CN105573291A - Threat detection method based on key parameter fusion verification and safety device - Google Patents

Threat detection method based on key parameter fusion verification and safety device

Info

Publication number
CN105573291A
Authority
CN
China
Prior art keywords
threat detection
detection unit
information
threat
control system
Prior art date
Legal status
Granted
Application number
CN201510984622.7A
Other languages
Chinese (zh)
Other versions
CN105573291B (en)
Inventor
陈冬青
张翀斌
谢丰
彭勇
伊胜伟
Current Assignee
China Information Technology Security Evaluation Center
Original Assignee
China Information Technology Security Evaluation Center
Priority date
Filing date
Publication date
Application filed by China Information Technology Security Evaluation Center
Priority to CN201510984622.7A
Publication of CN105573291A
Application granted
Publication of CN105573291B
Active legal status
Anticipated expiration

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults characterized by the response to fault detection
    • G05B23/0267 Fault communication, e.g. human machine interface [HMI]
    • G05B23/027 Alarm generation, e.g. communication protocol; Forms of alarm
    • G05B2219/00 Program-control systems
    • G05B2219/20 Pc systems
    • G05B2219/24 Pc safety
    • G05B2219/24048 Remote test, monitoring, diagnostic

Abstract

The invention relates to a threat detection method based on fusion verification of key parameters, and to an industrial control system (ICS) security device that implements it. Exploiting the hierarchical structure of an industrial control system, the method performs fusion verification of key parameters across the vertical layers. First, threat detection is carried out at each layer of the industrial control system, including the fieldbus layer; then, on top of this layered detection, key parameters of the industrial control system (key process parameters, control parameters, control instructions and so on) are verified vertically across the layers, which closes the gap left by purely per-layer detection. The method addresses the detection blind spots caused by insufficient data fusion in conventional ICS defense in depth, allows the threat detection device to be tailored to the individual industrial control system, achieves comprehensive threat detection for ICS security, improves the security of the industrial control system and helps ensure safe and stable operation of the controlled process.

Description

Threat detection method based on key-parameter fusion verification, and security device
Technical field
The invention belongs to the field of industrial control systems and relates mainly to a threat detection method based on fusion verification of key parameters, and to a security device (the "safety device" of the title) that implements it.
Background
The information security of industrial control systems, particularly those of critical infrastructure, is an important component of national security. In recent years frequent network intrusions have seriously threatened the safe and stable operation of critical infrastructure and may also cause loss of life and property. Strengthening intrusion detection for industrial control systems in order to raise their information-security level is therefore of both theoretical and practical importance.
Because of the complexity of industrial control systems, a single protection strategy can hardly guarantee their information security. Given the structural characteristics and security needs of industrial control systems, defense in depth has become the mainstream ICS information-security protection scheme. From both a technical and a management viewpoint, defense in depth protects the industrial control system by means such as security zoning, border intrusion detection, host-based intrusion detection and control-network intrusion detection, performing intrusion detection and protection layer by layer according to the hierarchical structure of the ICS network.
However, this scheme largely borrows information-security protection techniques from IT systems, ignores the essential characteristics of industrial control systems, and lacks information fusion across the vertical layers. Its main shortcomings are:
(1) An industrial control system is interconnected through a layered network structure that forms a complex industrial control network. Existing defense-in-depth threat detection is oriented towards the supervisory and control layers and neglects detection on the fieldbus layer, the most important network in an industrial control network. An industrial control system is a cyber-physical system: the fieldbus network connects directly to the equipment that measures and adjusts the physical process, and any threat or attack must pass through the fieldbus network to do serious damage to the physical process and the equipment;
(2) The data in an industrial control system, such as measurement and control information, is consistent across the fieldbus layer, the control-network layer and the supervisory layer: at any instant the value of a given variable should be the same at every layer. Vertically checking the key parameters and their timestamps across the layers can therefore reveal anomalies in the control system, and a network intrusion is a likely source of such anomalies. Existing schemes ignore the verification of data consistency between the different layers;
(3) The core of the industrial control network data stream is process production data, operating instructions, control parameters, device status information and device configuration parameters. These differ markedly from the information flow on a conventional IT network, and existing schemes do not make full use of this feature for security detection and protection;
(4) The structure of an industrial control network is relatively stable and its operating mode relatively static, which allows more effective threat detection tailored to this characteristic.
Summary of the invention
In view of the above problems, the invention provides a threat detection method that combines layered detection with vertical inter-layer fusion, and an ICS information-security device that implements it. Structurally the method still belongs to the defense-in-depth family and retains the advantages of the traditional scheme: security zoning, vertical layering and border protection. In addition, it provides a method for threat detection on the fieldbus layer of the industrial control system, strengthening detection on the layer in closest contact with the physical process. At the same time, to overcome the lack of vertical data fusion in previous defense-in-depth systems, and building on the added fieldbus-layer detection, it takes key parameters of the industrial process (key process parameters, control parameters and operating instructions) as the detection objects and performs vertical information fusion and verification across the layers, so as to find threats or abnormal behaviour that cannot be detected at any single layer. To meet the individual detection requirements of each ICS deployment, the invention also proposes a method for configuring the threat detection parameters. The invention further provides the security device that implements the method.
The specific technical scheme of the application is as follows:
A threat detection method based on fusion verification of key parameters, comprising the steps:
(1) The firewall information fusion unit sends the logs, rules and intrusion information from border protection to the system-level threat detection unit for vertical information fusion and verification;
(2) The host threat detection unit performs application-layer detection, that is, threat detection on the host systems of the industrial control system (operator stations, engineer stations), the OPC (OLE for Process Control) servers, the OPC clients and the real-time database, and sends the detected abnormal behaviour together with the real-time values of key parameters collected from the database to the system-level threat detection unit for vertical information fusion and verification;
(3) The control-network threat detection unit collects industrial control network messages, parses and evaluates them and determines whether the control-network information flow is normal. If an abnormal message is found, the key parameter information extracted from it, such as key process parameters (e.g. reactor pressure), control parameters (e.g. proportional band, integral time or derivative time) and operating instructions (e.g. starting or stopping equipment, switching between manual and automatic), is sent to the system-level threat detection unit for vertical information fusion and verification;
(4) The fieldbus threat detection unit collects fieldbus messages, parses and evaluates them and determines whether the fieldbus network information flow is normal. If an abnormal message is found, the information and key parameters extracted from it are sent to the system-level threat detection unit for vertical information fusion and verification;
(5) The system-level threat detection unit fuses the preliminary detection results and key parameters received from each layer, comprehensively analyses and judges the security state of the system and gives an overall judgement;
(6) The security parameter configuration interface configures the security-related parameters of the host, control-network and fieldbus threat detection units;
(7) The security detection database stores the user's configuration and all the threat detection data obtained from the firewall information fusion unit, and serves each threat detection unit.
Reflecting the characteristics of industrial control systems and the safety requirements of the production process, the method incorporates key process parameter information and the corresponding configured constant values into threat detection.
Operating instruction information is incorporated into threat detection, so that not only external threats but also mis-operation by the ICS's own operating staff, or unauthorised intrusion into the system, can be detected.
Control parameter information is incorporated into threat detection.
In line with the hierarchy of the industrial control system, a fieldbus threat detection unit is added to the traditional defense-in-depth hierarchy. This unit performs threat detection on the fieldbus, the layer closest to the physical process and equipment, and thus covers the fieldbus data stream.
At the control layer and the fieldbus layer, the consistency of control instructions and the rate of change of the control parameters associated with them are checked.
For a specific application scenario, the security-relevant parameters and their thresholds can be set through the security parameter configuration interface, meeting the individual threat detection requirements of the industrial control system.
The system uses a unified security detection database that serves every threat detection unit.
The vertical information fusion verification comprises the following:
(1) According to timestamp, the key process parameters from the supervisory, control and fieldbus layers are compared; if the difference between the values of the same parameter at different layers exceeds the specified threshold, an anomaly is reported;
(2) According to timestamp, the control parameters from the supervisory, control and fieldbus layers are compared; if the difference between the values of the same parameter at different layers exceeds the specified threshold, an anomaly is reported;
(3) According to timestamp, the consistency of control instructions across the host, control-network and fieldbus detection layers is verified. If they are inconsistent, the system raises an alarm.
An industrial control system security device comprises: a firewall information fusion unit for border protection; a host threat detection unit for abnormal behaviour on the control system hosts; a control-network threat detection unit that detects abnormal behaviour on the control network; a fieldbus threat detection unit that detects abnormal behaviour on the fieldbus; and a system-level threat detection unit that combines the threat detection information of all the above layers and makes an overall judgement of the threat level the system faces. A security parameter configuration interface configures the security-related parameters of the threat detection units (host, control-network and fieldbus).
For a specific application scenario, the security device allows the security-relevant parameters and their thresholds to be set through the security parameter configuration interface, meeting the individual threat detection requirements of the industrial control system.
The technical effects of the invention are:
(1) Structurally, a fieldbus-layer threat detection function is added, enriching the layers and making threat detection for the industrial control network more complete;
(2) Vertically, information fusion between the threat detection modules of the different layers is strengthened, making full use of the information from each layer's detection system; threat detection for the whole industrial control system is thereby improved, and the problem of each layer detecting threats in isolation is overcome;
(3) A threat detection method based on vertical fusion and verification of key process parameters is provided, making system-level threat detection both more targeted and more global, and a concrete method for vertical data fusion and verification is proposed;
(4) Detection is provided for the key equipment of the industrial control system, namely the controllers and the measurement and control instruments; when an upper-layer threat detection unit fails to notice abnormal behaviour, detection at the controller and field-instrument level helps to find the threat that such behaviour poses to field-layer equipment;
(5) On the basis of the vertical defense concept for ICS threat detection, and according to the structural characteristics and operating mode of industrial control systems, the method adds fieldbus-layer threat detection to the vertical hierarchy to close the gaps and shortcomings of the traditional method. It also proposes a threat detection method based on inter-layer fusion of key parameters, to remedy the shortcomings of conventional per-layer detection and protection systems, strengthen data fusion and analysis among the ICS sub-detection systems and further raise the threat detection capability of the industrial control system.
Description of the drawings
Fig. 1 is a structural diagram of the industrial control system threat detection system of Embodiment 1;
Fig. 2 is a structural diagram of the industrial control system information-security device implementing Fig. 1.
Embodiments
The content of the invention is further illustrated below by an embodiment, but the scope of protection of the invention is not limited to it. Other changes and modifications that a person skilled in the art may make without departing from the spirit and scope of the invention remain within its scope.
Embodiment 1
Fig. 1 is a structural diagram of the industrial control system threat detection system of Embodiment 1. The system performs threat detection mainly for a typical industrial control system comprising a fieldbus layer, a control layer, a supervisory layer, a dispatch layer and an office layer.
The equipment detected at the field layer mainly comprises measurement instruments, actuators, frequency converters and remote I/O units.
The main equipment detected at the control layer comprises the controllers of the distributed control system (DCS), programmable logic controllers and remote terminal units.
The equipment detected by the host threat detection unit mainly comprises the control system servers, the OPC servers and the workstations (operator stations, engineer stations, etc.).
The firewall installed between the control layer and the dispatch layer inspects the information exchanged between these two layers and provides detection results and whitelist information to the system-level threat detection unit.
The firewall between the dispatch layer and the office layer inspects the information exchanged between these two layers and provides detection results and whitelist information to the system-level threat detection unit.
Fig. 2 is a structural diagram of the industrial control system security device according to a preferred embodiment of the invention.
The main threat detection units comprise: a fieldbus threat detection unit that monitors the field layer; a control-network threat detection unit that monitors the control-layer and supervisory-layer network; a host threat detection unit that monitors the supervisory-layer hosts; a firewall information fusion unit that fuses information from the ICS firewalls; and a system-level threat detection unit that gathers the information from these units for comprehensive analysis and judgement.
The firewall information fusion unit uses the firewalls for ICS border protection. It communicates with the firewalls through a firewall interface and sends their logs, rules and intrusion information to the system-level threat detection unit for vertical information fusion and verification; the firewalls' real-time protection information, in particular any detected anomaly, is forwarded to the system-level threat detection unit immediately.
The host threat detection unit connects through a host interface to the hosts of the industrial control system and uses the host-side threat detection component to perform threat detection on the ICS host systems (operator stations, engineer stations, OPC (OLE for Process Control) servers, real-time database, etc.). The security information extraction module of the host threat detection unit sends the host detection results, the real-time values of key process parameters, and the alarm and operation logs of the host systems to the system-level threat detection unit for vertical information fusion and verification.
The control-network threat detection unit communicates with the control bus through a control-bus interface. A typical industrial control system has only one control network.
The control-network threat detection unit comprises a data acquisition module, a data extraction module, a threat analysis module, a threat judgement module and an alarm module.
The data acquisition module collects control-network traffic and data messages through the control-network interface unit.
The data extraction module parses the protocol of each data message and first checks whether the source physical address, source logical address, destination physical address and destination logical address in the message are consistent with the whitelist. If they are not, the message is deemed illegal; the control-network threat detection unit raises an alarm and passes the relevant information to the system-level threat detection unit for comprehensive judgement.
Through protocol parsing, the data extraction module also extracts the process parameters, control parameters, operations on controllers (such as downloads) and control instructions carried in the message.
The threat analysis module first analyses the traffic volume in the control network and uses the Pauta criterion (the 3-sigma rule) to judge whether the traffic is abnormal. If it is, a threat behaviour including intrusion of the control network is deemed to exist; the control-network threat detection unit raises an alarm and at the same time sends the result to the system-level threat detection unit.
Based on the information extracted above, the threat analysis module also performs the following detection functions:
(1) The values of key parameters are compared with the configured threshold range; if a threshold is exceeded, an alarm is raised and the value is sent to the system-level threat detection unit;
(2) The rate of change of key parameters is compared with the configured threshold; if the threshold is exceeded, an alarm is raised and the value is sent to the system-level threat detection unit;
(3) Reads and writes to the controllers are monitored; on any of the following events the threat detection unit raises an alarm and sends the result to the system-level threat detection unit:
1) a read or write whose parameter address space is outside the range permitted by the system;
2) a parameter modification on the controller beyond the configured threshold range;
3) an illegal instruction issued to the controller;
4) a program download to the controller outside debug mode;
5) a download of data files or data blocks to the controller outside debug mode;
6) a change of the controller configuration outside debug mode;
7) a start or stop operation on the controller outside debug mode.
The fieldbus threat detection unit communicates with the fieldbus through a fieldbus interface. A large industrial control system has n fieldbuses.
The fieldbus threat detection unit comprises a data acquisition module, a data extraction module, a threat analysis module, an anomaly judgement module and an alarm module.
The data acquisition module collects fieldbus network traffic and data messages through the fieldbus interface unit.
The data extraction module parses the protocol of each data message and first checks whether the source physical address, source logical address, destination physical address and destination logical address in the message are consistent with the whitelist. If they are not, the message is deemed illegal; the fieldbus threat detection unit raises an alarm and passes the relevant information to the system-level threat detection unit for comprehensive judgement.
Through protocol parsing, the data extraction module also extracts the process parameters, control parameters and instructions carried in the message.
The threat analysis module first analyses the traffic volume in the fieldbus network and uses the Pauta criterion (the 3-sigma rule) to judge whether the traffic is abnormal. If it is, an intrusion against the fieldbus network is deemed to exist; the fieldbus threat detection unit raises an alarm and at the same time sends the result to the system-level threat detection unit.
Based on the information extracted above, the threat analysis module also performs the following detection functions:
(1) The values of key parameters are compared with the configured threshold range; if a threshold is exceeded, an alarm is raised and the value is sent to the system-level threat detection unit;
(2) The rate of change of key parameters is compared with the configured threshold; if the threshold is exceeded, an alarm is raised and the value is sent to the system-level threat detection unit;
(3) Detection for the control devices connected to the fieldbus network (actuators, frequency converters, etc.), covering the content, address space and parameter settings of write commands. On any of the following the threat detection unit raises an alarm and sends the result to the system-level threat detection unit:
1) a read or write whose parameter address space on a measurement or control device on the bus is outside the range permitted by the system;
2) a parameter modification on a measurement or control device on the bus beyond the configured threshold range;
3) an illegal instruction issued to a measurement or control device on the bus;
4) a download of data files or data blocks to a measurement or control device on the bus outside debug mode;
5) a modification of the configuration of a measurement or control device on the bus outside debug mode;
6) a start or stop operation on a control device on the bus outside debug mode.
The above threat detection process is applied likewise to the other (n-1) fieldbuses.
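The per-layer checks listed above for the control-network unit and repeated for the fieldbus unit (address whitelist, Pauta-criterion traffic check, and the numbered rules on reads, writes and privileged operations against controllers or field devices) can be put together as below. This is an added example written for this page, not the patent's implementation or the applicant's code. The message fields, MAC and station addresses, register ranges, value limits, the "debug mode" flag and the traffic baseline are all constructed, and the Pauta criterion is implemented as the 3-sigma rule on frames per interval.

```python
"""Per-layer checks of a control-network / fieldbus threat detection unit:
address whitelist, Pauta (3-sigma) traffic check and rule checks on reads,
writes and privileged operations. Example code for this page, not the
patent's implementation; all addresses, limits and samples are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Message:
    ts: float                      # capture time, seconds
    src_mac: str                   # source physical address
    src_addr: int                  # source logical (station) address
    dst_mac: str
    dst_addr: int
    op: str                        # read | write | download | config | start | stop
    address: Optional[int] = None  # parameter / register address, if any
    value: Optional[float] = None  # value written, if any


@dataclass
class UnitConfig:
    whitelist: Set[Tuple[str, int, str, int]]     # allowed (src_mac, src_addr, dst_mac, dst_addr)
    allowed_ranges: List[Tuple[int, int]]         # permitted parameter address ranges
    param_limits: Dict[int, Tuple[float, float]]  # address -> (low, high) for written values
    legal_ops: Set[str]
    baseline: List[int]            # frames per interval seen in normal operation
    debug_mode: bool = False       # True only during commissioning / debugging

def pauta_anomalous(baseline: List[int], count: int, k: float = 3.0) -> bool:
    """Pauta criterion: a sample more than k standard deviations from the
    baseline mean is a gross error, treated here as a traffic anomaly."""
    if len(baseline) < 2:
        return False
    mu, sigma = mean(baseline), pstdev(baseline)
    return count != mu if sigma == 0 else abs(count - mu) > k * sigma

def check_addresses(msg: Message, cfg: UnitConfig) -> Optional[str]:
    """Whitelist check on the four address fields; a miss makes the message illegal."""
    key = (msg.src_mac, msg.src_addr, msg.dst_mac, msg.dst_addr)
    return None if key in cfg.whitelist else f"illegal message: {key} not in whitelist"

def check_operation(msg: Message, cfg: UnitConfig) -> List[str]:
    """Rule checks corresponding to items 1)-7) above for a controller or field device."""
    alerts = []
    if msg.op not in cfg.legal_ops:
        alerts.append(f"illegal instruction {msg.op!r} to station {msg.dst_addr}")
    if msg.op in ("read", "write") and msg.address is not None:
        if not any(lo <= msg.address <= hi for lo, hi in cfg.allowed_ranges):
            alerts.append(f"{msg.op} at address {msg.address} outside permitted range")
    if msg.op == "write" and msg.value is not None and msg.address in cfg.param_limits:
        lo, hi = cfg.param_limits[msg.address]
        if not lo <= msg.value <= hi:
            alerts.append(f"write of {msg.value} to {msg.address} outside [{lo}, {hi}]")
    if not cfg.debug_mode and msg.op in ("download", "config", "start", "stop"):
        alerts.append(f"{msg.op} to station {msg.dst_addr} outside debug mode")
    return alerts

def analyse(messages: List[Message], cfg: UnitConfig, interval: float = 1.0) -> List[str]:
    """Traffic-volume check per interval, then per-message checks; returns the
    alerts that would be raised and forwarded to the system-level unit."""
    alerts: List[str] = []
    buckets: Dict[int, int] = {}
    for m in messages:
        b = int(m.ts // interval)
        buckets[b] = buckets.get(b, 0) + 1
    for b in sorted(buckets):
        if pauta_anomalous(cfg.baseline, buckets[b]):
            alerts.append(f"traffic anomaly: {buckets[b]} frames in interval {b}")
    for m in messages:
        bad = check_addresses(m, cfg)
        if bad:
            alerts.append(bad)   # untrusted source/destination: do not interpret the payload
            continue
        alerts.extend(check_operation(m, cfg))
    return alerts

def demo() -> List[str]:
    """Constructed scenario: a normal second hiding three suspicious frames, then a flood second."""
    hmi, plc = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"
    cfg = UnitConfig(
        whitelist={(hmi, 1, plc, 10)},
        allowed_ranges=[(40001, 40100)],
        param_limits={40010: (0.0, 100.0)},   # e.g. a setpoint in percent
        legal_ops={"read", "write", "download", "config", "start", "stop"},
        baseline=[100, 102, 98, 101, 99, 100, 103, 97, 100, 101],
    )
    msgs = [Message(i * 0.01, hmi, 1, plc, 10, "read", 40001) for i in range(97)]
    msgs += [
        Message(0.97, "de:ad:be:ef:00:01", 7, plc, 10, "read", 40001),  # unknown source
        Message(0.98, hmi, 1, plc, 10, "write", 40010, 150.0),          # value beyond limits
        Message(0.99, hmi, 1, plc, 10, "download"),                     # download, not in debug mode
    ]
    msgs += [Message(1.0 + i * 0.003, hmi, 1, plc, 10, "read", 40001) for i in range(300)]
    return analyse(msgs, cfg)
```

Two points of the design are worth noting. A frame that fails the address whitelist is reported and not parsed further, since a payload from an unknown station should not be allowed to drive the other checks. The Pauta criterion is symmetric, so an abnormally quiet interval (for example a bus that has gone silent) is flagged as well as a flood; whether that is wanted depends on the site and is one of the thresholds the configuration interface is meant to set.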
The system-level threat detection unit comprises an inter-layer information aggregation module, an inter-layer information check module and a comprehensive security judgement module.
The inter-layer information aggregation module communicates with the firewall information fusion unit, the host threat detection unit, the control-network threat detection unit and the fieldbus threat detection units, and receives the per-layer detection results they send.
The inter-layer information check module compares, by timestamp, the same key process parameter as reported by the supervisory, control and fieldbus layers; if the difference between the values exceeds the preset threshold, it raises an alarm and at the same time sends the alarm information to the comprehensive security judgement module.
The inter-layer information check module compares, by timestamp, the same key control parameter as reported by the supervisory, control and fieldbus layers; if the difference between the values exceeds the preset threshold, it raises an alarm and at the same time sends the alarm information to the comprehensive security judgement module.
The inter-layer information check module compares, by timestamp, the same key control instruction as reported by the supervisory, control and fieldbus layers; if the instruction types are inconsistent, or the difference between the operands associated with the instruction exceeds the preset threshold, it raises an alarm and at the same time sends the alarm information to the comprehensive security judgement module.
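The inter-layer check described in the three paragraphs above, and earlier in the summary under "vertical information fusion verification", can be implemented as follows. This is an added example written for this page, not the patent's own code: the layer names, the 0.5 s alignment window, the tolerances and the pressure and instruction samples are all constructed. The example takes the fieldbus view as the reference because it is closest to the physical process; the patent itself does not prescribe a reference layer.

```python
"""Vertical (inter-layer) fusion check: the same key parameter or instruction
is reported by the supervisory, control and fieldbus layers, aligned by
timestamp and compared against a tolerance. Example code for this page, not
the patent's implementation; all readings and instructions are constructed."""
from bisect import bisect_left
from dataclasses import dataclass
from typing import Dict, List, Optional

UPPER_LAYERS = ("control", "supervisory")   # compared against the fieldbus view


@dataclass(frozen=True)
class Reading:
    ts: float      # timestamp assigned by the reporting layer, seconds
    value: float


@dataclass(frozen=True)
class Instruction:
    ts: float
    kind: str                      # e.g. "start", "stop", "setpoint"
    operand: Optional[float] = None


def nearest(items, ts: float, window: float):
    """Item whose timestamp is closest to ts, if within +/-window; items sorted by ts."""
    if not items:
        return None
    keys = [it.ts for it in items]
    i = bisect_left(keys, ts)
    cands = [items[j] for j in (i - 1, i) if 0 <= j < len(items)]
    best = min(cands, key=lambda it: abs(it.ts - ts))
    return best if abs(best.ts - ts) <= window else None


def check_parameter(name: str, per_layer: Dict[str, List[Reading]],
                    tol: float, window: float) -> List[str]:
    """Each fieldbus reading is compared with the time-aligned reading of the
    same parameter at the control and supervisory layers; a difference above
    tol, or a missing counterpart, is reported."""
    alerts = []
    for ref in per_layer["fieldbus"]:
        for layer in UPPER_LAYERS:
            other = nearest(per_layer[layer], ref.ts, window)
            if other is None:
                alerts.append(f"{name}: no {layer}-layer value within {window}s of t={ref.ts}")
            elif abs(other.value - ref.value) > tol:
                alerts.append(f"{name}: fieldbus={ref.value} vs {layer}={other.value} "
                              f"at t={ref.ts} exceeds tolerance {tol}")
    return alerts


def check_instruction(per_layer: Dict[str, List[Instruction]],
                      window: float, operand_tol: float) -> List[str]:
    """An instruction seen on the fieldbus must have a matching instruction
    (same kind, operand within operand_tol) at each upper layer within
    +/-window; a command with no upper-layer counterpart did not travel the
    normal path from the operator down to the bus."""
    alerts = []
    for ref in per_layer["fieldbus"]:
        for layer in UPPER_LAYERS:
            cands = [i for i in per_layer[layer] if abs(i.ts - ref.ts) <= window]
            same = [i for i in cands if i.kind == ref.kind]
            if not cands:
                alerts.append(f"instruction {ref.kind!r} on fieldbus at t={ref.ts} "
                              f"has no counterpart at {layer} layer")
            elif not same:
                other = min(cands, key=lambda i: abs(i.ts - ref.ts))
                alerts.append(f"instruction type mismatch at t={ref.ts}: "
                              f"fieldbus={ref.kind!r} vs {layer}={other.kind!r}")
            else:
                other = min(same, key=lambda i: abs(i.ts - ref.ts))
                if (ref.operand is not None and other.operand is not None
                        and abs(ref.operand - other.operand) > operand_tol):
                    alerts.append(f"operand mismatch for {ref.kind!r} at t={ref.ts}: "
                                  f"fieldbus={ref.operand} vs {layer}={other.operand}")
    return alerts


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: reactor pressure rises on the bus and at the controller
    while the supervisory layer keeps showing the old value, and a 'stop' reaches the
    fieldbus that was never issued from the supervisory layer."""
    pressure = {
        "fieldbus":    [Reading(10.0, 2.30), Reading(11.0, 2.35), Reading(12.0, 2.40)],
        "control":     [Reading(10.1, 2.31), Reading(11.1, 2.34), Reading(12.1, 2.41)],
        "supervisory": [Reading(10.2, 2.30), Reading(11.2, 2.00), Reading(12.2, 2.00)],
    }
    instructions = {
        "fieldbus":    [Instruction(10.5, "setpoint", 2.3), Instruction(11.5, "stop")],
        "control":     [Instruction(10.4, "setpoint", 2.3), Instruction(11.4, "stop")],
        "supervisory": [Instruction(10.3, "setpoint", 2.3)],
    }
    return {
        "parameter": check_parameter("reactor_pressure_MPa", pressure, tol=0.05, window=0.5),
        "instruction": check_instruction(instructions, window=0.5, operand_tol=0.01),
    }
```

The scenario returned by demo() exercises the two failure modes the check exists for: a value that is falsified somewhere between the controller and the operator's screen (the supervisory layer keeps reporting 2.00 MPa while the bus carries 2.35 and 2.40), and a command that appears on the fieldbus without a matching command at the supervisory layer. The alignment window matters in practice: the three layers timestamp independently, so it has to be wider than the sum of the scan cycle and the clock skew between them, and a missing counterpart is reported rather than silently skipped.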
The comprehensive security judgement module receives the results of the inter-layer information check, processes the security alarms as a whole in combination with the security rules stored in the device, reports the intrusion behaviour that has occurred and gives recommendations to the threat detection administrator.
The conclusions of the comprehensive security judgement module comprise:
For the following alarms, an operating guideline of severity "serious" is given:
(1) alarm for a program block or data block download to a controller outside debug mode;
(2) alarm for deletion of a program block or database in the controller outside debug mode;
(3) alarm for a change of the operating mode or configuration of a controller outside debug mode;
(4) alarm for a change of the configuration of a fieldbus measurement instrument (e.g. a temperature instrument) outside debug mode;
(5) alarm for a change of the configuration of field control instruments and actuators outside debug mode;
(6) alarm for illegal reads or writes to actuating equipment on the fieldbus (e.g. a frequency converter or control valve);
(7) alarm for inconsistency of a key process parameter between the detection layers;
(8) alarm for inconsistency of a key control instruction between the detection layers;
(9) alarm for inconsistency of a key control parameter between the detection layers;
(10) alarm for an illegal control instruction, or for an instruction value or rate of change beyond its limit;
(11) alarm for control-network traffic exceeding its threshold;
(12) alarm for fieldbus network traffic exceeding its threshold;
(13) alarm for an illegal message that cannot be parsed.
For the following alarms, an operating guideline of severity "medium" is given:
(1) alarm for a key process parameter value or rate of change exceeding its threshold;
(2) alarm for a read instruction whose address space is outside the permitted range;
(3) alarm for an illegal instruction type;
(4) alarm for reading a controller program outside debug mode;
(5) alarm for a threat against a host system.
For all other alarms, an operating guideline of severity "low" is given.
Security parameter configuration interface comprises system-level threat detection cell location module, net control threat detection cell location module and fieldbus threat detection cell location module.Its function completed comprises:
(1) crucial technological parameter and secure threshold thereof are set;
(1) controling parameters and threshold value thereof are set;
(3) steering order and the relevant parameter of and instruction are set;
(4) parameter relevant with main frame threat detection is set;
(5) setting detects relevant network parameter with fieldbus;
(6) network parameter relevant with net control threat detection is set;
(7) firewall information is set and merges the parameter needed;
(8) parameter that other threat detection are relevant.
This module is the present invention and safety feature are deployed to different Industry Control scenes provide customization function.
The information relevant with specific embodiment and control system of safety detection database stores user configuration, the white list that slave firewall information fusion unit and main frame threat detection unit etc. obtain and other security parameters are the service of each threat detection unit.
The embodiment of the present invention can be deployed in an industrial control system to detect the full range of threat behaviour within it: whether there is threat behaviour that intrudes into the underlying industrial control devices through the management system, whether there is threat behaviour against the control system hosts, whether there is threat behaviour against the controllers, and whether there is threat behaviour against the control network or the fieldbus network. It raises alarm information of the appropriate grade in time, thereby effectively protecting the existing industrial control system and the physical process it controls. The embodiment of the present invention does not intercept or otherwise process the existing industrial control data, so it does not affect the operation of the existing industrial control system. The embodiment of the present invention is highly generic, that is, it is applicable to threat detection in industrial control systems of different industries. At the same time, individualized configuration through the security parameter configuration module allows the present invention to be applied at different industrial control sites, thereby meeting the individual threat detection needs of each industrial control system.

Claims (8)

1. A threat detection method based on key parameter fusion verification, characterized in that it comprises the following steps:
(1) a firewall information fusion unit sends the boundary-protection logs, rules and intrusion information to a system-level threat detection unit for longitudinal information fusion and verification;
(2) a host threat detection unit performs application-layer detection, namely threat detection on the host systems, OPC servers, OPC clients and real-time databases of the industrial control system, and sends the detected abnormal behaviour, together with the real-time values of the key parameters of the industrial control system collected from the database, to the system-level threat detection unit for longitudinal information fusion and verification;
(3) a control-network threat detection unit collects industrial control network messages, parses and evaluates them, and determines whether the industrial control network information flow is normal; if an abnormal message exists, the key parameter information extracted from the abnormal message is sent to the system-level threat detection unit for longitudinal information fusion and verification;
(4) a fieldbus threat detection unit collects fieldbus messages, parses and evaluates them, and determines whether the fieldbus network information flow is normal; if an abnormal message exists, the information extracted from the abnormal message and the key parameter information are sent to the system-level threat detection unit for longitudinal information fusion and verification;
(5) the system-level threat detection unit fuses the preliminary threat detection information and key parameters received from each layer, comprehensively analyses and evaluates the security state of the system, and outputs a comprehensive judgement result;
(6) a security parameter configuration interface configures the security-related parameters of the host threat detection unit, the control-network threat detection unit and the fieldbus threat detection unit;
(7) a safety detection database stores the user configuration and all threat detection data obtained from the firewall information fusion unit, and serves each threat detection unit.
2. The threat detection method according to claim 1, characterized in that operating-instruction information is incorporated into the threat detection method so as to detect external threats, misoperation by the internal operating personnel of the industrial control system, or illegal intrusion into the system.
3. The threat detection method according to claim 1, characterized in that the consistency of the control instructions and the rate of change of the control parameters associated with each instruction are detected at the control layer and the fieldbus layer.
4. The threat detection method according to claim 1, characterized in that, for a specific application scenario, the parameters relevant to the safety of that application scenario and their thresholds are set through the security parameter configuration interface.
5. The threat detection method according to claim 1, characterized in that a unified safety detection database serves each threat detection unit.
6. The threat detection method according to any one of claims 1 to 5, characterized in that the longitudinal information fusion verification comprises the following:
(1) comparing, according to timestamp, the key process parameters from the supervisory layer, the control layer and the fieldbus layer; if the difference in the value of the same parameter between different layers exceeds the specified threshold, abnormal detection information is issued;
(2) comparing, according to timestamp, the control parameters from the supervisory layer, the control layer and the fieldbus layer; if the difference in the value of the same parameter between different layers exceeds the specified threshold, abnormal detection information is issued;
(3) verifying, according to timestamp, the consistency of the control instructions across the host, control-network and fieldbus detection layers; if they are inconsistent, the system issues an alarm.
7. An industrial control system safety device, characterized in that the safety device comprises a firewall information fusion unit that performs boundary protection, a host threat detection unit that detects abnormal behaviour of the control system hosts, a control-network threat detection unit that detects abnormal behaviour of the control network, a fieldbus threat detection unit that detects abnormal fieldbus behaviour within the current unit, and a system-level threat detection unit; the system-level threat detection unit integrates the threat detection information of each of the above layers and performs a comprehensive judgement to determine the threat level faced by the system.
8. The safety device according to claim 7, characterized in that the security parameter configuration interface of the safety device configures the security-related parameters of the threat detection units, the threat detection units being the host threat detection unit, the control-network threat detection unit and the fieldbus threat detection unit.
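The longitudinal fusion verification of claim 6 (comparing key process parameters, control parameters and control instructions across the supervisory, control and fieldbus layers by timestamp) and the rate-of-change check of claim 3, shown as an added illustrative example in Python. This is not code from the patent or its applicant. The layer names, the one-second alignment window, the thresholds and the sample readings (a set-point write that leaves the host as 50.0 but reaches the fieldbus as 80.0 while the supervisory layer keeps reporting 50.0) are all constructed assumptions.

```python
"""Longitudinal (cross-layer) fusion verification of key parameters.

Added illustrative example; not code from the patent or its applicant.
Layer names, window size, thresholds and all sample data are assumptions.
"""
from collections import defaultdict
from typing import Dict, Tuple

# A reading is (timestamp_seconds, value); an instruction observation is
# (timestamp_seconds, (opcode, target, argument)).
Reading = Tuple[float, float]
Instr = Tuple[str, str, float]


def align(per_layer: Dict[str, list], window: float) -> Dict[int, dict]:
    """Group each layer's observations into time buckets of `window` seconds.

    Readings taken by different layers are never perfectly simultaneous, so
    "according to timestamp" is implemented as: same bucket == same moment.
    Within a bucket the latest observation of a layer wins.
    """
    buckets: Dict[int, dict] = defaultdict(dict)
    for layer, series in per_layer.items():
        for ts, obs in sorted(series):
            buckets[int(ts // window)][layer] = obs
    return buckets


def verify_parameter(name, per_layer, max_diff, window=1.0):
    """Claim 6 (1)/(2): flag every bucket in which the same parameter differs
    by more than max_diff between any two layers.
    Returns (name, time, layer_a, layer_b, difference) tuples."""
    findings = []
    for bucket, vals in sorted(align(per_layer, window).items()):
        layers = sorted(vals)  # deterministic pair order
        for i, a in enumerate(layers):
            for b in layers[i + 1:]:
                diff = abs(vals[a] - vals[b])
                if diff > max_diff:
                    findings.append((name, bucket * window, a, b, diff))
    return findings


def verify_instructions(per_layer, window=1.0):
    """Claim 6 (3): an instruction must look the same at the host,
    control-network and fieldbus layers. Returns (time, {layer: instr})
    for each bucket whose layers disagree."""
    findings = []
    for bucket, seen in sorted(align(per_layer, window).items()):
        if len(seen) >= 2 and len(set(seen.values())) > 1:
            findings.append((bucket * window, dict(seen)))
    return findings


def verify_rate(name, series, max_rate_per_s):
    """Claim 3: rate of change of a control parameter within one layer.
    Returns (name, time, rate) for each step that exceeds max_rate_per_s."""
    findings = []
    pts = sorted(series)
    for (t0, v0), (t1, v1) in zip(pts, pts[1:]):
        if t1 > t0:
            rate = abs(v1 - v0) / (t1 - t0)
            if rate > max_rate_per_s:
                findings.append((name, t1, rate))
    return findings


# Constructed sample (assumption): a set-point write of 50.0 is issued at the
# host but arrives at the fieldbus as 80.0, and the supervisory layer keeps
# showing a stale 50.0 while the control and fieldbus layers report 80.0.
SAMPLE_PARAMS = {
    "pressure_setpoint": {
        "supervisory": [(10.0, 50.0), (11.0, 50.0), (12.0, 50.0)],
        "control":     [(10.1, 50.0), (11.1, 80.0), (12.1, 80.0)],
        "fieldbus":    [(10.2, 50.0), (11.2, 80.0), (12.2, 80.0)],
    },
}
SAMPLE_INSTRS = {
    "host":     [(11.0, ("WRITE", "PLC1.SP", 50.0))],
    "control":  [(11.1, ("WRITE", "PLC1.SP", 80.0))],
    "fieldbus": [(11.2, ("WRITE", "PLC1.SP", 80.0))],
}
THRESHOLDS = {"pressure_setpoint": 5.0}   # tolerated cross-layer difference
MAX_RATE = {"pressure_setpoint": 10.0}    # units per second


def run_sample():
    """Run all three checks over the constructed sample; returns
    (parameter findings, instruction findings, rate findings)."""
    params, rates = [], []
    for name, per_layer in SAMPLE_PARAMS.items():
        params += verify_parameter(name, per_layer, THRESHOLDS[name])
        for layer, series in per_layer.items():
            rates += verify_rate(f"{name}@{layer}", series, MAX_RATE[name])
    return params, verify_instructions(SAMPLE_INSTRS), rates


if __name__ == "__main__":
    for group in run_sample():
        for finding in group:
            print(finding)
```

Bucketing by a fixed window stands in for the claim's "according to timestamp": the three layers never sample at exactly the same instant, and the window a deployment can afford depends on the scan cycle of its fieldbus. In the sample the instruction finding is the security-relevant one: the supervisory layer keeps reporting the value the operator wrote while the controller is executing a different one, which is exactly the discrepancy the cross-layer comparison exists to expose.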
CN201510984622.7A 2015-12-24 2015-12-24 A kind of threat detection method and safety device based on key parameter fusion verification Active CN105573291B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510984622.7A CN105573291B (en) 2015-12-24 2015-12-24 A kind of threat detection method and safety device based on key parameter fusion verification


Publications (2)

Publication Number Publication Date
CN105573291A true CN105573291A (en) 2016-05-11
CN105573291B CN105573291B (en) 2018-05-18

Family

ID=55883545


Country Status (1)

Country Link
CN (1) CN105573291B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106054840A (en) * 2016-06-29 2016-10-26 北京科技大学 Whole process product quality online control system
CN106161084A (en) * 2016-06-15 2016-11-23 中国电子科技网络信息安全有限公司 A kind of protecting information safety device and method being applicable to fieldbus networks
CN106774248A (en) * 2016-12-08 2017-05-31 北京立思辰新技术有限公司 A kind of behavior pattern safety protecting method based on slave computer
CN107045325A (en) * 2017-06-02 2017-08-15 四川谊田集群科技有限公司 A kind of control method and device based on characteristics of objects value
CN107491057A (en) * 2016-06-10 2017-12-19 通用电气公司 The system and method and computer-readable medium of safeguard industries assets control system
CN111381567A (en) * 2018-12-27 2020-07-07 北京安控科技股份有限公司 Safety detection system and method for industrial control system
CN112230610A (en) * 2020-09-16 2021-01-15 中国科学院合肥物质科学研究院 Network system of helium low-temperature control system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036886A (en) * 2012-12-19 2013-04-10 珠海市鸿瑞软件技术有限公司 Industrial controlling network safety protecting method
CN103401756A (en) * 2013-08-21 2013-11-20 北京华烽泰特科技有限公司 Security protection system used for industrial network
CN103491108A (en) * 2013-10-15 2014-01-01 浙江中控研究院有限公司 Method and system for security protection of industrial control network
CN103944915A (en) * 2014-04-29 2014-07-23 浙江大学 Threat detection and defense device, system and method for industrial control system
CN104615096A (en) * 2014-12-04 2015-05-13 深圳市永达电子股份有限公司 Method and system for guaranteeing information security of industrial control system



Also Published As

Publication number Publication date
CN105573291B (en) 2018-05-18


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant