Industrial control system with intrusion detection function and detection method
Technical Field
The invention relates to the technical field of computer systems, in particular to an industrial control system with an intrusion detection function and a detection method.
Background
The network is a tool that brings convenience and speed to people, but it is also easily exploited by those with other intentions. Network security situations in society are becoming more and more complex, and incidents such as data leakage and hacking are becoming more and more severe. The network brings favourable factors for industrial development, but also challenges for the industrial internet of things. When an industrial system is invaded by a hacker, the hacker may rewrite the control program, causing a series of subsequent problems.
The existing industrial control system is deficient in detection before a hacker intrusion: the abnormality of the system is usually only detected after the intrusion has occurred, and once the abnormality occurs, great damage and destruction are caused to individuals, enterprises and society. Detecting abnormal instructions before the industrial control system is invaded is therefore necessary in order to resolve potential safety hazards in time and reinforce the control system.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides an industrial control system with an intrusion detection function and a detection method. The design scheme has the advantage that abnormal instructions can be detected before the industrial control system is intruded, including abnormal instructions disguised as normal instructions.
The industrial control system with the intrusion detection function comprises an intrusion detection system, wherein the intrusion detection system comprises a network communication module, an intrusion scanning module, a virtual intranet module, an instruction analysis module and a vulnerability alarm module, and the vulnerability alarm module is connected with the industrial control system and is used for controlling the industrial control system to send an alarm;
the intrusion scanning module comprises a white list storage unit and a black list storage unit, wherein the white list storage unit comprises a known and authorized request instruction or software installation program in the intranet, and the black list storage unit comprises an abnormal instruction or a virus program recorded in the intranet;
the virtual intranet module comprises a virtual program unit, an instruction rescanning unit, an instruction matching unit and a data transmission unit;
the instruction analysis module comprises a new instruction storage unit, a historical instruction storage unit and an alarm information sending unit.
As a further improvement of the invention, the system also comprises an external network, a router, an internal network and an industrial control system, wherein the intrusion detection system is arranged on the connecting channel between the external network and the internal network and is connected with the router through the network communication module, the router is connected with the external network, and the internal network is connected with the industrial control system.
Through this design of the technical scheme, the intrusion detection system is arranged between the external network and the internal network, so that abnormal instructions are cut off and processed before they invade the internal network and the industrial system is prevented from being damaged.
As a further improvement of the invention, the network communication module is connected with the intrusion scanning module, the intrusion scanning module is connected with the virtual intranet module through the white list storage unit, and the virtual intranet module is connected with the instruction analysis module through the data transmission unit.
Through this design of the technical scheme, data transmission among the plurality of modules is realized, and abnormal instructions can be checked and processed immediately.
As a further improvement of the invention, a blacklist storage unit in the intrusion scanning module and a data transmission unit in the virtual intranet module are connected with the vulnerability alarm module through an alarm information sending unit in the instruction analysis module.
Through this design of the technical scheme, when any one of the modules finds an abnormal instruction, alarm information is generated immediately through the vulnerability alarm module, so that management personnel can process the abnormal instruction without delay.
As a further improvement of the present invention, the network communication module is configured to receive a network communication command from the external network, generate a data packet to be detected, and send the data packet to the intrusion scanning module, where the network communication module is one or more of a GPRS communication unit, an EDGE communication unit, a CDMA communication unit, a WCDMA communication unit, and a CDMA2000 communication unit.
Through the technical scheme design, the instruction of the external network can be received through the network communication module, and the instruction is transmitted to the intrusion detection system.
As a further improvement of the invention, the virtual program unit comprises a part of virtual programs of the intranet and is used for receiving vulnerability attacks, and the instruction rescanning unit performs illegal instruction scanning on the request instruction or the software installation program received by the virtual intranet module.
Through this design of the technical scheme, part of the virtual program of the intranet is arranged in the virtual program unit, so that an abnormal instruction disguised as a white list instruction is exposed when it attacks the virtual program, and the system and the workers can conveniently find and intercept it.
As a further improvement of the invention, the new instruction storage unit stores the abnormal instruction transmitted by the data transmission unit, generates an instruction information table in real time, and configures a unique instruction ID;
the historical instruction storage unit receives the instruction information table generated by the new instruction storage unit and performs instruction ID matching with data stored in the newly received instruction information table;
the alarm information sending unit is used for sending the information of the vulnerability generated at that moment to the vulnerability alarm module.
Through the technical scheme design, the new abnormal instruction can be recorded and stored, and different processing modes are used for processing according to different abnormal instructions.
To achieve the above object, there is provided a detection method of an industrial control system having an intrusion detection function,
the method comprises the following steps:
step S1, the network communication module receives the network communication instruction of the external network, generates the data packet to be detected and sends the data packet to the intrusion scanning module;
step S2, scanning and comparing the data packet to be detected from the network communication module with the data recorded in the white list storage unit and the black list storage unit respectively;
step S2-1, when the scanning result is an instruction recorded in the white list storage unit, a data channel between the external network and the virtual intranet module is opened, and when the scanning result is a recorded abnormal instruction or virus program, the information is sent to the vulnerability alarm module;
step S3, the virtual program unit receives the instruction recorded in the white list storage unit, and detects whether the instruction recorded in the white list storage unit is an abnormal instruction through a virtual program built in the virtual program unit;
step S3-1, when the scanning result is an abnormal instruction which is not recorded in the blacklist storage unit or a normal instruction which is recorded in the white list storage unit, opening a connection channel of a real intranet;
step S3-2, when the scanning result is an abnormal instruction recorded in the blacklist storage unit or a normal instruction not recorded in the whitelist storage unit, a data channel between the external network and the instruction analysis module is opened, the request of the abnormal instruction is immediately rejected, and information is sent to the vulnerability alarm module;
step S4, the new instruction storage unit receives the abnormal instruction for storage, generates an abnormal instruction information table in real time, configures a unique instruction ID, and matches the abnormal instruction ID with the data stored in the historical instruction storage unit;
step S4-1, when the same abnormal instruction ID is matched, processing by using a processing mode corresponding to the historical abnormal instruction ID, generating a vulnerability processing table and sending information to a vulnerability alarm module;
step S4-2, when a new abnormal instruction ID is found, analyzing the corresponding new abnormal instruction ID by using an analysis tool, acquiring corresponding vulnerability information, and generating a new abnormal instruction analysis table;
step S5, the vulnerability alarm module receives the abnormal instruction information formed by the intrusion scanning module, the virtual intranet module and the instruction analysis module, and controls the industrial control system to give an alarm.
Compared with the prior art, the invention has the following beneficial effects:
according to the invention, the designed intrusion scanning module performs white list and black list matching on the network communication command from the network communication module. When a command matches an abnormal command recorded in the black list storage unit, an alarm is sent out in time and the abnormal command is forbidden from controlling the intranet. When a command matches a command recorded in the white list storage unit, the matched command is passed to the virtual intranet module, where the virtual program unit performs simulation detection on it, so that it is further detected whether the matched white list command is an abnormal command in disguise. The abnormal command from the network communication module is thus detected through multiple means, and the safety performance of the industrial control system is further improved. Through the designed instruction analysis module, abnormal instructions can also be recorded: if an abnormal instruction is already recorded in the system, it can be processed quickly by the historical processing mode, and if it is a new abnormal instruction disguised as a white list instruction, the analysis tool can quickly analyze and record it, which makes it convenient for the workers to handle new abnormal instructions quickly.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
FIG. 1 is a schematic diagram of a framework of an intrusion detection system according to the present invention;
FIG. 2 is a schematic diagram of a frame structure of an intrusion scanning module according to the present invention;
FIG. 3 is a schematic diagram of a frame structure of a virtual intranet module according to the present invention;
FIG. 4 is a block diagram of an exemplary embodiment of a command analysis module;
FIG. 5 is a schematic flow chart of the method of the present invention.
In the figure: 10. a network communication module; 20. an intrusion scanning module; 201. a white list storage unit; 202. a blacklist storage unit; 30. a virtual intranet module; 301. a virtual program unit; 302. an instruction rescanning unit; 303. an instruction matching unit; 304. a data transmission unit; 40. an instruction analysis module; 401. a new instruction storage unit; 402. a history instruction storage unit; 403. an alarm information sending unit; 50. a vulnerability alarm module.
Detailed Description
In the following description, for purposes of explanation, numerous implementation details are set forth in order to provide a thorough understanding of the various embodiments of the present invention. It should be understood, however, that these implementation details are not to be interpreted as limiting the invention. That is, in some embodiments of the invention, such implementation details are not necessary. In addition, some conventional structures and components are shown in simplified schematic form in the drawings.
In addition, the descriptions related to the first, the second, etc. in the present invention are only used for description purposes, do not particularly refer to an order or sequence, and do not limit the present invention, but only distinguish components or operations described in the same technical terms, and are not understood to indicate or imply relative importance or implicitly indicate the number of indicated technical features. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In addition, technical solutions between various embodiments may be combined with each other, but must be realized by a person skilled in the art, and when the technical solutions are contradictory or cannot be realized, such a combination should not be considered to exist, and is not within the protection scope of the present invention.
Referring to fig. 1-4, an industrial control system with intrusion detection function includes an intrusion detection system, the intrusion detection system includes a network communication module 10, an intrusion scanning module 20, a virtual intranet module 30, an instruction analysis module 40, and a vulnerability alarm module 50, and the vulnerability alarm module 50 is connected to the industrial control system for controlling the industrial control system to send an alarm;
the intrusion scanning module 20 includes a white list storage unit 201 and a black list storage unit 202, the white list storage unit 201 includes a known and authorized request instruction or software installation program in the intranet, and the black list storage unit 202 includes an abnormal instruction or virus program recorded in the intranet;
the virtual intranet module 30 includes a virtual program unit 301, an instruction rescanning unit 302, an instruction matching unit 303, and a data transmission unit 304;
the instruction analysis module 40 includes a new instruction storage unit 401, a history instruction storage unit 402, and an alarm information transmission unit 403.
Further, the system comprises an external network, a router, an internal network and an industrial control system, wherein the intrusion detection system is arranged on the connecting channel between the external network and the internal network, the intrusion detection system is connected with the router through the network communication module 10, the router is connected with the external network, and the internal network is connected with the industrial control system; the intrusion detection system is thus arranged between the external network and the internal network, so that abnormal instructions are cut off and processed before they invade the internal network and the industrial system is prevented from being damaged.
Further, the network communication module 10 is connected to the intrusion scanning module 20, the intrusion scanning module 20 is connected to the virtual intranet module 30 through the white list storage unit 201, and the virtual intranet module 30 is connected to the instruction analysis module 40 through the data transmission unit 304; the data transmission among a plurality of modules can be realized, and the inspection and the processing of abnormal instructions can be realized at the first time.
Further, the blacklist storage unit 202 in the intrusion scanning module 20 and the data transmission unit 304 in the virtual intranet module 30 are both connected to the vulnerability alarm module 50 through the alarm information sending unit 403 in the instruction analysis module 40; when any one of the modules finds an abnormal instruction, alarm information can be generated through the vulnerability alarm module 50 at the first time, and then management personnel can conveniently process the abnormal instruction at the first time.
Further, the network communication module 10 is configured to receive a network communication instruction of an external network, generate a to-be-detected data packet, and send the to-be-detected data packet to the intrusion scanning module 20, where the network communication module 10 is one or more of a GPRS communication unit, an EDGE communication unit, a CDMA communication unit, a WCDMA communication unit, and a CDMA2000 communication unit; the network communication module 10 can receive the command from the external network and transmit the command to the intrusion detection system.
Further, the virtual program unit 301 includes a partial virtual program of the intranet and is configured to receive vulnerability attacks, and the instruction rescanning unit 302 performs illegal instruction scanning on a request instruction or a software installation program received by the virtual intranet module 30; by setting part of the virtual programs of the intranet in the virtual program unit 301, abnormal instructions disguised as white list instructions are exposed when they attack the virtual programs, so that the system and the workers can find and intercept them in time.
Further, the new instruction storage unit 401 stores the abnormal instruction transmitted by the data transmission unit 304, and generates an instruction information table in real time, and configures a unique instruction ID;
the historical instruction storage unit 402 receives the instruction information table generated by the new instruction storage unit 401, and performs instruction ID matching with data stored in the newly received instruction information table;
the alarm information sending unit 403 is configured to send information about the vulnerability generated at this time to the vulnerability alarm module 50; through the structure, the new abnormal instruction can be recorded and stored, and different processing modes are used for processing according to different abnormal instructions.
Referring to fig. 5, to achieve the above object, a method for detecting an industrial control system with intrusion detection function is provided,
the method comprises the following steps:
step S1, the network communication module 10 receives a network communication instruction of the external network, generates a to-be-detected data packet, and sends the to-be-detected data packet to the intrusion scanning module 20;
step S2, scanning and comparing the data packet to be detected from the network communication module 10 with the data recorded in the white list storage unit 201 and the black list storage unit 202 respectively;
step S2-1, when the scan result is an instruction recorded in the white list storage unit 201, the data channel between the external network and the virtual intranet module 30 is opened, and when the scan result is a recorded abnormal instruction or virus program, the information is sent to the vulnerability alarm module 50;
step S3, the virtual program unit 301 receives the instruction already recorded in the white list storage unit 201, and detects whether the instruction already recorded in the white list storage unit 201 is an abnormal instruction by the virtual program built in the virtual program unit 301;
step S3-1, when the scanning result is an abnormal instruction not recorded in the blacklist storage unit 202 or a normal instruction recorded in the whitelist storage unit 201, opening a connection channel of a real intranet;
step S3-2, when the scanning result is an abnormal instruction already recorded in the blacklist storage unit 202 or a normal instruction not recorded in the whitelist storage unit 201, opening a data channel between the external network and the instruction analysis module 40, immediately rejecting the request of the abnormal instruction, and sending information to the vulnerability alarm module 50;
step S4, the new instruction storage unit 401 receives the abnormal instruction and stores it, and generates an abnormal instruction information table in real time, configures a unique instruction ID, and matches the abnormal instruction ID with the data stored in the historical instruction storage unit 402;
step S4-1, when the same abnormal instruction ID is matched, processing by using a processing mode corresponding to the historical abnormal instruction ID, generating a vulnerability processing table and sending the information to the vulnerability alarm module 50;
step S4-2, when a new abnormal instruction ID is found, analyzing the corresponding new abnormal instruction ID by using an analysis tool, acquiring corresponding vulnerability information, and generating a new abnormal instruction analysis table;
step S5, the vulnerability alarm module 50 receives the abnormal instruction information from the intrusion scanning module 20, the virtual intranet module 30, and the instruction analysis module 40, and controls the industrial control system to send an alarm.
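The detection flow of steps S1 to S5, as set out in both the disclosure and the detailed description above, modelled as an added example in Python (not part of the patent; the opcodes, the white and black list contents and the parameter envelope the virtual program enforces are all constructed). An instruction the virtual program flags as abnormal is rejected and recorded, following step S3-2 and the stated aim of exposing abnormal instructions disguised as white list instructions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample contents of the white list storage unit (201) and the
# black list storage unit (202); the opcodes are illustrative, not a real protocol.
WHITE_LIST = {"READ_STATUS", "SET_SPEED", "STOP"}
BLACK_LIST = {"FLASH_FIRMWARE", "DISABLE_SAFETY"}

# Constructed: the safe parameter envelope the virtual program (301) enforces.
# A white-listed opcode that drives the decoy outside this envelope is treated
# as an abnormal instruction disguised as a white list instruction (step S3).
SAFE_RANGES = {"SET_SPEED": (0, 1500)}


def instruction_id(opcode, arg):
    """Unique instruction ID (step S4): hash of the normalized instruction."""
    return hashlib.sha256(f"{opcode}:{arg}".encode()).hexdigest()[:16]


def virtual_program_check(opcode, arg):
    """Step S3: replay the instruction against the decoy; True if abnormal."""
    if opcode not in SAFE_RANGES:
        return False                      # no parameter envelope to violate
    lo, hi = SAFE_RANGES[opcode]
    return not (lo <= arg <= hi)


@dataclass
class InstructionAnalysisModule:
    """Module 40: new/historical instruction stores plus alarm output (50)."""
    history: dict = field(default_factory=dict)   # instruction ID -> mode
    alarms: list = field(default_factory=list)    # what module 50 receives

    def record(self, opcode, arg, source):
        """Steps S4-1/S4-2/S5; returns (ID, processing mode, seen before)."""
        iid = instruction_id(opcode, arg)
        known = iid in self.history
        if known:                                 # S4-1: reuse historical mode
            mode = self.history[iid]
        else:                                     # S4-2: new ID, analyze it
            mode = f"analyze:{opcode}"
            self.history[iid] = mode
        self.alarms.append((source, iid, mode))   # S5: alarm for module 50
        return iid, mode, known


def detect(packet, analysis):
    """Steps S1-S5 for one (opcode, arg) packet; returns the verdict."""
    opcode, arg = packet
    if opcode in BLACK_LIST:                      # S2-1: recorded abnormal
        analysis.record(opcode, arg, "scan")
        return "reject"
    if opcode not in WHITE_LIST:                  # S3-2: not white-listed
        analysis.record(opcode, arg, "virtual")
        return "reject"
    if virtual_program_check(opcode, arg):        # S3: disguised abnormal
        analysis.record(opcode, arg, "virtual")
        return "reject"
    return "forward"                              # S3-1: open real intranet
```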
The above description is only an embodiment of the present invention, and is not intended to limit the present invention. Various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the scope of the claims of the present invention.