CN104735043A - Method for preventing suspicious data package from attacking PLC via industrial Ethernet - Google Patents


Info

Publication number: CN104735043A
Authority: CN (China)
Prior art keywords: plc, data package, industrial ethernet, suspicious data, depth
Legal status: Pending
Application number: CN201310755533.6A
Other languages: Chinese (zh)
Inventors: 谷永国, 何迪江
Current assignee: BEIJING LIKONG HUACON TECHNOLOGY Co Ltd
Original assignee: BEIJING LIKONG HUACON TECHNOLOGY Co Ltd
Application filed by BEIJING LIKONG HUACON TECHNOLOGY Co Ltd
Priority to CN201310755533.6A
Publication of CN104735043A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic > H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

Provided is a method for preventing a suspicious data package from attacking a PLC via an industrial Ethernet. The method comprises the following steps: a protecting device is arranged between a user computer and the PLC; the data package in the industrial Ethernet network is intercepted and analyzed by the protecting device; the analysis result is compared with a preset rule in the protecting device, and the corresponding depth defense module is searched; a specific analysis of the protocol is carried out by the depth defense module; based on the judgment of the depth defense module, passing of the data package is prevented or allowed. The method is based on deep packet inspection technology: an in-depth analysis and inspection is carried out on the application layer content of any data package that tries to access the PLC, and a suspicious data package is blocked, so that attacking behaviors targeting a PLC register are prevented. Once a suspicious data package is intercepted, besides rejecting the suspicious data package from entering the protected area, the TCP connection can be reset, or a data package which indicates an error can be sent to the upper computer, and the attacking behavior is alerted, so that attacks from hackers or viruses are effectively intercepted and the safety of the data in the PLC is protected.

Description

Method for preventing a suspicious data packet from attacking a PLC via Industrial Ethernet
Technical field
The present invention relates to the field of Industrial Ethernet security technology, and in particular to a method for preventing a suspicious data packet from attacking a PLC via Industrial Ethernet.
Background technology
With the arrival of the networked information era, China's industrial model has changed dramatically: the "information island" pattern has been thoroughly broken, enterprises are fully networked, and production data can easily be analysed at large scale, which not only raises production efficiency but also advances the national strategy of energy saving and emission reduction. The benefits that informatisation brings to industry are obvious, but the network information security problems that come with it are alarming.
A commercial firewall is a common kind of network security device and the protective equipment most frequently used at the network boundary. It generally provides packet filtering, auditing and alarm mechanisms, NAT, proxying, flow control and so on. Packet filtering is the most important of these functions: the basic principle is to check and filter each network packet that passes through, examining the essential information available in the packet (source and destination address, port number, protocol, etc.) and comparing it with the configured rules; a legitimate packet is cleared to pass, and a packet that deviates from a rule is rejected and dropped. A commercial firewall therefore has a strong ability to resist attacks and intrusions.
A commercial firewall is designed according to the security requirements of an office network; it can filter packets of most general-purpose network protocols used in office networks (such as HTTP and FTP) and provides effective protection for such networks. However, for packets of the industrial communication protocols used in industrial networks (application-layer protocols such as Modbus and OPC), a commercial firewall can only perform shallow packet filtering at the network and transport layers; it cannot perform deep inspection of the application-layer data in the packet. Commercial firewalls therefore have clear limitations and cannot meet the requirements of industrial networks.
Industrial networks run various process control systems such as DCS, PLC and SCADA, which are usually the core of the production system and carry out basic production control. If these control systems are intruded upon or damaged, industrial production is affected, the enterprise may suffer great economic loss, and the life safety of production personnel may even be endangered. Ensuring the secure operation of these control systems is therefore very important, but a traditional commercial firewall cannot safeguard an industrial network. The automation industry urgently needs an industrial firewall dedicated to industrial networks that can effectively inspect and filter industrial communication protocols.
A PLC (Programmable Logic Controller) is commonly used for industrial real-time control. PLC users frequently exchange data between a host computer and the PLC over Ethernet, collecting production status and issuing control commands. If a hacker or virus enters the computer and attempts to destroy the data in the PLC, a production accident will result; this is a malicious attack.
Summary of the invention
To solve the above technical problems, the invention provides a method for preventing a suspicious data packet from attacking a PLC via Industrial Ethernet.
To achieve the above object, the technical solution disclosed by the invention is as follows:
A method for preventing a suspicious data packet from attacking a PLC via Industrial Ethernet comprises the following steps:
Step 1: a protective device is arranged between the user computer and the PLC;
Step 2: the protective device intercepts and analyses the packets in the Industrial Ethernet network;
Step 3: the analysis result is compared with the preset rules in the protective device, and the corresponding depth defense module is looked up;
Step 4: the depth defense module parses the protocol in detail;
Step 5: according to the judgement of the depth defense module, the packet is blocked or allowed to pass.
Further, the method also comprises step 6: the packet is dropped, allowed to pass, or subjected to other operations.
Further, the other operations comprise a TCP reset and/or an abnormal reply.
Further, the method also comprises step 4': outputting a depth defense log.
Further, the method also comprises step 5': outputting firewall alert information.
The invention is based on deep packet inspection technology: it performs in-depth analysis and inspection of the application-layer content of packets attempting to access the PLC and blocks suspicious packets, so as to stop attacks on the PLC registers. Once a suspicious packet is intercepted, besides being refused entry into the protected area, it is handled according to the configured processing method: the TCP connection is reset, or a packet indicating an error is sent to the host computer, and an alarm is raised for the attack, so that packets from misoperation or malicious attacks are prevented from entering the PLC. Attacks from hackers and viruses are effectively intercepted and the safety of the data in the PLC is protected.
Brief description of the drawings
Fig. 1 is the flow chart of the invention;
Fig. 2 is a schematic diagram of one embodiment of the invention.
Detailed description
To make the object, technical solution and advantages of the invention clearer, the invention is further elaborated below in conjunction with the drawings and embodiments. It should be understood that the specific embodiments described here only explain the invention and are not intended to limit it.
Fig. 1 is the flow chart of the invention. As shown in Fig. 1, the method for preventing a suspicious data packet from attacking a PLC via Industrial Ethernet comprises the following steps:
Step 1: a protective device is arranged between the user computer and the PLC;
Step 2: the protective device intercepts and analyses the packets in the Industrial Ethernet network;
Step 3: the analysis result is compared with the preset rules in the protective device, and the corresponding depth defense module is looked up;
Step 4: the depth defense module parses the protocol in detail;
Step 4': a depth defense log is output.
Step 5: according to the judgement of the depth defense module, the packet is blocked or allowed to pass.
Step 5': firewall alert information is output.
Step 6: the packet is dropped, allowed to pass, or subjected to other operations such as a TCP reset or an abnormal reply.
Fig. 2 is a schematic diagram of one embodiment of the invention. As shown in Fig. 2, the protective device first intercepts a packet in the Industrial Ethernet network and analyses every byte of the packet's entire application-layer content. Taking the Siemens communication protocol as an example, the following is the content of an intercepted packet message exchanged with a SIEMENS PLC:
03 00 00 1f 02 f0 80 32 01 00 00 03 23 00 0e 00 00 04 01 12 0a 10 05 00 0a 00 00 83 00 00 00
The value of the 18th byte is 04, indicating that the read/write attribute is "read";
The value of the 23rd byte is 05, indicating that the parsed data type is INT;
The value of the 28th byte is 83, indicating that the data register area is the M area;
...
After the packet analysis is complete, the extracted information is compared with the settings made in advance (the preset rules): if it matches completely, the packet is allowed to pass; if it does not match completely, it is refused. For the packet message above, suppose the configured content is: read/write attribute = read, data type = INT, data register area = M area. The packet message then fully conforms to this rule, and the packet is allowed into the protected area. Suppose instead that the configured read/write attribute is "write" and the data type is Real; the packet message then does not fully conform to the rule, and the packet is denied access to the protected area.
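The byte-level inspection and rule comparison of steps 2 to 6 and of the Fig. 2 walk-through, as an added Python example that is not code from the patent or its assignee. It parses the packet quoted above, checks the three fields the patent names at bytes 18, 23 and 28 against a preset rule, and maps the verdict to the log, alert and deny action of steps 4', 5' and 6. The table entries beyond the three values the patent gives (write = 0x05, REAL = 0x08, the I/Q/DB areas) are taken from public S7comm documentation, and the `Rule`, `parse_s7_request`, `inspect` and `handle` names are this example's own.

```python
from dataclasses import dataclass

# 0x04 = read, 0x05 = INT and 0x83 = M area are the values the patent quotes; the remaining
# entries are S7comm constants from public protocol documentation (assumption, not from the patent).
FUNCTION_CODES = {0x04: "read", 0x05: "write"}
TRANSPORT_SIZES = {0x01: "BIT", 0x02: "BYTE", 0x04: "WORD", 0x05: "INT",
                   0x06: "DWORD", 0x07: "DINT", 0x08: "REAL"}
AREAS = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB"}

@dataclass(frozen=True)
class Rule:
    """Preset rule for the protected data area: read/write attribute, data type, area, address range."""
    access: str
    data_type: str
    area: str
    max_byte_address: int = 0xFFFF

def parse_s7_request(packet: bytes) -> dict:
    """Extract the fields the protective device compares (1-based bytes 18, 23 and 28 in the patent).
    Raises ValueError for anything it cannot interpret; the caller turns that into a deny."""
    if len(packet) < 31 or packet[0] != 0x03 or packet[7] != 0x32:
        raise ValueError("not a TPKT/S7comm frame")
    if int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("TPKT length does not match frame size")
    if packet[8] != 0x01:                # ROSCTR 0x01 = job request
        raise ValueError("not a job request")
    if packet[18] != 0x01:               # item count: only the single-item layout the patent shows
        raise ValueError("multi-item request not supported")
    bit_address = int.from_bytes(packet[28:31], "big")   # 3-byte bit address after the area byte
    return {"access": FUNCTION_CODES.get(packet[17]),          # byte 18
            "data_type": TRANSPORT_SIZES.get(packet[22]),      # byte 23
            "area": AREAS.get(packet[27]),                     # byte 28
            "byte_address": bit_address >> 3}

def inspect(packet: bytes, rule: Rule) -> tuple:
    """Return (verdict, reason). Only a complete match allows the packet; everything else is denied."""
    try:
        fields = parse_s7_request(packet)
    except ValueError as exc:
        return "deny", f"parse error: {exc}"
    wanted = (("access", rule.access), ("data_type", rule.data_type), ("area", rule.area))
    mismatches = [name for name, want in wanted if fields[name] != want]
    if fields["byte_address"] > rule.max_byte_address:
        mismatches.append("byte_address")
    if mismatches:
        return "deny", "mismatch on " + ", ".join(mismatches)
    return "allow", "all rule fields match"

def handle(packet: bytes, rule: Rule, deny_action: str = "drop") -> dict:
    """Steps 4' to 6: depth-defense log, firewall alert on deny, and the configured action for a
    rejected packet ("drop", "tcp_reset" or "error_reply")."""
    verdict, reason = inspect(packet, rule)
    return {"verdict": verdict,
            "log": f"depth-defense: {verdict} ({reason})",
            "alert": None if verdict == "allow" else f"firewall alert: {reason}",
            "action": "forward" if verdict == "allow" else deny_action}

# The packet message quoted in the patent (host computer to Siemens PLC), "0500" split into two bytes.
PACKET = bytes.fromhex("03 00 00 1f 02 f0 80 32 01 00 00 03 23 00 0e 00 00 "
                       "04 01 12 0a 10 05 00 0a 00 00 83 00 00 00")

if __name__ == "__main__":
    print(handle(PACKET, Rule("read", "INT", "M")))                  # allowed
    print(handle(PACKET, Rule("write", "REAL", "M"), "tcp_reset"))   # denied
```

A truncated or multi-item frame is denied rather than forwarded, which is the fail-closed behaviour a device in front of a PLC should have.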
The device (protective device) used by the method of the invention is the device that the user computer must first pass through when connecting to the PLC. According to site conditions, the user can set up a protected secure data area in the PLC; the device compares and analyses each passing packet against the data type, data address range, data value range, read/write attributes and so on of the protected data area set by the user, which effectively intercepts attacks from hackers and viruses and protects the safety of the data in the PLC.
The above embodiment only expresses one implementation of the invention, and although its description is relatively concrete and detailed, it should not be interpreted as limiting the scope of the claims. It should be pointed out that a person of ordinary skill in the art can make several variations and improvements without departing from the inventive concept, all of which fall within the scope of protection of the invention. The scope of protection of the patent should therefore be determined by the appended claims.

Claims (5)

1. A method for preventing a suspicious data packet from attacking a PLC via Industrial Ethernet, characterized by comprising the following steps:
Step 1: a protective device is arranged between the user computer and the PLC;
Step 2: the protective device intercepts and analyses the packets in the Industrial Ethernet network;
Step 3: the analysis result is compared with the preset rules in the protective device, and the corresponding depth defense module is looked up;
Step 4: the depth defense module parses the protocol in detail;
Step 5: according to the judgement of the depth defense module, the packet is blocked or allowed to pass.
2. The method for preventing a suspicious data packet from attacking a PLC via Industrial Ethernet according to claim 1, characterized by further comprising step 6: the packet is dropped, allowed to pass, or subjected to other operations.
3. The method for preventing a suspicious data packet from attacking a PLC via Industrial Ethernet according to claim 2, characterized in that the other operations comprise a TCP reset and/or an abnormal reply.
4. The method for preventing a suspicious data packet from attacking a PLC via Industrial Ethernet according to claim 1, characterized by further comprising step 4': outputting a depth defense log.
5. The method for preventing a suspicious data packet from attacking a PLC via Industrial Ethernet according to claim 1, characterized by further comprising step 5': outputting firewall alert information.
CN201310755533.6A 2013-12-24 2013-12-24 Method for preventing suspicious data package from attacking PLC via industrial Ethernet Pending CN104735043A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310755533.6A CN104735043A (en) 2013-12-24 2013-12-24 Method for preventing suspicious data package from attacking PLC via industrial Ethernet

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310755533.6A CN104735043A (en) 2013-12-24 2013-12-24 Method for preventing suspicious data package from attacking PLC via industrial Ethernet

Publications (1)

Publication Number Publication Date
CN104735043A true CN104735043A (en) 2015-06-24

Family

ID=53458481

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310755533.6A Pending CN104735043A (en) 2013-12-24 2013-12-24 Method for preventing suspicious data package from attacking PLC via industrial Ethernet

Country Status (1)

Country Link
CN (1) CN104735043A (en)


Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101035111A (en) * 2007-04-13 2007-09-12 北京启明星辰信息技术有限公司 Intelligent protocol parsing method and device
CN101567888A (en) * 2008-12-29 2009-10-28 郭世泽 Safety protection method of network feedback host computer


Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104993976A (en) * 2015-07-07 2015-10-21 北京科技大学 Method and system for evaluating PLC safety protection equipment
WO2017004867A1 (en) * 2015-07-07 2017-01-12 北京科技大学 Device testing and evaluation method and system for plc security protection
CN104993976B (en) * 2015-07-07 2018-07-13 北京科技大学 A kind of PLC safety protection equipments assessment method and system
CN106534068A (en) * 2016-09-29 2017-03-22 广州华多网络科技有限公司 Method and device for cleaning forged source IP in DDOS (Distributed Denial of Service) defense system
CN106534068B (en) * 2016-09-29 2023-12-22 广州华多网络科技有限公司 Method and device for cleaning counterfeit source IP in DDOS defense system
CN109933001A (en) * 2019-04-11 2019-06-25 韩拥军 Firewall, method and system for programmable logic controller (PLC)
CN112305986A (en) * 2020-10-23 2021-02-02 广州大学 PLC protection system, method and medium based on verification separation
CN112305986B (en) * 2020-10-23 2021-08-17 广州大学 PLC protection system, method and medium based on verification separation


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150624