CN107612905A - Malicious code monitoring method for the master station of a distributed equipment monitoring system

Info

Publication number
CN107612905A
Authority
CN
China
Prior art keywords
communication protocol
message
protocol rule
port
length
Prior art date
Legal status
Pending
Application number
CN201710830120.8A
Other languages
Chinese (zh)
Inventor
张炜
黎新
邬蓉蓉
吕泽承
Current Assignee
Electric Power Research Institute of Guangxi Power Grid Co Ltd
Original Assignee
Electric Power Research Institute of Guangxi Power Grid Co Ltd
Priority date
2017-09-15
Filing date
2017-09-15
Publication date
2018-01-19
Application filed by Electric Power Research Institute of Guangxi Power Grid Co Ltd
Priority to CN201710830120.8A
Publication of CN107612905A
Legal status: Pending

Landscapes

  • Maintenance And Management Of Digital Transmission (AREA)

Abstract

The invention belongs to the field of power equipment condition monitoring and fault diagnosis, and in particular relates to a malicious code monitoring method for the master station of a distributed equipment monitoring system. A communication protocol rule set X_n is established for all communication protocols in the equipment monitoring and evaluation system, together with an exhaustively enumerated set Y_n of the network ports involved in the monitoring and evaluation business. For each message m_i sent or received in a unit time interval, all communication protocol rules in X_n are traversed and it is judged whether m_i matches each rule. If the port feature, length feature or content feature of m_i does not match a communication protocol rule, the process that sent m_i is judged to be using an abnormal communication protocol. The invention is easy to deploy and to roll out, can effectively prevent network security events in the power monitoring system caused by malicious code, raises the level of safe and stable system operation, and thereby prevents the power safety incidents that would otherwise result.

Description

Malicious code monitoring method for the master station of a distributed equipment monitoring system
Technical field
The invention belongs to the field of power equipment condition monitoring and fault diagnosis, and in particular relates to a malicious code monitoring method for the master station of a distributed equipment monitoring system.
Background technology
A power monitoring system is the set of computer-based operational systems and intelligent devices used to monitor and control the generation and supply of electric power, together with the communication and data networks that support them. The equipment monitoring and evaluation system within it is the important subsystem that continuously monitors and tracks equipment state.
When a power monitoring system is intruded or attacked, infected by viruses or malicious code, or physically damaged, the consequences can include system failure, loss of major functions, grid mis-operation such as erroneous control, illegal tampering with or destruction of critical system data, theft of sensitive information, and even events with adverse social impact. In view of the importance of network security, the Cybersecurity Law of the People's Republic of China, the Provisions on Security Protection of Power Monitoring Systems (National Development and Reform Commission Order No. 14 of 2014), the Overall Plan for Security Protection of Power Monitoring Systems (National Energy Administration document [2015] No. 36) and a series of other regulations and policy documents have been promulgated. Ensuring the network security of the power monitoring system is therefore particularly important. Network security here means the systems engineering that guarantees the safety of the power monitoring system, resists destruction and attack by hackers, viruses, malicious code and the like, and prevents the collapse or paralysis of the power monitoring system and the power system accidents or large-area blackouts that would result. The malicious code risk is characterised by: 1) infection and propagation via USB flash drives or the network; 2) an SSH backdoor through which the infected host can be remotely controlled; 3) strong destructive power, capable of crashing the system beyond recovery; it mainly attacks Windows systems and is capable of attacking industrial control systems. On the one hand, many power monitoring system vendors have developed many different proprietary protocols for data exchange and system control; on the other hand, malicious code can easily disguise itself as one of these proprietary protocols and thereby threaten the network security of the power monitoring system. Monitoring and defending against malicious code has therefore become an important measure for ensuring the network security of the power monitoring system.
Accordingly, malicious code control and defence strategies need to be deployed in power monitoring system applications such as the master station of the equipment monitoring and evaluation system, in order to guard against the major security risks that violate the principle of "security partitioning, dedicated networks, lateral isolation, longitudinal authentication" and to remove the factors that would otherwise lead to network and information security events in the power monitoring system.
The content of the invention
To overcome the above deficiencies of the prior art, the invention provides a malicious code monitoring method for the master station of a distributed equipment monitoring system, which removes the factors that would otherwise lead to network and information security events in the power monitoring system and raises the level of safe and stable system operation. The concrete technical scheme adopted by the invention is as follows:
The malicious code monitoring method for the master station of a distributed equipment monitoring system comprises the following steps:
(1) Establish the communication protocol rule set X_n of all communication protocols in the equipment monitoring and evaluation system, and exhaustively set up the set Y_n of network ports involved in the monitoring and evaluation business. Each communication protocol rule is represented as:
r=<port,minlen,maxlen,value>
where r denotes a communication protocol rule; port denotes the specific source port or destination port of the communication protocol; minlen denotes the minimum message length prescribed by the rule; maxlen denotes the maximum message length prescribed by the rule; and value denotes the fixed field in the message content prescribed by the rule;
(2) For each message m_i sent or received in the unit time interval, traverse all communication protocol rules in X_n and judge whether m_i matches the matching features of each rule. The matching features of a communication protocol rule comprise a port feature, a length feature and a content feature, as follows:
1) Port feature: if the source port or destination port of message m_i is identical to the port specified in the communication protocol rule, the port feature of m_i matches the rule; i.e.:
In the above formula, DstPort denotes the destination port of the sent message and SrcPort denotes the source port of the received message;
otherwise it does not match.
2) Length feature: when the maximum message length maxlen prescribed by the rule is null and the minimum message length minlen prescribed by the rule is also null, the length feature of m_i does not match the rule;
when maxlen is not null and the length of m_i is less than or equal to maxlen, and when minlen is not null and the length of m_i is greater than or equal to minlen, the length feature of m_i matches the rule; i.e.:
&&
otherwise it does not match;
3) Content feature: when the fixed field value, value, specified by the rule for this type of message content is null, the content of m_i does not match the rule;
otherwise, if the content of m_i is consistent with the fixed field value, value, specified by the rule for this type of message content, the content of m_i matches the rule;
(3) If the port feature, length feature and content feature of message m_i all match a communication protocol rule, m_i is considered to match that rule; if any one of the port feature, length feature or content feature of m_i does not match the rule, the process sending m_i is judged to be using an abnormal communication protocol, that is, the process executing this communication is suspected of being malicious code, and the removable storage medium or hard disk carrying that malicious code is suspected of being infected.
Further, step (1) also includes: for each communication protocol, when the rule set X_n does not yet contain a rule for that protocol, such a rule is added to X_n.
Further, in step (1), the fixed field in the message content characterises this type of message.
Further, in step (1), port is not null.
The invention provides a malicious code monitoring method for the master station of a distributed equipment monitoring system, which can effectively prevent the network and information security events in the power monitoring system that would otherwise be caused by malicious code, and improves the level of safe and stable system operation.
It creatively realises a simple method of screening for malicious code by port feature, length feature and content feature, avoids mistakenly deleting the proprietary protocols used for data exchange and system control in the power monitoring system, and has broad engineering application value.
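The following Python is an added example (not code from the patent) that implements the rule tuple r=<port,minlen,maxlen,value> and the three feature checks with the null semantics given in steps (1) to (3) above. It assumes that the fixed field sits at a fixed payload offset (value_offset, which the patent does not specify) and that a message is flagged only when no rule in X_n matches it on all three features (my reading of steps (2) and (3)); the rule set and messages are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One communication protocol rule r = <port, minlen, maxlen, value>.

    port must not be null; minlen, maxlen and value may be None (null).
    value_offset is an assumption: the patent does not say where the fixed
    field sits in the message, so we take a byte offset into the payload.
    """
    port: int
    minlen: Optional[int]
    maxlen: Optional[int]
    value: Optional[bytes]
    value_offset: int = 0


@dataclass(frozen=True)
class Message:
    """A captured message m_i: transport ports plus the application payload."""
    src_port: int
    dst_port: int
    payload: bytes


def port_matches(rule: Rule, msg: Message) -> bool:
    # 1) Port feature: source OR destination port equals the rule's port.
    return msg.src_port == rule.port or msg.dst_port == rule.port


def length_matches(rule: Rule, msg: Message) -> bool:
    # 2) Length feature: if both bounds are null the feature cannot match;
    #    otherwise every bound that is present must hold.
    if rule.minlen is None and rule.maxlen is None:
        return False
    n = len(msg.payload)
    if rule.maxlen is not None and n > rule.maxlen:
        return False
    if rule.minlen is not None and n < rule.minlen:
        return False
    return True


def content_matches(rule: Rule, msg: Message) -> bool:
    # 3) Content feature: a null value never matches; otherwise the fixed
    #    field in the payload must equal the rule's value byte for byte.
    if rule.value is None:
        return False
    end = rule.value_offset + len(rule.value)
    return msg.payload[rule.value_offset:end] == rule.value


def failed_features(rule: Rule, msg: Message) -> List[str]:
    """Names of the features of m_i that do not match this rule (empty = match)."""
    checks = (("port", port_matches), ("length", length_matches),
              ("content", content_matches))
    return [name for name, fn in checks if not fn(rule, msg)]


def rule_matches(rule: Rule, msg: Message) -> bool:
    return not failed_features(rule, msg)


def is_protocol_anomaly(rules: List[Rule], msg: Message) -> bool:
    """Traverse X_n; m_i is an abnormal-protocol message iff no rule matches
    on port, length and content together (step (3))."""
    return not any(rule_matches(r, msg) for r in rules)


# Constructed rule set X_n (illustrative values, not taken from the patent).
RULES = [
    # Telecontrol-style frames on port 2404: start byte 0x68, 6..255 bytes.
    Rule(port=2404, minlen=6, maxlen=255, value=b"\x68"),
    # Vendor-style monitoring channel on port 9001: "MON1" header, <= 64 bytes.
    Rule(port=9001, minlen=None, maxlen=64, value=b"MON1"),
]

if __name__ == "__main__":
    sample = Message(src_port=50000, dst_port=2404, payload=b"\x68\x04")
    for r in RULES:
        print(r.port, failed_features(r, sample))
    print("anomaly:", is_protocol_anomaly(RULES, sample))
```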
Embodiment
For a better understanding of the invention, it is further described below with reference to a specific embodiment:
The malicious code monitoring method for the master station of a distributed equipment monitoring system comprises the following steps:
1. Establish the communication protocol rule set X_n of all communication protocols in the equipment monitoring and evaluation system, and exhaustively set up the set Y_n of network ports involved in the monitoring and evaluation business; for each communication protocol, when X_n does not yet contain a rule for that protocol, such a rule is added to X_n. Each communication protocol rule is represented as:
r=<port,minlen,maxlen,value>;
where r denotes a communication protocol rule; port denotes the specific source port or destination port of the communication protocol; minlen denotes the minimum message length prescribed by the rule; maxlen denotes the maximum message length prescribed by the rule; and value denotes the fixed field in the message content prescribed by the rule, the fixed field in the message content characterising this type of message. port is not null; minlen, maxlen and value may be null.
2. For each message m_i sent or received in the unit time interval, traverse all communication protocol rules in X_n and judge whether m_i matches the matching features of each rule. The matching features of a communication protocol rule comprise a port feature, a length feature and a content feature, as follows:
1) Port feature: if the source port or destination port of message m_i is identical to the port specified in the communication protocol rule, the port feature of m_i matches the rule; i.e.:
In the above formula, DstPort denotes the destination port of the sent message and SrcPort denotes the source port of the received message;
otherwise it does not match.
2) Length feature: when the maximum message length maxlen prescribed by the rule is null and the minimum message length minlen prescribed by the rule is also null, the length feature of m_i does not match the rule;
when maxlen is not null and the length of m_i is less than or equal to maxlen, and when minlen is not null and the length of m_i is greater than or equal to minlen, the length feature of m_i matches the rule; i.e.:
&&
otherwise it does not match;
3) Content feature: when the fixed field value, value, specified by the rule for this type of message content is null, the content of m_i does not match the rule;
otherwise, if the content of m_i is consistent with the fixed field value, value, specified by the rule for this type of message content, the content of m_i matches the rule;
3. If the port feature, length feature and content feature of message m_i all match a communication protocol rule, m_i is considered to match that rule; if any one of the port feature, length feature or content feature of m_i does not match the rule, the process sending m_i is judged to be using an abnormal communication protocol, that is, the process executing this communication is suspected of being malicious code, and the removable storage medium or hard disk carrying that malicious code is suspected of being infected.
The invention is not limited to the above embodiment; the foregoing is only a preferred implementation of the invention and is not intended to limit it. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (4)

1. A malicious code monitoring method for the master station of a distributed equipment monitoring system, characterised in that it comprises the following steps:
(1) Establish the communication protocol rule set X_n of all communication protocols in the equipment monitoring and evaluation system, and exhaustively set up the set Y_n of network ports involved in the monitoring and evaluation business. Each communication protocol rule is represented as:
r=<port,minlen,maxlen,value>
where r denotes a communication protocol rule; port denotes the specific source port or destination port of the communication protocol; minlen denotes the minimum message length prescribed by the rule; maxlen denotes the maximum message length prescribed by the rule; and value denotes the fixed field in the message content prescribed by the rule;
(2) For each message m_i sent or received in the unit time interval, traverse all communication protocol rules in X_n and judge whether m_i matches the matching features of each rule. The matching features of a communication protocol rule comprise a port feature, a length feature and a content feature, as follows:
1) Port feature: if the source port or destination port of message m_i is identical to the port specified in the communication protocol rule, the port feature of m_i matches the rule; i.e.:
In the above formula, DstPort denotes the destination port of the sent message and SrcPort denotes the source port of the received message;
otherwise it does not match;
2) Length feature: when the maximum message length maxlen prescribed by the rule is null and the minimum message length minlen prescribed by the rule is also null, the length feature of m_i does not match the rule;
when maxlen is not null and the length of m_i is less than or equal to maxlen, and when minlen is not null and the length of m_i is greater than or equal to minlen, the length feature of m_i matches the rule; i.e.:
&&
otherwise it does not match;
3) Content feature: when the fixed field value, value, specified by the rule for this type of message content is null, the content of m_i does not match the rule;
otherwise, if the content of m_i is consistent with the fixed field value, value, specified by the rule for this type of message content, the content of m_i matches the rule;
(3) If the port feature, length feature and content feature of message m_i all match a communication protocol rule, m_i is considered to match that rule; if any one of the port feature, length feature or content feature of m_i does not match the rule, the process sending m_i is judged to be using an abnormal communication protocol, that is, the process executing this communication is suspected of being malicious code, and the removable storage medium or hard disk carrying that malicious code is suspected of being infected.
2. The malicious code monitoring method for the master station of a distributed equipment monitoring system according to claim 1, characterised in that step (1) also includes: for each communication protocol, when the rule set X_n does not yet contain a rule for that protocol, such a rule is added to X_n.
3. The malicious code monitoring method for the master station of a distributed equipment monitoring system according to claim 1, characterised in that in step (1) the fixed field in the message content characterises this type of message.
4. The malicious code monitoring method for the master station of a distributed equipment monitoring system according to claim 1, characterised in that in step (1) port is not null.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710830120.8A CN107612905A (en) 2017-09-15 2017-09-15 The malicious code monitoring method of equipment oriented monitoring distributed system main website

Publications (1)

Publication Number Publication Date
CN107612905A true CN107612905A (en) 2018-01-19

Family

ID=61062499

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109660518A (en) * 2018-11-22 2019-04-19 北京六方领安网络科技有限公司 Communication data detection method, device and the machine readable storage medium of network
CN111031004A (en) * 2019-11-21 2020-04-17 腾讯科技(深圳)有限公司 Service flow processing method, service flow learning method, device and system
CN114095243A (en) * 2021-11-18 2022-02-25 许昌许继软件技术有限公司 Data filtering method based on configuration

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101266550A (en) * 2007-12-21 2008-09-17 北京大学 Malicious code detection method
CN103428212A (en) * 2013-08-08 2013-12-04 电子科技大学 Malicious code detection and defense method
CN105515180A (en) * 2015-07-14 2016-04-20 国家电网公司 Intelligent substation communication network dynamic monitoring system and monitoring method thereof
CN106909847A (en) * 2017-02-17 2017-06-30 国家计算机网络与信息安全管理中心 A kind of method of Malicious Code Detection, apparatus and system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
姜海涛等: "《智能变电站网络异常分析方法》", 《电力信息与通信技术》 *
邓雨荣等: "《面向广域分布的在线监测数据通信技术》", 《ELECTRIC POWER IT》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180119