CN114969672B - Safety protection method, device and system for industrial control host and storage medium - Google Patents

Info

Publication number: CN114969672B
Application number: CN202210919116.XA
Other versions: CN114969672A (application publication)
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active (granted)
Inventors: 申志明, 彭启航
Assignees (current and original): Beijing 6Cloud Technology Co Ltd; Beijing 6Cloud Information Technology Co Ltd
Prior art keywords: industrial control, files, white list, control host, file
Classifications

    • G06F 21/105 Arrangements for software license management or administration, e.g. for managing licenses at corporate level (under G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]; G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing, calculating or counting; G Physics)
    • G06F 21/121 Restricting unauthorised execution of programs (under G06F 21/12 Protecting executable software; G06F 21/10; G06F 21/00)
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities (under G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements; G06F 21/55 Detecting local intrusion or implementing counter-measures; G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; G06F 21/00)
    • H04L 63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L 63/1441 Countermeasures against malicious traffic; H04L 63/14 Network security for detecting or protecting against malicious traffic; H04L 63/00 Network architectures or network communication protocols for network security; H04L Transmission of digital information, e.g. telegraphic communication; H04 Electric communication technique; H Electricity)
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (under Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation; Y02P Climate change mitigation technologies in the production or processing of goods; Y02 Technologies or applications for mitigation or adaptation against climate change; Y General tagging of new technological developments, of cross-sectional technologies spanning over several sections of the IPC, and of technical subjects covered by former USPC cross-reference art collections [XRACs] and digests)

Abstract

The invention discloses a safety protection method, device, system and storage medium for an industrial control host. The method comprises the following steps: performing a system scan of the industrial control host's operating program files and extracting a file information set of those programs; filtering the list of to-be-confirmed files of each operating program in the file information set according to preset white list filtering rules, in linkage with terminal software and/or a management platform; and determining the white list of the industrial control host from the filtering result. The operating program list of each industrial control host is filtered layer by layer through the preset white list filtering rules and in linkage with the management platform, which greatly improves the accuracy and safety of the host's operating white list. The white list filtering process is fully automatic and needs no manual intervention except threat analysis of unknown files, so the workload of white list collection and deployment does not increase and the protective effect improves without the user noticing.

Description

Safety protection method, device and system for industrial control host and storage medium
Technical Field
The invention relates to the field of industrial control safety, in particular to a safety protection method, a device and a system of an industrial control host and a storage medium.
Background
In recent years network security incidents have become frequent, and industrial control systems, an important component of national critical information infrastructure, face growing threats. The security of the industrial control host comes first: once the host is compromised, at best production is disrupted for a time, at worst equipment is damaged and the whole plant suffers the loss.
Industrial control hosts (also called upper computers, industrial personal computers, workstations and so on) are important components of industrial control systems. The host reads large volumes of data from the controllers, issues control instructions, manages the production workflow and process, monitors state, collects operating data and stores important information; it is the command centre of the whole industrial control system. Because of this importance, the software installed on an industrial control host is relatively fixed and changes little in most plants. Production-line scenarios also have zero tolerance for machine downtime and abnormal program exits, since the failure of any one machine lowers the throughput of the whole line. Protection of the industrial control host therefore mostly uses a white list: the host's day-to-day operating programs are placed on the white list, and execution of any other program not on the list is intercepted, which safeguards the host.
An industrial control host white list can secure the field host without affecting production. However, for various reasons many enterprises do not collect a white list at the outset and only begin network security construction midway, by which time malicious programs are already stored on many machines. When the white list is then collected from the user's host, the malicious programs are easily mistaken for normal files, so that even after the security construction is complete they continue to run and undermine the secure operation of the field host.
Disclosure of Invention
The main purpose of the invention is to provide a safety protection method, device and system for an industrial control host and a storage medium, aiming to improve the accuracy of the industrial control host's operating white list and guarantee the security of the host.
To achieve this, the invention provides a safety protection method for an industrial control host, comprising the following steps:
performing a system scan of the industrial control host's operating program files and extracting a file information set of the operating programs;
based on preset white list filtering rules, in linkage with terminal software and/or a management platform, filtering the list of to-be-confirmed files of each operating program in the file information set;
and determining the white list of the industrial control host from the filtering result.
Optionally, the step of filtering the list of to-be-confirmed files of each operating program in the file information set, based on preset white list filtering rules and in linkage with terminal software and/or a management platform, includes:
comparing each operating program file in the file information set against an industrial control software feature library preset in the terminal software;
and marking the operating program files whose comparison matches as trusted files.
Optionally, the same filtering step further includes:
scanning the to-be-confirmed files of the file information set with a virus checking engine preset in the terminal software, and marking the files the engine reports as untrusted files; or alternatively
after each operating program file in the file information set has been compared against the industrial control software feature library preset in the terminal software, scanning only the files whose comparison does not match with the preset virus checking engine, and marking the files the engine reports as untrusted files.
Optionally, after the step of marking the files reported by the virus checking engine as untrusted, the method further includes:
obtaining the characteristic values of the remaining unmarked to-be-confirmed files;
uploading those characteristic values to a network security centralized management platform;
matching the remaining unmarked to-be-confirmed files against a malicious file feature library and a white list library preset on the network security centralized management platform;
and marking files that match the white list library as trusted and files that match the malicious file feature library as untrusted.
Optionally, the method further includes:
judging whether unmarked to-be-confirmed files remain;
if so, uploading the currently unmarked to-be-confirmed files to the cloud through the network security centralized management platform, comparing them against the white list library accumulated by the cloud and a malicious file feature library updated in real time, and, according to the comparison result, marking files that match the cloud white list library as trusted and files that match the cloud malicious file feature library as untrusted.
Optionally, the method further includes:
judging whether unmarked unknown files exist;
if so, analysing the unknown files manually and deciding whether to mark them as trusted.
Optionally, the step of determining the white list of the industrial control host from the filtering result includes:
generating the white list of the industrial control host from all the trusted files in the list of to-be-confirmed files.
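The layered grey-to-white filtering above, written out as an added worked example in Python; this is not code from the patent or from the assignee's product. It assumes SHA-256 of the file bytes as the "characteristic value", represents each feature library as a set of such hashes, and replaces the virus checking engine, the management platform and the cloud with stand-in functions over constructed data; the file paths and contents are constructed placeholders. Each layer runs only over files the earlier layers left to-be-confirmed, a virus-engine hit marks a file untrusted while a clean scan leaves it grey, a malicious-library match takes precedence over a white-list match (an added design choice the patent does not state), and files no layer can decide are returned for manual analysis rather than silently whitelisted.

```python
"""Grey-to-white filtering of an industrial control host's program inventory.
Added example, not the patent's code. Assumptions: SHA-256 of the file bytes is
the "characteristic value"; each library is a set of such hashes; the virus
engine, management platform and cloud are stand-ins over constructed data."""
import hashlib
from dataclasses import dataclass, field

TO_CONFIRM, TRUSTED, UNTRUSTED = "to_confirm", "trusted", "untrusted"


def feature_value(data: bytes) -> str:
    """Characteristic value of a file (assumption: SHA-256 of its bytes)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class FileRecord:
    path: str
    content: bytes            # a real agent reads this from disk
    state: str = TO_CONFIRM   # every grey-list entry starts here
    reason: str = ""
    feature: str = field(init=False)

    def __post_init__(self):
        self.feature = feature_value(self.content)


# Constructed placeholder contents standing in for real binaries.
HMI_RT, ENG_TOOL = b"placeholder WinCC runtime", b"placeholder engineering tool"
DROPPER, LEGACY = b"placeholder dropper MALWARE_SIG", b"placeholder old utility"
UNKNOWN = b"placeholder binary nobody knows"

LOCAL_ICS_LIBRARY = {feature_value(HMI_RT)}              # built into the terminal
PLATFORM_WHITE, PLATFORM_MALICIOUS = {feature_value(ENG_TOOL)}, set()
CLOUD_WHITE, CLOUD_MALICIOUS = {feature_value(LEGACY)}, set()


def av_engine_flags(data: bytes) -> bool:
    """Stand-in for the terminal's virus checking engine: one byte signature."""
    return b"MALWARE_SIG" in data

def stage_local_library(pending):
    for r in pending:
        if r.feature in LOCAL_ICS_LIBRARY:
            r.state, r.reason = TRUSTED, "local ICS feature library"

def stage_av_engine(pending):
    # A hit is conclusive; a clean scan proves nothing, so the file stays grey.
    for r in pending:
        if av_engine_flags(r.content):
            r.state, r.reason = UNTRUSTED, "terminal virus engine"

def match_libraries(pending, white, malicious, source):
    # Only the hash leaves the host. A malicious match outranks a white match
    # (added precedence rule; the patent does not state one).
    for r in pending:
        if r.feature in malicious:
            r.state, r.reason = UNTRUSTED, source + " malicious file library"
        elif r.feature in white:
            r.state, r.reason = TRUSTED, source + " white list library"

STAGES = [
    stage_local_library,
    stage_av_engine,
    lambda p: match_libraries(p, PLATFORM_WHITE, PLATFORM_MALICIOUS, "platform"),
    lambda p: match_libraries(p, CLOUD_WHITE, CLOUD_MALICIOUS, "cloud"),
]

def filter_grey_list(records):
    """Run each layer only over the files earlier layers left to-be-confirmed."""
    for stage in STAGES:
        pending = [r for r in records if r.state == TO_CONFIRM]
        if not pending:
            break
        stage(pending)
    return records

def unknown_files(records):
    """Files no layer could decide; these go to manual threat analysis."""
    return [r.path for r in records if r.state == TO_CONFIRM]

def manual_verdict(records, path, trusted):
    for r in records:
        if r.path == path and r.state == TO_CONFIRM:
            r.state, r.reason = (TRUSTED if trusted else UNTRUSTED), "manual analysis"

def build_white_list(records):
    """White list keyed by hash: trusted entries only, so unknowns never leak in."""
    return {r.feature: r.path for r in records if r.state == TRUSTED}

def sample_grey_list():
    return [FileRecord("C:/Siemens/WinCC/WinCCRT.exe", HMI_RT),
            FileRecord("C:/Tools/EngTool.exe", ENG_TOOL),
            FileRecord("C:/Users/op/Downloads/update.exe", DROPPER),
            FileRecord("C:/Tools/legacy.exe", LEGACY),
            FileRecord("C:/Temp/svch0st.exe", UNKNOWN)]

if __name__ == "__main__":
    for r in filter_grey_list(sample_grey_list()):
        print(f"{r.state:10} {r.path}  ({r.reason or 'needs manual analysis'})")
```

Running the module prints the state and reason for each sample file; `svch0st.exe` comes back as the one unknown file awaiting a manual verdict. The white list is keyed by hash rather than by path because the enforcement decision is about the file's identity, not where it was found, and because a path-keyed list would let an attacker drop a malicious binary over an approved path.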
An embodiment of the invention also provides a safety protection device for an industrial control host, comprising:
a file information extraction module, which performs a system scan of the industrial control host's operating program files and extracts a file information set of the operating programs;
a filtering module, which filters the list of to-be-confirmed files of each operating program in the file information set based on preset white list filtering rules and in linkage with terminal software and/or a management platform;
and a white list determining module, which determines the white list of the industrial control host from the filtering result.
An embodiment of the invention also provides a safety protection system for an industrial control host. The system comprises a terminal and a management platform. The terminal comprises a memory, a processor and a safety protection program for the industrial control host that is stored in the memory and can run on the processor; when the processor executes the program, the steps of the safety protection method described above are carried out.
The management platform receives the characteristic values of the remaining unmarked to-be-confirmed files uploaded by the terminal and matches them against a malicious file feature library and a white list library preset on the platform, marking files that match the white list library as trusted and files that match the malicious file feature library as untrusted; when unmarked to-be-confirmed files still remain, it uploads them to the cloud, where they are compared against the white list library accumulated by the cloud and a malicious file feature library updated in real time, and according to the comparison result files that match the cloud white list library are marked trusted and files that match the cloud malicious file feature library are marked untrusted.
An embodiment of the invention further provides a computer-readable storage medium storing a safety protection program for the industrial control host; when the program is executed by a processor, the steps of the safety protection method described above are carried out.
In the safety protection method, device, system and storage medium provided by the embodiments of the invention, a system scan of the industrial control host's operating program files yields a file information set of the operating programs; the list of to-be-confirmed files of each operating program in that set is filtered based on preset white list filtering rules and in linkage with terminal software and/or a management platform; and the white list of the host is determined from the filtering result. The operating program list of each host is thus filtered layer by layer by the preset rules and in linkage with the management platform, which greatly improves the accuracy and safety of the host's operating white list and makes the protective effect of the white list real. Moreover, the filtering of the reported list is fully automatic and needs no manual intervention beyond threat analysis of unknown files, so the workload of white list collection and deployment does not grow, protection improves without the user noticing, and the on-site user experience improves.
Drawings
FIG. 1 is a functional block diagram of a terminal device to which a safety protection device of an industrial control host belongs;
FIG. 2 is a flowchart of an exemplary embodiment of the safety protection method for an industrial control host according to the present invention;
FIG. 3 is a flowchart of another exemplary embodiment of the safety protection method for an industrial control host according to the present invention;
FIG. 4 is a schematic structural diagram of a safety protection system for an industrial control host according to an exemplary embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit it.
The main solution of the embodiment of the invention is as follows: performing a system scan of the industrial control host's operating program files and extracting a file information set of the operating programs; filtering the list of to-be-confirmed files of each operating program in the file information set based on preset white list filtering rules; and determining the white list of the industrial control host from the filtering result. The operating program list of each host is thus filtered layer by layer by the preset white list filtering rules and in linkage with the management platform, which greatly improves the accuracy and safety of the host's operating white list and makes the protective effect of the white list real. Moreover, the filtering of the reported list is fully automatic and needs no manual intervention beyond threat analysis of unknown files, so the workload of white list collection and deployment does not grow, protection improves without the user noticing, and the on-site user experience improves.
The technical terms used in the embodiment of the invention are as follows:
A white list may be understood simply as the set of "users" that are allowed to pass; in contrast to a black list, no "user" outside the white list may pass. The basic working principle of whitelisting is to identify whether a process or file in the system has approved attributes, commonly the process name, file name, publisher name, digital signature and so on. Of these, a file name or process name is trivially spoofed, so a robust white list keys on the file's hash or a verified digital signature. Whitelisting technology lets an enterprise approve which processes are allowed to run on a particular system. Some vendor products cover only executable files, while others also cover scripts and macros and can block a wider range of files. An increasingly popular whitelisting approach is "application control", which focuses exclusively on governing the behaviour of endpoint applications. Whitelisting resists malware and targeted attacks because, by default, no unauthorised software, tool or process can run on the endpoint: if malware attempts to install itself on a whitelisted endpoint, the whitelisting technology can determine that it is not a trusted process and deny it the right to run. Whitelisting can be used not only to prevent processes from running but also to raise alerts. It also helps resist advanced memory injection attacks: the technology can verify all approved processes running in memory and ensure they are not modified at runtime, thereby defending against advanced memory exploits. Advanced attacks typically involve the manipulation of legitimate applications; when such attacks involve memory violations, suspicious process behaviour, configuration changes or operating system tampering, a whitelisting product can identify them and raise an alert.
The present embodiment takes into account that, in the prior art, many enterprises do not collect a white list at the outset for various reasons and only build network security midway, by which time malicious programs are already stored on many machines. When the white list of the user's host is then collected, the malicious programs are easily mistaken for normal files, so that they keep running even though network security has been built: a blind spot right under the lamp, where the protection is in place yet the malware sits inside it.
To solve this problem, the invention adopts a collect-then-filter detection method: the original files collected from the host are called a "grey list", and the grey list is screened from grey to white by the industrial control host terminal protection program together with the network security centralized management platform, so that the white list finally deployed on the industrial control host is safe and reliable, which improves the accuracy of the host's operating white list and guarantees the security of the host.
Specifically, referring to FIG. 1, FIG. 1 is a schematic functional module diagram of a terminal device to which a safety protection device of an industrial control host belongs. The safety protection device may be a device independent of the terminal equipment that can perform network attack detection, or it may be carried on the terminal equipment in hardware or software form. The terminal device may be a smart mobile terminal with data-processing capability, such as a mobile phone or a tablet computer, or a fixed terminal device or server with data-processing capability.
In this embodiment, the terminal device to which the safety protection device of the industrial control host belongs comprises at least an output module 110, a processor 120, a memory 130 and a communication module 140.
The memory 130 stores an operating system and the safety protection program of the industrial control host; the output module 110 may be a display screen or the like. The communication module 140 may include a Wi-Fi module, a mobile communication module, a Bluetooth module and the like, through which the device communicates with external equipment or a server.
When executed by the processor, the safety protection program of the industrial control host in the memory 130 implements the following steps:
performing a system scan of the industrial control host's operating program files and extracting a file information set of the operating programs;
based on preset white list filtering rules, in linkage with terminal software and/or a management platform, filtering the list of to-be-confirmed files of each operating program in the file information set;
and determining the white list of the industrial control host from the filtering result.
Further, when executed by the processor, the safety protection program in the memory 130 also implements the following steps:
comparing each operating program file in the file information set against a preset industrial control software feature library;
and marking the operating program files whose comparison matches as trusted files.
Further, when executed by the processor, the safety protection program in the memory 130 also implements the following steps:
scanning the to-be-confirmed files of the file information set with a virus checking engine preset in the terminal software, and marking the files the engine reports as untrusted files; or
after each operating program file in the file information set has been compared against the industrial control software feature library preset in the terminal software, scanning only the files whose comparison does not match with the preset virus checking engine, and marking the files the engine reports as untrusted files.
Further, when executed by the processor, the safety protection program in the memory 130 also implements the following steps:
obtaining the characteristic values of the remaining unmarked to-be-confirmed files;
uploading those characteristic values to a network security centralized management platform;
matching the remaining unmarked to-be-confirmed files against a malicious file feature library and a white list library preset on the network security centralized management platform;
and marking files that match the white list library as trusted and files that match the malicious file feature library as untrusted.
Further, when executed by the processor, the safety protection program in the memory 130 also implements the following steps:
judging whether unmarked to-be-confirmed files remain;
if so, uploading the currently unmarked to-be-confirmed files to the cloud through the network security centralized management platform, comparing them against the white list library accumulated by the cloud and a malicious file feature library updated in real time, and, according to the comparison result, marking files that match the cloud white list library as trusted and files that match the cloud malicious file feature library as untrusted.
Further, when executed by the processor, the safety protection program in the memory 130 also implements the following steps:
judging whether unmarked unknown files exist;
if so, analysing the unknown files manually and deciding whether to mark them as trusted.
Further, when executed by the processor, the safety protection program in the memory 130 also implements the following step:
generating the white list of the industrial control host from all the trusted files in the list of to-be-confirmed files.
In this scheme, a system scan of the industrial control host's operating program files yields a file information set of the operating programs; the list of to-be-confirmed files of each operating program in that set is filtered based on preset white list filtering rules and in linkage with terminal software and/or a management platform; and the white list of the host is determined from the filtering result. The operating program list of each host is thus filtered layer by layer by the preset white list filtering rules and in linkage with the management platform, which greatly improves the accuracy and safety of the host's operating white list and makes the protective effect of the white list real. Moreover, the filtering of the reported list is fully automatic and needs no manual intervention beyond threat analysis of unknown files, so the workload of white list collection and deployment does not grow, protection improves without the user noticing, and the on-site user experience improves.
Based on the above terminal device architecture but not limited to the above architecture, embodiments of the method of the present invention are presented.
The executing entity of the method in this embodiment may be the safety protection device of the industrial control host, a terminal device, or the like; this embodiment takes the safety protection device of the industrial control host as the example.
Referring to FIG. 2, FIG. 2 is a schematic flowchart of an exemplary embodiment of the safety protection method for an industrial control host according to the present invention. The method comprises the following steps:
Step S101, performing a system scan of the industrial control host's operating program files and extracting a file information set of the operating programs;
When the terminal white list protection software extracts the white list at a user site, it first performs a system scan of the industrial control host's operating program files and extracts their file information set, which may be called the "grey list". A file in the grey list is in one of three states: trusted, to-be-confirmed or untrusted.
When the grey list is first generated, every file is set to the to-be-confirmed state.
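Step S101 and the initial grey list, as an added example in Python that is not the patent's own code. It assumes program files are recognised by extension, with the PE "MZ" magic required for .exe/.dll/.sys/.ocx so that a data file renamed to .exe is not inventoried, and that the characteristic value is SHA-256 of the file; the directory tree it scans is constructed in a temporary directory with placeholder contents.

```python
"""Build the initial grey list by scanning a host for program files.
Added example, not the patent's code. Assumptions: program files are picked by
extension, PE types must start with the "MZ" magic, the characteristic value is
SHA-256, and the sample tree below is constructed in a temporary directory."""
import hashlib
import os
import tempfile

TO_CONFIRM = "to_confirm"
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx"}
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs"}


def is_program_file(path: str) -> bool:
    ext = os.path.splitext(path)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        return True
    if ext in PE_EXTENSIONS:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"   # a renamed data file is not a program
    return False

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_programs(root: str) -> list:
    """Walk root and return the grey list; every entry starts as to_confirm."""
    grey = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not is_program_file(full):
                continue
            grey.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "size": os.path.getsize(full),
                "feature": sha256_of(full),
                "state": TO_CONFIRM,
            })
    return sorted(grey, key=lambda e: e["path"])

# Constructed sample tree; contents are placeholders, not real binaries.
SAMPLE_TREE = {
    "Siemens/WinCC/WinCCRT.exe": b"MZ" + b"\x90" * 64,
    "Siemens/WinCC/CCHelp.dll": b"MZ" + b"\x00" * 32,
    "Scripts/backup.bat": b"@echo off\r\nxcopy D:\\proj E:\\bak /E\r\n",
    "Data/report.txt": b"not a program",
    "Data/renamed.exe": b"PK\x03\x04 a zip renamed to .exe",   # wrong magic
}

def make_sample_tree(root: str) -> None:
    for rel, content in SAMPLE_TREE.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)

def demo_scan() -> list:
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        return scan_programs(root)

if __name__ == "__main__":
    for entry in demo_scan():
        print(entry["state"], entry["size"], entry["feature"][:16], entry["path"])
```

The magic check matters for the later layers: a feature library or cloud lookup only answers for the hash it is given, so the inventory should contain what can actually execute, and a scanner that trusts the extension alone both misses renamed executables and wastes manual analysis time on renamed data files.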
Step S102, based on a preset white list filtering rule, combining terminal software and/or management platform linkage, and filtering a list of files to be confirmed of operating programs of each industrial control host in the file information set;
When the list of files to be confirmed of the running programs of the industrial control hosts in the file information set is filtered, the filtering can be performed on the basis of a preset white list filtering rule, and the white list filtering rule can be set in combination with a preset white list library, a virus checking tool, and the like.
Specifically, in one implementation, the running program files of each industrial control host in the file information set may be compared with an industrial control software feature library preset in the terminal software, and the running program files whose comparison result is consistent are marked as trusted files.
Specifically, in one implementation, an industrial control software feature library may be built into the terminal white list protection software itself, collecting the file feature information of white-listed running program files of various industrial control hosts, such as wincc, configuration king, and the like. The file information set (that is, the grey list) of the running programs obtained by the current scan is compared with the built-in industrial control software feature library, and files whose comparison result is consistent are marked as trusted files.
Further, as an implementation manner, the step of filtering the list of files to be confirmed of the operating programs of the industrial control hosts in the file information set based on a preset white list filtering rule may further include:
checking the files in the list of files to be confirmed of the running programs of each industrial control host in the file information set for viruses through a virus checking engine preset in the terminal software, and marking the files that appear in the virus checking result obtained by the virus checking engine as untrusted files; or
after comparing each industrial control host running program file in the file information set with the preset industrial control software feature library, checking the running program files whose comparison result is inconsistent for viruses through the preset virus checking engine, and marking the files that appear in the virus checking result obtained by the virus checking engine as untrusted files.
Further, as an embodiment, after the step of marking the files in the virus checking result obtained by the virus checking engine as untrusted files, the method may further include:
obtaining the feature values of the remaining unmarked files to be confirmed;
uploading the feature values of the remaining unmarked files to be confirmed to a network security centralized management platform;
matching the remaining unmarked files to be confirmed against a malicious file feature library and a white list library preset in the network security centralized management platform;
and marking the files successfully matched with the white list library as trusted, and the files successfully matched with the malicious file feature library as untrusted.
Further, as an embodiment, the method may further include:
determining whether remaining unmarked files to be confirmed exist;
if remaining unmarked files to be confirmed still exist, uploading the currently unmarked remaining files to be confirmed to the cloud through the network security centralized management platform, comparing them against the white list library accumulated by the cloud and the malicious file feature library updated in real time, and, according to the comparison result, marking the files successfully matched with the cloud white list library as trusted and the files successfully matched with the cloud malicious file feature library as untrusted.
Further, as an embodiment, the method may further include:
determining whether an unmarked unknown file exists;
if an unmarked unknown file exists, the unknown file is manually researched and judged to decide whether to mark it as trusted.
The above embodiments may be combined according to actual conditions, and this embodiment is not particularly limited thereto.
Step S103, determining the white list corresponding to the industrial control host according to the filtering result.
Finally, the white list corresponding to the industrial control host is generated from all trusted files in the list of files to be confirmed.
According to this scheme, the file information set of the industrial control host's running programs is obtained by performing a system scan of the host's running program files; based on a preset white list filtering rule, and in linkage with terminal software and/or a management platform, the list of files to be confirmed for each industrial control host's running programs in the file information set is filtered; and the white list corresponding to the industrial control host is determined from the filtering result. The method can therefore filter the running program list of each industrial control host layer by layer through the preset white list filtering rules, and perform grey-to-white filtering of the white list automatically through the linkage of the terminal software and the management platform. Compared with the prior art, in which white lists are filtered manually with an on-site antivirus engine, which is inefficient and whose virus library is not up to date, the method greatly improves the accuracy and safety of the running white list of the industrial control host and makes the protective effect of the white list real; moreover, the filtering process is fully automatic, no manual intervention is needed except for studying and judging the threat posed by unknown files, the workload of collecting and deploying the white list is not increased, the safety effect is improved without the user noticing, and the on-site user experience is improved.
The multi-layer filtering scheme of this embodiment is described systematically below with reference to fig. 3:
When a user extracts a white list on site with the terminal white list protection software, a file information set is first extracted by scanning the system; this file information set may be called the grey list. The file states in the grey list are trusted, to-be-confirmed and untrusted, and when the grey list is first generated every file is in the to-be-confirmed state. As shown in fig. 3, the specific filtering process is as follows:
First layer of filtering: industrial control software file feature information, such as that of wincc, configuration king and the like, is built into the terminal white list protection software. The grey list is compared with this built-in industrial control software feature library, and files whose comparison result is consistent are marked as trusted files;
Second layer of filtering: a virus checking engine is built into the terminal white list protection software; the remaining files to be confirmed in the grey list are checked for viruses, and files that appear in the virus checking result of the engine are marked as untrusted.
Third layer of filtering: because the size of the terminal white list protection software is limited, its built-in file library can only hold high-frequency files. The feature values of the remaining files to be confirmed are therefore sent to the network security centralized management platform, which is shipped with a built-in malicious file feature library and white list library that are updated periodically. The files to be confirmed sent by the terminal white list protection software are matched against the malicious file feature library and the white list library: a file that matches the white list library is marked as trusted, and a file that matches the malicious file feature library is marked as untrusted.
Fourth layer of filtering: if files remain unconfirmed after the network security centralized management platform has filtered them, the platform communicates with the cloud, compares them with the white list library accumulated by the cloud and the malicious file feature library updated in real time, and marks them according to the comparison result.
Fifth layer of filtering: files still undetermined after the first four layers are unknown files. With the user's consent, they are extracted by the terminal protection software, uploaded to the cloud through the network security centralized management platform, and judged manually to mark whether they are trusted.
Thus five layers of grey-to-white filtering guarantee the safety, accuracy and reliability of the white list; the white list corresponding to the host is generated from all trusted files in the grey list and deployed to the host, guaranteeing the host's safety.
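As an added illustration of the grey-to-white process described above (steps S101 to S103 and the five layers of fig. 3), the following Python script is example code written for this page; it is not code from the patent or its assignee. Each layer is a function applied only to the entries of the grey list that are still in the to-be-confirmed state: the built-in feature library and the antivirus engine run locally on the terminal, the management platform and cloud layers receive only SHA-256 feature values rather than the files themselves, and the manual layer runs only with the user's consent. The sample host directory, the hash libraries, the byte signature standing in for the antivirus engine, and all file names and contents are constructed assumptions.

```python
# Example code added for illustration of the layered grey-to-white filtering;
# not the patent's implementation. All names, hashes and file contents are constructed.
import hashlib
import tempfile
from dataclasses import dataclass
from enum import Enum
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Optional, Set

class State(Enum):
    """File states carried in the grey list."""
    TRUSTED = "trusted"
    PENDING = "to_be_confirmed"
    UNTRUSTED = "untrusted"

@dataclass
class FileInfo:
    path: str      # path relative to the scanned root
    sha256: str    # feature value sent upstream instead of the file itself
    state: State = State.PENDING

EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".ps1"}  # "running program files" (assumption)

def scan_system(root: Path) -> List[FileInfo]:
    """Step S101: walk the host and build the grey list; every entry starts PENDING."""
    return [FileInfo(p.relative_to(root).as_posix(), hashlib.sha256(p.read_bytes()).hexdigest())
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES]

def pending(grey: List[FileInfo]) -> List[FileInfo]:
    return [f for f in grey if f.state is State.PENDING]

def layer_feature_library(grey: List[FileInfo], library: Dict[str, str]) -> None:
    """Layer 1: hashes known to the terminal's built-in ICS software feature library."""
    for f in pending(grey):
        if f.sha256 in library:
            f.state = State.TRUSTED

def layer_terminal_av(grey: List[FileInfo], root: Path, signatures: Iterable[bytes]) -> None:
    """Layer 2: the terminal antivirus engine, modelled here as byte-signature matching."""
    sigs = list(signatures)
    for f in pending(grey):
        if any(s in (root / f.path).read_bytes() for s in sigs):
            f.state = State.UNTRUSTED

def layer_hash_lookup(grey: List[FileInfo], white: Set[str], malicious: Set[str]) -> None:
    """Layers 3 and 4: management platform, then cloud, receive only SHA-256 feature values."""
    for f in pending(grey):
        if f.sha256 in white:
            f.state = State.TRUSTED
        elif f.sha256 in malicious:
            f.state = State.UNTRUSTED

def layer_manual(grey: List[FileInfo], consent: bool,
                 verdict: Callable[[FileInfo], Optional[bool]]) -> None:
    """Layer 5: manual research and judgment of unknown files, only with the user's consent."""
    if not consent:
        return
    for f in pending(grey):
        v = verdict(f)  # True = trusted, False = untrusted, None = still unknown
        if v is not None:
            f.state = State.TRUSTED if v else State.UNTRUSTED

def build_white_list(grey: List[FileInfo]) -> List[str]:
    """Step S103: the white list is exactly the trusted files; PENDING never passes."""
    return sorted(f.path for f in grey if f.state is State.TRUSTED)

def _sha(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample host: names and bytes are placeholders, not real products.
SAMPLE_HOST = {
    "scada/hmi_runtime.exe": b"MZ hmi runtime v1",      # known to the terminal feature library
    "scada/io_driver.dll": b"MZ io driver",             # known to the management platform
    "tools/updater.exe": b"MZ updater EVIL-SIG-0001",   # carries the sample AV signature
    "tools/legacy_tool.exe": b"MZ legacy tool",         # listed in the cloud malicious library
    "vendor/plc_tool.exe": b"MZ vendor plc tool",       # unknown everywhere: manual judgment
    "readme.txt": b"not a program file",                # not a running program file: ignored
}

def run_demo(consent: bool = True) -> Dict[str, object]:
    """Materialise the sample host in a temp dir and push it through all five layers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_HOST.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        grey = scan_system(root)
        layer_feature_library(grey, {_sha(SAMPLE_HOST["scada/hmi_runtime.exe"]): "HMI runtime"})
        layer_terminal_av(grey, root, [b"EVIL-SIG-0001"])
        layer_hash_lookup(grey, white={_sha(SAMPLE_HOST["scada/io_driver.dll"])}, malicious=set())
        layer_hash_lookup(grey, white=set(), malicious={_sha(SAMPLE_HOST["tools/legacy_tool.exe"])})
        layer_manual(grey, consent, lambda f: True if f.path.startswith("vendor/") else None)
        return {"states": {f.path: f.state.value for f in grey}, "white_list": build_white_list(grey)}

if __name__ == "__main__":
    print(run_demo())
```

Files left in the to-be-confirmed state never enter the white list, so withholding consent for the manual layer (`run_demo(consent=False)`) shrinks the white list instead of admitting the unknown vendor tool; that default-deny behaviour is what makes the grey list safe to filter automatically, and it is also why only hashes, not file contents, leave the terminal before the consent-gated fifth layer.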
Compared with the prior art, this scheme greatly improves the accuracy and safety of the white list and makes its protective function real; moreover, the grey-to-white process of this scheme is fully automatic, no manual intervention is needed except for the threat study and judgment of unknown files, the workload of white list collection and deployment is not increased, and the safety effect is improved without the user noticing.
In addition, this patent scheme is applicable to the safety protection of various industrial field industrial control host computers.
In addition, an embodiment of the present invention further provides a safety protection device for an industrial control host, where the safety protection device for the industrial control host includes:
the file information extraction module is used for carrying out system scanning on the industrial control host operation program files and extracting to obtain a file information set of the industrial control host operation program;
the filtering module is used for filtering a list of files to be confirmed of the operating programs of the industrial control hosts in the file information set based on a preset white list filtering rule;
and the white list determining module is used for determining the white list corresponding to the industrial control host according to the filtering result.
For the principle and implementation process of implementing safety protection of the industrial control host, please refer to the above embodiments, which are not described herein again.
In addition, as shown in fig. 4, an embodiment of the present invention further provides a safety protection system for an industrial control host, where the system includes a terminal and a management platform, the terminal includes a memory, a processor, and a safety protection program of the industrial control host that is stored in the memory and can be run on the processor, and the safety protection program of the industrial control host is executed by the processor to implement the steps of the safety protection method for the industrial control host as described above;
the management platform is used for receiving the characteristic values of the unmarked remaining files to be confirmed uploaded by the terminal and matching the unmarked remaining files to be confirmed through a malicious file characteristic library and a white list library preset by the management platform; marking the file successfully matched with the white list library as credible, and marking the file successfully matched with the malicious file feature library as untrustworthy; and when the unmarked residual files to be confirmed exist, uploading the unmarked residual files to be confirmed to the cloud end, comparing the unmarked residual files to be confirmed through the white list library accumulated by the cloud end and the malicious file feature library updated in real time, marking the files successfully matched with the white list library of the cloud end as credible according to a comparison result, and marking the files successfully matched with the malicious file feature library of the cloud end as incredible.
Since the safety protection program of the industrial control host is executed by the processor, all technical solutions of all the foregoing embodiments are adopted, so that at least all the beneficial effects brought by all the technical solutions of all the foregoing embodiments are achieved, and details are not repeated herein.
In addition, an embodiment of the present invention further provides a computer-readable storage medium, where a safety protection program of the industrial control host is stored on the computer-readable storage medium, and when the safety protection program of the industrial control host is executed by a processor, the steps of the safety protection method of the industrial control host are implemented.
Since the safety protection program of the industrial control host is executed by the processor, all technical solutions of all the embodiments are adopted, so that at least all the beneficial effects brought by all the technical solutions of all the embodiments are achieved, and detailed description is omitted here.
Compared with the prior art, the safety protection method, device, system and storage medium of the industrial control host provided by the embodiments of the invention obtain the file information set of the industrial control host's running programs by performing a system scan of the host's running program files; based on a preset white list filtering rule, and in linkage with terminal software and/or a management platform, filter the list of files to be confirmed for each industrial control host's running programs in the file information set; and determine the white list corresponding to the industrial control host from the filtering result. The method can therefore filter the running program list of each industrial control host layer by layer through the preset white list filtering rules, and perform grey-to-white filtering of the white list automatically through the linkage of the terminal software and the management platform. Compared with the prior art, in which white lists are filtered manually with an on-site antivirus engine, which is inefficient and whose virus library is not up to date, the method greatly improves the accuracy and safety of the running white list of the industrial control host and makes the protective effect of the white list real; moreover, the filtering process is fully automatic, no manual intervention is needed except for studying and judging the threat posed by unknown files, the workload of collecting and deploying the white list is not increased, the safety effect is improved without the user noticing, and the on-site user experience is improved.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present application may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, a controlled terminal, or a network device) to execute the method of each embodiment of the present application.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention, and all equivalent structures or equivalent processes performed by the present invention or directly or indirectly applied to other related technical fields are also included in the scope of the present invention.

Claims (10)

1. A safety protection method of an industrial control host is characterized by comprising the following steps:
performing system scanning on an industrial control host operation program file, and extracting to obtain a file information set of the industrial control host operation program, wherein the file information set is an operation program set which is collected from the industrial control host and is not subjected to safety screening;
based on a preset white list filtering rule, combining terminal software, a management platform, a cloud and manual research and judgment, filtering a list of files to be confirmed of operating programs of all industrial control hosts in the file information set, wherein the terminal software is internally provided with industrial control software file feature information and an antivirus engine, the management platform is internally provided with a malicious file feature library and a white list library, the cloud comprises an accumulated white list library and a malicious file feature library updated in real time, and filtering is performed according to the sequence of the terminal software, the management platform, the cloud and the manual research and judgment;
and determining a white list corresponding to the industrial control host according to the filtering result, wherein the white list is an operation program which is subjected to security screening in the file information set and is used for being deployed in the industrial control host.
2. The method according to claim 1, wherein the step of filtering the list of files to be confirmed of the operating programs of each industrial control host in the file information set based on the preset white list filtering rule in combination with terminal software, a management platform, a cloud and manual judgment comprises:
comparing the operating program files of each industrial control host in the file information set with an industrial control software feature library preset by terminal software;
and marking the industrial control host operating program files with consistent comparison results as trusted files.
3. The method according to claim 2, wherein the step of filtering the list of files to be confirmed of the operating programs of the industrial control hosts in the file information set based on the preset white list filtering rule in combination with terminal software, a management platform, a cloud and manual judgment further comprises:
checking the files in the list of files to be confirmed of the operating programs of the industrial control hosts in the file information set for viruses through a virus checking engine preset by terminal software, and marking the files in the virus checking results obtained by the virus checking engine as unreliable files; or
After the operation program files of the industrial control hosts in the file information set are compared with an industrial control software feature library preset by terminal software, the operation program files of the industrial control hosts with inconsistent comparison results are checked for viruses through a preset virus checking engine, and files in virus checking results obtained by the virus checking engine are marked as unreliable files.
4. The method of claim 3, wherein the step of marking the file in the virus inspection result obtained by the virus inspection engine as an untrusted file further comprises:
acquiring the characteristic values of the unmarked remaining files to be confirmed;
uploading the characteristic values of the unmarked residual files to be confirmed to a network security centralized management platform;
matching the unmarked residual files to be confirmed through a malicious file feature library and a white list library preset by the network security centralized management platform;
and marking the file successfully matched with the white list library as credible, and marking the file successfully matched with the malicious file feature library as untrustworthy.
5. The method according to claim 4, wherein the step of filtering the list of files to be confirmed of the operating programs of the industrial control hosts in the file information set based on the preset white list filtering rules in combination with terminal software, a management platform, a cloud and manual judgment further comprises:
judging whether the unmarked residual files to be confirmed exist or not;
if the unmarked residual files to be confirmed still exist, uploading the current unmarked residual files to be confirmed to a cloud end through the network security centralized management platform, comparing the current unmarked residual files to be confirmed through a white list library accumulated by the cloud end and a malicious file feature library updated in real time, marking the files successfully matched with the white list library of the cloud end as credible according to a comparison result, and marking the files successfully matched with the malicious file feature library of the cloud end as untrustworthy.
6. The method according to claim 5, wherein the step of filtering the list of files to be confirmed of the operating programs of the industrial control hosts in the file information set based on the preset white list filtering rule in combination with terminal software, a management platform, a cloud and manual judgment further comprises:
judging whether an unmarked unknown file exists;
if the unmarked unknown file exists, the unknown file is manually researched and judged, and whether the mark is credible or not is judged.
7. The method of claim 1, wherein the step of determining the white list corresponding to the industrial host according to the filtering result comprises:
and generating a white list corresponding to the industrial control host based on all the trusted files in the list of the files to be confirmed.
8. A safety protection device for an industrial control host, characterized in that the safety protection device of the industrial control host comprises:
the file information extraction module is used for carrying out system scanning on the operating program files of the industrial control host, and extracting to obtain a file information set of the operating program of the industrial control host, wherein the file information set is an operating program set which is collected from the industrial control host and is not subjected to safety screening;
the filtering module is used for filtering a list of files to be confirmed of running programs of all industrial control hosts in the file information set based on a preset white list filtering rule, in combination with terminal software, a management platform, a cloud and manual research and judgment, wherein the terminal software is internally provided with industrial control software file feature information and an antivirus engine, the management platform is internally provided with a malicious file feature library and a white list library, the cloud comprises an accumulated white list library and a malicious file feature library updated in real time, and filtering is performed according to the sequence of the terminal software, the management platform, the cloud and the manual research and judgment;
and the white list determining module is used for determining a white list corresponding to the industrial control host according to the filtering result, wherein the white list is an operation program which is subjected to security screening in the file information set and is used for being deployed on the industrial control host.
9. A safety protection system of an industrial control host, which is characterized in that the system comprises a terminal and a management platform, wherein the terminal comprises a memory, a processor and a safety protection program of the industrial control host, the safety protection program of the industrial control host is stored in the memory and can run on the processor, and when the safety protection program of the industrial control host is executed by the processor, the steps of the safety protection method of the industrial control host according to any one of claims 1-7 are realized;
the management platform is used for receiving the characteristic values of the unmarked remaining files to be confirmed uploaded by the terminal and matching the unmarked remaining files to be confirmed through a malicious file characteristic library and a white list library preset by the management platform; marking the file successfully matched with the white list library as credible, and marking the file successfully matched with the malicious file feature library as untrustworthy; and when the remaining files to be confirmed which are not marked currently exist, uploading the remaining files to be confirmed which are not marked currently to a cloud end, comparing the remaining files to be confirmed which are not marked currently through a white list library accumulated by the cloud end and a malicious file feature library updated in real time, marking the files which are successfully matched with the white list library of the cloud end as credible according to a comparison result, and marking the files which are successfully matched with the malicious file feature library of the cloud end as untrustworthy.
10. A computer-readable storage medium, wherein a safety protection program of an industrial host is stored on the computer-readable storage medium, and when executed by a processor, the safety protection program of the industrial host implements the steps of the safety protection method of the industrial host according to any one of claims 1 to 7.
CN202210919116.XA 2022-08-02 2022-08-02 Safety protection method, device and system for industrial control host and storage medium Active CN114969672B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210919116.XA CN114969672B (en) 2022-08-02 2022-08-02 Safety protection method, device and system for industrial control host and storage medium

Publications (2)

Publication Number Publication Date
CN114969672A CN114969672A (en) 2022-08-30
CN114969672B true CN114969672B (en) 2022-11-15

Family

ID=82969402

Country Status (1)

Country Link
CN (1) CN114969672B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101788915A (en) * 2010-02-05 2010-07-28 北京工业大学 White list updating method based on trusted process tree
CN109766694A (en) * 2018-12-29 2019-05-17 北京威努特技术有限公司 Program protocol white list linkage method and device of industrial control host
CN114253579A (en) * 2021-12-20 2022-03-29 杭州安恒信息技术股份有限公司 Software updating method, device and medium based on white list mechanism

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105516151B (en) * 2015-12-15 2019-02-12 北京奇虎科技有限公司 The checking and killing method and device of backdoor file

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant