CN106651183A - Communication data security audit method and device for industrial control system - Google Patents


Info

Publication number
CN106651183A
Authority
CN
China
Prior art keywords
business
control system
industrial control
business rule
communication data
Legal status
Granted
Application number
CN201611216266.5A
Other languages
Chinese (zh)
Other versions
CN106651183B (en)
Inventor
陈亚宁
陈惠欣
Current Assignee
Master Technology (beijing) Co Ltd
Original Assignee
Master Technology (beijing) Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities


Abstract

The invention discloses a communication data security audit method and device for an industrial control system. The method comprises the steps of: parsing acquired communication data to determine the business behavior data contained in the communication data; determining, according to the business behavior data, the business rule set that the industrial control system must satisfy when the business behavior is executed; and judging whether the current state of the industrial control system satisfies the business rule set, and recording the result. When communication data is audited, the method and device determine not only the communication behavior of the communication data but also the business behavior that the communication behavior represents, so as to judge whether the business behavior complies with the corresponding business rules and to record the result. Consequently, when a problem occurs in the industrial control system, the communication data that caused it can be determined from the recorded communication data that do not comply with the business rules. Fault and threat investigation becomes more efficient, and time is saved for restoring the industrial control system as soon as possible.

Description

Communication data security audit method and device for an industrial control system
Technical field
The present invention relates to the field of industrial control security, and in particular to a communication data security audit method and device for an industrial control system.
Background art
In an industrial control system, the intelligent electronic devices (IEDs) communicate with one another through communication protocols. To make the behavior of the industrial control system traceable, to identify dangerous operations and to keep the system secure, the communication data in the industrial control system must be subjected to security audit.
Traditional security audit analyzes communication data according to the communication protocol, records the field information in it, and thereby forms an audit record of the communication behavior. This traditional method does not take the business functions of the industrial control system into account: it identifies communication behavior only from the communication primitives of the protocol and cannot recognize which business function of the industrial control system a given communication behavior represents, i.e. it cannot identify the business behavior behind the communication behavior. Nor does the traditional method consider the business rules of the industrial control system, so the business behavior represented by the communication behavior cannot be audited against business rules.
Because of these problems, conventional security audit methods can only audit the communication behavior in an industrial control system; they cannot identify business behavior or audit whether it satisfies business rules, and so cannot meet the security audit requirements of industrial control systems. The prior art simply identifies communication primitives to determine the communication behavior of the communication data, for example that the data reads or writes values at some node (IED). When a problem occurs in the industrial control system, the only way to find the communication data that caused it is to examine all recorded communication data one by one, so fault and threat investigation is inefficient. For industrial control systems with high real-time requirements this causes enormous losses.
Summary of the invention
Embodiments of the present invention provide a communication data security audit method and device for an industrial control system, in order to solve at least one of the technical problems described above.
In a first aspect, an embodiment of the present invention provides a communication data security audit method for an industrial control system, comprising: parsing acquired communication data to determine the business behavior data contained in the communication data; determining, according to the business behavior data, the business rule set that the industrial control system must satisfy when executing the business behavior; and judging whether the current state of the industrial control system satisfies the business rule set, and recording the result.
In a second aspect, an embodiment of the present invention further provides a communication data security audit device for an industrial control system, the device comprising:
a data parsing module, for parsing the acquired communication data to determine the business behavior data contained in the communication data;
a business rule set determining module, for determining, according to the business behavior data, the business rule set that the industrial control system must satisfy when executing the business behavior;
a judging and recording module, for judging whether the current state of the industrial control system satisfies the business rule set, and recording the result.
In a third aspect, an embodiment of the present invention provides a non-volatile computer-readable storage medium storing one or more programs that include executable instructions. The executable instructions can be read and executed by an electronic device (including but not limited to a computer, a server or a network device) to perform any of the above communication data security audit methods for an industrial control system.
In a fourth aspect, an electronic device is provided, comprising at least one processor and a memory communicatively connected to the at least one processor. The memory stores instructions executable by the at least one processor, and the instructions, when executed by the at least one processor, enable the at least one processor to perform any of the above communication data security audit methods for an industrial control system.
In a fifth aspect, an embodiment of the present invention further provides a computer program product comprising a computer program stored on a non-volatile computer-readable storage medium. The computer program includes program instructions which, when executed by a computer, cause the computer to perform any of the above communication data security audit methods for an industrial control system.
The beneficial effect of the embodiments of the present invention is that, when communication data is audited, not only the communication behavior of the communication data is determined but also the business behavior that the communication behavior represents, so that it can be judged whether the business behavior satisfies the corresponding business rule set, and the result recorded. Consequently, when a problem occurs in the industrial control system, the communication data that caused it can be determined from the recorded communication data that did not satisfy the business rules. This shortens the time needed to pinpoint the cause of a fault or threat, improves the efficiency of fault and threat investigation, and saves time for restoring the industrial control system as soon as possible.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below show some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of an embodiment of the communication data security audit method for an industrial control system of the present invention;
Fig. 2 is a flow chart of an embodiment of step S12 in Fig. 1;
Fig. 3 is a schematic structural diagram of the business function model in an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an example of the business function model in an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the business rule model in an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an example of the business rule model in an embodiment of the present invention;
Fig. 7 is a flow chart of an embodiment of step S13 in Fig. 1;
Fig. 8 is a structural block diagram of an embodiment of the communication data security audit device for an industrial control system of the present invention;
Fig. 9 is a structural block diagram of an embodiment of the business rule determining module of the communication data security audit device for an industrial control system of the present invention;
Fig. 10 is a structural block diagram of an embodiment of the judging and recording module of the communication data security audit device for an industrial control system of the present invention;
Fig. 11 is a schematic structural diagram of an embodiment of the electronic device of the present invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
It should be noted that the embodiments in this application, and the features in the embodiments, may be combined with one another where they do not conflict.
The present invention may be described in the general context of computer-executable instructions, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The present invention may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
In the present invention, "module", "device", "system" and the like refer to computer-related entities such as hardware, a combination of hardware and software, software, or software in execution. For example, an element may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program and/or a computer. Further, an application or script running on a server, or the server itself, may be an element. One or more elements may reside within an executing process and/or thread, and an element may be localized on one computer and/or distributed between two or more computers, and may be run from various computer-readable media. Elements may also communicate by way of local and/or remote processes according to a signal having one or more data packets, for example a signal from data interacting with another element in a local system, in a distributed system, and/or across a network such as the Internet with other systems.
Finally, it should also be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between them. Moreover, the terms "include" and "comprise" cover not only the listed elements but also other elements not expressly listed, or elements inherent to the process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes it.
As shown in Fig. 1, the communication data security audit method for an industrial control system of one embodiment of the present invention comprises:
S11, parsing the acquired communication data to determine the business behavior data contained in the communication data;
S12, determining, according to the business behavior data, the business rule set that the industrial control system must satisfy when executing the business behavior;
S13, judging whether the current state of the industrial control system satisfies the business rule set, and recording the result.
The method of this embodiment may be performed by a data security audit device. In step S11, the communication data in the industrial control system is acquired by connecting the data security audit device in parallel with a switch in the industrial control system. When auditing communication data, the method of this embodiment determines not only the communication behavior of the communication data but also the business behavior that the communication behavior represents, so that it can judge whether the business behavior satisfies the corresponding business rule set, and record the result (recording both the cases that satisfy and those that do not satisfy the business rule set). Consequently, when a problem occurs in the industrial control system, the communication data that caused it can be determined from the recorded communication data that did not satisfy the business rule set. This shortens the time needed to determine the cause of a fault or threat and saves time for restoring the industrial control system as soon as possible.
As shown in Fig. 2, in some embodiments the business behavior data at least includes a target intelligent electronic device identifier and an operation behavior identifier, and determining, according to the business behavior data, the business rule set that the industrial control system must satisfy when executing the business behavior (step S12) comprises:
S121, determining the business behavior according to the target intelligent electronic device identifier and the operation behavior identifier;
S122, determining the business rule set corresponding to the business behavior according to a pre-established business rule model.
In this embodiment, determining the business behavior in step S121 comprises: looking up the business behavior in a previously generated business function model according to the acquired target intelligent electronic device identifier and operation behavior identifier.
Fig. 3 is a schematic structural diagram of the pre-established business function model. An industrial control system consists of a number of IEDs, each with specific attributes and methods; organizing the IEDs of the industrial control system together with their attributes and methods yields the business function model of the industrial control system. The business function model in Fig. 3 contains multiple intelligent electronic devices IED-1, IED-2, ... IED-N (or IED1, IED2, ... IEDN), and a number of attributes and methods for each of them.
Fig. 4 shows a schematic structural diagram of one example of a business function model. The business function model of the industrial control system represented by this example contains two intelligent electronic devices, IED-1 and IED-2 (IED-1 and IED-2 are the unique identifiers of the devices, i.e. the target intelligent electronic device identifiers), each of which has several attributes and methods. The business function model defines a unique identifier (i.e. the operation behavior identifier) for each of these attributes and methods.
In the above embodiments, the business behavior represented by the communication data is determined from the target intelligent electronic device identifier and the operation behavior identifier obtained by parsing the communication data. For example, if parsing a communication packet yields the target intelligent electronic device identifier IED-1 and the operation behavior identifier YX1, the business behavior represented by this packet is an access to remote signalling 1 of intelligent electronic device IED-1; likewise, IED-1, YC1 identifies telemetry 1 of IED-1, and IED-1, YK1 identifies remote control 1 of IED-1. Attribute states (values) and method states (execution results) are stored in the business function model. Comparing the identifiers obtained by parsing with the previously generated business function model to determine the business behavior of a communication packet therefore greatly improves the efficiency of determining the business behavior of communication data. Moreover, because each intelligent electronic device has a unique identifier, and each of its operation behaviors has a unique operation behavior identifier, the accuracy of the business behavior determined for the communication data is also ensured.
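The business function model lookup described above (step S11 and step S121, Fig. 3 and Fig. 4), as an added Python example; this is not the patent's code. The record format "target IED, operation identifier, primitive, value" is a constructed stand-in for the fields a protocol parser would extract, the IED-3 and YX9 entries are constructed to show what happens when an identifier is not in the model, and YK2 as the identifier of IED-2 remote control 2 is an assumption. IED-1, IED-2, YX1, YX2, YC1 and YK1 follow the naming in the text.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class IED:
    """One intelligent electronic device as in Fig. 3/4. Attribute values and
    method execution results are kept in the model itself, as the text says."""
    ied_id: str
    attributes: Dict[str, Optional[object]] = field(default_factory=dict)
    methods: Dict[str, Optional[object]] = field(default_factory=dict)


@dataclass(frozen=True)
class BusinessBehaviour:
    """Access to one attribute (YX remote signalling, YC telemetry) or one
    method (YK remote control) of one IED."""
    ied_id: str
    op_id: str
    kind: str  # "attribute" or "method"


class BusinessFunctionModel:
    def __init__(self, ieds: List[IED]) -> None:
        self.ieds = {ied.ied_id: ied for ied in ieds}

    def identify(self, ied_id: str, op_id: str) -> Optional[BusinessBehaviour]:
        """Step S121: the pair (target IED identifier, operation identifier)
        names exactly one attribute or method, or nothing the model knows."""
        ied = self.ieds.get(ied_id)
        if ied is None:
            return None
        if op_id in ied.attributes:
            return BusinessBehaviour(ied_id, op_id, "attribute")
        if op_id in ied.methods:
            return BusinessBehaviour(ied_id, op_id, "method")
        return None

    def store(self, behaviour: BusinessBehaviour, value: object) -> None:
        """Keep the attribute value or method result so later rule checks can
        refer to it by the same identifiers."""
        ied = self.ieds[behaviour.ied_id]
        table = ied.attributes if behaviour.kind == "attribute" else ied.methods
        table[behaviour.op_id] = value


def parse_record(line: str) -> Tuple[str, str, str, Optional[str]]:
    """Constructed record format '<target IED> <operation> <primitive> [<value>]',
    standing in for the fields a protocol parser would extract."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed record: {line!r}")
    value = parts[3] if len(parts) > 3 else None
    return parts[0], parts[1], parts[2], value


def classify(model: BusinessFunctionModel, lines: List[str]) -> List[Tuple[str, str]]:
    """Return (record, business behaviour description) per record. Records the
    model cannot map are marked UNKNOWN rather than silently accepted."""
    out = []
    for line in lines:
        ied_id, op_id, primitive, value = parse_record(line)
        behaviour = model.identify(ied_id, op_id)
        if behaviour is None:
            out.append((line, "UNKNOWN"))
            continue
        if value is not None:
            model.store(behaviour, int(value) if value.isdigit() else value)
        out.append((line, f"{primitive} {behaviour.kind} {op_id} of {ied_id}"))
    return out


def build_model() -> BusinessFunctionModel:
    # Fig. 4-style model: IED-1 with YX1, YX2, YC1 and YK1 (from the text);
    # IED-2 with YX1 and YK2 (YK2 for remote control 2 is an assumed identifier).
    return BusinessFunctionModel([
        IED("IED-1", {"YX1": None, "YX2": None, "YC1": None}, {"YK1": None}),
        IED("IED-2", {"YX1": None}, {"YK2": None}),
    ])


SAMPLE_RECORDS = [  # constructed
    "IED-1 YX1 READ 1",
    "IED-1 YC1 READ 220",
    "IED-2 YK2 SELECT OK",
    "IED-3 YX1 READ 0",  # IED-3 is not in the model
    "IED-1 YX9 READ 1",  # YX9 is not defined for IED-1
]

if __name__ == "__main__":
    model = build_model()
    for record, description in classify(model, SAMPLE_RECORDS):
        print(f"{record:24} -> {description}")
```

The point of the UNKNOWN branch is that a packet addressing a device or identifier outside the model is itself audit-worthy: the traditional protocol-only audit would still record it as a valid read or write.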
Fig. 5 is a structural diagram of an embodiment of the business rule model in the embodiments of the present invention. The business rule model used in step S122 of the above embodiment is formed by establishing a correspondence between every business behavior in the industrial control system and its business rules. The business rule model of the industrial control system in Fig. 5 contains multiple business behaviors: business behavior 1, business behavior 2, ... business behavior N; each business behavior corresponds to multiple business rule groups, and each business rule group in turn contains a number of business rules.
Fig. 6 is a schematic structural diagram of one specific embodiment of a business rule model.
Business behavior: a business behavior is an access to an attribute or method of an IED in the business function model, such as IED1 remote control 1, IED2 remote control 2 select, or IED2 remote control 2 execute in Fig. 6.
Business rule: a business rule is a condition that must be satisfied for a certain business behavior to be executed. A business rule can be expressed as a logical expression, which may contain logical operators, numeric or string constants, mathematical operators or functions, the current date or time, and the attribute or method identifiers defined in the business function model.
The business rule model refers to the associated states in the business function model by means of the attribute or method identifiers defined there. To meet the security audit requirements of an industrial control system, the above embodiments design the business function model and the business rule model and use them to perform the security audit. The present embodiment pre-establishes the business function model and the business rule model of the industrial control system; when auditing the communication data in the industrial control system, it identifies the communication primitives according to the communication protocol (at least the target intelligent electronic device identifier and the operation behavior identifier), identifies the business behavior on the basis of the business function model, and then audits the reasonableness of the business behavior against the business rule model to produce the audit result. Thus the embodiments of the present invention not only audit and record the communication behavior corresponding to the communication data, but also audit and record the business behavior corresponding to the communication data and whether it satisfies the corresponding business rules. This makes the behavior of the industrial control system traceable, improves the efficiency and accuracy of investigating and identifying dangerous operations, and ensures the security of the industrial control system.
In some embodiments the business rule set includes multiple business rule groups, and a business rule group includes multiple business rules. A business rule group is judged true only when all of the business rules below it are true; if any one business rule is false, the business rule group is judged false.
When a business behavior is audited, it is deemed reasonable as long as any one of its corresponding business rule groups is judged true; if all of its business rule groups are judged false, the business behavior is deemed unreasonable.
As shown in Fig. 7, in some embodiments judging whether the current state of the industrial control system satisfies the business rule set, and recording the result, comprises:
S131, judging whether the current state of the industrial control system satisfies the multiple business rule groups;
S132, when the current state of the industrial control system is judged to satisfy any one business rule group, determining that the current state of the industrial control system satisfies the business rule set, and recording it;
S133, when the current state of the industrial control system is judged to satisfy none of the business rule groups, determining that the current state of the industrial control system does not satisfy the business rule set, and recording it.
In the business rule model example in Fig. 6, three business behaviors are defined, each corresponding to two business rule groups, and each business rule group contains some business rules. Business rule group 1 of business behavior IED-1 remote control 1 contains two business rules: the logical expression of rule 1 is YX1=1, meaning that remote signalling 1 of IED1 is in the closed position; the logical expression of rule 2 is YX2=0, meaning that remote signalling 2 of IED1 is in the open position. When auditing business behavior IED1 remote control 1, business rule group 1 is judged first; if it is not true, business rule group 2 is judged. To judge business rule group 1, business rule 1 is judged first; if it is true, business rule 2 is judged; if business rule 2 is also true, business rule group 1 is judged true, otherwise it is judged false. Business rule group 2 is then judged by the same process. As long as either business rule group 1 or business rule group 2 is true, the business behavior IED1 remote control 1 is judged reasonable; otherwise it is judged unreasonable.
In some embodiments the execution result of one business behavior is one of the multiple business rules that another business behavior must satisfy. As shown in Fig. 6, the execution result of business behavior IED-2 remote control 2 select is a business rule (rule 9 and rule 12 respectively) in business rule group 5 and business rule group 6, which correspond to business behavior IED-2 remote control 2 execute.
This embodiment thereby audits the reasonableness of associated business behaviors, and hence of interrelated communication packets, avoiding the drawback that auditing only the communication behavior of communication data cannot reveal threats present in associated communication data. For example, when the select operation of IED-2 remote control 2 fails, an execute operation of IED-2 remote control 2 that follows it violates the business rules of business behavior IED-2 remote control 2 execute; an audit based on communication behavior alone could not detect this threat. Because the embodiments of the present invention audit and record the business behaviors corresponding to the communication data against the business rules, they discover and record the associations between communication data, and can detect threats that a pure communication behavior audit cannot identify.
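The rule group evaluation of steps S131 to S133 and the associated select/execute check of Fig. 6, as an added Python example; this is not the patent's code. Rule 1 "YX1 = 1" and rule 2 "YX2 = 0" of group 1 follow the text, as does the fact that rule 9 (group 5) and rule 12 (group 6) are the result of the preceding select. The rules of group 2, the second rule in groups 5 and 6, the state key "IED-2.select2" for the select result, and all state values are constructed. The state is a flat dictionary standing in for the attribute values and method results that the business function model stores.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Flat snapshot of the states held in the business function model, keyed as
# "<IED>.<identifier>", e.g. "IED-1.YX1" -> 1. Constructed for this example.
State = Dict[str, object]


@dataclass
class Rule:
    """One business rule: a logical expression over the current state."""
    name: str
    predicate: Callable[[State], bool]


@dataclass
class RuleGroup:
    """A business rule group is true only when every rule in it is true."""
    name: str
    rules: List[Rule]

    def holds(self, state: State) -> bool:
        return all(rule.predicate(state) for rule in self.rules)


def equals(key: str, expected: object) -> Rule:
    """Rule of the form '<identifier> = <constant>', e.g. 'IED-1.YX1 = 1'."""
    return Rule(f"{key} = {expected!r}", lambda s: s.get(key) == expected)


# Business rule model (Fig. 5/6): business behaviour -> its rule groups.
RULE_MODEL: Dict[str, List[RuleGroup]] = {
    # IED-1 remote control 1. Group 1 is rule 1 'YX1 = 1' (signal 1 closed)
    # and rule 2 'YX2 = 0' (signal 2 open), as in the text. The text does not
    # list group 2's rules; the mirror-image pair is constructed here.
    "IED-1 remote control 1": [
        RuleGroup("group 1", [equals("IED-1.YX1", 1), equals("IED-1.YX2", 0)]),
        RuleGroup("group 2", [equals("IED-1.YX1", 0), equals("IED-1.YX2", 1)]),
    ],
    # IED-2 remote control 2 execute. Rule 9 (group 5) and rule 12 (group 6)
    # are the execution result of the preceding select, as in the text; the
    # second rule in each group and the key "IED-2.select2" are constructed.
    "IED-2 remote control 2 execute": [
        RuleGroup("group 5", [equals("IED-2.select2", "OK"), equals("IED-2.YX1", 1)]),
        RuleGroup("group 6", [equals("IED-2.select2", "OK"), equals("IED-2.YX1", 0)]),
    ],
}


def audit(behaviour: str, state: State, log: List[dict]) -> bool:
    """Steps S131-S133: the behaviour is compliant when any one of its rule
    groups holds (S132) and non-compliant when none does (S133). Both outcomes
    are recorded, as the text requires. A behaviour with no rule groups in the
    model has nothing that can make it compliant and is recorded as such."""
    groups = RULE_MODEL.get(behaviour, [])
    satisfied = [group.name for group in groups if group.holds(state)]
    compliant = bool(satisfied)
    log.append({"behaviour": behaviour, "compliant": compliant,
                "satisfied_groups": satisfied, "state": dict(state)})
    return compliant


def non_compliant(log: List[dict]) -> List[dict]:
    """The records an investigator starts from after an incident."""
    return [entry for entry in log if not entry["compliant"]]


def run_scenarios() -> List[dict]:
    """Four constructed audits over the Fig. 6 rules."""
    log: List[dict] = []
    # 1. Signal 1 closed, signal 2 open: group 1 true -> compliant.
    audit("IED-1 remote control 1", {"IED-1.YX1": 1, "IED-1.YX2": 0}, log)
    # 2. Both signals closed: group 1 fails on rule 2, group 2 on rule 1 -> non-compliant.
    audit("IED-1 remote control 1", {"IED-1.YX1": 1, "IED-1.YX2": 1}, log)
    # 3. The select of remote control 2 failed, then an execute arrives:
    #    rules 9 and 12 are both false, so the execute is recorded as non-compliant.
    audit("IED-2 remote control 2 execute", {"IED-2.select2": "FAIL", "IED-2.YX1": 1}, log)
    # 4. Select succeeded: group 5 holds -> compliant.
    audit("IED-2 remote control 2 execute", {"IED-2.select2": "OK", "IED-2.YX1": 1}, log)
    return log


if __name__ == "__main__":
    for entry in run_scenarios():
        verdict = "compliant" if entry["compliant"] else "NON-COMPLIANT"
        print(f"{entry['behaviour']:32} {verdict:14} groups={entry['satisfied_groups']}")
```

Scenario 3 is the case the text singles out: each execute packet is a well-formed protocol operation on its own, and only the rule that ties it to the result of the earlier select makes it stand out in the record.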
It should be noted that, for brevity, each of the above method embodiments is expressed as a series of combined actions, but those skilled in the art will know that the present invention is not limited by the described order of actions, since according to the present invention some steps may be performed in other orders or simultaneously. Those skilled in the art will also know that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of other embodiments.
As shown in Fig. 8, an embodiment of the present invention further provides a communication data security audit device 800 for an industrial control system, comprising:
a data parsing module 810, for parsing the acquired communication data to determine the business behavior data contained in the communication data;
a business rule set determining module 820, for determining, according to the business behavior data, the business rule set that the industrial control system must satisfy when executing the business behavior;
a judging and recording module 830, for judging whether the current state of the industrial control system satisfies the business rule set, and recording the result.
The device of this embodiment can perform the methods of the above embodiments of the present invention. The data parsing module 810 acquires the communication data in the industrial control system by connecting the data security audit device in parallel with a switch in the industrial control system. When auditing communication data, the device determines not only the communication behavior of the communication data but also the business behavior that the communication behavior represents, so as to judge whether the business behavior satisfies the corresponding business rules, and records the result (recording both the cases that satisfy and those that do not satisfy the business rules). Consequently, when a problem occurs in the industrial control system, the communication data that caused it can be determined from the recorded communication data that did not satisfy the business rules. This shortens the time needed to determine the cause of a fault or threat and saves time for restoring the industrial control system as soon as possible.
As shown in Figure 9, in some embodiments the business behaviour data at least includes a target intelligent electronic device identifier and an operation behaviour identifier;
the business rule set determining module 820 includes:
a business behaviour determining unit 821, configured to determine the business behaviour from the target intelligent electronic device identifier and the operation behaviour identifier;
a business rule determining unit 822, configured to determine the business rule set corresponding to the business behaviour from a pre-built business rule model.
In some embodiments, the business rule set includes multiple business rule groups, and each business rule group includes multiple business rules.
In some embodiments, the execution result of one business behaviour is itself one of the multiple business rules that another business behaviour must satisfy.
As shown in Figure 10, in some embodiments the judging and recording module 830 includes:
a rule group judging unit 831, configured to judge whether the current state of the industrial control system satisfies the multiple business rule groups;
a first execution unit 832, configured to determine, when the current state of the industrial control system is judged to satisfy any one business rule group, that the current state of the industrial control system satisfies the business rule set, and to record;
a second execution unit 833, configured to determine, when the current state of the industrial control system is judged to satisfy none of the business rule groups, that the current state of the industrial control system does not satisfy the business rule set, and to record.
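The pipeline of modules 810, 820 and 830 described above (parse the traffic, look up the rule set for the business behaviour, judge the current state against the rule groups and record both outcomes), including the chaining of one behaviour's execution result into another's rules and the any-group-satisfies-the-set logic of units 831 to 833, as an added Python example that is not part of the patent. The patent names no wire protocol, so the example assumes Modbus/TCP write requests as the captured communication data; the device names (breaker_ctrl_1, pump_vfd_2), the unit-id mapping, the rule contents and the sample frames are all constructed, and the AND-within-a-group semantics is an assumption the patent does not state.

```python
"""Business-rule audit of ICS traffic: parse -> rule-set lookup -> judge and
record, mirroring modules 810/820/830. Added example, not the patent's code.
ASSUMES Modbus/TCP writes (0x05/0x06) from a mirror port; all names constructed."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

UNIT_TO_IED = {1: "breaker_ctrl_1", 2: "pump_vfd_2"}  # assumed unit-id -> IED

@dataclass
class BusinessBehaviour:
    ied: str    # target intelligent electronic device identifier
    op: str     # operation behaviour identifier
    value: int  # value carried by the write

def parse_frame(frame: bytes) -> BusinessBehaviour:
    """Module 810: turn one Modbus/TCP write ADU into business behaviour data."""
    if len(frame) < 12:
        raise ValueError("frame too short")
    _tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    addr, value = struct.unpack(">HH", frame[8:12])
    kind = {0x05: "coil", 0x06: "reg"}.get(fc)  # write single coil / register
    if kind is None:
        raise ValueError(f"unsupported function code {fc:#x}")
    if fc == 0x05:
        value = 1 if value == 0xFF00 else 0     # coil ON is encoded as 0xFF00
    ied = UNIT_TO_IED.get(unit, f"unit_{unit}")
    return BusinessBehaviour(ied, f"write_{kind}_{addr}", value)

Rule = Tuple[str, Callable[[dict, BusinessBehaviour], bool]]
# Module 820's pre-built rule model (constructed): behaviour -> rule groups.
# Any satisfied group satisfies the set; ASSUMED: all rules in a group must hold.
RULE_MODEL: Dict[Tuple[str, str], List[List[Rule]]] = {
    ("breaker_ctrl_1", "write_coil_0"): [
        [("hmi_operator_present", lambda s, b: s.get("hmi_operator") is not None),
         ("sync_check_ok", lambda s, b: s.get("sync_check") is True)],
        [("maintenance_window", lambda s, b: s.get("maintenance_window") is True),
         ("dispatch_authorised", lambda s, b: s.get("dispatch_auth") is True)],
    ],
    ("pump_vfd_2", "write_reg_100"): [
        # the result of closing breaker 1 is itself a rule the pump start must meet
        [("breaker_1_closed", lambda s, b: s.get("breaker_1_closed") is True),
         ("setpoint_in_range", lambda s, b: 0 <= b.value <= 1500)],
    ],
}

@dataclass
class AuditRecord:
    behaviour: BusinessBehaviour
    compliant: bool
    satisfied_group: int     # index of the first satisfied group, or -1
    failed_rules: List[str]  # "g<i>:<rule>" for each failed rule when none held

class Auditor:
    """Modules 820/830: look up the rule set, judge the current state, record."""

    def __init__(self, rule_model, state: dict):
        self.rule_model, self.state = rule_model, state
        self.records: List[AuditRecord] = []

    def audit(self, frame: bytes) -> AuditRecord:
        b = parse_frame(frame)
        groups = self.rule_model.get((b.ied, b.op))
        if groups is None:  # no rule set for this behaviour: do not pass silently
            rec = AuditRecord(b, False, -1, ["no_rule_set"])
        else:
            sat, failed_all = -1, []
            for i, group in enumerate(groups):
                failed = [n for n, pred in group if not pred(self.state, b)]
                if not failed:
                    sat = i
                    break
                failed_all += [f"g{i}:{n}" for n in failed]
            rec = AuditRecord(b, sat >= 0, sat, [] if sat >= 0 else failed_all)
        self.records.append(rec)  # both outcomes are recorded
        # The device sits beside the switch and cannot block, so the write takes
        # effect whether or not it complied. ASSUMED: the request is taken as
        # executed; a real deployment would use the device response/telemetry.
        if (b.ied, b.op) == ("breaker_ctrl_1", "write_coil_0"):
            self.state["breaker_1_closed"] = bool(b.value)
        return rec

    def non_compliant(self) -> List[AuditRecord]:
        return [r for r in self.records if not r.compliant]

def modbus_write(unit: int, fc: int, addr: int, value: int) -> bytes:
    """Build a 12-byte Modbus/TCP write request (constructed sample traffic)."""
    return struct.pack(">HHHBBHH", 1, 0, 6, unit, fc, addr, value)

def demo() -> Auditor:
    state = {"hmi_operator": "op_wang", "sync_check": False,
             "maintenance_window": False, "dispatch_auth": False}
    a = Auditor(RULE_MODEL, state)
    a.audit(modbus_write(1, 0x05, 0, 0xFF00))   # close breaker: no group holds
    a.audit(modbus_write(2, 0x06, 100, 1200))   # start pump: breaker now closed
    a.audit(modbus_write(2, 0x06, 100, 3000))   # over-range setpoint
    return a
```

`demo().non_compliant()` returns the two records an incident responder would start from: the breaker close that satisfied neither rule group and the over-range pump setpoint. The observed write is applied to the tracked state regardless of compliance because a device deployed beside the switch cannot stop it; otherwise the rule for the second behaviour would be evaluated against a state the plant is no longer in.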
The communication data security audit device for an industrial control system of the embodiments of the present invention can be used to perform the communication data security audit method for an industrial control system of the embodiments of the present invention. The audit device of each embodiment corresponds to the audit method described in the respective embodiment and accordingly achieves the technical effect achieved by the communication data security audit method of the embodiments of the present invention, which is not repeated here.
The relevant functional modules in the embodiments of the present invention can be implemented by a hardware processor.
In another aspect, an embodiment of the present invention provides a non-volatile computer-readable storage medium storing one or more programs containing execution instructions. The execution instructions can be read and executed by an electronic device (including but not limited to a computer, server, or network device) to carry out the relevant steps of the above method embodiments, for example:
parsing the acquired communication data to determine the business behaviour data contained in the communication data;
determining, from the business behaviour data, the business rule set that the industrial control system must satisfy in order to execute the business behaviour;
judging whether the current state of the industrial control system satisfies the business rule set, and recording accordingly.
In another aspect, an embodiment of the present invention also discloses an electronic device, comprising:
at least one processor, and
a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions, when executed by the at least one processor, enable the at least one processor to:
parse the acquired communication data to determine the business behaviour data contained in the communication data;
determine, from the business behaviour data, the business rule set that the industrial control system must satisfy in order to execute the business behaviour;
judge whether the current state of the industrial control system satisfies the business rule set, and record accordingly.
Figure 11 is a hardware structure diagram of an electronic device, provided by another embodiment of the application, that executes the communication data security audit method for an industrial control system. As shown in Figure 11, the device includes:
one or more processors 1110 and a memory 1120; Figure 11 takes one processor 1110 as an example.
The device executing the communication data security audit method for an industrial control system may further include an input device 1130 and an output device 1140.
The processor 1110, memory 1120, input device 1130 and output device 1140 may be connected by a bus or in other ways; Figure 11 takes connection by a bus as an example.
The memory 1120, as a non-volatile computer-readable storage medium, can be used to store non-volatile software programs, non-volatile computer-executable programs and modules, such as the program instructions/modules corresponding to the communication data security audit method for an industrial control system in the embodiments of the application. By running the non-volatile software programs, instructions and modules stored in the memory 1120, the processor 1110 executes the various functional applications and data processing of the server, that is, implements the communication data security audit method for an industrial control system of the above method embodiments.
The memory 1120 may include a program storage area and a data storage area, where the program storage area can store the operating system and the application programs required by at least one function, and the data storage area can store data created according to the use of the communication data security audit device for an industrial control system. In addition, the memory 1120 may include high-speed random access memory and may also include non-volatile memory, for example at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some embodiments, the memory 1120 optionally includes memory located remotely from the processor 1110; such remote memory may be connected to the communication data security audit device for an industrial control system through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
The input device 1130 can receive input numeric or character information and generate signals related to user settings and function control of the communication data security audit device for an industrial control system. The output device 1140 may include a display device such as a display screen.
The one or more modules are stored in the memory 1120 and, when executed by the one or more processors 1110, perform the communication data security audit method for an industrial control system of any of the above method embodiments.
The above product can execute the method provided by the embodiments of the application and has the functional modules and beneficial effects corresponding to executing that method. For technical details not described in detail in this embodiment, refer to the method provided by the embodiments of the application.
The electronic device of the embodiments of the application exists in various forms, including but not limited to:
(1) Mobile communication devices: characterised by mobile communication functions, with voice and data communication as the main objective. This type of terminal includes smartphones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. This type of terminal includes PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: these can display and play multimedia content. This type of device includes audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-vehicle navigation devices.
(4) Servers: devices that provide computing services. A server comprises a processor, hard disk, memory, system bus and so on, and is architecturally similar to a general-purpose computer, but, because it must provide highly reliable services, has higher requirements for processing capability, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with data interaction functions.
The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by software plus a general-purpose hardware platform, and of course also by hardware. Based on this understanding, the above technical solutions, or the part of them that contributes to the related art, can be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions to cause a computer device (which may be a personal computer, server, network device, etc.) to perform the method described in each embodiment or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of the application, not to limit them. Although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the application.

Claims (11)

1. A communication data security audit method for an industrial control system, comprising:
parsing the acquired communication data to determine the business behaviour data contained in the communication data;
determining, from the business behaviour data, the business rule set that the industrial control system must satisfy in order to execute the business behaviour;
judging whether the current state of the industrial control system satisfies the business rule set, and recording accordingly.
2. The method according to claim 1, wherein the business behaviour data at least includes a target intelligent electronic device identifier and an operation behaviour identifier;
and determining, from the business behaviour data, the business rule set that the industrial control system must satisfy in order to execute the business behaviour comprises:
determining the business behaviour from the target intelligent electronic device identifier and the operation behaviour identifier;
determining the business rule set corresponding to the business behaviour from a pre-built business rule model.
3. The method according to claim 1, wherein the business rule set includes multiple business rule groups, and each business rule group includes multiple business rules.
4. The method according to claim 3, wherein the execution result of the business behaviour is one of the multiple business rules that another business behaviour must satisfy.
5. The method according to claim 3 or 4, wherein judging whether the current state of the industrial control system satisfies the business rule set, and recording accordingly, comprises:
judging whether the current state of the industrial control system satisfies the multiple business rule groups;
when the current state of the industrial control system is judged to satisfy any one business rule group, determining that the current state of the industrial control system satisfies the business rule set, and recording;
when the current state of the industrial control system is judged to satisfy none of the business rule groups, determining that the current state of the industrial control system does not satisfy the business rule set, and recording.
6. A communication data security audit device for an industrial control system, comprising:
a data parsing module, configured to parse the acquired communication data to determine the business behaviour data contained in the communication data;
a business rule set determining module, configured to determine, from the business behaviour data, the business rule set that the industrial control system must satisfy in order to execute the business behaviour;
a judging and recording module, configured to judge whether the current state of the industrial control system satisfies the business rule set, and to record accordingly.
7. The device according to claim 6, wherein the business behaviour data at least includes a target intelligent electronic device identifier and an operation behaviour identifier;
and the business rule set determining module includes:
a business behaviour determining unit, configured to determine the business behaviour from the target intelligent electronic device identifier and the operation behaviour identifier;
a business rule determining unit, configured to determine the business rule set corresponding to the business behaviour from a pre-built business rule model.
8. The device according to claim 6, wherein the business rule set includes multiple business rule groups, and each business rule group includes multiple business rules.
9. The device according to claim 8, wherein the execution result of the business behaviour is one of the multiple business rules that another business behaviour must satisfy.
10. The device according to claim 8 or 9, wherein the judging and recording module includes:
a rule group judging unit, configured to judge whether the current state of the industrial control system satisfies the multiple business rule groups;
a first execution unit, configured to determine, when the current state of the industrial control system is judged to satisfy any one business rule group, that the current state of the industrial control system satisfies the business rule set, and to record;
a second execution unit, configured to determine, when the current state of the industrial control system is judged to satisfy none of the business rule groups, that the current state of the industrial control system does not satisfy the business rule set, and to record.
11. An electronic device, comprising:
at least one processor, and
a memory communicatively connected to the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions, when executed by the at least one processor, enable the at least one processor to:
parse the acquired communication data to determine the business behaviour data contained in the communication data;
determine, from the business behaviour data, the business rule set that the industrial control system must satisfy in order to execute the business behaviour;
judge whether the current state of the industrial control system satisfies the business rule set, and record accordingly.
CN201611216266.5A 2016-12-26 2016-12-26 Communication data security audit method and device of industrial control system Active CN106651183B (en)


Publications (2)

Publication Number Publication Date
CN106651183A true CN106651183A (en) 2017-05-10
CN106651183B CN106651183B (en) 2020-04-10


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109741029A (en) * 2018-12-27 2019-05-10 广东电网有限责任公司 The building method and device in a kind of power grid enterprises' audit regulation storehouse
CN110008706A (en) * 2019-03-05 2019-07-12 烽台科技(北京)有限公司 Host Security method of state management, device and terminal device
CN110430187A (en) * 2019-08-01 2019-11-08 英赛克科技(北京)有限公司 Communication message method for auditing safely in industrial control system

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090271346A1 (en) * 2008-04-29 2009-10-29 Rockwell Automation Technologies, Inc. Library synchronization between definitions and instances
CN102413013A (en) * 2011-11-21 2012-04-11 北京神州绿盟信息安全科技股份有限公司 Method and device for detecting abnormal network behavior
CN103036886A (en) * 2012-12-19 2013-04-10 珠海市鸿瑞软件技术有限公司 Industrial controlling network safety protecting method
US20140380458A1 (en) * 2013-06-20 2014-12-25 Electronics And Telecommunications Research Institute Apparatus for preventing illegal access of industrial control system and method thereof
CN104376023A (en) * 2013-08-16 2015-02-25 北京神州泰岳软件股份有限公司 Auditing method and system based on logs
CN104683332A (en) * 2015-02-10 2015-06-03 杭州优稳自动化系统有限公司 Security isolation gateway in industrial control network and security isolation method thereof
CN105049228A (en) * 2015-06-12 2015-11-11 北京奇虎科技有限公司 Method and apparatus for auditing operation and maintenance operation
CN105279614A (en) * 2015-11-11 2016-01-27 上海熙菱信息技术有限公司 Business auditing system based on process and method thereof
CN105978745A (en) * 2016-07-27 2016-09-28 福州福大自动化科技有限公司 Abnormal state monitoring method for industrial control system
CN106209870A (en) * 2016-07-18 2016-12-07 北京科技大学 A kind of Network Intrusion Detection System for distributed industrial control system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant