CN115080357A - Method and system for monitoring data in each industrial control operation device in complex industrial control

Info

Publication number: CN115080357A
Authority: CN (China)
Application number: CN202210860576.XA
Other languages: Chinese (zh)
Other versions: CN115080357B (en)
Prior art keywords: industrial control, data, behavior, processed, safety
Legal status: Granted (Active)
Inventors: 褚健, 章维, 郭正飞, 朱希成, 胡宇轩
Current assignee: Zhongkong Technology Co ltd
Original assignee: Zhejiang Supcon Technology Co Ltd
Events: application filed by Zhejiang Supcon Technology Co Ltd; priority to CN202210860576.XA; publication of CN115080357A; application granted; publication of CN115080357B.

Classifications

    • G06F11/3089 Monitoring arrangements determined by the means or processing involved in sensing the monitored data, e.g. interfaces, connectors, sensors, probes, agents (G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring)
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data (G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring)
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS] (Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation)

Abstract

The invention relates to a method and a system for monitoring data in each industrial control operation device in complex industrial control. The method comprises the following steps: acquiring the type of the data to be processed by an industrial control operation device during operation; when the type of the data to be processed is determined to be a non-safety data type, performing protective processing on the data to be processed based on a network port protection strategy; and recording the protectively processed information in a risk behavior operation table and periodically uploading the risk behavior operation table to an industrial control host, so that the industrial control host determines, based on the risk behavior operation tables of a plurality of industrial control operation devices, whether the data to be processed is added to the safety data type. The method can monitor the currently highly fixed (locked-down) field and operator stations in all respects, and realizes all-around monitoring of safety protection in complex industrial control.

Description

Method and system for monitoring data in each industrial control operation device in complex industrial control
Technical Field
The invention relates to the technical field of computers, in particular to a method and a system for monitoring data in each industrial control operation device in complex industrial control.
Background
In the field of industrial control safety, many industrial sites lag considerably in both equipment and operating system versions. Owing to the characteristics of the industry, these sites operate entirely within an internal local area network, and the risk of virus intrusion and infection in such highly fixed environments grows more serious as time passes and intrusion methods diversify. Accurately identifying the risk that a site program or file has been infected by an intrusion is therefore very important.
In the field of industrial control safety protection, the conventional approach generates a trusted white-list file by white-list technology to guard operator stations, servers and the like: files not in the white-list file cannot be run or called, which provides the protection. However, white-list guarding alone cannot ensure the trustworthiness of the white-list file itself, and the risk remains that a host already infected when the white list is scanned adds viruses to the white list.
Those skilled in the art are expected to overcome the above drawbacks.
Disclosure of Invention
(I) Technical problem to be solved
In order to solve the above problems in the prior art, the present invention provides a method and a system for monitoring data in each industrial control operation device in complex industrial control, aiming to solve the problem that, in the prior art, relying on a white list alone still leaves an industrial host at risk of virus infection.
(II) Technical solution
In order to solve the above problem, in a first aspect, the present invention provides a method for monitoring data in each industrial control operation device in complex industrial control, including:
acquiring the type of the data to be processed by an industrial control operation device during operation;
when the type of the data to be processed is determined to be a non-safety data type, performing protective processing on the data to be processed based on a predefined network port protection strategy;
the network port protection strategy comprises: stopping broadcast packet sending, delaying point-to-point data sending, and/or blocking access to system files in the industrial control operation device while allowing system files in the industrial control operation device to be read;
and recording the protectively processed information in a risk behavior operation table and periodically uploading the risk behavior operation table to an industrial control host, so that the industrial control host determines, based on the risk behavior operation tables of a plurality of industrial control operation devices, whether the data to be processed is added to the safety data type.
Optionally, acquiring the type of the data to be processed by the industrial control operation device during operation includes:
comparing the identifier of the data to be processed with the data identifiers in the safety data type; if the identifier of the data to be processed belongs to the safety data type, determining the type of the data to be processed as the safety data type;
otherwise, the data type is a non-safety data type;
the data identifiers in the safety data type comprise: data identifiers identified in advance by the industrial control host, data identifiers manually set as safe, and data identifiers determined to be safe by the industrial control host based on the risk behavior operation tables of a plurality of industrial control operation devices.
Optionally, when the type of the data to be processed is determined to be a non-safety data type, performing protective processing on the data to be processed based on the predefined network port protection strategy includes:
when the behavior of the data to be processed is detected to be sending a broadcast packet outwards, stopping the broadcast packet sending behavior, and recording the identifier and the behavior of the data to be processed in the risk behavior operation table;
when the behavior of the data to be processed is detected to be point-to-point data communication, delaying the sending behavior; if, within the delay time T, the behavior is detected to be sending data to the same object at high frequency, the behavior is defined as a network storm risk behavior, the sending operation is stopped, and the identifier and the behavior of the data to be processed are recorded in the risk behavior operation table;
when the behavior of the data to be processed is accessing a system file or system path, delaying execution of the access behavior and detecting whether the access involves writing the system file; if so, stopping the access behavior and recording the identifier and the behavior of the data to be processed in the risk behavior operation table; if the access is detected to be a read operation only, allowing the access behavior to execute;
when the behavior of the data to be processed is detected to be creating a file or modifying a file, stopping the issued operation request, and recording the identifier and the behavior of the data to be processed in the risk behavior operation table;
when the behavior of the data to be processed is detected to be adding or deleting security settings and rules of the system, preventing the behavior from executing; when the behavior is detected to be modifying or adding a registry key and the key concerned relates to the system or to specified software, preventing the behavior from executing; and when the behavior is detected to target a driver, hardware device or external device, preventing the behavior from executing and recording the identifier and the behavior of the data to be processed in the risk behavior operation table;
when the interaction request issued by the data to be processed is detected to be a request to a driver, hardware device or external device, stopping the sending of the interaction request, and recording the identifier and the behavior of the data to be processed in the risk behavior operation table.
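The classification and protection steps above, as an added worked example in Python (not code from the patent or from the assignee): it builds the safety data type from the three identifier sources, applies the network port protection strategy to each behaviour of non-safe data, and records stopped behaviours in a risk behavior operation table for periodic upload. Class and function names, the storm threshold, the protected registry prefixes and the sample events are assumptions; the patent gives only "high frequency within T" and "system or specified software". Registry changes outside the protected prefixes are allowed here, which the patent does not state either way.

```python
"""Endpoint-side monitor for one industrial control operation device (added example).
Names such as Behavior, Event, Monitor, delay_T and storm_threshold are assumptions,
not identifiers from the patent; sample identifiers and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Behavior(Enum):
    BROADCAST = "broadcast_send"
    P2P_SEND = "p2p_send"
    SYSFILE_READ = "system_file_read"
    SYSFILE_WRITE = "system_file_write"
    FILE_CREATE = "file_create"
    FILE_MODIFY = "file_modify"
    SECURITY_RULE_CHANGE = "security_rule_change"
    REGISTRY_CHANGE = "registry_change"
    DRIVER_REQUEST = "driver_or_device_request"


# Registry prefixes treated as "system or specified software" (constructed sample list).
PROTECTED_REGISTRY_PREFIXES = ("HKLM\\SYSTEM\\", "HKLM\\SOFTWARE\\SpecifiedVendor\\")

# Behaviours the strategy always stops for non-safe data and records in the risk table.
ALWAYS_STOP = {Behavior.BROADCAST, Behavior.SYSFILE_WRITE, Behavior.FILE_CREATE,
               Behavior.FILE_MODIFY, Behavior.SECURITY_RULE_CHANGE, Behavior.DRIVER_REQUEST}


def build_safe_ids(host_preidentified, manually_set, host_determined):
    """The safety data type: union of the three identifier sources named in the patent."""
    return set(host_preidentified) | set(manually_set) | set(host_determined)


@dataclass
class Event:
    ident: str            # identifier of the program/data performing the action
    behavior: Behavior
    t: float              # timestamp in seconds
    target: str = ""      # peer address, path or registry key, depending on behaviour


@dataclass
class Monitor:
    safe_ids: set
    delay_T: float = 3.0          # delay window; the patent gives 3 s or 5 s as examples
    storm_threshold: int = 5      # sends to one peer within T that count as a storm (assumption)
    risk_table: list = field(default_factory=list)
    _p2p_window: dict = field(default_factory=lambda: defaultdict(list))

    def classify(self, ident):
        """Step 101: compare the identifier against the safety data type."""
        return "safe" if ident in self.safe_ids else "non-safe"

    def _record(self, ev, verdict):
        """Step 103 (device side): record identifier and behaviour in the risk table."""
        self.risk_table.append({"id": ev.ident, "behavior": ev.behavior.value,
                                "target": ev.target, "t": ev.t, "verdict": verdict})
        return verdict

    def handle(self, ev):
        """Step 102: apply the network port protection strategy to non-safe data."""
        if self.classify(ev.ident) == "safe":
            return "allow"
        b = ev.behavior
        if b is Behavior.SYSFILE_READ:
            return "allow"                       # read-only system file access is permitted
        if b is Behavior.P2P_SEND:
            # Delay the send and count sends to the same object inside the window T;
            # reaching the threshold classifies it as a network storm risk behaviour.
            key = (ev.ident, ev.target)
            window = [x for x in self._p2p_window[key] if ev.t - x <= self.delay_T]
            window.append(ev.t)
            self._p2p_window[key] = window
            if len(window) >= self.storm_threshold:
                return self._record(ev, "stop:network_storm")
            return "delay"
        if b is Behavior.REGISTRY_CHANGE:
            if ev.target.startswith(PROTECTED_REGISTRY_PREFIXES):
                return self._record(ev, "stop")
            return "allow"                       # keys outside system/specified software
        if b in ALWAYS_STOP:
            return self._record(ev, "stop")
        return self._record(ev, "stop")          # unknown behaviours: default deny

    def upload(self):
        """Periodic upload: hand the accumulated table to the host and start a new one."""
        table, self.risk_table = self.risk_table, []
        return table
```

Read-only access to system files is allowed without recording, as the patent states; everything the strategy stops goes into the table so the host can later judge the identifier across devices.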
Optionally, the method further comprises:
the industrial control operation device receives the safety data type sent by the industrial control host;
the industrial control host performs security processing on all files and behaviors of the industrial control host and the industrial control operation devices by a scanning technology to obtain the safety data type.
Optionally, the industrial control host performs the security processing on all files and behaviors of the industrial control host and the industrial control operation devices by at least one of feature scanning, static scanning, and dynamic heuristic scanning based on dynamic behavior analysis in a virtual sandbox;
the security processing includes: tracking and learning each behavior of the industrial control system by machine learning, generating a security rule base, and using the security rule base to assist the safety protection of the complex industrial control system.
Optionally, any industrial control host is remotely connected to a security management platform; when the security management platform remotely scans the industrial control host and the industrial control operation devices, the scanning action is triggered by at least one of full-disk scanning, custom scanning and right-click menu scanning;
and virus information found during the security processing is acquired, a handling mode for the virus information is determined, and safety protection of the industrial control host and the industrial control operation devices is performed according to that handling mode.
In a second aspect, an embodiment of the present invention provides a system for monitoring data in each industrial control operation device in complex industrial control, including:
a security management platform, a plurality of industrial control hosts and a plurality of industrial control operation devices;
one security management platform interacts with each industrial control host, each industrial control host interacts with a plurality of industrial control operation devices, and the method for monitoring data in each industrial control operation device in complex industrial control of any one of the first aspect is executed during this interaction.
Optionally, the monitoring system is used in a scenario where an industrial control operation device is disconnected from its industrial control host.
(III) Advantageous effects
The beneficial effects of the invention are as follows: the method for monitoring data in each industrial control operation device in complex industrial control provided by the embodiment of the invention can monitor the currently highly fixed field and operator stations in all respects, and realizes all-around monitoring of safety protection in complex industrial control. In particular, the monitoring method is suitable for industrial control operation devices that cannot be upgraded to automation and for industrial control operation devices at different operational stages; monitoring can continue while the network is disconnected, normal operation of the whole monitoring system is guaranteed, and the safety of the industrial control operation devices and the industrial control host is improved.
In addition, the security management platform combines antivirus technology with the security file technology: the antivirus technology further ensures the trustworthiness of the security file, which solves the security holes of relying on a white list alone in the prior art. Moreover, by supporting remote management from the security management platform, the industrial host can perform remote virus scanning, collect scan-and-removal logs, automatically update the virus database and so on, achieving all-around, multi-level protection and raising the security level while simplifying operation.
Drawings
Fig. 1 is a flowchart of a method for monitoring data in each industrial control operating device in complex industrial control according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating that an industrial control host and industrial control operation equipment are protected by a management platform based on a remote mode in the embodiment of the present invention.
Detailed Description
For the purpose of better explaining the present invention and to facilitate understanding, the present invention will be described in detail by way of specific embodiments with reference to the accompanying drawings.
It should be noted that all the directional indicators (such as up, down, left, right, front, and rear …) in the embodiment of the present invention are only used to explain the relative position relationship between the components, the movement situation, etc. in a specific posture (as shown in the drawing), and if the specific posture is changed, the directional indicator is changed accordingly.
In addition, descriptions such as "first", "second", etc. in the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying any data amount indicating the technical feature indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless explicitly specified otherwise.
Fig. 1 is a flowchart of a method for monitoring data in each industrial control operation device in complex industrial control according to an embodiment of the present invention. As shown in fig. 1, the method specifically includes the following steps:
101. Acquire the type of the data to be processed by the industrial control operation device during operation.
For example, compare the identifier of the data to be processed with the data identifiers in the safety data type; if the identifier of the data to be processed belongs to the safety data type, determine the type of the data to be processed to be the safety data type; otherwise, the data type is a non-safety data type;
the data identifiers in the safety data type comprise: data identifiers identified in advance by the industrial control host, data identifiers manually set as safe, and data identifiers determined to be safe by the industrial control host based on the risk behavior operation tables of a plurality of industrial control operation devices.
102. When the type of the data to be processed is determined to be a non-safety data type, perform protective processing on the data to be processed based on a predefined network port protection strategy;
the network port protection strategy comprises: stopping broadcast packet sending, delaying point-to-point data sending, and/or blocking access to system files in the industrial control operation device while allowing system files in the industrial control operation device to be read;
103. Record the protectively processed information in a risk behavior operation table and periodically upload the risk behavior operation table to the industrial control host, so that the industrial control host determines, based on the risk behavior operation tables of a plurality of industrial control operation devices, whether the data to be processed is added to the safety data type.
The above step 102 can be described in detail as follows:
when the behavior of the data to be processed is detected to be sending a broadcast packet outwards, stop the broadcast packet sending behavior, and record the identifier and the behavior of the data to be processed in the risk behavior operation table;
when the behavior of the data to be processed is detected to be point-to-point data communication, delay the sending behavior; if, within the delay time T, the behavior is detected to be sending data to the same object at high frequency, the behavior is defined as a network storm risk behavior, the sending operation is stopped, and the identifier and the behavior of the data to be processed are recorded in the risk behavior operation table; T may be 3 seconds or 5 seconds.
When the behavior of the data to be processed is accessing a system file or system path, delay execution of the access behavior and detect whether the access involves writing the system file; if so, stop the access behavior and record the identifier and the behavior of the data to be processed in the risk behavior operation table; if the access is detected to be a read operation only, allow the access behavior to execute;
when the behavior of the data to be processed is detected to be creating a file or modifying a file, stop the issued operation request, and record the identifier and the behavior of the data to be processed in the risk behavior operation table;
when the behavior of the data to be processed is detected to be adding or deleting security settings and rules of the system, prevent the behavior from executing; when the behavior is detected to be modifying or adding a registry key and the key concerned relates to the system or to specified software, prevent the behavior from executing; and when the behavior is detected to target a driver, hardware device or external device, prevent the behavior from executing and record the identifier and the behavior of the data to be processed in the risk behavior operation table;
when the interaction request issued by the data to be processed is detected to be a request to a driver, hardware device or external device, stop the sending of the interaction request, and record the identifier and the behavior of the data to be processed in the risk behavior operation table.
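The host side of step 103, as an added example in Python (not the patent's or the assignee's code): the device buffers risk behavior operation tables while disconnected from the host (the disconnected scenario the embodiment mentions) and uploads them on reconnection; the host merges tables from several devices and decides per identifier whether to add it to the safety data type. The decision rule (a minimum number of reporting devices, a clean verdict from the host's own scan, and rejection when any device recorded a network storm, driver, registry or security-rule behaviour) is an assumption, since the patent does not specify the host's criteria; class names, the transport callback and the sample rows are constructed.

```python
"""Host-side handling of risk behaviour tables from several devices, plus the
device-side uplink that buffers tables while the host is unreachable (added example;
names, the decision rule and the sample rows are assumptions)."""
from collections import defaultdict

# Behaviours whose appearance in any device's table blocks admission to the safe set
# (assumed rule; the patent does not enumerate the host's criteria).
FORBIDDEN_BEHAVIORS = frozenset({"driver_or_device_request", "security_rule_change",
                                 "registry_change"})


class DeviceUplink:
    """Runs on an operation device: keeps monitoring and queues tables while offline."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.pending = []           # tables not yet delivered to the host

    def enqueue(self, table):
        if table:
            self.pending.append(table)

    def flush(self, host_reachable, deliver):
        """deliver(device_id, rows) is the transport (assumed); returns tables sent."""
        if not host_reachable or not self.pending:
            return 0
        rows = [row for table in self.pending for row in table]
        deliver(self.device_id, rows)
        sent, self.pending = len(self.pending), []
        return sent


class Host:
    """Industrial control host: collects uploaded tables per device."""

    def __init__(self):
        self.tables = defaultdict(list)

    def receive(self, device_id, rows):
        self.tables[device_id].extend(rows)


def decide_safe(tables_by_device, scan_verdict, min_devices=2,
                forbidden=FORBIDDEN_BEHAVIORS):
    """Per identifier: 'reject' if any device recorded a forbidden behaviour or a
    network storm; 'add_to_safe' if the host's own scan found it clean and at least
    min_devices reported it; otherwise 'hold' for further observation."""
    devices = defaultdict(set)      # identifier -> devices that reported it
    flagged = set()
    for device_id, rows in tables_by_device.items():
        for row in rows:
            ident = row["id"]
            devices[ident].add(device_id)
            if row["behavior"] in forbidden or "network_storm" in row.get("verdict", ""):
                flagged.add(ident)
    decisions = {}
    for ident, seen_on in devices.items():
        if ident in flagged:
            decisions[ident] = "reject"
        elif scan_verdict.get(ident) == "clean" and len(seen_on) >= min_devices:
            decisions[ident] = "add_to_safe"
        else:
            decisions[ident] = "hold"
    return decisions
```

The identifiers that come back as `add_to_safe` are the third source of the safety data type (identifiers determined safe by the host from several devices' tables) and would be pushed back to the devices on the next sync.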
The method can monitor the currently highly fixed field and operator stations in all respects, and realizes all-around monitoring of safety protection in complex industrial control. In particular, the monitoring method is suitable for industrial control operation devices that cannot be upgraded to automation and for industrial control operation devices at different operational stages; monitoring can continue while the network is disconnected, normal operation of the whole monitoring system is guaranteed, and the safety of the industrial control operation devices and the industrial control host is improved.
It should be noted that the industrial control operation device receives the safety data type sent by the industrial control host;
the industrial control host performs security processing on all files and behaviors of the industrial control host and the industrial control operation devices by a scanning technology to obtain the safety data type.
Understandably, the industrial control host performs the security processing on all files and behaviors of the industrial control host and the industrial control operation devices by at least one of feature scanning, static scanning, and dynamic heuristic scanning based on dynamic behavior analysis in a virtual sandbox;
the security processing includes: tracking and learning each behavior of the industrial control system by machine learning, generating a security rule base, and using the security rule base to assist the safety protection of the complex industrial control system.
Generally, any industrial control host is remotely connected to a security management platform; when the security management platform remotely scans the industrial control host and the industrial control operation devices, the scanning action is triggered by at least one of full-disk scanning, custom scanning and right-click menu scanning;
and virus information found during the security processing is acquired, a handling mode for the virus information is determined, and safety protection of the industrial control host and the industrial control operation devices is performed according to that handling mode.
In this embodiment, the security management platform performs safety protection for the various industrial control hosts and industrial control operation devices, and a protection method based on the security rule base is used in the industrial environment of the following embodiments of the present invention. The security rule base is updated by establishing a program security baseline in advance, continuously extracting feature codes, hash values, original file paths and the like, and comparing and judging the feature codes of files that are not in the security baseline.
Fig. 2 is a flowchart illustrating protection of the industrial control host and industrial control operation devices by the management platform in a remote manner in an embodiment of the present invention. As shown in fig. 2, the process is as follows:
First, the security guard (agent) on the industrial control host is remotely controlled through the security management platform. The security guard updates the virus database and the security rule base on one hand and records an audit log on the other; it performs antivirus functions in modes such as custom scanning and full-disk scanning, and achieves accurate scanning and removal of files and behaviors by combining multiple scanning technologies: traditional feature scanning, static and dynamic heuristic scanning, and dynamic behavior analysis in a virtual sandbox.
Second, code-level repair is added: the scan result of the previous step is further examined, and the code and viruses are processed at a finer granularity, so that the processed code and its corresponding data can still run normally.
Then, the viruses found by the scan are processed further: each virus is encrypted and placed in an isolation (quarantine) area for further handling, and each virus and its corresponding isolation-area path are recorded in a detailed audit log. After this completes, the scanning function of the security rule base can be triggered. The safety protection function is also triggered when no virus is detected and removed.
Finally, during the security processing, all detected files (including called files and running files) are automatically checked for viruses; if a file has corresponding data in the safety data type, it is allowed to run normally; otherwise, its execution is intercepted, an audit log is recorded, and the event is recorded in the risk behavior operation table of the industrial control operation device. Once the security management platform confirms the file is safe, it is added to the corresponding security rule base to complete the update.
The specific process for setting up the isolation area, for the mis-deletion recovery logic of isolation-area data, and for the remote configuration and operation of the antivirus and safety protection technologies may include the following steps:
first, scanning the files and behaviors of the industrial control host and the industrial control operation devices by the scanning technology to obtain scan results and screen out virus files;
second, detecting and repairing code-level viruses according to the scan results to obtain repaired files;
third, processing the virus files found by the scan and storing them in the isolation area to obtain isolated files;
fourth, performing virus detection on the repaired files and the isolated files.
Based on the method provided by this embodiment, the reliability of the security rule base is ensured by antivirus technology, and the security loopholes of relying on a white list alone are resolved.
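The baseline comparison and isolation-area procedure described above, as an added example in Python (not the patent's or the assignee's code): a program security baseline of file hashes and paths is built at deployment, files not in the baseline are matched against a constructed placeholder signature, hits are encrypted into the isolation area with their original path and hash recorded in an audit log, clean unknown files become candidates for the security rule base, and the restore function implements the mis-deletion recovery. Function names, the sample files and the key are assumptions; the "encryption" is an HMAC-SHA256 counter-mode keystream so the example runs on the standard library alone, standing in for the authenticated cipher a deployment would use.

```python
"""Host-side scan / isolation-area / restore pipeline (added example; names and
sample files are assumptions, the key and the signature pattern are constructed)."""
import hashlib
import hmac
import os
from pathlib import Path

# Constructed placeholder pattern standing in for a virus signature database.
SIGNATURES = (b"CONSTRUCTED-MALWARE-MARKER",)


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_baseline(root):
    """Program security baseline: relative path -> sha256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for a real cipher, stdlib only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def scan_and_quarantine(root, baseline, key, quarantine_dir):
    """Returns (audit_log, rule_base_additions). Files whose hash is in the baseline
    are trusted; unknown files are signature-scanned; hits are encrypted into the
    isolation area with original path and hash recorded so they can be restored;
    clean unknown files are returned as candidates for the security rule base."""
    root, qdir = Path(root), Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    known = set(baseline.values())
    audit, additions = [], {}
    for p in sorted(x for x in root.rglob("*") if x.is_file()):
        rel, digest = str(p.relative_to(root)), sha256_file(p)
        if digest in known:
            continue
        data = p.read_bytes()
        if any(sig in data for sig in SIGNATURES):
            nonce = os.urandom(16)
            qpath = qdir / (digest + ".quar")
            qpath.write_bytes(nonce + _xor(data, key, nonce))
            p.unlink()
            audit.append({"action": "quarantine", "original_path": rel,
                          "sha256": digest, "quarantine_path": str(qpath)})
        else:
            additions[rel] = digest   # clean unknown file -> candidate for rule base
            audit.append({"action": "allow_unknown_clean", "original_path": rel,
                          "sha256": digest})
    return audit, additions


def restore_from_quarantine(entry, key, root):
    """Mis-deletion recovery: decrypt an isolated file back to its original path,
    verifying the hash recorded in the audit log before writing it."""
    blob = Path(entry["quarantine_path"]).read_bytes()
    nonce, body = blob[:16], blob[16:]
    plain = _xor(body, key, nonce)
    if hashlib.sha256(plain).hexdigest() != entry["sha256"]:
        raise ValueError("isolated file does not match its audit record")
    dest = Path(root) / entry["original_path"]
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(plain)
    return str(dest)
```

The audit record, not the file name, is what makes recovery possible: the original path and hash travel with the quarantine entry, and the hash check on restore catches a corrupted or tampered isolation file before it is written back to the site.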
Further, the real-time data is called from the real-time database and the data volume of the real-time data is acquired.
In this embodiment, by supporting remote management from the security management platform, the industrial control host can perform remote virus scanning, collect scan-and-removal logs, automatically update the virus database and so on, achieving an all-around, multi-level protection effect and raising the security level while simplifying operation. For example, traditional feature scanning, static and dynamic heuristic scanning, and dynamic scanning in a virtual sandbox are combined, applying multiple scanning technologies to the field of industrial control safety protection.
In an exemplary embodiment of the present invention, when the security management platform remotely scans the industrial host, it triggers the scanning action by at least one of full-disk scanning, custom scanning and right-click menu scanning.
In an exemplary embodiment of the present invention, the method further comprises: while scanning the files and behaviors of the industrial control host by the scanning technology, updating the virus database based on the screened-out virus files, and recording an audit log. In addition, by adding a code-level repair after a virus has been scanned and removed, the processed code and its corresponding data can still run normally, and the removed virus file is processed and then stored in the isolation area to obtain an isolated file.
Furthermore, virus files found during scanning can be processed and encrypted;
the encrypted file is handled in the isolation area, and the virus name and the corresponding isolation-area path are recorded; and a corresponding audit log is generated based on the virus file.
In this step, the virus file is stored encrypted in the isolation area, so that the isolation-area data can be restored when the conditions are met, which realizes mis-deletion recovery of isolation-area data during the antivirus process.
In an exemplary embodiment of the present invention, virus detection is performed on the repaired file and the isolated file, and after virus detection a file found to be secure is added to the security rule base.
The method solves the security vulnerability of relying on a white list alone in the prior art. The method can remotely scan for viruses, collect scan-and-removal logs and automatically update the virus database, achieves an all-around, multi-level protection effect, and greatly improves market value. In the processing, the scanning, virus removal, isolation and design functions are coordinated; this is an innovation in application that improves convenience of operation while providing multi-layer protection, and has the following effects:
1) The method provided by the invention does not need to consider the various conditions of field equipment; it can directly build a safe security rule base in the equipment of an industrial site during the deployment stage, generate safety information in real time, and fully guarantee field safety by thoroughly detecting all data with antivirus technology.
2) The method provided by the invention can perform antivirus detection and security rule base generation on all files in the equipment during deployment; the virus database is pre-installed in the deployment stage and the latest virus database can be updated while the software is in use, so that the security rule base for installed software can be added in real time, and the problem of software failing to run because of a file call or application call during formal operation does not occur. The method thus not only protects well against external intrusion but also safeguards field safety well.
3) The method provided by the invention realizes multi-aspect scanning by combining multiple scanning technologies: traditional feature scanning, static and dynamic heuristic scanning, dynamic behavior analysis in a virtual sandbox, and finer-grained, code-level scanning and removal of viruses, thereby greatly ensuring the safety of the site.
4) The method provided by the invention completes the lightweight client update of the virus database through the security management platform in the field deployment stage, and neither the antivirus scanning function nor the generation of the security rule base is affected even if the network is disconnected or unstable.
It should be understood that the above description of specific embodiments of the present invention is only for the purpose of illustrating the technical lines and features of the present invention, and is intended to enable those skilled in the art to understand the contents of the present invention and to implement the present invention, but the present invention is not limited to the above specific embodiments. It is intended that all such changes and modifications as fall within the scope of the appended claims be embraced therein.

Claims (8)

1. A method for monitoring data in each industrial control operation device in complex industrial control, characterized by comprising the following steps:
acquiring the type of data to be processed by an industrial control operation device during its operation;
when the type of the data to be processed is determined to be a non-safety data type, processing the data to be processed in a protected mode based on a predefined network port protection policy;
the network port protection policy comprises: preventing broadcast-packet sending behavior, delaying point-to-point data sending behavior, and/or preventing system files in the industrial control operation device from being accessed while allowing the system files to be read;
and recording the information processed in protected mode in a risk behavior operation table and periodically uploading the risk behavior operation table to an industrial control host, so that the industrial control host determines, based on the risk behavior operation tables of a plurality of industrial control operation devices, whether the data to be processed is to be added to the safety data type.
2. The monitoring method according to claim 1, wherein acquiring the type of the data to be processed by the industrial control operation device during its operation comprises:
comparing the identifier of the data to be processed with the data identifiers in the safety data type; if the identifier of the data to be processed belongs to the safety data type, the type of the data to be processed is determined to be the safety data type;
otherwise, the type is the non-safety data type;
the data identifiers in the safety data type comprise: data identifiers identified in advance by the industrial control host, data identifiers set as safe manually, and data identifiers determined to be safe by the industrial control host based on the risk behavior operation tables of a plurality of industrial control operation devices.
3. The monitoring method according to claim 1, wherein, when the type of the data to be processed is determined to be the non-safety data type, processing the data to be processed in a protected mode based on the predefined network port protection policy comprises:
when the behavior of the data to be processed is detected to be sending a broadcast packet outwards, stopping the broadcast-packet sending behavior and recording the identifier and behavior of the data to be processed in the risk behavior operation table;
when the behavior of the data to be processed is detected to be point-to-point data communication, delaying the sending behavior; if, within the delay time T, the same object is detected sending data at high frequency, the behavior is defined as a network-storm risk behavior, the sending operation is stopped, and the identifier and behavior of the data to be processed are recorded in the risk behavior operation table;
when the behavior of the data to be processed is accessing a system file or system path, delaying execution of the access behavior and detecting whether it involves writing the system file; if so, stopping the access behavior and recording the identifier and behavior of the data to be processed in the risk behavior operation table, and if the access behavior is detected to be a read operation only, allowing it to execute;
when the behavior operation of the data to be processed is detected to be creating a file or modifying a file, stopping the issued operation request and recording the identifier and behavior of the data to be processed in the risk behavior operation table;
when the behavior operation of the data to be processed is detected to be adding or deleting the security settings and rules of the system, preventing the behavior operation from executing; when the behavior operation is detected to be modifying or adding a registry key and the registry key concerned relates to the system or to specified software, preventing the behavior operation from executing; and when the behavior operation is detected to be directed at a driver, hardware device or external device, preventing the behavior operation from executing and recording the identifier and behavior of the data to be processed in the risk behavior operation table;
when the interaction request issued by the data to be processed is detected to be a request for a driver, hardware device or external device, stopping the sending of the interaction request and recording the identifier and behavior of the data to be processed in the risk behavior operation table.
4. The monitoring method according to claim 1, further comprising:
the industrial control operation device receiving the safety data type sent by the industrial control host;
wherein the industrial control host performs security processing on all files and behaviors of the industrial control host and the industrial control operation devices by means of a scanning technology to obtain the safety data type.
5. The monitoring method according to claim 4, wherein
the industrial control host performs security processing on all files and behaviors of the industrial control host and the industrial control operation devices by means of at least one scanning technology among signature scanning, static scanning, and dynamic heuristic scanning based on dynamic behavior analysis in a virtual sandbox;
the security processing comprises: tracking and learning each industrial control behavior by machine learning, generating a safety rule base, and using the safety rule base to assist the safety protection of the complex industrial control.
6. The monitoring method according to claim 4, wherein any industrial control host is remotely connected to the safety management platform; when the safety management platform remotely scans the industrial control host and the industrial control operation devices, the scanning action is triggered by at least one scanning mode among full-disk scanning, custom scanning and right-click-menu scanning;
and virus information found during the security processing is acquired, a handling method for the virus information is determined, and the industrial control host and the industrial control operation devices are protected by means of that handling method.
7. A system for monitoring data in each industrial control operation device in complex industrial control, characterized by comprising:
a safety management platform, a plurality of industrial control hosts and a plurality of industrial control operation devices;
the safety management platform interacting with each industrial control host, each industrial control host interacting with a plurality of industrial control operation devices, and the method for monitoring data in each industrial control operation device in complex industrial control according to any one of claims 1 to 6 being executed in the interaction.
8. The monitoring system according to claim 7, wherein the monitoring system is used in a scenario where an industrial control operation device is disconnected from the industrial control host.
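As an added example (not code from the patent or from the applicant), the following Python models the per-device policy of claims 1 to 3 and the host-side decision of claim 1: the allowlist check against the safety data type, the outright blocks, the delayed point-to-point send with a high-frequency check inside the delay time T, the read-allowed/write-blocked rule for system files, the risk behavior operation table, and a rule for promoting an identifier into the safety data type. The behaviour labels, the value of T, the storm threshold and the promotion rule are all assumptions, since the patent does not fix them.

```python
from collections import defaultdict

DELAY_T = 1.0          # delay window (seconds) for point-to-point sends; assumed value
STORM_THRESHOLD = 5    # sends to one peer inside DELAY_T treated as a network storm; assumed
# Behaviours that claim 3 blocks outright for non-safety data (labels are assumptions).
BLOCKED_OUTRIGHT = {"broadcast", "file_create", "file_modify", "security_setting",
                    "registry_write", "driver_interaction"}

class Device:
    """One industrial control operation device applying the network port protection policy."""
    def __init__(self, name, safety_ids):
        self.name = name
        self.safety_ids = set(safety_ids)   # the safety data type: allowlisted identifiers
        self.risk_table = []                # risk behavior operation table, uploaded to the host
        self._p2p = defaultdict(list)       # (data_id, peer) -> send timestamps in the window

    def _log(self, data_id, behavior, outcome):
        self.risk_table.append((self.name, data_id, behavior, outcome))
        return outcome

    def handle(self, data_id, behavior, now=0.0, peer=None, write=False):
        """Decide one operation of data item data_id; returns 'allowed' or 'blocked'."""
        if data_id in self.safety_ids:
            return "allowed"                # safety data type: processed without protection
        if behavior in BLOCKED_OUTRIGHT:
            return self._log(data_id, behavior, "blocked")
        if behavior == "p2p_send":          # delayed send; high-frequency sends to one peer = storm
            stamps = self._p2p[(data_id, peer)]
            stamps.append(now)
            stamps[:] = [t for t in stamps if now - t <= DELAY_T]
            if len(stamps) >= STORM_THRESHOLD:
                return self._log(data_id, "network_storm", "blocked")
            return self._log(data_id, behavior, "allowed")
        if behavior == "system_file":       # system files: writes blocked, reads allowed
            return self._log(data_id, "system_file_write" if write else "system_file_read",
                             "blocked" if write else "allowed")
        return self._log(data_id, behavior, "allowed")

def host_review(tables, min_devices=2):
    """Host side: promote an identifier to the safety data type only when at least min_devices
    devices processed it in protected mode and none blocked it (promotion rule is assumed)."""
    seen, blocked = defaultdict(set), set()
    for dev, data_id, _, outcome in tables:
        seen[data_id].add(dev)
        if outcome == "blocked":
            blocked.add(data_id)
    return sorted(i for i, devs in seen.items() if len(devs) >= min_devices and i not in blocked)

if __name__ == "__main__":
    d1, d2 = Device("dev1", {"hmi_runtime"}), Device("dev2", {"hmi_runtime"})
    for d in (d1, d2):
        d.handle("logger", "system_file", write=False)           # read only: allowed
    for i in range(STORM_THRESHOLD):
        d1.handle("tool", "p2p_send", now=0.1 * i, peer="plc1")  # fifth send is a storm
    print(host_review(d1.risk_table + d2.risk_table))            # ['logger']
```

Note that the device never decides promotion itself: it only records protected-mode outcomes, and the host compares tables from several devices before adding an identifier to the safety data type.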
CN202210860576.XA 2022-07-22 2022-07-22 Method and system for monitoring data in each industrial control operation device in complex industrial control Active CN115080357B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210860576.XA CN115080357B (en) 2022-07-22 2022-07-22 Method and system for monitoring data in each industrial control operation device in complex industrial control

Publications (2)

Publication Number Publication Date
CN115080357A true CN115080357A (en) 2022-09-20
CN115080357B CN115080357B (en) 2022-11-11

Family

ID=83243879

Country Status (1)

Country Link
CN (1) CN115080357B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7123974B1 (en) * 2002-11-19 2006-10-17 Rockwell Software Inc. System and methodology providing audit recording and tracking in real time industrial controller environment
US20100095365A1 (en) * 2008-10-14 2010-04-15 Wei-Chiang Hsu Self-setting security system and method for guarding against unauthorized access to data and preventing malicious attacks
CN109474607A (en) * 2018-12-06 2019-03-15 连云港杰瑞深软科技有限公司 A kind of industrial control network safeguard protection monitoring system
CN111931234A (en) * 2020-08-13 2020-11-13 中国民航信息网络股份有限公司 Data access control method and system
CN112637143A (en) * 2020-12-08 2021-04-09 浙江国利网安科技有限公司 Safety control method and device and industrial control data acquisition gateway
CN112910921A (en) * 2021-03-02 2021-06-04 中核武汉核电运行技术股份有限公司 Industrial control boundary network safety protection method
CN113098846A (en) * 2021-03-17 2021-07-09 苏州三六零智能安全科技有限公司 Industrial control flow monitoring method, equipment, storage medium and device
CN114418263A (en) * 2021-11-26 2022-04-29 内蒙古大唐国际托克托发电有限责任公司 A defense system for power monitoring device of thermal power plant
CN114760103A (en) * 2022-03-21 2022-07-15 广州大学 Industrial control system abnormity detection system, method, equipment and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
孙易安 et al.: "Research on security network protection for industrial control systems", 《信息安全研究》 (Information Security Research) *
张娜: "Industrial control network security risks and protection strategies", 《安全、健康和环境》 (Safety, Health and Environment) *

Also Published As

Publication number Publication date
CN115080357B (en) 2022-11-11

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 310051 No. 309, Liuhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee after: Zhongkong Technology Co.,Ltd.

Address before: 310051 No. 309, Liuhe Road, Binjiang District, Hangzhou City, Zhejiang Province

Patentee before: ZHEJIANG SUPCON TECHNOLOGY Co.,Ltd.