Industrial firewall rule base analysis method based on an orthogonal list
Technical field
The invention belongs to the field of industrial firewall network security and specifically relates to an industrial firewall rule base analysis method based on an orthogonal list (cross-linked list).
Background technology
After an industrial firewall is deployed in an industrial control network, it safeguards the security of the industrial control network environment. The protected environment comprises the specific assets in that environment and also the relations between those assets. The relations between assets are usually embodied in the data flows exchanged between them.
The administrator explicitly defines which data flows between assets are allowed, so that normal exchanges between assets are permitted. For example: the temperature measurement system of an oil-refining industrial computer regularly obtains the current pressure value of a certain high-pressure valve.
The administrator also explicitly defines which data flows between assets are abnormal and must be blocked. For example: the temperature measurement system of the oil-refining industrial computer sends a reset command to the pressure regulator detector in the system.
The whole set of asset data flows that the administrator defines as allowed or blocked constitutes the rule base of the industrial firewall. Through the rule base for a particular industrial control network environment, the industrial firewall manages and controls the security of that environment.
Every packet that passes through the industrial firewall in the protected environment of the industrial control network is processed by the firewall and either passed or blocked.
Industrial control networks contain many key services with high real-time requirements, whose reaction time is required to be at the second or even millisecond level.
In a complex industrial control network environment the number of rules exceeds 8,000. Moreover, the industrial protocols carried in packets are of many kinds, with widely varying formats and identification contents. How to improve rule matching speed and processing performance without reducing the security capability of the industrial firewall is a problem that industrial firewalls urgently need to solve.
Packet filtering refers to analyzing and selecting packets at the network layer. Whether a packet is allowed to pass is determined by checking, for each packet in the data flow, factors such as the source IP address, destination IP address, source port number, destination port number, protocol type, or a combination of them.
Stateful packet inspection is a functional extension of conventional packet filtering. A stateful inspection firewall has an inspection engine at the network layer that intercepts packets and extracts the information relevant to the application-layer state, and on that basis decides whether the connection is accepted or refused.
Deep packet inspection (DPI) is a traffic detection and control technology based on the application layer. When IP packets, TCP or UDP flows pass through a bandwidth management system based on DPI, the system reassembles the application-layer message of the OSI seven-layer model by reading the content of the IP payload in depth, thereby obtaining the content of the whole application, and then performs shaping operations on the traffic according to the management policy defined for the system.
The prior art mainly comprises three kinds, each with its own significant advantages, but with serious shortcomings as well.
The first, shown in Fig. 1, is the technique that does not organize the rules at all: the packet is parsed once for each rule until some rule matches, at which point processing ends. Every rule is a packet parsing filter. This method has a clear program structure and simple logic, but packet parsing is required for every rule in order to complete the rule match decision, so overall processing efficiency is low.
The second, shown in Fig. 2, organizes the rules to some extent by protocol type. Rules are arranged into sets according to protocol type, and the packet is processed against each set of rules until some rule matches, at which point processing ends. Rule groups generally use a linked-list organization, usually forming array-type rule data structures by protocol type; the rule group for the corresponding protocol is processed once the packet has been parsed down to a certain layer. This technique reduces the number of packet parsings somewhat, but packet parsing still has to be repeated many times for the various deep content analyses of the application, so overall processing efficiency improves only to a degree.
The third arranges the rules to some extent by protocol type. Array-type rule data structures are usually formed by protocol type, and the rule group for the corresponding protocol is processed once the packet has been parsed down to a certain layer. This technique reduces the number of packet parsings somewhat, but packet parsing still has to be repeated many times for the various deep content analyses of the application, so overall processing efficiency improves only to a degree.
All existing techniques start from the rules and parse the packet for each of them. When the rules differ greatly, repeated parsing of the packet to extract the given content cannot be avoided.
Summary of the invention
To solve the problems in the background art, the present invention proposes a rule base analysis method specifically applied in industrial control networks. By adopting the organizational form of an orthogonal list to combine protocol, content and rules organically, it achieves the goal of parsing a packet once while traversing all rules of the industrial firewall. This greatly improves the packet processing capability of the industrial firewall, improves the speed of rule base analysis of packets in the industrial control network, and meets the low-latency requirement that the industrial control network places on packets.
The technical scheme of the present invention is:
An industrial firewall rule base analysis method based on an orthogonal list, characterized in that its steps are as follows:
Step 1: in the industrial control network environment, the system administrator performs a security analysis of the network environment and determines the security rule set, which consists of specific rules 0 to N, where N is a positive integer greater than 1, and defines every rule; rule N is the last rule, added by default, and is defined as blocking the packet and reporting;
Step 2: the system generates the corresponding orthogonal list from the security rule set input by the system administrator;
Step 3: the system performs a merge operation on the orthogonal list, normalizing identical content; after merging, the data structure is still an orthogonal list;
Step 4: according to the row index data of the orthogonal list, the data set that needs to be extracted from the packet under this security rule set is determined;
Step 5: each column node of the orthogonal list is checked in turn, the data set contents are extracted according to the protocol, and the match condition of each node is decided;
Step 6: the intersection of the matching rule sets of all nodes is taken, and whether there is a matched rule and how many rules match is determined; if there is exactly one matched rule, the packet is processed according to that rule's definition; if there is more than one matched rule, the packet is processed according to the definition of the first matched rule and the administrator is notified; if there is no matched rule, rule N is executed, namely the packet is blocked and reported.
In a further improved scheme, N=8 and the orthogonal list has 9 rows and 7 columns; the 9 rows correspond to the 8 rules plus the row header, and the 7 columns correspond to 6 fields plus the column header. The 6 fields are: protocol, server IP address, client IP address, URL, web page content, and industrial control protocol content.
An industrial control protocol is a message transfer protocol between devices in an industrial control network. Through the industrial control protocol, the host computer performs operations on devices such as measuring instruments in the industrial control network. Industrial control protocol content refers to the concrete instruction content carried in the industrial control protocol, generally comprising: function code + content + CRC check code, for example: function code: write operation, content: register No. 1; or function code: read operation, content: register No. 1.
The innovations of the present invention are:
1. The industrial control network rule set is constructed with an orthogonal list structure.
2. The rules form the transverse axis and the rule judgment conditions form the longitudinal axis.
3. Nodes of the same class are merged, reducing the number of nodes that need to be processed.
4. The packet deep analysis engine is invoked dynamically according to the protocol situation of the rules in the orthogonal list.
5. By analyzing the node situation during the orthogonal list analysis process, nodes that do not need processing are dynamically excluded.
The beneficial effects of the present invention are:
The present invention organizes the rules of the rule base in the form of an orthogonal list. While retaining the rule (row) form, each rule condition (column) is analyzed to obtain the relations between the rules in the rule set, forming the rule set orthogonal list. With the rule set orthogonal list, rule base analysis can be completed by parsing the packet only once, which reduces repeated packet parsing. The efficiency gain is particularly notable when the rule base contains a large number of rules that require deep analysis.
Through the flexible combination of rules in the orthogonal list, the time and space utilization of rule base packet analysis processing are improved.
The rule orthogonal list sorts the dependence, mutual exclusion, inclusion and equality relations between rule conditions. During node analysis of the orthogonal list, dependent and mutually exclusive nodes can be removed dynamically, inclusion nodes are judged simply, and equal nodes are merged, thereby reducing the number of rule base analysis nodes and improving analysis efficiency.
Adopting the technology of the present invention greatly improves the rule base analysis speed of packets in the industrial control network and meets the low-latency requirement that the industrial control network places on packets.
Description of drawings
Fig. 1 is the flow chart of the prior-art technique that does not organize the rules.
Fig. 2 is the flow chart of the prior-art technique that organizes the rules to some extent by protocol type.
Fig. 3 is the flow chart of the overall technical architecture of the present invention.
Fig. 4 is the detailed flow chart of step 2 of the scheme of the present invention.
Fig. 5 is the detailed flow chart of step 3 of the scheme of the present invention.
Fig. 6 is the detailed flow chart of step 4 of the scheme of the present invention.
Fig. 7 is the flow chart of processing the rule orthogonal list according to the obtained contents in step 5 of the scheme of the present invention.
Embodiment
Fig. 3 describes the overall technical architecture of the present invention.
An industrial firewall rule base analysis method based on an orthogonal list, whose steps are as follows:
Step 1: in the industrial control network environment, the system administrator performs a security analysis of the network environment and determines the security rule set, which consists of specific rules 0 to N, where N is a positive integer greater than 1, and defines every rule; rule N is the last rule, added by default, and is defined as blocking the packet and reporting;
Step 2: the system generates the corresponding orthogonal list from the security rule set input by the system administrator;
Step 3: the system performs a merge operation on the orthogonal list, normalizing identical content; after merging, the data structure is still an orthogonal list;
Step 4: according to the row index data of the orthogonal list, the data set that needs to be extracted from the packet under this security rule set is determined;
Step 5: each column node of the orthogonal list is checked in turn, the data set contents are extracted according to the protocol, and the match condition of each node is decided;
Step 6: the intersection of the matching rule sets of all nodes is taken, and whether there is a matched rule and how many rules match is determined; if there is exactly one matched rule, the packet is processed according to that rule's definition; if there is more than one matched rule, the packet is processed according to the definition of the first matched rule and the administrator is notified; if there is no matched rule, rule N is executed, namely the packet is blocked and reported.
The technical scheme of the present invention is set forth in detail below in conjunction with Figs. 4-7.
First step: in the industrial control network environment, the system administrator performs a security analysis of the network environment and determines the concrete security rules:
Rule 0: analyze the packet
Command parameter: --analyze
Note: this is a rule added by default, placed before all other filtering rules.
Rule 1: allow the statistical department to access the historical data management server (assumed to be 192.168.100.22, accessed over HTTP)
--filter http --where:server-ip:192.168.100.22;client-ip:@statistical department -j ACCEPT_LOG
--filter http --where:server-ip:192.168.100.22 -j DROP_LOG
Note: "@statistical department" is an IP address group, which can comprise one or more IP addresses or IP ranges; it is configured with a command such as "--add ip.statistical department:192.168.1.0/24,192.168.2.0/24".
Rule 2: do not allow access to forbidden websites, do not allow banned words to appear in web pages, and let all other HTTP traffic through (web access allows employees to consult reference materials)
Command parameters:
--filter http --where:url:@forbidden website;client-ip:@full company -j DROP_LOG
--filter http --where:content:@banned word;client-ip:@full company -j DROP_LOG
--filter http --where:client-ip:@full company -j ACCEPT_LOG
Rule 3: monitor the industrial control protocol; only the production division is allowed to send operation actions, the superintendent office and the administrative department may check (but not operate), and all other departments are not allowed access at all:
Command parameters:
--filter industrial control protocol --where:industrial control command:@operates;client-ip:@production division -j ACCEPT_LOG
--filter industrial control protocol --where:industrial control command:@checks;client-ip:@superintendent office,@administrative department -j ACCEPT_LOG
--filter industrial control protocol -j DROP_LOG
Rule N: all remaining packets are blocked and reported in the log
Command parameter:
-j DROP_LOG
Note: this is the last rule, added by default.
Note: @action represents an action set.
Second step: as shown in Fig. 4, the system generates the corresponding orthogonal list from the rule set input by the administrator:
The orthogonal list has 9 rows and 7 columns.
The 9 rows correspond to the 8 rules plus the row header.
The 7 columns correspond to the 6 fields plus the column header: (1) protocol (2) server IP address (3) client IP address (4) URL (5) web page content (6) industrial control protocol content.
Third step: as shown in Fig. 5, the system performs a merge operation on the orthogonal list, normalizing identical content. After merging, the data structure is still an orthogonal list.
The server IP address nodes are merged into a single node, 192.168.100.22, which records that rules 1 and 2 correspond to a match of this node; the client IP address nodes are merged into one, recording the rules corresponding to each different matching result;
The industrial control protocol nodes are merged into one, recording the rules corresponding to each different matching result;
The protocol nodes are merged into two, recording the rules corresponding to each different matching result.
Fourth step: as shown in Fig. 6, according to the row index data of the orthogonal list, the data set that needs to be extracted from the packet under this rule set is determined.
By parsing the packet once, the corresponding contents are obtained. The data parsing process is the standard ISO/OSI de-encapsulation of the packet. Depending on the protocol the packet belongs to, the contents of the data set formed after parsing may differ.
This is explained below with the parsing process of an HTTP packet:
A packet is captured from the administrative department accessing a profile website. The packet uses the HTTP protocol, the server IP address is 192.168.100.56, the client IP address belongs to the @administrative department group, the URL is not in @forbidden website, and the web page content is not in @banned word.
Fifth step: as shown in Fig. 7, each column node of the orthogonal list is checked in turn, the data set contents are extracted according to the protocol, and the match condition of each node is decided.
The first column requires the protocol to be analyzed. Only the two protocols "http" and "industrial control protocol" are present here, so only these two protocol analysis modules are enabled for deep monitoring, and analysis modules for other protocols are not enabled.
It is detected that this client IP does not belong to @production division, so rule 6 is already rejected at the 3rd column (client-ip); therefore, in the "industrial control protocol" column only the "@checks" action needs to be judged, and the "@operates" action does not. In a traditional analysis engine, when processing rules 6 and 7, each processing pass needs to parse the industrial control protocol in detail, extract the operation action from it, and then compare separately whether it is "operate" and whether it is "check". The orthogonal list thus reduces unnecessary repeated deep packet detection actions.
The rule orthogonal list is processed according to the obtained contents, as shown in Fig. 7.
According to the node matching results of processing the orthogonal list, the rule columns are traversed, and the matching rule set of each node, column by column, is as follows:
Column 1 (protocol): rules 1, 2, 3, 4, 5
Column 2 (server IP address): rules 3, 4, 5, 6, 7, 8
Column 3 (client IP address): rules 2, 3, 4, 5, 7, 8
Column 4 (URL): rules 1, 2, 4, 5, 6, 7, 8
Column 5 (web page content): rules 1, 2, 3, 5, 6, 7, 8
Column 6 (industrial control protocol content): rules 1, 2, 3, 4, 5, 8
Sixth step: the intersection of the matching rule sets of all nodes is taken, and whether there is a matched rule and how many rules match is determined. Rule 5 matches at every node, so this HTTP packet is passed according to the allowed data flow defined by rule 5.
In a concrete implementation the orthogonal list nodes may also be left unmerged. Instead, the node information of the orthogonal list is extracted and saved in a linked-list structure. The subsequent rule base analysis process then works on this information linked list, with the same processing as in the technical scheme above, and the rule matching results are stored back into the orthogonal list. Whether a rule matches is judged according to the longitudinal index of the orthogonal list, by checking whether any entry in the row fails to match.
The above method is a variation of the technology of the present invention; the basis of processing is still the orthogonal list, only the rule condition information is not stored in the orthogonal list but in some other data structure, such as an array, a set, or a linked list.
The above implementation is only intended to illustrate the technical scheme of the present invention, not to limit it. Those skilled in the art may modify the foregoing technical scheme or make equivalent replacements of some of its technical features, and such modifications or replacements do not cause the essence of the corresponding technical scheme to depart from the spirit and scope of the technical scheme of the present invention.
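The following Python example is added here to illustrate steps 2 to 6 and the worked HTTP case above; it is not code from the patent. It assumes the eight rules of the first step (numbered 1 to 8 in command-line order, with rule N as the default), treats address groups such as "@full company" as opaque labels rather than IP ranges, and takes the packet as an already-parsed field dictionary.

```python
from typing import Dict, FrozenSet, Set

# Column order of the orthogonal list: the six condition fields.
FIELDS = ("protocol", "server_ip", "client_ip", "url", "content", "ics_cmd")

def fs(*items: str) -> FrozenSet[str]:
    return frozenset(items)

# Constructed rule set mirroring the embodiment's rules 1..8. Group labels are
# assumptions: a packet's client_ip carries every group the client belongs to.
RULES = {
    1: ({"protocol": fs("http"), "server_ip": fs("192.168.100.22"),
         "client_ip": fs("@statistics")}, "ACCEPT_LOG"),
    2: ({"protocol": fs("http"), "server_ip": fs("192.168.100.22")}, "DROP_LOG"),
    3: ({"protocol": fs("http"), "url": fs("@forbidden"), "client_ip": fs("@company")}, "DROP_LOG"),
    4: ({"protocol": fs("http"), "content": fs("@banned"), "client_ip": fs("@company")}, "DROP_LOG"),
    5: ({"protocol": fs("http"), "client_ip": fs("@company")}, "ACCEPT_LOG"),
    6: ({"protocol": fs("ics"), "ics_cmd": fs("@operate"), "client_ip": fs("@production")}, "ACCEPT_LOG"),
    7: ({"protocol": fs("ics"), "ics_cmd": fs("@check"),
         "client_ip": fs("@supervision", "@admin")}, "ACCEPT_LOG"),
    8: ({"protocol": fs("ics")}, "DROP_LOG"),
}
RULE_N = (max(RULES) + 1, "DROP_LOG")   # default last rule: block and report

def build_cross_list(rules) -> Dict[str, Dict[FrozenSet[str], Set[int]]]:
    """Steps 2 and 3: one column per field; identical conditions in a column
    are merged into one node that records every rule using that condition."""
    cols: Dict[str, Dict[FrozenSet[str], Set[int]]] = {f: {} for f in FIELDS}
    for rid, (cond, _) in rules.items():
        for field, value in cond.items():
            cols[field].setdefault(value, set()).add(rid)
    return cols

def column_matches(cols, field, packet, rule_ids) -> Set[int]:
    """Step 5 for one column: rules with no condition on this field are not
    excluded; a merged node matches when it shares a value with the packet."""
    constrained = set().union(*cols[field].values())
    allowed = rule_ids - constrained
    for node, rids in cols[field].items():
        if node & packet.get(field, frozenset()):
            allowed |= rids
    return allowed

def evaluate(rules, packet):
    """Steps 4-6: the packet is parsed once into a field dict, per-column sets
    are intersected, the first match is applied, else rule N. Returns
    (rule id, action, administrator-report flag, per-column sets)."""
    cols = build_cross_list(rules)
    per_column = {f: column_matches(cols, f, packet, set(rules)) for f in FIELDS}
    matched = set(rules).intersection(*per_column.values())
    if not matched:
        return RULE_N[0], RULE_N[1], False, per_column
    first = min(matched)                 # first matched rule decides
    return first, rules[first][1], len(matched) > 1, per_column  # >1: report

# Constructed packet from the embodiment: administrative department over HTTP.
HTTP_PKT = {"protocol": fs("http"), "server_ip": fs("192.168.100.56"),
            "client_ip": fs("@admin", "@company"), "url": fs(), "content": fs(), "ics_cmd": fs()}
```

Running `evaluate(RULES, HTTP_PKT)` reproduces the six per-column rule sets listed above and selects rule 5; an industrial-control packet with an @operate command from the production division matches rules 6 and 8, so rule 6 is applied and the administrator is notified.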