CN104079444A - Method and device for deep inspection of industrial Ethernet data frames - Google Patents

Method and device for deep inspection of industrial Ethernet data frames

Info

Publication number
CN104079444A
CN104079444A (application CN201310102778.9A)
Authority
CN
China
Prior art keywords
industrial ethernet
pattern
protocol
describing
behavior pattern
Legal status (assumed by Google; not a legal conclusion)
Pending
Application number
CN201310102778.9A
Other languages
Chinese (zh)
Inventor
唐文
Current Assignee (as listed by Google; may be inaccurate)
Siemens AG
Original Assignee
Siemens AG
Application filed by Siemens AG
Priority to CN201310102778.9A
Publication of CN104079444A
Legal status: pending

Abstract

The invention relates to a method and device for deep inspection of industrial Ethernet data frames. The device comprises a detection module that, when an industrial Ethernet data frame is intercepted, detects whether the frame is legal according to patterns describing the legal features of the industrial Ethernet protocol and/or attack features against that protocol, and a discard/alarm module that discards the intercepted frame and/or raises an alarm if the detection result is negative. The method and device can improve the communication security of an industrial automation control system.

Description

Method and apparatus for deep inspection of industrial Ethernet data frames
Technical field
The present invention relates to industrial automation, and in particular to a method and apparatus for deep inspection of industrial Ethernet data frames.
Background art
An industrial automation control system (IACS) applies control theory, instrumentation, computers and other information technology to the detection, control, optimization, scheduling, management and decision-making of industrial production processes, with the aims of increasing output, improving quality, reducing consumption and ensuring safety. Industrial automation control systems commonly use Industrial Ethernet (IE) to connect their devices and instruments.
Many communication protocols based on Industrial Ethernet have been developed, for example PROFINET, Ethernet Powerlink, EtherNet/IP and Modbus/TCP. Because Industrial Ethernet must meet real-time requirements, and to avoid the overhead of the TCP/IP protocol stack, these protocols often encapsulate critical control data directly in industrial Ethernet data frames for transmission within the industrial automation control system. Such frames belong to layer 2 (the data link layer) of the OSI model and carry no higher-layer protocol such as IP (OSI layer 3) or TCP (layer 4); the layer-2 communication protocol is their highest-layer protocol. In other words, in an industrial Ethernet data frame the layer-2 communication protocol is the application-layer protocol.
Because an industrial Ethernet data frame contains no protocol layer above the layer-2 communication protocol, methods that protect data against network attack by operating at protocol layers above layer 2 cannot be used to secure industrial Ethernet data frames, so communication in an industrial automation control system carries a latent security risk.
Deep packet inspection (DPI) schemes already exist in the prior art to secure communication, but they do so by inspecting the payload of application protocols above the IP layer (layer 3) and the TCP/UDP layer (layer 4), so they are not suitable for industrial Ethernet data frames.
Summary of the invention
Since the prior art cannot meet the security-protection needs of the industrial field-control domain, embodiments of the present invention propose a method and apparatus for deep inspection of industrial Ethernet data frames that can improve the communication security of an industrial automation control system.
A method for deep inspection of industrial Ethernet data frames according to an embodiment of the invention comprises: when an industrial Ethernet data frame is intercepted, detecting whether the intercepted frame is legal according to patterns describing legal features of the industrial Ethernet protocol and/or attack features against that protocol; and, if the detection result is negative, discarding the intercepted frame and/or raising an alarm.
In one implementation, the patterns describing legal features of the industrial Ethernet protocol and/or attack features against it comprise behavior patterns describing legal features and/or behavior patterns describing attack features, and the detecting step comprises: checking whether the intercepted frame matches the behavior patterns describing legal features and/or the behavior patterns describing attack features; and, if the check shows that the intercepted frame does not match a behavior pattern describing legal features and/or matches a behavior pattern describing attack features, determining that the intercepted frame is illegal.
In one implementation, the patterns describing legal features of the industrial Ethernet protocol and/or attack features against it further comprise syntax patterns describing legal features and/or syntax patterns describing attack features, and the detecting step further comprises: detecting whether the payload of the intercepted frame matches the syntax patterns describing legal features and/or the syntax patterns describing attack features; and, if the detection shows that the payload does not match a syntax pattern describing legal features and/or matches a syntax pattern describing attack features, determining that the intercepted frame is illegal.
In one implementation, the behavior patterns describing legal features of the industrial Ethernet protocol comprise at least one of a time behavior pattern describing legal time-behavior features of the protocol, a channel behavior pattern describing legal channel-behavior features and a traffic behavior pattern describing legal traffic-behavior features, and the behavior patterns describing attack features against the protocol comprise a time behavior pattern describing illegal time-behavior features.
An apparatus for deep inspection of industrial Ethernet data frames according to an embodiment of the invention comprises: a detection module that, when an industrial Ethernet data frame is intercepted, detects whether the intercepted frame is legal according to patterns describing legal features of the industrial Ethernet protocol and/or attack features against that protocol; and a discard/alarm module that, if the detection result is negative, discards the intercepted frame and/or raises an alarm.
In one implementation, the patterns describing legal features of the industrial Ethernet protocol and/or attack features against it comprise behavior patterns describing legal features and/or behavior patterns describing attack features, and the detection module comprises: a checking module that checks whether the intercepted frame matches the behavior patterns describing legal features and/or the behavior patterns describing attack features; and a determination module that, if the check shows that the intercepted frame does not match a behavior pattern describing legal features and/or matches a behavior pattern describing attack features, determines that the intercepted frame is illegal.
In one implementation, the patterns describing legal features of the industrial Ethernet protocol and/or attack features against it further comprise syntax patterns describing legal features and/or syntax patterns describing attack features; the checking module further detects whether the payload of the intercepted frame matches the syntax patterns describing legal features and/or the syntax patterns describing attack features; and the determination module, if the detection shows that the payload does not match a syntax pattern describing legal features and/or matches a syntax pattern describing attack features, determines that the intercepted frame is illegal.
In one implementation, the behavior patterns describing legal features of the industrial Ethernet protocol comprise at least one of a time behavior pattern describing legal time-behavior features of the protocol, a channel behavior pattern describing legal channel-behavior features and a traffic behavior pattern describing legal traffic-behavior features, and the behavior patterns describing attack features against the protocol comprise a time behavior pattern describing illegal time-behavior features.
As can be seen from the above, the scheme proposed by embodiments of the invention detects whether an industrial Ethernet data frame is legal according to patterns describing legal features and/or attack features of industrial Ethernet control communication, and discards illegal frames and/or raises an alarm, thereby improving the communication security of the industrial automation control system.
Brief description of the drawings
Further features, characteristics, advantages and benefits of the present invention will become more apparent from the following detailed description taken in conjunction with the accompanying drawings.
Fig. 1 is a schematic diagram of an industrial automation control system according to an embodiment of the invention.
Fig. 2 is a flow chart of the method for deep inspection of industrial Ethernet data frames according to an embodiment of the invention.
Fig. 3 is a schematic diagram of the apparatus for deep inspection of industrial Ethernet data frames according to an embodiment of the invention.
Fig. 4 is a schematic diagram of the detection module according to an embodiment of the invention.
Fig. 5 is a schematic diagram of the device for deep inspection of industrial Ethernet data frames according to an embodiment of the invention.
Embodiments
Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Referring now to Fig. 1, which is a schematic diagram of an industrial automation control system according to an embodiment of the invention. As shown in Fig. 1, the industrial automation control system 10 may comprise a workstation 102, a human-machine interface (HMI) 104, a server 106, programmable logic controllers (PLCs) 108, 110 and 112, industrial Ethernet switches 114 and 116, and a data-frame deep-inspection device 118. The workstation 102, HMI 104 and server 106 are connected to industrial Ethernet switch 114; PLCs 108, 110 and 112 are connected to industrial Ethernet switch 116; switches 114 and 116 are interconnected; and the deep-inspection device 118 is connected between switches 114 and 116.
The workstation 102, HMI 104 and server 106 are the devices that are exposed to security attacks and most easily infected by viruses and malware. They package configuration instructions, supervisory instructions and control commands, received from users and/or generated locally, into industrial Ethernet data frames and send them through switches 114 and 116 to PLCs 108, 110 and 112, and they receive from those PLCs, through the same switches, control data and status data encapsulated in industrial Ethernet data frames.
PLCs 108, 110 and 112 are field-control devices. According to the configuration instructions, supervisory instructions and control commands received from the workstation 102, HMI 104 and server 106 through switches 114 and 116, they make the field devices they control (distributed I/O devices, not shown) perform various operations, and they encapsulate the data collected from those field devices into industrial Ethernet data frames and send them through switches 114 and 116 to the workstation 102, HMI 104 and server 106.
The data-frame deep-inspection device 118 is a device capable of deep inspection of industrial Ethernet data frames. It stores in advance patterns describing the legal features of the industrial Ethernet protocol (a whitelist) and attack features against that protocol (a blacklist). Device 118 intercepts the industrial Ethernet data frames transmitted between switches 114 and 116, detects according to the stored patterns whether each intercepted frame is legal, and discards the frame and/or raises an alarm when it is illegal. In other words, an illegal industrial Ethernet data frame is dropped and is not delivered to the destination it indicates.
The patterns describing legal features of the industrial Ethernet protocol and attack features against it may comprise syntax patterns describing legal features, syntax patterns describing attack features, behavior patterns describing legal features and behavior patterns describing attack features.
Syntax patterns describing legal features may comprise the legal syntax of industrial Ethernet data frames as laid down by the protocol specification; here legal syntax covers syntax properties such as the (relative) position at which a field occurs in the frame, its legal value range and its length. Syntax patterns describing attack features may comprise, without limitation, frames with incorrect syntax and malformed frames; a malformed frame is, for example, one in which a frame field has been set to a malicious value, or in which the length or position of a field has been altered so that it differs from the legal syntax defined by the protocol specification. Syntax patterns may be defined, without limitation, with simple character strings, regular expressions, regular grammars, BNF/ABNF/EBNF grammars or XML-based grammars.
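To make the syntax-pattern idea concrete, here is an added example in Python, written for this page and not taken from the patent or from any Siemens product. It checks an intercepted layer-2 frame against a whitelist grammar of the kind described above (field position, length and legal value range, plus a cross-field rule that the declared length must match the bytes on the wire) and then against blacklist signatures written as regular expressions over the payload, so that a frame is legal only if it passes the whitelist and hits no blacklist entry. The protocol, its EtherType 0x88B5 (one of the values IEEE 802 sets aside for local experiments), its field layout, the MAC addresses and the sample frames are all constructed for the example:

```python
"""Added example (not from the patent): syntax-pattern check of a layer-2 frame.
Verifies the grammar features the text names (field position, legal value range,
length) against a whitelist, then runs blacklist signatures over the payload.
The protocol, its EtherType and its field layout are constructed for this example."""
import re
import struct
from collections import namedtuple

ETH_HDR_LEN = 14  # Ethernet II header: dst MAC (6) + src MAC (6) + EtherType (2)

# One grammar element: byte offset and length inside the payload, and the
# inclusive range of big-endian unsigned values the specification allows.
FieldRule = namedtuple("FieldRule", "name offset length lo hi")

# Whitelist grammar keyed by EtherType. 0x88B5 is one of the EtherTypes IEEE 802
# reserves for local experiments; the field layout is invented for the example.
SYNTAX_WHITELIST = {
    0x88B5: {
        "min_len": 8,
        "max_len": 64,
        "fields": [
            FieldRule("frame_id", 0, 2, 0x0100, 0x01FF),
            FieldRule("command", 2, 1, 1, 4),   # 1 read, 2 write, 3 set IP, 4 factory reset
            FieldRule("length", 3, 1, 8, 64),   # declared payload length
        ],
    },
}

# Blacklist: attack signatures as regular expressions over the payload
# (constructed): a factory reset addressed to the "all devices" frame_id 0x01FF.
SYNTAX_BLACKLIST = [
    ("reset-to-all", re.compile(rb"\A\x01\xff\x04", re.DOTALL)),
]


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame (FCS omitted) for the constructed samples."""
    return dst + src + struct.pack("!H", ethertype) + payload


def check_syntax(frame: bytes):
    """Return (legal, reason): legal only if the frame satisfies the whitelist
    grammar for its EtherType and matches no blacklist signature."""
    if len(frame) < ETH_HDR_LEN:
        return False, "frame shorter than Ethernet header"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    grammar = SYNTAX_WHITELIST.get(ethertype)
    if grammar is None:
        return False, f"EtherType 0x{ethertype:04x} not in whitelist"
    payload = frame[ETH_HDR_LEN:]
    if not grammar["min_len"] <= len(payload) <= grammar["max_len"]:
        return False, f"payload length {len(payload)} outside grammar"
    values = {}
    for rule in grammar["fields"]:
        end = rule.offset + rule.length
        if end > len(payload):
            return False, f"field {rule.name} truncated"
        value = int.from_bytes(payload[rule.offset:end], "big")
        if not rule.lo <= value <= rule.hi:
            return False, f"field {rule.name}=0x{value:x} outside legal range"
        values[rule.name] = value
    # Cross-field rule: the declared length must agree with the bytes on the wire,
    # which catches the altered-length malformation the text describes.
    if values["length"] != len(payload):
        return False, f"declared length {values['length']} != actual {len(payload)}"
    for name, signature in SYNTAX_BLACKLIST:
        if signature.search(payload):
            return False, f"attack signature {name}"
    return True, "ok"


# Constructed sample frames: locally administered MACs, 12-byte payloads.
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
TAIL = b"\x00" * 8
LEGAL = build_frame(MAC_B, MAC_A, 0x88B5, bytes([0x01, 0x02, 0x01, 0x0C]) + TAIL)
BAD_LENGTH = build_frame(MAC_B, MAC_A, 0x88B5, bytes([0x01, 0x02, 0x01, 0x20]) + TAIL)
BAD_COMMAND = build_frame(MAC_B, MAC_A, 0x88B5, bytes([0x01, 0x02, 0x09, 0x0C]) + TAIL)
RESET_ALL = build_frame(MAC_B, MAC_A, 0x88B5, bytes([0x01, 0xFF, 0x04, 0x0C]) + TAIL)

if __name__ == "__main__":
    for label, frame in [("legal", LEGAL), ("bad_length", BAD_LENGTH),
                         ("bad_command", BAD_COMMAND), ("reset_all", RESET_ALL)]:
        print(f"{label:12s} {check_syntax(frame)}")
```

The whitelist is checked before the blacklist on purpose: the reset-to-all frame is syntactically valid (every field is in range), so a pure grammar check would pass it, and only the attack signature catches it; conversely the altered-length frame never reaches the signature stage because the cross-field rule already rejects it.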
More important are the behavior patterns describing legal behavior features of the industrial Ethernet protocol and attack behavior features against it, which may comprise, without limitation, time behavior patterns, channel (communication context) behavior patterns and traffic behavior patterns.
(1) Time behavior patterns. Industrial Ethernet protocols generally include protocols for engineering management or configuration of the network, devices and communication, for example the DCP protocol in PROFINET. In these protocols certain types of industrial Ethernet data frame can set key parameters of a device or of communication, such as changing the IP address or resetting the device to factory defaults. Such frames themselves comply with the protocol syntax, and they are permitted while the industrial Ethernet and its devices are being repaired or maintained (during installation and commissioning, or during shutdown); but when the field-control devices are in the working (control) state, sending these frames can cause a control device to behave abnormally or shut down, with serious consequences. Time behavior patterns therefore describe the legal or illegal time behavior features of the industrial Ethernet protocol. For example, a time behavior pattern describing legal time behavior may be expressed by the rule:
<start1,end1> allow src1→dst1, <frame pattern>,
which states that industrial Ethernet data frames from source address src1 to destination address dst1 that match the specified frame pattern (type) are permitted, i.e. legal, only when they occur within the time window from start time start1 to end time end1. Similarly, a time behavior pattern describing illegal time behavior may be expressed by the rule:
<start2,end2> deny src2→dst2, <frame pattern>,
which states that industrial Ethernet data frames from src2 to dst2 that match the specified frame pattern (type) and occur within the time window from start2 to end2 are forbidden, i.e. illegal.
(2) Channel (communication context) behavior patterns. Because all (real-time) industrial Ethernet protocols must support fast data exchange between field devices over Ethernet, they generally use predefined communication channels to define the communication between field devices (data exchange, parameter transfer and commissioning); a channel comprises parameters such as the devices and application entities at its two ends and the time, and possible time offset, of the communication. For example, PROFINET IO follows a provider-consumer model in which an application relation (AR) is established between an IO controller and an IO device; the AR carries different kinds of communication such as cyclic data exchange, parameter transfer and alarm handling, and communication relations (CRs) can be further defined within the AR. Communication between field devices therefore has a strict communication context (channel), whose behavior features include the time of the communication and its source and destination devices. A channel behavior pattern can thus describe the legal channel behavior features of industrial Ethernet data frames. For example, a channel behavior pattern describing legal channel behavior may be expressed by the rule:
<time,offset> Context <src,dst,frame pattern>,
which defines that, within the window given by the communication time (time) and the possible time offset (offset), the communication context Context consists of Ethernet data frames of type (pattern) frame pattern sent from device src to device dst. Such a rule can be deployed into the deep-inspection device 118 manually or automatically when the field devices are configured. An intercepted frame that satisfies the rule is legal; one that does not is likely an attack frame that may disturb the high-speed real-time communication between field devices.
(3) Traffic behavior patterns. A traffic behavior pattern describes the legal traffic behavior features of the industrial Ethernet protocol, including without limitation the per-unit-time throughput threshold up to which a type of industrial Ethernet data frame is allowed to be transmitted and the statistical distribution features of legal traffic. For example, a traffic behavior pattern may set the per-unit-time throughput threshold for ARP request frames to 200 kbit/s; when the rate of ARP request frames per second exceeds this threshold, a DoS attack capable of disturbing industrial Ethernet control communication is judged to be in progress.
Behavior patterns may be defined with, without limitation, finite state machines, UML state diagrams or state transition tables.
As can be seen from the above, the scheme proposed by embodiments of the invention detects whether an industrial Ethernet data frame is legal according to patterns describing legal features and/or attack features, and discards illegal frames and/or raises an alarm, thereby improving the communication security of the industrial automation control system. Moreover, time behavior patterns, channel behavior patterns and traffic behavior patterns are specific to industrial Ethernet control communication: they describe the time factors of legal and/or illegal industrial Ethernet control protocol communication and the application relations and communication relations between the communicating devices, and so can provide effective security protection for the critical control-data communication in Industrial Ethernet.
Referring now to Fig. 2, a flow chart of the method for deep inspection of industrial Ethernet data frames according to an embodiment of the invention. The method of Fig. 2 is performed by the deep-inspection device 118.
As shown in Fig. 2, at step S200 the deep-inspection device 118 intercepts an industrial Ethernet data frame transmitted between switches 114 and 116.
At step S204, device 118 detects whether the payload of the intercepted frame matches the pre-stored syntax patterns describing attack features against the industrial Ethernet protocol and the pre-stored syntax patterns describing its legal features.
At step S208, if the result of step S204 shows that the payload does not match the syntax patterns describing attack features or does match the syntax patterns describing legal features (branch A), device 118 checks whether the intercepted frame matches the behavior patterns describing attack features and the behavior patterns describing legal features. Four examples:
Suppose the pre-stored behavior patterns describing legal features include a time behavior pattern stating that a frame carrying a reset instruction from device A1 to device B1 is legal when it occurs between start time StartTime1 and end time EndTime1. Device 118 first checks, from the information in the intercepted frame, whether it is a reset-instruction frame from A1 to B1; if so, it further checks whether the time at which the frame was intercepted falls between StartTime1 and EndTime1; if it does, the intercepted frame matches this time behavior pattern.
Suppose the pre-stored behavior patterns describing attack features include a time behavior pattern stating that a reset-instruction frame from device A2 to device B2 occurring between start time StartTime2 and end time EndTime2 is illegal. Device 118 first checks whether the intercepted frame is a reset-instruction frame from A2 to B2; if so, it further checks whether the interception time falls between StartTime2 and EndTime2; if it does, the intercepted frame matches this time behavior pattern.
Suppose the pre-stored behavior patterns describing legal features include a channel behavior pattern stating that a frame of type L3 sent from device A3 to device B3 is legal within the time range defined by base point PTime3 and deviation POffset3. Device 118 first checks whether the intercepted frame is a type-L3 frame from A3 to B3; if so, it further checks whether the frame's communication time falls within the range PTime3 plus or minus POffset3; if it does, the intercepted frame matches this channel behavior pattern.
Suppose the pre-stored behavior patterns describing legal features include a traffic behavior pattern giving the per-unit-time throughput threshold up to which Ethernet data frames of a specified type are allowed to be transmitted. Device 118 checks whether the intercepted frame is of that type; if so, it computes the actual per-unit-time throughput as the total number of frames of that type intercepted so far within the unit time, including the current frame, multiplied by the byte count of a frame of that type and divided by the unit time, and judges whether this exceeds the allowed threshold; if it does, the intercepted frame does not match this traffic behavior pattern.
At step S212, if the result of step S208 shows that the intercepted frame does not match the behavior patterns describing attack features or does match the behavior patterns describing legal features (branch C), device 118 determines that the intercepted frame is legal and lets it pass so that it reaches its destination.
At step S216, if the result of step S204 shows that the payload matches a syntax pattern describing attack features or does not match the syntax patterns describing legal features (branch B), or if the result of step S208 shows that the intercepted frame matches a pre-stored behavior pattern describing attack features or does not match the pre-stored behavior patterns describing legal features (branch D), device 118 determines that the intercepted frame is illegal and discards it.
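The three behavior patterns of sections (1) to (3) and the S200 to S216 flow above, as one added Python example written for this page; it is not the patent's code and assumes nothing about device 118 beyond what the text states. Time rules carry the <start,end> allow/deny shape, channel rules the <time,offset> Context shape, and traffic rules a per-frame-type throughput threshold over a sliding unit time; the S204 syntax check is reduced to a whitelist of frame kinds that an earlier parsing stage is assumed to have classified. The optional period on a channel rule, which repeats the base point for cyclic I/O, is an assumption added here, as are all device names, frame kinds, times and thresholds:

```python
"""Added example (not from the patent): behaviour-pattern engine plus the Fig. 2
decision flow.  Rule shapes follow the text:
    time     <start,end> allow|deny src->dst, <frame pattern>
    channel  <time,offset> Context <src,dst,frame pattern>
    traffic  per-frame-type throughput threshold over a unit time
Device names, frame kinds, times and thresholds are constructed; the S204 syntax
check is reduced to a whitelist of frame kinds classified by an earlier parser."""
from collections import defaultdict, deque, namedtuple
from typing import Optional

Frame = namedtuple("Frame", "src dst kind size")                      # size: bytes on the wire
TimeRule = namedtuple("TimeRule", "start end action src dst kind")    # action: allow | deny
# period is an assumption added for cyclic I/O: the base point repeats every
# period seconds; None means a single absolute base point.
ChannelRule = namedtuple("ChannelRule", "base offset src dst kind period", defaults=(None,))
TrafficRule = namedtuple("TrafficRule", "kind window max_bytes_per_s")  # window in seconds


def _endpoints_match(rule, frame: Frame) -> bool:
    return (rule.src, rule.dst, rule.kind) == (frame.src, frame.dst, frame.kind)


class FrameInspector:
    def __init__(self, legal_kinds, time_rules, channel_rules, traffic_rules):
        self.legal_kinds = set(legal_kinds)
        self.time_rules = list(time_rules)
        self.channel_rules = list(channel_rules)
        self._channel_kinds = {r.kind for r in channel_rules}
        self.traffic_rules = {r.kind: r for r in traffic_rules}
        self._history = defaultdict(deque)   # kind -> (timestamp, size) inside the window

    def _check_time(self, frame: Frame, ts: float) -> Optional[str]:
        """Deny windows are a blacklist; allow windows, once configured for an
        endpoint pair and frame kind, forbid that frame outside them."""
        matching = [r for r in self.time_rules if _endpoints_match(r, frame)]
        for r in matching:
            if r.action == "deny" and r.start <= ts <= r.end:
                return f"{frame.kind} {frame.src}->{frame.dst} inside deny window [{r.start},{r.end}]"
        allows = [r for r in matching if r.action == "allow"]
        if allows and not any(r.start <= ts <= r.end for r in allows):
            return f"{frame.kind} {frame.src}->{frame.dst} outside every allow window"
        return None

    def _check_channel(self, frame: Frame, ts: float) -> Optional[str]:
        """A frame kind scheduled through channels must come from a configured
        src->dst pair and arrive within offset of its configured time."""
        if frame.kind not in self._channel_kinds:
            return None
        for r in self.channel_rules:
            if not _endpoints_match(r, frame):
                continue
            if r.period is None:
                dist = abs(ts - r.base)
            else:
                phase = (ts - r.base) % r.period
                dist = min(phase, r.period - phase)
            if dist <= r.offset:
                return None
        return f"{frame.kind} {frame.src}->{frame.dst} at t={ts} has no matching channel context"

    def _check_traffic(self, frame: Frame, ts: float) -> Optional[str]:
        """Sliding-window throughput: bytes of this kind seen in the last
        window seconds divided by the window (the S208 traffic example)."""
        rule = self.traffic_rules.get(frame.kind)
        if rule is None:
            return None
        hist = self._history[frame.kind]
        hist.append((ts, frame.size))
        while hist and hist[0][0] < ts - rule.window:
            hist.popleft()
        rate = sum(size for _, size in hist) / rule.window
        if rate > rule.max_bytes_per_s:
            return f"{frame.kind} throughput {rate:.0f} B/s exceeds {rule.max_bytes_per_s:.0f} B/s"
        return None

    def inspect(self, frame: Frame, ts: float):
        """S204 syntax -> S208 behaviour -> S212 pass or S216 drop."""
        if frame.kind not in self.legal_kinds:                       # branch B
            return "drop", f"frame kind {frame.kind!r} fails syntax whitelist"
        for check in (self._check_time, self._check_channel, self._check_traffic):
            reason = check(frame, ts)
            if reason:                                                # branch D
                return "drop", reason
        return "pass", "ok"                                           # branch C


# Constructed site configuration: workstation A1 may reset PLC B1 only during the
# first hour (commissioning); resets from A2 to B2 are forbidden during the
# production shift; IO controller A3 sends cyclic I/O to B3 every 10 ms with 1 ms
# jitter; ARP requests are capped at 200 kbit/s, i.e. 25 000 B/s.
INSPECTOR = FrameInspector(
    legal_kinds={"cyclic_io", "reset", "arp_request"},
    time_rules=[TimeRule(0.0, 3600.0, "allow", "A1", "B1", "reset"),
                TimeRule(3600.0, 86400.0, "deny", "A2", "B2", "reset")],
    channel_rules=[ChannelRule(0.0, 0.001, "A3", "B3", "cyclic_io", period=0.010)],
    traffic_rules=[TrafficRule("arp_request", 1.0, 25_000)],
)

if __name__ == "__main__":
    print(INSPECTOR.inspect(Frame("A1", "B1", "reset", 64), 100.0))       # pass
    print(INSPECTOR.inspect(Frame("A1", "B1", "reset", 64), 5000.0))      # drop: outside window
    print(INSPECTOR.inspect(Frame("A3", "B3", "cyclic_io", 80), 0.0345))  # drop: off-cycle
```

The checks run in the order the flow chart gives them, and a frame is dropped at the first pattern it fails, so it reaches the traffic counter only if it is otherwise legal; a burst that already fails a time rule therefore never inflates the throughput estimate. A deployment that wants dropped frames to count towards the DoS threshold should move the traffic check to the front of the tuple in inspect. Note also that a frame kind which is scheduled through channels is rejected when it comes from an unconfigured src/dst pair, which is what makes the channel whitelist useful against a spoofing host.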
Other modifications
Those skilled in the art will understand that although in the above embodiments the intercepted industrial Ethernet frame is first checked against the grammatical patterns when determining whether it is legal, the invention is not limited to this. In other embodiments, the intercepted frame may first be checked against the behavior patterns; the check against the grammatical patterns and the check against the behavior patterns may be performed in parallel; or the check against the grammatical patterns may be omitted altogether.
Those skilled in the art will also understand that although in the above embodiments legality is determined by checking the intercepted industrial Ethernet frame against all four patterns (the grammatical pattern describing legal features, the grammatical pattern describing attack signatures, the behavior pattern describing legal features and the behavior pattern describing attack signatures), the invention is not limited to this. In other embodiments, legality may be determined by checking the intercepted frame against any one, two or three of these four patterns.
Those skilled in the art will further understand that although in the above embodiments the patterns used to determine whether the intercepted industrial Ethernet frame is legal comprise grammatical patterns and behavior patterns, the invention is not limited to this. In other embodiments the patterns may consist of grammatical patterns only or of behavior patterns only; they may comprise at least one of grammatical patterns and behavior patterns together with patterns of another type; or they may consist of patterns of a type other than grammatical and behavior patterns.
Those skilled in the art will also appreciate that although in the above embodiments the industrial Ethernet frame depth detection function is implemented in frame depth detection device 118, the invention is not limited to this. In other embodiments the function may also be implemented in other devices of industrial automation control system 10, for example workstation 102, HMI 104, server 106, programmable logic controllers (PLCs) 108, 110, 112 and/or industrial Ethernet switches 114, 116.
Referring now to Fig. 3, which shows a schematic diagram of a device for industrial Ethernet frame depth detection according to one embodiment of the invention. The device shown in Fig. 3 may be implemented in software, in hardware (such as an integrated circuit or an FPGA) or in a combination of software and hardware, and may be arranged in any suitable equipment of industrial automation control system 10, for example frame depth detection device 118, workstation 102, HMI 104, server 106, PLCs 108, 110, 112 and/or industrial Ethernet switches 114, 116.
As shown in Fig. 3, device 300 for industrial Ethernet frame depth detection may comprise a detection module 310 and a discard/alarm module 330. Detection module 310, when an industrial Ethernet frame is intercepted, detects whether the intercepted frame is legal according to a pattern describing the legal features of the industrial Ethernet protocol and/or a pattern describing the attack signature of that protocol. Discard/alarm module 330 discards the intercepted industrial Ethernet frame and/or raises an alarm if the detection result is negative.
The pattern describing the legal features of the industrial Ethernet protocol and/or the attack signature of that protocol may comprise a behavior pattern describing the legal features of the protocol and/or a behavior pattern describing the attack signature of the protocol. As shown in Fig. 4, detection module 310 may then comprise: a checking module 312 for checking whether the intercepted industrial Ethernet frame matches the behavior pattern describing the legal features of the protocol and/or the behavior pattern describing the attack signature of the protocol; and a determination module 314 for determining that the intercepted frame is illegal if the check result shows that the intercepted frame does not match the behavior pattern describing the legal features and/or matches the behavior pattern describing the attack signature.
The pattern describing the legal features and/or the attack signature of the protocol may further comprise a grammatical pattern describing the legal features of the industrial Ethernet protocol and/or a grammatical pattern describing the attack signature of that protocol. Checking module 312 may then also detect whether the payload carried by the intercepted industrial Ethernet frame matches the grammatical pattern describing the legal features of the protocol and/or the grammatical pattern describing the attack signature of the protocol, and determination module 314 may also determine that the intercepted frame is illegal if the detection result shows that the payload does not match the grammatical pattern describing the legal features and/or matches the grammatical pattern describing the attack signature.
The behavior pattern describing the legal features of the industrial Ethernet protocol comprises at least one of: a time behavior pattern describing the legal time behavior features of the protocol, a channel behavior pattern describing the legal channel behavior features of the protocol, and a traffic behavior pattern describing the legal traffic behavior features of the protocol. The behavior pattern describing the attack signature of the protocol comprises a time behavior pattern describing the illegal time behavior features for the protocol.
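The following is an added example, not code from the patent or from Siemens, showing one way the detection flow of steps S204 to S216 and the module structure of Figs. 3 and 4 can be implemented. The payload layout (function code, register address, length, data), the station names used in place of MAC addresses, the protected register range used as the attack-signature grammatical pattern, and the policy values (write window, rate limit, minimum inter-arrival interval) are all assumptions constructed for this example; the patent names no concrete protocol or thresholds. The grammatical patterns are applied to the payload first (S204), the behavior patterns (time, channel and traffic for legal features, time for the attack signature) are applied in context afterwards (S208), and a miss on a legal pattern or a hit on an attack pattern yields a drop (branches B and D), otherwise a pass (branch C). Dropped frames are still recorded in the per-source history so that a flood of malformed frames is counted by the traffic and time checks.

```python
"""Added example: grammatical plus behavior pattern inspection of a hypothetical industrial Ethernet payload."""
import struct
from collections import deque
from dataclasses import dataclass

# Assumed payload layout, constructed for this example only (not from the patent):
#   byte 0    function code (0x01 read, 0x02 write, 0x03 diagnostic)
#   bytes 1-2 register address, big endian
#   byte 3    data length in bytes, followed by exactly that many data bytes
HDR = struct.Struct(">BHB")
READ, WRITE, DIAG = 0x01, 0x02, 0x03


@dataclass
class Frame:
    src: str        # source station name standing in for the source MAC (constructed)
    dst: str        # destination station name
    ts: float       # arrival time in seconds since epoch
    payload: bytes  # payload laid out as described above


# --- grammatical patterns, applied to the payload (step S204) -------------------------
def grammar_legal(payload):
    """Legal-feature grammatical pattern: well-formed header, known function code, bounded address/length."""
    if len(payload) < HDR.size:
        return False
    func, addr, length = HDR.unpack_from(payload)
    if func not in (READ, WRITE, DIAG) or addr > 0x0FFF or length > 64:
        return False
    return len(payload) == HDR.size + length  # declared length must equal carried data


def grammar_attack(payload):
    """Attack-signature grammatical pattern (assumed): a write into the configuration range 0x0000-0x00FF."""
    if len(payload) < HDR.size:
        return False
    func, addr, _length = HDR.unpack_from(payload)
    return func == WRITE and addr <= 0x00FF


# --- behavior patterns, applied to the frame in context (step S208) -------------------
@dataclass
class BehaviorPolicy:
    channels: set                                  # legal channel behavior: allowed (src, dst, function)
    write_window: tuple = (8 * 3600, 18 * 3600)    # legal time behavior: seconds of day in which writes occur
    max_rate: int = 10                             # legal traffic behavior: frames per source per rate_window
    rate_window: float = 1.0
    min_interval: float = 0.001                    # illegal time behavior: sub-interval bursts match the attack


class BehaviorChecker:
    """Checking module for the behavior patterns; keeps a per-source arrival history."""
    def __init__(self, policy):
        self.policy = policy
        self.history = {}  # src -> deque of arrival timestamps
    def _recent(self, frame):
        q = self.history.setdefault(frame.src, deque())
        while q and frame.ts - q[0] > self.policy.rate_window:
            q.popleft()
        return q
    def time_legal(self, frame, func):
        lo, hi = self.policy.write_window
        return func != WRITE or lo <= frame.ts % 86400 < hi
    def channel_legal(self, frame, func):
        return (frame.src, frame.dst, func) in self.policy.channels
    def traffic_legal(self, frame):
        return len(self._recent(frame)) < self.policy.max_rate
    def time_attack(self, frame):
        q = self._recent(frame)
        return bool(q) and frame.ts - q[-1] < self.policy.min_interval
    def record(self, frame):
        self.history.setdefault(frame.src, deque()).append(frame.ts)


def inspect_frame(frame, checker):
    """Determination module: grammar first, then behavior. Returns ('pass'|'drop', reason)."""
    p = frame.payload
    reason = None
    if not grammar_legal(p) or grammar_attack(p):            # branch B
        reason = "grammar"
    else:
        func = p[0]
        if (not checker.time_legal(frame, func) or not checker.channel_legal(frame, func)
                or not checker.traffic_legal(frame) or checker.time_attack(frame)):  # branch D
            reason = "behavior"
    checker.record(frame)  # dropped frames still count toward the traffic and burst history
    return ("drop", reason) if reason else ("pass", "ok")     # branch C when no reason


def run_demo():
    """Constructed traffic sample; returns the verdict reason for each frame in order."""
    policy = BehaviorPolicy(channels={("hmi", "plc1", READ), ("hmi", "plc1", WRITE), ("ws", "plc1", DIAG)})
    checker = BehaviorChecker(policy)
    t = 36000.0  # 10:00, inside the assumed write window
    frames = [
        Frame("hmi", "plc1", t, HDR.pack(READ, 0x0100, 0)),                         # legal read
        Frame("hmi", "plc1", t + 0.5, HDR.pack(WRITE, 0x0200, 2) + b"\x00\x01"),    # legal write
        Frame("hmi", "plc1", t + 1.0, HDR.pack(WRITE, 0x0010, 2) + b"\x00\x01"),    # attack grammar hit
        Frame("ws", "plc1", t + 1.5, HDR.pack(WRITE, 0x0200, 2) + b"\x00\x01"),     # channel not allowed
        Frame("hmi", "plc1", 72000.0, HDR.pack(WRITE, 0x0200, 2) + b"\x00\x01"),    # write at 20:00
        Frame("hmi", "plc1", 72001.0, b"\x01\x01"),                                 # truncated header
    ]
    frames += [Frame("hmi", "plc1", 80000.0 + i * 0.05, HDR.pack(READ, 0x0100, 0)) for i in range(12)]  # rate flood
    frames += [Frame("ws", "plc1", 90000.0 + i * 0.0005, HDR.pack(DIAG, 0x0000, 0)) for i in range(2)]  # sub-ms burst
    return [inspect_frame(f, checker)[1] for f in frames]


if __name__ == "__main__":
    print(run_demo())
```

In the sample run the first two frames pass, the write into the protected range and the truncated frame are dropped on the grammatical check, the write from the wrong station and the write outside the window are dropped on the behavior check, the eleventh and twelfth frames of the one-second burst exceed the rate limit, and the second frame of the sub-millisecond pair matches the illegal time behavior pattern. Note that a whitelist miss and a blacklist hit are treated identically here; a deployment that wants to alarm on attack-signature hits but silently drop merely malformed frames would carry the distinction through to the discard/alarm module.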
Referring now to Fig. 5, which shows a schematic diagram of equipment for performing depth detection on industrial Ethernet frames according to one embodiment of the invention. As shown in Fig. 5, equipment 500 may comprise a memory 510 for storing executable instructions and a processor 520. Processor 520 performs, according to the executable instructions stored in memory 510, the operations performed by the modules of device 300.
An embodiment of the invention also provides a machine-readable medium storing executable instructions which, when executed, cause a machine to perform the operations performed by processor 520.
Those skilled in the art will appreciate that various changes and modifications may be made to the embodiments disclosed above without departing from the essence of the invention. The scope of protection of the invention should therefore be defined by the appended claims.

Claims (10)

1. A method for industrial Ethernet frame depth detection, comprising:
when an industrial Ethernet frame is intercepted, detecting whether the intercepted industrial Ethernet frame is legal according to a pattern describing the legal features of the industrial Ethernet protocol and/or the attack signature of that protocol; and
if the detection result is negative, discarding the intercepted industrial Ethernet frame and/or raising an alarm.
2. the method for claim 1, wherein
It is described for describing the legal feature of industrial ethernet protocol and/or comprising the behavior pattern of the legal feature for describing industrial ethernet protocol and/or the behavior pattern for the attack signature of this agreement for the pattern of the attack signature of this agreement,
Described detecting step comprises:
The Industrial Ethernet Frame that checks described interception with described for describe industrial ethernet protocol legal feature behavior pattern and/or whether mate for the behavior pattern of the attack signature of this agreement; And
If the Industrial Ethernet Frame that check result shows described interception does not mate and/or mates with the behavior pattern of the described attack signature for this agreement with the described behavior pattern for the legal feature of describing industrial ethernet protocol, determine that the Industrial Ethernet Frame of described interception is illegal.
3. The method of claim 2, wherein
the pattern describing the legal features of the industrial Ethernet protocol and/or the attack signature of that protocol further comprises a grammatical pattern describing the legal features of the industrial Ethernet protocol and/or a grammatical pattern describing the attack signature of that protocol, and
the detecting step further comprises:
detecting whether the payload carried by the intercepted industrial Ethernet frame matches the grammatical pattern describing the legal features of the industrial Ethernet protocol and/or the grammatical pattern describing the attack signature of that protocol; and
if the detection result shows that the payload does not match the grammatical pattern describing the legal features of the industrial Ethernet protocol and/or matches the grammatical pattern describing the attack signature of that protocol, determining that the intercepted industrial Ethernet frame is illegal.
4. The method of claim 2 or claim 3, wherein
the behavior pattern describing the legal features of the industrial Ethernet protocol comprises at least one of a time behavior pattern describing the legal time behavior features of the industrial Ethernet protocol, a channel behavior pattern describing the legal channel behavior features of the industrial Ethernet protocol, and a traffic behavior pattern describing the legal traffic behavior features of the industrial Ethernet protocol, and
the behavior pattern describing the attack signature of that protocol comprises a time behavior pattern describing the illegal time behavior features for that protocol.
5. A device for industrial Ethernet frame depth detection, comprising:
a detection module for, when an industrial Ethernet frame is intercepted, detecting whether the intercepted industrial Ethernet frame is legal according to a pattern describing the legal features of the industrial Ethernet protocol and/or the attack signature of that protocol; and
a discard/alarm module for discarding the intercepted industrial Ethernet frame and/or raising an alarm if the detection result is negative.
6. The device of claim 5, wherein
the pattern describing the legal features of the industrial Ethernet protocol and/or the attack signature of that protocol comprises a behavior pattern describing the legal features of the industrial Ethernet protocol and/or a behavior pattern describing the attack signature of that protocol, and
the detection module comprises:
a checking module for checking whether the intercepted industrial Ethernet frame matches the behavior pattern describing the legal features of the industrial Ethernet protocol and/or the behavior pattern describing the attack signature of that protocol; and
a determination module for determining that the intercepted industrial Ethernet frame is illegal if the check result shows that the intercepted industrial Ethernet frame does not match the behavior pattern describing the legal features of the industrial Ethernet protocol and/or matches the behavior pattern describing the attack signature of that protocol.
7. The device of claim 6, wherein
the pattern describing the legal features of the industrial Ethernet protocol and/or the attack signature of that protocol further comprises a grammatical pattern describing the legal features of the industrial Ethernet protocol and/or a grammatical pattern describing the attack signature of that protocol,
the checking module is further for detecting whether the payload carried by the intercepted industrial Ethernet frame matches the grammatical pattern describing the legal features of the industrial Ethernet protocol and/or the grammatical pattern describing the attack signature of that protocol, and
the determination module is further for determining that the intercepted industrial Ethernet frame is illegal if the detection result shows that the payload does not match the grammatical pattern describing the legal features of the industrial Ethernet protocol and/or matches the grammatical pattern describing the attack signature of that protocol.
8. The device of claim 6 or claim 7, wherein
the behavior pattern describing the legal features of the industrial Ethernet protocol comprises at least one of a time behavior pattern describing the legal time behavior features of the industrial Ethernet protocol, a channel behavior pattern describing the legal channel behavior features of the industrial Ethernet protocol, and a traffic behavior pattern describing the legal traffic behavior features of the industrial Ethernet protocol, and
the behavior pattern describing the attack signature of that protocol comprises a time behavior pattern describing the illegal time behavior features for that protocol.
9. Equipment for industrial Ethernet frame depth detection, comprising:
a memory for storing executable instructions; and
a processor for performing, according to the executable instructions stored in the memory, the steps included in any one of claims 1 to 4.
10. A machine-readable medium storing executable instructions which, when executed, cause a machine to perform the steps included in any one of claims 1 to 4.
CN201310102778.9A 2013-03-27 2013-03-27 Method and device for detecting depth of industrial Ethernet data frame Pending CN104079444A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310102778.9A CN104079444A (en) 2013-03-27 2013-03-27 Method and device for detecting depth of industrial Ethernet data frame

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310102778.9A CN104079444A (en) 2013-03-27 2013-03-27 Method and device for detecting depth of industrial Ethernet data frame

Publications (1)

Publication Number Publication Date
CN104079444A true CN104079444A (en) 2014-10-01

Family

ID=51600500

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310102778.9A Pending CN104079444A (en) 2013-03-27 2013-03-27 Method and device for detecting depth of industrial Ethernet data frame

Country Status (1)

Country Link
CN (1) CN104079444A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301177A (en) * 2014-10-08 2015-01-21 清华大学 CAN message abnormality detection method and system
CN106130854A (en) * 2016-06-23 2016-11-16 北京东土科技股份有限公司 Industrial process control system based on industry internet
CN106125680A (en) * 2016-06-23 2016-11-16 北京东土科技股份有限公司 Industrial stokehold data safety processing method based on industry internet and device
CN107222508A (en) * 2017-07-14 2017-09-29 国家计算机网络与信息安全管理中心 Safety access control method, equipment and system
CN108712406A (en) * 2018-05-07 2018-10-26 广东电网有限责任公司 Invalid data source retroactive method, device, user terminal and computer storage media
CN110719250A (en) * 2018-07-13 2020-01-21 中国科学院沈阳自动化研究所 Powerlink industrial control protocol anomaly detection method based on PSO-SVDD

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1558608A (en) * 2004-01-13 2004-12-29 重庆邮电学院 TCP/IP based method and system for realizing safety strategy for industrial control networks
CN101159718A (en) * 2007-08-03 2008-04-09 重庆邮电大学 Embedded type industry ethernet safety gateway
CN101728869A (en) * 2009-11-10 2010-06-09 重庆大学 Power station automation system data network security monitoring method
CN102438026A (en) * 2012-01-12 2012-05-02 冶金自动化研究设计院 Industrial control network security protection method and system
CN102474444A (en) * 2009-07-02 2012-05-23 Abb研究有限公司 A method of limiting the amount of network traffic reaching a local node operating according to an industrial Ethernet protocol


Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301177A (en) * 2014-10-08 2015-01-21 清华大学 CAN message abnormality detection method and system
CN104301177B (en) * 2014-10-08 2018-08-03 清华大学 CAN message method for detecting abnormality and system
CN106130854A (en) * 2016-06-23 2016-11-16 北京东土科技股份有限公司 Industrial process control system based on industry internet
CN106125680A (en) * 2016-06-23 2016-11-16 北京东土科技股份有限公司 Industrial stokehold data safety processing method based on industry internet and device
CN106125680B (en) * 2016-06-23 2018-09-11 北京东土科技股份有限公司 Industrial stokehold data safety processing method based on industry internet and device
CN107222508A (en) * 2017-07-14 2017-09-29 国家计算机网络与信息安全管理中心 Safety access control method, equipment and system
CN107222508B (en) * 2017-07-14 2020-08-25 国家计算机网络与信息安全管理中心 Security access control method, device and system
CN108712406A (en) * 2018-05-07 2018-10-26 广东电网有限责任公司 Invalid data source retroactive method, device, user terminal and computer storage media
CN110719250A (en) * 2018-07-13 2020-01-21 中国科学院沈阳自动化研究所 Powerlink industrial control protocol anomaly detection method based on PSO-SVDD
CN110719250B (en) * 2018-07-13 2021-07-06 中国科学院沈阳自动化研究所 Powerlink industrial control protocol anomaly detection method based on PSO-SVDD

Similar Documents

Publication Publication Date Title
CN104079444A (en) Method and device for detecting depth of industrial Ethernet data frame
EP2382512B1 (en) Communication module with network isolation and communication filter
US11363035B2 (en) Configurable robustness agent in a plant security system
US9130983B2 (en) Apparatus and method for detecting abnormality sign in control system
Radoglou-Grammatikis et al. Attacking iec-60870-5-104 scada systems
KR102414860B1 (en) Network probes and methods for processing messages
CN108574698B (en) Method for carrying out network security protection on Internet of things system
CN104767748B (en) Opc server security protection system
US10341293B2 (en) Transparent firewall for protecting field devices
KR101736223B1 (en) Security methods and apparatus for industrial networks
US20140298008A1 (en) Control System Security Appliance
CN105847251B (en) Using the industrial control system safety protecting method and system of S7 agreements
CN106506527B (en) A method of the defence connectionless flood attack of UDP
CN104519065A (en) Implementation method of industrial control firewall supporting Modbus TCP protocol filtering
CN104539600A (en) Industrial control firewall implementing method for supporting filtering IEC 104 protocol
Satyanarayana Detection and blocking of replay, false command, and false access injection commands in scada systems with modbus protocol
CN106888185B (en) industrial network safety protection method based on serial link
CN105049403A (en) Power distribution network control system safety protection method and system
CN106375273A (en) Automation network and method of surveillance for security of the transmission of data packets
JP5091975B2 (en) Information processing apparatus and information processing system
CN115834218A (en) Safety protection method and system for scheduling data network multistage blocking
KR101453980B1 (en) Packet relay and transmission apparatus for semiconductor manufacturing equipment
CN208459797U (en) A kind of industry control security terminal
Kerschbaum et al. A framework for establishing performance guarantees in industrial automation networks
CN112261032A (en) Industrial internet network security protection method and system based on real-time data transmission

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20141001