CN105807631A - PLC simulation-based industrial control intrusion detection method and intrusion detection system - Google Patents
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G05—CONTROLLING; REGULATING
- G05B—CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
- G05B17/00—Systems involving the use of models or simulators of said systems
- G05B17/02—Systems involving the use of models or simulators of said systems electric
Abstract
The invention relates to a PLC simulation-based industrial control intrusion detection method and intrusion detection system. The system is composed of a PLC simulation module, a control object anomaly detection module and a controlled object anomaly detection module; the PLC simulation module is composed of a communication subsystem, an SCL language interpretation subsystem, an intermediate layer data cache subsystem and an execution engine subsystem; the communication subsystem is connected with an industrial control network; the execution engine subsystem is connected with the intermediate layer data cache subsystem; and the controlled object anomaly detection module is connected with the PLC simulation module. The intrusion detection system for a control object and a controlled object can be provided for a user under the premise that the structure of the industrial control network is not modified, and daily production is not affected, and therefore, the phenomena of false negatives and false positives are few, intrusion recognition is fast, and thus, the network security level of an industrial control system can be greatly improved with low cost.
Description
Technical field
The present invention relates to the technical field of industrial control networks, and in particular to an analysis method and an intrusion detection system for industrial control system intrusion detection based on control logic written in the SCL language.
Background technology
Industrial control systems (ICS) are made up of various automation control components and process control modules for real-time data acquisition and monitoring. They are information systems that mainly implement data acquisition and processing, supervision and control, and functions such as remote communication and maintenance. With the continuing convergence of industrialization and informatization, more and more information technology is being applied in the industrial control field.
As industrialization and automation shift toward networking and informatization, more and more industrial control systems adopt standard, general-purpose communication protocols and hardware and software systems. Against this background, the original closed nature of industrial control systems has been broken, and various unsafe factors such as viruses, Trojans and intrusions can enter the industrial control network along with normal information flows and destabilize enterprise production. This is especially so in the industrial fields where industrial control systems are widely used in China, such as electric power, petrochemicals, food and pharmaceuticals, and air transportation, where it seriously affects the strategic security of the country.
Traditional IT information security technology is relatively mature, and techniques such as access control, auditing, encryption, antivirus software, firewalls and intrusion detection (IDS) can be applied to enterprise networks. In an industrial control network environment, however, the application scenarios and control systems differ in many ways: industrial control systems have higher real-time requirements, some transmission protocols are not public, and the program interfaces of industrial control components are not public. Conventional techniques therefore cannot be applied directly to protect the control network and the fieldbus network; they must be modified to fit the industrial control network. Moreover, the fieldbus network usually carries electrical signals, and sensors and actuators usually run fixed programs, so when an anomaly occurs it is mostly because logic control devices such as RTUs or PLCs are under attack. Research on industrial control networks should therefore focus on security mechanisms for the control network.
However, because antivirus software is incompatible with some industrial application programs (IAP) and firewalls cannot prevent attacks that originate inside the ICS, an intrusion detection system (IDS) becomes the best choice for dealing with APT attacks. Intrusion detection systems are widely used in information security protection and mainly use two approaches, signature detection and anomaly detection. Signature detection cannot cope with unknown attacks, whereas anomaly detection is better able to cope with the threat of APT attacks. Compared with traditional application environments, anomaly detection research in the ICS environment is still in its infancy and has a lot of room for development.
Summary of the invention
To solve the above problems, the invention provides a PLC simulation-based industrial control intrusion detection method and intrusion detection system that can effectively perform anomaly detection on both the controller (PLC) and the controlled object (physical equipment). The system has high detection accuracy and works in real time.
To achieve this purpose, the invention proposes a PLC simulation-based industrial control intrusion detection system consisting of a PLC simulation module, a control object anomaly detection module and a controlled object anomaly detection module.
The PLC simulation module consists of a communication subsystem, an SCL language interpretation subsystem, an intermediate layer data cache subsystem and an execution engine subsystem.
The communication subsystem is connected to the industrial control network. The user imports an edited configuration file into the anomaly detection system, and the system communicates with the real PLC according to that file. At the period set in the configuration file, it cyclically reads the input and output data at the PLC memory locations specified in the configuration file and stores them in the intermediate layer data cache subsystem.
The SCL language interpretation subsystem is connected to the intermediate layer data cache subsystem. The user imports the control program code written in SCL in the PLC into the system. The lexical analyzer splits the SCL code lexically according to a preset format and passes the resulting pieces to the syntax analyzer as tokens. The syntax analyzer filters them against preset rules in BNF form and passes legal token combinations to the interpreter. The interpreter generates intermediate code from the meaning of each token combination, or stores variables in the symbol table; the meaning of a token combination is consistent with the meaning of the SCL code. The intermediate code and the symbol table are stored in the intermediate layer data cache subsystem.
The execution engine subsystem is connected to the intermediate layer data cache subsystem. After the SCL language interpretation subsystem has finished interpreting the imported SCL code, the execution engine subsystem loads the intermediate code and the symbol table. It executes the intermediate code by looping over it and, during execution, updates the values of the variables in the symbol table according to the execution results.
The result of executing a piece of SCL program code in the PLC simulation module is consistent with the result of executing it in the real PLC.
The control object anomaly detection module is connected to the PLC simulation module. Because the structure and function of the PLC sandbox are consistent with the real PLC, if the final result output by the same SCL control program code in the PLC simulation module differs from the output read from the real PLC, abnormal behaviour is considered to have occurred in the controller PLC.
The controlled object anomaly detection module is connected to the PLC simulation module. The values of the input and output sensors of the controlled object are first read through the PLC simulation module. An autoregressive model with exogenous input (ARX) is then used for multivariable system identification to build the controlled object model:

$$Y(k) + a_1 Y(k-1) + \dots + a_h Y(k-n) = B_0 U(k) + B_1 U(k-1) + \dots + B_h U(k-n) + e(k)$$

where $Y(k)$ is the m-dimensional output; $U(k)$ is the r-dimensional input; $N$ is the sequence length of the r-dimensional input and the m-dimensional output; $k = (n+1), \dots, (n+N)$; $e(k)$ is m-dimensional noise; $a_1, a_2, \dots, a_h$ are the scalar parameters (of dimension m × m) to be identified; $B_1, B_2, \dots, B_h$ are the m × r matrices to be identified; $n$ is the time delay; and $h$ is the order of the model parameters.
Therefore, row j, j ∈ [1, m], of the controlled object model can be rewritten as
From the above equation, N matrices can be obtained
Row j, j ∈ [1, m], of the controlled object model can be rewritten and expressed as $Y_j = H_j\theta_j + e_j$.
A consistent and unbiased estimate of $\theta_j$ can then be computed by the method of least squares. Letting j = 1, 2, …, m gives the parameter estimates of each row, from which the ARX model of the controlled object is obtained. The orders $h_a$, $h_b$ of $a_h$, $b_h$ are chosen using the AIC criterion: $J(j) = J(j-1) + z(j)\,\varepsilon(k)$, and the orders of $a_h$, $b_h$ are those for which the value of $\mathrm{AIC}(h_a, h_b)$ is minimal. Let $D(k)$ be the error between the model estimate and the actual value of the controlled object. Inflection point detection is performed on $D(k)$ by wavelet decomposition. The db6 wavelet function is used to perform a 3-level decomposition, where j is the wavelet decomposition level, K = 1000 is the translation scale of the wavelet, $\varphi_{jK}$ is the wavelet scaling function and $\psi_{jK}$ is the wavelet function, $\psi_{jK} = 2^{-j/2}\psi_0(2^{-j}i - K)$. When the decomposed high-frequency coefficients $d_{ig}(j, k)$ contain a point greater than 0.3, the controlled object is considered abnormal.
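An added example, not code from the patent: a single-output ARX model fitted by least squares, order selection by AIC, and the 3-level db6 check of the residual D(k) against the 0.3 threshold. Assumptions: the AIC form N·ln(RSS/N) + 2p (the patent's own formula did not survive on this page), the threshold applied to coefficient magnitude, periodic signal extension, and the constructed plant and sensor values.

```python
import math
import random

# Standard db6 decomposition low-pass taps; the high-pass filter is its mirror.
DB6_LO = [-0.00107730108499558, 0.004777257511010651, 0.0005538422009938016,
          -0.031582039318031156, 0.02752286553001629, 0.09750160558707936,
          -0.12976686756709563, -0.22626469396516913, 0.3152503517092432,
          0.7511339080215775, 0.4946238903983854, 0.11154074335008017]
DB6_HI = [(-1) ** (k + 1) * c for k, c in enumerate(reversed(DB6_LO))]

def solve(a, b):
    """Solve a small linear system by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for j in range(c, n + 1):
                m[r][j] -= f * m[c][j]
    x = [0.0] * n
    for r in reversed(range(n)):
        x[r] = (m[r][n] - sum(m[r][j] * x[j] for j in range(r + 1, n))) / m[r][r]
    return x

def regressor(y, u, k, h):
    """Row of H for sample k: [-y(k-1)..-y(k-h), u(k)..u(k-h)]."""
    return [-y[k - i] for i in range(1, h + 1)] + [u[k - i] for i in range(h + 1)]

def fit_arx(y, u, h):
    """Least-squares estimate of theta = [a_1..a_h, b_0..b_h] from Y = H*theta + e."""
    ks = range(h, len(y))
    rows = [regressor(y, u, k, h) for k in ks]
    p = 2 * h + 1
    hth = [[sum(r[i] * r[j] for r in rows) for j in range(p)] for i in range(p)]
    hty = [sum(r[i] * y[k] for r, k in zip(rows, ks)) for i in range(p)]
    return solve(hth, hty)

def residuals(theta, y, u, h):
    """D(k): actual output minus the one-step model estimate."""
    return [y[k] - sum(t * x for t, x in zip(theta, regressor(y, u, k, h)))
            for k in range(h, len(y))]

def choose_order(y, u, orders=(1, 2, 3)):
    """Pick the order with the smallest AIC (assumed form: N*ln(RSS/N) + 2p)."""
    def aic(h):
        d = residuals(fit_arx(y, u, h), y, u, h)
        return len(d) * math.log(sum(e * e for e in d) / len(d)) + 2 * (2 * h + 1)
    return min(orders, key=aic)

def dwt_step(x):
    """One db6 analysis level with periodic extension: (approximation, detail)."""
    n = len(x)
    lo = [sum(DB6_LO[k] * x[(i + 1 - k) % n] for k in range(12)) for i in range(0, n, 2)]
    hi = [sum(DB6_HI[k] * x[(i + 1 - k) % n] for k in range(12)) for i in range(0, n, 2)]
    return lo, hi

def detect(theta, y, u, h, levels=3, threshold=0.3):
    """Return (alarm, peak) over the detail coefficients of the residual sequence."""
    approx, peak = residuals(theta, y, u, h), 0.0
    for _ in range(levels):
        approx, detail = dwt_step(approx)
        peak = max(peak, max(abs(c) for c in detail))
    return peak > threshold, peak

def simulate(n, seed):
    """Constructed plant: y(k) = 0.8*y(k-1) + 0.5*u(k) + 0.1*u(k-1) + noise."""
    rng = random.Random(seed)
    u = [rng.uniform(-1.0, 1.0) for _ in range(n)]
    y = [0.0]
    for k in range(1, n):
        y.append(0.8 * y[k - 1] + 0.5 * u[k] + 0.1 * u[k - 1] + rng.gauss(0.0, 0.01))
    return y, u

def demo():
    y_train, u_train = simulate(300, seed=1)
    h = choose_order(y_train, u_train)
    theta = fit_arx(y_train, u_train, h)
    y, u = simulate(64 + h, seed=2)      # constructed window of normal operation
    spoofed = list(y)
    spoofed[40] += 1.0                   # constructed false sensor reading
    return h, theta, detect(theta, y, u, h), detect(theta, spoofed, u, h)

if __name__ == "__main__":
    print(demo())
```

The one-sample false reading shows up in two consecutive residuals (about +1.0, then about -0.8 through the autoregressive term), which is what pushes the level-1 detail coefficients past the threshold.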
The invention provides a PLC simulation-based industrial control intrusion detection method and intrusion detection system which, without changing the industrial network structure and without affecting daily production, gives the user an intrusion detection system covering both the control object (PLC) and the controlled object (physical equipment). False negatives and false positives are few and intrusion recognition is fast, so the network security level of the industrial control system is greatly improved at relatively low cost.
Brief description of the drawings
Fig. 1 is a schematic diagram of the structure of the system of the invention.
Fig. 2 is a flow chart of the PLC simulation of the invention.
Fig. 3 is a flow chart of the control object anomaly detection of the invention.
Fig. 4 is a flow chart of the controlled object anomaly detection of the invention.
Detailed description of the invention
The invention is described below with reference to the specific embodiments shown in the drawings.
Fig. 1 is a schematic diagram of the structure of the sandbox-simulation-based industrial control intrusion detection system of the invention. As shown in Fig. 1:
The PLC simulation module is connected to the control object anomaly detection module and the controlled object anomaly detection module.
The inputs of the PLC simulation module include the control program code of the controlled object written in SCL, the initial configuration file, and the input and output data of the control object and the controlled object.
By loading the configuration file, the PLC simulation module determines which control object and controlled object data to obtain; the communication subsystem then communicates and reads the required data according to the configured run-cycle interval, the data content to read and the memory addresses.
One copy of all data obtained by the communication subsystem is passed to the controlled object anomaly detection module, and another copy is passed to the intermediate layer data cache subsystem to update the symbol table.
The PLC simulation module loads the PID program code, and the program code written in SCL is fed to the SCL language interpretation subsystem. The SCL language interpretation subsystem generates the initial symbol table and the intermediate code through the lexical analyzer, syntax analyzer and interpreter, and passes them to the intermediate layer data cache subsystem.
The execution engine subsystem simulates execution of the SCL program by loading the symbol table and the intermediate code from the intermediate layer data cache subsystem. The execution result is passed to the control object anomaly detection module for anomaly detection.
Fig. 2 is a flow chart of the execution of the PLC simulation module of the invention. As shown in Fig. 2, it includes:
Step 21: the user reads out the control program logic developed in SCL from the control object PLC and saves it to a file. The program code should contain two parts, variable declarations and logic code. The user imports the file into the PLC simulation module.
Step 22: in the initialization file, the user declares the name, memory address and storage type of each control object variable and controlled object sensor value to be read, and whether it is an input variable or an output variable. All of these variables should be stored in the PLC. The PLC simulation accesses the real PLC according to the information in the initialization variable declarations and reads the specified content from its memory. The user imports the completed initialization file into the PLC simulation module.
Step 23: in the lexical analyzer of the invention, keywords of the SCL language are defined as tokens according to the characteristics of SCL; for example, if corresponds to the token T_IF and else to T_ELSE, and a declared variable returns the token V_VAR. The lexical analyzer reads the characters in the file and checks whether they match a defined token; if a match is found it returns the matching token, otherwise it continues matching.
Step 24: the syntax analyzer of the invention formally describes the SCL language rules in BNF form. For example, the combination T_IF T_VAR T_EQUAL 1 corresponds to the SCL meaning if var == 1.
Step 25: if the syntax analyzer finds a known token combination among the tokens produced by the lexical analyzer, go to step 27; otherwise go to step 26.
Step 26: inform the user that the SCL program code contains a syntax error and ask the user to check the SCL program code.
Step 27: the interpreter of the invention generates intermediate code (opcode) according to the semantics of the token combination. The principle of the opcode is that every instruction in the SCL program is converted into a binary-operation relation; an opcode node contains two operands, an operator and the type of the node.
Step 28: if the type of the generated opcode node is variable, go to step 30; otherwise go to step 29.
Step 29: store the opcode node in the intermediate code queue so that, once the interpreter has finished interpreting the whole SCL code, it can be handed to the execution engine subsystem for execution.
Step 30: if the type of the generated opcode node is variable, extract it into a variable structure and store it in the symbol table. The variable structure stores the variable name, data type and variable value. Variable types include four SCL data types: REAL, TIME, DWORD and BIT.
Step 31: the invention updates the variable values in the symbol table of the PLC simulation by reading the initialization file; this step reads the input variables and output variables in the control object PLC.
Step 32: this step reads the input variables and output variables in the control target and passes the values read to the controlled object detection model for modeling and detection.
Step 321: cache the input and output data of the controlled object for use in modeling and wavelet decomposition detection.
Step 322: determine whether the controlled object model has already been built. If it has, go to step 325 and use the acquired controlled object data for detection directly; otherwise go to step 323.
Step 323: determine whether the length of the cached time series meets the value set at initialization. If it does, go to step 324; otherwise go to step 321.
Step 324: determine the model order using the AIC criterion and select the order used for modeling, then build the ARX system identification model from the order chosen by the AIC criterion and the cached controlled object data.
Step 325: compute the estimated model output from the established ARX model and the acquired controlled object data, then compute the error between the estimated value and the actual value.
Step 326: perform a 3-level wavelet decomposition of the error sequence using the db6 wavelet and obtain the high-frequency coefficients of the decomposition.
Step 327: traverse the high-frequency coefficient sequence; if a value greater than 0.3 is found, go to step 328, otherwise go to step 329.
Step 328: inform the user that the data of the controlled object has changed abnormally and that the controlled object is abnormal.
Step 329: the controlled object is normal in this execution cycle; there is no abnormal state.
Step 33: before this step, interpretation of the SCL code has been completed and the input and output objects of the real control object have been synchronized. This step traverses the intermediate code sequence and computes on the operands according to the operator function specified in the intermediate code; an operand can be a constant, a variable or another intermediate code sequence. After execution ends, this step splits into two branches: one branch jumps to step 31 to continue cyclic execution, and the other jumps to step 34.
Step 34: pass the execution result of the intermediate code to the control object anomaly detection module for anomaly detection and generate the anomaly detection result for this execution cycle.
Step 341: read the computed values of the output variables in the PLC simulation.
Step 342: according to the settings in the initialization file, read the values of all output variables from the PLC.
Step 343: compare the output variables computed by the PLC simulation with the output variable values read from the real PLC.
Step 344: if the comparison matches, go to step 346; otherwise go to step 345.
Step 345: a mismatch means that in this execution cycle the real PLC and the PLC simulation produced different outputs for the same input variables. This indicates that the execution logic of the real PLC is abnormal: it has failed or has been modified by someone. The names and values of the differing variables are output to alert the user.
Step 346: a match means that in this execution cycle the real PLC and the PLC simulation produced the same outputs for the same input variables. The control logic of the control object PLC is normal.
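An added example, not the patent's implementation: a reduced SCL subset (assignments and IF/ELSE, no operator precedence, no variable declarations) taken through steps 23 to 34 and compared with the outputs read from the PLC. The token names other than T_IF, T_ELSE, V_VAR and T_EQUAL, the function names, the SCL fragment and the PLC readings are constructed for illustration.

```python
import re
from collections import namedtuple

# Token names T_IF, T_ELSE, V_VAR and T_EQUAL follow the text; the others are assumed.
TOKEN_RE = re.compile(
    r"\s*(?:(?P<T_NUM>\d+(?:\.\d+)?)|(?P<WORD>[A-Za-z_]\w*)|(?P<T_ASSIGN>:=)"
    r"|(?P<T_EQUAL>=)|(?P<T_OP>[-+*/<>])|(?P<T_SEMI>;))")
KEYWORDS = {"IF": "T_IF", "THEN": "T_THEN", "ELSE": "T_ELSE", "END_IF": "T_END_IF"}
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
       "/": lambda a, b: a / b, ">": lambda a, b: float(a > b),
       "<": lambda a, b: float(a < b), "=": lambda a, b: float(a == b)}
Opcode = namedtuple("Opcode", "kind op left right")  # node type, operator, two operands

def lex(src):
    """Step 23: split SCL text into (token, text) pairs."""
    tokens, pos, src = [], 0, src.rstrip()
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if not m:
            raise SyntaxError(f"unexpected character at offset {pos}")
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "WORD":
            kind = KEYWORDS.get(text.upper(), "V_VAR")
        tokens.append((kind, text))
        pos = m.end()
    return tokens

class Parser:
    """Steps 24-30: recursive-descent parser that emits opcode nodes."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else "EOF"
    def take(self, kind):
        if self.peek() != kind:   # step 26: report the syntax error
            raise SyntaxError(f"expected {kind}, got {self.peek()}")
        self.i += 1
        return self.toks[self.i - 1][1]
    def operand(self):   # constant (float) or variable name (str)
        return float(self.take("T_NUM")) if self.peek() == "T_NUM" else self.take("V_VAR")
    def expr(self):      # left-to-right chain of binary operations
        node = self.operand()
        while self.peek() in ("T_OP", "T_EQUAL"):
            node = Opcode("binary", self.take(self.peek()), node, self.operand())
        return node
    def block(self, stop):
        code = []
        while self.peek() not in stop:
            code.append(self.statement())
        return code
    def statement(self):
        if self.peek() == "T_IF":
            self.take("T_IF")
            cond = self.expr()
            self.take("T_THEN")
            then, other = self.block(("T_ELSE", "T_END_IF")), []
            if self.peek() == "T_ELSE":
                self.take("T_ELSE")
                other = self.block(("T_END_IF",))
            self.take("T_END_IF")
            self.take("T_SEMI")
            return Opcode("if", "if", cond, (then, other))
        target = self.take("V_VAR")
        self.take("T_ASSIGN")
        node = Opcode("assign", ":=", target, self.expr())
        self.take("T_SEMI")
        return node

def compile_scl(src):
    return Parser(lex(src)).block(("EOF",))

def value(node, sym):
    if isinstance(node, Opcode):
        return OPS[node.op](value(node.left, sym), value(node.right, sym))
    return sym[node] if isinstance(node, str) else node

def run(code, sym):
    """Step 33: traverse the intermediate code and update the symbol table."""
    for n in code:
        if n.kind == "if":
            run(n.right[0] if value(n.left, sym) else n.right[1], sym)
        else:
            sym[n.left] = value(n.right, sym)
    return sym

def check_cycle(code, inputs, plc_outputs, tol=1e-6):
    """Steps 341-346: return {name: (emulated, real)} for every differing output."""
    sym = run(code, dict(inputs))
    return {k: (sym.get(k), real) for k, real in plc_outputs.items()
            if k not in sym or abs(sym[k] - real) > tol}

# Constructed SCL fragment and constructed input reading for one scan cycle.
SCL = "IF level > 80 THEN pump := 0; ELSE pump := 1; END_IF; valve := level * 0.5;"
CODE = compile_scl(SCL)
INPUTS = {"level": 90.0}

if __name__ == "__main__":
    print(check_cycle(CODE, INPUTS, {"pump": 1.0, "valve": 45.0}))  # pump differs
```

An empty result corresponds to step 346; a non-empty one carries the variable names and values that step 345 reports to the user.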
It should be understood that although this specification is described in terms of embodiments, not every embodiment contains only one independent technical solution. The specification is written this way only for clarity; those skilled in the art should take the specification as a whole, and the technical solutions of the embodiments may also be combined appropriately and implemented according to the understanding of those skilled in the art.
The detailed descriptions listed above are only specific illustrations of feasible embodiments of the invention and are not intended to limit its scope of protection; all equivalent embodiments or changes made without departing from the technical spirit of the invention shall fall within its scope of protection.
Claims (4)
1. A PLC simulation-based industrial control intrusion detection system, characterized in that: the system consists of a PLC simulation module, a control object anomaly detection module and a controlled object anomaly detection module;
the PLC simulation module consists of a communication subsystem, an SCL language interpretation subsystem, an intermediate layer data cache subsystem and an execution engine subsystem;
the communication subsystem is connected to the industrial control network; the user imports an edited configuration file into the anomaly detection system; the system communicates with the real PLC according to the configuration file imported by the user; at the period set in the configuration file, it cyclically reads the input and output data at the PLC memory locations specified in the configuration file and stores them in the intermediate layer data cache subsystem;
the SCL language interpretation subsystem is connected to the intermediate layer data cache subsystem, and the user imports the control program code written in SCL in the PLC into the system; the lexical analyzer splits the SCL code lexically according to a preset format and passes the resulting pieces to the syntax analyzer as tokens; the syntax analyzer filters them against preset rules in BNF form and passes legal token combinations to the interpreter; the interpreter generates intermediate code from the meaning of each token combination, or stores variables in the symbol table, the meaning of a token combination being consistent with the meaning of the SCL code; the intermediate code and the symbol table are stored in the intermediate layer data cache subsystem;
the execution engine subsystem is connected to the intermediate layer data cache subsystem; after the SCL language interpretation subsystem has finished interpreting the imported SCL code, the execution engine subsystem loads the intermediate code and the symbol table; it executes the intermediate code by looping over it and, during execution, updates the values of the variables in the symbol table according to the execution results;
the result of executing a piece of SCL program code in the PLC simulation module is consistent with the result of executing it in the real PLC;
the control object anomaly detection module is connected to the PLC simulation module; because the structure and function of the PLC sandbox are consistent with the real PLC, if the final result output by the same SCL control program code in the PLC simulation module differs from the output read from the real PLC, abnormal behaviour is considered to have occurred in the controller PLC;
the controlled object anomaly detection module is connected to the PLC simulation module.
2. The PLC simulation-based industrial control intrusion detection system according to claim 1, characterized in that: the PLC simulation module is connected to the control object anomaly detection module and the controlled object anomaly detection module;
the inputs of the PLC simulation module include the control program code of the controlled object written in SCL, the initial configuration file, and the input and output data of the control object and the controlled object;
by loading the configuration file, the PLC simulation module determines which control object and controlled object data to obtain, and the communication subsystem communicates and reads the required data according to the configured run-cycle interval, the data content to read and the memory addresses;
one copy of all data obtained by the communication subsystem is passed to the controlled object anomaly detection module, and another copy is passed to the intermediate layer data cache subsystem to update the symbol table;
the PLC simulation module loads the PID program code, and the program code written in SCL is fed to the SCL language interpretation subsystem; the SCL language interpretation subsystem generates the initial symbol table and the intermediate code through the lexical analyzer, syntax analyzer and interpreter, and passes them to the intermediate layer data cache subsystem;
the execution engine subsystem simulates execution of the SCL program by loading the symbol table and the intermediate code from the intermediate layer data cache subsystem; the execution result is passed to the control object anomaly detection module for anomaly detection.
3. A PLC simulation-based industrial control intrusion detection method using the system according to claim 1, characterized in that: the values of the input and output sensors of the controlled object are first read through the PLC simulation module; the exogenous-input autoregressive model ARMAX is then used for multivariable system identification to build the controlled object model;

$$Y(k) + a_1 Y(k-1) + \dots + a_h Y(k-n) = B_0 U(k) + B_1 U(k-1) + \dots + B_h U(k-n) + e(k)$$

where $Y(k)$ is the m-dimensional output; $U(k)$ is the r-dimensional input; $N$ is the sequence length of the r-dimensional input and the m-dimensional output; $k = (n+1), \dots, (n+N)$; $e(k)$ is m-dimensional noise; $a_1, a_2, \dots, a_h$ are the scalar parameters (of dimension m × m) to be identified; $B_1, B_2, \dots, B_h$ are the m × r matrices to be identified; $n$ is the time delay; and $h$ is the order of the model parameters;
therefore, row j, j ∈ [1, m], of the controlled object model can be rewritten as
from the above equation, N matrices can be obtained
row j, j ∈ [1, m], of the controlled object model can be rewritten and expressed as $Y_j = H_j\theta_j + e_j$; a consistent and unbiased estimate of $\theta_j$ can then be computed by the method of least squares; letting j = 1, 2, …, m gives the parameter estimates of each row, from which the ARX model of the controlled object is obtained; the orders $h_a$, $h_b$ of $a_h$, $b_h$ are chosen using the AIC criterion; $J(j) = J(j-1) + z(j)\,\varepsilon(k)$, and the orders of $a_h$, $b_h$ are those for which the value of $\mathrm{AIC}(h_a, h_b)$ is minimal; let $D(k)$ be the error between the model estimate and the actual value of the controlled object; inflection point detection is performed on $D(k)$ by wavelet decomposition; the db6 wavelet function is used to perform a 3-level decomposition, where j is the wavelet decomposition level, K = 1000 is the translation scale of the wavelet, $\varphi_{jK}$ is the wavelet scaling function and $\psi_{jK}$ is the wavelet function, $\psi_{jK} = 2^{-j/2}\psi_0(2^{-j}i - K)$; when the decomposed high-frequency coefficients $d_{ig}(j, k)$ contain a point greater than 0.3, the controlled object is considered abnormal.
4. The PLC simulation-based industrial control intrusion detection method according to claim 3, characterized in that: the execution flow of the PLC simulation module of the method includes,
Step 21: the user reads out the control program logic developed in SCL from the control object PLC and saves it to a file; the program code should contain two parts, variable declarations and logic code; the user imports the file into the PLC simulation module;
Step 22: in the initialization file, the user declares the name, memory address and storage type of each control object variable and controlled object sensor value to be read, and whether it is an input variable or an output variable; all of these variables should be stored in the PLC; the PLC simulation accesses the real PLC according to the information in the initialization variable declarations and reads the specified content from its memory; the user imports the completed initialization file into the PLC simulation module;
Step 23: in the lexical analyzer of the method, keywords of the SCL language are defined as tokens according to the characteristics of SCL; for example, if corresponds to the token T_IF and else to T_ELSE, and a declared variable returns the token V_VAR; the lexical analyzer reads the characters in the file and checks whether they match a defined token; if a match is found it returns the matching token, otherwise it continues matching;
Step 24: the syntax analyzer of the method formally describes the SCL language rules in BNF form; for example, the combination T_IF T_VAR T_EQUAL 1 corresponds to the SCL meaning if var == 1;
Step 25: if the syntax analyzer finds a known token combination among the tokens produced by the lexical analyzer, go to step 27; otherwise go to step 26;
Step 26: inform the user that the SCL program code contains a syntax error and ask the user to check the SCL program code;
Step 27: the interpreter of the method generates intermediate code (opcode) according to the semantics of the token combination; the principle of the opcode is that every instruction in the SCL program is converted into a binary-operation relation; an opcode node contains two operands, an operator and the type of the node;
Step 28: if the type of the generated opcode node is variable, go to step 30; otherwise go to step 29;
Step 29: store the opcode node in the intermediate code queue so that, once the interpreter has finished interpreting the whole SCL code, it can be handed to the execution engine subsystem for execution;
Step 30: if the type of the generated opcode node is variable, extract it into a variable structure and store it in the symbol table; the variable structure stores the variable name, data type and variable value; variable types include four SCL data types: REAL, TIME, DWORD and BIT;
Step 31: the method updates the variable values in the symbol table of the PLC simulation by reading the initialization file; this step reads the input variables and output variables in the control object PLC;
Step 32: this step reads the input variables and output variables in the control target and passes the values read to the controlled object detection model for modeling and detection;
Step 321: cache the input and output data of the controlled object for use in modeling and wavelet decomposition detection;
Step 322: determine whether the controlled object model has already been built; if it has, go to step 325 and use the acquired controlled object data for detection directly; otherwise go to step 323;
Step 323: determine whether the length of the cached time series meets the value set at initialization; if it does, go to step 324; otherwise go to step 321;
Step 324: determine the model order using the AIC criterion and select the order used for modeling, then build the ARX system identification model from the order chosen by the AIC criterion and the cached controlled object data;
Step 325: compute the estimated model output from the established ARX model and the acquired controlled object data, then compute the error between the estimated value and the actual value;
Step 326: perform a 3-level wavelet decomposition of the error sequence using the db6 wavelet and obtain the high-frequency coefficients of the decomposition;
Step 327: traverse the high-frequency coefficient sequence; if a value greater than 0.3 is found, go to step 328, otherwise go to step 329;
Step 328: inform the user that the data of the controlled object has changed abnormally and that the controlled object is abnormal;
Step 329: the controlled object is normal in this execution cycle; there is no abnormal state;
Step 33: before this step, interpretation of the SCL code has been completed and the input and output objects of the real control object have been synchronized; this step traverses the intermediate code sequence and computes on the operands according to the operator function specified in the intermediate code; an operand can be a constant, a variable or another intermediate code sequence; after execution ends, this step splits into two branches: one branch jumps to step 31 to continue cyclic execution, and the other jumps to step 34;
Step 34: pass the execution result of the intermediate code to the control object anomaly detection module for anomaly detection and generate the anomaly detection result for this execution cycle;
Step 341: read the computed values of the output variables in the PLC simulation;
Step 342: according to the settings in the initialization file, read the values of all output variables from the PLC;
Step 343: compare the output variables computed by the PLC simulation with the output variable values read from the real PLC;
Step 344: if the comparison matches, go to step 346; otherwise go to step 345;
Step 345: a mismatch means that in this execution cycle the real PLC and the PLC simulation produced different outputs for the same input variables; this indicates that the execution logic of the real PLC is abnormal: it has failed or has been modified by someone; the names and values of the differing variables are output to alert the user;
Step 346, if comparison unanimously, represents in this execution cycle, true PLC and PLC emulates when input variable is consistent, and output result is consistent;The control logic of control object PLC is normal.
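Steps 33 through 346 can be sketched as follows; this is an added example, not code from the patent. The tuple encoding of intermediate code nodes, the operator names, the variable names, the tolerance used when comparing REAL values and all sample values are assumptions made for illustration.

```python
import operator

# Operator functions an intermediate-code node may name (hypothetical subset).
OPS = {"ADD": operator.add, "SUB": operator.sub, "MUL": operator.mul,
       "GT": operator.gt, "AND": lambda a, b: bool(a) and bool(b)}

def evaluate(operand, symbols):
    """An operand is a constant, a variable name, or a nested intermediate-code node."""
    if isinstance(operand, tuple):            # nested node: (op, left, right)
        op, left, right = operand
        return OPS[op](evaluate(left, symbols), evaluate(right, symbols))
    if isinstance(operand, str):              # variable: look it up in the symbol table
        return symbols[operand]
    return operand                            # constant

def run_cycle(code, inputs):
    """One execution cycle of the simulated PLC over inputs synced from the real PLC."""
    symbols = dict(inputs)
    outputs = {}
    for target, node in code:                 # each queue entry assigns one output variable
        symbols[target] = outputs[target] = evaluate(node, symbols)
    return outputs

def compare_outputs(simulated, real, tol=1e-6):
    """Return {name: (simulated, real)} for every output variable that disagrees."""
    diffs = {}
    for name, sim in simulated.items():
        actual = real.get(name)
        if isinstance(sim, bool) or isinstance(actual, bool) or actual is None:
            same = sim == actual              # BIT values, or a variable the PLC did not return
        else:
            same = abs(sim - actual) <= tol   # REAL values: tolerate rounding (assumption)
        if not same:
            diffs[name] = (sim, actual)
    return diffs

# Constructed sample: valve_cmd := (level > 80.0) AND enable; pump_speed := level * 0.5
CODE = [("valve_cmd", ("AND", ("GT", "level", 80.0), "enable")),
        ("pump_speed", ("MUL", "level", 0.5))]
INPUTS = {"level": 90.0, "enable": True}
REAL_OK = {"valve_cmd": True, "pump_speed": 45.0}         # constructed PLC read-back
REAL_MODIFIED = {"valve_cmd": False, "pump_speed": 45.0}  # constructed: logic differs

if __name__ == "__main__":
    sim = run_cycle(CODE, INPUTS)
    print(compare_outputs(sim, REAL_OK))        # empty: step 346, control logic normal
    print(compare_outputs(sim, REAL_MODIFIED))  # valve_cmd reported: step 345
```

An empty result corresponds to step 346; any entry in the result is the variable name and value pair that step 345 reports to the user.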
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610131655.1A CN105807631B (en) | 2016-03-08 | 2016-03-08 | Industry control intrusion detection method and intruding detection system based on PLC emulation |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105807631A (en) | 2016-07-27 |
CN105807631B (en) | 2019-02-12 |
Family
ID=56467977
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610131655.1A Active CN105807631B (en) | 2016-03-08 | 2016-03-08 | Industry control intrusion detection method and intruding detection system based on PLC emulation |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105807631B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||