CN107508831A - Bus-based intrusion detection method - Google Patents

Publication number
CN107508831A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710856697.6A
Other languages
Chinese (zh)
Other versions
CN107508831B (en)
Inventor
何道敬
高甲豪
郑佳佳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
East China Normal University
Original Assignee
East China Normal University
Application filed by East China Normal University
Priority to CN201710856697.6A
Publication of CN107508831A
Application granted
Publication of CN107508831B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The invention discloses a bus-based intrusion detection method, comprising: collecting bus data: monitoring and collecting the data transmitted on the bus; extracting bus features: using the operating principle of the bus, extracting from the collected bus data bus features such as the frequency with which a subsystem uses the bus and the subsystem's bus reputation; bus anomaly detection: submitting the extracted features to a pre-established bus anomaly detector. If the message is legal, the message is allowed to pass; otherwise an intrusion event is generated and submitted to an intrusion event filter. If the intrusion detection filter can filter out this intrusion event, the message is allowed to pass; otherwise the bus stops transmitting the message and the intrusion is prevented. The invention can detect attacks between multiple subsystems and can effectively resist replay attacks, forged-subsystem attacks, denial of service and other attacks.

Description

Bus-based intrusion detection method
Technical field
The invention belongs to the technical field of intrusion detection, and in particular relates to an intrusion detection method that uses extracted bus features and bus anomaly detection to resist replay attacks, forged-subsystem attacks and denial-of-service attacks.
Background
At present, security problems in the industrial control field are increasingly serious. Because infrastructure equipment is built from cyber-physical systems, every effort should be made to protect the security of cyber-physical systems in order to ensure the normal operation of national infrastructure.
The design of cyber-physical systems is increasingly complex, and a single-system design can no longer meet growing demands. Modules with the same function are integrated into an independent subsystem that can complete the corresponding function on its own. Subsystems are combined efficiently using buses such as 1553B, gradually forming an integrated electronic system in which a data control center and the functional subsystems cooperate with one another over the bus.
Shared-bus communication is essentially broadcast communication: all subsystems on the bus share the communication channel, and each subsystem decides from the communication protocol alone whether a message is addressed to it. Therefore, to secure communication between the subsystems on the bus, preventing message replay and message forgery is a very important security measure. Under normal circumstances every subsystem can listen to the messages transmitted on the bus. If a backdoor program was implanted in a subsystem by an attacker when the subsystem was integrated, that subsystem can monitor the communication data between other subsystems and can forge communication when needed, causing other subsystems to process the forged communication and achieving the purpose of the attack. Traditional intrusion detection methods are classified by the data they inspect into host-based intrusion detection systems and network intrusion detection systems, but neither can resist intrusions carried out by subsystems communicating over the bus in this new environment. Host-based detection inspects the audit log of a host. When subsystems work together, each subsystem is equivalent to a host, and the subsystems and the control center form a command/response system. So even if host-based detection were applied to every subsystem, a subsystem that detects an intrusion must wait for a command from the control center, and the control center therefore cannot learn of the subsystem's intrusion status immediately. Network-based detection inspects the network packets exchanged between hosts. In an environment where subsystems cooperate, communication between subsystems goes over the bus and does not involve network communication, so a network intrusion detection system does not apply here.
Summary of the invention
The object of the invention is to overcome the shortcomings and deficiencies of the prior art by providing a bus-based intrusion detection method that uses bus features to detect and resist replay attacks, forged-subsystem attacks and denial-of-service attacks. While inheriting the efficiency and robustness of the shared bus protocol, it provides security protection for bus message transmission.
The invention provides a bus-based intrusion detection method comprising the following stages:
Bus data collection stage: monitor and collect the data transmitted on the bus;
Bus feature extraction stage: using the operating principle of the bus, extract bus features from the collected bus data;
Bus anomaly detection stage: submit the extracted features to a pre-established bus anomaly detector. If the message is legal, the message is allowed to pass; otherwise an intrusion event is generated and submitted to the intrusion event filter. If the intrusion detection filter can filter out this intrusion event, the message is allowed to pass; otherwise the bus stops transmitting the message and the intrusion is prevented.
In the bus-based intrusion detection method proposed by the invention, the bus data collection stage comprises the following step:
Step A1: monitor and collect bus transmission data: monitor the bus in real time and record the data each subsystem transmits on the bus and the time for which the subsystem uses the bus.
In the bus-based intrusion detection method proposed by the invention, the bus feature extraction stage comprises the following steps:
Step B1: using the operating principle of the bus and according to the bus protocol, extract the message duration, message length, mode code, message data, message time interval and message frequency;
Step B2: extract the bus features: extract the subsystem's bus frequency and bus reputation.
In the bus-based intrusion detection method proposed by the invention, for the extraction of bus features in step B2, the subsystem's bus frequency is calculated from the number of messages the subsystem sends over the bus and the transmission time of those messages, and the subsystem's bus reputation is calculated from the subsystem's bus frequency and the time for which it uses the bus when sending messages.
In the bus-based intrusion detection method proposed by the invention, the bus anomaly detection stage comprises the following steps:
Step C1: the pre-established anomaly detector checks whether the subsystem bus frequency, message frequency, message length and message data fall within the anomaly detector's detection range. If they do not, this is an intrusion detection event and step C4 is performed; if they do, step C2 is performed;
Step C2: the pre-established anomaly detector checks whether the mode code is in the anomaly detector's mode code whitelist. If it is not, this is an intrusion detection event and step C4 is performed; if it is, step C3 is performed;
Step C3: the pre-established anomaly detector checks whether the subsystem bus reputation is within the anomaly detector's bus reputation threshold. If it is not, this is an intrusion detection event and step C4 is performed; if it is, there is no intrusion and the message is transmitted successfully;
Step C4: submit the intrusion event to the intrusion filter: the behavior flagged as an intrusion event is recorded as a nine-tuple <subsystem, message duration, message length, mode code, message data, message time interval, message frequency, subsystem bus frequency, subsystem bus reputation>, and this nine-tuple is submitted to the intrusion detection filter. If the intrusion detection filter can filter out this intrusion event, the message is allowed to pass; otherwise the bus stops transmitting the message and the intrusion is prevented.
In the bus-based intrusion detection method proposed by the invention, for the check in step C3 of whether the subsystem bus reputation reaches the threshold, the threshold is calculated from each subsystem's use of the bus under normal conditions.
In the bus-based intrusion detection method proposed by the invention, the filtering performed by the intrusion event filter in step C4 comprises the following steps:
Step D1: normalize the nine-tuple features of the intrusion event;
Step D2: evaluate the nine-tuple features of the intrusion event submitted by the intrusion detector using a machine learning algorithm;
Step D3: verify the legitimacy of the nine-tuple feature values. If they are not within the range accepted by the machine learning algorithm, this is an intrusion event and the bus refuses to transmit the message; otherwise there is no intrusion and the message is transmitted successfully.
In the bus-based intrusion detection method proposed by the invention, the machine learning algorithm used in step D2 to evaluate the intrusion event features is the K-nearest neighbors (KNN) algorithm.
The inventive contribution of the present invention is:
Bus-based intrusion detection is proposed, using the nine-tuple <subsystem, message duration, message length, mode code, message data, message time interval, message frequency, subsystem bus frequency, subsystem bus reputation> to represent the features of the bus. From normal bus audit records, the normal value range of each feature item is computed. A communication that falls outside a normal value range is provisionally recorded as an intrusion event and submitted to the intrusion filter. If the event is filtered out, it is not a real intrusion; otherwise it is recorded as a real intrusion. If all features are within their normal ranges, there is no intrusion.
The beneficial effects of the present invention are:
1) Normal communication between subsystems can be ensured: subsystems transmit messages over the bus, and bus-based intrusion detection can detect abnormal use of the bus by a subsystem. When an abnormal condition is detected, the subsystem's right to use the bus is blocked.
2) Forged-subsystem attacks can be resisted: anomaly detection on message duration, message time interval and message length is used to detect forged-subsystem attacks on the bus. When a forged-subsystem attack occurs, because the bus is a broadcast medium, the real subsystem also receives the message, so both the forged subsystem and the real subsystem respond. The reply to the same command therefore becomes longer, which reveals the forged-subsystem attack.
3) Denial-of-service attacks can be resisted: bus usage is checked against the normal range of the frequency at which a subsystem sends messages, which prevents one subsystem from carrying out a denial-of-service attack on another.
4) Low false alarm rate: after the bus anomaly detector detects an anomaly, the intrusion event is first submitted to the intrusion detection filter, which uses the KNN algorithm to decide whether the detected event is a real intrusion event, thereby reducing the false alarm rate.
Brief description of the drawings
Fig. 1 is a flow chart of the invention;
Fig. 2 is a structure diagram of the bus anomaly detector of the invention;
Fig. 3 is a structure diagram of the intrusion detection filter of the invention.
Detailed description
The invention is described in further detail below with reference to the drawings and specific embodiments. Except for the content specifically mentioned below, the procedures, conditions and experimental methods for implementing the invention are general and common knowledge in the field, and the invention places no particular limitation on them.
The technical terms used in the invention have the following meanings:
W denotes a minimal communication unit (word) in bus communication;
M denotes one complete communication (message) in bus communication;
Wi denotes the i-th word of a message;
As shown in Fig. 1, the bus-based intrusion detection method of the invention comprises the following three stages:
First stage: bus data collection: monitor and collect the data transmitted on the bus;
Second stage: bus feature extraction: using the operating principle of the bus, extract bus features from the collected bus data;
Third stage: bus anomaly detection: submit the extracted features to a pre-established bus anomaly detector. If the message is legal, the message is allowed to pass; otherwise an intrusion event is generated and submitted to the intrusion event filter, which is used to filter intrusion events. If the intrusion detection filter can filter out this intrusion event, the message is allowed to pass; otherwise the bus stops transmitting the message and the intrusion is prevented.
The first stage comprises the following step:
Step A1: monitor and collect bus transmission data: monitor the bus in real time and record the bus transmission data (message M) and the transmission time; a message M consists of W1, W2, ..., Wn.
In step A1, recording the bus transmission data and transmission time means recording specific time points: once bus transmission data is detected, the start time T1 and the end time T2 of the transmission are recorded.
The second stage comprises the following steps:
Step B1: using the operating principle of the bus and according to the bus protocol, extract the message duration T, message length L, mode code F, message data D, message time interval I and message frequency Mf;
Step B2: extract the bus features: extract the subsystem's bus frequency Bf and bus reputation C.
In step B2, the subsystem's bus reputation (Confidence) is calculated as follows:
In unit time T, the subsystem has used the bus n times; the i-th use of the bus is normal; the k-th use of the bus is abnormal; C represents the abnormal weight. If the subsystem's bus frequency and the time for which it uses the bus when sending a message are within the normal range, the use of the bus is normal; otherwise it is abnormal.
The third stage comprises the following steps:
Step C1: the pre-established anomaly detector checks whether the message duration T, message length L, message data D, message time interval I, message frequency Mf and subsystem bus frequency Bf fall within the anomaly detector's detection range; if not, this is an intrusion detection event. Because the measured values checked here have an operating range bounded by upper and lower limits, the check uses the following formula:
where MV(i) (i = T, L, D, I, Mf, Bf) denotes the individual measured values and e(i) (i = T, L, D, I, Mf, Bf) denotes the error of each measured value. If a measured value is outside the expected range, step C4 is performed; if it is within the anomaly detector's detection range, step C2 is performed;
Step C2: the pre-established anomaly detector checks whether the mode code is in the anomaly detector's mode code whitelist; if not, this is an intrusion detection event. Because mode code checking is a per-subsystem whitelist policy, it is verified using the following formula:
where $F_{wl}(j)$ is the subsystem mode code whitelist and j denotes the subsystem. If the detected mode code F is not in that subsystem's mode code whitelist, step C4 is performed; if it is in the anomaly detector's mode code whitelist, step C3 is performed;
Step C3: the pre-established anomaly detector checks whether the subsystem bus reputation is within the anomaly detector's bus reputation threshold; the bus reputation is verified using the following formula:
If the subsystem bus reputation is below the threshold, step C4 is performed; if it is within the anomaly detector's bus reputation threshold, there is no intrusion and the message is transmitted successfully;
Step C4: submit the intrusion event to the intrusion detection filter: the behavior flagged as an intrusion event is recorded as a nine-tuple <subsystem, message duration, message length, mode code, message data, message time interval, message frequency, subsystem bus frequency, subsystem bus reputation>, and this nine-tuple is submitted to the intrusion detection filter;
The filtering performed by the intrusion event filter in step C4 comprises the following steps:
Step D1: normalize the nine-tuple features of the intrusion event. For features whose measured values have upper and lower bounds, deviation standardization is used; the deviation standardization formula is as follows:
where $\bar{x}(i)$ (i = T, L, D, I, Mf, Bf) denotes the individual normalized features. For attributes whose measured values do not have upper and lower bounds, the normalized value is 0 if the attribute is in its normal condition and 1 otherwise;
Step D2: use the KNN algorithm to evaluate the nine-tuple features <subsystem, message duration, message length, mode code, message data, message time interval, message frequency, subsystem bus frequency, subsystem bus reputation> of the intrusion event submitted by the intrusion detector, computing the distance between the current intrusion event and normal use of the bus; the distance formula is as follows:
where i indexes the attributes of the nine-tuple, $A_i$ is the mean of the i-th attribute under normal conditions, $A_{intrusion}$ is the abnormal value of the i-th attribute of the intrusion event, and both $A_i$ and $A_{intrusion}$ are values after data normalization;
Step D3: verify the legitimacy of the nine-tuple feature values. If they are not within the range accepted by KNN, i.e.
$Dis(E_{intrusion}, E)^2 > D^2$
where $D^2$ is the squared normal distance, this is an intrusion event and the bus refuses to transmit the message; otherwise there is no intrusion and the message is transmitted successfully.
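The C1 to C3 checks and the D1 to D3 filter described above, as an added Python example that is not part of the patent. The formulas are not reproduced on this page, so the example assumes min-max scaling for the deviation standardization and a sum of squared differences for the distance; the reputation C is taken as an already-computed input, unknown subsystems are blocked outright, and the subsystem name, ranges, whitelist and thresholds are constructed sample values.

```python
from dataclasses import dataclass

# Bounded numeric features, using the description's symbols:
# T duration, L length, D data, I interval, Mf message frequency, Bf bus frequency.
BOUNDED = ("T", "L", "D", "I", "Mf", "Bf")


@dataclass
class Profile:
    """Baseline for one subsystem, learned from normal bus audit records."""
    bounds: dict           # feature -> (lower, upper) normal range
    mode_codes: frozenset  # mode code whitelist F_wl(j)
    min_reputation: float  # bus reputation threshold
    normal_mean: dict      # normalized mean of each attribute in normal use
    d2: float              # squared normal distance D^2


def detect(event, profile):
    """Steps C1-C3: return None for a legal message, else the failed check."""
    for k in BOUNDED:                                   # C1: range checks
        lo, hi = profile.bounds[k]
        if not lo <= event[k] <= hi:
            return f"C1:{k}"
    if event["F"] not in profile.mode_codes:            # C2: whitelist
        return "C2:F"
    if event["C"] < profile.min_reputation:             # C3: reputation
        return "C3:C"
    return None


def normalise(event, profile):
    """Step D1: min-max scale bounded features (assumed form of the
    deviation standardization); unbounded attributes become 0 (normal) or 1."""
    x = {}
    for k in BOUNDED:
        lo, hi = profile.bounds[k]
        x[k] = (event[k] - lo) / (hi - lo)
    x["F"] = 0.0 if event["F"] in profile.mode_codes else 1.0
    x["C"] = 0.0 if event["C"] >= profile.min_reputation else 1.0
    x["subsystem"] = 0.0  # the profile was selected by this subsystem's name
    return x


def distance_sq(x, mean):
    """Step D2: squared distance to normal use (assumed Euclidean form)."""
    return sum((x[k] - mean[k]) ** 2 for k in mean)


def handle(event, profiles):
    """Full pipeline: returns (verdict, failed_check)."""
    profile = profiles.get(event["subsystem"])
    if profile is None:                  # assumption: no baseline, so block
        return ("block", "unknown subsystem")
    reason = detect(event, profile)
    if reason is None:
        return ("pass", None)
    # Step C4 / D3: the filter passes the event only if Dis^2 <= D^2.
    d2 = distance_sq(normalise(event, profile), profile.normal_mean)
    return ("pass" if d2 <= profile.d2 else "block", reason)


# Constructed sample baseline and events (not taken from the patent).
PROFILES = {
    "RT05": Profile(
        bounds={"T": (100, 700), "L": (1, 32), "D": (0, 65535),
                "I": (10, 50), "Mf": (5, 50), "Bf": (5, 60)},
        mode_codes=frozenset({0, 1, 2, 8}),
        min_reputation=0.8,
        normal_mean={"subsystem": 0.0, "T": 0.5, "L": 0.5, "F": 0.0,
                     "D": 0.5, "I": 0.5, "Mf": 0.5, "Bf": 0.5, "C": 0.0},
        d2=0.5,
    )
}
NORMAL = {"subsystem": "RT05", "T": 400, "L": 16, "F": 1, "D": 30000,
          "I": 30, "Mf": 25, "Bf": 30, "C": 0.95}
EVENTS = {
    "normal": NORMAL,
    "slow_sender": {**NORMAL, "Mf": 4},                 # just below range
    "flood": {**NORMAL, "I": 1, "Mf": 400, "Bf": 400},  # DoS-like rate
    "bad_mode_code": {**NORMAL, "F": 31},               # not whitelisted
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, handle(ev, PROFILES))
```

With these sample values the marginal "slow_sender" event trips C1 but is filtered out as a false alarm, while the flood and the non-whitelisted mode code are blocked.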

Claims (7)

1. A bus-based intrusion detection method, characterized in that the method comprises the following specific steps:
Step 1: monitor and collect the data transmitted on the bus;
Step 2: using the operating principle of the bus, extract bus features from the collected bus data;
Step 3: submit the extracted bus features to a bus anomaly detector for detection. If the message is legal, the message is allowed to pass; otherwise an intrusion event is generated and submitted to an intrusion event filter. If the intrusion detection filter can filter out this intrusion event, the message is allowed to pass; otherwise the bus stops transmitting the message and the intrusion is prevented.
2. The intrusion detection method according to claim 1, characterized in that step 1 specifically comprises:
Step A1: monitor and collect bus transmission data: monitor the bus in real time and record the data each subsystem transmits on the bus and the time for which the subsystem uses the bus.
3. The intrusion detection method according to claim 1, characterized in that step 2 specifically comprises:
Step B1: according to the bus protocol, extract the message duration, message length, mode code, message data, message time interval and message frequency;
Step B2: extract the subsystem's bus frequency and bus reputation.
4. The intrusion detection method according to claim 3, characterized in that extracting the subsystem's bus frequency in step B2 means calculating the subsystem's bus frequency from the number of messages the subsystem sends over the bus and the transmission time of those messages, and extracting the subsystem's bus reputation means calculating the subsystem's bus reputation from the subsystem's bus frequency and the time for which it uses the bus when sending messages.
5. The intrusion detection method according to claim 1, characterized in that step 3 specifically comprises:
Step C1: the anomaly detector checks whether the subsystem bus frequency, message frequency, message length and message data fall within the anomaly detector's detection range. If they do not, this is an intrusion detection event and step C4 is performed; if they do, step C2 is performed;
Step C2: the pre-established anomaly detector checks whether the mode code is in the anomaly detector's mode code whitelist. If it is not, this is an intrusion detection event and step C4 is performed; if it is, step C3 is performed;
Step C3: the pre-established anomaly detector checks whether the subsystem bus reputation is within the anomaly detector's bus reputation threshold. If it is not, this is an intrusion detection event and step C4 is performed; if it is, there is no intrusion and the message is transmitted successfully;
Step C4: submit the intrusion detection event to the intrusion detection filter: the behavior flagged as an intrusion event is recorded as a nine-tuple, and this nine-tuple is submitted to the intrusion detection filter. If the intrusion detection filter can filter out this intrusion event, the message is allowed to pass; otherwise the bus stops transmitting the message and the intrusion is prevented; wherein the nine-tuple consists of: subsystem, message duration, message length, mode code, message data, message time interval, message frequency, subsystem bus frequency and subsystem bus reputation.
6. The intrusion detection method according to claim 5, characterized in that the filtering of intrusion events by the intrusion detection filter in step C4 specifically comprises:
Step D1: normalize the nine-tuple features of the intrusion event;
Step D2: evaluate the nine-tuple features of the intrusion event submitted by the intrusion detector using a machine learning algorithm;
Step D3: verify the legitimacy of the nine-tuple feature values. If they are not within the range accepted by the machine learning algorithm, this is an intrusion event and the bus refuses to transmit the message; otherwise there is no intrusion and the message is transmitted successfully.
7. The intrusion detection method according to claim 6, characterized in that the machine learning algorithm used in step D2 is the K-nearest neighbors (KNN) algorithm.
CN201710856697.6A 2017-09-21 2017-09-21 Bus-based intrusion detection method Active CN107508831B (en)

Publications (2)

Publication Number | Publication Date
CN107508831A (en) | 2017-12-22
CN107508831B (en) | 2020-02-14
