CN106161084A - Information security protection device and method applicable to fieldbus networks - Google Patents
- Publication number: CN106161084A (application number CN201610416686.1A)
- Authority: CN (China)
- Prior art keywords: bus; applicable; information safety; protecting information; unit
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/06—Management of faults, events, alarms or notifications
- H04L41/0631—Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1425—Traffic logging, e.g. anomaly detection
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention discloses an information security protection device and method applicable to fieldbus networks, in the technical field of industrial control. The device comprises a bus network interface unit, a bus signal decoding unit, a main controller, a memory and a power supply unit. The power supply unit supplies power to the powered units in the device. The bus network interface unit has at least one bus interface and is signal-connected to the bus signal decoding unit; the bus signal decoding unit has at least one bus signal decoder and is signal-connected to the main controller; the memory is signal-connected to the main controller.
Description
Technical field
The present invention relates to the technical field of industrial control, and in particular to an information security protection device and method applicable to industrial fieldbus networks.
Background technology
With the development of automation technology, fieldbus technology has been widely applied in industrial control systems. It interconnects field devices such as controllers, input/output modules, sensors and actuators to form a fieldbus control system.
The mainstream fieldbus systems on the market today include Profibus, Modbus, CAN, FF and others. In addition, there are special fieldbus specifications developed for particular industries with a stronger professional focus, such as the WTB and MVB buses that make up the TCN (Train Communication Network).
For the different types of fieldbus, manufacturers have released diagnostic tools for each specific bus. For example, for the Profibus-DP bus, which has a large installed base and is widely used, products such as ProfiTrace from Procentec (Netherlands), the BT200 from Siemens and the PB Diagnostic Plug from Comsoft (Germany) are on sale.
These diagnostic tools generally consist of a diagnostic program on a PC and a dedicated bus interface module. One end of the bus interface module is connected to the fieldbus system and the other end is connected to the PC through a USB port; the module captures messages from the bus and forwards them through the USB port to the PC diagnostic program, which finally performs the bus diagnostic function.
Owing to factors such as their functional positioning, the main limitations of the prior art are:
1. Bus diagnostic tools are only suited to detecting general communication errors in a running industrial fieldbus; they cannot monitor for, identify or raise alarms on malicious bus intrusion behaviour.
2. Bus diagnostic tools are generally designed for one specific fieldbus and cannot monitor several kinds of fieldbus at the same time.
3. Bus diagnostic tools generally work in a "capture bus messages in real time, then parse offline" mode and cannot reflect the real-time operating state of the fieldbus.
4. Diagnostic tools are usually only used when a bus error that has already occurred needs to be analysed, and such errors are typically hard to reproduce. When a non-reproducible transient error occurs on the bus network, a diagnostic tool is of very little use.
5. Malicious bus intrusion behaviour is unpredictable and non-reproducible, so attempting to find malicious intrusion behaviour with a diagnostic tool is infeasible.
In summary, existing bus diagnostic technology cannot be applied to the information security protection of industrial fieldbus networks.
Summary of the invention
The technical problem to be solved by the invention is to provide, in view of the problems described above, a device and method for information security protection of industrial fieldbus networks.
The device of the invention comprises a bus network interface unit, a bus signal decoding unit, a main controller, a memory and a power supply unit;
the power supply unit supplies power to the powered units in the device;
the bus network interface unit has at least one bus interface and is signal-connected to the bus signal decoding unit;
the bus signal decoding unit has at least one bus signal decoder and is signal-connected to the main controller;
the memory is signal-connected to the main controller.
Further, the bus network interface unit is used to receive industrial fieldbus signals and perform level conversion on them.
Further, the bus signal decoding unit is used to decode the signals output by the bus network interface unit to obtain message data.
Further, the memory is used to store the message data.
Further, the main controller is used to analyse the message data and discover network intrusion behaviour.
Based on the above device, the invention provides an information security protection method applicable to fieldbus networks, comprising:
Step 1: receive the industrial fieldbus signal;
Step 2: perform level conversion on the industrial fieldbus signal;
Step 3: decode the level-converted industrial fieldbus signal to obtain message data;
Step 4: determine from the message data whether network intrusion behaviour is present.
Step 4 further includes: looking up the station access information in the message data and judging whether the station is a strange (unregistered) station; if so, an alarm message is generated.
Step 4 further includes: measuring the traffic of the message data; if the change in data traffic Δ exceeds a set value, the bus traffic is considered abnormal and an alarm message is generated.
Step 4 further includes: judging from the transmission pattern of the message data whether an industrial field device has gone offline; if so, a station abnormal-offline event is considered to have occurred and an alarm message is generated.
Step 4 further includes: judging from the message data content whether an abnormal message or a bus response error has occurred; if so, an alarm message is generated.
In summary, by adopting the above technical scheme, the invention has the following beneficial effects:
The information security protection device of the invention has multiple bus interfaces, so its intrusion detection function is compatible with several kinds of bus network, and it can perform information security protection for several bus networks at the same time.
The information security protection device of the invention can capture online, and parse in real time, all operational data messages on the buses it is connected to.
The information security protection device of the invention can identify multiple bus anomalies that may be caused by malicious intrusion behaviour, such as "strange station access", "system station abnormal offline", "abnormal message" and "bus traffic mutation".
The information security protection device of the invention can generate alarm messages classified by the kind of intrusion behaviour and upload them to an external management system, thereby achieving information security protection at the fieldbus level.
Brief description of the drawings
Embodiments of the invention are described with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of the device of the invention connected to an industrial fieldbus network.
Fig. 2 is a block diagram of the interior of the device of the invention.
Fig. 3 is the intrusion behaviour detection flowchart of the method of the invention.
Detailed description of the invention
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Any feature disclosed in this specification may, unless stated otherwise, be replaced by an alternative feature serving the same, equivalent or similar purpose. That is, unless stated otherwise, each feature is only one example of a series of equivalent or similar features.
As shown in Fig. 2, the device of the invention comprises a bus network interface unit, a bus signal decoding unit, a main controller, a memory and a power supply unit.
The power supply unit converts the 5 V DC input into 3.3 V, 1.2 V and 1.0 V supply rails, providing the power needed for normal operation of the bus network interface unit, the bus signal decoding unit, the main controller and the other units.
The bus network interface unit has at least one bus interface; in this embodiment it includes:
a conventional RS485 bus interface: the connector is a PHOENIX terminal block, suitable for connecting to a Modbus bus and to a Profibus bus running at low rates;
a high-speed Profibus interface: communication baud rate from 31.25 kbps to 12 Mbps, with a female DB9 connector, suitable for connecting to a Profibus bus running at high bit rates;
a redundant MVB interface: communication baud rate 1.5 Mbps, with two dual-redundant DB9 connectors (one female, one male), suitable for MVB access;
and an Ethernet interface: 10/100M auto-negotiating, used to upload alarm event information to an external management system.
The bus network interface unit is signal-connected to the bus signal decoding unit; it performs level conversion on the received bus signals and outputs them to the bus signal decoding unit.
The bus signal decoding unit has at least one bus signal decoder; in a preferred embodiment the decoder also has an encoding function, making it a bus signal codec unit.
In this embodiment the bus signal codec unit is implemented on a Xilinx XC6SLX100-2FFG484I FPGA module and consists internally of logic function blocks such as an encoder, a decoder, a data buffer and a configuration register array, all of which are implemented by programming the FPGA in VHDL.
Because the device has multiple bus interfaces and supports access to several kinds of bus, the bus signal codec module must support multiple coding schemes, both synchronous and asynchronous codes; the main schemes supported are NRZ coding and Manchester coding.
The decoding process is as follows:
The decoding work of the bus signal codec unit is done mainly by the decoder, which provides data sampling, location of the data frame start, extraction of the data from the frame and storage of that data into the data buffer. For a decoder implemented on an FPGA, decoding asynchronous codes is not complicated; the key to decoding synchronous codes is synchronisation detection: a decoding period can only start once synchronising information has been detected. Taking MVB as an example, the master and slave frames of the protocol carry synchronising information in the frame head and frame tail, and the Manchester code used for the data itself also carries synchronising information. Therefore, for MVB, the first step of decoding is to decode the Manchester code, which is implemented by sampling and judging the signal edges: a rising edge is 0 and a falling edge is 1. The frame head and tail are then identified according to the protocol, the frame data is extracted and decoded, the decoded frame data is stored in the data buffer, and the main control unit is notified by interrupt to process it.
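The bit-level stage just described, written out as an added Python example that is not part of the patent and not the device's VHDL: half-bit line samples are paired into Manchester symbols using the convention stated above (rising edge = 0, falling edge = 1), a decoding period starts only after a start delimiter is seen, and data bits are collected until the end delimiter. The delimiter patterns `START` and `END` are constructed for illustration and are not the real MVB delimiters; the sample stream is assumed to be already aligned to half-bit boundaries, which a real decoder recovers from the signal edges.

```python
"""Manchester symbol recovery plus delimiter-based frame synchronisation.
Delimiters and sample data below are CONSTRUCTED for illustration."""

# Non-data symbols: a full bit period held high ("H") or low ("L"), i.e.
# Manchester code violations.  Delimiters are built only from these, so a
# run of data bits can never be mistaken for a delimiter.
START = ("H", "L", "H", "L")   # constructed start delimiter (assumption)
END = ("L", "H")               # constructed end delimiter (assumption)

# One symbol <-> two half-bit line levels, using the page's edge convention.
ENCODE = {0: (0, 1), 1: (1, 0), "H": (1, 1), "L": (0, 0)}
DECODE = {levels: symbol for symbol, levels in ENCODE.items()}


def encode_symbols(symbols):
    """Transmitter side; used here only to build the constructed capture."""
    out = []
    for s in symbols:
        out.extend(ENCODE[s])
    return out


def symbols_from_samples(samples):
    """Pair up half-bit samples and classify each pair (assumes alignment)."""
    if len(samples) % 2:
        raise ValueError("sample stream must contain whole bit periods")
    return [DECODE[(samples[i], samples[i + 1])] for i in range(0, len(samples), 2)]


def extract_frames(samples):
    """Scan for START, then collect data bits until END.
    Returns (status, bits) per frame: "ok", "violation" (code violation inside
    the data field) or "truncated" (capture ended inside a frame)."""
    syms = symbols_from_samples(samples)
    frames, i, n = [], 0, len(syms)
    while i < n:
        if tuple(syms[i:i + len(START)]) != START:
            i += 1                      # not synchronised yet: keep scanning
            continue
        i += len(START)                 # sync found: a decoding period starts
        bits, status = [], "truncated"
        while i < n:
            if tuple(syms[i:i + len(END)]) == END:
                status, i = "ok", i + len(END)
                break
            if syms[i] in ("H", "L"):   # violation inside data: abort the frame
                status = "violation"
                break
            bits.append(syms[i])
            i += 1
        frames.append((status, bits))
    return frames


def bits_to_bytes(bits):
    """Pack decoded bits MSB-first into octets (what goes to the data buffer)."""
    if len(bits) % 8:
        raise ValueError("data field is not a whole number of octets")
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def demo():
    """Constructed capture: idle line, a good frame carrying 0xA5, a frame with a
    code violation in its data field, then idle line again."""
    good = list(START) + [1, 0, 1, 0, 0, 1, 0, 1] + list(END)
    bad = list(START) + [1, 1, 0, 0, "H", 0, 1] + list(END)
    samples = [1, 1, 1, 1] + encode_symbols(good + bad) + [0, 0]
    return extract_frames(samples)


if __name__ == "__main__":
    for status, bits in demo():
        print(status, bits_to_bytes(bits) if status == "ok" else bits)
```

A frame reported as "violation" or "truncated" is exactly the kind of input the text's later "abnormal message" check should see rather than silently drop, so the decoder returns it with a status instead of discarding it.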
The main controller of the invention uses the P1010 PowerPC processor produced by Freescale, clocked at 500 MHz and running the VxWorks 5.5 embedded operating system; the security protection functions of the device are implemented by an application program running on VxWorks. The main controller and the bus signal codec unit are connected by a Local Bus, so that decoded bus messages are transferred rapidly to the microprocessor program for processing. This ensures that bus data is processed in time, effectively prevents loss of bus packets, and guarantees the real-time performance and accuracy of the device's bus behaviour monitoring. The main controller analyses the decoded bus message data to judge whether network intrusion behaviour is present.
The memory of the invention consists mainly of FLASH memory and system RAM, and is signal-connected to the bus signal codec unit. The system RAM is 1 GB of DDR3 SDRAM, which provides enough running space for the system and the security protection process; the FLASH memory has a capacity of 64 MB and is mainly used to store the operating system image and the boot and configuration files needed for normal system operation.
As shown in Fig. 3, after the device of the invention is connected to a fieldbus network, each hardware module processes the bus network signal as follows:
the bus signal interface unit brings in the fieldbus network signal and performs the necessary level conversion on it (for example, converting RS485 levels to TTL levels);
the bus signal codec unit receives the level-converted bus network signal and decodes it into standard signal data;
the codec unit stores the decoded data in the data buffer and notifies the main controller by interrupt;
the main controller addresses and reads the data buffer over the Local Bus and processes the data further, finally implementing the information security protection function at the fieldbus level.
Specifically, the main controller analyses the message data to detect bus intrusion behaviour, identifying the information security risks at the fieldbus level comprehensively from several angles, such as strange station access detection, system station abnormal-offline detection, abnormal message detection and bus traffic monitoring, and generates the corresponding alarm messages. The method is based on analysis of the bus data messages; the specific judgement details differ slightly between bus protocols, and a typical detection flow is shown in Fig. 3. The figure shows the specific flow of anomaly detection for the Profibus-DP bus; the main detection steps and methods are as follows:
1. Check whether the message conforms to the protocol conventions: if it does, record key information such as the source address SA, the destination address DA and the function code FC; otherwise the program generates an "abnormal message" alarm.
2. Judge whether the station whose station number is SA belongs to the system stations: if not, generate a "strange station access" alarm; if so, reset the offline monitoring timer corresponding to that station and restart timing.
3. Check one by one whether the offline monitoring timer of each system station has expired: if the timer of any station exceeds the time limit T, generate the corresponding "station abnormal offline" alarm, where the limit T is determined by the cycle parameter of the monitored bus system.
4. Detect the message type: if this frame is a response message and the previous frame was not a request frame requiring a response, generate a "bus response error" alarm.
In addition, bus traffic is also monitored. This function relies on the receive statistics produced by the bus data capture module and is implemented by a dedicated bus traffic monitoring task. The task computes the bus data traffic once per period and compares the real-time traffic with the historical traffic. If the bus data traffic changes markedly, that is, if the change in data traffic Δ exceeds the set value, the bus traffic is considered to have undergone a large mutation; the traffic information is then uploaded and a "bus data traffic mutation" alarm is generated.
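The Profibus-DP detection steps 1 to 4 and the traffic monitoring task above, combined into one added Python example that is not the patent's own code and not the VxWorks application it describes. The SD2 (variable-length) frame layout, the byte-sum FCS and the frame-type bit of FC follow the Profibus FDL frame format; everything else is an assumption: the registered station list, the offline limit T, the statistics period and the Δ threshold are constructed example parameters, and the monitor treats every request frame as one that expects a response, which simplifies the "request frame requiring a response" condition of step 4.

```python
"""Frame-level bus monitor: protocol check, station whitelist, offline timers,
response-without-request check and per-period traffic delta.
All parameters and captured frames below are CONSTRUCTED for illustration."""

SD2, ED = 0x68, 0x16
FC_REQUEST = 0x40   # FC bit 6: 1 = request/send frame, 0 = response/acknowledge


def build_sd2(da, sa, fc, data=b""):
    """Build a well-formed SD2 frame; used here to construct test input."""
    body = bytes([da, sa, fc]) + bytes(data)
    le = len(body)
    return bytes([SD2, le, le, SD2]) + body + bytes([sum(body) & 0xFF, ED])


def parse_sd2(frame):
    """Step 1: (DA, SA, FC, data) if the frame meets the SD2 conventions
    (delimiters, repeated length, end byte, checksum), otherwise None."""
    if len(frame) < 9 or frame[0] != SD2 or frame[3] != SD2 or frame[1] != frame[2]:
        return None
    le = frame[1]
    if le < 3 or len(frame) != le + 6 or frame[-1] != ED:
        return None
    body = frame[4:4 + le]
    if frame[-2] != sum(body) & 0xFF:      # FCS is the byte sum of DA..data
        return None
    # bit 7 of DA/SA is the address-extension flag, not part of the station number
    return body[0] & 0x7F, body[1] & 0x7F, body[2], bytes(body[3:])


class BusMonitor:
    def __init__(self, system_stations, t0, limit_t, period, delta_limit):
        self.stations = set(system_stations)             # registered station numbers
        self.limit_t, self.period, self.delta_limit = limit_t, period, delta_limit
        self.last_seen = {s: t0 for s in self.stations}  # per-station offline timers
        self.offline = set()
        self.prev_was_request = False
        self.period_start, self.period_bytes, self.prev_period_bytes = t0, 0, None
        self.alarms = []                                 # (time, kind, detail)

    def on_frame(self, t, frame):
        self._account_traffic(t, len(frame))
        parsed = parse_sd2(frame)
        if parsed is None:                               # step 1
            self.alarms.append((t, "abnormal message", frame.hex()))
            self.prev_was_request = False
            return
        da, sa, fc, _ = parsed
        if sa not in self.stations:                      # step 2
            self.alarms.append((t, "strange station access", f"SA={sa}"))
        else:
            self.last_seen[sa] = t                       # reset the offline timer
            self.offline.discard(sa)
        is_request = bool(fc & FC_REQUEST)               # step 4
        if not is_request and not self.prev_was_request:
            self.alarms.append((t, "bus response error", f"SA={sa} DA={da}"))
        self.prev_was_request = is_request
        self._check_offline(t)                           # step 3

    def _check_offline(self, t):
        for s in sorted(self.stations):
            if s not in self.offline and t - self.last_seen[s] > self.limit_t:
                self.offline.add(s)
                self.alarms.append((t, "station abnormal offline", f"station={s}"))

    def _account_traffic(self, t, nbytes):
        # Close every statistics period that has elapsed and compare each with the
        # previous one, so a silent period also shows up as a traffic change.
        while t - self.period_start >= self.period:
            if (self.prev_period_bytes is not None
                    and abs(self.period_bytes - self.prev_period_bytes) > self.delta_limit):
                self.alarms.append((self.period_start + self.period, "bus data traffic mutation",
                                    f"{self.prev_period_bytes}->{self.period_bytes} bytes"))
            self.prev_period_bytes, self.period_bytes = self.period_bytes, 0
            self.period_start += self.period
        self.period_bytes += nbytes


def demo():
    """Constructed capture: stations 1-3 registered, T = 2 s, 1 s periods, Δ limit 20 bytes."""
    m = BusMonitor({1, 2, 3}, t0=0.0, limit_t=2.0, period=1.0, delta_limit=20)
    capture = [
        (0.1, build_sd2(2, 1, 0x6D)),                      # request 1 -> 2
        (0.2, build_sd2(1, 2, 0x08)),                      # response 2 -> 1: fine
        (0.3, build_sd2(1, 2, 0x08)),                      # response with no request
        (0.4, build_sd2(2, 9, 0x6D)),                      # station 9 is not registered
        (0.5, bytes([SD2, 3, 3, SD2, 2, 1, 0x6D, 0x00, ED])),  # bad checksum
        (2.6, build_sd2(2, 1, 0x6D)),                      # gap: stations 2 and 3 went silent
    ]
    for t, frame in capture:
        m.on_frame(t, frame)
    return m.alarms
```

Running `demo()` yields six alarms in order: a bus response error, a strange station access, an abnormal message, a traffic mutation for the silent period ending at t = 2.0 s, and two station abnormal-offline alarms when station 1 reappears at t = 2.6 s and the timers of stations 2 and 3 are found to have exceeded T.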
The invention is not limited to the specific embodiments described above. It extends to any new feature or any new combination of features disclosed in this specification, and to any new method or process step, or any new combination of steps, disclosed herein.
Claims (10)
1. An information security protection device applicable to fieldbus networks, characterised in that it comprises a bus network interface unit, a bus signal decoding unit, a main controller, a memory and a power supply unit;
the power supply unit supplies power to the powered units in the device;
the bus network interface unit has at least one bus interface and is signal-connected to the bus signal decoding unit;
the bus signal decoding unit has at least one bus signal decoder and is signal-connected to the main controller;
the memory is signal-connected to the main controller.
2. The information security protection device applicable to fieldbus networks according to claim 1, characterised in that the bus network interface unit is used to receive industrial fieldbus signals and perform level conversion on them.
3. The information security protection device applicable to fieldbus networks according to claim 1, characterised in that the bus signal decoding unit is used to decode the signals output by the bus network interface unit to obtain message data.
4. The information security protection device applicable to fieldbus networks according to claim 3, characterised in that the memory is used to store the message data.
5. The information security protection device applicable to fieldbus networks according to claim 3, characterised in that the main controller is used to analyse the message data to discover network intrusion behaviour.
6. An information security protection method applicable to fieldbus networks based on the device of claim 1, characterised in that it comprises:
Step 1: receive the industrial fieldbus signal;
Step 2: perform level conversion on the industrial fieldbus signal;
Step 3: decode the level-converted industrial fieldbus signal to obtain message data;
Step 4: determine from the message data whether network intrusion behaviour is present.
7. The information security protection method applicable to fieldbus networks according to claim 6, characterised in that step 4 further includes: looking up the station access information in the message data and judging whether the station is a strange station; if so, generating an alarm message.
8. The information security protection method applicable to fieldbus networks according to claim 6, characterised in that step 4 further includes: measuring the traffic of the message data; if the change in data traffic Δ exceeds a set value, considering the bus data traffic abnormal and generating an alarm message.
9. The information security protection method applicable to fieldbus networks according to claim 6, characterised in that step 4 further includes: judging from the transmission pattern of the message data whether an industrial field device has gone offline; if so, considering that a station abnormal-offline event has occurred and generating an alarm message.
10. The information security protection method applicable to fieldbus networks according to claim 6, characterised in that step 4 further includes: judging from the message data content whether an abnormal message or a bus response error has occurred; if so, generating an alarm message.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610416686.1A CN106161084A (en) | 2016-06-15 | 2016-06-15 | A kind of protecting information safety device and method being applicable to fieldbus networks |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106161084A true CN106161084A (en) | 2016-11-23 |
Family
ID=57353161
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610416686.1A Pending CN106161084A (en) | 2016-06-15 | 2016-06-15 | A kind of protecting information safety device and method being applicable to fieldbus networks |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106161084A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107995258A (en) * | 2017-11-03 | 2018-05-04 | 长安大学 | Connect equipment and data transmission method |
CN107995258B (en) * | 2017-11-03 | 2021-01-05 | 长安大学 | Connection device and data transmission method |
CN108520187A (en) * | 2018-04-20 | 2018-09-11 | 西安交通大学 | Industrial control system physics Network Intrusion detection method based on the analysis of serial communication bus signal |
CN108520187B (en) * | 2018-04-20 | 2020-03-17 | 西安交通大学 | Industrial control system physical intrusion attack detection method based on serial communication bus signal analysis |
CN110896393A (en) * | 2018-09-13 | 2020-03-20 | 北京奇虎科技有限公司 | Intrusion detection method and device for automobile bus and computing equipment |
CN113364659A (en) * | 2021-08-11 | 2021-09-07 | 浙江德塔森特数据技术有限公司 | Data acquisition system based on Modbus protocol |
CN115801459A (en) * | 2023-02-03 | 2023-03-14 | 北京六方云信息技术有限公司 | Message detection method, device, system and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101042582A (en) * | 2007-04-25 | 2007-09-26 | 上海电器科学研究所(集团)有限公司 | Programmable and configurable remote I/O module with field bus interface |
CN102263683A (en) * | 2010-05-28 | 2011-11-30 | 沈阳高精数控技术有限公司 | Secure communication method for double loop field bus in numerical control system |
CN103618735A (en) * | 2013-12-10 | 2014-03-05 | 机械工业仪器仪表综合技术经济研究所 | Method for monitoring security of field level control network |
CN105573291A (en) * | 2015-12-24 | 2016-05-11 | 中国信息安全测评中心 | Threat detection method based on key parameter fusion verification and safety device |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
RJ01 | Rejection of invention patent application after publication |
Application publication date: 2016-11-23