CN106209870A - A kind of Network Intrusion Detection System for distributed industrial control system - Google Patents


Info

Publication number: CN106209870A
Authority: CN (China)
Prior art keywords: network, control system, industrial control, data, communication data
Legal status: granted; current legal status active
Application number: CN201610565134.7A
Other languages: Chinese (zh)
Other versions: CN106209870B (en)
Inventors: 解仑, 金良辰, 周育武, 王志良
Current assignee: University of Science and Technology Beijing (USTB)
Original assignee: University of Science and Technology Beijing (USTB)
Events: application CN201610565134.7A filed by University of Science and Technology Beijing (USTB); publication of CN106209870A; application granted; publication of CN106209870B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection

Abstract

The present invention provides a network intrusion detection system for distributed industrial control systems, which can increase the network security of an industrial control system. The system includes: a network sniffing unit, for capturing the network communication data of the industrial control system; an intrusion detection unit, for performing intrusion detection on the captured network communication data using a pre-established network-feature hash-value rule chain list, a control-instruction detection rule chain list generated by real-time update, and a preset state-space classifier, and issuing an alarm if intrusion behaviour is present; and a data transmission unit, for sending the alarm information. The present invention is applicable to the technical field of network security.

Description

A kind of Network Intrusion Detection System for distributed industrial control system
Technical field
The present invention relates to the technical field of network security, and in particular to a network intrusion detection system for distributed industrial control systems.
Background art
In recent years, the transfer rate and real-time performance of Ethernet technology have improved greatly with its own development, which has led to its gradual adoption in industrial networks and to a natural combination of fieldbus network technology with Ethernet network technology. Industrial control systems have gradually evolved from closed, isolated systems into systems with many connections to open public networks. While Ethernet has brought great benefits to traditional industry, information security problems, which in the past were rarely associated with the industrial sector, have become prominent and have caused serious damage to industrial networks and core equipment.
Industrial networks differ from traditional commercial networks: what sits behind an industrial network are field personnel and industrial equipment, so even a small error may cause the industrial network to collapse and lead to incalculable loss of life and property.
Conventional network security products, owing to their own shortcomings and deficiencies, cannot meet the higher protection requirements of industrial networks, or, because they were not designed specifically for industrial networks, are difficult to apply safely and stably in industrial settings; this poses a serious threat to industrial networks.
Summary of the invention
The technical problem to be solved by the present invention is to provide a network intrusion detection system for distributed industrial control systems, so as to solve the problem that the network security products of the prior art cannot meet the higher protection requirements of industrial networks or are not suited to industrial settings.
To solve the above technical problem, an embodiment of the present invention provides a network intrusion detection system for distributed industrial control systems, comprising:
a network sniffing unit, for capturing the network communication data of the industrial control system;
an intrusion detection unit, for performing intrusion detection on the captured network communication data using a pre-established network-feature hash-value rule chain list, a control-instruction detection rule chain list generated by real-time update, and a preset state-space classifier, and issuing an alarm if intrusion behaviour is found;
a data transmission unit, for sending the alarm information.
Further, the network sniffing unit accesses the industrial control system in a bypass listening manner and captures the network communication data of the industrial control system.
Further, the network sniffing unit is specifically for capturing the network communication data of the industrial control system using the libpcap packet capture scheme.
Further, the system also includes a protocol analysis unit;
the protocol analysis unit is for performing protocol analysis on the captured network communication data and, after successful parsing, outputting the protocol format of the network communication data.
Further, the protocol analysis unit includes a monitoring data acquisition module and a protocol resolution module;
the monitoring data acquisition module is for obtaining the monitored data from the configuration monitoring interface;
the protocol resolution module is for applying in turn the industrial bus protocols in a preset industrial network protocol library to the packets of the captured network communication data: if a protocol matches, outputting the protocol type that matched; otherwise, combining the data in the packet byte by byte and converting it into floating-point values, matching the floating-point-converted data against the obtained monitoring data, and outputting a matching mapping table between the start position in the original packet of the floating-point-converted data and the monitoring data.
Further, the intrusion detection unit includes a network feature detection module;
the network feature detection module is for extracting the network features of the captured network communication data, computing the hash value of the network features, and looking it up in the pre-established network-feature hash-value rule chain list; if the hash value of the network features is not contained in the pre-established network-feature hash-value rule chain list, an alarm is issued. The network-feature hash-value rule chain list contains the hash values of the network features of network communication data, and the network features include: protocol type, source IP address, destination IP address, source port and destination port.
Further, the network feature detection module is specifically for using a hash algorithm to perform network-feature self-learning and so build the network-feature hash-value rule chain list.
Further, the intrusion detection unit includes a control instruction detection module;
the control instruction detection module is for obtaining the current running state of the industrial control system and, according to that running state, using a three-level list structure and the preset industrial control model rule base to generate the control-instruction detection rule chain list by real-time update; if the captured network communication data is a control instruction, it detects whether the control instruction violates a rule in the control-instruction detection rule chain list and issues an alarm if it does.
Further, the intrusion detection unit also includes a state-space detection module;
the state-space detection module is specifically for generating training samples from the operating data of the industrial control system in its normal state, reducing the dimensionality of the training samples by principal component analysis, and training a one-class support vector machine on the reduced training samples to generate the state-space classifier; after principal component analysis dimensionality reduction of the network communication data that does not violate the rules in the control-instruction detection rule chain list, the preset state-space classifier is used to detect whether the network communication data is normal, and an alarm is issued if it is not.
Further, the system also includes four-channel digital input/output circuits;
the digital input/output circuits are connected to the alarm module in the industrial control system, and the alarm module is connected to the controller in the industrial control system;
the digital input/output circuits are for sending the alarm information to the alarm module.
The technical scheme of the present invention described above has the following beneficial effects:
In the above scheme, the network sniffing unit captures the network communication data of the industrial control system; the intrusion detection unit performs intrusion detection on the captured network communication data using the pre-established network-feature hash-value rule chain list, the control-instruction detection rule chain list generated by real-time update and the preset state-space classifier, and issues an alarm if intrusion behaviour is found; finally, the data transmission unit sends the alarm information. In this way, the intrusion detection unit can effectively detect whether the industrial control system has been intruded upon and raise an alarm when an intrusion is found, thereby protecting and improving the communication security of the industrial control system.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of the network intrusion detection system for distributed industrial control systems provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the hardware platform architecture of the network intrusion detection system for distributed industrial control systems provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of access to a distributed industrial control system provided by an embodiment of the present invention;
Fig. 4 is a schematic flow chart of capturing network communication data provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the workflow of the protocol analysis unit provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of the data floating-point matching process in the protocol analysis unit provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of the workflow of the network feature detection module provided by an embodiment of the present invention;
Fig. 8 is the rule format of the industrial control model rule base provided by an embodiment of the present invention;
Fig. 9 is a schematic diagram of the workflow of the control instruction detection module provided by an embodiment of the present invention;
Fig. 10 is a schematic diagram of the workflow of the state-space detection module provided by an embodiment of the present invention;
Fig. 11 is a detailed structural schematic diagram of the network intrusion detection system for distributed industrial control systems provided by an embodiment of the present invention.
Detailed description of the invention
To make the technical problem to be solved, the technical scheme and the advantages of the present invention clearer, the invention is described in detail below with reference to the accompanying drawings and specific embodiments.
The present invention addresses the problem that existing network security products cannot meet the higher protection requirements of industrial networks or are not suited to industrial settings, and provides a network intrusion detection system for distributed industrial control systems.
Referring to Fig. 1, the network intrusion detection system for distributed industrial control systems provided by an embodiment of the present invention includes:
a network sniffing unit 11, for capturing the network communication data of the industrial control system;
an intrusion detection unit 12, for performing intrusion detection on the captured network communication data using a pre-established network-feature hash-value rule chain list, a control-instruction detection rule chain list generated by real-time update, and a preset state-space classifier, and issuing an alarm if intrusion behaviour is found;
a data transmission unit 13, for sending the alarm information.
In the network intrusion detection system for distributed industrial control systems described in this embodiment, the network sniffing unit captures the network communication data of the industrial control system; the intrusion detection unit performs intrusion detection on the captured network communication data using the pre-established network-feature hash-value rule chain list, the control-instruction detection rule chain list generated by real-time update and the preset state-space classifier, and issues an alarm if intrusion behaviour is found; finally, the data transmission unit sends the alarm information. In this way, the intrusion detection unit can effectively detect whether the industrial control system has been intruded upon and raise an alarm when an intrusion is found, thereby protecting and improving the communication security of the industrial control system.
In this embodiment, the network intrusion detection system for distributed industrial control systems runs on an embedded Linux operating system, which is obtained by tailoring and customising the open-source Linux 3.2.0 kernel; the tailored kernel includes: a basic operation module, an AR8031 network driver chip module, a USB driver module and an SD card driver module. The tailored system kernel is small, fast and stable, and can guarantee the safe and stable operation of the network intrusion detection system for distributed industrial control systems.
As shown in Fig. 2, in this embodiment the hardware platform used by the network intrusion detection system for distributed industrial control systems can be a 5V low-voltage, low-power hardware circuit; the hardware platform has an SD card drive circuit, so that functions such as updating the system kernel and caching data can be realised via the SD card.
In this embodiment, the core processor of the network intrusion detection system for distributed industrial control systems is a TI (Texas Instruments) industrial-grade Cortex-A8 AM335x series main processor with a main frequency of up to 1 GHz and an operating temperature range of -40 °C to +85 °C; it is equipped with 512M DDR3 memory and 256M SLC NAND flash; it also includes two gigabit Ethernet interfaces, ETH0 and ETH1, extended by two AR8031 gigabit Ethernet transceiver chips, where the ETH0 interface is used to listen to and sniff the network communication data of the industrial control system and the ETH1 interface is used to send alarm information to the remote server; a PC847 optocoupler isolation chip can also be used to drive four-channel digital input/output (I/O) circuits, and these digital I/O circuits can be connected to the alarm module subordinate to the controller in the industrial control system, so that when a serious threat is detected the alarm information is sent directly to the alarm module through this I/O circuit and the controller in the industrial control system can take emergency measures.
In this embodiment, the PC847 optocoupler isolation chip can be used for power isolation, realising multi-channel, voltage-adjustable digital input/output circuits.
In this embodiment, after intrusion detection has been performed on the captured network communication data, any alarm information generated needs to be sent to the remote server by the data transmission unit 13. The data transmission unit 13 can use the TCP/IP protocol and is designed as a client that connects to the remote server over Ethernet; once the connection is established, it transmits the alarm information. When the network intrusion detection system for distributed industrial control systems detects serious intrusion behaviour, that is, behaviour that would cause very serious damage to the industrial control system, the alarm information is sent directly through the digital I/O circuits of the network intrusion detection system for distributed industrial control systems to the alarm module subordinate to the controller in the industrial control system, so that the controller in the industrial control system can take emergency measures.
In the foregoing specific embodiment of the network intrusion detection system for distributed industrial control systems, further, the network sniffing unit 11 accesses the industrial control system in a bypass listening manner and captures the network communication data of the industrial control system.
In this embodiment, as shown in Fig. 3, the network intrusion detection system for distributed industrial control systems can be applied to a distributed industrial control system which includes: control stations containing controllers, control stations at configuration monitoring sites, industrial servers and other equipment; these devices communicate over industrial Ethernet. The network intrusion detection system for distributed industrial control systems is connected to the industrial Ethernet through an industrial switch, uses the ETH0 interface to listen to and capture the network communication data of the industrial control system, and uses the ETH1 interface to send alarm information to the remote server via the Internet.
In this embodiment, the network intrusion detection system for distributed industrial control systems accesses the industrial control system by bypass listening, so it does not need to change the topology or networking mode of the original industrial control system, which is convenient and feasible; and because the network sniffing unit 11 obtains the network communication data of the industrial control system by packet sniffing, it does not affect the stability or real-time performance of the original industrial control system.
In the foregoing specific embodiment of the network intrusion detection system for distributed industrial control systems, further, the network sniffing unit 11 is specifically for capturing the network communication data of the industrial control system using the libpcap packet capture scheme.
In this embodiment, the industrial control system has very high requirements on real-time performance. In order not to affect the real-time performance of the industrial control network while still obtaining its network communication data in real time, the libpcap packet capture scheme can be used to realise packet sniffing of the network communication data of the industrial control system. As shown in Fig. 4, the specific steps of capturing the network communication data of the industrial control system with the libpcap packet capture scheme may include: look up the ETH0 network interface device of the hardware platform of the network intrusion detection system for distributed industrial control systems, obtain the network number and subnet mask, open the ETH0 network interface device, edit and set the filter, and then start the capture loop to obtain the network communication data of the industrial control system.
In the foregoing specific embodiment of the network intrusion detection system for distributed industrial control systems, further, the system also includes a protocol analysis unit;
the protocol analysis unit is for performing protocol analysis on the captured network communication data and, after successful parsing, outputting the protocol format of the network communication data.
In this embodiment, the protocol analysis unit can parse network communication protocols and provides the basis for deep packet inspection (deep packet parsing includes application-layer data parsing), giving the network intrusion detection system for distributed industrial control systems good adaptability and extensibility; the network communication protocols include proprietary industrial network protocols.
In the foregoing specific embodiment of the network intrusion detection system for distributed industrial control systems, further, the protocol analysis unit includes a monitoring data acquisition module and a protocol resolution module;
the monitoring data acquisition module is for obtaining the monitored data from the configuration monitoring interface;
the protocol resolution module is for applying in turn the industrial bus protocols in the preset industrial network protocol library to the packets of the captured network communication data: if a protocol matches, outputting the protocol type that matched; otherwise, combining the data in the packet byte by byte and converting it into floating-point values, matching the floating-point-converted data against the obtained monitoring data, and outputting a matching mapping table between the start position in the original packet of the floating-point-converted data and the monitoring data.
In this embodiment, the monitoring data acquisition module is for obtaining the monitored data from the configuration monitoring interface of the current industrial control system; the monitoring data are the observed values of equipment operation in the industrial control system;
In this embodiment, the network communication data in the industrial network is encapsulated at the TCP/IP application layer, and each kind of network communication data is encapsulated by its own proprietary protocol; to learn the physical meaning of specific data, these proprietary protocols need to be parsed. The protocol analysis unit can perform protocol parsing, or provide a reference for protocol parsing. The specific steps may include: first obtain the actual monitoring data from the configuration monitoring interface; then apply in turn the industrial bus protocols in the preset industrial network protocol library to the packets of the captured network communication data; if a protocol matches, output the matching protocol type; otherwise, take the data in the packet in groups of four, combining byte by byte, and convert each group into a floating-point value (A, B, C, ...), match the floating-point values (A, B, C, ...) against the monitoring data (a, b, c, ...), and for a floating-point value A that correctly matches monitoring datum a, record the mapping between the start position of A in the original packet and the monitoring datum in a matching mapping table; poll and match all monitoring data in turn and output the matching mapping table as a reference for protocol parsing, as shown in Fig. 5 and Fig. 6.
In this embodiment, the industrial bus protocols in the preset industrial network protocol library include the Hostlink communication protocol, Modbus TCP communication protocol, USS communication protocol, Modbus RTU communication protocol, standard TCP/IP communication protocol, EtherCAT and other protocols; this embodiment does not limit them.
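Added example, not code from the patent: the protocol resolution flow described above, with a protocol library that is polled first and the floating-point matching fallback that produces the offset-to-monitoring-datum mapping table. The library layout (name to recogniser), the single Modbus TCP recogniser, the packet bytes and the monitored values are all constructed assumptions; the page names several more bus protocols that are not implemented here.

```python
# Added example (not the patent's own code): protocol polling against a small
# protocol library, then the fallback of byte-group floating-point matching
# against monitored values, producing the offset -> monitoring-datum mapping
# table the text describes. Packet bytes and monitored values are constructed.
import struct

def looks_like_modbus_tcp(payload: bytes) -> bool:
    """Recognise a Modbus TCP frame from its MBAP header: protocol id 0 and a
    length field that covers unit id + PDU (payload length minus 6)."""
    if len(payload) < 8:
        return False
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    return proto_id == 0 and length == len(payload) - 6

# Preset protocol library (assumed layout: name -> recogniser). Only Modbus TCP
# is implemented here; the patent lists several more bus protocols.
PROTOCOL_LIBRARY = {
    "Modbus TCP": looks_like_modbus_tcp,
}

def poll_protocols(payload: bytes):
    """Try each protocol in the library in turn; return the first that matches."""
    for name, recogniser in PROTOCOL_LIBRARY.items():
        if recogniser(payload):
            return name
    return None

def float_match(payload: bytes, monitored: dict, rel_tol: float = 1e-3) -> dict:
    """Combine every 4-byte group in the payload into a float (both byte orders,
    since the proprietary protocol is unknown) and match it against the
    monitored values. Returns {monitoring tag: start offset in the packet}."""
    mapping = {}
    for offset in range(len(payload) - 3):
        for order in (">", "<"):
            value = struct.unpack(order + "f", payload[offset:offset + 4])[0]
            if value != value:          # NaN never matches anything
                continue
            for tag, expected in monitored.items():
                if tag in mapping:      # first hit for a tag wins
                    continue
                if abs(value - expected) <= rel_tol * max(1.0, abs(expected)):
                    mapping[tag] = offset
    return mapping

def analyse_packet(payload: bytes, monitored: dict) -> dict:
    """Protocol analysis as described: known protocol -> its type; otherwise the
    floating-point matching mapping table as a reference for later parsing."""
    protocol = poll_protocols(payload)
    if protocol is not None:
        return {"protocol": protocol, "mapping": None}
    return {"protocol": None, "mapping": float_match(payload, monitored)}

# Constructed sample data: a Modbus TCP read-holding-registers request, and an
# unknown proprietary frame carrying three big-endian floats after a 2-byte tag.
MODBUS_FRAME = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)
PROPRIETARY_FRAME = b"\xaa\x55" + struct.pack(">fff", 23.5, 101.3, 1450.0)
MONITORED = {"temperature": 23.5, "pressure": 101.3, "speed": 1450.0}

if __name__ == "__main__":
    print(analyse_packet(MODBUS_FRAME, MONITORED))
    print(analyse_packet(PROPRIETARY_FRAME, MONITORED))
```

The relative tolerance matters: float32 cannot represent 101.3 exactly, so an exact comparison against the configured monitoring value would miss the field. Trying both byte orders at every offset is what lets the fallback work on a protocol whose layout is unknown, at the price of occasional false hits, which is why the output is labelled a reference for the analyst rather than a parsed protocol.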
Aforementioned in the detailed description of the invention of the Network Intrusion Detection System of distributed industrial control system, further Ground, described intrusion detecting unit 12 includes: network characterization detection module;
Described network characterization detection module, for extracting the network characterization of described network communication data of capture, obtain institute State the hash value of network characterization, inquire about the network characterization hash value regulation linked pre-build, if the hash of described network characterization Value be not comprised in described in the network characterization hash value regulation linked that pre-builds, then alert, wherein, described net Network feature hash value regulation linked includes: the hash value of the network characterization of network communication data;Described network characterization includes: agreement Type, source IP address, purpose IP address, source port, destination interface.
Aforementioned in the detailed description of the invention of the Network Intrusion Detection System of distributed industrial control system, further Ground, described network characterization detection module, specifically for using hash algorithm to carry out network characterization self study, to set up described network special Levy hash value regulation linked.
In the present embodiment, industrial control system communication has the regular and feature of stability, i.e. has well-regulated communication Flow and there is relatively fixing behavior characteristics and predictable behavioral pattern, the method for machine learning therefore can be utilized automatically to give birth to Become network characterization hash value regulation linked.
In the present embodiment, first, it is pre-that the described network communication data captured described Network Sniffing unit 11 carries out data After process, successively decoding extracts packet header information and obtains the network characterization of described network communication data;Then, by rule Then self-learning module carries out study automatic generating network feature hash value rule to the network characterization of described network communication data Chained list, utilizes the network characterization hash value regulation linked generated to carry out the poll coupling of rule.
In the present embodiment, hash algorithm can be used to carry out network characterization self study and to set up network characterization hash value rule chain Table, carries out networking feature intrusion detection according to described network characterization hash chained list, and Preliminary detection network communication data is the most abnormal; Wherein, described network characterization hash value regulation linked includes: protocol type, source IP address, purpose IP ground in network communication data Location, source port, the hash value of these five network characterizations of destination interface.
In this embodiment, the step of preliminarily detecting whether the network communication data is abnormal by means of the network-feature hash-value rule list may include the following, as shown in Fig. 7. The network communication data captured by the network sniffing unit 11 passes through packet preprocessing (IP fragment reassembly, TCP stream reassembly and packet regularisation) to generate a log file; the network feature fields (protocol type, source IP address, destination IP address, source port, destination port) are extracted from the log file, and a hash algorithm computes the hash value of the network feature corresponding to those fields. Whether the network communication data is passed is then judged according to the established safety coefficient: specifically, when the hash value of the network feature of the network communication data is greater than the safety coefficient, the network communication data is passed and the hash value of the network feature of the passed data is inserted into the network-feature hash-value rule list, which achieves self-learning. Here the secure-access coefficient is the ratio of the number of safe accesses on a given communication path to the total number of accesses on that path, and "the same communication path" means captured network communication data whose five network features (protocol type, source IP address, destination IP address, source port, destination port) are all identical. Once self-learning has generated the network-feature hash-value rule list, network-feature matching can be performed against it. The matching process is: extract the network feature of the captured network communication data, compute its hash value, and traverse the network-feature hash-value rule list; if a match is found, the network communication data passes as normal; otherwise an alarm is raised and the network feature is handed to the self-learning flow, which learns whether to add it to the network-feature hash-value rule list.
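The self-learning rule list and the matching process described above, as an added Python example that is not part of the patent: the hash algorithm (SHA-256 of the canonical five-tuple), the log-line format and the safe/unsafe label attached to each access during learning are assumptions, since the page fixes none of them.

```python
"""Network-feature hash-value rule list with self-learning (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The five network features named in the description.
NetworkFeature = Tuple[str, str, str, int, int]  # proto, src ip, dst ip, sport, dport


def parse_log_line(line: str) -> NetworkFeature:
    """Parse one line of the preprocessed log. The constructed line format is
    '<proto> <src_ip> <dst_ip> <src_port> <dst_port>' (an assumption)."""
    proto, sip, dip, sport, dport = line.split()
    return proto.lower(), sip, dip, int(sport), int(dport)


def feature_hash(feature: NetworkFeature) -> str:
    """Hash of the canonical five-tuple. The page does not name the hash
    algorithm; SHA-256 over a '|'-joined string is an assumption."""
    return hashlib.sha256("|".join(str(x) for x in feature).encode()).hexdigest()


@dataclass
class PathStats:
    """Access counters of one communication path (identical five-tuple)."""
    safe: int = 0
    total: int = 0

    @property
    def coefficient(self) -> float:
        """Secure-access coefficient: safe accesses / total accesses on the path."""
        return self.safe / self.total if self.total else 0.0


@dataclass
class FeatureRuleList:
    """Rule list of admitted feature hashes plus per-path learning counters."""
    threshold: float                        # the established safety coefficient
    rules: Set[str] = field(default_factory=set)
    stats: Dict[str, PathStats] = field(default_factory=dict)

    def learn(self, feature: NetworkFeature, is_safe: bool) -> bool:
        """Self-learning step: count this access on its path and admit the path
        once its secure-access coefficient exceeds the threshold. How an access
        is labelled safe (e.g. operator confirmation during a learning phase)
        is an assumption; the page does not define it. Returns whether the
        path is admitted after this update."""
        h = feature_hash(feature)
        st = self.stats.setdefault(h, PathStats())
        st.total += 1
        if is_safe:
            st.safe += 1
        if st.coefficient > self.threshold:
            self.rules.add(h)
        return h in self.rules

    def match(self, feature: NetworkFeature) -> bool:
        """Traverse the rule list for the feature's hash value."""
        return feature_hash(feature) in self.rules


def preliminary_detect(rule_list: FeatureRuleList, feature: NetworkFeature,
                       is_safe: bool = False) -> Tuple[str, bool]:
    """Matching process of the description: a hit passes as normal; a miss
    raises an alert and feeds the feature into self-learning.
    Returns (verdict, admitted_after_learning)."""
    if rule_list.match(feature):
        return "normal", False
    return "alert", rule_list.learn(feature, is_safe)


def process_log(rule_list: FeatureRuleList, lines: List[str]) -> List[str]:
    """Run preliminary detection over log lines; one verdict per line."""
    return [preliminary_detect(rule_list, parse_log_line(ln))[0] for ln in lines]
```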
In the foregoing specific embodiment of the network intrusion detection system for a distributed industrial control system, further, the intrusion detection unit 12 includes a control instruction detection module.
The control instruction detection module is configured to obtain the current running state of the industrial control system and, according to that state, to use a three-level list structure to generate, with real-time updating, a control-instruction detection rule list from the preset industrial control model rule base; if the captured network communication data is a control instruction, the module detects whether the control instruction violates a rule in the control-instruction detection rule list, and raises an alarm if it does.
In this embodiment, a normally operating industrial control system should be a stable-state process: the state of the system should evolve toward the set-point, and a normal control instruction should keep the industrial control system stable. A control instruction that runs counter to this trend can therefore be judged an erroneous instruction and may be regarded as an intrusion. Mathematical methods that describe production process control from the automation viewpoint have been studied in depth; from equipment models and operation models to process models there are mostly ready-made research results, which can guide the establishment of intrusion detection rules. The network intrusion detection system for a distributed industrial control system provides the user with a rule-writing interface document; following the specified rule schema, the user can enrich the rules in the preset industrial control model rule base. The rule schema is shown in Fig. 8.
In this embodiment, the three-level list structure can be used, on the basis of the industrial control model rule base stored according to the rule schema specified in Fig. 8, to generate the control-instruction detection rule list with real-time updating, and network intrusion detection is carried out according to that list.
In this embodiment, the control instruction detection module dynamically updates the control-instruction detection rule list according to the preset industrial control model rule base and the real-time state of the industrial control system, captures the control instructions being sent, detects whether each control instruction violates a rule in the control-instruction detection rule list, and produces the corresponding alarm information if it does.
As shown in Fig. 9, the detection steps of the control instruction detection module may specifically include:
A11: read the preset industrial control model rule base and generate a three-level rule list A, where the three-level rule list includes the state-detection rules and the control-instruction detection rules corresponding to each state-detection rule, as shown in Fig. 8;
A12: perform deep packet parsing on the industrial communication data of the EPA network shown in Fig. 3 and on the captured network communication data, and combine the result with the program variable point table of the control program in the industrial control system controller to obtain the concrete control variable values and measured variable values of the industrial control system, thereby determining the current running state of the industrial control system (the current system state), where the program variable point table characterises the usage of each variable in the industrial control system;
A13: according to the current system state, traverse the three-level rule list A and judge whether the current system state satisfies a state-detection rule in list A; if it does, extract from list A the control-instruction detection rules corresponding to that state-detection rule and add them to the control-instruction detection rule list B, thereby updating list B;
A14: if the captured network communication data is a control instruction, parse the network communication data to obtain the control instruction, traverse the control-instruction detection rule list B, and judge whether the control instruction violates a rule in list B; if it does, judge the current control instruction to be an intrusion instruction and raise an alarm;
A15: repeat A12, A13 and A14, updating the control-instruction detection rule list B in real time according to the current system state, and perform intrusion detection.
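Steps A11 to A15 as an added Python example that is not from the patent: the three-level layout (list A, state-detection rules, control-instruction rules), the rule contents, the register-based variable point table and the tank-heating values are all constructed assumptions, since the rule schema of Fig. 8 is not reproduced on this page.

```python
"""Three-level rule list for control-instruction detection (added example)."""
import operator
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

OPS: Dict[str, Callable[[float, float], bool]] = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt,
    "<=": operator.le, "==": operator.eq, "!=": operator.ne,
}


@dataclass(frozen=True)
class Condition:
    """A comparison '<variable> <op> <limit>' evaluated against a value."""
    variable: str
    op: str
    limit: float

    def holds(self, value: float) -> bool:
        return OPS[self.op](value, self.limit)


@dataclass(frozen=True)
class ControlRule:
    """Level 3: an instruction writing `target` violates the rule when the
    written value satisfies `forbidden`."""
    target: str
    forbidden: Condition
    description: str


@dataclass(frozen=True)
class StateRule:
    """Level 2: a state-detection rule (all conditions must hold on the current
    system state) together with its control-instruction detection rules."""
    name: str
    conditions: Tuple[Condition, ...]
    control_rules: Tuple[ControlRule, ...]

    def matches(self, state: Dict[str, float]) -> bool:
        return all(c.variable in state and c.holds(state[c.variable])
                   for c in self.conditions)


# Constructed program variable point table: register address -> variable name.
POINT_TABLE: Dict[int, str] = {
    40001: "level", 40002: "temperature", 40003: "inlet_valve", 40004: "heater",
}


def load_rule_list_a() -> List[StateRule]:
    """A11: build the three-level rule list A (level 1 is the list itself).
    The rules are constructed for a tank-heating process and stand in for the
    preset industrial control model rule base."""
    return [
        StateRule("tank_high", (Condition("level", ">=", 90.0),),
                  (ControlRule("inlet_valve", Condition("inlet_valve", ">", 0.0),
                               "inlet valve opened while tank is nearly full"),)),
        StateRule("overtemp", (Condition("temperature", ">", 80.0),),
                  (ControlRule("heater", Condition("heater", "==", 1.0),
                               "heater switched on while over temperature"),)),
    ]


def current_state(parsed_reads: List[Tuple[int, float]],
                  point_table: Dict[int, str]) -> Dict[str, float]:
    """A12: map deep-parsed (register, value) reads to named variables through
    the point table; registers absent from the table are ignored."""
    return {point_table[a]: v for a, v in parsed_reads if a in point_table}


def build_rule_list_b(rule_list_a: List[StateRule],
                      state: Dict[str, float]) -> List[ControlRule]:
    """A13: traverse A and collect the control rules of every state rule that
    the current system state satisfies; the result is rule list B."""
    rules_b: List[ControlRule] = []
    for state_rule in rule_list_a:
        if state_rule.matches(state):
            rules_b.extend(state_rule.control_rules)
    return rules_b


def detect_instruction(write: Tuple[int, float], rules_b: List[ControlRule],
                       point_table: Dict[int, str]) -> List[str]:
    """A14: check one parsed write instruction (register, value) against B.
    Returns the descriptions of violated rules; an empty list means pass."""
    addr, value = write
    target = point_table.get(addr)
    return [r.description for r in rules_b
            if r.target == target and r.forbidden.holds(value)]


def detect_cycle(rule_list_a, parsed_reads, writes, point_table=POINT_TABLE):
    """A15: one cycle: refresh the state and B, then check every write
    captured in this cycle. Returns [(write, violations), ...]."""
    state = current_state(parsed_reads, point_table)
    rules_b = build_rule_list_b(rule_list_a, state)
    return [(w, detect_instruction(w, rules_b, point_table)) for w in writes]
```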
In this embodiment, deep packet parsing is combined with a concrete industrial control model rule base to formulate the control-instruction detection rule list, so the resulting intrusion detection is highly targeted and its results are more credible.
In the foregoing specific embodiment of the network intrusion detection system for a distributed industrial control system, further, the intrusion detection unit 12 also includes a state-space detection module.
The state-space detection module is specifically configured to generate training samples from the operating data of the industrial control system under normal conditions, reduce the dimensionality of the training samples by principal component analysis, and train a one-class support vector machine on the reduced samples to generate the state-space classifier; after principal-component dimensionality reduction is applied to the network communication data that does not violate any rule in the control-instruction detection rule list, the preset state-space classifier detects whether the network communication data is normal, and an alarm is raised if it is not.
In this embodiment, the "finite states" and "limited behaviour" characteristics of an industrial control system mean that the state space in which it runs is finite, where the state space is the set of all possible states of the industrial control system. Because intrusion behaviour and normal behaviour differ in essence, abnormal behaviour is not homogeneous with normal behaviour in the behaviour state space, so a classification method can be used to separate normal behaviour from abnormal behaviour. Since the data samples obtained from an industrial control system are mostly normal samples, one class of samples is learned to form a description of the data of that class, and whether a new data sample belongs to the normal samples is then judged according to a designed or given threshold; abnormal intrusion detection is carried out in this way. Such an intrusion detection method based on prior knowledge can greatly improve the reliability of the network intrusion detection system for a distributed industrial control system.
In this embodiment, as shown in Fig. 10, the industrial control system produces a large volume of data with many attributes and high dimensionality, which would reduce the efficiency of the intrusion detection algorithm. Therefore the operating data of the industrial control system under normal conditions is used to generate training samples, and the principal component analysis (PCA) method reduces the dimensionality of the training samples and thus the amount of computation; then a one-class support vector machine (OCSVM) is trained on the reduced training samples to generate the state-space classifier. The state-space classifier has two important parameters, the one-class SVM parameter ν and the radial basis kernel parameter g, which strongly influence the learning effect and the decision result; here an adaptive genetic algorithm is used to tune ν and g in order to train the optimal state-space classifier.
In this embodiment, after deep packet parsing and dimensionality reduction of the captured network communication data, classification verification is performed with the state-space classifier; if the data passes verification, the network communication data is normal; if it does not, the state space of the industrial control system is abnormal, the network communication data is abnormal data, and an alarm is raised.
In summary, as shown in Fig. 11, the network intrusion detection system for a distributed industrial control system includes a network sniffing unit 11, a protocol analysis unit, an intrusion detection unit 12 and a data transmission unit 13. The network sniffing unit 11 accesses the industrial network through the ETH0 interface and captures the network communication data of the industrial control system by eavesdropping; after capture, the application-layer data is extracted by preprocessing and delivered to the protocol analysis unit for industrial network protocol analysis; on successful parsing the protocol format is output, the protocol analysis unit is then closed, and the data enters the intrusion detection unit 12. The data first enters the network feature detection module of the intrusion detection unit 12, which extracts the network features of the data and performs network feature detection such as access path and access count; if an anomaly is detected, an alarm is raised directly, the intrusion detection unit 12 exits, and the alarm information is output through the data transmission unit 13. If the detection is normal, the data is further preprocessed and, combined with the protocol format resolved by the protocol analysis unit, deep packet parsing is performed; the parsed data is then passed to the control instruction detection module and the state-space detection module. If the parsed data is a control instruction, the control instruction detection module reads the industrial control model rule base file, generates the control-instruction detection rule list, updates it according to the real-time state of the industrial control system, and detects the control instruction sent to the industrial control system; a control instruction found to violate a rule in the control-instruction detection rule list results in an alarm output. The state-space detection module performs classification detection on the state space of the industrial control system with the state-space classifier generated by learning with principal component analysis and a one-class support vector machine; if the state space of the industrial control system is abnormal, an alarm is raised and the alarm information is transmitted through the data transmission unit 13.
In summary, in this embodiment, an intrusion detection method with three-dimensional defence in depth, based on network features, the industrial control model rule base and the industrial control system state space, is used to achieve security of the distributed control system and secure intrusion detection for the industrial network.
The above is the preferred embodiment of the present invention. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as within the protection scope of the present invention.

Claims (10)

1. A network intrusion detection system for a distributed industrial control system, characterised in that it includes:
a network sniffing unit, configured to capture the network communication data of the industrial control system;
an intrusion detection unit, configured to perform intrusion detection on the captured network communication data by means of a pre-established network-feature hash-value rule list, a control-instruction detection rule list generated with real-time updating, and a preset state-space classifier, and to raise an alarm if intrusion behaviour is present;
a data transmission unit, configured to send the alarm information.
2. The network intrusion detection system for a distributed industrial control system according to claim 1, characterised in that the network sniffing unit accesses the industrial control system by bypass in an eavesdropping manner and captures the network communication data of the industrial control system.
3. The network intrusion detection system for a distributed industrial control system according to claim 1 or 2, characterised in that the network sniffing unit is specifically configured to capture the network communication data of the industrial control system using the libpcap packet capture method.
4. The network intrusion detection system for a distributed industrial control system according to claim 1, characterised in that the system further includes a protocol analysis unit;
the protocol analysis unit is configured to perform protocol analysis on the captured network communication data and, on successful parsing, to output the protocol format of the network communication data.
5. The network intrusion detection system for a distributed industrial control system according to claim 4, characterised in that the protocol analysis unit includes a monitoring data acquisition module and a protocol resolution module;
the monitoring data acquisition module is configured to obtain the monitored data from the configuration monitoring interface;
the protocol resolution module is configured to apply, by polling, the industrial bus protocols of a preset industrial network protocol library to the packets of the captured network communication data; if a protocol is applied successfully, the successfully applied protocol type is output; otherwise, the data in the packet are combined bit by bit and converted to floating point, the floating-point data are matched against the obtained monitoring data, and a matching mapping table between the original position of the floating-point data in the raw packet and the monitoring data is output.
6. The network intrusion detection system for a distributed industrial control system according to claim 1, characterised in that the intrusion detection unit includes a network feature detection module;
the network feature detection module is configured to extract the network feature of the captured network communication data, obtain the hash value of the network feature, and query the pre-established network-feature hash-value rule list; if the hash value of the network feature is not included in the pre-established network-feature hash-value rule list, an alarm is raised; the network-feature hash-value rule list includes the hash values of the network features of network communication data, and the network feature includes: protocol type, source IP address, destination IP address, source port and destination port.
7. The network intrusion detection system for a distributed industrial control system according to claim 6, characterised in that the network feature detection module is specifically configured to use a hash algorithm to perform network feature self-learning and establish the network-feature hash-value rule list.
8. The network intrusion detection system for a distributed industrial control system according to claim 1, characterised in that the intrusion detection unit includes a control instruction detection module;
the control instruction detection module is configured to obtain the current running state of the industrial control system and, according to that state, to use a three-level list structure to generate, with real-time updating, a control-instruction detection rule list from the preset industrial control model rule base; if the captured network communication data is a control instruction, the module detects whether the control instruction violates a rule in the control-instruction detection rule list, and raises an alarm if it does.
9. The network intrusion detection system for a distributed industrial control system according to claim 1, characterised in that the intrusion detection unit further includes a state-space detection module;
the state-space detection module is specifically configured to generate training samples from the operating data of the industrial control system under normal conditions, reduce the dimensionality of the training samples by principal component analysis, and train a one-class support vector machine on the reduced samples to generate the state-space classifier; after principal-component dimensionality reduction is applied to the network communication data that does not violate any rule in the control-instruction detection rule list, the preset state-space classifier detects whether the network communication data is normal, and an alarm is raised if it is not.
10. The network intrusion detection system for a distributed industrial control system according to claim 1, characterised in that the system further includes a 4-channel digital input/output circuit;
the digital input/output circuit is connected to the alarm module in the industrial control system, and the alarm module is connected to the controller in the industrial control system;
the digital input/output circuit is configured to send the alarm information to the alarm module.
CN201610565134.7A 2016-07-18 2016-07-18 A kind of Network Intrusion Detection System for distributed industrial control system Active CN106209870B (en)

Publications (2)

Publication Number Publication Date
CN106209870A true CN106209870A (en) 2016-12-07
CN106209870B CN106209870B (en) 2019-07-09

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant