GB2532630A - Network intrusion alarm method and system for nuclear power station - Google Patents


Info

Publication number: GB2532630A
Authority: GB (United Kingdom)
Prior art keywords: alarm information, alarm, detection, instant, historical
Legal status: Granted
Application number: GB1602102.4A
Other versions: GB201602102D0 (en), GB2532630B (en)
Inventors: Sun Yongbin, Liu Gaojun, Wang Ting, Sun Qi, Zhang Jianbo, He Dayu, Chen Weihua, Huang Weijun, Peng Huaqing, Wang Chunbing, Duan Qizhi, Yang Hualong
Current assignee: China General Nuclear Power Corp; China Nuclear Power Engineering Co Ltd; Lingao Nuclear Power Co Ltd
Original assignee: China General Nuclear Power Corp; China Nuclear Power Engineering Co Ltd; Lingao Nuclear Power Co Ltd
Events: application filed by China General Nuclear Power Corp, China Nuclear Power Engineering Co Ltd and Lingao Nuclear Power Co Ltd; publication of GB201602102D0; publication of GB2532630A; application granted; publication of GB2532630B; legal status active

Classifications

Section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication); section Y (General tagging of new technological developments), class Y04 (Information or communication technologies having an impact on other technology areas), subclass Y04S (Systems integrating technologies related to power network operation, communication or information technologies, i.e. smart grids):

    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)
    • H04L63/1416 Event detection, e.g. attack signature detection (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 for detecting or protecting against malicious traffic; H04L63/1408 by monitoring network traffic)
    • H04L63/1425 Traffic logging, e.g. anomaly detection (under H04L63/1408)
    • H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms (under H04L63/1441 Countermeasures against malicious traffic)
    • Y04S40/18 Network protocols supporting networked applications, e.g. including control of end-device applications over a network (under Y04S40/00 Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies)
    • Y04S40/20 Information technology specific aspects, e.g. CAD, simulation, modelling, system security (under Y04S40/00)

Abstract

Disclosed is a network intrusion alarm method for a nuclear power station, which comprises: detecting data information sent by an access object, the detection comprising misuse detection and protocol abnormality data detection; if the result of the data information detection is abnormal, generating instant pre-alarm information; matching the instant pre-alarm information with historical pre-alarm information in a database; and if the matching result of the instant pre-alarm information and the historical pre-alarm information does not conform to a pre-set matching value, sending intrusion alarm information. The network intrusion alarm method for a nuclear power station of the present invention effectively satisfies the requirements of a nuclear power station industry network for network security protection. In addition, further disclosed is a network intrusion alarm system for a nuclear power station.

Description

SPECIFICATION
NETWORK INTRUSION ALARM METHOD AND SYSTEM FOR NUCLEAR POWER PLANT
FIELD OF THE INVENTION
[0001] The present invention generally relates to security technology for nuclear power plants and, more particularly, to a network intrusion alarm method and system for a nuclear power plant.
BACKGROUND OF THE INVENTION
[0002] An intrusion detection system (IDS) is a system used to identify and deal with malicious use of computers and network resources. Because of the increasing size of networks, there are more and more resources on the network. Accordingly, more and more threats come from the network, and network attacks become more and more covert. The running data of a nuclear power plant relates to national security and social stability. Therefore, there is an urgent need to construct a network security system to ensure the safety of the data center. An industrial control system, including a nuclear power plant control system, is an independent network that is not connected to the Internet. Normally, there is no virus in the industrial control system, and outside hackers cannot attack it. In addition, hackers and network viruses generally attack computer devices; there is no virus for the control equipment in the industrial control network.
[0003] In nuclear power control systems, with the development of information technology and to ease the integration and use of nuclear power systems, a large number of industrial Ethernet rings and communication protocols are used to integrate the nuclear power control system. At the same time, a larger number of PC servers and terminal products are used, and the operating systems and databases of the nuclear power plant make extensive use of general-purpose systems. Although the nuclear power industrial network is not connected to the Internet, many standards have been set forth for the nuclear power plant. However, in reality, there are people who do not comply with the standards, for instance by using the same USB flash drive (U disk) alternately on the Internet and on the nuclear power industrial network, or by using unscanned discs, which may lead to virus, Trojan horse and hacker attacks from enterprise management networks or the Internet and further to failures of actual physical systems. The data running in a nuclear power plant relates to national security and social stability. Therefore, there is an urgent need to construct a network security system to ensure the safety of the data center.
[0004] A conventional network security system generally includes a firewall, anti-virus software and an intrusion detection system (IDS) or intrusion prevention system (IPS). However, the nuclear power control system either has no commercial intrusion detection system installed for network defense, or the commercial intrusion detection system installed is based on misuse detection. Because the nuclear power industry network is not connected to the Internet, it cannot update the virus database in a timely manner, and the commercial intrusion detection system cannot detect new viruses or viruses designed for specific industrial control systems.
[0005] Therefore, how to detect and pre-alarm virus intrusion from the network is an urgent problem to be solved.
SUMMARY OF THE INVENTION
[0006] One object of the present invention is to provide a network intrusion alarm method and system for a nuclear power plant against virus intrusion from the network, which can improve the ability of the nuclear power control system to detect network intrusion and improve the intrusion alarm mechanism via the combined use of misuse detection and abnormality detection.
[0007] According to one embodiment of the present invention, a network intrusion alarm method for a nuclear power plant includes the steps of: detecting data information sent by an access object, the detection including misuse detection and protocol abnormality data detection; if the result of the data information detection is abnormal, generating instant pre-alarm information; matching the instant pre-alarm information with historical pre-alarm information in a database; and if the matching result of the instant pre-alarm information and the historical pre-alarm information does not conform to a preset matching value, sending intrusion alarm information.
[0008] According to one aspect of the present invention, the method further includes the step of receiving data information sent by the access object.
[0009] According to one aspect of the present invention, the method further includes the step of presetting a matching value of the instant pre-alarm information and the historical pre-alarm information.
[0010] According to one aspect of the present invention, the historical pre-alarm information includes a pre-alarm number field; if the matching result of the instant pre-alarm information and the historical pre-alarm information conforms to the preset matching value, the pre-alarm number is incremented by one.
[0011] According to one aspect of the present invention, the method further includes the step of executing association analysis of the instant pre-alarm information and the historical pre-alarm information, and determining the purpose of the access object according to a preset association rule.
[0012] According to one aspect of the present invention, the method further includes the step of setting a new association rule according to the instant pre-alarm information and instantly updating the association rule if the purpose of the access object cannot be determined according to the preset association rule.
[0013] According to one aspect of the present invention, the method further includes the step of saving the instant pre-alarm information in a database and updating the database.
[0014] According to one aspect of the present invention, the method further includes the step of blocking IP addresses or port access of the access object according to the intrusion alarm information.
[0015] According to one embodiment of the present invention, a network intrusion alarm system for a nuclear power plant includes: a detection module, configured to detect data information sent by an access object, the detection including misuse detection and protocol abnormality data detection; a pre-alarm module, configured to generate instant pre-alarm information if the detection result of the data information detected by the detection module is abnormal; a matching module, configured to match the instant pre-alarm information generated by the pre-alarm module with historical pre-alarm information in a database; and an alarm module, configured to send intrusion alarm information if the matching result of the instant pre-alarm information and the historical pre-alarm information does not conform to a preset matching value.
[0016] According to one aspect of the present invention, the system further includes a receiving module configured to receive the data information sent by the access object.
[0017] According to one aspect of the present invention, the system further includes a setting module configured to preset a matching value of the instant pre-alarm information with historical pre-alarm information.
[0018] According to one aspect of the present invention, the system further includes a database configured to save the historical pre-alarm information; the historical pre-alarm information comprises a pre-alarm number field, and the pre-alarm number is incremented by one if the matching result of the instant pre-alarm information and the historical pre-alarm information conforms to the preset matching value.
[0019] According to one aspect of the present invention, the system further includes an analysis module configured to execute association analysis of the instant pre-alarm information and the historical pre-alarm information, and to determine the purpose of the access object according to preset association rules.
[0020] According to one aspect of the present invention, the system further includes an adaptive module configured to save the preset association rules, and if the analysis module fails to determine the purpose of the access object according to the preset association rules, the adaptive module sets new association rules according to the instant pre-alarm information and updates the new association rules.
[0021] According to one aspect of the present invention, the system further includes an updating module configured to save the instant pre-alarm information in the database and update the database.
[0022] According to one aspect of the present invention, the system further includes an execution module configured to block IP addresses or port access of the access object according to the intrusion alarm information.
[0023] Compared with the prior art, the network intrusion alarm method and system for a nuclear power plant of the present invention have the following advantages. Via misuse detection and protocol abnormality data detection of the data information sent by the access object, and the matching analysis based on that detection, an alarm is generated according to the matching result, so as to realize intrusion alarm for the adaptive network environment of the nuclear power plant. Due to the combined use of misuse detection and protocol abnormality data detection, the ability of the nuclear power control system to detect network intrusion and its intrusion alarm mechanism are remarkably improved, thereby satisfying the requirements of a nuclear power plant industry network for network security protection.
BRIEF DESCRIPTION OF THE DRAWINGS
[0024] Other advantages and novel features will be drawn from the following detailed description of the preferred embodiment with the attached drawings. The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the present invention and, together with the general description of the invention given above and the detailed description of the embodiments given below, serve to explain the principles of the invention, in which:
[0025] Fig. 1 depicts a schematic flow chart of a network intrusion alarm method for a nuclear power plant according to one embodiment of the present invention;
[0026] Fig. 2 depicts a schematic diagram of a network intrusion alarm system for a nuclear power plant according to one embodiment of the present invention; and
[0027] Fig. 3 depicts a schematic diagram of a network intrusion alarm system for a nuclear power plant according to another embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
[0028] Example embodiments of the present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which some, but not all embodiments of the invention are shown. Indeed, the invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy applicable legal requirements.
[0029] According to their principles of operation, network intrusion detection technologies can be divided into misuse detection technology and abnormality detection technology, where misuse detection technology is based on feature matching of data packets. Misuse detection technology has high accuracy, but may fail to report because it cannot find new intrusion patterns. Abnormality detection technology, such as a protocol anomaly detection system (PADS), uses network connection features, system call features, network traffic features and system delay features to set up a descriptive model of normal network behaviors. User behaviors that seriously deviate from the normal behaviors may be considered intrusions. Abnormality detection technology can find new types of network intrusion, but has a high false alarm rate and needs a large number of training samples. At present, there is no combined application of misuse detection technology and abnormality detection technology in a nuclear power plant control system.
[0030] Referring to Fig. 1, according to one embodiment of the present invention, a network intrusion alarm method includes the steps of: Step 101, data information sent by an access object is detected. The detection includes misuse detection and protocol abnormality data detection.
[0031] The nuclear intrusion alarm management system receives the data information sent by the access object. More specifically, the access data information enters the control system application server via a switch. The nuclear intrusion detection alert management system (ND-IDAMS) installed on the computer server obtains the data information of the access object via the switch.
[0032] The nuclear intrusion alarm management system receives the data information sent by the access object. Alternatively, the access object can also send data information to the control system of the nuclear plant via a server.
[0033] The nuclear intrusion alarm management system detects the data information sent by the access object. The detection includes misuse detection and protocol abnormality data detection. More specifically, the nuclear intrusion alarm management system detects the data information via a misuse detection module. In addition, protocol abnormality data detection (PADS) is executed on the data information. PADS can use a Markov model to detect protocols in the network data.
[0034] Alternatively, the nuclear intrusion alarm management system can detect the data information by connecting to a commercial intrusion detection system (IPS or IDS). The nuclear intrusion alarm management system can be connected to more than one commercial intrusion detection system (IPS or IDS).
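The description names a Markov model as the technique PADS can use for protocol abnormality detection but does not spell it out. The following Python block is an added illustration, not code from the patent or from ND-IDAMS: a first-order Markov chain over message types is trained on sessions recorded during normal operation, and a new session is flagged when it contains a transition never observed in training or when its average per-transition log-likelihood falls below a threshold. The message-type names, the training sessions, the probability floor and the threshold are all constructed for this example.

```python
"""First-order Markov model for protocol anomaly detection.

Added example, not the patent's code: it shows the kind of Markov-model
protocol check that paragraph [0033] attributes to PADS. The message
types, the normal training sessions and the thresholds are constructed
for this example and are not taken from the patent.
"""
from collections import defaultdict
from math import log

START, END = "<start>", "<end>"

# Constructed training data: message-type sequences of a hypothetical
# request/response protocol as seen on the plant network in normal operation.
NORMAL_SESSIONS = [
    ["CONNECT", "AUTH", "READ", "READ", "READ", "DISCONNECT"],
    ["CONNECT", "AUTH", "READ", "WRITE", "READ", "DISCONNECT"],
    ["CONNECT", "AUTH", "READ", "READ", "WRITE", "READ", "DISCONNECT"],
    ["CONNECT", "AUTH", "READ", "DISCONNECT"],
]


class MarkovProtocolModel:
    """Learn P(next message type | current message type) from normal sessions."""

    def __init__(self, floor=1e-4):
        # Probability given to a transition never seen in training (constructed value).
        self.floor = floor
        self.counts = defaultdict(lambda: defaultdict(int))

    def train(self, sessions):
        for session in sessions:
            seq = [START] + list(session) + [END]
            for cur, nxt in zip(seq, seq[1:]):
                self.counts[cur][nxt] += 1

    def transition_prob(self, cur, nxt):
        """Return (probability, seen_in_training) for one transition."""
        row = self.counts.get(cur)
        if not row or nxt not in row:
            return self.floor, False
        return row[nxt] / sum(row.values()), True

    def score(self, session):
        """Average log-probability per transition and the list of unseen transitions."""
        seq = [START] + list(session) + [END]
        logp, unseen = 0.0, []
        for cur, nxt in zip(seq, seq[1:]):
            p, seen = self.transition_prob(cur, nxt)
            if not seen:
                unseen.append((cur, nxt))
            logp += log(p)
        return logp / (len(seq) - 1), unseen

    def is_abnormal(self, session, threshold=-2.5):
        """Flag a session with any unseen transition or a low average likelihood.

        The threshold is a constructed value; in practice it is tuned on
        held-out normal traffic to keep the false-alarm rate acceptable.
        """
        avg, unseen = self.score(session)
        return bool(unseen) or avg < threshold


if __name__ == "__main__":
    model = MarkovProtocolModel()
    model.train(NORMAL_SESSIONS)
    # A session that skips authentication: CONNECT -> READ was never observed.
    print(model.score(["CONNECT", "READ", "WRITE", "WRITE", "DISCONNECT"]))
```

Two properties matter for a plant network. Any message type or ordering absent from the training sessions is reported as an unseen transition, which is how a new intrusion pattern surfaces without a signature; and the likelihood threshold is what has to be tuned against the high false-alarm rate that paragraph [0029] attributes to abnormality detection, which is why enough normal sessions must be collected before the model is trusted.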
[0035] Step 103, if the result of the data information detection is abnormal, instant pre-alarm information is generated.
[0036] Detected normal data can access associated systems normally. If the result of data information detection is abnormal, the nuclear intrusion alarm management system generates instant pre-alarm information.
[0037] Step 105, the instant pre-alarm information is matched with the historical pre-alarm information in a database.
[0038] More specifically, the nuclear intrusion alarm management system matches the instant pre-alarm information with the historical pre-alarm information in a database, and confirms via a classification algorithm whether there is historical pre-alarm information in the database that is the same as the instant pre-alarm information.
[0039] Alternatively, the method of the present embodiment further includes the step of presetting a matching value of the instant pre-alarm information and the historical alarm information.
[0040] Alternatively, a matching value of the instant pre-alarm information and the historical alarm information is preset. For instance, in case the matching value is 75%, if more than 75% of the instant pre-alarm information and the historical pre-alarm information is the same, it is confirmed that the instant pre-alarm information matches the historical pre-alarm information. The matching value can be adjusted according to actual requirements.
[0041] If there is historical pre-alarm information matching the instant pre-alarm information, the instant pre-alarm information and the historical pre-alarm information are classified as one type of pre-alarm. No matter how much instant pre-alarm information there is, as long as the instant pre-alarm information matches the historical pre-alarm information, the historical pre-alarm information is returned for information fusion. Therefore, the repetition of similar pre-alarms is reduced remarkably.
[0042] Alternatively, the historical pre-alarm information includes a pre-alarm number field. If the matching result of the instant pre-alarm information and the historical pre-alarm information conforms to the preset matching value, the pre-alarm number is incremented by one. For instance, the historical pre-alarm information at least includes pre-alarm content and a pre-alarm number. If the instant pre-alarm information matches the historical pre-alarm information, the pre-alarm content does not change while the pre-alarm number is incremented by one.
[0043] Further, association analysis of the instant pre-alarm information and the historical pre-alarm information is executed, and the purpose of the access object is determined according to preset association rules.
[0044] Step 107: if the matching result of the instant pre-alarm information and the historical pre-alarm information does not conform to a preset matching value, intrusion alarm information is sent out.
[0045] For instance, the preset matching value is 75%. If the matching value of the instant pre-alarm information and the historical pre-alarm information is lower than 75%, it is determined that the instant pre-alarm information does not match with the historical pre-alarm information. If the matching result of the instant pre-alarm information and the historical pre-alarm information does not conform to a preset matching value, the nuclear intrusion alarm management system sends intrusion alarm information.
[0046] If the purpose of the access object cannot be determined according to the preset association rules, a new association rule is set and updated according to the instant pre-alarm information.
[0047] If no similar or matching historical pre-alarm information can be found in the database for the received instant pre-alarm information, the administrator confirms it and establishes new pre-alarm fusion classification and association rules. On reviewing the attack pre-alarm association table, the administrator can update the association rules accordingly.
[0048] Further, the instant pre-alarm information is saved into the database and the database is updated. New pre-alarm fusion classification and association rules are set and the database is updated timely.
[0049] Further, according to the intrusion alarm information, blocking of the IP address or port access of the access object is executed in cooperation with the firewall or IPS.
[0050] Via misuse detection and protocol abnormality data detection of the data information sent by the access object, and the matching analysis based on that detection, an alarm is generated according to the matching result, so as to realize intrusion alarm for the adaptive network environment of the nuclear power plant. Due to the combined use of misuse detection and protocol abnormality data detection, the ability of the nuclear power control system to detect network intrusion and its intrusion alarm mechanism are remarkably improved, thereby satisfying the requirements of a nuclear power plant industry network for network security protection.
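Steps 105 and 107 and paragraphs [0040] to [0049] describe the matching value, the pre-alarm number field, the association rules with an adaptive fallback, and the blocking action, but not how the matching degree is computed. The following Python block is an added illustration, not code from the patent or from ND-IDAMS, that carries the whole decision through on constructed pre-alarms: the matching degree is taken to be the fraction of pre-alarm content fields that agree, a degree of at least the 75% matching value fuses the instant pre-alarm into the historical one and increments its pre-alarm number, and anything below that raises an intrusion alarm, stores a new historical entry, runs the preset association rules and records the source for blocking. The field names, the two association rules, the sample pre-alarms and the equal-fields definition of the matching degree are all assumptions made for the example.

```python
"""Pre-alarm matching, fusion, alarm and blocking decision (steps 105 and 107).

Added example, not the patent's code: the pre-alarm fields, the association
rules, the sample pre-alarms and the equal-fields matching degree are
assumptions made for this illustration.
"""
from dataclasses import dataclass

# Fields that make up the "content" of a pre-alarm (assumed). The matching
# degree is the fraction of these fields on which two pre-alarms agree.
CONTENT_FIELDS = ("src_ip", "dst_port", "protocol", "detector", "finding")

MATCH_VALUE = 0.75  # preset matching value from the description (75%)


@dataclass
class PreAlarm:
    src_ip: str
    dst_port: int
    protocol: str
    detector: str   # "misuse" or "pads"
    finding: str    # signature name or anomaly description


@dataclass
class HistoricalPreAlarm:
    content: PreAlarm
    count: int = 1  # the "pre-alarm number" field


def matching_degree(a, b):
    same = sum(getattr(a, f) == getattr(b, f) for f in CONTENT_FIELDS)
    return same / len(CONTENT_FIELDS)


# Preset association rules (assumed): each maps (instant, history) to a purpose
# string, or None when the rule does not apply.
def _rule_scan(instant, history):
    ports = {h.content.dst_port for h in history if h.content.src_ip == instant.src_ip}
    ports.add(instant.dst_port)
    return "port scan / reconnaissance" if len(ports) >= 3 else None


def _rule_control_write(instant, history):
    if instant.detector == "pads" and "WRITE" in instant.finding:
        return "unauthorised control command"
    return None


PRESET_RULES = [_rule_scan, _rule_control_write]


class AlarmManager:
    def __init__(self, match_value=MATCH_VALUE, rules=PRESET_RULES):
        self.match_value = match_value
        self.rules = list(rules)
        self.history = []        # the database of historical pre-alarms
        self.pending_rules = []  # pre-alarms no rule explains, for administrator review
        self.blocked = set()     # source addresses handed to the firewall/IPS

    def determine_purpose(self, instant):
        for rule in self.rules:
            purpose = rule(instant, self.history)
            if purpose:
                return purpose
        # Adaptive step: no preset rule applies, so the pre-alarm is recorded
        # as the basis for a new association rule the administrator confirms.
        self.pending_rules.append(instant)
        return "unknown (new association rule pending)"

    def process(self, instant):
        """Match one instant pre-alarm against history and return the decision."""
        best, best_degree = None, 0.0
        for h in self.history:
            d = matching_degree(instant, h.content)
            if d > best_degree:
                best, best_degree = h, d
        if best is not None and best_degree >= self.match_value:
            best.count += 1  # fusion: content unchanged, pre-alarm number + 1
            return {"alarm": False, "fused_with": best.content,
                    "count": best.count, "degree": best_degree}
        # No match: send an intrusion alarm, store the new pre-alarm, decide
        # the purpose, and record the source for the execution (blocking) step.
        self.history.append(HistoricalPreAlarm(instant))
        purpose = self.determine_purpose(instant)
        self.blocked.add(instant.src_ip)
        return {"alarm": True, "purpose": purpose, "degree": best_degree}


if __name__ == "__main__":
    mgr = AlarmManager()
    # Constructed pre-alarms: a repeated misuse hit from one host, then two
    # protocol anomalies from the same host on other ports.
    print(mgr.process(PreAlarm("10.0.5.23", 502, "modbus", "misuse", "sig:known-worm-probe")))
    print(mgr.process(PreAlarm("10.0.5.23", 502, "modbus", "misuse", "sig:known-worm-probe")))
    print(mgr.process(PreAlarm("10.0.5.23", 20000, "dnp3", "pads", "unexpected WRITE before AUTH")))
```

With five content fields, the 75% matching value means four of five fields must agree, so a second hit from the same host on a neighbouring port still fuses into the existing entry and only its count grows, which is the reduction of repeated pre-alarms the description aims for; a pre-alarm that shares only the source address does not fuse and produces a fresh alarm, and the scan rule then reads the accumulated history for that address.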
[0051] Referring to Fig. 2, one embodiment of a network intrusion alarm system for a nuclear power plant includes a detection module 201, a pre-alarm module 203, a matching module 205, and an alarm module 207.
[0052] The detection module 201 is configured to detect the data information sent by an access object. The detection includes misuse detection and protocol abnormality data detection.
[0053] The pre-alarm module 203 is configured to generate instant pre-alarm information if the result of the data information detection of the detection module 201 is abnormal.
[0054] The matching module 205 is configured to match the instant pre-alarm information generated by the pre-alarm module 203 with historical pre-alarm information in a database.
[0055] The alarm module 207 is configured to send intrusion alarm information if the matching result of the instant pre-alarm information and the historical pre-alarm information does not conform to a pre-set matching value.
[0056] Referring to Fig. 3, a network intrusion alarm system for a nuclear power plant according to another embodiment of the present invention includes a receiving module 301, a detection module 303, a pre-alarm module 305, a matching module 307, an alarm module 309, an updating module 311, a database 313, an analysis module 315, an adaptive module 317 and an execution module 319.
[0057] The receiving module 301 is configured to receive the data information sent by the access object.
[0058] Specifically, the access data enters the control system application server via a switch. The receiving module 301 of the ND-IDAMS installed in the computer server can obtain the data information of the access object via the switch.
[0059] The receiving module 301 receives the data information sent by the access object. Alternatively, the access object can also send data information to the nuclear power plant control system via the server, and the data information is then received by the receiving module 301.
[0060] The detection module 303 is configured to detect the data information sent by the access object. The detection includes misuse detection and protocol abnormality data detection.
[0061] The detection module 303 is configured to detect the data information sent by the access object and received by the receiving module 301. Detection includes protocol abnormality data detection and misuse detection. More specifically, the detection module 303 executes protocol abnormality data detection (PADS) on the data information. PADS can use a Markov model to detect protocols in the network data.
[0062] Alternatively, the detection module 303 can detect the data information by connecting to a commercial intrusion detection system (IPS or IDS). The detection module 303 can be connected to a number of commercial intrusion detection systems (IPS or IDS).
[0063] The pre-alarm module 305 is configured to generate instant pre-alarm information if the detection result of the detection module 303 is abnormal.
[0064] Normal data detected by the detection module 303 can access the associated systems normally. If the detection result of the data information is abnormal, the pre-alarm module 305 generates instant pre-alarm information.
[0065] The matching module 307 is configured to match the instant pre-alarm information generated by the pre-alarm module 305 with the historical pre-alarm information.
[0066] More specifically, the matching module 307 matches the instant pre-alarm information with the historical pre-alarm information stored in the database, and determines via a classification algorithm whether the historical pre-alarm information in the database is the same as the instant pre-alarm information.
[0067] Alternatively, the system of the present invention includes a setting module which can preset a matching value of the instant pre-alarm information and the historical pre-alarm information.
[0068] Alternatively, the matching module 307 can preset a matching value of the instant pre-alarm information and the historical pre-alarm information, for instance a matching value of 75%. In this case, if the matching degree of the instant pre-alarm information and the historical pre-alarm information is no less than 75%, it is determined that the instant pre-alarm information matches the historical pre-alarm information. The matching value can be adjusted according to actual requirements.
[0069] If historical pre-alarm information matching the instant pre-alarm information can be found, the historical pre-alarm information and the instant pre-alarm information are classified as one type of pre-alarm, no matter how much instant pre-alarm information there is, as long as the instant pre-alarm information matches the historical pre-alarm information. The historical pre-alarm information will be returned for pre-alarm information fusion. In this case, the repetition of similar pre-alarms is reduced remarkably.
[0070] The database 313 is configured to save the historical pre-alarm information. The historical pre-alarm information includes a pre-alarm number field. The pre-alarm number is incremented by one if the matching result of the instant pre-alarm information and the historical pre-alarm information conforms to the preset matching value. For instance, the historical pre-alarm information at least includes pre-alarm content and a pre-alarm number. When the instant pre-alarm information matches the historical pre-alarm information, the pre-alarm content does not change while the pre-alarm number is incremented by one.
[0071] If the instant pre-alarm information does not match the historical pre-alarm information, the update module 311 is configured to save the instant pre-alarm information into the database 313 and update the database 313.
[0072] The analysis module 315 is configured to execute association analysis on the instant pre-alarm information and the historical pre-alarm information, and determine the purpose of the access object according to preset association rules.
[0073] The adaptive module 317 is configured to save preset association rules. If the analysis module 315 fails to determine the purpose of the access object according to the preset association rules, the adaptive module 317 sets new association rules according to the instant pre-alarm information and updates the new association rules.
[0074] The alarm module 309 is configured to send intrusion alarm information if the matching result of the instant pre-alarm information and the historical pre-alarm information does not conform to the preset matching value.
[0075] The execution module 319 is configured to block the IP address or port access of the access object according to the intrusion alarm information.
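The matching, fusion, update and alarm steps of paragraphs [0066] to [0075], as an added Python example that is not part of the patent: the matching degree is taken to be the share of equal fields (the patent does not specify its classification algorithm), and the field names, the 75% matching value and the sample records are assumptions.

```python
from dataclasses import dataclass

# Fields compared to compute the matching degree (assumed field set).
MATCH_FIELDS = ("detection", "protocol", "src_ip", "dst_port", "signature")
MATCH_VALUE = 0.75  # the preset matching value of 75% from paragraph [0068]


@dataclass
class PreAlarm:
    detection: str   # "misuse" or "protocol_abnormality", the two detections used
    protocol: str
    src_ip: str
    dst_port: int
    signature: str
    number: int = 1  # the "pre-alarm number" field of a historical record


def matching_degree(instant: PreAlarm, historical: PreAlarm) -> float:
    """Share of compared fields that are equal (assumed matching formula)."""
    same = sum(getattr(instant, f) == getattr(historical, f) for f in MATCH_FIELDS)
    return same / len(MATCH_FIELDS)


def fuse_pre_alarm(db: list, instant: PreAlarm, match_value: float = MATCH_VALUE):
    """Match an instant pre-alarm against the historical database.

    ("fused", record): a historical record reached the matching value, so its
    content is kept and its pre-alarm number is incremented (paragraph [0070]).
    ("alarm", record): no match, so the instant pre-alarm is stored as a new
    historical record and intrusion alarm information is sent ([0071], [0074]).
    """
    best = max(db, key=lambda h: matching_degree(instant, h), default=None)
    if best is not None and matching_degree(instant, best) >= match_value:
        best.number += 1
        return "fused", best
    db.append(instant)
    return "alarm", instant


def demo():
    """Constructed sample pre-alarms; addresses and signature names are placeholders."""
    db = [PreAlarm("misuse", "modbus", "10.0.0.5", 502, "write-coil-flood")]
    repeat = PreAlarm("misuse", "modbus", "10.0.0.5", 502, "write-coil-flood")  # 100%
    variant = PreAlarm("misuse", "modbus", "10.0.0.9", 502, "write-coil-flood")  # 80%
    novel = PreAlarm("protocol_abnormality", "s7comm", "10.0.0.7", 102, "bad-pdu-len")  # 0%
    return [fuse_pre_alarm(db, p)[0] for p in (repeat, variant, novel)], db
```

The variant record differs only in source address, so at 80% it is fused into the existing record rather than raising a second alarm; lowering the matching value below 80% would fuse even less similar pre-alarms, which is the trade-off the adjustable matching value exposes.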
[0076] In view of the foregoing, it can be clearly seen that, compared with the prior art, the present invention at least has the following advantages.
[0077] Through misuse detection and protocol abnormality detection of the data information sent by the access object, and matching analysis based on the detection results, an alarm is generated according to the matching result, so as to realize intrusion alarming adapted to the network environment of the nuclear power plant. Due to the combined use of misuse detection and protocol abnormality detection, the detection ability and the intrusion alarm mechanism of the nuclear power control system against network intrusion are remarkably improved, thereby satisfying the requirements of the nuclear power plant industrial network for network security protection. In addition, because intrusion alarm information is detected in a timely manner, the database and the intrusion types can be updated through self-adaptation, so as to carry out strategic operations on the alarm, such as blocking IP address or port access, to ensure the control security of the nuclear power plant.
[0078] Many modifications and other embodiments of the inventions set forth herein will come to mind to one skilled in the art to which these inventions pertain having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the inventions are not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Moreover, although the foregoing descriptions and the associated drawings describe example embodiments, it should be appreciated that alternative embodiments may be implemented without departing from the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims (16)

WHAT IS CLAIMED IS:

  1. A network intrusion alarm method for nuclear power plant, comprising the steps of: detecting data information sent by an access object, the detection comprising misuse detection and protocol abnormality data detection; if result of the data information detection is abnormal, generating instant pre-alarm information; matching the instant pre-alarm information with historical pre-alarm information in a database; and if matching result of the instant pre-alarm information and the historical pre-alarm information does not conform to a preset matching value, sending intrusion alarm information.
  2. The method of claim 1, further comprising the step of receiving data information sent by the access object.
  3. The method of claim 2, further comprising the step of presetting a matching value of the instant pre-alarm information and the historical pre-alarm information.
  4. The method of claim 2, wherein the historical pre-alarm information comprises a field of pre-alarm number, and if the matching result of the instant pre-alarm information and the historical pre-alarm information conforms to the preset matching value, the pre-alarm number adds one time.
  5. The method of claim 2, further comprising the step of executing association analysis on the instant pre-alarm information and the historical pre-alarm information, and determining purpose of the access object according to a preset association rule.
  6. The method of claim 5, further comprising the step of setting a new association rule according to the instant pre-alarm information and instantly updating the association rule if the purpose of the access object cannot be determined according to the preset association rule.
  7. The method of claim 6, further comprising the step of saving the instant pre-alarm information in a database and updating the database.
  8. The method of claim 7, further comprising the step of blocking IP addresses or port access of the access object according to the intrusion alarm information.
  9. A network intrusion alarm system for nuclear power plant, comprising: a detection module, configured to detect data information sent by an access object, the detection comprising misuse detection and protocol abnormality data detection; a pre-alarm module, configured to generate instant pre-alarm information if the detection result of the data information detected by the detection module is abnormal; a matching module, configured to match the instant pre-alarm information generated by the pre-alarm module with historical pre-alarm information in a database; and an alarm module, configured to send intrusion alarm information if the matching result of the instant pre-alarm information and the historical pre-alarm information does not conform to a preset matching value.
  10. The system of claim 9, further comprising a receiving module configured to receive the data information sent by the access object.
  11. The system of claim 10, further comprising a setting module configured to preset a matching value of the instant pre-alarm information with historical pre-alarm information.
  12. The system of claim 9, further comprising a database configured to save the historical pre-alarm information, wherein the historical pre-alarm information comprises a field of pre-alarm number, and the pre-alarm number adds one time if the matching result of the instant pre-alarm information and the historical pre-alarm information conforms to the preset matching value.
  13. The system of claim 12, further comprising an analysis module configured to execute association analysis on the instant pre-alarm information and the historical pre-alarm information, and determine purpose of the access object according to preset association rules.
  14. The system of claim 13, further comprising an adaptive module configured to save the preset association rules, wherein if the analysis module fails to determine the purpose of the access object according to the preset association rules, the adaptive module sets new association rules according to the instant pre-alarm information and updates the new association rules.
  15. The system of claim 14, further comprising an updating module configured to save the instant pre-alarm information in the database and update the database.
  16. The system of claim 15, further comprising an execution module configured to block IP addresses or port access of the access object according to the intrusion alarm information.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310361837.4A CN103888282A (en) 2013-08-19 2013-08-19 Network intrusion alarm method and system based on nuclear power plant
PCT/CN2013/087737 WO2015024315A1 (en) 2013-08-19 2013-11-24 Network intrusion alarm method and system for nuclear power station

Publications (3)

Publication Number Publication Date
GB201602102D0 GB201602102D0 (en) 2016-03-23
GB2532630A true GB2532630A (en) 2016-05-25
GB2532630B GB2532630B (en) 2018-04-25

Family

ID=50957009

Family Applications (1)

Application Number Title Priority Date Filing Date
GB1602102.4A Active GB2532630B (en) 2013-08-19 2013-11-24 Network intrusion alarm method and system for nuclear power plant

Country Status (3)

Country Link
CN (1) CN103888282A (en)
GB (1) GB2532630B (en)
WO (1) WO2015024315A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112118141A (en) * 2020-09-21 2020-12-22 中山大学 Communication network-oriented alarm event correlation compression method and device

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106571886B (en) * 2016-11-03 2019-02-01 福建宁德核电有限公司 A kind of implementation method of data collection system DCS and wired broadcast system DTP linkage
CN106921676B (en) * 2017-04-20 2020-05-08 电子科技大学 Intrusion detection method based on OPCClasic
CN108693391A (en) * 2018-05-19 2018-10-23 安徽国电京润电力科技有限公司 A kind of nuclear power station electric energy amount detection systems
CN111325463A (en) * 2020-02-18 2020-06-23 深圳前海微众银行股份有限公司 Data quality detection method, device, equipment and computer readable storage medium
CN112235304A (en) * 2020-10-15 2021-01-15 唐琪林 Dynamic security protection method and system for industrial internet
CN113708959B (en) * 2021-08-11 2023-08-25 新华三技术有限公司 Rule base updating method, device and equipment
CN113904811B (en) * 2021-09-16 2023-11-24 深圳供电局有限公司 Abnormality detection method, abnormality detection device, computer device, and storage medium
CN113985226A (en) * 2021-10-25 2022-01-28 广东电网有限责任公司 Cable processing method and system
CN114742247A (en) * 2022-04-08 2022-07-12 广东电网有限责任公司 Characteristic extraction method and device based on distribution network distribution transformer abnormal alarm information
CN116401157B (en) * 2023-03-29 2024-04-02 中国铁道科学研究院集团有限公司 Test evaluation method and system for perimeter intrusion detection equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1909488A (en) * 2006-08-30 2007-02-07 北京启明星辰信息技术有限公司 Virus detection and invasion detection combined method and system
CN101741847A (en) * 2009-12-22 2010-06-16 北京锐安科技有限公司 Detecting method of DDOS (distributed denial of service) attacks
CN102075516A (en) * 2010-11-26 2011-05-25 哈尔滨工程大学 Method for identifying and predicting network multi-step attacks

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399710B (en) * 2007-09-29 2011-06-22 北京启明星辰信息技术股份有限公司 Detection method and system for protocol format exception
FI20096394A0 (en) * 2009-12-23 2009-12-23 Valtion Teknillinen DETECTING DETECTION IN COMMUNICATIONS NETWORKS
JP5731223B2 (en) * 2011-02-14 2015-06-10 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation Abnormality detection device, monitoring control system, abnormality detection method, program, and recording medium

Also Published As

Publication number Publication date
WO2015024315A1 (en) 2015-02-26
GB201602102D0 (en) 2016-03-23
GB2532630B (en) 2018-04-25
CN103888282A (en) 2014-06-25

Legal Events

Date Code Title Description
789A Request for publication of translation (sect. 89(a)/1977)

Ref document number: 2015024315

Country of ref document: WO