CN106209870B - A kind of Network Intrusion Detection System for distributed industrial control system - Google Patents

A network intrusion detection system for distributed industrial control systems

Info

Publication number: CN106209870B
Application number: CN201610565134.7A
Authority: CN (China)
Other versions: CN106209870A
Original language: Chinese (zh)
Legal status: Expired - Fee Related
Inventors: 解仑, 金良辰, 周育武, 王志良
Current assignee: University of Science and Technology Beijing (USTB)
Original assignee: University of Science and Technology Beijing (USTB)
Prior art keywords: network, control system, data, industrial control, communication data

Classifications

    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 ... by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a network intrusion detection system for distributed industrial control systems that improves the network security of such systems. The system comprises: a network sniffing unit that captures the network communication data of the industrial control system; an intrusion detection unit that performs intrusion detection on the captured network communication data using a pre-established network feature hash value rule chain list, a control instruction detection rule chain list regenerated in real time, and a preset state-space classifier, and raises an alarm if intrusion behaviour is found; and a data transmission unit that sends the alarm information. The invention belongs to the technical field of network security.

Description

A network intrusion detection system for distributed industrial control systems
Technical field
The present invention relates to the technical field of network security, and in particular to a network intrusion detection system for distributed industrial control systems.
Background technique
In recent years, as Ethernet technology has developed, its data rate and real-time performance have improved greatly, and it has gradually been adopted in industrial networks, where fieldbus-type and Ethernet-type network technologies are now naturally combined. Industrial control systems have gradually evolved from closed, isolated systems into systems with many connections to more open public networks. While Ethernet brought great advantages to traditional industry, information security problems, which in the past rarely concerned the industrial world, now confront proprietary systems and have caused serious damage to industrial networks and core equipment.
An industrial network differs from a conventional commercial network: what it connects are field personnel and industrial equipment, and even a small error may bring the industrial network down and cause incalculable loss of life and property.
Conventional network security products, because of their own shortcomings and deficiencies, cannot meet the higher protection requirements of industrial networks; because they were not designed for industrial networks, they are difficult to deploy safely and stably in industrial settings, which poses a serious threat to industrial networks.
Summary of the invention
The technical problem to be solved by the present invention is to provide a network intrusion detection system for distributed industrial control systems, addressing the problem that existing network security products either cannot meet the higher protection requirements of industrial networks or are unsuitable for industrial settings.
To solve the above technical problem, an embodiment of the present invention provides a network intrusion detection system for distributed industrial control systems, comprising:
a network sniffing unit for capturing the network communication data of the industrial control system;
an intrusion detection unit for performing intrusion detection on the captured network communication data using a pre-established network feature hash value rule chain list, a control instruction detection rule chain list regenerated in real time, and a preset state-space classifier, and for raising an alarm if intrusion behaviour is found;
a data transmission unit for sending the alarm information.
Further, the network sniffing unit accesses the industrial control system in bypass (passive listening) mode to capture the network communication data of the industrial control system.
Further, the network sniffing unit specifically captures the network communication data of the industrial control system using a libpcap packet capture scheme.
Further, the system also includes a protocol analysis unit;
The protocol analysis unit performs protocol analysis on the captured network communication data and, after successful resolution, outputs the protocol format of the network communication data.
Further, the protocol analysis unit includes a monitoring data acquisition module and a protocol resolution module;
The monitoring data acquisition module obtains the monitoring data observed from the configuration monitoring interface;
The protocol resolution module polls the industrial bus protocols in a preset industrial network protocol library against each data packet of the captured network communication data; if a protocol applies successfully, the protocol type that applied is output; otherwise the bytes of the data packet are combined in turn and converted to floating-point values, the converted values are matched against the acquired monitoring data, and a matching mapping table between the starting position of each converted value in the raw data packet and the corresponding monitoring data is output.
Further, the intrusion detection unit includes a network feature detection module;
The network feature detection module extracts the network features of the captured network communication data, computes the hash value of those network features and looks it up in the pre-established network feature hash value rule chain list; if the hash value of the network features is not contained in the pre-established network feature hash value rule chain list, an alarm is raised. The network feature hash value rule chain list contains the hash values of the network features of network communication data; the network features comprise protocol type, source IP address, destination IP address, source port and destination port.
Further, the network feature detection module specifically performs network feature self-learning using a hash algorithm to build the network feature hash value rule chain list.
Further, the intrusion detection unit includes a control instruction detection module;
The control instruction detection module obtains the current operating state of the industrial control system and, according to that state, regenerates the control instruction detection rule chain list in real time from a preset industrial control model rule base using a three-level list structure; if the captured network communication data is a control instruction, it detects whether the control instruction violates a rule in the control instruction detection rule chain list, and raises an alarm if it does.
Further, the intrusion detection unit also includes a state-space detection module;
The state-space detection module generates training samples from operation data of the industrial control system in its normal state, reduces their dimensionality by principal component analysis (PCA), and trains a one-class support vector machine on the reduced samples to produce the state-space classifier; network communication data that violates no rule in the control instruction detection rule chain list is reduced by PCA and then classified by the preset state-space classifier as normal or not; if it is not normal, an alarm is raised.
Further, the system also includes a four-channel digital input/output circuit;
The digital input/output circuit is connected to the alarm module of the industrial control system, and the alarm module is connected to the controller of the industrial control system;
The digital input/output circuit sends the alarm information to the alarm module.
The advantageous effects of the above technical solutions of the present invention are as follows:
In the above scheme, the network sniffing unit captures the network communication data of the industrial control system; the intrusion detection unit performs intrusion detection on the captured data using the pre-established network feature hash value rule chain list, the control instruction detection rule chain list regenerated in real time and the preset state-space classifier, and raises an alarm if intrusion behaviour is found; finally, the data transmission unit sends the alarm information. In this way the intrusion detection unit can effectively detect whether the industrial control system has been intruded upon and raise an alarm when it has, thereby protecting and improving the communication security of the industrial control system.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of the network intrusion detection system for distributed industrial control systems provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of the hardware platform architecture of the network intrusion detection system for distributed industrial control systems provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of the connection to a distributed industrial control system provided in an embodiment of the present invention;
Fig. 4 is a flow diagram of capturing network communication data provided in an embodiment of the present invention;
Fig. 5 is a workflow diagram of the protocol analysis unit provided in an embodiment of the present invention;
Fig. 6 is a schematic diagram of the floating-point data matching process in the protocol analysis unit provided in an embodiment of the present invention;
Fig. 7 is a workflow diagram of the network feature detection module provided in an embodiment of the present invention;
Fig. 8 is the rule format of the industrial control model rule base provided in an embodiment of the present invention;
Fig. 9 is a workflow diagram of the control instruction detection module provided in an embodiment of the present invention;
Fig. 10 is a workflow diagram of the state-space detection module provided in an embodiment of the present invention;
Fig. 11 is a detailed structural schematic diagram of the network intrusion detection system for distributed industrial control systems provided in an embodiment of the present invention.
Specific embodiment
To make the technical problem to be solved, the technical solution and the advantages of the present invention clearer, they are described in detail below with reference to the drawings and specific embodiments.
Addressing the problem that existing network security products cannot meet the higher protection requirements of industrial networks or are unsuitable for industrial settings, the present invention provides a network intrusion detection system for distributed industrial control systems.
Referring to Fig. 1, the network intrusion detection system for distributed industrial control systems provided in an embodiment of the present invention comprises:
a network sniffing unit 11 for capturing the network communication data of the industrial control system;
an intrusion detection unit 12 for performing intrusion detection on the captured network communication data using a pre-established network feature hash value rule chain list, a control instruction detection rule chain list regenerated in real time, and a preset state-space classifier, and for raising an alarm if intrusion behaviour is found;
a data transmission unit 13 for sending the alarm information.
In the network intrusion detection system for distributed industrial control systems of the embodiment of the present invention, the network sniffing unit captures the network communication data of the industrial control system; the intrusion detection unit performs intrusion detection on the captured data using the pre-established network feature hash value rule chain list, the control instruction detection rule chain list regenerated in real time and the preset state-space classifier, and raises an alarm if intrusion behaviour is found; finally, the data transmission unit sends the alarm information. In this way the intrusion detection unit can effectively detect whether the industrial control system has been intruded upon and raise an alarm when it has, thereby protecting and improving the communication security of the industrial control system.
In this embodiment, the network intrusion detection system for distributed industrial control systems runs on an embedded Linux operating system obtained by trimming and customising the open-source Linux 3.2.0 kernel. The trimmed kernel includes the basic operating modules, the AR8031 Ethernet transceiver driver module, the USB driver module and the SD card driver module. The trimmed kernel is small, fast and stable, which guarantees the safe and stable operation of the system.
As shown in Fig. 2, in this embodiment the hardware platform of the system can use a 5 V low-voltage, low-power hardware circuit and has an SD card driver circuit, so that the system kernel can be updated and data cached via the SD card.
In this embodiment, the core processor of the system is a TI (Texas Instruments) industrial-grade AM335x series processor with a Cortex-A8 architecture, clocked at up to 1 GHz, with an operating temperature range of -40 °C to +85 °C, 512 MB of DDR3 memory and 256 MB of SLC NAND flash. The platform also has two gigabit Ethernet interfaces, ETH0 and ETH1, provided by two AR8031 gigabit Ethernet transceiver chips: ETH0 is used to listen to and sniff the network communication data of the industrial control system, and ETH1 is used to send alarm information to the remote server. A PC847 optocoupler isolation chip can also drive four digital input/output (I/O) channels; the digital I/O circuit can be connected to the alarm module below the controller in the industrial control system, so that when a serious threat is detected the alarm information is sent directly to the alarm module over the I/O circuit and the controller in the industrial control system can take emergency action.
In this embodiment, the PC847 optocoupler isolation chip can be used for power isolation, giving a voltage-adjustable digital input/output circuit.
In this embodiment, after intrusion detection has been performed on the captured network communication data, any alarm information generated is sent to the remote server by the data transmission unit 13. The data transmission unit 13 can use TCP/IP and is designed as a client: it connects to the remote server over Ethernet and, once the connection is established, transmits the alarm information. When the system detects a serious intrusion, that is, one that would cause very serious damage to the industrial control system, the alarm information is additionally sent directly through the system's digital I/O circuit to the alarm module below the controller in the industrial control system, so that the controller can take emergency action.
In a specific embodiment of the aforementioned network intrusion detection system for distributed industrial control systems, further, the network sniffing unit 11 accesses the industrial control system in bypass listening mode to capture the network communication data of the industrial control system.
In this embodiment, as shown in Fig. 3, the system can be applied to a distributed industrial control system comprising a control station containing the controller, the console on which configuration monitoring runs, an industrial server and other equipment, all communicating over Industrial Ethernet. The network intrusion detection system is connected to the Industrial Ethernet through an industrial switch; it listens to and captures the network communication data of the industrial control system on the ETH0 interface, and sends alarm information to the remote server over the Internet on the ETH1 interface.
In this embodiment, the system is attached to the industrial control system by bypass listening, so the topology and networking mode of the existing industrial control system need not be changed, which is convenient and feasible; and because the network sniffing unit 11 obtains the network communication data of the industrial control system by packet sniffing, it does not affect the stability or real-time performance of the existing industrial control system.
In a specific embodiment of the aforementioned network intrusion detection system for distributed industrial control systems, further, the network sniffing unit 11 specifically captures the network communication data of the industrial control system using the libpcap packet capture scheme.
In this embodiment, the industrial control system has very strict real-time requirements. To avoid affecting the real-time performance of the industrial control network while still obtaining its network communication data in real time, the libpcap packet capture scheme can be used to sniff the network communication data of the industrial control system. As shown in Fig. 4, the steps of capturing the network communication data with libpcap may include: look up the ETH0 network interface device of the system's hardware platform, obtain its network number and subnet mask, open the ETH0 device, edit and set a filter, and then start the capture loop to obtain the network communication data of the industrial control system.
In a specific embodiment of the aforementioned network intrusion detection system for distributed industrial control systems, further, the system also includes a protocol analysis unit;
The protocol analysis unit performs protocol analysis on the captured network communication data and, after successful resolution, outputs the protocol format of the network communication data.
In this embodiment, the protocol analysis unit can parse network communication protocols, including proprietary industrial network protocols, and provides the basis for deep packet inspection (deep packet analysis includes parsing of application layer data), giving the system good applicability and extensibility.
In a specific embodiment of the aforementioned network intrusion detection system for distributed industrial control systems, further, the protocol analysis unit includes a monitoring data acquisition module and a protocol resolution module;
The monitoring data acquisition module obtains the monitoring data observed from the configuration monitoring interface;
The protocol resolution module polls the industrial bus protocols in the preset industrial network protocol library against each data packet of the captured network communication data; if a protocol applies successfully, the protocol type that applied is output; otherwise the bytes of the data packet are combined in turn and converted to floating-point values, the converted values are matched against the acquired monitoring data, and a matching mapping table between the starting position of each converted value in the raw data packet and the corresponding monitoring data is output.
In this embodiment, the monitoring data acquisition module obtains, from the configuration monitoring interface of the current industrial control system, the monitoring data being observed; the monitoring data are the observed values of equipment operation in the industrial control system.
In this embodiment, the network communication data in the industrial network are encapsulated at the TCP/IP application layer, each in its own proprietary protocol, and these proprietary protocols must be parsed to obtain the physical meaning of the data. The protocol analysis unit either performs this parsing or provides a reference for it. The specific steps may include: first obtain the actual monitoring data from the configuration monitoring interface; then poll the industrial bus protocols in the preset industrial network protocol library against each captured data packet, and if a protocol applies successfully, output the protocol type that applied; otherwise take the packet bytes four at a time, combining them in turn into floating-point values (A, B, C, ...), match the converted values (A, B, C, ...) against the monitoring data (a, b, c, ...), and for each converted value A that correctly matches a monitoring datum a, record the mapping between A's starting position in the original packet and the monitoring datum in the matching mapping table; poll and match all monitoring data in this way and output the matching mapping table, which serves as a reference for protocol analysis, as shown in Fig. 5 and Fig. 6.
In this embodiment, the industrial bus protocols in the preset industrial network protocol library include the Hostlink communication protocol, the Modbus TCP communication protocol, the USS communication protocol, the Modbus RTU communication protocol, the standard TCP/IP communication protocol, EtherCAT and other protocols; this embodiment does not limit them.
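The two-stage protocol resolution described above (poll the protocol library first, fall back to floating-point matching against the monitoring data when no protocol applies) is shown below as an added example; it is not code from the patent or from the inventors' system. Only a Modbus/TCP parser is implemented for the protocol library; the packets and the monitoring values are constructed for the example, and the fallback assumes big-endian IEEE-754 singles and takes "combine in turn" to mean a four-byte window slid over every byte offset.

```python
import struct
from typing import Callable, Dict, List, Optional, Tuple

# Constructed monitoring data, as the configuration monitoring interface would report
# it: tag name -> current observed value. Not from any real plant.
MONITORING_DATA: Dict[str, float] = {
    "tank_level": 37.5,
    "pump_speed": 1450.0,
    "temp_c": 82.25,
}

# Constructed packets. The first is a well-formed Modbus/TCP "read holding registers"
# request (MBAP header + PDU); the second is a made-up proprietary frame whose payload
# carries three big-endian floats behind a 2-byte header.
MODBUS_PACKET = bytes.fromhex("00010000000601030000000a")
PROPRIETARY_PACKET = b"\xaa\x55" + struct.pack(">fff", 37.5, 1450.0, 82.25) + b"\x00"


def parse_modbus_tcp(packet: bytes) -> Optional[Dict[str, int]]:
    """Apply the Modbus/TCP framing: 7-byte MBAP header followed by a PDU.

    Returns the decoded header on success, None when the bytes do not fit the
    protocol (non-zero protocol id, inconsistent length, reserved function code).
    """
    if len(packet) < 8:
        return None
    tid, pid, length, unit, func = struct.unpack(">HHHBB", packet[:8])
    # Protocol identifier is always 0; the length field counts unit id + PDU bytes.
    if pid != 0 or length != len(packet) - 6 or not 1 <= func <= 127:
        return None
    return {"transaction_id": tid, "unit_id": unit, "function_code": func}


# Preset "industrial network protocol library": name -> parser. Only Modbus/TCP is
# implemented here; the other bus protocols would be added as further entries.
PROTOCOL_LIBRARY: List[Tuple[str, Callable[[bytes], Optional[dict]]]] = [
    ("Modbus TCP", parse_modbus_tcp),
]


def poll_protocols(packet: bytes) -> Optional[str]:
    """Poll every parser in the library against the packet; return the first that applies."""
    for name, parser in PROTOCOL_LIBRARY:
        if parser(packet) is not None:
            return name
    return None


def float_match(packet: bytes, monitoring: Dict[str, float],
                rel_tol: float = 1e-3) -> Dict[str, int]:
    """Fallback for unknown protocols: slide a four-byte window over the packet,
    interpret each window as an IEEE-754 single (big-endian assumed) and match it
    against the monitoring values. Returns tag -> starting byte offset in the packet."""
    mapping: Dict[str, int] = {}
    for offset in range(len(packet) - 3):
        value = struct.unpack(">f", packet[offset:offset + 4])[0]
        if value != value:  # NaN never matches anything
            continue
        for tag, observed in monitoring.items():
            if tag in mapping:
                continue  # first (lowest-offset) match wins
            if abs(value - observed) <= rel_tol * max(1.0, abs(observed)):
                mapping[tag] = offset
    return mapping


def analyse(packet: bytes, monitoring: Dict[str, float]) -> dict:
    """The protocol resolution module's output: a known protocol type, or the mapping table."""
    proto = poll_protocols(packet)
    if proto is not None:
        return {"protocol": proto, "mapping": {}}
    return {"protocol": None, "mapping": float_match(packet, monitoring)}


if __name__ == "__main__":
    print(analyse(MODBUS_PACKET, MONITORING_DATA))
    print(analyse(PROPRIETARY_PACKET, MONITORING_DATA))
```

The relative tolerance matters in practice: process values drift between the time the packet is captured and the time the monitoring interface is read, so an exact float comparison would miss most matches, while too loose a tolerance produces spurious offsets (a window decoding to roughly 2.0 appears at offset 8 of the constructed frame and must not be mapped to anything). Byte order should be confirmed per device; a little-endian PLC would need `"<f"` in the fallback.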
In a specific embodiment of the aforementioned network intrusion detection system for distributed industrial control systems, further, the intrusion detection unit 12 includes a network feature detection module;
The network feature detection module extracts the network features of the captured network communication data, computes the hash value of those network features and looks it up in the pre-established network feature hash value rule chain list; if the hash value of the network features is not contained in the pre-established network feature hash value rule chain list, an alarm is raised. The network feature hash value rule chain list contains the hash values of the network features of network communication data; the network features comprise protocol type, source IP address, destination IP address, source port and destination port.
In a specific embodiment of the aforementioned network intrusion detection system for distributed industrial control systems, further, the network feature detection module specifically performs network feature self-learning using a hash algorithm to build the network feature hash value rule chain list.
In this embodiment, communication in an industrial control system is regular and stable: it has regular communication flows with relatively fixed behavioural characteristics and predictable behaviour patterns, so a machine learning method can be used to generate the network feature hash value rule chain list automatically.
In this embodiment, the network communication data captured by the network sniffing unit 11 are first pre-processed, then decoded in turn to extract the packet header information and obtain the network features of the data; the rule self-learning module then learns from these network features and automatically generates the network feature hash value rule chain list, and rules are matched by polling the generated chain list.
In this embodiment, network feature self-learning can be performed with a hash algorithm to build the network feature hash value rule chain list, and network feature intrusion detection is performed against that chain list as a preliminary test of whether the network communication data are abnormal. The network feature hash value rule chain list contains the hash values of five network features of the network communication data: protocol type, source IP address, destination IP address, source port and destination port.
In this embodiment, as shown in Fig. 7, the steps of using the network feature hash value rule chain list to make a preliminary judgement of whether the network communication data are abnormal may include: pass the network communication data captured by the network sniffing unit 11 through the packet pre-processing steps of IP fragment reassembly, TCP stream reassembly and packet normalisation, and generate a log file; extract the network feature fields (protocol type, source IP address, destination IP address, source port, destination port) from the log file and compute the hash value of the corresponding network features with the hash algorithm; then decide whether to pass the network communication data according to the established safety coefficient. Specifically, when the value obtained for the network feature hash of the data exceeds the safety coefficient, the data are passed and the hash value of their network features is inserted into the network feature hash value rule chain list, which achieves self-learning. Here the secure access coefficient is the ratio of the number of safe accesses over the same communication path to the total number of accesses over that path, where the same communication path means captured network communication data whose five network features (protocol type, source IP address, destination IP address, source port and destination port) are respectively identical. Once self-learning has generated the network feature hash value rule chain list, network feature matching can be performed against it as follows: extract the network features of the captured network communication data, compute their hash value and traverse the network feature hash value rule chain list; if a match is found, the network communication data pass normally; otherwise raise an alarm and feed the network features into the self-learning process, which learns whether to add them to the network feature hash value rule chain list.
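The header extraction, five-tuple hashing, secure-access coefficient and the two-phase learn/check cycle described above are shown together as an added example; it is not code from the patent or the inventors' system. Constructed Ethernet/IPv4 frames built in the block stand in for the libpcap capture on ETH0; the decoder and `build_frame` helper are the same header-parsing step as the page's "decode and extract packet header information". The admission rule is an interpretation of the page's wording: a sighting is counted as safe when the caller says no later detection stage alarmed on it (assumption), and a path enters the rule chain list once it has enough sightings and its coefficient reaches a threshold (both values assumed).

```python
import hashlib
import struct
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# The five network features the page names: protocol type, source IP, destination IP,
# source port, destination port.
FiveTuple = Tuple[str, str, str, int, int]


def decode_five_tuple(frame: bytes) -> FiveTuple:
    """Decode Ethernet II / IPv4 / TCP-or-UDP headers and return the five network features."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length honours options
    proto_num = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    proto = {6: "TCP", 17: "UDP"}.get(proto_num, str(proto_num))
    return (proto, src, dst, sport, dport)


def feature_hash(features: FiveTuple) -> str:
    """Hash of the five features; the rule chain list stores only these digests."""
    return hashlib.sha256("|".join(map(str, features)).encode()).hexdigest()


@dataclass
class PathStats:
    total: int = 0   # total sightings of this communication path
    safe: int = 0    # sightings judged safe (assumption: no alarm from later stages)

    def coefficient(self) -> float:
        """Secure-access coefficient: safe accesses / total accesses of the path."""
        return self.safe / self.total if self.total else 0.0


@dataclass
class FeatureHashRules:
    safety_threshold: float = 0.9   # coefficient a path must reach to be admitted (assumed)
    min_samples: int = 5            # sightings required before admission (assumed)
    rules: Set[str] = field(default_factory=set)          # the hash value rule chain list
    stats: Dict[str, PathStats] = field(default_factory=dict)

    def learn(self, frame: bytes, safe: bool) -> bool:
        """Self-learning step: record one sighting and admit the path once its
        coefficient exceeds the threshold. Returns whether the path is now a rule."""
        digest = feature_hash(decode_five_tuple(frame))
        stats = self.stats.setdefault(digest, PathStats())
        stats.total += 1
        stats.safe += int(safe)
        if stats.total >= self.min_samples and stats.coefficient() >= self.safety_threshold:
            self.rules.add(digest)
        return digest in self.rules

    def check(self, frame: bytes) -> bool:
        """Detection step: True if the path is in the rule chain list, False means alarm."""
        return feature_hash(decode_five_tuple(frame)) in self.rules


def build_frame(src: str, dst: str, sport: int, dport: int, proto: int = 6) -> bytes:
    """Constructed minimal Ethernet/IPv4/L4 frame (no checksums), standing in for capture."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return eth + ip_hdr + struct.pack("!HH", sport, dport) + b"\x00" * 16


def demo() -> Dict[str, bool]:
    rules = FeatureHashRules()
    hmi_to_plc = build_frame("192.168.10.5", "192.168.10.20", 50123, 502)
    rogue_host = build_frame("192.168.10.99", "192.168.10.20", 4444, 502)
    for _ in range(10):                 # baseline capture of the normal HMI -> PLC path
        rules.learn(hmi_to_plc, safe=True)
    for _ in range(10):                 # a path seen only in flagged traffic never qualifies
        rules.learn(rogue_host, safe=False)
    return {"hmi_known": rules.check(hmi_to_plc), "rogue_known": rules.check(rogue_host)}


if __name__ == "__main__":
    print(demo())
```

Two practical caveats follow from the design: an ephemeral source port makes every new HMI connection a new "path", so a deployment would normally learn on the four stable features and treat the ephemeral port separately; and because unknown paths are fed back into learning, an attacker who can keep a path below the alarm threshold of the later stages for `min_samples` sightings gets it whitelisted, which is why the safe/total coefficient rather than mere frequency is the admission criterion.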
In the specific embodiment of the aforementioned Network Intrusion Detection System for distributed industrial control system, further Ground, the intrusion detecting unit 12 include: control instruction detection module;
The control instruction detection module, for obtaining the current operating status of the industrial control system, according to obtaining The current operating status of the industrial control system, using three-level list structure, according to preset Industry Control model rule Library, real-time update generate control instruction detected rule chained list;If the network communication data of capture is control instruction, detect It is regular in the control instruction detected rule chained list whether the control instruction violates, if violating the control instruction detected rule It is regular in chained list, then alert.
In the present embodiment, a normal industrial control system should be a process in a stable state: the state of the industrial control system should evolve towards the target value, and a normal control instruction should keep the industrial control system stable. Therefore, a control instruction that violates this trend can be judged to be an erroneous control instruction and may be regarded as an intrusion. Mathematical methods for describing production process control from the viewpoint of automation have been studied in considerable depth, and there are many ready-made research results ranging from mechanistic models and process models to process modelling, which can guide the establishment of intrusion detection rules. The network intrusion detection system for a distributed industrial control system provides the user with a rule-writing interface document, and the user can enrich the rules in the preset industrial-control model rule base according to the specified rule format; the rule format is shown in Fig. 8.
In the present embodiment, a three-level linked-list structure may be used: the control instruction detection rule linked list is generated by real-time update from the industrial-control model rule base stored in the rule format specified in Fig. 8, and network intrusion detection is performed according to that linked list.
In the present embodiment, the control instruction detection module dynamically updates the control instruction detection rule linked list according to the preset industrial-control model rule base and the real-time state of the industrial control system, captures the transmitted control instructions, detects whether a control instruction violates a rule in the control instruction detection rule linked list and, if it does, generates the corresponding alarm information.
As shown in Fig. 9, the detection steps of the control instruction detection module may specifically include:
A11: read the preset industrial-control model rule base and generate a three-level rule linked list A, where the three-level rule linked list includes state detection rules and the control instruction detection rules corresponding to each state detection rule, as shown in Fig. 8;
A12: perform deep packet parsing on the industrial communication data in the industrial Ethernet shown in Fig. 3 and on the captured network communication data, and, in combination with the program variable point table of the control program in the industrial control system controller, obtain the specific control variable values and measured variable values of the industrial control system, thereby determining the current operating state of the industrial control system (referred to as the current system state), where the program variable point table characterises the usage of each variable in the industrial control system;
A13: traverse the three-level rule linked list A and judge, according to the current system state, whether the current system state satisfies a state detection rule in the three-level rule linked list A; if it does, extract the control instruction detection rules corresponding to that state detection rule from the three-level rule linked list A and add them to the control instruction detection rule linked list B, thereby updating control instruction detection rule linked list B;
A14: if the captured network communication data is a control instruction, parse the network communication data to obtain the control instruction, traverse control instruction detection rule linked list B, and judge whether the control instruction violates a rule in B; if it does, determine the current control instruction to be an intrusion instruction and generate alarm information;
A15: repeat A12, A13 and A14, updating control instruction detection rule linked list B in real time according to the current system state and performing intrusion detection.
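Steps A11 to A15 as one complete added Python example (not the patent's own code). The three levels are represented as rule base A, the state detection rules it holds, and the control instruction detection rules attached to each state rule; the rule format itself (Fig. 8 is not reproduced on this page) is assumed to be an allowed write range per control variable. The heated-tank rule base, the program variable point table and the parsed register values are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ControlRule:
    """Allowed write range for one control variable (assumed rule format)."""
    variable: str
    low: float
    high: float


@dataclass
class StateRule:
    """A state detection rule plus the control rules that apply in that state."""
    name: str
    holds: Callable[[Dict[str, float]], bool]
    control_rules: List[ControlRule]


# A11: constructed rule base (three-level rule list A) for a hypothetical heated tank.
RULE_BASE_A: List[StateRule] = [
    StateRule("heating", lambda s: s["temperature"] < 80.0,
              [ControlRule("heater_setpoint", 0.0, 100.0)]),
    StateRule("at_target", lambda s: s["temperature"] >= 80.0,
              [ControlRule("heater_setpoint", 0.0, 20.0)]),
    StateRule("tank_high", lambda s: s["level"] > 90.0,
              [ControlRule("inlet_valve", 0.0, 0.0)]),
]

# Constructed program variable point table: variable name -> register address.
VARIABLE_POINT_TABLE: Dict[str, int] = {"temperature": 40001, "level": 40002}

# Constructed snapshots: (register values from deep packet parsing, control
# instruction seen on the wire as (variable, value)).
SAMPLE_SNAPSHOTS: List[Tuple[Dict[int, float], Tuple[str, float]]] = [
    ({40001: 50.0, 40002: 40.0}, ("heater_setpoint", 90.0)),  # heating: allowed
    ({40001: 85.0, 40002: 40.0}, ("heater_setpoint", 90.0)),  # at target: too high
    ({40001: 85.0, 40002: 95.0}, ("inlet_valve", 1.0)),       # tank high: valve must stay shut
    ({40001: 50.0, 40002: 95.0}, ("inlet_valve", 0.0)),       # tank high: shut is allowed
]


def current_system_state(point_table, parsed_values):
    """A12: map parsed register values to named variables via the point table."""
    return {name: parsed_values[addr] for name, addr in point_table.items()}


def update_rule_list_b(rule_base_a, state):
    """A13: collect the control rules of every state rule the current state satisfies."""
    rule_list_b = []
    for state_rule in rule_base_a:
        if state_rule.holds(state):
            rule_list_b.extend(state_rule.control_rules)
    return rule_list_b


def instruction_is_allowed(rule_list_b, instruction):
    """A14: False when the instruction violates any rule in list B (intrusion)."""
    variable, value = instruction
    for rule in rule_list_b:
        if rule.variable == variable and not (rule.low <= value <= rule.high):
            return False
    return True


def detect(rule_base_a, point_table, snapshots):
    """A15: rebuild list B from each snapshot's state, then check its instruction."""
    verdicts = []
    for parsed_values, instruction in snapshots:
        state = current_system_state(point_table, parsed_values)
        rule_list_b = update_rule_list_b(rule_base_a, state)
        verdicts.append(instruction_is_allowed(rule_list_b, instruction))
    return verdicts


def run_sample():
    return detect(RULE_BASE_A, VARIABLE_POINT_TABLE, SAMPLE_SNAPSHOTS)


if __name__ == "__main__":
    print(run_sample())
```

The same write of 90.0 to the heater setpoint is allowed while the tank is heating and flagged once it is at target, which is the point of deriving list B from the current state rather than from a fixed whitelist of instructions.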
In the present embodiment, deep packet parsing combined with a specific industrial-control model rule base is used to formulate the control instruction detection rule linked list, so the resulting intrusion detection is highly targeted and its detection results are more credible.
In a specific embodiment of the aforementioned network intrusion detection system for a distributed industrial control system, further, the intrusion detection unit 12 also includes a state-space detection module.
The state-space detection module is specifically configured to generate training samples from operating data of the industrial control system in its normal state, to reduce the dimensionality of the training samples by principal component analysis, and to train a one-class support vector machine on the reduced training samples to generate the state-space classifier; after principal-component dimensionality reduction of network communication data that does not violate any rule in the control instruction detection rule linked list, the preset state-space classifier is used to detect whether the network communication data is normal data, and if it is not, alarm information is generated.
In the present embodiment, the "finite state" and "finite behaviour" characteristics of an industrial control system mean that the state space of its operation is finite, where the state space is the set of all possible states of the industrial control system. Because intrusion behaviour and normal behaviour are essentially distinguishable, abnormal behaviour does not belong to the same class as normal behaviour in the behaviour state space, so classification methods can be used to separate normal from abnormal behaviour. Since the data samples obtained from an industrial control system are mostly normal samples, a single class of samples is learned, a data description of that class is formed, and a new data sample is then judged to belong to the normal class or not according to a designed or given threshold; anomaly-based intrusion detection is performed in this way. This intrusion detection method based on prior knowledge can greatly improve the reliability of the network intrusion detection system for a distributed industrial control system.
In the present embodiment, as shown in Fig. 10, an industrial control system produces a large amount of data with many attributes and high dimensionality, which reduces the efficiency of intrusion detection algorithms. Therefore, in the present embodiment, operating data of the industrial control system in its normal state is used to generate training samples, and principal component analysis (PCA) is applied to the training samples to reduce their dimensionality and hence the amount of computation; then, from the reduced training samples, a one-class support vector machine (OCSVM) is trained to generate the state-space classifier. The state-space classifier has two important parameters, the one-class support vector machine parameter ν and the radial basis kernel parameter g, which have an important influence on the learning effect and the decision result; here an adaptive genetic algorithm is used to tune ν and g in order to train an optimal state-space classifier.
In the present embodiment, after the captured network communication data has been subjected to deep packet parsing and dimensionality reduction, it is classified and verified by the state-space classifier. If it passes verification, the network communication data is normal data; if it does not, the state space of the industrial control system is abnormal, the network communication data is abnormal data, and alarm information is generated.
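An added, self-contained Python example of the state-space detection pipeline (not the patent's code): PCA by power iteration with deflation reduces three process variables to two principal components, and a one-class data description is fitted to the reduced normal samples. The one-class learner here is a hypersphere around the training centre whose radius is the (1 - ν) quantile of training distances; it stands in for the OCSVM with radial basis kernel that the patent uses, and the genetic-algorithm tuning of ν and g is not shown. The process variables (temperature, pressure, flow), their correlation and the two test points are constructed for the example.

```python
import math
import random
from typing import List, Sequence


def dot(a: Sequence[float], b: Sequence[float]) -> float:
    return sum(x * y for x, y in zip(a, b))


def mean_vector(rows: Sequence[Sequence[float]]) -> List[float]:
    return [sum(r[i] for r in rows) / len(rows) for i in range(len(rows[0]))]


def covariance(rows, mu):
    """Sample covariance matrix of the (centred) rows."""
    d = len(mu)
    cov = [[0.0] * d for _ in range(d)]
    for r in rows:
        diff = [r[i] - mu[i] for i in range(d)]
        for i in range(d):
            for j in range(d):
                cov[i][j] += diff[i] * diff[j]
    return [[v / (len(rows) - 1) for v in row] for row in cov]


def matvec(m, v):
    return [dot(row, v) for row in m]


def normalize(v):
    norm = math.sqrt(dot(v, v))
    return [x / norm for x in v]


def top_eigenvector(m, iters=300):
    """Power iteration: converges to the eigenvector of the largest eigenvalue."""
    v = normalize([1.0 + 0.1 * i for i in range(len(m))])
    for _ in range(iters):
        v = normalize(matvec(m, v))
    return v


def pca_components(rows, k):
    """Top-k principal components via repeated power iteration and deflation."""
    mu = mean_vector(rows)
    cov = covariance(rows, mu)
    comps = []
    for _ in range(k):
        v = top_eigenvector(cov)
        lam = dot(v, matvec(cov, v))          # Rayleigh quotient = eigenvalue
        comps.append(v)
        d = len(v)                            # remove this component before the next pass
        cov = [[cov[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return mu, comps


def project(x, mu, comps):
    centred = [x[i] - mu[i] for i in range(len(mu))]
    return [dot(centred, c) for c in comps]


class OneClassHypersphere:
    """One-class description: centre plus radius at the (1 - nu) training quantile.
    Simplified stand-in for the OCSVM; nu is the fraction of training points
    treated as outliers, as in the OCSVM parameter of the same name."""

    def __init__(self, nu=0.05):
        self.nu, self.center, self.radius = nu, None, None

    def fit(self, points):
        self.center = mean_vector(points)
        dists = sorted(math.dist(p, self.center) for p in points)
        self.radius = dists[int((1.0 - self.nu) * (len(dists) - 1))]
        return self

    def is_normal(self, point):
        return math.dist(point, self.center) <= self.radius


class StateSpaceDetector:
    """PCA dimensionality reduction followed by the one-class classifier."""

    def __init__(self, n_components=2, nu=0.05):
        self.n_components, self.nu = n_components, nu

    def fit(self, rows):
        self.mu, self.comps = pca_components(rows, self.n_components)
        reduced = [project(r, self.mu, self.comps) for r in rows]
        self.clf = OneClassHypersphere(self.nu).fit(reduced)
        return self

    def is_normal(self, x):
        return self.clf.is_normal(project(x, self.mu, self.comps))


def constructed_normal_samples(n=60, seed=7):
    """Constructed normal-state operating data: pressure tracks temperature."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        temp = 70.0 + rng.uniform(-5.0, 5.0)
        pressure = 2.0 * temp + rng.uniform(-2.0, 2.0)
        flow = 30.0 + rng.uniform(-1.0, 1.0)
        rows.append([temp, pressure, flow])
    return rows


def run_sample():
    det = StateSpaceDetector().fit(constructed_normal_samples())
    normal_point = [71.0, 142.0, 30.0]   # consistent with the learned relation
    anomalous_point = [70.0, 60.0, 30.0] # pressure far from 2 x temperature
    return det.is_normal(normal_point), det.is_normal(anomalous_point)


if __name__ == "__main__":
    print(run_sample())
```

The anomalous point has every variable individually within its normal range; it is only the broken relation between temperature and pressure that the classifier catches, which is what a per-variable threshold check would miss and what the reduced state space is meant to expose.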
In summary, as shown in Fig. 11, the network intrusion detection system for a distributed industrial control system comprises a network sniffing unit 11, a protocol analysis unit, an intrusion detection unit 12 and a data transmission unit 13. The network sniffing unit 11 connects to the industrial network through the ETH0 interface and listens to and captures the network communication data of the industrial control system; after capture, the application layer data is extracted by preprocessing and delivered to the protocol analysis unit for industrial network protocol analysis, which outputs the protocol format after successful analysis, whereupon the protocol analysis unit is closed and processing enters the intrusion detection unit 12. The data first enter the network characteristic detection module of the intrusion detection unit 12, which extracts the network characteristics of the data and checks characteristics such as the access path and the number of accesses; if an anomaly is detected, an alarm is raised directly, the intrusion detection unit 12 is exited and the alarm information is output by the data transmission unit 13. If the detection is normal, the data are further preprocessed and, in combination with the protocol format resolved by the protocol analysis unit, deep packet parsing is performed; the parsed data are passed in turn to the control instruction detection module and the state-space detection module. If the parsed data are a control instruction, the control instruction detection module reads the industrial-control model rule base file, generates the control instruction detection rule linked list, updates it according to the real-time state of the industrial control system, and checks the control instruction entering the industrial control system; on finding a control instruction that violates a rule in the control instruction detection rule linked list, it outputs an alarm. The state-space detection module uses the state-space classifier learned by principal component analysis and a one-class support vector machine to classify and detect the state space of the industrial control system; if the state space of the industrial control system is abnormal, it generates alarm information and transmits it through the data transmission unit 13.
In summary, in the present embodiment, an intrusion detection method with three-dimensional defence in depth, based on network characteristics, the industrial-control model rule base and the industrial control system state space, realises security intrusion detection for the distributed control system and the industrial network.
The above is a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as within the protection scope of the present invention.

Claims (7)

1. A network intrusion detection system for a distributed industrial control system, characterised by comprising:
a network sniffing unit for capturing the network communication data of the industrial control system;
an intrusion detection unit for performing intrusion detection on the captured network communication data by means of a pre-established network-characteristic hash-value rule linked list, a control instruction detection rule linked list generated by real-time update, and a preset state-space classifier, and for generating alarm information if intrusion behaviour exists;
a data transmission unit for sending the alarm information;
wherein the system further comprises a protocol analysis unit;
the protocol analysis unit is configured to perform protocol analysis on the captured network communication data and, after successful analysis, to output the protocol format of the network communication data;
wherein the protocol analysis unit comprises a monitoring data acquisition module and a protocol resolution module;
the monitoring data acquisition module is configured to obtain the monitored monitoring data from the configuration monitoring interface;
the protocol resolution module is configured to apply, by polling, the industrial bus protocols in a preset industrial network protocol library to the packets of the captured network communication data; if a protocol applies successfully, the successfully applied protocol type is output; otherwise, the data in the packet are combined bit by bit and converted to floating point, the floating-point-converted data are matched against the acquired monitoring data, and the starting position of the floating-point-converted data in the raw packet and a matching mapping table between those data and the monitoring data are output;
wherein the intrusion detection unit further comprises a state-space detection module;
the state-space detection module is specifically configured to generate training samples from operating data of the industrial control system in its normal state, to reduce the dimensionality of the training samples by principal component analysis, and to train a one-class support vector machine on the reduced training samples to generate the state-space classifier; after principal-component dimensionality reduction of network communication data that does not violate any rule in the control instruction detection rule linked list, the preset state-space classifier is used to detect whether the network communication data is normal data, and if it is not, alarm information is generated.
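The floating-point fallback of the protocol resolution module in claim 1, as an added Python example that is not the patent's own code: when no library protocol applies, every 4-byte window of the raw packet is decoded as an IEEE 754 single in both byte orders and compared with the monitoring values read from the configuration monitoring interface, and the matches are reported as a mapping of monitoring name to (offset, byte order). Byte-aligned windows, single precision, the relative tolerance and the monitoring values are all assumptions; the packet is constructed for the example.

```python
import math
import struct

# Constructed monitoring values, as if read from the configuration monitoring
# interface (assumption: name -> current engineering value).
MONITORING_DATA = {"tank_level": 73.5, "pump_speed": 1450.0}


def candidate_floats(packet: bytes):
    """Yield (offset, byte_order, value) for every 4-byte window of the packet."""
    for off in range(len(packet) - 3):
        chunk = packet[off:off + 4]
        for order, fmt in (("big", ">f"), ("little", "<f")):
            (value,) = struct.unpack(fmt, chunk)
            yield off, order, value


def match_floats(packet: bytes, monitoring: dict, rel_tol: float = 1e-3):
    """Return {monitoring name: (offset, byte_order)} for values found in the packet.

    The first window that matches a monitoring value wins; NaN and infinities
    produced by decoding arbitrary bytes are skipped.
    """
    mapping = {}
    for off, order, value in candidate_floats(packet):
        if math.isnan(value) or math.isinf(value):
            continue
        for name, expected in monitoring.items():
            if name in mapping:
                continue
            if abs(value - expected) <= rel_tol * max(1.0, abs(expected)):
                mapping[name] = (off, order)
    return mapping


def build_sample_packet() -> bytes:
    """Constructed unknown-protocol packet: 2-byte header, big-endian tank_level,
    one pad byte, then little-endian pump_speed."""
    return (b"\x01\x02"
            + struct.pack(">f", 73.5)
            + b"\x00"
            + struct.pack("<f", 1450.0))


if __name__ == "__main__":
    print(match_floats(build_sample_packet(), MONITORING_DATA))
```

The resulting offset table is what later deep packet parsing needs to pull process values out of a proprietary frame. Because a 4-byte window of arbitrary bytes often decodes to some float, the tolerance should stay tight and a mapping should be confirmed across several packets before it is trusted; a single coincidental match would otherwise feed wrong variable values into the state checks.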
2. The network intrusion detection system for a distributed industrial control system according to claim 1, characterised in that the network sniffing unit accesses the industrial control system by bypass listening in order to capture the network communication data of the industrial control system.
3. The network intrusion detection system for a distributed industrial control system according to claim 1 or 2, characterised in that the network sniffing unit is specifically configured to capture the network communication data of the industrial control system using the libpcap packet capture method.
4. The network intrusion detection system for a distributed industrial control system according to claim 1, characterised in that the intrusion detection unit comprises a network characteristic detection module;
the network characteristic detection module is configured to extract the network characteristics of the captured network communication data, obtain the hash value of the network characteristics, and query the pre-established network-characteristic hash-value rule linked list; if the hash value of the network characteristics is not contained in the pre-established network-characteristic hash-value rule linked list, alarm information is generated, wherein the network-characteristic hash-value rule linked list comprises hash values of the network characteristics of network communication data, and the network characteristics comprise protocol type, source IP address, destination IP address, source port and destination port.
5. The network intrusion detection system for a distributed industrial control system according to claim 4, characterised in that the network characteristic detection module is specifically configured to establish the network-characteristic hash-value rule linked list by network characteristic self-learning using a hash algorithm.
6. The network intrusion detection system for a distributed industrial control system according to claim 1, characterised in that the intrusion detection unit comprises a control instruction detection module;
the control instruction detection module is configured to obtain the current operating state of the industrial control system and, according to the obtained current operating state, using a three-level linked-list structure and a preset industrial-control model rule base, to generate the control instruction detection rule linked list by real-time update; if the captured network communication data is a control instruction, it detects whether the control instruction violates a rule in the control instruction detection rule linked list and, if so, generates alarm information.
7. The network intrusion detection system for a distributed industrial control system according to claim 1, characterised in that the system further comprises a 4-channel digital input/output circuit;
the digital input/output circuit is connected to the alarm module in the industrial control system, and the alarm module is connected to the controller in the industrial control system;
the digital input/output circuit is configured to send the alarm information to the alarm module.
Application CN201610565134.7A, priority date 2016-07-18, filing date 2016-07-18: A kind of Network Intrusion Detection System for distributed industrial control system, CN106209870B (en), Expired - Fee Related


Publications (2)

Publication Number Publication Date
CN106209870A CN106209870A (en) 2016-12-07
CN106209870B true CN106209870B (en) 2019-07-09

Family

ID=57493860




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190709