CN107508831A - Bus-based intrusion detection method - Google Patents
- Publication number: CN107508831A
- Application number: CN201710856697.6A
- Authority: CN (China)
- Prior art keywords: bus, message, subsystem, intrusion, event
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Abstract
The invention discloses a bus-based intrusion detection method comprising the following. Collecting bus data: monitor and collect the data transmitted on the bus. Extracting bus features: using the working principle of the bus, extract from the collected bus data bus features such as the frequency with which each subsystem uses the bus and each subsystem's bus reputation. Bus anomaly detection: submit the extracted features to a pre-established bus anomaly detector. If the message is legal, it is allowed to pass; otherwise an intrusion event is generated and submitted to an intrusion event filter. If the intrusion detection filter can filter out this intrusion event, the message is allowed to pass; otherwise bus transmission of the message is stopped and the intrusion is prevented. The invention can detect attacks between multiple subsystems and effectively resists attacks such as replay attacks, forged-subsystem attacks and denial of service.
Description
Technical field
The invention belongs to the technical field of intrusion detection, and in particular relates to an intrusion detection method that extracts bus features and performs bus anomaly detection in order to resist replay attacks, forged-subsystem attacks and denial-of-service attacks.
Background
Security problems in the industrial control field are becoming increasingly serious. Because infrastructure equipment is built from cyber-physical systems, these systems should be protected as far as possible in order to keep national infrastructure operating normally.
The design of cyber-physical systems is increasingly complex, and a single-system design can no longer meet growing demands. Modules with the same function are integrated into an independent subsystem that can complete the corresponding function on its own. Buses such as 1553B combine the subsystems efficiently, which has gradually produced integrated electronic systems in which a data control center and the functional subsystems cooperate with one another over a bus.
Shared-bus communication is essentially broadcast communication: all subsystems on the bus share the communication channel, and each subsystem decides from the communication protocol whether a message is addressed to it. To secure communication between subsystems on the bus, preventing message replay and message forgery is therefore very important. In general, every subsystem can listen to the messages transmitted on the bus. If a hacker implanted a backdoor program in a subsystem when it was integrated, that subsystem can monitor the communication data between other subsystems and forge communication when needed, so that other subsystems process the forged communication and the attack achieves its purpose.
Traditional intrusion detection methods are classified by the data they examine into host-based intrusion detection systems and network-based intrusion detection systems, but neither can resist intrusions carried out through bus communication between subsystems in this new environment. Host-based detection examines the audit log of the host. When subsystems work cooperatively, each subsystem is equivalent to a host, and the subsystems and the control center form a command-response system. So even if host-based detection were applied to every subsystem, a subsystem that detects an intrusion has to wait for a command from the control center, and the control center cannot learn of the subsystem's intrusion immediately. Network-based detection examines the network packets exchanged between hosts. In an environment of cooperating subsystems, communication between subsystems is bus communication rather than network communication, so a network intrusion detection system does not apply here.
Summary of the invention
The object of the invention is to overcome the shortcomings and deficiencies of the prior art by providing a bus-based intrusion detection method that verifies bus features in order to resist replay attacks, forged-subsystem attacks and denial-of-service attacks. While inheriting the efficiency and robustness of the shared-bus protocol, it provides security protection for bus message transmission.
The invention proposes a bus-based intrusion detection method comprising the following stages:
Bus data collection stage: monitor and collect the data transmitted on the bus;
Bus feature extraction stage: using the working principle of the bus, extract bus features from the collected bus data;
Bus anomaly detection stage: submit the extracted features to a pre-established bus anomaly detector. If the message is legal, allow it to pass; otherwise generate an intrusion event and submit it to an intrusion event filter. If the intrusion detection filter can filter out this intrusion event, allow the message to pass; otherwise stop bus transmission of the message and prevent the intrusion.
In the bus-based intrusion detection method proposed by the invention, the bus data collection stage comprises the following step:
Step A1: monitor the bus in real time, and record the data each subsystem transmits on the bus and the time each subsystem uses the bus.
In the bus-based intrusion detection method proposed by the invention, the bus feature extraction stage comprises the following steps:
Step B1: using the working principle of the bus and according to the bus protocol, extract the message duration, message length, mode code, message data, message time interval and message frequency;
Step B2: extract the bus features, namely the bus frequency and bus reputation of the subsystem.
In step B2, the bus frequency of a subsystem is computed from the number of messages the subsystem sends over the bus and the transmission times of those messages. The bus reputation of a subsystem is computed from the subsystem's bus frequency and the length of time it uses the bus when sending messages.
In the bus-based intrusion detection method proposed by the invention, the bus anomaly detection stage comprises the following steps:
Step C1: the pre-established anomaly detector checks whether the subsystem bus frequency, message frequency, message length and message data are within the anomaly detector's detection range. If they are not, this is an intrusion detection event and step C4 is performed; if they are, step C2 is performed;
Step C2: the pre-established anomaly detector checks whether the mode code is in the anomaly detector's mode code whitelist. If it is not, this is an intrusion detection event and step C4 is performed; if it is, step C3 is performed;
Step C3: the pre-established anomaly detector checks whether the subsystem's bus reputation is within the anomaly detector's bus reputation threshold. If it is not, this is an intrusion detection event and step C4 is performed; if it is, there is no intrusion and the message is transmitted successfully;
Step C4: the intrusion event is submitted to the intrusion filter. The behavior identified as an intrusion event is recorded as a nine-tuple <subsystem, message duration, message length, mode code, message data, message time interval, message frequency, subsystem bus frequency, subsystem bus reputation>, and this nine-tuple is submitted to the intrusion detection filter. If the intrusion detection filter can filter out this intrusion event, the message is allowed to pass; otherwise bus transmission of the message is stopped and the intrusion is prevented.
In the bus-based intrusion detection method proposed by the invention, step C3 verifies whether the subsystem's bus reputation reaches a threshold; the threshold is computed from each subsystem's use of the bus under normal conditions.
In the bus-based intrusion detection method proposed by the invention, the filtering performed by the intrusion event filter in step C4 comprises the following steps:
Step D1: normalize the nine-tuple features of the intrusion event;
Step D2: evaluate the nine-tuple features of the intrusion event submitted by the intrusion detector using a machine learning algorithm;
Step D3: verify the legitimacy of the nine-tuple feature values. If they are not within the range accepted by the machine learning algorithm, this is an intrusion event and bus transmission of the message is refused; otherwise there is no intrusion and the message is transmitted successfully.
In the bus-based intrusion detection method proposed by the invention, the machine learning algorithm used in step D2 to evaluate the intrusion event features is the K-nearest neighbors (KNN) algorithm.
The inventive contribution is as follows:
Bus-based intrusion detection is proposed, using the nine-tuple <subsystem, message duration, message length, mode code, message data, message time interval, message frequency, subsystem bus frequency, subsystem bus reputation> to represent the features of the bus. The normal value range of each feature item is determined statistically from normal bus audit records. If a communication exceeds the normal value range, it is provisionally recorded as an intrusion event and submitted to the intrusion filter. If the event is filtered out, it is not a real intrusion; otherwise it is recorded as a real intrusion. If all features are within their normal ranges, there is no intrusion.
The beneficial effects of the invention are:
1) Normal communication between subsystems can be ensured: subsystems transmit messages over the bus, and bus-based intrusion detection can detect abnormal use of the bus by a subsystem. When an abnormal condition is detected, the subsystem's right to use the bus is blocked.
2) Forged-subsystem attacks can be resisted: anomaly detection on message duration, message time interval and message length detects forged-subsystem attacks on the bus. When such an attack occurs, because the bus is a broadcast medium, the real subsystem also receives the message, so both the forged subsystem and the real subsystem respond. The reply to the same command therefore becomes longer, which reveals the forged-subsystem attack.
3) Denial-of-service attacks can be resisted: bus usage is checked against the normal range of the frequency at which a subsystem sends messages, which prevents one subsystem from carrying out a denial-of-service attack on another.
4) Low false alarm rate: after the bus anomaly detector detects an anomaly, the intrusion event is first submitted to the intrusion detection filter, which uses the KNN algorithm to check whether the detected event is a real intrusion event, thereby reducing the false alarm rate.
Brief description of the drawings
Fig. 1 is a flow chart of the invention;
Fig. 2 is a structure diagram of the bus anomaly detector of the invention;
Fig. 3 is a structure diagram of the intrusion detection filter of the invention.
Detailed description
The invention is described in further detail below with reference to the drawings and specific embodiments. Except for the content specifically mentioned below, the processes, conditions and experimental methods for implementing the invention are general and common knowledge in the art, and the invention places no particular limitation on them.
The technical terms used in the invention have the following meanings:
W denotes a minimal communication unit (a word) in bus communication;
M denotes one complete communication (a message) in bus communication;
Wi denotes the i-th word of a message.
As shown in Fig. 1, the bus-based intrusion detection method of the invention comprises the following three stages:
First stage, bus data collection: monitor and collect the data transmitted on the bus;
Second stage, bus feature extraction: using the working principle of the bus, extract bus features from the collected bus data;
Third stage, bus anomaly detection: submit the extracted features to the pre-established bus anomaly detector. If the message is legal, allow it to pass; otherwise generate an intrusion event and submit it to the intrusion event filter, which is used to filter intrusion events. If the intrusion detection filter can filter out this intrusion event, allow the message to pass; otherwise stop bus transmission of the message and prevent the intrusion.
The first stage comprises the following step:
Step A1: monitor the bus in real time and record the bus transmission data (message M) and the transmission time; message M consists of W1, W2, ..., Wn.
Recording the bus transmission data and transmission time in step A1 means recording specific time points: after bus transmission data is detected, the start time T1 and the end time T2 of the bus transmission are recorded.
The second stage comprises the following steps:
Step B1: using the working principle of the bus and according to the bus protocol, extract the message duration T, message length L, mode code F, message data D, message time interval I and message frequency Mf;
Step B2: extract the bus features, namely the bus frequency Bf and the bus reputation C of the subsystem.
In step B2, the formula for the subsystem's bus reputation (Confidence) is as follows:
In a unit time T, the subsystem has used the bus N times; the i-th use of the bus is normal; the k-th use of the bus is abnormal; C represents the abnormal weight. If the subsystem's bus frequency and the length of time it uses the bus when sending a message are within the normal range, the use of the bus is normal; otherwise the use of the bus is abnormal.
The third stage comprises the following steps:
Step C1: the pre-established anomaly detector checks whether the message duration T, message length L, message data D, message time interval I, message frequency Mf and subsystem bus frequency Bf are within the anomaly detector's detection range; if they are not, this is an intrusion detection event. Because these measured values have an operating range bounded by an upper and a lower limit, they are checked using the following formula:
where MV(i) (i = T, L, D, I, Mf, Bf) denotes the different measured values and e(i) (i = T, L, D, I, Mf, Bf) denotes the error of the different measured values. If a measured value exceeds the expected range, step C4 is performed; if it is within the anomaly detector's detection range, step C2 is performed;
Step C2: the pre-established anomaly detector checks whether the mode code is in the anomaly detector's mode code whitelist; if it is not, this is an intrusion detection event. Because mode code detection is a whitelist policy based on the subsystem, it is verified using the following formula:
where Fwl(j) is the subsystem mode code whitelist and j denotes the different subsystems. If the detected mode code F is not in that subsystem's mode code whitelist, step C4 is performed; if it is in the anomaly detector's mode code whitelist, step C3 is performed;
Step C3: the pre-established anomaly detector checks whether the subsystem's bus reputation is within the anomaly detector's bus reputation threshold. The bus reputation is verified using the following formula:
If the subsystem's bus reputation is below the threshold, step C4 is performed; if it is within the anomaly detector's bus reputation threshold, there is no intrusion and the message is transmitted successfully;
Step C4: the intrusion event is submitted to the intrusion detection filter. The behavior identified as an intrusion event is recorded as a nine-tuple <subsystem, message duration, message length, mode code, message data, message time interval, message frequency, subsystem bus frequency, subsystem bus reputation>, and this nine-tuple is submitted to the intrusion detection filter.
The filtering performed by the intrusion event filter in step C4 comprises the following steps:
Step D1: normalize the nine-tuple features of the intrusion event. Measured values that have upper and lower limits are normalized by deviation standardization (min-max normalization), using the following formula:
where x-(i) (i = T, L, D, I, Mf, Bf) denotes the different normalized features. For attribute values that are not measured values with upper and lower limits, the normalized value is 0 if the attribute is in a normal state and 1 otherwise;
Step D2: evaluate the nine-tuple features of the intrusion event submitted by the intrusion detector, <subsystem, message duration, message length, mode code, message data, message time interval, message frequency, subsystem bus frequency, subsystem bus reputation>, using the KNN algorithm by computing the distance between the current intrusion event and normal use of the bus. The distance formula is as follows:
where i denotes an attribute in the nine-tuple, $A_i$ denotes the average value of the i-th attribute under normal conditions, and $A_{intrusion}$ denotes the abnormal value of the i-th attribute of the intrusion event; $A_i$ and $A_{intrusion}$ are both values after data normalization;
Step D3: verify the legitimacy of the nine-tuple feature values. If they are not within the range accepted by KNN, that is, if
$\mathrm{Dis}(E_{intrusion}, E)^2 > D^2$
where $D^2$ is the normal squared distance, then this is an intrusion event and bus transmission of the message is refused; otherwise there is no intrusion and the message is transmitted successfully.
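The three detector checks (steps C1 to C3) and the event filter (steps D1 to D3) described above, as an added Python example that is not part of the patent. The formula images are not reproduced on this page, so the reputation formula, the bounds, the thresholds and the sample profile are assumptions constructed for illustration; the subsystem field of the nine-tuple is represented by selecting that subsystem's profile.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Features checked against learned lower/upper bounds in step C1:
# duration T, length L, data D, interval I, message frequency Mf, bus frequency Bf.
MEASURED = ("T", "L", "D", "I", "Mf", "Bf")


@dataclass(frozen=True)
class Profile:
    """Baseline for one subsystem, learned from normal bus audit records."""
    bounds: Dict[str, Tuple[float, float]]  # feature -> (lower, upper)
    mean: Dict[str, float]                  # feature -> normal average A_i
    mode_codes: FrozenSet[int]              # F_wl(j), the mode code whitelist
    rep_threshold: float                    # bus reputation threshold (C3)
    max_sq_dist: float                      # D^2, accepted squared distance (D3)


def reputation(normal_uses: int, abnormal_uses: int, weight: float) -> float:
    """ASSUMED formula: normal uses over normal plus weighted abnormal uses."""
    total = normal_uses + weight * abnormal_uses
    return 1.0 if total == 0 else normal_uses / total


def detect(p: Profile, feats: Dict[str, float], mode_code: int,
           rep: float) -> Optional[str]:
    """Steps C1-C3: name of the first failed check, or None if the message is legal."""
    for k in MEASURED:
        lo, hi = p.bounds[k]
        if not lo <= feats[k] <= hi:
            return "C1:" + k
    if mode_code not in p.mode_codes:
        return "C2:mode_code"
    if rep < p.rep_threshold:
        return "C3:reputation"
    return None


def scale(p: Profile, k: str, v: float) -> float:
    """Min-max (deviation) standardization of one bounded feature (step D1)."""
    lo, hi = p.bounds[k]
    return (v - lo) / (hi - lo) if hi > lo else 0.0


def squared_distance(p: Profile, feats: Dict[str, float], mode_code: int,
                     rep: float) -> float:
    """Steps D1-D2: squared distance from the normalized event to the normal average."""
    d2 = sum((scale(p, k, feats[k]) - scale(p, k, p.mean[k])) ** 2 for k in MEASURED)
    # Unbounded attributes normalize to 0 (normal) or 1 (abnormal); normal average is 0.
    d2 += 0.0 if mode_code in p.mode_codes else 1.0
    d2 += 0.0 if rep >= p.rep_threshold else 1.0
    return d2


def handle_message(p: Profile, feats: Dict[str, float], mode_code: int,
                   rep: float) -> Tuple[str, Optional[str]]:
    """Whole flow: 'pass', 'filtered' (flagged, then allowed) or 'blocked'."""
    reason = detect(p, feats, mode_code, rep)
    if reason is None:
        return "pass", None
    d2 = squared_distance(p, feats, mode_code, rep)  # step D3 compares with D^2
    return ("blocked" if d2 > p.max_sq_dist else "filtered"), reason


# Constructed baseline for one hypothetical subsystem; all values are illustrative.
PROFILE = Profile(
    bounds={"T": (100, 700), "L": (1, 32), "D": (0, 1000),
            "I": (900, 1100), "Mf": (5, 15), "Bf": (5, 20)},
    mean={"T": 400, "L": 16.5, "D": 500, "I": 1000, "Mf": 10, "Bf": 12.5},
    mode_codes=frozenset({2, 8}),
    rep_threshold=0.8,
    max_sq_dist=0.5,
)
NORMAL = dict(PROFILE.mean)

if __name__ == "__main__":
    jitter = {**NORMAL, "Mf": 16}            # barely above the learned bound
    flood = {**NORMAL, "Mf": 60, "Bf": 60}   # message flood from one subsystem
    print(handle_message(PROFILE, NORMAL, 2, 0.95))
    print(handle_message(PROFILE, jitter, 2, 0.95))
    print(handle_message(PROFILE, flood, 2, 0.95))
    print(handle_message(PROFILE, NORMAL, 17, 0.95))
```

With these constructed values, a message frequency just over its bound is flagged by the detector but released by the filter, which is the false-alarm reduction the description attributes to the second stage, while a flood or a non-whitelisted mode code stays blocked.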
Claims (7)
1. A bus-based intrusion detection method, characterized in that the method comprises the following specific steps:
Step 1: monitor and collect the data transmitted on the bus;
Step 2: using the working principle of the bus, extract bus features from the collected bus data;
Step 3: submit the extracted bus features to a bus anomaly detector for detection; if the message is legal, allow the message to pass; otherwise generate an intrusion event and submit it to an intrusion event filter; if the intrusion detection filter can filter out this intrusion event, allow the message to pass; otherwise stop bus transmission of the message and prevent the intrusion.
2. The intrusion detection method according to claim 1, characterized in that step 1 specifically comprises:
Step A1: monitor the bus in real time, and record the data each subsystem transmits on the bus and the time each subsystem uses the bus.
3. The intrusion detection method according to claim 1, characterized in that step 2 specifically comprises:
Step B1: according to the bus protocol, extract the message duration, message length, mode code, message data, message time interval and message frequency;
Step B2: extract the bus frequency and bus reputation of the subsystem.
4. The intrusion detection method according to claim 3, characterized in that, in step B2, extracting the bus frequency of the subsystem means computing the subsystem's bus frequency from the number of messages the subsystem sends over the bus and the transmission times of those messages, and extracting the bus reputation of the subsystem means computing the subsystem's bus reputation from the subsystem's bus frequency and the length of time it uses the bus when sending messages.
5. The intrusion detection method according to claim 1, characterized in that step 3 specifically comprises:
Step C1: the anomaly detector checks whether the subsystem bus frequency, message frequency, message length and message data are within the anomaly detector's detection range; if they are not, this is an intrusion detection event and step C4 is performed; if they are, step C2 is performed;
Step C2: the pre-established anomaly detector checks whether the mode code is in the anomaly detector's mode code whitelist; if it is not, this is an intrusion detection event and step C4 is performed; if it is, step C3 is performed;
Step C3: the pre-established anomaly detector checks whether the subsystem's bus reputation is within the anomaly detector's bus reputation threshold; if it is not, this is an intrusion detection event and step C4 is performed; if it is, there is no intrusion and the message is transmitted successfully;
Step C4: the intrusion detection event is submitted to the intrusion detection filter; the behavior identified as an intrusion event is recorded as a nine-tuple, and this nine-tuple is submitted to the intrusion detection filter; if the intrusion detection filter can filter out this intrusion event, the message is allowed to pass; otherwise bus transmission of the message is stopped and the intrusion is prevented; wherein the nine-tuple consists of: subsystem, message duration, message length, mode code, message data, message time interval, message frequency, subsystem bus frequency and subsystem bus reputation.
6. The intrusion detection method according to claim 5, characterized in that the filtering of intrusion events by the intrusion detection filter in step C4 specifically comprises:
Step D1: normalize the nine-tuple features of the intrusion event;
Step D2: evaluate the nine-tuple features of the intrusion event submitted by the intrusion detector using a machine learning algorithm;
Step D3: verify the legitimacy of the nine-tuple feature values; if they are not within the range accepted by the machine learning algorithm, this is an intrusion event and bus transmission of the message is refused; otherwise there is no intrusion and the message is transmitted successfully.
7. The intrusion detection method according to claim 6, characterized in that the machine learning algorithm used in step D2 is the K-nearest neighbors (KNN) algorithm.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710856697.6A CN107508831B (en) | 2017-09-21 | 2017-09-21 | Bus-based intrusion detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107508831A true CN107508831A (en) | 2017-12-22 |
CN107508831B CN107508831B (en) | 2020-02-14 |
Family
ID=60697184
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710856697.6A Active CN107508831B (en) | 2017-09-21 | 2017-09-21 | Bus-based intrusion detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107508831B (en) |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101242316A (en) * | 2008-02-03 | 2008-08-13 | 西安交大捷普网络科技有限公司 | Network exception detection method based on quick clustering algorithm |
CN101350745A (en) * | 2008-08-15 | 2009-01-21 | 北京启明星辰信息技术股份有限公司 | Intrude detection method and device |
CN103957547A (en) * | 2014-05-05 | 2014-07-30 | 中国科学院微电子研究所 | Node reputation evaluating method and system for wireless sensor network |
CN105227528A (en) * | 2014-06-26 | 2016-01-06 | 华为技术有限公司 | To detection method and the device of the attack of Web server group |
US20160308891A1 (en) * | 2015-01-20 | 2016-10-20 | Cisco Techology, Inc | Intrusion detection mechanism |
CN106184068A (en) * | 2016-06-30 | 2016-12-07 | 北京奇虎科技有限公司 | Automotive interior network security detection method and device, automobile |
CN106330975A (en) * | 2016-11-03 | 2017-01-11 | 上海三零卫士信息安全有限公司 | Method for periodic exception detection based on SCADA system |
CN106951776A (en) * | 2017-01-18 | 2017-07-14 | 中国船舶重工集团公司第七0九研究所 | A kind of Host Anomaly Detection method and system |
Non-Patent Citations (2)
Title |
---|
MABROUKA GMIDEN ETC.: "An Intrusion Detection Method for Securing In-Vehicle CAN bus", 《IEEE》 * |
RAFAEL RAMOS REGIS BARBOSA ETC.: "Towards Periodicity Based Anomaly Detection in SCADA Networks", 《IEEE》 * |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112204578A (en) * | 2018-03-28 | 2021-01-08 | 辉达公司 | Detecting data anomalies on a data interface using machine learning |
CN112204578B (en) * | 2018-03-28 | 2024-04-02 | 辉达公司 | Detecting data anomalies on a data interface using machine learning |
CN108733871A (en) * | 2018-03-29 | 2018-11-02 | 华东师范大学 | A kind of method of pure software emulation bus communication |
CN108733871B (en) * | 2018-03-29 | 2022-04-05 | 华东师范大学 | Pure software simulation bus communication method |
CN108600258A (en) * | 2018-05-09 | 2018-09-28 | 华东师范大学 | A kind of method for auditing safely towards Integrated Electronic System self-generating white list |
CN109347853A (en) * | 2018-11-07 | 2019-02-15 | 华东师范大学 | The method for detecting abnormality towards Integrated Electronic System based on depth Packet analyzing |
CN109347853B (en) * | 2018-11-07 | 2020-10-30 | 华东师范大学 | Deep packet analysis-based anomaly detection method for integrated electronic system |
CN110062011A (en) * | 2019-05-30 | 2019-07-26 | 海南大学 | Ddos attack detection method and device based on V-SVM |
CN111314310A (en) * | 2020-01-19 | 2020-06-19 | 浙江大学 | Attack detection method for unresolvable network data feature selection based on machine learning |
CN112866270A (en) * | 2021-01-29 | 2021-05-28 | 中汽创智科技有限公司 | Intrusion detection defense method and system |
CN112698982A (en) * | 2021-03-24 | 2021-04-23 | 中国航空油料集团有限公司 | Industrial field bus scheduling method and device |
CN112698982B (en) * | 2021-03-24 | 2021-06-29 | 中国航空油料集团有限公司 | Industrial field bus scheduling method and device |
Also Published As
Publication number | Publication date |
---|---|
CN107508831B (en) | 2020-02-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107508831A (en) | A kind of intrusion detection method based on bus | |
CN111556083B (en) | Network attack physical side and information side collaborative source tracing device of power grid information physical system | |
KR101375813B1 (en) | Active security sensing device and method for intrusion detection and audit of digital substation | |
CN110324323B (en) | New energy plant station network-related end real-time interaction process anomaly detection method and system | |
CN102447707B (en) | DDoS (Distributed Denial of Service) detection and response method based on mapping request | |
CN103647662B (en) | A kind of malfunction monitoring alarm method and device | |
CN107517214A (en) | System and method for providing computer network security | |
CN107122685A (en) | A kind of big data method for secure storing and equipment | |
CN104378364B (en) | A kind of Cooperative Analysis method at information security management center | |
CN113311809A (en) | Industrial control system-based safe operation and maintenance instruction blocking device and method | |
CN106789982A (en) | A kind of safety protecting method being applied in industrial control system and system | |
CN106326736A (en) | Data processing method and system | |
CN107277070A (en) | A kind of computer network instrument system of defense and intrusion prevention method | |
CN107612905A (en) | The malicious code monitoring method of equipment oriented monitoring distributed system main website | |
CN114650166B (en) | Fusion anomaly detection system for open heterogeneous network | |
CN108206826B (en) | Lightweight intrusion detection method for integrated electronic system | |
CN108683639A (en) | A kind of computer network abnormality detection and automatic repair system, method and mobile terminal | |
CN104410643A (en) | Statistic-based anti-attack method of SDN (Soft Defined Network) controller | |
CN112394688B (en) | Industrial personal computer protection equipment and control method | |
CN107070913A (en) | A kind of detection and means of defence and system based on webshell attacks | |
CN110912869A (en) | Big data-based monitoring and reminding method | |
Hong et al. | Intrusion prevention system in the network of digital mine | |
CN112887288B (en) | Internet-based E-commerce platform intrusion detection front-end computer scanning system | |
CN205485381U (en) | Computer hardware port intelligence management and control system | |
CN102843254B (en) | Method and system for suppressing inter-plate alarming priority |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||