CN114666088A - Method, device, equipment and medium for detecting industrial network data behavior information - Google Patents

Method, device, equipment and medium for detecting industrial network data behavior information

Info

Publication number: CN114666088A
Authority: CN (China)
Prior art keywords: data, abnormal, behavior, link, connection
Legal status: Pending
Application number: CN202111655150.2A
Other languages: Chinese (zh)
Inventors: 郑松, 刘朝儒, 郑蓉, 陈松彬, 颜明泽, 夏长星, 王云霞, 黄香平
Current assignee: Iap Fujian technology Co ltd
Original assignee: Iap Fujian technology Co ltd
Application filed by: Iap Fujian technology Co ltd
Priority: CN202111655150.2A
Publication: CN114666088A

Classifications

    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 ... for detecting or protecting against malicious traffic
    • H04L 63/1408 ... by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1433 Vulnerability analysis
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F 18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • G06F 18/23 Clustering techniques
    • G06F 18/24 Classification techniques
    • G06N 3/00 Computing arrangements based on biological models
    • G06N 3/02 Neural networks
    • G06N 3/04 Architecture, e.g. interconnection topology
    • G06N 3/045 Combinations of networks
    • G06N 3/08 Learning methods

Abstract

The invention provides a method, a device, equipment and a medium for detecting industrial network data behavior information. The method comprises the following steps. Data behavior modeling and analysis: an abnormal-behavior feature network model and an abnormal-data-behavior analysis and prediction model are established and trained; from the data change on a connection, the models judge whether the connection shows abnormal data behavior and, if so, which type; the credibility of the data behavior in each connection is measured with a group of credibility indexes. Security protection handling: a protective handling operation is defined for each type of abnormal data behavior; the credibility index of the data behavior in each connection is monitored in real time and, when a data change on any connection drives the index down to a preset threshold, the protective measure for that type of abnormal data behavior is triggered and carried out automatically. The invention addresses the technical problem that abnormal behavior of industrial internet data is difficult to sense and to defend against.

Description

Method, device, equipment and medium for detecting industrial network data behavior information
Technical Field
The invention relates to the technical field of industrial internet information security, in particular to a method, a device, equipment and a medium for detecting industrial network data behavior information.
Background
The security issues raised by industrial internet connectivity are complex and differ greatly from those of the traditional closed industrial system. The latter is well hidden: it is not connected to any external network or system, and the physical isolation facilities deployed around it protect it, to a certain extent, from network attacks of all kinds. An industrial internet connection network has no such closure, so the industrial devices and systems connected to it, and the industrial internet platform itself, are exposed to the internet environment and become reachable by various malicious attacks. The security of an industrial internet composed of large numbers of mutually "connected" nodes has therefore become a research focus, and many researchers at home and abroad have studied the potential security problems of industrial connections in depth. The Industrial Internet Consortium (IIC) in the United States has proposed a security framework based on an IIoT credibility (trustworthiness) model, which describes the security characteristics of industrial systems and studies more targeted security strategies. The IIC's Industrial Internet Security Framework (IISF) working group has also defined a functional building-block model of a multi-layer IIoT security framework from the edge to the cloud, taking four core functions, namely endpoint protection, communication and connectivity protection, security monitoring and analysis, and security configuration management, as the key content of IIoT information security. Some scholars have also proposed a dynamic trust management model for the industrial environment under malicious attack, used to observe changes in the data behavior of industrial internet nodes.
The connection security problem of the Industrial Internet of Things (IIoT) is not only whether the legitimate identities of industrial network nodes such as sensors, gateway devices and servers can be protected; it also covers the security of the industrial data environment: whether data can be read and written normally, whether it is at risk of leakage or of substantive change, and in particular whether its data behavior changes abnormally. Although existing research has begun to analyse the data security issues of the industrial internet, there is still no effective technical means of analysing the data security risk of each individual connection, or of detecting abnormal data behavior, in a concrete setting. To prevent data from being seriously damaged by abnormal change, it is very important to strengthen the industrial internet's ability to perceive the security situation of its own systems.
Disclosure of Invention
The invention aims to provide a method, a device, equipment and a medium for detecting industrial network data behavior information, so as to solve the technical problem that abnormal behavior of industrial internet data is difficult to sense and to defend against.
In a first aspect, the present invention provides a method for detecting industrial network data behavior information, including:
data behavior modeling and analysis: establishing and training an abnormal-behavior feature network model and an abnormal-data-behavior analysis and prediction model; analysing the data change on the connection under test with the two trained models; judging from the data change whether the connection shows abnormal data behavior and, if so, the type of the abnormal data behavior; and measuring the credibility of the data behavior in each connection with a group of credibility indexes;
security protection handling: defining a protective handling operation for each type of abnormal data behavior; monitoring the credibility index of the data behavior in each connection in real time; and, when a data change on any connection drives the index down to a preset threshold, automatically triggering and carrying out the protective measure for that type of abnormal data behavior;
wherein a connection consists of at least two endpoints, a unidirectional or bidirectional connection link, and at least one data stream, generated when data of one endpoint is transmitted to another endpoint over the communication protocol associated with the link;
a data change means that the data content or data state in an endpoint or communication link of a given connection changes within a given time period;
and the types of abnormal data behavior comprise threat-attack-class abnormal data behavior and non-threat-attack-class abnormal data behavior.
In a second aspect, the present invention provides a device for detecting industrial network data behavior information, including:
a data behavior modeling and analysis module, used to establish and train an abnormal-behavior feature network model and an abnormal-data-behavior analysis and prediction model, to analyse the data change on the connection under test with the two trained models, to judge from the data change whether the connection shows abnormal data behavior and, if so, the type of the abnormal data behavior, and to measure the credibility of the data behavior in each connection with a group of credibility indexes;
a handling module, used to carry out security protection: it defines a protective handling operation for each type of abnormal data behavior, monitors the credibility index of the data behavior in each connection in real time and, when a data change on any connection drives the index down to a preset threshold, automatically triggers and carries out the protective measure for that type of abnormal data behavior;
wherein a connection consists of at least two endpoints, a unidirectional or bidirectional connection link, and at least one data stream, generated when data of one endpoint is transmitted to another endpoint over the communication protocol associated with the link;
a data change means that the data content or data state in an endpoint or communication link of a given connection changes within a given time period;
and the types of abnormal data behavior comprise threat-attack-class abnormal data behavior and non-threat-attack-class abnormal data behavior.
In a third aspect, the present invention provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of the first aspect when executing the program.
In a fourth aspect, the invention provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the method of the first aspect.
One or more technical schemes provided in the embodiments of the present invention have at least the following technical effects or advantages. The invention detects the security of industrial internet connections with a credibility-based data behavior analysis method: it establishes a dedicated network model, judges the credibility of an industrial connection directly by mining and analysing the relationships in its data, and defines a protective handling operation for each type of abnormal data behavior, thereby establishing an autonomous security defence mechanism. This greatly improves the industrial internet's ability to sense and detect its own information security state and lets it respond promptly, stably and reliably when necessary, which strongly promotes industrial internet information security. The statistical regularity of the relevant data changes while the industrial internet is not under network attack serves as the criterion for judging whether it is under attack, and abnormal relationships between data items serve as further evidence of abnormal data change. The large volume of historical industrial data stored in the industrial internet serves as training samples for the network model, providing a basis for judgment and making external attack characteristics easier to capture, which greatly improves the accuracy with which the type of abnormal data behavior is judged.
The above description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
The invention will be further described with reference to the following examples with reference to the accompanying drawings.
FIG. 1 is a flow chart of a method according to one embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a connection according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an apparatus according to a second embodiment of the present invention;
FIG. 5 is a block diagram of a data behavior modeling and analysis module according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an electronic device according to a third embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a medium according to a fourth embodiment of the present invention.
Detailed Description
The embodiments of the application provide a method, a device, equipment and a medium for detecting industrial network data behavior information, so as to solve the technical problem that abnormal behavior of industrial internet data is difficult to sense and to defend against.
The general idea of the technical scheme in the embodiments is as follows. The connection relationships of the industrial internet are generally fixed, or dynamic but predictable, so the range of change, the rule of change and the logical relationships of the data on each connection are usually determined or can be predicted. In particular, data tied to the industrial production process, or data constrained by the enterprise management system, must change in accordance with the motion laws of the equipment and with management requirements, and those laws can be expressed by a specific algorithmic model. The statistical regularity of the relevant data changes while the industrial internet is not under network attack can therefore serve as the criterion for judging whether it is under attack, and an abnormal relationship between data items can likewise be treated as a criterion of abnormal data change. The invention accordingly detects the security of industrial internet connections with a credibility-based data behavior analysis method: it establishes a dedicated network model, judges the credibility of an industrial connection directly by mining and analysing the relationships in its data, and defines a protective handling operation for each type of abnormal data behavior, thereby establishing an autonomous security defence mechanism that greatly improves the industrial internet's ability to sense and detect its own information security state and lets it respond promptly, stably and reliably when necessary.
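As an added illustration of the "statistical rule of change" criterion described above (example code written for this page, not code from the patent or its assignee), the following Python detector learns a band from a sliding window of recent normal readings on one connection and flags a sample that leaves the band, or that jumps faster than the process can physically change. The tag series is constructed; the window length, the k multiplier, the band floor and the rate limit are assumed tuning values, not values from the patent.

```python
"""Sliding-window deviation detector for one connection's tag data.

Added example for this page, not the patent's code. The window length, the k
multiplier, the band floor and max_step are assumed tuning values."""
from statistics import mean, pstdev

# Constructed tank-level readings (percent), one per second. The process drifts
# slowly; index 12 is a spike, index 14 a jump that stays under the rate limit,
# index 17 a collapse.
SERIES = [50.0, 50.2, 50.1, 50.3, 50.4, 50.2, 50.5, 50.6, 50.4, 50.7,
          50.8, 50.6, 72.0, 50.9, 52.4, 51.0, 50.8, 20.0]


def sliding_window_anomalies(series, window=8, k=3.0, max_step=2.0, floor=0.5):
    """Return (index, value, reason) for every sample that breaks the learned rule.

    Two rules are applied in order: the step from the last normal sample must not
    exceed max_step (the plausible rate of change of the process), and once the
    window is full the sample must lie within k standard deviations of the window
    mean, with the band never narrower than `floor` so a flat window does not
    flag ordinary noise. Only samples judged normal enter the window, so a single
    spike cannot widen the band and mask the next one.
    """
    findings = []
    history = []
    for i, x in enumerate(series):
        reason = None
        if history:
            if abs(x - history[-1]) > max_step:
                reason = "rate_of_change"
            elif len(history) >= window:
                win = history[-window:]
                band = max(k * pstdev(win), floor)
                if abs(x - mean(win)) > band:
                    reason = "out_of_band"
        if reason is None:
            history.append(x)
        else:
            findings.append((i, x, reason))
    return findings


if __name__ == "__main__":
    for idx, value, why in sliding_window_anomalies(SERIES):
        print(f"sample {idx}: {value} -> {why}")
```

The rate rule catches the gross spikes; the band rule catches the 52.4 reading, which is a legal step size but sits far outside what the preceding window of normal readings predicts. Keeping flagged samples out of the window is what stops an attacker from "training" the baseline with a slow ramp of already-abnormal values.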
Example one
As shown in FIG. 1, the present embodiment provides a method for detecting industrial network data behavior information, including:
data behavior modeling and analysis: establishing and training an abnormal-behavior feature network model and an abnormal-data-behavior analysis and prediction model; analysing the data change on the connection under test with the two trained models; judging from the data change whether the connection shows abnormal data behavior and, if so, the type of the abnormal data behavior; and measuring the credibility of the data behavior in each connection with a group of credibility indexes;
security protection handling: defining a protective handling operation for each type of abnormal data behavior; monitoring the credibility index of the data behavior in each connection in real time; and, when a data change on any connection drives the index down to a preset threshold, automatically triggering and carrying out the protective measure for that type of abnormal data behavior.
As shown in FIG. 2, a connection includes at least two endpoints, a unidirectional or bidirectional connection link, and at least one data stream, where the data stream is generated when data of one endpoint is transmitted to another endpoint over the communication protocol associated with the link.
A data change means that the data content or data state in an endpoint or communication link of a given connection changes within a given time period.
The types of abnormal data behavior comprise threat-attack-class abnormal data behavior and non-threat-attack-class abnormal data behavior.
As shown in FIG. 3, the data behavior modeling and analysis process specifically includes the following steps.
S11. Preprocess the real-time data of the connection under test, then run abnormal-data inspection on it; any abnormal data found is placed in a real-time abnormal data set.
Preferably, the preprocessing is performed by a data preprocessing module, and the preprocessing algorithms include an ARMA (autoregressive moving average) model, a sliding-window algorithm and an adaptive clustering algorithm.
Preferably, the abnormal-data inspection is performed by an abnormal-data inspection module, and the inspection checks whether a value is missing, whether a value exceeds its preset range, whether the communication state is abnormal, whether the time tag is abnormal, whether the access right is abnormal, whether the data call state is abnormal, and whether the definition of a data entry matches the preset state of the system.
S12. Store the real-time abnormal data set, either directly at a fixed period or after manual labelling, in a historical abnormal database, where it serves as training samples of historical abnormal data under attack by known viruses or malicious programs. The manually labelled content comprises:
(1) Classification labels for the attack sources, attack objects and attack forms of industrial internet threats.
Attack sources comprise at least six major classes: Trojan horses, worms, grayware, backdoor viruses, infectious viruses and vulnerability exploits. Attack objects are the five classes of endpoint in an industrial connection and their connection links; the vulnerabilities attacked fall into four classes: physical vulnerabilities, operating system and middleware vulnerabilities, application vulnerabilities and protocol vulnerabilities. Physical vulnerabilities include at least the network or debug interfaces, physical memory and firmware of industrial equipment; for example, a network or debug interface of industrial equipment is compromised remotely for malicious tracking or unauthorized use. Operating system and middleware vulnerabilities include at least remote code execution vulnerabilities, unnecessary services left enabled by the system, buffer overflows, resource management errors and SQL injection vulnerabilities. Application vulnerabilities include at least code defects, code injection, parameter injection, format string errors and cross-site scripting. Protocol vulnerabilities include at least encryption problems, security-feature problems, permission and authorization problems, and input validation.
Attack forms comprise at least network protocol attacks, identity spoofing attacks, denial of service (DoS), privilege escalation, key management attacks and denial of admission. Network protocol attacks include session control and hijacking, port scanning, result redirection and man-in-the-middle attacks. Identity spoofing attacks include identity misuse, false device IDs and IP address spoofing. DoS attacks include resource exhaustion attacks and packet sniffing. Privilege escalation attacks include unauthorized modification or deletion of system data, theft of data or computing resources, unauthorized access to and tampering with virtual image files, malicious code injection and SQL injection. Key management attacks include weak-cipher attacks and disabling of encryption.
(2) Classification labels for the abnormal data changes caused over industrial internet connections.
The data anomaly modes comprise eight types: data theft, data tampering, data loss, data forgery, data delay, data blocking, illegal authorization and data repudiation. Data theft means the data content is intercepted, for example by eavesdropping on the network, without being changed. Data tampering means communication content such as protocol fields is deliberately modified, or the data is intercepted and its content altered, so that the data changes. Data loss means the data content is maliciously deleted. Data forgery means fabricated data content is illegitimately used in the communication network or a database, which may affect the system. Data delay means the communication process is obstructed to some degree, so that the time sequence of the data is disordered or the real-time behavior of the industrial internet data is affected. Data blocking means the data content is not changed, but a network attack interrupts communication so that the relevant data cannot be accessed. Illegal authorization means data is granted to suspicious identities or devices outside the preset rules. Data repudiation means the data has been illegitimately accessed, authorized or tampered with and this cannot be verified.
(3) Classification labels for the possible harm to industrial internet connections.
Harm from a threat attack is graded into six levels from low to high:
grade 1: sensitive data or technology is compromised;
grade 2: destroying availability of system data;
grade 3: causing equipment malfunction or downtime;
grade 4: leading to the out-of-control of a key system and causing safety accidents;
grade 5: leading to significant factory decision errors;
grade 6: a series of cascade reactions is initiated, resulting in plant downtime.
S13. Input the historical abnormal data samples into the abnormal-behavior feature network model and the abnormal-data-behavior analysis and prediction model to complete feature extraction and prediction training, obtaining the trained feature network model and the trained analysis and prediction model.
Preferably, the feature network model is a convolutional neural network, an attention-based convolutional neural network or a Siamese (twin) convolutional neural network, and the prediction model is a prototypical network or a self-organizing incremental neural network.
S14. Input the real-time abnormal data set under test into the trained abnormal-data-behavior analysis and prediction model and determine the type of the real-time abnormal data behavior by feature pattern matching.
If a detected data behavior matches the known feature pattern of a threat attack behavior, it is judged to be abnormal data behavior caused by a threat attack, that is, threat-attack-class abnormal data behavior; otherwise it is non-threat-attack-class abnormal data behavior.
S15. Calculate a group of credibility indexes for the connection under test and use them to evaluate the connection's credibility against threat attacks. The credibility index has seven security dimensions and is expressed as:

Li_CRED = f(Cxi, Cyi, Czi, Cmi, Cni, Cpi, Cqi)

where
Li_CRED is the credibility index of the i-th connection;
Cxi is the confidentiality of the link data, i.e. sensitive information is not disclosed;
Cyi is data integrity, i.e. the data has not been modified without detection;
Czi is data availability, i.e. the information can be accessed and used when needed;
Cmi is identity authentication, i.e. the owning authority of the data is determined and unknown entities cannot access it;
Cni is non-repudiation, i.e. the system cannot deny that an action was performed;
Cpi is resilience, i.e. the system keeps its state awareness and normal operating level when attacked by a malicious threat;
Cqi is safety, i.e. an attacked system poses no hazard or damage to the environment or to people.
As also shown in FIG. 3, in the security protection handling step, defining the protective handling operation for each type of abnormal data behavior specifically comprises: if a non-threat-attack-class abnormal behavior is judged, an automatic alarm is raised through the human-machine interaction window; if a threat-attack-class abnormal behavior is judged, an automatic alarm is raised through the human-machine interaction window and, at the same time, the corresponding data protection module is triggered, which, according to its preset handling strategy, automatically filters the data or cuts off the communication link, or clears and repairs the abnormal part of the data.
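Steps S11 to S15 and the handling step above, as an added rule-based example written for this page (not code from the patent or from its assignee). It runs the S11 inspection checks over constructed poll records of one A-B connection, stands in for the trained models of S13 and S14 with a fixed table of threat feature patterns, takes the function f of the credibility index, which the patent leaves unspecified, as a weighted mean over the seven dimensions, and gates the protective action on the preset threshold. The records, patterns, weights, per-flag penalties and threshold are all assumptions made here.

```python
"""Rule-based stand-in for steps S11-S15 and the handling step.

Added example for this page, not code from the patent. The trained models of
S13/S14 are replaced by a fixed table of threat feature patterns, the
unspecified f(...) of the credibility index is taken as a weighted mean over
the seven dimensions, and all tables, weights and the threshold are assumed."""

DIMS = ("conf", "integ", "avail", "auth", "nonrep", "resil", "safety")
WEIGHTS = dict(zip(DIMS, (1, 2, 2, 2, 1, 1, 1)))  # assumed dimension weights
CRED_THRESHOLD = 0.7                               # assumed preset threshold
VALUE_RANGE = (0.0, 50.0)                          # assumed engineering range
EXPECTED_TAG = "T01"                               # assumed data entry definition

# Constructed poll records of one A-B connection (controller -> edge gateway).
RECORDS = [
    {"ts": 100, "value": 20.1, "comm_ok": True,  "auth_ok": True,  "tag": "T01"},
    {"ts": 101, "value": 20.3, "comm_ok": True,  "auth_ok": True,  "tag": "T01"},
    {"ts": 102, "value": None, "comm_ok": True,  "auth_ok": True,  "tag": "T01"},
    {"ts": 102, "value": 95.0, "comm_ok": True,  "auth_ok": False, "tag": "T01"},
    {"ts": 104, "value": 20.4, "comm_ok": False, "auth_ok": True,  "tag": "T01"},
]

# Which credibility dimension an S11 flag degrades, and by how much (assumed).
FLAG_PENALTY = {
    "missing_value":             ("avail",  0.3),
    "out_of_range":              ("integ",  0.6),
    "comm_abnormal":             ("avail",  0.6),
    "time_tag_abnormal":         ("nonrep", 0.5),
    "access_right_abnormal":     ("auth",   0.8),
    "entry_definition_mismatch": ("integ",  0.4),
}

# Known threat feature patterns (assumed), in place of the trained model of S14.
THREAT_PATTERNS = {
    "data_tampering":        {"out_of_range", "access_right_abnormal"},
    "data_counterfeiting":   {"time_tag_abnormal", "access_right_abnormal"},
    "illegal_authorization": {"access_right_abnormal", "entry_definition_mismatch"},
}


def inspect(record, prev_ts):
    """S11: the abnormal-data checks listed on the page, returned as a set of flags."""
    flags = set()
    if record["value"] is None:
        flags.add("missing_value")
    elif not VALUE_RANGE[0] <= record["value"] <= VALUE_RANGE[1]:
        flags.add("out_of_range")
    if not record["comm_ok"]:
        flags.add("comm_abnormal")
    if prev_ts is not None and record["ts"] <= prev_ts:   # stale or replayed time tag
        flags.add("time_tag_abnormal")
    if not record["auth_ok"]:
        flags.add("access_right_abnormal")
    if record["tag"] != EXPECTED_TAG:
        flags.add("entry_definition_mismatch")
    return flags


def classify(flags):
    """S14: feature-pattern matching; an anomaly matching no pattern is non-threat class."""
    if not flags:
        return None
    for name, pattern in THREAT_PATTERNS.items():
        if pattern <= flags:
            return ("threat", name)
    return ("non_threat", "unmatched")


def credibility(flags):
    """S15: Li_CRED = f(Cx..Cq); each dimension starts at 1.0 and f is a weighted mean."""
    dims = dict.fromkeys(DIMS, 1.0)
    for flag in flags:
        dim, penalty = FLAG_PENALTY[flag]
        dims[dim] = max(0.0, dims[dim] - penalty)
    return round(sum(WEIGHTS[d] * dims[d] for d in DIMS) / sum(WEIGHTS.values()), 3)


def handle(kind, cred):
    """Handling step: any anomaly raises an alarm; a threat-class anomaly that has
    driven the credibility index down to the threshold also cuts the link."""
    if kind is None:
        return "none"
    if kind[0] == "threat" and cred <= CRED_THRESHOLD:
        return "alarm+cut_link"
    return "alarm"


def run_pipeline(records):
    """Return one (flags, classification, credibility, action) tuple per record."""
    out, prev_ts = [], None
    for rec in records:
        flags = inspect(rec, prev_ts)
        kind = classify(flags)
        cred = credibility(flags)
        out.append((frozenset(flags), kind, cred, handle(kind, cred)))
        prev_ts = rec["ts"] if prev_ts is None else max(prev_ts, rec["ts"])
    return out


if __name__ == "__main__":
    for row in run_pipeline(RECORDS):
        print(row)
```

The fourth record is the instructive one: a replayed timestamp, an out-of-range value and a failed access check arrive together, the flag set matches the assumed tampering pattern, the weighted index drops to 0.67, and only then does the handling step escalate from alarm to cutting the link. The lone communication failure in the last record degrades availability but matches no threat pattern, so it is alarmed, not blocked, which is the non-threat path the page describes.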
A connection carries at least the following five attribute fields: endpoint type, endpoint name, connection link name, link instance, and the communication protocol associated with the link.
The endpoint types are:
class A endpoints: industrial terminal equipment, including sensor nodes, actuator nodes, controller nodes, local database nodes and switch nodes;
class B endpoints: edge data acquisition equipment, including edge gateway nodes and server nodes;
class C endpoints: cloud servers, including cloud computing nodes, cloud storage nodes and video server nodes;
class D endpoints: industrial applications, including web application nodes and mobile terminal nodes;
class E endpoints: third-party systems or APIs.
As shown in FIG. 2, the link types and the communication protocols associated with them are:
link type 1: connects a class A endpoint to a class B endpoint, e.g. an industrial equipment node to an edge gateway; the connection link name is written A-B; the associated protocols are industrial Ethernet protocols, fieldbus protocols and wireless network protocols, for example EtherNet industrial Ethernet, TS61158, CIP, Profibus, EtherCAT, Modbus TCP/RTU, 5G and Wi-Fi;
link type 2: connects a class B endpoint to a class C endpoint, e.g. an edge gateway to a cloud computing node; written B-C; the associated protocols are HTTP/HTTPS, WebSocket, MQTT and OPC UA;
link type 3: connects a class C endpoint to a class D endpoint, e.g. a cloud computing node to a web application node; written C-D; the associated protocols are HTTP/HTTPS, WebSocket, MQTT and OPC UA;
link type 4: connects a class B endpoint to a class E endpoint, e.g. an edge gateway to a third-party system API; written B-E; the associated protocols are HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces, such as MySQL, SQL Server, Oracle, PostgreSQL, txt, csv, Excel, JSON, XML, Hadoop, Kafka, MongoDB, Redis, ES and dynamic link library APIs;
link type 5: connects a class C endpoint to a class E endpoint, e.g. a cloud platform node to a third-party system API; written C-E; the associated protocols are HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces;
link type 6: connects class A endpoints to each other, class B endpoints to each other, or a class A endpoint indirectly to a class B endpoint; written Ai-Aj, Bi-Bj and Ai-Bj respectively; the associated protocols are industrial Ethernet protocols, fieldbus protocols and wireless network protocols, such as EtherNet industrial Ethernet, TS61158, CIP, Profibus, EtherCAT, Modbus TCP/RTU, 5G and Wi-Fi;
link type 7: connects class D endpoints to each other, e.g. the web data interfaces of two industrial apps; written Di-Dj; the associated protocols are HTTP/HTTPS, WebSocket, MQTT and OPC UA;
link type 8: connects class E endpoints to each other, e.g. two third-party system API interfaces; written Ei-Ej; the associated protocols are HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces.
A change of data behavior means that the data content or data state in an endpoint or communication link of an industrial internet connection changes within a certain time period, for example a change of a data value, of a storage state or of a communication state. If at some moment the data behavior of a connection does not match the preset standard state value, the current connection is judged to have abnormal data behavior; the abnormal data behaviors are divided into 8 types, and each type corresponds to a unique behavior label:
the abnormal data behavior label 120110001 represents data stealing, i.e. the interface call or transmission link of the data may have been intercepted;
the abnormal data behavior label 120110002 represents data tampering, i.e. the data value exceeds the preset abnormal-degree threshold range;
the abnormal data behavior label 120110003 represents data loss, i.e. an originally non-empty data value has become null;
the abnormal data behavior label 120110004 represents data falsification, i.e. abnormal data not defined by the system appears;
the abnormal data behavior label 120110005 represents data delay, i.e. the time-sequence label of the data is delayed or out of order;
the abnormal data behavior label 120110006 represents data blocking, i.e. the data cannot be accessed because communication is interrupted;
the abnormal data behavior label 120110007 represents illegal authorization, i.e. the data is transmitted to a suspicious receiver outside the preset authority rules;
the abnormal data behavior label 120110008 represents data repudiation, i.e. an illegal access, authorization or tampering of the data can subsequently be denied.
Based on the same inventive concept, the application also provides a device corresponding to the method in the first embodiment, which is detailed in the second embodiment.
Example two
As shown in fig. 4, this embodiment provides an apparatus for detecting industrial network data behavior information, comprising:
a data behavior modeling and analysis module, used for establishing and training an abnormal behavior feature network model and an abnormal data behavior analysis and prediction model, analyzing the data change condition of the connection under test with the two trained models, judging from the data change condition whether the connection has abnormal data behavior and further judging the type of the abnormal data behavior; and measuring the credibility of the data behavior in each connection with a group of credibility indexes;
a security protection handling module, used for setting a corresponding security protection handling operation for each type of abnormal data behavior; and for monitoring the credibility index of the data behavior in each connection in real time and, when a data change in any connection lowers the credibility index to the preset threshold, automatically triggering and implementing protective measures according to the type of the abnormal data behavior;
wherein a connection is composed of at least two endpoints, a unidirectional or bidirectional connection link, and at least one data stream generated when data of one endpoint is transmitted to another endpoint through the associated communication protocol;
a data change means that the data content or data state in an endpoint or communication link of a connection changes within a certain time period;
the types of abnormal data behavior comprise threat attack class abnormal data behavior and non-threat attack class abnormal data behavior.
As shown in fig. 5, the data behavior modeling and analysis module further comprises:
a preprocessing module, used for preprocessing the real-time data of the connection under test;
an anomaly detection module, used for performing abnormal data detection on the preprocessed real-time data of the connection under test and, if abnormal data is detected, entering it into the real-time abnormal data set;
a training sample module, used for storing the real-time abnormal data set into the historical abnormal database, either directly at a fixed time period or after manual labeling, where it serves as training samples of historical abnormal data from known virus or malicious program attacks; the manually labeled content comprises:
classification labels defined for the attack sources, attack objects and attack forms of industrial internet threats;
classification labels defined for abnormal data changes arising in industrial internet connections;
classification labels defined for the possible damage to industrial internet connections;
a training module, used for inputting the historical abnormal data samples into the abnormal behavior feature network model and the abnormal data behavior analysis and prediction model to complete feature extraction and model training, obtaining the trained abnormal behavior feature network model and the trained abnormal data behavior analysis and prediction model;
an analysis and judgment module, used for inputting the real-time abnormal data set under test into the trained abnormal data behavior analysis and prediction model and judging, by feature pattern matching, the type of the real-time abnormal data behavior under test;
a credibility index evaluation module, used for calculating a group of credibility indexes for the connection under test and evaluating the credibility that a threat attack exists on the connection; the credibility index is composed of seven security dimensions and is expressed as:
Li_CRED = f(Cxi, Cyi, Czi, Cmi, Cni, Cpi, Cqi);
where Li_CRED denotes the credibility index of the i-th connection;
Cxi denotes the confidentiality of the link data, i.e. sensitive information is not disclosed;
Cyi denotes data integrity, i.e. the data has not been modified without detection;
Czi denotes data availability, i.e. information can be accessed and used when needed;
Cmi denotes identity authentication, i.e. the ownership and access rights of the data are determined and unknown entities are prevented from accessing it;
Cni denotes non-repudiation, i.e. it can be ensured that the system cannot deny that an action was performed;
Cpi denotes resilience, i.e. the system can maintain state awareness and a normal operating level when attacked by a malicious threat;
Cqi denotes safety, i.e. the affected system does not pose a hazard or damage to the environment or people in the event of an attack.
The security protection handling module sets the security protection handling operation according to the type of abnormal data behavior, that is: if the abnormal behavior is judged to be of the non-threat attack class, an automatic alarm is triggered through the man-machine interaction window; if it is judged to be of the threat attack class, an automatic alarm is triggered through the man-machine interaction window and, at the same time, the corresponding data protection module is triggered, which automatically filters the data or cuts off the communication link according to its preset processing strategy, or clears and repairs the abnormal data.
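The credibility index and the two handling branches described above, as an added example that is not code from the patent: the page defines Li_CRED only as f(Cxi, ..., Cqi) over the seven security dimensions, so the concrete f used here (a weighted mean of per-dimension scores in [0, 1]), the equal weights, the preset threshold and the protection strategy names are assumptions.

```python
"""Credibility index Li_CRED of one connection and the handling it triggers.

Added example, not code from the patent. The page defines Li_CRED only as
f(Cxi, Cyi, Czi, Cmi, Cni, Cpi, Cqi); the f used here (a weighted mean of
per-dimension scores in [0, 1]), the weights, the preset threshold and the
protection strategy names are assumptions.
"""
from dataclasses import dataclass
from enum import Enum

# The seven security dimensions of the index, in the page's order.
DIMENSIONS = ("Cx", "Cy", "Cz", "Cm", "Cn", "Cp", "Cq")
MEANING = {
    "Cx": "confidentiality", "Cy": "integrity", "Cz": "availability",
    "Cm": "identity authentication", "Cn": "non-repudiation",
    "Cp": "resilience", "Cq": "safety",
}
WEIGHTS = {d: 1.0 / len(DIMENSIONS) for d in DIMENSIONS}  # assumed equal weights
CRED_THRESHOLD = 0.7  # assumed preset threshold at which handling is triggered


class BehaviorClass(Enum):
    THREAT = "threat attack class"
    NON_THREAT = "non-threat attack class"


@dataclass(frozen=True)
class Handling:
    alarm: bool          # alarm shown in the man-machine interaction window
    protection: tuple    # protective measures triggered, empty if none


def credibility_index(scores):
    """Li_CRED = f(Cxi, ..., Cqi), here a weighted mean rounded to 4 places.

    A dimension that was not measured is scored 0 (worst case) so that an
    unmeasured dimension can never raise the index.
    """
    for d, v in scores.items():
        if d not in WEIGHTS:
            raise ValueError(f"unknown dimension {d!r}")
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"score for {d} out of range: {v}")
    return round(sum(WEIGHTS[d] * scores.get(d, 0.0) for d in DIMENSIONS), 4)


def decide_handling(index, behavior_class, strategy="filter"):
    """Security protection handling as the page describes it.

    Above the threshold nothing is triggered. Non-threat abnormal behavior
    triggers the alarm only. Threat-class abnormal behavior triggers the alarm
    and the data protection module's preset strategy (assumed names: filter the
    data, cut off the link, or clear and repair the abnormal data).
    """
    if index > CRED_THRESHOLD:
        return Handling(alarm=False, protection=())
    if behavior_class is BehaviorClass.NON_THREAT:
        return Handling(alarm=True, protection=())
    if strategy not in ("filter", "cut_link", "clear_and_repair"):
        raise ValueError(f"unknown protection strategy {strategy!r}")
    return Handling(alarm=True, protection=(strategy,))


def weakest_dimensions(scores, n=2):
    """Name the n lowest-scoring dimensions, for the text of the alarm."""
    ranked = sorted(DIMENSIONS, key=lambda d: scores.get(d, 0.0))
    return [MEANING[d] for d in ranked[:n]]


if __name__ == "__main__":
    # Constructed scores for a B-C link after a suspected tampering event:
    # integrity and non-repudiation have collapsed, the rest is healthy.
    sample = {"Cx": 0.9, "Cy": 0.2, "Cz": 0.9, "Cm": 0.8,
              "Cn": 0.3, "Cp": 0.85, "Cq": 0.9}
    idx = credibility_index(sample)
    print("Li_CRED =", idx, "weakest:", weakest_dimensions(sample))
    print(decide_handling(idx, BehaviorClass.THREAT, "cut_link"))
```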
A connection carries at least the following five attributes: endpoint type, endpoint name, connection link name, link instance, and the communication protocol associated with the link;
the endpoint types are:
class A endpoints, which refer to industrial terminal equipment and include sensor nodes, actuator nodes, controller nodes, local database nodes and switch nodes;
class B endpoints, which refer to edge data acquisition equipment and include edge gateway device nodes and server nodes;
class C endpoints, which refer to cloud servers and include cloud computing nodes, cloud storage nodes and video server nodes;
class D endpoints, which refer to industrial applications and include web application nodes and mobile terminal nodes;
class E endpoints, which refer to third-party systems or APIs;
the link types and the communication protocols associated with each link are:
the first type of link: connects class A and class B endpoints; the connection link name is recorded as A-B; the associated communication protocols comprise industrial Ethernet protocols, fieldbus protocols and wireless communication network protocols;
the second type of link: connects class B and class C endpoints; the connection link name is recorded as B-C; the associated communication protocols comprise HTTP/HTTPS, WebSocket, MQTT and OPC-UA;
the third type of link: connects class C and class D endpoints; the connection link name is recorded as C-D; the associated communication protocols comprise HTTP/HTTPS, WebSocket, MQTT and OPC-UA;
the fourth type of link: connects class B and class E endpoints; the connection link name is recorded as B-E; the associated communication protocols comprise HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces;
the fifth type of link: connects class C and class E endpoints; the connection link name is recorded as C-E; the associated communication protocols comprise HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces;
the sixth type of link: connects class A endpoints to each other, class B endpoints to each other, or class A and class B endpoints indirectly; the connection link names are recorded as Ai-Aj, Bi-Bj and Ai-Bj respectively; the associated communication protocols comprise industrial Ethernet protocols, fieldbus protocols and wireless communication network protocols;
the seventh type of link: a connection between class D endpoints; the connection link name is recorded as Di-Dj; the associated communication protocols comprise HTTP/HTTPS, WebSocket, MQTT and OPC-UA;
the eighth type of link: a connection between class E endpoints; the connection link name is recorded as Ei-Ej; the associated communication protocols comprise HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces;
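The connection model and link taxonomy just listed, as an added example that is not code from the patent (it serves the same description in the first embodiment): it records the five connection attributes, derives the link name (A-B, Ai-Bj, Di-Dj and so on) from the endpoint classes, and rejects a connection whose protocol is not one the page associates with its link type. Endpoint names, the link instance identifier format and the protocol spellings used as keys are assumptions.

```python
"""Connection record check for the five-attribute connection model.

Added example, not code from the patent. Endpoint classes A-E and the eight
link types with their associated protocols follow the page; endpoint names,
the link instance format and the protocol spellings used as keys are assumed.
"""
from dataclasses import dataclass

ENDPOINT_CLASSES = {
    "A": "industrial terminal equipment",
    "B": "edge data acquisition equipment",
    "C": "cloud server",
    "D": "industrial application",
    "E": "third-party system or API",
}

# Protocol families as listed on the page (lower-cased for matching).
FIELD_PROTOCOLS = frozenset({"ethernet", "ts61158", "cip", "profibus", "ethercat",
                             "modbus tcp/rtu", "5g", "wifi"})
CLOUD_PROTOCOLS = frozenset({"http", "https", "websocket", "mqtt", "opc-ua"})
THIRD_PARTY_PROTOCOLS = frozenset({"http", "https", "mqtt", "opc server", "websocket",
                                   "modbus tcp/rtu server", "third-party data source api"})

# Link types keyed by the unordered pair of endpoint classes; the indirect
# A-B case of type six is handled separately in link_type().
LINK_TYPES = {
    frozenset({"A", "B"}): (1, FIELD_PROTOCOLS),
    frozenset({"B", "C"}): (2, CLOUD_PROTOCOLS),
    frozenset({"C", "D"}): (3, CLOUD_PROTOCOLS),
    frozenset({"B", "E"}): (4, THIRD_PARTY_PROTOCOLS),
    frozenset({"C", "E"}): (5, THIRD_PARTY_PROTOCOLS),
    frozenset({"A"}): (6, FIELD_PROTOCOLS),
    frozenset({"B"}): (6, FIELD_PROTOCOLS),
    frozenset({"D"}): (7, CLOUD_PROTOCOLS),
    frozenset({"E"}): (8, THIRD_PARTY_PROTOCOLS),
}


@dataclass(frozen=True)
class Endpoint:
    cls: str    # endpoint type: one of A..E
    name: str   # endpoint name (assumed free text)
    index: int  # instance number used in names such as Ai-Aj


@dataclass(frozen=True)
class Connection:
    src: Endpoint
    dst: Endpoint
    link_instance: str   # assumed identifier format, e.g. "link-0001"
    protocol: str
    direct: bool = True  # False for an indirect A-B connection (type six)


def link_type(conn):
    """Return (type number, allowed protocols), or None if no link type matches."""
    pair = frozenset({conn.src.cls, conn.dst.cls})
    if pair == frozenset({"A", "B"}) and not conn.direct:
        return 6, FIELD_PROTOCOLS
    return LINK_TYPES.get(pair)


def link_name(conn):
    """Link name per the page: A-B style for types 1-5, Ai-Bj style otherwise."""
    lt = link_type(conn)
    if lt is None:
        return None
    if lt[0] <= 5:
        first, second = sorted((conn.src.cls, conn.dst.cls), key="ABCDE".index)
        return f"{first}-{second}"
    return f"{conn.src.cls}{conn.src.index}-{conn.dst.cls}{conn.dst.index}"


def validate(conn):
    """Return a list of problems; empty when the connection fits the model."""
    problems = [f"unknown endpoint class {ep.cls!r}"
                for ep in (conn.src, conn.dst) if ep.cls not in ENDPOINT_CLASSES]
    if problems:
        return problems
    lt = link_type(conn)
    if lt is None:
        return [f"no link type connects class {conn.src.cls} to class {conn.dst.cls}"]
    number, allowed = lt
    if conn.protocol.lower() not in allowed:
        problems.append(f"protocol {conn.protocol!r} is not associated with "
                        f"type {number} link {link_name(conn)}")
    return problems


def attributes(conn):
    """The five attributes the page says every connection carries."""
    return {
        "endpoint type": (conn.src.cls, conn.dst.cls),
        "endpoint name": (conn.src.name, conn.dst.name),
        "connection link name": link_name(conn),
        "link instance": conn.link_instance,
        "communication protocol": conn.protocol,
    }


if __name__ == "__main__":
    sensor = Endpoint("A", "temperature sensor", 3)
    gateway = Endpoint("B", "edge gateway", 1)
    cloud = Endpoint("C", "cloud computing node", 1)
    ok = Connection(sensor, gateway, "link-0001", "Modbus TCP/RTU")
    bad = Connection(gateway, cloud, "link-0002", "Modbus TCP/RTU")  # field protocol on a B-C link
    print(attributes(ok), validate(ok))
    print(attributes(bad), validate(bad))
```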
the abnormal data behaviors are divided into 8 types, and each type corresponds to a unique behavior label:
the abnormal data behavior label 120110001 represents data stealing, i.e. the interface call or transmission link of the data may have been intercepted;
the abnormal data behavior label 120110002 represents data tampering, i.e. the data value exceeds the preset abnormal-degree threshold range;
the abnormal data behavior label 120110003 represents data loss, i.e. an originally non-empty data value has become null;
the abnormal data behavior label 120110004 represents data falsification, i.e. abnormal data not defined by the system appears;
the abnormal data behavior label 120110005 represents data delay, i.e. the time-sequence label of the data is delayed or out of order;
the abnormal data behavior label 120110006 represents data blocking, i.e. the data cannot be accessed because communication is interrupted;
the abnormal data behavior label 120110007 represents illegal authorization, i.e. the data is transmitted to a suspicious receiver outside the preset authority rules;
the abnormal data behavior label 120110008 represents data repudiation, i.e. an illegal access, authorization or tampering of the data can subsequently be denied.
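The eight behavior labels above, as an added example that is not code from the patent (it serves the same label list in the first embodiment): the patent assigns labels with a trained feature-matching model, whereas this rule-based approximation applies the condition the page gives for each label to one observation of a connection's data. The observation fields, the preset standard state and the sample observations are assumptions; label 120110001 (data stealing) needs link-level evidence that a single sample does not carry, so these rules never emit it.

```python
"""Rule-based labelling of an observed data change with the eight abnormal
data behavior labels 120110001 to 120110008.

Added example, not code from the patent: the patent assigns labels with a
trained feature-matching model; here each label is approximated by the
condition the page gives for it, checked against one observation of a
connection's data. The observation fields, the preset standard state and
the sample observations are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

LABELS = {
    120110001: "data stealing",
    120110002: "data tampering",
    120110003: "data loss",
    120110004: "data falsification",
    120110005: "data delay",
    120110006: "data blocking",
    120110007: "illegal authorization",
    120110008: "data repudiation",
}


@dataclass
class Observation:
    """One observed data change on a connection (constructed field set)."""
    link_name: str
    tag: str                   # identifier of the data point on the link
    value: Optional[float]     # None means a null value was received
    seq: int                   # time-sequence label of this sample
    prev_seq: int              # time-sequence label of the previous sample
    link_up: bool = True       # False when communication is interrupted
    receiver: str = ""         # endpoint the data was transmitted to
    event: str = "read"        # read / write / authorize
    audit_record: bool = True  # a non-repudiable record of the event exists


@dataclass
class StandardState:
    """Preset standard state the page compares data behavior against (constructed)."""
    known_tags: frozenset         # data points the system defines
    lo: float                     # preset abnormal-degree threshold range
    hi: float
    allowed_receivers: frozenset  # preset authority rule


def classify(obs: Observation, std: StandardState) -> Optional[int]:
    """Return the behavior label, or None when the behavior matches the standard state.

    Checks are ordered so that a condition which makes later ones unobservable
    (an interrupted link, an undefined data point) is reported first. Label
    120110001 (data stealing) needs link-level evidence a single sample does not
    carry, so it is never returned here; that decision is left to the model.
    """
    if not obs.link_up:
        return 120110006  # data blocking: inaccessible due to communication interruption
    if obs.tag not in std.known_tags:
        return 120110004  # data falsification: data undefined by the system appears
    if obs.receiver and obs.receiver not in std.allowed_receivers:
        return 120110007  # illegal authorization: receiver outside the authority rule
    if obs.value is None:
        return 120110003  # data loss: an originally non-empty value became null
    if not std.lo <= obs.value <= std.hi:
        return 120110002  # data tampering: value beyond the threshold range
    if obs.seq <= obs.prev_seq:
        return 120110005  # data delay: time-sequence label delayed or out of order
    if obs.event in ("write", "authorize") and not obs.audit_record:
        return 120110008  # data repudiation: the action could later be denied
    return None


def classify_batch(observations, std):
    """Label every observation; returns (link, tag, label code, label name) tuples."""
    out = []
    for obs in observations:
        code = classify(obs, std)
        out.append((obs.link_name, obs.tag, code, LABELS.get(code, "normal")))
    return out


# Constructed standard state and samples for one A-B link.
SAMPLE_STATE = StandardState(frozenset({"T101", "T102"}), 0.0, 100.0,
                             frozenset({"gateway-1", "cloud-1"}))
SAMPLE_OBSERVATIONS = [
    Observation("A-B", "T101", 72.4, 12, 11, receiver="gateway-1"),
    Observation("A-B", "T101", None, 13, 12),
    Observation("A-B", "T102", 950.0, 14, 13),
    Observation("A-B", "T101", 71.9, 13, 15),
    Observation("A-B", "T101", 72.0, 16, 15, link_up=False),
    Observation("A-B", "T101", 72.1, 17, 16, receiver="unknown-host"),
    Observation("A-B", "T999", 1.0, 18, 17),
    Observation("A-B", "T102", 40.0, 19, 18, event="write", audit_record=False),
]

if __name__ == "__main__":
    for row in classify_batch(SAMPLE_OBSERVATIONS, SAMPLE_STATE):
        print(row)
```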
Since the apparatus described in the second embodiment of the present invention is the apparatus used to implement the method of the first embodiment, a person skilled in the art can understand its specific structure and variations from the method described in the first embodiment, and the details are therefore not repeated here. All apparatus adopted to implement the method of the first embodiment of the present invention fall within the protection scope of the present invention.
Based on the same inventive concept, the application provides an electronic device embodiment corresponding to the first embodiment, which is detailed in the third embodiment.
Example three
The present embodiment provides an electronic device, as shown in fig. 6, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, any implementation manner of the first embodiment may be implemented.
Since the electronic device described in this embodiment is a device used for implementing the method in the first embodiment of the present application, based on the method described in the first embodiment of the present application, a person skilled in the art can understand the specific implementation manner of the electronic device in this embodiment and various variations thereof, and therefore, how to implement the method in the first embodiment of the present application by the electronic device is not described in detail herein. The equipment used by those skilled in the art to implement the methods in the embodiments of the present application is within the scope of the present application.
Based on the same inventive concept, the application also provides a storage medium corresponding to the first embodiment, which is detailed in the fourth embodiment.
Example four
The present embodiment provides a computer-readable storage medium, as shown in fig. 7, on which a computer program is stored, and when the computer program is executed by a processor, any one of the embodiments can be implemented.
The technical scheme provided in the embodiments of the application has at least the following technical effects or advantages: it detects the security of industrial internet connections with a credibility-based data behavior analysis method, establishes a dedicated network model, makes the most direct judgment on the credibility of an industrial connection by mining and analyzing the relations in the data, and sets a corresponding security protection handling operation for each type of abnormal data behavior, thereby establishing an autonomous security defense mechanism that greatly improves the ability of the industrial internet to perceive and detect its own information security state and to respond stably and reliably when necessary, which strongly promotes the information security of the industrial internet. While the industrial internet is not under network attack, the statistical regularity of changes in the relevant data is recorded and used as the reference for judging whether it is under network attack; in addition, abnormal relations in the data are used as the criterion for abnormal data changes. The large amount of industrial historical data stored in the industrial internet serves as samples for training the network model, provides the conditional basis for judgment and makes it easier to grasp the characteristics of external attacks, so the accuracy of judging the type of abnormal data behavior is greatly improved.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus or system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Although specific embodiments of the invention have been described above, it will be understood by those skilled in the art that the specific embodiments described are illustrative only and are not limiting upon the scope of the invention, and that equivalent modifications and variations can be made by those skilled in the art without departing from the spirit of the invention, which is to be limited only by the appended claims.

Claims (10)

1. A method for detecting industrial network data behavior information, characterized in that it comprises the following steps:
modeling and analyzing data behavior: establishing and training an abnormal behavior feature network model and an abnormal data behavior analysis and prediction model, analyzing the data change condition in the connection under test with the two trained models, judging from the data change condition whether the connection has abnormal data behavior and further judging the type of the abnormal data behavior; and measuring the credibility of the data behavior in each connection with a group of credibility indexes;
performing security protection handling: setting corresponding security protection handling operations for the types of abnormal data behavior; monitoring the credibility index of the data behavior in each connection in real time and, when a data change in any connection lowers the credibility index to the preset threshold, automatically triggering and implementing protective measures according to the type of the abnormal data behavior;
wherein a connection is composed of at least two endpoints, a unidirectional or bidirectional connection link, and at least one data stream generated when data of one endpoint is transmitted to another endpoint through the associated communication protocol;
a data change means that the data content or data state in an endpoint or communication link of a connection changes within a certain time period;
the types of abnormal data behavior comprise threat attack class abnormal data behavior and non-threat attack class abnormal data behavior.
2. The method for detecting industrial network data behavior information as claimed in claim 1, characterized in that: the modeling and analyzing of data behavior specifically comprises the following steps:
S11, preprocessing the real-time data of the connection under test, then performing abnormal data detection and, if abnormal data is detected, entering it into a real-time abnormal data set;
S12, storing the real-time abnormal data set into a historical abnormal database, either directly at a fixed time period or after manual labeling, where it serves as training samples of historical abnormal data from known virus or malicious program attacks; the manually labeled content comprises:
classification labels defined for the attack sources, attack objects and attack forms of industrial internet threats;
classification labels defined for abnormal data changes arising in industrial internet connections;
classification labels defined for the possible damage to industrial internet connections;
S13, inputting the historical abnormal data samples into an abnormal behavior feature network model and an abnormal data behavior analysis and prediction model to complete feature extraction and model prediction training, obtaining a trained abnormal behavior feature network model and a trained abnormal data behavior analysis and prediction model;
S14, inputting the real-time abnormal data set under test into the trained abnormal data behavior analysis and prediction model and judging, by feature pattern matching, the type of the real-time abnormal data behavior under test;
S15, calculating a group of credibility indexes for the connection under test and evaluating the credibility that a threat attack exists on the connection; the credibility index is composed of seven security dimensions and is expressed as:
Li_CRED = f(Cxi, Cyi, Czi, Cmi, Cni, Cpi, Cqi);
where Li_CRED denotes the credibility index of the i-th connection;
Cxi denotes the confidentiality of the link data, i.e. sensitive information is not disclosed;
Cyi denotes data integrity, i.e. the data has not been modified without detection;
Czi denotes data availability, i.e. information can be accessed and used when needed;
Cmi denotes identity authentication, i.e. the ownership and access rights of the data are determined and unknown entities are prevented from accessing it;
Cni denotes non-repudiation, i.e. it can be ensured that the system cannot deny that an action was performed;
Cpi denotes resilience, i.e. the system can maintain state awareness and a normal operating level when attacked by a malicious threat;
Cqi denotes safety, i.e. the affected system does not pose a hazard or damage to the environment or people in the event of an attack.
3. The method for detecting industrial network data behavior information as claimed in claim 1, characterized in that: in the security protection handling step, setting the security protection handling operation according to the type of abnormal data behavior specifically comprises: if the abnormal behavior is judged to be of the non-threat attack class, triggering an automatic alarm through the man-machine interaction window; if it is judged to be of the threat attack class, triggering an automatic alarm through the man-machine interaction window and, at the same time, triggering the corresponding data protection module, which automatically filters the data or cuts off the communication link according to its preset processing strategy, or clears and repairs the abnormal data.
4. The method for detecting industrial network data behavior information as claimed in claim 1, characterized in that: a connection carries at least the following five attributes: endpoint type, endpoint name, connection link name, link instance, and the communication protocol associated with the link;
the endpoint types are:
class A endpoints, which refer to industrial terminal equipment and include sensor nodes, actuator nodes, controller nodes, local database nodes and switch nodes;
class B endpoints, which refer to edge data acquisition equipment and include edge gateway device nodes and server nodes;
class C endpoints, which refer to cloud servers and include cloud computing nodes, cloud storage nodes and video server nodes;
class D endpoints, which refer to industrial applications and include web application nodes and mobile terminal nodes;
class E endpoints, which refer to third-party systems or APIs;
the link types and the communication protocols associated with each link are:
the first type of link: connects class A and class B endpoints; the connection link name is recorded as A-B; the associated communication protocols comprise industrial Ethernet protocols, fieldbus protocols and wireless communication network protocols;
the second type of link: connects class B and class C endpoints; the connection link name is recorded as B-C; the associated communication protocols comprise HTTP/HTTPS, WebSocket, MQTT and OPC-UA;
the third type of link: connects class C and class D endpoints; the connection link name is recorded as C-D; the associated communication protocols comprise HTTP/HTTPS, WebSocket, MQTT and OPC-UA;
the fourth type of link: connects class B and class E endpoints; the connection link name is recorded as B-E; the associated communication protocols comprise HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces;
the fifth type of link: connects class C and class E endpoints; the connection link name is recorded as C-E; the associated communication protocols comprise HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces;
the sixth type of link: connects class A endpoints to each other, class B endpoints to each other, or class A and class B endpoints indirectly; the connection link names are recorded as Ai-Aj, Bi-Bj and Ai-Bj respectively; the associated communication protocols comprise industrial Ethernet protocols, fieldbus protocols and wireless communication network protocols;
the seventh type of link: a connection between class D endpoints; the connection link name is recorded as Di-Dj; the associated communication protocols comprise HTTP/HTTPS, WebSocket, MQTT and OPC-UA;
the eighth type of link: a connection between class E endpoints; the connection link name is recorded as Ei-Ej; the associated communication protocols comprise HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces;
the abnormal data behaviors are divided into 8 types, and each type corresponds to a unique behavior label:
the abnormal data behavior label 120110001 represents data stealing, i.e. the interface call or transmission link of the data may have been intercepted;
the abnormal data behavior label 120110002 represents data tampering, i.e. the data value exceeds the preset abnormal-degree threshold range;
the abnormal data behavior label 120110003 represents data loss, i.e. an originally non-empty data value has become null;
the abnormal data behavior label 120110004 represents data falsification, i.e. abnormal data not defined by the system appears;
the abnormal data behavior label 120110005 represents data delay, i.e. the time-sequence label of the data is delayed or out of order;
the abnormal data behavior label 120110006 represents data blocking, i.e. the data cannot be accessed because communication is interrupted;
the abnormal data behavior label 120110007 represents illegal authorization, i.e. the data is transmitted to a suspicious receiver outside the preset authority rules;
the abnormal data behavior label 120110008 represents data repudiation, i.e. an illegal access, authorization or tampering of the data can subsequently be denied.
5. A device for detecting industrial network data behavior information, characterized in that it comprises:
a data behavior modeling and analysis module, used for establishing and training an abnormal behavior feature network model and an abnormal data behavior analysis and prediction model, analyzing the data change condition in the connection under test with the two trained models, judging from the data change condition whether the connection has abnormal data behavior and further judging the type of the abnormal data behavior; and measuring the credibility of the data behavior in each connection with a group of credibility indexes;
a security protection handling module, used for setting a corresponding security protection handling operation for each type of abnormal data behavior; and for monitoring the credibility index of the data behavior in each connection in real time and, when a data change in any connection lowers the credibility index to the preset threshold, automatically triggering and implementing protective measures according to the type of the abnormal data behavior;
wherein a connection is composed of at least two endpoints, a unidirectional or bidirectional connection link, and at least one data stream generated when data of one endpoint is transmitted to another endpoint through the associated communication protocol;
a data change means that the data content or data state in an endpoint or communication link of a connection changes within a certain time period;
the types of abnormal data behavior comprise threat attack class abnormal data behavior and non-threat attack class abnormal data behavior.
6. The device as claimed in claim 5, characterized in that the data behavior modeling and analysis module further comprises:
a preprocessing module, for preprocessing the real-time data of the connection under test;
an abnormal data detection module, for performing abnormal data detection on the preprocessed real-time data of the connection under test and, when abnormal data is detected, entering it into a real-time abnormal data set;
a training sample module, for storing the real-time abnormal data set into a historical abnormal database, either directly at a fixed period or after manual labeling, where it serves as a training sample of historical abnormal data from known virus or malicious-program attacks; the manual labeling comprises:
defining classification labels for the attack source, attack object and attack form of industrial internet threats;
defining classification labels for the abnormal data changes caused in industrial internet connections;
defining classification labels for the possible damage to industrial internet connections;
a training module, for inputting the historical abnormal data samples into the abnormal behavior feature network model and the abnormal data behavior analysis and prediction model to complete feature extraction and prediction-model training, obtaining the trained abnormal behavior feature network model and the trained abnormal data behavior analysis and prediction model;
an analysis and judgment module, for inputting the real-time abnormal data set under test into the trained abnormal data behavior analysis and prediction model and determining the type of the real-time abnormal data behavior under test by feature pattern matching;
a credibility index evaluation module, for computing a group of credibility indexes for the connection under test and evaluating the credibility of the connection under threat attack; the credibility index has seven security dimensions and is expressed as:
Li_CRED = f(Cxi, Cyi, Czi, Cmi, Cni, Cpi, Cqi);
where Li_CRED is the credibility index of the i-th connection;
Cxi is the confidentiality of the link data, i.e. sensitive information is not disclosed;
Cyi is data integrity, i.e. the data has not been modified without detection;
Czi is data availability, i.e. the information can be accessed and used when needed;
Cmi is identity authentication, i.e. the owning authority of the data is established and unknown entities cannot access it;
Cni is non-repudiation, i.e. the system cannot deny that a given action was performed;
Cpi is resilience, i.e. the system keeps its state awareness and normal operating level while under attack by malicious threats;
Cqi is safety, i.e. the affected system causes no hazard or damage to the environment or to people when attacked.
7. The device as claimed in claim 5, characterized in that the security protection handling module sets the corresponding security protection handling operation for each type of abnormal data behavior as follows: if the abnormal behavior is judged to be of the non-threat-attack type, an automatic alarm is triggered through the human-machine interaction window; if it is judged to be of the threat-attack type, an automatic alarm is triggered through the human-machine interaction window and, at the same time, the corresponding data protection module is triggered, which, according to its preset handling strategy, automatically filters the data, cuts off the communication link, or clears and repairs the abnormal data.
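The credibility index Li_CRED of claim 6 together with the threshold trigger of claim 5 and the handling rule of claim 7, as an added example in Python (not the patent's own code): the patent only states Li_CRED = f(Cxi, ..., Cqi), so the equal-weight mean, the threshold value, the action names and the per-tag strategy table below are assumptions of this example. The handler acts once, on the drop to the threshold, rather than on every sample while the index stays low, so one incident produces one handling run.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# The seven dimensions of Li_CRED in claim 6: confidentiality, integrity,
# availability, authentication, non-repudiation, resilience, safety.
DIMS = ("Cx", "Cy", "Cz", "Cm", "Cn", "Cp", "Cq")
# Claim 6 gives only Li_CRED = f(...); an equal-weight mean is this example's assumption.
EQUAL_WEIGHTS = {d: 1.0 / len(DIMS) for d in DIMS}


def cred_index(scores: Dict[str, float], weights: Dict[str, float] = EQUAL_WEIGHTS) -> float:
    """Li_CRED for one connection from per-dimension scores in [0, 1] (1 = fully trusted)."""
    missing = set(DIMS) - set(scores)
    if missing:
        raise ValueError(f"missing dimensions: {sorted(missing)}")
    for d in DIMS:
        if not 0.0 <= scores[d] <= 1.0:
            raise ValueError(f"{d} out of range: {scores[d]}")
    return sum(weights[d] * scores[d] for d in DIMS)


@dataclass
class ProtectionHandler:
    """Claim 5/7 handling: watch each connection's index and act when it drops
    to the preset threshold.  Action names and the strategy table are assumed."""
    threshold: float
    strategy: Dict[int, str]                       # behaviour tag -> preset action
    last_index: Dict[str, float] = field(default_factory=dict)

    def on_update(self, link: str, scores: Dict[str, float], tag: int, threat_attack: bool) -> List[str]:
        """Recompute the link's index and return the actions to execute (possibly none)."""
        idx = cred_index(scores)
        prev = self.last_index.get(link)
        self.last_index[link] = idx
        # Edge-triggered: act on the drop to the threshold, not on every sample
        # while the index remains low.
        if idx > self.threshold or (prev is not None and prev <= self.threshold):
            return []
        actions = ["hmi_alarm"]                       # both branches of claim 7 raise an alarm
        if threat_attack:                             # threat-attack type: also protect the data
            actions.append(self.strategy.get(tag, "cut_link"))  # unknown tag: fail closed
        return actions


if __name__ == "__main__":
    h = ProtectionHandler(threshold=0.7, strategy={120110002: "repair_data", 120110006: "cut_link"})
    healthy = {d: 0.95 for d in DIMS}
    degraded = dict(healthy, Cy=0.0, Cz=0.0, Cm=0.2)   # integrity and availability collapsed
    print(h.on_update("A-B#1", healthy, 0, False))
    print(h.on_update("A-B#1", degraded, 120110002, True))
    print(h.on_update("A-B#1", degraded, 120110002, True))
```

Unknown tags on a threat-attack-type behaviour default to cutting the link, the most conservative of the three actions in claim 7; a deployment that prefers availability over containment would change that default per link type.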
8. The device as claimed in claim 5, characterized in that a connection carries at least the following five attributes: endpoint type, endpoint name, connection link name, link instance, and the communication protocol associated with the link;
the endpoint types comprise:
class A endpoints, which are industrial terminal devices and comprise sensor nodes, actuator nodes, controller nodes, local database nodes and switch nodes;
class B endpoints, which are edge data acquisition devices and comprise edge gateway device nodes and server nodes;
class C endpoints, which are cloud servers and comprise cloud computing nodes, cloud storage nodes and video server nodes;
class D endpoints, which are industrial applications and comprise web application nodes and mobile terminal nodes;
class E endpoints, which are third-party systems or APIs;
the communication protocols associated with the links are:
link type 1 connects class A and class B endpoints, and its connection link name is recorded as A-B; the associated communication protocols comprise industrial Ethernet protocols, fieldbus protocols and wireless communication network protocols;
link type 2 connects class B and class C endpoints, and its connection link name is recorded as B-C; the associated communication protocols comprise HTTP/HTTPS, WebSocket, MQTT and OPC-UA;
link type 3 connects class C and class D endpoints, and its connection link name is recorded as C-D; the associated communication protocols comprise HTTP/HTTPS, WebSocket, MQTT and OPC-UA;
link type 4 connects class B and class E endpoints, and its connection link name is recorded as B-E; the associated communication protocols comprise HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces;
link type 5 connects class C and class E endpoints, and its connection link name is recorded as C-E; the associated communication protocols comprise HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces;
link type 6 connects class A endpoints with each other, class B endpoints with each other, or class A and class B endpoints indirectly; the connection link names are recorded as Ai-Aj, Bi-Bj and Ai-Bj respectively; the associated communication protocols comprise industrial Ethernet protocols, fieldbus protocols and wireless communication network protocols;
link type 7 is a connection between class D endpoints, and its connection link name is recorded as Di-Dj; the associated communication protocols comprise HTTP/HTTPS, WebSocket, MQTT and OPC-UA;
link type 8 is a connection between class E endpoints, and its connection link name is recorded as Ei-Ej; the associated communication protocols comprise HTTP/HTTPS, MQTT, OPC server, WebSocket, Modbus TCP/RTU server and third-party data source API interfaces;
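The connection model of claim 8 as an executable allow-list, added here as an illustration and not code from the patent: endpoint classes A to E, the eight link types and their associated protocols are encoded as tables, and a connection is rejected when its endpoint pair has no link type in the model (a controller talking straight to a web application, for instance) or when its protocol is not one associated with that link type. The node-kind and protocol spellings, the `Connection` field names and the `validate` function are this example's assumptions; the indirect A-B case of link type 6 shares link type 1's protocols, so it needs no separate table entry.

```python
from __future__ import annotations
from dataclasses import dataclass

# Endpoint classes A..E of claim 8 and the node kinds each comprises
# (string spellings are assumptions of this example).
ENDPOINT_CLASSES = {
    "A": {"sensor", "actuator", "controller", "local_database", "switch"},
    "B": {"edge_gateway", "edge_server"},
    "C": {"cloud_compute", "cloud_storage", "video_server"},
    "D": {"web_app", "mobile_terminal"},
    "E": {"third_party_system", "third_party_api"},
}
NODE_KIND_TO_CLASS = {kind: cls for cls, kinds in ENDPOINT_CLASSES.items() for kind in kinds}

# Protocol families named in claim 8 (spellings assumed).
FIELD_LEVEL = {"industrial_ethernet", "fieldbus", "wireless"}
IT_LEVEL = {"http", "https", "websocket", "mqtt", "opc_ua"}
THIRD_PARTY = {"http", "https", "mqtt", "opc_server", "websocket",
               "modbus_tcp", "modbus_rtu", "third_party_api"}

# Link types 1..8 of claim 8, keyed by the unordered pair of endpoint classes.
# Any pair absent here (A-C, A-D, B-D, ...) has no link type in the model.
LINK_TYPES = {
    frozenset({"A", "B"}): (1, FIELD_LEVEL),
    frozenset({"B", "C"}): (2, IT_LEVEL),
    frozenset({"C", "D"}): (3, IT_LEVEL),
    frozenset({"B", "E"}): (4, THIRD_PARTY),
    frozenset({"C", "E"}): (5, THIRD_PARTY),
    frozenset({"A"}): (6, FIELD_LEVEL),
    frozenset({"B"}): (6, FIELD_LEVEL),
    frozenset({"D"}): (7, IT_LEVEL),
    frozenset({"E"}): (8, THIRD_PARTY),
}


@dataclass(frozen=True)
class Connection:
    """The five attributes of claim 8: endpoint type and name at both ends,
    the link name (derived), the link instance and the associated protocol."""
    src_name: str
    src_kind: str
    dst_name: str
    dst_kind: str
    protocol: str
    instance: int = 0

    def link_name(self) -> str:
        a, b = sorted((NODE_KIND_TO_CLASS[self.src_kind], NODE_KIND_TO_CLASS[self.dst_kind]))
        return f"{a}-{b}" if a != b else f"{a}i-{a}j"


def validate(conn: Connection) -> list[str]:
    """Check one connection against the model; an empty list means accepted."""
    problems = []
    for kind in (conn.src_kind, conn.dst_kind):
        if kind not in NODE_KIND_TO_CLASS:
            problems.append(f"unknown endpoint kind {kind!r}")
    if problems:
        return problems
    pair = frozenset({NODE_KIND_TO_CLASS[conn.src_kind], NODE_KIND_TO_CLASS[conn.dst_kind]})
    entry = LINK_TYPES.get(pair)
    if entry is None:
        problems.append(f"no link type defined between classes {'/'.join(sorted(pair))}")
        return problems
    link_type, allowed = entry
    if conn.protocol not in allowed:
        problems.append(
            f"protocol {conn.protocol!r} not associated with link type {link_type} ({conn.link_name()})")
    return problems


if __name__ == "__main__":
    for c in (Connection("plc-07", "controller", "gw-1", "edge_gateway", "fieldbus"),
              Connection("plc-07", "controller", "gw-1", "edge_gateway", "https"),
              Connection("plc-07", "controller", "portal", "web_app", "https")):
        print(c.link_name(), validate(c) or "accepted")
```

Run as a pre-admission check on the connection inventory, this catches the two cases that a per-protocol firewall rule does not express on its own: an endpoint pair the model never defined, and a permitted protocol appearing on the wrong class of link.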
abnormal data behavior is divided into 8 types, each with a unique behavior label:
the abnormal data behavior label 120110001 represents data stealing, meaning that the data may be intercepted or eavesdropped at an interface call or on the transmission link;
the abnormal data behavior label 120110002 represents data tampering, meaning that the data value exceeds the preset abnormality-degree threshold range;
the abnormal data behavior label 120110003 represents data loss, meaning that an originally non-empty data value becomes null;
the abnormal data behavior label 120110004 represents data forgery, meaning that data not defined in the system appears;
the abnormal data behavior label 120110005 represents data delay, meaning that the time-sequence label of the data is delayed or out of order;
the abnormal data behavior label 120110006 represents data blocking, meaning that the data cannot be accessed because communication is interrupted;
the abnormal data behavior label 120110007 represents illegal authorization, meaning that the data is transmitted, outside the preset authority rules, to a suspicious receiving object;
the abnormal data behavior label 120110008 represents data repudiation, meaning that after the data has been illegally accessed, authorized or tampered with, the act can be denied.
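Rule-based labelling with the eight behavior tags of claim 8, added here as an illustration (not the patent's code, whose judgment module uses a trained model): each rule applies the tag's own definition to a constructed data stream, so an out-of-range value becomes 120110002, a previously non-empty point that turns null 120110003, an undefined point 120110004, a regressing time-sequence label 120110005, silence longer than the allowed gap 120110006, and delivery to a receiver outside the preset rules 120110007. Data stealing (120110001) and data repudiation (120110008) cannot be decided from the values alone and are left to link-level and audit evidence. The `Sample` and `LinkPolicy` fields, the normal ranges, the gap and the stream itself are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Behaviour tags of claim 8.
TAG = {"steal": 120110001, "tamper": 120110002, "loss": 120110003, "forge": 120110004,
       "delay": 120110005, "block": 120110006, "unauthorized": 120110007, "repudiate": 120110008}


@dataclass
class Sample:
    ts: float                 # time-sequence label of the data point (seconds, assumed)
    tag: str                  # data point identifier
    value: Optional[float]    # None models a null value
    receiver: str             # endpoint the value was delivered to


@dataclass
class LinkPolicy:
    defined: Dict[str, Tuple[float, float]]  # defined data points -> preset normal range
    receivers: Set[str]                      # preset authority rule: allowed receivers
    max_gap: float                           # seconds of silence that count as blocking


def label_stream(samples: List[Sample], policy: LinkPolicy, now: float) -> List[Tuple[int, int]]:
    """Return (behaviour tag, sample index) for each rule that fires.  The blocking
    finding carries index len(samples) because it is about absent data, not a sample."""
    findings = []
    last_ts = None
    seen_nonnull = set()
    for i, s in enumerate(samples):
        if s.tag not in policy.defined:
            findings.append((TAG["forge"], i))          # 120110004: undefined data appears
            continue
        if s.receiver not in policy.receivers:
            findings.append((TAG["unauthorized"], i))   # 120110007: receiver outside the rules
        if last_ts is not None and s.ts < last_ts:
            findings.append((TAG["delay"], i))          # 120110005: sequence label out of order
        last_ts = s.ts if last_ts is None else max(last_ts, s.ts)
        if s.value is None:
            if s.tag in seen_nonnull:
                findings.append((TAG["loss"], i))       # 120110003: non-empty became null
            continue
        seen_nonnull.add(s.tag)
        lo, hi = policy.defined[s.tag]
        if not lo <= s.value <= hi:
            findings.append((TAG["tamper"], i))         # 120110002: outside preset range
    if last_ts is None or now - last_ts > policy.max_gap:
        findings.append((TAG["block"], len(samples)))   # 120110006: communication interrupted
    return findings


# Constructed stream for one A-B link (not captured data).
POLICY = LinkPolicy(defined={"tank1.level": (0.0, 100.0), "pump1.rpm": (0.0, 3000.0)},
                    receivers={"edge-gw-1"}, max_gap=5.0)
STREAM = [
    Sample(10.0, "tank1.level", 42.5, "edge-gw-1"),
    Sample(11.0, "pump1.rpm", 1450.0, "edge-gw-1"),
    Sample(12.0, "tank1.level", 512.0, "edge-gw-1"),   # beyond range         -> tamper
    Sample(11.5, "pump1.rpm", 1460.0, "edge-gw-1"),    # timestamp regressed  -> delay
    Sample(13.0, "tank1.level", None, "edge-gw-1"),    # was non-null         -> loss
    Sample(14.0, "valve9.pos", 1.0, "edge-gw-1"),      # undefined point      -> forge
    Sample(15.0, "pump1.rpm", 1470.0, "laptop-x"),     # receiver not allowed -> unauthorized
]

if __name__ == "__main__":
    for tag, idx in label_stream(STREAM, POLICY, now=30.0):
        print(tag, idx)
```

Note that a forged (undefined) point does not advance the link's last-seen time, so injected junk cannot mask a blocked link, and that a null for a point never seen non-empty is not reported as loss, matching the tag's definition.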
9. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor, when executing the program, implements the method of any one of claims 1 to 4.
10. A computer-readable storage medium on which a computer program is stored, which, when executed by a processor, carries out the method of any one of claims 1 to 4.
CN202111655150.2A 2021-12-30 2021-12-30 Method, device, equipment and medium for detecting industrial network data behavior information Pending CN114666088A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111655150.2A CN114666088A (en) 2021-12-30 2021-12-30 Method, device, equipment and medium for detecting industrial network data behavior information

Publications (1)

Publication Number Publication Date
CN114666088A true CN114666088A (en) 2022-06-24

Family

ID=82025614

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115580490A (en) * 2022-11-25 2023-01-06 国家工业信息安全发展研究中心 Industrial Internet edge device behavior detection method, device, equipment and medium
CN115580490B (en) * 2022-11-25 2023-03-24 国家工业信息安全发展研究中心 Industrial Internet edge device behavior detection method, device, equipment and medium
CN115630373A (en) * 2022-12-21 2023-01-20 四川知行志成科技有限公司 Cloud service security analysis method, monitoring equipment and analysis system
CN115660444A (en) * 2022-12-02 2023-01-31 中国兵器科学研究院 Defense control method and device, electronic equipment and storage medium
CN115660444B (en) * 2022-12-02 2023-08-15 中国兵器科学研究院 Defense control method and device, electronic equipment and storage medium
CN117424758A (en) * 2023-12-18 2024-01-19 国家电网有限公司客户服务中心 Probing attack blocking method capable of adaptively adjusting access rights
CN117424758B (en) * 2023-12-18 2024-03-08 国家电网有限公司客户服务中心 Probing attack blocking method capable of adaptively adjusting access rights

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070192344A1 (en) * 2005-12-29 2007-08-16 Microsoft Corporation Threats and countermeasures schema
CN108063753A (en) * 2017-11-10 2018-05-22 全球能源互联网研究院有限公司 A kind of information safety monitoring method and system
CN108259462A (en) * 2017-11-29 2018-07-06 国网吉林省电力有限公司信息通信公司 Big data Safety Analysis System based on mass network monitoring data
CN109889476A (en) * 2018-12-05 2019-06-14 国网冀北电力有限公司信息通信分公司 A kind of network safety protection method and network security protection system
US20200358792A1 (en) * 2018-02-20 2020-11-12 Darktrace Limited Artificial intelligence (ai) based cyber threat analyst to support a cyber security appliance
CN113556354A (en) * 2021-07-29 2021-10-26 国家工业信息安全发展研究中心 Industrial Internet security threat detection method and system based on flow analysis
CN113645232A (en) * 2021-08-10 2021-11-12 克拉玛依和中云网技术发展有限公司 Intelligent flow monitoring method and system for industrial internet and storage medium


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Zheng Song; Zheng Rong: "Research on the connection and security model of the industrial internet" (工业互联网连接与安全模型研究), Automation Panorama (自动化博览), vol. 38, no. 01, p. 73 *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20220624