CN105573291B - A kind of threat detection method and safety device based on key parameter fusion verification - Google Patents


Info

Publication number
CN105573291B
Authority
CN
China
Prior art keywords
threat detection
information
detection unit
parameter
threat
Prior art date
Legal status
Active
Application number
CN201510984622.7A
Other languages
Chinese (zh)
Other versions
CN105573291A (en)
Inventor
陈冬青
张翀斌
谢丰
彭勇
伊胜伟
Current Assignee
China Information Technology Security Evaluation Center
Original Assignee
China Information Technology Security Evaluation Center
Priority date
Filing date
Publication date
Events
Application filed by China Information Technology Security Evaluation Center
Priority to CN201510984622.7A
Publication of CN105573291A
Application granted
Publication of CN105573291B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B23/00 Testing or monitoring of control systems or parts thereof
    • G05B23/02 Electric testing or monitoring
    • G05B23/0205 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults
    • G05B23/0259 Electric testing or monitoring by means of a monitoring system capable of detecting and responding to faults, characterized by the response to fault detection
    • G05B23/0267 Fault communication, e.g. human machine interface [HMI]
    • G05B23/027 Alarm generation, e.g. communication protocol; forms of alarm
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/20 PC systems
    • G05B2219/24 PC safety
    • G05B2219/24048 Remote test, monitoring, diagnostic

Abstract

The present invention relates to a threat detection method based on fusion verification of key parameters, and to an industrial control system safety device that implements this method. The method is directed at the layered structure of industrial control systems and performs fusion verification of key parameters between the layers in the vertical (longitudinal) direction. The threat detection method first performs threat detection at each level of the industrial control system, including the fieldbus layer; then, on top of this layered detection, it performs longitudinal fusion verification of key industrial control parameters such as key process parameters, control parameters and control instructions, so as to overcome the weaknesses of per-layer detection. The invention closes the safety detection gap caused by insufficient data fusion in existing industrial control system defence in depth, while meeting the individual requirements of industrial control systems for threat detection apparatus; it realizes comprehensive threat detection for industrial control system security, improves the security of the industrial control system, and ensures safe and stable operation of the controlled process.

Description

A kind of threat detection method and safety device based on key parameter fusion verification
Technical field
The invention belongs to the field of industrial control systems and mainly relates to a threat detection method and safety device based on key parameter fusion verification.
Background technology
Industrial control systems, in particular those of critical infrastructure, are an important component of national security, and so is their information security. In recent years the frequent network intrusion incidents have not only seriously threatened the safe and stable operation of critical infrastructure but may also cause loss of life and property. Strengthening intrusion detection for industrial control systems is of important theoretical and practical significance for raising their information security level.
Because of the complexity of industrial control systems, a single prevention strategy can hardly guarantee their information security. Given the structural characteristics of industrial control systems and their information security needs, defence in depth has become the mainstream protection scheme for industrial control system information security. From the technical and management point of view, a defence-in-depth scheme protects the industrial control system by strengthening security zoning, boundary intrusion detection, host intrusion detection and control network intrusion detection, and carries out intrusion detection and protection layer by layer, following the hierarchical arrangement of the industrial control network.
However, this protection scheme largely borrows the information security protection techniques of IT systems, ignores the essential characteristics of industrial control systems, and lacks information fusion across the vertical layers. Its main defects are:
(1) An industrial control system is a complex industrial control network formed by interconnecting a layered network structure. Existing defence-in-depth technology is oriented towards threat detection at the supervisory layer and the control layer and ignores detection of the fieldbus layer network, the most important layer of the industrial control network. An industrial control system is a cyber-physical system: the fieldbus network is directly connected to the equipment that measures and adjusts the parameters of the physical process, and every other threat or attack can only do serious damage to the physical process and equipment by passing through the fieldbus network;
(2) The various data in an industrial control system, such as measurement and control information, are consistent across the fieldbus layer, the control network layer and the management layer, i.e. the value of any variable at any moment is the same at all layers. By longitudinally checking the key parameters of the industrial control system together with their time scale, anomalies in the control system can be found, and a network intrusion is likely to be the source of such anomalies. Existing schemes ignore verification of data consistency between the different layers;
(3) The core of the industrial control network data flow is process production data, operating instructions, control parameters, equipment status information and control device configuration parameters. This differs significantly from the information flow on a traditional IT network, and existing schemes do not make full use of this characteristic for safety detection and protection;
(4) The structure of an industrial control network is relatively stable and its operating mode is relatively static. This characteristic can therefore be exploited for much more effective threat detection of industrial control network information.
The content of the invention
In view of the above problems, the present invention provides a longitudinally layered threat detection method with inter-layer fusion, and an industrial control system information safety device implementing the method. Structurally the method still belongs to the defence-in-depth family and absorbs the advantages of the traditional solution: security zoning, longitudinal layering and boundary protection. In addition, the invention provides a method for threat detection at the fieldbus layer of the industrial control system, in order to strengthen threat detection for the fieldbus layer, which is in closest contact with the physical process. At the same time, to overcome the lack of longitudinal data fusion in previous defence-in-depth systems, and on top of the added fieldbus-layer threat detection, it uses key parameters such as key process parameters, control parameters and operating instructions as detection objects and carries out longitudinal information fusion verification between the layers, so as to discover threats or abnormal behaviour that cannot be detected within a single detection level. To address the individualized requirements for threat detection apparatus in industrial control field applications, the invention proposes a method for configuring the threat detection parameters. The present invention also provides a safety device that implements this method.
The specific technical solution of the application is as follows:
A threat detection method based on key parameter fusion verification comprises the following steps:
(1) The firewall information fusion unit sends the logs, rules and intrusion information of the boundary protection to the system-level threat detection unit for longitudinal information fusion and verification;
(2) The host threat detection unit performs application-layer detection, i.e. threat detection of the industrial control system's host computer systems (operator stations, engineer stations), OPC (Object Linking and Embedding for Process Control) servers, OPC clients, real-time databases and so on, and sends the detected abnormal behaviour together with the real-time values of the key parameters of the industrial control system collected from the database to the system-level threat detection unit for longitudinal information fusion and verification;
(3) The control network threat detection unit collects industrial control network messages, analyses and judges them, and determines whether the control network information flow is normal. If there is an abnormal message, the key parameter information in it, for example key process parameters (such as reactor pressure), control parameters (such as proportional band, integral time or derivative time) and operating instructions (such as device start, stop, or switching between manual and automatic), is extracted and sent to the system-level threat detection unit for longitudinal information fusion and verification;
(4) The fieldbus threat detection unit collects fieldbus messages, analyses and judges them, and determines whether the fieldbus network information flow is normal. If there is an abnormal message, the information of the abnormal message and the extracted key parameter information are sent to the system-level threat detection unit for longitudinal information fusion and verification;
(5) The system-level threat detection unit fuses the preliminary threat detection information and key parameters received from each layer, comprehensively analyses and judges the safety state of the system, and gives a comprehensive judgement result.
(6) The security parameter configuration interface configures the security-related parameters of the host threat detection, control network threat detection and fieldbus threat detection units.
(7) The safety detection database stores the user's configuration and the full set of threat detection data obtained from the firewall information fusion unit, and serves each threat detection unit.
The method is aimed at the characteristics of industrial control systems and the safety requirements of process production, and incorporates key process parameter information and its constant values into the threat detection method.
Operating instruction information is incorporated into the threat detection method, so that not only external threats but also operator errors and illegal intrusions into the system from inside the industrial control system can be detected.
The method also incorporates control parameter information into the threat detection method.
For the layered structure of industrial control systems, a fieldbus threat detection unit is added to the hierarchical structure of traditional defence in depth. This unit performs threat detection for the fieldbus units that are closest to the physical process and equipment, thereby realizing detection of the fieldbus data stream.
At the control layer and the fieldbus layer, the consistency of control instructions and the rate of change of the control parameters related to the instructions are detected.
For a specific application scenario, the application's security-related parameters and their thresholds can be set through the security parameter configuration interface, meeting the individual requirements of industrial control system threat detection.
The system uses a unified safety detection database to serve each threat detection unit.
The longitudinal information fusion verification comprises the following:
(1) According to the timestamp, the key process parameters from the supervisory layer, the control layer and the fieldbus layer are compared; if the difference in the value of the same parameter between different layers exceeds the specified threshold, abnormal detection information is sent;
(2) According to the timestamp, the control parameters from the supervisory layer, the control layer and the fieldbus layer are compared; if the difference in the value of the same parameter between different layers exceeds the specified threshold, abnormal detection information is sent;
(3) According to the timestamp, the consistency of the control instructions at the host, control and fieldbus detection layers is verified. If they are inconsistent, the system sends an alarm.
An industrial control system safety device comprises: a firewall information fusion unit, which carries out boundary protection; a host threat detection unit, directed at abnormal behaviour of control system hosts; a control network threat detection unit, which detects abnormal behaviour on the control network; a fieldbus threat detection unit, which detects abnormal behaviour on the fieldbus; and a system-level threat detection unit, which integrates the threat detection information of the above layers and makes a comprehensive judgement of the threat level the system faces. A security parameter configuration interface configures the security-related parameters of the threat detection units (host threat detection, control network threat detection and fieldbus detection).
For a specific application scenario, the safety device of the present invention can set the application's security-related parameters and their thresholds through the security parameter configuration interface, thereby meeting the individual requirements of industrial control system threat detection.
The technical effects of the present invention are:
(1) A fieldbus layer threat detection function is added to the structure, enriching the hierarchy so that threat detection for the industrial control network is more comprehensive and complete;
(2) Information fusion between the threat detection modules of each layer is strengthened in the longitudinal direction, making full use of the information of each layer's threat detection system, so that threat detection for the entire industrial control system is carried out better and the problems of previous schemes, in which each layer performed threat detection independently, are overcome;
(3) A threat detection method based on longitudinal fusion and verification of key process parameters is provided, strengthening the targeting and global coverage of threat detection for the system, and a specific method for longitudinal data fusion and verification is proposed.
(4) Detection of the critical equipment in the industrial control system, i.e. controllers and measurement and control instruments, is provided; when the upper-layer threat detection units cannot detect abnormal behaviour, detection aimed at controllers and field measurement and control instruments helps to discover the threat such abnormal behaviour poses to field-layer equipment.
(5) Based on the idea of longitudinal defence in industrial control threat detection, and according to the structural characteristics and operating mode of industrial control systems, a method of adding fieldbus layer threat detection in the longitudinal direction is proposed to make up for the gaps and deficiencies of conventional methods. A threat detection method based on inter-layer fusion of key parameters is also proposed to expose the shortcomings of conventional threat detection and protection systems built on independent layers, strengthening the data integration and analysis of each industrial control threat detection subsystem and further improving the threat detection capability of industrial control systems.
Description of the drawings
Fig. 1 is a structural schematic diagram of the industrial control system threat detection system of Embodiment 1;
Fig. 2 is a structural block diagram of the industrial control system information safety device implementing Fig. 1.
Specific embodiment
In the following, the content of the present invention is further illustrated with an embodiment, but the protection scope of the present invention is not limited to the embodiment. Other changes and modifications made by those skilled in the art without departing from the spirit and scope of the present invention are included within the scope of the present invention.
Embodiment 1
Fig. 1 is a structural schematic diagram of the industrial control system threat detection of Embodiment 1. The system mainly performs threat detection for a typical industrial control system comprising a fieldbus layer, a control layer, a supervisory layer, a dispatch layer and an office layer.
The equipment detected at the field layer mainly includes measuring instruments, actuators, frequency converters and remote input/output units.
The main equipment detected at the control layer includes the controllers of distributed control systems, programmable controllers, remote terminal units and similar equipment.
The equipment mainly detected by the host threat detection unit includes the servers, OPC servers and workstations (operator stations, engineer stations, etc.) of the control system.
The firewall installed between the control layer and the dispatch layer detects the information exchange between these two layers and provides detection results and whitelist information to the system-level threat detection unit.
The firewall between the dispatch layer and the office layer detects the information exchange between these two layers and provides detection results and whitelist information to the system-level threat detection unit.
Fig. 2 is a structural block diagram of an industrial control system safety device according to a preferred embodiment of the invention.
The main threat detection units include the fieldbus threat detection unit, which detects the field layer; the control layer threat detection unit, which detects the control layer and supervisory layer network; the host threat detection unit, which detects supervisory layer hosts; the firewall information fusion unit, which fuses information from the industrial control system firewalls; and the system-level threat detection unit, which collects the information of these threat detection units for comprehensive analysis and judgement.
The firewall information fusion unit uses the firewall functions to carry out industrial control system boundary protection. It communicates with the firewall through the firewall interface and sends the firewall's logs, rules and intrusion information to the system-level threat detection unit for longitudinal information fusion and verification; the firewall's real-time protection information, particularly when an anomaly is detected, is sent to the system-level threat detection unit immediately.
The host threat detection unit uses a threat detection unit on the host, connected through the host interface to the industrial control system's host interface, to perform threat detection on the industrial control system host computer systems (operator stations, engineer stations, OPC (Object Linking and Embedding for Process Control) servers, real-time databases, etc.). The security system extraction module of the host threat detection unit sends the host threat detection result, the real-time values of the key process parameters, and the alarm log and operation log of the host computer system to the system-level threat detection unit for longitudinal information fusion and verification.
The control network threat detection unit communicates with the control bus through the control bus interface. A typical industrial control system has only one control network.
The control network threat detection unit comprises a data acquisition module, a data extraction module, a threat analysis module, a threat judgement module and an alarm module.
The data acquisition module acquires control network traffic and data messages through the control network interface unit.
The data extraction module first performs protocol analysis of the data message and checks whether the source physical address, source logical address, destination physical address and destination logical address in the message are consistent with the whitelist. If they are inconsistent, the message is determined to be infected information; the control network threat detection unit sends an alarm and forwards the relevant information to the system-level threat detection unit for comprehensive judgement.
Through protocol analysis the data extraction module also extracts the process parameters, control parameters, operations on the controller (such as program download) and control instructions contained in the message.
The threat analysis module first analyses the network traffic in the control network and uses the Pauta criterion to judge whether the traffic is abnormal. If it is abnormal, it determines that there is threat behaviour, including intrusion into the control network; the control network threat detection unit alarms and at the same time sends the detection result to the system-level threat detection unit.
Based on the information extracted above, the threat analysis module also completes the following detection functions:
(1) The key parameter values are compared with the configured threshold range; if a value exceeds the threshold, an alarm is raised and the value is sent to the system-level threat detection unit.
(2) The rate of change of the key parameters is compared with the configured threshold; if it exceeds the threshold, an alarm is raised and the value is sent to the system-level threat detection unit.
(3) Read and write operations on the controller are detected; once any of the following events occurs, the threat detection unit alarms and sends the result to the system-level threat detection unit:
1) the parameter address space of a read/write operation on the controller is not within the range allowed by the system;
2) a controller parameter is changed beyond the configured threshold range;
3) an illegal instruction is issued to the controller;
4) a program is downloaded to the controller outside debugging mode;
5) a data file or data block is downloaded to the controller outside debugging mode;
6) the controller configuration is changed outside debugging mode;
7) a start or stop operation is performed on the controller outside debugging mode.
The fieldbus threat detection unit communicates with the field bus through the fieldbus interface. A large industrial control system has n fieldbuses.
The fieldbus threat detection unit comprises a data acquisition module, a data extraction module, a threat analysis module, an anomaly judgement module and an alarm module.
The data acquisition module collects fieldbus network traffic and data messages through the fieldbus interface unit.
The data extraction module first performs protocol analysis of the data message and checks whether the source physical address, source logical address, destination physical address and destination logical address in the message are consistent with the whitelist. If they are inconsistent, the message is determined to be infected information; the fieldbus threat detection unit sends an alarm and forwards the relevant information to the system-level threat detection unit for comprehensive judgement.
Through protocol analysis the data extraction module also extracts the process parameters, control parameters and instructions contained in the message.
The threat analysis module first analyses the network traffic in the fieldbus network and uses the Pauta criterion to judge whether the traffic is abnormal. If it is abnormal, it determines that there is intrusion behaviour against the fieldbus network; the fieldbus threat detection unit alarms and at the same time sends the detection result to the system-level threat detection unit.
Based on the information extracted above, the threat analysis module also completes the following detection functions:
(1) The key parameter values are compared with the configured threshold range; if a value exceeds the threshold, an alarm is raised and the value is sent to the system-level threat detection unit;
(2) The rate of change of the key parameters is compared with the configured threshold; if it exceeds the threshold, an alarm is raised and the value is sent to the system-level threat detection unit;
(3) The control devices connected to the fieldbus network (actuators, frequency converters, etc.) are detected, including detection of write contents, address space and the parameter settings of instructions. If any of the following situations occurs, the threat detection unit alarms and sends the result to the system-level threat detection unit:
1) the parameter address space of a read/write operation on a measurement and control device on the bus is not within the range allowed by the system;
2) a parameter of a measurement and control device on the bus is changed beyond the configured threshold range;
3) an illegal instruction is issued to a measurement and control device on the bus;
4) a data file or data block is downloaded to a measurement and control device on the bus outside debugging mode;
5) the configuration of a measurement and control device on the bus is changed outside debugging mode;
6) a start or stop operation is performed on a control device on the bus outside debugging mode.
The above threat detection process is also implemented for the other (n-1) fieldbuses.
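The following Python sketch is an added illustration, not code from the patent, of the message-level checks described above for the control network and fieldbus threat detection units: the whitelist check on the four address fields, the Pauta (3σ) traffic criterion, the key-parameter threshold and rate-of-change checks, and the debugging-mode and address-space rules for operations on controllers and bus devices. Message fields, the parameter name and limits, the whitelist entries and the traffic samples are constructed assumptions.

```python
"""Per-layer checks of a control-network / fieldbus threat detection unit.
Added example; message layout, limits and sample values are constructed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional

# Instruction types treated as legal for controllers and bus devices (assumed set).
LEGAL_INSTRUCTIONS = {"read", "write", "start", "stop",
                      "download_program", "download_data", "change_config"}
# Operations the description only permits in debugging mode.
DEBUG_ONLY_OPS = {"download_program", "download_data", "change_config", "start", "stop"}


@dataclass
class Message:
    ts: float                       # capture timestamp, seconds
    src_phys: str                   # source physical (MAC) address
    src_log: str                    # source logical (IP / station) address
    dst_phys: str                   # destination physical address
    dst_log: str                    # destination logical address
    op: str                         # instruction / operation type
    address: Optional[int] = None   # register address touched by a read/write
    param: Optional[str] = None     # key parameter carried by the message, if any
    value: Optional[float] = None   # its value


@dataclass
class LayerDetector:
    whitelist: set            # allowed (src_phys, src_log, dst_phys, dst_log) tuples
    param_limits: dict        # param -> (low, high, max_rate_per_second)
    address_range: tuple      # (low, high) register addresses the system allows
    debug_mode: bool = False  # True only while commissioning / debugging
    _last: dict = field(default_factory=dict)   # param -> (ts, value) for rate check

    def check_addresses(self, m: Message) -> list:
        """Whitelist check on the four address fields; a miss is 'infected information'."""
        key = (m.src_phys, m.src_log, m.dst_phys, m.dst_log)
        return [] if key in self.whitelist else ["infected: address tuple not in whitelist"]

    def check_parameter(self, m: Message) -> list:
        """Threshold-range and rate-of-change checks on a key parameter value."""
        alerts = []
        if m.param is None or m.param not in self.param_limits:
            return alerts
        low, high, max_rate = self.param_limits[m.param]
        if not low <= m.value <= high:
            alerts.append(f"{m.param} out of range: {m.value}")
        prev = self._last.get(m.param)
        if prev is not None and m.ts > prev[0]:
            rate = abs(m.value - prev[1]) / (m.ts - prev[0])
            if rate > max_rate:
                alerts.append(f"{m.param} rate of change {rate:.2f}/s exceeds {max_rate}")
        self._last[m.param] = (m.ts, m.value)
        return alerts

    def check_operation(self, m: Message) -> list:
        """Illegal instruction, debugging-mode-only operation and address-space checks."""
        alerts = []
        if m.op not in LEGAL_INSTRUCTIONS:
            alerts.append(f"illegal instruction {m.op!r}")
        if m.op in DEBUG_ONLY_OPS and not self.debug_mode:
            alerts.append(f"{m.op} issued outside debugging mode")
        lo, hi = self.address_range
        if m.address is not None and not lo <= m.address <= hi:
            alerts.append(f"address {m.address} outside allowed range {self.address_range}")
        return alerts

    def inspect(self, m: Message) -> list:
        """All message-level checks; a non-empty result is what the unit forwards upward."""
        return self.check_addresses(m) + self.check_parameter(m) + self.check_operation(m)


def pauta_outliers(baseline: list, samples: list) -> list:
    """Pauta (3-sigma) criterion: indices of traffic samples (e.g. packets per second)
    lying outside mean +/- 3*sigma of the baseline measurements."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return [i for i, x in enumerate(samples) if abs(x - mu) > 3 * sigma]


# Constructed sample configuration and traffic baseline.
WHITELIST = {("00:11:22:33:44:55", "10.0.1.10", "00:aa:bb:cc:dd:ee", "10.0.1.20")}
LIMITS = {"reactor_pressure": (0.0, 5.0, 0.5)}   # MPa; at most 0.5 MPa per second
BASELINE_PPS = [100, 102, 98, 101, 99, 100, 103, 97, 100, 101]


def demo_detector() -> LayerDetector:
    return LayerDetector(whitelist=WHITELIST, param_limits=LIMITS, address_range=(0, 1023))


if __name__ == "__main__":
    d = demo_detector()
    ok = Message(0.0, "00:11:22:33:44:55", "10.0.1.10", "00:aa:bb:cc:dd:ee", "10.0.1.20",
                 "read", address=100, param="reactor_pressure", value=2.0)
    bad = Message(1.0, "00:11:22:33:44:55", "10.0.1.10", "00:aa:bb:cc:dd:ee", "10.0.1.20",
                  "write", address=2000, param="reactor_pressure", value=4.0)
    print(d.inspect(ok), d.inspect(bad), pauta_outliers(BASELINE_PPS, [101, 150, 99]))
```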
The system-level threat detection unit comprises an inter-layer information summarizing module, an inter-layer information checking module and a comprehensive safety judgement module.
The inter-layer information summarizing module communicates with the firewall information fusion unit, the host threat detection unit, the control network threat detection unit and the fieldbus threat detection unit, and receives the layer detection results they send.
According to the timestamp, the inter-layer information checking module compares the same key process parameter from the supervisory layer, the control layer and the bus layer; if the difference between the parameter values exceeds the preset threshold, it performs alarm processing and at the same time sends the alarm information to the comprehensive safety judgement module.
According to the timestamp, the inter-layer information checking module compares the same key control parameter from the supervisory layer, the control layer and the bus layer; if the difference between the parameter values exceeds the preset threshold, it performs alarm processing and at the same time sends the alarm information to the comprehensive safety judgement module.
According to the timestamp, the inter-layer information checking module compares the same key control instruction from the supervisory layer, the control layer and the bus layer; if the instruction types are inconsistent or the difference between the operands associated with the instruction exceeds the preset threshold, it performs alarm processing and at the same time sends the alarm information to the comprehensive safety judgement module.
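As an added illustration (not the patent's own code), the following Python implements the longitudinal checks described above, and in the "longitudinal information fusion verification" list earlier, for key process parameters, control parameters and control instructions. It assumes each layer's detection unit delivers timestamped records and that records from different layers are matched within a tolerance window; layer names, field names, the tolerance and all sample values are constructed.

```python
"""Inter-layer (longitudinal) fusion check of the system-level threat detection unit.
Added example; record layout, tolerance and sample values are constructed."""
from dataclasses import dataclass

LAYERS = ("supervisory", "control", "fieldbus")   # host, control and fieldbus detection layers


@dataclass(frozen=True)
class Reading:
    layer: str
    ts: float      # timestamp reported by the layer's detection unit, seconds
    name: str      # key process parameter or control parameter
    value: float


@dataclass(frozen=True)
class Instruction:
    layer: str
    ts: float
    kind: str              # instruction type, e.g. "start", "stop", "set_output"
    operand: float = 0.0   # operand associated with the instruction, 0.0 if none


def _nearest(records, layer, ts, tolerance):
    """Record of `layer` closest in time to `ts`, or None if none lies within
    `tolerance` seconds (the layers do not sample at exactly the same instant)."""
    cands = [r for r in records if r.layer == layer and abs(r.ts - ts) <= tolerance]
    return min(cands, key=lambda r: abs(r.ts - ts)) if cands else None


def _group(records, ref, tolerance):
    """The reference record plus its time-matched counterparts in the other layers."""
    others = (_nearest(records, layer, ref.ts, tolerance) for layer in LAYERS[1:])
    return [ref] + [m for m in others if m is not None]


def verify_parameter(readings, name, threshold, tolerance=0.5):
    """Compare the same key parameter across the three layers at each supervisory
    timestamp; alert when the spread between layers exceeds `threshold`."""
    alerts = []
    same = [r for r in readings if r.name == name]
    for ref in (r for r in same if r.layer == LAYERS[0]):
        group = _group(same, ref, tolerance)
        if len(group) < len(LAYERS):
            continue   # the description does not define a missing layer sample; skip
        values = [r.value for r in group]
        spread = max(values) - min(values)
        if spread > threshold:
            alerts.append((ref.ts, name, f"cross-layer spread {spread:.2f} exceeds {threshold}"))
    return alerts


def verify_instruction(instructions, operand_threshold, tolerance=0.5):
    """Check that an instruction seen at the supervisory layer appears with the same
    type, and an operand within `operand_threshold`, at the control and fieldbus layers."""
    alerts = []
    for ref in (i for i in instructions if i.layer == LAYERS[0]):
        group = _group(instructions, ref, tolerance)
        if len(group) < len(LAYERS):
            continue
        kinds = sorted({i.kind for i in group})
        if len(kinds) > 1:
            alerts.append((ref.ts, "instruction", f"type mismatch across layers: {kinds}"))
            continue
        ops = [i.operand for i in group]
        spread = max(ops) - min(ops)
        if spread > operand_threshold:
            alerts.append((ref.ts, "instruction",
                           f"operand spread {spread:.2f} exceeds {operand_threshold}"))
    return alerts


# Constructed samples: at t=20 the fieldbus layer reports a pressure the upper layers
# never saw; at t=40 the fieldbus carries "start" where the host issued "stop".
SAMPLE_READINGS = [
    Reading("supervisory", 10.0, "reactor_pressure", 2.10),
    Reading("control", 10.1, "reactor_pressure", 2.12),
    Reading("fieldbus", 10.05, "reactor_pressure", 2.11),
    Reading("supervisory", 20.0, "reactor_pressure", 2.15),
    Reading("control", 20.1, "reactor_pressure", 2.14),
    Reading("fieldbus", 20.05, "reactor_pressure", 3.40),
]
SAMPLE_INSTRUCTIONS = [
    Instruction("supervisory", 30.0, "set_output", 45.0),
    Instruction("control", 30.1, "set_output", 45.0),
    Instruction("fieldbus", 30.2, "set_output", 45.0),
    Instruction("supervisory", 40.0, "stop"),
    Instruction("control", 40.1, "stop"),
    Instruction("fieldbus", 40.2, "start"),
]

if __name__ == "__main__":
    for alert in (verify_parameter(SAMPLE_READINGS, "reactor_pressure", 0.2)
                  + verify_instruction(SAMPLE_INSTRUCTIONS, 1.0)):
        print(alert)
```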
The comprehensive safety judgement module receives the inter-layer information checking results and, with reference to the safety rules stored in the safety device, comprehensively processes the security alarms, reports the intrusion behaviour that has occurred and gives the threat detection administrator a suggested course of action.
The conclusions of the comprehensive safety judgement module include:
For the following alarm information, an operating guideline of severity level "serious" is given:
(1) alarm of a program block or data block download operation to the controller outside debugging mode;
(2) alarm of deletion of a program block or database in the controller outside debugging mode;
(3) alarm of a change to the controller's operating mode or configuration outside debugging mode;
(4) alarm of a change to the configuration of a fieldbus measuring instrument (such as a temperature instrument) outside debugging mode;
(5) alarm of a change to the configuration of field control instruments and actuators outside debugging mode;
(6) alarm of an illegal read/write of an execution device (such as a frequency converter or regulating valve) on the fieldbus;
(7) alarm of inconsistency of a key process parameter between the data of different control layers;
(8) alarm of inconsistency of a key control instruction between the data of different control layers;
(9) alarm of inconsistency of a key control parameter between the data of different control layers;
(10) alarm of an illegal control instruction attribute, or of a value range or rate of change exceeding its limit;
(11) alarm of control network traffic exceeding the threshold;
(12) alarm of fieldbus network traffic exceeding the threshold;
(13) alarm of infected information that cannot be parsed.
For the following alarm information, an operating guideline of severity level "medium" is given:
(1) alarm of the value range or rate of change of a key process parameter exceeding its limit;
(2) alarm that the read address space of an instruction is not within the allowed range;
(3) alarm of an illegal instruction type;
(4) alarm of reading the controller program outside debugging mode;
(5) alarm of a threat to the host computer system.
For other alarm information, an operating guideline of severity level "low" is given.
The security parameter configuration interface comprises a system-level threat detection unit configuration module, a control network threat detection unit configuration module and a fieldbus threat detection unit configuration module. Its functions include:
(1) setting the key process parameters and their security thresholds;
(2) setting the control parameters and their thresholds;
(3) setting the control instructions and the parameters associated with each instruction;
(4) setting the parameters related to host threat detection;
(5) setting the network parameters related to fieldbus detection;
(6) setting the network parameters related to control network threat detection;
(7) setting the parameters needed for firewall information fusion;
(8) setting the parameters of the other threat detections.
This module provides the customization that lets the safety device of the present invention be deployed in different industrial control scenarios.
The safety detection database stores the user configuration and the information related to the specific embodiment and the control system, together with the whitelists and other security parameters obtained from the firewall information fusion unit and the host threat detection unit, and serves every threat detection unit.
The embodiment of the present invention can be deployed in an industrial control system to detect the full range of threat behaviour in it: whether threat behaviour against the underlying industrial control devices is intruding through the management system, whether there is threat behaviour against the control hosts, whether there is threat behaviour against the controllers, and whether there is threat behaviour against the control network or the fieldbus network. It raises alarm messages of the various grades in time, and thereby effectively protects the existing industrial control system and the physical process it controls. The embodiment does not intercept or otherwise process the existing industrial control data and does not interfere with the operation of the existing industrial control system. The embodiment is highly general, i.e. it is applicable to threat detection in the industrial control systems of different industries. At the same time, personalized configuration through the security parameter configuration module allows the present invention to be applied to different industrial control scenarios, so as to meet the individual threat detection requirements of each industrial control system.
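The range and change-rate overload checks described above, graded the way the page grades them (overload of a control-instruction parameter is "high", overload of a key process parameter is "medium"), as an added Python example; this is not code from the patent. The configuration dictionary, the parameter names TANK_LEVEL and VALVE_SP, the thresholds and the sample values are constructed assumptions, and because the patent does not fix how the change rate is computed, the example assumes the absolute difference between consecutive samples of the same parameter divided by the elapsed time.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed security-parameter configuration (assumed shape): the patent only
# says the configuration interface sets key process parameters, control
# parameters and their thresholds. "kind" records whether the parameter belongs
# to a control instruction or is a key process parameter, which decides the grade.
SECURITY_CONFIG: Dict[str, dict] = {
    "TANK_LEVEL": {"kind": "process", "min": 10.0, "max": 90.0, "max_rate": 5.0},
    "VALVE_SP": {"kind": "instruction", "min": 0.0, "max": 100.0, "max_rate": 20.0},
}

GRADE_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Sample:
    ts: float     # seconds
    name: str     # parameter name as configured
    value: float


@dataclass
class Alarm:
    ts: float
    name: str
    reason: str   # "range" or "rate"
    grade: str    # "high", "medium" or "low"
    detail: str


def grade_for(kind: str) -> str:
    """Grading taken from the page: overload of a control-instruction parameter
    is a 'high' alarm, overload of a key process parameter is 'medium'."""
    return "high" if kind == "instruction" else "medium"


def check_series(samples: List[Sample], config: Dict[str, dict] = SECURITY_CONFIG) -> List[Alarm]:
    """Range and change-rate overload detection over timestamped samples.
    Change rate is assumed to be |delta value| / delta t between consecutive
    samples of the same parameter (the patent does not fix the formula)."""
    alarms: List[Alarm] = []
    last: Dict[str, Sample] = {}
    for s in sorted(samples, key=lambda x: x.ts):
        cfg = config.get(s.name)
        if cfg is None:
            continue  # not a configured key parameter; other detections cover it
        grade = grade_for(cfg["kind"])
        if not cfg["min"] <= s.value <= cfg["max"]:
            alarms.append(Alarm(s.ts, s.name, "range", grade,
                                f"value {s.value} outside [{cfg['min']}, {cfg['max']}]"))
        prev = last.get(s.name)
        if prev is not None and s.ts > prev.ts:
            rate = abs(s.value - prev.value) / (s.ts - prev.ts)
            if rate > cfg["max_rate"]:
                alarms.append(Alarm(s.ts, s.name, "rate", grade,
                                    f"change rate {rate:.1f}/s exceeds {cfg['max_rate']}/s"))
        last[s.name] = s
    return alarms


def overall_grade(alarms: List[Alarm]) -> str:
    """Comprehensive judgement in the spirit of the system-level unit: report the
    most severe grade present, or 'none' when nothing fired."""
    if not alarms:
        return "none"
    return max((a.grade for a in alarms), key=GRADE_ORDER.__getitem__)


# Constructed sample data: a level that drifts, then jumps out of range, and a
# valve setpoint that is written far too fast and then beyond its limit.
SAMPLES = [
    Sample(0.0, "TANK_LEVEL", 50.0),
    Sample(1.0, "TANK_LEVEL", 52.0),   # +2.0/s, within 5.0/s
    Sample(2.0, "TANK_LEVEL", 60.0),   # +8.0/s: rate alarm (medium)
    Sample(3.0, "TANK_LEVEL", 95.0),   # above 90: range alarm, plus 35.0/s rate alarm
    Sample(0.0, "VALVE_SP", 40.0),
    Sample(1.0, "VALVE_SP", 45.0),     # +5.0/s, within 20.0/s
    Sample(2.0, "VALVE_SP", 90.0),     # +45.0/s: rate alarm (high)
    Sample(3.0, "VALVE_SP", 120.0),    # above 100: range alarm, plus 30.0/s rate alarm
]

if __name__ == "__main__":
    found = check_series(SAMPLES)
    for a in found:
        print(f"t={a.ts:4.1f} {a.grade:6} {a.name:10} {a.reason:5} {a.detail}")
    print("overall grade:", overall_grade(found))
```

Unconfigured parameters are deliberately skipped rather than alarmed, because the page leaves them to the other detection units; a deployment that wants every unknown tag flagged would turn that `continue` into a "low" alarm.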

Claims (8)

1. A threat detection method based on key parameter fusion verification, characterized by comprising the following steps:
(1) a firewall information fusion unit sends the logs, rules and intrusion information from the boundary protection to the system-level threat detection unit for longitudinal information fusion and verification;
(2) a host threat detection unit performs application-layer detection, i.e. threat detection on the host system of the industrial control system, the OPC server, the OPC client and the real-time database, and sends the detected abnormal behaviour, together with the real-time values of the key parameters of the industrial control system gathered from the database, to the system-level threat detection unit for longitudinal information fusion and verification;
(3) a control network threat detection unit collects industrial control network messages, parses and judges them, and determines whether the control network information flow is normal; if an abnormal message exists, it sends the extracted key parameter information and the abnormal message to the system-level threat detection unit for longitudinal information fusion and verification;
(4) a fieldbus threat detection unit collects fieldbus messages, parses and judges them, and determines whether the fieldbus network information flow is normal; if an abnormal message exists, it sends the extracted key parameter information and the abnormal message to the system-level threat detection unit for longitudinal information fusion and verification;
(5) the system-level threat detection unit fuses the preliminary threat detection information and the key parameters received from the firewall information fusion unit, the host threat detection unit, the control network threat detection unit and the fieldbus threat detection unit, comprehensively analyses and judges the security state of the system, and gives a comprehensive judgement result;
(6) a security parameter configuration interface configures the security-related parameters of the host threat detection unit, the control network threat detection unit and the fieldbus threat detection unit;
(7) a safety detection database stores the user configuration and all threat detection data obtained from the firewall information fusion unit, and serves every threat detection unit.
2. The threat detection method according to claim 1, characterized in that operation instruction information is incorporated into the threat detection method, so that external threats, misoperation by operating personnel inside the industrial control system and illegal intrusion of the system are detected.
3. The threat detection method according to claim 1, characterized in that, at the control layer and the fieldbus layer, the consistency of control instructions and the change rate of the control parameters associated with the instructions are detected.
4. The threat detection method according to claim 1, characterized in that, for a specific application scenario, the safety-related parameters of that scenario and their thresholds are set through the security parameter configuration interface.
5. The threat detection method according to claim 1, characterized in that a unified safety detection database serves every threat detection unit.
6. The threat detection method according to any one of claims 1 to 5, characterized in that the longitudinal information fusion verification comprises:
(1) according to timestamp, comparing the key process parameters from the supervisory layer, the control layer and the fieldbus layer; if the difference in value of the same parameter between different layers exceeds the specified threshold, issuing abnormal detection information;
(2) according to timestamp, comparing the control parameters from the supervisory layer, the control layer and the fieldbus layer; if the difference in value of the same parameter between different layers exceeds the specified threshold, issuing abnormal detection information;
(3) according to timestamp, verifying the consistency of control instructions across the host, control and fieldbus detection layers; if an inconsistency exists, the system issues an alarm.
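The three steps of the longitudinal fusion verification in claim 6, as an added Python example that is not the patent's own code. The claim only says the layers are compared "according to timestamp", so the alignment (nearest sample on each lower layer within an assumed 0.5 s window), the parameter name TANK_LEVEL, the instruction fields and all readings and instructions are constructed assumptions. The instruction check goes one step beyond the claim's wording: besides a host-layer instruction that arrives altered or not at all on a lower layer, it also reports an instruction observed on the control or fieldbus layer that matches nothing issued by the host, since such an instruction did not originate from the supervisory system.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Reading:
    layer: str    # "supervisory", "control" or "fieldbus"
    ts: float
    name: str
    value: float

@dataclass(frozen=True)
class Instruction:
    layer: str
    ts: float
    target: str   # tag or register the command addresses
    op: str       # e.g. "WRITE"
    value: float

@dataclass
class Finding:
    ts: float
    kind: str     # "parameter_mismatch" or "instruction_mismatch"
    detail: str

def _nearest(readings: List[Reading], ts: float, window: float) -> Optional[Reading]:
    inside = [r for r in readings if abs(r.ts - ts) <= window]
    return min(inside, key=lambda r: abs(r.ts - ts)) if inside else None

def verify_parameters(readings: List[Reading], thresholds: Dict[str, float],
                      window: float = 0.5) -> List[Finding]:
    """Steps (1)/(2): align the nearest control- and fieldbus-layer samples to each
    supervisory-layer sample (layers with no sample inside the window are skipped)
    and flag any pair of layers whose values differ by more than the threshold."""
    by_key: Dict[tuple, List[Reading]] = {}
    for r in readings:
        by_key.setdefault((r.layer, r.name), []).append(r)
    findings: List[Finding] = []
    for name, thr in thresholds.items():
        for ref in by_key.get(("supervisory", name), []):
            aligned = {"supervisory": ref}
            for layer in ("control", "fieldbus"):
                m = _nearest(by_key.get((layer, name), []), ref.ts, window)
                if m is not None:
                    aligned[layer] = m
            names = list(aligned)
            for i, la in enumerate(names):
                for lb in names[i + 1:]:
                    a, b = aligned[la], aligned[lb]
                    if abs(a.value - b.value) > thr:
                        findings.append(Finding(ref.ts, "parameter_mismatch",
                            f"{name}: {la}={a.value} vs {lb}={b.value} (threshold {thr})"))
    return findings

def verify_instructions(instrs: List[Instruction], window: float = 0.5) -> List[Finding]:
    """Step (3): each host-layer instruction must appear with the same target, op and
    value on the control and fieldbus layers within the window; a lower-layer
    instruction that matches no host-layer instruction is reported as well."""
    by_layer = {ly: [(k, i) for k, i in enumerate(instrs) if i.layer == ly]
                for ly in ("supervisory", "control", "fieldbus")}
    matched = set()   # indexes into instrs of lower-layer instructions accounted for
    findings: List[Finding] = []
    for _, h in by_layer["supervisory"]:
        for layer in ("control", "fieldbus"):
            cands = [(k, i) for k, i in by_layer[layer]
                     if i.target == h.target and i.op == h.op and abs(i.ts - h.ts) <= window]
            if not cands:
                findings.append(Finding(h.ts, "instruction_mismatch",
                    f"{h.op} {h.target}={h.value} from host not observed at {layer} layer"))
                continue
            k, m = min(cands, key=lambda ki: abs(ki[1].ts - h.ts))
            matched.add(k)
            if m.value != h.value:
                findings.append(Finding(h.ts, "instruction_mismatch",
                    f"{h.op} {h.target}: host sent {h.value}, {layer} layer carried {m.value}"))
    for layer in ("control", "fieldbus"):
        for k, i in by_layer[layer]:
            if k not in matched:
                findings.append(Finding(i.ts, "instruction_mismatch",
                    f"{i.op} {i.target}={i.value} at {layer} layer has no host-layer origin"))
    return findings

def longitudinal_fusion_verify(readings, instrs, thresholds, window=0.5) -> List[Finding]:
    # The system-level unit's view: both checks, all findings.
    return verify_parameters(readings, thresholds, window) + verify_instructions(instrs, window)

THRESHOLDS = {"TANK_LEVEL": 2.0}   # constructed: layers may differ by at most 2.0
READINGS = [
    Reading("supervisory", 10.0, "TANK_LEVEL", 50.0),   # consistent triple
    Reading("control", 10.1, "TANK_LEVEL", 50.3),
    Reading("fieldbus", 10.2, "TANK_LEVEL", 50.1),
    Reading("supervisory", 20.0, "TANK_LEVEL", 50.0),   # HMI and PLC still report ~50 ...
    Reading("control", 20.1, "TANK_LEVEL", 50.2),
    Reading("fieldbus", 20.2, "TANK_LEVEL", 78.0),      # ... while the bus carries 78
]
INSTRUCTIONS = [
    Instruction("supervisory", 40.0, "VALVE_SP", "WRITE", 45.0),  # value altered below the PLC
    Instruction("control", 40.1, "VALVE_SP", "WRITE", 45.0),
    Instruction("fieldbus", 40.2, "VALVE_SP", "WRITE", 95.0),
    Instruction("fieldbus", 55.0, "PUMP_CMD", "WRITE", 1.0),      # never issued by the host
]

if __name__ == "__main__":
    print(*longitudinal_fusion_verify(READINGS, INSTRUCTIONS, THRESHOLDS), sep="\n")
```

The constructed data shows the two failure modes the cross-layer comparison is meant to catch: a sensor value that the fieldbus carries but the controller and HMI no longer reflect, and a write whose value changes between the controller and the bus or that appears on the bus without any host-side origin. The window and the "skip a layer with no sample" rule are tuning choices; too small a window produces missing-layer gaps, too large a window lets a genuinely stale value pass as consistent.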
7. An industrial control system safety device, characterized in that the safety device comprises a firewall information fusion unit that performs boundary protection, a host threat detection unit that detects abnormal behaviour of the control system hosts, a control network threat detection unit that detects abnormal behaviour on the control network, a fieldbus threat detection unit that detects abnormal behaviour on the fieldbus, and a system-level threat detection unit; the system-level threat detection unit integrates the threat detection information of the firewall information fusion unit, the host threat detection unit, the control network threat detection unit and the fieldbus threat detection unit and performs a comprehensive judgement to determine the threat level faced by the system.
8. The safety device according to claim 7, characterized in that a security parameter configuration interface of the safety device configures the security-related parameters of the threat detection units, the threat detection units being the host threat detection unit, the control network threat detection unit and the fieldbus detection unit.
CN201510984622.7A 2015-12-24 2015-12-24 A kind of threat detection method and safety device based on key parameter fusion verification Active CN105573291B (en)

Publications (2)

Publication Number Publication Date
CN105573291A CN105573291A (en) 2016-05-11
CN105573291B (en) 2018-05-18
