CN106161084A - Information security protection device and method for fieldbus networks - Google Patents

Information security protection device and method for fieldbus networks Download PDF

Info

Publication number
CN106161084A
CN106161084A (application CN201610416686.1A)
Authority
CN
China
Prior art keywords
bus
applicable
information safety
protecting information
unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610416686.1A
Other languages
Chinese (zh)
Inventor
兰昆
唐林
赖军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Electronic Technology Cyber Security Co Ltd
Original Assignee
China Electronic Technology Cyber Security Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Electronic Technology Cyber Security Co Ltd
Priority to CN201610416686.1A
Publication of CN106161084A
Legal status: Pending (current)

Links

Classifications

    • H04L41/0631: Management of faults, events, alarms or notifications using root cause analysis, or using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis (under H04L41/06 and H04L41/00: arrangements for maintenance, administration or management of data switching networks; H04L: transmission of digital information; H04: electric communication technique; H: electricity)
    • H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic; H04L63/14; H04L63/00: network architectures or network communication protocols for network security)
    • H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/1408, H04L63/14 and H04L63/00 as above)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses an information security protection device and method for fieldbus networks, in the technical field of industrial control. The device comprises a bus network interface unit, a bus signal decoding unit, a master controller, a memory and a power supply unit. The power supply unit powers the other units in the device. The bus network interface unit has at least one bus interface and is signal-connected to the bus signal decoding unit. The bus signal decoding unit has at least one bus signal decoder and is signal-connected to the master controller. The memory is signal-connected to the master controller.

Description

Information security protection device and method for fieldbus networks
Technical field
The present invention relates to the technical field of industrial control, and in particular to a device and method for the information security protection of industrial fieldbus networks.
Background technology
With the development of automation technology, fieldbus technology has come into wide use in industrial control systems: it interconnects field devices such as controllers, input/output modules, sensors and actuators to form a fieldbus control system. The mainstream fieldbus systems on the market include Profibus, Modbus, CAN and FF (Foundation Fieldbus). There are also industry-specific fieldbus standards developed for particular application domains, such as the WTB and MVB buses that make up TCN (Train Communication Network).
For the various fieldbus types, manufacturers already offer diagnostic tools for a specific bus. For the widely deployed Profibus-DP bus, for example, ProfiTrace from Procentec (Netherlands), the BT200 from Siemens and the PB Diagnostic Plug from Comsoft (Germany) are on sale. These diagnostic tools generally consist of a PC-side diagnostic program and a dedicated bus interface module. One end of the bus interface module is attached to the fieldbus system and the other is connected to the PC over USB; the module captures telegrams from the bus and forwards them over USB to the PC-side diagnostic program, which then performs the bus diagnosis.
Owing to their functional positioning, the main limitations of the prior art are:
1. Bus diagnostic tools only detect general communication errors in the operation of an industrial fieldbus; they cannot monitor, identify and raise alarms on malicious bus intrusion behaviour.
2. Bus diagnostic tools are generally designed for one specific fieldbus and cannot monitor several kinds of fieldbus at the same time.
3. Bus diagnostic tools generally work in a "capture bus telegrams in real time, parse them offline" mode and therefore cannot reflect the real-time running state of the fieldbus.
4. Diagnostic tools are usually brought out only when a bus error that has already occurred needs to be analysed, and reproducing an error is typically difficult; when a bus network suffers a non-reproducible transient error, a diagnostic tool is of very little use.
5. Malicious bus intrusion behaviour is generally unpredictable and non-reproducible, so trying to find malicious intrusion behaviour with a diagnostic tool is not feasible.
In summary, existing bus diagnostic technology cannot be applied to the information security protection of industrial fieldbus networks.
Summary of the invention
The technical problem to be solved by the present invention is, in view of the problems above, to provide a device and method for the information security protection of industrial fieldbus networks.
The device of the present invention comprises a bus network interface unit, a bus signal decoding unit, a master controller, a memory and a power supply unit;
the power supply unit powers the other units in the device;
the bus network interface unit has at least one bus interface, and the bus network interface unit is signal-connected to the bus signal decoding unit;
the bus signal decoding unit has at least one bus signal decoder, and the bus signal decoding unit is signal-connected to the master controller;
the memory is signal-connected to the master controller.
Further, the bus network interface unit is used to receive industrial fieldbus signals and perform level conversion on them.
Further, the bus signal decoding unit decodes the signals output by the bus network interface unit into message data.
Further, the memory stores the message data.
Further, the master controller analyses the message data to discover network intrusion behaviour.
Based on the device above, the present invention provides an information security protection method for fieldbus networks, comprising:
Step 1: receiving an industrial fieldbus signal;
Step 2: performing level conversion on the industrial fieldbus signal;
Step 3: decoding the level-converted industrial fieldbus signal to obtain message data;
Step 4: judging from the message data whether network intrusion behaviour is present.
Step 4 further comprises: looking up the station access information in the message data and judging whether the station is an unknown station; if so, generating an alarm.
Step 4 further comprises: detecting the traffic of the message data; if the traffic change Δ exceeds a set value, the bus traffic is deemed abnormal and an alarm is generated.
Step 4 further comprises: judging from the transmission of message data whether an industrial field device has gone offline; if so, an abnormal station offline event is deemed to have occurred and an alarm is generated.
Step 4 further comprises: judging from the message data content whether a message exception or a bus response error has occurred; if so, generating an alarm.
In summary, by adopting the technical scheme above, the present invention has the following beneficial effects:
The information security protection device of the present invention has several bus interfaces, supports intrusion detection on several kinds of bus network, and can perform information security protection for several bus networks at the same time.
The device can capture online and parse in real time all operating data messages of the bus it is attached to.
The device can identify several kinds of bus anomaly that may be caused by malicious intrusion, such as "unknown station access", "system station abnormal offline", "exception message" and "bus traffic mutation".
The device can generate alarm information classified by type of intrusion behaviour and upload it to an external management system, thereby realising information security protection at the fieldbus level.
Accompanying drawing explanation
Embodiments of the present invention are described with reference to the accompanying drawings, in which:
Fig. 1 is a schematic diagram of the device of the present invention attached to an industrial fieldbus network.
Fig. 2 is a block diagram of the interior of the device of the present invention.
Fig. 3 is a flow chart of intrusion behaviour detection in the method of the present invention.
Detailed description of the invention
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Unless stated otherwise, any feature disclosed in this specification may be replaced by an alternative feature serving the same, an equivalent or a similar purpose. That is, unless stated otherwise, each feature is merely one example of a series of equivalent or similar features.
As shown in Fig. 2, the device of the present invention comprises a bus network interface unit, a bus signal decoding unit, a master controller, a memory and a power supply unit.
The power supply unit converts the 5 V DC input into 3.3 V, 1.2 V and 1.0 V rails and provides the bus network interface unit, the bus signal decoding unit, the master controller and so on with the supply voltages they need for normal operation.
The bus network interface unit has at least one bus interface; in this embodiment the bus network interface unit comprises:
a conventional RS485 bus interface: a PHOENIX terminal block, suitable for attaching Modbus buses and low-rate Profibus buses;
a high-speed Profibus interface: communication baud rate 31.25 kbps to 12 Mbps, female DB9 connector, suitable for attaching Profibus buses running at high bit rates;
a redundant MVB interface: communication baud rate 1.5 Mbps, two DB9 connectors for the two redundant channels (one female, one male), suitable for attaching MVB;
and an Ethernet interface: 10/100M auto-negotiating, used to upload alarm event information to an external management system.
The bus network interface unit is signal-connected to the bus signal decoding unit; it performs level conversion on the received bus signal and outputs it to the bus signal decoding unit.
The bus signal decoding unit has at least one bus signal decoder; in a preferred embodiment the decoder also has an encoding function, making it a bus signal codec unit.
In this embodiment the bus signal codec unit is implemented on a Xilinx XC6SLX100-2FFG484I FPGA module and consists internally of logic function blocks such as encoders, decoders, data buffers and configuration register arrays, all of which are programmed into the FPGA in VHDL.
Because the device has several bus interfaces and supports attachment to several buses, the bus signal codec module has the following characteristic: it supports several coding schemes, synchronous and asynchronous codes at the same time; the main codes supported are NRZ and Manchester code.
The decoding process is as follows:
The decoding work of the bus signal codec unit is done mainly by the decoder, which performs data sampling, location of the start of a data frame, extraction of the data from the frame and storage of the data into the data buffer. For a decoder implemented in an FPGA, decoding an asynchronous code is not complicated; the key to decoding a synchronous code is synchronization detection, and decoding can begin only once the synchronization information has been detected. Taking MVB as an example, both the master frame and the slave frame of the protocol carry frame-head and frame-tail synchronization information, and the Manchester code used for the data itself also contains synchronization information. Thus, for MVB, the first step of decoding is to decode the Manchester code; this is done by sampling and judging the signal edge, where a rising edge is 0 and a falling edge is 1. The frame head and frame tail are then identified according to the protocol, the frame data are extracted and decoded, the decoded frame data are stored into the data buffer, and the main control unit is notified by interrupt to process them.
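One way to carry out the Manchester step just described, as an added Python example that is not the patent's VHDL: the line is oversampled, each bit cell is split into two half-cells, and the mid-cell edge gives the bit using the polarity the text states (rising edge 0, falling edge 1; note that IEEE 802.3 Ethernet uses the opposite polarity). The oversampling factor SPH, the sync byte SYNC used for the synchronization check and the frames built by build_frame() are assumptions for the example; a real MVB frame delimiter is a different pattern. The example goes one step beyond the text by trying both candidate bit-cell phases, which is the synchronization problem the paragraph names as the key to decoding a synchronous code.

```python
# Manchester line decoding with phase synchronisation. Added example, not the
# patent's VHDL; SPH, SYNC and the constructed frames are assumptions.
from typing import List, Optional

SPH = 4          # assumed samples per half bit-cell (oversampling factor)
SYNC = 0xB8      # assumed frame-head sync byte; a real MVB delimiter differs


def manchester_encode(bits: List[int], sph: int = SPH) -> List[int]:
    """Line samples for a bit list, patent polarity:
    0 = low then high (rising mid-cell edge), 1 = high then low (falling edge)."""
    samples: List[int] = []
    for b in bits:
        first, second = (0, 1) if b == 0 else (1, 0)
        samples += [first] * sph + [second] * sph
    return samples


def _decode_aligned(samples: List[int], sph: int) -> Optional[List[int]]:
    """Decode assuming samples[0] is a bit-cell boundary.

    Each half-cell must be flat and the two halves must differ (there must be
    a mid-cell edge). A flat cell or a noisy half-cell is a coding violation,
    reported as None so the caller can try the other phase."""
    cell = 2 * sph
    bits: List[int] = []
    for i in range(0, len(samples) - cell + 1, cell):
        h1, h2 = samples[i:i + sph], samples[i + sph:i + cell]
        if len(set(h1)) != 1 or len(set(h2)) != 1 or h1[0] == h2[0]:
            return None
        bits.append(0 if (h1[0], h2[0]) == (0, 1) else 1)  # rising -> 0, falling -> 1
    return bits


def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack bits MSB-first; a trailing partial byte is dropped."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))


def manchester_decode(samples: List[int], sph: int = SPH) -> Optional[bytes]:
    """Synchronise and decode. The decoder does not know where a bit cell
    starts, so both candidate phases (offset 0 and offset half a cell) are
    tried; the phase that decodes without violation and starts with SYNC wins.
    Returns the payload after the sync byte, or None if no phase is valid."""
    for offset in (0, sph):
        bits = _decode_aligned(samples[offset:], sph)
        if bits is None:
            continue
        data = bits_to_bytes(bits)
        if data[:1] == bytes([SYNC]):
            return data[1:]
    return None


def build_frame(payload: bytes, sph: int = SPH) -> List[int]:
    """Constructed transmitter side: SYNC + payload, Manchester-encoded."""
    bits = [(byte >> (7 - k)) & 1 for byte in bytes([SYNC]) + payload for k in range(8)]
    return manchester_encode(bits, sph)


if __name__ == "__main__":
    frame = build_frame(bytes([0xA5, 0x3C]))
    print(manchester_decode(frame))                       # b'\xa5<'
    print(manchester_decode([frame[0]] * SPH + frame))    # same, half a cell late
```

The phase test matters in practice: a capture that starts half a bit cell late decodes without any violation in the wrong phase for long runs of identical bits, and only the sync check or a coding violation exposes the error; a decoder that skips that check silently produces wrong telegrams, which then look like "exception messages" to the detection stage.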
The master controller in the present invention is a P1010 PowerPC processor made by Freescale, with a 500 MHz core clock. It runs the VxWorks 5.5 embedded operating system, and the security protection functions of the device are implemented by an application program running on VxWorks. The master controller and the bus signal codec unit are connected over a Local Bus, so decoded bus telegrams are transferred rapidly to the microprocessor program for processing; this ensures that bus data are handled in time, effectively prevents the loss of bus packets, and guarantees the real-time behaviour and accuracy of the security device's monitoring of bus behaviour. The master controller analyses the decoded bus telegram data to judge whether network intrusion behaviour is present.
The memory in the present invention consists mainly of FLASH memory and system RAM, and is signal-connected to the bus signal codec unit. The system RAM is 1 GB of DDR3 SDRAM, giving the system and the security protection program enough room to run; the FLASH memory has a capacity of 64 MB and is used mainly to store the operating system image and the boot and configuration files the system needs in order to run normally.
As shown in Fig. 3, after the device of the present invention is attached to a fieldbus network, the hardware modules process the bus network signal as follows:
the bus signal interface unit brings in the fieldbus network signal and performs the necessary level conversion on it (for example from RS485 levels to TTL levels);
the bus signal codec unit receives the level-converted bus network signal and decodes it into standard signal data;
the codec unit stores the decoded data in its data buffer and notifies the master controller by interrupt;
the master controller addresses and reads the data buffer over the Local Bus, processes the data further, and finally implements the fieldbus-level information security protection function.
Specifically, the master controller analyses the message data and detects bus intrusion behaviour, identifying fieldbus-level information security risks from several angles at once: unknown station access detection, system station abnormal offline detection, exception message detection and bus traffic monitoring, and generating alarm information for each. The method is based on analysis of bus data messages, and the concrete judgement details differ slightly between bus protocols. A typical detection flow is shown in Fig. 3, which illustrates the flow of anomalous behaviour detection for a Profibus-DP bus; the main detection steps and methods are as follows:
1. Check whether the message conforms to the protocol: if it does, record key information such as the source address SA, destination address DA and function code FC; otherwise the program generates an "exception message" alarm.
2. Judge whether the sending station whose address is SA belongs to the system's stations: if not, generate an "unknown station access" alarm; if it does, reset the offline monitoring timer of that station and restart it.
3. Check each system station's offline monitoring timer one by one for timeout: if a station's timer has exceeded the time limit T, generate the corresponding "station abnormal offline" alarm, where the time limit T is determined by the cycle parameters of the monitored bus system.
4. Check the message class: if this frame is a response message and the previous frame was not a request frame that requires a response, generate a "bus response error" alarm.
In addition, bus traffic is monitored. This function relies on the receive statistics produced by the bus data capture module and is implemented by a dedicated bus traffic monitoring task. The task periodically computes the bus traffic and compares the real-time traffic with the historical traffic; if the bus data traffic changes sharply, which is generally taken to mean a data traffic change Δ greater than a set value, the traffic information is uploaded and a "bus data traffic mutation" alarm is generated.
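The Profibus-DP detection flow of steps 1 to 4 above together with the traffic check, carried through on constructed telegrams as an added Python example (not the VxWorks application of the patent). The telegram layout used is the Profibus FDL one: SD2 = 0x68, length byte repeated, DA, SA, FC, data unit, FCS = byte sum mod 256, ED = 0x16; SD1 = 0x10 for fixed-length frames without data; SC = 0xE5 short acknowledgement; FC bit 6 set on request frames. Which function codes expect no reply (the SDN codes), the configured station list, the timeout T, the traffic threshold and every telegram in demo_alarms() are assumptions made for the example.

```python
# Profibus-DP bus-intrusion checks (steps 1-4 plus traffic monitoring).
# Added example, not the patent's VxWorks code; station list, T, threshold
# and all telegrams in demo_alarms() are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SD1, SD2, SC, ED = 0x10, 0x68, 0xE5, 0x16
NO_REPLY_FUNCTIONS = {0x04, 0x05}     # SDN: send data, no acknowledgement expected


@dataclass
class Frame:
    kind: str                 # 'SD1', 'SD2' or 'SC'
    da: Optional[int]
    sa: Optional[int]
    fc: Optional[int]
    is_request: bool


def parse_frame(raw: bytes) -> Optional[Frame]:
    """Step 1, protocol conformance: None for a wrong delimiter,
    inconsistent length fields or a bad FCS."""
    if len(raw) == 1 and raw[0] == SC:
        return Frame("SC", None, None, None, False)
    if len(raw) == 6 and raw[0] == SD1 and raw[5] == ED:
        body, fcs, kind = raw[1:4], raw[4], "SD1"
    elif (len(raw) >= 9 and raw[0] == SD2 and raw[3] == SD2 and raw[-1] == ED
          and raw[1] == raw[2] and len(raw) == raw[1] + 6):
        body, fcs, kind = raw[4:-2], raw[-2], "SD2"
    else:
        return None
    if sum(body) % 256 != fcs:
        return None
    da, sa, fc = body[0] & 0x7F, body[1] & 0x7F, body[2]
    return Frame(kind, da, sa, fc, bool(fc & 0x40))


def build_sd2(da: int, sa: int, fc: int, du: bytes = b"") -> bytes:
    body = bytes([da, sa, fc]) + du
    return bytes([SD2, len(body), len(body), SD2]) + body + bytes([sum(body) % 256, ED])


class BusMonitor:
    """Per-station offline timers, request/response pairing state and a
    per-window telegram count; alarms are (timestamp, class, detail)."""

    def __init__(self, stations: List[int], timeout_t: float, delta_max: int, t0: float = 0.0):
        self.stations: Set[int] = set(stations)
        self.T, self.delta_max = timeout_t, delta_max
        self.last_seen: Dict[int, float] = {s: t0 for s in stations}
        self.offline: Set[int] = set()
        self.prev: Optional[Frame] = None
        self.window_count, self.prev_window = 0, None
        self.alarms: List[Tuple[float, str, str]] = []

    def feed(self, ts: float, raw: bytes) -> None:
        self.window_count += 1
        frame = parse_frame(raw)
        if frame is None:                                              # step 1
            self.alarms.append((ts, "exception message", raw.hex()))
            self.prev = None       # an undecodable telegram breaks request/response pairing
            return
        if frame.sa is not None:                                       # step 2
            if frame.sa not in self.stations:
                self.alarms.append((ts, "unknown station access", f"SA={frame.sa} DA={frame.da}"))
            else:
                self.last_seen[frame.sa] = ts      # reset that station's offline timer
                self.offline.discard(frame.sa)
        for s, last in self.last_seen.items():                         # step 3
            if ts - last > self.T and s not in self.offline:
                self.offline.add(s)                # alarm once per outage, not per telegram
                self.alarms.append((ts, "station abnormal offline", f"station {s}"))
        if not frame.is_request:                                       # step 4
            p = self.prev
            if p is None or not p.is_request or (p.fc & 0x0F) in NO_REPLY_FUNCTIONS:
                self.alarms.append((ts, "bus response error", f"{frame.kind} without pending request"))
        self.prev = frame

    def end_window(self, ts: float) -> None:
        """Traffic check: this window's telegram count against the previous one."""
        if self.prev_window is not None and abs(self.window_count - self.prev_window) > self.delta_max:
            self.alarms.append((ts, "bus traffic mutation", f"{self.prev_window} -> {self.window_count}"))
        self.prev_window, self.window_count = self.window_count, 0


def demo_alarms() -> List[str]:
    """Constructed scenario: master 1 polls slaves 2 and 3; station 9 is not configured."""
    mon = BusMonitor(stations=[1, 2, 3], timeout_t=1.0, delta_max=5)
    srd_req = build_sd2(2, 1, 0x4C, b"\x01\x02")      # SRD low-priority request, 1 -> 2
    srd_resp = build_sd2(1, 2, 0x08, b"\x10")          # data-low response, 2 -> 1
    bad_fcs = srd_req[:-2] + bytes([(srd_req[-2] + 1) % 256, ED])
    for ts, raw in [(0.1, srd_req), (0.2, srd_resp),
                    (0.3, build_sd2(2, 9, 0x4C)),             # request from unconfigured station 9
                    (0.4, build_sd2(3, 1, 0x45, b"\xaa")),    # SDN 1 -> 3: no reply expected
                    (0.5, bytes([SC])),                       # ...but a short ack follows anyway
                    (0.6, bad_fcs),                           # corrupted telegram
                    (0.7, srd_req), (0.8, srd_resp),
                    (1.5, srd_req)]:                          # station 3 silent for longer than T
        mon.feed(ts, raw)
    mon.end_window(1.55)                                      # first window: 9 telegrams
    for i in range(10):                                       # burst: 20 telegrams in the next window
        mon.feed(1.6 + 0.02 * i, srd_req)
        mon.feed(1.61 + 0.02 * i, srd_resp)
    mon.end_window(2.0)
    return [kind for _, kind, _ in mon.alarms]


if __name__ == "__main__":
    for kind in demo_alarms():
        print(kind)
```

Two choices in the example are left open by the text and are worth settling explicitly in a real implementation: the offline alarm is raised once per outage and re-armed only when the station transmits again, otherwise every subsequent telegram repeats it; and the request/response pairing state is cleared after an undecodable telegram, since the monitor cannot know whether the lost frame was a request. The station list is a whitelist configured from the engineering data, so an attacker who spoofs a configured address passes step 2 and is caught, if at all, only by the response-pairing, offline or traffic checks.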
The invention is not limited to the specific embodiments described above. It extends to any new feature disclosed in this specification or any new combination of such features, and to any new method or process step disclosed or any new combination of such steps.

Claims (10)

1. An information security protection device for fieldbus networks, characterised in that it comprises a bus network interface unit, a bus signal decoding unit, a master controller, a memory and a power supply unit;
the power supply unit powers the other units in the device;
the bus network interface unit has at least one bus interface, and the bus network interface unit is signal-connected to the bus signal decoding unit;
the bus signal decoding unit has at least one bus signal decoder, and the bus signal decoding unit is signal-connected to the master controller;
the memory is signal-connected to the master controller.
2. The information security protection device for fieldbus networks according to claim 1, characterised in that the bus network interface unit is used to receive industrial fieldbus signals and perform level conversion on them.
3. The information security protection device for fieldbus networks according to claim 1, characterised in that the bus signal decoding unit decodes the signals output by the bus network interface unit into message data.
4. The information security protection device for fieldbus networks according to claim 3, characterised in that the memory stores the message data.
5. The information security protection device for fieldbus networks according to claim 3, characterised in that the master controller analyses the message data to discover network intrusion behaviour.
6. An information security protection method for fieldbus networks based on the device of claim 1, characterised in that it comprises:
Step 1: receiving an industrial fieldbus signal;
Step 2: performing level conversion on the industrial fieldbus signal;
Step 3: decoding the level-converted industrial fieldbus signal to obtain message data;
Step 4: judging from the message data whether network intrusion behaviour is present.
7. The information security protection method for fieldbus networks according to claim 6, characterised in that step 4 further comprises: looking up the station access information in the message data, judging whether the station is an unknown station, and if so generating an alarm.
8. The information security protection method for fieldbus networks according to claim 6, characterised in that step 4 further comprises: detecting the traffic of the message data, and if the traffic change Δ exceeds a set value, deeming the bus data traffic abnormal and generating an alarm.
9. The information security protection method for fieldbus networks according to claim 6, characterised in that step 4 further comprises: judging from the transmission of message data whether an industrial field device has gone offline, and if so deeming that an abnormal station offline event has occurred and generating an alarm.
10. The information security protection method for fieldbus networks according to claim 6, characterised in that step 4 further comprises: judging from the message data content whether a message exception or a bus response error has occurred, and if so generating an alarm.
CN201610416686.1A 2016-06-15 2016-06-15 Information security protection device and method for fieldbus networks Pending CN106161084A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610416686.1A CN106161084A (en) 2016-06-15 2016-06-15 Information security protection device and method for fieldbus networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610416686.1A CN106161084A (en) 2016-06-15 2016-06-15 Information security protection device and method for fieldbus networks

Publications (1)

Publication Number Publication Date
CN106161084A true CN106161084A (en) 2016-11-23

Family

ID=57353161

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610416686.1A Pending CN106161084A (en) 2016-06-15 2016-06-15 Information security protection device and method for fieldbus networks

Country Status (1)

Country Link
CN (1) CN106161084A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107995258A (en) * 2017-11-03 2018-05-04 长安大学 Connect equipment and data transmission method
CN107995258B (en) * 2017-11-03 2021-01-05 长安大学 Connection device and data transmission method
CN108520187A (en) * 2018-04-20 2018-09-11 西安交通大学 Industrial control system physics Network Intrusion detection method based on the analysis of serial communication bus signal
CN108520187B (en) * 2018-04-20 2020-03-17 西安交通大学 Industrial control system physical intrusion attack detection method based on serial communication bus signal analysis
CN110896393A (en) * 2018-09-13 2020-03-20 北京奇虎科技有限公司 Intrusion detection method and device for automobile bus and computing equipment
CN113364659A (en) * 2021-08-11 2021-09-07 浙江德塔森特数据技术有限公司 Data acquisition system based on Modbus protocol
CN115801459A (en) * 2023-02-03 2023-03-14 北京六方云信息技术有限公司 Message detection method, device, system and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101042582A (en) * 2007-04-25 2007-09-26 上海电器科学研究所(集团)有限公司 Programmable and configurable remote I/O module with field bus interface
CN102263683A (en) * 2010-05-28 2011-11-30 沈阳高精数控技术有限公司 Secure communication method for double loop field bus in numerical control system
CN103618735A (en) * 2013-12-10 2014-03-05 机械工业仪器仪表综合技术经济研究所 Method for monitoring security of field level control network
CN105573291A (en) * 2015-12-24 2016-05-11 中国信息安全测评中心 Threat detection method based on key parameter fusion verification and safety device

Similar Documents

Publication Publication Date Title
CN106161084A (en) Information security protection device and method for fieldbus networks
CN103475523B (en) With the CAN analytical system of bus error analytical capabilities
CN107342909B (en) Control system, control method, and recording medium
CN100359864C (en) Method and apparatus of CPU fault detection for signal processing unit
CN106597941A (en) Dual-processor redundant data acquisition and control system with self-detection function
CN104076808B (en) The fault diagnosis system and method for industrial control equipment
CN103684903A (en) GOOSE message anomaly online detection method
CN102413008B (en) Based on method of testing and the system of electric power 104 stipulations
US8321555B2 (en) Network analysis device
CN103914031B (en) A kind of RS-485 bus monitoring probe circuit of self adaptation various protocols
US8631174B2 (en) Systems, methods, and apparatus for facilitating communications between an external controller and fieldbus devices
CN103795146A (en) Power distribution terminal conformance testing method
CN110086645A (en) SCADA dispatching system data acquisition primary channel compares device and method online
CN103163402B (en) Relay protection device state monitoring apparatus based on secondary circuit and monitoring method
CN116260710A (en) ProfiBus-DP network intermittent interruption positioning device and method
CN107230263B (en) WTB bus data frame recorder and recording method
CN116299129A (en) All-fiber current transformer state detection and analysis method, device and medium
CN105591814A (en) Method for online monitoring of E1 channel quality and monitoring system thereof
CN103618735A (en) Method for monitoring security of field level control network
CN103885018A (en) Method for debugging BMS lower computer by utilizing upper computer
CN107121970A (en) It is electromechanical in a kind of building of use BIM technology to safeguard and supervising device
CN203104497U (en) Digital relay protection testing device
CN104219012A (en) EMC test system and EMC test method for transponder transmission module
CN109344978B (en) Method for judging effectiveness of interval five-prevention data suitable for transformer substation
CN116938705B (en) Terminal management method and device of RS485 bus and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20161123