CN106656960A - Hilscher-based credible data acquisition system and method - Google Patents

Hilscher-based credible data acquisition system and method Download PDF

Info

Publication number: CN106656960A
Application number: CN201610860497.3A
Authority: CN (China)
Prior art keywords: data, module, encryption, hilscher, chips
Legal status: Granted (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN106656960B (en)
Inventors: 戎豫, 胡波, 马绍彪, 张洪利
Current assignee: BEIJING CHENJI GUOTAI TECHNOLOGY Co Ltd (as listed; not legally verified)
Original assignee: BEIJING CHENJI GUOTAI TECHNOLOGY Co Ltd
Application filed by BEIJING CHENJI GUOTAI TECHNOLOGY Co Ltd; priority to CN201610860497.3A
Publication of CN106656960A; application granted and published as CN106656960B
Current legal status: Active

Classifications

    • H04L 69/08: Protocols for interworking; protocol conversion (under H04L 69/00, network arrangements, protocols or services independent of the application payload; H04L, transmission of digital information; H04, electric communication technique; H, electricity)
    • G06F 16/21: Design, administration or maintenance of databases (under G06F 16/20, information retrieval and database structures for structured data, e.g. relational data; G06F 16/00, information retrieval, database structures and file system structures; G06F, electric digital data processing; G06, computing, calculating or counting; G, physics)
    • H04L 63/0428: Network architectures or protocols for network security providing a confidential data exchange among entities communicating through packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload (under H04L 63/04 and H04L 63/00)
    • H04L 63/12: Network architectures or protocols for network security applying verification of the received information (under H04L 63/00)

Abstract

The invention provides a Hilscher-based trusted data acquisition system and method. The system comprises a DP master station module, a protocol conversion module, a data encryption module and a host computer. The DP master station module consists of a Hilscher chip, at least one Profibus-DP interface used to connect PLC slave stations, and a Hilscher master-slave station communication interface. The protocol conversion module comprises a processor, a communication interface assembly and a VPC3+C slave station protocol chip. The data encryption module comprises a received-data processing module used to receive the data transmitted from the protocol conversion module, and an encrypted-transmission data processing module used to encrypt the data and transmit the encrypted data to the host computer. The host computer comprises a decryption USBKEY module and a dual-redundant real-time database.

Description

Hilscher-based trusted data acquisition system and method
Technical field
The present invention relates to the technical field of data processing, and in particular to a Hilscher-based trusted data acquisition system and method.
Background technology
With the development of computer and network technologies, the deep integration of industrialization and informatization has become an inevitable trend of scientific and technological development. This trend is mainly reflected in the rapid development of the Internet of Things and in industrial control products increasingly being combined with general-purpose protocols, software and hardware. While this brings opportunities for development, it also creates security risks for industrial control system data. According to statistics, the manufacturers most affected by disclosed industrial control system vulnerabilities include Siemens, Emerson, Schneider and General Electric; SCADA systems account for 40% of these vulnerabilities and PLCs for 30%, and a series of industrial control security incidents have occurred, so industrial control system security faces severe challenges. However, industrial control system security is currently in a state of being "hot outside, cold inside": compared with other countries, the domestic level of investment in manpower and material resources is far lower, and the main reason for this phenomenon is insufficient attention.
Because reliable and stable operation of the host computer database is also an important link in industrial control system security, some commercial manufacturers have taken certain protective measures, such as installing industrial firewalls and intrusion detection systems; but because of the actual complexity and breadth of industrial control systems, and because no targeted measures are taken, the protective effect is limited. In addition, the credibility of the collected data cannot be guaranteed after transmission: even if the data is tampered with during transmission, this cannot be detected in time. Furthermore, the protective measures the host computer mainly relies on are still generic information security technologies, which cannot take specific measures against attacks with industrial control system characteristics, and this is a major potential safety hazard.
Summary of the invention
In view of the above drawbacks, the purpose of the embodiments of the present invention is to propose a Hilscher-based trusted data acquisition system and method.
To achieve the above object, an embodiment of the present invention proposes a Hilscher-based trusted data acquisition system, including: a DP master station module, a protocol conversion module, a data encryption module and a host computer;
wherein the DP master station module includes: a Hilscher chip, at least one Profibus-DP interface used to connect PLC slave stations, and a Hilscher master-slave station communication interface; the Hilscher chip connects at least one PLC slave station device through the Profibus-DP interface to collect Profibus-protocol data from the Profibus bus of the PLC slave station devices, and sends it to the protocol conversion module through the Hilscher master-slave station communication interface;
the protocol conversion module includes: a processor, a communication interface assembly and a VPC3+C slave station protocol chip; the processor is connected to the DP master station module through the communication interface assembly to receive the Profibus-protocol data from the DP master station module, converts the Profibus-protocol data into Modbus-protocol and/or TCP/IP-protocol data by means of the VPC3+C slave station protocol chip, and sends it to the data encryption module;
the data encryption module includes: a received-data processing module for receiving the data sent by the protocol conversion module, and an encrypted-transmission data processing module for encrypting the data and sending the encrypted data to the host computer;
the host computer includes: a decryption USBKEY module and a dual-redundant real-time database; the decryption USBKEY module is provided with a decryption chip with a built-in decryption program, is connected to the host computer through a USB interface, and decrypts the encrypted data sent by the data encryption module; the dual-redundant real-time database includes an AicDataHub industrial real-time database and an Agilor industrial real-time database in a redundant backup configuration, for storing the decrypted data.
Further, the host computer also includes a Snort intrusion detection module, which monitors the data collection port of the dual-redundant real-time database and compares the data characteristics of the dual-redundant real-time database with the characteristics in a preset Snort rule base to determine whether there is intrusion behaviour.
Further, the host computer also includes a data management interface connected to the dual-redundant real-time database, through which functions such as user permission management, remote access, data query, data analysis and data screening are realized.
Further, when the Hilscher chip of the DP master station module receives the Profibus-protocol data, it judges whether this is the first data transmission with the PLC slave station; if so, the following initialization procedure is performed to explicitly establish a connection:
Step 1: the DP master station module sends an Initiate-REQ-PDU message to the dedicated service access point of the PLC slave station;
Step 2: the PLC slave station determines whether an available service access point exists; if so, it jumps to step 3; if not, it continues to wait for the next command and the procedure ends;
Step 3: the PLC slave station sends an RM-REQ-PDU message to the DP master station module, the RM-REQ-PDU message including the available service access point; the DP master station module stores the available service access point information and at the same time sends a pre-connection message to the PLC slave station in polling mode and waits for the PLC slave station's response;
Step 4: the PLC slave station sends an Initial message to the PLC slave station application program, receives the response message of the PLC slave station application program and forwards it to the DP master station module;
Step 5: the DP master station module parses the response message; if the response message agrees to establish the connection, the DP master station module establishes the connection with the PLC slave station and performs data exchange, then explicitly disconnects after the data exchange is completed, completing the data collection; if the response message refuses to establish the connection, the procedure ends.
Further, the protocol conversion module specifically includes: a processor, a VPC3+C slave station protocol chip, a power module, an RS-232 interface, an RS-485 interface, an Ethernet interface and a JTAG module;
the processor is an LPC1788FBD208 chip, which is connected to a 12 MHz crystal oscillator;
the VPC3+C slave station protocol chip communicates with the Hilscher chip and is connected to the processor of the protocol conversion module; the baud rate of the VPC3+C slave station protocol chip is 115200 bps, and the VPC3+C slave station protocol chip is connected to a 48 MHz crystal oscillator;
the input voltage of the power module is 24 V, and the output of the power module is connected to an LM2576 chip and an LM1117-3.3/SOT223 chip respectively, which provide output voltages of 5 V and 3.3 V;
the RS-232 interface is used to connect an external computer so that the computer can communicate with the processor;
the RS-485 interface is provided with an ADM2486 isolated transceiver and serves as the Modbus protocol interface for sending Modbus-protocol data;
the Ethernet interface is provided with a DP83848 controller to convert the output signal into TCP/IP-protocol data, and is connected to the data encryption module through an HR911103A interface;
the JTAG module is used to connect an external debugger.
Further, the data encryption module includes: a data receiving network interface, a received-data processing module, an encrypted-transmission data processing module and a data sending network interface;
the data receiving network interface is connected to the protocol conversion module, and the received data is processed by the received-data processing module; the received-data processing module is an STM32F107 chip;
the data sending network interface is connected to the host computer; the data processed by the received-data processing module is encrypted by the encrypted-transmission data processing module and then sent to the host computer; the encrypted-transmission data processing module includes an STM32F107 chip and an encryption chip;
the data receiving network interface and the data sending network interface are both connected to DP83848 Ethernet physical layer controllers, and the received-data processing module and the encrypted-transmission data processing module communicate through high-speed SPI serial communication.
Further, the data encryption module also includes a power module, two SWD interfaces and a USB interface; the two SWD interfaces are connected respectively to the STM32F107 chip of the received-data processing module and the STM32F107 chip of the encrypted-transmission data processing module for program download, and the USB interface is connected to the encrypted-transmission data processing module for program download to the encryption chip.
The input voltage of the power module is 24 V, and the output of the power module is connected to an LM2576 chip and an LM1117-3.3/SOT223 chip respectively, which provide output voltages of 5 V and 3.3 V.
Meanwhile, an embodiment of the present invention also proposes a method for trusted data collection using the Hilscher-based trusted data acquisition system according to any of the above, including:
collecting Profibus-protocol data from the Profibus bus connected to the PLC slave station devices through the DP master station module;
converting the Profibus-protocol data into Modbus-protocol and/or TCP/IP-protocol data through the protocol conversion module;
encrypting the data from the protocol conversion module through the data encryption module and sending it to the host computer;
after the host computer performs intrusion detection on the received encrypted data and decrypts it through the decryption USBKEY module, storing the data in the dual-redundant real-time database.
The above technical solution of the present invention has the following beneficial effects: in the above technical solution.
Description of the drawings
Fig. 1 is a structural block diagram of the Hilscher-based trusted data acquisition system of an embodiment of the present invention;
Fig. 2 is a system architecture diagram of the protocol conversion module of an embodiment of the present invention;
Fig. 3 is a flow chart of the initialization procedure by which the protocol conversion module of an embodiment of the present invention explicitly establishes a connection;
Fig. 4 is a system architecture diagram of the data encryption module of an embodiment of the present invention;
Fig. 5 is a flow chart of the data encryption of an embodiment of the present invention;
Fig. 6 is a system architecture diagram of the host computer of an embodiment of the present invention;
Fig. 7 is a flow chart of the Snort intrusion detection of an embodiment of the present invention;
Fig. 8 is a structural block diagram of the dual-redundant real-time database of an embodiment of the present invention.
Specific embodiment
To make the technical problems to be solved, the technical solutions and the advantages of the present invention clearer, they are described in detail below with reference to the accompanying drawings and specific embodiments.
To achieve trusted Profibus-DP data collection, improve the security of data transmission and storage, and at the same time ensure stable and reliable operation of the system, the present invention proposes a trusted data acquisition system that fuses several technologies, including data acquisition, transmission and storage; the system can convert Profibus-DP protocol data into various data formats for data acquisition by the host computer.
The principle of the embodiment of the present invention is that an LPC1788FBD208 chip controls the Profibus protocol chip VPC3+C to convert the Profibus-DP bus data collected by the Hilscher chip into TCP/IP-protocol data output from a network interface; the output data is encrypted by the data encryption module and then sent to the PC end for decryption, and the data is collected by the dual-redundant real-time database, so that trusted data is obtained; finally, the SCADA end manages and displays the data. Meanwhile, the embodiment of the present invention designs Snort intrusion detection at the host computer end to further ensure data security.
The Hilscher-based trusted data acquisition system proposed by the embodiment of the present invention includes a DP master station module, a protocol conversion module, a data encryption module, a decryption USBKEY module, a dual-redundant real-time database, a Snort intrusion detection module and a data management interface.
In operation, the DP master station module receives data from at least one PLC slave station device; the protocol conversion module then sends the data as TCP/IP-protocol data to the data receiving network interface of the data encryption module; the data encryption module encrypts the data to generate ciphertext, and then sends the ciphertext to the PC end.
Specifically: the DP master station module adopts the DPV1 Class 2 communication mode and includes a Profibus-DP interface, a Hilscher chip and at least one Hilscher master-slave station communication interface; the Hilscher chip connects at least one PLC slave station device through the Hilscher master-slave station communication interface, collects the bus data and stores it in a dual-port register, and then communicates with the protocol conversion module through the Profibus-DP interface.
The protocol conversion module includes a power module, a processor, two RS-232 interfaces, one RS-485 interface, one Ethernet interface, a VPC3+C slave station protocol chip and a JTAG module. The protocol conversion module acts as a DP slave station: the processor controls the VPC3+C slave station protocol chip to communicate with the Hilscher chip, converts the data from the Profibus protocol into the Modbus protocol and the TCP/IP protocol, and then sends the data to the data encryption module.
As shown in Fig. 2, the protocol conversion module specifically includes:
a power module with an input voltage of 24 V, which provides output voltages of 5 V and 3.3 V through an LM2576 chip and an LM1117-3.3/SOT223 chip respectively;
a processor, which is an LPC1788FBD208 chip, a microcontroller based on the ARM Cortex-M3 with the characteristics of high integration and low power consumption;
an RS-232 interface, which connects a computer so that the computer can communicate with the processor;
an RS-485 interface, which is the Modbus protocol interface used to send Modbus-protocol data and is connected to an ADM2486 isolated transceiver;
an Ethernet interface, which is connected to a DP83848 controller to convert the output signal into TCP/IP-protocol data;
a VPC3+C slave station protocol chip, which communicates with the Hilscher chip of the protocol conversion module and thereby enables the development of an intelligent slave station. The VPC3+C slave station protocol chip can adapt automatically to baud rates from 9.6 kbps to 12 Mbps; the embodiment of the present invention uses a baud rate of 115200 bps.
Since the operating voltage of both the LPC1788FBD208 processor chip and the VPC3+C slave station protocol chip is 3.3 V, better anti-interference performance is obtained than with a 5 V supply. The LPC1788FBD208 chip and the VPC3+C slave station protocol chip are connected to 12 MHz and 48 MHz crystal oscillators respectively.
The protocol conversion module converts the Profibus protocol into the Modbus protocol and the TCP/IP protocol. Modbus-protocol data is output through the RS-485 interface 11 after being processed by the isolated half-duplex ADM2486 transceiver; TCP/IP-protocol data is output to the data encryption module through the HR911103A interface of the Ethernet interface 12 after being processed by the DP83848 Ethernet physical layer controller chip. The two RS-232 interfaces 10 are used during debugging for communication between the computer and the LPC1788FBD208 processor chip through a MAX232 level conversion chip.
After the VPC3+C slave station protocol chip of the protocol conversion module obtains data from the Hilscher chip of the DP master station module, the following operations shown in Fig. 3 are performed:
It is judged whether this is the first data transmission; if so, an initialization procedure needs to be performed to explicitly establish a connection. The establishment procedure includes:
Step 1: the DP master station module sends an Initiate-REQ-PDU message to the dedicated service access point of the PLC slave station;
Step 2: the PLC slave station determines whether an available service access point exists; if so, it jumps to step 3; if not, it continues to wait for the next command and the procedure ends;
Step 3: the PLC slave station sends an RM-REQ-PDU message to the DP master station module, the RM-REQ-PDU message including the available service access point; the DP master station module stores the available service access point information and at the same time sends a pre-connection message to the PLC slave station in polling mode and waits for the PLC slave station's response;
Step 4: the PLC slave station sends an Initial message to the PLC slave station application program, receives the response message of the PLC slave station application program and forwards it to the DP master station module;
Step 5: the DP master station module parses the response message; if the response message agrees to establish the connection, the DP master station module establishes the connection with the PLC slave station and performs the data "Read", "Write" and "Data Transport" operations, then explicitly disconnects after the data exchange is completed, completing the data collection; if the response message refuses to establish the connection, the procedure ends.
As shown in Fig. 4, the data encryption module includes a power module, a data receiving network interface, a received-data processing module, an encrypted-transmission data processing module, a data sending network interface, a running LED, two SWD interfaces and one USB interface. The received-data processing module may be an STM32F107 chip. The encrypted-transmission data processing module may be an STM32F107 chip together with an encryption chip.
Specifically: the power module supplies power to the data encryption module; the protocol conversion module (2) sends data to the data receiving network interface through the TCP/IP protocol; the received-data processing module, implemented with an STM32F107 chip, passes the data to the encrypted-transmission data processing module, which is implemented with an STM32F107 chip and an encryption chip; after encryption, the ciphertext is sent to the PC end through the data sending network interface. The power module provides 5 V and 3.3 V supplies; the data receiving network interface and the data sending network interface are both supported by DP83848 Ethernet physical layer controllers; data exchange between the received-data processing module and the encrypted-transmission data processing module uses high-speed SPI serial communication; the running LED shows the running state of the data encryption module (3); the two SWD interfaces are used respectively for program download to the two STM32F107 chips, and the USB interface is used for program download to the encryption chip.
As shown in Fig. 1, the system also includes a host computer connected to the data encryption module; the host computer includes a decryption USBKEY module, a dual-redundant real-time database, a Snort intrusion detection module and a data management interface.
The decryption USBKEY module includes a running indicator and a decryption chip. Data encrypted by the data encryption module needs to be decrypted in the driver layer of the dual-redundant real-time database, after which the data is delivered to the real-time database in the form of channels for subsequent operations. The decryption USBKEY module is powered by the host computer and connected to the USB interface of the host computer; the decryption program is solidified in the decryption chip to decrypt the data, and the indicator lamp indicates the current running state.
In the embodiment of the present invention, the dual-redundant real-time database is developed as a program based on Visual Studio 2012 and adopts an AicDataHub industrial real-time database and an Agilor industrial real-time database in a redundant configuration, the purpose being to achieve failover. When the AicDataHub industrial real-time database fails in operation, the Agilor industrial real-time database is automatically enabled to take over the data storage and management functions, and the whole process is transparent to the user.
The Snort intrusion detection module performs Snort intrusion detection to monitor application layer services, network traffic, logs and user behaviour, and to monitor whether critical files have been altered. Snort intrusion detection mainly monitors the data collection port of the real-time database and compares the data characteristics against the Snort rule base to determine whether there is intrusion behaviour; if intrusion behaviour is found, an alarm is issued, thereby providing protection against attacks with the characteristics of a specific industrial control system.
The data management interface provides a human-computer interaction interface to realize functions such as user permission management, remote access, data query, data analysis and data screening. Through the data management interface the user can connect to the dual-redundant real-time database to obtain data, realize human-computer interaction and monitor the industrial control process in real time.
As shown in Fig. 1, the Hilscher-based trusted data acquisition system includes a DP master station module (1), a protocol conversion module (2), a data encryption module (3) and a host computer (4). The DP master station module (1) includes a Profibus slave station device interface (5), a Hilscher chip (6) and a master-slave station communication interface (7); the protocol conversion module (2) mainly includes a processor (8), a Profibus communication protocol chip (9), two RS232 interfaces (10), one RS485 interface (11) and one network interface (12); the data encryption module (3) mainly consists of a received-data processing module (13), a transmission data processing module (14) and an encryption chip (15); the host computer (4) mainly consists of an intrusion detection module (16), a decryption USBKEY (17), a dual-redundant real-time database (18) and a data management interface (19).
As shown in Fig. 2, the input voltage of the protocol conversion module is 24 V, and the voltage module outputs 5 V and 3.3 V through an LM2576 and an LM1117-3.3/SOT223 respectively. The processor (8) is the LPC1788FBD208 single-chip microcomputer, a microcontroller based on the ARM Cortex-M3 with the characteristics of high integration and low power consumption. In this example the single-chip microcomputer controls the Profibus communication protocol chip (9) VPC3+C to communicate with the Hilscher chip (6), thereby enabling the development of an intelligent slave station; the VPC3+C can adapt automatically to baud rates from 9.6 kbps to 12 Mbps, and this example uses a baud rate of 115200 bps. The LPC1788FBD208 single-chip microcomputer and the VPC3+C chip are both powered at 3.3 V, which gives better anti-interference performance than a 5 V supply. The single-chip microcomputer and the VPC3+C are connected to 12 MHz and 48 MHz crystal oscillators respectively. The protocol conversion converts the Profibus protocol into the Modbus protocol and the TCP/IP protocol: Modbus-protocol data is output through the RS-485 interface (11) after the isolated half-duplex RS-485 transceiver ADM2486; TCP/IP-protocol data is output to the encryption module through the HR911103A of the network interface (12) after the DP83848 Ethernet physical layer controller chip. The two RS-232 interfaces (10) are used for communication between the computer and the single-chip microcomputer during debugging; their level conversion chip is a MAX232.
As shown in Fig. 3, the intelligent slave station developed with the communication protocol chip (9) VPC3+C communicates with the Hilscher chip (6) acting as master station to obtain data. Master station and slave station configuration is performed, first determining whether this is the first data transmission; if so, an initialization procedure needs to be performed to explicitly establish a connection. The connection establishment procedure is as follows: 1) the master station sends an Initiate-REQ-PDU to the dedicated service access point of the slave station; 2) the slave station determines whether an available service access point exists; if so, it returns that point to the master station and at the same time sends an Initial message to the slave station application program, otherwise it continues to wait for the next command; 3) the slave station sends an RM-REQ-PDU message to the master station; 4) the master station stores the service point information and at the same time sends a pre-connection message in polling mode and waits for the slave station's response; 5) the slave station receives the response message of the slave station application program and forwards it to the master station; if the response is affirmative the connection is established, otherwise connection establishment fails. Only after the connection is established can the data "Read", "Write" and "Data Transport" services be performed; after the data exchange is completed the connection is explicitly disconnected, the master-slave station communication ends, and the data collection is completed.
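The following is an added example, not code from the patent, from Hilscher or from the assignee: a model of the explicit connection establishment described above (in the summary and again here), with the master and slave sides as functions exchanging constructed messages. It does not encode real Profibus PDUs; the message kinds, the number of service access points, the dedicated SAP number, the polling bound and the application's accept/refuse decision are all assumptions for illustration. Beyond the page's steps it bounds the step 3 polling and validates the SAP the slave offers, so an unresponsive or misbehaving slave cannot hang the master.

```c
#include <stdbool.h>
#include <stdio.h>

/* Message kinds of the handshake; names follow the page, encoding is constructed. */
enum msg_type { MSG_NONE, MSG_INITIATE_REQ, MSG_RM_REQ, MSG_PRE_CONNECT,
                MSG_INITIAL, MSG_APP_RESPONSE };

struct msg { enum msg_type type; int sap; bool accept; };

#define SAP_COUNT 8       /* assumption: service access points per slave */
#define SAP_DEDICATED 0   /* assumption: the SAP that receives Initiate-REQ-PDU */

struct slave {
    bool sap_free[SAP_COUNT];
    bool app_accepts;   /* what the slave application program answers in step 4 */
    int  polls_needed;  /* constructed: pre-connection polls before the application answers */
    int  polls_seen;
    bool connected;
    int  services;      /* Read / Write / Data Transport services served */
};

struct master { bool connected; int stored_sap; int collections; };

enum result { RES_COLLECTED, RES_NO_SAP, RES_BAD_SAP, RES_REFUSED, RES_POLL_TIMEOUT };

void slave_init(struct slave *s, bool app_accepts, int polls_needed)
{
    for (int i = 0; i < SAP_COUNT; i++) s->sap_free[i] = true;
    s->app_accepts = app_accepts; s->polls_needed = polls_needed;
    s->polls_seen = 0; s->connected = false; s->services = 0;
}

/* Steps 2-3, slave side: answer Initiate-REQ-PDU on the dedicated SAP with an RM-REQ-PDU
 * naming an available SAP, or MSG_NONE when none is free (slave waits for the next command). */
static struct msg slave_on_initiate(struct slave *s, struct msg in)
{
    struct msg out = { MSG_NONE, -1, false };
    if (in.type != MSG_INITIATE_REQ || in.sap != SAP_DEDICATED) return out;
    for (int i = 1; i < SAP_COUNT; i++)        /* SAP 0 is dedicated, never handed out */
        if (s->sap_free[i]) { out.type = MSG_RM_REQ; out.sap = i; return out; }
    return out;
}

/* Step 4, slave side: a pre-connection poll is forwarded as an Initial message to the
 * application, which answers only after polls_needed polls (constructed timing). */
static struct msg slave_on_preconnect(struct slave *s, struct msg in)
{
    struct msg out = { MSG_NONE, in.sap, false };
    if (in.type != MSG_PRE_CONNECT || in.sap <= 0 || in.sap >= SAP_COUNT || !s->sap_free[in.sap])
        return out;                              /* poll for a SAP never offered: ignored */
    if (++s->polls_seen < s->polls_needed) return out;   /* application still silent */
    out.type = MSG_APP_RESPONSE;
    out.accept = s->app_accepts;
    if (out.accept) { s->connected = true; s->sap_free[in.sap] = false; }
    return out;
}

/* Steps 1-5 from the master's side, then the data services and the explicit disconnect.
 * A handshake is needed whenever no connection exists (the first transmission, and after
 * every explicit disconnect). poll_limit bounds the step 3 polling. */
enum result master_collect(struct master *m, struct slave *s, int poll_limit)
{
    if (!m->connected) {
        struct msg init = { MSG_INITIATE_REQ, SAP_DEDICATED, false };  /* step 1 */
        struct msg rm = slave_on_initiate(s, init);                      /* steps 2-3 */
        if (rm.type != MSG_RM_REQ) return RES_NO_SAP;
        if (rm.sap <= 0 || rm.sap >= SAP_COUNT) return RES_BAD_SAP;   /* validate the offered SAP */
        m->stored_sap = rm.sap;                                         /* master stores the SAP */
        struct msg resp = { MSG_NONE, rm.sap, false };
        for (int polls = 0; resp.type == MSG_NONE; polls++) {          /* step 3: polling mode */
            if (polls >= poll_limit) return RES_POLL_TIMEOUT;
            struct msg pre = { MSG_PRE_CONNECT, rm.sap, false };
            resp = slave_on_preconnect(s, pre);                         /* step 4 */
        }
        if (!resp.accept) return RES_REFUSED;                           /* step 5: refused */
        m->connected = true;
    }
    s->services += 3;          /* Read, Write, Data Transport (modelled as a counter) */
    m->collections++;
    m->connected = false;      /* explicit disconnect: release the connection and the SAP */
    s->connected = false;
    s->sap_free[m->stored_sap] = true;
    s->polls_seen = 0;
    return RES_COLLECTED;
}

int main(void)
{
    struct slave s; slave_init(&s, true, 2);
    struct master m = { false, -1, 0 };
    printf("result=%d collections=%d\n", (int)master_collect(&m, &s, 5), m.collections);
    return 0;
}
```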
As shown in figure 4, data encryption module (3) the system architecture almost symmetry, the receiving data processing module (13) mainly it is made up of network interface, DP83848 ethernet physical layer control chips, ARM series STM32F107 chips, data pass through Network interface collects chip;Transmission data processing module (14) system architecture and receiving data processing module (13) phase Together, described transmission be sent to after the data encryption that data processing module (14) communicates acquisition with the encryption chip (15) upper Machine, two chips data exchange is by direct-connected high speed SPI mouth.Wherein, two pieces of STM32F107 chips be furnished with SR and SWD download program mouths, SWD interfaces are more stable in high speed mode, chip crystal oscillator frequency 25MHz;Encryption chip is furnished with USB journeys Sequence downloads mouth, and crystal oscillator frequency is 4MHz, and run indicator can show that working condition residing for encryption chip is idle or busy.
As shown in Figure 5, the data encryption flow between the STM32F107 chip of the transmitting data processing module (14) and the encryption chip (15) is as follows. Encryption test data is sent first. If the encryption chip is busy, the encryption test data is sent again after a delay; when the encryption chip is idle, it is checked that the encryption chip is working normally. If it is, the data to be encrypted is sent after a delay, the operating state of the chip is checked again until it is idle, and the ciphertext is then read, completing the encryption of that data item. The flow then checks for the idle state again and encrypts the next data item. Throughout the whole process the encryption test data is sent only once, before the first encryption.
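The host-side flow described above (test data once, retry while busy, wait for idle, read ciphertext) as an added example with a simulated encryption chip and the matching USBKEY-side decryption. This is not code from the patent or from any chip vendor: the page does not name the chip's cipher, so the keystream cipher used here (SHA-256 in counter mode) is a stand-in that lets the round trip be checked offline, not the real algorithm, and the test vector, the 8-byte nonce prefix and the "busy for N polls" timing are assumptions of this example. Note that this stand-in, like the description on the page, provides confidentiality only; a deployment would also want an integrity check (an authenticated cipher or a MAC) over the ciphertext before the host accepts it.

```python
"""Host-side encryption flow of Figure 5 (STM32F107 <-> encryption chip) with a
simulated chip, plus the USBKEY-side decryption. Added example, not the
patent's code; the cipher is a stand-in, not the real chip's algorithm."""

import hashlib

IDLE, BUSY = "idle", "busy"
TEST_VECTOR = b"ENCRYPTION-SELFTEST"   # assumed test data sent before first use


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class EncryptionChip:
    """Simulated chip: stays BUSY for `latency` polls after each accepted job."""
    def __init__(self, key: bytes, latency: int = 2):
        self.key, self.latency = key, latency
        self.state, self._ticks = IDLE, 0
        self._plain, self._nonce = None, 0
        self.ciphertext = None
        self.jobs = 0

    def submit(self, plaintext: bytes) -> bool:
        """Accept a job only when idle; the caller must retry otherwise."""
        if self.state == BUSY:
            return False
        self.state, self._ticks, self._plain = BUSY, 0, plaintext
        self.ciphertext = None
        self.jobs += 1
        return True

    def poll(self) -> str:
        """Read the run indicator; the job completes after `latency` polls."""
        if self.state == BUSY:
            self._ticks += 1
            if self._ticks >= self.latency:
                self._nonce += 1                       # fresh nonce per job
                nonce = self._nonce.to_bytes(8, "big")
                self.ciphertext = nonce + _keystream_xor(self.key, nonce, self._plain)
                self.state = IDLE
        return self.state


class TransmitProcessor:
    """STM32F107 side of Figure 5; `delay` stands in for the real wait loop."""
    def __init__(self, chip: EncryptionChip, delay=lambda: None, max_wait=100):
        self.chip, self.delay, self.max_wait = chip, delay, max_wait
        self.self_tested = False

    def _wait_idle(self) -> None:
        for _ in range(self.max_wait):
            if self.chip.poll() == IDLE:
                return
            self.delay()
        raise TimeoutError("encryption chip stayed busy")

    def _submit(self, data: bytes) -> bytes:
        while not self.chip.submit(data):    # busy: wait, then send again
            self.delay()
            self._wait_idle()
        self._wait_idle()                    # wait for this job to finish
        return self.chip.ciphertext

    def encrypt(self, data: bytes) -> bytes:
        if not self.self_tested:             # test data only before the first job
            ct = self._submit(TEST_VECTOR)
            # The board holds no key, so "working normally" is judged by the
            # chip returning output of the expected shape (nonce + same length).
            if ct is None or len(ct) != 8 + len(TEST_VECTOR) or ct[8:] == TEST_VECTOR:
                raise RuntimeError("encryption chip self-test failed")
            self.self_tested = True
        self.delay()                         # delay before the real data
        return self._submit(data)


def usbkey_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Host-side decryption (the USBKEY's role) with the same stand-in cipher."""
    nonce, body = ciphertext[:8], ciphertext[8:]
    return _keystream_xor(key, nonce, body)


def transmit_all(records, key=b"demo-key-not-for-production", latency=2):
    """Encrypt each record in turn; returns (ciphertexts, jobs the chip ran)."""
    chip = EncryptionChip(key, latency)
    tx = TransmitProcessor(chip)
    return [tx.encrypt(r) for r in records], chip.jobs
```

Two identical records produce different ciphertexts because the chip uses a new nonce per job, and the chip runs one job more than there are records: the single self-test before the first encryption.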
As shown in Figure 6, the system structure diagram of the host computer (4) includes the intrusion detection module (16), the decryption USBKEY (17), the dual-redundant real-time database (18) and the data management interface (19). The data supplied by the data encryption module (3) is subjected to Snort intrusion detection at the receiving port, the detection being based on an intrusion detection rule base; the data is then decrypted in the database driver layer using the decryption USBKEY (17) and sent to the dual-redundant real-time database (18). The data management interface (19) implements the data management functions, mainly user management, remote access, data analysis, data query and data filtering, and provides the human-machine interaction.
As shown in Figure 7, the Snort intrusion detection flow is as follows. ParseCmdLine() parses the command-line parameters and calls the initialization of the variable structures and of the detection and alert routines. OpenPcap() is called to open the packet capture port, and the bottom link-layer protocol parsing routine is selected according to the port type. Plug-in initialization mainly completes the association of keywords with their initialization routines; CreateDefaultRules() is then called to build the initialization framework. The present invention uses Snort version 2.9.8.0, which implements the fast rule-matching optimization routines and allows the alert rules to be configured. Detection then begins: ProcessPacket() is called to decode the packet, PreProcess() is called to process the data with the preprocessors, the packet is matched against the rule base, and the corresponding measures are taken according to the configured alert rules. If detection is to continue, the detection loop repeats; otherwise the program ends.
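The detection loop just described (open a capture source, decode each packet, preprocess, match the rule base, alert), as an added example that models the flow in a few dozen lines. It is not Snort's code and not the patent's: the IPv4/TCP packets are constructed inline, the rule base is a small example set using a handful of Snort-style fields (protocol, destination port, content, offset, message), and the Modbus/TCP preprocessor is a stand-in for the real preprocessor plug-ins. One caveat a deployer of Figure 6 should keep in mind: the intrusion detection runs on the port before the USBKEY decrypts, so content rules there can only see whatever the encryption module leaves in the clear (headers and framing); rules over the Modbus payload, as in this example, apply where the payload is readable, such as at the TCP/IP output of the protocol conversion module or after decryption.

```python
"""Minimal model of the Snort detection loop of Figure 7: decode each packet
(ProcessPacket), run a preprocessor (PreProcess), match the rule base, alert.
Added example, not Snort's code and not the patent's; packets and rules are
constructed here."""

import struct


def build_packet(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet (no Ethernet header), minimal headers."""
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18,
                      8192, 0, 0)
    return ip + tcp + payload


def decode(packet: bytes) -> dict:
    """ProcessPacket(): parse IPv4 and TCP headers, reject malformed input."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    ip_len = struct.unpack("!H", packet[2:4])[0]
    if proto != 6 or len(packet) < ihl + 20 or ip_len > len(packet):
        raise ValueError("not a complete TCP packet")
    tcp = packet[ihl:ihl + 20]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {"proto": "tcp", "sport": sport, "dport": dport,
            "payload": packet[ihl + doff:ip_len]}


def preprocess(pkt: dict) -> dict:
    """PreProcess(): stand-in Modbus/TCP preprocessor that lifts the unit id
    and function code out of an MBAP-framed payload on port 502."""
    p = pkt["payload"]
    if pkt["dport"] == 502 and len(p) >= 8:
        pkt["modbus"] = {"unit": p[6], "function": p[7]}
    return pkt


RULES = [  # constructed rule base; fields are a small subset of Snort's syntax
    {"proto": "tcp", "dport": 502, "content": b"\x06", "offset": 7,
     "msg": "Modbus write single register"},
    {"proto": "tcp", "dport": 502, "content": b"\x08\x00\x01", "offset": 7,
     "msg": "Modbus diagnostics restart communications"},
    {"proto": "tcp", "dport": None, "content": b"/bin/sh", "offset": None,
     "msg": "shell string in TCP payload"},
]


def match(pkt: dict, rules=RULES):
    """Return the messages of every rule whose fields all match the packet."""
    hits = []
    p = pkt["payload"]
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        c, off = r["content"], r["offset"]
        found = p.startswith(c, off) if off is not None else c in p
        if found:
            hits.append(r["msg"])
    return hits


def detect(capture, rules=RULES):
    """Detection loop: returns [(packet index, [alert messages])] for alerts."""
    alerts = []
    for i, raw in enumerate(capture):
        try:
            pkt = preprocess(decode(raw))
        except ValueError:
            continue                    # undecodable frames are skipped
        hits = match(pkt, rules)
        if hits:
            alerts.append((i, hits))
    return alerts


# Constructed capture: a Modbus write (function 6), a Modbus read (function 3)
# and a non-Modbus packet carrying a shell string.
SAMPLE_CAPTURE = [
    build_packet(40000, 502, b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    build_packet(40001, 502, b"\x00\x02\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    build_packet(40002, 8080, b"GET /cgi?cmd=/bin/sh HTTP/1.0\r\n"),
]
```

Running detect(SAMPLE_CAPTURE) alerts on the first packet (a write to a holding register) and the third (shell string), and stays silent on the read request, which is the kind of port-plus-feature comparison the page attributes to Snort; a real rule base would be tuned to the plant's normal Modbus traffic.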
As shown in Figure 8, the structure of the dual-redundant real-time database is as follows: the AicDataHub-based real-time database is the primary and Agilor is the standby real-time database, and data synchronization between them is guaranteed. After the user logs in, the databases are monitored in real time; when the primary real-time database fails, the system switches immediately to the standby real-time database, ensuring system stability.
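The failover behaviour described for Figure 8 (primary and standby kept in sync, immediate switch to the standby when the primary fails, nothing visible to the caller), as an added example. It is not the patent's code and does not drive AicDataHub or Agilor: both databases are stand-in in-memory tag stores here, the names are kept only as labels, and the re-synchronization of a recovered database from the surviving copy is an assumption of this example rather than something the page describes.

```python
"""Model of the dual-redundant real-time database of Figure 8. Added example;
AicDataHub and Agilor are stand-in in-memory stores here, not the products."""


class DatabaseDown(Exception):
    pass


class RealtimeDB:
    """Stand-in tag store; setting `healthy = False` makes every call raise."""
    def __init__(self, name):
        self.name = name
        self.healthy = True
        self.tags = {}

    def _check(self):
        if not self.healthy:
            raise DatabaseDown(self.name)

    def write(self, tag, value, ts):
        self._check()
        self.tags[tag] = (value, ts)

    def read(self, tag):
        self._check()
        return self.tags[tag]

    def snapshot(self):
        self._check()
        return dict(self.tags)


class RedundantStore:
    """Writes go to both copies; reads are served by the active copy and fail
    over to the other one when the active copy is down."""
    def __init__(self, primary, standby):
        self.dbs = [primary, standby]
        self.active = 0            # index into self.dbs
        self.events = []           # switchover log for the operator view

    def _other(self):
        return 1 - self.active

    def _failover(self, exc):
        self.events.append(f"{self.dbs[self.active].name} failed ({exc}); "
                           f"switching to {self.dbs[self._other()].name}")
        self.active = self._other()

    def write(self, tag, value, ts):
        wrote = 0
        for i in (self.active, self._other()):
            try:
                self.dbs[i].write(tag, value, ts)
                wrote += 1
            except DatabaseDown as exc:
                if i == self.active:
                    self._failover(exc)
        if wrote == 0:
            raise DatabaseDown("both real-time databases are down")

    def read(self, tag):
        try:
            return self.dbs[self.active].read(tag)
        except DatabaseDown as exc:
            self._failover(exc)
            return self.dbs[self.active].read(tag)   # retried on the standby

    def resync(self):
        """Copy the active store onto a recovered peer (assumed behaviour)."""
        src, dst = self.dbs[self.active], self.dbs[self._other()]
        if dst.healthy:
            for tag, (value, ts) in src.snapshot().items():
                dst.write(tag, value, ts)

    @property
    def active_name(self):
        return self.dbs[self.active].name


def demo():
    """Primary fails mid-run; the caller keeps writing and reading unchanged.
    Returns (active copy, value read during the outage, primary after resync)."""
    store = RedundantStore(RealtimeDB("AicDataHub"), RealtimeDB("Agilor"))
    store.write("Temp_01", 71.5, 1)
    store.dbs[0].healthy = False       # primary outage
    store.write("Temp_01", 72.0, 2)    # still accepted, lands on the standby
    value = store.read("Temp_01")      # served by the standby
    store.dbs[0].healthy = True
    store.resync()                     # primary catches up from the standby
    return store.active_name, value, store.dbs[0].read("Temp_01")
```

The caller of RedundantStore never sees which copy answered; the switchover is recorded only in the events log, which is what the page means by the handoff being invisible to the user.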
In summary, the Hilscher-based trusted data acquisition system of the present invention applies, in the acquisition of Profibus-DP data from an industrial control system bus, the security measures of protocol conversion, intrusion detection, data encryption, transmission and decryption, and a dual-redundant real-time database, effectively improving data security and credibility.
The beneficial effects of the present invention are:
1) It overcomes the difficulty caused to users by the closed nature of the Profibus-DP protocol and improves the usability of Profibus-DP bus data. Through master/slave station communication, the Profibus-DP bus data obtained by the Hilscher master station is converted to the open Modbus and TCP/IP protocols, and the intelligent slave station designed around the LPC1788FDB208 and VPC3+C has an automatic identification function.
2) Ciphertext transmission ensures the security and credibility of data transmission: two sets of STM32F107 and DP83848 implement data reception and transmission respectively and are directly connected to each other by a high-speed SPI port; the transmitting end, working together with the decryption USBKEY, implements data encryption and decryption; data transfer follows a strict communication mechanism, ensuring the security and reliability of encrypted data transmission, and hardware decryption in the USBKEY reduces the computational burden on the PC.
3) The dual-redundant real-time database effectively improves system stability: the stable operation of the host computer data management interface, which rests on the dual-redundant real-time database, requires the database to run reliably. The dual-redundant mechanism automatically switches to the other real-time database when one of them fails, achieving failover and greatly reducing the likelihood of a database outage, and the whole switchover process is invisible to the user.
4) Snort intrusion detection provides more targeted security protection: the data security protection of an industrial control system takes the system's own characteristics as the basis for its measures. Snort intrusion detection can monitor a port, compare features and raise alerts; the feature base can be improved and optimized according to the actual conditions, and the corresponding alert measures are taken when intrusion behavior is detected.
5) The host computer data management interface implements user authority management, remote access, data query, data filtering, data analysis and other functions, provides the user with trusted data and a basis for decision-making, and achieves the purpose of monitoring the operating state of the industrial control system in real time.
The above is a preferred embodiment of the present invention. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.

Claims (8)

1. A Hilscher-based trusted data acquisition system, characterized in that it comprises a DP master station module, a protocol conversion module, a data encryption module and a host computer;
wherein the DP master station module comprises: a Hilscher chip, at least one Profibus-DP interface for connecting PLC slave stations, and a Hilscher master/slave station communication interface; wherein the Hilscher chip is connected to at least one PLC slave station device through the Profibus-DP interface to collect the Profibus-protocol data on the Profibus bus of the PLC slave station device, and sends that data to the protocol conversion module through the Hilscher master/slave station communication interface;
the protocol conversion module comprises: a processor, a communication interface component and a VPC3+C slave station protocol chip; wherein the processor is connected to the DP master station module through the communication interface component to receive the Profibus-protocol data from the DP master station module, converts the Profibus-protocol data into Modbus-protocol and/or TCP/IP-protocol data by means of the VPC3+C slave station protocol chip, and sends it to the data encryption module;
the data encryption module comprises: a receiving data processing module for receiving the data sent by the protocol conversion module, and an encryption-transmission data processing module for encrypting the data and sending the encrypted data to the host computer;
the host computer comprises: a decryption USBKEY module and a dual-redundant real-time database; wherein the decryption USBKEY module is provided with a decryption chip with a built-in decryption program, is connected to the host computer through a USB interface, and decrypts the encrypted data sent by the data encryption module; wherein the dual-redundant real-time database comprises an AicDataHub industrial real-time database and an Agilor industrial real-time database in a redundant backup configuration, for storing the decrypted data.
2. The Hilscher-based trusted data acquisition system according to claim 1, characterized in that the host computer further comprises a Snort intrusion detection module, which monitors the data acquisition port of the dual-redundant real-time database and compares the data features of the dual-redundant real-time database with the features of a preset Snort rule base to determine whether intrusion behavior exists.
3. The Hilscher-based trusted data acquisition system according to claim 1, characterized in that the host computer further comprises a data management interface connected to the dual-redundant real-time database, through which user authority management, remote access, data query, data analysis, data filtering and similar functions are implemented.
4. The Hilscher-based trusted data acquisition system according to claim 1, characterized in that the Hilscher chip of the DP master station module, on receiving Profibus-protocol data, first determines whether this is the first data transfer with the PLC slave station, and if so carries out the following initialization procedure to explicitly establish a connection:
Step 1: the DP master station module sends an Initiate-REQ-PDU message to the dedicated service access point of the PLC slave station;
Step 2: the PLC slave station determines whether a service access point is available; if so, it proceeds to step 3; if not, it continues to wait for the next command and the procedure ends;
Step 3: the PLC slave station sends an RM-REQ-PDU message, which contains the available service access point, to the DP master station module; the DP master station module saves the available service access point information and at the same time, in polling mode, sends a connection message to the PLC slave station and waits for the PLC slave station's response;
Step 4: the PLC slave station sends an Initial message to the PLC slave station application program, receives the response message of the PLC slave station application program and forwards it to the DP master station module;
Step 5: the DP master station module parses the response message; if the response message agrees to establish the connection, the DP master station module establishes the connection with the PLC slave station, carries out the data exchange, explicitly releases the connection after the data exchange is complete, and the data collection is finished; if the response message refuses to establish the connection, the procedure ends.
5. The Hilscher-based trusted data acquisition system according to claim 1, characterized in that the protocol conversion module specifically comprises: a processor, a VPC3+C slave station protocol chip, a power supply module, an RS-232 interface, an RS-485 interface, an Ethernet interface and a JTAG module;
the processor is an LPC1788FDB208 chip, and the LPC1788FDB208 chip is connected to a 12 MHz crystal oscillator;
the VPC3+C slave station protocol chip is connected to the Hilscher chip for communication and to the processor of the protocol conversion module; the baud rate of the VPC3+C slave station protocol chip is 115200 bps, and the VPC3+C slave station protocol chip is connected to a 48 MHz crystal oscillator;
the input voltage of the power supply module is 24 V, and the output of the power supply module is connected to an LM2576 chip and an LM1117-3.3/SOT223 chip, which provide output voltages of 5 V and 3.3 V respectively;
the RS-232 interface is used to connect an external computer so that the computer can communicate with the processor;
the RS-485 interface is galvanically isolated by an ADM2486 and serves as the Modbus protocol interface for sending Modbus protocol data;
the Ethernet interface is provided with a DP83848 controller to convert the output signal into TCP/IP protocol data, and is connected to the data encryption module through an HR911103A connector;
the JTAG module is used to connect an external debugger.
6. The Hilscher-based trusted data acquisition system according to claim 1, characterized in that the data encryption module comprises: a data receiving network interface, a receiving data processing module, an encryption-transmission data processing module and a data sending network interface;
wherein the data receiving network interface is connected to the protocol conversion module to receive data, and the received data is processed by the receiving data processing module; wherein the receiving data processing module is an STM32F107 chip;
wherein the data sending network interface is connected to the host computer, and the data processed by the receiving data processing module is encrypted by the encryption-transmission data processing module and then sent to the host computer; wherein the encryption-transmission data processing module comprises an STM32F107 chip and an encryption chip;
wherein the data receiving network interface and the data sending network interface are both connected to DP83848 Ethernet physical-layer controllers, and the receiving data processing module and the encryption-transmission data processing module communicate with each other over a high-speed SPI serial link.
7. The Hilscher-based trusted data acquisition system according to claim 6, characterized in that the data encryption module further comprises a power supply module, two SWD interfaces and a USB interface; wherein the two SWD interfaces are connected respectively to the STM32F107 chip of the receiving data processing module and the STM32F107 chip of the encryption-transmission data processing module for program download, and the USB interface is connected to the encryption-transmission data processing module for downloading the encryption program; wherein the input voltage of the power supply module is 24 V, and the output of the power supply module is connected to an LM2576 chip and an LM1117-3.3/SOT223 chip, which provide output voltages of 5 V and 3.3 V respectively.
8. A method of trusted data acquisition using the Hilscher-based trusted data acquisition system according to any one of claims 1 to 7, characterized in that it comprises:
collecting, by the DP master station module, Profibus-protocol data from the Profibus bus connecting the PLC slave station devices;
converting, by the protocol conversion module, the Profibus-protocol data into Modbus-protocol and/or TCP/IP-protocol data;
encrypting, by the data encryption module, the data from the protocol conversion module and sending it to the host computer;
performing, at the host computer, Snort intrusion detection on the received encrypted data and decrypting it with the decryption USBKEY module, then storing it in the dual-redundant real-time database.
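The explicit connection setup between the DP master station and a PLC slave station, as described for Figure 3 in the description and as steps 1 to 5 of claim 4, modelled as an added example with both sides exchanging messages. This is not code from the patent or from Hilscher: the PDU names follow the text, but the message layout (dicts), the service access point numbers, the "Pre-Connect" and "Connect-RES" names for the pre-connection message and its answer, and the slave application's accept/refuse decision are assumptions of this example. The point it makes beyond the text is that the data services are refused until the handshake has succeeded and that the service access point is handed back on the explicit disconnect.

```python
"""Simulation of the explicit connection setup between a DP master station and
a PLC slave station (Figure 3 / claim 4). Added example, not the patent's or
Hilscher's code; message layout and SAP numbers are assumptions."""

CONNECT_SAP = 51          # assumed dedicated SAP addressed by Initiate-REQ-PDU
APP_ACCEPT, APP_REFUSE = "accept", "refuse"


class SlaveStation:
    def __init__(self, free_saps, app_decision=APP_ACCEPT):
        self.free_saps = list(free_saps)   # SAPs this slave can offer
        self.app_decision = app_decision   # what the slave application answers
        self.connected = False
        self.log = []

    def handle(self, pdu):
        """Handle one PDU from the master; return the reply PDU or None."""
        kind = pdu["pdu"]
        if kind == "Initiate-REQ-PDU":
            # step 2: look for an available service access point
            if not self.free_saps:
                self.log.append("no SAP available, waiting for next command")
                return None
            sap = self.free_saps.pop(0)
            self.log.append(f"Initial message to application, SAP {sap}")
            # step 3: RM-REQ-PDU carries the SAP back to the master
            return {"pdu": "RM-REQ-PDU", "sap": sap}
        if kind == "Pre-Connect":
            # step 5: relay the application's decision to the master
            decision = self.app_decision
            self.connected = decision == APP_ACCEPT
            return {"pdu": "Connect-RES", "sap": pdu["sap"], "result": decision}
        if kind in ("Read", "Write", "Data Transport"):
            if not self.connected:
                return {"pdu": "Abort", "reason": "not connected"}
            return {"pdu": kind + "-RES", "ok": True}
        if kind == "Disconnect":
            self.connected = False
            self.free_saps.append(pdu["sap"])   # SAP is free again
            return {"pdu": "Disconnect-RES"}
        return {"pdu": "Abort", "reason": "unknown PDU"}


class MasterStation:
    def __init__(self, slave, max_polls=3):
        self.slave = slave
        self.max_polls = max_polls
        self.sap = None
        self.connected = False
        self.trace = []                    # every PDU in both directions

    def _send(self, pdu):
        self.trace.append(("M->S", pdu))
        reply = self.slave.handle(pdu)
        if reply is not None:
            self.trace.append(("S->M", reply))
        return reply

    def connect(self):
        # step 1: Initiate-REQ-PDU to the slave's dedicated SAP
        reply = self._send({"pdu": "Initiate-REQ-PDU", "sap": CONNECT_SAP})
        if reply is None or reply["pdu"] != "RM-REQ-PDU":
            return False
        self.sap = reply["sap"]            # step 4: save the service point
        for _ in range(self.max_polls):    # poll for the slave's answer
            reply = self._send({"pdu": "Pre-Connect", "sap": self.sap})
            if reply and reply["pdu"] == "Connect-RES":
                self.connected = reply["result"] == APP_ACCEPT
                return self.connected
        return False

    def exchange(self, service):
        if not self.connected:
            raise RuntimeError("data services require an established connection")
        return self._send({"pdu": service, "sap": self.sap})

    def disconnect(self):
        self._send({"pdu": "Disconnect", "sap": self.sap})
        self.connected = False


def run_acquisition(slave):
    """Full cycle: connect, Read/Write/Data Transport, explicit disconnect.
    Returns (connection established, number of successful services)."""
    master = MasterStation(slave)
    if not master.connect():
        return False, 0
    ok = sum(1 for s in ("Read", "Write", "Data Transport")
             if master.exchange(s).get("ok"))
    master.disconnect()
    return True, ok
```

run_acquisition(SlaveStation([10, 11])) completes all three services, while a slave with no free service access point, or one whose application refuses, never reaches the data phase.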
Application CN201610860497.3A, priority and filing date 2016-09-28: Hilscher-based credible data acquisition system and method (granted as CN106656960B, legal status Active)

Publications (2)

Publication Number Publication Date
CN106656960A 2017-05-10
CN106656960B 2019-12-17

Family ID 58853543; one family application (CN201610860497.3A); country: CN
Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107220070A (en) * 2017-08-01 2017-09-29 浙江佳乐科仪股份有限公司 A kind of Internet of Things DTU collecting methods
CN108761250A (en) * 2018-07-26 2018-11-06 电子科技大学 A kind of intrusion detection method based on industrial control equipment voltage and current
CN109120619A (en) * 2018-08-17 2019-01-01 西安科技大学 A kind of computer network communications system
CN110381139A (en) * 2019-07-19 2019-10-25 福建龙净环保股份有限公司 A kind of remote data acquisition method and apparatus Internet-based
CN110381139B (en) * 2019-07-19 2022-05-27 福建龙净环保股份有限公司 Remote data acquisition method and device based on Internet
CN111487932A (en) * 2019-01-29 2020-08-04 东泰高科装备科技有限公司 Monitoring system
CN112243205A (en) * 2020-10-23 2021-01-19 中国电子科技集团公司第二十八研究所 Multi-protocol fusion processing method based on Internet of things
CN112261107A (en) * 2020-10-16 2021-01-22 浙江中烟工业有限责任公司 Method and system for collecting information of boiler burner

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1914625A3 (en) * 2006-10-18 2010-07-07 Hitachi, Ltd. Method and program for supporting setting of access management information
US20130212227A1 (en) * 2012-02-09 2013-08-15 Cogent Real-Time Systems Inc. System and method for streaming data via http
CN103559104A (en) * 2013-11-07 2014-02-05 南京国电南自轨道交通工程有限公司 Distributed redundancy real-time database framework based on hybrid communication
CN103812830A (en) * 2012-11-09 2014-05-21 沈阳高精数控技术有限公司 Protocol authentication method used for bus slave station equipment
CN205028123U (en) * 2015-06-14 2016-02-10 上海云物信息技术有限公司 Non -contact intrusion detection system of SCADA system
CN205389215U (en) * 2016-01-27 2016-07-20 北京科技大学 PLC data acquisition and encryption and decryption system based on two net gapes

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
姜日新, 宋延民 et al.: "Design of a Profibus-DP intelligent slave station based on VPC3+C" (基于VPC3+C的Profibus-DP智能从站设计), 《天津工程师范学院学报》 (Journal of Tianjin University of Technology and Education) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant