CN106878257A - Industrial network closed-loop control method with attack protection and its architecture - Google Patents

Publication number
CN106878257A
Authority
CN
China
Prior art keywords
information
attack
signal
control
controlled device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611150778.6A
Other languages
Chinese (zh)
Other versions
CN106878257B (en
Inventor
葛辉
岳东
邓松
解相朋
胡松林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Post and Telecommunication University
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing Post and Telecommunication University
Application filed by Nanjing Post and Telecommunication University
Priority to CN201611150778.6A
Publication of CN106878257A
Application granted
Publication of CN106878257B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an industrial network closed-loop control method with attack protection, and its architecture. Starting from the covert-attack model that exists in networked control systems, the architecture adds stages with intelligent detection and defence capability to detect the attacks and harm introduced by the network. In addition to the stages found in a typical networked control system, the structure adds a control-signal preprocessing stage at the front end of the controlled object and a preprocessing stage for the fed-back output signal at the front end of the controller and, depending on the intelligence level of the attack, a comparison element at the output of the controlled object. With these stages the structure gains anti-attack capability and can effectively eliminate the effects of covert attacks. According to the grade and intelligence of the covert attack, the invention provides two structures: one mainly for general covert attacks, the other for covert attacks that have a certain intelligent counter-detection capability.

Description

Industrial network closed-loop control method with attack protection and its architecture
Technical field
The present invention relates to the field of control and information security for physical systems fused with network characteristics, and in particular to architecture design and modelling for the security of networked control systems and for attack detection and defence in them.
Background
In networked control systems, as wide-area, geographically separated deployment of control targets and controllers becomes widespread, information security problems increasingly threaten or even harm the normal operation of control systems with network characteristics, especially the security of key equipment that concerns national security and has substantial economic value and prospects. Examples of such key equipment are SCADA systems in networked systems, centrifuge speed monitoring systems in nuclear power stations, and the cooperative control systems of distributed air-force formations cruising on a mission. These require that the task commands sent by the controller arrive accurately and on time without being intercepted or tampered with, and that the important, critical operating data of the equipment monitored by the control centre reach the controller securely and in time without being intercepted, altered or disturbed. However, because such systems are large and highly complex, and the control centre and the remote controlled object are geographically separated, they mostly take the form of distributed networked control systems whose parts are not in the same place.
Research has found that the physical-layer infrastructure and equipment of a CPS, especially certain key equipment, as well as management-layer data and communication-layer information, are vulnerable to remote attack, which weakens them or even causes functional failure. Networked control systems, as a typical class of CPS, are widely used in general-purpose and dedicated systems such as power systems, transportation systems, Internet-of-Things systems and industrial process control (local or remote). The safety and reliability of a system's critical equipment and processes are what guarantee its normal operation. In 2009, in Iran's nuclear engineering project, the uranium enrichment plant at Natanz and the steam-turbine control of the Bushehr nuclear power plant were both hit by the malicious "Stuxnet" attack, which paralysed about 1000 centrifuges in the uranium enrichment facility and severely affected the progress of the project.
The Stuxnet virus was first detected in June 2010. Highly virulent and destructive, it is the first "worm" virus designed specifically to attack infrastructure (energy) facilities in the real world, such as nuclear power stations, dams and national power grids. In December, a senior German computer consultant stated that the Stuxnet computer virus had delayed Tehran's nuclear programme by 2 years.
The Stuxnet code is very precise and has two main functions: first, to drive the attacked object (such as Iran's centrifuges) out of control; second, to conceal the fact that the attacked object has failed by returning false "operating normally" records to the management side, causing decision-makers to misjudge. It is a typical deception attack.
In a typical closed-loop control system, the control signal from the controller to the remote controlled object and the output feedback signal from the remote controlled object back to the controller both travel over the two-way closed-loop circuit. Because the network links are insecure, both control commands and output feedback signals may be intercepted, tampered with or subjected to other network attacks, which reduces the robustness of the system or even crashes it. In some cases the attacker exploits vulnerabilities in message transmission to obtain leaked information, derives the characteristics of the system from it, and conceals the attack according to those characteristics.
To ensure stable and accurate operation, corresponding devices and control units must be designed to authenticate the signals transmitted in the loop and received at the receiving end, to detect and isolate faults in the system, and even to provide an effective scheme by which the system can quickly recover to a normal or sub-normal stable state after being attacked. Guaranteeing system security means that, when the system is under attack, an effective scheme exists for handling the attack signal contained in the attacked signal.
Summary of the invention
The present invention analyses and predicts the attacks that may occur against the control signal and the output feedback signal in the two-way circuit of a closed-loop system, defends against the predicted attacks such as information acquisition, tampering and denial of service, and designs a new closed-loop control system architecture with anti-attack capability. Under this structure, different architectural stages are designed for network attacks that have ordinary hiding capability and for intelligent covert attacks, so that the two kinds of network attack are each defended against. Both structures are themselves hard to detect while they defend: they defend against and eliminate the network attack while concealing themselves, so that the attacker's attack function is shielded at the same time.
To achieve the above technical purpose, the present invention adopts the following technical scheme:
An industrial network closed-loop control method with attack protection, comprising: in a closed-loop control system, the controller transmits a control signal over the network to the remote controlled object; after receiving the control signal, the remote controlled object determines, from the differences between the control signal before and after transmission, whether the control signal was attacked or corrupted in transit by a covert attack signal μ of the attacking system; where the control signal is found to have been attacked or corrupted in transit, the covert attack signal μ and the true control information for the remote controlled object can be obtained, the true control information being a true control signal that approximates the control signal; the true control information is input to the remote controlled object to maintain normal operation of the whole industrial network control, yielding the measurement information of the remote controlled object operating under the true control signal; the covert attack signal μ is input to a virtual controlled object to simulate the operating condition of the whole industrial network control under attack, yielding the virtual measurement information of the virtual controlled object operating under the covert attack signal μ; the measurement information of the remote controlled object operating under the true control signal and the virtual measurement information of the virtual controlled object operating under the covert attack signal are fused to obtain fused information; before the fused information is returned to the controller, it is determined, from the differences between the fused information before and after transmission, whether the fused information was attacked or corrupted during return by a covert attack signal η of the attacking system; where the fused information is found to have been attacked or corrupted during return, the covert attack signal η and fused substitute information that approximates the fused information can be obtained; the fused substitute information is input to the controller, which calculates the control signal for the next cycle.
Another technical purpose of the invention is to provide an anti-attack industrial network closed-loop architecture with attack protection and shielding, comprising: a controller; a remote controlled object; a front-end output-feedback processing device arranged at the front end of the controller; a back-end control-output fusion and encoding unit arranged at the back end of the controller; a front-end received-signal decoding and processing unit arranged at the front end of the remote controlled object; and a back-end measurement-output fusion and encoding unit arranged at the back end of the remote controlled object. The back-end control-output fusion and encoding unit performs timestamp formation, encryption and data encapsulation for the control signal, and encodes the control signal using a combination of plaintext and ciphertext. The front-end received-signal decoding and processing unit includes a control-signal attack detection module, a control-signal attack protection module and a covert-attack simulation module. The control-signal attack detection module determines, from the differences between the control signal before and after remote transmission, whether the control signal was attacked or corrupted in remote transmission by a covert attack signal μ of the attacking system and, when it judges that it was, starts the control-signal attack protection module. The control-signal attack protection module obtains the covert attack signal μ and the true control information for the remote controlled object, which approximates the control signal, inputs the obtained covert attack signal μ to the covert-attack simulation module, and inputs the true control information to the remote controlled object. The covert-attack simulation module contains a virtual controlled object whose model structure approximates the remote controlled object; driven by the input covert attack signal μ, it simulates the operating condition of the whole industrial network control under attack and yields the virtual measurement information of the virtual controlled object operating under the covert attack signal μ. The remote controlled object, driven by the input true control information, yields the measurement information of the remote controlled object operating under the true control information. The back-end measurement-output fusion and encoding unit has a signal fusion module and a data encryption, encoding and encapsulation module. The signal fusion module fuses the output of the remote controlled object under the true control information with the virtual measurement information of the virtual controlled object under the covert attack signal μ. The data encryption, encoding and encapsulation module encrypts, encodes and encapsulates the input data, including timestamp formation, encryption and data encapsulation, and encodes the transmitted signal using a combination of plaintext and ciphertext. The front-end output-feedback processing device includes a feedback-information attack detection module and a feedback-information attack protection module. The feedback-information attack detection module determines, from the differences between the feedback information before and after transmission, whether the feedback information was attacked or corrupted during return by a covert attack signal η of the attacking system and, when it judges that it was, starts the feedback-information attack protection module. The feedback-information attack protection module obtains the covert attack signal η and true feedback information that approximates the feedback information. The controller uses the input feedback information, together with the control law, to calculate the control signal for the next cycle.
With the above technical scheme, the present invention has the following beneficial effects:
Compared with the redundant-unit structures used in conventional fault-tolerant control, the structure used in this application is simpler, with the advantages of low cost and high efficiency. It also has the ability to detect covert (or deception) attacks, which fault-tolerant control cannot detect.
Brief description of the drawings
Fig. 1 is a schematic diagram of the working principle of the closed-loop system anti-attack architecture;
Fig. 2 is a schematic diagram of the control-signal packet (frame) encapsulation structure;
Fig. 3 is a schematic diagram of the output-signal packet (frame) encapsulation structure;
Fig. 4 is a diagram of the attack-shielding anti-attack architecture with preprocessing and post-processing units;
Fig. 5 is a diagram of the parallel anti-attack structure with data separation;
Fig. 6 is the flow chart for a covert attack with an intelligent hidden unit;
Fig. 7 is the flow chart for a covert attack without an intelligent hidden unit.
Note: in the figures, the dashed box contains the design and modelling of the model structure of the covert attack in the network environment. P (plant): remote controlled object; Pre-P: preprocessing unit for the input control signal; C (controller): controller; Pre-C: preprocessing stage for the feedback signal input at the controller front end; CA (Covert Agent): covert intelligent (attack) unit.
Detailed description
The technical scheme of the present invention is explained below with reference to the accompanying drawings.
At system start-up, on the controlled-object side, good data from training and learning are available and the system state is normal during the time period [0, ts]. This provides the basis for selecting the trusted data needed in subsequent processing, and is a very important design premise.
According to Fig. 1, the working principle and process of the closed-loop anti-attack architecture are as follows. The system is started; the control sequence is encapsulated in the three parts shown in Fig. 2, with the working signal and the discrimination signal encoded using explicit coding and implicit coding respectively, and is then sent to the remote controlled end over the network medium. The remote controlled end receives the signal and authenticates the control signal. If no attack or tampering is found, the system executes the command normally. If the control signal is found to have been attacked or tampered with, suitable data are chosen from the earlier historical healthy data and executed in its place. The sensed and measured output of the running system is then encapsulated as shown in Fig. 3, encoded explicitly and implicitly, and sent back over the network to the controller end, forming the return path of the closed loop.
At the local controller end, the returned output signal that is received is checked for attack. If it has not been attacked, it is used in the calculation to derive the control decision for the next moment (cycle). If the check finds that the returned output signal has been attacked, tampered with or the like, the best historical information is selected from the earlier historical database as the basis, replacing the data that were attacked or infected by a virus.
According to Fig. 4, front units and rear units are designed and added at the front and back ends of the signal processing units of the controller and the actuator (the local control centre and the remote controlled object). The rear unit of the local controller mainly handles the timestamp of the control information and the encoding and transmission of the control input signal and the control input characteristic signal. The front unit mainly compares the feedback signal returned by the remote controlled object, in terms of type, size, structure and so on, together with the prediction under the control law, against the healthy data from earlier training; it thereby judges whether the returned data have been attacked, tampered with or infected by a virus, providing the basis for the control decision of the next cycle.
The remote controlled object end is the reverse of the local controller. The functional unit at the back end of the controlled object mainly handles data encapsulation of the measured output signal after the equipment has run, together with data encoding and transmission. The front end of the remote controlled object mainly decodes and authenticates the control information received from the network channel, extracts the original signal and passes it to the controlled object (actuator), and then sends the attack-detection data it obtains directly to the back end of the controlled object, where they are encapsulated and transmitted together with the measured output of the actuator after it has run. This detection unit is mainly used to confirm whether the link from the controller to the remote controlled object has been attacked, tampered with or infected by a virus, so as to ensure the validity and security of control.
In other words, the invention provides an industrial network closed-loop control method with attack protection, comprising: in a closed-loop control system, the controller transmits a control signal over the network to the remote controlled object; after receiving the control signal, the remote controlled object determines, from the differences between the control signal before and after transmission, whether the control signal was attacked or corrupted in transit by a covert attack signal μ of the attacking system; where the control signal is found to have been attacked or corrupted in transit, the covert attack signal μ and the true control information for the remote controlled object can be obtained, the true control information being a true control signal that approximates the control signal; the true control information is input to the remote controlled object to maintain normal operation of the whole industrial network control, yielding the measurement information of the remote controlled object operating under the true control signal; the covert attack signal μ is input to a virtual controlled object to simulate the operating condition of the whole industrial network control under attack, yielding the virtual measurement information of the virtual controlled object operating under the covert attack signal μ; the measurement information of the remote controlled object operating under the true control signal and the virtual measurement information of the virtual controlled object operating under the covert attack signal are fused to obtain fused information; before the fused information is returned to the controller, it is determined, from the differences between the fused information before and after transmission, whether the fused information was attacked or corrupted during return by a covert attack signal η of the attacking system; where the fused information is found to have been attacked or corrupted during return, the covert attack signal η and fused substitute information that approximates the fused information can be obtained; the fused substitute information is input to the controller, which calculates the control signal for the next cycle.
Before the fused information is returned to the controller, the differences between the fused information before and after transmission also make it possible to judge whether the attacking system has intelligent characteristics. When the attacking system is judged to have no intelligence, the industrial network closed-loop control method for the next cycle is simplified as follows: in the closed-loop control system, the controller transmits a control signal over the network to the remote controlled object; after receiving the control signal, the controlled object determines, from the differences between the control signal before and after transmission, whether the control signal was attacked or corrupted in transit by a covert attack signal μ; where the control signal is found to have been attacked or corrupted in transit, the covert attack signal μ and the true control information for the remote controlled object can be obtained, the true control information being a true control signal that approximates the control signal; the true control information is input to the remote controlled object to maintain normal operation of the whole industrial network control, yielding the measurement information of the controlled object operating under the true control signal; the covert attack signal μ is input to the virtual controlled object to simulate the operating condition of the whole industrial network control under attack, yielding the virtual measurement information of the virtual controlled object operating under the covert attack signal μ; before the measurement information of the remote controlled object operating under the true control signal is returned to the controller, it is determined, from the differences between the measurement information before and after transmission, whether the measurement information was attacked or corrupted during return by a covert attack signal η; where the measurement information is found to have been attacked or corrupted during return, the covert attack signal η and measurement substitute information that approximates the measurement information can be obtained; the measurement substitute information is input to the controller, which calculates the control signal for the next cycle.
Based on the above closed-loop control method, the invention provides an anti-attack industrial network closed-loop architecture with attack protection and shielding, comprising: a controller; a remote controlled object; a front-end output-feedback processing device arranged at the front end of the controller; a back-end control-output fusion and encoding unit arranged at the back end of the controller; a front-end received-signal decoding and processing unit arranged at the front end of the remote controlled object; and a back-end measurement-output fusion and encoding unit arranged at the back end of the remote controlled object. The back-end control-output fusion and encoding unit performs timestamp formation, encryption and data encapsulation for the control signal, and encodes the control signal using a combination of plaintext and ciphertext. The front-end received-signal decoding and processing unit includes a control-signal attack detection module, a control-signal attack protection module and a covert-attack simulation module. The control-signal attack detection module determines, from the differences between the control signal before and after remote transmission, whether the control signal was attacked or corrupted in remote transmission by a covert attack signal μ of the attacking system and, when it judges that it was, starts the control-signal attack protection module. The control-signal attack protection module obtains the covert attack signal μ and the true control information for the remote controlled object, which approximates the control signal, inputs the obtained covert attack signal μ to the covert-attack simulation module, and inputs the true control information to the remote controlled object. The covert-attack simulation module contains a virtual controlled object whose model structure approximates the remote controlled object; driven by the input covert attack signal μ, it simulates the operating condition of the whole industrial network control under attack and yields the virtual measurement information of the virtual controlled object operating under the covert attack signal μ. The remote controlled object, driven by the input true control information, yields the measurement information of the remote controlled object operating under the true control information. The back-end measurement-output fusion and encoding unit has a signal fusion module and a data encryption, encoding and encapsulation module. The signal fusion module fuses the output of the remote controlled object under the true control information with the virtual measurement information of the virtual controlled object under the covert attack signal μ. The data encryption, encoding and encapsulation module encrypts, encodes and encapsulates the input data, including timestamp formation, encryption and data encapsulation, and encodes the transmitted signal using a combination of plaintext and ciphertext. The front-end output-feedback processing device includes a feedback-information attack detection module and a feedback-information attack protection module. The feedback-information attack detection module determines, from the differences between the feedback information before and after transmission, whether the feedback information was attacked or corrupted during return by a covert attack signal η of the attacking system and, when it judges that it was, starts the feedback-information attack protection module. The feedback-information attack protection module obtains the covert attack signal η and true feedback information that approximates the feedback information. The controller uses the input feedback information, together with the control law, to calculate the control signal for the next cycle.
Further, the front-end output feedback processing device also includes an attacking-system intelligence judgment module, which makes its judgment according to the similarities and differences of the fused information before and after transmission. When this module judges that the attacking system has no intelligent monitoring module, then in the next cycle the hidden attack simulation module is closed in the control signal pre-processing unit; in the back-end measurement output fusion and encoding processing unit of the remote controlled object the signal fusion module is closed, and the measurement information of the remote controlled object working under the true control signal is used directly as the input of the feedback information attack detection module for detection and judgment.
The above is the basic operating principle of the closed-loop counter-attack architecture; the details are given below.
Suppose the system satisfies the following two assumed conditions:
Assumption 1: The hidden-attack side has completely grasped the model information of the controlled object, i.e. P uu, which means that the information about the controlled object is completely leaked.
Assumption 2: Apart from attacks, the system is not affected by any external disturbance, or the external disturbance is not enough to affect the robustness and security of the system.
Assumption 3: For the signals used for detection, and , transmission by information hiding techniques is assumed to ensure their security.
Then, once the system has been attacked, this class of attacker can hide the attack completely so that it cannot be detected. The composition of the control signal is therefore designed as follows: $S_c(k) = \{T_{stamp}(k), U_c^w(k), U_c^d(k)\}$, where $T_{stamp}(k)$ denotes the timestamp, denotes the control information actually used for control, and denotes the additional information used to verify , obtained with the hash function ; these are encoded with explicit coding and hidden coding techniques respectively. A hash function turns data of arbitrary length into summary information (check information) of fixed length, which can then be used with to verify whether the information of has been attacked. In the control system, the grade and complexity of the respective algorithms are selected with the real-time performance and stability of the system in mind.
The signal receiving end, that is, the actuator end of the designed industrial control system (the remote controlled end in the industrial network), performs attack detection after receiving the control information: it verifies whether indices such as the integrity, confidentiality and availability of the control and feedback signals in the closed loop have been destroyed.
The Hash() function in the above definition is usually implemented in the information security field with various hash function algorithms. For this part the invention refers to existing hash function algorithms and allows them to be modified and refined according to actual design requirements, yielding a modified hash function, namely the Hash() function in the definition.
According to the above design, at the back end of the controller the control information sequence is encrypted and encapsulated according to the three designed parts and is then transmitted with the UDP protocol. In addition, within the local network a bus protocol is generally used for data transmission, in consideration of the real-time performance of the system.
In the case without attack, the control signal reaching the Pre-plant is the sequence ; authentic and valid control information is obtained simply through the decryption operation and the inverse of the above design process. The Pre-plant unit obtains by the decryption operation. Using a direct size comparison of and $T_{stamp}(k)$, it makes a preliminary judgment on whether the system has been attacked: in the secure case , otherwise the system can be judged insecure. It then uses the relation between and to judge the security of the system further: in the secure case the two are equal, otherwise they are not; if holds, the system can be further determined to be secure. Finally, following the formation process of the timestamp, it verifies whether the summary files that form the timestamp are equal, which judges the security of the control signal at a higher level.
In the time period $[t_0, t_1, ..., t_r]$, the additional information sequence used to verify is . If the control information is attacked at time $t_s$ ($s < r$), the control signal transmitted at that time comprises the following three parts: , and the hidden attack signal μ; the coupled information obtained by the decryption operation is , and respectively. Here is obtained with the inverse function , and the information closest to $u_c(k)$ is obtained through , where denotes the value in the healthy historical database closest to . By querying the information of historical moments in the historical healthy database system, , the closest historical data $u_c(k-ih)$ is found and substituted for $u_c(k)$ at the current time as the input to the remote controlled object. Then is obtained by decryption; the relation now holds, and the hidden attack signal μ is separated by the algorithm .
After the attack signal is separated, the controlled-object pre-processor sends the substitute signal $u_c(k-ih)$ and the attack signal μ to two different loops, the true controlled object and the virtual controlled object respectively, which output the real output and the attack fitting output respectively.
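The control-side detection and protection steps described above can be sketched as follows; this is an added example, not code from the patent. It assumes SHA-256 as the Hash() function, integer control values in scaled units, an additive attack signal, a hidden check field that arrives intact (Assumption 3), and a digest search over the healthy history in place of the unspecified inverse function; encryption is omitted and all names are hypothetical.

```python
import hashlib
import struct


def digest(value: int) -> bytes:
    """SHA-256 over a fixed-width encoding; stands in for the patent's Hash() (assumption)."""
    return hashlib.sha256(struct.pack(">q", value)).digest()


def pack_control(k: int, u_c: int) -> dict:
    """Controller back end: timestamp, control value (explicit part), check field (hidden part)."""
    return {"t_stamp": k, "u_w": u_c, "u_d": digest(u_c)}


class ControlFrontEnd:
    """Front-end unit of the remote controlled object: attack detection plus protection."""

    def __init__(self, healthy_history):
        # Healthy historical database as (period, control value) pairs, oldest first.
        if not healthy_history:
            raise ValueError("at least one healthy historical value is required")
        self.history = list(healthy_history)

    def receive(self, packet: dict) -> dict:
        k, u_rx, check = packet["t_stamp"], packet["u_w"], packet["u_d"]
        last_k, last_u = self.history[-1]
        fresh = k > last_k                  # timestamp must advance (replay check, assumption)
        intact = digest(u_rx) == check      # explicit part must match the hidden check field
        if fresh and intact:
            self.history.append((k, u_rx))
            return {"attacked": False, "to_plant": u_rx, "mu": 0, "source_k": k}
        # Protection: pick a substitute from the healthy history. A stale packet carries
        # an old check field, so only a fresh packet's field is used for the lookup.
        src_k, sub = self._lookup(check) if fresh else (last_k, last_u)
        # The residual is the attack estimate that goes to the virtual controlled object.
        return {"attacked": True, "to_plant": sub, "mu": u_rx - sub, "source_k": src_k}

    def _lookup(self, check: bytes):
        # The check field is "inverted" by searching healthy values, newest first.
        for k, u in reversed(self.history):
            if digest(u) == check:
                return k, u
        # No match: hold the latest healthy value. mu then also contains the setpoint
        # change the controller intended, not only the injected signal.
        return self.history[-1]


if __name__ == "__main__":
    fe = ControlFrontEnd([(0, 1000), (1, 1010), (2, 1020)])   # constructed history
    tampered = pack_control(3, 1010)
    tampered["u_w"] += 250                                     # constructed in-transit change
    print(fe.receive(tampered))
    print(fe.receive(pack_control(3, 1030)))
```

The digest search only recovers the intended value when the controller has issued it before; otherwise the substitute is the latest healthy value and the estimate of μ is correspondingly less exact.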
The data packaging form and content of this part are then designed separately for two different situations:
(1) The attacker has no intelligent detection function:
In this case the actual measurement output of the system only needs to be packaged, following the packaging form and method of the control information output by the controller end, into the following structure , where is the timestamp of the output, , where F(·) is the encryption algorithm function, and is the detection check information, obtained by the hash function operation . It is then transmitted with UDP encoding. In the encoding process the timestamp and the encrypted measurement output signal use explicit coding, while the check information of the third part uses hidden coding, which gives it a higher level of protection.
At the receiving end, the front-end unit (pre-controller) of the controller, the measurement output data structure received from the above remote controlled object is ; after passing through the network environment and being decrypted locally, the signal is . By Assumption 3 above, is guaranteed. The front-end processing device of the controller works in a way similar to the remote controlled object's processing of the received control signal, and can carry out detection with the timestamp, the encrypted measurement output and the check information sent by hidden coding.
(2) An intelligent unit exists in the attacker's loop:
In the loop from the remote controlled object to the controller, the attacker can intercept the returned information. Because the attacker has long been probing the system, and because of the system's information leakage, the attacker has preliminarily grasped the model information of the control system and has also cracked the control input and measurement output in the plaintext information. A man-in-the-middle attack can therefore be implemented: the covert attack signal μ is inserted into the control information sequence, and the effect produced by the attack is then removed in the feedback loop, thereby achieving a hidden attack (the effect of a spoofing attack).
For this advanced form of attack, the attack effect must be encapsulated and returned together with the information when it is sent back, so that the attacker removes the attack effect in the feedback loop in order to hide the attack behaviour and deceive the controller's decision-making.
The influence of the attack μ is passed through the fitting action of the virtual controlled object, giving the fitting output . Then is used to form the timestamp, and the encryption algorithm function F(·) is used to encrypt and separately, giving the ciphertext signals and ; is computed as the measurement output of the controlled-object end, followed by the check signal . Finally, the data packet that encapsulates the timestamp, the composite measurement output and the detection check signal is transmitted using the UDP protocol.
The data received by the feedback loop is . It is processed in a way similar to the decryption of the control signal at the front end of the controlled object. Since an attack exists and the attacker has an intelligent detection and processing unit, the effect of the attack signal on the output of the remote controlled object has already been removed from the received signal ; at this point only the following indices need to be verified to judge whether the system has been attacked:
(1) Check the timestamp: judge whether holds; if it does not hold, the system has been attacked;
(2) If (1) holds, judge whether holds; if the equation holds, the system is secure; if it does not hold, the system has been attacked;
(3) On the basis that the equation in (2) holds, further decrypt the timestamp and compare the summary file obtained by the hash operation on the original text, to further determine the security of the system (if the real-time requirement of the system is high, this step can be postponed to the final step and serve the decision of the next cycle);
(4) Use to restore the measurement output of the controlled object , as a reference for the control decision at the next moment.
Before it is certain whether the attacker has an intelligent detection link, the data returned by the feedback loop is first decrypted quickly and efficiently to obtain . Several conditions are then verified: (i) $T_{stamp}^{p}(k) < \tilde{T}_{stamp}^{p}(k)$; (ii) $Hash(\tilde{Y}_p^{w}(k)) = \tilde{Y}_p^{all-d}(k) \neq \tilde{Y}_p^{d}(k)$; (iii) $Hash(\tilde{Y}_p^{w}(k)) = \tilde{Y}_p^{d}(k) \neq \tilde{Y}_p^{all-d}(k)$. If conditions (i) and (ii) hold, it can be determined that the attacking system has no intelligent detection link and that the attack level is low; in the next cycle the structure of the returned data can be improved: after the attack data has been classified it can be left untreated, which removes the redundant link of the simulated controlled object. If conditions (i) and (iii) hold, it can be judged that an intelligent detection link exists in the attacker's architecture; this link can remove the attack effect to achieve the effect of a "man-in-the-middle" attack (spoofing attack) that the controller end cannot discover.
When none of the above conditions holds, the measurement output has been attacked again during the return. In this case the same idea and method as the front-end pre-processing link of the controlled object must be applied to the returned and decrypted signal : according to the information provided by the historical database, qualifying data is looked up quickly, and the attack η in the feedback loop is separated . The healthy, secure data is then delivered to the controller, the controller computes the control strategy $u_c(k+1)$ for the next cycle, and the next cycle begins.
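The feedback-side judgment described above can be sketched as follows; this is an added example, not code from the patent. It assumes SHA-256 as the Hash() function, integer measurements in scaled units, hidden check fields that arrive intact (Assumption 3), and condition (i) read as "packet timestamp earlier than the local receive time"; encryption is omitted, the `no_attack_effect` branch is an added edge case, and all names are hypothetical.

```python
import hashlib
import struct


def digest(value: int) -> bytes:
    """SHA-256 over a fixed-width encoding; stands in for the patent's Hash() (assumption)."""
    return hashlib.sha256(struct.pack(">q", value)).digest()


def pack_feedback(k: int, y_real: int, y_mu: int) -> dict:
    """Back end of the remote controlled object: fuse real and virtual outputs and package them."""
    fused = y_real + y_mu
    return {
        "t_stamp": k,
        "y_w": fused,                 # explicit part: fused measurement
        "y_all_d": digest(fused),     # hidden check over real output plus attack effect
        "y_d": digest(y_real),        # hidden check over the real output alone
    }


def classify_feedback(rx: dict, recv_time: int) -> str:
    """Controller front end: apply conditions (i) to (iii) to a decrypted packet."""
    h = digest(rx["y_w"])
    on_time = rx["t_stamp"] < recv_time          # condition (i), read as sent before received
    eq_all, eq_real = h == rx["y_all_d"], h == rx["y_d"]
    if not on_time:
        return "feedback_attacked"
    if eq_all and eq_real:
        return "no_attack_effect"                # mu had no effect, so (ii) and (iii) cannot differ
    if eq_all:
        return "attacker_not_intelligent"        # (i) and (ii): fused value came back untouched
    if eq_real:
        return "attacker_intelligent"            # (i) and (iii): attack effect was stripped
    return "feedback_attacked"                   # neither digest matches: eta altered y_w


def next_cycle_config(verdict: str) -> dict:
    """Simplification the description allows once the attacker is known to lack intelligence."""
    keep = verdict != "attacker_not_intelligent"
    return {"virtual_plant": keep, "signal_fusion": keep}


if __name__ == "__main__":
    sent = pack_feedback(10, 5000, 120)                 # constructed values
    samples = {
        "untouched": dict(sent),
        "effect removed": dict(sent, y_w=sent["y_w"] - 120),
        "altered by eta": dict(sent, y_w=sent["y_w"] + 77),
    }
    for name, rx in samples.items():
        verdict = classify_feedback(rx, recv_time=11)
        print(name, verdict, next_cycle_config(verdict))
```

Carrying two hidden digests is what lets the controller tell a packet that was left alone from one whose attack effect was removed in transit: each case matches exactly one of them.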

Claims (10)

1. An industrial network closed-loop control method with attack protection, characterized by comprising:
In the closed-loop control system, the controller transmits the control signal to the remote controlled object over the network; after receiving the control signal, the controlled object judges the similarities and differences of the control signal before and after transmission and screens whether the control signal has suffered attack or destruction by the hidden attack signal μ of the attacking system during transmission;
When the control signal is found to have been attacked or destroyed in transmission, the hidden attack signal μ and the true control information of the remote controlled object can be obtained, the true control information being the true control signal approximating the control signal;
The true control information is input into the remote controlled object to maintain normal operation of the whole industrial network control, and the measurement information of the controlled object working under the true control signal is obtained; the hidden attack signal μ is input into the virtual controlled object to simulate the operating condition of the whole industrial network control under attack, and the virtual measurement information of the virtual controlled object working under the hidden attack signal μ is obtained;
The measurement information of the controlled object working under the true control signal and the virtual measurement information of the virtual controlled object working under the hidden attack signal are fused to obtain fused information;
Before the fused information is returned to the controller, the similarities and differences of the fused information before and after transmission are judged to determine whether the fused information has suffered attack or destruction by the hidden attack signal η of the attacking system during the return;
When the fused information is judged to have been attacked or destroyed during the return, the hidden attack signal η and fused substitute information approximating the fused information can be obtained;
The fused substitute information is input into the controller, and the control signal of the next cycle is calculated.
2. The industrial network closed-loop control method with attack protection according to claim 1, characterized in that, before the fused information is returned to the controller, judging the similarities and differences of the fused information before and after transmission also makes it possible to judge whether the attacking system has intelligent characteristics; when the attacking system is judged to have no intelligence, the industrial network closed-loop control method of the next cycle is simplified as follows:
In the closed-loop control system, the controller transmits the control signal to the remote controlled object over the network; after receiving the control signal, the controlled object judges the similarities and differences of the control signal before and after transmission and screens whether the control signal has suffered attack or destruction by the hidden attack signal μ during transmission;
When the control signal is found to have been attacked or destroyed in transmission, the hidden attack signal μ and the true control information of the remote controlled object can be obtained, the true control information being the true control signal approximating the control signal;
The true control information is input into the remote controlled object to maintain normal operation of the whole industrial network control, and the measurement information of the controlled object working under the true control signal is obtained; the hidden attack signal μ is input into the virtual controlled object to simulate the operating condition of the whole industrial network control under attack, and the virtual measurement information of the virtual controlled object working under the hidden attack signal μ is obtained;
Before the measurement information of the remote controlled object working under the true control signal is returned to the controller, the similarities and differences of the measurement information before and after transmission are judged to determine whether the measurement information has suffered attack or destruction by the hidden attack signal η during the return;
When the measurement information is judged to have been attacked or destroyed during the return, the hidden attack signal η and measurement substitute information approximating the measurement information can be obtained;
The measurement substitute information is input into the controller, and the control signal of the next cycle is calculated.
3. The industrial network closed-loop control method with attack protection according to claim 2, characterized in that the composition of the control signal before transmission is designed as:
$S_c(k) = \{T_{stamp}(k), U_c^w(k), U_c^d(k)\}$
Wherein: $T_{stamp}(k)$ denotes the timestamp, denotes the control information actually used for control, and denotes the additional information used to verify , obtained with the hash function ;
Judging the similarities and differences of the control signal before and after transmission means judging the similarities and differences, before and after transmission, of the verification signal of the control signal that is transmitted with hidden coding.
4. The industrial network closed-loop control method with attack protection according to claim 3, characterized in that the hidden attack signal μ and the true control signal approximating the control signal are obtained as follows:
In the time period $[t_0, t_1, ..., t_r]$, the additional information sequence used to verify is . If the control information is attacked at time $t_s$ ($s < r$), the control signal transmitted at that time comprises the following three parts: , and the hidden attack signal μ; the coupled information obtained by the decryption operation is , and respectively. Here is obtained with the inverse function , and the information closest to $u_c(k)$ is obtained through , where denotes the value in the healthy historical database closest to . By querying the information of historical moments in the historical healthy database system, , the closest historical data $u_c(k-ih)$ is found and substituted for $u_c(k)$ at the current time as the input to the remote controlled object. Then is obtained by decryption; the relation now holds, and the hidden attack signal μ is separated by the algorithm .
5. The industrial network closed-loop control method with attack protection according to claim 4, characterized in that the true control signal $u_c(k-ih)$ is input into the remote controlled object to obtain the measurement information of the remote controlled object working under the true control signal ; the hidden attack signal μ is input into the virtual remote controlled object to obtain the virtual measurement information of the virtual remote controlled object working under the hidden attack signal μ .
6. The industrial network closed-loop control method with attack protection according to claim 5, characterized in that the composition of the fused information is:
$S_p(k) = \{T_{stamp}^{p}(k), Y_p^{w}(k), Y_p^{all-d}(k), Y_p^{d}(k)\}$
Wherein: is the timestamp of the output;
$Y_y^{all-d}(k) = Hash(Y_y^{w}(k) + Y_y^{\mu}(k))$
is the detection check information, obtained by the hash function operation ;
and are the ciphertext signals obtained by encrypting and separately with the encryption algorithm function F(·).
7. The industrial network closed-loop control method with attack protection according to claim 6, characterized in that the method of judging whether the attacking system has intelligence, by judging the similarities and differences of the fused information before and after transmission, comprises:
The composition of the fused information before transmission is:
The fused information after transmission and decryption is:
The following conditions are compared:
(i) $T_{stamp}^{p}(k) < \tilde{T}_{stamp}^{p}(k)$;
(ii) $Hash(\tilde{Y}_p^{w}(k)) = \tilde{Y}_p^{all-d}(k) \neq \tilde{Y}_p^{d}(k)$;
(iii) $Hash(\tilde{Y}_p^{w}(k)) = \tilde{Y}_p^{d}(k) \neq \tilde{Y}_p^{all-d}(k)$;
If conditions (i) and (ii) hold, it can be determined that the attacking system has no intelligence;
If conditions (i) and (iii) hold, it can be determined that the attacking system has intelligence.
8. a kind of with the counteroffensive industrial network closed loop framework for attacking protection and shielding, it is characterised in that including:Controller, Long-range controlled device, is arranged on the front end output feedback processing device of controller front end, is arranged on the rear end control of controller rear end System output fusion, coding processing unit, are arranged on the decoding of front end receiver signal, the processing unit of long-range controlled device front end, with And be arranged on long-range controlled device rear end rear end measurement output fusion, coding processing unit;Wherein:
Described rear end controlled output is merged, coding processing unit, and the timestamp that can complete control signal is formed, encrypts, counted According to encapsulation;Using plaintext and cryptographic combination coding control signal;
The described decoding of front end receiver signal, processing unit, including control signal attack detection module, control signal attack protection Module, hiding attack analog module;
Described control signal attack detection module, the similarities and differences according to control signal before and after remote transmission screen out control letter Whether number it is subjected to the attack or destruction of the hiding attack signal mu of attacking system in remote transmission;And judging control signal When being subjected to the attack or destruction of the hiding attack signal mu of attacking system in the transmission, start control signal and attack protection module;
Described control signal attacks protection module, for obtaining hiding attack signal mu and approximate with control signal long-range The true control information of controlled device, and resulting hiding attack signal mu is input into hiding attack analog module, true control The long-range controlled device of information input;
Described hiding attack analog module, with the model structure virtual controlled device approximate with long-range controlled device, passes through The hiding attack signal mu of input, the operating mode of the whole industrial network control under simulated strike state obtains virtual controlled device and exists Virtual measurement information when being worked under hiding attack signal mu;
Described long-range controlled device, by the true control information being input into, obtains long-range controlled device in true control information Metrical information during lower work;
Rear end measurement output is merged, coding processing unit, with signal fused module and data encryption coding package module;Letter Number Fusion Module, can be respectively completed output and virtual controlled device of the long-range controlled device under the control of true control information and exist The fusion treatment of the virtual measurement information under hiding attack signal mu;Data encryption encodes package module, and the data to being input into can Scrambled is completed to encapsulate, including timestamp is formed, encrypted, data are encapsulated, and believed using plaintext and cryptographic combination coding transmission Number;
Described front end output feedback processing device, including feedback information attack detection module, feedback information attack protection module;
Described feedback information attack detection module, according to feedback information before transmission after the similarities and differences, whether judge feedback information It is subjected to the attack or destruction of the hiding attack signal η of attacking system during passback;When judging that feedback information returning When being subjected to the attack or destruction of the hiding attack signal η of attacking system in journey, start feedback information and attack protection module;
The feedback information attacks protection module, true for obtaining hiding attack signal η and the feedback approximate with feedback information Real information;
The controller, by the feedback information being input into, with reference to control law, calculates the control signal in next cycle.
9. The industrial network closed-loop control architecture with attack protection according to claim 8, characterized in that the front-end output feedback processing device also includes an attacking-system intelligence judgment module, which makes its judgment according to the similarities and differences of the fused information before and after transmission; when this module judges that the attacking system has no intelligent monitoring module, then in the next cycle the hidden attack simulation module is closed in the control signal pre-processing unit; in the back-end measurement output fusion and encoding processing unit of the remote controlled object the signal fusion module is closed, and the measurement information of the remote controlled object working under the true control signal is used directly as the input of the feedback information attack detection module for detection and judgment.
10. The industrial network closed-loop control architecture with attack protection according to claim 9, characterized in that the composition of the control signal before transmission is designed as:
$S_c(k) = \{T_{stamp}(k), U_c^w(k), U_c^d(k)\}$
Wherein: $T_{stamp}(k)$ denotes the timestamp, denotes the control information actually used for control, and denotes the additional information used to verify , obtained with the hash function ;
The control signal attack detection module screens whether the control signal has suffered attack or destruction by the hidden attack signal μ in transmission by judging the similarities and differences, before and after transmission, of the verification signal of the control signal that is transmitted with hidden coding.
CN201611150778.6A 2016-12-14 2016-12-14 Industrial network closed-loop control method and system with intelligent attack protection function Active CN106878257B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611150778.6A CN106878257B (en) 2016-12-14 2016-12-14 Industrial network closed-loop control method and system with intelligent attack protection function

Publications (2)

Publication Number Publication Date
CN106878257A true CN106878257A (en) 2017-06-20
CN106878257B CN106878257B (en) 2021-04-27

Family

ID=59164600

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611150778.6A Active CN106878257B (en) 2016-12-14 2016-12-14 Industrial network closed-loop control method and system with intelligent attack protection function

Country Status (1)

Country Link
CN (1) CN106878257B (en)

Also Published As

Publication number Publication date
CN106878257B (en) 2021-04-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant