CN107493265B - A kind of network security monitoring method towards industrial control system - Google Patents
A kind of network security monitoring method towards industrial control system
- Publication number
- CN107493265B (application CN201710605143.9A)
- Authority
- CN
- China
- Prior art keywords
- information
- control system
- network
- industrial control
- analysis
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/02—Standardisation; Integration
- H04L41/0213—Standardised network management protocols, e.g. simple network management protocol [SNMP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/16—Threshold monitoring
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Environmental & Geological Engineering (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention discloses a network security monitoring method for industrial control systems, comprising the following steps: collect information about the monitored objects inside the industrial control system; perform security analysis on the collected information; when the analysis finds potentially abnormal behaviour, generate the corresponding security control command and issue it to the relevant monitored object for execution, thereby blocking the abnormal behaviour. By collecting rich data from the core networked devices of the industrial control system, the invention monitors in real time the main security risk behaviours of industrial control systems, such as peripheral access, personnel operations and external network connections; at the same time, by analysing these behaviours, abnormal behaviour is discovered and blocked in time, achieving genuine active defence of the industrial control system. Given that conventional security protection measures are difficult to apply effectively to industrial control systems, the invention addresses the main security threats that industrial control systems currently face from the angle of monitoring and early warning.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a network security monitoring method for industrial control systems.
Background technology
Industrial control systems based on acquisition, monitoring and control are widely used in electric power, petrochemicals, transportation, metallurgy and other industries to automate industrial control. Typical industrial control systems include SCADA (Supervisory Control And Data Acquisition), DCS (Distributed Control System) and PLC (Programmable Logic Controller) systems. With the increasing integration of industrialisation and informatisation in China, and the wide use of computer and network communication technology in industrial control systems, traditional industrial control systems have gradually lost their former closed and proprietary nature, and standard, general-purpose communication protocols and hardware and software systems are used ever more widely. While industrial control systems raise their level of automation and informatisation, they also face growing security threats. The industrial control security incidents that have occurred frequently in recent years have sounded the alarm.
Compared with conventional IT systems, industrial control systems, because of special requirements such as real-time performance, reliability and continuity of operation, rarely take security into account at the design stage; in use, anti-virus and anti-Trojan software is seldom installed and system vulnerability patches are seldom applied, so industrial control systems are highly susceptible to infection by viruses and Trojans. In the day-to-day operation and maintenance of industrial control systems, the use of removable storage media such as USB flash drives and optical discs, and the use of vendor maintenance laptops, often become the window through which viruses and Trojans are introduced.
In response, some industries have, from the management side, strengthened control over the use of removable storage media and maintenance laptops in industrial control systems, for example by removing unnecessary USB interfaces and optical drives from the industrial control system and using dedicated maintenance laptops for secure maintenance. These management measures have had a good effect, but problems remain: they make day-to-day operation and maintenance inconvenient, there are places the management measures cannot reach, and deliberate violations by personnel cannot be restrained.
For this reason, the day-to-day operation and maintenance of industrial control systems needs to be supervised technically over the whole process, to prevent viruses and Trojans from being introduced through misuse of removable storage media or through the use of an infected maintenance laptop, and also to provide data support for subsequent audit and tracing.
Invention content
In view of the above drawbacks of the prior art, the technical problem to be solved by the invention is to provide a network security monitoring method for industrial control systems, so as to overcome the deficiencies of the prior art.
The network security monitoring method for industrial control systems of the present invention comprises the following steps:
Step 1: collect information about the monitored objects inside the industrial control system;
Step 2: perform security analysis on the collected information;
Step 3: when the analysis finds potentially abnormal behaviour, generate the corresponding security control command and issue it to the relevant monitored object for execution, blocking the abnormal behaviour.
In step 1, the monitored objects comprise three classes: network devices, security devices and host devices. Network devices include industrial control switches; security devices include firewalls, gateway isolation devices and VPN encryption devices; host devices include monitoring hosts, communication gateway machines, servers and workstations.
In step 1, the collected information is divided by severity, from high to low, into four classes: urgent, important, common and general.
In step 1, the collected information is divided by type into six classes: access information, login information, operation information, status information, network connection information and security event information. Access information comprises the connection of removable storage devices and the access of laptops via the network. Login information comprises local and remote login information for all monitored objects, including successful logins, failed logins and logouts. Operation information refers to the operation commands executed after logging in to host devices and network devices via a remote terminal, together with the echoed results of those commands. Status information comprises CPU utilisation, memory utilisation, disk space utilisation and network interface traffic. Network connection information refers to the TCP/UDP connections present on a host device to external parties. Security event information refers to the security events detected by the security devices.
The removable storage devices above include USB flash drives, removable hard disks, USB optical drives, USB network adapters, mobile phones and optical discs.
In step 1, the monitored objects support information collection via SNMP, SYSLOG and a custom proprietary protocol.
In step 2, the security analysis comprises statistical analysis, anomaly detection and correlation analysis. Statistical analysis counts the collected information by information source, information type, importance level, daily volume and monthly volume. Anomaly detection means detecting access anomalies, login anomalies, operation anomalies, status anomalies, external network connection anomalies and abnormal security events: an access anomaly is the connection of a removable storage device or laptop that is not on the whitelist; a login anomaly is a login whose number of consecutive failures exceeds a defined threshold; an operation anomaly is the execution of a defined dangerous operation command, or the modification of the content or permissions of a defined controlled directory or controlled file; a status anomaly is CPU utilisation, memory utilisation, disk space utilisation or network interface traffic exceeding a defined threshold; an external network connection anomaly is the appearance of a network connection outside the range permitted by the security policy; an abnormal security event is an access event that violates the access control policy, or a hacker attack. Correlation analysis means analysing the associations between discrete pieces of collected information and finding the relationships between them.
The security analysis proceeds specifically as follows:
(2-1) de-duplicate, clean, classify and format the collected information;
(2-2) compile overall statistics of the collected information by information source, information type, importance level, daily volume and monthly volume;
(2-3) perform anomaly detection: according to the type of the collected information, detect whether the information is abnormal; if it is not abnormal and its importance level is general, return to step (2-1), otherwise go to step (2-4);
(2-4) perform correlation analysis: from the perspectives of clustering and time sequence, correlate the current single piece of event information with the other collected and detected event information, identify the behaviour sequence to which the current event belongs, and add the event to that behaviour sequence;
(2-5) search the knowledge base and perform threat analysis on the behaviour sequence; if the analysis finds no threat and the behaviour sequence has ended, delete the behaviour sequence and return to step (2-1); if no threat has yet been identified and the behaviour sequence has not ended, return to step (2-1) and continue; if the behaviour sequence is identified as abnormal or threatening, go to step (2-6);
(2-6) raise a security alarm and initiate the subsequent security control command.
In step 3, security control commands can be issued in several ways, including via SNMP and via the custom proprietary protocol.
In step 3, the methods of blocking abnormal behaviour include the following: disabling the USB interface to which a suspicious removable storage device is connected; shutting down the switch port to which the maintenance laptop is connected; preventing the execution of dangerous operation commands; disconnecting suspicious login connections; and adding access control policies to block unauthorised access.
The beneficial effects of the invention are as follows:
By collecting rich data from the core networked devices of the industrial control system, the invention monitors in real time the main security risk behaviours of industrial control systems, such as peripheral access, personnel operations and external network connections; at the same time, by analysing these behaviours, abnormal behaviour is discovered and blocked in time, achieving genuine active defence of the industrial control system. Given that conventional security protection measures are difficult to apply effectively to industrial control systems, the method of the invention addresses the main security threats that industrial control systems currently face from the angle of monitoring and early warning.
The design of the invention, its specific structure and the technical effect it produces are described further below with reference to the drawings, so that the purpose, features and effects of the invention are fully understood.
Description of the drawings
Fig. 1 is the structural diagram of the invention.
Fig. 2 is the flow chart of the security analysis of the invention.
Specific implementation mode
As shown in Fig. 1, a network security monitoring method for industrial control systems comprises the following steps:
Step 1: collect information about the monitored objects inside the industrial control system;
Step 2: perform security analysis on the collected information;
Step 3: when the analysis finds potentially abnormal behaviour, generate the corresponding security control command and issue it to the relevant monitored object for execution, blocking the abnormal behaviour.
In this embodiment, the monitored objects comprise three classes: network devices, security devices and host devices. Network devices refer to industrial control switches. Switch information such as network interface status is obtained by active SNMP polling, and security events generated by the switch, such as interface up and interface down access events, illegal MAC address access events and user logins to the switch, are received as SNMP traps. The industrial control switch needs security modification to support the collection of this information.
Security devices comprise firewalls, gateway isolation devices and VPN encryption devices. Security device information is collected via standard SYSLOG, including user logins to the security device, violations of the access control policy, attack information and configuration changes. The security devices need security modification to support the collection of this information.
Host devices comprise monitoring hosts, communication gateway machines and workstations. Host information is collected by installing an agent on the host; the agent reports its information via the custom proprietary protocol. The information collected by the agent mainly includes user logins to the host, illegal external connections, user operation commands and their echoed output, USB hot-plug events for removable storage devices and mobile phones, dangerous operations, and so on. The agent supports Linux, Unix, Windows and the other operating systems commonly found on host devices in industrial control systems.
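The three collection paths above deliver three different shapes of data (SNMP trap varbinds from switches, syslog lines from security devices, agent reports from hosts), so the first thing the analysis needs is a normaliser that maps all of them onto the six information types and four severity classes and removes duplicates, which is what step (2-1) of the method calls for. The following Python is an added example and not code from the patent: the syslog layout, the trap varbind names, the agent's JSON field vocabulary and the severity mapping are all assumptions made for illustration, and the sample records at the bottom are constructed, not captured. One practical caveat the patent does not discuss: if the switches are polled and later commanded over SNMP, that channel should be SNMPv3 with authentication and privacy rather than v1/v2c community strings, because the monitoring channel otherwise becomes an unauthenticated control path into the plant network.

```python
"""Normalise SNMP trap, syslog and agent records into one event format (step 2-1).
Added example; formats and severity mapping are assumptions, not the patent's."""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The four severity classes of step 1, highest first.
SEVERITY_RANK = {"urgent": 4, "important": 3, "common": 2, "general": 1}


@dataclass
class Event:
    source: str                     # monitored-object class: network, security or host
    host: str                       # monitored object the event concerns
    etype: str                      # access, login, operation, status, connection, secevent
    severity: str                   # urgent, important, common, general
    ts: str                         # timestamp exactly as the source reported it
    fields: Dict[str, str] = field(default_factory=dict)

    def key(self) -> Tuple[str, ...]:
        # Identity used for de-duplication; two identical reports collapse to one.
        return (self.source, self.host, self.etype, self.ts, json.dumps(self.fields, sort_keys=True))


# Assumed BSD-style syslog from a firewall: "<PRI>Mmm dd hh:mm:ss host tag: message".
SYSLOG_RE = re.compile(r"^<\d+>(\w{3} +\d+ [\d:]+) (\S+) (\S+?): (.*)$")


def parse_syslog(line: str) -> Event:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unparseable syslog line: %r" % line)
    ts, host, tag, msg = m.groups()
    low = msg.lower()
    if "login" in low or "logout" in low:
        etype, sev = "login", ("common" if ("success" in low or "logout" in low) else "important")
    elif "denied" in low or "attack" in low:
        etype, sev = "secevent", ("urgent" if "attack" in low else "important")
    elif "config" in low:
        etype, sev = "operation", "important"
    else:
        etype, sev = "secevent", "general"
    return Event("security", host, etype, sev, ts, {"tag": tag, "msg": msg})


def parse_trap(host: str, varbinds: Dict[str, str]) -> Event:
    """SNMP trap from an industrial switch. Symbolic varbind names are assumed here;
    a real receiver keys on the numeric trap OID."""
    trap = varbinds.get("snmpTrapOID", "")
    ts = varbinds.get("ts", "")
    if trap in ("linkUp", "linkDown"):
        return Event("network", host, "access", "common", ts,
                     {"ifIndex": varbinds.get("ifIndex", "?"), "state": trap})
    if trap == "illegalMacAccess":
        return Event("network", host, "secevent", "important", ts,
                     {"ifIndex": varbinds.get("ifIndex", "?"), "mac": varbinds.get("mac", "?")})
    if trap == "userLogin":
        return Event("network", host, "login", "common", ts, {"user": varbinds.get("user", "?")})
    return Event("network", host, "secevent", "general", ts, dict(varbinds))


# Agent report "kind" -> (information type, severity). Vocabulary assumed for illustration.
AGENT_KINDS = {
    "usb_plug": ("access", "important"), "login": ("login", "common"),
    "login_fail": ("login", "important"), "cmd": ("operation", "common"),
    "status": ("status", "general"), "conn": ("connection", "common"),
}


def parse_agent(payload: str) -> Event:
    rec = json.loads(payload)
    etype, sev = AGENT_KINDS[rec["kind"]]
    extra = {k: str(v) for k, v in rec.items() if k not in ("host", "kind", "ts")}
    return Event("host", rec["host"], etype, sev, str(rec["ts"]), extra)


def normalise(raw: List[Tuple[str, object]]) -> List[Event]:
    """Parse every raw record, drop exact duplicates, order by severity (stable)."""
    seen, out = set(), []
    for kind, item in raw:
        ev = parse_syslog(item) if kind == "syslog" else parse_trap(*item) if kind == "trap" else parse_agent(item)
        if ev.key() in seen:
            continue
        seen.add(ev.key())
        out.append(ev)
    out.sort(key=lambda e: -SEVERITY_RANK[e.severity])
    return out


# Constructed sample records (not real captures); the second syslog line duplicates the first.
SAMPLE = [
    ("syslog", "<134>Jul 24 09:12:01 fw-1 kernel: policy denied tcp 10.1.1.8:51000 -> 203.0.113.5:443"),
    ("syslog", "<134>Jul 24 09:12:01 fw-1 kernel: policy denied tcp 10.1.1.8:51000 -> 203.0.113.5:443"),
    ("trap", ("sw-1", {"snmpTrapOID": "linkUp", "ifIndex": "7", "ts": "09:11:58"})),
    ("agent", '{"host":"ws-3","kind":"usb_plug","ts":"09:11:40","vid_pid":"0781:5567","serial":"4C530001"}'),
    ("agent", '{"host":"ws-3","kind":"status","ts":"09:12:00","cpu":"21","mem":"48"}'),
]

if __name__ == "__main__":
    for ev in normalise(SAMPLE):
        print(ev.severity, ev.source, ev.host, ev.etype, ev.fields)
```

The de-duplication key deliberately includes the source timestamp, so a repeated policy-denied line within the same second collapses to one event while the same denial a minute later is kept as a new one; the agent's USB serial is preserved in `fields` because the whitelist check in step 2 needs it.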
In this embodiment, the collected information comprises access information, login information, operation information, status information, network connection information and security event information. Access information comprises the connection of removable storage devices and the access of computer equipment such as laptops via the network. Login information comprises local and remote login information for all monitored objects, including successful logins, failed logins and logouts. Operation information refers to the operation commands executed after logging in to host devices and network devices via a remote terminal, together with the echoed results of those commands. Status information comprises CPU utilisation, memory utilisation, disk space utilisation and network interface traffic. Network connection information refers to the TCP/UDP connections present on a host device to external parties. Security event information refers to the security events detected by the security devices, including access that violates the access control policy and attack alarms.
In this embodiment, removable storage devices include USB flash drives, removable hard disks, USB optical drives, USB network adapters, mobile phones and optical discs.
In this embodiment, the monitored objects support information collection in several ways: via SNMP, via SYSLOG and via the custom proprietary protocol.
In this embodiment, the security analysis of step 2 comprises statistical analysis, anomaly detection and correlation analysis. A network attack usually appears as a combination of many different individual behaviours along an attack chain, and a mistake at any one link may cause the attack to fail. By collecting and analysing these individual behaviours, their latent associations can be discovered and the possible attack inferred, which provides the basis for cutting off the attack chain in time and preventing the attack from succeeding.
By collecting the various kinds of security-related information on peripheral access, personnel operations, external network connections and so on, the method of the invention provides the data basis for further analysis. By correlating access, login, operation, status, network connection and security event information, the behaviour of a user or of malicious code is profiled and compared with historical behaviour, so that abnormal behaviour can be recognised.
As shown in Fig. 2, the specific security analysis flow of the method is as follows:
1) pre-process the collected information: de-duplicate, clean, classify and format it;
2) perform statistical analysis, compiling overall statistics of the collected information along dimensions such as information source, information type, importance level, daily volume and monthly volume;
3) perform anomaly detection: according to the type of the collected information, detect whether the information is abnormal; if it is not abnormal and its importance level is general, return to step 1), otherwise go to step 4);
4) perform correlation analysis: from the perspectives of clustering and time sequence, correlate the current single piece of event information with the other collected and detected event information, identify the behaviour sequence to which the current event belongs, and add the event to that behaviour sequence;
5) search the knowledge base and perform threat analysis on the behaviour sequence; if the analysis finds no threat and the behaviour sequence has ended, delete the behaviour sequence and return to step 1); if no threat has yet been identified and the behaviour sequence has not ended, return to step 1) and continue; if the behaviour sequence is identified as abnormal or threatening, go to step 6);
6) raise a security alarm and initiate the subsequent security control command.
In this embodiment, step 3 generates security control commands and issues them to the relevant monitored objects for execution. The commands can be issued in several ways, including via SNMP and via the custom proprietary protocol.
In this embodiment, the methods by which step 3 blocks abnormal behaviour include the following: disabling the USB interface to which a suspicious removable storage device is connected; shutting down the switch port to which the maintenance laptop is connected; preventing the execution of dangerous operation commands; disconnecting suspicious login connections; and adding access control policies to block unauthorised access.
For different monitored objects, different security control commands are issued in different ways. For network devices, a command is issued via SNMP to shut down the switch port to which the suspicious device is connected. For security devices, an access control policy is issued via the custom proprietary protocol to block the unauthorised access. For host devices, commands such as disconnecting the login connection, temporarily disabling the suspicious account, temporarily disabling the USB interface and blocking the execution of a dangerous operation are issued via the custom proprietary protocol to the agent on the host, which executes them.
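Steps 3) to 6) of the analysis flow and the per-object command dispatch of step 3 are easiest to see end to end. The following Python is an added example and not the patent's own implementation: it applies one detection rule per information type (whitelist, consecutive-failure threshold, dangerous command or controlled directory, status limits, permitted-connection policy), keeps a behaviour sequence per host in time order, matches the sequence against a small knowledge base of ordered anomaly patterns, and, when a pattern matches, builds the control command for the class of monitored object the triggering event came from. All thresholds, whitelists, knowledge-base patterns, command names and proprietary-protocol fields are assumptions chosen for illustration, and the event stream at the bottom is constructed. The event dictionaries use the six information types and four severity classes defined in the text. A caveat the patent leaves implicit: a channel that can shut down switch ports and kill sessions is itself a denial-of-service lever, so the command path must be authenticated and the knowledge base must not fire on a single low-severity event.

```python
"""Anomaly detection, behaviour-sequence correlation, knowledge-base lookup and
control-command generation for one event stream. Added example; every policy
value, pattern and command name below is an assumption, not the patent's."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional

# Policy the detection rules consult (values assumed for illustration).
USB_WHITELIST = {"4C530001"}                               # approved removable-device serials
LOGIN_FAIL_THRESHOLD = 5                                   # consecutive failures tolerated
DANGEROUS_CMDS = ("rm -rf", "mkfs", "dd if=", "shutdown")  # defined dangerous operation commands
CONTROLLED_DIRS = ("/etc/scada/", "/opt/hmi/config/")      # defined controlled directories
STATUS_LIMITS = {"cpu": 90, "mem": 90, "disk": 95, "if_mbps": 800}
ALLOWED_CONNS = [(ipaddress.ip_network("10.1.1.0/24"), 502),   # Modbus/TCP inside the plant LAN
                 (ipaddress.ip_network("10.1.2.0/24"), 102)]   # IEC 61850 MMS inside the plant LAN

# Knowledge base: anomaly labels that, in this order within one host's behaviour
# sequence, are treated as a threat (patterns assumed, not taken from the patent).
KNOWLEDGE_BASE = {
    "removable-media-malware": ("access_anomaly", "operation_anomaly"),
    "bruteforce-then-beacon": ("login_anomaly", "external_connection_anomaly"),
}


class SecurityAnalyzer:
    def __init__(self) -> None:
        self.fail_counts: Dict[str, int] = defaultdict(int)        # consecutive login failures per host
        self.sequences: Dict[str, List[Dict]] = defaultdict(list)  # behaviour sequence per host

    def detect(self, ev: Dict) -> Optional[str]:
        """Step 3): classify one event by its type; returns the anomaly label or None."""
        host, t = ev["host"], ev["type"]
        if t == "access":
            return None if ev.get("serial") in USB_WHITELIST else "access_anomaly"
        if t == "login":
            self.fail_counts[host] = (self.fail_counts[host] + 1) if ev["result"] == "fail" else 0
            return "login_anomaly" if self.fail_counts[host] > LOGIN_FAIL_THRESHOLD else None
        if t == "operation":
            hit = any(d in ev["cmd"] for d in DANGEROUS_CMDS) or ev.get("path", "").startswith(CONTROLLED_DIRS)
            return "operation_anomaly" if hit else None
        if t == "status":
            return "status_anomaly" if any(ev.get(k, 0) > v for k, v in STATUS_LIMITS.items()) else None
        if t == "connection":
            dst = ipaddress.ip_address(ev["dst"])
            ok = any(dst in net and ev["dport"] == port for net, port in ALLOWED_CONNS)
            return None if ok else "external_connection_anomaly"
        if t == "secevent":
            return "security_event_anomaly"
        return None

    def correlate(self, ev: Dict, label: str) -> List[Dict]:
        """Step 4): add the event to its host's behaviour sequence, kept in time order."""
        seq = self.sequences[ev["host"]]
        seq.append(dict(ev, label=label))
        seq.sort(key=lambda e: e["ts"])
        return seq

    def threat_lookup(self, seq: List[Dict]) -> Optional[str]:
        """Step 5): match the sequence's labels against each pattern as an ordered subsequence."""
        labels = [e["label"] for e in seq]
        for name, pattern in KNOWLEDGE_BASE.items():
            it = iter(labels)
            if all(any(lbl == p for lbl in it) for p in pattern):
                return name
        return None

    def process(self, ev: Dict) -> Optional[Dict]:
        """Steps 3) to 6) for one event; returns the control command when a threat is found."""
        label = self.detect(ev)
        if label is None and ev.get("severity", "general") == "general":
            return None                                  # normal and unimportant: back to step 1)
        seq = self.correlate(ev, label or "normal")
        threat = self.threat_lookup(seq)
        if threat is None:
            if ev["type"] == "login" and ev["result"] == "logout":
                del self.sequences[ev["host"]]           # sequence ended without a threat
            return None
        del self.sequences[ev["host"]]                   # step 6): alarm; sequence is consumed
        return build_command(ev, threat)


def build_command(ev: Dict, threat: str) -> Dict:
    """Step 3 of the method: the control command for the monitored-object class of the
    triggering event. Command names and proprietary-protocol fields are assumed."""
    base = {"alarm": threat, "target": ev["host"]}
    if ev["source"] == "network":   # SNMP SET ifAdminStatus.<ifIndex> = down(2) on the offending port
        return dict(base, via="snmp", oid="1.3.6.1.2.1.2.2.1.7.%s" % ev["ifindex"], value=2)
    if ev["source"] == "security":  # push a deny rule to the firewall over the proprietary protocol
        return dict(base, via="proprietary", action="add_acl", deny=ev.get("dst", "any"))
    action = {"access": "disable_usb", "operation": "block_command"}.get(ev["type"], "kill_session")
    return dict(base, via="proprietary", action=action, user=ev.get("user"))


# Constructed stream for one workstation: unknown USB stick, then a dangerous command.
SAMPLE_EVENTS = [
    {"host": "ws-3", "source": "host", "type": "access", "ts": 100, "severity": "important", "serial": "DEADBEEF", "user": "op1"},
    {"host": "ws-3", "source": "host", "type": "status", "ts": 105, "severity": "general", "cpu": 20, "mem": 40},
    {"host": "ws-3", "source": "host", "type": "login", "ts": 110, "severity": "common", "result": "success", "user": "op1"},
    {"host": "ws-3", "source": "host", "type": "operation", "ts": 120, "severity": "common", "cmd": "dd if=/dev/sdb of=/opt/hmi/config/hmi.bin", "user": "op1"},
]


def run(events: List[Dict]) -> List[Dict]:
    """Feed events through the analyzer and collect the control commands it issues."""
    an = SecurityAnalyzer()
    return [cmd for cmd in (an.process(e) for e in events) if cmd is not None]


if __name__ == "__main__":
    for cmd in run(SAMPLE_EVENTS):
        print(cmd)
```

On the sample stream the status event is dropped at step 3) as normal and general, the successful login is retained in the sequence as context because its severity is common, and the `dd` command completes the "removable-media-malware" pattern, so a block_command order for ws-3 is returned. The ordered-subsequence match is what lets unrelated normal events sit between the steps of an attack chain without breaking detection.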
The above method monitors and manages in real time the main security threats faced inside current industrial control systems. Without making major security modifications to the inside of the industrial control system, it can significantly raise the system's internal security protection level and effectively resist virus and Trojan attacks. In addition, the method is highly general and can be applied to industrial control systems in many industries, such as electric power, petrochemicals, transportation and metallurgy.
The preferred embodiments of the invention have been described in detail above. It should be understood that those skilled in the art can make many modifications and variations based on the concept of the invention without creative work. Therefore, all technical solutions that those skilled in the art can obtain on the basis of the prior art through logical analysis, reasoning or limited experimentation under the concept of the invention shall fall within the scope of protection defined by the claims.
Claims (8)
1. A network security monitoring method for industrial control systems, characterised in that it comprises the following steps:
Step 1: collecting information about the monitored objects inside the industrial control system;
Step 2: performing security analysis on the collected information;
Step 3: when the analysis finds potentially abnormal behaviour, generating the corresponding security control command and issuing it to the relevant monitored object for execution, blocking the abnormal behaviour;
wherein in step 2 the security analysis comprises statistical analysis, anomaly detection and correlation analysis; the statistical analysis counts the collected information by information source, information type, importance level, daily volume and monthly volume; the anomaly detection detects access anomalies, login anomalies, operation anomalies, status anomalies, external network connection anomalies and abnormal security events; an access anomaly is the connection of a removable storage device or laptop that is not on the whitelist; a login anomaly is a login whose number of consecutive failures exceeds a defined threshold; an operation anomaly is the execution of a defined dangerous operation command, or the modification of the content or permissions of a defined controlled directory or controlled file; a status anomaly is CPU utilisation, memory utilisation, disk space utilisation or network interface traffic exceeding a defined threshold; an external network connection anomaly is the appearance of a network connection outside the range permitted by the security policy; an abnormal security event is an access event that violates the access control policy, or a hacker attack; the correlation analysis analyses the associations between discrete pieces of collected information and finds the relationships between them;
and wherein the security analysis proceeds specifically as follows:
(2-1) de-duplicating, cleaning, classifying and formatting the collected information;
(2-2) compiling overall statistics of the collected information by information source, information type, importance level, daily volume and monthly volume;
(2-3) performing anomaly detection: according to the type of the collected information, detecting whether the information is abnormal; if it is not abnormal and its importance level is general, returning to step (2-1), otherwise going to step (2-4);
(2-4) performing correlation analysis: from the perspectives of clustering and time sequence, correlating the current single piece of event information with the other collected and detected event information, identifying the behaviour sequence to which the current event belongs, and adding the event to that behaviour sequence;
(2-5) searching the knowledge base and performing threat analysis on the behaviour sequence; if the analysis finds no threat and the behaviour sequence has ended, deleting the behaviour sequence and returning to step (2-1); if no threat has yet been identified and the behaviour sequence has not ended, returning to step (2-1) and continuing; if the behaviour sequence is identified as abnormal or threatening, going to step (2-6);
(2-6) raising a security alarm and initiating the subsequent security control command.
2. The network security monitoring method for industrial control systems of claim 1, characterised in that: in step 1, the monitored objects comprise three classes: network devices, security devices and host devices; the network devices include industrial control switches, the security devices include firewalls, gateway isolation devices and VPN encryption devices, and the host devices include monitoring hosts, communication gateway machines, servers and workstations.
3. The network security monitoring method for industrial control systems of claim 1, characterised in that: in step 1, the collected information is divided by severity, from high to low, into four classes: urgent, important, common and general.
4. The network security monitoring method for industrial control systems of claim 1, characterised in that: in step 1, the collected information is divided by type into six classes: access information, login information, operation information, status information, network connection information and security event information; the access information comprises the connection of removable storage devices and the access of laptops via the network; the login information comprises local and remote login information for all monitored objects, including successful logins, failed logins and logouts; the operation information refers to the operation commands executed after logging in to host devices and network devices via a remote terminal, together with the echoed results of those commands; the status information comprises CPU utilisation, memory utilisation, disk space utilisation and network interface traffic; the network connection information refers to the TCP/UDP connections present on a host device to external parties; the security event information refers to the security events detected by the security devices.
5. The network security monitoring method for industrial control systems of claim 4, characterised in that: the removable storage devices include USB flash drives, removable hard disks, USB optical drives, USB network adapters, mobile phones and optical discs.
6. The network security monitoring method for industrial control systems of claim 1, characterised in that: in step 1, the monitored objects support information collection via SNMP, via SYSLOG and via a custom proprietary protocol.
7. The network security monitoring method for industrial control systems of claim 1, characterised in that: in step 3, the security control commands can be issued in several ways, including via SNMP and via the custom proprietary protocol.
8. a kind of network security monitoring method towards industrial control system as described in claim 1, it is characterised in that:Step
In three, the method for blocking abnormal behaviour includes following several:It disables the connect USB interface of suspicious movable storage device, close O&M
The port for the interchanger that notebook is connect prevents risky operation instruction execution, disconnects suspect login connection, addition access control plan
Slightly prevent unauthorized access.
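As an added worked example (not code from the patent or its applicant), the following Python models the loop of steps (2-3) to (2-6) of claim 1 together with the severity classes of claim 3, the information types of claim 4 and the blocking actions of claim 8. The anomaly thresholds, the coarse event tags, the knowledge-base patterns, the 300-second idle window after which a behaviour sequence is treated as ended, and the sample events are all assumptions made for this illustration; the patent does not specify any of them.

```python
"""Toy model of steps (2-3) to (2-6): per-type anomaly detection, correlation of
events into per-host behaviour sequences, knowledge-base threat analysis, and the
alarm plus follow-up control order.  Added illustration; every threshold, tag,
rule and sample event below is an assumption, not something the patent states."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SEVERITY = {"urgent": 3, "important": 2, "common": 1, "general": 0}  # claim 3
RISKY_COMMANDS = {"reboot", "shutdown", "mkfs", "rm"}                  # assumed list
STATUS_LIMIT = {"cpu": 90.0, "mem": 90.0, "disk": 95.0, "net": 80.0}   # assumed, percent


@dataclass
class Event:
    host: str       # monitoring object (claim 2)
    kind: str       # one of the six information types of claim 4
    severity: str   # one of the four classes of claim 3
    detail: str     # type-specific payload, see classify()
    ts: int         # seconds since an arbitrary epoch


def classify(ev: Event) -> tuple[str, bool]:
    """Step (2-3): per-type anomaly test. Returns (coarse tag, abnormal?)."""
    k, d = ev.kind, ev.detail
    if k == "access":           # "usb" or "laptop" (claims 4, 5)
        return f"access:{d}", True      # any new device in a control zone counts as abnormal
    if k == "login":            # "login_success", "login_failed", "logout"
        return f"login:{d}", d == "login_failed"
    if k == "operation":        # command entered after a remote login
        risky = d.split()[0] in RISKY_COMMANDS
        return ("operation:risky" if risky else "operation:normal"), risky
    if k == "status":           # "cpu=97", "mem=40", ... (utilisation in percent)
        name, _, value = d.partition("=")
        return f"status:{name}", float(value) > STATUS_LIMIT.get(name, 100.0)
    if k == "network":          # e.g. "tcp:203.0.113.9:443", a peer outside the control network
        return "network:external", True
    if k == "security_event":   # already flagged by a firewall or isolation gateway
        return f"security_event:{d}", True
    raise ValueError(f"unknown information type {k!r}")


# Assumed knowledge base for step (2-5): ordered tag patterns, the threat they indicate,
# and the management-and-control order of step (2-6) taken from the actions of claim 8.
KNOWLEDGE_BASE = [
    (("login:login_failed",) * 3 + ("login:login_success",),
     "brute-force login", "disconnect suspect login connection"),
    (("access:usb", "operation:risky"),
     "risky operation after removable media access", "disable USB interface"),
    (("login:login_success", "network:external"),
     "external connection after remote login", "add access control policy"),
]


def is_subsequence(pattern, tags) -> bool:
    """True if every pattern element occurs in tags in order (gaps allowed)."""
    it = iter(tags)
    return all(p in it for p in pattern)


class Monitor:
    def __init__(self, window: int = 300):
        self.window = window                        # idle seconds after which a sequence ends
        self.sequences = defaultdict(list)          # host -> [(tag, ts), ...]
        self.alarms = []

    def process(self, ev: Event) -> Optional[dict]:
        tag, abnormal = classify(ev)
        # (2-3): a normal event of merely general importance goes straight back to collection.
        if not abnormal and SEVERITY[ev.severity] == SEVERITY["general"]:
            return None
        # (2-4): correlate with the host's open behaviour sequence.
        seq = self.sequences[ev.host]
        if seq and ev.ts - seq[-1][1] > self.window:
            seq.clear()                             # previous sequence ended without a threat
        seq.append((tag, ev.ts))
        # (2-5): threat analysis of the sequence against the knowledge base.
        tags = [t for t, _ in seq]
        for pattern, threat, order in KNOWLEDGE_BASE:
            if is_subsequence(pattern, tags):
                seq.clear()
                # (2-6): security alarm plus the follow-up control order.
                alarm = {"host": ev.host, "threat": threat, "order": order, "ts": ev.ts}
                self.alarms.append(alarm)
                return alarm
        if tag == "login:logout":                   # sequence ended, nothing found: delete it
            seq.clear()
        return None


def run_demo() -> list:
    """Feed constructed sample events through the monitor; returns the alarms raised."""
    m = Monitor()
    sample = [                                      # constructed, not captured data
        Event("hmi-01", "status", "general", "cpu=35", 0),
        Event("hmi-01", "login", "important", "login_failed", 10),
        Event("hmi-01", "login", "important", "login_failed", 20),
        Event("hmi-01", "status", "general", "mem=40", 25),
        Event("hmi-01", "login", "important", "login_failed", 30),
        Event("hmi-01", "login", "common", "login_success", 40),
        Event("eng-ws-02", "access", "urgent", "usb", 100),
        Event("eng-ws-02", "operation", "important", "reboot", 160),
    ]
    for ev in sample:
        m.process(ev)
    return m.alarms


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

Two design points follow the claim text. The correlation key is the monitoring object (host), and the knowledge base is matched on ordered subsequences rather than contiguous runs, so routine status polls interleaved with a login sequence do not break the match. A sequence is dropped when it goes idle past the window or ends with a logout without matching anything, which is the "no threat and sequence ended" branch of step (2-5); a successful match resets the sequence so the same events are not alarmed twice.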
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710605143.9A CN107493265B (en) | 2017-07-24 | 2017-07-24 | A kind of network security monitoring method towards industrial control system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710605143.9A CN107493265B (en) | 2017-07-24 | 2017-07-24 | A kind of network security monitoring method towards industrial control system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107493265A CN107493265A (en) | 2017-12-19 |
CN107493265B true CN107493265B (en) | 2018-11-02 |
Family
ID=60644738
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710605143.9A Active CN107493265B (en) | 2017-07-24 | 2017-07-24 | A kind of network security monitoring method towards industrial control system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107493265B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3933519A1 (en) * | 2020-06-26 | 2022-01-05 | Kabushiki Kaisha Yaskawa Denki | Production system, production method, and program |
Families Citing this family (24)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108183920B (en) * | 2018-01-23 | 2020-08-11 | 北京网藤科技有限公司 | Defense method of industrial control system malicious code defense system |
CN110224970B (en) | 2018-03-01 | 2021-11-23 | 西门子公司 | Safety monitoring method and device for industrial control system |
CN108696391A (en) * | 2018-05-10 | 2018-10-23 | 浙江八方电信有限公司 | One kind being applied to mobile network optimization and alerts Time Series Clustering algorithm |
CN108712425A (en) * | 2018-05-21 | 2018-10-26 | 南京南瑞集团公司 | A kind of analysis monitoring and managing method towards industrial control system network security threats event |
WO2020014181A1 (en) * | 2018-07-09 | 2020-01-16 | Siemens Aktiengesellschaft | Knowledge graph for real time industrial control system security event monitoring and management |
CN108931968B (en) * | 2018-07-25 | 2021-07-20 | 安徽三实信息技术服务有限公司 | Network security protection system applied to industrial control system and protection method thereof |
CN109150869B (en) * | 2018-08-14 | 2021-06-04 | 南瑞集团有限公司 | Switch information acquisition and analysis system and method |
CN109474620A (en) * | 2018-12-17 | 2019-03-15 | 杭州安恒信息技术股份有限公司 | The quickly method, apparatus and electronic equipment of protection internet security love scene |
CN109462621A (en) * | 2019-01-10 | 2019-03-12 | 国网浙江省电力有限公司杭州供电公司 | Network safety protective method, device and electronic equipment |
CN109922055A (en) * | 2019-02-26 | 2019-06-21 | 深圳市信锐网科技术有限公司 | A kind of detection method, system and the associated component of risk terminal |
CN110011973B (en) * | 2019-03-06 | 2021-08-03 | 浙江国利网安科技有限公司 | Industrial control network access rule construction method and training system |
CN110505215B (en) * | 2019-07-29 | 2021-03-30 | 电子科技大学 | Industrial control system network attack coping method based on virtual operation and state conversion |
CN110661339A (en) * | 2019-10-10 | 2020-01-07 | 四川洪辉电力科技有限公司 | Method for monitoring running state of monitoring host of transformer substation |
CN110933064B (en) * | 2019-11-26 | 2023-10-03 | 云南电网有限责任公司信息中心 | Method and system for determining user behavior track |
CN110809009A (en) * | 2019-12-12 | 2020-02-18 | 江苏亨通工控安全研究院有限公司 | Two-stage intrusion detection system applied to industrial control network |
CN111031062B (en) * | 2019-12-24 | 2020-12-15 | 四川英得赛克科技有限公司 | Industrial control system panoramic perception monitoring method, device and system with self-learning function |
CN111786822A (en) * | 2020-06-17 | 2020-10-16 | 许昌许继软件技术有限公司 | Remote management method for internet protocol shutdown |
CN111698267B (en) * | 2020-07-02 | 2022-07-26 | 厦门力含信息技术服务有限公司 | Information security testing system and method for industrial control system |
CN112187914A (en) * | 2020-09-24 | 2021-01-05 | 上海思寒环保科技有限公司 | Remote control robot management method and system |
CN112543289A (en) * | 2020-10-29 | 2021-03-23 | 中国农业银行股份有限公司福建省分行 | AI (artificial intelligence) video point counting method, device, equipment and medium for pig breeding |
CN112419130B (en) * | 2020-11-17 | 2024-02-27 | 北京京航计算通讯研究所 | Emergency response system and method based on network security monitoring and data analysis |
CN112799358B (en) * | 2020-12-30 | 2022-11-25 | 上海磐御网络科技有限公司 | Industrial control safety defense system |
CN113191917B (en) * | 2021-03-09 | 2023-04-07 | 中国大唐集团科学技术研究院有限公司 | Power plant industrial control system network security threat classification method based on radial basis function algorithm |
CN115001877B (en) * | 2022-08-08 | 2022-12-09 | 北京宏数科技有限公司 | Big data-based information security operation and maintenance management system and method |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3145130B1 (en) * | 2014-06-18 | 2019-02-27 | Nippon Telegraph and Telephone Corporation | Network system, communication control method, and communication control program |
CN106209826A (en) * | 2016-07-08 | 2016-12-07 | 瑞达信息安全产业股份有限公司 | A kind of safety case investigation method of Network Security Device monitoring |
CN106627102A (en) * | 2017-02-10 | 2017-05-10 | 中国第汽车股份有限公司 | Wheel hub motor driving device |
2017
- 2017-07-24 CN CN201710605143.9A patent/CN107493265B/en active Active
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3933519A1 (en) * | 2020-06-26 | 2022-01-05 | Kabushiki Kaisha Yaskawa Denki | Production system, production method, and program |
JP7147807B2 (en) | 2020-06-26 | 2022-10-05 | 株式会社安川電機 | Engineering device, host control device, engineering method, processing execution method, and program |
Also Published As
Publication number | Publication date |
---|---|
CN107493265A (en) | 2017-12-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107493265B (en) | A kind of network security monitoring method towards industrial control system | |
CN106982235B (en) | IEC 61850-based electric power industry control network intrusion detection method and system | |
CN108931968B (en) | Network security protection system applied to industrial control system and protection method thereof | |
WO2020087781A1 (en) | External connection type terminal protection device and protection system | |
EP3151152B1 (en) | Non-intrusive software agent for monitoring and detection of cyber security events and cyber-attacks in an industrial control system | |
KR101375813B1 (en) | Active security sensing device and method for intrusion detection and audit of digital substation | |
CN214306527U (en) | Gas pipe network scheduling monitoring network safety system | |
KR101880162B1 (en) | Method for Control Signals Verifying Integrity Using Control Signals Analysis in Automatic Control System | |
CN108712425A (en) | A kind of analysis monitoring and managing method towards industrial control system network security threats event | |
CN106803037A (en) | A kind of software security means of defence and device | |
CN111835680A (en) | Safety protection system of industry automatic manufacturing | |
CN113438249B (en) | Attack tracing method based on strategy | |
CN115314286A (en) | Safety guarantee system | |
CN114666088A (en) | Method, device, equipment and medium for detecting industrial network data behavior information | |
Feng et al. | Snort improvement on profinet RT for industrial control system intrusion detection | |
CN114124450A (en) | Network security system and method for remote storage battery capacity checking | |
Zhang et al. | Investigating the impact of cyber attacks on power system reliability | |
CN106534110B (en) | Trinity transformer substation secondary system safety protection system framework system | |
KR101871406B1 (en) | Method for securiting control system using whitelist and system for the same | |
CN111885020A (en) | Network attack behavior real-time capturing and monitoring system with distributed architecture | |
CN111898167A (en) | External terminal protection equipment and protection system including identity information verification | |
CN111885179B (en) | External terminal protection device and protection system based on file monitoring service | |
CN114398642A (en) | Enterprise economic management information safety system | |
CN112565246A (en) | Network anti-attack system and method based on artificial intelligence | |
CN210444303U (en) | Network protection test system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||