CN105337986B - Credible protocol conversion method and system - Google Patents

Info

Publication number: CN105337986B
Authority: CN (China)
Prior art keywords: outside access; access request; control system; white list; industrial control
Legal status: Active
Application number: CN201510809808.9A
Other languages: Chinese (zh)
Other versions: CN105337986A
Inventor: 陈惠欣
Current assignee: Master Technology (beijing) Co Ltd
Original assignee: Master Technology (beijing) Co Ltd

Application filed by Master Technology (beijing) Co Ltd
Priority to CN201510809808.9A
Publication of CN105337986A
Priority to PCT/CN2016/105419 (WO2017084535A1)
Application granted
Publication of CN105337986B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/08 Protocols for interworking; Protocol conversion

Abstract

The present invention provides a credible protocol conversion method for protocol conversion between a first industrial control system and a second industrial control system. The method includes: receiving an external access request addressed to the first industrial control system; judging the legitimacy of the external access request according to a preset white list, and judging the access type of the external access request, the type including data query requests and control operation requests; when the external access request is a data query request, packaging the status data queried from the first industrial control system according to the protocol of the second industrial control system and sending it to the second industrial control system; and when the external access request is a control operation request, packaging the control operation request according to the protocol of the first industrial control system and sending it to the first industrial control system. The present invention also provides a corresponding credible protocol conversion system. The present invention reduces the communication delay between industrial control systems and improves the reliability of communication between industrial control systems.

Description

Credible protocol conversion method and system
Technical field
The present invention relates to the field of industrial information technology, and more particularly to a credible protocol conversion method and system.
Background technology
With the rapid development of industrial automatic control, more and more industrial enterprises use their internal (or dedicated) networks to interconnect their process-specific equipment or industrial intelligent devices (Intelligent Electric Device, "IED" for short), forming a production control system network.
All types of industrial control network protocols are based on the ISO/OSI open systems interconnection model. The OSI reference model is divided into 7 layers; industrial control network communication protocols are simplified according to their own specific requirements, employing the physical layer, data link layer and network layer, while adding an application layer in consideration of the control functions and specific uses of field devices. Communication between heterogeneous networks requires conversion between different protocols, which can be completed by a gateway. A gateway, also referred to as an IP (Internet Protocol) converter, connects users of networks that use different communication protocols and realizes data transmission between the networks. The specific implementation of a protocol converter is technically tied to the protocols of the two specific networks it interconnects, so the protocol converters that support conversion between different network protocols are different. Since the definitions of the various industrial control network protocols in the physical layer, data link layer, network layer and application layer are substantially different, a protocol converter for industrial control protocols preferably takes the form of a protocol gateway and realizes the protocol conversion in the upper protocol layers.
Protocol conversion is the process of mapping one protocol A to another protocol B. During protocol conversion, the protocol conversion gateway analyzes the content of the protocol data packet according to the definition of protocol A, including the transmission control portion and the data portion of the data packet, and further analyzes the information of the data portion to determine the specific meaning of the data it contains. Through a data mapping definition table, the data in the protocol A data packet is converted into data content supported by the protocol B network; the data is then encapsulated into a data packet supporting network protocol B and transmitted over the protocol B network to the specified network device. During protocol conversion, the conversion of the protocol is mainly carried out in the network layer and the application layer.
As the trend toward control integration in industrial control systems gradually strengthens, industrial control systems are connected to information management systems and the Internet, and at the same time industrial control systems are becoming increasingly complex and have begun to make extensive use of common software, common hardware and general-purpose protocols. This gradually exposes the traditionally closed industrial control system, which now directly faces various threats from external networks, increasing the security risks of the industrial control system. An industrial control system typically develops from a simple stand-alone system into a complex networked system, and the design lacks protective measures between the subsystems, so that once a problem occurs in one region, the entire industrial control system network will soon be infected.
The traditional method of realizing industrial information security is to add an industrial firewall between the interconnected sub-industrial control systems in the industrial control system network. Although this approach solves the security risk to a certain extent, in this case the communication between the two industrial control systems requires the request information to pass through the "audit" of the industrial firewall and then through the conversion of the protocol converter, which leads to the problems of long communication delay and low reliability between industrial control systems. In addition, there is also an application-layer security risk caused by the fact that a general industrial firewall cannot effectively implement white list access control on application layer protocols once they have been fragmented at the link layer.
Summary of the invention
Embodiments of the present invention provide a credible protocol conversion method and system, for solving the problems of long communication delay and low reliability between existing industrial control systems.
According to one aspect of the invention, there is provided a credible protocol conversion method for protocol conversion between a first industrial control system and a second industrial control system, the method including:
receiving an external access request addressed to the first industrial control system;
judging the legitimacy of the external access request according to a preset white list, and judging the access type of the external access request, the type including data query requests and control operation requests;
when the external access request is a data query request, packaging the status data queried from the first industrial control system according to the protocol of the second industrial control system, and sending it to the second industrial control system;
when the external access request is a control operation request, packaging the control operation request according to the protocol of the first industrial control system, and sending it to the first industrial control system.
According to another aspect of the present invention, a credible protocol conversion system is also provided, including:
an access request receiving port, which receives the external access request addressed to the first industrial control system;
an access legitimacy/access type determination module, configured to judge the legitimacy of the external access request according to a preset white list, and to judge the access type of the external access request, the type including data query requests and control operation requests;
a status data acquisition module, configured to, when the external access request is a data query request, package the status data queried from the first industrial control system according to the protocol of the second industrial control system and send it to the second industrial control system;
a data packaging module, configured to, when the external access request is a control operation request, package the control operation request according to the protocol of the first industrial control system and send it to the first industrial control system.
The credible protocol conversion method and system of the embodiments of the present invention merge firewall technology with industrial protocol conversion technology to realize a security boundary for the industrial control system. By enhancing the security boundary protection capability of the industrial protocol converter, the inherent security protection function of the industrial protocol converter is strengthened. By combining the protocol conversion process with a white-list-based access control strategy, one set of equipment and one protocol analysis can realize application layer protocol conversion between two or more industrial control systems using different application layer protocols, together with industrial control system information security protection functions such as communication data packet filtering and blocking, intrusion detection and antivirus protection. This reduces the problems of long system delay and low reliability caused by traditional industrial control system protocol conversion and information security protection, which require the simultaneous deployment of two sets of equipment, a protocol converter and an industrial firewall.
Description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings required for describing the embodiments are briefly described below. It should be apparent that the accompanying drawings in the following description show only some embodiments of the present invention, and those of ordinary skill in the art can also obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow chart of one embodiment of the credible protocol conversion method of the present invention;
Fig. 2 is a flow chart of another embodiment of the credible protocol conversion method of the present invention;
Fig. 3 is a flow chart of yet another embodiment of the credible protocol conversion method of the present invention;
Fig. 4 is a flow chart of a further embodiment of the credible protocol conversion method of the present invention;
Fig. 5 is a schematic diagram of one embodiment of the credible protocol conversion system of the present invention;
Fig. 6 is a schematic diagram of another embodiment of the credible protocol conversion system of the present invention;
Fig. 7 is a schematic diagram of a further embodiment of the credible protocol conversion system of the present invention.
Specific embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are clearly and completely described below in conjunction with the accompanying drawings of the embodiments. It is clear that the described embodiments are only part of the embodiments of the present invention, not all of them. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without creative effort shall fall within the protection scope of the present invention.
It should be noted that, in the absence of conflict, the embodiments in the application and the features in the embodiments can be combined with each other.
It should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "comprising" and "including" cover not only the listed elements but also other elements that are not explicitly listed, or elements that are inherent to such a process, method, article or device. In the absence of further limitations, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
As shown in Fig. 1, the credible protocol conversion method of one embodiment of the present invention, for protocol conversion between a first industrial control system and a second industrial control system, includes:
S11, receiving an external access request addressed to the first industrial control system;
S12, judging the legitimacy of the external access request according to a preset white list, and judging the access type of the external access request, the access type including data query requests and control operation requests;
S13, when the external access request is a data query request, packaging the status data queried from the first industrial control system according to the protocol of the second industrial control system, and sending it to the second industrial control system;
S14, when the external access request is a control operation request, packaging the control operation request according to the protocol of the first industrial control system, and sending it to the first industrial control system.
White list technology can resist zero-day malware and targeted attacks, because by default no unauthorized software, tool or process can run on the endpoint. If malware attempts to install itself on an endpoint with white listing enabled, the white list technology determines that it is not a trusted process and denies it permission to run.
The credible protocol conversion method of the present embodiment merges firewall technology with industrial protocol conversion technology to realize a security boundary for the industrial control system. By enhancing the security boundary protection capability of the industrial protocol converter, the inherent security protection function of the industrial protocol converter is strengthened. By combining the protocol conversion process with a white-list-based access control strategy, one set of equipment and one protocol analysis can realize application layer protocol conversion between two or more industrial control systems using different application layer protocols, together with industrial control system information security protection functions such as communication data packet filtering and blocking, intrusion detection and antivirus protection. This reduces the problems of long system delay and low reliability caused by traditional industrial control system protocol conversion and information security protection, which require the simultaneous deployment of two sets of equipment, a protocol converter and an industrial firewall.
As shown in Fig. 2, in some embodiments, judging the legitimacy and access type of the external access request according to the preset white list includes:
S21, parsing the external access request in the network layer, and determining first feature parameters of the external access request;
S22, judging the legitimacy of the external access request according to the network layer white list and the first feature parameters; if it is illegal, blocking the external access request; if it is legal, judging the access type of the external access request.
By setting a white list in the network layer, the present embodiment realizes filtering of external requests and ensures the security and reliability of communication between industrial control systems.
Further, it is also possible to preset a white list for the application layer, and realize filtering of external requests in the application layer.
As shown in Fig. 3, in some embodiments the white list includes a network layer white list and an application layer white list, and judging the legitimacy of the external access request according to the preset white list includes:
S31, parsing the external access request in the network layer, and determining the first feature parameters of the external access request;
S32, judging the legitimacy of the external access request according to the network layer white list and the first feature parameters; if it is illegal, blocking the external access request; if it is legal, performing application layer packet assembly on the external access request to obtain an application layer data packet, and sending the application layer data packet to the application layer;
S33, parsing the application layer data packet in the application layer, and determining second feature parameters of the external access request;
S34, judging whether the external access request is legal according to the application layer white list and the second feature parameters; if it is illegal, blocking the external access request; if it is legal, judging the access type of the external access request.
In the present embodiment, the white list is divided into a network layer white list and an application layer white list, and white list filtering is applied to access requests in the network layer and in the application layer respectively, which further ensures the security and reliability of the entire industrial control system network. In addition, only one parse of the external access request packet is needed to complete white-list-based security authentication at both levels, so while security performance is improved and security risks are eliminated, the delay caused by repeated parsing is also reduced, ensuring the real-time performance and effectiveness of communication between industrial control systems.
In some embodiments, the network layer white list includes at least one of the protocol types, port numbers, MAC addresses and IP addresses allowed for each communication port of the first industrial control system, but is not limited to the contents listed above; the contents of the network layer white list can be modified according to demand. For example, when a communication port is dedicated to a single independent service, the contents of the network layer white list can be reduced, so as to reduce the time consumed by the filtering process and improve the real-time performance of communication between industrial control systems; when the communication port is a multi-functional multiplexed port (for example, converting multiple protocols for a user), the scope of the white list can be further expanded according to demand.
The application layer white list includes at least one of the communication request primitives allowed for each communication port of the first industrial control system, the data address ranges allowed to be read and written, the value ranges of the data allowed to be changed, and the change frequencies of the data allowed to be changed, but is not limited to the contents listed above; the contents of the application layer white list can be modified according to demand.
In some embodiments, different data point correlation rules are predefined according to different communication protocols, and a conversion relationship between the raw code value and the actual value can be established for each data point.
In some embodiments, after the external access request is blocked, a system log record and an alarm output signal are generated.
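As an added example (not the patent's or the assignee's code), a two-level white list filter following steps S31-S34 and the log-and-alarm behaviour on blocking: the network layer parameters (protocol, port, MAC, IP) are checked first, the application payload is then reassembled from several transport segments and checked against the application layer parameters (request primitive, address range, value range, change frequency), and a legal request is classified as a query or a control operation. The request field names, the text payload format and all sample values are constructed assumptions.

```python
"""Two-level white list filter (network layer, then application layer) for an
industrial protocol gateway, as an added illustration of steps S31-S34 above.
The request fields, the text payload format and all sample values are
constructed for this example; they are not from the patent or any vendor."""
import time
from dataclasses import dataclass, field


@dataclass
class NetworkWhitelist:          # network layer white list for one port
    protocols: set
    ports: set
    macs: set
    ips: set


@dataclass
class AppWhitelist:              # application layer white list for one port
    primitives: set              # allowed communication request primitives
    rw_ranges: list              # [(lo, hi)] addresses allowed to be read/written
    value_ranges: dict           # address -> (min, max) allowed for writes
    max_changes_per_min: dict    # address -> allowed change frequency


@dataclass
class Gateway:
    net_wl: NetworkWhitelist
    app_wl: AppWhitelist
    log: list = field(default_factory=list)
    alarm: list = field(default_factory=list)
    write_times: dict = field(default_factory=dict)   # address -> [timestamps]

    def block(self, req, reason):
        # S109: system log record plus alarm signal; the requester gets no reply
        self.log.append(f"BLOCK {req['src_ip']}->{req['dst_port']}: {reason}")
        self.alarm.append(reason)
        return None

    def network_check(self, req):
        # S31/S32: first feature parameters come straight from the headers
        for feature, allowed in (("proto", self.net_wl.protocols),
                                 ("dst_port", self.net_wl.ports),
                                 ("src_mac", self.net_wl.macs),
                                 ("src_ip", self.net_wl.ips)):
            if req[feature] not in allowed:
                return feature
        return None

    @staticmethod
    def reassemble(segments):
        # S104: the application payload may span several transport segments;
        # segments are (sequence number, bytes) and may arrive out of order
        return b"".join(data for _, data in sorted(segments))

    @staticmethod
    def parse_app(payload):
        # constructed text format: "<primitive> <address> [<value>]"
        parts = payload.decode("ascii").split()
        value = float(parts[2]) if len(parts) > 2 else None
        return {"primitive": parts[0], "address": int(parts[1]), "value": value}

    def app_check(self, app, now):
        # S33/S34: second feature parameters checked against the app white list
        addr = app["address"]
        if app["primitive"] not in self.app_wl.primitives:
            return "primitive"
        if not any(lo <= addr <= hi for lo, hi in self.app_wl.rw_ranges):
            return "address"
        if app["primitive"] == "write":
            bounds = self.app_wl.value_ranges.get(addr)
            if bounds is None or not bounds[0] <= app["value"] <= bounds[1]:
                return "value"                       # unlisted address: deny
            recent = [t for t in self.write_times.get(addr, []) if now - t < 60]
            if len(recent) >= self.app_wl.max_changes_per_min.get(addr, 0):
                return "frequency"                   # unlisted address: deny
            self.write_times[addr] = recent + [now]
        return None

    def handle(self, req, now=None):
        """Returns the access type of a legal request, or None if blocked."""
        now = time.time() if now is None else now
        reason = self.network_check(req)
        if reason:
            return self.block(req, "network layer: " + reason)
        app = self.parse_app(self.reassemble(req["segments"]))
        reason = self.app_check(app, now)
        if reason:
            return self.block(req, "application layer: " + reason)
        return "control" if app["primitive"] == "write" else "query"   # S106


def make_gateway():
    """Constructed white list library entry for gateway port 502."""
    return Gateway(
        NetworkWhitelist({"tcp"}, {502}, {"00:11:22:33:44:55"}, {"10.0.0.5"}),
        AppWhitelist({"read", "write"}, [(40001, 40010)],
                     {40002: (0.0, 100.0)}, {40002: 2}))


def make_request(primitive, address, value=None, src_ip="10.0.0.5"):
    """Constructed request whose payload is split over two transport segments."""
    text = f"{primitive} {address}" + (f" {value}" if value is not None else "")
    half = len(text) // 2
    return {"proto": "tcp", "dst_port": 502, "src_mac": "00:11:22:33:44:55",
            "src_ip": src_ip,
            "segments": [(1, text[half:].encode()), (0, text[:half].encode())]}
```

Addresses without a configured value range or change frequency are denied on write, so the white list library, not the code, decides what may be changed.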
As shown in Fig. 4, still another embodiment of the credible protocol conversion method of the present invention includes the following steps:
S101, receiving all external access requests from industrial control system A (the second industrial control system);
S102, performing network layer protocol analysis, extracting the network layer protocol parameters (first feature parameters), matching them against the network layer white list, and generating a network layer filter result;
S103, judging whether the blocking condition is met according to the network layer filter result;
if the network layer blocking condition is met, blocking the external access request without any form of response and proceeding to step S109; otherwise performing step S104;
S104, performing application layer packet assembly on the external access request (the application layer data of the external request protocol may be dispersed across multiple transport layer messages, so the application layer packet assembly here mainly refers to extracting the application layer data from multiple external request transport layer messages and combining them into one complete application layer message); after a complete application layer packet is formed, performing application layer protocol analysis, extracting the application layer protocol parameters (second feature parameters), matching them against the application layer white list, and generating an application layer filter result;
S105, judging whether the blocking condition is met according to the application layer filter result;
if the application layer blocking condition is met, blocking the external access request without any form of response and proceeding to step S109; otherwise performing step S106;
S109, generating a log record and an alarm output signal, and terminating the external access request;
S106, detecting the type of the external access request;
S107, if it is a control operation request, re-packaging the external access request according to the control operation request in the protocol of industrial control system B (that is, packaging the control operation request in the protocol format of industrial control system B to form a protocol format message of industrial control system B), sending it to industrial control system B, and waiting for a response; if no response is received from industrial control system B, terminating the external access request; if a response is received from industrial control system B, taking it as the access result and performing step S303;
S302, if it is a data query request, obtaining the status data from the status database according to the preset correlation rules as the access result, and performing step S303;
S303, packaging the access result in the protocol of industrial control system A, and sending it to industrial control system A.
The above embodiment further includes:
S201, establishing communication with industrial control system B according to the predefined data query rules (that is, the preset rules);
S202, obtaining status data from industrial control system B in real time according to the preset rules;
S203, storing the status data obtained in real time as a real-time database.
The following are also required before the above embodiment:
1.1, predefining a white list library, which stores the network layer white list and the application layer white list of the corresponding ports;
1.2, predefining the preset rules for cyclically obtaining the status data of industrial control system B (the first industrial control system); the preset rules here mainly refer to the data query rules for obtaining data from industrial control system B, including the data query messages and the rules for unpacking the query results and writing them into the real-time database;
1.3, pre-establishing the communication protocol of industrial control system A (the second industrial control system) and the preset correlation rules between it and the real-time database points; the correlation rules here mainly refer to the rules of correspondence between the data addresses of the second industrial control system's communication protocol and the tag points of the real-time database, together with the data format conversion rules.
In step 1.1 above, the network layer white list includes the protocol types or port numbers and the MAC addresses or IP addresses allowed for each port of the device; the application layer white list contains three parts: the allowed communication request primitives, the data address ranges allowed to be read and written, and the value ranges and change frequencies of the data allowed to be changed;
In step 1.2 above, different data point correlation rules can be defined according to different communication protocols, and a conversion relationship between the raw code value and the actual value can be established for each data point.
In the above embodiment, multiple kinds of access can be allowed for the same port according to the needs of use, and the white list and the correlation rules between the communication protocol and the real-time database are configured separately for each allowed communication protocol.
In the above embodiment, when a communication request that does not meet the white list requirements is detected and communication blocking is implemented, a system log record and an alarm output are generated; the alarm output methods include the device indicator light and the connected background monitoring software.
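As an added example (not the patent's or the assignee's code), the query and control dispatch of steps S106-S303 built on the polling cycle S201-S203 and the preset rules of 1.2 and 1.3: system A data addresses are mapped to real-time database tags by correlation rules that also carry the raw-code to actual-value conversion, a data query is answered from the real-time database without a round trip to system B, and a control operation is repackaged in system B's protocol and forwarded, with a missing response terminating the request. The stand-in for system B, its register protocol, the tag names and the scaling values are constructed assumptions.

```python
"""Query/control dispatch for a credible protocol gateway, as an added example of
steps S106-S303 together with the polling cycle S201-S203 and the preset rules
of 1.2 and 1.3.  System B, its register protocol, the tag names and the scaling
rules are constructed for this example and are not the patent's definitions."""
from dataclasses import dataclass


@dataclass
class CorrelationRule:
    """1.3: one system-A data address -> real-time database tag, plus the
    raw-code <-> actual-value conversion for that point (1.2)."""
    tag: str
    scale: float      # actual = raw * scale + offset
    offset: float

    def to_actual(self, raw):
        return raw * self.scale + self.offset

    def to_raw(self, actual):
        return round((actual - self.offset) / self.scale)


class RealTimeDatabase:
    """S203: latest raw status value per tag, refreshed by the poll cycle."""
    def __init__(self):
        self.points = {}

    def write(self, tag, raw):
        self.points[tag] = raw

    def read(self, tag):
        return self.points.get(tag)       # None: point never answered by B


class SystemB:
    """Constructed stand-in for industrial control system B. It speaks a raw
    register protocol {"op": "read"|"write", "reg": n, "raw": v}; registers
    listed in silent_regs never answer, to exercise the no-response path."""
    def __init__(self, regs, silent_regs=()):
        self.regs, self.silent = dict(regs), set(silent_regs)

    def exchange(self, msg):
        if msg["reg"] in self.silent:
            return None
        if msg["op"] == "write":
            self.regs[msg["reg"]] = msg["raw"]
        return {"reg": msg["reg"], "raw": self.regs[msg["reg"]]}


class Gateway:
    def __init__(self, system_b, query_rules, correlation):
        self.b = system_b
        self.query_rules = query_rules    # 1.2: tag -> register polled in B
        self.correlation = correlation    # 1.3: system-A address -> rule
        self.rtdb = RealTimeDatabase()

    def poll_cycle(self):
        """S201/S202: fetch every configured point from B into the RTDB."""
        for tag, reg in self.query_rules.items():
            resp = self.b.exchange({"op": "read", "reg": reg})
            if resp is not None:
                self.rtdb.write(tag, resp["raw"])

    def dispatch(self, req):
        """S106: req is a system-A request that already passed the white list:
        {"type": "query"|"control", "address": n, "value": actual}.
        Returns the system-A result message, or None if the request ends."""
        rule = self.correlation[req["address"]]
        if req["type"] == "query":
            raw = self.rtdb.read(rule.tag)          # S302: no round trip to B
            if raw is None:
                return None
        else:
            # S107: repackage in B's protocol, forward, wait for the response
            resp = self.b.exchange({"op": "write",
                                    "reg": self.query_rules[rule.tag],
                                    "raw": rule.to_raw(req["value"])})
            if resp is None:
                return None                         # no reply: request ends
            raw = resp["raw"]
            self.rtdb.write(rule.tag, raw)          # keep the RTDB current
        # S303: pack the access result in system A's format
        return {"address": req["address"], "value": rule.to_actual(raw)}


def build_demo():
    """Constructed configuration: three points, register 3 never answers."""
    system_b = SystemB({1: 250, 2: 40, 3: 7}, silent_regs={3})
    query_rules = {"tank_temp": 1, "valve_pos": 2, "pump_speed": 3}
    correlation = {40001: CorrelationRule("tank_temp", 0.1, 0.0),
                   40002: CorrelationRule("valve_pos", 1.0, 0.0),
                   40003: CorrelationRule("pump_speed", 10.0, 0.0)}
    return Gateway(system_b, query_rules, correlation)
```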
It should be noted that for aforementioned each method embodiment, in order to be briefly described, therefore it is all expressed as a series of Action merge, but those skilled in the art should know, the present invention is not limited by described sequence of movement because According to the present invention, certain steps may be used other sequences or be carried out at the same time.Secondly, those skilled in the art should also know It knows, embodiment described in this description belongs to preferred embodiment, and involved action and module are not necessarily of the invention It is necessary.
In the above-described embodiments, it all emphasizes particularly on different fields to the description of each embodiment, there is no the portion being described in detail in some embodiment Point, it may refer to the associated description of other embodiment.
As shown in figure 5, another aspect of the invention, additionally provides a kind of credible protocol converting system, including:
Access request receiving port receives the outside access request for being sent to the first industrial control system;
Legitimacy/access type determination module is accessed, the conjunction to judge outside access request according to default white list is configured Method, and judge the access type of outside access request, access type includes data inquiry request and control operation requests;
State data acquisition module, be configured with when outside access request be data inquiry request when, will be from the first industry control system The status data inquired of uniting packages, and be sent to the second industrial control system according to the agreement of the second industrial control system;
Data group packet module, be configured with when outside access ask operation requests in order to control when, according to the first industrial control system Agreement packages, and be sent to the first industrial control system to control operation requests.
In some embodiments, white list includes network layer white list and application layer white list.
The credible protocol converter of present embodiment by the way that firewall technology is merged with industrial protocol switch technology, The security boundary of industrial control system is realized, by promoting the security boundary protective capacities of industrial protocol converter, enhances industry Protocol conversion process is combined by the inherently safe safeguard function of protocol converter with the access control policy based on white list, Can be by set of device, a protocal analysis, realization uses answering between two or more industrial control systems of different application layer protocol It is converted with layer protocol, the industrial control systems protecting information safety work(such as communication data packet filtering and blocking, intrusion detection and antivirus protection Can, reducing traditional industrial control system protocol conversion and protecting information safety needs to dispose protocol converter and industrial fireproof wall two simultaneously The problems such as system delay caused by covering device is long, reliability is low.
As shown in figure 5, in some embodiments, the access legitimacy/access type determination module includes:
a network layer parser, configured to parse the first feature parameters of the outside access request from the outside access request;
a network layer legitimacy judgement unit, configured to judge the legitimacy of the outside access request according to the network layer white list and the first feature parameters;
an access type judgement unit, configured to judge the access type of the outside access request when the outside access request is legal.
This embodiment filters external requests by setting a white list at the network layer, ensuring the safety and reliability of communication between the industrial control systems.
Further, a white list may also be preset for the application layer, so that external requests are also filtered at the application layer.
As shown in figure 7, in some embodiments, the access legitimacy/access type determination module includes:
a network layer parser, configured to parse the first feature parameters of the outside access request from the outside access request;
a network layer legitimacy judgement unit, configured to judge the legitimacy of the outside access request according to the network layer white list and the first feature parameters;
a network layer execution unit, configured to block the outside access request when it is illegal and, when it is legal, to perform application layer packaging of the outside access request to obtain an application layer data packet and send it to the application layer;
an application layer parser, configured to parse the second feature parameters of the outside access request from the application layer data packet;
an application layer legitimacy judgement unit, configured to judge the legitimacy of the outside access request according to the application layer white list and the second feature parameters, to block the outside access request if it is illegal, and to judge the access type of the outside access request if it is legal.
In some embodiments, the network layer white list includes at least one of the protocol type, port number, MAC address and IP address allowed for each communication port of the first industrial control system;
the application layer white list includes at least one of the communication request primitives allowed for each communication port of the first industrial control system, the data address range allowed to be read and written, the value range of data allowed to be changed, and the change frequency of data allowed to be changed.
In some embodiments, an alarm module is included, configured to generate a system log record and an alarm output signal after the outside access request is blocked.
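The two-stage check of the figure 7 embodiment (network layer white list, then application layer white list, then access type, with a log record and alarm flag on a block), as an added Python example that is not the patent's own code; the white list values, the request field names and the 60-second window used for the change-frequency rule are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed white lists for one communication port of the first industrial
# control system (hypothetical values, not from the patent).
NETWORK_WHITELIST = {"protocol": {"tcp"}, "port": {502},
                     "mac": {"00:11:22:33:44:55"}, "ip": {"192.0.2.10"}}
APP_WHITELIST = {"primitives": {"read", "write"}, "address_range": (0, 99),
                 "value_range": (0, 100), "max_changes_per_minute": 5}


@dataclass
class Decision:
    allowed: bool
    access_type: Optional[str]  # "data_query", "control_operation" or None
    reason: str


def network_layer_check(req: dict, wl: dict) -> Optional[str]:
    """First feature parameters (protocol type, port, MAC, IP) against the
    network layer white list; None when legal, else the reason to block."""
    for key in ("protocol", "port", "mac", "ip"):
        if req.get(key) not in wl[key]:
            return f"network layer: {key}={req.get(key)!r} not white-listed"
    return None


def application_layer_check(req: dict, wl: dict, history: Dict[int, List[float]],
                            now: float) -> Optional[str]:
    """Second feature parameters (request primitive, data address, value,
    change frequency) against the application layer white list."""
    prim, addr = req.get("primitive"), req.get("address")
    if prim not in wl["primitives"]:
        return f"application layer: primitive {prim!r} not allowed"
    lo, hi = wl["address_range"]
    if addr is None or not lo <= addr <= hi:
        return f"application layer: address {addr!r} outside {lo}-{hi}"
    if prim == "write":
        vlo, vhi = wl["value_range"]
        val = req.get("value")
        if val is None or not vlo <= val <= vhi:
            return f"application layer: value {val!r} outside {vlo}-{vhi}"
        # change-frequency rule: writes to this address within the last 60 s
        recent = [t for t in history.get(addr, []) if now - t < 60]
        if len(recent) >= wl["max_changes_per_minute"]:
            return f"application layer: change frequency exceeded at {addr}"
        history[addr] = recent + [now]
    return None


def handle_request(req: dict, history: Dict[int, List[float]],
                   log: List[dict], now: float) -> Decision:
    """Network layer first; only a legal request is packaged up to the
    application layer. A block writes a system log record with an alarm
    flag; a legal request is classified by access type."""
    reason = network_layer_check(req, NETWORK_WHITELIST)
    if reason is None:
        reason = application_layer_check(req, APP_WHITELIST, history, now)
    if reason is not None:
        log.append({"time": now, "event": "blocked", "reason": reason, "alarm": True})
        return Decision(False, None, reason)
    kind = "control_operation" if req["primitive"] == "write" else "data_query"
    return Decision(True, kind, "legal")
```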
The method embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement them without creative labour.
From the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a necessary general-purpose hardware platform, and naturally also by hardware. Based on this understanding, the technical solution above, or the part of it that contributes to the prior art, can essentially be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each embodiment or in certain parts of the embodiments.
Those skilled in the art should understand that embodiments of the present invention can be provided as a method, a system or a computer program product. Therefore, the present invention can take the form of a complete hardware embodiment, a complete software embodiment, or an embodiment combining software and hardware aspects.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or box in the flowcharts and/or block diagrams, and combinations of flows and/or boxes in the flowcharts and/or block diagrams, can be realized by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for realizing the functions specified in one or more flows of the flowchart and/or one or more boxes of the block diagram.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, which realizes the functions specified in one or more flows of the flowchart and/or one or more boxes of the block diagram. These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realizing the functions specified in one or more flows of the flowchart and/or one or more boxes of the block diagram.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A credible protocol conversion method for protocol conversion between a first industrial control system and a second industrial control system, the method comprising:
receiving an outside access request sent to the first industrial control system;
judging the legitimacy of the outside access request according to a default white list, and judging the access type of the outside access request, the access type including a data inquiry request and a control operation request;
when the outside access request is a data inquiry request, packaging the status data queried from the first industrial control system according to the protocol of the second industrial control system, and sending it to the second industrial control system;
when the outside access request is a control operation request, packaging the control operation request according to the protocol of the first industrial control system, and sending it to the first industrial control system.
2. The credible protocol conversion method according to claim 1, characterized in that the default white list includes a network layer white list and an application layer white list;
judging the legitimacy of the outside access request according to the default white list and judging the access type of the outside access request includes:
parsing the outside access request at the network layer, and determining the first feature parameters of the outside access request;
judging the legitimacy of the outside access request according to the network layer white list and the first feature parameters; if it is illegal, blocking the outside access request, and if it is legal, judging the access type of the outside access request.
3. The credible protocol conversion method according to claim 1, characterized in that the default white list includes a network layer white list and an application layer white list;
judging the legitimacy of the outside access request according to the default white list and judging the access type of the outside access request includes:
parsing the outside access request at the network layer, and determining the first feature parameters of the outside access request;
judging the legitimacy of the outside access request according to the network layer white list and the first feature parameters; if it is illegal, blocking the outside access request, and if it is legal, packaging the outside access request into an application layer data packet and sending it to the application layer;
parsing the application layer data packet at the application layer, and determining the second feature parameters of the outside access request;
judging whether the outside access request is legal according to the application layer white list and the second feature parameters; if it is illegal, blocking the outside access request, and if it is legal, judging the access type of the outside access request.
4. The credible protocol conversion method according to claim 3, characterized in that the network layer white list includes at least one of the protocol type, port number, MAC address and IP address allowed for each communication port of the first industrial control system;
the application layer white list includes at least one of the communication request primitives allowed for each communication port of the first industrial control system, the data address range allowed to be read and written, the value range of data allowed to be changed, and the change frequency of data allowed to be changed.
5. The credible protocol conversion method according to any one of claims 1-4, characterized in that, after the outside access request is blocked, a system log record and an alarm output signal are generated.
6. A credible protocol conversion system, comprising:
an access request receiving port, which receives an outside access request sent to the first industrial control system;
an access legitimacy/access type determination module, configured to judge the legitimacy of the outside access request according to a default white list and to judge the access type of the outside access request, the type including a data inquiry request and a control operation request;
a status data acquisition module, configured to package the status data queried from the first industrial control system according to the protocol of the second industrial control system when the outside access request is a data inquiry request, and to send it to the second industrial control system;
a data packaging module, configured to package the control operation request according to the protocol of the first industrial control system when the outside access request is a control operation request, and to send it to the first industrial control system.
7. The credible protocol conversion system according to claim 6, characterized in that the default white list includes a network layer white list and an application layer white list;
the access legitimacy/access type determination module includes:
a network layer parser, configured to parse the first feature parameters of the outside access request from the outside access request;
a network layer legitimacy judgement unit, configured to judge the legitimacy of the outside access request according to the network layer white list and the first feature parameters;
an access type judgement unit, configured to judge the access type of the outside access request when the outside access request is legal.
8. The credible protocol conversion system according to claim 6, characterized in that the white list includes a network layer white list and an application layer white list;
the access legitimacy/access type determination module includes:
a network layer parser, configured to parse the first feature parameters of the outside access request from the outside access request;
a network layer legitimacy judgement unit, configured to judge the legitimacy of the outside access request according to the network layer white list and the first feature parameters;
a network layer execution unit, configured to block the outside access request when it is illegal and, when it is legal, to perform application layer packaging of the outside access request and send it to the application layer;
an application layer parser, configured to parse the second feature parameters of the outside access request from the application layer data packet;
an application layer legitimacy judgement unit, configured to judge the legitimacy of the outside access request according to the application layer white list and the second feature parameters;
an access type judgement unit, configured to judge the access type of the outside access request when the application layer legitimacy judgement unit judges that the outside access request is legal.
9. The credible protocol conversion system according to claim 8, characterized in that the network layer white list includes at least one of the protocol type, port number, MAC address and IP address allowed for each communication port of the first industrial control system;
the application layer white list includes at least one of the communication request primitives allowed for each communication port of the first industrial control system, the data address range allowed to be read and written, the value range of data allowed to be changed, and the change frequency of data allowed to be changed.
10. The credible protocol conversion system according to any one of claims 6-9, characterized in that it further includes an alarm module, configured to generate a system log record and an alarm output signal after the outside access request is blocked.
CN201510809808.9A 2015-11-20 2015-11-20 Credible protocol conversion method and system Active CN105337986B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510809808.9A CN105337986B (en) 2015-11-20 2015-11-20 Credible protocol conversion method and system
PCT/CN2016/105419 WO2017084535A1 (en) 2015-11-20 2016-11-11 Method for trusted protocol conversion and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510809808.9A CN105337986B (en) 2015-11-20 2015-11-20 Credible protocol conversion method and system

Publications (2)

Publication Number Publication Date
CN105337986A CN105337986A (en) 2016-02-17
CN105337986B true CN105337986B (en) 2018-06-19

Family

ID=55288269

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510809808.9A Active CN105337986B (en) 2015-11-20 2015-11-20 Credible protocol conversion method and system

Country Status (2)

Country Link
CN (1) CN105337986B (en)
WO (1) WO2017084535A1 (en)

Also Published As

Publication number Publication date
WO2017084535A1 (en) 2017-05-26
CN105337986A (en) 2016-02-17

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB03 Change of inventor or designer information

Inventor after: Chen Huixin

Inventor before: Pan Hongqin

COR Change of bibliographic data
GR01 Patent grant