CN114374535A - Controller network attack defense method and system based on virtualization technology - Google Patents

Info

Publication number
CN114374535A
Authority
CN
China
Prior art keywords
management system
input data
data
simulation
controller
Prior art date
Legal status
Granted
Application number
CN202111497236.7A
Other languages
Chinese (zh)
Other versions
CN114374535B (en)
Inventor
王欣
黄玲
李蒙
Current Assignee
Beijing Hollysys Co Ltd
Original Assignee
Beijing Hollysys Co Ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The embodiment of the application discloses a controller network attack defense method and system based on a virtualization technology. The controller comprises a first management system and a second management system, wherein the first management system and the second management system run in mutually isolated running environments, and the mutually isolated running environments are created in a software layer of an operating system by using virtualization software. The method comprises the following steps: after receiving input data, the first management system performs simulation processing on the input data by using a preset first data source and a preset simulation strategy to obtain a simulation result, and detects whether the simulation result is abnormal; if no abnormality exists, the input data is sent to the second management system; the second management system receives the input data, responds to the input data by using a preset second data source and a preset response strategy, and outputs a response result; wherein the simulation policy and the response policy have the same content, and the first data source and the second data source have the same content.

Description

Controller network attack defense method and system based on virtualization technology
Technical Field
The embodiment of the application relates to the field of industrial control, in particular to a controller network attack defense method and system based on a virtualization technology.
Background
With the rapid development of the industrial internet, new generation information technologies such as big data and cloud computing are continuously popularized and applied in industrial control systems, and network communication nodes and communication protocols in the industrial control systems are more complex and diversified. The current state of the technology development puts higher technical requirements on the network security of the controller equipment, and how to improve the network attack defense capability of the controller is a technical difficulty to be solved.
Traditional controller network security defense schemes are of two types: a controller self-defense scheme and an external firewall defense scheme. Both are based on whitelist or blacklist technology. In such schemes, a white list or black list is established in the defense equipment for the quintuple information of controller network communication (data packet source address, data packet destination address, protocol type, source port and destination port), and defense and audit processing is carried out on that quintuple information and on key messages with fixed content formats during network communication.
In practical application, this security defense scheme suffers from an incomplete defense range and a lag in fault detection results, among other problems.
Disclosure of Invention
In order to solve any one of the above technical problems, embodiments of the present application provide a controller network attack defense method and system based on a virtualization technology.
In order to achieve the object of the embodiment of the present application, an embodiment of the present application provides a controller network attack defense method based on a virtualization technology, where the controller includes a first management system and a second management system, where the first management system and the second management system operate in mutually isolated operating environments, where the mutually isolated operating environments are created in a software layer of an operating system by using virtualization software, and the method includes:
after receiving input data, the first management system performs simulation processing on the input data by using a preset first data source and a preset simulation strategy to obtain a simulation result, and detects whether the simulation result is abnormal; if the simulation result is not abnormal, the input data is sent to a second management system;
the second management system receives the input data, responds to the input data by using a preset second data source and a preset response strategy, and outputs a response result;
wherein the simulation policy and the response policy have the same content, and the first data source and the second data source have the same content.
A storage medium having a computer program stored therein, wherein the computer program is arranged to perform the method as described above when executed.
An electronic device comprising a memory having a computer program stored therein and a processor arranged to execute the computer program to perform the method as described above.
A controller network attack defense system based on virtualization technology comprises:
a controller comprising the electronic device described above;
and the memory is used for storing an exception checking strategy, wherein the exception checking strategy is used for judging whether the simulation result has an exception or not.
One of the above technical solutions has the following advantages or beneficial effects:
by carrying out simulation processing on the input data and checking whether the simulation result is abnormal or not, the correctness of the input data is judged, the response of the controller to the input data causing the abnormality is reduced, and the network attack defense capability of the controller is improved.
Additional features and advantages of the embodiments of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the application. The objectives and other advantages of the embodiments of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the embodiments of the present application and are incorporated in and constitute a part of this specification, illustrate embodiments of the present application and together with the examples of the embodiments of the present application do not constitute a limitation of the embodiments of the present application.
FIG. 1 is a diagram of a controller network defense system in the prior art;
fig. 2 is a schematic diagram of a controller network attack defense method based on a virtualization technology according to an embodiment of the present application;
FIG. 3 is a schematic diagram of data processing in the system of FIG. 2;
fig. 4 is a flowchart of a method for managing network security of a controller according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application more apparent, the embodiments of the present application will be described in detail below with reference to the accompanying drawings. It should be noted that, in the embodiments of the present application, features in the embodiments and the examples may be arbitrarily combined with each other without conflict.
Fig. 1 is a schematic diagram of a controller network defense system in the prior art. As shown in FIG. 1, the system realizes the network defense of the controller based on the white list technology. On the basis of controller hardware, an embedded operating system is deployed and operated, and under the environment of the embedded operating system, an operation control module and a network communication defense module are deployed and operated. The control module mainly completes the traditional field control function, and the main flow comprises the steps of receiving external network data, inputting module data acquisition, carrying out industrial control logic operation according to the acquired data, and finally outputting an output result to the field. The network defense module is responsible for completing a network defense function based on a white list and mainly comprises a communication protocol defense strategy module, a communication link defense module and a communication data receiving and transmitting module. The communication data transceiver module is mainly responsible for completing the transceiving of network data, and the communication protocol defense strategy module is responsible for defining a specific white list defense strategy and sending the specific white list defense strategy to the communication link defense module. And the communication link defense module returns the abnormal result to the communication defense strategy module, and if the abnormal result does not exist, the legal data is written into the operation control module.
In the process of implementing the application, technical analysis is performed on the related technologies, and the following reasons for the problems of the related technologies are found, including:
1. The defense range is not comprehensive. The method only defends at the network communication protocol layer of the controller: it can only monitor and diagnose the characteristic information of data packets, and cannot effectively check the legality of the message commands or data that an external network node sends to the controller during operation. For example, if the communication server on site is taken over by a virus intrusion, or is being debugged and misoperated by engineering personnel, and it sends the controller a command that changes the parameter controlling the pressure of the boiler equipment on site, the existing white list or black list technology based on the communication quintuple cannot defend against it. This can eventually lead to excessive boiler pressure on site, which can cause equipment damage, plant downtime and, in severe cases, even harm to personnel's lives and property.
2. Fault check results lag. Even with the existing defense scheme, legality checking is performed on the final result only after the control logic operation. Written error data can be detected this way, but by then the erroneous written data has already been used as input for the control logic operation and other data have been rewritten; normal operation cannot be recovered automatically, and only a shutdown check and fault removal can be carried out on site, which affects the normal operation of the control site. This method therefore lags in its fault detection result and cannot recover automatically when a fault is detected.
To address these shortcomings of existing controller network defense technology, the method for defending the controller against network attacks based on virtualization technology gives the controller a stronger network defense function, can effectively detect a fault before it occurs, and prevents output misoperation of the controller caused by erroneous input data from the external network.
The embodiment of the application provides a controller network attack defense method based on a virtualization technology, wherein the controller comprises a first management system and a second management system, the first management system and the second management system run in mutually isolated running environments, the mutually isolated running environments are created in a software layer of an operating system by utilizing virtualization software, and the method comprises the following steps:
after receiving input data, the first management system performs simulation processing on the input data by using a preset first data source and a preset simulation strategy to obtain a simulation result, and detects whether the simulation result is abnormal; if the simulation result is not abnormal, the input data is sent to a second management system;
the second management system receives the input data, responds to the input data by using a preset second data source and a preset response strategy, and outputs a response result;
wherein the simulation policy and the response policy have the same content, and the first data source and the second data source have the same content.
On the basis of the original single-operating-system software architecture, virtualization software is introduced, an isolated dual-operating-system software task running environment is established on the same controller hardware, and the real operation control module is deployed in one operating environment to form the conventional control software environment. The other operating system realizes the external network attack defense function by simulating and checking external input data, forming a network defense software environment. The network defense software environment thus constructed is isolated from the conventional control software environment, so a fault in the defense function itself cannot affect the conventional control function; the defense function is isolated and the operational safety of the controller is improved.
When the controller receives input data from the external network, the first management system completes the security check of the data written from the external network. The checking technique differs from white list technology: a simulated control logic operation environment runs inside the module, the response to the input data is simulated in that environment, and whether the externally written data is illegal is judged by checking the final operation result. This avoids the second management system responding to illegal data and improves the safety of the controller.
Optionally, if the simulation result is abnormal, the first management system deletes the input data, so as to prevent the second management system from responding to the illegal data, and improve the security of the controller.
Optionally, the storage areas of the simulation result and the response result are isolated from each other, so as to reduce the influence of the simulation result generated by illegal input data on the normal operation of the controller.
Optionally, before processing the input data, the first management system processes the input data by using a preset data filtering policy; and if the processing is passed, performing simulation processing on the input data.
Wherein the data filtering policy may be a white list determined based on the quintuple information.
By filtering the data, the security risk of the first management system caused by illegal data can be reduced, and the security of the first management system is improved.
Optionally, a storage area of input data shared by the first management system and the second management system is set;
after receiving the input data, the first management system stores the input data in a storage area of the input data and marks the state of the input data as not simulated;
updating the state of the input data to be a simulation pass state after the simulation result of the input data is not abnormal;
and the second management system detects whether the storage area of the input data has input data with a data state of passing simulation or not, and reads the input data with the data state of passing simulation.
Through the storage area set up for the input data, the input data can be processed by the first management system and the second management system in turn, and the data state triggers each system's processing.
Optionally, after outputting the response result, the second management system deletes the input data from the storage area of the input data.
According to the method provided by the embodiment of the application, the input data is subjected to simulation processing, whether the simulation result is abnormal or not is checked, the correctness of the input data is judged, the response of the controller to the input data causing the abnormality is reduced, and the network attack defense capability of the controller is improved.
In one exemplary embodiment, mutually isolated execution environments are created by:
creating a communication virtual machine and a control virtual machine, wherein the communication virtual machine runs the first management system and the control virtual machine runs the second management system, and the communication virtual machine has the authority to manage the control virtual machine.
Virtualization software XEN runs in the operating systems, and a dual-operating-system running environment is constructed on the XEN software: one operating system is the operating system OS1 with management authority matched to XEN, and the other is the operating system Guest OS with general authority. The first operating system runs the first management system to complete the network defense function of the controller and is called the communication virtual machine. The other operating system runs the second management system to complete the field control function of the controller system and is called the control virtual machine. In XEN, Dom0 is the virtual machine management operating system of XEN; it has the authority to manage and monitor the operating states of other virtual machines, and operating-system-level faults of other virtual machines cannot affect the operation of Dom0. Therefore, the first management system is better deployed on Dom0, providing a network defense function for the overall operation of the control virtual machine.
Adding a virtual machine operating system inevitably increases the hardware load. To improve performance, the following scheme may be used to create mutually isolated operating environments:
the second management system runs in an operating system in the controller, and a container is created in which the first management system runs.
An independent container environment is constructed through a Docker container, and the first management system is deployed in that container environment. Compared with an operating system in a virtual machine, this implementation improves performance, but the reliability is relatively weaker.
In the implementation process of the specific embodiment, which scheme is adopted can be determined according to the hardware resources of the specific controller and the security requirement.
Fig. 2 is a schematic diagram of a controller network attack defense method based on a virtualization technology according to an embodiment of the present application. As shown in fig. 2, compared with the structure shown in fig. 1, the structure shown in fig. 2 is improved as follows:
1. on the basis of the unchanged hardware architecture of the existing controller, virtualization software XEN is introduced, and a dual-operating-system software environment is constructed on the same hardware equipment. An operation control module is deployed on one operating system, the internal design of the control module is consistent with that of the original scheme, the conventional control function of the controller is completed, the whole system is called as a control virtual machine, the control module is operated, and the control module realizes the function of the second management system. The other operating system deploys an operation control simulation check processing device and a network communication module to complete a communication function and a communication security defense function, and is integrally called as a communication virtual machine, wherein a functional unit running on the communication virtual machine realizes the functions of the first management system. The internal design of the network communication module still adopts a defense design scheme based on the white list technology to be unchanged. On the basis, a control simulation check processing module is additionally arranged and designed, and a network defense function is added.
2. Under the original hardware environment, a power-down nonvolatile storage medium Norflash is added by external expansion. It is used to store the logic project that checks the validity of the operation result of the output module.
3. A control simulation check processing device is additionally designed. The control simulation check processing device comprises a control logic operation simulation module and a check processing module. The control logic operation simulation module simulates the operation on the input data to produce a simulation operation result; the check processing module checks the simulation operation result using the operation result checking logic project, and when an abnormality is detected, the written data is discarded. When the check passes, the written data is written to the control module.
The operation result checking logic project is written by engineering users in an industrial control language on the controller configuration software; its main function is to check the operation result according to the actual situation on site and generate a check result. After it is written, the operation result checking logic project is downloaded to the controller through the configuration software. The controller saves the project to the power-down nonvolatile storage medium Norflash to prevent loss after a power failure.
It should be noted that, in the example shown in fig. 2, a dual-operating-system software operating environment is constructed on the basis of the same hardware environment through XEN virtualization software, and an operation control simulation module is deployed by using an independent operating system environment to detect and defend an external network attack. Alternatively, other virtualization software such as KVM, ACRN, etc. may be used to construct the control simulation module operating environment. Different virtualization software has differences in external application software interfaces and use methods, and corresponding alternatives are selected according to specific situations in the implementation process of specific schemes.
Fig. 3 is a schematic diagram of data processing in the system shown in fig. 2. As shown in fig. 3, the control simulation module includes:
the communication data transceiver unit is used for communication interaction and comprises the following functions: receiving the data written by the network communication unit, sending alarm data to the network communication unit, and writing legal data to the control unit. Once the controller receives external write data, this unit transmits the data to the logic operation unit.
The data acquisition unit is used for acquiring input data; in order to ensure the consistency of the logic operation input data on the communication virtual machine and the real environment, the communication virtual machine and the control virtual machine use the same data source, and data are collected from the control logic input data memory area.
And the logic operation unit is used for finishing logic operation on the written data and the acquired data and outputting a logic operation result. The algorithm adopted by the logic operation is completely consistent with the algorithm for controlling the logic operation unit on the virtual machine.
And the output data unit is used for outputting the logical operation result data to the simulation logical output memory area, and the memory area is an independently divided area, so that the real control output memory area is not influenced, and the field control is not influenced.
The inspection processing module includes:
the result checking unit is used for loading the operation result checking logic project from the power-down nonvolatile storage medium, calling that checking logic to check the simulation operation result, and outputting the check result to the exception processing unit;
and the exception processing unit is used for notifying the communication data transceiver module to write the data into the control module when the check result is not abnormal. If the result is abnormal, the written data is discarded and the communication module is notified to send alarm data.
Fig. 4 is a flowchart of a method for managing network security of a controller according to an embodiment of the present application. As shown in fig. 4, the method includes:
Step 401, the communication data transceiver unit in the network communication module receives external network write data.
Step 402, the communication link defense module in the network communication module performs the white list defense check. If the check fails, jump to step 409; if the check passes, the network write data is passed to the control simulation module and the process proceeds to step 403.
Step 403, the communication data transceiver unit in the control simulation module receives the written data.
Step 404, the data acquisition unit in the control simulation module acquires input data; the acquired data source is consistent with the data source acquired by the actual control module.
Step 405, the logic operation unit in the control simulation module performs the operation; the logic algorithm is consistent with the logic algorithm used by the actual control module.
Step 406, the output data unit in the control simulation module outputs the operation result to the independent simulation logic output memory area, ensuring that the real control logic output memory area is not affected.
Step 407, the result checking unit in the check processing module loads the operation result checking logic project from the Norflash.
Step 408, the exception processing unit in the check processing module judges whether an abnormality occurs: taking the data in the simulation logic output memory area as input, it runs the operation result checking project; if the check result is abnormal, jump to steps 409 and 410; if the check result is normal, proceed to step 411.
Step 409, discard the network write data.
Step 410, issue a communication alarm, and the process ends.
Step 411, the exception processing unit in the check processing module writes the external network data into the control module, and the process ends.
In summary, the embodiments of the present application provide a controller network attack defense scheme based on a power-down nonvolatile storage medium and a virtualization technology. It has the following advantages:
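The following is an added worked example, not code from the patent or from its assignee. It models in Python the shared input-data storage area with per-item states (the "not simulated" / "simulation passed" handover described earlier), the first management system's white-list filter, simulation into an isolated output area and result check, and the second management system's response, following steps 401 to 411. The control logic, the quintuple white list, the parameter values, the field inputs and the `check_project` function (a stand-in for the engineer-written operation result checking logic project that the patent loads from Norflash) are all constructed for illustration; the boiler-pressure setpoint is the scenario the patent's own background uses.

```python
"""Simulate-then-commit check of controller write data (constructed example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    NOT_SIMULATED = "not_simulated"          # set by the first system on receipt
    SIMULATION_PASSED = "simulation_passed"  # set once the check finds no anomaly


@dataclass
class WriteRequest:
    quintuple: Tuple[str, str, str, int, int]  # (src addr, dst addr, protocol, src port, dst port)
    writes: Dict[str, float]                   # parameter name -> value to be written
    state: State = State.NOT_SIMULATED


# Constructed quintuple white list (the data filtering policy applied before simulation).
WHITELIST = {("10.0.0.5", "10.0.0.1", "tcp", 40000, 502)}
# Constructed field inputs; both systems collect from this same input memory area.
FIELD_INPUTS = {"boiler_pressure_mpa": 1.2}


def control_logic(params: Dict[str, float], inputs: Dict[str, float]) -> Dict[str, float]:
    """Stand-in for the plant control logic; the identical function runs in both systems,
    which is what makes the simulation result predictive of the real response."""
    error = params["pressure_setpoint_mpa"] - inputs["boiler_pressure_mpa"]
    valve = max(0.0, min(100.0, 50.0 + params["gain"] * error))
    return {"fuel_valve_pct": valve, "pressure_setpoint_mpa": params["pressure_setpoint_mpa"]}


def check_project(sim_result: Dict[str, float]) -> Optional[str]:
    """Stand-in for the operation result checking logic project. None means no anomaly."""
    if sim_result["pressure_setpoint_mpa"] > 1.6:
        return "setpoint above rated boiler pressure"
    if sim_result["fuel_valve_pct"] >= 100.0:
        return "fuel valve driven to saturation"
    return None


class SharedInputArea:
    """Input-data storage area shared by the two isolated systems; the state flag is
    the only coupling between them."""

    def __init__(self) -> None:
        self.items: List[WriteRequest] = []

    def put(self, req: WriteRequest) -> None:
        req.state = State.NOT_SIMULATED
        self.items.append(req)

    def mark_passed(self, req: WriteRequest) -> None:
        req.state = State.SIMULATION_PASSED

    def take_passed(self) -> List[WriteRequest]:
        return [r for r in self.items if r.state is State.SIMULATION_PASSED]

    def delete(self, req: WriteRequest) -> None:
        self.items.remove(req)


class FirstManagementSystem:
    """Communication side: white-list filter, simulation in an isolated output area, check."""

    def __init__(self, area: SharedInputArea, params: Dict[str, float]) -> None:
        self.area, self.params = area, params
        self.sim_output_area: Dict[str, float] = {}  # separate from the real output area
        self.alarms: List[str] = []

    def receive(self, req: WriteRequest) -> str:
        if req.quintuple not in WHITELIST:              # step 402 fails -> step 409
            return "discarded: whitelist"
        self.area.put(req)                              # stored with state "not simulated"
        trial_params = {**self.params, **req.writes}    # simulate on a copy, never on live data
        self.sim_output_area = control_logic(trial_params, FIELD_INPUTS)   # steps 404-406
        reason = check_project(self.sim_output_area)    # step 408
        if reason is not None:                          # steps 409 and 410
            self.area.delete(req)
            self.alarms.append(reason)
            return "discarded: " + reason
        self.area.mark_passed(req)                      # hand over to the second system
        return "passed"


class SecondManagementSystem:
    """Control side: only ever reads input data whose state is "simulation passed"."""

    def __init__(self, area: SharedInputArea, params: Dict[str, float]) -> None:
        self.area, self.params = area, params
        self.real_output_area: Dict[str, float] = {}

    def poll(self) -> int:
        handled = 0
        for req in self.area.take_passed():
            self.params.update(req.writes)              # respond to the input data
            self.real_output_area = control_logic(self.params, FIELD_INPUTS)
            self.area.delete(req)                       # removed once the response is output
            handled += 1
        return handled


def run_demo() -> Tuple[List[str], int, Dict[str, float], Dict[str, float], List[str]]:
    params = {"pressure_setpoint_mpa": 1.2, "gain": 40.0}   # shared data source
    area = SharedInputArea()
    first, second = FirstManagementSystem(area, params), SecondManagementSystem(area, params)
    ok = ("10.0.0.5", "10.0.0.1", "tcp", 40000, 502)
    requests = [                                            # constructed write requests
        WriteRequest(ok, {"pressure_setpoint_mpa": 1.3}),   # legitimate adjustment
        WriteRequest(ok, {"pressure_setpoint_mpa": 2.5}),   # passes white list, fails simulation
        WriteRequest(("10.0.0.99",) + ok[1:], {"pressure_setpoint_mpa": 1.3}),  # unknown source
    ]
    results = [first.receive(r) for r in requests]
    handled = second.poll()
    return results, handled, dict(params), second.real_output_area, first.alarms


if __name__ == "__main__":
    print(run_demo())
```

The second request is the case a quintuple white list alone cannot catch: its source, destination, protocol and ports are all legitimate, and only running the identical control logic against the identical data source and checking the resulting setpoint reveals that it would drive the boiler beyond its rated pressure. Because the simulation writes to `sim_output_area` and to a copy of the parameters, a rejected request leaves the real output area and the live parameters untouched, which is the property the patent relies on for automatic recovery.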
First, defense fault isolation is better. On the basis of the original single-operating-system software architecture, XEN virtualization software is introduced, an isolated dual-operating-system software task running environment is established on the same controller hardware, and the real operation control module is deployed in one operating environment to form the conventional control software environment. The other operating system is provided with an external communication module and a control simulation module to complete the external network attack defense function, forming a network defense software environment. The network defense software environment is isolated from the conventional control software environment, and a failure of the defense function itself cannot affect the conventional control function.
Second, the defense range is wider. Compared with the static checking of the traditional white list, this network defense scheme is based on checking the result of an actual simulated execution. Whatever attack means the external network uses, the input is first executed in the simulation environment, and as long as the final result check fails, the input is effectively defended against, so the scheme can defend against more attack means. In addition, the writing of simulation data and the execution of the simulation operation take place in the simulation environment, so the data area of the control module is not rewritten. Therefore, when a fault is detected, the operating data of the conventional control module is not affected, which benefits automatic recovery from the network fault.
Third, the checking logic project is more reliable. An externally expanded Norflash power-down nonvolatile storage medium is added to the hardware to store the operation result checking logic project. In each detection, the operation result checking logic project is loaded from the Norflash power-down nonvolatile storage medium; this prevents the project from being lost and also prevents it from being overwritten by a memory overflow when it is kept in RAM, so the reliability is higher.
An embodiment of the present application provides a storage medium in which a computer program is stored, wherein the computer program is configured to perform the method described in any one of the above when run.
An embodiment of the application provides an electronic device comprising a memory and a processor, wherein the memory stores a computer program and the processor is configured to execute the computer program to perform the method described in any one of the above.
An embodiment of the application provides a controller network attack defense system based on virtualization technology, comprising: a controller comprising the electronic device described above; and a memory used for storing an exception checking strategy, wherein the exception checking strategy is used for judging whether the simulation result is abnormal.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems, and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.

Claims (10)

1. A controller network attack defense method based on virtualization technology is characterized in that a controller comprises a first management system and a second management system, wherein the first management system and the second management system run in mutually isolated running environments, wherein the mutually isolated running environments are created in a software layer of an operating system by utilizing virtualization software, and the method comprises the following steps:
after receiving input data, the first management system performs simulation processing on the input data by using a preset first data source and a preset simulation strategy to obtain a simulation result, and detects whether the simulation result is abnormal; if the simulation result is not abnormal, the input data is sent to the second management system;
the second management system receives the input data, responds to the input data by using a preset second data source and a preset response strategy, and outputs a response result;
wherein the simulation policy and the response policy have the same content, and the first data source and the second data source have the same content.
2. The method of claim 1, wherein creating mutually isolated operating environments comprises:
creating a communication virtual machine and a control virtual machine, wherein the communication virtual machine runs the first management system, and the control virtual machine runs the second management system, wherein the first virtual machine has the authority to manage the second virtual machine;
or,
the second management system is run in an operating system in the controller and a container is created in which the first management system is run.
3. The method of claim 1, further comprising:
and if the simulation result is abnormal, the first management system deletes the first data.
4. The method of claim 1, wherein:
the memory areas of the simulation result and the response result are isolated from each other.
5. The method of claim 1, further comprising:
the method comprises the steps that a first management system processes input data by using a preset data filtering strategy before processing the input data; and if the processing is passed, performing simulation processing on the input data.
6. The method according to any one of claims 1 to 5, wherein:
a storage area for input data shared by the first management system and the second management system is set;
after receiving the input data, the first management system stores the input data in the storage area for input data and marks the state of the input data as not simulated;
after the simulation result of the input data is found to be not abnormal, the state of the input data is updated to simulation passed;
and the second management system detects whether the storage area for input data contains input data whose state is simulation passed, and reads the input data whose state is simulation passed.
7. The method of claim 6, further comprising:
after outputting the response result, the second management system deletes the input data from the storage area for input data.
8. A storage medium, in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 7 when executed.
9. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 7.
10. A controller network attack defense system based on virtualization technology is characterized by comprising:
a controller comprising the electronic device of claim 9;
and the memory is used for storing an exception checking strategy, wherein the exception checking strategy is used for judging whether the simulation result has an exception or not.
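As an added example (not the patent's own code) of the flow claims 1 to 7 describe: the first management system filters an input, runs the shared policy on its own copy of the data source, checks the result against an exception checking strategy, and only then marks the entry in the shared storage area as simulation passed; the second management system applies only such entries to the real data source and deletes them afterwards. Register names, the write/add command format, the safe ranges and the sample inputs are constructed assumptions.

```python
# Added example, not the patent's code: a minimal model of the simulate-then-apply
# flow of claims 1, 3 and 5 to 7. Registers, command format, ranges, inputs: constructed.
from copy import deepcopy
NOT_SIMULATED, SIM_PASSED = "not_simulated", "simulation_passed"
# Constructed control data source and exception-checking strategy (safe value ranges).
INITIAL_DATA_SOURCE = {"valve_pct": 40, "temp_setpoint_c": 180}
SAFE_RANGES = {"valve_pct": (0, 100), "temp_setpoint_c": (20, 250)}

def apply_policy(data_source, cmd):
    # One policy is both simulation and response strategy (claim 1); it works on a copy.
    ds = deepcopy(data_source)
    ds[cmd["reg"]] = cmd["value"] if cmd["op"] == "write" else ds[cmd["reg"]] + cmd["value"]
    return ds

class FirstManagementSystem:
    """Communication side: filter, simulate on its own copy, check, then mark or delete."""
    def __init__(self, shared, data_source):
        self.shared, self.sim_source = shared, deepcopy(data_source)
    def receive(self, cmd):
        # Claim 5: data filtering (shape and known register) before any simulation.
        if (cmd.get("op") not in ("write", "add") or cmd.get("reg") not in SAFE_RANGES
                or not isinstance(cmd.get("value"), int)):
            return "filtered"
        entry = [cmd, NOT_SIMULATED]                 # claim 6: stored shared, not yet simulated
        self.shared.append(entry)
        result = apply_policy(self.sim_source, cmd)  # touches only the simulation copy
        # Exception-checking strategy: any register outside its safe range is abnormal.
        if any(not lo <= result[r] <= hi for r, (lo, hi) in SAFE_RANGES.items()):
            self.shared.remove(entry)                # claim 3: abnormal -> delete the input
            return "rejected"
        self.sim_source = result                     # keep the simulation copy in step
        entry[1] = SIM_PASSED
        return "passed"

class SecondManagementSystem:
    """Control side: reads only entries already marked simulation-passed (claims 6, 7)."""
    def __init__(self, shared, data_source):
        self.shared, self.data_source = shared, deepcopy(data_source)
    def poll(self):
        for entry in self.shared:
            if entry[1] == SIM_PASSED:
                self.data_source = apply_policy(self.data_source, entry[0])  # real response
                self.shared.remove(entry)            # claim 7: delete after responding
                return entry[0]
        return None

def run_controller(inputs):
    # Per input: (outcome, input applied by control side); then final control data, entries left.
    shared = []                                      # the shared input-data storage area
    fms = FirstManagementSystem(shared, INITIAL_DATA_SOURCE)
    sms = SecondManagementSystem(shared, INITIAL_DATA_SOURCE)
    outcomes = [(fms.receive(cmd), sms.poll()) for cmd in inputs]
    return outcomes, sms.data_source, len(shared)

# Constructed inputs: a benign write, an out-of-range push that a static white list
# on op/register alone would accept, and a malformed command.
SAMPLE_INPUTS = [{"op": "write", "reg": "valve_pct", "value": 60},
                 {"op": "add", "reg": "temp_setpoint_c", "value": 500},
                 {"op": "exec", "reg": "valve_pct", "value": 1}]
```

The rejected input never reaches the control side's data source, and the real data source is only ever written by the second management system.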
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111497236.7A CN114374535B (en) 2021-12-09 2021-12-09 Controller network attack defense method and system based on virtualization technology

Publications (2)

Publication Number Publication Date
CN114374535A true CN114374535A (en) 2022-04-19
CN114374535B CN114374535B (en) 2024-01-23

Family

ID=81139204

Country Status (1)

Country Link
CN (1) CN114374535B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant