CN105959289A - Self-learning-based safety detection method for OPC Classic protocol - Google Patents

Info

Publication number: CN105959289A
Authority: CN (China)
Prior art keywords: opc, communication data, self-learning, client, server
Legal status: Pending
Application number: CN201610392101.7A
Other languages: Chinese (zh)
Inventors: 袁晓舒, 程超
Current Assignee: Dongfang Electric Corp
Original Assignee: Dongfang Electric Corp
Priority date: 2016-06-06
Filing date: 2016-06-06
Publication date: 2016-09-21

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies > H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
        • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/02 for separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies > H04L 63/0263 Rule management
        • H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/10 for controlling access to devices or network resources > H04L 63/101 Access control lists [ACL]
        • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/133 Protocols for remote procedure calls [RPC]

Abstract

The invention belongs to the field of industrial control system network information security and discloses a self-learning-based security detection method for the OPC Classic protocol. The method proceeds as follows: detect whether port scanning is taking place in the network of the OPC client; if not, the communication data is filtered by access control; if so, it is filtered by access control together with an anomaly traffic detection model generated by self-learning; the filtered data is then forwarded to the OPC server. Security detection is thus performed jointly by the self-learned anomaly traffic detection model and access control, which provides a more reliable detection method for the stability and security of OPC Classic connections and protects OPC communication to the greatest extent.

Description

Self-learning-based security detection method for the OPC Classic protocol
Technical field
The present invention relates to the field of industrial control system network information security, and more specifically to a self-learning-based security detection method for the OPC Classic protocol.
Background art
With the continuing convergence of industrialization and informatization, more and more information technology is being applied in industry. OPC provides a standardized software interface between equipment and application programs from different suppliers, simplifying data exchange between them, and serves as a bridge between Windows-based application programs and field process control applications. However, the OPC protocol is based on Microsoft's DCOM protocol, and DCOM was designed before security problems were widely recognized; these protocols therefore pose a serious challenge to the security and reliability of control systems.
Establishing an OPC Classic connection requires the following two steps:
1. The client queries the server on port 135 to obtain the TCP port number needed for communication.
2. The client connects to the server on the port number obtained in step 1 and accesses the target data.
The port number used for the request in step 1 is standardized and well known. The port number used for the data connection in step 2, however, is allocated dynamically by the OPC server from a pseudo-random sequence, so the port number the server will return to the client cannot be known in advance. For this reason, current OPC protection mainly tracks the port numbers the OPC server dynamically allocates for the OPC data connection, opens only the minimum set of ports needed for communication, allows the data connection through, and closes all unused ports. This approach stays at the level of port control, and illegal OPC access that steals OPC data may still occur: the Stuxnet ("震网") virus, for example, first port-scans the entire LAN, then queries which hosts have an OPC server installed, and finally interacts with the OPC server to steal data. Anomaly traffic detection for OPC has therefore become necessary and urgent.
The OPC protocol is based on the DCOM protocol, and DCOM is based on the remote procedure call protocol DCE/RPC. The DCE/RPC protocol header carries a great deal of call information; in particular, the operation number (opnum) identifies a specific operation on the called interface, and the context identifier identifies the interface and the transfer syntax of the data. Because the operation number and context identifier in the packets differ when the OPC client performs different operations on the OPC server, these two fields can be combined with features such as the IP addresses and the interval between operations to build a traffic detection model and detect abnormal traffic.
Summary of the invention
The object of the present invention is to address the insecurity and unreliability that the DCOM protocol causes in prior-art control systems using the OPC protocol, by proposing a self-learning-based security detection method for the OPC Classic protocol that protects OPC communication to the greatest extent.
To achieve this object, the technical solution adopted by the present invention is:
A self-learning-based security detection method for the OPC Classic protocol, characterized in that the method proceeds as follows: detect whether port scanning is taking place in the network of the OPC client; if not, the communication data is filtered by access control; if so, the communication data is filtered by access control and by the anomaly traffic detection model generated by self-learning; the filtered communication data is forwarded to the OPC server.
The access control uses a whitelist mode.
When no port scanning is detected in the network of the OPC client, the access-control filtering proceeds as follows:
1) IP control: filter the source IP and destination IP of the communication packets, allowing only IP addresses on the whitelist to pass;
2) Port control: check whether the communication packet involves port 135; if it does not, reject the packet;
3) Port tracking: the OPC server uses port 135 to dynamically allocate a communication port to the OPC client; monitor port 135 of the OPC server, parse out the dynamic port, and open that port so that OPC communication can proceed;
4) Burst attack detection: examine the distribution of the OPC communication data; if the OPC communication data arrives in a burst, perform burst attack detection on it; if no burst occurs, skip this step;
5) DCE/RPC detection: perform DCE/RPC detection on the communication data and filter out communication data that does not conform to the DCE/RPC standard.
When port scanning is detected in the network of the OPC client, filtering of the communication data by access control and by the self-learned anomaly traffic detection model proceeds as follows:
Step 1: self-learn the communication data between the OPC client and the OPC server to form the anomaly traffic detection model;
Step 2: on port scanning, filter the communication data by access control;
Step 3: enable the anomaly traffic detection model, feed the communication data filtered in step 2 into the model for detection, and filter the OPC communication.
The self-learning comprises the following procedure:
1) Traffic acquisition: capture the communication data between the OPC client and the OPC server with the filtering facilities of the Linux kernel, and extract the traffic in which the OPC client operates on the OPC server;
2) Feature extraction: process the captured communication data and extract the client IP, the server IP, the operation number and context identifier of the DCE/RPC protocol header, and the time interval between identical operations on the OPC server; record these features in the following form:
$X_n = (x_1, x_2, x_3, x_4, x_5)$
where $X_n$ denotes a sample, $n$ is the number of samples (the larger $n$, the more samples), and $x_1$ to $x_5$ are the five features extracted from the communication data;
3) Model training: perform machine self-learning with a neural network algorithm, using the samples $X_n$ as input and $Y_n = 1$ as output for training, where 1 means the communication data passes and 0 means it does not;
4) Model generation: once the model is trained it can be tested on live traffic: extract the feature vector $X$ from the incoming communication data, feed $X$ into the model to obtain the output $Y$, set an acceptability threshold for the communication data, judge from that threshold whether the traffic is abnormal, and reject the packet if it is.
By adopting the above technical solution, the present invention has the following beneficial effects:
The present invention judges whether port scanning is occurring and performs security detection jointly with the anomaly traffic monitoring model generated by self-learning and with access control, providing a more reliable detection method for the stability and security of OPC Classic connections and protecting OPC communication to the greatest extent.
Brief description of the drawings
Fig. 1 is the topology diagram of the present invention.
Fig. 2 is the overall flow chart of the present invention.
Fig. 3 is the flow chart of the self-learning of the present invention.
Fig. 4 is the flow chart of the access control of the present invention.
Detailed description of the invention
The present invention is described in detail below with reference to the accompanying drawings.
As a preferred embodiment of the present invention, with reference to Figures 1 to 4 of the description, this embodiment discloses a self-learning-based security detection method for the OPC Classic protocol, comprising:
As shown in Fig. 1, the method of the present invention is deployed over Ethernet between the OPC client and the OPC server. As shown in Fig. 2, in this embodiment a period of self-learning is first carried out to generate the anomaly traffic detection model; this model is then enabled as required and combined with access control to filter OPC communication, where the access control also includes several OPC deep-inspection methods. The main workflow of the present invention is as follows:
Detect whether port scanning is taking place in the network; if not, the communication data is filtered by access control; if so, the communication data is filtered by access control and by the anomaly traffic detection model generated by self-learning.
The access control uses a whitelist mode.
As shown in Fig. 4, when no port scanning is detected in the network of the OPC client, the access-control filtering proceeds as follows:
1) IP control: filter the source IP and destination IP of the communication packets, allowing only IP addresses on the whitelist to pass;
2) Port control: check whether the communication packet involves port 135; if it does not, reject the packet;
3) Port tracking: the OPC server uses port 135 to dynamically allocate a communication port to the OPC client; monitor port 135 of the OPC server, parse out the dynamic port, and open that port so that OPC communication can proceed;
4) Burst attack detection: examine the distribution of the OPC communication data; if the OPC communication data arrives in a burst, perform burst attack detection on it; if no burst occurs, skip this step;
5) DCE/RPC detection: perform DCE/RPC detection on the communication data and filter out communication data that does not conform to the DCE/RPC standard.
When port scanning is detected in the network of the OPC client, filtering of the communication data by access control and by the self-learned anomaly traffic detection model proceeds as follows:
Step 1: self-learn the communication data between the OPC client and the OPC server to form the anomaly traffic detection model;
Step 2: on port scanning, filter the communication data by access control;
Step 3: enable the anomaly traffic detection model, feed the communication data filtered in step 2 into the model for detection, and filter the OPC communication.
As shown in Fig. 3, the self-learning comprises the following procedure:
1) Traffic acquisition: capture the communication data between the OPC client and the OPC server with the filtering facilities of the Linux kernel, and extract the traffic in which the OPC client operates on the OPC server;
2) Feature extraction: process the captured communication data and extract the client IP, the server IP, the operation number and context identifier of the DCE/RPC protocol header, and the time interval between identical operations on the OPC server; record these features in the following form:
$X_n = (x_1, x_2, x_3, x_4, x_5)$
where $X_n$ denotes a sample, $n$ is the number of samples (the larger $n$, the more samples), and $x_1$ to $x_5$ are the five features extracted from the communication data;
3) Model training: perform machine self-learning with a neural network algorithm, using the samples $X_n$ as input and $Y_n = 1$ as output for training, where 1 means the communication data passes and 0 means it does not;
4) Model generation: once the model is trained it can be tested on live traffic: extract the feature vector $X$ from the incoming communication data, feed $X$ into the model to obtain the output $Y$, set an acceptability threshold for the communication data, judge from that threshold whether the traffic is abnormal, and reject the packet if it is.
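The five access-control steps above (also listed in the Summary), worked as an added example; this is not code from the patent. It assumes packets arrive already split into address, port, payload and timestamp, that the endpoint-mapper reply on port 135 has been parsed elsewhere and its announced port is handed to learn_dynamic_port(), and that step 5 is reduced to a check of the DCE/RPC common header.

```python
from collections import defaultdict, deque

EPM_PORT = 135  # DCE/RPC endpoint mapper; the OPC server hands out the data port through it


def dcerpc_header_ok(pdu):
    """Step 5 in minimal form: a connection-oriented DCE/RPC PDU starts with a
    16-byte common header whose rpc_vers is 5 and whose frag_length (bytes 8-9,
    byte order taken from drep byte 4) equals the size of the PDU on the wire."""
    if len(pdu) < 16 or pdu[0] != 5:
        return False
    frag_len = int.from_bytes(pdu[8:10], "little" if pdu[4] & 0x10 else "big")
    return frag_len == len(pdu)


class OpcAccessControl:
    """Whitelist-mode access control. Assumption (not from the patent text): the
    port announced in the endpoint-mapper reply is supplied by the caller via
    learn_dynamic_port(); this class does not parse EPM towers itself."""

    def __init__(self, allowed_ips, burst_limit=20, window_s=1.0):
        self.allowed_ips = set(allowed_ips)
        self.dynamic_ports = defaultdict(set)  # server_ip -> ports it allocated
        self.burst_limit = burst_limit
        self.window_s = window_s
        self.recent = defaultdict(deque)       # src_ip -> timestamps inside the window

    def learn_dynamic_port(self, server_ip, port):
        """Step 3: remember the port the server allocated on 135 so only it is opened."""
        self.dynamic_ports[server_ip].add(port)

    def filter(self, src_ip, dst_ip, dst_port, payload, ts):
        """Return "pass" or a "drop: <reason>" string for one packet."""
        # Step 1: IP control, both endpoints must be on the whitelist
        if src_ip not in self.allowed_ips or dst_ip not in self.allowed_ips:
            return "drop: ip not on whitelist"
        # Steps 2-3: port control, only 135 or a port the server announced is open
        if dst_port != EPM_PORT and dst_port not in self.dynamic_ports[dst_ip]:
            return "drop: port is neither 135 nor a tracked dynamic port"
        # Step 4: burst attack detection, sliding window of packets per source
        window = self.recent[src_ip]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()
        if len(window) > self.burst_limit:
            return "drop: burst from %s (%d packets in %.1fs)" % (
                src_ip, len(window), self.window_s)
        # Step 5: DCE/RPC conformance
        if not dcerpc_header_ok(payload):
            return "drop: malformed DCE/RPC PDU"
        return "pass"


# Constructed sample: a bare 16-byte DCE/RPC header (rpc_vers 5, ptype 0 request,
# little-endian drep, frag_length 16, call_id 1), for offline use only.
SAMPLE_PDU = bytes([5, 0, 0, 0x03, 0x10, 0, 0, 0, 16, 0, 0, 0, 1, 0, 0, 0])
```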
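The self-learning procedure above (feature extraction from the DCE/RPC request header and the acceptability decision of step 4), as an added example that is not the patent's code. In place of the neural network the patent trains, it keeps a per-(client, server, opnum, context) profile of the interval between identical operations and maps each new sample to an acceptability score in [0, 1]; the PDU builder, addresses and timestamps are constructed for offline use.

```python
import struct
from collections import defaultdict
from statistics import mean, pstdev


def parse_request(pdu):
    """Return (context_id, opnum) from a connection-oriented DCE/RPC request PDU,
    or None if the bytes do not look like one. Layout: 16-byte common header,
    then alloc_hint(4), p_cont_id(2), opnum(2)."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != 0:   # rpc_vers 5, ptype 0 = request
        return None
    endian = "<" if pdu[4] & 0x10 else ">"             # drep byte 0 bit 4: little-endian
    (frag_len,) = struct.unpack(endian + "H", pdu[8:10])
    if frag_len != len(pdu):
        return None
    ctx_id, opnum = struct.unpack(endian + "HH", pdu[20:24])
    return ctx_id, opnum


def build_request(ctx_id, opnum, call_id=1):
    """Constructed 24-byte request PDU (little-endian drep, empty stub) for testing."""
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 0, 0x03, b"\x10\x00\x00\x00", 24, 0, call_id)
    return hdr + struct.pack("<IHH", 0, ctx_id, opnum)


class OpcFlowModel:
    """Stand-in for the patent's neural network: learns, per
    (client, server, opnum, context) key, the mean and spread of the interval
    between identical operations, then scores new samples."""

    def __init__(self):
        self.last_seen = {}                 # key -> timestamp of the previous request
        self.intervals = defaultdict(list)  # key -> observed intervals during learning
        self.profile = {}                   # key -> (mean, stdev) or None

    def features(self, client_ip, server_ip, pdu, ts):
        """X = (x1..x5): client IP, server IP, opnum, context id, seconds since the
        same client last issued the same operation (None on first sight).
        Updates last_seen, so call it once per packet."""
        parsed = parse_request(pdu)
        if parsed is None:
            return None
        ctx_id, opnum = parsed
        key = (client_ip, server_ip, opnum, ctx_id)
        prev = self.last_seen.get(key)
        self.last_seen[key] = ts
        interval = ts - prev if prev is not None else None
        return key + (interval,)

    def learn(self, client_ip, server_ip, pdu, ts):
        x = self.features(client_ip, server_ip, pdu, ts)
        if x is not None:
            self.profile.setdefault(x[:4], None)
            if x[4] is not None:
                self.intervals[x[:4]].append(x[4])

    def finish(self):
        """End of the learning period: turn recorded intervals into a baseline."""
        for key, vals in self.intervals.items():
            self.profile[key] = (mean(vals), pstdev(vals))

    def acceptability(self, x):
        key, interval = x[:4], x[4]
        if key not in self.profile:
            return 0.0          # client/server/operation never seen while learning
        stats = self.profile[key]
        if interval is None or stats is None:
            return 1.0          # known operation with no timing baseline to violate
        mu, sigma = stats
        tol = max(3 * sigma, 0.5 * mu, 1e-3)
        return max(0.0, 1.0 - abs(interval - mu) / tol)

    def check(self, client_ip, server_ip, pdu, ts, threshold=0.5):
        """Step 4: feature vector -> acceptability -> pass/reject against a threshold."""
        x = self.features(client_ip, server_ip, pdu, ts)
        if x is None:
            return "drop: not a DCE/RPC request"
        return "pass" if self.acceptability(x) >= threshold else "drop: abnormal flow"
```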

Claims (5)

1. A self-learning-based security detection method for the OPC Classic protocol, characterized in that the method proceeds as follows: detect whether port scanning is taking place in the network of the OPC client; if not, the communication data is filtered by access control; if so, the communication data is filtered by access control and by the anomaly traffic detection model generated by self-learning; the filtered communication data is forwarded to the OPC server.
2. The self-learning-based security detection method for the OPC Classic protocol according to claim 1, characterized in that the access control uses a whitelist mode.
3. The self-learning-based security detection method for the OPC Classic protocol according to claim 2, characterized in that when no port scanning is detected in the network of the OPC client, the access-control filtering proceeds as follows:
1) IP control: filter the source IP and destination IP of the communication packets, allowing only IP addresses on the whitelist to pass;
2) Port control: check whether the communication packet involves port 135; if it does not, reject the packet;
3) Port tracking: the OPC server uses port 135 to dynamically allocate a communication port to the OPC client; monitor port 135 of the OPC server, parse out the dynamic port, and open that port so that OPC communication can proceed;
4) Burst attack detection: examine the distribution of the OPC communication data; if the OPC communication data arrives in a burst, perform burst attack detection on it; if no burst occurs, skip this step;
5) DCE/RPC detection: perform DCE/RPC detection on the communication data and filter out communication data that does not conform to the DCE/RPC standard.
4. The self-learning-based security detection method for the OPC Classic protocol according to claim 1, characterized in that when port scanning is detected in the network of the OPC client, filtering of the communication data by access control and by the self-learned anomaly traffic detection model proceeds as follows:
Step 1: self-learn the communication data between the OPC client and the OPC server to form the anomaly traffic detection model;
Step 2: on port scanning, filter the communication data by access control;
Step 3: enable the anomaly traffic detection model, feed the communication data filtered in step 2 into the model for detection, and filter the OPC communication.
5. The self-learning-based security detection method for the OPC Classic protocol according to claim 1 or 4, characterized in that the self-learning comprises the following procedure:
1) Traffic acquisition: capture the communication data between the OPC client and the OPC server with the filtering facilities of the Linux kernel, and extract the traffic in which the OPC client operates on the OPC server;
2) Feature extraction: process the captured communication data and extract the client IP, the server IP, the operation number and context identifier of the DCE/RPC protocol header, and the time interval between identical operations on the OPC server;
record these features in the following form:
$X_n = (x_1, x_2, x_3, x_4, x_5)$
where $X_n$ denotes a sample, $n$ is the number of samples (the larger $n$, the more samples), and $x_1$ to $x_5$ are the five features extracted from the communication data;
3) Model training: perform machine self-learning with a neural network algorithm, using the samples $X_n$ as input and $Y_n = 1$ as output for training, where 1 means the communication data passes and 0 means it does not;
4) Model generation: once the model is trained it can be tested on live traffic: extract the feature vector $X$ from the incoming communication data, feed $X$ into the model to obtain the output $Y$, set an acceptability threshold for the communication data, judge from that threshold whether the traffic is abnormal, and reject the packet if it is.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610392101.7A CN105959289A (en) 2016-06-06 2016-06-06 Self-learning-based safety detection method for OPC Classic protocol

Publications (1)

Publication Number Publication Date
CN105959289A true CN105959289A (en) 2016-09-21

Family

ID=56907840

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610392101.7A Pending CN105959289A (en) 2016-06-06 2016-06-06 Self-learning-based safety detection method for OPC Classic protocol

Country Status (1)

Country Link
CN (1) CN105959289A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101399672A (en) * 2008-10-17 2009-04-01 章毅 Intrusion detection method for fusion of multiple neutral networks
CN102130800A (en) * 2011-04-01 2011-07-20 苏州赛特斯网络科技有限公司 Device and method for detecting network access abnormality based on data stream behavior analysis
CN104734903A (en) * 2013-12-23 2015-06-24 中国科学院沈阳自动化研究所 Safety protection method of OPC protocol based on dynamic tracking technology
CN104767748A (en) * 2015-03-30 2015-07-08 西北工业大学 OPC server safety defending system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106789281A (en) * 2016-12-28 2017-05-31 青岛海天炜业过程控制技术股份有限公司 A kind of method that disconnection reconnecting is realized during OPC protocol communications
CN106789281B (en) * 2016-12-28 2019-12-31 青岛海天炜业过程控制技术股份有限公司 Method for realizing disconnection reconnection in OPC protocol communication process
CN106921676A (en) * 2017-04-20 2017-07-04 电子科技大学 A kind of intrusion detection method based on OPCClassic
CN106921676B (en) * 2017-04-20 2020-05-08 电子科技大学 Intrusion detection method based on OPCClasic
CN109639701A (en) * 2018-12-25 2019-04-16 杭州迪普科技股份有限公司 Access control method, device, equipment and storage medium based on OPC agreement
CN109639701B (en) * 2018-12-25 2021-06-29 杭州迪普科技股份有限公司 Access control method, device and equipment based on OPC protocol and storage medium
CN110460623A (en) * 2019-09-27 2019-11-15 杭州九略智能科技有限公司 A kind of processing system, method and terminal for Industry Control puppy parc
CN111680906A (en) * 2020-06-03 2020-09-18 贵州航天云网科技有限公司 Industrial control system safety detection and early warning oriented system construction method and device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20160921)