CN117097557A - Industrial information security authentication system - Google Patents

Publication number
CN117097557A
Authority
CN
China
Prior art keywords
flow
time
data
coefficient
sequence
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311304519.4A
Other languages
Chinese (zh)
Inventor
何军红
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Northwestern Polytechnical University
Original Assignee
Northwestern Polytechnical University
Application filed by Northwestern Polytechnical University
Priority to CN202311304519.4A
Publication of CN117097557A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides an industrial information security authentication system and relates to the technical field of industrial system network monitoring. A first acquisition module orders the real-time flow transmission data sent to a process management unit by each process control unit in time sequence. A correlation analysis module generates a correlation coefficient, and a flow analysis module generates a periodic fluctuation coefficient and a flow fluctuation coefficient, which judge the peak period of the flow and the fluctuation condition of the flow, so that the possibility of a flow attack is judged from three dimensions. A second acquisition module acquires the external electromagnetic wave intensity during data transmission outside the process control unit and the process management unit, together with the number of sensors connected with the process control unit and the number of process control units connected with the process control unit, and the external electromagnetic wave intensity is judged. A second analysis module constructs an environment influence coefficient and judges the influence of external electromagnetic waves on the industrial control system.

Description

Industrial information security authentication system
Technical Field
The application relates to the technical field of industrial system network monitoring, in particular to an industrial information security authentication system.
Background
The industrial control system network serves as the core intranet that controls the field devices of key infrastructure. It receives the monitoring, control and early-warning instructions issued by a control center and is the basis for normal operation of the field devices. The process control unit and the process management unit are important bottom-layer structures of the industrial control system network. They are used for controlling and monitoring the equipment and components of industrial processes, with real-time monitoring and regulation, and for monitoring, configuring and managing industrial production processes as advanced systems or software; they are responsible for overall process monitoring, parameter setting, alarm management, data recording and analysis and other functions, so as to ensure the stability, safety and efficiency of the production process.
The process control unit and the process management unit are bottom-layer units of the industrial control system, but they implement many functions, so the data traffic sent through them is more complicated. Unlike upper-layer equipment, they are not protected by network security equipment such as a firewall, so they are very easy to attack. The main modes of attack on the process control unit and the process management unit are traffic attack and electromagnetic attack, and once these units fail, the work of the whole industrial control system is affected.
The prior art has the following defects. When information security authentication is performed on an industrial control system network, it is mainly the communication protocol of the network that is authenticated. Because the communication protocols used by the process control unit and the process management unit are always public protocols, disguised data can still pass authentication even though the data increases rapidly in a short time. The existing security authentication methods also do not protect effectively against electromagnetic attack, although under the influence of the overall environment the industrial control system network may be at a certain risk. The prior art therefore has no good method for performing security authentication on the industrial control system network by monitoring various parameters, and is particularly weak against flow attack and electromagnetic attack.
The above information disclosed in the background section is only for enhancement of understanding of the background of the disclosure and therefore it may include information that does not form the prior art that is already known to a person of ordinary skill in the art.
Disclosure of Invention
The application aims to provide an industrial information security authentication system for solving the problems in the background technology.
In order to achieve the above purpose, the present application provides the following technical solutions:
an industrial information security authentication system, comprising:
the first acquisition module acquires real-time flow transmission data sent to the process management unit by each process control unit in the industrial control system, and arranges the data according to time sequence to form a time sequence under a certain time span, and the first acquisition module sends the time sequence to the first analysis module;
the first analysis module splits the time sequence data into n different time windows with the same time length, each time window contains a fixed number of data points, generates flow data information of each time window, and sends the flow data information to the flow analysis module and the correlation analysis module, wherein the flow data information of each time window comprises an average value, a maximum value and time corresponding to the maximum value of data flow in each window;
the correlation analysis module is used for generating correlation indexes of each time window by adopting R/S analysis, generating slopes and error coefficients of a plurality of groups of linear regression models by adopting a first-order linear regression model aiming at the correlation indexes, performing first-order differential analysis on the slope and error coefficient data to generate the correlation coefficients, and sending the correlation coefficients to the flow analysis module;
the flow analysis module is used for setting a flow peak value threshold according to flow data information of each time window, obtaining a time difference value sequence according to the time of flow data exceeding the flow peak value threshold, calculating a periodic fluctuation coefficient according to the time difference value sequence, generating a flow fluctuation coefficient according to the average value of data flow in each window, and finally generating a flow abnormality index by combining the correlation coefficient, the periodic fluctuation coefficient and the flow fluctuation coefficient;
the second acquisition module acquires the intensity of external electromagnetic waves and the number of sensors connected with the process control unit and the number of process control units connected with the process management unit during data transmission outside the process control unit and the process management unit, and sends acquired data to the second analysis module;
the second analysis module performs normalization formula processing according to the electromagnetic wave intensity, the number of sensors connected with the process control units and the number information of the process control units connected with the process management units after dimensionless processing to obtain an environmental impact coefficient;
and the safety analysis module is used for analyzing the environmental impact coefficient and the flow abnormality index, comparing the environmental impact coefficient and the flow abnormality index with a preset environmental impact threshold and a preset flow index threshold respectively, and judging the safety condition of the industrial control system in the process control unit and the process management unit.
Further, the real-time flow transmission data acquired by the first acquisition module is a flow value with a timestamp as an identifier, comprises time and corresponding flow data, and sequences the acquired real-time flow data according to the timestamp in time order, so that the data are ensured to be arranged according to the time sequence, and a time sequence is generated.
Further, the logic underlying the splitting into n time windows with a fixed number of data points is: determining the time length required by each time window, calculating the number of data points contained in each time window according to the time window length and the sampling frequency of the time sequence, segmenting the time sequence data according to the time window length, ensuring that the time span between the starting time and the ending time of each time window is the set time window length, deleting the time length left by the last window if the selected time window length cannot divide the total time span of the time sequence, filling the segmented time windows with the corresponding number of data points according to the calculated number of data points contained in each time window, and ensuring that each time window has the same number of data points.
Further, the specific logic for constructing a first-order linear regression model according to the correlation indexes to generate the slopes and error coefficients of a plurality of groups of linear regression models is that the time of the middle point of each time window is taken as an independent variable, the correlation indexes are taken as dependent variables to form a first-order linear regression model, the time of the middle points of two windows and the correlation indexes are taken, the slopes and error coefficients of one group of linear regression models are obtained, all combination modes are traversed, the slopes and error coefficients of all groups of linear regression models are obtained, and a first-order slope difference sequence and a first-order error coefficient difference sequence are generated after all slope values and error coefficients are subjected to first-order difference;
when the correlation coefficient is generated, the elements in the first-order slope difference sequence are added and averaged, and the average is defined as the slope index; the elements in the first-order error coefficient difference sequence are added and averaged, and the average is defined as the error index; the slope index and the error index are weighted and summed to generate the correlation coefficient, wherein the weights are ρ and τ respectively, ρ is the slope index weight, τ is the error index weight, and ρ > τ, ρ + τ = 1.
Further, the flow peak value threshold is generated after being weighted according to the average value of the maximum value of the data flow in each time window, and the specific formula according to which the flow peak value threshold is generated is as follows:
wherein iy is the flow peak value threshold, α is the flow peak value weight, and α ≥ 1.56.
Further, the specific logic of the time difference sequence generation is to compare the maximum value of the data flow in each time window with the flow peak value threshold one by one, record the time corresponding to the flow peak value threshold, arrange all the times according to the time sequence, and then process the times to form a time difference sequence, wherein the number of the maximum values exceeding the flow peak value threshold is m, and the corresponding times are respectively $ty_1, ty_2, \ldots, ty_q, \ldots, ty_m$, wherein $ty_q$ is the time corresponding to the maximum value of the data traffic in the q-th time window exceeding the traffic peak threshold, $q = 1, 2, \ldots, p, \ldots, m$, $p \in N^+$.
The number of elements in the time difference sequence is m-1, and the formula according to which the time difference sequence is generated is as follows:
wherein TC is the time difference sequence and $TC_q$ is the q-th element in the time difference sequence.
Further, when the periodic fluctuation coefficient is generated, firstly calculating the average value of each time difference value, then calculating the distance between each time difference value and the average value of the time difference value, and then calculating the average value of the distances, namely the periodic fluctuation coefficient is generated, wherein the formula is as follows:
wherein, Zb is the periodic fluctuation coefficient, which is the average of the time differences.
Further, the method for generating the flow fluctuation coefficient by the average value of the data flow in each window is that the average value data of the data flow in each window is calculated and divided by the number of windows after being overlapped, the flow average value of the time sequence is calculated, then the variance of the average value data of the data flow in each window is calculated, the variance measures the difference degree between the data point and the average value thereof, then the flow average value of the time sequence on the standard deviation is taken as the flow fluctuation coefficient, and the formula for generating the flow abnormality index by combining the correlation coefficient, the period fluctuation coefficient and the flow fluctuation coefficient is as follows:
$$Ly = \ln Xg \cdot Lb + e^{Zb}$$
where Ly is the flow abnormality index, Xg is the correlation coefficient, and Lb is the flow fluctuation coefficient.
Further, the second analysis module performs normalization formula processing according to the electromagnetic wave intensity, the number of sensors connected with the process control units and the number information of the process control units connected with the process management units after dimensionless processing to obtain an environmental impact coefficient, and the second data analysis module is based on the formula:
wherein $Y_y$ is the environmental impact coefficient, $f_1$ and $f_2$ are respectively the noise weight coefficient and the path weight coefficient, and $L_k$ and $L_g$ are respectively the number of sensors connected to the control unit and the number of process control units connected to the process management unit.
Further, the specific logic according to which the safety conditions of the industrial control system in the process control unit and the process management unit are judged is as follows:
when $Ly \le LZ$ and $Y_y \le YZ$, the industrial control system network is in a safe state, and the process control unit and the process management unit perform data transmission normally;
when $Ly > LZ$, it is judged that abnormal flow has entered between the process control unit and the process management unit, and the flow transmission channel between the process control unit and the process management unit is cut off;
when $Y_y > YZ$, it is judged that an electromagnetic attack exists outside the industrial control system network, and the flow transmission channel between the process control unit and the process management unit and the flow transmission channel between the process management unit and the upper computer are cut off;
wherein $Y_y$ is the environmental impact coefficient, Ly is the flow abnormality index, LZ is the flow index threshold, and YZ is the environmental impact threshold.
Compared with the prior art, the application has the beneficial effects that:
1. According to the application, the first acquisition module orders the real-time flow transmission data sent to the process management unit by each process control unit in time sequence, and the first analysis module then generates the flow data information of each time window and analyzes the time sequence. The correlation analysis module generates the correlation coefficient, which judges the long-term memory and the randomness of the flow; the flow analysis module generates the periodic fluctuation coefficient and the flow fluctuation coefficient, which judge the peak period of the flow and the fluctuation condition of the flow. The flow abnormality index can therefore be constructed from the periodicity of the flow, the degree of variation of the flow, and the long-term memory and randomness of the flow, so that the possibility of a flow attack is judged from three dimensions, flow transmission is disconnected in time when an attack is judged, and the influence on upper-layer equipment is reduced.
2. According to the application, the second acquisition module acquires the external electromagnetic wave intensity during data transmission outside the process control unit and the process management unit, together with the number of sensors connected with the process control unit and the number of process control units connected with the process control unit, and the external electromagnetic wave intensity is judged. The second analysis module judges the influence of the external electromagnetic wave on the industrial control system and comprehensively analyzes the damage capability of the external electromagnetic wave. When the process control unit and the process management unit are affected by external factors, flow transmission is disconnected, which prevents a threat to the safety of the whole system and ensures the safety of the industrial system.
Drawings
FIG. 1 is a schematic diagram of the overall system architecture of the present application.
Detailed Description
The present application will be further described in detail with reference to specific embodiments in order to make the objects, technical solutions and advantages of the present application more apparent.
It is to be noted that unless otherwise defined, technical or scientific terms used herein should be taken in a general sense as understood by one of ordinary skill in the art to which the present application belongs. The terms "first," "second," and the like, as used herein, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "up", "down", "left", "right" and the like are used only to indicate a relative positional relationship, and when the absolute position of the object to be described is changed, the relative positional relationship may be changed accordingly.
Examples:
referring to fig. 1, the present application provides a technical solution:
An industrial information security authentication system includes a first acquisition module, a first analysis module, a correlation analysis module, a flow analysis module, a second acquisition module, a second analysis module and a safety analysis module, wherein:
the first acquisition module acquires real-time flow transmission data sent to the process management unit by each process control unit in the industrial control system, and arranges the data according to time sequence to form a time sequence under a certain time span, and the first acquisition module sends the time sequence to the first analysis module;
In this embodiment, the real-time traffic transmission data collected by the first acquisition module is a traffic value identified by a timestamp, comprising the time and the corresponding traffic data. The obtained real-time traffic data is ordered by timestamp so that the data are arranged in time sequence; the time span is the time interval of the data points in the time sequence.
the first analysis module splits the time sequence data into n different time windows with the same time length, each time window contains a fixed number of data points, generates flow data information of each time window, and sends the flow data information to the flow analysis module and the correlation analysis module, wherein the flow data information of each time window comprises an average value, a maximum value and time corresponding to the maximum value of data flow in each window.
In this embodiment, the logic underlying the splitting into n time windows with a fixed number of data points is: determining the time length required by each time window, calculating the number of data points contained in each time window according to the time window length and the sampling frequency of the time sequence, segmenting the time sequence data according to the time window length, ensuring that the time span between the starting time and the ending time of each time window is the set time window length, deleting the time length left by the last window if the selected time window length cannot divide the total time span of the time sequence, and filling the segmented time windows with the corresponding number of data points according to the calculated number of data points contained in each time window. Ensuring that each time window has the same number of data points.
Further, the time sequence is denoted T and is divided into n time windows, which are respectively $T_1, T_2, \ldots, T_i, \ldots, T_n$; the number of data points in each window is j, and $T_i$ represents the i-th time window. The maximum values of the data traffic within the time windows are respectively $Imax_1, Imax_2, \ldots, Imax_i, \ldots, Imax_n$. The average value of the data traffic within each time window is: wherein $Imax_i$ represents the maximum value of the data traffic in the i-th time window, and represents the average value of the data traffic in the i-th time window.
The correlation analysis module adopts R/S analysis to generate correlation indexes of each time window, adopts a first-order linear regression model to generate the slopes and error coefficients of a plurality of groups of linear regression models aiming at the correlation indexes of each time window, carries out first-order difference on the slopes and error coefficient data of the linear regression models, analyzes the first-order difference result, generates correlation coefficients, and sends the correlation coefficients to the flow analysis module;
in this embodiment, when calculating the correlation index, calculating the deviation between the data point and the average value in each time window to form a deviation sequence, and for each time window, calculating the cumulative sum of the deviation sequences to obtain the cumulative deviation, and calculating the range of the cumulative deviation, that is, subtracting the minimum value from the maximum value of the sequence, and calculating the standard deviation of the deviation sequence;
dividing the range of the accumulated deviation of each window by the standard deviation to generate a correlation index of each time window, constructing a linear regression model, and reversely calculating the slope and the error coefficient of the linear regression model.
Further, the correlation indexes of the time windows are respectively $RS_1, RS_2, \ldots, RS_i, \ldots, RS_n$. The specific logic for constructing the linear regression model according to the correlation index is as follows:
taking the time of the middle point of each time window as an independent variable and a correlation index as a dependent variable to form a linear regression model, taking the time of the middle points of two windows and the correlation index, solving the slope and the error coefficient of one group of linear regression models, traversing all combination modes, solving the slope and the error coefficient of all groups of linear regression models, and constructing the linear regression models as follows:
RS=H*t+ε
wherein t is the time at the midpoint of each time window;
The number of ways of taking the midpoint times and correlation indexes of two windows is X:
Each combination generates the slope and the error coefficient of one linear regression model, so X slope values and X error coefficients are generated. The slope values are respectively $H_1, H_2, \ldots, H_P, \ldots, H_X$ and the error coefficients are respectively $\varepsilon_1, \varepsilon_2, \ldots, \varepsilon_P, \ldots, \varepsilon_X$, with $P = 1, 2, \ldots, X$, $P \in N^+$, wherein $H_P$ is the slope generated by the P-th combination and $\varepsilon_P$ is the error coefficient generated by the P-th combination. After first-order differencing of the X slope values and the X error coefficients, a first-order slope difference sequence and a first-order error coefficient difference sequence are formed according to the following formula:
wherein Xc is the first-order slope difference sequence, $Xc_e$ is the e-th element in the first-order slope difference sequence, Wc is the first-order error coefficient difference sequence, and $Wc_e$ is the e-th element in the first-order error coefficient difference sequence, $e = 1, 2, \ldots, X-1$, $e \in N^+$.
When the correlation coefficient is generated, the elements in the first-order slope difference sequence are added to obtain an average number and defined as a slope index, the elements in the first-order error coefficient difference sequence are added to obtain an average number and defined as an error index, the slope index and the error index are weighted and summed to generate the correlation coefficient, and a specific formula is generated:
wherein, is a slope index, is an error index, Xg is the correlation coefficient, ρ is the slope index weight, τ is the error index weight, and ρ > τ, ρ + τ = 1.
In this embodiment, the data set used to calculate the slopes and error coefficients is expanded by combining windows in arbitrary pairs, and regression analysis is carried out on multiple groups of data, which can improve the accuracy and reliability of the model. Using more observations better captures the relation between the variables and reduces the influence of sampling errors and random fluctuation, giving more accurate slopes and error coefficients; a large sample size helps reduce estimation errors and improves the accuracy of the slope. The slopes and error coefficients are used to judge the stability of the real-time flow transmission data.
A flow attack is a common attack against an industrial network: it interferes with the normal operation of the network by sending a large number of falsified messages, and sends flow data packets that greatly exceed the communication bandwidth to the target system in a short time, so that the system loses its normal communication capacity. The main characteristic of the data interaction among industrial network devices is the stability of the flow. Because the industrial network is a stable network in which the number of devices capable of transmitting information is fixed, the X slope values and the X error coefficients of its flow transmission data differ little in value. The first-order difference eliminates the linear trend in the time sequence and converts the data into a relatively stable sequence. For flow data with larger changes, the slope index and the error index are larger and the correlation coefficient is then also larger, which indicates poor correlation: the flow data has changed abruptly and a flow attack is possible.
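The correlation-coefficient procedure described above (R/S index per window, pairwise two-point regressions, first-order differences, weighted sum), as an added example that is not code from the patent. The page's formulas are not reproduced, so the following are assumptions: ε is taken as the intercept of RS = H·t + ε, pairs are enumerated in the order `itertools.combinations` yields, the standard deviation is the population form, a constant window gets an index of 0, and ρ = 0.6, τ = 0.4 and the sample series are constructed.

```python
from itertools import combinations
from statistics import fmean, pstdev

# Constructed samples (timestamp in seconds, flow value); not data from the patent.
STEADY = [(t, 10 if t % 2 == 0 else 12) for t in range(16)]
BURST = [(t, 60 if t in (10, 11) else v) for t, v in STEADY]


def split_windows(samples, points_per_window):
    """Sort by timestamp and cut into n windows of j points; the leftover tail is dropped."""
    ordered = sorted(samples)
    n = len(ordered) // points_per_window
    return [ordered[i * points_per_window:(i + 1) * points_per_window] for i in range(n)]


def rs_index(window):
    """Correlation index of one window: range of the cumulative deviation over its std."""
    values = [v for _, v in window]
    mean = fmean(values)
    deviations = [v - mean for v in values]
    running, cumulative = 0.0, []
    for d in deviations:
        running += d
        cumulative.append(running)
    sigma = pstdev(deviations)            # assumption: population standard deviation
    if sigma == 0:                        # constant window: R/S undefined, treated as 0 here
        return 0.0
    return (max(cumulative) - min(cumulative)) / sigma


def pairwise_fits(midpoints, rs_values):
    """Fit RS = H*t + eps through every pair of windows (X = n(n-1)/2 fits)."""
    fits = []
    for a, b in combinations(range(len(rs_values)), 2):   # assumed enumeration order
        slope = (rs_values[b] - rs_values[a]) / (midpoints[b] - midpoints[a])
        eps = rs_values[a] - slope * midpoints[a]          # assumption: eps is the intercept
        fits.append((slope, eps))
    return fits


def correlation_coefficient(samples, points_per_window, rho=0.6, tau=0.4):
    """Xg = rho * slope index + tau * error index, with rho > tau and rho + tau = 1."""
    if not (rho > tau and abs(rho + tau - 1.0) < 1e-9):
        raise ValueError("weights must satisfy rho > tau and rho + tau = 1")
    windows = split_windows(samples, points_per_window)
    if len(windows) < 3:
        raise ValueError("need at least 3 windows to difference the pairwise fits")
    midpoints = [(w[0][0] + w[-1][0]) / 2 for w in windows]
    fits = pairwise_fits(midpoints, [rs_index(w) for w in windows])
    slope_diffs = [b[0] - a[0] for a, b in zip(fits, fits[1:])]
    eps_diffs = [b[1] - a[1] for a, b in zip(fits, fits[1:])]
    return rho * fmean(slope_diffs) + tau * fmean(eps_diffs)


if __name__ == "__main__":
    print("steady Xg:", correlation_coefficient(STEADY, 4))
    print("burst  Xg:", correlation_coefficient(BURST, 4))
```

Because the mean of a first-order difference sequence telescopes to (last − first)/(X − 1), the value and sign of Xg depend on the order in which the pairs are enumerated, which the text does not fix; anyone implementing this should pin that order before choosing a threshold.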
The flow analysis sets a flow peak value threshold according to flow data information of each time window, obtains a time difference value sequence according to the time of flow data exceeding the flow peak value threshold, calculates a periodic fluctuation coefficient according to the time difference value sequence, generates a flow fluctuation coefficient according to the average value of data flow in each window, and finally generates a flow abnormality index by combining the correlation coefficient, the periodic fluctuation coefficient and the flow fluctuation coefficient.
In this embodiment, the flow peak value threshold is generated after weighting according to the average value of the maximum value of the data flow in each time window, and the specific formula according to which the flow peak value threshold is generated is:
wherein iy is the flow peak value threshold, α is the flow peak value weight, and α ≥ 1.56.
The maximum value of the data flow in each time window is compared with the flow peak value threshold one by one, the time corresponding to the flow peak value threshold is recorded, all the times are arranged according to the time sequence, and the times are then processed to form a time difference sequence. In this embodiment, the number of maximum values exceeding the flow peak value threshold is assumed to be m, and the corresponding times are respectively $ty_1, ty_2, \ldots, ty_q, \ldots, ty_m$, wherein $ty_q$ is the time corresponding to the maximum value of the data traffic in the q-th time window exceeding the traffic peak threshold, $q = 1, 2, \ldots, p, \ldots, m$, $p \in N^+$.
The number of elements in the time difference sequence is m-1, and the formula according to which the time difference sequence is generated is as follows:
wherein TC is the time difference sequence and $TC_q$ is the q-th element in the time difference sequence.
In this embodiment, the formula according to which the periodic fluctuation coefficient is generated is:
wherein,zb is the periodic fluctuation coefficient, which is the average of the time differences.
Under normal conditions, the flow peaks of the industrial control system are generated periodically, that is, the time intervals between peaks are the same. When the peak intervals differ, Zb takes a larger value, which indicates that the flow peaks have no periodicity and that abnormal flow has entered.
The flow fluctuation coefficient is generated from the average value of the data flow in each window as follows: the average values of the data flow in each window are summed and divided by the number of windows to give the flow average value of the time sequence; the variance of the average value data of the data flow in each window is then calculated, the variance measuring the degree of difference between the data points and their average value; and the flow average value of the time sequence on the standard deviation is then taken as the flow fluctuation coefficient. The specific formula is as follows:
wherein SI is the flow average value of the time sequence, $i\sigma^2$ is the variance of the average value data of the data flow in each window, $i\sigma$ is the standard deviation, and Lb is the flow fluctuation coefficient.
The network of an industrial control system is highly stable. Once the control system is stable, the number of nodes such as sensors does not change, so the data flow is also highly stable. In the normal state the fluctuation of the flow is very small, that is, the flow fluctuation coefficient is usually very small. Once the flow fluctuation coefficient becomes very large, the flow is fluctuating strongly, and abnormal flow may have entered, that is, a flow attack is possible.
The formula according to which the flow abnormality index is generated by combining the correlation coefficient, the period fluctuation coefficient and the flow fluctuation coefficient is as follows:
$Ly = \ln Xg \cdot Lb + e^{Zb}$
When Xg, Lb and Zb are large, the flow abnormality index is large, meaning that the fluctuation of the flow and the long-term memory and randomness of the flow are large, abnormal flow exists, and the possibility that the system is under attack is high.
The second acquisition module acquires the intensity of external electromagnetic waves and the number of sensors connected with the process control unit and the number of process control units connected with the process management unit during data transmission outside the process control unit and the process management unit, and sends acquired data to the second analysis module;
An electromagnetic attack on the control system, also called electromagnetic interference, uses the characteristics of electromagnetic waves to maliciously interfere with or destroy the control system, mainly by sending intentional electromagnetic signals that interfere with or disrupt the operation of the target system. When high-intensity electromagnetic waves interfere with data transmission, data may be damaged or lost, which affects the security of the data transmission. The higher the intensity of the electromagnetic waves, the larger the influence factor on transmission in the industrial system, and conversely the smaller.
When the number of sensors connected to the process control unit and the number of process control units connected to the process management unit are larger, signals may reach the process control unit and the process management unit through a plurality of paths during signal transmission. When the signals of these paths are superimposed at the receiver, interference and attenuation may occur, resulting in signal distortion or loss, and external electromagnetic waves amplify such distortion and loss.
The second analysis module performs normalization formula processing according to the electromagnetic wave intensity, the number of sensors connected with the process control units and the number information of the process control units connected with the process management units after dimensionless processing to obtain an environmental impact coefficient, and the second data analysis module is based on the formula:
wherein $Y_y$ is the environmental impact coefficient, $f_1$ and $f_2$ are respectively a noise weight coefficient and a path weight coefficient, and $L_k$ and $L_g$ are respectively the number of sensors connected to the control unit and the number of process control units connected to the process management unit.
When the intensity of external electromagnetic waves is large, and the number of sensors connected to the process control unit and the number of process control units connected to the process management unit are large, the environmental impact coefficient allows the external influence factors on industrial control data transmission to be analyzed in this way, so that it can be judged whether the transmission is under electromagnetic interference attack and the transmission can be effectively protected from large external influences.
And the safety analysis module is used for analyzing the environmental impact coefficient and the flow abnormality index, comparing the environmental impact coefficient and the flow abnormality index with a preset environmental impact threshold and a preset flow index threshold respectively, and judging the safety condition of the industrial control system in the process control unit and the process management unit.
In this embodiment, the specific logic according to which the safety conditions of the industrial control system in the process control unit and the process management unit are determined is:
when $Ly \le LZ$ and $Y_y \le YZ$, the industrial control system network is in a safe state, and the process control unit and the process management unit transmit data normally;
when $Ly > LZ$, it is judged that abnormal flow has entered between the process control unit and the process management unit, and the flow transmission channel between the process control unit and the process management unit is cut off;
when $Y_y > YZ$, it is judged that an electromagnetic attack exists outside the industrial control system network, and the flow transmission channel between the process control unit and the process management unit and the flow transmission channel between the process management unit and the upper computer are cut off.
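The flow analysis and the three decision rules described above, as an added Python example that is not part of the patent text. The formulas for the peak threshold, the time difference sequence and Lb did not survive on this page, so the forms used here (α times the mean of the window maxima, consecutive differences, standard deviation divided by mean) are assumptions read from the prose; Xg and Y_y are taken as inputs, and all function names, thresholds and sample windows are constructed.

```python
import math
from statistics import fmean, pstdev

PCU_PMU = "PCU<->PMU"    # channel: process control unit / process management unit
PMU_HOST = "PMU<->host"  # channel: process management unit / upper computer


def peak_threshold(maxima, alpha=1.56):
    """Assumed form: alpha * mean of the per-window maxima (alpha >= 1.56)."""
    if alpha < 1.56:
        raise ValueError("alpha must be >= 1.56")
    return alpha * fmean(maxima)


def time_differences(windows, threshold):
    """windows: (mean, maximum, time_of_maximum) for each time window.
    Assumed form: TC_q = ty_(q+1) - ty_q, so m peaks give m-1 elements."""
    ty = sorted(t for _, mx, t in windows if mx > threshold)
    return [b - a for a, b in zip(ty, ty[1:])]


def periodic_fluctuation(tc):
    """Zb: mean distance of each time difference from the average difference."""
    if not tc:  # fewer than two peaks: there is no interval to compare
        return 0.0
    avg = fmean(tc)
    return fmean(abs(x - avg) for x in tc)


def flow_fluctuation(means):
    """Lb, assumed here to be standard deviation / mean of the window means."""
    si = fmean(means)
    if si <= 0:
        raise ValueError("flow mean must be positive")
    return pstdev(means) / si


def anomaly_index(xg, lb, zb):
    """Ly = ln(Xg) * Lb + e^Zb; Xg comes from the correlation analysis."""
    if xg <= 0:
        raise ValueError("ln(Xg) needs Xg > 0")
    try:
        return math.log(xg) * lb + math.exp(zb)
    except OverflowError:  # very irregular peaks: e^Zb exceeds float range
        return math.inf


def assess(windows, xg, yy, lz, yz):
    """Return (Ly, findings, channels_to_cut) for the three decision rules."""
    thr = peak_threshold([mx for _, mx, _ in windows])
    zb = periodic_fluctuation(time_differences(windows, thr))
    ly = anomaly_index(xg, flow_fluctuation([m for m, _, _ in windows]), zb)
    findings, cut = [], set()
    if ly > lz:   # abnormal flow between the two units
        findings.append("abnormal flow")
        cut.add(PCU_PMU)
    if yy > yz:   # electromagnetic attack: both channels are cut
        findings.append("electromagnetic attack")
        cut.update({PCU_PMU, PMU_HOST})
    return ly, findings or ["safe"], cut


# Constructed sample data: twelve 10-second windows, (mean, max, time of max).
# NORMAL has one peak every fourth window, so the peak intervals are equal.
NORMAL = [(110, 500, 10 * i + 5) if i % 4 == 3 else (100, 120, 10 * i + 5)
          for i in range(12)]
# ATTACK keeps the baseline but has large bursts at irregular times.
BURSTS = {2: (300, 900, 25), 4: (320, 950, 41),
          5: (350, 980, 58), 11: (340, 970, 112)}
ATTACK = [BURSTS.get(i, (100, 120, 10 * i + 5)) for i in range(12)]

if __name__ == "__main__":
    for name, data in (("normal", NORMAL), ("attack", ATTACK)):
        print(name, assess(data, xg=1.2, yy=0.4, lz=5.0, yz=1.0))
```

Because Zb enters Ly through an exponential, the unit chosen for the peak times sets the scale of Ly, so the threshold LZ has to be calibrated with that same unit.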
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application.

Claims (10)

1. An industrial information security authentication system, comprising:
the first acquisition module acquires real-time flow transmission data sent to the process management unit by each process control unit in the industrial control system, and arranges the data according to time sequence to form a time sequence under a certain time span, and the first acquisition module sends the time sequence to the first analysis module;
the first analysis module splits the time sequence data into n different time windows with the same time length, each time window contains a fixed number of data points, generates flow data information of each time window, and sends the flow data information to the flow analysis module and the correlation analysis module, wherein the flow data information of each time window comprises an average value, a maximum value and time corresponding to the maximum value of data flow in each window;
the correlation analysis module is used for generating correlation indexes of each time window by adopting R/S analysis, generating slopes and error coefficients of a plurality of groups of linear regression models by adopting a first-order linear regression model aiming at the correlation indexes, performing first-order differential analysis on the slope and error coefficient data to generate the correlation coefficients, and sending the correlation coefficients to the flow analysis module;
the flow analysis module is used for setting a flow peak value threshold according to flow data information of each time window, obtaining a time difference value sequence according to the time of flow data exceeding the flow peak value threshold, calculating a periodic fluctuation coefficient according to the time difference value sequence, generating a flow fluctuation coefficient according to the average value of data flow in each window, and finally generating a flow abnormality index by combining the correlation coefficient, the periodic fluctuation coefficient and the flow fluctuation coefficient;
the second acquisition module acquires the intensity of external electromagnetic waves and the number of sensors connected with the process control unit and the number of process control units connected with the process management unit during data transmission outside the process control unit and the process management unit, and sends acquired data to the second analysis module;
the second analysis module performs normalization formula processing according to the electromagnetic wave intensity, the number of sensors connected with the process control units and the number information of the process control units connected with the process management units after dimensionless processing to obtain an environmental impact coefficient;
and the safety analysis module is used for analyzing the environmental impact coefficient and the flow abnormality index, comparing the environmental impact coefficient and the flow abnormality index with a preset environmental impact threshold and a preset flow index threshold respectively, and judging the safety condition of the industrial control system in the process control unit and the process management unit.
2. An industrial information security authentication system according to claim 1, wherein: the real-time flow transmission data acquired by the first acquisition module are flow values taking the time stamp as an identifier, comprise time and corresponding flow data, and are ordered according to time sequence according to the time stamp, so that the data are arranged according to the time sequence, and a time sequence is generated.
3. An industrial information security authentication system according to claim 2, wherein: the logic underlying the splitting into n time windows with a fixed number of data points is: determining the time length required by each time window, calculating the number of data points contained in each time window according to the time window length and the sampling frequency of the time sequence, segmenting the time sequence data according to the time window length, ensuring that the time span between the starting time and the ending time of each time window is the set time window length, deleting the time length left by the last window if the selected time window length cannot divide the total time span of the time sequence, filling the segmented time windows with the corresponding number of data points according to the calculated number of data points contained in each time window, and ensuring that each time window has the same number of data points.
4. An industrial information security authentication system according to claim 3, wherein: the specific logic for generating the slope and the error coefficient of the multiple groups of linear regression models by constructing the first-order linear regression model according to the correlation indexes is that the time of the middle point of each time window is taken as an independent variable, the correlation indexes are taken as dependent variables to form a first-order linear regression model, the time of the middle points of two windows and the correlation indexes are taken, the slope and the error coefficient of one group of linear regression models are obtained, all combination modes are traversed, the slope and the error coefficient of all groups of linear regression models are obtained, and a first-order slope difference sequence and a first-order error coefficient difference sequence are generated after all slope values and error coefficients are subjected to first-order difference;
when the correlation coefficient is generated, elements in the first-order slope difference sequence are added to obtain an average number, the average number is defined as a slope index, elements in the first-order error coefficient difference sequence are added to obtain an average number, the average number is defined as an error index, the slope index and the error index are weighted and summed to generate the correlation coefficient, the weighted weights are ρ and τ respectively, ρ is the slope index weight, τ is the error index weight, ρ > τ, and ρ+τ=1.
5. An industrial information security authentication system according to claim 4, wherein: the flow peak value threshold is generated after being weighted according to the average value of the maximum value of the data flow in each time window, and the specific formula based on the generation is as follows:
wherein iy is the flow peak value threshold, α is the flow peak value weight, and α ≥ 1.56.
6. An industrial information security authentication system according to claim 1, wherein: the specific logic of the time difference sequence generation is to compare the maximum value of the data flow in each time window with the flow peak value threshold one by one, record the time corresponding to each maximum exceeding the flow peak value threshold, then arrange all times in time order and process them to form a time difference sequence; the number of maximum values exceeding the flow peak value threshold is m, and the corresponding times are respectively $ty_1, ty_2, \ldots, ty_q, \ldots, ty_m$, wherein $ty_q$ is the time corresponding to the maximum value of the data flow in the q-th time window exceeding the flow peak value threshold, $q = 1, 2, \ldots, p, \ldots, m$, $p \in N^{+}$.
The number of elements in the time difference sequence is m-1, and the formula according to which the time difference sequence is generated is as follows:
wherein TC is the time difference sequence and $TC_q$ is the q-th element in the time difference sequence.
7. An industrial information security authentication system according to claim 6, wherein: when the period fluctuation coefficient is generated, firstly calculating the average value of each time difference value, then calculating the distance between each time difference value and the average value of the time difference value, and then calculating the average value of the distances, namely the period fluctuation coefficient is generated, wherein the formula is as follows:
wherein,zb is the periodic fluctuation coefficient, which is the average of the time differences.
8. An industrial information security authentication system according to claim 1, wherein: the method for generating the flow fluctuation coefficient by the average value of the data flow in each window is that the average value data of the data flow in each window is calculated and divided by the number of windows after being overlapped, the flow average value of the time sequence is calculated, then the variance of the average value data of the data flow in each window is calculated, the variance measures the difference degree between the data point and the average value thereof, then the flow average value of the time sequence on the standard deviation is taken as the flow fluctuation coefficient, and the formula for generating the flow abnormality index by combining the correlation coefficient, the periodic fluctuation coefficient and the flow fluctuation coefficient is as follows:
$Ly = \ln Xg \cdot Lb + e^{Zb}$
where Ly is the flow abnormality index, Xg is the correlation coefficient, and Lb is the flow fluctuation coefficient.
9. An industrial information security authentication system according to claim 1, wherein: the second analysis module performs normalization formula processing according to the electromagnetic wave intensity, the number of sensors connected with the process control units and the number information of the process control units connected with the process management units after dimensionless processing to obtain an environmental impact coefficient, and the second data analysis module is based on the formula:
wherein $Y_y$ is the environmental impact coefficient, $f_1$ and $f_2$ are respectively a noise weight coefficient and a path weight coefficient, and $L_k$ and $L_g$ are respectively the number of sensors connected to the control unit and the number of process control units connected to the process management unit.
10. An industrial information security authentication system according to claim 1, wherein: the specific logic on which the safety conditions of the industrial control system in the process control unit and the process management unit are judged is as follows:
when $Ly \le LZ$ and $Y_y \le YZ$, the industrial control system network is in a safe state, and the process control unit and the process management unit transmit data normally;
when $Ly > LZ$, it is judged that abnormal flow has entered between the process control unit and the process management unit, and the flow transmission channel between the process control unit and the process management unit is cut off;
when $Y_y > YZ$, it is judged that an electromagnetic attack exists outside the industrial control system network, and the flow transmission channel between the process control unit and the process management unit and the flow transmission channel between the process management unit and the upper computer are cut off;
wherein $Y_y$ is the environmental impact coefficient, Ly is the flow abnormality index, LZ is the flow index threshold, and YZ is the environmental impact threshold.
CN202311304519.4A 2023-10-10 2023-10-10 Industrial information security authentication system Pending CN117097557A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311304519.4A CN117097557A (en) 2023-10-10 2023-10-10 Industrial information security authentication system


Publications (1)

Publication Number Publication Date
CN117097557A true CN117097557A (en) 2023-11-21

Family

ID=88780408

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311304519.4A Pending CN117097557A (en) 2023-10-10 2023-10-10 Industrial information security authentication system

Country Status (1)

Country Link
CN (1) CN117097557A (en)

Similar Documents

Publication Publication Date Title
CN110035090B (en) False data injection attack detection method for smart grid
JP6184270B2 (en) System and method for creating index profiles related to attacks by correlating various indices with past attack cases in order to detect and predict future network attacks
Ye et al. Computer intrusion detection through EWMA for autocorrelated and uncorrelated data
CN106375339B (en) Attack mode detection method based on event sliding window
Nesa et al. Outlier detection in sensed data using statistical learning models for IoT
CN111092862B (en) Method and system for detecting communication traffic abnormality of power grid terminal
CN108429651A (en) Data on flows detection method, device, electronic equipment and computer-readable medium
Burgess Probabilistic anomaly detection in distributed computer networks
CN109034400A (en) A kind of substation's exception metric data predicting platform system
CN109784668B (en) Sample feature dimension reduction processing method for detecting abnormal behaviors of power monitoring system
RU2619205C1 (en) Method for monitoring distributed control system and communication
CN116684878B (en) 5G information transmission data safety monitoring system
US11657150B2 (en) Two-dimensionality detection method for industrial control system attacks
De Vita et al. A novel data collection framework for telemetry and anomaly detection in industrial iot systems
CN110865625A (en) Process data anomaly detection method based on time series
CN115935415A (en) Data safety early warning system based on industrial internet multi-factor perception
CN113554330A (en) Training method and application method of security situation perception model of hydrological information platform
CN115378711A (en) Industrial control network intrusion detection method and system
EP4141715A1 (en) Anomaly detection
CN108805427B (en) Power distribution network running state risk early warning system based on big data
CN116709392B (en) Large-scale wireless sensor network data fusion method
CN117097557A (en) Industrial information security authentication system
CN110378111B (en) Intrusion detection method and intrusion detection system for hidden attack of industrial control system
CN116366319A (en) Method and system for detecting network security
CN111103487A (en) Non-invasive PST anomaly monitoring method based on power consumption analysis

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination