CN103581160A - Heuristic detection method and device for malicious codes in industrial control system - Google Patents
- Publication number: CN103581160A (application CN201210330563.8A)
- Authority: CN (China)
- Prior art keywords: test point, module, control system, industrial control, real
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention discloses a heuristic detection method and device for malicious code in an industrial control system. First, detection points are placed in the industrial control system; a real-time clock is installed at each detection point and kept synchronized; the packets or payload data captured at a detection point are timestamped with that clock; a heuristic flag is defined for each detection event in the industrial control system and assigned a weight. Input data acquired at the detection point are then analysed to determine whether the detection event corresponding to a heuristic flag has occurred: if so, the flag is lit; if no such event occurs, the data are judged not to be a malicious-code attack. The weights of the lit flags are combined by a weighting algorithm, and the result of that weighting decides whether a malicious-code attack has occurred; the decision is output. This solves the problem that malicious-code attacks in an industrial control system cannot be detected by network-based detection methods.
Description
Technical field
The present invention relates to the fields of computer security and industrial control systems, and in particular to a heuristic detection method and device for malicious code in industrial control systems.
Background technology
Because an industrial control system is physically isolated from external networks, malicious code that targets it usually does not spread over the network. Traditional malicious-code detection methods, which inspect network packets and match signatures, are therefore no longer applicable in the industrial control field.
Summary of the invention
To address this technical problem, the invention provides a heuristic detection method and device for malicious code in industrial control systems, solving the problem that traditional detection methods cannot detect malicious-code attacks aimed at such systems.
The invention is realised by the following method. A heuristic detection method for malicious code in an industrial control system comprises:
placing detection points in the industrial control system;
installing a real-time clock at each detection point and keeping it synchronized;
using the real-time clock to timestamp the captured packets or payload data;
defining a heuristic flag for each detection event in the industrial control system and configuring a weight for it;
acquiring input data through the detection points and analysing them to determine whether the detection event corresponding to a heuristic flag has occurred; if so, lighting the corresponding flag, otherwise judging that no malicious-code attack is present;
computing, with a weighting algorithm, a weighted result over the weights of the lit heuristic flags;
deciding from the weighted result whether a malicious-code attack has occurred, and outputting the result.
Further, the detection points comprise: a detection point that inspects Industrial Ethernet packets, a detection point that inspects fieldbus packets, or a detection point that inspects analogue communication signals.
Further, the real-time clock provides precise synchronized timing with a precision of 1 ms.
Further, the detection events comprise: an unmatched request/response packet pair, an abnormal request-packet transmission period, an abnormal request-to-response delay, an abnormal change in a measured value or controller output, or abnormal oscillation of a measured value or controller output.
A heuristic detection device for malicious code in an industrial control system comprises:
a detection-point module, which places detection points in the industrial control system;
a real-time clock module, which installs a real-time clock at each detection point placed by the detection-point module, keeps it synchronized, and uses it to timestamp the captured packets or payload data;
a heuristic flag module, which defines a heuristic flag for each detection event in the industrial control system and configures a weight for it;
an input data acquisition module, which acquires input data through the detection points placed by the detection-point module;
a determination module, which analyses the input data acquired by the input data acquisition module to determine whether a detection event corresponding to a heuristic flag of the heuristic flag module has occurred; if so, it lights the corresponding flag, otherwise it judges that no malicious-code attack is present;
a computing module, which uses a weighting algorithm to compute a weighted result over the weights of the flags lit by the determination module;
a second determination module, which decides from the result of the computing module whether a malicious-code attack has occurred, and outputs the result.
Further, the detection points of the detection-point module comprise: a detection point that inspects Industrial Ethernet packets, a detection point that inspects fieldbus packets, or a detection point that inspects analogue communication signals.
Further, the real-time clock of the real-time clock module provides precise synchronized timing with a precision of 1 ms.
Further, the detection events of the heuristic flag module comprise: an unmatched request/response packet pair, an abnormal request-packet transmission period, an abnormal request-to-response delay, an abnormal change in a measured value or controller output, or abnormal oscillation of a measured value or controller output.
In summary, the invention provides a heuristic detection method and device for malicious code in industrial control systems. Detection points are first placed in the industrial control system and a real-time clock is installed at each of them to timestamp the captured packets or payload data. At the same time, a heuristic flag is defined for each detection event in the industrial control system and assigned a weight. The input data acquired through the detection points are analysed to determine whether the detection event corresponding to a heuristic flag has occurred; if so, the corresponding flag is lit, a weighting algorithm computes a weighted result over the weights of the lit flags, and that result decides whether a malicious-code attack has occurred; otherwise the data are judged not to be a malicious-code attack. This method does not rely on inspecting network packets; it performs heuristic detection by analysing detection events derived from the characteristics, common properties and control models of the industrial control system itself. For industrial control systems, this detection method is superior to traditional detection methods that focus on the malicious code itself.
Accompanying drawing explanation
To illustrate the technical solution of the invention more clearly, the drawings used in the embodiments are briefly described below. Clearly, the drawings described below show only some of the embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of the heuristic detection method for malicious code in an industrial control system provided by the invention;
Fig. 2 is a structural diagram of the heuristic detection device for malicious code in an industrial control system provided by the invention.
Embodiment
The invention provides a heuristic detection method and device for malicious code in industrial control systems. So that those skilled in the art can better understand the technical solution of the embodiments, and so that the above objects, features and advantages of the invention become more apparent, the technical solution is described in further detail below with reference to the drawings.
First, the invention provides a heuristic detection method for malicious code in an industrial control system which, as shown in Figure 1, comprises:
S101: placing detection points in the industrial control system;
S102: installing a real-time clock at each detection point and keeping it synchronized;
S103: using the real-time clock to timestamp the captured packets or payload data;
S104: defining a heuristic flag for each detection event in the industrial control system and configuring a weight for it;
S105: acquiring input data through the detection points and analysing the input data;
S106: determining whether the detection event corresponding to a heuristic flag has occurred; if so, proceeding to S107, otherwise judging that no malicious-code attack is present;
S107: lighting the corresponding heuristic flag;
S108: computing, with a weighting algorithm, a weighted result over the weights of the lit heuristic flags;
S109: deciding from the weighted result whether a malicious-code attack has occurred, and outputting the result.
Further, the detection points comprise: a detection point that inspects Industrial Ethernet packets, a detection point that inspects fieldbus packets, or a detection point that inspects analogue communication signals.
Further, the real-time clock provides precise synchronized timing with a precision of 1 ms.
Further, the detection events comprise: an unmatched request/response packet pair, an abnormal request-packet transmission period, an abnormal request-to-response delay, an abnormal change in a measured value or controller output, or abnormal oscillation of a measured value or controller output.
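The decision procedure of the summary and of steps S101 to S109, applied to the five detection events listed above, as an added Python example. This is not the patent's code: the patent names neither the weights nor the weighting algorithm, so the weights, the threshold, the simple additive weighting and the per-event tolerances are assumptions, and the three traces are constructed. Timestamps are integer milliseconds, standing in for the 1 ms synchronized real-time clock of the detection point.

```python
"""Weighted heuristic scoring of timestamped ICS request/response records (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Record:
    ts_ms: int                     # time mark from the synchronized real-time clock (1 ms resolution)
    kind: str                      # "req" (request packet) or "rsp" (response packet)
    txn: int                       # transaction id pairing a request with its response
    value: Optional[float] = None  # measured value / controller output carried by a response


# Heuristic flags and their weights. Assumed values: the patent configures weights but gives none.
WEIGHTS: Dict[str, float] = {
    "unmatched_pair": 3.0,
    "abnormal_request_period": 2.0,
    "abnormal_response_delay": 2.0,
    "abnormal_value_change": 3.0,
    "abnormal_oscillation": 2.0,
}
THRESHOLD = 5.0  # assumed decision threshold on the weighted sum


def evaluate(records: List[Record], expected_period_ms: int = 100, period_tol_ms: int = 20,
             max_delay_ms: int = 30, max_step: float = 5.0, osc_window: int = 6) -> dict:
    """Light heuristic flags from one trace, weight them, and decide (S105..S109)."""
    flags = {name: False for name in WEIGHTS}
    reqs: Dict[int, int] = {}   # txn -> request timestamp
    rsps: Dict[int, int] = {}   # txn -> response timestamp
    req_ts: List[int] = []
    values: List[float] = []
    for r in sorted(records, key=lambda rec: rec.ts_ms):
        if r.kind == "req":
            reqs[r.txn] = r.ts_ms
            req_ts.append(r.ts_ms)
        elif r.kind == "rsp":
            rsps[r.txn] = r.ts_ms
            if r.value is not None:
                values.append(r.value)
    # 1. unmatched request/response: a request with no response or a response with no request
    if set(reqs) != set(rsps):
        flags["unmatched_pair"] = True
    # 2. abnormal request transmission period
    if any(abs((b - a) - expected_period_ms) > period_tol_ms for a, b in zip(req_ts, req_ts[1:])):
        flags["abnormal_request_period"] = True
    # 3. abnormal request-to-response delay, measured on the shared clock
    if any(rsps[t] - reqs[t] > max_delay_ms for t in reqs if t in rsps):
        flags["abnormal_response_delay"] = True
    # 4. abnormal change between successive measured values
    diffs = [b - a for a, b in zip(values, values[1:])]
    if any(abs(d) > max_step for d in diffs):
        flags["abnormal_value_change"] = True
    # 5. abnormal oscillation: the sign of successive differences alternates across a whole window
    for i in range(len(diffs) - osc_window + 1):
        w = diffs[i:i + osc_window]
        if all(w[j] * w[j + 1] < 0 for j in range(len(w) - 1)):
            flags["abnormal_oscillation"] = True
            break
    score = sum(WEIGHTS[name] for name, lit in flags.items() if lit)  # assumed additive weighting
    return {"flags": flags, "score": score, "malicious": score >= THRESHOLD}


def benign_trace() -> List[Record]:
    """Constructed: polls every 100 ms, answered within 10 ms, values drift gently."""
    out = []
    for i, v in enumerate([20.0, 20.5, 20.2, 20.4]):
        out += [Record(100 * i, "req", i + 1), Record(100 * i + 10, "rsp", i + 1, v)]
    return out


def anomalous_trace() -> List[Record]:
    """Constructed: one late response, a value jump, a missing response and a stray one."""
    return [
        Record(0, "req", 1), Record(10, "rsp", 1, 20.0),
        Record(100, "req", 2), Record(160, "rsp", 2, 20.3),   # 60 ms delay
        Record(200, "req", 3), Record(210, "rsp", 3, 26.0),   # jump of 5.7
        Record(300, "req", 4), Record(310, "rsp", 4, 26.1),
        Record(400, "req", 5),                                # never answered
        Record(350, "rsp", 99, 26.0),                         # response nobody requested
    ]


def oscillating_trace() -> List[Record]:
    """Constructed: timing is clean but the measured value flips 10/12 on every poll."""
    out = []
    for i, v in enumerate([10.0, 12.0, 10.0, 12.0, 10.0, 12.0, 10.0]):
        out += [Record(100 * i, "req", i + 1), Record(100 * i + 10, "rsp", i + 1, v)]
    return out


if __name__ == "__main__":
    for name, trace in (("benign", benign_trace()), ("anomalous", anomalous_trace()),
                        ("oscillating", oscillating_trace())):
        print(name, evaluate(trace))
```

The oscillating trace lights one flag but stays under the threshold, which is the point of weighting: a single weak heuristic is reported but does not by itself produce an attack verdict, while the anomalous trace lights three and crosses it. In a deployment the tolerances would come from the plant's known polling period and response-time budget rather than the constants assumed here.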
The invention also provides a heuristic detection device for malicious code in an industrial control system which, as shown in Figure 2, comprises:
a detection-point module 201, which places detection points in the industrial control system;
a real-time clock module 202, which installs a real-time clock at each detection point placed by the detection-point module 201, keeps it synchronized, and uses it to timestamp the captured packets or payload data;
a heuristic flag module 203, which defines a heuristic flag for each detection event in the industrial control system and configures a weight for it;
an input data acquisition module 204, which acquires input data through the detection points placed by the detection-point module 201;
a second determination module 207, which decides from the result of the computing module 206 whether a malicious-code attack has occurred, and outputs the result.
Further, the detection points of the detection-point module comprise: a detection point that inspects Industrial Ethernet packets, a detection point that inspects fieldbus packets, or a detection point that inspects analogue communication signals.
Further, the real-time clock of the real-time clock module provides precise synchronized timing with a precision of 1 ms.
Further, the detection events of the heuristic flag module comprise: an unmatched request/response packet pair, an abnormal request-packet transmission period, an abnormal request-to-response delay, an abnormal change in a measured value or controller output, or abnormal oscillation of a measured value or controller output.
As described above, the invention provides a heuristic detection method and device for malicious code in industrial control systems. It differs from traditional detection methods in that it does not detect by inspecting network packets but performs heuristic detection using the characteristics of the industrial control system itself. Detection points are first placed in the industrial control system and a high-precision real-time clock is installed at each of them to timestamp the captured packets. The input data acquired at the detection points are then analysed to determine whether a detection event corresponding to a heuristic flag has occurred; if so, the corresponding flag is lit, a weighting algorithm computes a weighted result over the weights of the lit flags, and that result decides whether a malicious-code attack has occurred; otherwise the data are judged not to be a malicious-code attack. By exploiting the characteristics of the industrial control system itself, the invention overcomes the unsuitability of traditional malicious-code detection methods for industrial control systems and achieves good detection results.
The above embodiments are intended to explain, not to limit, the technical solution of the invention. Any modification or partial replacement that does not depart from the spirit and scope of the invention falls within the scope of the claims.
Claims (8)
1. A heuristic detection method for malicious code in an industrial control system, characterized by:
placing detection points in the industrial control system;
installing a real-time clock at each detection point and keeping it synchronized;
using the real-time clock to timestamp the captured packets or payload data;
defining a heuristic flag for each detection event in the industrial control system and configuring a weight for it;
acquiring input data through the detection points and analysing them to determine whether the detection event corresponding to a heuristic flag has occurred; if so, lighting the corresponding flag, otherwise judging that no malicious-code attack is present;
computing, with a weighting algorithm, a weighted result over the weights of the lit heuristic flags;
deciding from the weighted result whether a malicious-code attack has occurred, and outputting the result.
2. The method of claim 1, characterized in that the detection points comprise: a detection point that inspects Industrial Ethernet packets, a detection point that inspects fieldbus packets, or a detection point that inspects analogue communication signals.
3. The method of claim 1, characterized in that the real-time clock provides precise synchronized timing with a precision of 1 ms.
4. The method of claim 1, characterized in that the detection events comprise: an unmatched request/response packet pair, an abnormal request-packet transmission period, an abnormal request-to-response delay, an abnormal change in a measured value or controller output, or abnormal oscillation of a measured value or controller output.
5. A heuristic detection device for malicious code in an industrial control system, characterized in that it comprises:
a detection-point module, which places detection points in the industrial control system;
a real-time clock module, which installs a real-time clock at each detection point placed by the detection-point module, keeps it synchronized, and uses it to timestamp the captured packets or payload data;
a heuristic flag module, which defines a heuristic flag for each detection event in the industrial control system and configures a weight for it;
an input data acquisition module, which acquires input data through the detection points placed by the detection-point module;
a determination module, which analyses the input data acquired by the input data acquisition module to determine whether a detection event corresponding to a heuristic flag of the heuristic flag module has occurred; if so, it lights the corresponding flag, otherwise it judges that no malicious-code attack is present;
a computing module, which uses a weighting algorithm to compute a weighted result over the weights of the flags lit by the determination module;
a second determination module, which decides from the result of the computing module whether a malicious-code attack has occurred, and outputs the result.
6. The device of claim 5, characterized in that the detection points of the detection-point module comprise: a detection point that inspects Industrial Ethernet packets, a detection point that inspects fieldbus packets, or a detection point that inspects analogue communication signals.
7. The device of claim 5, characterized in that the real-time clock of the real-time clock module provides precise synchronized timing with a precision of 1 ms.
8. The device of claim 5, characterized in that the detection events of the heuristic flag module comprise: an unmatched request/response packet pair, an abnormal request-packet transmission period, an abnormal request-to-response delay, an abnormal change in a measured value or controller output, or abnormal oscillation of a measured value or controller output.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210330563.8A CN103581160A (en) | 2012-09-10 | 2012-09-10 | Heuristic detection method and device for malicious codes in industrial control system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN103581160A true CN103581160A (en) | 2014-02-12 |
Family
ID=50052095
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210330563.8A Pending CN103581160A (en) | 2012-09-10 | 2012-09-10 | Heuristic detection method and device for malicious codes in industrial control system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103581160A (en) |
Events
- 2012-09-10: application CN201210330563.8A filed in CN (publication CN103581160A), status Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020066024A1 (en) * | 2000-07-14 | 2002-05-30 | Markus Schmall | Detection of a class of viral code |
CN101455029A (en) * | 2006-03-20 | 2009-06-10 | 王建 | Intrinsically safe data remote monitoring system and monitoring method thereof |
CN102243699A (en) * | 2011-06-09 | 2011-11-16 | 深圳市安之天信息技术有限公司 | Malicious code detection method and system |
Non-Patent Citations (1)
Title |
---|
雷迟骏: "Research and Implementation of a Malicious Code Detection System Based on Heuristic Algorithms" (基于启发式算法的恶意代码检测系统研究与实现), China Master's Theses Full-text Database, no. 06, 15 June 2012 (2012-06-15), pages 28-31 * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106599997A (en) * | 2016-12-20 | 2017-04-26 | 中兴软创科技股份有限公司 | Zero dynamic-based industrial control attack detection and identification method and system |
CN106599997B (en) * | 2016-12-20 | 2021-07-02 | 浩鲸云计算科技股份有限公司 | Zero-dynamic-based industrial control attack detection and identification method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20140212 |