CN106998326A - Industrial control network behavior monitoring method, device and system
- Publication number
- CN106998326A (CN201710174219.7A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/18—Protocol analysers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
Abstract
The disclosure relates to an industrial control network behavior monitoring method, device and system in the field of information security technology. The method includes: obtaining network packets in an industrial control network; performing protocol matching on a network packet to identify its industrial protocol; performing deep parsing of the network packet according to that industrial protocol to obtain the packet's industrial protocol behavior data; and performing data analysis based on the industrial protocol behavior data and an industrial behavior model library to determine whether the industrial protocol behavior data is abnormal. The technical solution provided by the disclosure may offer the following benefits: on the one hand, it can monitor effectively, accurately and in real time whether abnormal behavior is present in the industrial control network and, if so, audit and locate it accurately, thereby improving the security of the industrial control network; on the other hand, it can monitor all behavior in the industrial control network in real time, achieving effective supervision.
Description
Technical field
The present disclosure relates to the field of information security technology, and in particular to an industrial control network behavior monitoring method, an industrial control network behavior monitoring device and an industrial control network behavior monitoring system.
Background
As the degree of industrial automation rises and the protocols used in industrial control networks diversify, the importance and security of industrial protocol networks are becoming increasingly prominent. Any abnormal operation can cause great losses.
The field of industrial control network security is currently still developing; in particular, abnormal behavior prediction lacks mature application solutions.
Summary of the invention
To overcome the problems in the related art, the present disclosure provides an industrial control network behavior monitoring method, device and system. According to a first aspect of the embodiments of the present disclosure, an industrial control network behavior monitoring method is provided, including: obtaining a network packet in the industrial control network; performing protocol matching on the network packet to identify the industrial protocol of the network packet; performing deep parsing of the network packet according to the industrial protocol to obtain the industrial protocol behavior data of the network packet; and performing data analysis based on the industrial protocol behavior data and an industrial behavior model library to determine whether the industrial protocol behavior data is abnormal.
According to a second aspect of the embodiments of the present disclosure, an industrial control network behavior monitoring device is provided, including: an acquisition module for obtaining a network packet in the industrial control network; a protocol identification module for performing protocol matching on the network packet to identify the industrial protocol of the network packet; a deep parsing module for performing deep parsing of the network packet according to the industrial protocol to obtain the industrial protocol behavior data of the network packet; and an anomaly analysis module for performing data analysis based on the industrial protocol behavior data and an industrial behavior model library to determine whether the industrial protocol behavior data is abnormal.
According to a third aspect of the embodiments of the present disclosure, an industrial control network behavior monitoring system is provided, including: a programmable controller for generating network packets in the industrial control network; a network device for transmitting the network packets; and the industrial control network behavior monitoring device of the embodiments of the present disclosure, which is connected to the network device.
The technical solutions provided by the embodiments of the present disclosure may offer the following benefits: a network behavior monitoring scheme suited to industrial control networks is provided. On the one hand, it can monitor effectively, accurately and in real time whether abnormal behavior is present in the industrial control network and, if so, audit and locate it accurately, thereby improving the security of the industrial control network (for example, by avoiding network attacks and intrusions); on the other hand, it can monitor all behavior in the industrial control network in real time, achieving effective supervision.
It should be understood that the general description above and the detailed description below are only exemplary and explanatory, and do not limit the present disclosure.
Brief description of the drawings
The accompanying drawings are incorporated into and form part of this specification. They show embodiments consistent with the present invention and, together with the specification, serve to explain the principles of the invention.
Fig. 1 is an architecture block diagram of an industrial control network behavior monitoring system according to an exemplary embodiment.
Fig. 2 is a flow chart of an industrial control network behavior monitoring method according to an exemplary embodiment.
Fig. 3 is a flow chart of an industrial control network behavior monitoring method according to an exemplary embodiment.
Fig. 4 is a flow chart of an industrial control network behavior monitoring method according to an exemplary embodiment.
Fig. 5 is a schematic diagram of an industrial control network behavior monitoring method according to an exemplary embodiment.
Fig. 6 is a structural block diagram of an industrial control network behavior monitoring device according to an exemplary embodiment.
Fig. 7 is a structural block diagram of an industrial control network behavior monitoring device according to an exemplary embodiment.
Fig. 8 is a structural block diagram of an industrial control network behavior monitoring device according to an exemplary embodiment.
Fig. 9 is a structural block diagram of an industrial control network behavior monitoring device according to an exemplary embodiment.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention. Rather, they are only examples of devices and methods consistent with some aspects of the invention as detailed in the appended claims.
Embodiment 1
Fig. 1 is an architecture block diagram of an industrial control network behavior monitoring system according to an exemplary embodiment. Referring to Fig. 1, the system can be used in an industrial control network. The industrial control network behavior monitoring system 1000 may include a programmable logic controller (PLC) 100 for generating network packets in the industrial control network; a network device 200 for transmitting the network packets; and the industrial control network behavior monitoring device 300 of the embodiments of the present disclosure. The network device 200 may be a device such as a network switch. The industrial control network behavior monitoring device 300 may be connected to the network device 200 directly or via a bypass (for example, the path connecting the switch and the PLC) in order to obtain the network packets in the industrial control network.
The industrial control network behavior monitoring device 300 can then perform industrial protocol identification on the obtained network packets to obtain the industrial protocol behavior data they contain, and perform data analysis based on that behavior data and the industrial behavior model library to determine whether the industrial protocol behavior data is abnormal. If the industrial protocol behavior data is determined to be abnormal, the data is reported (for example, to a system server) to prevent behavior that endangers system security, such as network attacks. If the data represents normal behavior, it can be recorded and stored so that the equipment can be supervised.
It should be understood that there may be multiple programmable logic controllers (PLC) 100 and network devices 200, not limited to the number shown in Fig. 1, and that the industrial control network behavior monitoring device 300 of the present disclosure can be integrated into an existing system server in the form of hardware or in the form of software. Alternatively, a dedicated identification device containing the above device can be configured to meet actual needs.
With the system of Embodiment 1, on the one hand, it is possible to monitor effectively, accurately and in real time whether abnormal behavior is present in the industrial control network and, if so, to audit and locate it accurately, thereby improving the security of the industrial control network (for example, by avoiding network attacks and intrusions); on the other hand, all behavior in the industrial control network can be monitored in real time, achieving effective supervision.
The industrial control network behavior monitoring method provided by the embodiments of the present disclosure is described in detail in the following embodiments. The method can be applied to the above industrial control network behavior monitoring device, or to a server or system configured with that device.
Embodiment 2
Fig. 2 is a flow chart of an industrial control network behavior monitoring method according to an exemplary embodiment. Referring to Fig. 2, the method can be applied to the industrial control network behavior monitoring device in the above system. As shown in Fig. 2, the method includes the following steps.
In step S11, a network packet in the industrial control network is obtained.
For example, network packets can be obtained from the channel between the above PLC and the network device in the industrial control network in order to start monitoring.
In step S12, protocol matching is performed on the network packet to identify the industrial protocol of the network packet.
For example, protocol matching can be performed according to the header of the network packet to identify its industrial protocol. For example, the industrial protocol of the network packet is identified as the PLC S7 protocol.
In step S13, deep parsing of the network packet is performed according to the industrial protocol to obtain the industrial protocol behavior data of the network packet.
For example, deep packet inspection (DPI) is used to parse the packet in depth according to the industrial protocol identified above, in order to extract the industrial protocol behavior data of the network packet. The industrial protocol behavior data may include the operation object information, the operation target information, the corresponding behavior information and the time-of-occurrence information of an industrial behavior. Continuing the example above, the identified industrial protocol is S7, and deep packet parsing can recover the specific behavior of the traffic in the industrial network, as shown in Table 1 below:
Table 1: Exemplary industrial protocol behavior data
Operation object information | Corresponding behavior information | Operation target information (value) | Behavior time-of-occurrence information |
Valve A | Open | 21 | 2015.9.6 |
Centrifuge A | Obtain rotation speed sample value | 40000 | 2015.9.6 |
Valve A | Open | 20 | 2015.9.7 |
Centrifuge A | Obtain rotation speed sample value | 41000 | 2015.9.7 |
Valve A | Open | 19 | 2015.9.8 |
Centrifuge A | Obtain rotation speed sample value | 39000 | 2015.9.8 |
Valve A | Open | 37 | 2015.9.9 |
Centrifuge A | Obtain rotation speed sample value | 40000 | 2015.9.9 |
It should be understood that the industrial protocol behavior data above is an exemplary, non-limiting example. Various kinds of industrial protocol behavior data can be obtained depending on the types of devices in different industrial control networks, and the present invention places no limit on this.
In step S14, data analysis is performed based on the industrial protocol behavior data and the industrial behavior model library to determine whether the industrial protocol behavior data is abnormal.
For example, the industrial protocol behavior data obtained above is analyzed against the modeling data in the industrial behavior model library to determine whether the industrial protocol behavior data is abnormal. More preferably, to further improve security, the method may also include: when the industrial protocol behavior data is determined to be abnormal, reporting the abnormal industrial protocol behavior data (for example, to a system server), so that behavior that endangers system security, such as network attacks, can be prevented in time.
With the method of Embodiment 2, on the one hand, it is possible to monitor effectively, accurately and in real time whether abnormal behavior is present in the industrial control network and, if so, to audit and locate it accurately, thereby improving the security of the industrial control network (for example, by avoiding network attacks and intrusions); on the other hand, all behavior in the industrial control network can be monitored in real time, achieving effective supervision.
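Steps S12 and S13 for the S7 case, as an added example that is not code from the patent: it matches S7comm by its TPKT/COTP/S7 header bytes, then parses a single-item Write Var job into an object/behavior/value record. The `TAGS` address-to-object map, the function names and the sample frame are assumptions constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ROSCTR = {1: "job", 2: "ack", 3: "ack_data", 7: "userdata"}
S7_FUNCTIONS = {0x04: "read_var", 0x05: "write_var", 0xF0: "setup_communication"}
AREA_DB = 0x84  # S7 memory-area code for data blocks

# Hypothetical site-specific tag map: (area, DB number, byte offset) -> (object, behavior).
TAGS = {(AREA_DB, 1, 0): ("Valve A", "open")}


@dataclass
class Behavior:
    protocol: str
    msg_type: str
    function: str
    pdu_ref: int
    obj: Optional[str] = None      # operation object, e.g. "Valve A"
    action: Optional[str] = None   # corresponding behavior, e.g. "open"
    value: Optional[int] = None    # operation target value


def identify_protocol(payload: bytes) -> Optional[str]:
    """Step S12: match on header bytes only (TPKT + COTP DT + S7 protocol id).

    Assumes one TPKT frame per TCP payload; anything else is left unidentified.
    """
    if len(payload) < 8 or payload[0] != 3 or payload[1] != 0:
        return None
    (tpkt_len,) = struct.unpack(">H", payload[2:4])
    if tpkt_len != len(payload):  # truncated or padded frame
        return None
    if payload[4] == 2 and payload[5] == 0xF0 and payload[7] == 0x32:
        return "s7comm"
    return None


def parse_s7comm(payload: bytes, tags: dict) -> Behavior:
    """Step S13: deep-parse an identified S7comm frame into behavior data."""
    s7 = payload[7:]  # skip 4-byte TPKT and 3-byte COTP DT headers
    if len(s7) < 10:
        raise ValueError("truncated S7 header")
    _pid, rosctr, _red, pdu_ref, plen, dlen = struct.unpack(">BBHHHH", s7[:10])
    hlen = 12 if rosctr in (2, 3) else 10  # acks carry two extra error bytes
    if len(s7) != hlen + plen + dlen:
        raise ValueError("S7 length fields disagree with frame size")
    params, data = s7[hlen:hlen + plen], s7[hlen + plen:]
    func = S7_FUNCTIONS.get(params[0], hex(params[0])) if params else "none"
    beh = Behavior("s7comm", ROSCTR.get(rosctr, "unknown"), func, pdu_ref)

    # Only a Write Var job with exactly one S7ANY-addressed item is decoded further.
    single_any_write = (rosctr == 1 and len(params) == 14
                        and params[:5] == b"\x05\x01\x12\x0a\x10")
    if single_any_write and len(data) >= 4:
        db, area = struct.unpack(">HB", params[8:11])
        byte_off = int.from_bytes(params[11:14], "big") >> 3  # address is in bits
        _rc, tsize, bits = struct.unpack(">BBH", data[:4])
        nbytes = bits // 8
        if tsize == 0x04 and nbytes and len(data) == 4 + nbytes:
            beh.value = int.from_bytes(data[4:], "big")
            beh.obj, beh.action = tags.get((area, db, byte_off), (None, None))
    return beh


def sample_write_frame(value: int = 21) -> bytes:
    """Constructed sample: Write Var job setting the word at DB1, byte 0 to `value`."""
    item = b"\x12\x0a\x10\x04" + struct.pack(">HHB", 1, 1, AREA_DB) + b"\x00\x00\x00"
    params = b"\x05\x01" + item
    data = b"\x00\x04" + struct.pack(">HH", 16, value)
    s7 = struct.pack(">BBHHHH", 0x32, 1, 0, 1, len(params), len(data)) + params + data
    cotp = b"\x02\xf0\x80"
    return b"\x03\x00" + struct.pack(">H", 4 + len(cotp) + len(s7)) + cotp + s7
```

The time-of-occurrence field of the behavior record would come from the capture timestamp, which this example leaves to the capture layer.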
Embodiment 3
Fig. 3 is a flow chart of an industrial control network behavior monitoring method according to an exemplary embodiment. Referring to Fig. 3, Embodiment 3 further provides exemplary method steps for building the industrial behavior model library used in step S14, which may include the following steps.
In step S21, multiple modeling network packets in the industrial control network are obtained.
For example, to build the model library, multiple modeling network packets must be obtained in advance from the channels between multiple PLCs and network devices in the industrial control network, to form the data basis of the library.
In step S22, protocol matching is performed on each modeling network packet of the multiple modeling network packets to identify the modeling industrial protocol of each modeling network packet.
For example, protocol matching can be performed according to the header of each modeling network packet to identify its industrial protocol. For example, the industrial protocol of a modeling network packet is identified as the PLC S7 protocol.
In step S23, deep parsing of each modeling network packet is performed according to its modeling industrial protocol to obtain multiple modeling industrial protocol behavior data of the multiple modeling network packets.
For example, deep packet parsing is performed according to the industrial protocol identified above to extract the modeling industrial protocol behavior data of the modeling network packet. The modeling industrial protocol behavior data may include the operation object information, the operation target information, the corresponding behavior information and the time-of-occurrence information of a modeled industrial behavior, for example as shown in Table 1 above.
In step S24, multiple industrial protocol behavior categories, and the trusted range corresponding to each industrial protocol behavior category, are determined according to an intelligent algorithm and the multiple modeling industrial protocol behavior data.
For example, the intelligent algorithm and the multiple modeling industrial protocol behavior data collected above are used to determine multiple industrial protocol behavior categories and the trusted range corresponding to each category. The intelligent algorithm may include at least one of association mining, sequence mining, a classification algorithm and a clustering algorithm. For example, the trusted range of the industrial protocol behavior category corresponding to valve opening can differ from the trusted range of the category corresponding to centrifuge speed.
In step S25, the multiple industrial protocol behavior categories and the trusted range corresponding to each industrial protocol behavior category are stored.
For example, N industrial protocol behavior categories and the trusted range corresponding to each are stored, where N is a positive integer greater than 1. For example, the industrial protocol behavior category for valve opening and its trusted range are stored, as are the industrial protocol behavior category for centrifuge speed and its trusted range, and so on.
It should be understood that the intelligent algorithms named in this disclosure are only examples that illustrate the inventive concept; other alternative algorithms that achieve the object of the invention likewise fall within the scope of protection of the invention.
With the method of Embodiment 3, the industrial behavior model library can be built accurately, providing the model basis for subsequent identification.
Embodiment 4
Figs. 4-5 show a flow chart of an industrial control network behavior monitoring method according to an exemplary embodiment. Referring to Fig. 4, Embodiment 4 further provides exemplary method steps for step S14, which may include the following steps:
In step S141, the industrial protocol behavior category in the industrial behavior model library that corresponds to the industrial protocol behavior data is determined according to the intelligent algorithm and the industrial protocol behavior data. For example, the intelligent algorithm can determine that the industrial protocol behavior category corresponding to the obtained industrial protocol behavior data is valve opening.
In step S142, the industrial protocol behavior data is compared with the trusted range corresponding to the determined industrial protocol behavior category. For example, continuing the example in the step above, the trusted range corresponding to valve opening is looked up in the industrial behavior model library, and the industrial protocol behavior data is then compared with that trusted range; that is, step S143 is performed to judge whether the data satisfies the trusted range.
In step S144, when the industrial protocol behavior data satisfies the trusted range, the industrial protocol behavior data is determined to be normal.
Conversely, in step S145, when the industrial protocol behavior data does not satisfy the trusted range, the industrial protocol behavior data is determined to be abnormal. For example, as shown in Fig. 5, the data in Table 1 above can be classified and clustered (using a clustering algorithm such as K-means), giving a trusted range for valve opening of 18-25. It can then be determined that the industrial protocol behavior data of the first three days is normal behavior, but the number of openings on the fourth day (2015.9.9) does not satisfy this trusted range, so the behavior on the fourth day can be determined to be abnormal: the industrial protocol behavior data is abnormal and needs to be reported to the system server for security monitoring or maintenance. Similarly, for monitoring of the centrifuge speed, the trusted range obtained by the above steps is 38-43; the industrial protocol behavior data of all four days is normal behavior and can be recorded according to the actual situation.
With the method of Embodiment 4, on the one hand, it is possible to monitor effectively, accurately and in real time whether abnormal behavior is present in the industrial control network and, if so, to audit and locate it accurately, thereby improving the security of the industrial control network (for example, by avoiding network attacks and intrusions); on the other hand, all behavior in the industrial control network can be monitored in real time, achieving effective supervision.
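The model-library build (steps S21-S25) and the trusted-range check (steps S141-S145) run over the Table 1 rows, as an added example that is not code from the patent. The patent leaves the intelligent algorithm open; this example assumes a median ± 3 scaled-MAD range per (object, behavior) category, so its ranges differ from the 18-25 and 38-43 quoted above, and the function names and the `unknown_category` verdict are hypothetical.

```python
from collections import defaultdict
from statistics import median

# Table 1 rows as (operation object, behavior, target value, date).
# "read_speed" is shorthand for "Obtain rotation speed sample value".
TABLE_1 = [
    ("Valve A", "open", 21, "2015.9.6"),
    ("Centrifuge A", "read_speed", 40000, "2015.9.6"),
    ("Valve A", "open", 20, "2015.9.7"),
    ("Centrifuge A", "read_speed", 41000, "2015.9.7"),
    ("Valve A", "open", 19, "2015.9.8"),
    ("Centrifuge A", "read_speed", 39000, "2015.9.8"),
    ("Valve A", "open", 37, "2015.9.9"),
    ("Centrifuge A", "read_speed", 40000, "2015.9.9"),
]


def build_model_library(records, k=3.0, min_samples=3):
    """Steps S24/S25: one category per (object, behavior), one trusted range each.

    Assumed algorithm: median +/- k * 1.4826 * MAD. Median and MAD are robust,
    so a single anomalous day inside the modeling data (the 37 in Table 1)
    does not stretch the range the way mean and standard deviation would.
    """
    grouped = defaultdict(list)
    for obj, behavior, value, _when in records:
        grouped[(obj, behavior)].append(value)

    library = {}
    for category, values in grouped.items():
        if len(values) < min_samples:
            continue  # too little data to trust a range for this category
        mid = median(values)
        mad = median(abs(v - mid) for v in values)
        # Floor the half-width so constant modeling data (MAD == 0) does not
        # produce a zero-width range that flags every later fluctuation.
        half = max(k * 1.4826 * mad, 0.05 * abs(mid), 1.0)
        library[category] = (mid - half, mid + half)
    return library


def classify(record, library):
    """Steps S141-S145: find the record's category, then test its trusted range."""
    obj, behavior, value, _when = record
    trusted = library.get((obj, behavior))
    if trusted is None:
        # Not covered by the patent text: behavior never seen during modeling.
        return "unknown_category"
    low, high = trusted
    return "normal" if low <= value <= high else "abnormal"


def find_reportable(records, library):
    """Return (record, verdict) for everything that is not normal behavior."""
    verdicts = ((r, classify(r, library)) for r in records)
    return [(r, v) for r, v in verdicts if v != "normal"]


if __name__ == "__main__":
    lib = build_model_library(TABLE_1)
    for category, (low, high) in lib.items():
        print(category, round(low, 1), round(high, 1))
    for record, verdict in find_reportable(TABLE_1, lib):
        print("report:", record, verdict)
```

On Table 1 this reports only the valve record of 2015.9.9, matching the outcome described in Embodiment 4.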
Embodiment 5
Fig. 6 is a structural block diagram of an industrial control network behavior monitoring device according to an exemplary embodiment. Referring to Fig. 6, the device may include an acquisition module 31, a protocol identification module 32, a deep parsing module 33 and an anomaly analysis module 34.
The acquisition module 31 is configured to obtain a network packet in the industrial control network.
The protocol identification module 32 is configured to perform protocol matching on the network packet to identify the industrial protocol of the network packet.
The deep parsing module 33 is configured to perform deep parsing of the network packet according to the industrial protocol to obtain the industrial protocol behavior data of the network packet.
The anomaly analysis module 34 is configured to perform data analysis based on the industrial protocol behavior data and the industrial behavior model library to determine whether the industrial protocol behavior data is abnormal.
Preferably, as shown in Fig. 7, the device may also include a sending module 35 configured to report abnormal industrial protocol behavior data when the industrial protocol behavior data is abnormal.
Figs. 8-9 are structural block diagrams of an industrial control network behavior monitoring device according to an exemplary embodiment. Referring to Fig. 8, the device may also include an industrial behavior model library 36.
The industrial behavior model library 36 may include: a modeling data acquisition unit 351, a modeling data protocol identification unit 352, a modeling data deep parsing unit 353, a modeling data determination unit 354 and a modeling data storage unit 355.
The modeling data acquisition unit 351 is configured to obtain multiple modeling network packets in the industrial control network.
The modeling data protocol identification unit 352 is configured to perform protocol matching on each modeling network packet of the multiple modeling network packets to identify the modeling industrial protocol of each modeling network packet.
The modeling data deep parsing unit 353 is configured to perform deep parsing of each modeling network packet according to its modeling industrial protocol to obtain multiple modeling industrial protocol behavior data of the multiple modeling network packets.
The modeling data determination unit 354 is configured to determine, according to an intelligent algorithm and the multiple modeling industrial protocol behavior data, multiple industrial protocol behavior categories and the trusted range corresponding to each industrial protocol behavior category.
The modeling data storage unit 355 is configured to store the multiple industrial protocol behavior categories and the trusted range corresponding to each industrial protocol behavior category.
More preferably, referring to Fig. 9, the anomaly analysis module 34 may include: a protocol category determination unit 341, a comparison unit 342 and an anomaly determination unit 343.
The protocol category determination unit 341 is used to determine, according to the intelligent algorithm and the industrial protocol behavior data, the industrial protocol behavior category in the industrial behavior model library that corresponds to the industrial protocol behavior data;
the comparison unit 342 is used to compare the industrial protocol behavior data with the trusted range corresponding to the determined industrial protocol behavior category; and
the anomaly determination unit 343 is used to determine that the industrial protocol behavior data is abnormal when the industrial protocol behavior data does not satisfy the trusted range.
With the device of Embodiment 5, on the one hand, it is possible to monitor effectively, accurately and in real time whether abnormal behavior is present in the industrial control network and, if so, to audit and locate it accurately, thereby improving the security of the industrial control network (for example, by avoiding network attacks and intrusions); on the other hand, all behavior in the industrial control network can be monitored in real time, achieving effective supervision.
With regard to the device in the above embodiment, the specific manner in which each module performs its operations has been described in detail in the embodiments of the method, and is not elaborated here.
Other embodiments of the present invention will readily occur to those skilled in the art after considering the specification and practicing the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of the invention that follow its general principles and include common knowledge or customary technical means in the art that are not disclosed in this disclosure. The specification and embodiments are to be regarded as exemplary only, with the true scope and spirit of the invention indicated by the following claims.
It should be understood that the invention is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes can be made without departing from its scope. The scope of the invention is limited only by the appended claims.
Claims (10)
1. a kind of industrial control network behavior monitoring method, it is characterised in that methods described includes:
Obtain the network bag in the industrial control network;
Agreement matching is carried out to the network bag, to recognize the industrial protocol of the network bag;
Deep analysis is carried out to the network bag according to the industrial protocol, to obtain the industrial protocol behavior number of the network bag
According to;And
Data analysis is carried out according to the industrial protocol behavioral data and industrial behavior model storehouse, to determine the industrial protocol row
It is whether abnormal for data.
2. according to the method described in claim 1, it is characterised in that methods described also includes:In the industrial protocol behavior number
In the case of according to exception, abnormal industrial protocol behavioral data is reported.
3. according to the method described in claim 1, it is characterised in that the industrial behavior model storehouse is set up according to following steps:
Obtain multiple modeled network bags in the industrial control network;
Agreement matching is carried out to each modeled network bag in the multiple modeled network bag, to recognize each described modeling
The modeling industrial protocol of network bag;
Deep analysis is carried out to modeled network bag each described according to the modeling industrial protocol respectively, it is the multiple to obtain
Multiple modeling industrial protocol behavioral datas of modeled network bag;
According to intelligent algorithm and the multiple modeling industrial protocol behavioral data, multiple industrial protocol behavior classifications are determined and right
Should be in the credible scope of each industrial protocol behavior classification;And
Store the multiple industrial protocol behavior classification and the credible scope corresponding to each industrial protocol behavior classification.
4. method according to claim 3, it is characterised in that described according to the industrial protocol behavioral data and industrial row
Data analysis is carried out for model library, to determine whether the industrial protocol behavioral data is abnormal, including:
According to intelligent algorithm and the industrial protocol behavioral data, determine the industrial protocol behavioral data in the industrial behavior
Corresponding industrial protocol behavior classification in model library;
The industrial protocol behavioral data credible scope corresponding with identified industrial protocol behavior classification is compared;With
And
In the case where the industrial protocol behavioral data is unsatisfactory for the credible scope, the industrial protocol behavioral data is determined
It is abnormal.
5. method according to claim 4, it is characterised in that the intelligent algorithm includes association mining, sequential mining, divided
At least one of class algorithm and clustering algorithm.
6. The method according to claim 5, characterized in that the industrial protocol behavior data includes operation object information of the industrial behavior, operation target information, corresponding behavior information, and behavior occurrence time information, and the modeling industrial protocol behavior data includes operation object information of the modeled industrial behavior, operation target information, corresponding behavior information, and behavior occurrence time information.
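A minimal sketch of the model-building steps of claim 3 and the check of claim 4, using the four record fields of claim 6. It is an added example, not code from the patent; the exact-match classifier, the interval-based credible range, and all names and sample records are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Behavior:
    """One parsed industrial protocol behavior record (fields from claim 6)."""
    obj: str       # operation object, e.g. the station issuing the command
    target: str    # operation target, e.g. a PLC and register
    action: str    # behavior information, e.g. the protocol function
    time: float    # behavior occurrence time, in seconds

def category_of(b):
    # Stand-in classifier (assumption): exact match on object/target/action.
    return (b.obj, b.target, b.action)

def build_model(training, margin=0.5):
    """Claim 3: derive behavior categories and a credible range for each.

    The credible range here is the interval between consecutive occurrences
    of a category, widened by `margin` (an assumed form of the range)."""
    times = defaultdict(list)
    for b in sorted(training, key=lambda r: r.time):
        times[category_of(b)].append(b.time)
    model = {}
    for cat, ts in times.items():
        gaps = [t2 - t1 for t1, t2 in zip(ts, ts[1:])]
        if gaps:  # a category seen only once gives no interval to learn from
            model[cat] = (min(gaps) * (1 - margin), max(gaps) * (1 + margin))
    return model

class Monitor:
    """Claim 4: classify each record, then compare with the credible range."""
    def __init__(self, model):
        self.model, self.last_seen = model, {}

    def check(self, b):
        cat = category_of(b)
        if cat not in self.model:
            return "anomalous: unknown behavior category"
        prev, self.last_seen[cat] = self.last_seen.get(cat), b.time
        if prev is None:
            return "ok"  # first sighting, no interval to compare yet
        lo, hi = self.model[cat]
        gap = b.time - prev
        if lo <= gap <= hi:
            return "ok"
        return f"anomalous: interval {gap:.1f}s outside [{lo:.1f}, {hi:.1f}]"

# Constructed sample data: an HMI polls one PLC register about every 10 s.
TRAINING = [Behavior("hmi-1", "plc-1/reg40001", "read", t) for t in (0, 10, 20, 31, 40)]
```

A record whose category was never learned is reported as anomalous outright, which is the stricter reading of "does not satisfy the credible range".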
7. An industrial control network behavior monitoring device, characterized in that the device includes:
An acquisition module, for obtaining a network packet in the industrial control network;
A protocol identification module, for performing protocol matching on the network packet to identify the industrial protocol of the network packet;
A deep analysis module, for performing deep analysis on the network packet according to the industrial protocol to obtain the industrial protocol behavior data of the network packet; and
An anomaly analysis module, for performing data analysis according to the industrial protocol behavior data and an industrial behavior model library to determine whether the industrial protocol behavior data is abnormal.
8. The device according to claim 7, characterized in that the device also includes an industrial behavior model library, the industrial behavior model library including:
A modeling data acquisition unit, for obtaining multiple modeling network packets in the industrial control network;
A modeling data protocol identification unit, for performing protocol matching on each modeling network packet of the multiple modeling network packets to identify the modeling industrial protocol of each modeling network packet;
A modeling data deep analysis unit, for performing deep analysis on each modeling network packet according to its respective modeling industrial protocol to obtain multiple modeling industrial protocol behavior data of the multiple modeling network packets;
A modeling data determining unit, for determining, according to an intelligent algorithm and the multiple modeling industrial protocol behavior data, multiple industrial protocol behavior categories and the credible range corresponding to each industrial protocol behavior category; and
A modeling data storage unit, for storing the multiple industrial protocol behavior categories and the credible range corresponding to each industrial protocol behavior category.
9. The device according to claim 8, characterized in that the anomaly analysis module also includes:
A protocol category determining unit, for determining, according to an intelligent algorithm and the industrial protocol behavior data, the industrial protocol behavior category in the industrial behavior model library to which the industrial protocol behavior data corresponds;
A comparing unit, for comparing the industrial protocol behavior data with the credible range corresponding to the determined industrial protocol behavior category; and
An abnormality determining unit, for determining that the industrial protocol behavior data is abnormal in the case where the industrial protocol behavior data does not satisfy the credible range.
10. An industrial control network behavior monitoring system, characterized in that the system includes:
A programmable controller, for generating the network packet in the industrial control network;
A network device, for transmitting the network packet; and
The industrial control network behavior monitoring device according to any one of claims 7-9, the industrial control network behavior monitoring device being connected to the network device.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710174219.7A CN106998326A (en) | 2017-03-22 | 2017-03-22 | Industrial control network behavior monitoring method, device and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106998326A (en) | 2017-08-01 |
Family
ID=59431279
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||