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
and, in combination with parallel coordinate line connection analysis, displaying the flow to be processed on a data display interface based on the sparse line animation effect within the preset time period, wherein the display mode comprises at least one of 2-dimensional imaging and 3-dimensional animation effects.
5. The data processing method based on the large number of nodes according to claim 1, wherein the method further comprises:
acquiring the access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
extracting a potential intrusion behavior set based on the to-be-processed traffic, wherein the potential intrusion behavior set comprises at least one potential intrusion behavior;
attribution analysis is carried out on the potential intrusion behavior set to obtain an intrusion reason of each potential intrusion behavior;
and determining the intrusion mode of the intrusion behavior based on the intrusion reason of each potential intrusion behavior.
6. The data processing method based on the large number of nodes according to claim 1, wherein the method further comprises:
acquiring the access flow in a preset time period;
carrying out structuralization processing on the access flow to obtain a flow to be processed;
based on a security knowledge base, carrying out application association analysis processing on the flow to be processed, and identifying an attack plan of the intrusion behavior;
and reconstructing an intrusion process scene of the intrusion behavior based on the attack plan of the intrusion behavior.
7. A data processing system based on a large number of nodes is characterized by comprising a memory and a processor, wherein the memory comprises a data processing method program based on the large number of nodes, and the data processing method program based on the large number of nodes realizes the following steps when being executed by the processor:
receiving communication request information and determining an intrusion, wherein the communication request information carries communication request data;
determining intrusion flow from access flow, wherein the intrusion flow is generated when the communication request information is received, and the intrusion flow comprises the communication request data;
determining the communication request data from the intrusion flow, and packaging the communication request data;
processing the encapsulated communication request data to acquire communication reply data corresponding to the communication request data;
and sending a communication reply message, wherein the communication reply message comprises the communication reply data.
8. The data processing system according to claim 7, wherein the data processing method program based on the large number of nodes further implements the following steps when executed by the processor:
carrying out intrusion detection processing on the intrusion flow, and determining an intrusion behavior and a non-intrusion behavior, wherein the intrusion behavior is a behavior with a threat degree greater than or equal to a threat threshold value, and the non-intrusion behavior is a behavior with a threat degree smaller than the threat threshold value;
intercepting the intrusion behavior, and performing behavior releasing processing on the non-intrusion behavior so as to enable the non-intrusion behavior to be normally performed.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium includes a large-node-number-based data processing method program, and when the large-node-number-based data processing method program is executed by a processor, the steps of a large-node-number-based data processing method according to any one of claims 1 to 6 are implemented.
CN202111502246.5A 2021-12-10 2021-12-10 Data processing method and system based on large number of nodes and readable storage medium Active CN113904878B (en)

Publications (2)

Publication Number Publication Date
CN113904878A true CN113904878A (en) 2022-01-07
CN113904878B CN113904878B (en) 2022-03-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: A data processing method, system, and readable storage medium based on large node numbers

Effective date of registration: 20231108

Granted publication date: 20220325

Pledgee: Guotou Taikang Trust Co.,Ltd.

Pledgor: Zhejiang Mulian Internet of things Technology Co.,Ltd.

Registration number: Y2023980064454